* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-08-13 18:32 Jason Zaman
2016-08-13 18:35 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2016-08-13 18:32 UTC (permalink / raw
To: gentoo-commits
commit: 9b78f18aa12787812bd7a663205f8d2e836f6577
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Aug 13 14:51:13 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Aug 13 18:23:03 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9b78f18a
Module version bumps for patches from Guido Trentalancia.
policy/modules/contrib/apm.te | 2 +-
policy/modules/contrib/gpg.te | 2 +-
policy/modules/contrib/policykit.te | 2 +-
policy/modules/contrib/pulseaudio.te | 2 +-
policy/modules/contrib/rtkit.te | 2 +-
5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/policy/modules/contrib/apm.te b/policy/modules/contrib/apm.te
index e2ac3c1..449f23f 100644
--- a/policy/modules/contrib/apm.te
+++ b/policy/modules/contrib/apm.te
@@ -1,4 +1,4 @@
-policy_module(apm, 1.14.1)
+policy_module(apm, 1.14.2)
########################################
#
diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index 748f143..072047d 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -1,4 +1,4 @@
-policy_module(gpg, 2.9.0)
+policy_module(gpg, 2.9.1)
########################################
#
diff --git a/policy/modules/contrib/policykit.te b/policy/modules/contrib/policykit.te
index da0187b..b0e00eb 100644
--- a/policy/modules/contrib/policykit.te
+++ b/policy/modules/contrib/policykit.te
@@ -1,4 +1,4 @@
-policy_module(policykit, 1.4.0)
+policy_module(policykit, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index e011c3a..e7511a8 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -1,4 +1,4 @@
-policy_module(pulseaudio, 1.8.2)
+policy_module(pulseaudio, 1.8.3)
########################################
#
diff --git a/policy/modules/contrib/rtkit.te b/policy/modules/contrib/rtkit.te
index 2e8ac03..3e68e7f 100644
--- a/policy/modules/contrib/rtkit.te
+++ b/policy/modules/contrib/rtkit.te
@@ -1,4 +1,4 @@
-policy_module(rtkit, 1.3.0)
+policy_module(rtkit, 1.3.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
2016-08-13 18:32 [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/ Jason Zaman
@ 2016-08-13 18:35 ` Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-08-13 18:35 UTC (permalink / raw
To: gentoo-commits
commit: 9b78f18aa12787812bd7a663205f8d2e836f6577
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Aug 13 14:51:13 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Aug 13 18:23:03 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9b78f18a
Module version bumps for patches from Guido Trentalancia.
policy/modules/contrib/apm.te | 2 +-
policy/modules/contrib/gpg.te | 2 +-
policy/modules/contrib/policykit.te | 2 +-
policy/modules/contrib/pulseaudio.te | 2 +-
policy/modules/contrib/rtkit.te | 2 +-
5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/policy/modules/contrib/apm.te b/policy/modules/contrib/apm.te
index e2ac3c1..449f23f 100644
--- a/policy/modules/contrib/apm.te
+++ b/policy/modules/contrib/apm.te
@@ -1,4 +1,4 @@
-policy_module(apm, 1.14.1)
+policy_module(apm, 1.14.2)
########################################
#
diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index 748f143..072047d 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -1,4 +1,4 @@
-policy_module(gpg, 2.9.0)
+policy_module(gpg, 2.9.1)
########################################
#
diff --git a/policy/modules/contrib/policykit.te b/policy/modules/contrib/policykit.te
index da0187b..b0e00eb 100644
--- a/policy/modules/contrib/policykit.te
+++ b/policy/modules/contrib/policykit.te
@@ -1,4 +1,4 @@
-policy_module(policykit, 1.4.0)
+policy_module(policykit, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index e011c3a..e7511a8 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -1,4 +1,4 @@
-policy_module(pulseaudio, 1.8.2)
+policy_module(pulseaudio, 1.8.3)
########################################
#
diff --git a/policy/modules/contrib/rtkit.te b/policy/modules/contrib/rtkit.te
index 2e8ac03..3e68e7f 100644
--- a/policy/modules/contrib/rtkit.te
+++ b/policy/modules/contrib/rtkit.te
@@ -1,4 +1,4 @@
-policy_module(rtkit, 1.3.0)
+policy_module(rtkit, 1.3.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2022-12-13 20:55 Kenton Groombridge
0 siblings, 0 replies; 1958+ messages in thread
From: Kenton Groombridge @ 2022-12-13 20:55 UTC (permalink / raw
To: gentoo-commits
commit: 23e8700745760bb466e92befdef2a9af525cac83
Author: Kenton Groombridge <concord <AT> gentoo <DOT> org>
AuthorDate: Tue Dec 13 19:20:55 2022 +0000
Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Tue Dec 13 19:20:55 2022 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=23e87007
salt: use mmap_manage_file_perms
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>
policy/modules/contrib/salt.te | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te
index f82674f9e..c1e8cdbca 100644
--- a/policy/modules/contrib/salt.te
+++ b/policy/modules/contrib/salt.te
@@ -147,7 +147,7 @@ files_tmp_filetrans(salt_master_t, salt_master_tmp_t, { file dir })
can_exec(salt_master_t, salt_master_tmp_t)
# salt_master_tmpfs_t
-allow salt_master_t salt_master_tmpfs_t:file { manage_file_perms map };
+allow salt_master_t salt_master_tmpfs_t:file mmap_manage_file_perms;
fs_tmpfs_filetrans(salt_master_t, salt_master_tmpfs_t, file)
# salt_master_runtime_t
@@ -266,7 +266,7 @@ files_tmp_filetrans(salt_minion_t, salt_minion_tmp_t, { file dir })
can_exec(salt_minion_t, salt_minion_tmp_t)
# salt_minion_tmpfs_t
-allow salt_minion_t salt_minion_tmpfs_t:file { manage_file_perms map };
+allow salt_minion_t salt_minion_tmpfs_t:file mmap_manage_file_perms;
fs_tmpfs_filetrans(salt_minion_t, salt_minion_tmpfs_t, file)
# salt_minion_runtime_t
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:concord-dev commit in: policy/modules/contrib/
@ 2022-10-12 13:35 Kenton Groombridge
2022-09-03 20:04 ` [gentoo-commits] proj/hardened-refpolicy:master " Kenton Groombridge
0 siblings, 1 reply; 1958+ messages in thread
From: Kenton Groombridge @ 2022-10-12 13:35 UTC (permalink / raw
To: gentoo-commits
commit: 177905ccd86a2aa56ca764bc5aa256eef76c2d91
Author: Kenton Groombridge <concord <AT> gentoo <DOT> org>
AuthorDate: Fri Nov 12 01:27:06 2021 +0000
Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Sat Sep 3 20:04:34 2022 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=177905cc
phpfpm: various fixes and new tunables
Minor fixes for phpfpm and add several new tunables, primarily designed
to get various webapps working under SELinux.
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>
policy/modules/contrib/phpfpm.te | 73 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 73 insertions(+)
diff --git a/policy/modules/contrib/phpfpm.te b/policy/modules/contrib/phpfpm.te
index cffae6d7..a1044f31 100644
--- a/policy/modules/contrib/phpfpm.te
+++ b/policy/modules/contrib/phpfpm.te
@@ -19,6 +19,49 @@ gen_tunable(phpfpm_use_ldap, false)
## </desc>
gen_tunable(phpfpm_send_syslog_msg, false)
+## <desc>
+## <p>
+## Allow phpfpm to execute shells. This
+## is needed by some webapps.
+## </p>
+## </desc>
+gen_tunable(phpfpm_exec_shell, false)
+
+## <desc>
+## <p>
+## Allow phpfpm to connect to http ports.
+## </p>
+## </desc>
+gen_tunable(phpfpm_connect_http, false)
+
+## <desc>
+## <p>
+## Allow phpfpm to connect to pop ports.
+## </p>
+## </desc>
+gen_tunable(phpfpm_connect_pop, false)
+
+## <desc>
+## <p>
+## Allow phpfpm to connect to redis ports.
+## </p>
+## </desc>
+gen_tunable(phpfpm_connect_redis, false)
+
+## <desc>
+## <p>
+## Allow phpfpm to connect to sieve ports.
+## </p>
+## </desc>
+gen_tunable(phpfpm_connect_sieve, false)
+
+## <desc>
+## <p>
+## Allow phpfpm to connect to smtp ports.
+## </p>
+## </desc>
+gen_tunable(phpfpm_connect_smtp, false)
+
type phpfpm_t;
type phpfpm_exec_t;
init_daemon_domain(phpfpm_t, phpfpm_exec_t)
@@ -44,6 +87,8 @@ allow phpfpm_t self:fifo_file rw_fifo_file_perms;
allow phpfpm_t self:tcp_socket rw_stream_socket_perms;
allow phpfpm_t self:udp_socket connected_socket_perms;
allow phpfpm_t self:unix_stream_socket { accept create_stream_socket_perms };
+allow phpfpm_t self:unix_dgram_socket { create_socket_perms };
+dontaudit phpfpm_t self:capability net_admin;
manage_files_pattern(phpfpm_t, phpfpm_log_t, phpfpm_log_t)
logging_log_filetrans(phpfpm_t, phpfpm_log_t, file)
@@ -86,6 +131,10 @@ apache_manage_all_rw_content(phpfpm_t)
apache_read_sys_content(phpfpm_t)
apache_dontaudit_search_modules(phpfpm_t)
+optional_policy(`
+ apache_map_sys_content(phpfpm_t)
+')
+
optional_policy(`
mysql_stream_connect(phpfpm_t)
mysql_tcp_connect(phpfpm_t)
@@ -106,6 +155,30 @@ optional_policy(`
')
')
+tunable_policy(`phpfpm_exec_shell',`
+ corecmd_exec_shell(phpfpm_t)
+')
+
+tunable_policy(`phpfpm_connect_http',`
+ corenet_tcp_connect_http_port(phpfpm_t)
+')
+
+tunable_policy(`phpfpm_connect_pop',`
+ corenet_tcp_connect_pop_port(phpfpm_t)
+')
+
+tunable_policy(`phpfpm_connect_redis',`
+ corenet_tcp_connect_redis_port(phpfpm_t)
+')
+
+tunable_policy(`phpfpm_connect_sieve',`
+ corenet_tcp_connect_sieve_port(phpfpm_t)
+')
+
+tunable_policy(`phpfpm_connect_smtp',`
+ corenet_tcp_connect_smtp_port(phpfpm_t)
+')
+
tunable_policy(`phpfpm_send_syslog_msg',`
logging_send_syslog_msg(phpfpm_t)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2022-10-12 13:35 [gentoo-commits] proj/hardened-refpolicy:concord-dev " Kenton Groombridge
@ 2022-09-03 20:04 ` Kenton Groombridge
0 siblings, 0 replies; 1958+ messages in thread
From: Kenton Groombridge @ 2022-09-03 20:04 UTC (permalink / raw
To: gentoo-commits
commit: 177905ccd86a2aa56ca764bc5aa256eef76c2d91
Author: Kenton Groombridge <concord <AT> gentoo <DOT> org>
AuthorDate: Fri Nov 12 01:27:06 2021 +0000
Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Sat Sep 3 20:04:34 2022 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=177905cc
phpfpm: various fixes and new tunables
Minor fixes for phpfpm and add several new tunables, primarily designed
to get various webapps working under SELinux.
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>
policy/modules/contrib/phpfpm.te | 73 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 73 insertions(+)
diff --git a/policy/modules/contrib/phpfpm.te b/policy/modules/contrib/phpfpm.te
index cffae6d7..a1044f31 100644
--- a/policy/modules/contrib/phpfpm.te
+++ b/policy/modules/contrib/phpfpm.te
@@ -19,6 +19,49 @@ gen_tunable(phpfpm_use_ldap, false)
## </desc>
gen_tunable(phpfpm_send_syslog_msg, false)
+## <desc>
+## <p>
+## Allow phpfpm to execute shells. This
+## is needed by some webapps.
+## </p>
+## </desc>
+gen_tunable(phpfpm_exec_shell, false)
+
+## <desc>
+## <p>
+## Allow phpfpm to connect to http ports.
+## </p>
+## </desc>
+gen_tunable(phpfpm_connect_http, false)
+
+## <desc>
+## <p>
+## Allow phpfpm to connect to pop ports.
+## </p>
+## </desc>
+gen_tunable(phpfpm_connect_pop, false)
+
+## <desc>
+## <p>
+## Allow phpfpm to connect to redis ports.
+## </p>
+## </desc>
+gen_tunable(phpfpm_connect_redis, false)
+
+## <desc>
+## <p>
+## Allow phpfpm to connect to sieve ports.
+## </p>
+## </desc>
+gen_tunable(phpfpm_connect_sieve, false)
+
+## <desc>
+## <p>
+## Allow phpfpm to connect to smtp ports.
+## </p>
+## </desc>
+gen_tunable(phpfpm_connect_smtp, false)
+
type phpfpm_t;
type phpfpm_exec_t;
init_daemon_domain(phpfpm_t, phpfpm_exec_t)
@@ -44,6 +87,8 @@ allow phpfpm_t self:fifo_file rw_fifo_file_perms;
allow phpfpm_t self:tcp_socket rw_stream_socket_perms;
allow phpfpm_t self:udp_socket connected_socket_perms;
allow phpfpm_t self:unix_stream_socket { accept create_stream_socket_perms };
+allow phpfpm_t self:unix_dgram_socket { create_socket_perms };
+dontaudit phpfpm_t self:capability net_admin;
manage_files_pattern(phpfpm_t, phpfpm_log_t, phpfpm_log_t)
logging_log_filetrans(phpfpm_t, phpfpm_log_t, file)
@@ -86,6 +131,10 @@ apache_manage_all_rw_content(phpfpm_t)
apache_read_sys_content(phpfpm_t)
apache_dontaudit_search_modules(phpfpm_t)
+optional_policy(`
+ apache_map_sys_content(phpfpm_t)
+')
+
optional_policy(`
mysql_stream_connect(phpfpm_t)
mysql_tcp_connect(phpfpm_t)
@@ -106,6 +155,30 @@ optional_policy(`
')
')
+tunable_policy(`phpfpm_exec_shell',`
+ corecmd_exec_shell(phpfpm_t)
+')
+
+tunable_policy(`phpfpm_connect_http',`
+ corenet_tcp_connect_http_port(phpfpm_t)
+')
+
+tunable_policy(`phpfpm_connect_pop',`
+ corenet_tcp_connect_pop_port(phpfpm_t)
+')
+
+tunable_policy(`phpfpm_connect_redis',`
+ corenet_tcp_connect_redis_port(phpfpm_t)
+')
+
+tunable_policy(`phpfpm_connect_sieve',`
+ corenet_tcp_connect_sieve_port(phpfpm_t)
+')
+
+tunable_policy(`phpfpm_connect_smtp',`
+ corenet_tcp_connect_smtp_port(phpfpm_t)
+')
+
tunable_policy(`phpfpm_send_syslog_msg',`
logging_send_syslog_msg(phpfpm_t)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2022-09-03 20:04 Kenton Groombridge
0 siblings, 0 replies; 1958+ messages in thread
From: Kenton Groombridge @ 2022-09-03 20:04 UTC (permalink / raw
To: gentoo-commits
commit: 10b3a91a0e7f0729cefb70ee4aa87eb862833b4a
Author: Kenton Groombridge <concord <AT> gentoo <DOT> org>
AuthorDate: Fri Nov 12 01:24:50 2021 +0000
Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Sat Sep 3 20:04:30 2022 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=10b3a91a
nginx: various fixes
Various fixes for nginx, and also allow nginx to list and read user home
content given that the httpd_read_user_content boolean is enabled.
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>
policy/modules/contrib/nginx.te | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/policy/modules/contrib/nginx.te b/policy/modules/contrib/nginx.te
index 57e8ceb9..0c935bb6 100644
--- a/policy/modules/contrib/nginx.te
+++ b/policy/modules/contrib/nginx.te
@@ -119,8 +119,13 @@ domain_use_interactive_fds(nginx_t)
files_read_etc_files(nginx_t)
+auth_use_nsswitch(nginx_t)
+logging_send_syslog_msg(nginx_t)
+
+miscfiles_read_generic_certs(nginx_t)
miscfiles_read_localization(nginx_t)
+
sysnet_dns_name_resolve(nginx_t)
optional_policy(`
@@ -129,10 +134,16 @@ optional_policy(`
apache_manage_log(nginx_t)
')
+tunable_policy(`httpd_read_user_content',`
+ userdom_list_user_home_content(nginx_t)
+ userdom_read_user_home_content_files(nginx_t)
+')
+
tunable_policy(`nginx_enable_http_server',`
corenet_tcp_bind_http_port(nginx_t)
apache_read_all_content(nginx_t)
apache_manage_all_rw_content(nginx_t)
+ apache_list_sys_content(nginx_t)
')
# We enable both binding and connecting, since nginx acts here as a reverse proxy
@@ -159,6 +170,10 @@ tunable_policy(`nginx_can_network_connect',`
corenet_tcp_connect_all_ports(nginx_t)
')
+optional_policy(`
+ certbot_read_lib(nginx_t)
+')
+
optional_policy(`
phpfpm_stream_connect(nginx_t)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2018-07-12 14:37 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2018-07-12 14:37 UTC (permalink / raw
To: gentoo-commits
commit: 6ee55a36f4be584799e0ee0df5f114e0a166e583
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Jul 9 13:06:29 2018 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Jul 11 14:42:50 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6ee55a36
chromium: allow xserver_misc_device access for nvidia gpus
policy/modules/contrib/chromium.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/contrib/chromium.te b/policy/modules/contrib/chromium.te
index 72621719..7e7f4490 100644
--- a/policy/modules/contrib/chromium.te
+++ b/policy/modules/contrib/chromium.te
@@ -160,6 +160,8 @@ dev_read_sound(chromium_t)
dev_write_sound(chromium_t)
dev_read_urand(chromium_t)
dev_read_rand(chromium_t)
+dev_rw_xserver_misc(chromium_t)
+dev_map_xserver_misc(chromium_t)
domain_dontaudit_search_all_domains_state(chromium_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2018-06-24 9:54 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2018-06-24 9:54 UTC (permalink / raw
To: gentoo-commits
commit: 10e31b2693ba55dbdbf29e0f2a78cd4fa5f22309
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Jun 24 09:27:29 2018 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jun 24 09:27:29 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=10e31b26
contrib: add metadata.xml for gentoo specific modules
policy/modules/contrib/metadata.xml | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/metadata.xml b/policy/modules/contrib/metadata.xml
new file mode 100644
index 00000000..4e10f228
--- /dev/null
+++ b/policy/modules/contrib/metadata.xml
@@ -0,0 +1 @@
+<summary>Gentoo-specific policy modules</summary>
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2018-06-24 8:46 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2018-06-24 8:46 UTC (permalink / raw
To: gentoo-commits
commit: 91800ea6139c694b44466105595954ff72c91fb6
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Jun 16 06:43:20 2018 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Jun 16 14:35:45 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=91800ea6
gpg: migrate to upstream xdg rules
policy/modules/contrib/gpg.te | 19 +++++--------------
1 file changed, 5 insertions(+), 14 deletions(-)
diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index 0e6b6f74..e763b76b 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -368,14 +368,6 @@ miscfiles_read_localization(gpg_pinentry_t)
userdom_use_user_terminals(gpg_pinentry_t)
-ifdef(`distro_gentoo',`
- optional_policy(`
- mutt_read_home_files(gpg_t)
- mutt_read_tmp_files(gpg_t)
- mutt_rw_tmp_files(gpg_t)
- ')
-')
-
xdg_read_data_files(gpg_pinentry_t)
tunable_policy(`use_nfs_home_dirs',`
@@ -404,10 +396,9 @@ optional_policy(`
')
ifdef(`distro_gentoo',`
- #########################################
- #
- # gpg_pinentry_t policy
- #
-
- xdg_read_data_home_files(gpg_pinentry_t)
+ optional_policy(`
+ mutt_read_home_files(gpg_t)
+ mutt_read_tmp_files(gpg_t)
+ mutt_rw_tmp_files(gpg_t)
+ ')
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2018-06-24 8:46 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2018-06-24 8:46 UTC (permalink / raw
To: gentoo-commits
commit: 488f7b482a62bb25f656d38387ed44ff28c01343
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Fri Jun 15 16:54:29 2018 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Jun 16 14:35:45 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=488f7b48
mozilla: remove gentoo specific rules that are now upstream
policy/modules/contrib/mozilla.fc | 21 ++++--
policy/modules/contrib/mozilla.te | 143 +++++++++++++++++++++-----------------
2 files changed, 95 insertions(+), 69 deletions(-)
diff --git a/policy/modules/contrib/mozilla.fc b/policy/modules/contrib/mozilla.fc
index 867ba3e8..15aa39b3 100644
--- a/policy/modules/contrib/mozilla.fc
+++ b/policy/modules/contrib/mozilla.fc
@@ -6,6 +6,14 @@ HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
HOME_DIR/\.vimperator.* gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
+HOME_DIR/\.gnash(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
+HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
+HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
+HOME_DIR/\.spicec(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
+HOME_DIR/\.ICAClient(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
+HOME_DIR/zimbrauserdata(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
+
/usr/bin/epiphany -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/usr/bin/epiphany-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/usr/bin/mozilla -- gen_context(system_u:object_r:mozilla_exec_t,s0)
@@ -17,18 +25,19 @@ HOME_DIR/\.vimperator.* gen_context(system_u:object_r:mozilla_home_t,s0)
/usr/bin/nspluginscan -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
/usr/bin/nspluginviewer -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
-/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/lib/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/lib/firefox[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/firefox[^/]*/firefox-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/firefox[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/usr/lib/galeon/galeon -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/usr/lib/iceweasel/iceweasel -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/usr/lib/iceweasel/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
/usr/lib/mozilla[^/]*/reg.+ -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/lib/mozilla[^/]*/firefox-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/lib/mozilla[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/mozilla[^/]*/firefox-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/mozilla[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/usr/lib/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:mozilla_plugin_rw_t,s0)
/usr/lib/netscape/base-4/wrapper -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/lib/netscape/.+/communicator/communicator-smotif\.real -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/netscape/.+/communicator/communicator-smotif\.real -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/usr/lib/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
/usr/lib/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
index 5a0a0a5b..807d3431 100644
--- a/policy/modules/contrib/mozilla.te
+++ b/policy/modules/contrib/mozilla.te
@@ -13,19 +13,6 @@ policy_module(mozilla, 2.13.2)
## </desc>
gen_tunable(mozilla_execstack, false)
-## <desc>
-## <p>
-## Allow mozilla to use java plugins
-## </p>
-## <p>
-## Some plugins use named pipes inside temporary directories created
-## by the browser to communicate with the java process. If other browsers
-## need to use java plugins as well, they will get search privileges within
-## the temporary directories of mozilla
-## </p>
-## </desc>
-gen_tunable(mozilla_use_java, false)
-
attribute_role mozilla_roles;
attribute_role mozilla_plugin_roles;
attribute_role mozilla_plugin_config_roles;
@@ -60,6 +47,10 @@ userdom_user_tmp_file(mozilla_plugin_tmp_t)
type mozilla_plugin_tmpfs_t;
userdom_user_tmpfs_file(mozilla_plugin_tmpfs_t)
+optional_policy(`
+ pulseaudio_tmpfs_content(mozilla_plugin_tmpfs_t)
+')
+
type mozilla_plugin_rw_t;
files_type(mozilla_plugin_rw_t)
@@ -76,6 +67,10 @@ typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sys
typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_t };
userdom_user_tmpfs_file(mozilla_tmpfs_t)
+optional_policy(`
+ pulseaudio_tmpfs_content(mozilla_tmpfs_t)
+')
+
type mozilla_xdg_cache_t;
xdg_cache_content(mozilla_xdg_cache_t)
@@ -128,6 +123,8 @@ manage_files_pattern(mozilla_t, mozilla_xdg_cache_t, mozilla_xdg_cache_t)
manage_dirs_pattern(mozilla_t, mozilla_xdg_cache_t, mozilla_xdg_cache_t)
xdg_cache_filetrans(mozilla_t, mozilla_xdg_cache_t, dir, "mozilla")
+can_exec(mozilla_t, { mozilla_exec_t mozilla_plugin_rw_t mozilla_plugin_home_t })
+
kernel_read_kernel_sysctls(mozilla_t)
kernel_read_network_state(mozilla_t)
kernel_read_system_state(mozilla_t)
@@ -207,7 +204,13 @@ miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_t)
userdom_use_user_ptys(mozilla_t)
+userdom_manage_user_tmp_dirs(mozilla_t)
+userdom_manage_user_tmp_files(mozilla_t)
+
userdom_user_content_access_template(mozilla, { mozilla_t mozilla_plugin_t })
+userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file })
+
+userdom_write_user_tmp_sockets(mozilla_t)
mozilla_run_plugin(mozilla_t, mozilla_roles)
mozilla_run_plugin_config(mozilla_t, mozilla_roles)
@@ -220,6 +223,17 @@ xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
xserver_dontaudit_getattr_xdm_tmp_sockets(mozilla_t)
+ifndef(`enable_mls',`
+ fs_list_dos(mozilla_t)
+ fs_read_dos_files(mozilla_t)
+
+ fs_search_removable(mozilla_t)
+ fs_read_removable_files(mozilla_t)
+ fs_read_removable_symlinks(mozilla_t)
+
+ fs_read_iso9660_files(mozilla_t)
+')
+
tunable_policy(`allow_execmem',`
allow mozilla_t self:process execmem;
')
@@ -292,6 +306,13 @@ optional_policy(`
gnome_home_filetrans_gnome_home(mozilla_t, dir, ".gnome2_private")
')
+optional_policy(`
+ java_exec(mozilla_t)
+ java_manage_generic_home_content(mozilla_t)
+ java_manage_java_tmp(mozilla_t)
+ java_home_filetrans_java_home(mozilla_t, dir, ".java")
+')
+
optional_policy(`
lpd_run_lpr(mozilla_t, mozilla_roles)
')
@@ -312,7 +333,6 @@ optional_policy(`
')
optional_policy(`
- java_manage_java_tmp(mozilla_t)
thunderbird_domtrans(mozilla_t)
')
@@ -345,6 +365,15 @@ userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, dir, ".mozilla
userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, dir, ".netscape")
userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, dir, ".phoenix")
+userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".adobe")
+userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".macromedia")
+userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".gnash")
+userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".gcjwebplugin")
+userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".icedteaplugin")
+userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".spicec")
+userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".ICAClient")
+userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, "zimbrauserdata")
+
filetrans_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins")
manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
@@ -381,6 +410,8 @@ corecmd_exec_shell(mozilla_plugin_t)
corenet_all_recvfrom_netlabel(mozilla_plugin_t)
corenet_all_recvfrom_unlabeled(mozilla_plugin_t)
+corenet_tcp_sendrecv_generic_if(mozilla_plugin_t)
+corenet_tcp_sendrecv_generic_node(mozilla_plugin_t)
corenet_sendrecv_asterisk_client_packets(mozilla_plugin_t)
corenet_tcp_connect_asterisk_port(mozilla_plugin_t)
@@ -458,6 +489,7 @@ dev_dontaudit_getattr_all_chr_files(mozilla_plugin_t)
domain_use_interactive_fds(mozilla_plugin_t)
domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
+files_exec_usr_files(mozilla_plugin_t)
files_list_mnt(mozilla_plugin_t)
files_read_config_files(mozilla_plugin_t)
files_read_usr_files(mozilla_plugin_t)
@@ -470,16 +502,43 @@ fs_search_auto_mountpoints(mozilla_plugin_t)
term_getattr_all_ttys(mozilla_plugin_t)
term_getattr_all_ptys(mozilla_plugin_t)
+application_exec(mozilla_plugin_t)
+
auth_use_nsswitch(mozilla_plugin_t)
+libs_exec_ld_so(mozilla_plugin_t)
+libs_exec_lib_files(mozilla_plugin_t)
+
logging_send_syslog_msg(mozilla_plugin_t)
miscfiles_read_localization(mozilla_plugin_t)
miscfiles_read_fonts(mozilla_plugin_t)
miscfiles_read_generic_certs(mozilla_plugin_t)
+miscfiles_dontaudit_setattr_fonts_dirs(mozilla_plugin_t)
+miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_plugin_t)
+
+userdom_manage_user_tmp_dirs(mozilla_plugin_t)
+userdom_manage_user_tmp_files(mozilla_plugin_t)
+
+userdom_user_home_dir_filetrans_user_home_content(mozilla_plugin_t, { dir file })
+
+userdom_write_user_tmp_sockets(mozilla_plugin_t)
+
+userdom_dontaudit_use_user_terminals(mozilla_plugin_t)
xdg_read_config_files(mozilla_plugin_t)
+ifndef(`enable_mls',`
+ fs_list_dos(mozilla_plugin_t)
+ fs_read_dos_files(mozilla_plugin_t)
+
+ fs_search_removable(mozilla_plugin_t)
+ fs_read_removable_files(mozilla_plugin_t)
+ fs_read_removable_symlinks(mozilla_plugin_t)
+
+ fs_read_iso9660_files(mozilla_plugin_t)
+')
+
tunable_policy(`allow_execmem',`
allow mozilla_plugin_t self:process execmem;
')
@@ -500,6 +559,11 @@ tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_symlinks(mozilla_plugin_t)
')
+optional_policy(`
+ alsa_read_config(mozilla_plugin_t)
+ alsa_read_home_files(mozilla_plugin_t)
+')
+
optional_policy(`
automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_t)
')
@@ -671,24 +735,17 @@ gen_tunable(mozilla_bind_all_unreserved_ports, false)
## </desc>
gen_tunable(mozilla_plugin_connect_all_unreserved, false)
- type mozilla_xdg_cache_t;
- xdg_cache_home_content(mozilla_xdg_cache_t)
-
#####################
#
# Mozilla policy
#
- allow mozilla_t mozilla_exec_t:file { execute_no_trans };
allow mozilla_t mozilla_plugin_t:process { rlimitinh siginh noatsecure };
allow mozilla_t self:process execmem; # Startup of firefox (otherwise immediately killed)
manage_fifo_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
- manage_files_pattern(mozilla_t, mozilla_xdg_cache_t, mozilla_xdg_cache_t)
- manage_dirs_pattern(mozilla_t, mozilla_xdg_cache_t, mozilla_xdg_cache_t)
allow mozilla_t mozilla_xdg_cache_t:file map;
- xdg_cache_home_filetrans(mozilla_t, mozilla_xdg_cache_t, dir, "mozilla")
corenet_dontaudit_tcp_bind_generic_port(mozilla_t)
corenet_dontaudit_tcp_sendrecv_generic_port(mozilla_t)
@@ -702,17 +759,6 @@ gen_tunable(mozilla_plugin_connect_all_unreserved, false)
# This deprecates userdom_use_user_ptys(mozilla_t) mentioned earlier
userdom_use_user_terminals(mozilla_t)
- xdg_manage_downloads_home(mozilla_t)
- xdg_read_config_home_files(mozilla_t)
- xdg_read_data_home_files(mozilla_t)
-
- #xserver_common_x_domain_template(mozilla_t, mozilla_tmpfs_t) is this
- #not better than user_x_domain_template ?
-
- # main refpolicy does not make this distinction anymore
- # (allows manage rights automatically)
- userdom_user_content_access_template(mozilla, { mozilla_t mozilla_plugin_t })
-
tunable_policy(`mozilla_bind_all_unreserved_ports',`
corenet_sendrecv_all_server_packets(mozilla_t)
corenet_tcp_bind_all_unreserved_ports(mozilla_t)
@@ -720,32 +766,14 @@ gen_tunable(mozilla_plugin_connect_all_unreserved, false)
')
optional_policy(`
- tunable_policy(`mozilla_use_java',`
- #java_noatsecure_domtrans(mozilla_t)
- # refpolicy method below, but we might want to introduce
- # specific domains for this (like mozilla_java_t)? TODO
- java_exec(mozilla_t)
- java_manage_generic_home_content(mozilla_t)
- ')
-
- java_home_filetrans_java_home(mozilla_t, dir, ".java")
-
- # Cannot handle optional_policy within tunable_policy
- optional_policy(`
- tunable_policy(`mozilla_use_java',`
- chromium_tmp_filetrans(mozilla_t, mozilla_tmp_t, fifo_file)
- ')
- ')
+ # was in java tunable, upstream added unconditionally
+ chromium_tmp_filetrans(mozilla_t, mozilla_tmp_t, fifo_file)
')
optional_policy(`
nscd_socket_use(mozilla_t)
')
- optional_policy(`
- pulseaudio_client_domain(mozilla_t, mozilla_tmpfs_t)
- ')
-
ifdef(`use_alsa',`
optional_policy(`
# HTML5 support is built-in (no plugin) - bug 464398
@@ -762,8 +790,6 @@ gen_tunable(mozilla_plugin_connect_all_unreserved, false)
allow mozilla_plugin_t self:udp_socket create_socket_perms;
allow mozilla_plugin_t self:process execmem; # Needed for flash plugin
- read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
-
# Stupid google talk plugin runs find against /etc
files_dontaudit_getattr_all_dirs(mozilla_plugin_t)
@@ -771,14 +797,9 @@ gen_tunable(mozilla_plugin_connect_all_unreserved, false)
corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t)
corenet_tcp_sendrecv_pulseaudio_port(mozilla_plugin_t)
- miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_plugin_t)
- miscfiles_dontaudit_setattr_fonts_dirs(mozilla_plugin_t)
-
userdom_dontaudit_use_user_terminals(mozilla_plugin_t)
userdom_rw_user_tmpfs_files(mozilla_plugin_t)
- xdg_read_config_home_files(mozilla_plugin_t)
-
xserver_user_x_domain_template(mozilla_plugin, mozilla_plugin_t, mozilla_plugin_tmpfs_t)
tunable_policy(`mozilla_plugin_connect_all_unreserved', `
@@ -800,10 +821,6 @@ gen_tunable(mozilla_plugin_connect_all_unreserved, false)
googletalk_rw_inherited_plugin_unix_stream_sockets(mozilla_plugin_t)
')
- optional_policy(`
- pulseaudio_client_domain(mozilla_plugin_t, mozilla_plugin_tmpfs_t)
- ')
-
ifdef(`use_alsa',`
optional_policy(`
alsa_domain(mozilla_plugin_t, mozilla_plugin_tmpfs_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2018-06-24 8:46 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2018-06-24 8:46 UTC (permalink / raw
To: gentoo-commits
commit: beebac5c01a502b2ac5ee30864fc15cfbb63c96e
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Jun 16 06:39:33 2018 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Jun 16 14:35:45 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=beebac5c
thunderbird: migrate to upstream xdg rules
policy/modules/contrib/thunderbird.te | 11 +----------
1 file changed, 1 insertion(+), 10 deletions(-)
diff --git a/policy/modules/contrib/thunderbird.te b/policy/modules/contrib/thunderbird.te
index 4fa94a18..1f39efce 100644
--- a/policy/modules/contrib/thunderbird.te
+++ b/policy/modules/contrib/thunderbird.te
@@ -180,8 +180,7 @@ optional_policy(`
')
ifdef(`distro_gentoo',`
- type thunderbird_xdg_cache_home_t;
- xdg_cache_home_content(thunderbird_xdg_cache_home_t)
+ typealias thunderbird_xdg_cache_t alias thunderbird_xdg_cache_home_t;
type thunderbird_tmp_t;
userdom_user_tmp_file(thunderbird_tmp_t)
@@ -198,10 +197,6 @@ ifdef(`distro_gentoo',`
manage_files_pattern(thunderbird_t, thunderbird_tmp_t, thunderbird_tmp_t)
files_tmp_filetrans(thunderbird_t, thunderbird_tmp_t, { dir file })
- manage_files_pattern(thunderbird_t, thunderbird_xdg_cache_home_t, thunderbird_xdg_cache_home_t)
- manage_dirs_pattern(thunderbird_t, thunderbird_xdg_cache_home_t, thunderbird_xdg_cache_home_t)
- xdg_cache_home_filetrans(thunderbird_t, thunderbird_xdg_cache_home_t, dir)
-
# File preview apps for instance
corecmd_exec_bin(thunderbird_t)
@@ -209,10 +204,6 @@ ifdef(`distro_gentoo',`
dev_rw_dri(thunderbird_t)
userdom_use_user_ptys(thunderbird_t)
- # User content access
- userdom_user_content_access_template(thunderbird, thunderbird_t)
-
- xdg_read_data_home_files(thunderbird_t)
optional_policy(`
pulseaudio_domtrans(thunderbird_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2018-06-24 8:46 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2018-06-24 8:46 UTC (permalink / raw
To: gentoo-commits
commit: 79a56036f05b18c433e3243f458c2474a20ba241
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Jun 16 04:21:25 2018 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Jun 16 14:35:45 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=79a56036
mplayer: migrate to upstream xdg interfaces
policy/modules/contrib/mplayer.te | 44 +++++++--------------------------------
1 file changed, 8 insertions(+), 36 deletions(-)
diff --git a/policy/modules/contrib/mplayer.te b/policy/modules/contrib/mplayer.te
index a1af29df..91b9569d 100644
--- a/policy/modules/contrib/mplayer.te
+++ b/policy/modules/contrib/mplayer.te
@@ -13,21 +13,6 @@ policy_module(mplayer, 2.7.1)
## </desc>
gen_tunable(allow_mplayer_execstack, false)
-## <desc>
-## <p>
-## Allow mplayer to read user content
-## </p>
-## </desc>
-gen_tunable(mplayer_read_user_content, true)
-
-## <desc>
-## <p>
-## Allow mplayer to manage user content
-## </p>
-## </desc>
-gen_tunable(mplayer_manage_user_content, false)
-
-
attribute_role mencoder_roles;
attribute_role mplayer_roles;
@@ -98,8 +83,6 @@ userdom_use_user_terminals(mencoder_t)
userdom_manage_user_tmp_dirs(mencoder_t)
userdom_manage_user_tmp_files(mencoder_t)
-userdom_tmp_filetrans_user_tmp(mplayer_t, { dir file })
-userdom_user_runtime_filetrans_user_tmp(mplayer_t, { dir file })
userdom_user_content_access_template(mplayer_mencoder, mencoder_t)
@@ -220,8 +203,15 @@ miscfiles_read_fonts(mplayer_t)
userdom_use_user_terminals(mplayer_t)
+userdom_manage_user_tmp_dirs(mplayer_t)
+userdom_manage_user_tmp_files(mplayer_t)
+userdom_tmp_filetrans_user_tmp(mplayer_t, { dir file })
+userdom_user_runtime_filetrans_user_tmp(mplayer_t, { dir file })
+
userdom_user_content_access_template(mplayer, mplayer_t)
+userdom_write_user_tmp_sockets(mplayer_t)
+
xdg_read_music(mplayer_t)
xdg_read_videos(mplayer_t)
@@ -280,26 +270,8 @@ ifdef(`distro_gentoo',`
# Local mplayer_t policy
#
- xdg_manage_videos_home(mplayer_t)
-
- tunable_policy(`mplayer_read_user_content',`
- userdom_read_user_home_content_files(mplayer_t)
- userdom_read_user_home_content_symlinks(mplayer_t)
- ')
-
- tunable_policy(`mplayer_manage_user_content',`
- userdom_manage_user_tmp_dirs(mplayer_t)
- userdom_manage_user_tmp_files(mplayer_t)
+ tunable_policy(`mplayer_manage_generic_user_content',`
userdom_user_home_dir_filetrans_user_home_content(mplayer_t, { dir file })
-
- userdom_manage_user_home_content_dirs(mplayer_t)
- userdom_manage_user_home_content_files(mplayer_t)
-
- userdom_write_user_tmp_sockets(mplayer_t)
- ')
-
- optional_policy(`
- pulseaudio_client_domain(mplayer_t, mplayer_tmpfs_t)
')
ifdef(`use_alsa',`
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2018-06-24 8:46 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2018-06-24 8:46 UTC (permalink / raw
To: gentoo-commits
commit: 9e8e1d8565e63678d43e33a9c11130c986cd4bed
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Jun 14 14:28:31 2018 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Jun 16 13:16:02 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9e8e1d85
gnome: update to use new upstream xdg interfaces
policy/modules/contrib/gnome.fc | 14 +++--------
policy/modules/contrib/gnome.te | 56 +++++------------------------------------
2 files changed, 9 insertions(+), 61 deletions(-)
diff --git a/policy/modules/contrib/gnome.fc b/policy/modules/contrib/gnome.fc
index 030f6b7b..81e9716a 100644
--- a/policy/modules/contrib/gnome.fc
+++ b/policy/modules/contrib/gnome.fc
@@ -1,5 +1,3 @@
-HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_xdg_config_t,s0)
-
HOME_DIR/\.cache/dconf(/.*)? gen_context(system_u:object_r:gnome_xdg_cache_t,s0)
HOME_DIR/\.cache/keyring-.* gen_context(system_u:object_r:gnome_xdg_cache_t,s0)
HOME_DIR/\.config/dconf(/.*)? gen_context(system_u:object_r:gnome_xdg_config_t,s0)
@@ -20,17 +18,11 @@ HOME_DIR/orcexec\..* gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
/usr/bin/gnome-keyring-daemon -- gen_context(system_u:object_r:gkeyringd_exec_t,s0)
/usr/bin/mate-keyring-daemon -- gen_context(system_u:object_r:gkeyringd_exec_t,s0)
+
/usr/lib/[^/]*/gconf/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
-/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
+/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
/run/user/%{USERID}/keyring(/.*)? gen_context(system_u:object_r:gnome_keyring_tmp_t,s0)
/run/user/[^/]*/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
-/run/user/%{USERID}/dconf(/.*)? gen_context(system_u:object_r:gconf_tmp_t,s0)
/run/user/%{USERID}/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
-
-ifdef(`distro_gentoo',`
-HOME_DIR/\.config/dconf(/.*)? gen_context(system_u:object_r:gnome_xdg_config_home_t,s0)
-HOME_DIR/\.cache/dconf(/.*)? gen_context(system_u:object_r:gnome_xdg_cache_home_t,s0)
-HOME_DIR/\.cache/keyring-.* gen_context(system_u:object_r:gnome_xdg_cache_home_t,s0)
-HOME_DIR/\.local/share/keyrings(/.*)? gen_context(system_u:object_r:gnome_xdg_data_home_t,s0)
-')
+/run/user/%{USERID}/dconf(/.*)? gen_context(system_u:object_r:gconf_tmp_t,s0)
diff --git a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te
index e198bc71..340e394a 100644
--- a/policy/modules/contrib/gnome.te
+++ b/policy/modules/contrib/gnome.te
@@ -204,56 +204,12 @@ optional_policy(`
telepathy_mission_control_read_state(gkeyringd_domain)
')
-ifdef(`distro_gentoo',`
- type gnome_xdg_cache_home_t;
- type gnome_xdg_config_t; # Fase out
- type gnome_xdg_config_home_t;
- type gnome_xdg_data_home_t;
-
- xdg_cache_home_content(gnome_xdg_cache_home_t)
- xdg_config_home_content(gnome_xdg_config_t)
- xdg_config_home_content(gnome_xdg_config_home_t)
- xdg_data_home_content(gnome_xdg_data_home_t)
-
- ##
- ## Keyring
- ##
-
- # When gnome-keyring creates a .cache/keyring-.... make sure it is gnome_xdg_cache_home_t
- xdg_cache_home_filetrans(gkeyringd_domain, gnome_xdg_cache_home_t, dir)
- # Same for ~/.config and ~/.local stuff
- xdg_config_home_filetrans(gkeyringd_domain, gnome_xdg_config_home_t, dir)
- xdg_data_home_filetrans(gkeyringd_domain, gnome_xdg_data_home_t, dir)
-
- allow gkeyringd_domain gnome_xdg_cache_home_t:file manage_file_perms;
- allow gkeyringd_domain gnome_xdg_cache_home_t:sock_file manage_sock_file_perms;
- manage_dirs_pattern(gkeyringd_domain, gnome_xdg_cache_home_t, gnome_xdg_cache_home_t)
-
- allow gkeyringd_domain gnome_xdg_config_home_t:file manage_file_perms;
- manage_dirs_pattern(gkeyringd_domain, gnome_xdg_config_home_t, gnome_xdg_config_home_t)
-
- allow gkeyringd_domain gnome_xdg_data_home_t:file manage_file_perms;
- manage_dirs_pattern(gkeyringd_domain, gnome_xdg_data_home_t, gnome_xdg_data_home_t)
-
- ##
- ## gconfd
- ##
-
- xdg_cache_home_filetrans(gconfd_t, gnome_xdg_cache_home_t, dir)
- xdg_config_home_filetrans(gconfd_t, gnome_xdg_config_home_t, dir)
- xdg_data_home_filetrans(gconfd_t, gnome_xdg_data_home_t, dir)
-
- # gconf stores settings for gnome, it needs access
- allow gconfd_t gnome_xdg_cache_home_t:file manage_file_perms;
- manage_dirs_pattern(gconfd_t, gnome_xdg_cache_home_t, gnome_xdg_cache_home_t)
-
- allow gconfd_t gnome_xdg_config_home_t:file manage_file_perms;
- manage_dirs_pattern(gconfd_t, gnome_xdg_config_home_t, gnome_xdg_config_home_t)
-
- allow gconfd_t gnome_xdg_data_home_t:file manage_file_perms;
- manage_dirs_pattern(gconfd_t, gnome_xdg_data_home_t, gnome_xdg_data_home_t)
-')
-
optional_policy(`
xserver_rw_xsession_log(gkeyringd_domain)
')
+
+ifdef(`distro_gentoo',`
+ typealias gnome_xdg_cache_t alias gnome_xdg_cache_home_t;
+ typealias gnome_xdg_config_t alias gnome_xdg_config_home_t;
+ typealias gnome_xdg_data_t alias gnome_xdg_data_home_t;
+')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2018-06-24 8:46 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2018-06-24 8:46 UTC (permalink / raw
To: gentoo-commits
commit: 069e44feb788fe848a3a27ed42d580f99c4aa151
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Jun 16 04:29:22 2018 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Jun 16 14:35:45 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=069e44fe
pulseaudio: migrate to upstream xdg interfaces
policy/modules/contrib/pulseaudio.te | 11 -----------
1 file changed, 11 deletions(-)
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index 167de7c9..1a58bde5 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -306,14 +306,3 @@ optional_policy(`
optional_policy(`
unconfined_signull(pulseaudio_client)
')
-
-ifdef(`distro_gentoo',`
- typealias pulseaudio_home_t alias pulseaudio_xdg_config_t;
-
- # ~/.config/pulse/
- xdg_config_home_filetrans(pulseaudio_t, pulseaudio_home_t, dir, "pulse")
- xdg_config_home_filetrans(pulseaudio_client, pulseaudio_home_t, dir, "pulse")
-
- # /tmp/pulse-* gets created by the clients usually as user_tmp_t, bug 556526
- userdom_list_user_tmp(pulseaudio_client)
-')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2018-06-24 8:46 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2018-06-24 8:46 UTC (permalink / raw
To: gentoo-commits
commit: e0b7ab785a4807bba64814a1763ffd76b431d116
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Jun 10 17:39:35 2018 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Jun 14 12:56:53 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e0b7ab78
XDG module version bump.
policy/modules/contrib/cron.te | 2 +-
policy/modules/contrib/evolution.te | 2 +-
policy/modules/contrib/firstboot.te | 2 +-
policy/modules/contrib/gnome.te | 2 +-
policy/modules/contrib/gpg.te | 2 +-
policy/modules/contrib/i18n_input.te | 2 +-
policy/modules/contrib/irc.te | 2 +-
policy/modules/contrib/java.te | 2 +-
policy/modules/contrib/minidlna.te | 2 +-
policy/modules/contrib/mozilla.te | 2 +-
policy/modules/contrib/mplayer.te | 2 +-
policy/modules/contrib/openoffice.te | 2 +-
policy/modules/contrib/postfix.te | 2 +-
policy/modules/contrib/pulseaudio.te | 2 +-
policy/modules/contrib/syncthing.te | 2 +-
policy/modules/contrib/telepathy.te | 2 +-
policy/modules/contrib/thunderbird.te | 2 +-
policy/modules/contrib/wireshark.te | 2 +-
policy/modules/contrib/xscreensaver.te | 2 +-
19 files changed, 19 insertions(+), 19 deletions(-)
diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te
index 6479d526..49a14a6a 100644
--- a/policy/modules/contrib/cron.te
+++ b/policy/modules/contrib/cron.te
@@ -1,4 +1,4 @@
-policy_module(cron, 2.13.1)
+policy_module(cron, 2.13.2)
gen_require(`
class passwd rootok;
diff --git a/policy/modules/contrib/evolution.te b/policy/modules/contrib/evolution.te
index 8fb6a5d2..e8362b8a 100644
--- a/policy/modules/contrib/evolution.te
+++ b/policy/modules/contrib/evolution.te
@@ -1,4 +1,4 @@
-policy_module(evolution, 2.8.1)
+policy_module(evolution, 2.8.2)
########################################
#
diff --git a/policy/modules/contrib/firstboot.te b/policy/modules/contrib/firstboot.te
index d5fed3ec..1576b498 100644
--- a/policy/modules/contrib/firstboot.te
+++ b/policy/modules/contrib/firstboot.te
@@ -1,4 +1,4 @@
-policy_module(firstboot, 1.14.0)
+policy_module(firstboot, 1.14.1)
gen_require(`
class passwd { passwd chfn chsh rootok };
diff --git a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te
index e9b51ded..e198bc71 100644
--- a/policy/modules/contrib/gnome.te
+++ b/policy/modules/contrib/gnome.te
@@ -1,4 +1,4 @@
-policy_module(gnome, 2.9.1)
+policy_module(gnome, 2.9.2)
##############################
#
diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index 12a6e44d..0e6b6f74 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -1,4 +1,4 @@
-policy_module(gpg, 2.13.1)
+policy_module(gpg, 2.13.2)
########################################
#
diff --git a/policy/modules/contrib/i18n_input.te b/policy/modules/contrib/i18n_input.te
index ac499495..181d3e90 100644
--- a/policy/modules/contrib/i18n_input.te
+++ b/policy/modules/contrib/i18n_input.te
@@ -1,4 +1,4 @@
-policy_module(i18n_input, 1.12.0)
+policy_module(i18n_input, 1.12.1)
########################################
#
diff --git a/policy/modules/contrib/irc.te b/policy/modules/contrib/irc.te
index 7f34e532..99ddaecb 100644
--- a/policy/modules/contrib/irc.te
+++ b/policy/modules/contrib/irc.te
@@ -1,4 +1,4 @@
-policy_module(irc, 2.5.0)
+policy_module(irc, 2.5.1)
########################################
#
diff --git a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te
index 78a994e0..c9b2487e 100644
--- a/policy/modules/contrib/java.te
+++ b/policy/modules/contrib/java.te
@@ -1,4 +1,4 @@
-policy_module(java, 2.11.0)
+policy_module(java, 2.11.1)
########################################
#
diff --git a/policy/modules/contrib/minidlna.te b/policy/modules/contrib/minidlna.te
index a94860a0..2d2840e0 100644
--- a/policy/modules/contrib/minidlna.te
+++ b/policy/modules/contrib/minidlna.te
@@ -1,4 +1,4 @@
-policy_module(minidlna, 1.2.0)
+policy_module(minidlna, 1.2.1)
#############################################
#
diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
index 552db05e..5a0a0a5b 100644
--- a/policy/modules/contrib/mozilla.te
+++ b/policy/modules/contrib/mozilla.te
@@ -1,4 +1,4 @@
-policy_module(mozilla, 2.13.1)
+policy_module(mozilla, 2.13.2)
########################################
#
diff --git a/policy/modules/contrib/mplayer.te b/policy/modules/contrib/mplayer.te
index ba19a870..a1af29df 100644
--- a/policy/modules/contrib/mplayer.te
+++ b/policy/modules/contrib/mplayer.te
@@ -1,4 +1,4 @@
-policy_module(mplayer, 2.7.0)
+policy_module(mplayer, 2.7.1)
########################################
#
diff --git a/policy/modules/contrib/openoffice.te b/policy/modules/contrib/openoffice.te
index 6da6335d..2cb4d6d2 100644
--- a/policy/modules/contrib/openoffice.te
+++ b/policy/modules/contrib/openoffice.te
@@ -1,4 +1,4 @@
-policy_module(openoffice, 1.3.0)
+policy_module(openoffice, 1.3.1)
##############################
#
diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te
index 212d34d4..03843a2a 100644
--- a/policy/modules/contrib/postfix.te
+++ b/policy/modules/contrib/postfix.te
@@ -1,4 +1,4 @@
-policy_module(postfix, 1.19.0)
+policy_module(postfix, 1.19.1)
########################################
#
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index 81760a40..167de7c9 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -1,4 +1,4 @@
-policy_module(pulseaudio, 1.11.0)
+policy_module(pulseaudio, 1.11.1)
########################################
#
diff --git a/policy/modules/contrib/syncthing.te b/policy/modules/contrib/syncthing.te
index de3b9791..5799b8e2 100644
--- a/policy/modules/contrib/syncthing.te
+++ b/policy/modules/contrib/syncthing.te
@@ -1,4 +1,4 @@
-policy_module(syncthing, 1.0.0)
+policy_module(syncthing, 1.0.1)
########################################
#
diff --git a/policy/modules/contrib/telepathy.te b/policy/modules/contrib/telepathy.te
index 5a05159e..8f0997d9 100644
--- a/policy/modules/contrib/telepathy.te
+++ b/policy/modules/contrib/telepathy.te
@@ -1,4 +1,4 @@
-policy_module(telepathy, 1.8.0)
+policy_module(telepathy, 1.8.1)
########################################
#
diff --git a/policy/modules/contrib/thunderbird.te b/policy/modules/contrib/thunderbird.te
index 07699a32..62e0accb 100644
--- a/policy/modules/contrib/thunderbird.te
+++ b/policy/modules/contrib/thunderbird.te
@@ -1,4 +1,4 @@
-policy_module(thunderbird, 2.7.0)
+policy_module(thunderbird, 2.7.1)
########################################
#
diff --git a/policy/modules/contrib/wireshark.te b/policy/modules/contrib/wireshark.te
index 7eabbc8b..1f2641f4 100644
--- a/policy/modules/contrib/wireshark.te
+++ b/policy/modules/contrib/wireshark.te
@@ -1,4 +1,4 @@
-policy_module(wireshark, 2.6.0)
+policy_module(wireshark, 2.6.1)
########################################
#
diff --git a/policy/modules/contrib/xscreensaver.te b/policy/modules/contrib/xscreensaver.te
index e6f5e649..4e67161c 100644
--- a/policy/modules/contrib/xscreensaver.te
+++ b/policy/modules/contrib/xscreensaver.te
@@ -1,4 +1,4 @@
-policy_module(xscreensaver, 1.3.0)
+policy_module(xscreensaver, 1.3.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2018-06-24 8:46 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2018-06-24 8:46 UTC (permalink / raw
To: gentoo-commits
commit: 3d7c163810e87958c8eed978d0297463ce958005
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Jun 14 14:32:02 2018 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Jun 16 13:16:02 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3d7c1638
xdg: remove gentoo-specific xdg rules
policy/modules/contrib/minidlna.te | 28 ----------------------------
1 file changed, 28 deletions(-)
diff --git a/policy/modules/contrib/minidlna.te b/policy/modules/contrib/minidlna.te
index 2d2840e0..565f6090 100644
--- a/policy/modules/contrib/minidlna.te
+++ b/policy/modules/contrib/minidlna.te
@@ -104,31 +104,3 @@ tunable_policy(`minidlna_read_generic_user_content',`
userdom_dontaudit_read_user_home_content_files(minidlna_t)
userdom_dontaudit_read_user_tmp_files(minidlna_t)
')
-
-ifdef(`distro_gentoo',`
-
-## <desc>
-## <p>
-## Determine whether minidlna can read all user content.
-## </p>
-## </desc>
-gen_tunable(minidlna_read_all_user_content, false)
-
-## <desc>
-## <p>
-## Determine whether minidlna can read users xdg videos, pictures and music labeled files
-## </p>
-## </desc>
-gen_tunable(minidlna_read_xdg_media_content, false)
-
- tunable_policy(`minidlna_read_all_user_content',`
- userdom_list_user_tmp(minidlna_t)
- userdom_read_all_user_home_content(minidlna_t)
- ')
-
- tunable_policy(`minidlna_read_xdg_media_content',`
- xdg_read_music_home(minidlna_t)
- xdg_read_pictures_home(minidlna_t)
- xdg_read_videos_home(minidlna_t)
- ')
-')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2018-06-24 8:46 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2018-06-24 8:46 UTC (permalink / raw
To: gentoo-commits
commit: dbe18188f633a120c1c900140da3e824cd339ecb
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Jun 16 07:34:08 2018 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Jun 16 14:35:45 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=dbe18188
pulseaudio: deprecate gentoo-specific pulseaudio_client_domain()
policy/modules/contrib/chromium.te | 5 +++-
policy/modules/contrib/pulseaudio.if | 50 ++++++++++++++++++-----------------
policy/modules/contrib/skype.te | 5 +++-
policy/modules/contrib/thunderbird.te | 3 ++-
4 files changed, 36 insertions(+), 27 deletions(-)
diff --git a/policy/modules/contrib/chromium.te b/policy/modules/contrib/chromium.te
index 29e7fee7..72621719 100644
--- a/policy/modules/contrib/chromium.te
+++ b/policy/modules/contrib/chromium.te
@@ -74,6 +74,9 @@ userdom_user_tmp_file(chromium_tmp_t)
type chromium_tmpfs_t;
userdom_user_tmpfs_file(chromium_tmpfs_t)
+optional_policy(`
+ pulseaudio_tmpfs_content(chromium_tmpfs_t)
+')
type chromium_xdg_config_t;
xdg_config_home_content(chromium_xdg_config_t)
@@ -271,7 +274,7 @@ ifdef(`use_alsa',`
')
optional_policy(`
- pulseaudio_client_domain(chromium_t, chromium_tmpfs_t)
+ pulseaudio_domtrans(chromium_t)
')
')
diff --git a/policy/modules/contrib/pulseaudio.if b/policy/modules/contrib/pulseaudio.if
index 3073fd4a..ca005df0 100644
--- a/policy/modules/contrib/pulseaudio.if
+++ b/policy/modules/contrib/pulseaudio.if
@@ -356,30 +356,6 @@ interface(`pulseaudio_tmpfs_content',`
typeattribute $1 pulseaudio_tmpfsfile;
')
-# Below are Gentoo specifics but ifdef distro_gentoo cannot be used in interfaces
-
-########################################
-## <summary>
-## Mark the specified domain as a PulseAudio client domain
-## and the related tmpfs file type as a (shared) PulseAudio tmpfs
-## file type used for the shared memory access
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain to become a PulseAudio client domain
-## </summary>
-## </param>
-## <param name="tmpfstype">
-## <summary>
-## Tmpfs type used for shared memory of the given domain
-## </summary>
-## </param>
-#
-interface(`pulseaudio_client_domain',`
- pulseaudio_domtrans($1)
- pulseaudio_tmpfs_content($2)
-')
-
#######################################
## <summary>
## Read pulseaudio tmpfs files.
@@ -418,3 +394,29 @@ interface(`pulseaudio_rw_tmpfs_files',`
fs_search_tmpfs($1)
rw_files_pattern($1, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t)
')
+
+# Below are Gentoo specifics but ifdef distro_gentoo cannot be used in interfaces
+
+########################################
+## <summary>
+## Mark the specified domain as a PulseAudio client domain
+## and the related tmpfs file type as a (shared) PulseAudio tmpfs
+## file type used for the shared memory access
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to become a PulseAudio client domain
+## </summary>
+## </param>
+## <param name="tmpfstype">
+## <summary>
+## Tmpfs type used for shared memory of the given domain
+## </summary>
+## </param>
+#
+interface(`pulseaudio_client_domain',`
+ refpolicywarn(`$0($*) has been deprecated')
+
+ pulseaudio_domtrans($1)
+ pulseaudio_tmpfs_content($2)
+')
diff --git a/policy/modules/contrib/skype.te b/policy/modules/contrib/skype.te
index be0684f8..85ce3c10 100644
--- a/policy/modules/contrib/skype.te
+++ b/policy/modules/contrib/skype.te
@@ -29,6 +29,9 @@ ubac_constrained(skype_tmp_t)
type skype_tmpfs_t;
files_tmpfs_file(skype_tmpfs_t)
ubac_constrained(skype_tmpfs_t)
+optional_policy(`
+ pulseaudio_tmpfs_content(skype_tmpfs_t)
+')
############################
#
@@ -114,7 +117,7 @@ tunable_policy(`skype_manage_user_content',`
')
optional_policy(`
- pulseaudio_client_domain(skype_t, skype_tmpfs_t)
+ pulseaudio_domtrans(skype_t)
')
optional_policy(`
diff --git a/policy/modules/contrib/thunderbird.te b/policy/modules/contrib/thunderbird.te
index 62e0accb..4fa94a18 100644
--- a/policy/modules/contrib/thunderbird.te
+++ b/policy/modules/contrib/thunderbird.te
@@ -215,7 +215,8 @@ ifdef(`distro_gentoo',`
xdg_read_data_home_files(thunderbird_t)
optional_policy(`
- pulseaudio_client_domain(thunderbird_t, thunderbird_tmpfs_t)
+ pulseaudio_domtrans(thunderbird_t)
+ pulseaudio_tmpfs_content(thunderbird_tmpfs_t)
')
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2018-06-24 8:46 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2018-06-24 8:46 UTC (permalink / raw
To: gentoo-commits
commit: 6aa6d4c122f71c70f45bc09edea0e945fc366381
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Mar 25 11:57:09 2018 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Jun 14 12:56:53 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6aa6d4c1
Make java user content access optional
The java_domain attribute covers many java related domains.
Historically, the privileges on the java domain have been quite open,
including the access to the users' personal files. However, this should
not be the case at all times - some administrators might want to reduce
this scope, and only grant specific domains (rather than the generic
java ones) the necessary accesses.
In this patch, the manage rights on the user content is moved under
support of specific java-related booleans.
Changes since v1:
- Move tunable definition inside template
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
policy/modules/contrib/java.te | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te
index f23a330b..78a994e0 100644
--- a/policy/modules/contrib/java.te
+++ b/policy/modules/contrib/java.te
@@ -109,15 +109,16 @@ miscfiles_read_fonts(java_domain)
userdom_dontaudit_use_user_terminals(java_domain)
userdom_dontaudit_exec_user_home_content_files(java_domain)
-userdom_manage_user_home_content_dirs(java_domain)
-userdom_manage_user_home_content_files(java_domain)
-userdom_manage_user_home_content_symlinks(java_domain)
-userdom_manage_user_home_content_pipes(java_domain)
-userdom_manage_user_home_content_sockets(java_domain)
-userdom_user_home_dir_filetrans_user_home_content(java_domain, { file lnk_file sock_file fifo_file })
+userdom_user_content_access_template(java, java_domain)
userdom_write_user_tmp_sockets(java_domain)
+tunable_policy(`java_manage_generic_user_content',`
+ userdom_manage_user_home_content_pipes(java_domain)
+ userdom_manage_user_home_content_sockets(java_domain)
+ userdom_user_home_dir_filetrans_user_home_content(java_domain, { file lnk_file sock_file fifo_file })
+')
+
ifdef(`distro_gentoo',`
# For java browser plugin accessing internet resources
allow java_domain self:netlink_route_socket create_netlink_socket_perms;
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2018-06-24 8:46 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2018-06-24 8:46 UTC (permalink / raw
To: gentoo-commits
commit: 417531b2a24c4ce1da7378579b265abd06a4c983
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Mar 25 11:57:12 2018 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Jun 14 12:56:53 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=417531b2
Make wireshark user content access optional
The wireshark application does not need full manage rights on user
content. Hence, we make these privileges optional through support of the
wireshark_*_user_content booleans.
To allow wireshark to read recorded network traffic, wireshark is
granted read access on the downloads location.
Changes since v1:
- Move tunable definition inside template
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
policy/modules/contrib/wireshark.te | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/wireshark.te b/policy/modules/contrib/wireshark.te
index 30dd6af8..7eabbc8b 100644
--- a/policy/modules/contrib/wireshark.te
+++ b/policy/modules/contrib/wireshark.te
@@ -102,8 +102,9 @@ miscfiles_read_localization(wireshark_t)
userdom_use_user_terminals(wireshark_t)
-userdom_manage_user_home_content_files(wireshark_t)
-userdom_user_home_dir_filetrans_user_home_content(wireshark_t, file)
+userdom_user_content_access_template(wireshark, wireshark_t)
+
+xdg_read_downloads(wireshark_t)
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(wireshark_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2018-06-24 8:46 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2018-06-24 8:46 UTC (permalink / raw
To: gentoo-commits
commit: 3f70983f816e464b3071a17ca690115c61c35fba
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Mar 25 11:57:14 2018 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Jun 14 12:56:53 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3f70983f
Switch syncthing to XDG config types and make user content access optional
The syncthing application can, but does not have to, be used for
synchronizing end user data. Hence, the user data access is made
optional through the support of the syncthing_*_user_content booleans.
Also, the syncthing_config_home_t type is renamed to
syncthing_xdg_config_t to be aligned with the XDG setup. An alias
is put in place to allow for a transitional period before
syncthing_config_home_t is completely phaded out.
Changes since v2:
- Fix typo in call to userdom_user_content_access_template
Changes since v1:
- Move tunable definition inside template
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
policy/modules/contrib/syncthing.fc | 2 +-
policy/modules/contrib/syncthing.if | 8 ++++----
policy/modules/contrib/syncthing.te | 19 ++++++++-----------
3 files changed, 13 insertions(+), 16 deletions(-)
diff --git a/policy/modules/contrib/syncthing.fc b/policy/modules/contrib/syncthing.fc
index 4f7f53ed..e95b451e 100644
--- a/policy/modules/contrib/syncthing.fc
+++ b/policy/modules/contrib/syncthing.fc
@@ -1,3 +1,3 @@
/usr/bin/syncthing -- gen_context(system_u:object_r:syncthing_exec_t,s0)
-HOME_DIR/\.config/syncthing(/.*)? gen_context(system_u:object_r:syncthing_config_home_t,s0)
+HOME_DIR/\.config/syncthing(/.*)? gen_context(system_u:object_r:syncthing_xdg_config_t,s0)
diff --git a/policy/modules/contrib/syncthing.if b/policy/modules/contrib/syncthing.if
index 065800a3..2c0eb24c 100644
--- a/policy/modules/contrib/syncthing.if
+++ b/policy/modules/contrib/syncthing.if
@@ -18,14 +18,14 @@
interface(`syncthing_role', `
gen_require(`
attribute_role syncthing_roles;
- type syncthing_t, syncthing_exec_t, syncthing_config_home_t;
+ type syncthing_t, syncthing_exec_t, syncthing_xdg_config_t;
')
roleattribute $1 syncthing_roles;
domtrans_pattern($2, syncthing_exec_t, syncthing_t)
- allow $2 syncthing_config_home_t:file { manage_file_perms relabel_file_perms };
- allow $2 syncthing_config_home_t:dir { manage_dir_perms relabel_dir_perms };
- allow $2 syncthing_config_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+ allow $2 syncthing_xdg_config_t:file { manage_file_perms relabel_file_perms };
+ allow $2 syncthing_xdg_config_t:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 syncthing_xdg_config_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
')
diff --git a/policy/modules/contrib/syncthing.te b/policy/modules/contrib/syncthing.te
index 92d0bf51..de3b9791 100644
--- a/policy/modules/contrib/syncthing.te
+++ b/policy/modules/contrib/syncthing.te
@@ -13,8 +13,8 @@ type syncthing_exec_t;
init_daemon_domain(syncthing_t, syncthing_exec_t)
userdom_user_application_domain(syncthing_t, syncthing_exec_t)
-type syncthing_config_home_t;
-userdom_user_home_content(syncthing_config_home_t)
+type syncthing_xdg_config_t alias syncthing_config_home_t;
+xdg_config_content(syncthing_xdg_config_t)
########################################
#
@@ -27,9 +27,10 @@ allow syncthing_t self:tcp_socket { listen accept };
can_exec(syncthing_t, syncthing_exec_t)
-manage_dirs_pattern(syncthing_t, syncthing_config_home_t, syncthing_config_home_t)
-manage_files_pattern(syncthing_t, syncthing_config_home_t, syncthing_config_home_t)
-manage_lnk_files_pattern(syncthing_t, syncthing_config_home_t, syncthing_config_home_t)
+manage_dirs_pattern(syncthing_t, syncthing_xdg_config_t, syncthing_xdg_config_t)
+manage_files_pattern(syncthing_t, syncthing_xdg_config_t, syncthing_xdg_config_t)
+manage_lnk_files_pattern(syncthing_t, syncthing_xdg_config_t, syncthing_xdg_config_t)
+xdg_config_filetrans(syncthing_t, syncthing_xdg_config_t, dir)
kernel_read_kernel_sysctls(syncthing_t)
kernel_read_net_sysctls(syncthing_t)
@@ -58,13 +59,9 @@ auth_use_nsswitch(syncthing_t)
miscfiles_read_generic_certs(syncthing_t)
miscfiles_read_localization(syncthing_t)
-userdom_manage_user_home_content_files(syncthing_t)
-userdom_manage_user_home_content_dirs(syncthing_t)
-userdom_manage_user_home_content_symlinks(syncthing_t)
-userdom_user_home_dir_filetrans_user_home_content(syncthing_t, dir)
+userdom_user_content_access_template(syncthing, syncthing_t)
+
userdom_use_user_terminals(syncthing_t)
-# newly created files in ~/.config/syncthing/ will transition to syncthing_config_home_t
-userdom_user_home_content_filetrans(syncthing_t, syncthing_config_home_t, dir, "syncthing")
optional_policy(`
# temporary hack for /run/NetworkManager/resolv.conf until we make this part of sysnet_dns_name_resolve()
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2018-06-24 8:46 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2018-06-24 8:46 UTC (permalink / raw
To: gentoo-commits
commit: f097f60dd8911534016b5e356313096a2bf413df
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Mar 25 11:57:13 2018 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Jun 14 12:56:53 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f097f60d
Make xscreensaver user content access optional
The xscreensaver application currently has the privileges to read user
content, to display images stored in the users' home directory. We now
grant this through xdg_pictures_t access, and make the generic user
content access optional.
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
policy/modules/contrib/xscreensaver.te | 26 +++++++++++++++++++++++++-
1 file changed, 25 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/xscreensaver.te b/policy/modules/contrib/xscreensaver.te
index 1f581107..e6f5e649 100644
--- a/policy/modules/contrib/xscreensaver.te
+++ b/policy/modules/contrib/xscreensaver.te
@@ -5,6 +5,13 @@ policy_module(xscreensaver, 1.3.0)
# Declarations
#
+## <desc>
+## <p>
+## Grant the xscreensaver domains read access to generic user content
+## </p>
+## </desc>
+gen_tunable(`xscreensaver_read_generic_user_content', true)
+
attribute_role xscreensaver_roles;
attribute_role xscreensaver_helper_roles;
@@ -56,11 +63,28 @@ logging_send_syslog_msg(xscreensaver_t)
miscfiles_read_localization(xscreensaver_t)
userdom_use_user_terminals(xscreensaver_t)
-userdom_read_user_home_content_files(xscreensaver_t)
+
+xdg_read_pictures(xscreensaver_t)
xserver_rw_xsession_log(xscreensaver_t)
xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t)
+tunable_policy(`xscreensaver_read_generic_user_content',`
+ userdom_list_user_tmp(xscreensaver_t)
+ userdom_list_user_home_content(xscreensaver_t)
+ userdom_read_user_home_content_files(xscreensaver_t)
+ userdom_read_user_home_content_symlinks(xscreensaver_t)
+ userdom_read_user_tmp_files(xscreensaver_t)
+',`
+ files_dontaudit_list_home(xscreensaver_t)
+ files_dontaudit_list_tmp(xscreensaver_t)
+
+ userdom_dontaudit_list_user_home_dirs(xscreensaver_t)
+ userdom_dontaudit_list_user_tmp(xscreensaver_t)
+ userdom_dontaudit_read_user_home_content_files(xscreensaver_t)
+ userdom_dontaudit_read_user_tmp_files(xscreensaver_t)
+')
+
########################################
#
# Helper local policy
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2018-06-24 8:46 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2018-06-24 8:46 UTC (permalink / raw
To: gentoo-commits
commit: d61a937aadcff678640a712430f84c5cb9cc7443
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Mar 25 11:57:11 2018 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Jun 14 12:56:53 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d61a937a
Make postfix user content access optional
The postfix virtual domain does not always need full manage rights on
the users' home directories and content. We make these rights optional
through the postfix_{read,manage}_{generic,all}_user_content booleans.
Changes since v1:
- Move tunable definition inside template
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
policy/modules/contrib/postfix.te | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te
index 5463a21c..212d34d4 100644
--- a/policy/modules/contrib/postfix.te
+++ b/policy/modules/contrib/postfix.te
@@ -826,11 +826,7 @@ mta_delete_spool(postfix_virtual_t)
mta_read_config(postfix_virtual_t)
mta_manage_spool(postfix_virtual_t)
-userdom_manage_user_home_dirs(postfix_virtual_t)
-userdom_manage_user_home_content_dirs(postfix_virtual_t)
-userdom_manage_user_home_content_files(postfix_virtual_t)
-userdom_home_filetrans_user_home_dir(postfix_virtual_t)
-userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, { file dir })
+userdom_user_content_access_template(postfix, postfix_virtual_t)
ifdef(`distro_gentoo',`
#####################################
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2018-06-24 8:46 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2018-06-24 8:46 UTC (permalink / raw
To: gentoo-commits
commit: 76c143d44f9ca0f671344b247b24230c816d9ace
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Mar 25 11:57:10 2018 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Jun 14 12:56:53 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=76c143d4
Make openoffice user content access optional
The openoffice domain should not have full manage rights on all user
content. Instead, it is granted manage rights on the documents
(xdg_documents_t) while the other privileges are made optional through
the openoffice_{read,manage}_{generic,all}_user_content booleans.
Changes since v1:
- Move tunable definitions inside template
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
policy/modules/contrib/openoffice.te | 12 ++++--------
1 file changed, 4 insertions(+), 8 deletions(-)
diff --git a/policy/modules/contrib/openoffice.te b/policy/modules/contrib/openoffice.te
index d2371f57..6da6335d 100644
--- a/policy/modules/contrib/openoffice.te
+++ b/policy/modules/contrib/openoffice.te
@@ -94,18 +94,14 @@ sysnet_dns_name_resolve(ooffice_t)
userdom_dontaudit_exec_user_home_content_files(ooffice_t)
userdom_dontaudit_manage_user_tmp_dirs(ooffice_t)
-
-userdom_read_user_tmp_files(ooffice_t)
-userdom_manage_user_home_content_dirs(ooffice_t)
-userdom_manage_user_home_content_files(ooffice_t)
-userdom_manage_user_home_content_symlinks(ooffice_t)
-userdom_user_home_dir_filetrans_user_home_content(ooffice_t, { dir file lnk_file fifo_file sock_file })
-
userdom_manage_user_tmp_dirs(ooffice_t)
userdom_manage_user_tmp_sockets(ooffice_t)
-
userdom_use_inherited_user_terminals(ooffice_t)
+userdom_user_content_access_template(openoffice, ooffice_t)
+
+xdg_manage_documents(ooffice_t)
+
tunable_policy(`openoffice_allow_update',`
corenet_tcp_connect_http_port(ooffice_t)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2018-06-09 5:24 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2018-06-09 5:24 UTC (permalink / raw
To: gentoo-commits
commit: b984ddb5cf16162f3b1066f71d99d010ab1779a2
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Fri Jun 8 09:09:40 2018 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Jun 8 11:10:51 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b984ddb5
dirmngr: allow connecting to hkps (hkp over TLS)
policy/modules/contrib/dirmngr.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/contrib/dirmngr.te b/policy/modules/contrib/dirmngr.te
index f2be3f70..983de0c6 100644
--- a/policy/modules/contrib/dirmngr.te
+++ b/policy/modules/contrib/dirmngr.te
@@ -69,10 +69,12 @@ dev_read_rand(dirmngr_t)
sysnet_dns_name_resolve(dirmngr_t)
+corenet_tcp_connect_http_port(dirmngr_t)
corenet_tcp_connect_pgpkeyserver_port(dirmngr_t)
corenet_udp_bind_generic_node(dirmngr_t)
files_read_etc_files(dirmngr_t)
+files_read_usr_files(dirmngr_t)
miscfiles_read_localization(dirmngr_t)
miscfiles_read_generic_certs(dirmngr_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2018-06-09 5:24 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2018-06-09 5:24 UTC (permalink / raw
To: gentoo-commits
commit: 42545cbd9d2a1d266e84907a669873b5b3b31ff1
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Apr 22 11:41:20 2018 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Jun 8 11:10:51 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=42545cbd
colord: allow mapping usr files
policy/modules/contrib/colord.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/colord.te b/policy/modules/contrib/colord.te
index 0236b279..ca3aae6e 100644
--- a/policy/modules/contrib/colord.te
+++ b/policy/modules/contrib/colord.te
@@ -83,6 +83,7 @@ domain_use_interactive_fds(colord_t)
files_list_mnt(colord_t)
files_read_usr_files(colord_t)
+files_map_usr_files(colord_t)
fs_getattr_noxattr_fs(colord_t)
fs_getattr_tmpfs(colord_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2018-06-09 5:24 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2018-06-09 5:24 UTC (permalink / raw
To: gentoo-commits
commit: b7f21ed3852a1688dc52dc89f2f37b85e93a0d9c
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Fri Jun 8 11:18:05 2018 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Jun 8 11:19:06 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b7f21ed3
gpg: Introduce gpg_exec_agent()
policy/modules/contrib/gpg.if | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/policy/modules/contrib/gpg.if b/policy/modules/contrib/gpg.if
index 359560f8..78efb186 100644
--- a/policy/modules/contrib/gpg.if
+++ b/policy/modules/contrib/gpg.if
@@ -123,6 +123,25 @@ interface(`gpg_spec_domtrans',`
domain_auto_transition_pattern($1, gpg_exec_t, $2)
')
+########################################
+## <summary>
+## Execute the gpg-agent in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gpg_exec_agent',`
+ gen_require(`
+ type gpg_agent_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, gpg_agent_exec_t)
+')
+
######################################
## <summary>
## Make gpg executable files an
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2018-06-09 5:24 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2018-06-09 5:24 UTC (permalink / raw
To: gentoo-commits
commit: 72a1e7f19c14ef58114bfeb4510194f0cd11cc73
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Jun 7 10:28:05 2018 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Jun 8 11:10:51 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=72a1e7f1
redis: add log filetrans, already had log manage
policy/modules/contrib/redis.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/redis.te b/policy/modules/contrib/redis.te
index fda6e5b2..2c8495b6 100644
--- a/policy/modules/contrib/redis.te
+++ b/policy/modules/contrib/redis.te
@@ -39,6 +39,7 @@ allow redis_t redis_conf_t:file rw_file_perms;
manage_dirs_pattern(redis_t, redis_log_t, redis_log_t)
manage_files_pattern(redis_t, redis_log_t, redis_log_t)
manage_lnk_files_pattern(redis_t, redis_log_t, redis_log_t)
+logging_log_filetrans(redis_t, redis_log_t, dir)
manage_dirs_pattern(redis_t, redis_var_lib_t, redis_var_lib_t)
manage_files_pattern(redis_t, redis_var_lib_t, redis_var_lib_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2018-06-09 5:24 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2018-06-09 5:24 UTC (permalink / raw
To: gentoo-commits
commit: 15024f09418e364b25ab3ba1b3c202d41b6bacd3
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Fri Jun 8 11:09:13 2018 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Jun 8 11:19:06 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=15024f09
portage: allow gpg for tree signature verification
policy/modules/contrib/portage.te | 17 +++++++++++++++--
1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/portage.te b/policy/modules/contrib/portage.te
index e0aea54c..47d7fcc6 100644
--- a/policy/modules/contrib/portage.te
+++ b/policy/modules/contrib/portage.te
@@ -227,6 +227,10 @@ optional_policy(`
cron_system_entry(portage_fetch_t, portage_fetch_exec_t)
')
+optional_policy(`
+ gpg_spec_domtrans(portage_t, portage_fetch_t)
+')
+
optional_policy(`
modutils_run(portage_t, portage_roles)
#dontaudit update_modules_t portage_tmp_t:dir search_dir_perms;
@@ -253,7 +257,7 @@ allow portage_fetch_t self:process signal;
allow portage_fetch_t self:capability { chown dac_read_search dac_override fowner fsetid };
allow portage_fetch_t self:fifo_file rw_fifo_file_perms;
allow portage_fetch_t self:tcp_socket { accept listen };
-allow portage_fetch_t self:unix_stream_socket create_socket_perms;
+allow portage_fetch_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow portage_fetch_t portage_conf_t:dir list_dir_perms;
@@ -264,6 +268,7 @@ allow portage_fetch_t portage_gpg_t:file manage_file_perms;
allow portage_fetch_t portage_tmp_t:dir manage_dir_perms;
allow portage_fetch_t portage_tmp_t:file manage_file_perms;
+allow portage_fetch_t portage_tmp_t:sock_file manage_sock_file_perms;
read_files_pattern(portage_fetch_t, portage_conf_t, portage_conf_t)
@@ -300,8 +305,10 @@ corenet_tcp_connect_all_reserved_ports(portage_fetch_t)
corenet_tcp_connect_generic_port(portage_fetch_t)
# bug 540056
corenet_tcp_connect_all_unreserved_ports(portage_fetch_t)
+corenet_udp_bind_generic_node(portage_fetch_t)
+corenet_udp_bind_all_unreserved_ports(portage_fetch_t)
-dev_dontaudit_read_rand(portage_fetch_t)
+dev_read_rand(portage_fetch_t)
domain_use_interactive_fds(portage_fetch_t)
@@ -344,7 +351,13 @@ tunable_policy(`portage_read_user_content',`
')
optional_policy(`
+ gpg_entry_type(portage_fetch_t)
gpg_exec(portage_fetch_t)
+ gpg_exec_agent(portage_fetch_t)
+')
+
+optional_policy(`
+ dirmngr_exec(portage_fetch_t)
')
##########################################
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2018-04-22 14:07 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2018-04-22 14:07 UTC (permalink / raw
To: gentoo-commits
commit: 00d9b0fc77f8205e1a43a484bba28acc39f039fa
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Jan 24 04:40:00 2018 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 22 11:59:13 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=00d9b0fc
xdg: allow lnk_file for home xdg types (downloads, music, videos, etc)
policy/modules/contrib/xdg.if | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/policy/modules/contrib/xdg.if b/policy/modules/contrib/xdg.if
index 3188d96f..b48016a0 100644
--- a/policy/modules/contrib/xdg.if
+++ b/policy/modules/contrib/xdg.if
@@ -785,6 +785,8 @@ interface(`xdg_read_downloads_home',`
read_files_pattern($1, xdg_downloads_home_t, xdg_downloads_home_t)
allow $1 xdg_downloads_home_t:file map;
+ list_dirs_pattern($1, xdg_downloads_home_t, xdg_downloads_home_t)
+ read_lnk_files_pattern($1, xdg_downloads_home_t, xdg_downloads_home_t)
userdom_search_user_home_dirs($1)
')
@@ -807,6 +809,7 @@ interface(`xdg_read_videos_home',`
read_files_pattern($1, xdg_videos_home_t, xdg_videos_home_t)
allow $1 xdg_videos_home_t:file map;
list_dirs_pattern($1, xdg_videos_home_t, xdg_videos_home_t)
+ read_lnk_files_pattern($1, xdg_videos_home_t, xdg_videos_home_t)
userdom_search_user_home_dirs($1)
')
@@ -829,6 +832,7 @@ interface(`xdg_read_pictures_home',`
read_files_pattern($1, xdg_pictures_home_t, xdg_pictures_home_t)
allow $1 xdg_pictures_home_t:file map;
list_dirs_pattern($1, xdg_pictures_home_t, xdg_pictures_home_t)
+ read_lnk_files_pattern($1, xdg_pictures_home_t, xdg_pictures_home_t)
userdom_search_user_home_dirs($1)
')
@@ -851,6 +855,7 @@ interface(`xdg_read_music_home',`
read_files_pattern($1, xdg_music_home_t, xdg_music_home_t)
allow $1 xdg_music_home_t:file map;
list_dirs_pattern($1, xdg_music_home_t, xdg_music_home_t)
+ read_lnk_files_pattern($1, xdg_music_home_t, xdg_music_home_t)
userdom_search_user_home_dirs($1)
')
@@ -914,6 +919,7 @@ interface(`xdg_manage_downloads_home',`
manage_dirs_pattern($1, xdg_downloads_home_t, xdg_downloads_home_t)
manage_files_pattern($1, xdg_downloads_home_t, xdg_downloads_home_t)
+ manage_lnk_files_pattern($1, xdg_downloads_home_t, xdg_downloads_home_t)
allow $1 xdg_downloads_home_t:file map;
')
@@ -934,6 +940,7 @@ interface(`xdg_manage_documents_home',`
manage_dirs_pattern($1, xdg_documents_home_t, xdg_documents_home_t)
manage_files_pattern($1, xdg_documents_home_t, xdg_documents_home_t)
+ manage_lnk_files_pattern($1, xdg_documents_home_t, xdg_documents_home_t)
allow $1 xdg_documents_home_t:file map;
')
@@ -954,6 +961,7 @@ interface(`xdg_manage_music_home',`
manage_dirs_pattern($1, xdg_music_home_t, xdg_music_home_t)
manage_files_pattern($1, xdg_music_home_t, xdg_music_home_t)
+ manage_lnk_files_pattern($1, xdg_music_home_t, xdg_music_home_t)
allow $1 xdg_music_home_t:file map;
')
@@ -974,6 +982,7 @@ interface(`xdg_manage_pictures_home',`
manage_dirs_pattern($1, xdg_pictures_home_t, xdg_pictures_home_t)
manage_files_pattern($1, xdg_pictures_home_t, xdg_pictures_home_t)
+ manage_lnk_files_pattern($1, xdg_pictures_home_t, xdg_pictures_home_t)
allow $1 xdg_pictures_home_t:file map;
')
@@ -994,5 +1003,6 @@ interface(`xdg_manage_videos_home',`
manage_dirs_pattern($1, xdg_videos_home_t, xdg_videos_home_t)
manage_files_pattern($1, xdg_videos_home_t, xdg_videos_home_t)
+ manage_lnk_files_pattern($1, xdg_videos_home_t, xdg_videos_home_t)
allow $1 xdg_videos_home_t:file map;
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2018-04-22 12:00 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2018-04-22 12:00 UTC (permalink / raw
To: gentoo-commits
commit: c5a0ff1ec0997bf6887ccdf1620c7630d49675ed
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Apr 12 11:38:06 2018 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 22 11:53:59 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c5a0ff1e
virt: Add netlink socket and filetrans
policy/modules/contrib/virt.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index dd4ae9b5..73d53004 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -475,6 +475,7 @@ allow virtd_t self:tcp_socket { accept listen };
allow virtd_t self:tun_socket { create_socket_perms relabelfrom relabelto };
allow virtd_t self:rawip_socket create_socket_perms;
allow virtd_t self:packet_socket create_socket_perms;
+allow virtd_t self:netlink_generic_socket create_socket_perms;
allow virtd_t self:netlink_kobject_uevent_socket create_socket_perms;
allow virtd_t self:netlink_route_socket nlmsg_write;
@@ -493,6 +494,7 @@ domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t)
manage_dirs_pattern(virtd_t, virt_cache_t, virt_cache_t)
manage_files_pattern(virtd_t, virt_cache_t, virt_cache_t)
+files_var_filetrans(virtd_t, virt_cache_t, { file dir })
manage_dirs_pattern(virtd_t, virt_content_t, virt_content_t)
manage_files_pattern(virtd_t, virt_content_t, virt_content_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2018-04-22 12:00 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2018-04-22 12:00 UTC (permalink / raw
To: gentoo-commits
commit: bd2b8d19d0ad21719a31065a325e8bf083dc623f
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Apr 12 11:38:05 2018 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 22 11:53:59 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=bd2b8d19
mta: Add msmtp fcontexts and allow ssl certs
policy/modules/contrib/mta.fc | 3 +++
policy/modules/contrib/mta.te | 1 +
2 files changed, 4 insertions(+)
diff --git a/policy/modules/contrib/mta.fc b/policy/modules/contrib/mta.fc
index ace4a1f1..66634b0c 100644
--- a/policy/modules/contrib/mta.fc
+++ b/policy/modules/contrib/mta.fc
@@ -2,6 +2,7 @@ HOME_DIR/\.esmtp_queue -- gen_context(system_u:object_r:mail_home_t,s0)
HOME_DIR/\.forward[^/]* -- gen_context(system_u:object_r:mail_home_t,s0)
HOME_DIR/dead\.letter -- gen_context(system_u:object_r:mail_home_t,s0)
HOME_DIR/\.mailrc -- gen_context(system_u:object_r:mail_home_t,s0)
+HOME_DIR/\.msmtprc -- gen_context(system_u:object_r:mail_home_t,s0)
HOME_DIR/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
HOME_DIR/DovecotMail(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
HOME_DIR/\.maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
@@ -10,10 +11,12 @@ HOME_DIR/\.maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
/etc/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0)
/etc/mail(/.*)? gen_context(system_u:object_r:etc_mail_t,s0)
/etc/mail/aliases.* -- gen_context(system_u:object_r:etc_aliases_t,s0)
+/etc/msmtprc -- gen_context(system_u:object_r:etc_mail_t,s0)
/etc/postfix/aliases.* -- gen_context(system_u:object_r:etc_aliases_t,s0)
/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
/usr/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+/usr/bin/msmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
/usr/bin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
/usr/bin/sendmail\.postfix -- gen_context(system_u:object_r:sendmail_exec_t,s0)
/usr/bin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
diff --git a/policy/modules/contrib/mta.te b/policy/modules/contrib/mta.te
index 996c1fb5..01183ef1 100644
--- a/policy/modules/contrib/mta.te
+++ b/policy/modules/contrib/mta.te
@@ -109,6 +109,7 @@ init_dontaudit_rw_utmp(user_mail_domain)
logging_send_syslog_msg(user_mail_domain)
+miscfiles_read_all_certs(user_mail_domain)
miscfiles_read_localization(user_mail_domain)
tunable_policy(`use_samba_home_dirs',`
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2018-04-22 12:00 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2018-04-22 12:00 UTC (permalink / raw
To: gentoo-commits
commit: 7d5664f48f42b70d705bb3abbafe23d372918985
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Thu Apr 12 23:11:25 2018 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 22 11:53:59 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7d5664f4
gnome, ifplugd, mozilla, mta, samba, virt: Module version bump.
policy/modules/contrib/gnome.te | 2 +-
policy/modules/contrib/ifplugd.te | 2 +-
policy/modules/contrib/mozilla.te | 2 +-
policy/modules/contrib/mta.te | 2 +-
policy/modules/contrib/samba.te | 2 +-
policy/modules/contrib/virt.te | 2 +-
6 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te
index 39b5ed5d..84b65163 100644
--- a/policy/modules/contrib/gnome.te
+++ b/policy/modules/contrib/gnome.te
@@ -1,4 +1,4 @@
-policy_module(gnome, 2.9.0)
+policy_module(gnome, 2.9.1)
##############################
#
diff --git a/policy/modules/contrib/ifplugd.te b/policy/modules/contrib/ifplugd.te
index 78bcd143..14180ac6 100644
--- a/policy/modules/contrib/ifplugd.te
+++ b/policy/modules/contrib/ifplugd.te
@@ -1,4 +1,4 @@
-policy_module(ifplugd, 1.4.0)
+policy_module(ifplugd, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
index b17ab878..0780d14b 100644
--- a/policy/modules/contrib/mozilla.te
+++ b/policy/modules/contrib/mozilla.te
@@ -1,4 +1,4 @@
-policy_module(mozilla, 2.13.0)
+policy_module(mozilla, 2.13.1)
########################################
#
diff --git a/policy/modules/contrib/mta.te b/policy/modules/contrib/mta.te
index 01183ef1..b64e2322 100644
--- a/policy/modules/contrib/mta.te
+++ b/policy/modules/contrib/mta.te
@@ -1,4 +1,4 @@
-policy_module(mta, 2.10.1)
+policy_module(mta, 2.10.2)
########################################
#
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
index e388e822..6a0978b2 100644
--- a/policy/modules/contrib/samba.te
+++ b/policy/modules/contrib/samba.te
@@ -1,4 +1,4 @@
-policy_module(samba, 1.22.1)
+policy_module(samba, 1.22.2)
#################################
#
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 73d53004..76629885 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1,4 +1,4 @@
-policy_module(virt, 1.13.0)
+policy_module(virt, 1.13.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2018-04-22 12:00 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2018-04-22 12:00 UTC (permalink / raw
To: gentoo-commits
commit: 1870ca3149fcec38e799cc567cf88daccc20fba5
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Apr 12 11:38:03 2018 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 22 11:53:59 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1870ca31
gnome: add fcontext gconf_tmp_t for /run/user/%{USERID}/dconf
policy/modules/contrib/gnome.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/gnome.fc b/policy/modules/contrib/gnome.fc
index fa478dc8..90e46cd2 100644
--- a/policy/modules/contrib/gnome.fc
+++ b/policy/modules/contrib/gnome.fc
@@ -20,6 +20,7 @@ HOME_DIR/orcexec\..* gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
/run/user/%{USERID}/keyring(/.*)? gen_context(system_u:object_r:gnome_keyring_tmp_t,s0)
/run/user/[^/]*/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
+/run/user/%{USERID}/dconf(/.*)? gen_context(system_u:object_r:gconf_tmp_t,s0)
/run/user/%{USERID}/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
ifdef(`distro_gentoo',`
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2018-04-22 12:00 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2018-04-22 12:00 UTC (permalink / raw
To: gentoo-commits
commit: 5daa9a0ca0dd357ea6b06fa3cadd6a4bd5f772c4
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Apr 12 11:38:04 2018 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 22 11:53:59 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5daa9a0c
mozilla: allow map usr, home, tmp files
policy/modules/contrib/mozilla.te | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
index d7a7be05..b17ab878 100644
--- a/policy/modules/contrib/mozilla.te
+++ b/policy/modules/contrib/mozilla.te
@@ -113,6 +113,7 @@ manage_lnk_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
manage_sock_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { file lnk_file sock_file fifo_file })
+allow mozilla_t mozilla_plugin_tmpfs_t:file map;
allow mozilla_t mozilla_plugin_rw_t:dir list_dir_perms;
allow mozilla_t mozilla_plugin_rw_t:file read_file_perms;
@@ -324,6 +325,7 @@ allow mozilla_plugin_t mozilla_t:sem create_sem_perms;
manage_dirs_pattern(mozilla_plugin_t, { mozilla_home_t mozilla_plugin_home_t }, { mozilla_home_t mozilla_plugin_home_t })
manage_files_pattern(mozilla_plugin_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)
manage_lnk_files_pattern(mozilla_plugin_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)
+allow mozilla_plugin_t mozilla_home_t:file map;
userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, dir, ".galeon")
userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, dir, ".mozilla")
@@ -338,6 +340,8 @@ manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin
files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file })
userdom_user_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file })
+allow mozilla_plugin_t mozilla_tmp_t:file rw_file_perms;
+
manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
@@ -444,6 +448,7 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
files_list_mnt(mozilla_plugin_t)
files_read_config_files(mozilla_plugin_t)
files_read_usr_files(mozilla_plugin_t)
+files_map_usr_files(mozilla_plugin_t)
fs_getattr_all_fs(mozilla_plugin_t)
# fs_read_hugetlbfs_files(mozilla_plugin_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2018-04-22 12:00 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2018-04-22 12:00 UTC (permalink / raw
To: gentoo-commits
commit: b60736bf3d0ec4cae2f1e603b110e1a7391c8a69
Author: James Carter <jwcart2 <AT> tycho <DOT> nsa <DOT> gov>
AuthorDate: Wed Apr 11 18:56:39 2018 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 22 11:53:03 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b60736bf
Fix interfaces that use an undeclared identifier
These interfaces are not being called in the policy.
dbus.if:dbus_send_all_session_bus()
Use session_bus_type instead of dbus_session_bus_type.
rabbitmq.if:rabbitmq_domtrans()
Use rabbitmq_epmd_t and rabbitmq_beam_t instead of rabbitmq_t
and rabbitmq_epmd_exec_t and rabbitmq_beam_exec_t instead of
rabbitmq_exec_t.
Signed-off-by: James Carter <jwcart2 <AT> tycho.nsa.gov>
policy/modules/contrib/dbus.if | 2 +-
policy/modules/contrib/rabbitmq.if | 6 ++++--
2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/policy/modules/contrib/dbus.if b/policy/modules/contrib/dbus.if
index 4f62c23a..01e353ed 100644
--- a/policy/modules/contrib/dbus.if
+++ b/policy/modules/contrib/dbus.if
@@ -259,7 +259,7 @@ interface(`dbus_send_all_session_bus',`
class dbus send_msg;
')
- allow $1 dbus_session_bus_type:dbus send_msg;
+ allow $1 session_bus_type:dbus send_msg;
')
#######################################
diff --git a/policy/modules/contrib/rabbitmq.if b/policy/modules/contrib/rabbitmq.if
index 53efd0dd..854cd364 100644
--- a/policy/modules/contrib/rabbitmq.if
+++ b/policy/modules/contrib/rabbitmq.if
@@ -12,11 +12,13 @@
#
interface(`rabbitmq_domtrans',`
gen_require(`
- type rabbitmq_t, rabbitmq_exec_t;
+ type rabbitmq_epmd_t, rabbitmq_epmd_exec_t;
+ type rabbitmq_beam_t, rabbitmq_beam_exec_t;
')
corecmd_search_bin($1)
- domtrans_pattern($1, rabbitmq_exec_t, rabbitmq_t)
+ domtrans_pattern($1, rabbitmq_epmd_exec_t, rabbitmq_epmd_t)
+ domtrans_pattern($1, rabbitmq_beam_exec_t, rabbitmq_beam_t)
')
########################################
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2018-04-22 12:00 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2018-04-22 12:00 UTC (permalink / raw
To: gentoo-commits
commit: 1805a99f61ca86dea7465a06a5ac3d4ba2f40b36
Author: James Carter <jwcart2 <AT> tycho <DOT> nsa <DOT> gov>
AuthorDate: Wed Apr 11 18:56:55 2018 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 22 11:53:03 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1805a99f
Remove undeclared identifiers from interfaces
All the interfaces below were always being removed because of unmet
requires.
cups.if:cups_admin()
Remove references to undeclared type cupsd_spool_t.
Called in roles/sysadm.te
dspam.if:dspam_stream_connect()
Remove references to undeclared type dspam_tmp_t.
Called in contrib/postfix.te
samba.if:samba_admin()
Remove references to undeclared type smbd_spool_t.
Called in roles/sysadm.te
Signed-off-by: James Carter <jwcart2 <AT> tycho.nsa.gov>
policy/modules/contrib/cups.if | 3 +--
policy/modules/contrib/dspam.if | 4 ++--
policy/modules/contrib/samba.if | 3 +--
3 files changed, 4 insertions(+), 6 deletions(-)
diff --git a/policy/modules/contrib/cups.if b/policy/modules/contrib/cups.if
index 73887e50..e268b96f 100644
--- a/policy/modules/contrib/cups.if
+++ b/policy/modules/contrib/cups.if
@@ -352,7 +352,7 @@ interface(`cups_domtrans_hplip',`
interface(`cups_admin',`
gen_require(`
type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t;
- type cupsd_etc_t, cupsd_log_t, cupsd_spool_t;
+ type cupsd_etc_t, cupsd_log_t;
type cupsd_config_var_run_t, cupsd_lpd_var_run_t;
type cupsd_var_run_t, ptal_etc_t, cupsd_rw_etc_t;
type ptal_var_run_t, hplip_var_run_t, cupsd_initrc_exec_t;
@@ -374,7 +374,6 @@ interface(`cups_admin',`
admin_pattern($1, cupsd_log_t)
files_list_spool($1)
- admin_pattern($1, cupsd_spool_t)
files_list_tmp($1)
admin_pattern($1, { cupsd_tmp_t cupsd_lpd_tmp_t })
diff --git a/policy/modules/contrib/dspam.if b/policy/modules/contrib/dspam.if
index a8cd028b..969fd89d 100644
--- a/policy/modules/contrib/dspam.if
+++ b/policy/modules/contrib/dspam.if
@@ -32,12 +32,12 @@ interface(`dspam_domtrans',`
#
interface(`dspam_stream_connect',`
gen_require(`
- type dspam_t, dspam_var_run_t, dspam_tmp_t;
+ type dspam_t, dspam_var_run_t;
')
files_search_pids($1)
files_search_tmp($1)
- stream_connect_pattern($1, { dspam_tmp_t dspam_var_run_t }, { dspam_tmp_t dspam_var_run_t }, dspam_t)
+ stream_connect_pattern($1, dspam_var_run_t, dspam_var_run_t, dspam_t)
')
########################################
diff --git a/policy/modules/contrib/samba.if b/policy/modules/contrib/samba.if
index f863af8f..3d729f0c 100644
--- a/policy/modules/contrib/samba.if
+++ b/policy/modules/contrib/samba.if
@@ -684,7 +684,7 @@ interface(`samba_stream_connect_winbind',`
interface(`samba_admin',`
gen_require(`
type nmbd_t, nmbd_var_run_t, smbd_var_run_t;
- type smbd_t, smbd_tmp_t, smbd_spool_t;
+ type smbd_t, smbd_tmp_t;
type samba_log_t, samba_var_t, samba_secrets_t;
type samba_etc_t, samba_share_t, samba_initrc_exec_t;
type swat_var_run_t, swat_tmp_t, winbind_log_t;
@@ -707,7 +707,6 @@ interface(`samba_admin',`
admin_pattern($1, { samba_share_t samba_var_t samba_secrets_t })
files_list_spool($1)
- admin_pattern($1, smbd_spool_t)
files_list_pids($1)
admin_pattern($1, { winbind_var_run_t smbd_var_run_t swat_var_run_t nmbd_var_run_t })
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2018-04-22 12:00 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2018-04-22 12:00 UTC (permalink / raw
To: gentoo-commits
commit: 9e9a550bda8bd26f72427991d261486faa7d8461
Author: James Carter <jwcart2 <AT> tycho <DOT> nsa <DOT> gov>
AuthorDate: Wed Apr 11 18:57:04 2018 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 22 11:53:03 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9e9a550b
Fix typos in identifier names
The interfaces djbdns_link_tinydns_keys(), firewalld_admin(),
tftp_etc_filetrans_config(), and wm_write_pipes() were
always being removed because of unmet requires.
In djbdns.if:djbdns_link_tinydns_keys()
djbdns_tinydn_t should be djbdns_tinydns_t
Called in contrib/cron.te
In firewald.if:firewalld_admin()
firewall_etc_rw_t should be firewalld_etc_rw_t
Called in roles/sysadm.te
In ftp.te:
tcpd_t should be ftpd_t
In tftp.if:tftp_etc_filetrans_config()
tftp_conf_t should be tftpd_conf_t
Called in contrib/cobbler.te
In wm.if:wm_write_pipes()
$_t should be $1_wm_t
Called in wm_role_template() which is called in roles/unprivuser.te,
roles/sysadm.te, and roles/staff.te.
wm_role_template is also called in
system/userdomain.if:userdom_restricted_xwindows_user_template() which
is called in contrib/xguest.te.
Signed-off-by: James Carter <jwcart2 <AT> tycho.nsa.gov>
policy/modules/contrib/djbdns.if | 4 ++--
policy/modules/contrib/firewalld.if | 4 ++--
policy/modules/contrib/ftp.te | 2 +-
policy/modules/contrib/tftp.if | 4 ++--
policy/modules/contrib/wm.if | 2 +-
5 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/policy/modules/contrib/djbdns.if b/policy/modules/contrib/djbdns.if
index 671d3c0a..dd87a12a 100644
--- a/policy/modules/contrib/djbdns.if
+++ b/policy/modules/contrib/djbdns.if
@@ -71,8 +71,8 @@ interface(`djbdns_search_tinydns_keys',`
#
interface(`djbdns_link_tinydns_keys',`
gen_require(`
- type djbdns_tinydn_t;
+ type djbdns_tinydns_t;
')
- allow $1 djbdns_tinydn_t:key link;
+ allow $1 djbdns_tinydns_t:key link;
')
diff --git a/policy/modules/contrib/firewalld.if b/policy/modules/contrib/firewalld.if
index d5f86696..b4fda82c 100644
--- a/policy/modules/contrib/firewalld.if
+++ b/policy/modules/contrib/firewalld.if
@@ -98,7 +98,7 @@ interface(`firewalld_read_var_run_files',`
interface(`firewalld_admin',`
gen_require(`
type firewalld_t, firewalld_initrc_exec_t;
- type firewall_etc_rw_t, firewalld_var_run_t;
+ type firewalld_etc_rw_t, firewalld_var_run_t;
type firewalld_var_log_t;
')
@@ -114,5 +114,5 @@ interface(`firewalld_admin',`
admin_pattern($1, firewalld_var_log_t)
files_search_etc($1)
- admin_pattern($1, firewall_etc_rw_t)
+ admin_pattern($1, firewalld_etc_rw_t)
')
diff --git a/policy/modules/contrib/ftp.te b/policy/modules/contrib/ftp.te
index 0a5465a6..a711bfbd 100644
--- a/policy/modules/contrib/ftp.te
+++ b/policy/modules/contrib/ftp.te
@@ -394,7 +394,7 @@ optional_policy(`
inetd_tcp_service_domain(ftpd_t, ftpd_exec_t)
optional_policy(`
- tcpd_domtrans(tcpd_t)
+ tcpd_domtrans(ftpd_t)
')
')
diff --git a/policy/modules/contrib/tftp.if b/policy/modules/contrib/tftp.if
index dae82eb7..b32fa3c0 100644
--- a/policy/modules/contrib/tftp.if
+++ b/policy/modules/contrib/tftp.if
@@ -105,10 +105,10 @@ interface(`tftp_manage_config_files',`
#
interface(`tftp_etc_filetrans_config',`
gen_require(`
- type tftp_conf_t;
+ type tftpd_conf_t;
')
- files_etc_filetrans($1, tftp_conf_t, $2, $3)
+ files_etc_filetrans($1, tftpd_conf_t, $2, $3)
')
########################################
diff --git a/policy/modules/contrib/wm.if b/policy/modules/contrib/wm.if
index bb0d3ea7..260a7b01 100644
--- a/policy/modules/contrib/wm.if
+++ b/policy/modules/contrib/wm.if
@@ -245,7 +245,7 @@ interface(`wm_application_domain',`
#
interface(`wm_write_pipes',`
gen_require(`
- type $1_t;
+ type $1_wm_t;
')
allow $2 $1_wm_t:fifo_file write;
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2018-04-22 12:00 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2018-04-22 12:00 UTC (permalink / raw
To: gentoo-commits
commit: 33e79c86efaee37a32289cd31932528aaf4d4f6d
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Apr 12 11:38:01 2018 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 22 11:53:03 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=33e79c86
ifplugd: Allow transition to init scripts
policy/modules/contrib/ifplugd.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/contrib/ifplugd.te b/policy/modules/contrib/ifplugd.te
index 9267c1b8..78bcd143 100644
--- a/policy/modules/contrib/ifplugd.te
+++ b/policy/modules/contrib/ifplugd.te
@@ -53,6 +53,8 @@ domain_dontaudit_read_all_domains_state(ifplugd_t)
auth_use_nsswitch(ifplugd_t)
+init_domtrans_script(ifplugd_t)
+
logging_send_syslog_msg(ifplugd_t)
miscfiles_read_localization(ifplugd_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2018-04-22 12:00 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2018-04-22 12:00 UTC (permalink / raw
To: gentoo-commits
commit: 4704ab0db3680062416380525f7f14d95f9073e0
Author: James Carter <jwcart2 <AT> tycho <DOT> nsa <DOT> gov>
AuthorDate: Wed Apr 11 18:56:37 2018 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 22 11:53:03 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4704ab0d
Fix typos in identifier names
These interfaces are not being called in the policy (or are only called by
interfaces that are not called).
In kismet.if:kismet_role()
kistmet_tmpfs_t should be kismet_tmpfs_t
In obex.if:obex_role_template()
obex_exec_exec_t should be obex_exec_t
In sosreport.if:sosreport_run()
sospreport_roles should be sosreport_roles
Called only in sosreport_role() which is not called in policy.
Signed-off-by: James Carter <jwcart2 <AT> tycho.nsa.gov>
policy/modules/contrib/kismet.if | 4 ++--
policy/modules/contrib/obex.if | 2 +-
policy/modules/contrib/sosreport.if | 2 +-
3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/policy/modules/contrib/kismet.if b/policy/modules/contrib/kismet.if
index 7e612761..1ba783c4 100644
--- a/policy/modules/contrib/kismet.if
+++ b/policy/modules/contrib/kismet.if
@@ -18,12 +18,12 @@
template(`kismet_role',`
gen_require(`
type kismet_exec_t, kismet_home_t, kismet_tmp_t;
- type kistmet_tmpfs_t, kismet_t;
+ type kismet_tmpfs_t, kismet_t;
')
kismet_run($1, $2)
- allow $2 kistmet_t:process { ptrace signal_perms };
+ allow $2 kismet_t:process { ptrace signal_perms };
ps_process_pattern($2, kismet_t)
allow $2 kismet_home_t:dir { manage_dir_perms relabel_dir_perms };
diff --git a/policy/modules/contrib/obex.if b/policy/modules/contrib/obex.if
index 410c0e8f..6723697e 100644
--- a/policy/modules/contrib/obex.if
+++ b/policy/modules/contrib/obex.if
@@ -24,7 +24,7 @@
template(`obex_role_template',`
gen_require(`
attribute_role obex_roles;
- type obex_t, obex_exec_exec_t;
+ type obex_t, obex_exec_t;
')
########################################
diff --git a/policy/modules/contrib/sosreport.if b/policy/modules/contrib/sosreport.if
index 634c6b4f..e1edfd96 100644
--- a/policy/modules/contrib/sosreport.if
+++ b/policy/modules/contrib/sosreport.if
@@ -42,7 +42,7 @@ interface(`sosreport_run',`
')
sosreport_domtrans($1)
- roleattribute $2 sospreport_roles;
+ roleattribute $2 sosreport_roles;
')
########################################
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2018-04-22 12:00 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2018-04-22 12:00 UTC (permalink / raw
To: gentoo-commits
commit: 09027956501013a775b57369b819fa2d10ee79b2
Author: James Carter <jwcart2 <AT> tycho <DOT> nsa <DOT> gov>
AuthorDate: Wed Apr 11 18:57:19 2018 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 22 11:53:03 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=09027956
Removed call to deprecated interface xserver_manage_xdm_spool_files()
The interface xserver_manage_xdm_spool_files() used the undeclared
type xdm_spool_t and was deprecated.
Removed the call to xserver_manage_xdm_spool_files() in plymouthd.te
which means that the call to xserver_read_xdm_state() which was
in the same optional block will now be in the policy.
Signed-off-by: James Carter <jwcart2 <AT> tycho.nsa.gov>
policy/modules/contrib/plymouthd.te | 1 -
1 file changed, 1 deletion(-)
diff --git a/policy/modules/contrib/plymouthd.te b/policy/modules/contrib/plymouthd.te
index 89000ec9..5e390e03 100644
--- a/policy/modules/contrib/plymouthd.te
+++ b/policy/modules/contrib/plymouthd.te
@@ -92,7 +92,6 @@ optional_policy(`
')
optional_policy(`
- xserver_manage_xdm_spool_files(plymouthd_t)
xserver_read_xdm_state(plymouthd_t)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2018-04-22 12:00 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2018-04-22 12:00 UTC (permalink / raw
To: gentoo-commits
commit: 0970480bdaa803f0540b597b5f386cc77461dccb
Author: James Carter <jwcart2 <AT> tycho <DOT> nsa <DOT> gov>
AuthorDate: Wed Apr 11 18:56:35 2018 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 22 11:53:03 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0970480b
Move use of httpd_t from mojomojo.te to apache.te
The type httpd_t is actually declared in apache.te.
Created apache.if:apache_rw_stream_sockets() which allows
reading and writing unix domain stream sockets labeled httpd_t.
Modified mojomojo.te to use the new interface instead of
This is needed by the module mojomojo which had been referring to
httpd_t directly.
Signed-off-by: James Carter <jwcart2 <AT> tycho.nsa.gov>
policy/modules/contrib/apache.if | 19 +++++++++++++++++++
policy/modules/contrib/mojomojo.te | 2 +-
2 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/apache.if b/policy/modules/contrib/apache.if
index 135e2f51..94878d66 100644
--- a/policy/modules/contrib/apache.if
+++ b/policy/modules/contrib/apache.if
@@ -371,6 +371,25 @@ interface(`apache_dontaudit_rw_stream_sockets',`
dontaudit $1 httpd_t:unix_stream_socket { read write };
')
+########################################
+## <summary>
+## Read and write httpd unix domain
+## stream sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_rw_stream_sockets',`
+ gen_require(`
+ type httpd_t;
+ ')
+
+ allow $1 httpd_t:unix_stream_socket rw_stream_socket_perms;
+')
+
########################################
## <summary>
## Do not audit attempts to read and
diff --git a/policy/modules/contrib/mojomojo.te b/policy/modules/contrib/mojomojo.te
index 8f4d4779..ea853ce1 100644
--- a/policy/modules/contrib/mojomojo.te
+++ b/policy/modules/contrib/mojomojo.te
@@ -12,7 +12,7 @@ apache_content_template(mojomojo)
# Local policy
#
-allow httpd_mojomojo_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
+apache_rw_stream_sockets(httpd_mojomojo_script_t)
corenet_sendrecv_smtp_client_packets(httpd_mojomojo_script_t)
corenet_tcp_connect_smtp_port(httpd_mojomojo_script_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2018-04-22 12:00 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2018-04-22 12:00 UTC (permalink / raw
To: gentoo-commits
commit: 7d890102e3a63b001659d6ae6a636007831cc7ca
Author: Scall <scall <AT> prosemail <DOT> net>
AuthorDate: Thu Apr 12 11:38:02 2018 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 22 11:53:03 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7d890102
Fix /run/samba context generated by samba init script
policy/modules/contrib/samba.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
index c4a2eea4..e388e822 100644
--- a/policy/modules/contrib/samba.te
+++ b/policy/modules/contrib/samba.te
@@ -114,7 +114,7 @@ init_daemon_domain(nmbd_t, nmbd_exec_t)
type samba_var_run_t;
typealias samba_var_run_t alias { nmbd_var_run_t smbd_var_run_t };
-files_pid_file(samba_var_run_t)
+init_daemon_pid_file(samba_var_run_t, dir, "samba")
type samba_etc_t;
files_config_file(samba_etc_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2018-04-22 12:00 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2018-04-22 12:00 UTC (permalink / raw
To: gentoo-commits
commit: 22db9ffa981508adc52f3751fb285cce44f98c29
Author: James Carter <jwcart2 <AT> tycho <DOT> nsa <DOT> gov>
AuthorDate: Wed Apr 11 18:56:38 2018 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 22 11:53:03 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=22db9ffa
Remove undeclared identifiers from shorewall interfaces
Both shorewall_read_pid_files() and shorewall_rw_pid_files() use the
undeclared type shorewall_var_run_t. Removed statements referring to this
type and marked the interfaces as deprecated because they no longer do
anything useful.
Neither interface is called in the policy.
Signed-off-by: James Carter <jwcart2 <AT> tycho.nsa.gov>
policy/modules/contrib/shorewall.if | 18 ++++--------------
1 file changed, 4 insertions(+), 14 deletions(-)
diff --git a/policy/modules/contrib/shorewall.if b/policy/modules/contrib/shorewall.if
index 108ce759..119ba279 100644
--- a/policy/modules/contrib/shorewall.if
+++ b/policy/modules/contrib/shorewall.if
@@ -62,38 +62,28 @@ interface(`shorewall_read_config',`
## <summary>
## Read shorewall pid files.
## </summary>
-## <param name="domain">
+## <param name="domain" unused="true">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`shorewall_read_pid_files',`
- gen_require(`
- type shorewall_var_run_t;
- ')
-
- files_search_pids($1)
- read_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t)
+ refpolicywarn(`$0($*) has been deprecated')
')
#######################################
## <summary>
## Read and write shorewall pid files.
## </summary>
-## <param name="domain">
+## <param name="domain" unused="true">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`shorewall_rw_pid_files',`
- gen_require(`
- type shorewall_var_run_t;
- ')
-
- files_search_pids($1)
- rw_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t)
+ refpolicywarn(`$0($*) has been deprecated')
')
######################################
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2018-04-22 12:00 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2018-04-22 12:00 UTC (permalink / raw
To: gentoo-commits
commit: 70cfb901fc6c8a692295ebb15914e13fc6e1223e
Author: James Carter <jwcart2 <AT> tycho <DOT> nsa <DOT> gov>
AuthorDate: Wed Apr 11 18:56:36 2018 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 22 11:53:03 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=70cfb901
Move use of sendmail_exec_t from sendmail.te to mta.te
The type sendmail_exec_t is actually declared in mta.te.
Created mta.if:mta_sendmail_entry_point() to make sendmail_exec_t
usable as an entry point for a domain.
Modified sendmail.te to use the new interface along with the
application_type() interface to replace the call to
application_domain() using sendmail_exec_t.
Signed-off-by: James Carter <jwcart2 <AT> tycho.nsa.gov>
policy/modules/contrib/mta.if | 19 +++++++++++++++++++
policy/modules/contrib/sendmail.te | 3 ++-
2 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/mta.if b/policy/modules/contrib/mta.if
index 4384caae..f98346fe 100644
--- a/policy/modules/contrib/mta.if
+++ b/policy/modules/contrib/mta.if
@@ -536,6 +536,25 @@ interface(`mta_sendmail_exec',`
can_exec($1, sendmail_exec_t)
')
+########################################
+## <summary>
+## Make sendmail usable as an entry
+## point for the domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to be entered.
+## </summary>
+## </param>
+#
+interface(`mta_sendmail_entry_point',`
+ gen_require(`
+ type sendmail_exec_t;
+ ')
+
+ domain_entry_file($1, sendmail_exec_t)
+')
+
########################################
## <summary>
## Read mail server configuration content.
diff --git a/policy/modules/contrib/sendmail.te b/policy/modules/contrib/sendmail.te
index 8d2669ee..3503f315 100644
--- a/policy/modules/contrib/sendmail.te
+++ b/policy/modules/contrib/sendmail.te
@@ -32,7 +32,8 @@ mta_mailserver_sender(sendmail_t)
role sendmail_roles types sendmail_t;
type unconfined_sendmail_t;
-application_domain(unconfined_sendmail_t, sendmail_exec_t)
+application_type(unconfined_sendmail_t)
+mta_sendmail_entry_point(unconfined_sendmail_t)
role sendmail_unconfined_roles types unconfined_sendmail_t;
########################################
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2018-04-22 12:00 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2018-04-22 12:00 UTC (permalink / raw
To: gentoo-commits
commit: 31c5b9a3d82c234e5a2423a9cf49d09e474aa218
Author: James Carter <jwcart2 <AT> tycho <DOT> nsa <DOT> gov>
AuthorDate: Wed Apr 11 18:57:12 2018 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 22 11:53:03 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=31c5b9a3
Fix interfaces that use an undeclared identifier
All the interfaces below were always being removed because of unmet requires.
ccs.if:ccs_admin()
Use cluster_conf_t instead of ccs_conf_t.
Called in roles/sysadm.te.
cfengine.if:cfengine_dontaudit_write_log_files()
Use cfengine_log_t instead of cfengine_var_log_t.
Called in contrib/sendmail.te.
cobbler.if:cobbler_admin()
Use cobbler_content_t instead of httpd_cobbler_content_t,
httpd_cobbler_content_ra_t, and httpd_cobbler_content_rw_t.
Called in roles/sysadm.te.
cron.if:cron_manage_system_spool()
Use system_cron_spool_t instead of cron_system_spool_t.
Called in system/init.te.
rpm.if:rpm_admin()
Use rpm_var_cache_t instead of rpm_cache_t.
Called in roles/sysadm.te
sssd.if:sssd_admin()
Use sssd_var_log_t instead of sssd_log_t.
Called in roles/sysadm.te
Signed-off-by: James Carter <jwcart2 <AT> tycho.nsa.gov>
policy/modules/contrib/ccs.if | 4 ++--
policy/modules/contrib/cfengine.if | 4 ++--
policy/modules/contrib/cobbler.if | 6 +++---
policy/modules/contrib/cron.if | 4 ++--
policy/modules/contrib/rpm.if | 4 ++--
policy/modules/contrib/sssd.if | 4 ++--
6 files changed, 13 insertions(+), 13 deletions(-)
diff --git a/policy/modules/contrib/ccs.if b/policy/modules/contrib/ccs.if
index 92f67fa4..767fb712 100644
--- a/policy/modules/contrib/ccs.if
+++ b/policy/modules/contrib/ccs.if
@@ -99,7 +99,7 @@ interface(`ccs_admin',`
gen_require(`
type ccs_t, ccs_initrc_exec_t, cluster_conf_t;
type ccs_var_lib_t, ccs_var_log_t;
- type ccs_var_run_t, ccs_tmp_t, ccs_conf_t;
+ type ccs_var_run_t, ccs_tmp_t;
')
allow $1 ccs_t:process { ptrace signal_perms };
@@ -108,7 +108,7 @@ interface(`ccs_admin',`
init_startstop_service($1, $2, ccs_t, ccs_initrc_exec_t)
files_search_etc($1)
- admin_pattern($1, ccs_conf_t)
+ admin_pattern($1, cluster_conf_t)
files_search_var_lib($1)
admin_pattern($1, ccs_var_lib_t)
diff --git a/policy/modules/contrib/cfengine.if b/policy/modules/contrib/cfengine.if
index fdef5f34..ff0b0038 100644
--- a/policy/modules/contrib/cfengine.if
+++ b/policy/modules/contrib/cfengine.if
@@ -65,10 +65,10 @@ interface(`cfengine_read_lib_files',`
#
interface(`cfengine_dontaudit_write_log_files',`
gen_require(`
- type cfengine_var_log_t;
+ type cfengine_log_t;
')
- dontaudit $1 cfengine_var_log_t:file write_file_perms;
+ dontaudit $1 cfengine_log_t:file write_file_perms;
')
########################################
diff --git a/policy/modules/contrib/cobbler.if b/policy/modules/contrib/cobbler.if
index 40f89990..6c6b5757 100644
--- a/policy/modules/contrib/cobbler.if
+++ b/policy/modules/contrib/cobbler.if
@@ -154,8 +154,8 @@ interface(`cobbler_manage_lib_files',`
interface(`cobbler_admin',`
gen_require(`
type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t;
- type cobbler_etc_t, cobblerd_initrc_exec_t, httpd_cobbler_content_t;
- type httpd_cobbler_content_ra_t, httpd_cobbler_content_rw_t, cobbler_tmp_t;
+ type cobbler_etc_t, cobblerd_initrc_exec_t, cobbler_content_t;
+ type cobbler_tmp_t;
')
allow $1 cobblerd_t:process { ptrace signal_perms };
@@ -176,5 +176,5 @@ interface(`cobbler_admin',`
admin_pattern($1, cobbler_var_log_t)
apache_search_sys_content($1)
- admin_pattern($1, { httpd_cobbler_content_t httpd_cobbler_content_ra_t httpd_cobbler_content_rw_t })
+ admin_pattern($1, cobbler_content_t)
')
diff --git a/policy/modules/contrib/cron.if b/policy/modules/contrib/cron.if
index 7bb5d6e6..7bb6065b 100644
--- a/policy/modules/contrib/cron.if
+++ b/policy/modules/contrib/cron.if
@@ -696,11 +696,11 @@ interface(`cron_use_system_job_fds',`
#
interface(`cron_manage_system_spool',`
gen_require(`
- type cron_system_spool_t;
+ type system_cron_spool_t;
')
files_search_spool($1)
- manage_files_pattern($1, cron_system_spool_t, cron_system_spool_t)
+ manage_files_pattern($1, system_cron_spool_t, system_cron_spool_t)
')
########################################
diff --git a/policy/modules/contrib/rpm.if b/policy/modules/contrib/rpm.if
index 016cdb2a..d316410d 100644
--- a/policy/modules/contrib/rpm.if
+++ b/policy/modules/contrib/rpm.if
@@ -613,7 +613,7 @@ interface(`rpm_pid_filetrans_rpm_pid',`
interface(`rpm_admin',`
gen_require(`
type rpm_t, rpm_script_t, rpm_initrc_exec_t;
- type rpm_cache_t, rpm_var_lib_t, rpm_lock_t;
+ type rpm_var_cache_t, rpm_var_lib_t, rpm_lock_t;
type rpm_log_t, rpm_tmpfs_t, rpm_tmp_t, rpm_var_run_t;
type rpm_script_tmp_t, rpm_script_tmpfs_t, rpm_file_t;
')
@@ -626,7 +626,7 @@ interface(`rpm_admin',`
admin_pattern($1, rpm_file_t)
files_list_var($1)
- admin_pattern($1, rpm_cache_t)
+ admin_pattern($1, rpm_var_cache_t)
files_list_tmp($1)
admin_pattern($1, { rpm_tmp_t rpm_script_tmp_t })
diff --git a/policy/modules/contrib/sssd.if b/policy/modules/contrib/sssd.if
index e1b4cb01..bdb7f881 100644
--- a/policy/modules/contrib/sssd.if
+++ b/policy/modules/contrib/sssd.if
@@ -336,7 +336,7 @@ interface(`sssd_admin',`
gen_require(`
type sssd_t, sssd_public_t, sssd_initrc_exec_t;
type sssd_var_lib_t, sssd_var_run_t, sssd_conf_t;
- type sssd_log_t;
+ type sssd_var_log_t;
')
allow $1 sssd_t:process { ptrace signal_perms };
@@ -354,5 +354,5 @@ interface(`sssd_admin',`
admin_pattern($1, sssd_var_run_t)
logging_search_logs($1)
- admin_pattern($1, sssd_log_t)
+ admin_pattern($1, sssd_var_log_t)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2018-04-22 12:00 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2018-04-22 12:00 UTC (permalink / raw
To: gentoo-commits
commit: d43361d53192784e92754e6d076032fec77490b5
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Thu Apr 12 22:49:03 2018 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 22 11:53:03 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d43361d5
Module version bumps for patches from James Carter.
policy/modules/contrib/accountsd.te | 2 +-
policy/modules/contrib/alsa.te | 2 +-
policy/modules/contrib/apache.te | 2 +-
policy/modules/contrib/bugzilla.te | 2 +-
policy/modules/contrib/ccs.te | 2 +-
policy/modules/contrib/cfengine.te | 2 +-
policy/modules/contrib/cobbler.te | 2 +-
policy/modules/contrib/cron.te | 2 +-
policy/modules/contrib/cups.te | 2 +-
policy/modules/contrib/dbus.te | 2 +-
policy/modules/contrib/devicekit.te | 2 +-
policy/modules/contrib/djbdns.te | 2 +-
policy/modules/contrib/dspam.te | 2 +-
policy/modules/contrib/evolution.te | 2 +-
policy/modules/contrib/firewalld.te | 2 +-
policy/modules/contrib/ftp.te | 2 +-
policy/modules/contrib/kismet.te | 2 +-
policy/modules/contrib/lsm.te | 2 +-
policy/modules/contrib/mojomojo.te | 2 +-
policy/modules/contrib/mta.te | 2 +-
policy/modules/contrib/obex.te | 2 +-
policy/modules/contrib/plymouthd.te | 2 +-
policy/modules/contrib/portage.te | 2 +-
policy/modules/contrib/qemu.te | 2 +-
policy/modules/contrib/rabbitmq.te | 2 +-
policy/modules/contrib/rpm.te | 2 +-
policy/modules/contrib/rsync.te | 2 +-
policy/modules/contrib/samba.te | 2 +-
policy/modules/contrib/samhain.te | 2 +-
policy/modules/contrib/sectoolm.te | 2 +-
policy/modules/contrib/sendmail.te | 2 +-
policy/modules/contrib/setroubleshoot.te | 2 +-
policy/modules/contrib/shorewall.te | 2 +-
policy/modules/contrib/sosreport.te | 2 +-
policy/modules/contrib/sssd.te | 2 +-
policy/modules/contrib/tftp.te | 2 +-
policy/modules/contrib/wm.te | 2 +-
37 files changed, 37 insertions(+), 37 deletions(-)
diff --git a/policy/modules/contrib/accountsd.te b/policy/modules/contrib/accountsd.te
index abd51292..5ae5fa50 100644
--- a/policy/modules/contrib/accountsd.te
+++ b/policy/modules/contrib/accountsd.te
@@ -1,4 +1,4 @@
-policy_module(accountsd, 1.2.0)
+policy_module(accountsd, 1.2.1)
gen_require(`
class passwd all_passwd_perms;
diff --git a/policy/modules/contrib/alsa.te b/policy/modules/contrib/alsa.te
index e7943397..008b6d25 100644
--- a/policy/modules/contrib/alsa.te
+++ b/policy/modules/contrib/alsa.te
@@ -1,4 +1,4 @@
-policy_module(alsa, 1.18.0)
+policy_module(alsa, 1.18.1)
########################################
#
diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index ad74e5cb..f04ba5c3 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -1,4 +1,4 @@
-policy_module(apache, 2.14.0)
+policy_module(apache, 2.14.1)
########################################
#
diff --git a/policy/modules/contrib/bugzilla.te b/policy/modules/contrib/bugzilla.te
index 18623e39..1ff9613f 100644
--- a/policy/modules/contrib/bugzilla.te
+++ b/policy/modules/contrib/bugzilla.te
@@ -1,4 +1,4 @@
-policy_module(bugzilla, 1.1.0)
+policy_module(bugzilla, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/ccs.te b/policy/modules/contrib/ccs.te
index 84eab68b..12865a83 100644
--- a/policy/modules/contrib/ccs.te
+++ b/policy/modules/contrib/ccs.te
@@ -1,4 +1,4 @@
-policy_module(ccs, 1.11.0)
+policy_module(ccs, 1.11.1)
########################################
#
diff --git a/policy/modules/contrib/cfengine.te b/policy/modules/contrib/cfengine.te
index be8509b5..18ffc278 100644
--- a/policy/modules/contrib/cfengine.te
+++ b/policy/modules/contrib/cfengine.te
@@ -1,4 +1,4 @@
-policy_module(cfengine, 1.3.0)
+policy_module(cfengine, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/cobbler.te b/policy/modules/contrib/cobbler.te
index a3a4453a..5e8425c1 100644
--- a/policy/modules/contrib/cobbler.te
+++ b/policy/modules/contrib/cobbler.te
@@ -1,4 +1,4 @@
-policy_module(cobbler, 1.3.0)
+policy_module(cobbler, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te
index 5ff3277a..6564d0cd 100644
--- a/policy/modules/contrib/cron.te
+++ b/policy/modules/contrib/cron.te
@@ -1,4 +1,4 @@
-policy_module(cron, 2.13.0)
+policy_module(cron, 2.13.1)
gen_require(`
class passwd rootok;
diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te
index 0719ef4f..ce2694e2 100644
--- a/policy/modules/contrib/cups.te
+++ b/policy/modules/contrib/cups.te
@@ -1,4 +1,4 @@
-policy_module(cups, 1.22.0)
+policy_module(cups, 1.22.1)
########################################
#
diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index 0b3c3d9e..486b0b18 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -1,4 +1,4 @@
-policy_module(dbus, 1.24.2)
+policy_module(dbus, 1.24.3)
gen_require(`
class dbus all_dbus_perms;
diff --git a/policy/modules/contrib/devicekit.te b/policy/modules/contrib/devicekit.te
index 27e0dae0..a5b869d3 100644
--- a/policy/modules/contrib/devicekit.te
+++ b/policy/modules/contrib/devicekit.te
@@ -1,4 +1,4 @@
-policy_module(devicekit, 1.8.2)
+policy_module(devicekit, 1.8.3)
########################################
#
diff --git a/policy/modules/contrib/djbdns.te b/policy/modules/contrib/djbdns.te
index 87ca536a..d77c66b0 100644
--- a/policy/modules/contrib/djbdns.te
+++ b/policy/modules/contrib/djbdns.te
@@ -1,4 +1,4 @@
-policy_module(djbdns, 1.6.0)
+policy_module(djbdns, 1.6.1)
########################################
#
diff --git a/policy/modules/contrib/dspam.te b/policy/modules/contrib/dspam.te
index c90f7ff4..edf5d942 100644
--- a/policy/modules/contrib/dspam.te
+++ b/policy/modules/contrib/dspam.te
@@ -1,4 +1,4 @@
-policy_module(dspam, 1.3.0)
+policy_module(dspam, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/evolution.te b/policy/modules/contrib/evolution.te
index 1775ccc7..e11f37b8 100644
--- a/policy/modules/contrib/evolution.te
+++ b/policy/modules/contrib/evolution.te
@@ -1,4 +1,4 @@
-policy_module(evolution, 2.8.0)
+policy_module(evolution, 2.8.1)
########################################
#
diff --git a/policy/modules/contrib/firewalld.te b/policy/modules/contrib/firewalld.te
index aa1c637d..7eea5265 100644
--- a/policy/modules/contrib/firewalld.te
+++ b/policy/modules/contrib/firewalld.te
@@ -1,4 +1,4 @@
-policy_module(firewalld, 1.6.0)
+policy_module(firewalld, 1.6.1)
########################################
#
diff --git a/policy/modules/contrib/ftp.te b/policy/modules/contrib/ftp.te
index a711bfbd..96a92aca 100644
--- a/policy/modules/contrib/ftp.te
+++ b/policy/modules/contrib/ftp.te
@@ -1,4 +1,4 @@
-policy_module(ftp, 1.21.0)
+policy_module(ftp, 1.21.1)
########################################
#
diff --git a/policy/modules/contrib/kismet.te b/policy/modules/contrib/kismet.te
index a581ece2..dc07e769 100644
--- a/policy/modules/contrib/kismet.te
+++ b/policy/modules/contrib/kismet.te
@@ -1,4 +1,4 @@
-policy_module(kismet, 1.10.0)
+policy_module(kismet, 1.10.1)
########################################
#
diff --git a/policy/modules/contrib/lsm.te b/policy/modules/contrib/lsm.te
index 423296d0..c80e3e96 100644
--- a/policy/modules/contrib/lsm.te
+++ b/policy/modules/contrib/lsm.te
@@ -1,4 +1,4 @@
-policy_module(lsm, 1.1.0)
+policy_module(lsm, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/mojomojo.te b/policy/modules/contrib/mojomojo.te
index ea853ce1..b22d0d98 100644
--- a/policy/modules/contrib/mojomojo.te
+++ b/policy/modules/contrib/mojomojo.te
@@ -1,4 +1,4 @@
-policy_module(mojomojo, 1.2.0)
+policy_module(mojomojo, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/mta.te b/policy/modules/contrib/mta.te
index 239f191a..996c1fb5 100644
--- a/policy/modules/contrib/mta.te
+++ b/policy/modules/contrib/mta.te
@@ -1,4 +1,4 @@
-policy_module(mta, 2.10.0)
+policy_module(mta, 2.10.1)
########################################
#
diff --git a/policy/modules/contrib/obex.te b/policy/modules/contrib/obex.te
index 724df1a3..c0e36892 100644
--- a/policy/modules/contrib/obex.te
+++ b/policy/modules/contrib/obex.te
@@ -1,4 +1,4 @@
-policy_module(obex, 1.1.0)
+policy_module(obex, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/plymouthd.te b/policy/modules/contrib/plymouthd.te
index 5e390e03..8b265787 100644
--- a/policy/modules/contrib/plymouthd.te
+++ b/policy/modules/contrib/plymouthd.te
@@ -1,4 +1,4 @@
-policy_module(plymouthd, 1.5.0)
+policy_module(plymouthd, 1.5.1)
########################################
#
diff --git a/policy/modules/contrib/portage.te b/policy/modules/contrib/portage.te
index b033e44f..e0aea54c 100644
--- a/policy/modules/contrib/portage.te
+++ b/policy/modules/contrib/portage.te
@@ -1,4 +1,4 @@
-policy_module(portage, 1.16.0)
+policy_module(portage, 1.16.1)
########################################
#
diff --git a/policy/modules/contrib/qemu.te b/policy/modules/contrib/qemu.te
index 6bdd0acc..a27624d8 100644
--- a/policy/modules/contrib/qemu.te
+++ b/policy/modules/contrib/qemu.te
@@ -1,4 +1,4 @@
-policy_module(qemu, 1.10.0)
+policy_module(qemu, 1.10.1)
########################################
#
diff --git a/policy/modules/contrib/rabbitmq.te b/policy/modules/contrib/rabbitmq.te
index 3aa20847..e557dc00 100644
--- a/policy/modules/contrib/rabbitmq.te
+++ b/policy/modules/contrib/rabbitmq.te
@@ -1,4 +1,4 @@
-policy_module(rabbitmq, 1.3.0)
+policy_module(rabbitmq, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te
index 8fa6dc4c..aee8795b 100644
--- a/policy/modules/contrib/rpm.te
+++ b/policy/modules/contrib/rpm.te
@@ -1,4 +1,4 @@
-policy_module(rpm, 1.21.0)
+policy_module(rpm, 1.21.1)
########################################
#
diff --git a/policy/modules/contrib/rsync.te b/policy/modules/contrib/rsync.te
index abe4c43f..ad85fa79 100644
--- a/policy/modules/contrib/rsync.te
+++ b/policy/modules/contrib/rsync.te
@@ -1,4 +1,4 @@
-policy_module(rsync, 1.16.0)
+policy_module(rsync, 1.16.1)
########################################
#
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
index f6042e7d..c4a2eea4 100644
--- a/policy/modules/contrib/samba.te
+++ b/policy/modules/contrib/samba.te
@@ -1,4 +1,4 @@
-policy_module(samba, 1.22.0)
+policy_module(samba, 1.22.1)
#################################
#
diff --git a/policy/modules/contrib/samhain.te b/policy/modules/contrib/samhain.te
index aee1fbbe..4d093b83 100644
--- a/policy/modules/contrib/samhain.te
+++ b/policy/modules/contrib/samhain.te
@@ -1,4 +1,4 @@
-policy_module(samhain, 1.5.0)
+policy_module(samhain, 1.5.1)
########################################
#
diff --git a/policy/modules/contrib/sectoolm.te b/policy/modules/contrib/sectoolm.te
index 4bc8c13e..ba3360f4 100644
--- a/policy/modules/contrib/sectoolm.te
+++ b/policy/modules/contrib/sectoolm.te
@@ -1,4 +1,4 @@
-policy_module(sectoolm, 1.1.0)
+policy_module(sectoolm, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/sendmail.te b/policy/modules/contrib/sendmail.te
index 3503f315..9fb6b649 100644
--- a/policy/modules/contrib/sendmail.te
+++ b/policy/modules/contrib/sendmail.te
@@ -1,4 +1,4 @@
-policy_module(sendmail, 1.16.0)
+policy_module(sendmail, 1.16.1)
########################################
#
diff --git a/policy/modules/contrib/setroubleshoot.te b/policy/modules/contrib/setroubleshoot.te
index 4888855e..7610a7ce 100644
--- a/policy/modules/contrib/setroubleshoot.te
+++ b/policy/modules/contrib/setroubleshoot.te
@@ -1,4 +1,4 @@
-policy_module(setroubleshoot, 1.16.0)
+policy_module(setroubleshoot, 1.16.1)
########################################
#
diff --git a/policy/modules/contrib/shorewall.te b/policy/modules/contrib/shorewall.te
index 89ed7d03..429230e9 100644
--- a/policy/modules/contrib/shorewall.te
+++ b/policy/modules/contrib/shorewall.te
@@ -1,4 +1,4 @@
-policy_module(shorewall, 1.7.0)
+policy_module(shorewall, 1.7.1)
########################################
#
diff --git a/policy/modules/contrib/sosreport.te b/policy/modules/contrib/sosreport.te
index a2521051..0c7189ff 100644
--- a/policy/modules/contrib/sosreport.te
+++ b/policy/modules/contrib/sosreport.te
@@ -1,4 +1,4 @@
-policy_module(sosreport, 1.5.0)
+policy_module(sosreport, 1.5.1)
########################################
#
diff --git a/policy/modules/contrib/sssd.te b/policy/modules/contrib/sssd.te
index 833944b8..32c9761b 100644
--- a/policy/modules/contrib/sssd.te
+++ b/policy/modules/contrib/sssd.te
@@ -1,4 +1,4 @@
-policy_module(sssd, 1.5.0)
+policy_module(sssd, 1.5.1)
########################################
#
diff --git a/policy/modules/contrib/tftp.te b/policy/modules/contrib/tftp.te
index 5c508ab2..add99702 100644
--- a/policy/modules/contrib/tftp.te
+++ b/policy/modules/contrib/tftp.te
@@ -1,4 +1,4 @@
-policy_module(tftp, 1.14.0)
+policy_module(tftp, 1.14.1)
########################################
#
diff --git a/policy/modules/contrib/wm.te b/policy/modules/contrib/wm.te
index c7296a25..4b7e88ad 100644
--- a/policy/modules/contrib/wm.te
+++ b/policy/modules/contrib/wm.te
@@ -1,4 +1,4 @@
-policy_module(wm, 1.8.0)
+policy_module(wm, 1.8.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2018-04-22 12:00 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2018-04-22 12:00 UTC (permalink / raw
To: gentoo-commits
commit: d24f33d87d25b3022b46807b9a94d80883eeb67e
Author: James Carter <jwcart2 <AT> tycho <DOT> nsa <DOT> gov>
AuthorDate: Wed Apr 11 18:56:33 2018 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 22 11:53:03 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d24f33d8
Add unused parameter and mark as unused
Added unused parameters and marked them as unused in the interfaces
listed below.
setroubleshoot.if:setroubleshoot_admin()
tftp.if:tftp_admin()
Signed-off-by: James Carter <jwcart2 <AT> tycho.nsa.gov>
policy/modules/contrib/setroubleshoot.if | 5 +++++
policy/modules/contrib/tftp.if | 5 +++++
2 files changed, 10 insertions(+)
diff --git a/policy/modules/contrib/setroubleshoot.if b/policy/modules/contrib/setroubleshoot.if
index 800b545e..f7d788b8 100644
--- a/policy/modules/contrib/setroubleshoot.if
+++ b/policy/modules/contrib/setroubleshoot.if
@@ -133,6 +133,11 @@ interface(`setroubleshoot_dbus_chat_fixit',`
## Domain allowed access.
## </summary>
## </param>
+## <param name="role" unused="true">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
## <rolecap/>
#
interface(`setroubleshoot_admin',`
diff --git a/policy/modules/contrib/tftp.if b/policy/modules/contrib/tftp.if
index 9957e300..dae82eb7 100644
--- a/policy/modules/contrib/tftp.if
+++ b/policy/modules/contrib/tftp.if
@@ -156,6 +156,11 @@ interface(`tftp_filetrans_tftpdir',`
## Domain allowed access.
## </summary>
## </param>
+## <param name="role" unused="true">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
## <rolecap/>
#
interface(`tftp_admin',`
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2018-04-22 12:00 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2018-04-22 12:00 UTC (permalink / raw
To: gentoo-commits
commit: 567e6837c7ed7d7a88f13cb648e1a18787b84ff1
Author: James Carter <jwcart2 <AT> tycho <DOT> nsa <DOT> gov>
AuthorDate: Wed Apr 11 18:56:32 2018 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 22 11:53:03 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=567e6837
Mark unused parameter as unused
Marked unused paramters as unused in the interfaces listed below.
accountsd.if:accountsd_admin()
bugzilla.if:bugzilla_admin()
devicekit.if:devicekit_admin()
lsm.if:lsmd_admin()
plymouthd.if:plymouthd_admin()
rsync.if:rsync_admin()
samhain.if:samhain_admin()
sectoolm.if:sectoolm_role()
Signed-off-by: James Carter <jwcart2 <AT> tycho.nsa.gov>
policy/modules/contrib/accountsd.if | 2 +-
policy/modules/contrib/bugzilla.if | 2 +-
policy/modules/contrib/devicekit.if | 2 +-
policy/modules/contrib/lsm.if | 2 +-
policy/modules/contrib/plymouthd.if | 2 +-
policy/modules/contrib/rsync.if | 2 +-
policy/modules/contrib/samhain.if | 2 +-
policy/modules/contrib/sectoolm.if | 2 +-
8 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/policy/modules/contrib/accountsd.if b/policy/modules/contrib/accountsd.if
index bd5ec9ab..312d5692 100644
--- a/policy/modules/contrib/accountsd.if
+++ b/policy/modules/contrib/accountsd.if
@@ -129,7 +129,7 @@ interface(`accountsd_manage_lib_files',`
## Domain allowed access.
## </summary>
## </param>
-## <param name="role">
+## <param name="role" unused="true">
## <summary>
## Role allowed access.
## </summary>
diff --git a/policy/modules/contrib/bugzilla.if b/policy/modules/contrib/bugzilla.if
index 1b22262d..19fce8e0 100644
--- a/policy/modules/contrib/bugzilla.if
+++ b/policy/modules/contrib/bugzilla.if
@@ -48,7 +48,7 @@ interface(`bugzilla_dontaudit_rw_stream_sockets',`
## Domain allowed access.
## </summary>
## </param>
-## <param name="role">
+## <param name="role" unused="true">
## <summary>
## Role allowed access.
## </summary>
diff --git a/policy/modules/contrib/devicekit.if b/policy/modules/contrib/devicekit.if
index 8ce99ff4..da75b8e4 100644
--- a/policy/modules/contrib/devicekit.if
+++ b/policy/modules/contrib/devicekit.if
@@ -248,7 +248,7 @@ interface(`devicekit_manage_pid_files',`
## Domain allowed access.
## </summary>
## </param>
-## <param name="role">
+## <param name="role" unused="true">
## <summary>
## Role allowed access.
## </summary>
diff --git a/policy/modules/contrib/lsm.if b/policy/modules/contrib/lsm.if
index 365ab6fe..44910afa 100644
--- a/policy/modules/contrib/lsm.if
+++ b/policy/modules/contrib/lsm.if
@@ -10,7 +10,7 @@
## Domain allowed access.
## </summary>
## </param>
-## <param name="role">
+## <param name="role" unused="true">
## <summary>
## Role allowed access.
## </summary>
diff --git a/policy/modules/contrib/plymouthd.if b/policy/modules/contrib/plymouthd.if
index 54cd777a..04e0c734 100644
--- a/policy/modules/contrib/plymouthd.if
+++ b/policy/modules/contrib/plymouthd.if
@@ -242,7 +242,7 @@ interface(`plymouthd_read_pid_files',`
## Domain allowed access.
## </summary>
## </param>
-## <param name="role">
+## <param name="role" unused="true">
## <summary>
## Role allowed access.
## </summary>
diff --git a/policy/modules/contrib/rsync.if b/policy/modules/contrib/rsync.if
index 7a149374..097f4d3a 100644
--- a/policy/modules/contrib/rsync.if
+++ b/policy/modules/contrib/rsync.if
@@ -247,7 +247,7 @@ interface(`rsync_etc_filetrans_config',`
## Domain allowed access.
## </summary>
## </param>
-## <param name="role">
+## <param name="role" unused="true">
## <summary>
## Role allowed access.
## </summary>
diff --git a/policy/modules/contrib/samhain.if b/policy/modules/contrib/samhain.if
index 983fee57..8b6fb18b 100644
--- a/policy/modules/contrib/samhain.if
+++ b/policy/modules/contrib/samhain.if
@@ -203,7 +203,7 @@ interface(`samhain_manage_pid_files',`
## Domain allowed access.
## </summary>
## </param>
-## <param name="role">
+## <param name="role" unused="true">
## <summary>
## Role allowed access.
## </summary>
diff --git a/policy/modules/contrib/sectoolm.if b/policy/modules/contrib/sectoolm.if
index c78a569c..9e9663b5 100644
--- a/policy/modules/contrib/sectoolm.if
+++ b/policy/modules/contrib/sectoolm.if
@@ -4,7 +4,7 @@
## <summary>
## Role access for sectoolm.
## </summary>
-## <param name="role">
+## <param name="role" unused="true">
## <summary>
## Role allowed access.
## </summary>
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2018-04-22 12:00 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2018-04-22 12:00 UTC (permalink / raw
To: gentoo-commits
commit: 75d0432cdaaf2c2626d5e03c2838b676ab7ff2c7
Author: James Carter <jwcart2 <AT> tycho <DOT> nsa <DOT> gov>
AuthorDate: Wed Apr 11 18:56:31 2018 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 22 11:53:03 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=75d0432c
Remove unnecessary semicolons
Removed unnecessary semicolons in alsa.te, evolution.if, and qemu.te.
Signed-off-by: James Carter <jwcart2 <AT> tycho.nsa.gov>
policy/modules/contrib/alsa.te | 2 +-
policy/modules/contrib/evolution.if | 2 +-
policy/modules/contrib/qemu.te | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/policy/modules/contrib/alsa.te b/policy/modules/contrib/alsa.te
index 6caddbc8..e7943397 100644
--- a/policy/modules/contrib/alsa.te
+++ b/policy/modules/contrib/alsa.te
@@ -73,7 +73,7 @@ manage_dirs_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
manage_files_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
allow alsa_t alsa_var_lock_t:file manage_file_perms;
-files_lock_filetrans(alsa_t, alsa_var_lock_t, file);
+files_lock_filetrans(alsa_t, alsa_var_lock_t, file)
kernel_read_system_state(alsa_t)
diff --git a/policy/modules/contrib/evolution.if b/policy/modules/contrib/evolution.if
index 43194431..32cc77f2 100644
--- a/policy/modules/contrib/evolution.if
+++ b/policy/modules/contrib/evolution.if
@@ -224,5 +224,5 @@ interface(`evolution_domtrans',`
')
corecmd_search_bin($1)
- domtrans_pattern($1, evolution_exec_t, evolution_t);
+ domtrans_pattern($1, evolution_exec_t, evolution_t)
')
diff --git a/policy/modules/contrib/qemu.te b/policy/modules/contrib/qemu.te
index 0fe74b0f..6bdd0acc 100644
--- a/policy/modules/contrib/qemu.te
+++ b/policy/modules/contrib/qemu.te
@@ -26,7 +26,7 @@ type qemu_unit_t;
init_unit_file(qemu_unit_t)
type qemu_var_run_t;
-files_pid_file(qemu_var_run_t);
+files_pid_file(qemu_var_run_t)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2018-04-22 12:00 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2018-04-22 12:00 UTC (permalink / raw
To: gentoo-commits
commit: a84cf781659c60e5684f8759e85d9a9267a13c87
Author: James Carter <jwcart2 <AT> tycho <DOT> nsa <DOT> gov>
AuthorDate: Wed Apr 11 18:56:34 2018 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 22 11:53:03 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a84cf781
Remove use of undeclared attribute from portage.te
Removed two dontaudit rules that referred to device_type.
This attribute was not declared in policy and its only use was in a
TODO ifdef block in portage.te.
Signed-off-by: James Carter <jwcart2 <AT> tycho.nsa.gov>
policy/modules/contrib/portage.te | 2 --
1 file changed, 2 deletions(-)
diff --git a/policy/modules/contrib/portage.te b/policy/modules/contrib/portage.te
index 224eedc0..b033e44f 100644
--- a/policy/modules/contrib/portage.te
+++ b/policy/modules/contrib/portage.te
@@ -241,8 +241,6 @@ ifdef(`TODO',`
# seems to work ok without these
dontaudit portage_t device_t:{ blk_file chr_file } getattr;
dontaudit portage_t proc_t:dir setattr_dir_perms;
-dontaudit portage_t device_type:chr_file read_chr_file_perms;
-dontaudit portage_t device_type:blk_file read_blk_file_perms;
')
##########################################
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2018-04-12 11:57 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2018-04-12 11:57 UTC (permalink / raw
To: gentoo-commits
commit: 5857e634aaee0f8665a884859ffc3d4cf05d16c4
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Apr 12 10:25:18 2018 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Apr 12 11:56:59 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5857e634
dropbox: update fcontext and map usr_t
policy/modules/contrib/dropbox.fc | 2 +-
policy/modules/contrib/dropbox.te | 1 +
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/dropbox.fc b/policy/modules/contrib/dropbox.fc
index a83a1bff..bcd85a60 100644
--- a/policy/modules/contrib/dropbox.fc
+++ b/policy/modules/contrib/dropbox.fc
@@ -8,7 +8,7 @@ HOME_DIR/\.dropbox-dist(/.*)?/dropboxd? -- gen_context(system_u:object_r:dropbo
/opt/bin/dropbox -l gen_context(system_u:object_r:dropbox_exec_t,s0)
/opt/dropbox/.*py?\.?.*egg(/.*)? gen_context(system_u:object_r:lib_t,s0)
-/opt/dropbox/lib.*\.so\.. -- gen_context(system_u:object_r:lib_t,s0)
+/opt/dropbox/lib.*\.so\.[0-9]+ -- gen_context(system_u:object_r:lib_t,s0)
/opt/dropbox/dropboxd? -- gen_context(system_u:object_r:dropbox_exec_t,s0)
/opt/dropbox/library\.zip -l gen_context(system_u:object_r:lib_t,s0)
diff --git a/policy/modules/contrib/dropbox.te b/policy/modules/contrib/dropbox.te
index 63f95c25..80d8af37 100644
--- a/policy/modules/contrib/dropbox.te
+++ b/policy/modules/contrib/dropbox.te
@@ -89,6 +89,7 @@ dev_read_urand(dropbox_t)
libs_exec_ldconfig(dropbox_t)
files_read_usr_files(dropbox_t)
+files_map_usr_files(dropbox_t)
auth_use_nsswitch(dropbox_t)
miscfiles_read_localization(dropbox_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2018-03-25 10:29 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2018-03-25 10:29 UTC (permalink / raw
To: gentoo-commits
commit: d124bc67058d9f7913289dec07b0b4cb27e25acf
Author: Dave Sugar <dsugar <AT> tresys <DOT> com>
AuthorDate: Mon Mar 5 14:03:01 2018 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Mar 25 09:31:07 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d124bc67
Policy for chronyc - it was running in init_t domain
This patch is creating a new domain for /usr/bin/chronyc. This is a cli program that talks to a running chronyd process. chronyc is used by chrony-wait.service and I was seeing chronyc running in the init_t domain when started this way.
Interface name updated based on suggestions.
Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>
policy/modules/contrib/chronyd.fc | 1 +
policy/modules/contrib/chronyd.if | 20 +++++++++++++++++
policy/modules/contrib/chronyd.te | 46 +++++++++++++++++++++++++++++++++++++--
3 files changed, 65 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/chronyd.fc b/policy/modules/contrib/chronyd.fc
index 445f3749..7153deee 100644
--- a/policy/modules/contrib/chronyd.fc
+++ b/policy/modules/contrib/chronyd.fc
@@ -9,6 +9,7 @@
/usr/lib/systemd/system/[^/]*chrony-wait.* -- gen_context(system_u:object_r:chronyd_unit_t,s0)
/usr/lib/systemd/system/[^/]*chronyd.* -- gen_context(system_u:object_r:chronyd_unit_t,s0)
+/usr/bin/chronyc -- gen_context(system_u:object_r:chronyc_exec_t,s0)
/usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0)
/var/lib/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_lib_t,s0)
diff --git a/policy/modules/contrib/chronyd.if b/policy/modules/contrib/chronyd.if
index a42bc4f4..32988914 100644
--- a/policy/modules/contrib/chronyd.if
+++ b/policy/modules/contrib/chronyd.if
@@ -252,6 +252,26 @@ interface(`chronyd_status',`
allow $1 chronyd_unit_t:service status;
')
+########################################
+## <summary>
+## Send to chronyd command line interface using a unix domain
+## datagram socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`chronyd_dgram_send_cli',`
+ gen_require(`
+ type chronyc_t, chronyd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ dgram_send_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyc_t)
+')
+
####################################
## <summary>
## All of the rules required to
diff --git a/policy/modules/contrib/chronyd.te b/policy/modules/contrib/chronyd.te
index f28dd5e6..0634548d 100644
--- a/policy/modules/contrib/chronyd.te
+++ b/policy/modules/contrib/chronyd.te
@@ -9,6 +9,10 @@ type chronyd_t;
type chronyd_exec_t;
init_daemon_domain(chronyd_t, chronyd_exec_t)
+type chronyc_t;
+type chronyc_exec_t;
+init_daemon_domain(chronyc_t, chronyc_exec_t)
+
type chronyd_conf_t;
files_config_file(chronyd_conf_t)
@@ -35,10 +39,10 @@ init_daemon_pid_file(chronyd_var_run_t, dir, "chrony")
########################################
#
-# Local policy
+# chronyd local policy
#
-allow chronyd_t self:capability { dac_override ipc_lock setgid setuid sys_resource sys_time };
+allow chronyd_t self:capability { chown dac_override ipc_lock setgid setuid sys_resource sys_time };
allow chronyd_t self:process { getcap setcap setrlimit signal };
allow chronyd_t self:shm create_shm_perms;
allow chronyd_t self:fifo_file rw_fifo_file_perms;
@@ -91,6 +95,7 @@ logging_send_syslog_msg(chronyd_t)
miscfiles_read_localization(chronyd_t)
+chronyd_dgram_send_cli(chronyd_t)
chronyd_read_config(chronyd_t)
optional_policy(`
@@ -100,3 +105,40 @@ optional_policy(`
optional_policy(`
mta_send_mail(chronyd_t)
')
+
+########################################
+#
+# chronyc local policy
+#
+
+allow chronyc_t self:capability { dac_override };
+allow chronyc_t self:process { signal };
+allow chronyc_t self:udp_socket create_socket_perms;
+allow chronyc_t self:netlink_route_socket create_netlink_socket_perms;
+
+manage_dirs_pattern(chronyc_t, chronyd_var_run_t, chronyd_var_run_t)
+manage_files_pattern(chronyc_t, chronyd_var_run_t, chronyd_var_run_t)
+manage_sock_files_pattern(chronyc_t, chronyd_var_run_t, chronyd_var_run_t)
+files_pid_filetrans(chronyc_t, chronyd_var_run_t, { dir file sock_file })
+
+corenet_all_recvfrom_unlabeled(chronyc_t)
+corenet_all_recvfrom_netlabel(chronyc_t)
+corenet_udp_sendrecv_generic_if(chronyc_t)
+corenet_udp_sendrecv_generic_node(chronyc_t)
+
+corenet_sendrecv_chronyd_client_packets(chronyc_t)
+corenet_udp_sendrecv_chronyd_port(chronyc_t)
+
+files_read_etc_files(chronyc_t)
+files_read_usr_files(chronyc_t)
+
+logging_send_syslog_msg(chronyc_t)
+
+sysnet_read_config(chronyc_t)
+sysnet_dns_name_resolve(chronyc_t)
+
+miscfiles_read_localization(chronyc_t)
+
+chronyd_dgram_send(chronyc_t)
+chronyd_read_config(chronyc_t)
+
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2018-03-25 10:29 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2018-03-25 10:29 UTC (permalink / raw
To: gentoo-commits
commit: 1100fd2c68b60b6ab5eb34baedb20a63a191f057
Author: Dave Sugar <dsugar <AT> tresys <DOT> com>
AuthorDate: Mon Mar 5 14:03:02 2018 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Mar 25 09:31:12 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1100fd2c
Allow execution of chronyc from commandline
With the previous patch moving chronyc into a separate domain this adds interfaces to execute chronyc from the command line and have it run in the chronyc_t domain.
Updated interface names based on suggestion, added missing permission to allow chronyc_t domain access to tty.
Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>
policy/modules/contrib/chronyd.if | 46 +++++++++++++++++++++++++++++++++++++++
policy/modules/contrib/chronyd.te | 8 +++++++
2 files changed, 54 insertions(+)
diff --git a/policy/modules/contrib/chronyd.if b/policy/modules/contrib/chronyd.if
index 32988914..bc4ba691 100644
--- a/policy/modules/contrib/chronyd.if
+++ b/policy/modules/contrib/chronyd.if
@@ -19,6 +19,25 @@ interface(`chronyd_domtrans',`
domtrans_pattern($1, chronyd_exec_t, chronyd_t)
')
+#####################################
+## <summary>
+## Execute chronyc in the chronyc domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`chronyd_domtrans_cli',`
+ gen_require(`
+ type chronyc_t, chronyc_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, chronyc_exec_t, chronyc_t)
+')
+
########################################
## <summary>
## Execute chronyd server in the
@@ -57,6 +76,33 @@ interface(`chronyd_exec',`
can_exec($1, chronyd_exec_t)
')
+########################################
+## <summary>
+## Execute chronyc in the chronyc domain,
+## and allow the specified roles the
+## chronyc domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`chronyd_run_cli',`
+ gen_require(`
+ attribute_role chronyc_roles;
+ ')
+
+ chronyd_domtrans_cli($1)
+ roleattribute $2 chronyc_roles;
+')
+
#####################################
## <summary>
## Read chronyd log files.
diff --git a/policy/modules/contrib/chronyd.te b/policy/modules/contrib/chronyd.te
index 0634548d..8277ef81 100644
--- a/policy/modules/contrib/chronyd.te
+++ b/policy/modules/contrib/chronyd.te
@@ -5,6 +5,8 @@ policy_module(chronyd, 1.5.0)
# Declarations
#
+attribute_role chronyc_roles;
+
type chronyd_t;
type chronyd_exec_t;
init_daemon_domain(chronyd_t, chronyd_exec_t)
@@ -12,6 +14,8 @@ init_daemon_domain(chronyd_t, chronyd_exec_t)
type chronyc_t;
type chronyc_exec_t;
init_daemon_domain(chronyc_t, chronyc_exec_t)
+application_domain(chronyc_t, chronyc_exec_t)
+role chronyc_roles types chronyc_t;
type chronyd_conf_t;
files_config_file(chronyd_conf_t)
@@ -132,6 +136,8 @@ corenet_udp_sendrecv_chronyd_port(chronyc_t)
files_read_etc_files(chronyc_t)
files_read_usr_files(chronyc_t)
+locallogin_use_fds(chronyc_t)
+
logging_send_syslog_msg(chronyc_t)
sysnet_read_config(chronyc_t)
@@ -139,6 +145,8 @@ sysnet_dns_name_resolve(chronyc_t)
miscfiles_read_localization(chronyc_t)
+userdom_use_user_ttys(chronyc_t)
+
chronyd_dgram_send(chronyc_t)
chronyd_read_config(chronyc_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2018-03-25 10:29 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2018-03-25 10:29 UTC (permalink / raw
To: gentoo-commits
commit: 00fd90a80b6325005dc025fddcb990d8db9502ee
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Mar 7 22:03:15 2018 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Mar 25 09:31:15 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=00fd90a8
chronyd: Module version bump.
policy/modules/contrib/chronyd.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/chronyd.te b/policy/modules/contrib/chronyd.te
index 8277ef81..e89aa2fe 100644
--- a/policy/modules/contrib/chronyd.te
+++ b/policy/modules/contrib/chronyd.te
@@ -1,4 +1,4 @@
-policy_module(chronyd, 1.5.0)
+policy_module(chronyd, 1.5.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2018-03-25 10:29 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2018-03-25 10:29 UTC (permalink / raw
To: gentoo-commits
commit: db9a72463f10cbb7217d816dc4a2fe7ba584e888
Author: Dave Sugar <dsugar <AT> tresys <DOT> com>
AuthorDate: Mon Mar 5 14:03:00 2018 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Mar 25 09:30:59 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=db9a7246
Chronyd talks ntp client packets to get time from server
chronyd is an NTP client along with an NTP server. Change to allow chronyd to send/recv ntp client packets.
Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>
policy/modules/contrib/chronyd.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/chronyd.te b/policy/modules/contrib/chronyd.te
index 09d7f834..f28dd5e6 100644
--- a/policy/modules/contrib/chronyd.te
+++ b/policy/modules/contrib/chronyd.te
@@ -74,6 +74,7 @@ corenet_udp_sendrecv_generic_if(chronyd_t)
corenet_udp_sendrecv_generic_node(chronyd_t)
corenet_udp_bind_generic_node(chronyd_t)
+corenet_sendrecv_ntp_client_packets(chronyd_t)
corenet_sendrecv_ntp_server_packets(chronyd_t)
corenet_udp_bind_ntp_port(chronyd_t)
corenet_udp_sendrecv_ntp_port(chronyd_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2018-03-25 10:29 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2018-03-25 10:29 UTC (permalink / raw
To: gentoo-commits
commit: 7a8275937a8628ca031dddf5f47cf2b27aaf94b3
Author: Dave Sugar <dsugar <AT> tresys <DOT> com>
AuthorDate: Mon Mar 5 14:02:59 2018 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Mar 25 09:30:44 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7a827593
Add interface to start/stop/enable/disable/status of chronyd service
Add interfaces to allow process to systemctl start, stop, enable, disable, and status of chronyd.service
Fix summary for chronyd_startstop from previous submission
Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>
policy/modules/contrib/chronyd.if | 57 +++++++++++++++++++++++++++++++++++++++
1 file changed, 57 insertions(+)
diff --git a/policy/modules/contrib/chronyd.if b/policy/modules/contrib/chronyd.if
index e0a751ac..a42bc4f4 100644
--- a/policy/modules/contrib/chronyd.if
+++ b/policy/modules/contrib/chronyd.if
@@ -195,6 +195,63 @@ interface(`chronyd_read_key_files',`
read_files_pattern($1, chronyd_keys_t, chronyd_keys_t)
')
+########################################
+## <summary>
+## Allow specified domain to enable and disable chronyd unit
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`chronyd_enabledisable',`
+ gen_require(`
+ type chronyd_unit_t;
+ class service { enable disable };
+ ')
+
+ allow $1 chronyd_unit_t:service { enable disable };
+')
+
+########################################
+## <summary>
+## Allow specified domain to start and stop chronyd unit
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`chronyd_startstop',`
+ gen_require(`
+ type chronyd_unit_t;
+ class service { start stop };
+ ')
+
+ allow $1 chronyd_unit_t:service { start stop };
+')
+
+########################################
+## <summary>
+## Allow specified domain to get status of chronyd unit
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`chronyd_status',`
+ gen_require(`
+ type chronyd_unit_t;
+ class service status;
+ ')
+
+ allow $1 chronyd_unit_t:service status;
+')
+
####################################
## <summary>
## All of the rules required to
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2018-03-25 10:29 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2018-03-25 10:29 UTC (permalink / raw
To: gentoo-commits
commit: 3a5a7910830b23b71b72a90d4e941f066475f613
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Tue Feb 27 22:25:59 2018 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Mar 25 09:30:33 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3a5a7910
ntp: Module version bump.
policy/modules/contrib/ntp.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/ntp.te b/policy/modules/contrib/ntp.te
index 50d54178..da6bd145 100644
--- a/policy/modules/contrib/ntp.te
+++ b/policy/modules/contrib/ntp.te
@@ -1,4 +1,4 @@
-policy_module(ntp, 1.17.0)
+policy_module(ntp, 1.17.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2018-03-25 10:29 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2018-03-25 10:29 UTC (permalink / raw
To: gentoo-commits
commit: a70aa3e3b948e30a7ed01a9d09b762419fa76d48
Author: Dave Sugar <dsugar <AT> tresys <DOT> com>
AuthorDate: Mon Mar 5 14:02:58 2018 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Mar 25 09:30:41 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a70aa3e3
Separate type for chronyd config file.
Separate label for /etc/chrony.conf (chronyd_conf_t) with interfaces to allow read-only or read/write access. Needed as I have a process that alters chrony.conf but I didn't want this process to have access to write all etc_t files.
Fixed summary for chronyd_rw_config interface from previous submission.
Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>
policy/modules/contrib/chronyd.fc | 1 +
policy/modules/contrib/chronyd.if | 38 ++++++++++++++++++++++++++++++++++++++
policy/modules/contrib/chronyd.te | 5 +++++
3 files changed, 44 insertions(+)
diff --git a/policy/modules/contrib/chronyd.fc b/policy/modules/contrib/chronyd.fc
index ca2747e7..445f3749 100644
--- a/policy/modules/contrib/chronyd.fc
+++ b/policy/modules/contrib/chronyd.fc
@@ -1,3 +1,4 @@
+/etc/chrony\.conf -- gen_context(system_u:object_r:chronyd_conf_t,s0)
/etc/chrony\.keys -- gen_context(system_u:object_r:chronyd_keys_t,s0)
/etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0)
diff --git a/policy/modules/contrib/chronyd.if b/policy/modules/contrib/chronyd.if
index 3d45be4c..e0a751ac 100644
--- a/policy/modules/contrib/chronyd.if
+++ b/policy/modules/contrib/chronyd.if
@@ -76,6 +76,44 @@ interface(`chronyd_read_log',`
read_files_pattern($1, chronyd_var_log_t, chronyd_var_log_t)
')
+#####################################
+## <summary>
+## Read chronyd config file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`chronyd_read_config',`
+ gen_require(`
+ type chronyd_conf_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 chronyd_conf_t:file read_file_perms;
+')
+
+#####################################
+## <summary>
+## Read and write chronyd config file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`chronyd_rw_config',`
+ gen_require(`
+ type chronyd_conf_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 chronyd_conf_t:file rw_file_perms;
+')
+
########################################
## <summary>
## Read and write chronyd shared memory.
diff --git a/policy/modules/contrib/chronyd.te b/policy/modules/contrib/chronyd.te
index 0de7b520..09d7f834 100644
--- a/policy/modules/contrib/chronyd.te
+++ b/policy/modules/contrib/chronyd.te
@@ -9,6 +9,9 @@ type chronyd_t;
type chronyd_exec_t;
init_daemon_domain(chronyd_t, chronyd_exec_t)
+type chronyd_conf_t;
+files_config_file(chronyd_conf_t)
+
type chronyd_initrc_exec_t;
init_script_file(chronyd_initrc_exec_t)
@@ -87,6 +90,8 @@ logging_send_syslog_msg(chronyd_t)
miscfiles_read_localization(chronyd_t)
+chronyd_read_config(chronyd_t)
+
optional_policy(`
gpsd_rw_shm(chronyd_t)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2018-03-25 10:29 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2018-03-25 10:29 UTC (permalink / raw
To: gentoo-commits
commit: de0bc389501c938e7a739a6dc4c9812f8412f715
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Feb 18 13:19:26 2018 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Mar 25 09:30:24 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=de0bc389
udisks2 and /dev/mem version 2 patch from Russell Coker.
policy/modules/contrib/devicekit.te | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/devicekit.te b/policy/modules/contrib/devicekit.te
index 390564a3..27e0dae0 100644
--- a/policy/modules/contrib/devicekit.te
+++ b/policy/modules/contrib/devicekit.te
@@ -1,4 +1,4 @@
-policy_module(devicekit, 1.8.1)
+policy_module(devicekit, 1.8.2)
########################################
#
@@ -151,6 +151,11 @@ miscfiles_read_localization(devicekit_disk_t)
userdom_read_all_users_state(devicekit_disk_t)
userdom_search_user_home_dirs(devicekit_disk_t)
+ifdef(`distro_debian',`
+ # /dev/mem is accessed by libparted to get EFI data
+ dev_read_raw_memory(devicekit_disk_t)
+')
+
optional_policy(`
dbus_system_bus_client(devicekit_disk_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2018-03-25 10:29 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2018-03-25 10:29 UTC (permalink / raw
To: gentoo-commits
commit: 30f047c074b82fddea4cd78aab1e2935733d29ef
Author: David Sugar <dsugar <AT> tresys <DOT> com>
AuthorDate: Sat Feb 24 14:52:17 2018 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Mar 25 09:30:30 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=30f047c0
ntp only uses UDP, remove TCP permissions
The NTP protocol states it only used UDP for network communication. Remove currently allowed access to TCP that should not be needed.
Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>
policy/modules/contrib/ntp.te | 8 +-------
1 file changed, 1 insertion(+), 7 deletions(-)
diff --git a/policy/modules/contrib/ntp.te b/policy/modules/contrib/ntp.te
index 66c8eaa9..50d54178 100644
--- a/policy/modules/contrib/ntp.te
+++ b/policy/modules/contrib/ntp.te
@@ -59,7 +59,6 @@ allow ntpd_t self:process { signal_perms getcap setcap setsched setrlimit };
allow ntpd_t self:fifo_file rw_fifo_file_perms;
allow ntpd_t self:shm create_shm_perms;
allow ntpd_t self:socket create;
-allow ntpd_t self:tcp_socket { accept listen };
allow ntpd_t self:unix_dgram_socket sendto;
allow ntpd_t ntp_conf_t:file read_file_perms;
@@ -101,20 +100,15 @@ kernel_request_load_module(ntpd_t)
corenet_all_recvfrom_unlabeled(ntpd_t)
corenet_all_recvfrom_netlabel(ntpd_t)
-corenet_tcp_sendrecv_generic_if(ntpd_t)
corenet_udp_sendrecv_generic_if(ntpd_t)
-corenet_tcp_sendrecv_generic_node(ntpd_t)
corenet_udp_sendrecv_generic_node(ntpd_t)
corenet_udp_bind_generic_node(ntpd_t)
+corenet_sendrecv_ntp_client_packets(ntpd_t)
corenet_sendrecv_ntp_server_packets(ntpd_t)
corenet_udp_bind_ntp_port(ntpd_t)
corenet_udp_sendrecv_ntp_port(ntpd_t)
-corenet_sendrecv_ntp_client_packets(ntpd_t)
-corenet_tcp_connect_ntp_port(ntpd_t)
-corenet_tcp_sendrecv_ntp_port(ntpd_t)
-
corecmd_exec_bin(ntpd_t)
corecmd_exec_shell(ntpd_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2018-03-25 10:29 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2018-03-25 10:29 UTC (permalink / raw
To: gentoo-commits
commit: d2e8b8d134bb93e896d3c2c73487abe31406323a
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Feb 18 16:25:01 2018 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Mar 25 09:30:28 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d2e8b8d1
another trivial dbus patch from Russell Coker.
policy/modules/contrib/dbus.te | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index 0d84f3dd..0b3c3d9e 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -1,4 +1,4 @@
-policy_module(dbus, 1.24.1)
+policy_module(dbus, 1.24.2)
gen_require(`
class dbus all_dbus_perms;
@@ -192,6 +192,10 @@ optional_policy(`
udev_read_db(system_dbusd_t)
')
+optional_policy(`
+ unconfined_dbus_send(system_dbusd_t)
+')
+
optional_policy(`
xserver_read_xdm_lib_files(system_dbusd_t)
xserver_use_xdm_fds(system_dbusd_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2018-02-18 11:30 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2018-02-18 11:30 UTC (permalink / raw
To: gentoo-commits
commit: 8fdebd557db3d293e40ef47be7cbff315576beab
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Thu Feb 15 22:09:45 2018 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Feb 18 11:19:30 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8fdebd55
Simple map patch from Russell Coker.
policy/modules/contrib/dictd.te | 3 ++-
policy/modules/contrib/dpkg.if | 18 ++++++++++++++++++
policy/modules/contrib/dpkg.te | 2 +-
policy/modules/contrib/logrotate.te | 3 ++-
policy/modules/contrib/tor.te | 2 +-
5 files changed, 24 insertions(+), 4 deletions(-)
diff --git a/policy/modules/contrib/dictd.te b/policy/modules/contrib/dictd.te
index acf5c932..6cad541b 100644
--- a/policy/modules/contrib/dictd.te
+++ b/policy/modules/contrib/dictd.te
@@ -1,4 +1,4 @@
-policy_module(dictd, 1.11.0)
+policy_module(dictd, 1.11.1)
########################################
#
@@ -57,6 +57,7 @@ dev_read_sysfs(dictd_t)
domain_use_interactive_fds(dictd_t)
+files_map_usr_files(dictd_t)
files_read_etc_runtime_files(dictd_t)
files_read_usr_files(dictd_t)
files_search_var_lib(dictd_t)
diff --git a/policy/modules/contrib/dpkg.if b/policy/modules/contrib/dpkg.if
index c753ad62..a5e88d6f 100644
--- a/policy/modules/contrib/dpkg.if
+++ b/policy/modules/contrib/dpkg.if
@@ -301,3 +301,21 @@ interface(`dpkg_manage_script_tmp_files',`
allow $1 dpkg_script_tmp_t:dir manage_dir_perms;
allow $1 dpkg_script_tmp_t:file manage_file_perms;
')
+
+########################################
+## <summary>
+## map dpkg_script_tmp_t files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dpkg_map_script_tmp_files',`
+ gen_require(`
+ type dpkg_script_tmp_t;
+ ')
+
+ allow $1 dpkg_script_tmp_t:file map;
+')
diff --git a/policy/modules/contrib/dpkg.te b/policy/modules/contrib/dpkg.te
index 0ff59b94..e7747bc7 100644
--- a/policy/modules/contrib/dpkg.te
+++ b/policy/modules/contrib/dpkg.te
@@ -1,4 +1,4 @@
-policy_module(dpkg, 1.12.0)
+policy_module(dpkg, 1.12.1)
########################################
#
diff --git a/policy/modules/contrib/logrotate.te b/policy/modules/contrib/logrotate.te
index 4bb9da7b..2490cdfa 100644
--- a/policy/modules/contrib/logrotate.te
+++ b/policy/modules/contrib/logrotate.te
@@ -1,4 +1,4 @@
-policy_module(logrotate, 1.20.0)
+policy_module(logrotate, 1.20.1)
########################################
#
@@ -77,6 +77,7 @@ domain_use_interactive_fds(logrotate_t)
domain_getattr_all_entry_files(logrotate_t)
domain_read_all_domains_state(logrotate_t)
+files_map_etc_files(logrotate_t)
files_read_usr_files(logrotate_t)
files_read_etc_runtime_files(logrotate_t)
files_read_all_pids(logrotate_t)
diff --git a/policy/modules/contrib/tor.te b/policy/modules/contrib/tor.te
index 990ea8c4..8029630f 100644
--- a/policy/modules/contrib/tor.te
+++ b/policy/modules/contrib/tor.te
@@ -1,4 +1,4 @@
-policy_module(tor, 1.14.0)
+policy_module(tor, 1.14.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2018-02-18 11:30 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2018-02-18 11:30 UTC (permalink / raw
To: gentoo-commits
commit: f9fe55e7d7c4635f6de5b252fb1887b200601792
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Thu Feb 15 22:06:45 2018 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Feb 18 11:17:07 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f9fe55e7
Misc dbus fixes from Russell Coker.
policy/modules/contrib/apt.te | 11 ++++++++++-
policy/modules/contrib/dbus.te | 5 ++++-
policy/modules/contrib/devicekit.te | 8 +++++++-
policy/modules/contrib/networkmanager.te | 3 ++-
4 files changed, 23 insertions(+), 4 deletions(-)
diff --git a/policy/modules/contrib/apt.te b/policy/modules/contrib/apt.te
index c54e2126..ed05a060 100644
--- a/policy/modules/contrib/apt.te
+++ b/policy/modules/contrib/apt.te
@@ -1,4 +1,4 @@
-policy_module(apt, 1.11.0)
+policy_module(apt, 1.11.1)
########################################
#
@@ -135,6 +135,15 @@ optional_policy(`
optional_policy(`
dbus_system_domain(apt_t, apt_exec_t)
+
+ optional_policy(`
+ # for packagekitd
+ policykit_dbus_chat(apt_t)
+ ')
+
+ optional_policy(`
+ unconfined_dbus_send(apt_t)
+ ')
')
optional_policy(`
diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index 00a15e45..0d84f3dd 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -1,4 +1,4 @@
-policy_module(dbus, 1.24.0)
+policy_module(dbus, 1.24.1)
gen_require(`
class dbus all_dbus_perms;
@@ -136,6 +136,9 @@ init_use_script_ptys(system_dbusd_t)
init_all_labeled_script_domtrans(system_dbusd_t)
init_start_system(system_dbusd_t) # needed by dbus-broker
+# for powerdevil /usr/lib/x86_64-linux-gnu/libexec/kauth/*
+libs_exec_lib_files(system_dbusd_t)
+
logging_send_audit_msgs(system_dbusd_t)
logging_send_syslog_msg(system_dbusd_t)
diff --git a/policy/modules/contrib/devicekit.te b/policy/modules/contrib/devicekit.te
index 562cede8..390564a3 100644
--- a/policy/modules/contrib/devicekit.te
+++ b/policy/modules/contrib/devicekit.te
@@ -1,4 +1,4 @@
-policy_module(devicekit, 1.8.0)
+policy_module(devicekit, 1.8.1)
########################################
#
@@ -163,6 +163,11 @@ optional_policy(`
optional_policy(`
policykit_dbus_chat(devicekit_disk_t)
')
+
+ optional_policy(`
+ # gwenview triggers the need for this
+ xserver_dbus_chat_xdm(devicekit_disk_t)
+ ')
')
optional_policy(`
@@ -287,6 +292,7 @@ optional_policy(`
optional_policy(`
dbus_system_bus_client(devicekit_power_t)
+ init_dbus_chat(devicekit_power_t)
allow devicekit_power_t devicekit_t:dbus send_msg;
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index 18137aed..e65eb094 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -1,4 +1,4 @@
-policy_module(networkmanager, 1.22.0)
+policy_module(networkmanager, 1.22.1)
########################################
#
@@ -224,6 +224,7 @@ optional_policy(`
optional_policy(`
dbus_system_domain(NetworkManager_t, NetworkManager_exec_t)
+ init_dbus_chat(NetworkManager_t)
optional_policy(`
avahi_dbus_chat(NetworkManager_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2018-01-18 16:37 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2018-01-18 16:37 UTC (permalink / raw
To: gentoo-commits
commit: 78a19a3f7cbb0596156dc9c50dadfaf629111ccf
Author: Christian Göttsche <cgzones <AT> googlemail <DOT> com>
AuthorDate: Wed Jan 3 23:40:06 2018 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Jan 18 16:26:15 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=78a19a3f
spamassassin: fix missing perms
version 2:
* fix non existent interface kernel_search_crypto_sysctls
* add spamd-gpg permissions on update
policy/modules/contrib/spamassassin.te | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/spamassassin.te b/policy/modules/contrib/spamassassin.te
index 9bc81030..7d34829d 100644
--- a/policy/modules/contrib/spamassassin.te
+++ b/policy/modules/contrib/spamassassin.te
@@ -549,10 +549,13 @@ optional_policy(`
allow spamd_gpg_t spamd_update_t:fd use;
allow spamd_gpg_t spamd_update_t:process sigchld;
allow spamd_gpg_t spamd_update_t:fifo_file { getattr write };
- allow spamd_gpg_t spamd_var_lib_t:dir search_dir_perms;
- allow spamd_gpg_t spamd_var_lib_t:file rw_file_perms;
+ allow spamd_gpg_t spamd_var_lib_t:dir rw_dir_perms;
+ allow spamd_gpg_t spamd_var_lib_t:file manage_file_perms;
allow spamd_gpg_t spamd_update_tmp_t:file read_file_perms;
+ # fips
+ kernel_read_crypto_sysctls(spamd_gpg_t)
+
domain_use_interactive_fds(spamd_gpg_t)
files_read_etc_files(spamd_gpg_t)
@@ -562,6 +565,7 @@ optional_policy(`
files_search_tmp(spamd_gpg_t)
init_use_fds(spamd_gpg_t)
+ init_rw_inherited_stream_socket(spamd_gpg_t)
miscfiles_read_localization(spamd_gpg_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2018-01-18 16:37 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2018-01-18 16:37 UTC (permalink / raw
To: gentoo-commits
commit: d356cc2603d590a9ad14d47b09fb3a84ff7f2fce
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Jan 14 19:08:09 2018 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Jan 18 16:26:15 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d356cc26
Update Changelog for release.
policy/modules/contrib/Changelog | 156 +++++++++++++++++++++++++++++++++++++++
1 file changed, 156 insertions(+)
diff --git a/policy/modules/contrib/Changelog b/policy/modules/contrib/Changelog
index 2a6e15b4..1596ba77 100644
--- a/policy/modules/contrib/Changelog
+++ b/policy/modules/contrib/Changelog
@@ -1,3 +1,159 @@
+* Sun Jan 14 2018 Chris PeBenito <pebenito@ieee.org> - 2.20180114
+Chad Hanson (1):
+ Allow rpm to relabel files at all levels
+
+Chris PeBenito (46):
+ Remove deprecated interfaces more than one year old.
+ Remove complement and wildcard in allow rules.
+ Merge branch 'master' of git://github.com/teg/refpolicy-contrib
+ dbus: Module version bump for dbus-broker patch from Tom Gundersen.
+ Module version bump for patches from Guido Trentalancia.
+ Module version bumps for patches from David Sugar.
+ dhcp, logrotate: Module version bump.
+ Module version bumps for chkrootkit, dkim, dmidecode, portage, and
+ rkhunter.
+ Module version bumps.
+ spamassassin: Move lines.
+ mandb, spamassassin: Module version bumps.
+ spamassassin: Fix build error.
+ spamassassin: Add missing requirement in spamassassin_admin().
+ dphysswapfile: Module version bump.
+ gpg, pulseaudio, rpc: Module version bump.
+ dnsmasq, gnome, mon, mta, openoffice, pulseaudio, wm: Version bumps.
+ Revert "postfix: Some table drivers (notably cdb) need to mmap() their
+ databases"
+ java, mozilla, mta, postfix: Module version bump.
+ portage: Fix usr_t map interface usage.
+ apache, portage: Module version bump.
+ dbus, policykit, wm: Module version bump.
+ dbus: Add comment.
+ Merge branch 'nm_audit' of git://github.com/bigon/refpolicy-contrib
+ networkmanager: Module version bump.
+ virt: Move a line.
+ alsa, mon, virt: Module version bump.
+ gpg, mozilla, rpc: Module version bump.
+ Several module version bumps.
+ blueman, evolution, gpg, mozilla, openoffice, thunderbird, wireshark, wm:
+ Module version bump.
+ wm: Module version bump.
+ networkmanager: Move line.
+ networkmanager: Module version bump.
+ Merge branch 'pkcs' of https://github.com/dodys/refpolicy-contrib
+ pkcs: Rename pkcs_slotd_unit_file_t.
+ pkcs: Module version bump.
+ accountsd, policykit: Module version bump.
+ dbus, devicekit, modemmanager, networkmanager, virt: Module version bump.
+ modemmanager: Move lines.
+ rpm: Module version bump.
+ cachefilesd, dbus, dirmngr, gnome, gpg, pulseaudio: Module version bump.
+ Replace deprecated mmap perm sets and pattern usage.
+ gssproxy: Module version bump.
+ monit: Module version bump.
+ apache, dkim, monit: Module version bump.
+ spamassassin: Module version bump.
+ Bump module versions for release.
+
+Christian Göttsche (20):
+ dkim: align filecontexts
+ dkim: update
+ milter: align filecontexts
+ apache: align filecontexts
+ dmidecode: use userdom_use_inherited_user_terminals
+ spamassassin: align filecontexts
+ chkrootkit: update
+ rkhunter: add several missing permission
+ fakehwclock: update
+ milter: update
+ mandb: fixes for systemd timer and /usr/local/man label
+ spamassassin: update
+ dphysswapfile: fix swapfile creation
+ apache: update
+ monit: update
+ dkim: align file contexts
+ dkim: update
+ apache: update
+ monit: read /usr/share/ca-certificates for cert verification
+ spamassassin: fix missing perms
+
+Daniel Jurgens (1):
+ networkmanager: Grant access to unlabeled PKeys
+
+David Sugar (5):
+ mon: move rpc_* into optional
+ wm: consolidate networkmanger interface calls into single optional
+ cron: optional_policy for mta_* interfaces
+ Label /usr/bin/mutter
+ Allow to read /proc/sys/crypto/fips_enabled
+
+Eduardo Barretto (2):
+ Update pkcs policy to include pkccsslotd.service
+ Update missing permissions for pkcs
+
+Guido Trentalancia (13):
+ libmtp: read symlinks in user home directories
+ spamassassin: update rules for the Bayesian classifier trainer
+ wm: let gnome-shell start properly
+ gnome: keyring daemon dbus policy update
+ gnome: keyring daemon read SELinux config
+ openoffice: improve temporary directories' operations
+ pulseaudio: general update
+ wm: gnome-shell SELinux integration
+ mozilla: run Java Web Start applications
+ wm: run PolicyKit
+ dbus: read user home content files
+ mozilla: read generic SSL certificates
+ contrib: use the new SSL private keys type (was: "let the mozilla and
+ other domains read generic SSL certificates")
+
+Jason Zaman (12):
+ cgmanager: Apply auth_use_nsswitch interface
+ alsa: needs to map its tmpfs files
+ virt: add policy for virtlogd
+ virt: updated perms for starting guests
+ gssproxy: add policy
+ rpc: Allow stream connect to gssproxy
+ gpg: search dir when connecting to agent socket
+ dirmngr: allow filetrans in gpg_runtime_t
+ gpg: Add gpg_agent_use_card boolean for OpenPGP cards
+ cachefilesd: make cachefilesd_cache_t a mountpoint
+ Set user_runtime_content_type for all remaining types in /run/user/%{UID}/
+ gssproxy: allow writing kerberos rcache
+
+Jason Zaman via refpolicy (3):
+ pulseaudio: Add neccessary map permissions
+ gpg: add fcontexts for user runtime sockets
+ rpc: add sm-notify pid fcontext
+
+Laurent Bigonville (2):
+ Allow NetworkManager to write to audit
+ Call systemd_write_inherited_logind_inhibit_pipes() where needed
+
+Luis Ressel (12):
+ portage: Allow portage_t and portage_sandbox_t to access locale_t
+ postfix: Some table drivers (notably cdb) need to mmap() their databases
+ portage: Grant the map permissions neccessary for git and install
+ alsa: alsactl needs to map its configuration
+ mozilla: Add neccessary map permissions
+ mandb: man-db needs to map its 'index.db' cache
+ portage: Remove nonsensical dontaudit of an allowed permission
+ portage: Transition to ldconfig_t when calling ldconfig
+ postfix: Some table drivers (notably cdb) need to mmap() their databases
+ postfix: Silence cap_dac_read_search denials
+ portage: Grant portage the map permission on usr_t
+ Allow gtk apps to map usr_t files
+
+Nicolas Iooss (2):
+ dbus: move comments out of the file context definitions
+ logrotate: allow systemd to start logrotate
+
+Russell Coker (3):
+ udev and dhcpd
+ minor nspawn, dnsmasq, and mon patches
+ refpolicy and certs
+
+Tom Gundersen (1):
+ dbus: add policy for dbus-broker
+
* Sat Aug 05 2017 Chris PeBenito <pebenito@ieee.org> - 2.20170805
Chris PeBenito (82):
Create / to /usr equivalence for bin, sbin, and lib, from Russell Coker.
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2018-01-18 16:37 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2018-01-18 16:37 UTC (permalink / raw
To: gentoo-commits
commit: f090e17ce1ab4dbb518f5c9216fb603c37619f3f
Author: Christian Göttsche <cgzones <AT> googlemail <DOT> com>
AuthorDate: Mon Jan 1 11:54:04 2018 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Jan 18 16:26:14 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f090e17c
monit: read /usr/share/ca-certificates for cert verification
policy/modules/contrib/monit.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/monit.te b/policy/modules/contrib/monit.te
index c08fd4f3..79d3d1bf 100644
--- a/policy/modules/contrib/monit.te
+++ b/policy/modules/contrib/monit.te
@@ -123,6 +123,7 @@ domain_getpgid_all_domains(monit_t)
domain_read_all_domains_state(monit_t)
files_read_all_pids(monit_t)
+files_read_usr_files(monit_t)
selinux_get_enforce_mode(monit_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2018-01-18 16:37 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2018-01-18 16:37 UTC (permalink / raw
To: gentoo-commits
commit: ee15243311266d2947b10a7a2e3d8a1a7f399748
Author: Christian Göttsche <cgzones <AT> googlemail <DOT> com>
AuthorDate: Mon Jan 1 11:22:29 2018 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Jan 18 16:26:14 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ee152433
dkim: align file contexts
policy/modules/contrib/dkim.fc | 26 +++++++++++++-------------
1 file changed, 13 insertions(+), 13 deletions(-)
diff --git a/policy/modules/contrib/dkim.fc b/policy/modules/contrib/dkim.fc
index 621180ab..08b65263 100644
--- a/policy/modules/contrib/dkim.fc
+++ b/policy/modules/contrib/dkim.fc
@@ -1,25 +1,25 @@
-/etc/opendkim/keys(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
+/etc/opendkim/keys(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
/etc/rc\.d/init\.d/((opendkim)|(dkim-milter)) -- gen_context(system_u:object_r:dkim_milter_initrc_exec_t,s0)
-/usr/bin/dkim-filter -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
-/usr/bin/opendkim -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
+/usr/bin/dkim-filter -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
+/usr/bin/opendkim -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
/usr/lib/systemd/system/opendkim\.service -- gen_context(system_u:object_r:dkim_milter_unit_t,s0)
-/usr/sbin/dkim-filter -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
-/usr/sbin/opendkim -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
+/usr/sbin/dkim-filter -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
+/usr/sbin/opendkim -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
-/var/db/dkim(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
+/var/db/dkim(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
-/var/lib/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
+/var/lib/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
-/var/spool/postfix/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
+/var/spool/postfix/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
-/run/dkim-filter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
-/run/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
-/run/dkim-milter\.pid -- gen_context(system_u:object_r:dkim_milter_data_t,s0)
+/run/dkim-filter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
+/run/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
+/run/dkim-milter\.pid -- gen_context(system_u:object_r:dkim_milter_data_t,s0)
-/run/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
+/run/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
-/var/spool/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
+/var/spool/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2018-01-18 16:37 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2018-01-18 16:37 UTC (permalink / raw
To: gentoo-commits
commit: 7e89b19207d85c82d3d6ffef921bdea4ab0b3a5c
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Fri Jan 5 21:20:21 2018 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Jan 18 16:26:15 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7e89b192
spamassassin: Module version bump.
policy/modules/contrib/spamassassin.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/spamassassin.te b/policy/modules/contrib/spamassassin.te
index 7d34829d..37226963 100644
--- a/policy/modules/contrib/spamassassin.te
+++ b/policy/modules/contrib/spamassassin.te
@@ -1,4 +1,4 @@
-policy_module(spamassassin, 2.11.4)
+policy_module(spamassassin, 2.11.5)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2018-01-18 16:37 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2018-01-18 16:37 UTC (permalink / raw
To: gentoo-commits
commit: ad682abef88d5a18cdc7ca5daeda810b6cbfbc31
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Dec 31 12:06:27 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Jan 18 16:26:14 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ad682abe
monit: Module version bump.
policy/modules/contrib/monit.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/monit.te b/policy/modules/contrib/monit.te
index e9c940a1..c08fd4f3 100644
--- a/policy/modules/contrib/monit.te
+++ b/policy/modules/contrib/monit.te
@@ -1,4 +1,4 @@
-policy_module(monit, 1.1.0)
+policy_module(monit, 1.1.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2018-01-18 16:37 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2018-01-18 16:37 UTC (permalink / raw
To: gentoo-commits
commit: 57f4342adb2522941718def593aa88b860fe32d9
Author: Christian Göttsche <cgzones <AT> googlemail <DOT> com>
AuthorDate: Mon Jan 1 11:34:16 2018 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Jan 18 16:26:14 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=57f4342a
apache: update
policy/modules/contrib/apache.fc | 1 -
policy/modules/contrib/apache.te | 1 +
2 files changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/apache.fc b/policy/modules/contrib/apache.fc
index 094344ca..f3202453 100644
--- a/policy/modules/contrib/apache.fc
+++ b/policy/modules/contrib/apache.fc
@@ -196,7 +196,6 @@ ifdef(`distro_suse',`
/var/www(/.*)?/nextcloud/config(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/var/www(/.*)?/nextcloud/data(.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/var/www(/.*)?/nextcloud/apps(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/www(/.*)?/nextcloud/\.htaccess -- gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
/var/www/sessions(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index be12966a..30f9755d 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -503,6 +503,7 @@ fs_search_auto_mountpoints(httpd_t)
fs_getattr_all_fs(httpd_t)
fs_read_anon_inodefs_files(httpd_t)
+fs_rw_inherited_hugetlbfs_files(httpd_t)
fs_read_iso9660_files(httpd_t)
fs_search_auto_mountpoints(httpd_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2018-01-18 16:37 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2018-01-18 16:37 UTC (permalink / raw
To: gentoo-commits
commit: ed84591411e71acf518d0660feed05318f57fbdb
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Jan 3 21:52:45 2018 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Jan 18 16:26:15 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ed845914
apache, dkim, monit: Module version bump.
policy/modules/contrib/apache.te | 2 +-
policy/modules/contrib/dkim.te | 2 +-
policy/modules/contrib/monit.te | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index 30f9755d..d932339c 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -1,4 +1,4 @@
-policy_module(apache, 2.13.2)
+policy_module(apache, 2.13.3)
########################################
#
diff --git a/policy/modules/contrib/dkim.te b/policy/modules/contrib/dkim.te
index 29880efb..3c116507 100644
--- a/policy/modules/contrib/dkim.te
+++ b/policy/modules/contrib/dkim.te
@@ -1,4 +1,4 @@
-policy_module(dkim, 1.6.1)
+policy_module(dkim, 1.6.2)
########################################
#
diff --git a/policy/modules/contrib/monit.te b/policy/modules/contrib/monit.te
index 79d3d1bf..7c5be707 100644
--- a/policy/modules/contrib/monit.te
+++ b/policy/modules/contrib/monit.te
@@ -1,4 +1,4 @@
-policy_module(monit, 1.1.1)
+policy_module(monit, 1.1.2)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2018-01-18 16:37 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2018-01-18 16:37 UTC (permalink / raw
To: gentoo-commits
commit: 52fa8fd6827120ac1b622bc6ec8f7d7899f3b5cd
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Jan 14 19:08:08 2018 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Jan 18 16:26:15 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=52fa8fd6
Bump module versions for release.
policy/modules/contrib/accountsd.te | 2 +-
policy/modules/contrib/alsa.te | 2 +-
policy/modules/contrib/apache.te | 2 +-
policy/modules/contrib/bind.te | 2 +-
policy/modules/contrib/blueman.te | 2 +-
policy/modules/contrib/cachefilesd.te | 2 +-
policy/modules/contrib/cgmanager.te | 2 +-
policy/modules/contrib/chkrootkit.te | 2 +-
policy/modules/contrib/cron.te | 2 +-
policy/modules/contrib/cyrus.te | 2 +-
policy/modules/contrib/dbus.te | 2 +-
policy/modules/contrib/devicekit.te | 2 +-
policy/modules/contrib/dhcp.te | 2 +-
policy/modules/contrib/dirmngr.te | 2 +-
policy/modules/contrib/dkim.te | 2 +-
policy/modules/contrib/dmidecode.te | 2 +-
policy/modules/contrib/dnsmasq.te | 2 +-
policy/modules/contrib/dovecot.te | 2 +-
policy/modules/contrib/dphysswapfile.te | 2 +-
policy/modules/contrib/evolution.te | 2 +-
policy/modules/contrib/exim.te | 2 +-
policy/modules/contrib/fakehwclock.te | 2 +-
policy/modules/contrib/gnome.te | 2 +-
policy/modules/contrib/gpg.te | 2 +-
policy/modules/contrib/gssproxy.te | 2 +-
policy/modules/contrib/java.te | 2 +-
policy/modules/contrib/ldap.te | 2 +-
policy/modules/contrib/libmtp.te | 2 +-
policy/modules/contrib/logrotate.te | 2 +-
policy/modules/contrib/mandb.te | 2 +-
policy/modules/contrib/milter.te | 2 +-
policy/modules/contrib/modemmanager.te | 2 +-
policy/modules/contrib/mon.te | 2 +-
policy/modules/contrib/monit.te | 2 +-
policy/modules/contrib/mozilla.te | 2 +-
policy/modules/contrib/mta.te | 2 +-
policy/modules/contrib/networkmanager.te | 2 +-
policy/modules/contrib/openoffice.te | 2 +-
policy/modules/contrib/pkcs.te | 2 +-
policy/modules/contrib/policykit.te | 2 +-
policy/modules/contrib/portage.te | 2 +-
policy/modules/contrib/postfix.te | 2 +-
policy/modules/contrib/pulseaudio.te | 2 +-
policy/modules/contrib/radius.te | 2 +-
policy/modules/contrib/rkhunter.te | 2 +-
policy/modules/contrib/rpc.te | 2 +-
policy/modules/contrib/rpm.te | 2 +-
policy/modules/contrib/samba.te | 2 +-
policy/modules/contrib/sendmail.te | 2 +-
policy/modules/contrib/spamassassin.te | 2 +-
policy/modules/contrib/squid.te | 2 +-
policy/modules/contrib/stunnel.te | 2 +-
policy/modules/contrib/thunderbird.te | 2 +-
policy/modules/contrib/virt.te | 2 +-
policy/modules/contrib/wireshark.te | 2 +-
policy/modules/contrib/wm.te | 2 +-
56 files changed, 56 insertions(+), 56 deletions(-)
diff --git a/policy/modules/contrib/accountsd.te b/policy/modules/contrib/accountsd.te
index dcc0cfe2..abd51292 100644
--- a/policy/modules/contrib/accountsd.te
+++ b/policy/modules/contrib/accountsd.te
@@ -1,4 +1,4 @@
-policy_module(accountsd, 1.1.1)
+policy_module(accountsd, 1.2.0)
gen_require(`
class passwd all_passwd_perms;
diff --git a/policy/modules/contrib/alsa.te b/policy/modules/contrib/alsa.te
index ce97649f..6caddbc8 100644
--- a/policy/modules/contrib/alsa.te
+++ b/policy/modules/contrib/alsa.te
@@ -1,4 +1,4 @@
-policy_module(alsa, 1.17.2)
+policy_module(alsa, 1.18.0)
########################################
#
diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index d932339c..ad74e5cb 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -1,4 +1,4 @@
-policy_module(apache, 2.13.3)
+policy_module(apache, 2.14.0)
########################################
#
diff --git a/policy/modules/contrib/bind.te b/policy/modules/contrib/bind.te
index bee20f04..c96d0b82 100644
--- a/policy/modules/contrib/bind.te
+++ b/policy/modules/contrib/bind.te
@@ -1,4 +1,4 @@
-policy_module(bind, 1.19.1)
+policy_module(bind, 1.20.0)
########################################
#
diff --git a/policy/modules/contrib/blueman.te b/policy/modules/contrib/blueman.te
index 06d9d1d0..718e3bf3 100644
--- a/policy/modules/contrib/blueman.te
+++ b/policy/modules/contrib/blueman.te
@@ -1,4 +1,4 @@
-policy_module(blueman, 1.1.1)
+policy_module(blueman, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/cachefilesd.te b/policy/modules/contrib/cachefilesd.te
index 97a70718..cf1e0337 100644
--- a/policy/modules/contrib/cachefilesd.te
+++ b/policy/modules/contrib/cachefilesd.te
@@ -1,4 +1,4 @@
-policy_module(cachefilesd, 1.4.1)
+policy_module(cachefilesd, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/cgmanager.te b/policy/modules/contrib/cgmanager.te
index 64cecfc3..2faf6b79 100644
--- a/policy/modules/contrib/cgmanager.te
+++ b/policy/modules/contrib/cgmanager.te
@@ -1,4 +1,4 @@
-policy_module(cgmanager, 1.0.1)
+policy_module(cgmanager, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/chkrootkit.te b/policy/modules/contrib/chkrootkit.te
index 0d7ceb09..6d9fc5c3 100644
--- a/policy/modules/contrib/chkrootkit.te
+++ b/policy/modules/contrib/chkrootkit.te
@@ -1,4 +1,4 @@
-policy_module(chkrootkit, 1.0.1)
+policy_module(chkrootkit, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te
index 0e03ba14..5ff3277a 100644
--- a/policy/modules/contrib/cron.te
+++ b/policy/modules/contrib/cron.te
@@ -1,4 +1,4 @@
-policy_module(cron, 2.12.1)
+policy_module(cron, 2.13.0)
gen_require(`
class passwd rootok;
diff --git a/policy/modules/contrib/cyrus.te b/policy/modules/contrib/cyrus.te
index e0089870..af6b5b6c 100644
--- a/policy/modules/contrib/cyrus.te
+++ b/policy/modules/contrib/cyrus.te
@@ -1,4 +1,4 @@
-policy_module(cyrus, 1.16.1)
+policy_module(cyrus, 1.17.0)
########################################
#
diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index 395f0981..00a15e45 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -1,4 +1,4 @@
-policy_module(dbus, 1.23.4)
+policy_module(dbus, 1.24.0)
gen_require(`
class dbus all_dbus_perms;
diff --git a/policy/modules/contrib/devicekit.te b/policy/modules/contrib/devicekit.te
index ecb13e14..562cede8 100644
--- a/policy/modules/contrib/devicekit.te
+++ b/policy/modules/contrib/devicekit.te
@@ -1,4 +1,4 @@
-policy_module(devicekit, 1.7.1)
+policy_module(devicekit, 1.8.0)
########################################
#
diff --git a/policy/modules/contrib/dhcp.te b/policy/modules/contrib/dhcp.te
index 08a5571c..2e5802bb 100644
--- a/policy/modules/contrib/dhcp.te
+++ b/policy/modules/contrib/dhcp.te
@@ -1,4 +1,4 @@
-policy_module(dhcp, 1.15.1)
+policy_module(dhcp, 1.16.0)
########################################
#
diff --git a/policy/modules/contrib/dirmngr.te b/policy/modules/contrib/dirmngr.te
index 064750e1..f2be3f70 100644
--- a/policy/modules/contrib/dirmngr.te
+++ b/policy/modules/contrib/dirmngr.te
@@ -1,4 +1,4 @@
-policy_module(dirmngr, 1.3.1)
+policy_module(dirmngr, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/dkim.te b/policy/modules/contrib/dkim.te
index 3c116507..03c8fc65 100644
--- a/policy/modules/contrib/dkim.te
+++ b/policy/modules/contrib/dkim.te
@@ -1,4 +1,4 @@
-policy_module(dkim, 1.6.2)
+policy_module(dkim, 1.7.0)
########################################
#
diff --git a/policy/modules/contrib/dmidecode.te b/policy/modules/contrib/dmidecode.te
index 6c97a440..bda30744 100644
--- a/policy/modules/contrib/dmidecode.te
+++ b/policy/modules/contrib/dmidecode.te
@@ -1,4 +1,4 @@
-policy_module(dmidecode, 1.7.1)
+policy_module(dmidecode, 1.8.0)
########################################
#
diff --git a/policy/modules/contrib/dnsmasq.te b/policy/modules/contrib/dnsmasq.te
index 65a76edd..29d34c13 100644
--- a/policy/modules/contrib/dnsmasq.te
+++ b/policy/modules/contrib/dnsmasq.te
@@ -1,4 +1,4 @@
-policy_module(dnsmasq, 1.15.1)
+policy_module(dnsmasq, 1.16.0)
########################################
#
diff --git a/policy/modules/contrib/dovecot.te b/policy/modules/contrib/dovecot.te
index be73cbec..1d7a3bd3 100644
--- a/policy/modules/contrib/dovecot.te
+++ b/policy/modules/contrib/dovecot.te
@@ -1,4 +1,4 @@
-policy_module(dovecot, 1.20.1)
+policy_module(dovecot, 1.21.0)
########################################
#
diff --git a/policy/modules/contrib/dphysswapfile.te b/policy/modules/contrib/dphysswapfile.te
index 26132dd8..ee4ec4e2 100644
--- a/policy/modules/contrib/dphysswapfile.te
+++ b/policy/modules/contrib/dphysswapfile.te
@@ -1,4 +1,4 @@
-policy_module(dphysswapfile, 1.1.1)
+policy_module(dphysswapfile, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/evolution.te b/policy/modules/contrib/evolution.te
index e31a843a..1775ccc7 100644
--- a/policy/modules/contrib/evolution.te
+++ b/policy/modules/contrib/evolution.te
@@ -1,4 +1,4 @@
-policy_module(evolution, 2.7.1)
+policy_module(evolution, 2.8.0)
########################################
#
diff --git a/policy/modules/contrib/exim.te b/policy/modules/contrib/exim.te
index 60263b43..693ac491 100644
--- a/policy/modules/contrib/exim.te
+++ b/policy/modules/contrib/exim.te
@@ -1,4 +1,4 @@
-policy_module(exim, 1.11.1)
+policy_module(exim, 1.12.0)
########################################
#
diff --git a/policy/modules/contrib/fakehwclock.te b/policy/modules/contrib/fakehwclock.te
index 22630f22..a773824c 100644
--- a/policy/modules/contrib/fakehwclock.te
+++ b/policy/modules/contrib/fakehwclock.te
@@ -1,4 +1,4 @@
-policy_module(fakehwclock, 1.1.1)
+policy_module(fakehwclock, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te
index 502e23e8..39b5ed5d 100644
--- a/policy/modules/contrib/gnome.te
+++ b/policy/modules/contrib/gnome.te
@@ -1,4 +1,4 @@
-policy_module(gnome, 2.8.2)
+policy_module(gnome, 2.9.0)
##############################
#
diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index 96b9cd12..2c0ccac8 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -1,4 +1,4 @@
-policy_module(gpg, 2.12.4)
+policy_module(gpg, 2.13.0)
########################################
#
diff --git a/policy/modules/contrib/gssproxy.te b/policy/modules/contrib/gssproxy.te
index 3ad1f620..cd1b2b37 100644
--- a/policy/modules/contrib/gssproxy.te
+++ b/policy/modules/contrib/gssproxy.te
@@ -1,4 +1,4 @@
-policy_module(gssproxy, 1.0.1)
+policy_module(gssproxy, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te
index 193ba99d..f23a330b 100644
--- a/policy/modules/contrib/java.te
+++ b/policy/modules/contrib/java.te
@@ -1,4 +1,4 @@
-policy_module(java, 2.10.2)
+policy_module(java, 2.11.0)
########################################
#
diff --git a/policy/modules/contrib/ldap.te b/policy/modules/contrib/ldap.te
index 72a829de..4a525e6d 100644
--- a/policy/modules/contrib/ldap.te
+++ b/policy/modules/contrib/ldap.te
@@ -1,4 +1,4 @@
-policy_module(ldap, 1.16.1)
+policy_module(ldap, 1.17.0)
########################################
#
diff --git a/policy/modules/contrib/libmtp.te b/policy/modules/contrib/libmtp.te
index 3bdb3ed8..7eb27c40 100644
--- a/policy/modules/contrib/libmtp.te
+++ b/policy/modules/contrib/libmtp.te
@@ -1,4 +1,4 @@
-policy_module(libmtp, 1.0.1)
+policy_module(libmtp, 1.1.0)
##############################
#
diff --git a/policy/modules/contrib/logrotate.te b/policy/modules/contrib/logrotate.te
index 0e936771..4bb9da7b 100644
--- a/policy/modules/contrib/logrotate.te
+++ b/policy/modules/contrib/logrotate.te
@@ -1,4 +1,4 @@
-policy_module(logrotate, 1.19.1)
+policy_module(logrotate, 1.20.0)
########################################
#
diff --git a/policy/modules/contrib/mandb.te b/policy/modules/contrib/mandb.te
index d4e691f1..48c17bb8 100644
--- a/policy/modules/contrib/mandb.te
+++ b/policy/modules/contrib/mandb.te
@@ -1,4 +1,4 @@
-policy_module(mandb, 1.4.2)
+policy_module(mandb, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/milter.te b/policy/modules/contrib/milter.te
index 3b615940..6767e831 100644
--- a/policy/modules/contrib/milter.te
+++ b/policy/modules/contrib/milter.te
@@ -1,4 +1,4 @@
-policy_module(milter, 1.7.1)
+policy_module(milter, 1.8.0)
########################################
#
diff --git a/policy/modules/contrib/modemmanager.te b/policy/modules/contrib/modemmanager.te
index 32493977..9efe585d 100644
--- a/policy/modules/contrib/modemmanager.te
+++ b/policy/modules/contrib/modemmanager.te
@@ -1,4 +1,4 @@
-policy_module(modemmanager, 1.5.1)
+policy_module(modemmanager, 1.6.0)
########################################
#
diff --git a/policy/modules/contrib/mon.te b/policy/modules/contrib/mon.te
index ea7cd4c2..ae2ef764 100644
--- a/policy/modules/contrib/mon.te
+++ b/policy/modules/contrib/mon.te
@@ -1,4 +1,4 @@
-policy_module(mon, 1.1.3)
+policy_module(mon, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/monit.te b/policy/modules/contrib/monit.te
index 7c5be707..54e411b2 100644
--- a/policy/modules/contrib/monit.te
+++ b/policy/modules/contrib/monit.te
@@ -1,4 +1,4 @@
-policy_module(monit, 1.1.2)
+policy_module(monit, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
index 1bc1e707..d7a7be05 100644
--- a/policy/modules/contrib/mozilla.te
+++ b/policy/modules/contrib/mozilla.te
@@ -1,4 +1,4 @@
-policy_module(mozilla, 2.12.4)
+policy_module(mozilla, 2.13.0)
########################################
#
diff --git a/policy/modules/contrib/mta.te b/policy/modules/contrib/mta.te
index 4c2ea191..239f191a 100644
--- a/policy/modules/contrib/mta.te
+++ b/policy/modules/contrib/mta.te
@@ -1,4 +1,4 @@
-policy_module(mta, 2.9.3)
+policy_module(mta, 2.10.0)
########################################
#
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index b66e1ca4..18137aed 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -1,4 +1,4 @@
-policy_module(networkmanager, 1.21.3)
+policy_module(networkmanager, 1.22.0)
########################################
#
diff --git a/policy/modules/contrib/openoffice.te b/policy/modules/contrib/openoffice.te
index fd4f79d8..d2371f57 100644
--- a/policy/modules/contrib/openoffice.te
+++ b/policy/modules/contrib/openoffice.te
@@ -1,4 +1,4 @@
-policy_module(openoffice, 1.2.2)
+policy_module(openoffice, 1.3.0)
##############################
#
diff --git a/policy/modules/contrib/pkcs.te b/policy/modules/contrib/pkcs.te
index b98a9f1e..19915e31 100644
--- a/policy/modules/contrib/pkcs.te
+++ b/policy/modules/contrib/pkcs.te
@@ -1,4 +1,4 @@
-policy_module(pkcs, 1.4.1)
+policy_module(pkcs, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/policykit.te b/policy/modules/contrib/policykit.te
index cd042c51..0fd3d3f6 100644
--- a/policy/modules/contrib/policykit.te
+++ b/policy/modules/contrib/policykit.te
@@ -1,4 +1,4 @@
-policy_module(policykit, 1.7.2)
+policy_module(policykit, 1.8.0)
########################################
#
diff --git a/policy/modules/contrib/portage.te b/policy/modules/contrib/portage.te
index 44bdca53..224eedc0 100644
--- a/policy/modules/contrib/portage.te
+++ b/policy/modules/contrib/portage.te
@@ -1,4 +1,4 @@
-policy_module(portage, 1.15.3)
+policy_module(portage, 1.16.0)
########################################
#
diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te
index eba65a15..5463a21c 100644
--- a/policy/modules/contrib/postfix.te
+++ b/policy/modules/contrib/postfix.te
@@ -1,4 +1,4 @@
-policy_module(postfix, 1.18.3)
+policy_module(postfix, 1.19.0)
########################################
#
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index 27c7c27c..de77b591 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -1,4 +1,4 @@
-policy_module(pulseaudio, 1.10.3)
+policy_module(pulseaudio, 1.11.0)
########################################
#
diff --git a/policy/modules/contrib/radius.te b/policy/modules/contrib/radius.te
index 0dbef954..e6ff2d00 100644
--- a/policy/modules/contrib/radius.te
+++ b/policy/modules/contrib/radius.te
@@ -1,4 +1,4 @@
-policy_module(radius, 1.16.1)
+policy_module(radius, 1.17.0)
########################################
#
diff --git a/policy/modules/contrib/rkhunter.te b/policy/modules/contrib/rkhunter.te
index 17a9e603..e87a37fe 100644
--- a/policy/modules/contrib/rkhunter.te
+++ b/policy/modules/contrib/rkhunter.te
@@ -1,4 +1,4 @@
-policy_module(rkhunter, 1.0.1)
+policy_module(rkhunter, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
index 9e8d1541..2eaf02af 100644
--- a/policy/modules/contrib/rpc.te
+++ b/policy/modules/contrib/rpc.te
@@ -1,4 +1,4 @@
-policy_module(rpc, 1.20.3)
+policy_module(rpc, 1.21.0)
########################################
#
diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te
index 52c78614..8fa6dc4c 100644
--- a/policy/modules/contrib/rpm.te
+++ b/policy/modules/contrib/rpm.te
@@ -1,4 +1,4 @@
-policy_module(rpm, 1.20.1)
+policy_module(rpm, 1.21.0)
########################################
#
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
index 58dc60fb..f6042e7d 100644
--- a/policy/modules/contrib/samba.te
+++ b/policy/modules/contrib/samba.te
@@ -1,4 +1,4 @@
-policy_module(samba, 1.21.1)
+policy_module(samba, 1.22.0)
#################################
#
diff --git a/policy/modules/contrib/sendmail.te b/policy/modules/contrib/sendmail.te
index c5b864a6..8d2669ee 100644
--- a/policy/modules/contrib/sendmail.te
+++ b/policy/modules/contrib/sendmail.te
@@ -1,4 +1,4 @@
-policy_module(sendmail, 1.15.1)
+policy_module(sendmail, 1.16.0)
########################################
#
diff --git a/policy/modules/contrib/spamassassin.te b/policy/modules/contrib/spamassassin.te
index 37226963..000c67ea 100644
--- a/policy/modules/contrib/spamassassin.te
+++ b/policy/modules/contrib/spamassassin.te
@@ -1,4 +1,4 @@
-policy_module(spamassassin, 2.11.5)
+policy_module(spamassassin, 2.12.0)
########################################
#
diff --git a/policy/modules/contrib/squid.te b/policy/modules/contrib/squid.te
index bba3a103..05a87c13 100644
--- a/policy/modules/contrib/squid.te
+++ b/policy/modules/contrib/squid.te
@@ -1,4 +1,4 @@
-policy_module(squid, 1.16.1)
+policy_module(squid, 1.17.0)
########################################
#
diff --git a/policy/modules/contrib/stunnel.te b/policy/modules/contrib/stunnel.te
index 4881d0cd..a68d2b78 100644
--- a/policy/modules/contrib/stunnel.te
+++ b/policy/modules/contrib/stunnel.te
@@ -1,4 +1,4 @@
-policy_module(stunnel, 1.12.1)
+policy_module(stunnel, 1.13.0)
########################################
#
diff --git a/policy/modules/contrib/thunderbird.te b/policy/modules/contrib/thunderbird.te
index 76e78e01..0f9b81a8 100644
--- a/policy/modules/contrib/thunderbird.te
+++ b/policy/modules/contrib/thunderbird.te
@@ -1,4 +1,4 @@
-policy_module(thunderbird, 2.6.1)
+policy_module(thunderbird, 2.7.0)
########################################
#
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 1b783ca7..dd4ae9b5 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1,4 +1,4 @@
-policy_module(virt, 1.12.3)
+policy_module(virt, 1.13.0)
########################################
#
diff --git a/policy/modules/contrib/wireshark.te b/policy/modules/contrib/wireshark.te
index 40de9304..30dd6af8 100644
--- a/policy/modules/contrib/wireshark.te
+++ b/policy/modules/contrib/wireshark.te
@@ -1,4 +1,4 @@
-policy_module(wireshark, 2.5.1)
+policy_module(wireshark, 2.6.0)
########################################
#
diff --git a/policy/modules/contrib/wm.te b/policy/modules/contrib/wm.te
index f9f0fd2d..c7296a25 100644
--- a/policy/modules/contrib/wm.te
+++ b/policy/modules/contrib/wm.te
@@ -1,4 +1,4 @@
-policy_module(wm, 1.7.5)
+policy_module(wm, 1.8.0)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2018-01-18 16:37 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2018-01-18 16:37 UTC (permalink / raw
To: gentoo-commits
commit: 809e957e64f147b25cc5bdb1f02d0cfe9669af96
Author: Christian Göttsche <cgzones <AT> googlemail <DOT> com>
AuthorDate: Mon Jan 1 11:22:30 2018 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Jan 18 16:26:14 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=809e957e
dkim: update
policy/modules/contrib/dkim.te | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/dkim.te b/policy/modules/contrib/dkim.te
index 4ddefbf8..29880efb 100644
--- a/policy/modules/contrib/dkim.te
+++ b/policy/modules/contrib/dkim.te
@@ -23,23 +23,24 @@ init_daemon_pid_file(dkim_milter_data_t, dir, "opendkim")
# Local policy
#
-allow dkim_milter_t self:capability { dac_override setgid setuid };
+allow dkim_milter_t self:capability { dac_read_search dac_override setgid setuid };
allow dkim_milter_t self:process { signal signull };
allow dkim_milter_t self:unix_stream_socket create_stream_socket_perms;
read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t)
+# /proc/sys/kernel/ngroups_max
kernel_read_kernel_sysctls(dkim_milter_t)
kernel_read_vm_overcommit_sysctl(dkim_milter_t)
corenet_udp_bind_generic_node(dkim_milter_t)
corenet_udp_bind_all_unreserved_ports(dkim_milter_t)
-corenet_dontaudit_udp_bind_all_ports(dkim_milter_t)
dev_read_urand(dkim_milter_t)
# for cpu/online
dev_read_sysfs(dkim_milter_t)
+files_pid_filetrans(dkim_milter_t, dkim_milter_data_t, { dir file })
files_read_usr_files(dkim_milter_t)
files_search_spool(dkim_milter_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2018-01-18 16:37 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2018-01-18 16:37 UTC (permalink / raw
To: gentoo-commits
commit: 9ae63d2cac826369362aa84bb228823e435b57bc
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Dec 20 16:52:41 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Jan 18 16:26:13 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9ae63d2c
gssproxy: allow writing kerberos rcache
policy/modules/contrib/gssproxy.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/gssproxy.te b/policy/modules/contrib/gssproxy.te
index c1dcc556..a2519dde 100644
--- a/policy/modules/contrib/gssproxy.te
+++ b/policy/modules/contrib/gssproxy.te
@@ -63,4 +63,5 @@ optional_policy(`
kerberos_manage_host_rcache(gssproxy_t)
kerberos_read_keytab(gssproxy_t)
kerberos_use(gssproxy_t)
+ kerberos_tmp_filetrans_host_rcache(gssproxy_t, file)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2018-01-18 16:37 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2018-01-18 16:37 UTC (permalink / raw
To: gentoo-commits
commit: 43da5040356ecd17cf2ca9c31ef4a6ea5141639b
Author: Christian Göttsche <cgzones <AT> googlemail <DOT> com>
AuthorDate: Fri Dec 29 20:20:06 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Jan 18 16:26:14 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=43da5040
monit: update
- usage of socket interface (/run/monit.socket as monit_runtime_t)
- allow simple checks (entropy, systemctl is-system-running, getenforce)
policy/modules/contrib/monit.fc | 3 ++-
policy/modules/contrib/monit.if | 4 ++--
policy/modules/contrib/monit.te | 40 ++++++++++++++++++++++++++++------------
3 files changed, 32 insertions(+), 15 deletions(-)
diff --git a/policy/modules/contrib/monit.fc b/policy/modules/contrib/monit.fc
index 273aad3e..1cd0238e 100644
--- a/policy/modules/contrib/monit.fc
+++ b/policy/modules/contrib/monit.fc
@@ -2,7 +2,8 @@
/etc/monit(/.*)? gen_context(system_u:object_r:monit_conf_t,s0)
-/run/monit\.pid -- gen_context(system_u:object_r:monit_pid_t,s0)
+/run/monit\.pid -- gen_context(system_u:object_r:monit_runtime_t,s0)
+/run/monit\.socket -s gen_context(system_u:object_r:monit_runtime_t,s0)
/usr/bin/monit -- gen_context(system_u:object_r:monit_exec_t,s0)
diff --git a/policy/modules/contrib/monit.if b/policy/modules/contrib/monit.if
index d249dfbd..832cdca8 100644
--- a/policy/modules/contrib/monit.if
+++ b/policy/modules/contrib/monit.if
@@ -102,7 +102,7 @@ interface(`monit_startstop_service',`
interface(`monit_admin',`
gen_require(`
type monit_t, monit_conf_t, monit_initrc_exec_t;
- type monit_log_t, monit_pid_t;
+ type monit_log_t, monit_runtime_t;
type monit_unit_t, monit_var_lib_t;
')
@@ -117,7 +117,7 @@ interface(`monit_admin',`
admin_pattern($1, monit_log_t)
files_search_pids($1)
- admin_pattern($1, monit_pid_t)
+ admin_pattern($1, monit_runtime_t)
files_search_var_lib($1)
admin_pattern($1, monit_var_lib_t)
diff --git a/policy/modules/contrib/monit.te b/policy/modules/contrib/monit.te
index 9b7a605b..e9c940a1 100644
--- a/policy/modules/contrib/monit.te
+++ b/policy/modules/contrib/monit.te
@@ -33,8 +33,8 @@ role monit_cli_roles types monit_cli_t;
type monit_log_t;
logging_log_file(monit_log_t)
-type monit_pid_t alias monit_run_t;
-files_pid_file(monit_pid_t)
+type monit_runtime_t alias monit_pid_t;
+files_pid_file(monit_runtime_t)
type monit_unit_t;
init_unit_file(monit_unit_t)
@@ -63,15 +63,21 @@ kernel_read_system_state(monit_domain)
dev_read_sysfs(monit_domain)
dev_read_urand(monit_domain)
+files_getattr_all_mountpoints(monit_domain)
+
fs_getattr_dos_fs(monit_domain)
fs_getattr_dos_dirs(monit_domain)
fs_getattr_tmpfs(monit_domain)
fs_getattr_xattr_fs(monit_domain)
+miscfiles_read_generic_certs(monit_domain)
miscfiles_read_localization(monit_domain)
+logging_send_syslog_msg(monit_domain)
+
# disk usage of sd card
storage_getattr_removable_dev(monit_domain)
+storage_getattr_fixed_disk_dev(monit_domain)
########################################
#
@@ -88,43 +94,50 @@ dontaudit monit_t self:capability net_admin;
allow monit_t self:fifo_file rw_fifo_file_perms;
allow monit_t self:rawip_socket connected_socket_perms;
allow monit_t self:tcp_socket server_stream_socket_perms;
-allow monit_t self:unix_dgram_socket { connect create };
allow monit_t monit_log_t:file { create read_file_perms append_file_perms };
logging_log_filetrans(monit_t, monit_log_t, file)
-allow monit_t monit_pid_t:file manage_file_perms;
-files_pid_filetrans(monit_t, monit_pid_t, file)
+allow monit_t monit_runtime_t:file manage_file_perms;
+allow monit_t monit_runtime_t:sock_file manage_sock_file_perms;
+files_pid_filetrans(monit_t, monit_runtime_t, { file sock_file })
allow monit_t monit_var_lib_t:dir manage_dir_perms;
allow monit_t monit_var_lib_t:file manage_file_perms;
+# entropy
+kernel_read_kernel_sysctls(monit_t)
+kernel_read_vm_overcommit_sysctl(monit_t)
+
auth_use_nsswitch(monit_t)
corecmd_exec_bin(monit_t)
+corecmd_exec_shell(monit_t)
corenet_tcp_bind_generic_node(monit_t)
corenet_tcp_bind_monit_port(monit_t)
corenet_tcp_connect_all_ports(monit_t)
+domain_getattr_all_domains(monit_t)
domain_getpgid_all_domains(monit_t)
domain_read_all_domains_state(monit_t)
files_read_all_pids(monit_t)
-logging_send_syslog_msg(monit_t)
+selinux_get_enforce_mode(monit_t)
-ifdef(`hide_broken_symptoms',`
- # kernel bug: https://github.com/SELinuxProject/selinux-kernel/issues/6
- dontaudit monit_t self:capability dac_override;
+userdom_dontaudit_search_user_home_dirs(monit_t)
+
+ifdef(`init_systemd',`
+ # systemctl is-system-running
+ init_stream_connect(monit_t)
+ init_get_system_status(monit_t)
')
tunable_policy(`monit_startstop_services',`
init_get_all_units_status(monit_t)
- init_get_system_status(monit_t)
init_start_all_units(monit_t)
init_stop_all_units(monit_t)
- init_stream_connect(monit_t)
')
optional_policy(`
@@ -136,9 +149,12 @@ optional_policy(`
# Client policy
#
+allow monit_cli_t monit_t:unix_stream_socket connectto;
+
allow monit_cli_t monit_log_t:file { append_file_perms read_file_perms };
-allow monit_cli_t monit_pid_t:file rw_file_perms;
+allow monit_cli_t monit_runtime_t:file rw_file_perms;
+allow monit_cli_t monit_runtime_t:sock_file write;
allow monit_cli_t monit_var_lib_t:dir search_dir_perms;
allow monit_cli_t monit_var_lib_t:file rw_file_perms;
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2018-01-18 16:37 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2018-01-18 16:37 UTC (permalink / raw
To: gentoo-commits
commit: 5f2f2b2576d4ecf0955e04e6b469288f431cec60
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Tue Dec 26 10:38:25 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Jan 18 16:26:13 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5f2f2b25
gssproxy: Module version bump.
policy/modules/contrib/gssproxy.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/gssproxy.te b/policy/modules/contrib/gssproxy.te
index a2519dde..3ad1f620 100644
--- a/policy/modules/contrib/gssproxy.te
+++ b/policy/modules/contrib/gssproxy.te
@@ -1,4 +1,4 @@
-policy_module(gssproxy, 1.0.0)
+policy_module(gssproxy, 1.0.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-12-23 15:58 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-12-23 15:58 UTC (permalink / raw
To: gentoo-commits
commit: 2fc780e90665d3d003fa879a83d478c9f7da2196
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Dec 23 15:41:47 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Dec 23 15:41:47 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2fc780e9
portage: allow compile domains to map portage_tmp_t
policy/modules/contrib/portage.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/portage.if b/policy/modules/contrib/portage.if
index 240838d2..23c15ba7 100644
--- a/policy/modules/contrib/portage.if
+++ b/policy/modules/contrib/portage.if
@@ -117,7 +117,7 @@ interface(`portage_compile_domain',`
manage_sock_files_pattern($1, portage_tmp_t, portage_tmp_t)
files_tmp_filetrans($1, portage_tmp_t, { dir file lnk_file sock_file fifo_file })
# SELinux-enabled programs running in the sandbox
- allow $1 portage_tmp_t:file relabel_file_perms;
+ allow $1 portage_tmp_t:file { relabel_file_perms map };
allow $1 portage_tmp_t:dir relabel_dir_perms;
manage_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-12-23 15:58 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-12-23 15:58 UTC (permalink / raw
To: gentoo-commits
commit: 6f30ae2e7e7c4cc92ce84b78423ecafe721d3dea
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Dec 23 15:23:38 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Dec 23 15:23:38 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6f30ae2e
portage: allow to map font files
policy/modules/contrib/portage.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/portage.te b/policy/modules/contrib/portage.te
index 067afc97..44bdca53 100644
--- a/policy/modules/contrib/portage.te
+++ b/policy/modules/contrib/portage.te
@@ -207,6 +207,7 @@ init_exec(portage_t)
libs_run_ldconfig(portage_t, portage_roles)
miscfiles_read_localization(portage_t)
+miscfiles_read_fonts(portage_t)
# run setfiles -r
seutil_run_setfiles(portage_t, portage_roles)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-12-23 15:58 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-12-23 15:58 UTC (permalink / raw
To: gentoo-commits
commit: bbccb371e1eb5326abda8f934a66471c29fe4290
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Dec 23 15:01:03 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Dec 23 15:01:03 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=bbccb371
portage: sandbox must be able to map usr_t files
policy/modules/contrib/portage.if | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/portage.if b/policy/modules/contrib/portage.if
index a81a4d0d..240838d2 100644
--- a/policy/modules/contrib/portage.if
+++ b/policy/modules/contrib/portage.if
@@ -164,6 +164,7 @@ interface(`portage_compile_domain',`
files_exec_etc_files($1)
files_exec_usr_src_files($1)
+ files_map_usr_files($1)
# Came up with bug #496328
fs_getattr_tmpfs($1)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-12-23 15:58 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-12-23 15:58 UTC (permalink / raw
To: gentoo-commits
commit: 0cb16fbd5d7bc0dfa8c5201e6dbb3f450f6e97a1
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Dec 23 15:26:22 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Dec 23 15:26:22 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0cb16fbd
dropbox: mmap_file_perms is deprecated, use mmap_exec_file_perms instead
policy/modules/contrib/dropbox.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/dropbox.te b/policy/modules/contrib/dropbox.te
index f7f6125f..63f95c25 100644
--- a/policy/modules/contrib/dropbox.te
+++ b/policy/modules/contrib/dropbox.te
@@ -40,7 +40,7 @@ userdom_user_tmpfs_file(dropbox_tmpfs_t)
allow dropbox_t self:process { execmem signal_perms };
allow dropbox_t self:fifo_file rw_fifo_file_perms;
-allow dropbox_t dropbox_home_t:file mmap_file_perms;
+allow dropbox_t dropbox_home_t:file mmap_exec_file_perms;
# dropbox updates itself in /tmp then in ~/.dropbox-dist/
can_exec(dropbox_t, dropbox_exec_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-12-14 5:15 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-12-14 5:15 UTC (permalink / raw
To: gentoo-commits
commit: f535dde10ac78ef53ae5dae23f848c2a2cafa55c
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Dec 13 18:17:21 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec 14 05:09:40 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f535dde1
cachefilesd: make cachefilesd_cache_t a mountpoint
policy/modules/contrib/cachefilesd.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/cachefilesd.te b/policy/modules/contrib/cachefilesd.te
index d225d745..d09ac561 100644
--- a/policy/modules/contrib/cachefilesd.te
+++ b/policy/modules/contrib/cachefilesd.te
@@ -13,7 +13,7 @@ type cachefilesd_initrc_exec_t;
init_script_file(cachefilesd_initrc_exec_t)
type cachefilesd_cache_t;
-files_type(cachefilesd_cache_t)
+files_mountpoint(cachefilesd_cache_t)
type cachefilesd_var_run_t;
files_pid_file(cachefilesd_var_run_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-12-14 5:15 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-12-14 5:15 UTC (permalink / raw
To: gentoo-commits
commit: a7744e40641af7c4564f532f5711709ae46e69ab
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Dec 13 18:17:22 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec 14 05:09:40 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a7744e40
Set user_runtime_content_type for all remaining types in /run/user/%{UID}/
policy/modules/contrib/dbus.te | 1 +
policy/modules/contrib/dirmngr.te | 1 +
policy/modules/contrib/gnome.te | 2 ++
policy/modules/contrib/gpg.te | 2 ++
policy/modules/contrib/pulseaudio.te | 1 +
5 files changed, 7 insertions(+)
diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index 1aa6dba1..142b02e6 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -49,6 +49,7 @@ init_daemon_pid_file(system_dbusd_var_run_t, dir, "dbus")
type session_dbusd_runtime_t;
files_pid_file(session_dbusd_runtime_t)
+userdom_user_runtime_content(session_dbusd_runtime_t)
ifdef(`enable_mcs',`
init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh)
diff --git a/policy/modules/contrib/dirmngr.te b/policy/modules/contrib/dirmngr.te
index 75833a42..fa5898e4 100644
--- a/policy/modules/contrib/dirmngr.te
+++ b/policy/modules/contrib/dirmngr.te
@@ -20,6 +20,7 @@ logging_log_file(dirmngr_log_t)
type dirmngr_tmp_t;
userdom_user_tmp_file(dirmngr_tmp_t)
+userdom_user_runtime_content(dirmngr_tmp_t)
type dirmngr_var_lib_t;
files_type(dirmngr_var_lib_t)
diff --git a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te
index b6f14dbc..2988a541 100644
--- a/policy/modules/contrib/gnome.te
+++ b/policy/modules/contrib/gnome.te
@@ -45,9 +45,11 @@ userdom_user_home_content(gnome_keyring_home_t)
type gnome_keyring_tmp_t;
userdom_user_tmp_file(gnome_keyring_tmp_t)
+userdom_user_runtime_content(gnome_keyring_tmp_t)
type gstreamer_orcexec_t;
application_executable_file(gstreamer_orcexec_t)
+userdom_user_runtime_content(gstreamer_orcexec_t)
##############################
#
diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index 6e8f80d5..f020c0a1 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -39,6 +39,7 @@ role gpg_roles types gpg_t;
type gpg_runtime_t;
files_pid_file(gpg_runtime_t)
+userdom_user_runtime_content(gpg_runtime_t)
type gpg_agent_t;
type gpg_agent_exec_t;
@@ -47,6 +48,7 @@ role gpg_agent_roles types gpg_agent_t;
type gpg_agent_tmp_t;
userdom_user_tmp_file(gpg_agent_tmp_t)
+userdom_user_runtime_content(gpg_agent_tmp_t)
type gpg_secret_t;
userdom_user_home_content(gpg_secret_t)
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index cc1db3d4..aa6042d7 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -29,6 +29,7 @@ userdom_user_home_content(pulseaudio_home_t)
type pulseaudio_tmp_t;
userdom_user_tmp_file(pulseaudio_tmp_t)
+userdom_user_runtime_content(pulseaudio_tmp_t)
type pulseaudio_tmpfs_t;
userdom_user_tmpfs_file(pulseaudio_tmpfs_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-12-14 5:15 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-12-14 5:15 UTC (permalink / raw
To: gentoo-commits
commit: 1979ea290f6c6e381a1c1cd9219a68227f2febb5
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Dec 13 23:29:02 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec 14 05:09:40 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1979ea29
cachefilesd, dbus, dirmngr, gnome, gpg, pulseaudio: Module version bump.
policy/modules/contrib/cachefilesd.te | 2 +-
policy/modules/contrib/dbus.te | 2 +-
policy/modules/contrib/dirmngr.te | 2 +-
policy/modules/contrib/gnome.te | 2 +-
policy/modules/contrib/gpg.te | 2 +-
policy/modules/contrib/pulseaudio.te | 2 +-
6 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/policy/modules/contrib/cachefilesd.te b/policy/modules/contrib/cachefilesd.te
index d09ac561..97a70718 100644
--- a/policy/modules/contrib/cachefilesd.te
+++ b/policy/modules/contrib/cachefilesd.te
@@ -1,4 +1,4 @@
-policy_module(cachefilesd, 1.4.0)
+policy_module(cachefilesd, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index 142b02e6..395f0981 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -1,4 +1,4 @@
-policy_module(dbus, 1.23.3)
+policy_module(dbus, 1.23.4)
gen_require(`
class dbus all_dbus_perms;
diff --git a/policy/modules/contrib/dirmngr.te b/policy/modules/contrib/dirmngr.te
index fa5898e4..064750e1 100644
--- a/policy/modules/contrib/dirmngr.te
+++ b/policy/modules/contrib/dirmngr.te
@@ -1,4 +1,4 @@
-policy_module(dirmngr, 1.3.0)
+policy_module(dirmngr, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te
index 2988a541..502e23e8 100644
--- a/policy/modules/contrib/gnome.te
+++ b/policy/modules/contrib/gnome.te
@@ -1,4 +1,4 @@
-policy_module(gnome, 2.8.1)
+policy_module(gnome, 2.8.2)
##############################
#
diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index f020c0a1..96b9cd12 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -1,4 +1,4 @@
-policy_module(gpg, 2.12.3)
+policy_module(gpg, 2.12.4)
########################################
#
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index aa6042d7..27c7c27c 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -1,4 +1,4 @@
-policy_module(pulseaudio, 1.10.2)
+policy_module(pulseaudio, 1.10.3)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-12-14 5:15 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-12-14 5:15 UTC (permalink / raw
To: gentoo-commits
commit: d56f72e0072b149d996caa98425c90be16aa5410
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Dec 13 18:17:19 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec 14 05:09:40 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d56f72e0
dirmngr: allow filetrans in gpg_runtime_t
commit 1b9cd3bd9c44732bdf756301408582bcfe9073c9
("gpg: manage user runtime socket files and directories")
changed /run/user/%{USERID}/gnupg/ to gpg_runtime_t, so the filetrans
for gpg_agent_tmp_t needs updating.
policy/modules/contrib/dirmngr.te | 3 +++
policy/modules/contrib/gpg.if | 19 +++++++++++++++++++
2 files changed, 22 insertions(+)
diff --git a/policy/modules/contrib/dirmngr.te b/policy/modules/contrib/dirmngr.te
index 8f4cb991..75833a42 100644
--- a/policy/modules/contrib/dirmngr.te
+++ b/policy/modules/contrib/dirmngr.te
@@ -69,6 +69,7 @@ dev_read_rand(dirmngr_t)
sysnet_dns_name_resolve(dirmngr_t)
corenet_tcp_connect_pgpkeyserver_port(dirmngr_t)
+corenet_udp_bind_generic_node(dirmngr_t)
files_read_etc_files(dirmngr_t)
@@ -81,5 +82,7 @@ userdom_user_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, dir)
optional_policy(`
gpg_agent_tmp_filetrans(dirmngr_t, dirmngr_tmp_t, sock_file)
+ gpg_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, sock_file)
gpg_secret_filetrans(dirmngr_t, dirmngr_home_t, dir)
+ gpg_stream_connect_agent(dirmngr_t)
')
diff --git a/policy/modules/contrib/gpg.if b/policy/modules/contrib/gpg.if
index 6266019b..359560f8 100644
--- a/policy/modules/contrib/gpg.if
+++ b/policy/modules/contrib/gpg.if
@@ -239,6 +239,25 @@ interface(`gpg_agent_tmp_filetrans',`
########################################
## <summary>
+## filetrans in gpg_runtime_t dirs
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gpg_runtime_filetrans',`
+ gen_require(`
+ type gpg_runtime_t;
+ ')
+
+ filetrans_pattern($1, gpg_runtime_t, $2, $3, $4)
+ userdom_search_user_runtime($1)
+')
+
+########################################
+## <summary>
## filetrans in gpg_secret_t dirs
## </summary>
## <param name="domain">
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-12-14 5:15 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-12-14 5:15 UTC (permalink / raw
To: gentoo-commits
commit: 5e18d3eb437717c6ad25e614c617b0cad5700879
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Dec 13 23:55:43 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec 14 05:09:40 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5e18d3eb
Replace deprecated mmap perm sets and pattern usage.
policy/modules/contrib/apache.te | 2 +-
policy/modules/contrib/cobbler.te | 2 +-
policy/modules/contrib/dpkg.te | 2 +-
policy/modules/contrib/firewalld.te | 2 +-
policy/modules/contrib/ftp.if | 2 +-
policy/modules/contrib/gnome.if | 2 +-
policy/modules/contrib/pingd.te | 2 +-
policy/modules/contrib/portage.te | 2 +-
policy/modules/contrib/postfix.te | 4 ++--
policy/modules/contrib/prelink.te | 6 +++---
policy/modules/contrib/samba.te | 2 +-
policy/modules/contrib/ulogd.te | 2 +-
12 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index d28f4c2f..be12966a 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -415,7 +415,7 @@ read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
logging_log_filetrans(httpd_t, httpd_log_t, file)
allow httpd_t httpd_modules_t:dir list_dir_perms;
-mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
+mmap_exec_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
diff --git a/policy/modules/contrib/cobbler.te b/policy/modules/contrib/cobbler.te
index 6177ef41..a3a4453a 100644
--- a/policy/modules/contrib/cobbler.te
+++ b/policy/modules/contrib/cobbler.te
@@ -72,7 +72,7 @@ allow cobblerd_t cobbler_etc_t:dir list_dir_perms;
allow cobblerd_t cobbler_etc_t:file read_file_perms;
allow cobblerd_t cobbler_etc_t:lnk_file read_lnk_file_perms;
-allow cobblerd_t cobbler_tmp_t:file mmap_file_perms;
+allow cobblerd_t cobbler_tmp_t:file mmap_exec_file_perms;
manage_dirs_pattern(cobblerd_t, cobbler_tmp_t, cobbler_tmp_t)
manage_files_pattern(cobblerd_t, cobbler_tmp_t, cobbler_tmp_t)
files_tmp_filetrans(cobblerd_t, cobbler_tmp_t, { dir file })
diff --git a/policy/modules/contrib/dpkg.te b/policy/modules/contrib/dpkg.te
index e165fec3..0ff59b94 100644
--- a/policy/modules/contrib/dpkg.te
+++ b/policy/modules/contrib/dpkg.te
@@ -84,7 +84,7 @@ manage_sock_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
manage_fifo_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
fs_tmpfs_filetrans(dpkg_t, dpkg_tmpfs_t, { dir file lnk_file sock_file fifo_file })
-allow dpkg_t dpkg_var_lib_t:file mmap_file_perms;
+allow dpkg_t dpkg_var_lib_t:file mmap_exec_file_perms;
manage_files_pattern(dpkg_t, dpkg_var_lib_t, dpkg_var_lib_t)
files_var_lib_filetrans(dpkg_t, dpkg_var_lib_t, dir)
diff --git a/policy/modules/contrib/firewalld.te b/policy/modules/contrib/firewalld.te
index 2c930fe5..aa1c637d 100644
--- a/policy/modules/contrib/firewalld.te
+++ b/policy/modules/contrib/firewalld.te
@@ -47,7 +47,7 @@ logging_log_filetrans(firewalld_t, firewalld_var_log_t, file)
manage_files_pattern(firewalld_t, firewalld_tmp_t, firewalld_tmp_t)
files_tmp_filetrans(firewalld_t, firewalld_tmp_t, file)
-allow firewalld_t firewalld_tmp_t:file mmap_file_perms;
+allow firewalld_t firewalld_tmp_t:file mmap_exec_file_perms;
manage_dirs_pattern(firewalld_t, firewalld_var_run_t, firewalld_var_run_t)
manage_files_pattern(firewalld_t, firewalld_var_run_t, firewalld_var_run_t)
diff --git a/policy/modules/contrib/ftp.if b/policy/modules/contrib/ftp.if
index 349d1b3b..3bfe581d 100644
--- a/policy/modules/contrib/ftp.if
+++ b/policy/modules/contrib/ftp.if
@@ -53,7 +53,7 @@ interface(`ftp_check_exec',`
')
corecmd_search_bin($1)
- allow $1 ftpd_exec_t:file mmap_file_perms;
+ allow $1 ftpd_exec_t:file mmap_exec_file_perms;
')
########################################
diff --git a/policy/modules/contrib/gnome.if b/policy/modules/contrib/gnome.if
index 8ed95ee2..8b27d15a 100644
--- a/policy/modules/contrib/gnome.if
+++ b/policy/modules/contrib/gnome.if
@@ -805,5 +805,5 @@ interface(`gnome_mmap_gstreamer_orcexec',`
type gstreamer_orcexec_t;
')
- allow $1 gstreamer_orcexec_t:file mmap_file_perms;
+ allow $1 gstreamer_orcexec_t:file mmap_exec_file_perms;
')
diff --git a/policy/modules/contrib/pingd.te b/policy/modules/contrib/pingd.te
index 8dad7633..e20b15f8 100644
--- a/policy/modules/contrib/pingd.te
+++ b/policy/modules/contrib/pingd.te
@@ -30,7 +30,7 @@ allow pingd_t self:rawip_socket create_socket_perms;
allow pingd_t pingd_etc_t:file read_file_perms;
read_files_pattern(pingd_t, pingd_modules_t, pingd_modules_t)
-mmap_files_pattern(pingd_t, pingd_modules_t, pingd_modules_t)
+mmap_exec_files_pattern(pingd_t, pingd_modules_t, pingd_modules_t)
corenet_all_recvfrom_unlabeled(pingd_t)
corenet_all_recvfrom_netlabel(pingd_t)
diff --git a/policy/modules/contrib/portage.te b/policy/modules/contrib/portage.te
index 5905d4dc..067afc97 100644
--- a/policy/modules/contrib/portage.te
+++ b/policy/modules/contrib/portage.te
@@ -103,7 +103,7 @@ read_files_pattern(gcc_config_t, portage_conf_t, portage_conf_t)
allow gcc_config_t portage_ebuild_t:dir list_dir_perms;
read_files_pattern(gcc_config_t, portage_ebuild_t, portage_ebuild_t)
-allow gcc_config_t portage_exec_t:file mmap_file_perms;
+allow gcc_config_t portage_exec_t:file mmap_exec_file_perms;
kernel_read_system_state(gcc_config_t)
kernel_read_kernel_sysctls(gcc_config_t)
diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te
index 383be1fc..eba65a15 100644
--- a/policy/modules/contrib/postfix.te
+++ b/policy/modules/contrib/postfix.te
@@ -120,7 +120,7 @@ allow postfix_domain postfix_etc_t:lnk_file read_lnk_file_perms;
allow postfix_domain postfix_master_t:file read_file_perms;
-allow postfix_domain postfix_exec_t:file { mmap_file_perms lock };
+allow postfix_domain postfix_exec_t:file { mmap_exec_file_perms lock };
allow postfix_domain postfix_master_t:process sigchld;
@@ -217,7 +217,7 @@ allow postfix_master_t postfix_data_t:file manage_file_perms;
allow postfix_master_t postfix_keytab_t:file read_file_perms;
-allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms ioctl lock };
+allow postfix_master_t postfix_map_exec_t:file { mmap_exec_file_perms ioctl lock };
allow postfix_master_t { postfix_postdrop_exec_t postfix_postqueue_exec_t }:file getattr_file_perms;
diff --git a/policy/modules/contrib/prelink.te b/policy/modules/contrib/prelink.te
index db7d5974..43276472 100644
--- a/policy/modules/contrib/prelink.te
+++ b/policy/modules/contrib/prelink.te
@@ -53,10 +53,10 @@ append_files_pattern(prelink_t, prelink_log_t, prelink_log_t)
read_lnk_files_pattern(prelink_t, prelink_log_t, prelink_log_t)
logging_log_filetrans(prelink_t, prelink_log_t, file)
-allow prelink_t prelink_tmp_t:file { manage_file_perms mmap_file_perms relabel_file_perms execmod };
+allow prelink_t prelink_tmp_t:file { manage_file_perms mmap_exec_file_perms relabel_file_perms execmod };
files_tmp_filetrans(prelink_t, prelink_tmp_t, file)
-allow prelink_t prelink_tmpfs_t:file { manage_file_perms mmap_file_perms relabel_file_perms execmod };
+allow prelink_t prelink_tmpfs_t:file { manage_file_perms mmap_exec_file_perms relabel_file_perms execmod };
fs_tmpfs_filetrans(prelink_t, prelink_tmpfs_t, file)
manage_dirs_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
@@ -64,7 +64,7 @@ manage_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
relabel_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
files_var_lib_filetrans(prelink_t, prelink_var_lib_t, { dir file })
-allow prelink_t prelink_object:file { manage_file_perms mmap_file_perms relabel_file_perms };
+allow prelink_t prelink_object:file { manage_file_perms mmap_exec_file_perms relabel_file_perms };
kernel_read_system_state(prelink_t)
kernel_read_kernel_sysctls(prelink_t)
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
index 78af52df..58dc60fb 100644
--- a/policy/modules/contrib/samba.te
+++ b/policy/modules/contrib/samba.te
@@ -763,7 +763,7 @@ manage_files_pattern(swat_t, samba_var_t, samba_var_t)
manage_lnk_files_pattern(swat_t, samba_var_t, samba_var_t)
files_var_filetrans(swat_t, samba_var_t, dir, "samba")
-allow swat_t smbd_exec_t:file mmap_file_perms ;
+allow swat_t smbd_exec_t:file mmap_exec_file_perms ;
allow swat_t { winbind_t smbd_t }:process { signal signull };
diff --git a/policy/modules/contrib/ulogd.te b/policy/modules/contrib/ulogd.te
index ef4c5fa4..18779e5d 100644
--- a/policy/modules/contrib/ulogd.te
+++ b/policy/modules/contrib/ulogd.te
@@ -35,7 +35,7 @@ allow ulogd_t self:tcp_socket create_stream_socket_perms;
read_files_pattern(ulogd_t, ulogd_etc_t, ulogd_etc_t)
list_dirs_pattern(ulogd_t, ulogd_modules_t, ulogd_modules_t)
-mmap_files_pattern(ulogd_t, ulogd_modules_t, ulogd_modules_t)
+mmap_exec_files_pattern(ulogd_t, ulogd_modules_t, ulogd_modules_t)
append_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t)
create_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-12-14 5:15 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-12-14 5:15 UTC (permalink / raw
To: gentoo-commits
commit: f884129ee59182688f70ddba6600f0b63d3afa94
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Dec 13 18:17:20 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec 14 05:09:40 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f884129e
gpg: Add gpg_agent_use_card boolean for OpenPGP cards
policy/modules/contrib/gpg.te | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index ca600218..6e8f80d5 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -14,6 +14,14 @@ policy_module(gpg, 2.12.3)
## </desc>
gen_tunable(gpg_agent_env_file, false)
+## <desc>
+## <p>
+## Determine whether GPG agent can use OpenPGP
+## cards or Yubikeys over USB
+## </p>
+## </desc>
+gen_tunable(gpg_agent_use_card, false)
+
attribute_role gpg_roles;
roleattribute system_r gpg_roles;
@@ -274,6 +282,11 @@ tunable_policy(`gpg_agent_env_file',`
userdom_user_home_dir_filetrans_user_home_content(gpg_agent_t, file)
')
+tunable_policy(`gpg_agent_use_card',`
+ dev_read_sysfs(gpg_agent_t)
+ dev_rw_generic_usb_dev(gpg_agent_t)
+')
+
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(gpg_agent_t)
fs_manage_nfs_files(gpg_agent_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-12-14 5:15 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-12-14 5:15 UTC (permalink / raw
To: gentoo-commits
commit: d959ec112471aa95de755bc7ec46fc0ca06031d7
Author: Chad Hanson <dahchanson <AT> gmail <DOT> com>
AuthorDate: Mon Dec 11 04:04:36 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Dec 13 14:26:59 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d959ec11
Allow rpm to relabel files at all levels
This patch adds MLS relabel ability to rpm per the previous email request: http://oss.tresys.com/pipermail/refpolicy/2016-July/008038.html
Signed-off-by: Chad Hanson <dahchanson <AT> gmail.com>
policy/modules/contrib/rpm.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te
index 44e8c7b5..9b1c1048 100644
--- a/policy/modules/contrib/rpm.te
+++ b/policy/modules/contrib/rpm.te
@@ -174,6 +174,7 @@ fs_search_auto_mountpoints(rpm_t)
mls_file_read_all_levels(rpm_t)
mls_file_write_all_levels(rpm_t)
+mls_file_relabel(rpm_t)
mls_file_upgrade(rpm_t)
mls_file_downgrade(rpm_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-12-14 5:15 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-12-14 5:15 UTC (permalink / raw
To: gentoo-commits
commit: 45bc0742f768a7c1e1b180e6580ac471bba8f12a
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Dec 13 01:25:08 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Dec 13 14:29:19 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=45bc0742
rpm: Module version bump.
policy/modules/contrib/rpm.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te
index 9b1c1048..52c78614 100644
--- a/policy/modules/contrib/rpm.te
+++ b/policy/modules/contrib/rpm.te
@@ -1,4 +1,4 @@
-policy_module(rpm, 1.20.0)
+policy_module(rpm, 1.20.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-12-13 10:34 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-12-13 10:34 UTC (permalink / raw
To: gentoo-commits
commit: 46ecc9be82dfb821a26ecee1787c3261d79cf04c
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Dec 12 09:05:17 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec 12 09:05:17 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=46ecc9be
chromium: map mime types
policy/modules/contrib/chromium.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/contrib/chromium.te b/policy/modules/contrib/chromium.te
index 76f2583a..29e7fee7 100644
--- a/policy/modules/contrib/chromium.te
+++ b/policy/modules/contrib/chromium.te
@@ -132,6 +132,7 @@ manage_dirs_pattern(chromium_t, chromium_xdg_config_t, chromium_xdg_config_t)
xdg_config_home_filetrans(chromium_t, chromium_xdg_config_t, dir, "chromium")
manage_files_pattern(chromium_t, chromium_xdg_cache_t, chromium_xdg_cache_t)
+allow chromium_t chromium_xdg_cache_t:file map;
manage_dirs_pattern(chromium_t, chromium_xdg_cache_t, chromium_xdg_cache_t)
xdg_cache_home_filetrans(chromium_t, chromium_xdg_cache_t, dir, "chromium")
@@ -162,6 +163,7 @@ domain_dontaudit_search_all_domains_state(chromium_t)
files_list_home(chromium_t)
files_search_home(chromium_t)
files_read_usr_files(chromium_t)
+files_map_usr_files(chromium_t)
files_read_etc_files(chromium_t)
# During find for /etc/whatever-release we get lots of output otherwise
files_dontaudit_getattr_all_dirs(chromium_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-12-12 7:59 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-12-12 7:59 UTC (permalink / raw
To: gentoo-commits
commit: bc4e25c63e5f4ec7536c59e64867e0ff97b4ffb4
Author: Laurent Bigonville <bigon <AT> debian <DOT> org>
AuthorDate: Mon Dec 11 10:23:44 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec 12 07:07:30 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=bc4e25c6
Call systemd_write_inherited_logind_inhibit_pipes() where needed
Multiple domains need to talk to logind to set inhibits
policy/modules/contrib/dbus.te | 2 +-
policy/modules/contrib/devicekit.te | 4 ++++
policy/modules/contrib/modemmanager.te | 4 ++++
policy/modules/contrib/networkmanager.te | 1 +
policy/modules/contrib/virt.te | 4 ++++
5 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index 7281c0a4..d7e41c7e 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -164,8 +164,8 @@ ifdef(`init_systemd', `
optional_policy(`
# for /run/systemd/users/*
systemd_read_logind_pids(system_dbusd_t)
+ systemd_write_inherited_logind_inhibit_pipes(system_dbusd_t)
systemd_write_inherited_logind_sessions_pipes(system_dbusd_t)
- systemd_write_logind_pid_pipes(system_dbusd_t)
')
optional_policy(`
diff --git a/policy/modules/contrib/devicekit.te b/policy/modules/contrib/devicekit.te
index 1730193d..53dff76e 100644
--- a/policy/modules/contrib/devicekit.te
+++ b/policy/modules/contrib/devicekit.te
@@ -345,6 +345,10 @@ optional_policy(`
')
optional_policy(`
+ systemd_write_inherited_logind_inhibit_pipes(devicekit_power_t)
+')
+
+optional_policy(`
udev_read_db(devicekit_power_t)
udev_manage_pid_files(devicekit_power_t)
')
diff --git a/policy/modules/contrib/modemmanager.te b/policy/modules/contrib/modemmanager.te
index 8dcbeead..9e064a40 100644
--- a/policy/modules/contrib/modemmanager.te
+++ b/policy/modules/contrib/modemmanager.te
@@ -56,3 +56,7 @@ optional_policy(`
udev_read_db(modemmanager_t)
udev_manage_pid_files(modemmanager_t)
')
+
+optional_policy(`
+ systemd_write_inherited_logind_inhibit_pipes(modemmanager_t)
+')
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index 1aecd329..779b3c69 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -350,6 +350,7 @@ optional_policy(`
optional_policy(`
systemd_read_logind_sessions_files(NetworkManager_t)
+ systemd_write_inherited_logind_inhibit_pipes(NetworkManager_t)
')
optional_policy(`
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index de57096e..546f3375 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -818,6 +818,10 @@ optional_policy(`
')
optional_policy(`
+ systemd_write_inherited_logind_inhibit_pipes(virtd_t)
+')
+
+optional_policy(`
kernel_read_xen_state(virtd_t)
kernel_write_xen_state(virtd_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-12-12 7:59 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-12-12 7:59 UTC (permalink / raw
To: gentoo-commits
commit: 6bf6d37d86061151c0b5340c3ebafc931c3027ff
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Fri Dec 1 21:34:24 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec 12 07:07:30 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6bf6d37d
pkcs: Rename pkcs_slotd_unit_file_t.
policy/modules/contrib/pkcs.fc | 2 +-
policy/modules/contrib/pkcs.te | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/policy/modules/contrib/pkcs.fc b/policy/modules/contrib/pkcs.fc
index 9dbb5d54..e920f427 100644
--- a/policy/modules/contrib/pkcs.fc
+++ b/policy/modules/contrib/pkcs.fc
@@ -2,7 +2,7 @@
/usr/bin/pkcsslotd -- gen_context(system_u:object_r:pkcs_slotd_exec_t,s0)
-/usr/lib/systemd/system/pkcsslotd.service gen_context(system_u:object_r:pkcs_slotd_unit_file_t,s0)
+/usr/lib/systemd/system/pkcsslotd.service gen_context(system_u:object_r:pkcs_slotd_unit_t,s0)
/usr/sbin/pkcsslotd -- gen_context(system_u:object_r:pkcs_slotd_exec_t,s0)
diff --git a/policy/modules/contrib/pkcs.te b/policy/modules/contrib/pkcs.te
index 339b1176..b150fad9 100644
--- a/policy/modules/contrib/pkcs.te
+++ b/policy/modules/contrib/pkcs.te
@@ -24,8 +24,8 @@ files_tmp_file(pkcs_slotd_tmp_t)
type pkcs_slotd_tmpfs_t;
files_tmpfs_file(pkcs_slotd_tmpfs_t)
-type pkcs_slotd_unit_file_t;
-init_unit_file(pkcs_slotd_unit_file_t)
+type pkcs_slotd_unit_t;
+init_unit_file(pkcs_slotd_unit_t)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-12-12 7:59 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-12-12 7:59 UTC (permalink / raw
To: gentoo-commits
commit: d3d524c7ff452197e596d9b3b07b799922d2d727
Author: Eduardo Barretto <ebarretto <AT> linux <DOT> vnet <DOT> ibm <DOT> com>
AuthorDate: Wed Nov 29 13:27:18 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec 12 07:07:30 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d3d524c7
Update missing permissions for pkcs
pkcsslotd needs access to tmpfs files and /etc/group file.
Signed-off-by: Eduardo Barretto <ebarretto <AT> linux.vnet.ibm.com>
policy/modules/contrib/pkcs.te | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/pkcs.te b/policy/modules/contrib/pkcs.te
index 1ede749f..339b1176 100644
--- a/policy/modules/contrib/pkcs.te
+++ b/policy/modules/contrib/pkcs.te
@@ -54,10 +54,12 @@ files_tmp_filetrans(pkcs_slotd_t, pkcs_slotd_tmp_t, dir)
manage_dirs_pattern(pkcs_slotd_t, pkcs_slotd_tmpfs_t, pkcs_slotd_tmpfs_t)
manage_files_pattern(pkcs_slotd_t, pkcs_slotd_tmpfs_t, pkcs_slotd_tmpfs_t)
-fs_tmpfs_filetrans(pkcs_slotd_t, pkcs_slotd_tmpfs_t, dir)
+fs_tmpfs_filetrans(pkcs_slotd_t, pkcs_slotd_tmpfs_t, { dir file })
files_read_etc_files(pkcs_slotd_t)
+auth_use_nsswitch(pkcs_slotd_t)
+
logging_send_syslog_msg(pkcs_slotd_t)
miscfiles_read_localization(pkcs_slotd_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-12-12 7:59 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-12-12 7:59 UTC (permalink / raw
To: gentoo-commits
commit: 3610cece6a9ea23c3ee52d6dda6605c78443df34
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Tue Dec 12 00:14:55 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec 12 07:07:30 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3610cece
dbus, devicekit, modemmanager, networkmanager, virt: Module version bump.
policy/modules/contrib/dbus.te | 2 +-
policy/modules/contrib/devicekit.te | 2 +-
policy/modules/contrib/modemmanager.te | 2 +-
policy/modules/contrib/networkmanager.te | 2 +-
policy/modules/contrib/virt.te | 2 +-
5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index d7e41c7e..1aa6dba1 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -1,4 +1,4 @@
-policy_module(dbus, 1.23.2)
+policy_module(dbus, 1.23.3)
gen_require(`
class dbus all_dbus_perms;
diff --git a/policy/modules/contrib/devicekit.te b/policy/modules/contrib/devicekit.te
index 53dff76e..ecb13e14 100644
--- a/policy/modules/contrib/devicekit.te
+++ b/policy/modules/contrib/devicekit.te
@@ -1,4 +1,4 @@
-policy_module(devicekit, 1.7.0)
+policy_module(devicekit, 1.7.1)
########################################
#
diff --git a/policy/modules/contrib/modemmanager.te b/policy/modules/contrib/modemmanager.te
index 9e064a40..3a7fa066 100644
--- a/policy/modules/contrib/modemmanager.te
+++ b/policy/modules/contrib/modemmanager.te
@@ -1,4 +1,4 @@
-policy_module(modemmanager, 1.5.0)
+policy_module(modemmanager, 1.5.1)
########################################
#
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index 779b3c69..b66e1ca4 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -1,4 +1,4 @@
-policy_module(networkmanager, 1.21.2)
+policy_module(networkmanager, 1.21.3)
########################################
#
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 546f3375..1b783ca7 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1,4 +1,4 @@
-policy_module(virt, 1.12.2)
+policy_module(virt, 1.12.3)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-12-12 7:59 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-12-12 7:59 UTC (permalink / raw
To: gentoo-commits
commit: 13592efb44efe763f5794527560eaca1ec81290b
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Fri Dec 1 21:40:12 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec 12 07:07:30 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=13592efb
pkcs: Module version bump.
policy/modules/contrib/pkcs.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/pkcs.te b/policy/modules/contrib/pkcs.te
index b150fad9..b98a9f1e 100644
--- a/policy/modules/contrib/pkcs.te
+++ b/policy/modules/contrib/pkcs.te
@@ -1,4 +1,4 @@
-policy_module(pkcs, 1.4.0)
+policy_module(pkcs, 1.4.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-12-12 7:59 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-12-12 7:59 UTC (permalink / raw
To: gentoo-commits
commit: def337a58787d041b4f6161cf1ee16bc70eed400
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Fri Dec 8 00:01:43 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec 12 07:07:30 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=def337a5
accountsd, policykit: Module version bump.
policy/modules/contrib/accountsd.te | 2 +-
policy/modules/contrib/policykit.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/accountsd.te b/policy/modules/contrib/accountsd.te
index f56058cc..dcc0cfe2 100644
--- a/policy/modules/contrib/accountsd.te
+++ b/policy/modules/contrib/accountsd.te
@@ -1,4 +1,4 @@
-policy_module(accountsd, 1.1.0)
+policy_module(accountsd, 1.1.1)
gen_require(`
class passwd all_passwd_perms;
diff --git a/policy/modules/contrib/policykit.te b/policy/modules/contrib/policykit.te
index 8f2035a0..cd042c51 100644
--- a/policy/modules/contrib/policykit.te
+++ b/policy/modules/contrib/policykit.te
@@ -1,4 +1,4 @@
-policy_module(policykit, 1.7.1)
+policy_module(policykit, 1.7.2)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-12-12 7:59 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-12-12 7:59 UTC (permalink / raw
To: gentoo-commits
commit: 9709ab7f3b847dc842f51e899d3495af5aa39eb7
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Nov 29 01:32:31 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec 12 07:07:30 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9709ab7f
networkmanager: Move line.
policy/modules/contrib/networkmanager.te | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index b94e7ef3..ead66d15 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -127,6 +127,8 @@ corenet_tcp_connect_all_ports(NetworkManager_t)
corenet_rw_tun_tap_dev(NetworkManager_t)
corenet_getattr_ppp_dev(NetworkManager_t)
+corenet_ib_access_unlabeled_pkeys(NetworkManager_t)
+
corecmd_exec_shell(NetworkManager_t)
corecmd_exec_bin(NetworkManager_t)
@@ -189,8 +191,6 @@ userdom_write_user_tmp_sockets(NetworkManager_t)
userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t)
userdom_dontaudit_use_user_ttys(NetworkManager_t)
-corenet_ib_access_unlabeled_pkeys(NetworkManager_t)
-
optional_policy(`
avahi_domtrans(NetworkManager_t)
avahi_kill(NetworkManager_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-12-12 7:59 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-12-12 7:59 UTC (permalink / raw
To: gentoo-commits
commit: b1a1e693bd27051324b2d7b1f3af2f5ed5576a1b
Author: Eduardo Barretto <ebarretto <AT> linux <DOT> vnet <DOT> ibm <DOT> com>
AuthorDate: Wed Nov 29 13:29:55 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec 12 07:07:30 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b1a1e693
Update pkcs policy to include pkccsslotd.service
pkcsslotd.service was running, incorrectly, with default systemd label. Fixed it
by creating the pkcs_slotd_unit_file_t type and updating the file context.
Signed-off-by: Eduardo Barretto <ebarretto <AT> linux.vnet.ibm.com>
policy/modules/contrib/pkcs.fc | 2 ++
policy/modules/contrib/pkcs.te | 3 +++
2 files changed, 5 insertions(+)
diff --git a/policy/modules/contrib/pkcs.fc b/policy/modules/contrib/pkcs.fc
index 148293a9..9dbb5d54 100644
--- a/policy/modules/contrib/pkcs.fc
+++ b/policy/modules/contrib/pkcs.fc
@@ -2,6 +2,8 @@
/usr/bin/pkcsslotd -- gen_context(system_u:object_r:pkcs_slotd_exec_t,s0)
+/usr/lib/systemd/system/pkcsslotd.service gen_context(system_u:object_r:pkcs_slotd_unit_file_t,s0)
+
/usr/sbin/pkcsslotd -- gen_context(system_u:object_r:pkcs_slotd_exec_t,s0)
/var/lib/opencryptoki(/.*)? gen_context(system_u:object_r:pkcs_slotd_var_lib_t,s0)
diff --git a/policy/modules/contrib/pkcs.te b/policy/modules/contrib/pkcs.te
index 17b471d6..1ede749f 100644
--- a/policy/modules/contrib/pkcs.te
+++ b/policy/modules/contrib/pkcs.te
@@ -24,6 +24,9 @@ files_tmp_file(pkcs_slotd_tmp_t)
type pkcs_slotd_tmpfs_t;
files_tmpfs_file(pkcs_slotd_tmpfs_t)
+type pkcs_slotd_unit_file_t;
+init_unit_file(pkcs_slotd_unit_file_t)
+
########################################
#
# Local policy
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-12-12 7:59 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-12-12 7:59 UTC (permalink / raw
To: gentoo-commits
commit: ef41fd3bd8a365f6a83bb32707f053dfa0d07203
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Nov 29 01:36:39 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec 12 07:07:30 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ef41fd3b
networkmanager: Module version bump.
policy/modules/contrib/networkmanager.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index ead66d15..1aecd329 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -1,4 +1,4 @@
-policy_module(networkmanager, 1.21.1)
+policy_module(networkmanager, 1.21.2)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-12-12 7:59 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-12-12 7:59 UTC (permalink / raw
To: gentoo-commits
commit: 9fd7c1d7cd40977f22af7970e1d4d943912ed5d2
Author: David Sugar <dsugar <AT> tresys <DOT> com>
AuthorDate: Wed Dec 6 18:23:41 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec 12 07:07:30 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9fd7c1d7
Allow to read /proc/sys/crypto/fips_enabled
Allow accountsd_t and policykitd_t to read /proc/sys/crypto/fips_enabled
policy/modules/contrib/accountsd.te | 1 +
policy/modules/contrib/policykit.te | 1 +
2 files changed, 2 insertions(+)
diff --git a/policy/modules/contrib/accountsd.te b/policy/modules/contrib/accountsd.te
index d435a2d6..f56058cc 100644
--- a/policy/modules/contrib/accountsd.te
+++ b/policy/modules/contrib/accountsd.te
@@ -30,6 +30,7 @@ manage_dirs_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t)
manage_files_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t)
files_var_lib_filetrans(accountsd_t, accountsd_var_lib_t, dir)
+kernel_read_crypto_sysctls(accountsd_t)
kernel_read_kernel_sysctls(accountsd_t)
kernel_read_system_state(accountsd_t)
diff --git a/policy/modules/contrib/policykit.te b/policy/modules/contrib/policykit.te
index 9a0c4d5c..8f2035a0 100644
--- a/policy/modules/contrib/policykit.te
+++ b/policy/modules/contrib/policykit.te
@@ -85,6 +85,7 @@ can_exec(policykit_t, policykit_exec_t)
domtrans_pattern(policykit_t, policykit_auth_exec_t, policykit_auth_t)
domtrans_pattern(policykit_t, policykit_resolve_exec_t, policykit_resolve_t)
+kernel_read_crypto_sysctls(policykit_t)
kernel_read_kernel_sysctls(policykit_t)
kernel_read_system_state(policykit_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-12-12 7:59 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-12-12 7:59 UTC (permalink / raw
To: gentoo-commits
commit: b134083f41043e5d688992b5da43208e75fcedd6
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Tue Dec 12 00:15:52 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec 12 07:07:31 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b134083f
modemmanager: Move lines.
policy/modules/contrib/modemmanager.te | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/policy/modules/contrib/modemmanager.te b/policy/modules/contrib/modemmanager.te
index 3a7fa066..32493977 100644
--- a/policy/modules/contrib/modemmanager.te
+++ b/policy/modules/contrib/modemmanager.te
@@ -53,10 +53,10 @@ optional_policy(`
')
optional_policy(`
- udev_read_db(modemmanager_t)
- udev_manage_pid_files(modemmanager_t)
+ systemd_write_inherited_logind_inhibit_pipes(modemmanager_t)
')
optional_policy(`
- systemd_write_inherited_logind_inhibit_pipes(modemmanager_t)
+ udev_read_db(modemmanager_t)
+ udev_manage_pid_files(modemmanager_t)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-12-12 7:59 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-12-12 7:59 UTC (permalink / raw
To: gentoo-commits
commit: 5cfc4edfbba3ddfa0f748596ce6dfee08f091d7b
Author: David Sugar <dsugar <AT> tresys <DOT> com>
AuthorDate: Fri Nov 17 14:48:11 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec 12 07:07:30 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5cfc4edf
Label /usr/bin/mutter
Label /usr/bin/mutter as wm_exec_t
policy/modules/contrib/wm.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/wm.fc b/policy/modules/contrib/wm.fc
index 304ae09d..05129fea 100644
--- a/policy/modules/contrib/wm.fc
+++ b/policy/modules/contrib/wm.fc
@@ -1,4 +1,5 @@
/usr/bin/gnome-shell -- gen_context(system_u:object_r:wm_exec_t,s0)
/usr/bin/openbox -- gen_context(system_u:object_r:wm_exec_t,s0)
/usr/bin/metacity -- gen_context(system_u:object_r:wm_exec_t,s0)
+/usr/bin/mutter -- gen_context(system_u:object_r:wm_exec_t,s0)
/usr/bin/twm -- gen_context(system_u:object_r:wm_exec_t,s0)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-12-12 7:59 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-12-12 7:59 UTC (permalink / raw
To: gentoo-commits
commit: bd251f8ed143ea319b0ee449ab9397480ae5adda
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Nov 18 12:28:47 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec 12 07:07:30 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=bd251f8e
wm: Module version bump.
policy/modules/contrib/wm.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/wm.te b/policy/modules/contrib/wm.te
index bba860b1..f9f0fd2d 100644
--- a/policy/modules/contrib/wm.te
+++ b/policy/modules/contrib/wm.te
@@ -1,4 +1,4 @@
-policy_module(wm, 1.7.4)
+policy_module(wm, 1.7.5)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-12-12 7:59 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-12-12 7:59 UTC (permalink / raw
To: gentoo-commits
commit: b271394b4c9d85aa2bc49c5c3542365f7af575ec
Author: Daniel Jurgens <danielj <AT> mellanox <DOT> com>
AuthorDate: Mon Nov 27 14:23:08 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec 12 07:07:30 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b271394b
networkmanager: Grant access to unlabeled PKeys
For controlling IPoIB VLANs
Reported-by: Honggang LI <honli <AT> redhat.com>
Signed-off-by: Daniel Jurgens <danielj <AT> mellanox.com>
Tested-by: Honggang LI <honli <AT> redhat.com>
policy/modules/contrib/networkmanager.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index e8a60aec..b94e7ef3 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -189,6 +189,8 @@ userdom_write_user_tmp_sockets(NetworkManager_t)
userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t)
userdom_dontaudit_use_user_ttys(NetworkManager_t)
+corenet_ib_access_unlabeled_pkeys(NetworkManager_t)
+
optional_policy(`
avahi_domtrans(NetworkManager_t)
avahi_kill(NetworkManager_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-11-17 14:59 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-11-17 14:59 UTC (permalink / raw
To: gentoo-commits
commit: f4583e39915721de06d103dad1e172aaa9c760cb
Author: Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Tue Nov 14 02:03:36 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Nov 15 01:12:48 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f4583e39
Allow gtk apps to map usr_t files
This is required to access gtk's icon cache. IIRC, past discussion on
the ML came to the conclusion that adding a new domain for this would be
overkill.
policy/modules/contrib/blueman.te | 1 +
policy/modules/contrib/evolution.te | 1 +
policy/modules/contrib/gpg.te | 1 +
policy/modules/contrib/mozilla.te | 1 +
policy/modules/contrib/openoffice.te | 1 +
policy/modules/contrib/thunderbird.te | 1 +
policy/modules/contrib/wireshark.te | 1 +
policy/modules/contrib/wm.te | 1 +
8 files changed, 8 insertions(+)
diff --git a/policy/modules/contrib/blueman.te b/policy/modules/contrib/blueman.te
index 3a5032e0..c00e3ccc 100644
--- a/policy/modules/contrib/blueman.te
+++ b/policy/modules/contrib/blueman.te
@@ -45,6 +45,7 @@ dev_rw_wireless(blueman_t)
domain_use_interactive_fds(blueman_t)
files_list_tmp(blueman_t)
+files_map_usr_files(blueman_t)
files_read_usr_files(blueman_t)
auth_use_nsswitch(blueman_t)
diff --git a/policy/modules/contrib/evolution.te b/policy/modules/contrib/evolution.te
index ed56f433..a9ffea32 100644
--- a/policy/modules/contrib/evolution.te
+++ b/policy/modules/contrib/evolution.te
@@ -182,6 +182,7 @@ dev_read_urand(evolution_t)
domain_dontaudit_read_all_domains_state(evolution_t)
+files_map_usr_files(evolution_t)
files_read_usr_files(evolution_t)
fs_dontaudit_getattr_xattr_fs(evolution_t)
diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index 03bbd9c3..262d8cc6 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -338,6 +338,7 @@ dev_read_rand(gpg_pinentry_t)
domain_use_interactive_fds(gpg_pinentry_t)
+files_map_usr_files(gpg_pinentry_t)
files_read_usr_files(gpg_pinentry_t)
fs_dontaudit_getattr_xattr_fs(gpg_pinentry_t)
diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
index ddccbc79..ed6f3592 100644
--- a/policy/modules/contrib/mozilla.te
+++ b/policy/modules/contrib/mozilla.te
@@ -173,6 +173,7 @@ dev_write_sound(mozilla_t)
domain_dontaudit_read_all_domains_state(mozilla_t)
files_read_etc_runtime_files(mozilla_t)
+files_map_usr_files(mozilla_t)
files_read_usr_files(mozilla_t)
files_read_var_files(mozilla_t)
files_read_var_lib_files(mozilla_t)
diff --git a/policy/modules/contrib/openoffice.te b/policy/modules/contrib/openoffice.te
index 3c42014d..eb10349d 100644
--- a/policy/modules/contrib/openoffice.te
+++ b/policy/modules/contrib/openoffice.te
@@ -80,6 +80,7 @@ files_getattr_all_dirs(ooffice_t)
files_getattr_all_files(ooffice_t)
files_getattr_all_symlinks(ooffice_t)
files_read_etc_files(ooffice_t)
+files_map_usr_files(ooffice_t)
files_read_usr_files(ooffice_t)
fs_getattr_xattr_fs(ooffice_t)
diff --git a/policy/modules/contrib/thunderbird.te b/policy/modules/contrib/thunderbird.te
index eb9ab43e..c1387eac 100644
--- a/policy/modules/contrib/thunderbird.te
+++ b/policy/modules/contrib/thunderbird.te
@@ -86,6 +86,7 @@ dev_read_urand(thunderbird_t)
dev_dontaudit_search_sysfs(thunderbird_t)
files_list_tmp(thunderbird_t)
+files_map_usr_files(thunderbird_t)
files_read_usr_files(thunderbird_t)
files_read_etc_runtime_files(thunderbird_t)
files_read_var_files(thunderbird_t)
diff --git a/policy/modules/contrib/wireshark.te b/policy/modules/contrib/wireshark.te
index a398fd7d..ca4289f4 100644
--- a/policy/modules/contrib/wireshark.te
+++ b/policy/modules/contrib/wireshark.te
@@ -86,6 +86,7 @@ dev_read_rand(wireshark_t)
dev_read_sysfs(wireshark_t)
dev_read_urand(wireshark_t)
+files_map_usr_files(wireshark_t)
files_read_usr_files(wireshark_t)
fs_getattr_all_fs(wireshark_t)
diff --git a/policy/modules/contrib/wm.te b/policy/modules/contrib/wm.te
index b9c04988..e54f2830 100644
--- a/policy/modules/contrib/wm.te
+++ b/policy/modules/contrib/wm.te
@@ -56,6 +56,7 @@ dev_rw_wireless(wm_domain)
dev_write_sound(wm_domain)
files_read_etc_runtime_files(wm_domain)
+files_map_usr_files(wm_domain)
files_read_usr_files(wm_domain)
fs_getattr_all_fs(wm_domain)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-11-17 14:59 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-11-17 14:59 UTC (permalink / raw
To: gentoo-commits
commit: b63a1d7204e00b434c02af11a2bf80a58674c9e1
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Tue Nov 14 23:31:15 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Nov 15 01:12:48 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b63a1d72
blueman, evolution, gpg, mozilla, openoffice, thunderbird, wireshark, wm: Module version bump.
policy/modules/contrib/blueman.te | 2 +-
policy/modules/contrib/evolution.te | 2 +-
policy/modules/contrib/gpg.te | 2 +-
policy/modules/contrib/mozilla.te | 2 +-
policy/modules/contrib/openoffice.te | 2 +-
policy/modules/contrib/thunderbird.te | 2 +-
policy/modules/contrib/wireshark.te | 2 +-
policy/modules/contrib/wm.te | 2 +-
8 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/policy/modules/contrib/blueman.te b/policy/modules/contrib/blueman.te
index c00e3ccc..06d9d1d0 100644
--- a/policy/modules/contrib/blueman.te
+++ b/policy/modules/contrib/blueman.te
@@ -1,4 +1,4 @@
-policy_module(blueman, 1.1.0)
+policy_module(blueman, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/evolution.te b/policy/modules/contrib/evolution.te
index a9ffea32..e31a843a 100644
--- a/policy/modules/contrib/evolution.te
+++ b/policy/modules/contrib/evolution.te
@@ -1,4 +1,4 @@
-policy_module(evolution, 2.7.0)
+policy_module(evolution, 2.7.1)
########################################
#
diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index 262d8cc6..ca600218 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -1,4 +1,4 @@
-policy_module(gpg, 2.12.2)
+policy_module(gpg, 2.12.3)
########################################
#
diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
index ed6f3592..1bc1e707 100644
--- a/policy/modules/contrib/mozilla.te
+++ b/policy/modules/contrib/mozilla.te
@@ -1,4 +1,4 @@
-policy_module(mozilla, 2.12.3)
+policy_module(mozilla, 2.12.4)
########################################
#
diff --git a/policy/modules/contrib/openoffice.te b/policy/modules/contrib/openoffice.te
index eb10349d..fd4f79d8 100644
--- a/policy/modules/contrib/openoffice.te
+++ b/policy/modules/contrib/openoffice.te
@@ -1,4 +1,4 @@
-policy_module(openoffice, 1.2.1)
+policy_module(openoffice, 1.2.2)
##############################
#
diff --git a/policy/modules/contrib/thunderbird.te b/policy/modules/contrib/thunderbird.te
index c1387eac..76e78e01 100644
--- a/policy/modules/contrib/thunderbird.te
+++ b/policy/modules/contrib/thunderbird.te
@@ -1,4 +1,4 @@
-policy_module(thunderbird, 2.6.0)
+policy_module(thunderbird, 2.6.1)
########################################
#
diff --git a/policy/modules/contrib/wireshark.te b/policy/modules/contrib/wireshark.te
index ca4289f4..40de9304 100644
--- a/policy/modules/contrib/wireshark.te
+++ b/policy/modules/contrib/wireshark.te
@@ -1,4 +1,4 @@
-policy_module(wireshark, 2.5.0)
+policy_module(wireshark, 2.5.1)
########################################
#
diff --git a/policy/modules/contrib/wm.te b/policy/modules/contrib/wm.te
index e54f2830..bba860b1 100644
--- a/policy/modules/contrib/wm.te
+++ b/policy/modules/contrib/wm.te
@@ -1,4 +1,4 @@
-policy_module(wm, 1.7.3)
+policy_module(wm, 1.7.4)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-11-17 14:59 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-11-17 14:59 UTC (permalink / raw
To: gentoo-commits
commit: 085875d9884125f544a60814d315830e55208eb0
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Fri Nov 10 01:36:30 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Nov 15 01:12:48 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=085875d9
Several module version bumps.
policy/modules/contrib/apache.te | 2 +-
policy/modules/contrib/bind.te | 2 +-
policy/modules/contrib/cyrus.te | 2 +-
policy/modules/contrib/dovecot.te | 2 +-
policy/modules/contrib/exim.te | 2 +-
policy/modules/contrib/java.te | 2 +-
policy/modules/contrib/ldap.te | 2 +-
policy/modules/contrib/postfix.te | 2 +-
policy/modules/contrib/radius.te | 2 +-
policy/modules/contrib/rpc.te | 2 +-
policy/modules/contrib/samba.te | 2 +-
policy/modules/contrib/sendmail.te | 2 +-
policy/modules/contrib/squid.te | 2 +-
policy/modules/contrib/stunnel.te | 2 +-
policy/modules/contrib/virt.te | 2 +-
15 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index 68a9731a..d28f4c2f 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -1,4 +1,4 @@
-policy_module(apache, 2.13.1)
+policy_module(apache, 2.13.2)
########################################
#
diff --git a/policy/modules/contrib/bind.te b/policy/modules/contrib/bind.te
index 4aeef605..bee20f04 100644
--- a/policy/modules/contrib/bind.te
+++ b/policy/modules/contrib/bind.te
@@ -1,4 +1,4 @@
-policy_module(bind, 1.19.0)
+policy_module(bind, 1.19.1)
########################################
#
diff --git a/policy/modules/contrib/cyrus.te b/policy/modules/contrib/cyrus.te
index d12d9633..e0089870 100644
--- a/policy/modules/contrib/cyrus.te
+++ b/policy/modules/contrib/cyrus.te
@@ -1,4 +1,4 @@
-policy_module(cyrus, 1.16.0)
+policy_module(cyrus, 1.16.1)
########################################
#
diff --git a/policy/modules/contrib/dovecot.te b/policy/modules/contrib/dovecot.te
index ba326a28..be73cbec 100644
--- a/policy/modules/contrib/dovecot.te
+++ b/policy/modules/contrib/dovecot.te
@@ -1,4 +1,4 @@
-policy_module(dovecot, 1.20.0)
+policy_module(dovecot, 1.20.1)
########################################
#
diff --git a/policy/modules/contrib/exim.te b/policy/modules/contrib/exim.te
index 4949f4a4..60263b43 100644
--- a/policy/modules/contrib/exim.te
+++ b/policy/modules/contrib/exim.te
@@ -1,4 +1,4 @@
-policy_module(exim, 1.11.0)
+policy_module(exim, 1.11.1)
########################################
#
diff --git a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te
index 7d7b035d..193ba99d 100644
--- a/policy/modules/contrib/java.te
+++ b/policy/modules/contrib/java.te
@@ -1,4 +1,4 @@
-policy_module(java, 2.10.1)
+policy_module(java, 2.10.2)
########################################
#
diff --git a/policy/modules/contrib/ldap.te b/policy/modules/contrib/ldap.te
index 549a3f48..72a829de 100644
--- a/policy/modules/contrib/ldap.te
+++ b/policy/modules/contrib/ldap.te
@@ -1,4 +1,4 @@
-policy_module(ldap, 1.16.0)
+policy_module(ldap, 1.16.1)
########################################
#
diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te
index 550dc7b9..383be1fc 100644
--- a/policy/modules/contrib/postfix.te
+++ b/policy/modules/contrib/postfix.te
@@ -1,4 +1,4 @@
-policy_module(postfix, 1.18.2)
+policy_module(postfix, 1.18.3)
########################################
#
diff --git a/policy/modules/contrib/radius.te b/policy/modules/contrib/radius.te
index d23ce825..0dbef954 100644
--- a/policy/modules/contrib/radius.te
+++ b/policy/modules/contrib/radius.te
@@ -1,4 +1,4 @@
-policy_module(radius, 1.16.0)
+policy_module(radius, 1.16.1)
########################################
#
diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
index 3f20e54f..9e8d1541 100644
--- a/policy/modules/contrib/rpc.te
+++ b/policy/modules/contrib/rpc.te
@@ -1,4 +1,4 @@
-policy_module(rpc, 1.20.2)
+policy_module(rpc, 1.20.3)
########################################
#
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
index 28107903..78af52df 100644
--- a/policy/modules/contrib/samba.te
+++ b/policy/modules/contrib/samba.te
@@ -1,4 +1,4 @@
-policy_module(samba, 1.21.0)
+policy_module(samba, 1.21.1)
#################################
#
diff --git a/policy/modules/contrib/sendmail.te b/policy/modules/contrib/sendmail.te
index 84924c9a..c5b864a6 100644
--- a/policy/modules/contrib/sendmail.te
+++ b/policy/modules/contrib/sendmail.te
@@ -1,4 +1,4 @@
-policy_module(sendmail, 1.15.0)
+policy_module(sendmail, 1.15.1)
########################################
#
diff --git a/policy/modules/contrib/squid.te b/policy/modules/contrib/squid.te
index 81c9a8f9..bba3a103 100644
--- a/policy/modules/contrib/squid.te
+++ b/policy/modules/contrib/squid.te
@@ -1,4 +1,4 @@
-policy_module(squid, 1.16.0)
+policy_module(squid, 1.16.1)
########################################
#
diff --git a/policy/modules/contrib/stunnel.te b/policy/modules/contrib/stunnel.te
index 411f842d..4881d0cd 100644
--- a/policy/modules/contrib/stunnel.te
+++ b/policy/modules/contrib/stunnel.te
@@ -1,4 +1,4 @@
-policy_module(stunnel, 1.12.0)
+policy_module(stunnel, 1.12.1)
########################################
#
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index f4d05cfb..de57096e 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1,4 +1,4 @@
-policy_module(virt, 1.12.1)
+policy_module(virt, 1.12.2)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-11-17 14:59 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-11-17 14:59 UTC (permalink / raw
To: gentoo-commits
commit: fc75045908d6c2275c0b8a87205b92225fe03245
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> com>
AuthorDate: Wed Nov 8 17:30:30 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Nov 15 01:12:48 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fc750459
contrib: use the new SSL private keys type (was: "let the mozilla and other domains read generic SSL certificates")
Use the newly created interfaces for operations on SSL/TLS private
key files.
Normally such interfaces should only be used for web servers
such as apache and for secure mail servers. A few other exceptions
exists.
This part (2/2) refers to the contrib policy changes.
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.com>
policy/modules/contrib/apache.te | 2 ++
policy/modules/contrib/bind.te | 1 +
policy/modules/contrib/cyrus.te | 1 +
policy/modules/contrib/dovecot.te | 1 +
policy/modules/contrib/exim.te | 1 +
policy/modules/contrib/java.te | 2 ++
policy/modules/contrib/ldap.te | 1 +
policy/modules/contrib/postfix.te | 1 +
policy/modules/contrib/radius.te | 1 +
policy/modules/contrib/rpc.te | 2 ++
policy/modules/contrib/samba.te | 1 +
policy/modules/contrib/sendmail.te | 1 +
policy/modules/contrib/squid.te | 1 +
policy/modules/contrib/stunnel.te | 1 +
policy/modules/contrib/virt.te | 1 +
15 files changed, 18 insertions(+)
diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index 24399860..68a9731a 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -529,6 +529,7 @@ miscfiles_read_localization(httpd_t)
miscfiles_read_fonts(httpd_t)
miscfiles_read_public_files(httpd_t)
miscfiles_read_generic_certs(httpd_t)
+miscfiles_read_generic_tls_privkey(httpd_t)
miscfiles_read_tetex_data(httpd_t)
seutil_dontaudit_search_config(httpd_t)
@@ -1425,6 +1426,7 @@ auth_use_nsswitch(httpd_passwd_t)
miscfiles_read_generic_certs(httpd_passwd_t)
miscfiles_read_localization(httpd_passwd_t)
+miscfiles_read_generic_tls_privkey(httpd_passwd_t)
########################################
#
diff --git a/policy/modules/contrib/bind.te b/policy/modules/contrib/bind.te
index c97c6a22..4aeef605 100644
--- a/policy/modules/contrib/bind.te
+++ b/policy/modules/contrib/bind.te
@@ -165,6 +165,7 @@ logging_send_syslog_msg(named_t)
miscfiles_read_generic_certs(named_t)
miscfiles_read_localization(named_t)
+miscfiles_read_generic_tls_privkey(named_t)
userdom_dontaudit_use_unpriv_user_fds(named_t)
userdom_dontaudit_search_user_home_dirs(named_t)
diff --git a/policy/modules/contrib/cyrus.te b/policy/modules/contrib/cyrus.te
index 816cf457..d12d9633 100644
--- a/policy/modules/contrib/cyrus.te
+++ b/policy/modules/contrib/cyrus.te
@@ -109,6 +109,7 @@ logging_send_syslog_msg(cyrus_t)
miscfiles_read_localization(cyrus_t)
miscfiles_read_generic_certs(cyrus_t)
+miscfiles_read_generic_tls_privkey(cyrus_t)
userdom_use_unpriv_users_fds(cyrus_t)
userdom_dontaudit_search_user_home_dirs(cyrus_t)
diff --git a/policy/modules/contrib/dovecot.te b/policy/modules/contrib/dovecot.te
index 3827d093..ba326a28 100644
--- a/policy/modules/contrib/dovecot.te
+++ b/policy/modules/contrib/dovecot.te
@@ -172,6 +172,7 @@ init_getattr_utmp(dovecot_t)
auth_use_nsswitch(dovecot_t)
miscfiles_read_generic_certs(dovecot_t)
+miscfiles_read_generic_tls_privkey(dovecot_t)
userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
userdom_use_user_terminals(dovecot_t)
diff --git a/policy/modules/contrib/exim.te b/policy/modules/contrib/exim.te
index 4f884c99..4949f4a4 100644
--- a/policy/modules/contrib/exim.te
+++ b/policy/modules/contrib/exim.te
@@ -157,6 +157,7 @@ logging_send_syslog_msg(exim_t)
miscfiles_read_localization(exim_t)
miscfiles_read_generic_certs(exim_t)
+miscfiles_read_generic_tls_privkey(exim_t)
userdom_dontaudit_search_user_home_dirs(exim_t)
diff --git a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te
index 2b5a17df..7d7b035d 100644
--- a/policy/modules/contrib/java.te
+++ b/policy/modules/contrib/java.te
@@ -95,6 +95,7 @@ dev_read_rand(java_domain)
dev_dontaudit_append_rand(java_domain)
files_read_usr_files(java_domain)
+files_read_etc_files(java_domain)
files_read_etc_runtime_files(java_domain)
fs_getattr_all_fs(java_domain)
@@ -102,6 +103,7 @@ fs_dontaudit_rw_tmpfs_files(java_domain)
logging_send_syslog_msg(java_domain)
+miscfiles_read_generic_certs(java_domain)
miscfiles_read_localization(java_domain)
miscfiles_read_fonts(java_domain)
diff --git a/policy/modules/contrib/ldap.te b/policy/modules/contrib/ldap.te
index c3e52459..549a3f48 100644
--- a/policy/modules/contrib/ldap.te
+++ b/policy/modules/contrib/ldap.te
@@ -127,6 +127,7 @@ logging_send_syslog_msg(slapd_t)
miscfiles_read_generic_certs(slapd_t)
miscfiles_read_localization(slapd_t)
+miscfiles_read_generic_tls_privkey(slapd_t)
userdom_dontaudit_use_unpriv_user_fds(slapd_t)
userdom_dontaudit_search_user_home_dirs(slapd_t)
diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te
index dcb86c72..550dc7b9 100644
--- a/policy/modules/contrib/postfix.te
+++ b/policy/modules/contrib/postfix.te
@@ -159,6 +159,7 @@ logging_send_syslog_msg(postfix_domain)
miscfiles_read_localization(postfix_domain)
miscfiles_read_generic_certs(postfix_domain)
+miscfiles_read_generic_tls_privkey(postfix_domain)
userdom_dontaudit_use_unpriv_user_fds(postfix_domain)
diff --git a/policy/modules/contrib/radius.te b/policy/modules/contrib/radius.te
index 1411e381..d23ce825 100644
--- a/policy/modules/contrib/radius.te
+++ b/policy/modules/contrib/radius.te
@@ -111,6 +111,7 @@ logging_send_syslog_msg(radiusd_t)
miscfiles_read_localization(radiusd_t)
miscfiles_read_generic_certs(radiusd_t)
+miscfiles_read_generic_tls_privkey(radiusd_t)
sysnet_use_ldap(radiusd_t)
diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
index 67f19ac9..3f20e54f 100644
--- a/policy/modules/contrib/rpc.te
+++ b/policy/modules/contrib/rpc.te
@@ -182,6 +182,7 @@ storage_getattr_fixed_disk_dev(rpcd_t)
selinux_dontaudit_read_fs(rpcd_t)
miscfiles_read_generic_certs(rpcd_t)
+miscfiles_read_generic_tls_privkey(rpcd_t)
seutil_dontaudit_search_config(rpcd_t)
@@ -320,6 +321,7 @@ files_dontaudit_write_var_dirs(gssd_t)
auth_manage_cache(gssd_t)
miscfiles_read_generic_certs(gssd_t)
+miscfiles_read_generic_tls_privkey(gssd_t)
userdom_signal_all_users(gssd_t)
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
index f61077fa..28107903 100644
--- a/policy/modules/contrib/samba.te
+++ b/policy/modules/contrib/samba.te
@@ -943,6 +943,7 @@ logging_send_syslog_msg(winbind_t)
miscfiles_read_localization(winbind_t)
miscfiles_read_generic_certs(winbind_t)
+miscfiles_read_generic_tls_privkey(winbind_t)
userdom_dontaudit_use_unpriv_user_fds(winbind_t)
userdom_manage_user_home_content_dirs(winbind_t)
diff --git a/policy/modules/contrib/sendmail.te b/policy/modules/contrib/sendmail.te
index dbfab0a0..84924c9a 100644
--- a/policy/modules/contrib/sendmail.te
+++ b/policy/modules/contrib/sendmail.te
@@ -113,6 +113,7 @@ logging_dontaudit_write_generic_logs(sendmail_t)
miscfiles_read_generic_certs(sendmail_t)
miscfiles_read_localization(sendmail_t)
+miscfiles_read_generic_tls_privkey(sendmail_t)
userdom_dontaudit_use_unpriv_user_fds(sendmail_t)
diff --git a/policy/modules/contrib/squid.te b/policy/modules/contrib/squid.te
index a9093f5f..81c9a8f9 100644
--- a/policy/modules/contrib/squid.te
+++ b/policy/modules/contrib/squid.te
@@ -185,6 +185,7 @@ logging_send_syslog_msg(squid_t)
miscfiles_read_generic_certs(squid_t)
miscfiles_read_localization(squid_t)
+miscfiles_read_generic_tls_privkey(squid_t)
userdom_use_unpriv_users_fds(squid_t)
userdom_dontaudit_search_user_home_dirs(squid_t)
diff --git a/policy/modules/contrib/stunnel.te b/policy/modules/contrib/stunnel.te
index f7e315ed..411f842d 100644
--- a/policy/modules/contrib/stunnel.te
+++ b/policy/modules/contrib/stunnel.te
@@ -76,6 +76,7 @@ logging_send_syslog_msg(stunnel_t)
miscfiles_read_generic_certs(stunnel_t)
miscfiles_read_localization(stunnel_t)
+miscfiles_read_generic_tls_privkey(stunnel_t)
userdom_dontaudit_use_unpriv_user_fds(stunnel_t)
userdom_dontaudit_search_user_home_dirs(stunnel_t)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 3759d2d9..f4d05cfb 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -685,6 +685,7 @@ auth_use_nsswitch(virtd_t)
miscfiles_read_localization(virtd_t)
miscfiles_read_generic_certs(virtd_t)
miscfiles_read_hwdata(virtd_t)
+miscfiles_read_generic_tls_privkey(virtd_t)
modutils_read_module_deps(virtd_t)
modutils_manage_module_config(virtd_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-11-05 8:01 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-11-05 8:01 UTC (permalink / raw
To: gentoo-commits
commit: 5d6a23fe60fd1230b2559ed8b75538c9d2613769
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Nov 2 17:31:19 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 5 06:40:35 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5d6a23fe
gssproxy: add policy
borrowed and modified from Fedora
policy/modules/contrib/gssproxy.fc | 8 ++
policy/modules/contrib/gssproxy.if | 168 +++++++++++++++++++++++++++++++++++++
policy/modules/contrib/gssproxy.te | 66 +++++++++++++++
3 files changed, 242 insertions(+)
diff --git a/policy/modules/contrib/gssproxy.fc b/policy/modules/contrib/gssproxy.fc
new file mode 100644
index 00000000..a9970159
--- /dev/null
+++ b/policy/modules/contrib/gssproxy.fc
@@ -0,0 +1,8 @@
+/usr/lib/systemd/system/gssproxy.service -- gen_context(system_u:object_r:gssproxy_unit_t,s0)
+
+/usr/sbin/gssproxy -- gen_context(system_u:object_r:gssproxy_exec_t,s0)
+
+/var/lib/gssproxy(/.*)? gen_context(system_u:object_r:gssproxy_var_lib_t,s0)
+
+/run/gssproxy\.pid -- gen_context(system_u:object_r:gssproxy_run_t,s0)
+/run/gssproxy\.sock -s gen_context(system_u:object_r:gssproxy_run_t,s0)
diff --git a/policy/modules/contrib/gssproxy.if b/policy/modules/contrib/gssproxy.if
new file mode 100644
index 00000000..1f8a4461
--- /dev/null
+++ b/policy/modules/contrib/gssproxy.if
@@ -0,0 +1,168 @@
+## <summary>policy for gssproxy - daemon to proxy GSSAPI context establishment and channel handling</summary>
+
+########################################
+## <summary>
+## Execute gssproxy in the gssproxy domin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`gssproxy_domtrans',`
+ gen_require(`
+ type gssproxy_t, gssproxy_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, gssproxy_exec_t, gssproxy_t)
+')
+
+########################################
+## <summary>
+## Search gssproxy lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gssproxy_search_lib',`
+ gen_require(`
+ type gssproxy_var_lib_t;
+ ')
+
+ allow $1 gssproxy_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read gssproxy lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gssproxy_read_lib_files',`
+ gen_require(`
+ type gssproxy_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage gssproxy lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gssproxy_manage_lib_files',`
+ gen_require(`
+ type gssproxy_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage gssproxy lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gssproxy_manage_lib_dirs',`
+ gen_require(`
+ type gssproxy_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
+')
+
+########################################
+## <summary>
+## Read gssproxy PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gssproxy_read_pid_files',`
+ gen_require(`
+ type gssproxy_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, gssproxy_run_t, gssproxy_run_t)
+')
+
+########################################
+## <summary>
+## Connect to gssproxy over an unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gssproxy_stream_connect',`
+ gen_require(`
+ type gssproxy_t, gssproxy_run_t, gssproxy_var_lib_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, gssproxy_run_t, gssproxy_run_t, gssproxy_t)
+ stream_connect_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t, gssproxy_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an gssproxy environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`gssproxy_admin',`
+ gen_require(`
+ type gssproxy_t;
+ type gssproxy_var_lib_t;
+ type gssproxy_run_t;
+ type gssproxy_unit_t;
+ ')
+
+ allow $1 gssproxy_t:process { ptrace signal_perms };
+ ps_process_pattern($1, gssproxy_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, gssproxy_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, gssproxy_run_t)
+
+ admin_pattern($1, gssproxy_unit_t)
+')
diff --git a/policy/modules/contrib/gssproxy.te b/policy/modules/contrib/gssproxy.te
new file mode 100644
index 00000000..c1dcc556
--- /dev/null
+++ b/policy/modules/contrib/gssproxy.te
@@ -0,0 +1,66 @@
+policy_module(gssproxy, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type gssproxy_t;
+type gssproxy_exec_t;
+init_daemon_domain(gssproxy_t, gssproxy_exec_t)
+
+type gssproxy_var_lib_t;
+files_type(gssproxy_var_lib_t)
+
+type gssproxy_run_t;
+files_pid_file(gssproxy_run_t)
+
+type gssproxy_unit_t;
+init_unit_file(gssproxy_unit_t)
+
+########################################
+#
+# gssproxy local policy
+#
+allow gssproxy_t self:capability { setuid setgid };
+allow gssproxy_t self:capability2 block_suspend;
+allow gssproxy_t self:fifo_file rw_fifo_file_perms;
+allow gssproxy_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
+manage_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
+manage_sock_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
+manage_lnk_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
+files_var_lib_filetrans(gssproxy_t, gssproxy_var_lib_t, { dir file lnk_file })
+
+manage_dirs_pattern(gssproxy_t, gssproxy_run_t, gssproxy_run_t)
+manage_files_pattern(gssproxy_t, gssproxy_run_t, gssproxy_run_t)
+manage_sock_files_pattern(gssproxy_t, gssproxy_run_t, gssproxy_run_t)
+manage_lnk_files_pattern(gssproxy_t, gssproxy_run_t, gssproxy_run_t)
+files_pid_filetrans(gssproxy_t, gssproxy_run_t, { dir file lnk_file sock_file })
+
+kernel_rw_rpc_sysctls(gssproxy_t)
+
+domain_use_interactive_fds(gssproxy_t)
+
+files_read_etc_files(gssproxy_t)
+
+fs_getattr_all_fs(gssproxy_t)
+
+auth_use_nsswitch(gssproxy_t)
+
+dev_read_urand(gssproxy_t)
+
+logging_send_syslog_msg(gssproxy_t)
+
+miscfiles_read_localization(gssproxy_t)
+
+userdom_read_all_users_keys(gssproxy_t)
+userdom_manage_user_tmp_dirs(gssproxy_t)
+userdom_manage_user_tmp_files(gssproxy_t)
+
+optional_policy(`
+ kerberos_manage_host_rcache(gssproxy_t)
+ kerberos_read_keytab(gssproxy_t)
+ kerberos_use(gssproxy_t)
+')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-11-05 8:01 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-11-05 8:01 UTC (permalink / raw
To: gentoo-commits
commit: a92040a6bd344145b2df9a88910993f0ff0dfbcc
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Nov 4 18:16:06 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 5 06:40:35 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a92040a6
gpg, mozilla, rpc: Module version bump.
policy/modules/contrib/gpg.te | 2 +-
policy/modules/contrib/mozilla.te | 2 +-
policy/modules/contrib/rpc.te | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index 048ff0f0..03bbd9c3 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -1,4 +1,4 @@
-policy_module(gpg, 2.12.1)
+policy_module(gpg, 2.12.2)
########################################
#
diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
index 2ffed447..ddccbc79 100644
--- a/policy/modules/contrib/mozilla.te
+++ b/policy/modules/contrib/mozilla.te
@@ -1,4 +1,4 @@
-policy_module(mozilla, 2.12.2)
+policy_module(mozilla, 2.12.3)
########################################
#
diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
index 85a68b23..67f19ac9 100644
--- a/policy/modules/contrib/rpc.te
+++ b/policy/modules/contrib/rpc.te
@@ -1,4 +1,4 @@
-policy_module(rpc, 1.20.1)
+policy_module(rpc, 1.20.2)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-11-05 8:01 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-11-05 8:01 UTC (permalink / raw
To: gentoo-commits
commit: 09b3bbc4d767812375a72461e0247a6d6e8da97f
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Nov 2 17:31:21 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 5 06:40:35 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=09b3bbc4
gpg: search dir when connecting to agent socket
commit 96ac8920f55e5a652c20aba99a599ce23a4d3c0d
(gpg: manage user runtime socket files and directories)
moved /run/user/UID/gnupg/ to gpg_runtime_t. this updates the interface
so it grants search perms on the dir too.
policy/modules/contrib/gpg.if | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/gpg.if b/policy/modules/contrib/gpg.if
index c4b7c4cd..6266019b 100644
--- a/policy/modules/contrib/gpg.if
+++ b/policy/modules/contrib/gpg.if
@@ -191,11 +191,11 @@ interface(`gpg_rw_agent_pipes',`
interface(`gpg_stream_connect_agent',`
gen_require(`
type gpg_agent_t, gpg_agent_tmp_t;
- type gpg_secret_t;
+ type gpg_secret_t, gpg_runtime_t;
')
stream_connect_pattern($1, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)
- allow $1 gpg_secret_t:dir search_dir_perms;
+ allow $1 { gpg_secret_t gpg_runtime_t }:dir search_dir_perms;
userdom_search_user_runtime($1)
userdom_search_user_home_dirs($1)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-11-05 8:01 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-11-05 8:01 UTC (permalink / raw
To: gentoo-commits
commit: 476affd27d6b3ebff81017f637a774a284ebdb2d
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> com>
AuthorDate: Sat Nov 4 19:21:23 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 5 06:40:35 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=476affd2
mozilla: read generic SSL certificates
Let mozilla read generic SSL certificates so that the browser
can verify them for HTTPS web pages.
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.com>
policy/modules/contrib/mozilla.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
index b37f3a32..2ffed447 100644
--- a/policy/modules/contrib/mozilla.te
+++ b/policy/modules/contrib/mozilla.te
@@ -191,6 +191,7 @@ auth_use_nsswitch(mozilla_t)
logging_send_syslog_msg(mozilla_t)
miscfiles_read_fonts(mozilla_t)
+miscfiles_read_generic_certs(mozilla_t)
miscfiles_read_localization(mozilla_t)
miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-11-05 8:01 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-11-05 8:01 UTC (permalink / raw
To: gentoo-commits
commit: 2509630e0353e15b70bd82f8d1bb1eb65b383aef
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Nov 2 17:31:20 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 5 06:40:35 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2509630e
rpc: Allow stream connect to gssproxy
policy/modules/contrib/rpc.te | 3 +++
1 file changed, 3 insertions(+)
diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
index 9fcbce2f..85a68b23 100644
--- a/policy/modules/contrib/rpc.te
+++ b/policy/modules/contrib/rpc.te
@@ -339,6 +339,9 @@ optional_policy(`
')
optional_policy(`
+ gssproxy_stream_connect(gssd_t)
+')
+optional_policy(`
kerberos_manage_host_rcache(gssd_t)
kerberos_read_keytab(gssd_t)
kerberos_tmp_filetrans_host_rcache(gssd_t, file, "nfs_0")
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-10-31 5:40 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-10-31 5:40 UTC (permalink / raw
To: gentoo-commits
commit: 52e9add16fe67920ed2456ca26f555f63f4e16e8
Author: Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Tue Oct 31 01:36:16 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Oct 31 05:15:22 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=52e9add1
refpolicy and certs
The following patch allows mon_t to set limits for it's children and removes
cert_t labelling from CA public keys (that aren't secret) so that processes
which only need to verify keys (EG https clients) don't need cert_t access.
policy/modules/contrib/mon.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/contrib/mon.te b/policy/modules/contrib/mon.te
index ab03877b..b00c0762 100644
--- a/policy/modules/contrib/mon.te
+++ b/policy/modules/contrib/mon.te
@@ -45,6 +45,8 @@ files_tmp_file(mon_tmp_t)
allow mon_t self:fifo_file rw_fifo_file_perms;
allow mon_t self:tcp_socket create_stream_socket_perms;
+# for mailxmpp.alert to set ulimit
+allow mon_t self:process setrlimit;
domtrans_pattern(mon_t, mon_local_test_exec_t, mon_local_test_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-10-31 5:40 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-10-31 5:40 UTC (permalink / raw
To: gentoo-commits
commit: e9f5151a6a5bacc2d4d45c9d5a2f7a7e32c313ef
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Tue Oct 31 01:19:55 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Oct 31 05:15:22 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e9f5151a
virt: Move a line.
policy/modules/contrib/virt.te | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 98d510fd..5d7926dd 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1364,13 +1364,13 @@ allow virtlogd_t virtd_t:dir list_dir_perms;
allow virtlogd_t virtd_t:file read_file_perms;
allow virtlogd_t virtd_t:lnk_file read_lnk_file_perms;
+can_exec(virtlogd_t, virtlogd_exec_t)
+
manage_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
manage_sock_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
filetrans_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t, sock_file)
files_pid_filetrans(virtlogd_t, virtlogd_run_t, file)
-can_exec(virtlogd_t, virtlogd_exec_t)
-
kernel_read_system_state(virtlogd_t)
files_read_etc_files(virtlogd_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-10-31 5:40 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-10-31 5:40 UTC (permalink / raw
To: gentoo-commits
commit: 570a767ab83e4540059afccfd833590cecba9a95
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Oct 30 06:38:45 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Oct 31 05:15:22 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=570a767a
virt: updated perms for starting guests
virtlockd doesnt need ps_process_pattern
need to relabel to set categories and allow mount root in slave mode
allow mounting devfs in run
Already has dac_override so read_search is harmless
libvirt errors:
libvirtError: unable to set security context 'system_u:object_r:svirt_image_t:s0:c50,c346' on '/var/lib/libvirt/qemu/domain-1-zfstest': Permission denied
Error starting domain: internal error: Process exited prior to exec: libvirt: error : Failed to switch root mount into slave mode: Permission denied
Error starting domain: internal error: Process exited prior to exec: libvirt: error : Failed to mount devfs on /var/run/libvirt/qemu/selinux.dev type tmpfs (mode=755,size=65536): Permission denied
Error starting domain: internal error: Process exited prior to exec: libvirt: error : Failed to mount devfs on /var/run/libvirt/qemu/selinux.dev type tmpfs (mode=755,size=65536): Permission denied
Error starting domain: internal error: Process exited prior to exec: libvirt: QEMU Driver error : Failed to make device /var/run/libvirt/qemu/selinux.dev/null: Permission denied
Error starting domain: internal error: Process exited prior to exec: libvirt: QEMU Driver error : Unable to set SELinux label on /var/run/libvirt/qemu/selinux.dev/null: Permission denied
avc denials:
avc: denied { mounton } for pid=11279 comm="libvirtd" path="/run/libvirt/qemu/selinux.dev" dev="tmpfs" ino=4428609 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:svirt_var_run_t:s0 tclass=dir permissive=0
avc: denied { mount } for pid=17844 comm="libvirtd" name="/" dev="tmpfs" ino=4436959 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0
avc: denied { create } for pid=24198 comm="libvirtd" name="null" scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_tmpfs_t:s0 tclass=chr_file permissive=0
avc: denied { relabelfrom } for pid=539 comm="libvirtd" name="null" dev="tmpfs" ino=4452253 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_tmpfs_t:s0 tclass=chr_file permissive=0
policy/modules/contrib/virt.te | 33 +++++++++++++++++++++++++--------
1 file changed, 25 insertions(+), 8 deletions(-)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 1de48461..98d510fd 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -467,8 +467,8 @@ tunable_policy(`virt_use_vfio',`
# virtd local policy
#
-allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setgid setpcap setuid sys_admin sys_nice };
-allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched };
+allow virtd_t self:capability { chown dac_override dac_read_search fowner fsetid ipc_lock kill mknod net_admin net_raw setgid setpcap setuid sys_admin sys_chroot sys_nice sys_ptrace };
+allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setrlimit setsockcreate setsched };
allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
allow virtd_t self:unix_stream_socket { accept connectto listen relabelfrom relabelto };
allow virtd_t self:tcp_socket { accept listen };
@@ -478,7 +478,7 @@ allow virtd_t self:packet_socket create_socket_perms;
allow virtd_t self:netlink_kobject_uevent_socket create_socket_perms;
allow virtd_t self:netlink_route_socket nlmsg_write;
-allow virtd_t virt_domain:process { getattr getsched setsched transition signal signull sigkill };
+allow virtd_t virt_domain:process { getattr getsched setsched transition rlimitinh signal signull sigkill };
dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh };
allow virtd_t { virt_domain svirt_lxc_domain }:unix_stream_socket { create_stream_socket_perms connectto };
@@ -501,6 +501,7 @@ filetrans_pattern(virtd_t, virt_home_t, virt_content_t, dir, "isos")
allow virtd_t virtd_keytab_t:file read_file_perms;
allow virtd_t svirt_var_run_t:file relabel_file_perms;
+allow virtd_t svirt_var_run_t:dir { mounton relabel_dir_perms };
manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
manage_sock_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
@@ -529,9 +530,10 @@ manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type)
allow virtd_t virt_image_type:file relabel_file_perms;
+allow virtd_t virt_image_type:dir { manage_dir_perms relabel_dir_perms };
allow virtd_t virt_image_type:blk_file relabel_blk_file_perms;
allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
-allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
+allow virtd_t virt_image_type:sock_file manage_sock_file_perms;
allow virtd_t virt_ptynode:chr_file rw_term_perms;
@@ -541,7 +543,14 @@ files_tmp_filetrans(virtd_t, virt_tmp_t, { file dir })
manage_dirs_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t)
manage_files_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t)
+manage_lnk_files_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t)
+manage_blk_files_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t)
+manage_chr_files_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t)
+relabel_blk_files_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t)
+relabel_chr_files_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t)
+relabel_lnk_files_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t)
fs_tmpfs_filetrans(virtd_t, virt_tmpfs_t, { file dir })
+allow virtd_t virt_tmpfs_t:dir mounton;
# This needs a file context specification
manage_dirs_pattern(virtd_t, virt_lock_t, virt_lock_t)
@@ -571,7 +580,7 @@ manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
+stream_connect_pattern(virtd_t, { virt_image_type svirt_var_run_t }, { virt_image_type svirt_var_run_t}, virt_domain)
stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t)
stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t)
@@ -620,6 +629,9 @@ dev_rw_mtrr(virtd_t)
dev_rw_vhost(virtd_t)
dev_setattr_generic_usb_dev(virtd_t)
dev_relabel_generic_usb_dev(virtd_t)
+dev_relabel_all_dev_nodes(virtd_t)
+dev_relabel_generic_symlinks(virtd_t)
+dev_mounton(virtd_t)
domain_use_interactive_fds(virtd_t)
domain_read_all_domains_state(virtd_t)
@@ -629,6 +641,7 @@ files_read_etc_runtime_files(virtd_t)
files_search_all(virtd_t)
files_read_kernel_modules(virtd_t)
files_read_usr_src_files(virtd_t)
+files_mounton_root(virtd_t)
# Manages /etc/sysconfig/system-config-firewall
# files_relabelto_system_conf_files(virtd_t)
@@ -643,6 +656,8 @@ fs_manage_cgroup_dirs(virtd_t)
fs_rw_cgroup_files(virtd_t)
fs_manage_hugetlbfs_dirs(virtd_t)
fs_rw_hugetlbfs_files(virtd_t)
+fs_read_nsfs_files(virtd_t)
+fs_mount_tmpfs(virtd_t)
mls_fd_share_all_levels(virtd_t)
mls_file_read_to_clearance(virtd_t)
@@ -713,8 +728,6 @@ tunable_policy(`virt_use_samba',`
tunable_policy(`virt_use_vfio',`
allow virtd_t self:capability sys_resource;
- allow virtd_t self:process setrlimit;
- allow virtd_t svirt_t:process rlimitinh;
dev_relabelfrom_vfio_dev(virtd_t)
')
@@ -1308,6 +1321,10 @@ kernel_dontaudit_read_system_state(virt_leaseshelper_t)
allow virtlockd_t self:capability dac_override;
allow virtlockd_t self:fifo_file rw_fifo_file_perms;
+allow virtlockd_t virtd_t:dir list_dir_perms;
+allow virtlockd_t virtd_t:file read_file_perms;
+allow virtlockd_t virtd_t:lnk_file read_lnk_file_perms;
+
allow virtlockd_t virt_image_type:dir list_dir_perms;
allow virtlockd_t virt_image_type:file rw_file_perms;
@@ -1326,7 +1343,7 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file)
can_exec(virtlockd_t, virtlockd_exec_t)
-ps_process_pattern(virtlockd_t, virtd_t)
+kernel_read_system_state(virtlockd_t)
files_read_etc_files(virtlockd_t)
files_list_var_lib(virtlockd_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-10-31 5:40 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-10-31 5:40 UTC (permalink / raw
To: gentoo-commits
commit: 19c03186a5f4f2ccf705e3ec298521189eb6a1e1
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Tue Oct 31 01:38:58 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Oct 31 05:15:22 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=19c03186
alsa, mon, virt: Module version bump.
policy/modules/contrib/alsa.te | 2 +-
policy/modules/contrib/mon.te | 2 +-
policy/modules/contrib/virt.te | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/policy/modules/contrib/alsa.te b/policy/modules/contrib/alsa.te
index ca72c533..ce97649f 100644
--- a/policy/modules/contrib/alsa.te
+++ b/policy/modules/contrib/alsa.te
@@ -1,4 +1,4 @@
-policy_module(alsa, 1.17.1)
+policy_module(alsa, 1.17.2)
########################################
#
diff --git a/policy/modules/contrib/mon.te b/policy/modules/contrib/mon.te
index b00c0762..ea7cd4c2 100644
--- a/policy/modules/contrib/mon.te
+++ b/policy/modules/contrib/mon.te
@@ -1,4 +1,4 @@
-policy_module(mon, 1.1.2)
+policy_module(mon, 1.1.3)
########################################
#
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 5d7926dd..3759d2d9 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1,4 +1,4 @@
-policy_module(virt, 1.12.0)
+policy_module(virt, 1.12.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-10-31 5:40 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-10-31 5:40 UTC (permalink / raw
To: gentoo-commits
commit: c4f04fef1796b7194b7a4bad2d49a48192a818b5
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Oct 30 09:40:09 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Oct 31 05:15:22 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c4f04fef
alsa: needs to map its tmpfs files
policy/modules/contrib/alsa.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/alsa.te b/policy/modules/contrib/alsa.te
index 3acaa84e..ca72c533 100644
--- a/policy/modules/contrib/alsa.te
+++ b/policy/modules/contrib/alsa.te
@@ -66,7 +66,7 @@ manage_files_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t)
files_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file })
userdom_user_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file })
-allow alsa_t alsa_tmpfs_t:file manage_file_perms;
+allow alsa_t alsa_tmpfs_t:file { manage_file_perms map };
fs_tmpfs_filetrans(alsa_t, alsa_tmpfs_t, file)
manage_dirs_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-10-31 5:40 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-10-31 5:40 UTC (permalink / raw
To: gentoo-commits
commit: db4c09d266e2c1f0537a82f5ff740ab43bde38d9
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Oct 30 06:38:44 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Oct 31 05:15:22 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=db4c09d2
virt: add policy for virtlogd
policy/modules/contrib/virt.fc | 2 ++
policy/modules/contrib/virt.te | 46 ++++++++++++++++++++++++++++++++++++++++++
2 files changed, 48 insertions(+)
diff --git a/policy/modules/contrib/virt.fc b/policy/modules/contrib/virt.fc
index b1f9b1c8..eb5ff0d8 100644
--- a/policy/modules/contrib/virt.fc
+++ b/policy/modules/contrib/virt.fc
@@ -30,6 +30,7 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
/usr/bin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0)
/usr/bin/virsh -- gen_context(system_u:object_r:virsh_exec_t,s0)
/usr/bin/virtlockd -- gen_context(system_u:object_r:virtlockd_exec_t,s0)
+/usr/bin/virtlogd -- gen_context(system_u:object_r:virtlogd_exec_t,s0)
/usr/bin/virt-sandbox-service.* -- gen_context(system_u:object_r:virsh_exec_t,s0)
/usr/sbin/condor_vm-gahp -- gen_context(system_u:object_r:virtd_exec_t,s0)
@@ -37,6 +38,7 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
/usr/sbin/libvirt-qmf -- gen_context(system_u:object_r:virt_qmf_exec_t,s0)
/usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0)
/usr/sbin/virtlockd -- gen_context(system_u:object_r:virtlockd_exec_t,s0)
+/usr/sbin/virtlogd -- gen_context(system_u:object_r:virtlogd_exec_t,s0)
/var/cache/libvirt(/.*)? gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index fce37958..1de48461 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -208,12 +208,21 @@ files_pid_file(virtlockd_run_t)
type virtlockd_var_lib_t;
files_type(virtlockd_var_lib_t)
+type virtlogd_t;
+type virtlogd_exec_t;
+init_daemon_domain(virtlogd_t, virtlogd_exec_t)
+
+type virtlogd_run_t;
+files_pid_file(virtlogd_run_t)
+
ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mcs_systemhigh)
+ init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mcs_systemhigh)
')
ifdef(`enable_mls',`
init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mls_systemhigh)
+ init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mls_systemhigh)
')
########################################
@@ -234,6 +243,9 @@ allow virt_domain virtd_t:fd use;
allow virt_domain virtd_t:fifo_file rw_fifo_file_perms;
allow virt_domain virtd_t:process sigchld;
+allow virt_domain virtlogd_t:fd use;
+allow virt_domain virtlogd_t:fifo_file rw_fifo_file_perms;
+
dontaudit virt_domain virtd_t:unix_stream_socket { read write };
manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
@@ -472,6 +484,9 @@ dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh };
allow virtd_t { virt_domain svirt_lxc_domain }:unix_stream_socket { create_stream_socket_perms connectto };
allow virtd_t svirt_lxc_domain:process signal_perms;
+allow virtd_t virtlogd_t:fd use;
+allow virtd_t virtlogd_t:fifo_file rw_fifo_file_perms;
+
allow virtd_t virtd_lxc_t:process { signal signull sigkill };
domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t)
@@ -558,6 +573,7 @@ filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t)
+stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t)
can_exec(virtd_t, virt_tmp_t)
@@ -1319,3 +1335,33 @@ miscfiles_read_localization(virtlockd_t)
virt_append_log(virtlockd_t)
virt_read_config(virtlockd_t)
+
+########################################
+#
+# Virtlogd local policy
+#
+
+allow virtlogd_t self:fifo_file rw_fifo_file_perms;
+
+allow virtlogd_t virtd_t:dir list_dir_perms;
+allow virtlogd_t virtd_t:file read_file_perms;
+allow virtlogd_t virtd_t:lnk_file read_lnk_file_perms;
+
+manage_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
+manage_sock_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
+filetrans_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t, sock_file)
+files_pid_filetrans(virtlogd_t, virtlogd_run_t, file)
+
+can_exec(virtlogd_t, virtlogd_exec_t)
+
+kernel_read_system_state(virtlogd_t)
+
+files_read_etc_files(virtlogd_t)
+files_list_var_lib(virtlogd_t)
+
+miscfiles_read_localization(virtlogd_t)
+
+sysnet_dns_name_resolve(virtlogd_t)
+
+virt_manage_log(virtlogd_t)
+virt_read_config(virtlogd_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-10-30 15:07 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-10-30 15:07 UTC (permalink / raw
To: gentoo-commits
commit: 53699de58543c87fc116e7ed9fcd3e89555cb890
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Oct 30 07:46:01 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct 30 09:37:46 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=53699de5
rtorrent: session dir fixes and allow exec for post download hooks
policy/modules/contrib/rtorrent.fc | 1 +
policy/modules/contrib/rtorrent.if | 4 ++--
policy/modules/contrib/rtorrent.te | 8 +++++++-
3 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/policy/modules/contrib/rtorrent.fc b/policy/modules/contrib/rtorrent.fc
index fb391dfc..65a77bf0 100644
--- a/policy/modules/contrib/rtorrent.fc
+++ b/policy/modules/contrib/rtorrent.fc
@@ -1,4 +1,5 @@
HOME_DIR/.rtorrent.rc -- gen_context(system_u:object_r:rtorrent_home_t,s0)
HOME_DIR/.rtsession(/.*)? gen_context(system_u:object_r:rtorrent_session_t,s0)
+HOME_DIR/.rtorrent(/.*)? gen_context(system_u:object_r:rtorrent_session_t,s0)
/usr/bin/rtorrent -- gen_context(system_u:object_r:rtorrent_exec_t,s0)
diff --git a/policy/modules/contrib/rtorrent.if b/policy/modules/contrib/rtorrent.if
index 790f8893..8818b654 100644
--- a/policy/modules/contrib/rtorrent.if
+++ b/policy/modules/contrib/rtorrent.if
@@ -28,8 +28,8 @@ interface(`rtorrent_role',`
manage_files_pattern($2, rtorrent_home_t, rtorrent_home_t)
- read_files_pattern($2, rtorrent_session_t, rtorrent_session_t)
- list_dirs_pattern($2, rtorrent_session_t, rtorrent_session_t)
+ manage_files_pattern($2, rtorrent_session_t, rtorrent_session_t)
+ manage_dirs_pattern($2, rtorrent_session_t, rtorrent_session_t)
ps_process_pattern($2, rtorrent_t)
')
diff --git a/policy/modules/contrib/rtorrent.te b/policy/modules/contrib/rtorrent.te
index bf12b0c0..e7f7c354 100644
--- a/policy/modules/contrib/rtorrent.te
+++ b/policy/modules/contrib/rtorrent.te
@@ -54,10 +54,15 @@ corenet_tcp_sendrecv_all_ports(rtorrent_t)
domain_use_interactive_fds(rtorrent_t)
files_list_home(rtorrent_t)
+files_list_tmp(rtorrent_t)
+files_list_var(rtorrent_t)
files_read_etc_files(rtorrent_t)
fs_getattr_xattr_fs(rtorrent_t)
+kernel_read_system_state(rtorrent_t)
+
+miscfiles_read_generic_certs(rtorrent_t)
miscfiles_read_localization(rtorrent_t)
sysnet_read_config(rtorrent_t)
@@ -75,7 +80,8 @@ tunable_policy(`rtorrent_use_dht',`
tunable_policy(`rtorrent_use_rsync',`
allow rtorrent_t self:unix_stream_socket { create connect write read };
- corecmd_search_bin(rtorrent_t)
+ corecmd_exec_bin(rtorrent_t)
+ corecmd_exec_shell(rtorrent_t)
corenet_sendrecv_rsync_client_packets(rtorrent_t)
corenet_tcp_connect_rsync_port(rtorrent_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-10-30 15:07 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-10-30 15:07 UTC (permalink / raw
To: gentoo-commits
commit: ec7d886c63f83a6e50cbe816f255a653c2d8b17c
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Oct 30 07:32:33 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct 30 08:39:42 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ec7d886c
salt: master and minion need to map tmpfs files
policy/modules/contrib/salt.te | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te
index 9a8a4ad8..2eb7b7db 100644
--- a/policy/modules/contrib/salt.te
+++ b/policy/modules/contrib/salt.te
@@ -72,6 +72,9 @@ files_type(salt_minion_pki_t)
type salt_minion_tmp_t;
files_tmp_file(salt_minion_tmp_t)
+type salt_minion_tmpfs_t;
+files_tmpfs_file(salt_minion_tmpfs_t)
+
type salt_minion_var_run_t;
init_daemon_pid_file(salt_minion_var_run_t, file, "salt-minion.pid")
files_pid_file(salt_minion_var_run_t)
@@ -144,7 +147,7 @@ files_tmp_filetrans(salt_master_t, salt_master_tmp_t, { file dir })
can_exec(salt_master_t, salt_master_tmp_t)
# salt_master_tmpfs_t
-allow salt_master_t salt_master_tmpfs_t:file manage_file_perms;
+allow salt_master_t salt_master_tmpfs_t:file { manage_file_perms map };
fs_tmpfs_filetrans(salt_master_t, salt_master_tmpfs_t, file)
# salt_master_var_run_t
@@ -262,6 +265,10 @@ files_tmp_filetrans(salt_minion_t, salt_minion_tmp_t, { file dir })
# libffi, screw you
can_exec(salt_minion_t, salt_minion_tmp_t)
+# salt_minion_tmpfs_t
+allow salt_minion_t salt_minion_tmpfs_t:file { manage_file_perms map };
+fs_tmpfs_filetrans(salt_minion_t, salt_minion_tmpfs_t, file)
+
# salt_minion_var_run_t
allow salt_minion_t salt_minion_var_run_t:file manage_file_perms;
allow salt_minion_t salt_minion_var_run_t:sock_file manage_sock_file_perms;
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-10-30 15:07 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-10-30 15:07 UTC (permalink / raw
To: gentoo-commits
commit: cd4387cc41bcddb622de2bc67738eaa5ceb2c626
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Oct 30 07:39:10 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct 30 08:39:42 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cd4387cc
subsonic: allow lnk files for transcode links
policy/modules/contrib/subsonic.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/subsonic.te b/policy/modules/contrib/subsonic.te
index a64a814c..bc8f80cd 100644
--- a/policy/modules/contrib/subsonic.te
+++ b/policy/modules/contrib/subsonic.te
@@ -32,6 +32,7 @@ files_pid_filetrans(subsonic_t, subsonic_run_t, dir)
manage_dirs_pattern(subsonic_t, subsonic_var_lib_t, subsonic_var_lib_t)
manage_files_pattern(subsonic_t, subsonic_var_lib_t, subsonic_var_lib_t)
+allow subsonic_t subsonic_var_lib_t:lnk_file manage_lnk_file_perms;
files_var_lib_filetrans(subsonic_t, subsonic_var_lib_t, dir)
corecmd_exec_bin(subsonic_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-10-29 20:42 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-10-29 20:42 UTC (permalink / raw
To: gentoo-commits
commit: c988737ef7f93819a734d799b1b36e4eb5e3f0ee
Author: Amadeusz Sławiński <amade <AT> asmblr <DOT> net>
AuthorDate: Tue Oct 17 21:25:45 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Oct 29 13:57:28 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c988737e
allow dac_read_search along with dac_override
newer kernels check dac_read_search first and then for more permissions
which are allowed by dac_override
Signed-off-by: Amadeusz Sławiński <amade <AT> asmblr.net>
policy/modules/contrib/portage.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/portage.if b/policy/modules/contrib/portage.if
index 637b0d0d..a81a4d0d 100644
--- a/policy/modules/contrib/portage.if
+++ b/policy/modules/contrib/portage.if
@@ -72,7 +72,7 @@ interface(`portage_compile_domain',`
type portage_tmp_t, portage_tmpfs_t;
')
- allow $1 self:capability { chown dac_override fowner fsetid mknod net_raw setgid setuid };
+ allow $1 self:capability { chown dac_override dac_read_search fowner fsetid mknod net_raw setgid setuid };
dontaudit $1 self:capability sys_chroot;
allow $1 self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh setrlimit rlimitinh dyntransition execmem setkeycreate setsockcreate getrlimit };
allow $1 self:fd use;
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-10-29 20:42 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-10-29 20:42 UTC (permalink / raw
To: gentoo-commits
commit: 3e79b102bdd4d366b25dc30190100f303c1bdae9
Author: Amadeusz Sławiński <amade <AT> asmblr <DOT> net>
AuthorDate: Wed Oct 18 10:38:25 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Oct 29 13:57:28 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3e79b102
elinks can reuse links policy
Signed-off-by: Amadeusz Sławiński <amade <AT> asmblr.net>
policy/modules/contrib/links.fc | 3 +++
1 file changed, 3 insertions(+)
diff --git a/policy/modules/contrib/links.fc b/policy/modules/contrib/links.fc
index d973b307..1bf9f543 100644
--- a/policy/modules/contrib/links.fc
+++ b/policy/modules/contrib/links.fc
@@ -1,2 +1,5 @@
/usr/bin/links -- gen_context(system_u:object_r:links_exec_t,s0)
HOME_DIR/\.links(/.*)? gen_context(system_u:object_r:links_home_t,s0)
+
+/usr/bin/elinks -- gen_context(system_u:object_r:links_exec_t,s0)
+HOME_DIR/\.elinks(/.*)? gen_context(system_u:object_r:links_home_t,s0)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-10-29 20:42 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-10-29 20:42 UTC (permalink / raw
To: gentoo-commits
commit: 34d4b8c35425a73e8b372a6f64862baa8e254e8b
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Oct 29 20:37:09 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Oct 29 20:38:24 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=34d4b8c3
rtorrent: allow map session files
policy/modules/contrib/rtorrent.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/rtorrent.te b/policy/modules/contrib/rtorrent.te
index 746b5f5f..bf12b0c0 100644
--- a/policy/modules/contrib/rtorrent.te
+++ b/policy/modules/contrib/rtorrent.te
@@ -44,6 +44,7 @@ read_files_pattern(rtorrent_t, rtorrent_home_t, rtorrent_home_t)
manage_dirs_pattern(rtorrent_t, rtorrent_session_t, rtorrent_session_t)
manage_files_pattern(rtorrent_t, rtorrent_session_t, rtorrent_session_t)
+allow rtorrent_t rtorrent_session_t:file map;
corenet_tcp_bind_generic_node(rtorrent_t)
corenet_tcp_bind_rtorrent_port(rtorrent_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-10-29 20:42 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-10-29 20:42 UTC (permalink / raw
To: gentoo-commits
commit: 35dd9ad44e3ebda3311fce8b2f29cbb922c4f05d
Author: Amadeusz Sławiński <amade <AT> asmblr <DOT> net>
AuthorDate: Wed Oct 18 10:46:33 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Oct 29 13:57:28 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=35dd9ad4
allow links to validate certificates
Signed-off-by: Amadeusz Sławiński <amade <AT> asmblr.net>
policy/modules/contrib/links.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/links.te b/policy/modules/contrib/links.te
index a36703f2..9ef2dd0c 100644
--- a/policy/modules/contrib/links.te
+++ b/policy/modules/contrib/links.te
@@ -45,7 +45,6 @@ manage_fifo_files_pattern(links_t, links_tmpfs_t, links_tmpfs_t)
manage_sock_files_pattern(links_t, links_tmpfs_t, links_tmpfs_t)
fs_tmpfs_filetrans(links_t, links_tmpfs_t, { file lnk_file sock_file fifo_file })
-
domain_use_interactive_fds(links_t)
auth_use_nsswitch(links_t)
@@ -54,6 +53,7 @@ userdom_use_user_terminals(links_t)
corenet_tcp_connect_http_port(links_t)
+miscfiles_read_all_certs(links_t)
miscfiles_read_localization(links_t)
tunable_policy(`links_manage_user_files',`
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-10-29 20:42 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-10-29 20:42 UTC (permalink / raw
To: gentoo-commits
commit: a0fdf53ebd17756a85e551a25a99acfd64c9fdd6
Author: Amadeusz Sławiński <amade <AT> asmblr <DOT> net>
AuthorDate: Wed Oct 18 08:42:26 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Oct 29 13:57:28 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a0fdf53e
allow dac_read_search for portage_fetch_t
it already has dac_override allowed, so it just quiets denial
Signed-off-by: Amadeusz Sławiński <amade <AT> asmblr.net>
policy/modules/contrib/portage.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/portage.te b/policy/modules/contrib/portage.te
index 5d58b326..5905d4dc 100644
--- a/policy/modules/contrib/portage.te
+++ b/policy/modules/contrib/portage.te
@@ -251,7 +251,7 @@ dontaudit portage_t device_type:blk_file read_blk_file_perms;
#
allow portage_fetch_t self:process signal;
-allow portage_fetch_t self:capability { chown dac_override fowner fsetid };
+allow portage_fetch_t self:capability { chown dac_read_search dac_override fowner fsetid };
allow portage_fetch_t self:fifo_file rw_fifo_file_perms;
allow portage_fetch_t self:tcp_socket { accept listen };
allow portage_fetch_t self:unix_stream_socket create_socket_perms;
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-10-29 20:42 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-10-29 20:42 UTC (permalink / raw
To: gentoo-commits
commit: 34a5c9f83485ba36ea21940a6ecc3932636f51f3
Author: Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Wed Oct 25 00:37:05 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Oct 29 13:57:28 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=34a5c9f8
portage: Allow portage compile domains to map portage_tmpfs_t files
This is required by a python script in the firefox build system.
Bug: https://bugs.gentoo.org/635384
policy/modules/contrib/portage.if | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/portage.if b/policy/modules/contrib/portage.if
index 6388110e..637b0d0d 100644
--- a/policy/modules/contrib/portage.if
+++ b/policy/modules/contrib/portage.if
@@ -124,6 +124,7 @@ interface(`portage_compile_domain',`
manage_lnk_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t)
manage_fifo_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t)
manage_sock_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t)
+ allow $1 portage_tmpfs_t:file map;
fs_tmpfs_filetrans($1, portage_tmpfs_t, { dir file lnk_file sock_file fifo_file })
kernel_read_system_state($1)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-10-29 20:42 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-10-29 20:42 UTC (permalink / raw
To: gentoo-commits
commit: 09ae324ada3f3abee00abf15a5c902f2c33b9f99
Author: Amadeusz Sławiński <amade <AT> asmblr <DOT> net>
AuthorDate: Tue Oct 17 20:48:42 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Oct 29 13:57:28 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=09ae324a
allow tor to map tor_var_lib_t files
Signed-off-by: Amadeusz Sławiński <amade <AT> asmblr.net>
policy/modules/contrib/tor.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/tor.te b/policy/modules/contrib/tor.te
index 51de8fd1..990ea8c4 100644
--- a/policy/modules/contrib/tor.te
+++ b/policy/modules/contrib/tor.te
@@ -55,6 +55,7 @@ allow tor_t tor_etc_t:lnk_file read_lnk_file_perms;
manage_dirs_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
manage_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
+allow tor_t tor_var_lib_t:file map;
manage_sock_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
files_var_lib_filetrans(tor_t, tor_var_lib_t, dir)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-09-17 4:21 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-09-17 4:21 UTC (permalink / raw
To: gentoo-commits
commit: 7cbbfd7a20f904db1c3b0611022f211b3d51aaff
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Sep 10 12:56:26 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep 17 03:25:22 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7cbbfd7a
pulseaudio: Add neccessary map permissions
policy/modules/contrib/pulseaudio.if | 2 +-
policy/modules/contrib/pulseaudio.te | 5 ++++-
2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/pulseaudio.if b/policy/modules/contrib/pulseaudio.if
index 921e519c..3073fd4a 100644
--- a/policy/modules/contrib/pulseaudio.if
+++ b/policy/modules/contrib/pulseaudio.if
@@ -33,7 +33,7 @@ interface(`pulseaudio_role',`
allow $2 pulseaudio_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:dir { manage_dir_perms relabel_dir_perms };
- allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:file { manage_file_perms relabel_file_perms };
+ allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:file { manage_file_perms relabel_file_perms map };
allow $2 pulseaudio_tmp_t:dir { manage_dir_perms relabel_dir_perms };
allow $2 pulseaudio_tmp_t:file { manage_file_perms relabel_file_perms };
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index b4154208..4dcc776f 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -54,7 +54,7 @@ allow pulseaudio_t self:tcp_socket { accept listen };
allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms;
allow pulseaudio_t pulseaudio_home_t:dir manage_dir_perms;
-allow pulseaudio_t pulseaudio_home_t:file manage_file_perms;
+allow pulseaudio_t pulseaudio_home_t:file { manage_file_perms map };
allow pulseaudio_t pulseaudio_home_t:lnk_file manage_lnk_file_perms;
userdom_user_home_dir_filetrans(pulseaudio_t, pulseaudio_home_t, dir, ".pulse")
@@ -73,6 +73,7 @@ userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, sock_file, "native")
manage_dirs_pattern(pulseaudio_t, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t)
manage_files_pattern(pulseaudio_t, pulseaudio_tmpfs_t, { pulseaudio_tmpfs_t pulseaudio_tmpfsfile })
+allow pulseaudio_t { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:file map;
fs_tmpfs_filetrans(pulseaudio_t, pulseaudio_tmpfs_t, { dir file })
manage_dirs_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
@@ -138,6 +139,7 @@ logging_send_syslog_msg(pulseaudio_t)
miscfiles_read_localization(pulseaudio_t)
userdom_read_user_tmpfs_files(pulseaudio_t)
+userdom_map_user_tmpfs_files(pulseaudio_t)
userdom_delete_user_tmpfs_files(pulseaudio_t)
userdom_search_user_home_dirs(pulseaudio_t)
userdom_search_user_home_content(pulseaudio_t)
@@ -238,6 +240,7 @@ allow pulseaudio_client pulseaudio_tmp_t:file manage_file_perms;
allow pulseaudio_client pulseaudio_tmp_t:sock_file manage_sock_file_perms;
rw_files_pattern(pulseaudio_client, { pulseaudio_tmpfsfile pulseaudio_tmpfs_t }, { pulseaudio_tmpfsfile pulseaudio_tmpfs_t })
+allow pulseaudio_client pulseaudio_tmpfs_t:file map;
delete_files_pattern(pulseaudio_client, pulseaudio_tmpfsfile, pulseaudio_tmpfsfile)
fs_getattr_tmpfs(pulseaudio_client)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-09-17 4:21 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-09-17 4:21 UTC (permalink / raw
To: gentoo-commits
commit: c1b3210166bf5ffc97bbc5f2e59367ebe2f68876
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Sep 16 17:29:38 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep 17 03:25:22 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c1b32101
gpg, pulseaudio, rpc: Module version bump.
policy/modules/contrib/gpg.te | 2 +-
policy/modules/contrib/pulseaudio.te | 2 +-
policy/modules/contrib/rpc.te | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index a235627e..048ff0f0 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -1,4 +1,4 @@
-policy_module(gpg, 2.12.0)
+policy_module(gpg, 2.12.1)
########################################
#
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index 4dcc776f..7bf49fb5 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -1,4 +1,4 @@
-policy_module(pulseaudio, 1.10.0)
+policy_module(pulseaudio, 1.10.1)
########################################
#
diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
index 970e5b31..9fcbce2f 100644
--- a/policy/modules/contrib/rpc.te
+++ b/policy/modules/contrib/rpc.te
@@ -1,4 +1,4 @@
-policy_module(rpc, 1.20.0)
+policy_module(rpc, 1.20.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-09-17 4:21 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-09-17 4:21 UTC (permalink / raw
To: gentoo-commits
commit: e18120024faf4b04bba1a291f78a57f61d6f9ba9
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Thu Sep 14 21:20:36 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep 17 03:23:43 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e1812002
dphysswapfile: Module version bump.
policy/modules/contrib/dphysswapfile.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/dphysswapfile.te b/policy/modules/contrib/dphysswapfile.te
index 4bfe7826..26132dd8 100644
--- a/policy/modules/contrib/dphysswapfile.te
+++ b/policy/modules/contrib/dphysswapfile.te
@@ -1,4 +1,4 @@
-policy_module(dphysswapfile, 1.1.0)
+policy_module(dphysswapfile, 1.1.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-09-17 4:21 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-09-17 4:21 UTC (permalink / raw
To: gentoo-commits
commit: cdc58022a0b11cea7084de37e62a17f743b320d3
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Fri Sep 15 07:03:12 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep 17 03:25:22 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cdc58022
gpg: add fcontexts for user runtime sockets
Without this, restorecon relabels them and the agent connection breaks
policy/modules/contrib/gpg.fc | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/contrib/gpg.fc b/policy/modules/contrib/gpg.fc
index c2c1236d..c9362398 100644
--- a/policy/modules/contrib/gpg.fc
+++ b/policy/modules/contrib/gpg.fc
@@ -12,3 +12,5 @@ HOME_DIR/\.gnupg/S\.scdaemon -s gen_context(system_u:object_r:gpg_agent_tmp_t,s
/usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0)
/run/user/%{USERID}/gnupg(/.*)? gen_context(system_u:object_r:gpg_runtime_t,s0)
+/run/user/%{USERID}/gnupg/S\.gpg-agent.* -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
+/run/user/%{USERID}/gnupg/S\.scdaemon -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-09-17 4:21 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-09-17 4:21 UTC (permalink / raw
To: gentoo-commits
commit: 33e05534acddbd2fee61e5dd45cec0ee32ed1183
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Fri Sep 15 07:11:38 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep 17 03:25:22 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=33e05534
rpc: add sm-notify pid fcontext
policy/modules/contrib/rpc.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/rpc.fc b/policy/modules/contrib/rpc.fc
index 6674a53e..6dfd4516 100644
--- a/policy/modules/contrib/rpc.fc
+++ b/policy/modules/contrib/rpc.fc
@@ -29,3 +29,4 @@
/run/rpc\.statd(/.*)? gen_context(system_u:object_r:rpcd_var_run_t,s0)
/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0)
+/run/sm-notify\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-09-17 4:21 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-09-17 4:21 UTC (permalink / raw
To: gentoo-commits
commit: 56dd0a71e0ed5a64b1a35987cb1b296e97dd38ea
Author: Christian Göttsche <cgzones <AT> googlemail <DOT> com>
AuthorDate: Thu Sep 14 11:47:48 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep 17 03:23:43 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=56dd0a71
dphysswapfile: fix swapfile creation
Currently the policy only works when the swapfile already exists.
During creation swapfile_t is hard coded in `mkswap` and needs to be used.
v2:
move swapfile file context into fstools module
policy/modules/contrib/dphysswapfile.fc | 6 +++---
policy/modules/contrib/dphysswapfile.if | 6 ++++--
policy/modules/contrib/dphysswapfile.te | 14 +++++++++++++-
3 files changed, 20 insertions(+), 6 deletions(-)
diff --git a/policy/modules/contrib/dphysswapfile.fc b/policy/modules/contrib/dphysswapfile.fc
index 70b0ee3a..dd8ab602 100644
--- a/policy/modules/contrib/dphysswapfile.fc
+++ b/policy/modules/contrib/dphysswapfile.fc
@@ -2,8 +2,8 @@
/etc/rc\.d/init\.d/dphys-swapfile -- gen_context(system_u:object_r:dphysswapfile_initrc_exec_t,s0)
-/usr/bin/dphys-swapfile -- gen_context(system_u:object_r:dphysswapfile_exec_t,s0)
+/usr/bin/dphys-swapfile -- gen_context(system_u:object_r:dphysswapfile_exec_t,s0)
-/usr/sbin/dphys-swapfile -- gen_context(system_u:object_r:dphysswapfile_exec_t,s0)
+/usr/lib/systemd/system/dphys-swapfile\.service -- gen_context(system_u:object_r:dphysswapfile_unit_t,s0)
-/var/swap -- gen_context(system_u:object_r:dphysswapfile_swap_t,s0)
+/usr/sbin/dphys-swapfile -- gen_context(system_u:object_r:dphysswapfile_exec_t,s0)
diff --git a/policy/modules/contrib/dphysswapfile.if b/policy/modules/contrib/dphysswapfile.if
index 7dda9553..c39464e4 100644
--- a/policy/modules/contrib/dphysswapfile.if
+++ b/policy/modules/contrib/dphysswapfile.if
@@ -11,6 +11,8 @@
## </param>
#
interface(`dphysswapfile_dontaudit_read_swap',`
+ refpolicywarn(`$0($*) has been deprecated')
+
gen_require(`
type dphysswapfile_swap_t;
')
@@ -38,12 +40,12 @@ interface(`dphysswapfile_dontaudit_read_swap',`
interface(`dphysswapfile_admin',`
gen_require(`
type dphysswapfile_t, dphysswapfile_conf_t;
- type dphysswapfile_initrc_exec_t;
+ type dphysswapfile_initrc_exec_t, dphysswapfile_unit_t;
')
admin_process_pattern($1, dphysswapfile_t)
- init_startstop_service($1, $2, dphysswapfile_t, dphysswapfile_initrc_exec_t)
+ init_startstop_service($1, $2, dphysswapfile_t, dphysswapfile_initrc_exec_t, dphysswapfile_unit_t)
files_search_etc($1)
admin_pattern($1, dphysswapfile_conf_t)
diff --git a/policy/modules/contrib/dphysswapfile.te b/policy/modules/contrib/dphysswapfile.te
index dfd04e32..4bfe7826 100644
--- a/policy/modules/contrib/dphysswapfile.te
+++ b/policy/modules/contrib/dphysswapfile.te
@@ -18,6 +18,9 @@ init_script_file(dphysswapfile_initrc_exec_t)
type dphysswapfile_swap_t;
files_type(dphysswapfile_swap_t)
+type dphysswapfile_unit_t;
+init_unit_file(dphysswapfile_unit_t)
+
########################################
#
# Policy
@@ -32,20 +35,29 @@ allow dphysswapfile_t dphysswapfile_conf_t:file read_file_perms;
allow dphysswapfile_t dphysswapfile_exec_t:file execute_no_trans;
-allow dphysswapfile_t dphysswapfile_swap_t:file manage_file_perms;
+allow dphysswapfile_t dphysswapfile_swap_t:file { manage_file_perms relabelfrom };
kernel_read_system_state(dphysswapfile_t)
corecmd_exec_bin(dphysswapfile_t)
corecmd_exec_shell(dphysswapfile_t)
+dev_read_rand(dphysswapfile_t)
+dev_read_urand(dphysswapfile_t)
+
# ignore ls -l /var/swap noise
files_dontaudit_getattr_pid_dirs(dphysswapfile_t)
files_read_etc_files(dphysswapfile_t)
files_search_var(dphysswapfile_t)
+files_var_filetrans(dphysswapfile_t, dphysswapfile_swap_t, file)
fstools_exec(dphysswapfile_t)
+# swapfile_t is hardcoded in mkswap
+fstools_manage_swap_files(dphysswapfile_t)
+fstools_relabelto_swap_files(dphysswapfile_t)
miscfiles_read_localization(dphysswapfile_t)
+storage_getattr_removable_dev(dphysswapfile_t)
+
userdom_dontaudit_search_user_home_dirs(dphysswapfile_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-09-15 17:19 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-09-15 17:19 UTC (permalink / raw
To: gentoo-commits
commit: e544807b2603f481a895a630a28e25fe4f350b38
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Fri Sep 15 02:45:27 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Sep 15 05:33:37 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e544807b
chromium: allow mapping own types
policy/modules/contrib/chromium.if | 4 ++++
policy/modules/contrib/chromium.te | 3 +++
2 files changed, 7 insertions(+)
diff --git a/policy/modules/contrib/chromium.if b/policy/modules/contrib/chromium.if
index 3f9301b7..26eb0259 100644
--- a/policy/modules/contrib/chromium.if
+++ b/policy/modules/contrib/chromium.if
@@ -45,6 +45,7 @@ interface(`chromium_role',`
allow chromium_sandbox_t $2:fd use;
allow chromium_naclhelper_t $2:fd use;
')
+
#######################################
## <summary>
## Read-write access to Chromiums' temporary fifo files
@@ -62,6 +63,7 @@ interface(`chromium_rw_tmp_pipes',`
rw_fifo_files_pattern($1, chromium_tmp_t, chromium_tmp_t)
')
+
##############################################
## <summary>
## Automatically use the specified type for resources created in chromium's
@@ -91,6 +93,7 @@ interface(`chromium_tmp_filetrans',`
search_dirs_pattern($1, chromium_tmp_t, chromium_tmp_t)
filetrans_pattern($1, chromium_tmp_t, $2, $3, $4)
')
+
#######################################
## <summary>
## Execute a domain transition to the chromium domain (chromium_t)
@@ -110,6 +113,7 @@ interface(`chromium_domtrans',`
corecmd_search_bin($1)
domtrans_pattern($1, chromium_exec_t, chromium_t)
')
+
#######################################
## <summary>
## Execute chromium in the chromium domain and allow the specified role to access the chromium domain
diff --git a/policy/modules/contrib/chromium.te b/policy/modules/contrib/chromium.te
index a4fba97c..76f2583a 100644
--- a/policy/modules/contrib/chromium.te
+++ b/policy/modules/contrib/chromium.te
@@ -113,6 +113,7 @@ allow chromium_t chromium_naclhelper_t:process { share };
# tmp has a wide class access (used for plugins)
manage_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
+allow chromium_t chromium_tmp_t:file map;
manage_dirs_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
manage_lnk_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
manage_sock_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
@@ -120,10 +121,12 @@ manage_fifo_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
files_tmp_filetrans(chromium_t, chromium_tmp_t, { file dir sock_file })
manage_files_pattern(chromium_t, chromium_tmpfs_t, chromium_tmpfs_t)
+allow chromium_t chromium_tmpfs_t:file map;
fs_tmpfs_filetrans(chromium_t, chromium_tmpfs_t, file)
fs_tmpfs_filetrans(chromium_renderer_t, chromium_tmpfs_t, file)
manage_files_pattern(chromium_t, chromium_xdg_config_t, chromium_xdg_config_t)
+allow chromium_t chromium_xdg_config_t:file map;
manage_lnk_files_pattern(chromium_t, chromium_xdg_config_t, chromium_xdg_config_t)
manage_dirs_pattern(chromium_t, chromium_xdg_config_t, chromium_xdg_config_t)
xdg_config_home_filetrans(chromium_t, chromium_xdg_config_t, dir, "chromium")
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-09-15 3:42 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-09-15 3:42 UTC (permalink / raw
To: gentoo-commits
commit: 59aea5a7886d7d1a1d975048b9f0478dca29ad81
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Thu Sep 14 00:00:28 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Sep 14 19:34:45 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=59aea5a7
spamassassin: Add missing requirement in spamassassin_admin().
policy/modules/contrib/spamassassin.if | 2 +-
policy/modules/contrib/spamassassin.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/spamassassin.if b/policy/modules/contrib/spamassassin.if
index 9d835e6e..75550eec 100644
--- a/policy/modules/contrib/spamassassin.if
+++ b/policy/modules/contrib/spamassassin.if
@@ -405,7 +405,7 @@ interface(`spamassassin_admin',`
type spamd_t, spamd_tmp_t, spamd_log_t;
type spamd_spool_t, spamd_var_lib_t, spamd_var_run_t;
type spamd_initrc_exec_t, spamassassin_unit_t;
- type spamd_gpg_t, spamd_update_t;
+ type spamd_gpg_t, spamd_update_t, spamd_update_tmp_t;
')
admin_process_pattern($1, { spamd_t spamd_gpg_t spamd_update_t })
diff --git a/policy/modules/contrib/spamassassin.te b/policy/modules/contrib/spamassassin.te
index 2e6cc9ef..9bc81030 100644
--- a/policy/modules/contrib/spamassassin.te
+++ b/policy/modules/contrib/spamassassin.te
@@ -1,4 +1,4 @@
-policy_module(spamassassin, 2.11.3)
+policy_module(spamassassin, 2.11.4)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-09-15 3:42 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-09-15 3:42 UTC (permalink / raw
To: gentoo-commits
commit: e8cb49a7372634a8cadf4b765b6e7dad53c5acb2
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Sep 13 23:37:53 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Sep 14 19:34:45 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e8cb49a7
spamassassin: Fix build error.
Remove nonexistant interface references.
policy/modules/contrib/spamassassin.te | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/policy/modules/contrib/spamassassin.te b/policy/modules/contrib/spamassassin.te
index d8aa47a1..2e6cc9ef 100644
--- a/policy/modules/contrib/spamassassin.te
+++ b/policy/modules/contrib/spamassassin.te
@@ -1,4 +1,4 @@
-policy_module(spamassassin, 2.11.2)
+policy_module(spamassassin, 2.11.3)
########################################
#
@@ -553,9 +553,6 @@ optional_policy(`
allow spamd_gpg_t spamd_var_lib_t:file rw_file_perms;
allow spamd_gpg_t spamd_update_tmp_t:file read_file_perms;
- # fips
- kernel_search_crypto_sysctls(spamd_gpg_t)
-
domain_use_interactive_fds(spamd_gpg_t)
files_read_etc_files(spamd_gpg_t)
@@ -565,7 +562,6 @@ optional_policy(`
files_search_tmp(spamd_gpg_t)
init_use_fds(spamd_gpg_t)
- init_rw_inherited_stream_socket(spamd_gpg_t)
miscfiles_read_localization(spamd_gpg_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-09-15 3:42 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-09-15 3:42 UTC (permalink / raw
To: gentoo-commits
commit: 8bfaafbdc8b78591c80c31a16ee2475fb7170c63
Author: Christian Göttsche <cgzones <AT> googlemail <DOT> com>
AuthorDate: Tue Sep 12 09:54:23 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Sep 14 19:34:44 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8bfaafbd
fakehwclock: update
- add initrc filecontext
- deprecate domtrans/run interface in favor of new admin interface
v2:
- deprecate interfaces instead of dropping
policy/modules/contrib/fakehwclock.fc | 6 ++++--
policy/modules/contrib/fakehwclock.if | 34 ++++++++++++++++++++++++++++++++++
policy/modules/contrib/fakehwclock.te | 3 +++
3 files changed, 41 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/fakehwclock.fc b/policy/modules/contrib/fakehwclock.fc
index 0ab3bd87..85ea9317 100644
--- a/policy/modules/contrib/fakehwclock.fc
+++ b/policy/modules/contrib/fakehwclock.fc
@@ -1,7 +1,9 @@
/etc/fake-hwclock\.data -- gen_context(system_u:object_r:fakehwclock_backup_t,s0)
-/usr/bin/fake-hwclock -- gen_context(system_u:object_r:fakehwclock_exec_t,s0)
+/etc/rc\.d/init\.d/fake-hwclock -- gen_context(system_u:object_r:fakehwclock_initrc_exec_t,s0)
-/usr/sbin/fake-hwclock -- gen_context(system_u:object_r:fakehwclock_exec_t,s0)
+/usr/bin/fake-hwclock -- gen_context(system_u:object_r:fakehwclock_exec_t,s0)
/usr/lib/systemd/system/fake-hwclock\.service -- gen_context(system_u:object_r:fakehwclock_unit_t,s0)
+
+/usr/sbin/fake-hwclock -- gen_context(system_u:object_r:fakehwclock_exec_t,s0)
diff --git a/policy/modules/contrib/fakehwclock.if b/policy/modules/contrib/fakehwclock.if
index 24cc7d1f..3e5afb14 100644
--- a/policy/modules/contrib/fakehwclock.if
+++ b/policy/modules/contrib/fakehwclock.if
@@ -11,6 +11,8 @@
## </param>
#
interface(`fakehwclock_domtrans',`
+ refpolicywarn(`$0($*) has been deprecated')
+
gen_require(`
type fakehwclock_t, fakehwclock_exec_t;
')
@@ -37,6 +39,8 @@ interface(`fakehwclock_domtrans',`
## </param>
#
interface(`fakehwclock_run',`
+ refpolicywarn(`$0($*) has been deprecated')
+
gen_require(`
attribute_role fakehwclock_roles;
')
@@ -44,3 +48,33 @@ interface(`fakehwclock_run',`
fakehwclock_domtrans($1)
roleattribute $2 fakehwclock_roles;
')
+
+########################################
+## <summary>
+## All the rules required to
+## administrate an fake-hwclock environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`fakehwclock_admin',`
+ gen_require(`
+ type fakehwclock_t, fakehwclock_exec_t, fakehwclock_backup_t;
+ type fakehwclock_initrc_exec_t, fakehwclock_unit_t;
+ ')
+
+ admin_process_pattern($1, fakehwclock_t)
+
+ init_startstop_service($1, $2, fakehwclock_t, fakehwclock_initrc_exec_t, fakehwclock_unit_t)
+
+ files_search_etc($1)
+ admin_pattern($1, fakehwclock_backup_t)
+')
diff --git a/policy/modules/contrib/fakehwclock.te b/policy/modules/contrib/fakehwclock.te
index 0a896a38..20bc5a01 100644
--- a/policy/modules/contrib/fakehwclock.te
+++ b/policy/modules/contrib/fakehwclock.te
@@ -15,6 +15,9 @@ role fakehwclock_roles types fakehwclock_t;
type fakehwclock_backup_t;
files_type(fakehwclock_backup_t)
+type fakehwclock_initrc_exec_t;
+init_script_file(fakehwclock_initrc_exec_t)
+
type fakehwclock_unit_t;
init_unit_file(fakehwclock_unit_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-09-15 3:42 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-09-15 3:42 UTC (permalink / raw
To: gentoo-commits
commit: 8f768d7696d74a197b524d4d9a61053e050fb250
Author: Christian Göttsche <cgzones <AT> googlemail <DOT> com>
AuthorDate: Wed Sep 13 08:23:14 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Sep 14 19:34:45 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8f768d76
spamassassin: update
- add filecontexts
- review admin interfaces
- enhance sa-update policy
v2:
- drop list -> search changes in admin interface
- use run instead of role interface for spamd_update
- drop runtime_t rename
- drop alias removal
v3:
- fix 21 spelling
- fix order of auth_ interfaces
policy/modules/contrib/spamassassin.fc | 8 +++-
policy/modules/contrib/spamassassin.if | 43 ++++++++++++++---
policy/modules/contrib/spamassassin.te | 87 ++++++++++++++++++++++++----------
3 files changed, 105 insertions(+), 33 deletions(-)
diff --git a/policy/modules/contrib/spamassassin.fc b/policy/modules/contrib/spamassassin.fc
index 18fa75f8..a8b3c019 100644
--- a/policy/modules/contrib/spamassassin.fc
+++ b/policy/modules/contrib/spamassassin.fc
@@ -1,6 +1,7 @@
HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,s0)
HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:spamd_home_t,s0)
+/etc/rc\.d/init\.d/spamassassin -- gen_context(system_u:object_r:spamassassin_initrc_exec_t,s0)
/etc/rc\.d/init\.d/spamd -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
/etc/rc\.d/init\.d/spampd -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
/etc/rc\.d/init\.d/mimedefang.* -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
@@ -17,14 +18,19 @@ HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:spamd_home_t,s0)
/usr/sbin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0)
/usr/sbin/spampd -- gen_context(system_u:object_r:spamd_exec_t,s0)
+/usr/lib/systemd/system/spamassassin\.service -- gen_context(system_u:object_r:spamassassin_unit_t,s0)
+
/var/lib/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0)
/var/lib/spamassassin/compiled(/.*)? gen_context(system_u:object_r:spamd_compiled_t,s0)
/var/log/spamd\.log.* -- gen_context(system_u:object_r:spamd_log_t,s0)
/var/log/mimedefang.* -- gen_context(system_u:object_r:spamd_log_t,s0)
+/var/vmail/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,s0)
+
/run/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
-/run/spamassassin\.pid gen_context(system_u:object_r:spamd_var_run_t,s0)
+/run/spamassassin\.pid -- gen_context(system_u:object_r:spamd_var_run_t,s0)
+/run/spamd\.pid -- gen_context(system_u:object_r:spamd_var_run_t,s0)
/var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
/var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
diff --git a/policy/modules/contrib/spamassassin.if b/policy/modules/contrib/spamassassin.if
index e915b5f9..9d835e6e 100644
--- a/policy/modules/contrib/spamassassin.if
+++ b/policy/modules/contrib/spamassassin.if
@@ -27,8 +27,7 @@ interface(`spamassassin_role',`
domtrans_pattern($2, spamassassin_exec_t, spamassassin_t)
domtrans_pattern($2, spamc_exec_t, spamc_t)
- allow $2 { spamc_t spamassassin_t}:process { ptrace signal_perms };
- ps_process_pattern($2, { spamc_t spamassassin_t })
+ admin_process_pattern($2, { spamc_t spamassassin_t })
allow $2 { spamc_tmp_t spamd_home_t spamassassin_home_t spamassassin_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
allow $2 { spamc_tmp_t spamd_home_t spamassassin_home_t spamassassin_tmp_t }:file { manage_file_perms relabel_file_perms };
@@ -39,6 +38,33 @@ interface(`spamassassin_role',`
########################################
## <summary>
+## Execute sa-update in the spamd-update domain,
+## and allow the specified role
+## the spamd-update domain. Also allow transitive
+## access to the private gpg domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`spamassassin_run_update',`
+ gen_require(`
+ type spamd_gpg_t, spamd_update_exec_t, spamd_update_t;
+ ')
+
+ role $2 types { spamd_gpg_t spamd_update_t };
+ domtrans_pattern($1, spamd_update_exec_t, spamd_update_t)
+')
+
+########################################
+## <summary>
## Execute the standalone spamassassin
## program in the caller directory.
## </summary>
@@ -378,16 +404,16 @@ interface(`spamassassin_admin',`
gen_require(`
type spamd_t, spamd_tmp_t, spamd_log_t;
type spamd_spool_t, spamd_var_lib_t, spamd_var_run_t;
- type spamd_initrc_exec_t;
+ type spamd_initrc_exec_t, spamassassin_unit_t;
+ type spamd_gpg_t, spamd_update_t;
')
- allow $1 spamd_t:process { ptrace signal_perms };
- ps_process_pattern($1, spamd_t)
+ admin_process_pattern($1, { spamd_t spamd_gpg_t spamd_update_t })
- init_startstop_service($1, $2, spamd_t, spamd_initrc_exec_t)
+ init_startstop_service($1, $2, spamd_t, spamd_initrc_exec_t, spamassassin_unit_t)
files_list_tmp($1)
- admin_pattern($1, spamd_tmp_t)
+ admin_pattern($1, { spamd_tmp_t spamd_update_tmp_t })
logging_list_logs($1)
admin_pattern($1, spamd_log_t)
@@ -403,4 +429,7 @@ interface(`spamassassin_admin',`
# This makes it impossible to apply _admin if _role has already been applied
#spamassassin_role($2, $1)
+
+ # sa-update
+ spamassassin_run_update($1, $2)
')
diff --git a/policy/modules/contrib/spamassassin.te b/policy/modules/contrib/spamassassin.te
index 72e781ef..476d0b12 100644
--- a/policy/modules/contrib/spamassassin.te
+++ b/policy/modules/contrib/spamassassin.te
@@ -25,6 +25,9 @@ type spamd_update_t;
type spamd_update_exec_t;
init_system_domain(spamd_update_t, spamd_update_exec_t)
+type spamd_update_tmp_t;
+files_tmp_file(spamd_update_tmp_t)
+
type spamassassin_t;
type spamassassin_exec_t;
typealias spamassassin_t alias { user_spamassassin_t staff_spamassassin_t sysadm_spamassassin_t };
@@ -36,11 +39,17 @@ typealias spamassassin_home_t alias { user_spamassassin_home_t staff_spamassassi
typealias spamassassin_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t };
userdom_user_home_content(spamassassin_home_t)
+type spamassassin_initrc_exec_t;
+init_script_file(spamassassin_initrc_exec_t)
+
type spamassassin_tmp_t;
typealias spamassassin_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t };
typealias spamassassin_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t };
userdom_user_tmp_file(spamassassin_tmp_t)
+type spamassassin_unit_t;
+init_unit_file(spamassassin_unit_t)
+
type spamc_t;
type spamc_exec_t;
typealias spamc_t alias { user_spamc_t staff_spamc_t sysadm_spamc_t };
@@ -63,6 +72,9 @@ files_type(spamd_compiled_t)
type spamd_etc_t;
files_config_file(spamd_etc_t)
+type spamd_gpg_t;
+domain_type(spamd_gpg_t)
+
type spamd_home_t;
userdom_user_home_content(spamd_home_t)
@@ -119,7 +131,6 @@ files_read_etc_files(spamassassin_t)
files_read_etc_runtime_files(spamassassin_t)
files_list_home(spamassassin_t)
files_read_usr_files(spamassassin_t)
-files_dontaudit_search_var(spamassassin_t)
logging_send_syslog_msg(spamassassin_t)
@@ -216,7 +227,6 @@ fs_search_auto_mountpoints(spamc_t)
files_read_etc_runtime_files(spamc_t)
files_read_usr_files(spamc_t)
-files_dontaudit_search_var(spamc_t)
files_list_home(spamc_t)
files_list_var_lib(spamc_t)
@@ -276,8 +286,7 @@ optional_policy(`
# Daemon local policy
#
-allow spamd_t self:capability { dac_override kill setgid setuid sys_tty_config };
-dontaudit spamd_t self:capability sys_tty_config;
+allow spamd_t self:capability { dac_override kill setgid setuid };
allow spamd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
allow spamd_t self:fd use;
allow spamd_t self:fifo_file rw_fifo_file_perms;
@@ -369,10 +378,8 @@ files_read_etc_runtime_files(spamd_t)
fs_getattr_all_fs(spamd_t)
fs_search_auto_mountpoints(spamd_t)
-auth_use_nsswitch(spamd_t)
auth_dontaudit_read_shadow(spamd_t)
-
-init_dontaudit_rw_utmp(spamd_t)
+auth_use_nsswitch(spamd_t)
libs_use_ld_so(spamd_t)
libs_use_shared_libs(spamd_t)
@@ -383,8 +390,6 @@ miscfiles_read_localization(spamd_t)
sysnet_use_ldap(spamd_t)
-userdom_use_unpriv_users_fds(spamd_t)
-
tunable_policy(`spamd_enable_home_dirs',`
userdom_manage_user_home_content_dirs(spamd_t)
userdom_manage_user_home_content_files(spamd_t)
@@ -440,6 +445,10 @@ optional_policy(`
')
optional_policy(`
+ mta_getattr_spool(spamd_t)
+')
+
+optional_policy(`
mysql_stream_connect(spamd_t)
mysql_tcp_connect(spamd_t)
')
@@ -465,10 +474,6 @@ optional_policy(`
')
optional_policy(`
- seutil_sigchld_newrole(spamd_t)
-')
-
-optional_policy(`
sendmail_stub(spamd_t)
mta_read_config(spamd_t)
mta_send_mail(spamd_t)
@@ -483,13 +488,14 @@ optional_policy(`
# Update local policy
#
-allow spamd_update_t self:capability dac_override;
+allow spamd_update_t self:capability dac_read_search;
+allow spamd_update_t self:process signal;
allow spamd_update_t self:fifo_file manage_fifo_file_perms;
allow spamd_update_t self:unix_stream_socket create_stream_socket_perms;
-manage_dirs_pattern(spamd_update_t, spamd_tmp_t, spamd_tmp_t)
-manage_files_pattern(spamd_update_t, spamd_tmp_t, spamd_tmp_t)
-files_tmp_filetrans(spamd_update_t, spamd_tmp_t, { file dir })
+manage_dirs_pattern(spamd_update_t, spamd_update_tmp_t, spamd_update_tmp_t)
+manage_files_pattern(spamd_update_t, spamd_update_tmp_t, spamd_update_tmp_t)
+files_tmp_filetrans(spamd_update_t, spamd_update_tmp_t, { file dir })
manage_dirs_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
manage_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
@@ -507,6 +513,9 @@ corenet_sendrecv_http_client_packets(spamd_update_t)
corenet_tcp_connect_http_port(spamd_update_t)
corenet_tcp_sendrecv_http_port(spamd_update_t)
+corenet_tcp_bind_generic_node(spamd_update_t)
+corenet_udp_bind_generic_node(spamd_update_t)
+
corecmd_exec_bin(spamd_update_t)
corecmd_exec_shell(spamd_update_t)
@@ -516,23 +525,51 @@ domain_use_interactive_fds(spamd_update_t)
files_read_usr_files(spamd_update_t)
+fs_getattr_xattr_fs(spamd_update_t)
+
auth_use_nsswitch(spamd_update_t)
auth_dontaudit_read_shadow(spamd_update_t)
miscfiles_read_localization(spamd_update_t)
-userdom_use_user_terminals(spamd_update_t)
+userdom_use_inherited_user_terminals(spamd_update_t)
+userdom_dontaudit_search_user_home_dirs(spamd_update_t)
+userdom_dontaudit_search_user_home_content(spamd_update_t)
optional_policy(`
cron_system_entry(spamd_update_t, spamd_update_exec_t)
')
-# probably want a solution same as httpd_use_gpg since this will
-# give spamd_update a path to users gpg keys
-# optional_policy(`
-# gpg_domtrans(spamd_update_t)
-# ')
-
optional_policy(`
- mta_read_config(spamd_update_t)
+ gpg_spec_domtrans(spamd_update_t, spamd_gpg_t)
+ gpg_entry_type(spamd_gpg_t)
+ role system_r types spamd_gpg_t;
+
+ allow spamd_gpg_t self:capability { dac_override dac_read_search };
+ allow spamd_gpg_t self:unix_stream_socket { connect create };
+
+ allow spamd_gpg_t spamd_update_t:fd use;
+ allow spamd_gpg_t spamd_update_t:process sigchld;
+ allow spamd_gpg_t spamd_update_t:fifo_file { getattr write };
+ allow spamd_gpg_t spamd_var_lib_t:dir search_dir_perms;
+ allow spamd_gpg_t spamd_var_lib_t:file rw_file_perms;
+ allow spamd_gpg_t spamd_update_tmp_t:file read_file_perms;
+
+ # fips
+ kernel_search_crypto_sysctls(spamd_gpg_t)
+
+ domain_use_interactive_fds(spamd_gpg_t)
+
+ files_read_etc_files(spamd_gpg_t)
+ files_read_usr_files(spamd_gpg_t)
+ files_search_var_lib(spamd_gpg_t)
+ files_search_pids(spamd_gpg_t)
+ files_search_tmp(spamd_gpg_t)
+
+ init_use_fds(spamd_gpg_t)
+ init_rw_inherited_stream_socket(spamd_gpg_t)
+
+ miscfiles_read_localization(spamd_gpg_t)
+
+ userdom_use_inherited_user_terminals(spamd_gpg_t)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-09-15 3:42 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-09-15 3:42 UTC (permalink / raw
To: gentoo-commits
commit: f24ab168b8a32baf2019b4ac68b5c591ec78e779
Author: Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Tue Sep 12 07:16:30 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Sep 14 19:34:44 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f24ab168
mandb: man-db needs to map its 'index.db' cache
policy/modules/contrib/mandb.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/mandb.te b/policy/modules/contrib/mandb.te
index 5c759da4..015e2813 100644
--- a/policy/modules/contrib/mandb.te
+++ b/policy/modules/contrib/mandb.te
@@ -46,6 +46,7 @@ files_search_pids(mandb_t)
fs_getattr_xattr_fs(mandb_t)
miscfiles_manage_man_cache(mandb_t)
+miscfiles_map_man_cache(mandb_t)
miscfiles_read_man_pages(mandb_t)
miscfiles_read_localization(mandb_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-09-15 3:42 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-09-15 3:42 UTC (permalink / raw
To: gentoo-commits
commit: 910541fc85a07a081c07afb8ffbba8c856addc4f
Author: Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Tue Sep 12 07:16:37 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Sep 14 19:34:44 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=910541fc
portage: Remove nonsensical dontaudit of an allowed permission
policy/modules/contrib/portage.te | 1 -
1 file changed, 1 deletion(-)
diff --git a/policy/modules/contrib/portage.te b/policy/modules/contrib/portage.te
index 398b05c3..9c406a8b 100644
--- a/policy/modules/contrib/portage.te
+++ b/policy/modules/contrib/portage.te
@@ -178,7 +178,6 @@ rsync_entry_domtrans(portage_t, portage_fetch_t)
allow portage_fetch_t portage_t:fd use;
allow portage_fetch_t portage_t:fifo_file rw_fifo_file_perms;
allow portage_fetch_t portage_t:process sigchld;
-dontaudit portage_fetch_t portage_devpts_t:chr_file { read write };
# transition to sandbox for compiling
spec_domtrans_pattern(portage_t, portage_exec_t, portage_sandbox_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-09-15 3:42 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-09-15 3:42 UTC (permalink / raw
To: gentoo-commits
commit: d584a320adcd016b935185c95f0f088d899cfac6
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Sep 13 00:16:06 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Sep 14 19:34:44 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d584a320
Module version bumps.
policy/modules/contrib/alsa.te | 2 +-
policy/modules/contrib/cgmanager.te | 2 +-
policy/modules/contrib/fakehwclock.te | 2 +-
policy/modules/contrib/mandb.te | 2 +-
policy/modules/contrib/milter.te | 2 +-
policy/modules/contrib/mozilla.te | 2 +-
policy/modules/contrib/mta.te | 2 +-
policy/modules/contrib/portage.te | 2 +-
policy/modules/contrib/postfix.te | 2 +-
9 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/policy/modules/contrib/alsa.te b/policy/modules/contrib/alsa.te
index 898b6f19..3acaa84e 100644
--- a/policy/modules/contrib/alsa.te
+++ b/policy/modules/contrib/alsa.te
@@ -1,4 +1,4 @@
-policy_module(alsa, 1.17.0)
+policy_module(alsa, 1.17.1)
########################################
#
diff --git a/policy/modules/contrib/cgmanager.te b/policy/modules/contrib/cgmanager.te
index 2674193f..64cecfc3 100644
--- a/policy/modules/contrib/cgmanager.te
+++ b/policy/modules/contrib/cgmanager.te
@@ -1,4 +1,4 @@
-policy_module(cgmanager, 1.0.0)
+policy_module(cgmanager, 1.0.1)
########################################
#
diff --git a/policy/modules/contrib/fakehwclock.te b/policy/modules/contrib/fakehwclock.te
index 20bc5a01..22630f22 100644
--- a/policy/modules/contrib/fakehwclock.te
+++ b/policy/modules/contrib/fakehwclock.te
@@ -1,4 +1,4 @@
-policy_module(fakehwclock, 1.1.0)
+policy_module(fakehwclock, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/mandb.te b/policy/modules/contrib/mandb.te
index 015e2813..6abed374 100644
--- a/policy/modules/contrib/mandb.te
+++ b/policy/modules/contrib/mandb.te
@@ -1,4 +1,4 @@
-policy_module(mandb, 1.4.0)
+policy_module(mandb, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/milter.te b/policy/modules/contrib/milter.te
index a299b8e1..3b615940 100644
--- a/policy/modules/contrib/milter.te
+++ b/policy/modules/contrib/milter.te
@@ -1,4 +1,4 @@
-policy_module(milter, 1.7.0)
+policy_module(milter, 1.7.1)
########################################
#
diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
index fdc25f9c..4cc1b3be 100644
--- a/policy/modules/contrib/mozilla.te
+++ b/policy/modules/contrib/mozilla.te
@@ -1,4 +1,4 @@
-policy_module(mozilla, 2.12.0)
+policy_module(mozilla, 2.12.1)
########################################
#
diff --git a/policy/modules/contrib/mta.te b/policy/modules/contrib/mta.te
index 86833600..f7b89ad3 100644
--- a/policy/modules/contrib/mta.te
+++ b/policy/modules/contrib/mta.te
@@ -1,4 +1,4 @@
-policy_module(mta, 2.9.0)
+policy_module(mta, 2.9.1)
########################################
#
diff --git a/policy/modules/contrib/portage.te b/policy/modules/contrib/portage.te
index f64d5b6c..80537932 100644
--- a/policy/modules/contrib/portage.te
+++ b/policy/modules/contrib/portage.te
@@ -1,4 +1,4 @@
-policy_module(portage, 1.15.1)
+policy_module(portage, 1.15.2)
########################################
#
diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te
index 620e81b1..daeeb4d1 100644
--- a/policy/modules/contrib/postfix.te
+++ b/policy/modules/contrib/postfix.te
@@ -1,4 +1,4 @@
-policy_module(postfix, 1.18.0)
+policy_module(postfix, 1.18.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-09-15 3:42 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-09-15 3:42 UTC (permalink / raw
To: gentoo-commits
commit: bbed3e0a06d6248027b0ed1413ebad0784d9bd53
Author: Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Tue Sep 12 22:07:26 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Sep 14 19:34:44 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=bbed3e0a
alsa: alsactl needs to map its configuration
The code is in alsactl/init_parse.c; there's no fallback.
policy/modules/contrib/alsa.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/alsa.te b/policy/modules/contrib/alsa.te
index f297b903..898b6f19 100644
--- a/policy/modules/contrib/alsa.te
+++ b/policy/modules/contrib/alsa.te
@@ -53,6 +53,7 @@ allow alsa_t alsa_home_t:file read_file_perms;
list_dirs_pattern(alsa_t, alsa_etc_t, alsa_etc_t)
read_files_pattern(alsa_t, alsa_etc_t, alsa_etc_t)
read_lnk_files_pattern(alsa_t, alsa_etc_t, alsa_etc_t)
+allow alsa_t alsa_etc_t:file map;
can_exec(alsa_t, alsa_exec_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-09-15 3:42 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-09-15 3:42 UTC (permalink / raw
To: gentoo-commits
commit: b3610b7a3b119e7d912087d14b982a0287e1c25c
Author: Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Tue Sep 12 22:07:27 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Sep 14 19:34:44 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b3610b7a
mozilla: Add neccessary map permissions
The mozilla_home_t access is needed for sqlite (ff won't even start up
without it), while the mozilla_tmp_t mapping appears to be related to
the handling of addons.
policy/modules/contrib/mozilla.te | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
index c6c51570..fdc25f9c 100644
--- a/policy/modules/contrib/mozilla.te
+++ b/policy/modules/contrib/mozilla.te
@@ -93,7 +93,7 @@ allow mozilla_t mozilla_plugin_t:unix_stream_socket rw_socket_perms;
allow mozilla_t mozilla_plugin_t:fd use;
allow mozilla_t { mozilla_home_t mozilla_plugin_home_t }:dir manage_dir_perms;
-allow mozilla_t { mozilla_home_t mozilla_plugin_home_t }:file manage_file_perms;
+allow mozilla_t { mozilla_home_t mozilla_plugin_home_t }:file { manage_file_perms map };
allow mozilla_t mozilla_home_t:lnk_file manage_lnk_file_perms;
userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".galeon")
userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".mozilla")
@@ -105,6 +105,7 @@ filetrans_pattern(mozilla_t, mozilla_home_t, mozilla_plugin_home_t, dir, "plugin
manage_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
manage_lnk_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
manage_dirs_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
+allow mozilla_t mozilla_tmp_t:file map;
files_tmp_filetrans(mozilla_t, mozilla_tmp_t, { file dir })
manage_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-09-15 3:42 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-09-15 3:42 UTC (permalink / raw
To: gentoo-commits
commit: a2d0a9f349eb5d9ff37e1ffcc8cc8157af1af6b1
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Sep 12 07:32:21 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Sep 14 19:34:44 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a2d0a9f3
cgmanager: Apply auth_use_nsswitch interface
cgmanager looks up usernames in /etc/passwd, for which a map permission
may become neccessary.
policy/modules/contrib/cgmanager.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/contrib/cgmanager.te b/policy/modules/contrib/cgmanager.te
index c3cc5217..2674193f 100644
--- a/policy/modules/contrib/cgmanager.te
+++ b/policy/modules/contrib/cgmanager.te
@@ -40,6 +40,8 @@ allow cgmanager_t cgmanager_run_t:dir mounton;
kernel_domtrans_to(cgmanager_t, cgmanager_exec_t)
kernel_read_system_state(cgmanager_t)
+auth_use_nsswitch(cgmanager_t)
+
corecmd_exec_bin(cgmanager_t)
domain_read_all_domains_state(cgmanager_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-09-15 3:42 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-09-15 3:42 UTC (permalink / raw
To: gentoo-commits
commit: a605fd2918c450c34933b68eef93d14c432695f0
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Sep 13 22:49:32 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Sep 14 19:34:45 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a605fd29
spamassassin: Move lines.
policy/modules/contrib/spamassassin.te | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/policy/modules/contrib/spamassassin.te b/policy/modules/contrib/spamassassin.te
index 476d0b12..3a3a0ee7 100644
--- a/policy/modules/contrib/spamassassin.te
+++ b/policy/modules/contrib/spamassassin.te
@@ -503,22 +503,20 @@ manage_lnk_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
kernel_read_system_state(spamd_update_t)
+corecmd_exec_bin(spamd_update_t)
+corecmd_exec_shell(spamd_update_t)
+
corenet_all_recvfrom_unlabeled(spamd_update_t)
corenet_all_recvfrom_netlabel(spamd_update_t)
corenet_tcp_sendrecv_generic_if(spamd_update_t)
corenet_tcp_sendrecv_generic_node(spamd_update_t)
corenet_tcp_sendrecv_all_ports(spamd_update_t)
-
corenet_sendrecv_http_client_packets(spamd_update_t)
corenet_tcp_connect_http_port(spamd_update_t)
corenet_tcp_sendrecv_http_port(spamd_update_t)
-
corenet_tcp_bind_generic_node(spamd_update_t)
corenet_udp_bind_generic_node(spamd_update_t)
-corecmd_exec_bin(spamd_update_t)
-corecmd_exec_shell(spamd_update_t)
-
dev_read_urand(spamd_update_t)
domain_use_interactive_fds(spamd_update_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-09-15 3:42 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-09-15 3:42 UTC (permalink / raw
To: gentoo-commits
commit: d1ae8f61ff2f9b933afff01404579acb96deedf7
Author: Christian Göttsche <cgzones <AT> googlemail <DOT> com>
AuthorDate: Tue Sep 12 09:18:57 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Sep 14 19:34:44 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d1ae8f61
milter: update
- add initrc filecontext
- drop generic dontaudit macro
- sort some permissions
policy/modules/contrib/milter.fc | 2 ++
policy/modules/contrib/milter.te | 15 ++++++++++-----
2 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/policy/modules/contrib/milter.fc b/policy/modules/contrib/milter.fc
index 93104017..42fe5e94 100644
--- a/policy/modules/contrib/milter.fc
+++ b/policy/modules/contrib/milter.fc
@@ -1,3 +1,5 @@
+/etc/rc\.d/init\.d/spamass-milter -- gen_context(system_u:object_r:spamass_milter_initrc_exec_t,s0)
+
/usr/bin/milter-greylist -- gen_context(system_u:object_r:greylist_milter_exec_t,s0)
/usr/bin/sqlgrey -- gen_context(system_u:object_r:greylist_milter_exec_t,s0)
/usr/bin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0)
diff --git a/policy/modules/contrib/milter.te b/policy/modules/contrib/milter.te
index d0e9c1b0..a299b8e1 100644
--- a/policy/modules/contrib/milter.te
+++ b/policy/modules/contrib/milter.te
@@ -12,6 +12,9 @@ milter_template(greylist)
milter_template(regex)
milter_template(spamass)
+type spamass_milter_initrc_exec_t;
+init_script_file(spamass_milter_initrc_exec_t)
+
type spamass_milter_state_t;
files_type(spamass_milter_state_t)
@@ -23,8 +26,6 @@ files_type(spamass_milter_state_t)
allow milter_domains self:fifo_file rw_fifo_file_perms;
allow milter_domains self:tcp_socket { accept listen };
-kernel_dontaudit_read_system_state(milter_domains)
-
corenet_all_recvfrom_unlabeled(milter_domains)
corenet_all_recvfrom_netlabel(milter_domains)
corenet_tcp_sendrecv_generic_if(milter_domains)
@@ -44,7 +45,7 @@ logging_send_syslog_msg(milter_domains)
#
allow greylist_milter_t self:capability { chown dac_override setgid setuid sys_nice };
-allow greylist_milter_t self:process { setsched getsched };
+allow greylist_milter_t self:process { getsched setsched };
files_pid_filetrans(greylist_milter_t, greylist_milter_data_t, file)
@@ -93,8 +94,10 @@ mta_read_config(regex_milter_t)
# spamass local policy
#
-allow spamass_milter_t spamass_milter_state_t:dir search_dir_perms;
allow spamass_milter_t self:process sigkill;
+allow spamass_milter_t self:unix_stream_socket { accept listen };
+
+allow spamass_milter_t spamass_milter_state_t:dir search_dir_perms;
kernel_read_system_state(spamass_milter_t)
kernel_read_vm_overcommit_sysctl(spamass_milter_t)
@@ -105,7 +108,9 @@ dev_read_sysfs(spamass_milter_t)
files_search_var_lib(spamass_milter_t)
-mta_send_mail(spamass_milter_t)
+optional_policy(`
+ mta_send_mail(spamass_milter_t)
+')
optional_policy(`
postfix_search_spool(spamass_milter_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-09-15 3:42 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-09-15 3:42 UTC (permalink / raw
To: gentoo-commits
commit: 3d86b290dcb2b50f55acb6b74757df29e3c19bf7
Author: Christian Göttsche <cgzones <AT> googlemail <DOT> com>
AuthorDate: Tue Sep 12 09:24:03 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Sep 14 19:34:45 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3d86b290
mandb: fixes for systemd timer and /usr/local/man label
policy/modules/contrib/mandb.te | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/mandb.te b/policy/modules/contrib/mandb.te
index 6abed374..f3113386 100644
--- a/policy/modules/contrib/mandb.te
+++ b/policy/modules/contrib/mandb.te
@@ -10,7 +10,7 @@ roleattribute system_r mandb_roles;
type mandb_t;
type mandb_exec_t;
-application_domain(mandb_t, mandb_exec_t)
+init_system_domain(mandb_t, mandb_exec_t)
role mandb_roles types mandb_t;
type mandb_unit_t;
@@ -40,6 +40,8 @@ domain_use_interactive_fds(mandb_t)
files_dontaudit_search_home(mandb_t)
files_read_etc_files(mandb_t)
+# /usr/local/man
+files_read_usr_symlinks(mandb_t)
# search /var/run/nscd/socket
files_search_pids(mandb_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-09-15 3:42 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-09-15 3:42 UTC (permalink / raw
To: gentoo-commits
commit: b568312c05904f85f5bd56ac32646ecb53ac02e7
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Sep 13 22:57:34 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Sep 14 19:34:45 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b568312c
mandb, spamassassin: Module version bumps.
policy/modules/contrib/mandb.te | 2 +-
policy/modules/contrib/spamassassin.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/mandb.te b/policy/modules/contrib/mandb.te
index f3113386..d4e691f1 100644
--- a/policy/modules/contrib/mandb.te
+++ b/policy/modules/contrib/mandb.te
@@ -1,4 +1,4 @@
-policy_module(mandb, 1.4.1)
+policy_module(mandb, 1.4.2)
########################################
#
diff --git a/policy/modules/contrib/spamassassin.te b/policy/modules/contrib/spamassassin.te
index 3a3a0ee7..d8aa47a1 100644
--- a/policy/modules/contrib/spamassassin.te
+++ b/policy/modules/contrib/spamassassin.te
@@ -1,4 +1,4 @@
-policy_module(spamassassin, 2.11.1)
+policy_module(spamassassin, 2.11.2)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-09-15 3:42 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-09-15 3:42 UTC (permalink / raw
To: gentoo-commits
commit: a4743ad2640e89594cd3e992e1aae01f527f4ecc
Author: Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Tue Sep 12 07:16:57 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Sep 14 19:34:44 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a4743ad2
portage: Transition to ldconfig_t when calling ldconfig
portage_t used to have all neccessary permissions to run ldconfig in its
own domain, but ldconfig now needs map access to its cache, so it's
either this or allowing portage_t to map ldconfig_cache_t.
policy/modules/contrib/portage.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/contrib/portage.te b/policy/modules/contrib/portage.te
index 9c406a8b..f64d5b6c 100644
--- a/policy/modules/contrib/portage.te
+++ b/policy/modules/contrib/portage.te
@@ -202,6 +202,8 @@ auth_manage_shadow(portage_t)
# merging baselayout will need this:
init_exec(portage_t)
+libs_run_ldconfig(portage_t, portage_roles)
+
miscfiles_read_localization(portage_t)
# run setfiles -r
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-09-15 3:42 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-09-15 3:42 UTC (permalink / raw
To: gentoo-commits
commit: 6b54fc6b1cdce2f92d2843a36d3abb2bfda29ea0
Author: Christian Göttsche <cgzones <AT> googlemail <DOT> com>
AuthorDate: Sun Sep 10 15:28:50 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Sep 14 19:34:43 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6b54fc6b
dmidecode: use userdom_use_inherited_user_terminals
policy/modules/contrib/dmidecode.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/dmidecode.te b/policy/modules/contrib/dmidecode.te
index 1c6fc9b5..0e3a6aef 100644
--- a/policy/modules/contrib/dmidecode.te
+++ b/policy/modules/contrib/dmidecode.te
@@ -31,4 +31,4 @@ mls_file_read_all_levels(dmidecode_t)
locallogin_use_fds(dmidecode_t)
-userdom_use_user_terminals(dmidecode_t)
+userdom_use_inherited_user_terminals(dmidecode_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-09-15 3:42 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-09-15 3:42 UTC (permalink / raw
To: gentoo-commits
commit: 855cc1c93352b29d1e2f7e1f65f9ac91ae49d174
Author: Christian Göttsche <cgzones <AT> googlemail <DOT> com>
AuthorDate: Sun Sep 10 15:49:48 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Sep 14 19:34:43 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=855cc1c9
rkhunter: add several missing permission
policy/modules/contrib/rkhunter.te | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/rkhunter.te b/policy/modules/contrib/rkhunter.te
index 4ebfdf6c..caa1680d 100644
--- a/policy/modules/contrib/rkhunter.te
+++ b/policy/modules/contrib/rkhunter.te
@@ -35,7 +35,7 @@ files_type(rkhunter_var_lib_t)
# Application local policy
#
-allow rkhunter_t self:capability { dac_override dac_read_search net_admin setgid setuid sys_nice sys_ptrace };
+allow rkhunter_t self:capability { dac_read_search kill net_admin setgid setuid sys_nice sys_ptrace };
allow rkhunter_t self:process { getsched setsched signal };
allow rkhunter_t self:netlink_route_socket r_netlink_socket_perms;
allow rkhunter_t self:tcp_socket { bind connect create listen read write };
@@ -68,6 +68,7 @@ corenet_udp_bind_all_ports(rkhunter_t)
corenet_tcp_bind_generic_node(rkhunter_t)
corenet_udp_bind_generic_node(rkhunter_t)
+dev_getattr_fs(rkhunter_t)
dev_read_urand(rkhunter_t)
dev_getattr_all_chr_files(rkhunter_t)
dev_getattr_all_blk_files(rkhunter_t)
@@ -76,15 +77,22 @@ domain_read_all_domains_state(rkhunter_t)
domain_use_interactive_fds(rkhunter_t)
domain_getattr_all_sockets(rkhunter_t)
domain_getattr_all_pipes(rkhunter_t)
+domain_getpgid_all_domains(rkhunter_t)
+domain_getsched_all_domains(rkhunter_t)
+domain_getsession_all_domains(rkhunter_t)
+domain_signull_all_domains(rkhunter_t)
files_read_non_auth_files(rkhunter_t)
files_read_all_symlinks(rkhunter_t)
files_read_all_chr_files(rkhunter_t)
files_getattr_all_pipes(rkhunter_t)
files_getattr_all_sockets(rkhunter_t)
+files_check_write_lock_dirs(rkhunter_t)
+files_check_write_pid_dirs(rkhunter_t)
fs_getattr_tracefs(rkhunter_t)
fs_getattr_tracefs_dirs(rkhunter_t)
+fs_getattr_xattr_fs(rkhunter_t)
hostname_exec(rkhunter_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-09-15 3:42 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-09-15 3:42 UTC (permalink / raw
To: gentoo-commits
commit: db15b995c6a8f565f1c6c6ea3334d2d1b4dead2f
Author: Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Tue Sep 12 02:41:57 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Sep 14 19:34:44 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=db15b995
postfix: Some table drivers (notably cdb) need to mmap() their databases
policy/modules/contrib/mta.if | 18 ++++++++++++++++++
policy/modules/contrib/postfix.te | 8 ++++++--
2 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/mta.if b/policy/modules/contrib/mta.if
index 0602746b..4384caae 100644
--- a/policy/modules/contrib/mta.if
+++ b/policy/modules/contrib/mta.if
@@ -608,6 +608,24 @@ interface(`mta_read_aliases',`
########################################
## <summary>
+## Read mail address alias files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_map_aliases',`
+ gen_require(`
+ type etc_aliases_t;
+ ')
+
+ allow $1 etc_aliases_t:file map;
+')
+
+########################################
+## <summary>
## Create, read, write, and delete
## mail address alias content.
## </summary>
diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te
index 62eaeba3..620e81b1 100644
--- a/policy/modules/contrib/postfix.te
+++ b/policy/modules/contrib/postfix.te
@@ -115,7 +115,7 @@ allow postfix_domain self:fifo_file rw_fifo_file_perms;
allow postfix_domain self:unix_stream_socket { accept connectto listen };
allow postfix_domain postfix_etc_t:dir list_dir_perms;
-allow postfix_domain postfix_etc_t:file read_file_perms;
+allow postfix_domain postfix_etc_t:file { read_file_perms map };
allow postfix_domain postfix_etc_t:lnk_file read_lnk_file_perms;
allow postfix_domain postfix_master_t:file read_file_perms;
@@ -405,6 +405,7 @@ corenet_tcp_connect_kismet_port(postfix_cleanup_t)
corenet_tcp_sendrecv_kismet_port(postfix_cleanup_t)
mta_read_aliases(postfix_cleanup_t)
+mta_map_aliases(postfix_cleanup_t)
optional_policy(`
dkim_stream_connect(postfix_cleanup_t)
@@ -436,6 +437,7 @@ logging_dontaudit_search_logs(postfix_local_t)
mta_delete_spool(postfix_local_t)
mta_read_aliases(postfix_local_t)
+mta_map_aliases(postfix_local_t)
mta_read_config(postfix_local_t)
mta_send_mail(postfix_local_t)
@@ -489,7 +491,7 @@ allow postfix_map_t self:capability { dac_override setgid setuid };
allow postfix_map_t self:tcp_socket { accept listen };
allow postfix_map_t postfix_etc_t:dir manage_dir_perms;
-allow postfix_map_t postfix_etc_t:file manage_file_perms;
+allow postfix_map_t postfix_etc_t:file { manage_file_perms map };
allow postfix_map_t postfix_etc_t:lnk_file manage_lnk_file_perms;
manage_dirs_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
@@ -776,6 +778,7 @@ fs_getattr_all_dirs(postfix_smtpd_t)
fs_getattr_all_fs(postfix_smtpd_t)
mta_read_aliases(postfix_smtpd_t)
+mta_map_aliases(postfix_smtpd_t)
optional_policy(`
dovecot_stream_connect_auth(postfix_smtpd_t)
@@ -817,6 +820,7 @@ stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t }
corecmd_exec_bin(postfix_virtual_t)
mta_read_aliases(postfix_virtual_t)
+mta_map_aliases(postfix_virtual_t)
mta_delete_spool(postfix_virtual_t)
mta_read_config(postfix_virtual_t)
mta_manage_spool(postfix_virtual_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-09-15 3:42 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-09-15 3:42 UTC (permalink / raw
To: gentoo-commits
commit: 86cb44cbdb6a3622e09333b6038b0f48d5859e36
Author: Christian Göttsche <cgzones <AT> googlemail <DOT> com>
AuthorDate: Sun Sep 10 15:38:08 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Sep 14 19:34:43 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=86cb44cb
chkrootkit: update
- drop unneeded dac_override permission
- add getattr permissions on filesystems
policy/modules/contrib/chkrootkit.te | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/chkrootkit.te b/policy/modules/contrib/chkrootkit.te
index f62eb493..007b0623 100644
--- a/policy/modules/contrib/chkrootkit.te
+++ b/policy/modules/contrib/chkrootkit.te
@@ -20,7 +20,7 @@ logging_log_file(chkrootkit_log_t)
# Application local policy
#
-allow chkrootkit_t self:capability { dac_override dac_read_search setuid sys_ptrace };
+allow chkrootkit_t self:capability { dac_read_search setuid sys_ptrace };
allow chkrootkit_t self:fifo_file rw_fifo_file_perms;
allow chkrootkit_t self:udp_socket { create ioctl };
@@ -32,6 +32,7 @@ kernel_getattr_message_if(chkrootkit_t)
corecmd_exec_bin(chkrootkit_t)
corecmd_exec_shell(chkrootkit_t)
+dev_getattr_fs(chkrootkit_t)
dev_read_rand(chkrootkit_t)
dev_read_urand(chkrootkit_t)
dev_getattr_all_chr_files(chkrootkit_t)
@@ -46,6 +47,8 @@ files_read_all_symlinks(chkrootkit_t)
files_read_all_chr_files(chkrootkit_t)
files_getattr_all_pipes(chkrootkit_t)
+fs_getattr_xattr_fs(chkrootkit_t)
+
init_signal(chkrootkit_t)
logging_send_syslog_msg(chkrootkit_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-09-15 3:42 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-09-15 3:42 UTC (permalink / raw
To: gentoo-commits
commit: acd71bc1086f82d88adb99dbfcb468ef06ee2942
Author: Christian Göttsche <cgzones <AT> googlemail <DOT> com>
AuthorDate: Sun Sep 10 15:11:57 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Sep 14 19:34:43 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=acd71bc1
apache: align filecontexts
policy/modules/contrib/apache.fc | 377 ++++++++++++++++++++-------------------
1 file changed, 189 insertions(+), 188 deletions(-)
diff --git a/policy/modules/contrib/apache.fc b/policy/modules/contrib/apache.fc
index f55535e7..c0e8fbdb 100644
--- a/policy/modules/contrib/apache.fc
+++ b/policy/modules/contrib/apache.fc
@@ -1,193 +1,194 @@
-HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
-HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
+HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
+HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
HOME_DIR/((www)|(web)|(public_html))(/.*)?/\.htaccess -- gen_context(system_u:object_r:httpd_user_htaccess_t,s0)
-HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_user_ra_content_t,s0)
-
-/etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
-/etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
-/etc/cherokee(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
-/etc/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/etc/glpi(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/etc/hiawatha(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
-/etc/horde(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/etc/httpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
-/etc/httpd/conf/keytab -- gen_context(system_u:object_r:httpd_keytab_t,s0)
-/etc/httpd/logs gen_context(system_u:object_r:httpd_log_t,s0)
-/etc/httpd/modules gen_context(system_u:object_r:httpd_modules_t,s0)
-/etc/lighttpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
-/etc/mock/koji(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/etc/postfixadmin(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
-/etc/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-
-/etc/rc\.d/init\.d/cherokee -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/hiawatha -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/lighttpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
-
-/etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0)
-/etc/WebCalendar(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-
-/opt/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
-
-/srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-
-/usr/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-
-/usr/bin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/bin/apache(2)?ctl -- gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/bin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/bin/cgi-wrapper -- gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/bin/cherokee -- gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/bin/hiawatha -- gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/bin/htsslpass -- gen_context(system_u:object_r:httpd_helper_exec_t,s0)
-/usr/bin/httpd\.event -- gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/bin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/bin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/bin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
-/usr/bin/ssi-cgi -- gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/bin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
-/usr/bin/wigwam -- gen_context(system_u:object_r:httpd_exec_t,s0)
-
-/usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/lib/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
-/usr/lib/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
-/usr/lib/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
-/usr/lib/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/usr/lib/cgi-bin/(nph-)?cgiwrap(d)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
-/usr/lib/cherokee(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
-/usr/lib/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/usr/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
-/usr/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
-/usr/lib/systemd/system/httpd.*\.service -- gen_context(system_u:object_r:httpd_unit_t,s0)
-/usr/lib/systemd/system/jetty.*\.service -- gen_context(system_u:object_r:httpd_unit_t,s0)
-
-/usr/libexec/httpd-ssl-pass-dialog -- gen_context(system_u:object_r:httpd_passwd_exec_t,s0)
-
-/usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/sbin/apache(2)?ctl -- gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/sbin/cgi-wrapper -- gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/sbin/cherokee -- gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/sbin/hiawatha -- gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/sbin/httpd\.event -- gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/sbin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/sbin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
-/usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
-/usr/sbin/wigwam -- gen_context(system_u:object_r:httpd_exec_t,s0)
+HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_user_ra_content_t,s0)
+
+/etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/cherokee(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/glpi(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/hiawatha(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/horde(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/etc/httpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/httpd/conf/keytab -- gen_context(system_u:object_r:httpd_keytab_t,s0)
+/etc/httpd/logs gen_context(system_u:object_r:httpd_log_t,s0)
+/etc/httpd/modules gen_context(system_u:object_r:httpd_modules_t,s0)
+/etc/lighttpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/mock/koji(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/postfixadmin(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+
+/etc/rc\.d/init\.d/cherokee -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/hiawatha -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/lighttpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
+
+/etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/WebCalendar(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+
+/opt/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
+
+/srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+
+/usr/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+
+/usr/bin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/apache(2)?ctl -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/cgi-wrapper -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/cherokee -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/hiawatha -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/htsslpass -- gen_context(system_u:object_r:httpd_helper_exec_t,s0)
+/usr/bin/httpd\.event -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
+/usr/bin/ssi-cgi -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
+/usr/bin/wigwam -- gen_context(system_u:object_r:httpd_exec_t,s0)
+
+/usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/lib/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/lib/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/lib/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
+/usr/lib/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/lib/cgi-bin/(nph-)?cgiwrap(d)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
+/usr/lib/cherokee(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/lib/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/lib/systemd/system/httpd.*\.service -- gen_context(system_u:object_r:httpd_unit_t,s0)
+/usr/lib/systemd/system/jetty.*\.service -- gen_context(system_u:object_r:httpd_unit_t,s0)
+
+/usr/libexec/httpd-ssl-pass-dialog -- gen_context(system_u:object_r:httpd_passwd_exec_t,s0)
+
+/usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/apache(2)?ctl -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/cgi-wrapper -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/cherokee -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/hiawatha -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/httpd\.event -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
+/usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
+/usr/sbin/wigwam -- gen_context(system_u:object_r:httpd_exec_t,s0)
ifdef(`distro_suse',`
-/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
')
-/usr/share/doc/ghc/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/drupal.* gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/glpi(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/jetty/bin/jetty\.sh -- gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/share/mythweb(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/mythweb/mythweb\.pl gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/usr/share/mythtv/mythweather/scripts(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/usr/share/mythtv/data(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/ntop/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/postfixadmin/templates_c(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/wordpress/.*\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/usr/share/wordpress-mu/wp-config\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/usr/share/wordpress-mu/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/usr/share/wordpress/wp-content/uploads(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/usr/share/wordpress/wp-content/upgrade(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/usr/share/wordpress/wp-includes/.*\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-
-/var/cache/apache2(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/mason(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/mediawiki(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/mod_.* gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/mod_gnutls(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/mod_proxy(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/mod_ssl(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/php-.* gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/php-eaccelerator(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/php-mmcache(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/rt3(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0)
-
-/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/var/lib/cherokee(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/lib/php(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/lib/php5(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/lib/dokuwiki(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/lib/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/lib/glpi(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/lib/hiawatha(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
-/var/lib/pootle/po(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/lib/rt3/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/lib/squirrelmail/prefs(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
-/var/lib/stickshift/.httpd.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
-/var/lib/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/lib/trac(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/var/lib/wordpress(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/lib/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-
-/var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/cherokee(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/dirsrv/admin-serv(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/glpi(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/hiawatha(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/mlogc(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/piranha(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/roundcubemail(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/suphp\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-
-/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0)
-/run/cherokee\.pid -- gen_context(system_u:object_r:httpd_var_run_t,s0)
-/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0)
-/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0)
-/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0)
-/run/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
-/run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0)
-/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0)
-/run/user/apache(/.*)? gen_context(system_u:object_r:httpd_tmp_t,s0)
-
-/var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/spool/squirrelmail(/.*)? gen_context(system_u:object_r:squirrelmail_spool_t,s0)
-/var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
-
-/var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)
-/var/www/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/www/html/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/var/www/html/[^/]*/sites/default/settings\.php -- gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
-/var/www/html/[^/]*/sites/default/files(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
-/var/www/html/configuration\.php gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/www/html/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/var/www/miq/vmdb/log(/.*)? gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)
-/var/www/moodledata(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+#/usr/share/dirsrv(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/doc/ghc/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/drupal.* gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/glpi(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/jetty/bin/jetty\.sh -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/share/mythweb(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/mythweb/mythweb\.pl gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/share/mythtv/mythweather/scripts(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/share/mythtv/data(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/ntop/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/postfixadmin/templates_c(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/wordpress/.*\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/share/wordpress-mu/wp-config\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/share/wordpress-mu/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/usr/share/wordpress/wp-content/uploads(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/usr/share/wordpress/wp-content/upgrade(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/usr/share/wordpress/wp-includes/.*\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+
+/var/cache/apache2(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mason(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mediawiki(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mod_.* gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mod_gnutls(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mod_proxy(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mod_ssl(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/php-.* gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/php-eaccelerator(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/php-mmcache(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/rt3(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0)
+
+/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/lib/cherokee(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/php(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/php5(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/dokuwiki(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/glpi(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/hiawatha(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/lib/pootle/po(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/rt3/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/squirrelmail/prefs(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
+/var/lib/stickshift/.httpd.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/var/lib/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/trac(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/lib/wordpress(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+
+/var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/cherokee(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/dirsrv/admin-serv(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/glpi(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/hiawatha(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/mlogc(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/piranha(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/roundcubemail(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/suphp\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+
+/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/run/cherokee\.pid -- gen_context(system_u:object_r:httpd_var_run_t,s0)
+/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0)
+/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/run/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
+/run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0)
+/run/user/apache(/.*)? gen_context(system_u:object_r:httpd_tmp_t,s0)
+
+/var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/spool/squirrelmail(/.*)? gen_context(system_u:object_r:squirrelmail_spool_t,s0)
+/var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
+
+/var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)
+/var/www/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/html/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/html/[^/]*/sites/default/settings\.php -- gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
+/var/www/html/[^/]*/sites/default/files(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
+/var/www/html/configuration\.php gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/html/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/www/miq/vmdb/log(/.*)? gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)
+/var/www/moodledata(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-09-15 3:42 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-09-15 3:42 UTC (permalink / raw
To: gentoo-commits
commit: 32dc3aeea8d00e80b661b7d5a637af3fa88f236a
Author: Christian Göttsche <cgzones <AT> googlemail <DOT> com>
AuthorDate: Sun Sep 10 14:39:37 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Sep 14 19:34:43 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=32dc3aee
spamassassin: align filecontexts
policy/modules/contrib/spamassassin.fc | 42 +++++++++++++++++-----------------
1 file changed, 21 insertions(+), 21 deletions(-)
diff --git a/policy/modules/contrib/spamassassin.fc b/policy/modules/contrib/spamassassin.fc
index bc2dbadf..18fa75f8 100644
--- a/policy/modules/contrib/spamassassin.fc
+++ b/policy/modules/contrib/spamassassin.fc
@@ -1,33 +1,33 @@
-HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,s0)
-HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:spamd_home_t,s0)
+HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,s0)
+HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:spamd_home_t,s0)
/etc/rc\.d/init\.d/spamd -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
/etc/rc\.d/init\.d/spampd -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
/etc/rc\.d/init\.d/mimedefang.* -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
-/usr/bin/mimedefang -- gen_context(system_u:object_r:spamd_exec_t,s0)
+/usr/bin/mimedefang -- gen_context(system_u:object_r:spamd_exec_t,s0)
/usr/bin/mimedefang-multiplexor -- gen_context(system_u:object_r:spamd_exec_t,s0)
-/usr/bin/sa-learn -- gen_context(system_u:object_r:spamc_exec_t,s0)
-/usr/bin/spamassassin -- gen_context(system_u:object_r:spamc_exec_t,s0)
-/usr/bin/spamc -- gen_context(system_u:object_r:spamc_exec_t,s0)
-/usr/bin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0)
-/usr/bin/spampd -- gen_context(system_u:object_r:spamd_exec_t,s0)
-/usr/bin/sa-update -- gen_context(system_u:object_r:spamd_update_exec_t,s0)
+/usr/bin/sa-learn -- gen_context(system_u:object_r:spamc_exec_t,s0)
+/usr/bin/spamassassin -- gen_context(system_u:object_r:spamc_exec_t,s0)
+/usr/bin/spamc -- gen_context(system_u:object_r:spamc_exec_t,s0)
+/usr/bin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0)
+/usr/bin/spampd -- gen_context(system_u:object_r:spamd_exec_t,s0)
+/usr/bin/sa-update -- gen_context(system_u:object_r:spamd_update_exec_t,s0)
-/usr/sbin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0)
-/usr/sbin/spampd -- gen_context(system_u:object_r:spamd_exec_t,s0)
+/usr/sbin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0)
+/usr/sbin/spampd -- gen_context(system_u:object_r:spamd_exec_t,s0)
-/var/lib/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0)
+/var/lib/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0)
/var/lib/spamassassin/compiled(/.*)? gen_context(system_u:object_r:spamd_compiled_t,s0)
-/var/log/spamd\.log.* -- gen_context(system_u:object_r:spamd_log_t,s0)
-/var/log/mimedefang.* -- gen_context(system_u:object_r:spamd_log_t,s0)
+/var/log/spamd\.log.* -- gen_context(system_u:object_r:spamd_log_t,s0)
+/var/log/mimedefang.* -- gen_context(system_u:object_r:spamd_log_t,s0)
-/run/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
-/run/spamassassin\.pid gen_context(system_u:object_r:spamd_var_run_t,s0)
+/run/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
+/run/spamassassin\.pid gen_context(system_u:object_r:spamd_var_run_t,s0)
-/var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
-/var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
-/var/spool/spampd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
-/var/spool/MD-Quarantine(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
-/var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
+/var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
+/var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
+/var/spool/spampd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
+/var/spool/MD-Quarantine(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
+/var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-09-15 3:42 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-09-15 3:42 UTC (permalink / raw
To: gentoo-commits
commit: c33f11a936d20aa6ab8975386525a267656f8e1b
Author: Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Mon Sep 11 03:18:29 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Sep 14 19:34:43 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c33f11a9
portage: Allow portage_t and portage_sandbox_t to access locale_t
This didn't crop out until now due to portage's wideranging access, but
it's neccessary now for the map permission.
I'm aware adding the interface directly for portage_t is redundant, but
I'm doing it nevertheless in case we ever remove
portage_compile_domain(portage_t).
policy/modules/contrib/portage.if | 2 ++
policy/modules/contrib/portage.te | 2 ++
2 files changed, 4 insertions(+)
diff --git a/policy/modules/contrib/portage.if b/policy/modules/contrib/portage.if
index 70f657ab..9f7be361 100644
--- a/policy/modules/contrib/portage.if
+++ b/policy/modules/contrib/portage.if
@@ -186,6 +186,8 @@ interface(`portage_compile_domain',`
logging_send_syslog_msg($1)
+ miscfiles_read_localization($1)
+
userdom_use_user_terminals($1)
# SELinux-enabled programs running in the sandbox
diff --git a/policy/modules/contrib/portage.te b/policy/modules/contrib/portage.te
index 2387c941..b0175d83 100644
--- a/policy/modules/contrib/portage.te
+++ b/policy/modules/contrib/portage.te
@@ -203,6 +203,8 @@ auth_manage_shadow(portage_t)
# merging baselayout will need this:
init_exec(portage_t)
+miscfiles_read_localization(portage_t)
+
# run setfiles -r
seutil_run_setfiles(portage_t, portage_roles)
# run semodule
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-09-15 3:42 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-09-15 3:42 UTC (permalink / raw
To: gentoo-commits
commit: 553716fd62a9e2fa69786b099562a965eefd49c8
Author: Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Mon Sep 11 06:40:21 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Sep 14 19:34:44 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=553716fd
portage: Grant the map permissions neccessary for git and install
policy/modules/contrib/portage.if | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/portage.if b/policy/modules/contrib/portage.if
index 9f7be361..6388110e 100644
--- a/policy/modules/contrib/portage.if
+++ b/policy/modules/contrib/portage.if
@@ -105,6 +105,7 @@ interface(`portage_compile_domain',`
manage_dirs_pattern($1, portage_srcrepo_t, portage_srcrepo_t)
manage_files_pattern($1, portage_srcrepo_t, portage_srcrepo_t)
manage_lnk_files_pattern($1, portage_srcrepo_t, portage_srcrepo_t)
+ allow $1 portage_srcrepo_t:file map;
# run scripts out of the build directory
can_exec(portage_sandbox_t, portage_tmp_t)
@@ -193,6 +194,9 @@ interface(`portage_compile_domain',`
# SELinux-enabled programs running in the sandbox
seutil_libselinux_linked($1)
+ # required by install
+ seutil_read_file_contexts($1)
+
tunable_policy(`portage_use_nfs',`
fs_getattr_nfs($1)
fs_manage_nfs_dirs($1)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-09-15 3:42 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-09-15 3:42 UTC (permalink / raw
To: gentoo-commits
commit: 4c8158252151145ddfc2895c096b739346b23eb2
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Tue Sep 12 00:33:22 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Sep 14 19:34:44 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4c815825
Module version bumps for chkrootkit, dkim, dmidecode, portage, and rkhunter.
policy/modules/contrib/chkrootkit.te | 2 +-
policy/modules/contrib/dkim.te | 2 +-
policy/modules/contrib/dmidecode.te | 2 +-
policy/modules/contrib/portage.te | 2 +-
policy/modules/contrib/rkhunter.te | 2 +-
5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/policy/modules/contrib/chkrootkit.te b/policy/modules/contrib/chkrootkit.te
index 007b0623..0d7ceb09 100644
--- a/policy/modules/contrib/chkrootkit.te
+++ b/policy/modules/contrib/chkrootkit.te
@@ -1,4 +1,4 @@
-policy_module(chkrootkit, 1.0.0)
+policy_module(chkrootkit, 1.0.1)
########################################
#
diff --git a/policy/modules/contrib/dkim.te b/policy/modules/contrib/dkim.te
index c853c1cb..4ddefbf8 100644
--- a/policy/modules/contrib/dkim.te
+++ b/policy/modules/contrib/dkim.te
@@ -1,4 +1,4 @@
-policy_module(dkim, 1.6.0)
+policy_module(dkim, 1.6.1)
########################################
#
diff --git a/policy/modules/contrib/dmidecode.te b/policy/modules/contrib/dmidecode.te
index 0e3a6aef..6c97a440 100644
--- a/policy/modules/contrib/dmidecode.te
+++ b/policy/modules/contrib/dmidecode.te
@@ -1,4 +1,4 @@
-policy_module(dmidecode, 1.7.0)
+policy_module(dmidecode, 1.7.1)
########################################
#
diff --git a/policy/modules/contrib/portage.te b/policy/modules/contrib/portage.te
index b0175d83..398b05c3 100644
--- a/policy/modules/contrib/portage.te
+++ b/policy/modules/contrib/portage.te
@@ -1,4 +1,4 @@
-policy_module(portage, 1.15.0)
+policy_module(portage, 1.15.1)
########################################
#
diff --git a/policy/modules/contrib/rkhunter.te b/policy/modules/contrib/rkhunter.te
index caa1680d..17a9e603 100644
--- a/policy/modules/contrib/rkhunter.te
+++ b/policy/modules/contrib/rkhunter.te
@@ -1,4 +1,4 @@
-policy_module(rkhunter, 1.0.0)
+policy_module(rkhunter, 1.0.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-09-09 2:43 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-09-09 2:43 UTC (permalink / raw
To: gentoo-commits
commit: a4ef2b0ef38b8fd901431af5c42297ebbb4f1474
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Fri Sep 1 01:24:47 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Sep 8 22:48:51 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a4ef2b0e
Module version bumps for patches from David Sugar.
policy/modules/contrib/cron.te | 2 +-
policy/modules/contrib/mon.te | 2 +-
policy/modules/contrib/wm.te | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te
index a8818d56..0e03ba14 100644
--- a/policy/modules/contrib/cron.te
+++ b/policy/modules/contrib/cron.te
@@ -1,4 +1,4 @@
-policy_module(cron, 2.12.0)
+policy_module(cron, 2.12.1)
gen_require(`
class passwd rootok;
diff --git a/policy/modules/contrib/mon.te b/policy/modules/contrib/mon.te
index 5e93c7c9..75919cff 100644
--- a/policy/modules/contrib/mon.te
+++ b/policy/modules/contrib/mon.te
@@ -1,4 +1,4 @@
-policy_module(mon, 1.1.0)
+policy_module(mon, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/wm.te b/policy/modules/contrib/wm.te
index 5986812f..5d5c2630 100644
--- a/policy/modules/contrib/wm.te
+++ b/policy/modules/contrib/wm.te
@@ -1,4 +1,4 @@
-policy_module(wm, 1.7.0)
+policy_module(wm, 1.7.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-09-09 2:43 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-09-09 2:43 UTC (permalink / raw
To: gentoo-commits
commit: 1164ecd9b8fb754da79e1d4f3806225d5148e055
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Sep 6 15:03:33 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Sep 8 22:48:51 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1164ecd9
dhcp, logrotate: Module version bump.
policy/modules/contrib/dhcp.te | 2 +-
policy/modules/contrib/logrotate.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/dhcp.te b/policy/modules/contrib/dhcp.te
index 51fc256b..08a5571c 100644
--- a/policy/modules/contrib/dhcp.te
+++ b/policy/modules/contrib/dhcp.te
@@ -1,4 +1,4 @@
-policy_module(dhcp, 1.15.0)
+policy_module(dhcp, 1.15.1)
########################################
#
diff --git a/policy/modules/contrib/logrotate.te b/policy/modules/contrib/logrotate.te
index 77c36f66..0e936771 100644
--- a/policy/modules/contrib/logrotate.te
+++ b/policy/modules/contrib/logrotate.te
@@ -1,4 +1,4 @@
-policy_module(logrotate, 1.19.0)
+policy_module(logrotate, 1.19.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-09-09 2:43 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-09-09 2:43 UTC (permalink / raw
To: gentoo-commits
commit: 0c3ef6276b664ad06dce7ef4bea5d3509148f249
Author: Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org>
AuthorDate: Sun Sep 3 20:19:56 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Sep 8 22:48:51 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0c3ef627
logrotate: allow systemd to start logrotate
On Arch Linux, logrotate is a service launched by systemd:
avc: denied { execute_no_trans } for pid=216 comm="(ogrotate)"
path="/usr/bin/logrotate" dev="vda1" ino=396833
scontext=system_u:system_r:init_t
tcontext=system_u:object_r:logrotate_exec_t tclass=file
permissive=1
policy/modules/contrib/logrotate.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/logrotate.te b/policy/modules/contrib/logrotate.te
index ab2c6152..77c36f66 100644
--- a/policy/modules/contrib/logrotate.te
+++ b/policy/modules/contrib/logrotate.te
@@ -14,6 +14,7 @@ domain_type(logrotate_t)
domain_obj_id_change_exemption(logrotate_t)
domain_system_change_exemption(logrotate_t)
domain_entry_file(logrotate_t, logrotate_exec_t)
+init_system_domain(logrotate_t, logrotate_exec_t)
role logrotate_roles types logrotate_t;
type logrotate_lock_t;
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-09-09 2:43 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-09-09 2:43 UTC (permalink / raw
To: gentoo-commits
commit: 1e01df2ec1241b6ba16abb4b42ab82796ede37b2
Author: Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Wed Sep 6 14:50:37 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Sep 8 22:48:51 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1e01df2e
udev and dhcpd
Allow udev to talk to init via dbus and get generic unit status.
Add correct labeling for dhcpd6.leases file.
policy/modules/contrib/dhcp.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/dhcp.fc b/policy/modules/contrib/dhcp.fc
index c4166794..a58b1103 100644
--- a/policy/modules/contrib/dhcp.fc
+++ b/policy/modules/contrib/dhcp.fc
@@ -8,5 +8,6 @@
/var/lib/dhcpd(/.*)? gen_context(system_u:object_r:dhcpd_state_t,s0)
/var/lib/dhcp(3)?/dhcpd\.leases.* -- gen_context(system_u:object_r:dhcpd_state_t,s0)
+/var/lib/dhcp/dhcpd6\.leases.* -- gen_context(system_u:object_r:dhcpd_state_t,s0)
/run/dhcpd(6)?\.pid -- gen_context(system_u:object_r:dhcpd_var_run_t,s0)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-09-09 2:43 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-09-09 2:43 UTC (permalink / raw
To: gentoo-commits
commit: c5fa34fb27569f5e6710a0b323221219e03b025c
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> com>
AuthorDate: Fri Aug 25 16:51:24 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Sep 8 22:48:51 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c5fa34fb
libmtp: read symlinks in user home directories
Let libmtp read symbolic links in the user home
directories, if the "libmtp_enable_home_dirs"
boolean is enabled.
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.com>
policy/modules/contrib/libmtp.te | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/libmtp.te b/policy/modules/contrib/libmtp.te
index 64c851e3..bacfb1b7 100644
--- a/policy/modules/contrib/libmtp.te
+++ b/policy/modules/contrib/libmtp.te
@@ -7,8 +7,8 @@ policy_module(libmtp, 1.0.0)
## <desc>
## <p>
-## Determine whether libmtp can
-## manage the user home directories
+## Determine whether libmtp can read
+## and manage the user home directories
## and files.
## </p>
## </desc>
@@ -55,5 +55,6 @@ optional_policy(`
tunable_policy(`libmtp_enable_home_dirs',`
userdom_manage_user_home_content_files(libmtp_t)
+ userdom_read_user_home_content_symlinks(libmtp_t)
userdom_user_home_dir_filetrans_user_home_content(libmtp_t, file )
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-09-09 2:43 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-09-09 2:43 UTC (permalink / raw
To: gentoo-commits
commit: 6a83af6917028efbce2bc00e2f9c8d850f42ed4d
Author: David Sugar <dsugar <AT> tresys <DOT> com>
AuthorDate: Wed Aug 30 16:09:53 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Sep 8 22:48:51 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6a83af69
wm: consolidate networkmanger interface calls into single optional
There was a networkmanager_* interface use not in an optional block. I moved it into an existing optional block that already had another networkmanager_* interface use.
policy/modules/contrib/wm.te | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/policy/modules/contrib/wm.te b/policy/modules/contrib/wm.te
index 65b57a4a..5986812f 100644
--- a/policy/modules/contrib/wm.te
+++ b/policy/modules/contrib/wm.te
@@ -70,8 +70,6 @@ miscfiles_read_fonts(wm_domain)
miscfiles_read_generic_certs(wm_domain)
miscfiles_read_localization(wm_domain)
-networkmanager_read_etc_files(wm_domain)
-
udev_read_pid_files(wm_domain)
# the following is needed by gnome-shell
@@ -123,6 +121,7 @@ optional_policy(`
optional_policy(`
networkmanager_dbus_chat(wm_domain)
+ networkmanager_read_etc_files(wm_domain)
')
optional_policy(`
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-09-09 2:43 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-09-09 2:43 UTC (permalink / raw
To: gentoo-commits
commit: dbc0cc1a246bd7680fdaa81da3ee493366cf3115
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Aug 5 16:59:42 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Sep 8 22:48:51 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=dbc0cc1a
Update Changelog for release.
policy/modules/contrib/Changelog | 171 +++++++++++++++++++++++++++++++++++++++
1 file changed, 171 insertions(+)
diff --git a/policy/modules/contrib/Changelog b/policy/modules/contrib/Changelog
index 907847ca..2a6e15b4 100644
--- a/policy/modules/contrib/Changelog
+++ b/policy/modules/contrib/Changelog
@@ -1,3 +1,174 @@
+* Sat Aug 05 2017 Chris PeBenito <pebenito@ieee.org> - 2.20170805
+Chris PeBenito (82):
+ Create / to /usr equivalence for bin, sbin, and lib, from Russell Coker.
+ Module version bump for usrmerge FC fixes from Jason Zaman.
+ mon policy from Russell Coker.
+ Module version bump for cups patches from Guido Trentalancia.
+ Module version bump for tbird and mozilla printing from Guido
+ Trentalancia.
+ Revert "cups/lpd: read permission for cupsd_var_run_t socket files"
+ Module version bump for cups revert.
+ Sort capabilities permissions from Russell Coker.
+ Little misc patch from Russell Coker.
+ mon: Fix deprecated interface usage.
+ dpkg: Updates from Russell Coker.
+ Monit policy from Russell Coker and cgzones.
+ monit: Fix build error.
+ fetchmail, mysql, tor: Misc fixes from Russell Coker.
+ Merge branch 'alsa_module' of git://github.com/cgzones/refpolicy-contrib
+ Merge branch 'vnstat_module' of git://github.com/cgzones/refpolicy-contrib
+ Module version bump for alsa and vnstatd fixes from cgzones.
+ Merge branch 'ntp_module' of git://github.com/cgzones/refpolicy-contrib
+ Module version bump for ntp fixes from cgzones.
+ samba: A few line moves.
+ Module version bump for samba patch from Russell Coker.
+ Systemd fixes from Russell Coker.
+ Xen fixes from Russell Coker.
+ mailman: Fixes from Russell Coker.
+ MTA fixes from Russell Coker.
+ Network daemon patches from Russell Coker.
+ apache: Fix CI error.
+ Merge branch 'modutils_adapt_interfaces' of
+ git://github.com/cgzones/refpolicy-contrib
+ Merge branch 'corecmd_read_bin_symlinks' of
+ git://github.com/cgzones/refpolicy-contrib
+ Module version bumps for fixes from cgzones.
+ Merge branch 'mandb' of git://github.com/cgzones/refpolicy-contrib
+ Merge branch 'dphysswapfile' of git://github.com/cgzones/refpolicy-contrib
+ Module version bump for dphysswapfile and mandb fixes from cgzones.
+ Merge branch 'var_run_filecontext' of
+ git://github.com/cgzones/refpolicy-contrib
+ Merge branch 'vnstatd' of git://github.com/cgzones/refpolicy-contrib
+ Module version bump for fixes from cgzones.
+ dontaudit net_admin for SO_SNDBUFFORCE
+ /var/run -> /run again
+ Merge branch 'monit' of git://github.com/cgzones/refpolicy-contrib
+ Module version bump for monit patch from cgzones.
+ systemd-resolvd, sessions, and tmpfiles take2
+ Misc fc changes from Russell Coker.
+ Systemd-related changes from Russell Coker.
+ networkmanager: adjust interface docs format.
+ wm: interface docs adjustment.
+ Module version bump for misc fixes from Guido Trentalancia.
+ systemd init from Russell Coker
+ misc daemons from Russell Coker.
+ logging patches from Russell Coker
+ kmod, lvm, brctl patches from Russell Coker
+ devicekit, mount, xserver, and selinuxutil from Russell Coker
+ some userdomain patches from Russell Coker
+ Module version bump for gnome fix from Guido Trentalancia.
+ apache: Move blocks. No rule changes.
+ Module version bump for changes from Sven Vermeulen and Guido
+ Trentalancia.
+ login take 4 from Russell Coker.
+ Rename apm to acpi from Russell Coker.
+ Module version bump for patches from Russell Coker.
+ some little misc things from Russell Coker.
+ apt/dpkg strict patches from Russell Coker.
+ Module version bump for minor fixes from Guido Trentalancia.
+ Merge branch 'usr_bin_fc' of
+ git://github.com/fishilico/selinux-refpolicy-contrib
+ Module version bump for /usr/bin fc fixes from Nicolas Iooss.
+ Module version bump for chronyd changes from Luis Ressel.
+ openoffice: Move ooffice_rw_tmp_files() implementation.
+ Module version bump for openoffice fix from Guido Trentalancia.
+ libmtp: move lines
+ Module version bump for fixes from Guido Trentalancia.
+ Module version bump for mmap fixes from Stephen Smalley.
+ Module version bump for misc patches from Guido Trentalancia.
+ gpg: Fix overspecified dependencies in gpg_agent_tmp_filetrans.
+ dirmngr: Whitespace fixes.
+ Module version bumps for patches from Jason Zaman.
+ cgmanager: Move lines
+ Module version bumps for patches from Jason Zaman.
+ gpg: Module version bump for patch from Guido Trentalancia.
+ mozilla: Module version bump for patch from Luis Ressel.
+ rkhunter: Fix module version and move lines.
+ Module version bump for patches from cgzones.
+ chkrootkit: Fix module version.
+ Module version bump for patches from cgzones.
+ Bump module versions for release.
+
+Guido Trentalancia (28):
+ cups: read permission for cupsd_var_run_t socket files in
+ cups_stream_connect()
+ cups/lpd: read permission for cupsd_var_run_t socket files
+ thunderbird: allow stream connections to cups so that it can print
+ mozilla: allow stream connections to cups so that it can print
+ java: enable interactive use
+ evolution: add dbus acquire service permission
+ evolution: do not audit kernel read state
+ evolution: add some critical permissions
+ mozilla: read hardware state information
+ mozilla: add a permission
+ wm: load the NetworkManager applet
+ wm: interactive start
+ Gnome and Evolution dbus chat permissions
+ openoffice: support starting it from the window manager
+ evolution: minor fixes and updates
+ java: error messages terminal printout
+ loadkeys: use init fds (system bootup)
+ plymouth: pid interface usability
+ shutdown: send msg to syslog
+ openoffice: open files retrieved using mozilla
+ contrib: new libmtp module
+ openoffice: minor update
+ gnome: improved integration with openoffice
+ cups: let hplip read udev pid files
+ dbus: let session bus daemon manage user runtime dirs
+ zabbix: Grant zabbix_agent_t to call setrlimit on self
+ ntp: fix the drift file context and transition
+ gpg: manage user runtime socket files and directories
+
+Jason Zaman (12):
+ usrmerge: Add missed /usr fcontexts
+ java: update fcontexts for new versions of icedtea
+ dirmngr: add to roles and allow gpg to domtrans
+ gpg dirmngr: create and connect to socket
+ dirmngr: fcontext for ~/.gnupg/crls.d/
+ dirmngr: Network rules to connect to keyserver
+ cgmanager: add policy from gentoo
+ consolekit: Add support for consolekit2
+ consolekit: allow purging tmp
+ consolekit: introduce consolekit_use_inhibit_lock interface
+ dbus: use consolekit inhibit locks
+ networkmanager: use consolekit inhibit locks
+
+Luis Ressel (3):
+ chronyd: Re-align fc file
+ chronyd: Allow init scripts to create /run/chrony
+ mozilla: Add fc for the files used by the firefox addon "vimperator"
+
+Nicolas Iooss (1):
+ Support systems with a single /usr/bin directory
+
+Russell Coker (1):
+ patch for samba
+
+Stephen Smalley (1):
+ contrib: allow map permission where needed
+
+Sven Vermeulen (1):
+ rpc_* interfaces should be wrapped by optional_policy()
+
+cgzones (16):
+ update ntp module
+ update alsa module
+ vnstatd: update module
+ corecmd_read_bin_symlinks(): remove deprecated and redundant calls
+ modutils: adopt calls to new interfaces
+ vnstatd: update
+ dphysswapfile: update
+ monit: update
+ mandb: update
+ logrotate: reload monit after log rotation
+ remove /var/run file context lefovers, add dbus exception
+ monit: add syslog access and support for monit systemd service
+ rkhunter: add policy module
+ arpwatch: align file contexts
+ chkrootkit: add policy module
+ arpwatch: update
+
* Sat Feb 04 2017 Chris PeBenito <pebenito@ieee.org> - 2.20170204
Chris PeBenito (41):
Module version bump for patches from Jason Zaman.
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-09-09 2:43 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-09-09 2:43 UTC (permalink / raw
To: gentoo-commits
commit: a43e66289e81dcc53f4069387a15929f67db476f
Author: David Sugar <dsugar <AT> tresys <DOT> com>
AuthorDate: Wed Aug 30 16:07:07 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Sep 8 22:48:51 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a43e6628
cron: optional_policy for mta_* interfaces
Patch to allow turning off of the mta module and still have cron module available.
This version consolidates all mta_* interface uses into single optional block.
policy/modules/contrib/cron.te | 26 +++++++++++++++++---------
1 file changed, 17 insertions(+), 9 deletions(-)
diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te
index 27467232..a8818d56 100644
--- a/policy/modules/contrib/cron.te
+++ b/policy/modules/contrib/cron.te
@@ -43,7 +43,6 @@ application_executable_file(anacron_exec_t)
type cron_spool_t;
files_type(cron_spool_t)
-mta_system_content(cron_spool_t)
type cron_var_lib_t;
files_type(cron_var_lib_t)
@@ -74,14 +73,12 @@ init_script_file(crond_initrc_exec_t)
type crond_tmp_t;
files_tmp_file(crond_tmp_t)
files_poly_parent(crond_tmp_t)
-mta_system_content(crond_tmp_t)
type crond_unit_t;
init_unit_file(crond_unit_t)
type crond_var_run_t;
files_pid_file(crond_var_run_t)
-mta_system_content(crond_var_run_t)
type crontab_exec_t;
application_executable_file(crontab_exec_t)
@@ -98,7 +95,6 @@ typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
type system_cron_spool_t, cron_spool_type;
files_type(system_cron_spool_t)
-mta_system_content(system_cron_spool_t)
type system_cronjob_t alias system_crond_t;
init_daemon_domain(system_cronjob_t, anacron_exec_t)
@@ -122,7 +118,23 @@ typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t uncon
typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
files_type(user_cron_spool_t)
ubac_constrained(user_cron_spool_t)
-mta_system_content(user_cron_spool_t)
+
+type user_cron_spool_log_t;
+logging_log_file(user_cron_spool_log_t)
+ubac_constrained(user_cron_spool_log_t)
+
+ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh)
+')
+
+optional_policy(`
+ mta_system_content(cron_spool_t)
+ mta_system_content(crond_tmp_t)
+ mta_system_content(crond_var_run_t)
+ mta_system_content(system_cron_spool_t)
+ mta_system_content(user_cron_spool_t)
+ mta_system_content(user_cron_spool_log_t)
+')
ifdef(`distro_gentoo',`
# Logging for atd jobs
@@ -132,10 +144,6 @@ ifdef(`distro_gentoo',`
logging_syslog_managed_log_file(cron_log_t, "cron.log")
')
-ifdef(`enable_mcs',`
- init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh)
-')
-
##############################
#
# Common crontab local policy
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-09-09 2:43 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-09-09 2:43 UTC (permalink / raw
To: gentoo-commits
commit: 59f50e30e06ae7cd6351301188d46b7be6b705f2
Author: Tom Gundersen <teg <AT> jklm <DOT> no>
AuthorDate: Sat Aug 12 18:10:09 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Sep 8 22:48:51 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=59f50e30
dbus: add policy for dbus-broker
dbus-broker is a drop in replacement for dbus-daemon. It can therefore
mostly simply rely on the existing dbus policy module. However, it also
needs to have its binaries labeled correctly, and it needs permission to
perform the D-Bus method call StartTransientUnit on PID1, which
dbus-daemon did not.
For details see <https://github.com/bus1/dbus-broker/wiki>.
policy/modules/contrib/dbus.fc | 2 ++
policy/modules/contrib/dbus.te | 1 +
2 files changed, 3 insertions(+)
diff --git a/policy/modules/contrib/dbus.fc b/policy/modules/contrib/dbus.fc
index eba45221..c18fd7fd 100644
--- a/policy/modules/contrib/dbus.fc
+++ b/policy/modules/contrib/dbus.fc
@@ -8,6 +8,8 @@ HOME_DIR/\.dbus(/.*)? gen_context(system_u:object_r:session_dbusd_home_t,s0)
/run/user/%{USERID}/dbus-1(/.*)? gen_context(system_u:object_r:session_dbusd_runtime_t,s0)
/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+/usr/bin/dbus-broker-launch -- gen_context(system_u:object_r:dbusd_exec_t,s0) # needed by dbus-broker
+/usr/bin/dbus-broker -- gen_context(system_u:object_r:dbusd_exec_t,s0) # needed by dbus-broker
/usr/lib/dbus-.*/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index 280dd8de..bd8a7d54 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -133,6 +133,7 @@ auth_read_pam_console_data(system_dbusd_t)
init_use_fds(system_dbusd_t)
init_use_script_ptys(system_dbusd_t)
init_all_labeled_script_domtrans(system_dbusd_t)
+init_start_system(system_dbusd_t) # needed by dbus-broker
logging_send_audit_msgs(system_dbusd_t)
logging_send_syslog_msg(system_dbusd_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-09-09 2:43 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-09-09 2:43 UTC (permalink / raw
To: gentoo-commits
commit: 86c6eda1c337276e058efa31d79fb26f65b7f643
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Aug 16 23:59:56 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Sep 8 22:48:51 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=86c6eda1
dbus: Module version bump for dbus-broker patch from Tom Gundersen.
policy/modules/contrib/dbus.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index bd8a7d54..419a04bc 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -1,4 +1,4 @@
-policy_module(dbus, 1.23.0)
+policy_module(dbus, 1.23.1)
gen_require(`
class dbus all_dbus_perms;
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-09-09 2:43 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-09-09 2:43 UTC (permalink / raw
To: gentoo-commits
commit: 6e4ce53825874b005a6d13c2fbd08d6b7d89472b
Author: Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org>
AuthorDate: Wed Aug 23 19:36:42 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Sep 8 22:48:51 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6e4ce538
dbus: move comments out of the file context definitions
When loading module dbus from Reference Policy's git master, semodule
fails:
Invalid syntax
Bad context
Bad filecon declaration at
/var/lib/selinux/refpolicy/tmp/modules/400/dbus/cil:734
semodule: Failed!
"/usr/lib/selinux/hll/pp dbus.pp" generates the following lines
(prefixed by the line number):
733 (filecon "/usr/bin/dbus-daemon(-1)?" file (system_u object_r
dbusd_exec_t (systemlow systemlow)))
734 (filecon "/usr/bin/dbus-broker-launch" file (system_u object_r
dbusd_exec_t # needed by dbus-broker (systemlow systemlow)))
735 (filecon "/usr/bin/dbus-broker" file (system_u object_r
dbusd_exec_t # needed by dbus-broker (systemlow systemlow)))
The comments need to be on their own lines in order to be ignored by
semodule.
policy/modules/contrib/dbus.fc | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/dbus.fc b/policy/modules/contrib/dbus.fc
index c18fd7fd..e9a13ee9 100644
--- a/policy/modules/contrib/dbus.fc
+++ b/policy/modules/contrib/dbus.fc
@@ -8,8 +8,10 @@ HOME_DIR/\.dbus(/.*)? gen_context(system_u:object_r:session_dbusd_home_t,s0)
/run/user/%{USERID}/dbus-1(/.*)? gen_context(system_u:object_r:session_dbusd_runtime_t,s0)
/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0)
-/usr/bin/dbus-broker-launch -- gen_context(system_u:object_r:dbusd_exec_t,s0) # needed by dbus-broker
-/usr/bin/dbus-broker -- gen_context(system_u:object_r:dbusd_exec_t,s0) # needed by dbus-broker
+
+# needed by dbus-broker
+/usr/bin/dbus-broker-launch -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+/usr/bin/dbus-broker -- gen_context(system_u:object_r:dbusd_exec_t,s0)
/usr/lib/dbus-.*/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-09-09 2:43 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-09-09 2:43 UTC (permalink / raw
To: gentoo-commits
commit: dcfaea2c5b06a3c34147b7a51894eca31430f25b
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> com>
AuthorDate: Fri Aug 25 19:12:34 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Sep 8 22:48:51 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=dcfaea2c
spamassassin: update rules for the Bayesian classifier trainer
Update the spamassassin module with rules for the
Bayesian classifier trainer.
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.com>
policy/modules/contrib/spamassassin.te | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/policy/modules/contrib/spamassassin.te b/policy/modules/contrib/spamassassin.te
index fc2a0ac4..21ed2b4c 100644
--- a/policy/modules/contrib/spamassassin.te
+++ b/policy/modules/contrib/spamassassin.te
@@ -206,6 +206,9 @@ corenet_tcp_connect_all_ports(spamc_t)
corecmd_exec_bin(spamc_t)
+dev_read_rand(spamc_t)
+dev_read_urand(spamc_t)
+
domain_use_interactive_fds(spamc_t)
fs_getattr_all_fs(spamc_t)
@@ -223,6 +226,8 @@ logging_send_syslog_msg(spamc_t)
miscfiles_read_localization(spamc_t)
+userdom_use_inherited_user_terminals(spamc_t)
+
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(spamc_t)
fs_manage_nfs_files(spamc_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-09-09 2:43 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-09-09 2:43 UTC (permalink / raw
To: gentoo-commits
commit: 4415515602830a864de3212284013eac37767b5c
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Aug 13 20:14:05 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Sep 8 22:48:51 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=44155156
Remove complement and wildcard in allow rules.
Remove complement (~) and wildcard (*) in allow rules so that there are no
unintentional additions when new permissions are declared.
This patch does not add or remove permissions from any rules.
policy/modules/contrib/apache.te | 2 +-
policy/modules/contrib/cron.te | 4 ++--
policy/modules/contrib/cyrus.te | 2 +-
policy/modules/contrib/dbus.if | 4 ++--
policy/modules/contrib/dpkg.te | 2 +-
policy/modules/contrib/imaze.te | 2 +-
policy/modules/contrib/logrotate.te | 2 +-
policy/modules/contrib/nscd.if | 2 +-
policy/modules/contrib/portage.if | 3 +--
policy/modules/contrib/portslave.te | 3 +--
policy/modules/contrib/razor.te | 2 +-
policy/modules/contrib/remotelogin.te | 2 +-
policy/modules/contrib/rpm.te | 5 ++---
| 2 +-
policy/modules/contrib/samba.te | 4 ++--
policy/modules/contrib/spamassassin.te | 6 +++---
policy/modules/contrib/squid.te | 2 +-
policy/modules/contrib/userhelper.te | 2 +-
policy/modules/contrib/usernetctl.te | 2 +-
policy/modules/contrib/vmware.te | 3 +--
policy/modules/contrib/webalizer.te | 2 +-
policy/modules/contrib/yam.te | 2 +-
22 files changed, 28 insertions(+), 32 deletions(-)
diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index 7c41358d..e39b7951 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -379,7 +379,7 @@ optional_policy(`
allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config };
dontaudit httpd_t self:capability net_admin;
-allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow httpd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
allow httpd_t self:fd use;
allow httpd_t self:sock_file read_sock_file_perms;
allow httpd_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te
index 8991b2c8..27467232 100644
--- a/policy/modules/contrib/cron.te
+++ b/policy/modules/contrib/cron.te
@@ -219,8 +219,8 @@ tunable_policy(`fcron_crond',`
allow crond_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_nice };
dontaudit crond_t self:capability { sys_resource sys_tty_config };
-allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
-allow crond_t self:process { setexec setfscreate };
+
+allow crond_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
allow crond_t self:fd use;
allow crond_t self:fifo_file rw_fifo_file_perms;
allow crond_t self:unix_dgram_socket sendto;
diff --git a/policy/modules/contrib/cyrus.te b/policy/modules/contrib/cyrus.te
index 02c0a746..816cf457 100644
--- a/policy/modules/contrib/cyrus.te
+++ b/policy/modules/contrib/cyrus.te
@@ -31,7 +31,7 @@ files_pid_file(cyrus_var_run_t)
allow cyrus_t self:capability { dac_override setgid setuid sys_resource };
dontaudit cyrus_t self:capability sys_tty_config;
-allow cyrus_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow cyrus_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
allow cyrus_t self:process setrlimit;
allow cyrus_t self:fd use;
allow cyrus_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/dbus.if b/policy/modules/contrib/dbus.if
index 32824d9a..4f62c23a 100644
--- a/policy/modules/contrib/dbus.if
+++ b/policy/modules/contrib/dbus.if
@@ -460,10 +460,10 @@ interface(`dbus_send_system_bus',`
interface(`dbus_system_bus_unconfined',`
gen_require(`
type system_dbusd_t;
- class dbus all_dbus_perms;
+ class dbus { acquire_svc send_msg };
')
- allow $1 system_dbusd_t:dbus *;
+ allow $1 system_dbusd_t:dbus { acquire_svc send_msg };
')
########################################
diff --git a/policy/modules/contrib/dpkg.te b/policy/modules/contrib/dpkg.te
index 9c59f073..e165fec3 100644
--- a/policy/modules/contrib/dpkg.te
+++ b/policy/modules/contrib/dpkg.te
@@ -203,7 +203,7 @@ optional_policy(`
#
allow dpkg_script_t self:capability { audit_write chown dac_override dac_read_search fowner fsetid ipc_lock kill mknod net_admin setfcap setgid setuid sys_chroot sys_nice sys_ptrace };
-allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap };
+allow dpkg_script_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
allow dpkg_script_t self:fd use;
allow dpkg_script_t self:fifo_file rw_fifo_file_perms;
allow dpkg_script_t self:unix_dgram_socket create_socket_perms;
diff --git a/policy/modules/contrib/imaze.te b/policy/modules/contrib/imaze.te
index f7b386b4..7649b91a 100644
--- a/policy/modules/contrib/imaze.te
+++ b/policy/modules/contrib/imaze.te
@@ -25,7 +25,7 @@ files_pid_file(imazesrv_var_run_t)
#
dontaudit imazesrv_t self:capability sys_tty_config;
-allow imazesrv_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow imazesrv_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
allow imazesrv_t self:fifo_file rw_fifo_file_perms;
allow imazesrv_t self:tcp_socket { accept listen };
allow imazesrv_t self:unix_dgram_socket sendto;
diff --git a/policy/modules/contrib/logrotate.te b/policy/modules/contrib/logrotate.te
index 4593e98f..ab2c6152 100644
--- a/policy/modules/contrib/logrotate.te
+++ b/policy/modules/contrib/logrotate.te
@@ -37,7 +37,7 @@ role system_r types logrotate_mail_t;
#
allow logrotate_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_nice sys_resource };
-allow logrotate_t self:process ~{ ptrace setcurrent setexec execmem execstack execheap };
+allow logrotate_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
allow logrotate_t self:fd use;
allow logrotate_t self:key manage_key_perms;
allow logrotate_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/nscd.if b/policy/modules/contrib/nscd.if
index c83635fe..d6b3687a 100644
--- a/policy/modules/contrib/nscd.if
+++ b/policy/modules/contrib/nscd.if
@@ -226,7 +226,7 @@ interface(`nscd_unconfined',`
class nscd all_nscd_perms;
')
- allow $1 nscd_t:nscd *;
+ allow $1 nscd_t:nscd { getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost getserv shmemserv };
')
########################################
diff --git a/policy/modules/contrib/portage.if b/policy/modules/contrib/portage.if
index cad9b9f1..32f39a22 100644
--- a/policy/modules/contrib/portage.if
+++ b/policy/modules/contrib/portage.if
@@ -74,8 +74,7 @@ interface(`portage_compile_domain',`
allow $1 self:capability { chown dac_override fowner fsetid mknod net_raw setgid setuid };
dontaudit $1 self:capability sys_chroot;
- allow $1 self:process { setpgid setsched setrlimit signal_perms execmem setfscreate };
- allow $1 self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap };
+ allow $1 self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh setrlimit rlimitinh dyntransition execmem setkeycreate setsockcreate getrlimit };
allow $1 self:fd use;
allow $1 self:fifo_file rw_fifo_file_perms;
allow $1 self:shm create_shm_perms;
diff --git a/policy/modules/contrib/portslave.te b/policy/modules/contrib/portslave.te
index 64282695..1d61734d 100644
--- a/policy/modules/contrib/portslave.te
+++ b/policy/modules/contrib/portslave.te
@@ -23,8 +23,7 @@ files_lock_file(portslave_lock_t)
allow portslave_t self:capability { fsetid net_admin net_bind_service setgid setuid sys_tty_config };
dontaudit portslave_t self:capability sys_admin;
-allow portslave_t self:process signal_perms;
-allow portslave_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow portslave_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
allow portslave_t self:fd use;
allow portslave_t self:fifo_file rw_fifo_file_perms;
allow portslave_t self:unix_dgram_socket sendto;
diff --git a/policy/modules/contrib/razor.te b/policy/modules/contrib/razor.te
index 68455f90..8497f9af 100644
--- a/policy/modules/contrib/razor.te
+++ b/policy/modules/contrib/razor.te
@@ -45,7 +45,7 @@ role system_r types system_razor_t;
# Common razor domain local policy
#
-allow razor_domain self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow razor_domain self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
allow razor_domain self:fd use;
allow razor_domain self:fifo_file rw_fifo_file_perms;
allow razor_domain self:unix_dgram_socket sendto;
diff --git a/policy/modules/contrib/remotelogin.te b/policy/modules/contrib/remotelogin.te
index 0d171e23..bc2292e3 100644
--- a/policy/modules/contrib/remotelogin.te
+++ b/policy/modules/contrib/remotelogin.te
@@ -19,7 +19,7 @@ files_tmp_file(remote_login_tmp_t)
#
allow remote_login_t self:capability { chown dac_override fowner fsetid kill net_bind_service setgid setuid sys_nice sys_resource sys_tty_config };
-allow remote_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow remote_login_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
allow remote_login_t self:process { setrlimit setexec };
allow remote_login_t self:fd use;
allow remote_login_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te
index 4f7edc84..44e8c7b5 100644
--- a/policy/modules/contrib/rpm.te
+++ b/policy/modules/contrib/rpm.te
@@ -74,8 +74,7 @@ files_tmpfs_file(rpm_script_tmpfs_t)
#
allow rpm_t self:capability { chown dac_override fowner fsetid ipc_lock mknod setfcap setgid setuid sys_chroot sys_nice sys_tty_config };
-allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execstack execheap };
-allow rpm_t self:process { getattr setexec setfscreate setrlimit };
+allow rpm_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition execmem setkeycreate setsockcreate getrlimit };
allow rpm_t self:fd use;
allow rpm_t self:fifo_file rw_fifo_file_perms;
allow rpm_t self:unix_dgram_socket sendto;
@@ -242,7 +241,7 @@ optional_policy(`
#
allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid ipc_lock kill mknod net_admin setgid setuid sys_admin sys_chroot sys_nice sys_rawio };
-allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execheap };
+allow rpm_script_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition execmem execstack setkeycreate setsockcreate getrlimit };
allow rpm_script_t self:fd use;
allow rpm_script_t self:fifo_file rw_fifo_file_perms;
allow rpm_script_t self:unix_dgram_socket sendto;
--git a/policy/modules/contrib/rssh.te b/policy/modules/contrib/rssh.te
index cf6dd81e..91a89f65 100644
--- a/policy/modules/contrib/rssh.te
+++ b/policy/modules/contrib/rssh.te
@@ -42,7 +42,7 @@ userdom_user_home_content(rssh_rw_t)
# Local policy
#
-allow rssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow rssh_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
allow rssh_t self:fd use;
allow rssh_t self:fifo_file rw_fifo_file_perms;
allow rssh_t self:unix_dgram_socket sendto;
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
index 12e9f567..f61077fa 100644
--- a/policy/modules/contrib/samba.te
+++ b/policy/modules/contrib/samba.te
@@ -269,7 +269,7 @@ optional_policy(`
allow smbd_t self:capability { chown dac_override dac_read_search fowner fsetid kill lease setgid setuid sys_admin sys_chroot sys_nice sys_resource };
dontaudit smbd_t self:capability sys_tty_config;
-allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
+allow smbd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
allow smbd_t self:fd use;
allow smbd_t self:fifo_file rw_fifo_file_perms;
allow smbd_t self:msg { send receive };
@@ -518,7 +518,7 @@ optional_policy(`
#
dontaudit nmbd_t self:capability sys_tty_config;
-allow nmbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow nmbd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
allow nmbd_t self:fd use;
allow nmbd_t self:fifo_file rw_fifo_file_perms;
allow nmbd_t self:msg { send receive };
diff --git a/policy/modules/contrib/spamassassin.te b/policy/modules/contrib/spamassassin.te
index f402bc7d..fc2a0ac4 100644
--- a/policy/modules/contrib/spamassassin.te
+++ b/policy/modules/contrib/spamassassin.te
@@ -89,7 +89,7 @@ files_pid_file(spamd_var_run_t)
# Standalone local policy
#
-allow spamassassin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow spamassassin_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
allow spamassassin_t self:fd use;
allow spamassassin_t self:fifo_file rw_fifo_file_perms;
allow spamassassin_t self:unix_dgram_socket sendto;
@@ -169,7 +169,7 @@ optional_policy(`
#
allow spamc_t self:capability dac_override;
-allow spamc_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow spamc_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
allow spamc_t self:fd use;
allow spamc_t self:fifo_file rw_fifo_file_perms;
allow spamc_t self:unix_dgram_socket sendto;
@@ -273,7 +273,7 @@ optional_policy(`
allow spamd_t self:capability { dac_override kill setgid setuid sys_tty_config };
dontaudit spamd_t self:capability sys_tty_config;
-allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow spamd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
allow spamd_t self:fd use;
allow spamd_t self:fifo_file rw_fifo_file_perms;
allow spamd_t self:unix_dgram_socket sendto;
diff --git a/policy/modules/contrib/squid.te b/policy/modules/contrib/squid.te
index 41b0b75b..a9093f5f 100644
--- a/policy/modules/contrib/squid.te
+++ b/policy/modules/contrib/squid.te
@@ -61,7 +61,7 @@ files_pid_file(squid_var_run_t)
allow squid_t self:capability { dac_override kill setgid setuid sys_resource };
dontaudit squid_t self:capability sys_tty_config;
-allow squid_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
+allow squid_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
allow squid_t self:fifo_file rw_fifo_file_perms;
allow squid_t self:fd use;
allow squid_t self:shm create_shm_perms;
diff --git a/policy/modules/contrib/userhelper.te b/policy/modules/contrib/userhelper.te
index 35fbda6f..bffbc94c 100644
--- a/policy/modules/contrib/userhelper.te
+++ b/policy/modules/contrib/userhelper.te
@@ -95,7 +95,7 @@ optional_policy(`
#
allow userhelper_type self:capability { chown dac_override net_bind_service setgid setuid sys_tty_config };
-allow userhelper_type self:process ~{ ptrace setcurrent setfscreate setrlimit execmem execstack execheap };
+allow userhelper_type self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
allow userhelper_type self:fd use;
allow userhelper_type self:fifo_file rw_fifo_file_perms;
allow userhelper_type self:shm create_shm_perms;
diff --git a/policy/modules/contrib/usernetctl.te b/policy/modules/contrib/usernetctl.te
index 97ebe828..4ef6f9b2 100644
--- a/policy/modules/contrib/usernetctl.te
+++ b/policy/modules/contrib/usernetctl.te
@@ -19,7 +19,7 @@ role usernetctl_roles types usernetctl_t;
#
allow usernetctl_t self:capability { dac_override setgid setuid };
-allow usernetctl_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow usernetctl_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
allow usernetctl_t self:fd use;
allow usernetctl_t self:fifo_file rw_fifo_file_perms;
allow usernetctl_t self:unix_dgram_socket sendto;
diff --git a/policy/modules/contrib/vmware.te b/policy/modules/contrib/vmware.te
index 6d2e10d6..441fe9ef 100644
--- a/policy/modules/contrib/vmware.te
+++ b/policy/modules/contrib/vmware.te
@@ -188,8 +188,7 @@ optional_policy(`
allow vmware_t self:capability { chown dac_override setgid setuid sys_admin sys_nice sys_rawio sys_resource };
dontaudit vmware_t self:capability sys_tty_config;
-allow vmware_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-allow vmware_t self:process { execmem execstack };
+allow vmware_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition execmem execstack setkeycreate setsockcreate getrlimit };
allow vmware_t self:fd use;
allow vmware_t self:fifo_file rw_fifo_file_perms;
allow vmware_t self:unix_dgram_socket { create_socket_perms sendto };
diff --git a/policy/modules/contrib/webalizer.te b/policy/modules/contrib/webalizer.te
index faea9beb..da454655 100644
--- a/policy/modules/contrib/webalizer.te
+++ b/policy/modules/contrib/webalizer.te
@@ -31,7 +31,7 @@ files_type(webalizer_var_lib_t)
#
allow webalizer_t self:capability dac_override;
-allow webalizer_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow webalizer_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
allow webalizer_t self:fd use;
allow webalizer_t self:fifo_file rw_fifo_file_perms;
allow webalizer_t self:unix_dgram_socket sendto;
diff --git a/policy/modules/contrib/yam.te b/policy/modules/contrib/yam.te
index 4927d4d7..b451e6e8 100644
--- a/policy/modules/contrib/yam.te
+++ b/policy/modules/contrib/yam.te
@@ -27,7 +27,7 @@ files_tmp_file(yam_tmp_t)
#
allow yam_t self:capability { chown dac_override fowner fsetid };
-allow yam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execstack execheap };
+allow yam_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition execmem setkeycreate setsockcreate getrlimit };
allow yam_t self:fd use;
allow yam_t self:fifo_file rw_fifo_file_perms;
allow yam_t self:unix_stream_socket { accept connectto listen };
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-09-09 2:43 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-09-09 2:43 UTC (permalink / raw
To: gentoo-commits
commit: 0743b2a440f9fc6b9c2156489941dbff78b4dc5a
Author: David Sugar <dsugar <AT> tresys <DOT> com>
AuthorDate: Wed Aug 30 16:12:55 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Sep 8 22:48:51 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0743b2a4
mon: move rpc_* into optional
Move use of rpc_* interface into optional block so rpc module can be turned off.
policy/modules/contrib/mon.te | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/mon.te b/policy/modules/contrib/mon.te
index f69cad31..5e93c7c9 100644
--- a/policy/modules/contrib/mon.te
+++ b/policy/modules/contrib/mon.te
@@ -207,8 +207,6 @@ logging_send_syslog_msg(mon_local_test_t)
miscfiles_read_localization(mon_local_test_t)
-rpc_read_nfs_content(mon_local_test_t)
-
sysnet_read_config(mon_local_test_t)
optional_policy(`
@@ -220,5 +218,9 @@ optional_policy(`
')
optional_policy(`
+ rpc_read_nfs_content(mon_local_test_t)
+')
+
+optional_policy(`
xserver_rw_console(mon_local_test_t)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-09-09 2:43 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-09-09 2:43 UTC (permalink / raw
To: gentoo-commits
commit: 192f02005a5673e022d3cc7ff18af83855faceba
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Aug 6 21:03:06 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Sep 8 22:48:51 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=192f0200
Remove deprecated interfaces more than one year old.
policy/modules/contrib/abrt.if | 16 --------
policy/modules/contrib/alsa.if | 51 ------------------------
policy/modules/contrib/automount.if | 15 -------
policy/modules/contrib/awstats.if | 28 -------------
policy/modules/contrib/bind.if | 14 -------
policy/modules/contrib/bluetooth.if | 40 -------------------
policy/modules/contrib/certwatch.if | 29 --------------
policy/modules/contrib/clogd.if | 15 -------
policy/modules/contrib/cobbler.if | 22 ----------
policy/modules/contrib/corosync.if | 22 ----------
policy/modules/contrib/cups.if | 14 -------
policy/modules/contrib/dbus.if | 75 -----------------------------------
policy/modules/contrib/dictd.if | 15 -------
policy/modules/contrib/finger.if | 14 -------
policy/modules/contrib/ftp.if | 14 -------
policy/modules/contrib/glusterfs.if | 22 ----------
policy/modules/contrib/gnome.if | 66 ------------------------------
policy/modules/contrib/gpg.if | 14 -------
policy/modules/contrib/i18n_input.if | 14 -------
policy/modules/contrib/inetd.if | 28 -------------
policy/modules/contrib/iodine.if | 22 ----------
policy/modules/contrib/jabber.if | 14 -------
policy/modules/contrib/kerberos.if | 41 -------------------
policy/modules/contrib/ldap.if | 14 -------
policy/modules/contrib/mandb.if | 57 --------------------------
policy/modules/contrib/mojomojo.if | 22 ----------
policy/modules/contrib/mozilla.if | 31 ---------------
policy/modules/contrib/mpd.if | 19 ---------
policy/modules/contrib/mta.if | 14 -------
policy/modules/contrib/mysql.if | 34 ----------------
policy/modules/contrib/nessus.if | 14 -------
policy/modules/contrib/nis.if | 28 -------------
policy/modules/contrib/nsd.if | 28 -------------
policy/modules/contrib/oident.if | 19 ---------
policy/modules/contrib/pcscd.if | 45 ---------------------
policy/modules/contrib/perdition.if | 14 -------
policy/modules/contrib/portmap.if | 42 --------------------
policy/modules/contrib/postfix.if | 32 ---------------
policy/modules/contrib/ppp.if | 19 ---------
policy/modules/contrib/pulseaudio.if | 31 ---------------
policy/modules/contrib/radius.if | 14 -------
policy/modules/contrib/rpc.if | 28 -------------
policy/modules/contrib/rpm.if | 16 --------
policy/modules/contrib/sendmail.if | 16 --------
policy/modules/contrib/slocate.if | 14 -------
policy/modules/contrib/snmp.if | 14 -------
policy/modules/contrib/soundserver.if | 14 -------
policy/modules/contrib/squid.if | 14 -------
policy/modules/contrib/virt.if | 16 --------
49 files changed, 1214 deletions(-)
diff --git a/policy/modules/contrib/abrt.if b/policy/modules/contrib/abrt.if
index 39b6d291..9d1f00da 100644
--- a/policy/modules/contrib/abrt.if
+++ b/policy/modules/contrib/abrt.if
@@ -164,22 +164,6 @@ interface(`abrt_run_helper',`
########################################
## <summary>
## Create, read, write, and delete
-## abrt cache files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`abrt_cache_manage',`
- refpolicywarn(`$0($*) has been deprecated, use abrt_manage_cache() instead.')
- abrt_manage_cache($1)
-')
-
-########################################
-## <summary>
-## Create, read, write, and delete
## abrt cache content.
## </summary>
## <param name="domain">
diff --git a/policy/modules/contrib/alsa.if b/policy/modules/contrib/alsa.if
index d50f5e33..9cff9efb 100644
--- a/policy/modules/contrib/alsa.if
+++ b/policy/modules/contrib/alsa.if
@@ -2,25 +2,6 @@
########################################
## <summary>
-## Role access for alsa.
-## </summary>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-## <param name="domain">
-## <summary>
-## User domain for the role.
-## </summary>
-## </param>
-#
-template(`alsa_role',`
- refpolicywarn(`$0($*) has been deprecated')
-')
-
-########################################
-## <summary>
## Execute a domain transition to run Alsa.
## </summary>
## <param name="domain">
@@ -102,22 +83,6 @@ interface(`alsa_rw_shared_mem',`
########################################
## <summary>
-## Read writable Alsa configuration
-## content. (Deprecated)
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`alsa_read_rw_config',`
- refpolicywarn(`$0($*) has been deprecated, use alsa_read_config() instead.')
- alsa_read_config($1)
-')
-
-########################################
-## <summary>
## Read Alsa configuration content.
## </summary>
## <param name="domain">
@@ -139,22 +104,6 @@ interface(`alsa_read_config',`
########################################
## <summary>
-## Manage writable Alsa config
-## files. (Deprecated)
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`alsa_manage_rw_config',`
- refpolicywarn(`$0($*) has been deprecated, use alsa_manage_config() instead.')
- alsa_manage_config($1)
-')
-
-########################################
-## <summary>
## Manage Alsa config files.
## </summary>
## <param name="domain">
diff --git a/policy/modules/contrib/automount.if b/policy/modules/contrib/automount.if
index 37847d93..fbaa3220 100644
--- a/policy/modules/contrib/automount.if
+++ b/policy/modules/contrib/automount.if
@@ -40,21 +40,6 @@ interface(`automount_signal',`
########################################
## <summary>
-## Execute automount in the caller domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`automount_exec_config',`
- refpolicywarn(`$0(): has been deprecated, please use files_exec_etc_files() instead.')
- files_exec_etc_files($1)
-')
-
-########################################
-## <summary>
## Read automount process state.
## </summary>
## <param name="domain">
diff --git a/policy/modules/contrib/awstats.if b/policy/modules/contrib/awstats.if
index 68616dd9..e86fe87f 100644
--- a/policy/modules/contrib/awstats.if
+++ b/policy/modules/contrib/awstats.if
@@ -19,31 +19,3 @@ interface(`awstats_domtrans',`
corecmd_search_bin($1)
domtrans_pattern($1, awstats_exec_t, awstats_t)
')
-
-########################################
-## <summary>
-## Read and write awstats unnamed pipes. (Deprecated)
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`awstats_rw_pipes',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
-########################################
-## <summary>
-## Execute awstats cgi scripts in the caller domain. (Deprecated)
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`awstats_cgi_exec',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
diff --git a/policy/modules/contrib/bind.if b/policy/modules/contrib/bind.if
index 7193af63..a99bae9c 100644
--- a/policy/modules/contrib/bind.if
+++ b/policy/modules/contrib/bind.if
@@ -331,20 +331,6 @@ interface(`bind_manage_zone',`
########################################
## <summary>
-## Send and receive datagrams to and from named. (Deprecated)
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`bind_udp_chat_named',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
-########################################
-## <summary>
## All of the rules required to
## administrate an bind environment.
## </summary>
diff --git a/policy/modules/contrib/bluetooth.if b/policy/modules/contrib/bluetooth.if
index 09d6248d..dc61988c 100644
--- a/policy/modules/contrib/bluetooth.if
+++ b/policy/modules/contrib/bluetooth.if
@@ -130,46 +130,6 @@ interface(`bluetooth_dbus_chat',`
########################################
## <summary>
-## Execute bluetooth_helper in the bluetooth_helper domain. (Deprecated)
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`bluetooth_domtrans_helper',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
-########################################
-## <summary>
-## Execute bluetooth_helper in the bluetooth_helper domain, and
-## allow the specified role the bluetooth_helper domain. (Deprecated)
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-## <param name="terminal">
-## <summary>
-## The type of the terminal allow the bluetooth_helper domain to use.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`bluetooth_run_helper',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
-########################################
-## <summary>
## Do not audit attempts to read
## bluetooth process state files.
## </summary>
diff --git a/policy/modules/contrib/certwatch.if b/policy/modules/contrib/certwatch.if
index 9291c5cc..54e6e661 100644
--- a/policy/modules/contrib/certwatch.if
+++ b/policy/modules/contrib/certwatch.if
@@ -46,32 +46,3 @@ interface(`certwatch_run',`
certwatch_domtrans($1)
roleattribute $2 certwatch_roles;
')
-
-########################################
-## <summary>
-## Execute certwatch in the certwatch domain, and
-## allow the specified role the certwatch domain,
-## and use the caller's terminal. Has a sigchld
-## backchannel. (Deprecated)
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-## <param name="terminal">
-## <summary>
-## The type of the terminal allow the certwatch domain to use.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`certwatach_run',`
- refpolicywarn(`$0($*) has been deprecated, please use certwatch_run() instead.')
- certwatch_run($*)
-')
diff --git a/policy/modules/contrib/clogd.if b/policy/modules/contrib/clogd.if
index 221d9143..dce4cb19 100644
--- a/policy/modules/contrib/clogd.if
+++ b/policy/modules/contrib/clogd.if
@@ -21,21 +21,6 @@ interface(`clogd_domtrans',`
#####################################
## <summary>
-## Connect to clogd over a unix domain
-## stream socket. (Deprecated)
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`clogd_stream_connect',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
-#####################################
-## <summary>
## Read and write clogd semaphores.
## </summary>
## <param name="domain">
diff --git a/policy/modules/contrib/cobbler.if b/policy/modules/contrib/cobbler.if
index 376fa84b..40f89990 100644
--- a/policy/modules/contrib/cobbler.if
+++ b/policy/modules/contrib/cobbler.if
@@ -151,28 +151,6 @@ interface(`cobbler_manage_lib_files',`
## </param>
## <rolecap/>
#
-interface(`cobblerd_admin',`
- refpolicywarn(`$0($*) has been deprecated, use cobbler_admin() instead.')
- cobbler_admin($1, $2)
-')
-
-########################################
-## <summary>
-## All of the rules required to
-## administrate an cobbler environment.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
interface(`cobbler_admin',`
gen_require(`
type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t;
diff --git a/policy/modules/contrib/corosync.if b/policy/modules/contrib/corosync.if
index 57736aab..2b2d11af 100644
--- a/policy/modules/contrib/corosync.if
+++ b/policy/modules/contrib/corosync.if
@@ -133,28 +133,6 @@ interface(`corosync_rw_tmpfs',`
## </param>
## <rolecap/>
#
-interface(`corosyncd_admin',`
- refpolicywarn(`$0($*) has been deprecated, use corosync_admin() instead.')
- corosync_admin($1, $2)
-')
-
-######################################
-## <summary>
-## All of the rules required to
-## administrate an corosync environment.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
interface(`corosync_admin',`
gen_require(`
type corosync_t, corosync_var_lib_t, corosync_var_log_t;
diff --git a/policy/modules/contrib/cups.if b/policy/modules/contrib/cups.if
index bd6b77f4..73887e50 100644
--- a/policy/modules/contrib/cups.if
+++ b/policy/modules/contrib/cups.if
@@ -75,20 +75,6 @@ interface(`cups_stream_connect',`
########################################
## <summary>
-## Connect to cups over TCP. (Deprecated)
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`cups_tcp_connect',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
-########################################
-## <summary>
## Send and receive messages from
## cups over dbus.
## </summary>
diff --git a/policy/modules/contrib/dbus.if b/policy/modules/contrib/dbus.if
index 3893df7c..32824d9a 100644
--- a/policy/modules/contrib/dbus.if
+++ b/policy/modules/contrib/dbus.if
@@ -139,22 +139,6 @@ interface(`dbus_system_bus_client',`
#######################################
## <summary>
-## Acquire service on DBUS
-## session bus.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`dbus_connect_session_bus',`
- refpolicywarn(`$0($*) has been deprecated, use dbus_connect_all_session_bus() instead.')
- dbus_connect_all_session_bus($1)
-')
-
-#######################################
-## <summary>
## Acquire service on all DBUS
## session busses.
## </summary>
@@ -201,22 +185,6 @@ interface(`dbus_connect_spec_session_bus',`
#######################################
## <summary>
-## Creating connections to DBUS
-## session bus.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`dbus_session_bus_client',`
- refpolicywarn(`$0($*) has been deprecated, use dbus_all_session_bus_client() instead.')
- dbus_all_session_bus_client($1)
-')
-
-#######################################
-## <summary>
## Creating connections to all
## DBUS session busses.
## </summary>
@@ -276,21 +244,6 @@ interface(`dbus_spec_session_bus_client',`
#######################################
## <summary>
-## Send messages to DBUS session bus.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`dbus_send_session_bus',`
- refpolicywarn(`$0($*) has been deprecated, use dbus_send_all_session_bus() instead.')
- dbus_send_all_session_bus($1)
-')
-
-#######################################
-## <summary>
## Send messages to all DBUS
## session busses.
## </summary>
@@ -399,34 +352,6 @@ interface(`dbus_manage_lib_files',`
## Allow a application domain to be
## started by the specified session bus.
## </summary>
-## <param name="role_prefix">
-## <summary>
-## The prefix of the user role (e.g., user
-## is the prefix for user_r).
-## </summary>
-## </param>
-## <param name="domain">
-## <summary>
-## Type to be used as a domain.
-## </summary>
-## </param>
-## <param name="entry_point">
-## <summary>
-## Type of the program to be used as an
-## entry point to this domain.
-## </summary>
-## </param>
-#
-interface(`dbus_session_domain',`
- refpolicywarn(`$0($*) has been deprecated, use dbus_all_session_domain() instead.')
- dbus_all_session_domain($1, $2)
-')
-
-########################################
-## <summary>
-## Allow a application domain to be
-## started by the specified session bus.
-## </summary>
## <param name="domain">
## <summary>
## Type to be used as a domain.
diff --git a/policy/modules/contrib/dictd.if b/policy/modules/contrib/dictd.if
index 3878acc7..6feb8280 100644
--- a/policy/modules/contrib/dictd.if
+++ b/policy/modules/contrib/dictd.if
@@ -2,21 +2,6 @@
########################################
## <summary>
-## Use dictionary services by connecting
-## over TCP. (Deprecated)
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`dictd_tcp_connect',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
-########################################
-## <summary>
## All of the rules required to
## administrate an dictd environment.
## </summary>
diff --git a/policy/modules/contrib/finger.if b/policy/modules/contrib/finger.if
index 2656d2b5..a071cfd4 100644
--- a/policy/modules/contrib/finger.if
+++ b/policy/modules/contrib/finger.if
@@ -18,17 +18,3 @@ interface(`finger_domtrans',`
corecmd_search_bin($1)
domtrans_pattern($1, fingerd_exec_t, fingerd_t)
')
-
-########################################
-## <summary>
-## Connect to fingerd with a tcp socket. (Deprecated)
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`finger_tcp_connect',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
diff --git a/policy/modules/contrib/ftp.if b/policy/modules/contrib/ftp.if
index 93fd4be4..349d1b3b 100644
--- a/policy/modules/contrib/ftp.if
+++ b/policy/modules/contrib/ftp.if
@@ -20,20 +20,6 @@ interface(`ftp_dyntrans_anon_sftpd',`
########################################
## <summary>
-## Connect to over ftpd over TCP. (Deprecated)
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`ftp_tcp_connect',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
-########################################
-## <summary>
## Read ftpd configuration files.
## </summary>
## <param name="domain">
diff --git a/policy/modules/contrib/glusterfs.if b/policy/modules/contrib/glusterfs.if
index 0945d876..b4f5d01c 100644
--- a/policy/modules/contrib/glusterfs.if
+++ b/policy/modules/contrib/glusterfs.if
@@ -17,28 +17,6 @@
## </param>
## <rolecap/>
#
-interface(`glusterd_admin',`
- refpolicywarn(`$0($*) has been deprecated, use glusterfs_admin() instead.')
- glusterfs_admin($1, $2)
-')
-
-########################################
-## <summary>
-## All of the rules required to
-## administrate an glusterfs environment.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
interface(`glusterfs_admin',`
gen_require(`
type glusterd_t, glusterd_initrc_exec_t, glusterd_log_t;
diff --git a/policy/modules/contrib/gnome.if b/policy/modules/contrib/gnome.if
index edf4d4e6..2eb4f047 100644
--- a/policy/modules/contrib/gnome.if
+++ b/policy/modules/contrib/gnome.if
@@ -1,24 +1,5 @@
## <summary>GNU network object model environment.</summary>
-########################################
-## <summary>
-## Role access for gnome. (Deprecated)
-## </summary>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-## <param name="domain">
-## <summary>
-## User domain for the role.
-## </summary>
-## </param>
-#
-interface(`gnome_role',`
- refpolicywarn(`$0($*) has been deprecated')
-')
-
#######################################
## <summary>
## The role template for gnome.
@@ -267,22 +248,6 @@ interface(`gnome_create_generic_home_dirs',`
########################################
## <summary>
## Set attributes of generic gnome
-## user home directories. (Deprecated)
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`gnome_setattr_config_dirs',`
- refpolicywarn(`$0($*) has been deprecated, use gnome_setattr_generic_home_dirs() instead.')
- gnome_setattr_generic_home_dirs($1)
-')
-
-########################################
-## <summary>
-## Set attributes of generic gnome
## user home directories.
## </summary>
## <param name="domain">
@@ -302,21 +267,6 @@ interface(`gnome_setattr_generic_home_dirs',`
########################################
## <summary>
-## Read generic gnome user home content. (Deprecated)
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`gnome_read_config',`
- refpolicywarn(`$0($*) has been deprecated, use gnome_read_generic_home_content() instead.')
- gnome_read_generic_home_content($1)
-')
-
-########################################
-## <summary>
## Read generic gnome home content.
## </summary>
## <param name="domain">
@@ -341,22 +291,6 @@ interface(`gnome_read_generic_home_content',`
########################################
## <summary>
## Create, read, write, and delete
-## generic gnome user home content. (Deprecated)
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`gnome_manage_config',`
- refpolicywarn(`$0($*) has been deprecated, use gnome_manage_generic_home_content() instead.')
- gnome_manage_generic_home_content($1)
-')
-
-########################################
-## <summary>
-## Create, read, write, and delete
## generic gnome home content.
## </summary>
## <param name="domain">
diff --git a/policy/modules/contrib/gpg.if b/policy/modules/contrib/gpg.if
index 4f118bf3..c4b7c4cd 100644
--- a/policy/modules/contrib/gpg.if
+++ b/policy/modules/contrib/gpg.if
@@ -125,20 +125,6 @@ interface(`gpg_spec_domtrans',`
######################################
## <summary>
-## Execute gpg in the gpg web domain. (Deprecated)
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`gpg_domtrans_web',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
-######################################
-## <summary>
## Make gpg executable files an
## entrypoint for the specified domain.
## </summary>
diff --git a/policy/modules/contrib/i18n_input.if b/policy/modules/contrib/i18n_input.if
index b9082642..4e08c3cf 100644
--- a/policy/modules/contrib/i18n_input.if
+++ b/policy/modules/contrib/i18n_input.if
@@ -2,20 +2,6 @@
########################################
## <summary>
-## Use i18n_input over a TCP connection. (Deprecated)
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`i18n_use',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
-########################################
-## <summary>
## All of the rules required to
## administrate an i18n input environment.
## </summary>
diff --git a/policy/modules/contrib/inetd.if b/policy/modules/contrib/inetd.if
index fbb54e7d..593cd40b 100644
--- a/policy/modules/contrib/inetd.if
+++ b/policy/modules/contrib/inetd.if
@@ -140,20 +140,6 @@ interface(`inetd_use_fds',`
########################################
## <summary>
-## Connect to the inetd service using a TCP connection. (Deprecated)
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`inetd_tcp_connect',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
-########################################
-## <summary>
## Run inetd child process in the
## inet child domain.
## </summary>
@@ -174,20 +160,6 @@ interface(`inetd_domtrans_child',`
########################################
## <summary>
-## Send UDP network traffic to inetd. (Deprecated)
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`inetd_udp_send',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
-########################################
-## <summary>
## Read and write inetd TCP sockets.
## </summary>
## <param name="domain">
diff --git a/policy/modules/contrib/iodine.if b/policy/modules/contrib/iodine.if
index 87e47eb2..99f1afd1 100644
--- a/policy/modules/contrib/iodine.if
+++ b/policy/modules/contrib/iodine.if
@@ -17,28 +17,6 @@
## </param>
## <rolecap/>
#
-interface(`iodined_admin',`
- refpolicywarn(`$0($*) has been deprecated, use iodine_admin() instead.')
- iodine_admin($1, $2)
-')
-
-########################################
-## <summary>
-## All of the rules required to
-## administrate an iodined environment
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
interface(`iodine_admin',`
gen_require(`
type iodined_t, iodined_initrc_exec_t;
diff --git a/policy/modules/contrib/jabber.if b/policy/modules/contrib/jabber.if
index 549dac1f..9a31ee51 100644
--- a/policy/modules/contrib/jabber.if
+++ b/policy/modules/contrib/jabber.if
@@ -42,20 +42,6 @@ interface(`jabber_manage_lib_files',`
########################################
## <summary>
-## Connect to jabber over a TCP socket (Deprecated)
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`jabber_tcp_connect',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
-########################################
-## <summary>
## All of the rules required to
## administrate an jabber environment.
## </summary>
diff --git a/policy/modules/contrib/kerberos.if b/policy/modules/contrib/kerberos.if
index 01caeead..c8c5a37d 100644
--- a/policy/modules/contrib/kerberos.if
+++ b/policy/modules/contrib/kerberos.if
@@ -2,25 +2,6 @@
########################################
## <summary>
-## Role access for kerberos.
-## </summary>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-## <param name="domain">
-## <summary>
-## User domain for the role.
-## </summary>
-## </param>
-#
-template(`kerberos_role',`
- refpolicywarn(`$0($*) has been deprecated')
-')
-
-########################################
-## <summary>
## Execute kadmind in the caller domain.
## </summary>
## <param name="domain">
@@ -339,28 +320,6 @@ interface(`kerberos_etc_filetrans_keytab',`
########################################
## <summary>
-## Create a derived type for kerberos
-## keytab files.
-## </summary>
-## <param name="prefix">
-## <summary>
-## The prefix to be used for deriving type names.
-## </summary>
-## </param>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-template(`kerberos_keytab_template',`
- refpolicywarn(`$0($*) has been deprecated.')
- kerberos_read_keytab($2)
- kerberos_use($2)
-')
-
-########################################
-## <summary>
## Read kerberos kdc configuration files.
## </summary>
## <param name="domain">
diff --git a/policy/modules/contrib/ldap.if b/policy/modules/contrib/ldap.if
index b4eabc96..59752140 100644
--- a/policy/modules/contrib/ldap.if
+++ b/policy/modules/contrib/ldap.if
@@ -41,20 +41,6 @@ interface(`ldap_read_config',`
########################################
## <summary>
-## Use LDAP over TCP connection. (Deprecated)
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`ldap_use',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
-########################################
-## <summary>
## Connect to slapd over an unix
## stream socket.
## </summary>
diff --git a/policy/modules/contrib/mandb.if b/policy/modules/contrib/mandb.if
index 2b5d5385..e880655d 100644
--- a/policy/modules/contrib/mandb.if
+++ b/policy/modules/contrib/mandb.if
@@ -48,63 +48,6 @@ interface(`mandb_run',`
########################################
## <summary>
-## Search mandb cache directories.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`mandb_search_cache',`
- refpolicywarn(`$0($*) has been deprecated')
-')
-
-########################################
-## <summary>
-## Delete mandb cache content.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`mandb_delete_cache_content',`
- refpolicywarn(`$0($*) has been deprecated')
-')
-
-########################################
-## <summary>
-## Read mandb cache content.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`mandb_read_cache_content',`
- refpolicywarn(`$0($*) has been deprecated')
-')
-
-########################################
-## <summary>
-## Create, read, write, and delete
-## mandb cache files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`mandb_manage_cache_content',`
- refpolicywarn(`$0($*) has been deprecated')
-')
-
-########################################
-## <summary>
## All of the rules required to
## administrate an mandb environment.
## </summary>
diff --git a/policy/modules/contrib/mojomojo.if b/policy/modules/contrib/mojomojo.if
index 73952f4c..6680a087 100644
--- a/policy/modules/contrib/mojomojo.if
+++ b/policy/modules/contrib/mojomojo.if
@@ -1,23 +1 @@
## <summary>MojoMojo Wiki.</summary>
-
-########################################
-## <summary>
-## All of the rules required to
-## administrate an mojomojo environment.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`mojomojo_admin',`
- refpolicywarn(`$0($*) has been deprecated, use apache_admin() instead.')
- apache_admin($1, $2)
-')
diff --git a/policy/modules/contrib/mozilla.if b/policy/modules/contrib/mozilla.if
index 70390632..178d68d8 100644
--- a/policy/modules/contrib/mozilla.if
+++ b/policy/modules/contrib/mozilla.if
@@ -242,21 +242,6 @@ interface(`mozilla_dontaudit_manage_user_home_files',`
########################################
## <summary>
-## Execute mozilla home directory files. (Deprecated)
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`mozilla_exec_user_home_files',`
- refpolicywarn(`$0($*) has been deprecated, use mozilla_exec_user_plugin_home_files() instead.')
- mozilla_exec_user_plugin_home_files($1)
-')
-
-########################################
-## <summary>
## Execute mozilla plugin home directory files.
## </summary>
## <param name="domain">
@@ -276,22 +261,6 @@ interface(`mozilla_exec_user_plugin_home_files',`
########################################
## <summary>
-## Mozilla home directory file
-## text relocation. (Deprecated)
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`mozilla_execmod_user_home_files',`
- refpolicywarn(`$0($*) has been deprecated, use mozilla_execmod_user_plugin_home_files() instead.')
- mozilla_execmod_user_plugin_home_files($1)
-')
-
-########################################
-## <summary>
## Mozilla plugin home directory file
## text relocation.
## </summary>
diff --git a/policy/modules/contrib/mpd.if b/policy/modules/contrib/mpd.if
index 384599fd..02faa37e 100644
--- a/policy/modules/contrib/mpd.if
+++ b/policy/modules/contrib/mpd.if
@@ -2,25 +2,6 @@
########################################
## <summary>
-## Role access for mpd.
-## </summary>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-## <param name="domain">
-## <summary>
-## User domain for the role.
-## </summary>
-## </param>
-#
-template(`mpd_role',`
- refpolicywarn(`$0($*) has been deprecated')
-')
-
-########################################
-## <summary>
## Execute a domain transition to run mpd.
## </summary>
## <param name="domain">
diff --git a/policy/modules/contrib/mta.if b/policy/modules/contrib/mta.if
index 7e268b80..0602746b 100644
--- a/policy/modules/contrib/mta.if
+++ b/policy/modules/contrib/mta.if
@@ -753,20 +753,6 @@ interface(`mta_dontaudit_rw_delivery_tcp_sockets',`
#######################################
## <summary>
-## Connect to all mail servers over TCP. (Deprecated)
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`mta_tcp_connect_all_mailservers',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
-#######################################
-## <summary>
## Do not audit attempts to read
## mail spool symlinks.
## </summary>
diff --git a/policy/modules/contrib/mysql.if b/policy/modules/contrib/mysql.if
index e7250f7f..af59114a 100644
--- a/policy/modules/contrib/mysql.if
+++ b/policy/modules/contrib/mysql.if
@@ -1,24 +1,5 @@
## <summary>Open source database.</summary>
-########################################
-## <summary>
-## Role access for mysql.
-## </summary>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-## <param name="domain">
-## <summary>
-## User domain for the role.
-## </summary>
-## </param>
-#
-interface(`mysql_role',`
- refpolicywarn(`$0($*) has been deprecated')
-')
-
######################################
## <summary>
## Execute MySQL in the mysql domain.
@@ -263,21 +244,6 @@ interface(`mysql_manage_db_files',`
########################################
## <summary>
-## Read and write mysqld database sockets.
-## named socket.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`mysql_rw_db_sockets',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
-########################################
-## <summary>
## Create, read, write, and delete
## mysqld home files.
## </summary>
diff --git a/policy/modules/contrib/nessus.if b/policy/modules/contrib/nessus.if
index f41ec5f3..57bed033 100644
--- a/policy/modules/contrib/nessus.if
+++ b/policy/modules/contrib/nessus.if
@@ -2,20 +2,6 @@
########################################
## <summary>
-## Connect to nessus over a TCP socket (Deprecated)
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`nessus_tcp_connect',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
-########################################
-## <summary>
## All of the rules required to
## administrate an nessus environment.
## </summary>
diff --git a/policy/modules/contrib/nis.if b/policy/modules/contrib/nis.if
index 718db6ea..66a3ba28 100644
--- a/policy/modules/contrib/nis.if
+++ b/policy/modules/contrib/nis.if
@@ -215,34 +215,6 @@ interface(`nis_list_var_yp',`
########################################
## <summary>
-## Send UDP network traffic to NIS clients. (Deprecated)
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`nis_udp_send_ypbind',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
-########################################
-## <summary>
-## Connect to ypbind over TCP. (Deprecated)
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`nis_tcp_connect_ypbind',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
-########################################
-## <summary>
## Read ypbind pid files.
## </summary>
## <param name="domain">
diff --git a/policy/modules/contrib/nsd.if b/policy/modules/contrib/nsd.if
index 8ec6ec4e..e071bcd0 100644
--- a/policy/modules/contrib/nsd.if
+++ b/policy/modules/contrib/nsd.if
@@ -2,34 +2,6 @@
########################################
## <summary>
-## Send and receive datagrams from NSD. (Deprecated)
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`nsd_udp_chat',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
-########################################
-## <summary>
-## Connect to NSD over a TCP socket (Deprecated)
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`nsd_tcp_connect',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
-########################################
-## <summary>
## All of the rules required to
## administrate an nsd environment.
## </summary>
diff --git a/policy/modules/contrib/oident.if b/policy/modules/contrib/oident.if
index c317a3aa..95b329ef 100644
--- a/policy/modules/contrib/oident.if
+++ b/policy/modules/contrib/oident.if
@@ -2,25 +2,6 @@
########################################
## <summary>
-## Role access for oident.
-## </summary>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-## <param name="domain">
-## <summary>
-## User domain for the role.
-## </summary>
-## </param>
-#
-interface(`oident_role',`
- refpolicywarn(`$0($*) has been deprecated')
-')
-
-########################################
-## <summary>
## Read oidentd user home content.
## </summary>
## <param name="domain">
diff --git a/policy/modules/contrib/pcscd.if b/policy/modules/contrib/pcscd.if
index b5c522d3..412c24aa 100644
--- a/policy/modules/contrib/pcscd.if
+++ b/policy/modules/contrib/pcscd.if
@@ -29,21 +29,6 @@ interface(`pcscd_domtrans',`
## </summary>
## </param>
#
-interface(`pcscd_read_pub_files',`
- refpolicywarn(`$0($*) has been deprecated, use pcscd_read_pid_files() instead.')
- pcscd_read_pid_files($1)
-')
-
-########################################
-## <summary>
-## Read pcscd pid files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
interface(`pcscd_read_pid_files',`
gen_require(`
type pcscd_var_run_t;
@@ -55,36 +40,6 @@ interface(`pcscd_read_pid_files',`
########################################
## <summary>
-## Create, read, write, and delete
-## pcscd pid files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`pcscd_manage_pub_files',`
- refpolicywarn(`$0($*) has been deprecated')
-')
-
-########################################
-## <summary>
-## Create, read, write, and delete
-## pcscd pid fifo files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`pcscd_manage_pub_pipes',`
- refpolicywarn(`$0($*) has been deprecated')
-')
-
-########################################
-## <summary>
## Connect to pcscd over an unix
## domain stream socket.
## </summary>
diff --git a/policy/modules/contrib/perdition.if b/policy/modules/contrib/perdition.if
index 092ac614..4d69d909 100644
--- a/policy/modules/contrib/perdition.if
+++ b/policy/modules/contrib/perdition.if
@@ -2,20 +2,6 @@
########################################
## <summary>
-## Connect to perdition over a TCP socket (Deprecated)
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`perdition_tcp_connect',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
-########################################
-## <summary>
## All of the rules required to
## administrate an perdition environment.
## </summary>
diff --git a/policy/modules/contrib/portmap.if b/policy/modules/contrib/portmap.if
index f0af3fe3..52208ce0 100644
--- a/policy/modules/contrib/portmap.if
+++ b/policy/modules/contrib/portmap.if
@@ -48,48 +48,6 @@ interface(`portmap_run_helper',`
########################################
## <summary>
-## Send UDP network traffic to portmap. (Deprecated)
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`portmap_udp_send',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
-########################################
-## <summary>
-## Send and receive UDP network traffic from portmap. (Deprecated)
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`portmap_udp_chat',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
-########################################
-## <summary>
-## Connect to portmap over a TCP socket (Deprecated)
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`portmap_tcp_connect',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
-########################################
-## <summary>
## All of the rules required to
## administrate an portmap environment.
## </summary>
diff --git a/policy/modules/contrib/postfix.if b/policy/modules/contrib/postfix.if
index 19fe6132..fa17bde4 100644
--- a/policy/modules/contrib/postfix.if
+++ b/policy/modules/contrib/postfix.if
@@ -428,22 +428,6 @@ interface(`postfix_stream_connect_master',`
########################################
## <summary>
-## Read and write postfix master
-## unnamed pipes. (Deprecated)
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`postfix_rw_master_pipes',`
- refpolicywarn(`$0($*) has been deprecated, use postfix_rw_inherited_master_pipes() instead.')
- postfix_rw_inherited_master_pipes($1)
-')
-
-########################################
-## <summary>
## Execute the master postdrop in the
## postfix postdrop domain.
## </summary>
@@ -484,22 +468,6 @@ interface(`postfix_domtrans_postqueue',`
#######################################
## <summary>
-## Execute the master postqueue in
-## the caller domain. (Deprecated)
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`posftix_exec_postqueue',`
- refpolicywarn(`$0($*) has been deprecated.')
- postfix_exec_postqueue($1)
-')
-
-#######################################
-## <summary>
## Execute postfix postqueue in
## the caller domain.
## </summary>
diff --git a/policy/modules/contrib/ppp.if b/policy/modules/contrib/ppp.if
index 0376e92f..070e565c 100644
--- a/policy/modules/contrib/ppp.if
+++ b/policy/modules/contrib/ppp.if
@@ -2,25 +2,6 @@
########################################
## <summary>
-## Role access for ppp.
-## </summary>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-## <param name="domain">
-## <summary>
-## User domain for the role.
-## </summary>
-## </param>
-#
-interface(`ppp_role',`
- refpolicywarn(`$0($*) has been deprecated')
-')
-
-########################################
-## <summary>
## Create, read, write, and delete
## ppp home files.
## </summary>
diff --git a/policy/modules/contrib/pulseaudio.if b/policy/modules/contrib/pulseaudio.if
index 7236f624..921e519c 100644
--- a/policy/modules/contrib/pulseaudio.if
+++ b/policy/modules/contrib/pulseaudio.if
@@ -254,21 +254,6 @@ interface(`pulseaudio_setattr_home_dir',`
## </summary>
## </param>
#
-interface(`pulseaudio_read_home_files',`
- refpolicywarn(`$0($*) has been deprecated, use pulseaudio_read_home() instead.')
- pulseaudio_read_home($1)
-')
-
-########################################
-## <summary>
-## Read pulseaudio home content.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
interface(`pulseaudio_read_home',`
gen_require(`
type pulseaudio_home_t;
@@ -311,22 +296,6 @@ interface(`pulseaudio_rw_home_files',`
## </summary>
## </param>
#
-interface(`pulseaudio_manage_home_files',`
- refpolicywarn(`$0($*) has been deprecated, use pulseaudio_manage_home() instead.')
- pulseaudio_manage_home($1)
-')
-
-########################################
-## <summary>
-## Create, read, write, and delete
-## pulseaudio home content.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
interface(`pulseaudio_manage_home',`
gen_require(`
type pulseaudio_home_t;
diff --git a/policy/modules/contrib/radius.if b/policy/modules/contrib/radius.if
index 7703bc78..bce89c30 100644
--- a/policy/modules/contrib/radius.if
+++ b/policy/modules/contrib/radius.if
@@ -2,20 +2,6 @@
########################################
## <summary>
-## Use radius over a UDP connection. (Deprecated)
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`radius_use',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
-########################################
-## <summary>
## All of the rules required to
## administrate an radius environment.
## </summary>
diff --git a/policy/modules/contrib/rpc.if b/policy/modules/contrib/rpc.if
index fbf5995d..7063c42f 100644
--- a/policy/modules/contrib/rpc.if
+++ b/policy/modules/contrib/rpc.if
@@ -52,20 +52,6 @@ template(`rpc_domain_template',`
########################################
## <summary>
-## Send UDP network traffic to rpc and recieve UDP traffic from rpc. (Deprecated)
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`rpc_udp_send',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
-########################################
-## <summary>
## Do not audit attempts to get
## attributes of export files.
## </summary>
@@ -298,20 +284,6 @@ interface(`rpc_udp_rw_nfs_sockets',`
########################################
## <summary>
-## Send UDP traffic to NFSd. (Deprecated)
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`rpc_udp_send_nfs',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
-########################################
-## <summary>
## Search nfs lib directories.
## </summary>
## <param name="domain">
diff --git a/policy/modules/contrib/rpm.if b/policy/modules/contrib/rpm.if
index 304e97cb..016cdb2a 100644
--- a/policy/modules/contrib/rpm.if
+++ b/policy/modules/contrib/rpm.if
@@ -564,22 +564,6 @@ interface(`rpm_manage_pid_files',`
files_search_pids($1)
')
-######################################
-## <summary>
-## Create files in pid directories
-## with the rpm pid file type.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`rpm_pid_filetrans',`
- refpolicywarn(`$0($*) has been deprecated, rpm_pid_filetrans_rpm_pid() instead.')
- rpm_pid_filetrans_rpm_pid($1, file)
-')
-
########################################
## <summary>
## Create specified objects in pid directories
diff --git a/policy/modules/contrib/sendmail.if b/policy/modules/contrib/sendmail.if
index d60de843..5358d159 100644
--- a/policy/modules/contrib/sendmail.if
+++ b/policy/modules/contrib/sendmail.if
@@ -228,22 +228,6 @@ interface(`sendmail_manage_log',`
## Domain allowed access.
## </summary>
## </param>
-#
-interface(`sendmail_create_log',`
- refpolicywarn(`$0($*) has been deprecated, use sendmail_log_filetrans_sendmail_log() instead.')
- sendmail_log_filetrans_sendmail_log($1, $2, $3)
-')
-
-########################################
-## <summary>
-## Create specified objects in generic
-## log directories sendmail log file type.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
## <param name="object_class">
## <summary>
## Class of the object being created.
diff --git a/policy/modules/contrib/slocate.if b/policy/modules/contrib/slocate.if
index 1f25803d..82de1b68 100644
--- a/policy/modules/contrib/slocate.if
+++ b/policy/modules/contrib/slocate.if
@@ -2,20 +2,6 @@
########################################
## <summary>
-## Create the locate log with append mode.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`slocate_create_append_log',`
- refpolicywarn(`$0($*) has been deprecated')
-')
-
-########################################
-## <summary>
## Read locate lib files.
## </summary>
## <param name="domain">
diff --git a/policy/modules/contrib/snmp.if b/policy/modules/contrib/snmp.if
index 96775032..d8a75680 100644
--- a/policy/modules/contrib/snmp.if
+++ b/policy/modules/contrib/snmp.if
@@ -43,20 +43,6 @@ interface(`snmp_tcp_connect',`
########################################
## <summary>
-## Send and receive UDP traffic to SNMP (Deprecated)
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`snmp_udp_chat',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
-########################################
-## <summary>
## Create, read, write, and delete
## snmp lib directories.
## </summary>
diff --git a/policy/modules/contrib/soundserver.if b/policy/modules/contrib/soundserver.if
index 8dc1c0f4..106e0700 100644
--- a/policy/modules/contrib/soundserver.if
+++ b/policy/modules/contrib/soundserver.if
@@ -2,20 +2,6 @@
########################################
## <summary>
-## Connect to the sound server over a TCP socket (Deprecated)
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`soundserver_tcp_connect',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
-########################################
-## <summary>
## All of the rules required to
## administrate an soundd environment.
## </summary>
diff --git a/policy/modules/contrib/squid.if b/policy/modules/contrib/squid.if
index b5adfad3..2443afbd 100644
--- a/policy/modules/contrib/squid.if
+++ b/policy/modules/contrib/squid.if
@@ -177,20 +177,6 @@ interface(`squid_manage_logs',`
########################################
## <summary>
-## Use squid services by connecting over TCP. (Deprecated)
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`squid_use',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
-########################################
-## <summary>
## dontaudit statting tmpfs files
## </summary>
## <param name="domain">
diff --git a/policy/modules/contrib/virt.if b/policy/modules/contrib/virt.if
index 8016cccb..993ee6c8 100644
--- a/policy/modules/contrib/virt.if
+++ b/policy/modules/contrib/virt.if
@@ -1069,22 +1069,6 @@ interface(`virt_rw_all_image_chr_files',`
########################################
## <summary>
## Create, read, write, and delete
-## svirt cache files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`virt_manage_svirt_cache',`
- refpolicywarn(`$0($*) has been deprecated, use virt_manage_virt_cache() instead.')
- virt_manage_virt_cache($1)
-')
-
-########################################
-## <summary>
-## Create, read, write, and delete
## virt cache content.
## </summary>
## <param name="domain">
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-09-09 2:43 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-09-09 2:43 UTC (permalink / raw
To: gentoo-commits
commit: 44d0fa325a094a752b4686aacfcea36eba9a74b5
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Tue Aug 29 23:13:33 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Sep 8 22:48:51 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=44d0fa32
Module version bump for patches from Guido Trentalancia.
policy/modules/contrib/libmtp.te | 2 +-
policy/modules/contrib/spamassassin.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/libmtp.te b/policy/modules/contrib/libmtp.te
index bacfb1b7..3bdb3ed8 100644
--- a/policy/modules/contrib/libmtp.te
+++ b/policy/modules/contrib/libmtp.te
@@ -1,4 +1,4 @@
-policy_module(libmtp, 1.0.0)
+policy_module(libmtp, 1.0.1)
##############################
#
diff --git a/policy/modules/contrib/spamassassin.te b/policy/modules/contrib/spamassassin.te
index 21ed2b4c..72e781ef 100644
--- a/policy/modules/contrib/spamassassin.te
+++ b/policy/modules/contrib/spamassassin.te
@@ -1,4 +1,4 @@
-policy_module(spamassassin, 2.11.0)
+policy_module(spamassassin, 2.11.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-09-09 2:43 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-09-09 2:43 UTC (permalink / raw
To: gentoo-commits
commit: ea19f747a606d52a2971921943b3740816dfac64
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Aug 5 16:59:42 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Sep 8 22:48:51 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ea19f747
Bump module versions for release.
policy/modules/contrib/abrt.te | 2 +-
policy/modules/contrib/acct.te | 2 +-
policy/modules/contrib/acpi.te | 2 +-
policy/modules/contrib/afs.te | 2 +-
policy/modules/contrib/aiccu.te | 2 +-
policy/modules/contrib/aisexec.te | 2 +-
policy/modules/contrib/alsa.te | 2 +-
policy/modules/contrib/amanda.te | 2 +-
policy/modules/contrib/amavis.te | 2 +-
policy/modules/contrib/anaconda.te | 2 +-
policy/modules/contrib/apache.te | 2 +-
policy/modules/contrib/apcupsd.te | 2 +-
policy/modules/contrib/apt.te | 2 +-
policy/modules/contrib/arpwatch.te | 2 +-
policy/modules/contrib/asterisk.te | 2 +-
policy/modules/contrib/automount.te | 2 +-
policy/modules/contrib/avahi.te | 2 +-
policy/modules/contrib/backup.te | 2 +-
policy/modules/contrib/bacula.te | 2 +-
policy/modules/contrib/bcfg2.te | 2 +-
policy/modules/contrib/bind.te | 2 +-
policy/modules/contrib/bird.te | 2 +-
policy/modules/contrib/bitlbee.te | 2 +-
policy/modules/contrib/bluetooth.te | 2 +-
policy/modules/contrib/brctl.te | 2 +-
policy/modules/contrib/cachefilesd.te | 2 +-
policy/modules/contrib/callweaver.te | 2 +-
policy/modules/contrib/canna.te | 2 +-
policy/modules/contrib/ccs.te | 2 +-
policy/modules/contrib/certmonger.te | 2 +-
policy/modules/contrib/cfengine.te | 2 +-
policy/modules/contrib/cgroup.te | 2 +-
policy/modules/contrib/chronyd.te | 2 +-
policy/modules/contrib/cipe.te | 2 +-
policy/modules/contrib/clamav.te | 2 +-
policy/modules/contrib/clogd.te | 2 +-
policy/modules/contrib/cmirrord.te | 2 +-
policy/modules/contrib/collectd.te | 2 +-
policy/modules/contrib/comsat.te | 2 +-
policy/modules/contrib/condor.te | 2 +-
policy/modules/contrib/consolekit.te | 2 +-
policy/modules/contrib/corosync.te | 2 +-
policy/modules/contrib/courier.te | 2 +-
policy/modules/contrib/cpucontrol.te | 2 +-
policy/modules/contrib/cron.te | 2 +-
policy/modules/contrib/ctdb.te | 2 +-
policy/modules/contrib/cups.te | 2 +-
policy/modules/contrib/dante.te | 2 +-
policy/modules/contrib/dbskk.te | 2 +-
policy/modules/contrib/dbus.te | 2 +-
policy/modules/contrib/dcc.te | 2 +-
policy/modules/contrib/ddclient.te | 2 +-
policy/modules/contrib/ddcprobe.te | 2 +-
policy/modules/contrib/devicekit.te | 2 +-
policy/modules/contrib/dhcp.te | 2 +-
policy/modules/contrib/dictd.te | 2 +-
policy/modules/contrib/dirmngr.te | 2 +-
policy/modules/contrib/dkim.te | 2 +-
policy/modules/contrib/dmidecode.te | 2 +-
policy/modules/contrib/dnsmasq.te | 2 +-
policy/modules/contrib/dnssectrigger.te | 2 +-
policy/modules/contrib/dovecot.te | 2 +-
policy/modules/contrib/dphysswapfile.te | 2 +-
policy/modules/contrib/dpkg.te | 2 +-
policy/modules/contrib/drbd.te | 2 +-
policy/modules/contrib/entropyd.te | 2 +-
policy/modules/contrib/evolution.te | 2 +-
policy/modules/contrib/exim.te | 2 +-
policy/modules/contrib/fakehwclock.te | 2 +-
policy/modules/contrib/fcoe.te | 2 +-
policy/modules/contrib/fetchmail.te | 2 +-
policy/modules/contrib/finger.te | 2 +-
policy/modules/contrib/firewalld.te | 2 +-
policy/modules/contrib/firstboot.te | 2 +-
policy/modules/contrib/ftp.te | 2 +-
policy/modules/contrib/gatekeeper.te | 2 +-
policy/modules/contrib/glusterfs.te | 2 +-
policy/modules/contrib/gnome.te | 2 +-
policy/modules/contrib/gpg.te | 2 +-
policy/modules/contrib/gpm.te | 2 +-
policy/modules/contrib/gpsd.te | 2 +-
policy/modules/contrib/hal.te | 2 +-
policy/modules/contrib/hddtemp.te | 2 +-
policy/modules/contrib/hwloc.te | 2 +-
policy/modules/contrib/hypervkvp.te | 2 +-
policy/modules/contrib/i18n_input.te | 2 +-
policy/modules/contrib/ifplugd.te | 2 +-
policy/modules/contrib/inetd.te | 2 +-
policy/modules/contrib/inn.te | 2 +-
policy/modules/contrib/iodine.te | 2 +-
policy/modules/contrib/ircd.te | 2 +-
policy/modules/contrib/irqbalance.te | 2 +-
policy/modules/contrib/iscsi.te | 2 +-
policy/modules/contrib/isns.te | 2 +-
policy/modules/contrib/jabber.te | 2 +-
policy/modules/contrib/java.te | 2 +-
policy/modules/contrib/jockey.te | 2 +-
policy/modules/contrib/kdump.te | 2 +-
policy/modules/contrib/kerberos.te | 2 +-
policy/modules/contrib/kerneloops.te | 2 +-
policy/modules/contrib/ksmtuned.te | 2 +-
policy/modules/contrib/ktalk.te | 2 +-
policy/modules/contrib/kudzu.te | 2 +-
policy/modules/contrib/l2tp.te | 2 +-
policy/modules/contrib/ldap.te | 2 +-
policy/modules/contrib/likewise.te | 2 +-
policy/modules/contrib/lircd.te | 2 +-
policy/modules/contrib/lldpad.te | 2 +-
policy/modules/contrib/loadkeys.te | 2 +-
policy/modules/contrib/lockdev.te | 2 +-
policy/modules/contrib/logrotate.te | 2 +-
policy/modules/contrib/logwatch.te | 2 +-
policy/modules/contrib/lpd.te | 2 +-
policy/modules/contrib/mailman.te | 2 +-
policy/modules/contrib/mailscanner.te | 2 +-
policy/modules/contrib/mandb.te | 2 +-
policy/modules/contrib/mcelog.te | 2 +-
policy/modules/contrib/milter.te | 2 +-
policy/modules/contrib/minidlna.te | 2 +-
policy/modules/contrib/minissdpd.te | 2 +-
policy/modules/contrib/modemmanager.te | 2 +-
policy/modules/contrib/mon.te | 2 +-
policy/modules/contrib/monit.te | 2 +-
policy/modules/contrib/monop.te | 2 +-
policy/modules/contrib/mozilla.te | 2 +-
policy/modules/contrib/mrtg.te | 2 +-
policy/modules/contrib/mta.te | 2 +-
policy/modules/contrib/munin.te | 2 +-
policy/modules/contrib/mysql.te | 2 +-
policy/modules/contrib/nagios.te | 2 +-
policy/modules/contrib/ncftool.te | 2 +-
policy/modules/contrib/nessus.te | 2 +-
policy/modules/contrib/networkmanager.te | 2 +-
policy/modules/contrib/nis.te | 2 +-
policy/modules/contrib/nscd.te | 2 +-
policy/modules/contrib/nsd.te | 2 +-
policy/modules/contrib/nslcd.te | 2 +-
policy/modules/contrib/ntop.te | 2 +-
policy/modules/contrib/ntp.te | 2 +-
policy/modules/contrib/nut.te | 2 +-
policy/modules/contrib/oav.te | 2 +-
policy/modules/contrib/oddjob.te | 2 +-
policy/modules/contrib/oident.te | 2 +-
policy/modules/contrib/openct.te | 2 +-
policy/modules/contrib/openhpi.te | 2 +-
policy/modules/contrib/openoffice.te | 2 +-
policy/modules/contrib/openvpn.te | 2 +-
policy/modules/contrib/pacemaker.te | 2 +-
policy/modules/contrib/pcmcia.te | 2 +-
policy/modules/contrib/pcscd.te | 2 +-
policy/modules/contrib/pegasus.te | 2 +-
policy/modules/contrib/perdition.te | 2 +-
policy/modules/contrib/pingd.te | 2 +-
policy/modules/contrib/pkcs.te | 2 +-
policy/modules/contrib/plymouthd.te | 2 +-
policy/modules/contrib/policykit.te | 2 +-
policy/modules/contrib/portage.te | 2 +-
policy/modules/contrib/portmap.te | 2 +-
policy/modules/contrib/portreserve.te | 2 +-
policy/modules/contrib/portslave.te | 2 +-
policy/modules/contrib/postfix.te | 2 +-
policy/modules/contrib/postfixpolicyd.te | 2 +-
policy/modules/contrib/postgrey.te | 2 +-
policy/modules/contrib/ppp.te | 2 +-
policy/modules/contrib/prelink.te | 2 +-
policy/modules/contrib/prelude.te | 2 +-
policy/modules/contrib/privoxy.te | 2 +-
policy/modules/contrib/procmail.te | 2 +-
policy/modules/contrib/psad.te | 2 +-
policy/modules/contrib/pxe.te | 2 +-
policy/modules/contrib/qemu.te | 2 +-
policy/modules/contrib/qmail.te | 2 +-
policy/modules/contrib/qpid.te | 2 +-
policy/modules/contrib/quota.te | 2 +-
policy/modules/contrib/radius.te | 2 +-
policy/modules/contrib/radvd.te | 2 +-
policy/modules/contrib/raid.te | 2 +-
policy/modules/contrib/rdisc.te | 2 +-
policy/modules/contrib/readahead.te | 2 +-
policy/modules/contrib/redis.te | 2 +-
policy/modules/contrib/remotelogin.te | 2 +-
policy/modules/contrib/resmgr.te | 2 +-
policy/modules/contrib/rgmanager.te | 2 +-
policy/modules/contrib/rhcs.te | 2 +-
policy/modules/contrib/ricci.te | 2 +-
policy/modules/contrib/rlogin.te | 2 +-
policy/modules/contrib/rngd.te | 2 +-
policy/modules/contrib/rpc.te | 2 +-
policy/modules/contrib/rpcbind.te | 2 +-
policy/modules/contrib/rpm.te | 2 +-
policy/modules/contrib/rshd.te | 2 +-
policy/modules/contrib/rsync.te | 2 +-
policy/modules/contrib/rtkit.te | 2 +-
policy/modules/contrib/rwho.te | 2 +-
policy/modules/contrib/samba.te | 2 +-
policy/modules/contrib/samhain.te | 2 +-
policy/modules/contrib/sanlock.te | 2 +-
policy/modules/contrib/sasl.te | 2 +-
policy/modules/contrib/sblim.te | 2 +-
policy/modules/contrib/screen.te | 2 +-
policy/modules/contrib/sensord.te | 2 +-
policy/modules/contrib/setroubleshoot.te | 2 +-
policy/modules/contrib/shibboleth.te | 2 +-
policy/modules/contrib/shorewall.te | 2 +-
policy/modules/contrib/shutdown.te | 2 +-
policy/modules/contrib/slpd.te | 2 +-
policy/modules/contrib/smartmon.te | 2 +-
policy/modules/contrib/smokeping.te | 2 +-
policy/modules/contrib/smstools.te | 2 +-
policy/modules/contrib/snmp.te | 2 +-
policy/modules/contrib/snort.te | 2 +-
policy/modules/contrib/sosreport.te | 2 +-
policy/modules/contrib/soundserver.te | 2 +-
policy/modules/contrib/spamassassin.te | 2 +-
policy/modules/contrib/speedtouch.te | 2 +-
policy/modules/contrib/squid.te | 2 +-
policy/modules/contrib/sssd.te | 2 +-
policy/modules/contrib/sxid.te | 2 +-
policy/modules/contrib/sysstat.te | 2 +-
policy/modules/contrib/tboot.te | 2 +-
policy/modules/contrib/tcpd.te | 2 +-
policy/modules/contrib/tcsd.te | 2 +-
policy/modules/contrib/telnet.te | 2 +-
policy/modules/contrib/tftp.te | 2 +-
policy/modules/contrib/tgtd.te | 2 +-
policy/modules/contrib/thunderbird.te | 2 +-
policy/modules/contrib/tmpreaper.te | 2 +-
policy/modules/contrib/tor.te | 2 +-
policy/modules/contrib/transproxy.te | 2 +-
policy/modules/contrib/tripwire.te | 2 +-
policy/modules/contrib/tuned.te | 2 +-
policy/modules/contrib/tzdata.te | 2 +-
policy/modules/contrib/ulogd.te | 2 +-
policy/modules/contrib/updfstab.te | 2 +-
policy/modules/contrib/uptime.te | 2 +-
policy/modules/contrib/usbmodules.te | 2 +-
policy/modules/contrib/usbmuxd.te | 2 +-
policy/modules/contrib/userhelper.te | 2 +-
policy/modules/contrib/usernetctl.te | 2 +-
policy/modules/contrib/uucp.te | 2 +-
policy/modules/contrib/uuidd.te | 2 +-
policy/modules/contrib/varnishd.te | 2 +-
policy/modules/contrib/vbetool.te | 2 +-
policy/modules/contrib/vdagent.te | 2 +-
policy/modules/contrib/vhostmd.te | 2 +-
policy/modules/contrib/virt.te | 2 +-
policy/modules/contrib/vlock.te | 2 +-
policy/modules/contrib/vmware.te | 2 +-
policy/modules/contrib/vnstatd.te | 2 +-
policy/modules/contrib/vpn.te | 2 +-
policy/modules/contrib/watchdog.te | 2 +-
policy/modules/contrib/wdmd.te | 2 +-
policy/modules/contrib/webalizer.te | 2 +-
policy/modules/contrib/wm.te | 2 +-
policy/modules/contrib/xen.te | 2 +-
policy/modules/contrib/xfs.te | 2 +-
policy/modules/contrib/zabbix.te | 2 +-
policy/modules/contrib/zebra.te | 2 +-
policy/modules/contrib/zosremote.te | 2 +-
259 files changed, 259 insertions(+), 259 deletions(-)
diff --git a/policy/modules/contrib/abrt.te b/policy/modules/contrib/abrt.te
index 1d7baa2d..718736b5 100644
--- a/policy/modules/contrib/abrt.te
+++ b/policy/modules/contrib/abrt.te
@@ -1,4 +1,4 @@
-policy_module(abrt, 1.7.2)
+policy_module(abrt, 1.8.0)
########################################
#
diff --git a/policy/modules/contrib/acct.te b/policy/modules/contrib/acct.te
index dfe0ec7c..4f3550cf 100644
--- a/policy/modules/contrib/acct.te
+++ b/policy/modules/contrib/acct.te
@@ -1,4 +1,4 @@
-policy_module(acct, 1.7.3)
+policy_module(acct, 1.8.0)
########################################
#
diff --git a/policy/modules/contrib/acpi.te b/policy/modules/contrib/acpi.te
index 083dfe92..3a7320d7 100644
--- a/policy/modules/contrib/acpi.te
+++ b/policy/modules/contrib/acpi.te
@@ -1,4 +1,4 @@
-policy_module(acpi, 1.0.1)
+policy_module(acpi, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/afs.te b/policy/modules/contrib/afs.te
index 8b7c7765..9ebe863a 100644
--- a/policy/modules/contrib/afs.te
+++ b/policy/modules/contrib/afs.te
@@ -1,4 +1,4 @@
-policy_module(afs, 1.10.1)
+policy_module(afs, 1.11.0)
########################################
#
diff --git a/policy/modules/contrib/aiccu.te b/policy/modules/contrib/aiccu.te
index a3ea7e6a..82c6dff3 100644
--- a/policy/modules/contrib/aiccu.te
+++ b/policy/modules/contrib/aiccu.te
@@ -1,4 +1,4 @@
-policy_module(aiccu, 1.3.2)
+policy_module(aiccu, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/aisexec.te b/policy/modules/contrib/aisexec.te
index 1e5dffe4..dfacbf51 100644
--- a/policy/modules/contrib/aisexec.te
+++ b/policy/modules/contrib/aisexec.te
@@ -1,4 +1,4 @@
-policy_module(aisexec, 1.4.1)
+policy_module(aisexec, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/alsa.te b/policy/modules/contrib/alsa.te
index 7654ae0e..f297b903 100644
--- a/policy/modules/contrib/alsa.te
+++ b/policy/modules/contrib/alsa.te
@@ -1,4 +1,4 @@
-policy_module(alsa, 1.16.3)
+policy_module(alsa, 1.17.0)
########################################
#
diff --git a/policy/modules/contrib/amanda.te b/policy/modules/contrib/amanda.te
index 6b058e02..ea74ccd7 100644
--- a/policy/modules/contrib/amanda.te
+++ b/policy/modules/contrib/amanda.te
@@ -1,4 +1,4 @@
-policy_module(amanda, 1.16.1)
+policy_module(amanda, 1.17.0)
#######################################
#
diff --git a/policy/modules/contrib/amavis.te b/policy/modules/contrib/amavis.te
index f0722742..9517486e 100644
--- a/policy/modules/contrib/amavis.te
+++ b/policy/modules/contrib/amavis.te
@@ -1,4 +1,4 @@
-policy_module(amavis, 1.17.1)
+policy_module(amavis, 1.18.0)
########################################
#
diff --git a/policy/modules/contrib/anaconda.te b/policy/modules/contrib/anaconda.te
index 6f5418f6..307f1e8f 100644
--- a/policy/modules/contrib/anaconda.te
+++ b/policy/modules/contrib/anaconda.te
@@ -1,4 +1,4 @@
-policy_module(anaconda, 1.7.1)
+policy_module(anaconda, 1.8.0)
gen_require(`
class passwd all_passwd_perms;
diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index 47e47b05..7c41358d 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -1,4 +1,4 @@
-policy_module(apache, 2.12.6)
+policy_module(apache, 2.13.0)
########################################
#
diff --git a/policy/modules/contrib/apcupsd.te b/policy/modules/contrib/apcupsd.te
index fcb60aa3..3e4a2465 100644
--- a/policy/modules/contrib/apcupsd.te
+++ b/policy/modules/contrib/apcupsd.te
@@ -1,4 +1,4 @@
-policy_module(apcupsd, 1.12.2)
+policy_module(apcupsd, 1.13.0)
########################################
#
diff --git a/policy/modules/contrib/apt.te b/policy/modules/contrib/apt.te
index 154944d2..c54e2126 100644
--- a/policy/modules/contrib/apt.te
+++ b/policy/modules/contrib/apt.te
@@ -1,4 +1,4 @@
-policy_module(apt, 1.10.4)
+policy_module(apt, 1.11.0)
########################################
#
diff --git a/policy/modules/contrib/arpwatch.te b/policy/modules/contrib/arpwatch.te
index 36fc3b86..87aed96f 100644
--- a/policy/modules/contrib/arpwatch.te
+++ b/policy/modules/contrib/arpwatch.te
@@ -1,4 +1,4 @@
-policy_module(arpwatch, 1.14.3)
+policy_module(arpwatch, 1.15.0)
########################################
#
diff --git a/policy/modules/contrib/asterisk.te b/policy/modules/contrib/asterisk.te
index 3291031a..2e0a687c 100644
--- a/policy/modules/contrib/asterisk.te
+++ b/policy/modules/contrib/asterisk.te
@@ -1,4 +1,4 @@
-policy_module(asterisk, 1.17.1)
+policy_module(asterisk, 1.18.0)
########################################
#
diff --git a/policy/modules/contrib/automount.te b/policy/modules/contrib/automount.te
index f99ecc18..34922281 100644
--- a/policy/modules/contrib/automount.te
+++ b/policy/modules/contrib/automount.te
@@ -1,4 +1,4 @@
-policy_module(automount, 1.18.1)
+policy_module(automount, 1.19.0)
########################################
#
diff --git a/policy/modules/contrib/avahi.te b/policy/modules/contrib/avahi.te
index e38e0b09..c9020826 100644
--- a/policy/modules/contrib/avahi.te
+++ b/policy/modules/contrib/avahi.te
@@ -1,4 +1,4 @@
-policy_module(avahi, 1.18.1)
+policy_module(avahi, 1.19.0)
########################################
#
diff --git a/policy/modules/contrib/backup.te b/policy/modules/contrib/backup.te
index 135f94a3..ca3727ca 100644
--- a/policy/modules/contrib/backup.te
+++ b/policy/modules/contrib/backup.te
@@ -1,4 +1,4 @@
-policy_module(backup, 1.7.1)
+policy_module(backup, 1.8.0)
########################################
#
diff --git a/policy/modules/contrib/bacula.te b/policy/modules/contrib/bacula.te
index aac922f7..8def92c1 100644
--- a/policy/modules/contrib/bacula.te
+++ b/policy/modules/contrib/bacula.te
@@ -1,4 +1,4 @@
-policy_module(bacula, 1.4.1)
+policy_module(bacula, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/bcfg2.te b/policy/modules/contrib/bcfg2.te
index cc84cd9f..3897511e 100644
--- a/policy/modules/contrib/bcfg2.te
+++ b/policy/modules/contrib/bcfg2.te
@@ -1,4 +1,4 @@
-policy_module(bcfg2, 1.3.1)
+policy_module(bcfg2, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/bind.te b/policy/modules/contrib/bind.te
index 2351e024..c97c6a22 100644
--- a/policy/modules/contrib/bind.te
+++ b/policy/modules/contrib/bind.te
@@ -1,4 +1,4 @@
-policy_module(bind, 1.18.2)
+policy_module(bind, 1.19.0)
########################################
#
diff --git a/policy/modules/contrib/bird.te b/policy/modules/contrib/bird.te
index 27df06b2..e525f326 100644
--- a/policy/modules/contrib/bird.te
+++ b/policy/modules/contrib/bird.te
@@ -1,4 +1,4 @@
-policy_module(bird, 1.3.1)
+policy_module(bird, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/bitlbee.te b/policy/modules/contrib/bitlbee.te
index b30a5ec4..b71fff2d 100644
--- a/policy/modules/contrib/bitlbee.te
+++ b/policy/modules/contrib/bitlbee.te
@@ -1,4 +1,4 @@
-policy_module(bitlbee, 1.7.2)
+policy_module(bitlbee, 1.8.0)
########################################
#
diff --git a/policy/modules/contrib/bluetooth.te b/policy/modules/contrib/bluetooth.te
index 208a146b..45e5a361 100644
--- a/policy/modules/contrib/bluetooth.te
+++ b/policy/modules/contrib/bluetooth.te
@@ -1,4 +1,4 @@
-policy_module(bluetooth, 3.7.1)
+policy_module(bluetooth, 3.8.0)
########################################
#
diff --git a/policy/modules/contrib/brctl.te b/policy/modules/contrib/brctl.te
index 4582159b..fad61476 100644
--- a/policy/modules/contrib/brctl.te
+++ b/policy/modules/contrib/brctl.te
@@ -1,4 +1,4 @@
-policy_module(brctl, 1.7.2)
+policy_module(brctl, 1.8.0)
########################################
#
diff --git a/policy/modules/contrib/cachefilesd.te b/policy/modules/contrib/cachefilesd.te
index 954dc2a8..d225d745 100644
--- a/policy/modules/contrib/cachefilesd.te
+++ b/policy/modules/contrib/cachefilesd.te
@@ -1,4 +1,4 @@
-policy_module(cachefilesd, 1.3.2)
+policy_module(cachefilesd, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/callweaver.te b/policy/modules/contrib/callweaver.te
index 6bf2d777..3c8fff6f 100644
--- a/policy/modules/contrib/callweaver.te
+++ b/policy/modules/contrib/callweaver.te
@@ -1,4 +1,4 @@
-policy_module(callweaver, 1.3.1)
+policy_module(callweaver, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/canna.te b/policy/modules/contrib/canna.te
index 9fee410c..d4a2b787 100644
--- a/policy/modules/contrib/canna.te
+++ b/policy/modules/contrib/canna.te
@@ -1,4 +1,4 @@
-policy_module(canna, 1.14.1)
+policy_module(canna, 1.15.0)
########################################
#
diff --git a/policy/modules/contrib/ccs.te b/policy/modules/contrib/ccs.te
index 7da9d409..84eab68b 100644
--- a/policy/modules/contrib/ccs.te
+++ b/policy/modules/contrib/ccs.te
@@ -1,4 +1,4 @@
-policy_module(ccs, 1.10.2)
+policy_module(ccs, 1.11.0)
########################################
#
diff --git a/policy/modules/contrib/certmonger.te b/policy/modules/contrib/certmonger.te
index 0770f117..6e569dff 100644
--- a/policy/modules/contrib/certmonger.te
+++ b/policy/modules/contrib/certmonger.te
@@ -1,4 +1,4 @@
-policy_module(certmonger, 1.5.1)
+policy_module(certmonger, 1.6.0)
########################################
#
diff --git a/policy/modules/contrib/cfengine.te b/policy/modules/contrib/cfengine.te
index d381792e..be8509b5 100644
--- a/policy/modules/contrib/cfengine.te
+++ b/policy/modules/contrib/cfengine.te
@@ -1,4 +1,4 @@
-policy_module(cfengine, 1.2.1)
+policy_module(cfengine, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/cgroup.te b/policy/modules/contrib/cgroup.te
index 9705e1af..ac7294a2 100644
--- a/policy/modules/contrib/cgroup.te
+++ b/policy/modules/contrib/cgroup.te
@@ -1,4 +1,4 @@
-policy_module(cgroup, 1.5.2)
+policy_module(cgroup, 1.6.0)
########################################
#
diff --git a/policy/modules/contrib/chronyd.te b/policy/modules/contrib/chronyd.te
index d1763c87..0de7b520 100644
--- a/policy/modules/contrib/chronyd.te
+++ b/policy/modules/contrib/chronyd.te
@@ -1,4 +1,4 @@
-policy_module(chronyd, 1.4.2)
+policy_module(chronyd, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/cipe.te b/policy/modules/contrib/cipe.te
index 8b31ca11..18e06be9 100644
--- a/policy/modules/contrib/cipe.te
+++ b/policy/modules/contrib/cipe.te
@@ -1,4 +1,4 @@
-policy_module(cipe, 1.7.1)
+policy_module(cipe, 1.8.0)
########################################
#
diff --git a/policy/modules/contrib/clamav.te b/policy/modules/contrib/clamav.te
index 5706540d..2f78260f 100644
--- a/policy/modules/contrib/clamav.te
+++ b/policy/modules/contrib/clamav.te
@@ -1,4 +1,4 @@
-policy_module(clamav, 1.14.2)
+policy_module(clamav, 1.15.0)
## <desc>
## <p>
diff --git a/policy/modules/contrib/clogd.te b/policy/modules/contrib/clogd.te
index 6a667109..3f0c47ff 100644
--- a/policy/modules/contrib/clogd.te
+++ b/policy/modules/contrib/clogd.te
@@ -1,4 +1,4 @@
-policy_module(clogd, 1.2.1)
+policy_module(clogd, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/cmirrord.te b/policy/modules/contrib/cmirrord.te
index 22c88cfd..61247747 100644
--- a/policy/modules/contrib/cmirrord.te
+++ b/policy/modules/contrib/cmirrord.te
@@ -1,4 +1,4 @@
-policy_module(cmirrord, 1.3.1)
+policy_module(cmirrord, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/collectd.te b/policy/modules/contrib/collectd.te
index 4d375ce5..5feefa30 100644
--- a/policy/modules/contrib/collectd.te
+++ b/policy/modules/contrib/collectd.te
@@ -1,4 +1,4 @@
-policy_module(collectd, 1.3.1)
+policy_module(collectd, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/comsat.te b/policy/modules/contrib/comsat.te
index 9a4a146e..76323528 100644
--- a/policy/modules/contrib/comsat.te
+++ b/policy/modules/contrib/comsat.te
@@ -1,4 +1,4 @@
-policy_module(comsat, 1.8.1)
+policy_module(comsat, 1.9.0)
########################################
#
diff --git a/policy/modules/contrib/condor.te b/policy/modules/contrib/condor.te
index 18012be1..0d04d4cb 100644
--- a/policy/modules/contrib/condor.te
+++ b/policy/modules/contrib/condor.te
@@ -1,4 +1,4 @@
-policy_module(condor, 1.4.1)
+policy_module(condor, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/consolekit.te b/policy/modules/contrib/consolekit.te
index 773945cc..0a10396a 100644
--- a/policy/modules/contrib/consolekit.te
+++ b/policy/modules/contrib/consolekit.te
@@ -1,4 +1,4 @@
-policy_module(consolekit, 1.12.2)
+policy_module(consolekit, 1.13.0)
########################################
#
diff --git a/policy/modules/contrib/corosync.te b/policy/modules/contrib/corosync.te
index c8ecef1c..6f8d20c6 100644
--- a/policy/modules/contrib/corosync.te
+++ b/policy/modules/contrib/corosync.te
@@ -1,4 +1,4 @@
-policy_module(corosync, 1.3.1)
+policy_module(corosync, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/courier.te b/policy/modules/contrib/courier.te
index 57ef751c..1d873ae4 100644
--- a/policy/modules/contrib/courier.te
+++ b/policy/modules/contrib/courier.te
@@ -1,4 +1,4 @@
-policy_module(courier, 1.16.2)
+policy_module(courier, 1.17.0)
########################################
#
diff --git a/policy/modules/contrib/cpucontrol.te b/policy/modules/contrib/cpucontrol.te
index 0d255fce..aee03750 100644
--- a/policy/modules/contrib/cpucontrol.te
+++ b/policy/modules/contrib/cpucontrol.te
@@ -1,4 +1,4 @@
-policy_module(cpucontrol, 1.6.2)
+policy_module(cpucontrol, 1.7.0)
########################################
#
diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te
index b6e2fe17..8991b2c8 100644
--- a/policy/modules/contrib/cron.te
+++ b/policy/modules/contrib/cron.te
@@ -1,4 +1,4 @@
-policy_module(cron, 2.11.7)
+policy_module(cron, 2.12.0)
gen_require(`
class passwd rootok;
diff --git a/policy/modules/contrib/ctdb.te b/policy/modules/contrib/ctdb.te
index e62f3912..f52a9a4f 100644
--- a/policy/modules/contrib/ctdb.te
+++ b/policy/modules/contrib/ctdb.te
@@ -1,4 +1,4 @@
-policy_module(ctdb, 1.4.1)
+policy_module(ctdb, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te
index b57f58c1..0719ef4f 100644
--- a/policy/modules/contrib/cups.te
+++ b/policy/modules/contrib/cups.te
@@ -1,4 +1,4 @@
-policy_module(cups, 1.21.6)
+policy_module(cups, 1.22.0)
########################################
#
diff --git a/policy/modules/contrib/dante.te b/policy/modules/contrib/dante.te
index bcabb498..55d8dad3 100644
--- a/policy/modules/contrib/dante.te
+++ b/policy/modules/contrib/dante.te
@@ -1,4 +1,4 @@
-policy_module(dante, 1.11.1)
+policy_module(dante, 1.12.0)
########################################
#
diff --git a/policy/modules/contrib/dbskk.te b/policy/modules/contrib/dbskk.te
index 6b5a7471..41d6beb8 100644
--- a/policy/modules/contrib/dbskk.te
+++ b/policy/modules/contrib/dbskk.te
@@ -1,4 +1,4 @@
-policy_module(dbskk, 1.6.1)
+policy_module(dbskk, 1.7.0)
########################################
#
diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index 76f4e148..280dd8de 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -1,4 +1,4 @@
-policy_module(dbus, 1.22.8)
+policy_module(dbus, 1.23.0)
gen_require(`
class dbus all_dbus_perms;
diff --git a/policy/modules/contrib/dcc.te b/policy/modules/contrib/dcc.te
index eb05bbda..9b8a0bc1 100644
--- a/policy/modules/contrib/dcc.te
+++ b/policy/modules/contrib/dcc.te
@@ -1,4 +1,4 @@
-policy_module(dcc, 1.13.1)
+policy_module(dcc, 1.14.0)
########################################
#
diff --git a/policy/modules/contrib/ddclient.te b/policy/modules/contrib/ddclient.te
index 6e3f3bd2..ff6500ab 100644
--- a/policy/modules/contrib/ddclient.te
+++ b/policy/modules/contrib/ddclient.te
@@ -1,4 +1,4 @@
-policy_module(ddclient, 1.12.1)
+policy_module(ddclient, 1.13.0)
########################################
#
diff --git a/policy/modules/contrib/ddcprobe.te b/policy/modules/contrib/ddcprobe.te
index 4e67816a..212316cb 100644
--- a/policy/modules/contrib/ddcprobe.te
+++ b/policy/modules/contrib/ddcprobe.te
@@ -1,4 +1,4 @@
-policy_module(ddcprobe, 1.3.1)
+policy_module(ddcprobe, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/devicekit.te b/policy/modules/contrib/devicekit.te
index d2d3f830..1730193d 100644
--- a/policy/modules/contrib/devicekit.te
+++ b/policy/modules/contrib/devicekit.te
@@ -1,4 +1,4 @@
-policy_module(devicekit, 1.6.4)
+policy_module(devicekit, 1.7.0)
########################################
#
diff --git a/policy/modules/contrib/dhcp.te b/policy/modules/contrib/dhcp.te
index 77d18aee..51fc256b 100644
--- a/policy/modules/contrib/dhcp.te
+++ b/policy/modules/contrib/dhcp.te
@@ -1,4 +1,4 @@
-policy_module(dhcp, 1.14.1)
+policy_module(dhcp, 1.15.0)
########################################
#
diff --git a/policy/modules/contrib/dictd.te b/policy/modules/contrib/dictd.te
index 13947f21..acf5c932 100644
--- a/policy/modules/contrib/dictd.te
+++ b/policy/modules/contrib/dictd.te
@@ -1,4 +1,4 @@
-policy_module(dictd, 1.10.1)
+policy_module(dictd, 1.11.0)
########################################
#
diff --git a/policy/modules/contrib/dirmngr.te b/policy/modules/contrib/dirmngr.te
index 057c6baf..8f4cb991 100644
--- a/policy/modules/contrib/dirmngr.te
+++ b/policy/modules/contrib/dirmngr.te
@@ -1,4 +1,4 @@
-policy_module(dirmngr, 1.2.2)
+policy_module(dirmngr, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/dkim.te b/policy/modules/contrib/dkim.te
index 2cb15e39..54513892 100644
--- a/policy/modules/contrib/dkim.te
+++ b/policy/modules/contrib/dkim.te
@@ -1,4 +1,4 @@
-policy_module(dkim, 1.5.2)
+policy_module(dkim, 1.6.0)
########################################
#
diff --git a/policy/modules/contrib/dmidecode.te b/policy/modules/contrib/dmidecode.te
index 93000a01..1c6fc9b5 100644
--- a/policy/modules/contrib/dmidecode.te
+++ b/policy/modules/contrib/dmidecode.te
@@ -1,4 +1,4 @@
-policy_module(dmidecode, 1.6.1)
+policy_module(dmidecode, 1.7.0)
########################################
#
diff --git a/policy/modules/contrib/dnsmasq.te b/policy/modules/contrib/dnsmasq.te
index e7278d0a..2fe4c9b7 100644
--- a/policy/modules/contrib/dnsmasq.te
+++ b/policy/modules/contrib/dnsmasq.te
@@ -1,4 +1,4 @@
-policy_module(dnsmasq, 1.14.1)
+policy_module(dnsmasq, 1.15.0)
########################################
#
diff --git a/policy/modules/contrib/dnssectrigger.te b/policy/modules/contrib/dnssectrigger.te
index c48910d0..27d900a1 100644
--- a/policy/modules/contrib/dnssectrigger.te
+++ b/policy/modules/contrib/dnssectrigger.te
@@ -1,4 +1,4 @@
-policy_module(dnssectrigger, 1.3.1)
+policy_module(dnssectrigger, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/dovecot.te b/policy/modules/contrib/dovecot.te
index 208d9957..3827d093 100644
--- a/policy/modules/contrib/dovecot.te
+++ b/policy/modules/contrib/dovecot.te
@@ -1,4 +1,4 @@
-policy_module(dovecot, 1.19.2)
+policy_module(dovecot, 1.20.0)
########################################
#
diff --git a/policy/modules/contrib/dphysswapfile.te b/policy/modules/contrib/dphysswapfile.te
index fe11baec..dfd04e32 100644
--- a/policy/modules/contrib/dphysswapfile.te
+++ b/policy/modules/contrib/dphysswapfile.te
@@ -1,4 +1,4 @@
-policy_module(dphysswapfile, 1.0.3)
+policy_module(dphysswapfile, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/dpkg.te b/policy/modules/contrib/dpkg.te
index 730e38f6..9c59f073 100644
--- a/policy/modules/contrib/dpkg.te
+++ b/policy/modules/contrib/dpkg.te
@@ -1,4 +1,4 @@
-policy_module(dpkg, 1.11.8)
+policy_module(dpkg, 1.12.0)
########################################
#
diff --git a/policy/modules/contrib/drbd.te b/policy/modules/contrib/drbd.te
index e7907f2b..308e1488 100644
--- a/policy/modules/contrib/drbd.te
+++ b/policy/modules/contrib/drbd.te
@@ -1,4 +1,4 @@
-policy_module(drbd, 1.2.2)
+policy_module(drbd, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/entropyd.te b/policy/modules/contrib/entropyd.te
index a788c570..4acc526b 100644
--- a/policy/modules/contrib/entropyd.te
+++ b/policy/modules/contrib/entropyd.te
@@ -1,4 +1,4 @@
-policy_module(entropyd, 1.11.1)
+policy_module(entropyd, 1.12.0)
########################################
#
diff --git a/policy/modules/contrib/evolution.te b/policy/modules/contrib/evolution.te
index f97985e1..ed56f433 100644
--- a/policy/modules/contrib/evolution.te
+++ b/policy/modules/contrib/evolution.te
@@ -1,4 +1,4 @@
-policy_module(evolution, 2.6.3)
+policy_module(evolution, 2.7.0)
########################################
#
diff --git a/policy/modules/contrib/exim.te b/policy/modules/contrib/exim.te
index 57032186..4f884c99 100644
--- a/policy/modules/contrib/exim.te
+++ b/policy/modules/contrib/exim.te
@@ -1,4 +1,4 @@
-policy_module(exim, 1.10.2)
+policy_module(exim, 1.11.0)
########################################
#
diff --git a/policy/modules/contrib/fakehwclock.te b/policy/modules/contrib/fakehwclock.te
index 5a6e57ca..0a896a38 100644
--- a/policy/modules/contrib/fakehwclock.te
+++ b/policy/modules/contrib/fakehwclock.te
@@ -1,4 +1,4 @@
-policy_module(fakehwclock, 1.0.2)
+policy_module(fakehwclock, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/fcoe.te b/policy/modules/contrib/fcoe.te
index 20714983..3ec9397c 100644
--- a/policy/modules/contrib/fcoe.te
+++ b/policy/modules/contrib/fcoe.te
@@ -1,4 +1,4 @@
-policy_module(fcoe, 1.3.1)
+policy_module(fcoe, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/fetchmail.te b/policy/modules/contrib/fetchmail.te
index 7e796c31..ca6f269f 100644
--- a/policy/modules/contrib/fetchmail.te
+++ b/policy/modules/contrib/fetchmail.te
@@ -1,4 +1,4 @@
-policy_module(fetchmail, 1.16.2)
+policy_module(fetchmail, 1.17.0)
########################################
#
diff --git a/policy/modules/contrib/finger.te b/policy/modules/contrib/finger.te
index 2619a20b..92a0161f 100644
--- a/policy/modules/contrib/finger.te
+++ b/policy/modules/contrib/finger.te
@@ -1,4 +1,4 @@
-policy_module(finger, 1.12.1)
+policy_module(finger, 1.13.0)
########################################
#
diff --git a/policy/modules/contrib/firewalld.te b/policy/modules/contrib/firewalld.te
index c05dff4e..2c930fe5 100644
--- a/policy/modules/contrib/firewalld.te
+++ b/policy/modules/contrib/firewalld.te
@@ -1,4 +1,4 @@
-policy_module(firewalld, 1.5.2)
+policy_module(firewalld, 1.6.0)
########################################
#
diff --git a/policy/modules/contrib/firstboot.te b/policy/modules/contrib/firstboot.te
index a1afc1b7..3c934675 100644
--- a/policy/modules/contrib/firstboot.te
+++ b/policy/modules/contrib/firstboot.te
@@ -1,4 +1,4 @@
-policy_module(firstboot, 1.13.2)
+policy_module(firstboot, 1.14.0)
gen_require(`
class passwd { passwd chfn chsh rootok };
diff --git a/policy/modules/contrib/ftp.te b/policy/modules/contrib/ftp.te
index f18dc97b..0a5465a6 100644
--- a/policy/modules/contrib/ftp.te
+++ b/policy/modules/contrib/ftp.te
@@ -1,4 +1,4 @@
-policy_module(ftp, 1.20.1)
+policy_module(ftp, 1.21.0)
########################################
#
diff --git a/policy/modules/contrib/gatekeeper.te b/policy/modules/contrib/gatekeeper.te
index 504f10e4..a2a4b41c 100644
--- a/policy/modules/contrib/gatekeeper.te
+++ b/policy/modules/contrib/gatekeeper.te
@@ -1,4 +1,4 @@
-policy_module(gatekeeper, 1.10.1)
+policy_module(gatekeeper, 1.11.0)
########################################
#
diff --git a/policy/modules/contrib/glusterfs.te b/policy/modules/contrib/glusterfs.te
index c32ed752..54bd1807 100644
--- a/policy/modules/contrib/glusterfs.te
+++ b/policy/modules/contrib/glusterfs.te
@@ -1,4 +1,4 @@
-policy_module(glusterfs, 1.4.1)
+policy_module(glusterfs, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te
index 89a336c4..e442dced 100644
--- a/policy/modules/contrib/gnome.te
+++ b/policy/modules/contrib/gnome.te
@@ -1,4 +1,4 @@
-policy_module(gnome, 2.7.4)
+policy_module(gnome, 2.8.0)
##############################
#
diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index 016e8893..a235627e 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -1,4 +1,4 @@
-policy_module(gpg, 2.11.3)
+policy_module(gpg, 2.12.0)
########################################
#
diff --git a/policy/modules/contrib/gpm.te b/policy/modules/contrib/gpm.te
index 4452e0e6..39000d85 100644
--- a/policy/modules/contrib/gpm.te
+++ b/policy/modules/contrib/gpm.te
@@ -1,4 +1,4 @@
-policy_module(gpm, 1.11.2)
+policy_module(gpm, 1.12.0)
########################################
#
diff --git a/policy/modules/contrib/gpsd.te b/policy/modules/contrib/gpsd.te
index 20c377aa..d4aacb79 100644
--- a/policy/modules/contrib/gpsd.te
+++ b/policy/modules/contrib/gpsd.te
@@ -1,4 +1,4 @@
-policy_module(gpsd, 1.4.1)
+policy_module(gpsd, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/hal.te b/policy/modules/contrib/hal.te
index bce0de22..9bfd37fb 100644
--- a/policy/modules/contrib/hal.te
+++ b/policy/modules/contrib/hal.te
@@ -1,4 +1,4 @@
-policy_module(hal, 1.17.3)
+policy_module(hal, 1.18.0)
########################################
#
diff --git a/policy/modules/contrib/hddtemp.te b/policy/modules/contrib/hddtemp.te
index 135d8844..2f925799 100644
--- a/policy/modules/contrib/hddtemp.te
+++ b/policy/modules/contrib/hddtemp.te
@@ -1,4 +1,4 @@
-policy_module(hddtemp, 1.3.1)
+policy_module(hddtemp, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/hwloc.te b/policy/modules/contrib/hwloc.te
index e6d6e0ae..e0e2243f 100644
--- a/policy/modules/contrib/hwloc.te
+++ b/policy/modules/contrib/hwloc.te
@@ -1,4 +1,4 @@
-policy_module(hwloc, 1.1.1)
+policy_module(hwloc, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/hypervkvp.te b/policy/modules/contrib/hypervkvp.te
index 8af768a4..33623eba 100644
--- a/policy/modules/contrib/hypervkvp.te
+++ b/policy/modules/contrib/hypervkvp.te
@@ -1,4 +1,4 @@
-policy_module(hypervkvp, 1.1.1)
+policy_module(hypervkvp, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/i18n_input.te b/policy/modules/contrib/i18n_input.te
index 6cb963ca..a61725be 100644
--- a/policy/modules/contrib/i18n_input.te
+++ b/policy/modules/contrib/i18n_input.te
@@ -1,4 +1,4 @@
-policy_module(i18n_input, 1.11.1)
+policy_module(i18n_input, 1.12.0)
########################################
#
diff --git a/policy/modules/contrib/ifplugd.te b/policy/modules/contrib/ifplugd.te
index 46cc865a..9267c1b8 100644
--- a/policy/modules/contrib/ifplugd.te
+++ b/policy/modules/contrib/ifplugd.te
@@ -1,4 +1,4 @@
-policy_module(ifplugd, 1.3.1)
+policy_module(ifplugd, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/inetd.te b/policy/modules/contrib/inetd.te
index 678cacdf..277a8ad4 100644
--- a/policy/modules/contrib/inetd.te
+++ b/policy/modules/contrib/inetd.te
@@ -1,4 +1,4 @@
-policy_module(inetd, 1.14.2)
+policy_module(inetd, 1.15.0)
########################################
#
diff --git a/policy/modules/contrib/inn.te b/policy/modules/contrib/inn.te
index fd579875..a1575e90 100644
--- a/policy/modules/contrib/inn.te
+++ b/policy/modules/contrib/inn.te
@@ -1,4 +1,4 @@
-policy_module(inn, 1.13.1)
+policy_module(inn, 1.14.0)
########################################
#
diff --git a/policy/modules/contrib/iodine.te b/policy/modules/contrib/iodine.te
index f0896487..c918bbf4 100644
--- a/policy/modules/contrib/iodine.te
+++ b/policy/modules/contrib/iodine.te
@@ -1,4 +1,4 @@
-policy_module(iodine, 1.2.3)
+policy_module(iodine, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/ircd.te b/policy/modules/contrib/ircd.te
index 75aaa8f9..a50373e0 100644
--- a/policy/modules/contrib/ircd.te
+++ b/policy/modules/contrib/ircd.te
@@ -1,4 +1,4 @@
-policy_module(ircd, 1.10.1)
+policy_module(ircd, 1.11.0)
########################################
#
diff --git a/policy/modules/contrib/irqbalance.te b/policy/modules/contrib/irqbalance.te
index 0c78171b..a71058d8 100644
--- a/policy/modules/contrib/irqbalance.te
+++ b/policy/modules/contrib/irqbalance.te
@@ -1,4 +1,4 @@
-policy_module(irqbalance, 1.9.1)
+policy_module(irqbalance, 1.10.0)
########################################
#
diff --git a/policy/modules/contrib/iscsi.te b/policy/modules/contrib/iscsi.te
index ebd7b255..9457ef29 100644
--- a/policy/modules/contrib/iscsi.te
+++ b/policy/modules/contrib/iscsi.te
@@ -1,4 +1,4 @@
-policy_module(iscsi, 1.11.2)
+policy_module(iscsi, 1.12.0)
########################################
#
diff --git a/policy/modules/contrib/isns.te b/policy/modules/contrib/isns.te
index 1afc0a09..b6780d1e 100644
--- a/policy/modules/contrib/isns.te
+++ b/policy/modules/contrib/isns.te
@@ -1,4 +1,4 @@
-policy_module(isns, 1.2.1)
+policy_module(isns, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/jabber.te b/policy/modules/contrib/jabber.te
index 954f3613..7bed09fd 100644
--- a/policy/modules/contrib/jabber.te
+++ b/policy/modules/contrib/jabber.te
@@ -1,4 +1,4 @@
-policy_module(jabber, 1.12.2)
+policy_module(jabber, 1.13.0)
########################################
#
diff --git a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te
index 9c5c7f2c..fcf083a7 100644
--- a/policy/modules/contrib/java.te
+++ b/policy/modules/contrib/java.te
@@ -1,4 +1,4 @@
-policy_module(java, 2.9.3)
+policy_module(java, 2.10.0)
########################################
#
diff --git a/policy/modules/contrib/jockey.te b/policy/modules/contrib/jockey.te
index be4deb65..520543c0 100644
--- a/policy/modules/contrib/jockey.te
+++ b/policy/modules/contrib/jockey.te
@@ -1,4 +1,4 @@
-policy_module(jockey, 1.0.1)
+policy_module(jockey, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/kdump.te b/policy/modules/contrib/kdump.te
index 659b3aeb..4e27a84f 100644
--- a/policy/modules/contrib/kdump.te
+++ b/policy/modules/contrib/kdump.te
@@ -1,4 +1,4 @@
-policy_module(kdump, 1.5.3)
+policy_module(kdump, 1.6.0)
#######################################
#
diff --git a/policy/modules/contrib/kerberos.te b/policy/modules/contrib/kerberos.te
index 2c75d8ec..91ca8aac 100644
--- a/policy/modules/contrib/kerberos.te
+++ b/policy/modules/contrib/kerberos.te
@@ -1,4 +1,4 @@
-policy_module(kerberos, 1.14.1)
+policy_module(kerberos, 1.15.0)
########################################
#
diff --git a/policy/modules/contrib/kerneloops.te b/policy/modules/contrib/kerneloops.te
index f974f045..acf8d073 100644
--- a/policy/modules/contrib/kerneloops.te
+++ b/policy/modules/contrib/kerneloops.te
@@ -1,4 +1,4 @@
-policy_module(kerneloops, 1.6.3)
+policy_module(kerneloops, 1.7.0)
########################################
#
diff --git a/policy/modules/contrib/ksmtuned.te b/policy/modules/contrib/ksmtuned.te
index bbfdb4c8..97cfdc2d 100644
--- a/policy/modules/contrib/ksmtuned.te
+++ b/policy/modules/contrib/ksmtuned.te
@@ -1,4 +1,4 @@
-policy_module(ksmtuned, 1.4.1)
+policy_module(ksmtuned, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/ktalk.te b/policy/modules/contrib/ktalk.te
index bcd12a05..f190b5b2 100644
--- a/policy/modules/contrib/ktalk.te
+++ b/policy/modules/contrib/ktalk.te
@@ -1,4 +1,4 @@
-policy_module(ktalk, 1.10.1)
+policy_module(ktalk, 1.11.0)
########################################
#
diff --git a/policy/modules/contrib/kudzu.te b/policy/modules/contrib/kudzu.te
index e893b789..1ec6b513 100644
--- a/policy/modules/contrib/kudzu.te
+++ b/policy/modules/contrib/kudzu.te
@@ -1,4 +1,4 @@
-policy_module(kudzu, 1.12.3)
+policy_module(kudzu, 1.13.0)
########################################
#
diff --git a/policy/modules/contrib/l2tp.te b/policy/modules/contrib/l2tp.te
index a0f598e1..2fd53698 100644
--- a/policy/modules/contrib/l2tp.te
+++ b/policy/modules/contrib/l2tp.te
@@ -1,4 +1,4 @@
-policy_module(l2tp, 1.3.1)
+policy_module(l2tp, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/ldap.te b/policy/modules/contrib/ldap.te
index 35a1ff33..c3e52459 100644
--- a/policy/modules/contrib/ldap.te
+++ b/policy/modules/contrib/ldap.te
@@ -1,4 +1,4 @@
-policy_module(ldap, 1.15.1)
+policy_module(ldap, 1.16.0)
########################################
#
diff --git a/policy/modules/contrib/likewise.te b/policy/modules/contrib/likewise.te
index a0673fd5..d2a736ef 100644
--- a/policy/modules/contrib/likewise.te
+++ b/policy/modules/contrib/likewise.te
@@ -1,4 +1,4 @@
-policy_module(likewise, 1.5.1)
+policy_module(likewise, 1.6.0)
#################################
#
diff --git a/policy/modules/contrib/lircd.te b/policy/modules/contrib/lircd.te
index 1be40213..e85b2aa9 100644
--- a/policy/modules/contrib/lircd.te
+++ b/policy/modules/contrib/lircd.te
@@ -1,4 +1,4 @@
-policy_module(lircd, 1.4.1)
+policy_module(lircd, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/lldpad.te b/policy/modules/contrib/lldpad.te
index b30a33d1..3251f91d 100644
--- a/policy/modules/contrib/lldpad.te
+++ b/policy/modules/contrib/lldpad.te
@@ -1,4 +1,4 @@
-policy_module(lldpad, 1.3.1)
+policy_module(lldpad, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/loadkeys.te b/policy/modules/contrib/loadkeys.te
index ce63f0ee..1976e2cb 100644
--- a/policy/modules/contrib/loadkeys.te
+++ b/policy/modules/contrib/loadkeys.te
@@ -1,4 +1,4 @@
-policy_module(loadkeys, 1.11.3)
+policy_module(loadkeys, 1.12.0)
########################################
#
diff --git a/policy/modules/contrib/lockdev.te b/policy/modules/contrib/lockdev.te
index f60ee157..b9c34625 100644
--- a/policy/modules/contrib/lockdev.te
+++ b/policy/modules/contrib/lockdev.te
@@ -1,4 +1,4 @@
-policy_module(lockdev, 1.5.1)
+policy_module(lockdev, 1.6.0)
########################################
#
diff --git a/policy/modules/contrib/logrotate.te b/policy/modules/contrib/logrotate.te
index b0176afb..4593e98f 100644
--- a/policy/modules/contrib/logrotate.te
+++ b/policy/modules/contrib/logrotate.te
@@ -1,4 +1,4 @@
-policy_module(logrotate, 1.18.4)
+policy_module(logrotate, 1.19.0)
########################################
#
diff --git a/policy/modules/contrib/logwatch.te b/policy/modules/contrib/logwatch.te
index 0e115309..f20454ab 100644
--- a/policy/modules/contrib/logwatch.te
+++ b/policy/modules/contrib/logwatch.te
@@ -1,4 +1,4 @@
-policy_module(logwatch, 1.14.2)
+policy_module(logwatch, 1.15.0)
#################################
#
diff --git a/policy/modules/contrib/lpd.te b/policy/modules/contrib/lpd.te
index 64fd6e50..149a30ac 100644
--- a/policy/modules/contrib/lpd.te
+++ b/policy/modules/contrib/lpd.te
@@ -1,4 +1,4 @@
-policy_module(lpd, 1.15.3)
+policy_module(lpd, 1.16.0)
########################################
#
diff --git a/policy/modules/contrib/mailman.te b/policy/modules/contrib/mailman.te
index ee5de49c..ca7f7b45 100644
--- a/policy/modules/contrib/mailman.te
+++ b/policy/modules/contrib/mailman.te
@@ -1,4 +1,4 @@
-policy_module(mailman, 1.12.2)
+policy_module(mailman, 1.13.0)
########################################
#
diff --git a/policy/modules/contrib/mailscanner.te b/policy/modules/contrib/mailscanner.te
index 2da0a226..1011e3b2 100644
--- a/policy/modules/contrib/mailscanner.te
+++ b/policy/modules/contrib/mailscanner.te
@@ -1,4 +1,4 @@
-policy_module(mailscanner, 1.3.1)
+policy_module(mailscanner, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/mandb.te b/policy/modules/contrib/mandb.te
index 70fb5072..5c759da4 100644
--- a/policy/modules/contrib/mandb.te
+++ b/policy/modules/contrib/mandb.te
@@ -1,4 +1,4 @@
-policy_module(mandb, 1.3.2)
+policy_module(mandb, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/mcelog.te b/policy/modules/contrib/mcelog.te
index d5e1cba0..1c342132 100644
--- a/policy/modules/contrib/mcelog.te
+++ b/policy/modules/contrib/mcelog.te
@@ -1,4 +1,4 @@
-policy_module(mcelog, 1.5.1)
+policy_module(mcelog, 1.6.0)
########################################
#
diff --git a/policy/modules/contrib/milter.te b/policy/modules/contrib/milter.te
index 96c0c59d..d0e9c1b0 100644
--- a/policy/modules/contrib/milter.te
+++ b/policy/modules/contrib/milter.te
@@ -1,4 +1,4 @@
-policy_module(milter, 1.6.2)
+policy_module(milter, 1.7.0)
########################################
#
diff --git a/policy/modules/contrib/minidlna.te b/policy/modules/contrib/minidlna.te
index 7b8aa39d..9358462f 100644
--- a/policy/modules/contrib/minidlna.te
+++ b/policy/modules/contrib/minidlna.te
@@ -1,4 +1,4 @@
-policy_module(minidlna, 1.1.1)
+policy_module(minidlna, 1.2.0)
#############################################
#
diff --git a/policy/modules/contrib/minissdpd.te b/policy/modules/contrib/minissdpd.te
index 5145a16a..86d0d54e 100644
--- a/policy/modules/contrib/minissdpd.te
+++ b/policy/modules/contrib/minissdpd.te
@@ -1,4 +1,4 @@
-policy_module(minissdpd, 1.3.1)
+policy_module(minissdpd, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/modemmanager.te b/policy/modules/contrib/modemmanager.te
index b4236dd7..8dcbeead 100644
--- a/policy/modules/contrib/modemmanager.te
+++ b/policy/modules/contrib/modemmanager.te
@@ -1,4 +1,4 @@
-policy_module(modemmanager, 1.4.1)
+policy_module(modemmanager, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/mon.te b/policy/modules/contrib/mon.te
index b8a92025..f69cad31 100644
--- a/policy/modules/contrib/mon.te
+++ b/policy/modules/contrib/mon.te
@@ -1,4 +1,4 @@
-policy_module(mon, 1.0.4)
+policy_module(mon, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/monit.te b/policy/modules/contrib/monit.te
index 3f929253..9b7a605b 100644
--- a/policy/modules/contrib/monit.te
+++ b/policy/modules/contrib/monit.te
@@ -1,4 +1,4 @@
-policy_module(monit, 1.0.2)
+policy_module(monit, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/monop.te b/policy/modules/contrib/monop.te
index 9337497d..b27c06c3 100644
--- a/policy/modules/contrib/monop.te
+++ b/policy/modules/contrib/monop.te
@@ -1,4 +1,4 @@
-policy_module(monop, 1.10.1)
+policy_module(monop, 1.11.0)
########################################
#
diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
index ecd97b65..7b901dff 100644
--- a/policy/modules/contrib/mozilla.te
+++ b/policy/modules/contrib/mozilla.te
@@ -1,4 +1,4 @@
-policy_module(mozilla, 2.11.4)
+policy_module(mozilla, 2.12.0)
########################################
#
diff --git a/policy/modules/contrib/mrtg.te b/policy/modules/contrib/mrtg.te
index 96d48f37..953738e9 100644
--- a/policy/modules/contrib/mrtg.te
+++ b/policy/modules/contrib/mrtg.te
@@ -1,4 +1,4 @@
-policy_module(mrtg, 1.11.1)
+policy_module(mrtg, 1.12.0)
########################################
#
diff --git a/policy/modules/contrib/mta.te b/policy/modules/contrib/mta.te
index a330ed83..86833600 100644
--- a/policy/modules/contrib/mta.te
+++ b/policy/modules/contrib/mta.te
@@ -1,4 +1,4 @@
-policy_module(mta, 2.8.7)
+policy_module(mta, 2.9.0)
########################################
#
diff --git a/policy/modules/contrib/munin.te b/policy/modules/contrib/munin.te
index fba6470b..137c82e6 100644
--- a/policy/modules/contrib/munin.te
+++ b/policy/modules/contrib/munin.te
@@ -1,4 +1,4 @@
-policy_module(munin, 1.12.1)
+policy_module(munin, 1.13.0)
########################################
#
diff --git a/policy/modules/contrib/mysql.te b/policy/modules/contrib/mysql.te
index 04d9c9e9..df8e7899 100644
--- a/policy/modules/contrib/mysql.te
+++ b/policy/modules/contrib/mysql.te
@@ -1,4 +1,4 @@
-policy_module(mysql, 1.19.2)
+policy_module(mysql, 1.20.0)
########################################
#
diff --git a/policy/modules/contrib/nagios.te b/policy/modules/contrib/nagios.te
index 15e98965..031c43e4 100644
--- a/policy/modules/contrib/nagios.te
+++ b/policy/modules/contrib/nagios.te
@@ -1,4 +1,4 @@
-policy_module(nagios, 1.15.2)
+policy_module(nagios, 1.16.0)
########################################
#
diff --git a/policy/modules/contrib/ncftool.te b/policy/modules/contrib/ncftool.te
index 736e159b..676567d8 100644
--- a/policy/modules/contrib/ncftool.te
+++ b/policy/modules/contrib/ncftool.te
@@ -1,4 +1,4 @@
-policy_module(ncftool, 1.2.1)
+policy_module(ncftool, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/nessus.te b/policy/modules/contrib/nessus.te
index ba5114fa..a9eaab63 100644
--- a/policy/modules/contrib/nessus.te
+++ b/policy/modules/contrib/nessus.te
@@ -1,4 +1,4 @@
-policy_module(nessus, 1.11.1)
+policy_module(nessus, 1.12.0)
########################################
#
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index e3a9f6d6..a07ad8f9 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -1,4 +1,4 @@
-policy_module(networkmanager, 1.20.8)
+policy_module(networkmanager, 1.21.0)
########################################
#
diff --git a/policy/modules/contrib/nis.te b/policy/modules/contrib/nis.te
index 11a3bde2..cb1fc97a 100644
--- a/policy/modules/contrib/nis.te
+++ b/policy/modules/contrib/nis.te
@@ -1,4 +1,4 @@
-policy_module(nis, 1.15.2)
+policy_module(nis, 1.16.0)
########################################
#
diff --git a/policy/modules/contrib/nscd.te b/policy/modules/contrib/nscd.te
index 93daee41..6a905d98 100644
--- a/policy/modules/contrib/nscd.te
+++ b/policy/modules/contrib/nscd.te
@@ -1,4 +1,4 @@
-policy_module(nscd, 1.15.1)
+policy_module(nscd, 1.16.0)
gen_require(`
class nscd all_nscd_perms;
diff --git a/policy/modules/contrib/nsd.te b/policy/modules/contrib/nsd.te
index 8851506f..eb405114 100644
--- a/policy/modules/contrib/nsd.te
+++ b/policy/modules/contrib/nsd.te
@@ -1,4 +1,4 @@
-policy_module(nsd, 1.10.1)
+policy_module(nsd, 1.11.0)
########################################
#
diff --git a/policy/modules/contrib/nslcd.te b/policy/modules/contrib/nslcd.te
index eb6ed983..9f30667a 100644
--- a/policy/modules/contrib/nslcd.te
+++ b/policy/modules/contrib/nslcd.te
@@ -1,4 +1,4 @@
-policy_module(nslcd, 1.7.1)
+policy_module(nslcd, 1.8.0)
########################################
#
diff --git a/policy/modules/contrib/ntop.te b/policy/modules/contrib/ntop.te
index 1b5251a5..178bbb1d 100644
--- a/policy/modules/contrib/ntop.te
+++ b/policy/modules/contrib/ntop.te
@@ -1,4 +1,4 @@
-policy_module(ntop, 1.12.1)
+policy_module(ntop, 1.13.0)
########################################
#
diff --git a/policy/modules/contrib/ntp.te b/policy/modules/contrib/ntp.te
index 04e82eb3..66c8eaa9 100644
--- a/policy/modules/contrib/ntp.te
+++ b/policy/modules/contrib/ntp.te
@@ -1,4 +1,4 @@
-policy_module(ntp, 1.16.6)
+policy_module(ntp, 1.17.0)
########################################
#
diff --git a/policy/modules/contrib/nut.te b/policy/modules/contrib/nut.te
index 0a12ac89..05be0195 100644
--- a/policy/modules/contrib/nut.te
+++ b/policy/modules/contrib/nut.te
@@ -1,4 +1,4 @@
-policy_module(nut, 1.6.2)
+policy_module(nut, 1.7.0)
########################################
#
diff --git a/policy/modules/contrib/oav.te b/policy/modules/contrib/oav.te
index 4a171f13..e2b36d4f 100644
--- a/policy/modules/contrib/oav.te
+++ b/policy/modules/contrib/oav.te
@@ -1,4 +1,4 @@
-policy_module(oav, 1.10.1)
+policy_module(oav, 1.11.0)
########################################
#
diff --git a/policy/modules/contrib/oddjob.te b/policy/modules/contrib/oddjob.te
index dd34cec0..39e2dcf5 100644
--- a/policy/modules/contrib/oddjob.te
+++ b/policy/modules/contrib/oddjob.te
@@ -1,4 +1,4 @@
-policy_module(oddjob, 1.11.2)
+policy_module(oddjob, 1.12.0)
########################################
#
diff --git a/policy/modules/contrib/oident.te b/policy/modules/contrib/oident.te
index 6d19804e..96e4d87c 100644
--- a/policy/modules/contrib/oident.te
+++ b/policy/modules/contrib/oident.te
@@ -1,4 +1,4 @@
-policy_module(oident, 2.4.1)
+policy_module(oident, 2.5.0)
########################################
#
diff --git a/policy/modules/contrib/openct.te b/policy/modules/contrib/openct.te
index c4157e74..3f424656 100644
--- a/policy/modules/contrib/openct.te
+++ b/policy/modules/contrib/openct.te
@@ -1,4 +1,4 @@
-policy_module(openct, 1.9.1)
+policy_module(openct, 1.10.0)
########################################
#
diff --git a/policy/modules/contrib/openhpi.te b/policy/modules/contrib/openhpi.te
index d33d901a..65b538c0 100644
--- a/policy/modules/contrib/openhpi.te
+++ b/policy/modules/contrib/openhpi.te
@@ -1,4 +1,4 @@
-policy_module(openhpi, 1.3.1)
+policy_module(openhpi, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/openoffice.te b/policy/modules/contrib/openoffice.te
index 7f250ca4..ce93d314 100644
--- a/policy/modules/contrib/openoffice.te
+++ b/policy/modules/contrib/openoffice.te
@@ -1,4 +1,4 @@
-policy_module(openoffice, 1.1.3)
+policy_module(openoffice, 1.2.0)
##############################
#
diff --git a/policy/modules/contrib/openvpn.te b/policy/modules/contrib/openvpn.te
index 49c3dc0e..f282b1fe 100644
--- a/policy/modules/contrib/openvpn.te
+++ b/policy/modules/contrib/openvpn.te
@@ -1,4 +1,4 @@
-policy_module(openvpn, 1.15.2)
+policy_module(openvpn, 1.16.0)
########################################
#
diff --git a/policy/modules/contrib/pacemaker.te b/policy/modules/contrib/pacemaker.te
index d5509e77..a7c5c2f9 100644
--- a/policy/modules/contrib/pacemaker.te
+++ b/policy/modules/contrib/pacemaker.te
@@ -1,4 +1,4 @@
-policy_module(pacemaker, 1.3.1)
+policy_module(pacemaker, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/pcmcia.te b/policy/modules/contrib/pcmcia.te
index 63a42663..9074bcbd 100644
--- a/policy/modules/contrib/pcmcia.te
+++ b/policy/modules/contrib/pcmcia.te
@@ -1,4 +1,4 @@
-policy_module(pcmcia, 1.8.3)
+policy_module(pcmcia, 1.9.0)
########################################
#
diff --git a/policy/modules/contrib/pcscd.te b/policy/modules/contrib/pcscd.te
index 1b3b1302..247fe5c8 100644
--- a/policy/modules/contrib/pcscd.te
+++ b/policy/modules/contrib/pcscd.te
@@ -1,4 +1,4 @@
-policy_module(pcscd, 1.12.1)
+policy_module(pcscd, 1.13.0)
########################################
#
diff --git a/policy/modules/contrib/pegasus.te b/policy/modules/contrib/pegasus.te
index 1648e483..2af2dda5 100644
--- a/policy/modules/contrib/pegasus.te
+++ b/policy/modules/contrib/pegasus.te
@@ -1,4 +1,4 @@
-policy_module(pegasus, 1.12.1)
+policy_module(pegasus, 1.13.0)
########################################
#
diff --git a/policy/modules/contrib/perdition.te b/policy/modules/contrib/perdition.te
index 42df124f..82e24cc8 100644
--- a/policy/modules/contrib/perdition.te
+++ b/policy/modules/contrib/perdition.te
@@ -1,4 +1,4 @@
-policy_module(perdition, 1.10.2)
+policy_module(perdition, 1.11.0)
########################################
#
diff --git a/policy/modules/contrib/pingd.te b/policy/modules/contrib/pingd.te
index 6614fd9e..8dad7633 100644
--- a/policy/modules/contrib/pingd.te
+++ b/policy/modules/contrib/pingd.te
@@ -1,4 +1,4 @@
-policy_module(pingd, 1.2.1)
+policy_module(pingd, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/pkcs.te b/policy/modules/contrib/pkcs.te
index eeb4bacd..17b471d6 100644
--- a/policy/modules/contrib/pkcs.te
+++ b/policy/modules/contrib/pkcs.te
@@ -1,4 +1,4 @@
-policy_module(pkcs, 1.3.1)
+policy_module(pkcs, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/plymouthd.te b/policy/modules/contrib/plymouthd.te
index 71467854..89000ec9 100644
--- a/policy/modules/contrib/plymouthd.te
+++ b/policy/modules/contrib/plymouthd.te
@@ -1,4 +1,4 @@
-policy_module(plymouthd, 1.4.3)
+policy_module(plymouthd, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/policykit.te b/policy/modules/contrib/policykit.te
index fc89a486..b8188a51 100644
--- a/policy/modules/contrib/policykit.te
+++ b/policy/modules/contrib/policykit.te
@@ -1,4 +1,4 @@
-policy_module(policykit, 1.6.2)
+policy_module(policykit, 1.7.0)
########################################
#
diff --git a/policy/modules/contrib/portage.te b/policy/modules/contrib/portage.te
index 9566409e..2387c941 100644
--- a/policy/modules/contrib/portage.te
+++ b/policy/modules/contrib/portage.te
@@ -1,4 +1,4 @@
-policy_module(portage, 1.14.1)
+policy_module(portage, 1.15.0)
########################################
#
diff --git a/policy/modules/contrib/portmap.te b/policy/modules/contrib/portmap.te
index b894502e..4620bb8c 100644
--- a/policy/modules/contrib/portmap.te
+++ b/policy/modules/contrib/portmap.te
@@ -1,4 +1,4 @@
-policy_module(portmap, 1.13.2)
+policy_module(portmap, 1.14.0)
########################################
#
diff --git a/policy/modules/contrib/portreserve.te b/policy/modules/contrib/portreserve.te
index 298d5905..4a42d7ce 100644
--- a/policy/modules/contrib/portreserve.te
+++ b/policy/modules/contrib/portreserve.te
@@ -1,4 +1,4 @@
-policy_module(portreserve, 1.6.2)
+policy_module(portreserve, 1.7.0)
########################################
#
diff --git a/policy/modules/contrib/portslave.te b/policy/modules/contrib/portslave.te
index 217bebaf..64282695 100644
--- a/policy/modules/contrib/portslave.te
+++ b/policy/modules/contrib/portslave.te
@@ -1,4 +1,4 @@
-policy_module(portslave, 1.8.1)
+policy_module(portslave, 1.9.0)
########################################
#
diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te
index 33f2cdd1..62eaeba3 100644
--- a/policy/modules/contrib/postfix.te
+++ b/policy/modules/contrib/postfix.te
@@ -1,4 +1,4 @@
-policy_module(postfix, 1.17.3)
+policy_module(postfix, 1.18.0)
########################################
#
diff --git a/policy/modules/contrib/postfixpolicyd.te b/policy/modules/contrib/postfixpolicyd.te
index 082b2a06..78e565be 100644
--- a/policy/modules/contrib/postfixpolicyd.te
+++ b/policy/modules/contrib/postfixpolicyd.te
@@ -1,4 +1,4 @@
-policy_module(postfixpolicyd, 1.5.2)
+policy_module(postfixpolicyd, 1.6.0)
########################################
#
diff --git a/policy/modules/contrib/postgrey.te b/policy/modules/contrib/postgrey.te
index 0628a4e5..70aaf77e 100644
--- a/policy/modules/contrib/postgrey.te
+++ b/policy/modules/contrib/postgrey.te
@@ -1,4 +1,4 @@
-policy_module(postgrey, 1.11.2)
+policy_module(postgrey, 1.12.0)
########################################
#
diff --git a/policy/modules/contrib/ppp.te b/policy/modules/contrib/ppp.te
index 8f05b2d6..d5c80292 100644
--- a/policy/modules/contrib/ppp.te
+++ b/policy/modules/contrib/ppp.te
@@ -1,4 +1,4 @@
-policy_module(ppp, 1.17.3)
+policy_module(ppp, 1.18.0)
########################################
#
diff --git a/policy/modules/contrib/prelink.te b/policy/modules/contrib/prelink.te
index 3198c925..db7d5974 100644
--- a/policy/modules/contrib/prelink.te
+++ b/policy/modules/contrib/prelink.te
@@ -1,4 +1,4 @@
-policy_module(prelink, 1.11.2)
+policy_module(prelink, 1.12.0)
########################################
#
diff --git a/policy/modules/contrib/prelude.te b/policy/modules/contrib/prelude.te
index 5c8efc5d..187cac12 100644
--- a/policy/modules/contrib/prelude.te
+++ b/policy/modules/contrib/prelude.te
@@ -1,4 +1,4 @@
-policy_module(prelude, 1.7.2)
+policy_module(prelude, 1.8.0)
########################################
#
diff --git a/policy/modules/contrib/privoxy.te b/policy/modules/contrib/privoxy.te
index 5205da69..8f6b50cb 100644
--- a/policy/modules/contrib/privoxy.te
+++ b/policy/modules/contrib/privoxy.te
@@ -1,4 +1,4 @@
-policy_module(privoxy, 1.14.1)
+policy_module(privoxy, 1.15.0)
########################################
#
diff --git a/policy/modules/contrib/procmail.te b/policy/modules/contrib/procmail.te
index cdd23cc9..deb10b38 100644
--- a/policy/modules/contrib/procmail.te
+++ b/policy/modules/contrib/procmail.te
@@ -1,4 +1,4 @@
-policy_module(procmail, 1.14.1)
+policy_module(procmail, 1.15.0)
########################################
#
diff --git a/policy/modules/contrib/psad.te b/policy/modules/contrib/psad.te
index 53fc70b2..a18acb8c 100644
--- a/policy/modules/contrib/psad.te
+++ b/policy/modules/contrib/psad.te
@@ -1,4 +1,4 @@
-policy_module(psad, 1.4.1)
+policy_module(psad, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/pxe.te b/policy/modules/contrib/pxe.te
index c9ef2a2c..66b5fda4 100644
--- a/policy/modules/contrib/pxe.te
+++ b/policy/modules/contrib/pxe.te
@@ -1,4 +1,4 @@
-policy_module(pxe, 1.7.1)
+policy_module(pxe, 1.8.0)
########################################
#
diff --git a/policy/modules/contrib/qemu.te b/policy/modules/contrib/qemu.te
index 6581907a..0fe74b0f 100644
--- a/policy/modules/contrib/qemu.te
+++ b/policy/modules/contrib/qemu.te
@@ -1,4 +1,4 @@
-policy_module(qemu, 1.9.2)
+policy_module(qemu, 1.10.0)
########################################
#
diff --git a/policy/modules/contrib/qmail.te b/policy/modules/contrib/qmail.te
index 99b31343..8abb5f9b 100644
--- a/policy/modules/contrib/qmail.te
+++ b/policy/modules/contrib/qmail.te
@@ -1,4 +1,4 @@
-policy_module(qmail, 1.7.1)
+policy_module(qmail, 1.8.0)
########################################
#
diff --git a/policy/modules/contrib/qpid.te b/policy/modules/contrib/qpid.te
index 4a7e0bf9..533fbb16 100644
--- a/policy/modules/contrib/qpid.te
+++ b/policy/modules/contrib/qpid.te
@@ -1,4 +1,4 @@
-policy_module(qpid, 1.3.1)
+policy_module(qpid, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/quota.te b/policy/modules/contrib/quota.te
index 6100ff21..e85d6d8b 100644
--- a/policy/modules/contrib/quota.te
+++ b/policy/modules/contrib/quota.te
@@ -1,4 +1,4 @@
-policy_module(quota, 1.9.2)
+policy_module(quota, 1.10.0)
########################################
#
diff --git a/policy/modules/contrib/radius.te b/policy/modules/contrib/radius.te
index 0d3a0c57..1411e381 100644
--- a/policy/modules/contrib/radius.te
+++ b/policy/modules/contrib/radius.te
@@ -1,4 +1,4 @@
-policy_module(radius, 1.15.1)
+policy_module(radius, 1.16.0)
########################################
#
diff --git a/policy/modules/contrib/radvd.te b/policy/modules/contrib/radvd.te
index b9972ee5..e06e52e6 100644
--- a/policy/modules/contrib/radvd.te
+++ b/policy/modules/contrib/radvd.te
@@ -1,4 +1,4 @@
-policy_module(radvd, 1.16.1)
+policy_module(radvd, 1.17.0)
########################################
#
diff --git a/policy/modules/contrib/raid.te b/policy/modules/contrib/raid.te
index 011b2967..4b9a6af1 100644
--- a/policy/modules/contrib/raid.te
+++ b/policy/modules/contrib/raid.te
@@ -1,4 +1,4 @@
-policy_module(raid, 1.17.2)
+policy_module(raid, 1.18.0)
########################################
#
diff --git a/policy/modules/contrib/rdisc.te b/policy/modules/contrib/rdisc.te
index d4b488de..cd8ead33 100644
--- a/policy/modules/contrib/rdisc.te
+++ b/policy/modules/contrib/rdisc.te
@@ -1,4 +1,4 @@
-policy_module(rdisc, 1.8.2)
+policy_module(rdisc, 1.9.0)
########################################
#
diff --git a/policy/modules/contrib/readahead.te b/policy/modules/contrib/readahead.te
index e70c52a6..4b40fe71 100644
--- a/policy/modules/contrib/readahead.te
+++ b/policy/modules/contrib/readahead.te
@@ -1,4 +1,4 @@
-policy_module(readahead, 1.15.2)
+policy_module(readahead, 1.16.0)
########################################
#
diff --git a/policy/modules/contrib/redis.te b/policy/modules/contrib/redis.te
index 362cc355..fda6e5b2 100644
--- a/policy/modules/contrib/redis.te
+++ b/policy/modules/contrib/redis.te
@@ -1,4 +1,4 @@
-policy_module(redis, 1.4.1)
+policy_module(redis, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/remotelogin.te b/policy/modules/contrib/remotelogin.te
index defe4c3a..0d171e23 100644
--- a/policy/modules/contrib/remotelogin.te
+++ b/policy/modules/contrib/remotelogin.te
@@ -1,4 +1,4 @@
-policy_module(remotelogin, 1.8.1)
+policy_module(remotelogin, 1.9.0)
########################################
#
diff --git a/policy/modules/contrib/resmgr.te b/policy/modules/contrib/resmgr.te
index 3fce4733..d3a7890f 100644
--- a/policy/modules/contrib/resmgr.te
+++ b/policy/modules/contrib/resmgr.te
@@ -1,4 +1,4 @@
-policy_module(resmgr, 1.5.2)
+policy_module(resmgr, 1.6.0)
########################################
#
diff --git a/policy/modules/contrib/rgmanager.te b/policy/modules/contrib/rgmanager.te
index e63c628f..2329f8e3 100644
--- a/policy/modules/contrib/rgmanager.te
+++ b/policy/modules/contrib/rgmanager.te
@@ -1,4 +1,4 @@
-policy_module(rgmanager, 1.6.1)
+policy_module(rgmanager, 1.7.0)
########################################
#
diff --git a/policy/modules/contrib/rhcs.te b/policy/modules/contrib/rhcs.te
index 2cf91164..c0a7c3d5 100644
--- a/policy/modules/contrib/rhcs.te
+++ b/policy/modules/contrib/rhcs.te
@@ -1,4 +1,4 @@
-policy_module(rhcs, 1.6.1)
+policy_module(rhcs, 1.7.0)
########################################
#
diff --git a/policy/modules/contrib/ricci.te b/policy/modules/contrib/ricci.te
index f2e9c806..d808ab66 100644
--- a/policy/modules/contrib/ricci.te
+++ b/policy/modules/contrib/ricci.te
@@ -1,4 +1,4 @@
-policy_module(ricci, 1.10.2)
+policy_module(ricci, 1.11.0)
########################################
#
diff --git a/policy/modules/contrib/rlogin.te b/policy/modules/contrib/rlogin.te
index fa544703..0348564d 100644
--- a/policy/modules/contrib/rlogin.te
+++ b/policy/modules/contrib/rlogin.te
@@ -1,4 +1,4 @@
-policy_module(rlogin, 1.12.1)
+policy_module(rlogin, 1.13.0)
########################################
#
diff --git a/policy/modules/contrib/rngd.te b/policy/modules/contrib/rngd.te
index 6f41db77..8cf7921d 100644
--- a/policy/modules/contrib/rngd.te
+++ b/policy/modules/contrib/rngd.te
@@ -1,4 +1,4 @@
-policy_module(rngd, 1.4.1)
+policy_module(rngd, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
index a8a83400..970e5b31 100644
--- a/policy/modules/contrib/rpc.te
+++ b/policy/modules/contrib/rpc.te
@@ -1,4 +1,4 @@
-policy_module(rpc, 1.19.3)
+policy_module(rpc, 1.20.0)
########################################
#
diff --git a/policy/modules/contrib/rpcbind.te b/policy/modules/contrib/rpcbind.te
index 75b5725f..5914af99 100644
--- a/policy/modules/contrib/rpcbind.te
+++ b/policy/modules/contrib/rpcbind.te
@@ -1,4 +1,4 @@
-policy_module(rpcbind, 1.11.3)
+policy_module(rpcbind, 1.12.0)
########################################
#
diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te
index 368a865f..4f7edc84 100644
--- a/policy/modules/contrib/rpm.te
+++ b/policy/modules/contrib/rpm.te
@@ -1,4 +1,4 @@
-policy_module(rpm, 1.19.4)
+policy_module(rpm, 1.20.0)
########################################
#
diff --git a/policy/modules/contrib/rshd.te b/policy/modules/contrib/rshd.te
index 4cff9508..0f4caffc 100644
--- a/policy/modules/contrib/rshd.te
+++ b/policy/modules/contrib/rshd.te
@@ -1,4 +1,4 @@
-policy_module(rshd, 1.9.2)
+policy_module(rshd, 1.10.0)
########################################
#
diff --git a/policy/modules/contrib/rsync.te b/policy/modules/contrib/rsync.te
index 11c7041a..abe4c43f 100644
--- a/policy/modules/contrib/rsync.te
+++ b/policy/modules/contrib/rsync.te
@@ -1,4 +1,4 @@
-policy_module(rsync, 1.15.1)
+policy_module(rsync, 1.16.0)
########################################
#
diff --git a/policy/modules/contrib/rtkit.te b/policy/modules/contrib/rtkit.te
index cfee1a14..94edc206 100644
--- a/policy/modules/contrib/rtkit.te
+++ b/policy/modules/contrib/rtkit.te
@@ -1,4 +1,4 @@
-policy_module(rtkit, 1.5.1)
+policy_module(rtkit, 1.6.0)
########################################
#
diff --git a/policy/modules/contrib/rwho.te b/policy/modules/contrib/rwho.te
index 9b731982..7be17dda 100644
--- a/policy/modules/contrib/rwho.te
+++ b/policy/modules/contrib/rwho.te
@@ -1,4 +1,4 @@
-policy_module(rwho, 1.8.1)
+policy_module(rwho, 1.9.0)
########################################
#
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
index 2bde1870..12e9f567 100644
--- a/policy/modules/contrib/samba.te
+++ b/policy/modules/contrib/samba.te
@@ -1,4 +1,4 @@
-policy_module(samba, 1.20.2)
+policy_module(samba, 1.21.0)
#################################
#
diff --git a/policy/modules/contrib/samhain.te b/policy/modules/contrib/samhain.te
index 20972aa3..aee1fbbe 100644
--- a/policy/modules/contrib/samhain.te
+++ b/policy/modules/contrib/samhain.te
@@ -1,4 +1,4 @@
-policy_module(samhain, 1.4.2)
+policy_module(samhain, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/sanlock.te b/policy/modules/contrib/sanlock.te
index b818f2b6..6fc33eb8 100644
--- a/policy/modules/contrib/sanlock.te
+++ b/policy/modules/contrib/sanlock.te
@@ -1,4 +1,4 @@
-policy_module(sanlock, 1.3.1)
+policy_module(sanlock, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/sasl.te b/policy/modules/contrib/sasl.te
index daf996eb..231d6b2b 100644
--- a/policy/modules/contrib/sasl.te
+++ b/policy/modules/contrib/sasl.te
@@ -1,4 +1,4 @@
-policy_module(sasl, 1.18.1)
+policy_module(sasl, 1.19.0)
########################################
#
diff --git a/policy/modules/contrib/sblim.te b/policy/modules/contrib/sblim.te
index 9a901bd5..d05bc1a6 100644
--- a/policy/modules/contrib/sblim.te
+++ b/policy/modules/contrib/sblim.te
@@ -1,4 +1,4 @@
-policy_module(sblim, 1.3.1)
+policy_module(sblim, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/screen.te b/policy/modules/contrib/screen.te
index c83d82bf..845c61c8 100644
--- a/policy/modules/contrib/screen.te
+++ b/policy/modules/contrib/screen.te
@@ -1,4 +1,4 @@
-policy_module(screen, 2.8.1)
+policy_module(screen, 2.9.0)
########################################
#
diff --git a/policy/modules/contrib/sensord.te b/policy/modules/contrib/sensord.te
index 572bf7cf..e880ae30 100644
--- a/policy/modules/contrib/sensord.te
+++ b/policy/modules/contrib/sensord.te
@@ -1,4 +1,4 @@
-policy_module(sensord, 1.2.1)
+policy_module(sensord, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/setroubleshoot.te b/policy/modules/contrib/setroubleshoot.te
index 2d8adf9e..4888855e 100644
--- a/policy/modules/contrib/setroubleshoot.te
+++ b/policy/modules/contrib/setroubleshoot.te
@@ -1,4 +1,4 @@
-policy_module(setroubleshoot, 1.15.1)
+policy_module(setroubleshoot, 1.16.0)
########################################
#
diff --git a/policy/modules/contrib/shibboleth.te b/policy/modules/contrib/shibboleth.te
index 7ed9e3f9..8b52f701 100644
--- a/policy/modules/contrib/shibboleth.te
+++ b/policy/modules/contrib/shibboleth.te
@@ -1,4 +1,4 @@
-policy_module(shibboleth, 1.2.1)
+policy_module(shibboleth, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/shorewall.te b/policy/modules/contrib/shorewall.te
index a56cab4a..89ed7d03 100644
--- a/policy/modules/contrib/shorewall.te
+++ b/policy/modules/contrib/shorewall.te
@@ -1,4 +1,4 @@
-policy_module(shorewall, 1.6.3)
+policy_module(shorewall, 1.7.0)
########################################
#
diff --git a/policy/modules/contrib/shutdown.te b/policy/modules/contrib/shutdown.te
index 881f6c1f..2168d03f 100644
--- a/policy/modules/contrib/shutdown.te
+++ b/policy/modules/contrib/shutdown.te
@@ -1,4 +1,4 @@
-policy_module(shutdown, 1.4.3)
+policy_module(shutdown, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/slpd.te b/policy/modules/contrib/slpd.te
index 116f3e35..a76acb7f 100644
--- a/policy/modules/contrib/slpd.te
+++ b/policy/modules/contrib/slpd.te
@@ -1,4 +1,4 @@
-policy_module(slpd, 1.3.1)
+policy_module(slpd, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/smartmon.te b/policy/modules/contrib/smartmon.te
index 74925838..f1d7e36d 100644
--- a/policy/modules/contrib/smartmon.te
+++ b/policy/modules/contrib/smartmon.te
@@ -1,4 +1,4 @@
-policy_module(smartmon, 1.14.2)
+policy_module(smartmon, 1.15.0)
########################################
#
diff --git a/policy/modules/contrib/smokeping.te b/policy/modules/contrib/smokeping.te
index ed86ad9a..65a3441d 100644
--- a/policy/modules/contrib/smokeping.te
+++ b/policy/modules/contrib/smokeping.te
@@ -1,4 +1,4 @@
-policy_module(smokeping, 1.4.1)
+policy_module(smokeping, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/smstools.te b/policy/modules/contrib/smstools.te
index e18a79b6..c5ec9f95 100644
--- a/policy/modules/contrib/smstools.te
+++ b/policy/modules/contrib/smstools.te
@@ -1,4 +1,4 @@
-policy_module(smstools, 1.2.1)
+policy_module(smstools, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/snmp.te b/policy/modules/contrib/snmp.te
index 134094e8..af4897d8 100644
--- a/policy/modules/contrib/snmp.te
+++ b/policy/modules/contrib/snmp.te
@@ -1,4 +1,4 @@
-policy_module(snmp, 1.16.1)
+policy_module(snmp, 1.17.0)
########################################
#
diff --git a/policy/modules/contrib/snort.te b/policy/modules/contrib/snort.te
index 6ccb88d2..9eaaa70a 100644
--- a/policy/modules/contrib/snort.te
+++ b/policy/modules/contrib/snort.te
@@ -1,4 +1,4 @@
-policy_module(snort, 1.14.1)
+policy_module(snort, 1.15.0)
########################################
#
diff --git a/policy/modules/contrib/sosreport.te b/policy/modules/contrib/sosreport.te
index 0adbde7e..a2521051 100644
--- a/policy/modules/contrib/sosreport.te
+++ b/policy/modules/contrib/sosreport.te
@@ -1,4 +1,4 @@
-policy_module(sosreport, 1.4.1)
+policy_module(sosreport, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/soundserver.te b/policy/modules/contrib/soundserver.te
index 18386afd..651420ca 100644
--- a/policy/modules/contrib/soundserver.te
+++ b/policy/modules/contrib/soundserver.te
@@ -1,4 +1,4 @@
-policy_module(soundserver, 1.11.1)
+policy_module(soundserver, 1.12.0)
########################################
#
diff --git a/policy/modules/contrib/spamassassin.te b/policy/modules/contrib/spamassassin.te
index 74d30072..f402bc7d 100644
--- a/policy/modules/contrib/spamassassin.te
+++ b/policy/modules/contrib/spamassassin.te
@@ -1,4 +1,4 @@
-policy_module(spamassassin, 2.10.2)
+policy_module(spamassassin, 2.11.0)
########################################
#
diff --git a/policy/modules/contrib/speedtouch.te b/policy/modules/contrib/speedtouch.te
index e91ca9e4..68b45e06 100644
--- a/policy/modules/contrib/speedtouch.te
+++ b/policy/modules/contrib/speedtouch.te
@@ -1,4 +1,4 @@
-policy_module(speedtouch, 1.6.1)
+policy_module(speedtouch, 1.7.0)
#######################################
#
diff --git a/policy/modules/contrib/squid.te b/policy/modules/contrib/squid.te
index 626e10bc..41b0b75b 100644
--- a/policy/modules/contrib/squid.te
+++ b/policy/modules/contrib/squid.te
@@ -1,4 +1,4 @@
-policy_module(squid, 1.15.2)
+policy_module(squid, 1.16.0)
########################################
#
diff --git a/policy/modules/contrib/sssd.te b/policy/modules/contrib/sssd.te
index 2e9b28ac..833944b8 100644
--- a/policy/modules/contrib/sssd.te
+++ b/policy/modules/contrib/sssd.te
@@ -1,4 +1,4 @@
-policy_module(sssd, 1.4.1)
+policy_module(sssd, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/sxid.te b/policy/modules/contrib/sxid.te
index 3c9f9a73..ae7e27b3 100644
--- a/policy/modules/contrib/sxid.te
+++ b/policy/modules/contrib/sxid.te
@@ -1,4 +1,4 @@
-policy_module(sxid, 1.8.1)
+policy_module(sxid, 1.9.0)
########################################
#
diff --git a/policy/modules/contrib/sysstat.te b/policy/modules/contrib/sysstat.te
index deca783e..bfb44a33 100644
--- a/policy/modules/contrib/sysstat.te
+++ b/policy/modules/contrib/sysstat.te
@@ -1,4 +1,4 @@
-policy_module(sysstat, 1.9.1)
+policy_module(sysstat, 1.10.0)
########################################
#
diff --git a/policy/modules/contrib/tboot.te b/policy/modules/contrib/tboot.te
index 02bae3b7..57b55ee9 100644
--- a/policy/modules/contrib/tboot.te
+++ b/policy/modules/contrib/tboot.te
@@ -1,4 +1,4 @@
-policy_module(tboot, 1.0.1)
+policy_module(tboot, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/tcpd.te b/policy/modules/contrib/tcpd.te
index 32485347..aa4585de 100644
--- a/policy/modules/contrib/tcpd.te
+++ b/policy/modules/contrib/tcpd.te
@@ -1,4 +1,4 @@
-policy_module(tcpd, 1.5.1)
+policy_module(tcpd, 1.6.0)
########################################
#
diff --git a/policy/modules/contrib/tcsd.te b/policy/modules/contrib/tcsd.te
index 36434768..6ad0cacb 100644
--- a/policy/modules/contrib/tcsd.te
+++ b/policy/modules/contrib/tcsd.te
@@ -1,4 +1,4 @@
-policy_module(tcsd, 1.3.1)
+policy_module(tcsd, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/telnet.te b/policy/modules/contrib/telnet.te
index f0da2757..76e257b5 100644
--- a/policy/modules/contrib/telnet.te
+++ b/policy/modules/contrib/telnet.te
@@ -1,4 +1,4 @@
-policy_module(telnet, 1.12.1)
+policy_module(telnet, 1.13.0)
########################################
#
diff --git a/policy/modules/contrib/tftp.te b/policy/modules/contrib/tftp.te
index 02dfb404..5c508ab2 100644
--- a/policy/modules/contrib/tftp.te
+++ b/policy/modules/contrib/tftp.te
@@ -1,4 +1,4 @@
-policy_module(tftp, 1.13.1)
+policy_module(tftp, 1.14.0)
########################################
#
diff --git a/policy/modules/contrib/tgtd.te b/policy/modules/contrib/tgtd.te
index d21cf4b4..c0f74009 100644
--- a/policy/modules/contrib/tgtd.te
+++ b/policy/modules/contrib/tgtd.te
@@ -1,4 +1,4 @@
-policy_module(tgtd, 1.6.1)
+policy_module(tgtd, 1.7.0)
########################################
#
diff --git a/policy/modules/contrib/thunderbird.te b/policy/modules/contrib/thunderbird.te
index 9f88912c..eb9ab43e 100644
--- a/policy/modules/contrib/thunderbird.te
+++ b/policy/modules/contrib/thunderbird.te
@@ -1,4 +1,4 @@
-policy_module(thunderbird, 2.5.1)
+policy_module(thunderbird, 2.6.0)
########################################
#
diff --git a/policy/modules/contrib/tmpreaper.te b/policy/modules/contrib/tmpreaper.te
index f6fad636..f4ce8dba 100644
--- a/policy/modules/contrib/tmpreaper.te
+++ b/policy/modules/contrib/tmpreaper.te
@@ -1,4 +1,4 @@
-policy_module(tmpreaper, 1.8.1)
+policy_module(tmpreaper, 1.9.0)
########################################
#
diff --git a/policy/modules/contrib/tor.te b/policy/modules/contrib/tor.te
index 3b48ba5e..51de8fd1 100644
--- a/policy/modules/contrib/tor.te
+++ b/policy/modules/contrib/tor.te
@@ -1,4 +1,4 @@
-policy_module(tor, 1.13.2)
+policy_module(tor, 1.14.0)
########################################
#
diff --git a/policy/modules/contrib/transproxy.te b/policy/modules/contrib/transproxy.te
index 2e7c2f7e..f267800c 100644
--- a/policy/modules/contrib/transproxy.te
+++ b/policy/modules/contrib/transproxy.te
@@ -1,4 +1,4 @@
-policy_module(transproxy, 1.10.1)
+policy_module(transproxy, 1.11.0)
########################################
#
diff --git a/policy/modules/contrib/tripwire.te b/policy/modules/contrib/tripwire.te
index 0a098f30..ea532de5 100644
--- a/policy/modules/contrib/tripwire.te
+++ b/policy/modules/contrib/tripwire.te
@@ -1,4 +1,4 @@
-policy_module(tripwire, 1.3.1)
+policy_module(tripwire, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/tuned.te b/policy/modules/contrib/tuned.te
index 5aef872b..f853dff3 100644
--- a/policy/modules/contrib/tuned.te
+++ b/policy/modules/contrib/tuned.te
@@ -1,4 +1,4 @@
-policy_module(tuned, 1.4.1)
+policy_module(tuned, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/tzdata.te b/policy/modules/contrib/tzdata.te
index 55656375..cbfb2299 100644
--- a/policy/modules/contrib/tzdata.te
+++ b/policy/modules/contrib/tzdata.te
@@ -1,4 +1,4 @@
-policy_module(tzdata, 1.5.1)
+policy_module(tzdata, 1.6.0)
########################################
#
diff --git a/policy/modules/contrib/ulogd.te b/policy/modules/contrib/ulogd.te
index d2ac9c3c..ef4c5fa4 100644
--- a/policy/modules/contrib/ulogd.te
+++ b/policy/modules/contrib/ulogd.te
@@ -1,4 +1,4 @@
-policy_module(ulogd, 1.4.1)
+policy_module(ulogd, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/updfstab.te b/policy/modules/contrib/updfstab.te
index 735a3cc2..e63ef612 100644
--- a/policy/modules/contrib/updfstab.te
+++ b/policy/modules/contrib/updfstab.te
@@ -1,4 +1,4 @@
-policy_module(updfstab, 1.6.2)
+policy_module(updfstab, 1.7.0)
########################################
#
diff --git a/policy/modules/contrib/uptime.te b/policy/modules/contrib/uptime.te
index 8130870c..c131e543 100644
--- a/policy/modules/contrib/uptime.te
+++ b/policy/modules/contrib/uptime.te
@@ -1,4 +1,4 @@
-policy_module(uptime, 1.8.1)
+policy_module(uptime, 1.9.0)
########################################
#
diff --git a/policy/modules/contrib/usbmodules.te b/policy/modules/contrib/usbmodules.te
index 84312dd4..dd6bfe57 100644
--- a/policy/modules/contrib/usbmodules.te
+++ b/policy/modules/contrib/usbmodules.te
@@ -1,4 +1,4 @@
-policy_module(usbmodules, 1.3.2)
+policy_module(usbmodules, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/usbmuxd.te b/policy/modules/contrib/usbmuxd.te
index 77f7a7e6..32036a2e 100644
--- a/policy/modules/contrib/usbmuxd.te
+++ b/policy/modules/contrib/usbmuxd.te
@@ -1,4 +1,4 @@
-policy_module(usbmuxd, 1.3.1)
+policy_module(usbmuxd, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/userhelper.te b/policy/modules/contrib/userhelper.te
index d620c666..35fbda6f 100644
--- a/policy/modules/contrib/userhelper.te
+++ b/policy/modules/contrib/userhelper.te
@@ -1,4 +1,4 @@
-policy_module(userhelper, 1.10.1)
+policy_module(userhelper, 1.11.0)
########################################
#
diff --git a/policy/modules/contrib/usernetctl.te b/policy/modules/contrib/usernetctl.te
index 3a4d5caa..97ebe828 100644
--- a/policy/modules/contrib/usernetctl.te
+++ b/policy/modules/contrib/usernetctl.te
@@ -1,4 +1,4 @@
-policy_module(usernetctl, 1.7.2)
+policy_module(usernetctl, 1.8.0)
########################################
#
diff --git a/policy/modules/contrib/uucp.te b/policy/modules/contrib/uucp.te
index 7547ba14..c18f3557 100644
--- a/policy/modules/contrib/uucp.te
+++ b/policy/modules/contrib/uucp.te
@@ -1,4 +1,4 @@
-policy_module(uucp, 1.14.1)
+policy_module(uucp, 1.15.0)
########################################
#
diff --git a/policy/modules/contrib/uuidd.te b/policy/modules/contrib/uuidd.te
index fc83244f..8c0defb3 100644
--- a/policy/modules/contrib/uuidd.te
+++ b/policy/modules/contrib/uuidd.te
@@ -1,4 +1,4 @@
-policy_module(uuidd, 1.3.1)
+policy_module(uuidd, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/varnishd.te b/policy/modules/contrib/varnishd.te
index bc464524..665e31c8 100644
--- a/policy/modules/contrib/varnishd.te
+++ b/policy/modules/contrib/varnishd.te
@@ -1,4 +1,4 @@
-policy_module(varnishd, 1.5.1)
+policy_module(varnishd, 1.6.0)
########################################
#
diff --git a/policy/modules/contrib/vbetool.te b/policy/modules/contrib/vbetool.te
index ed76f796..b3757d02 100644
--- a/policy/modules/contrib/vbetool.te
+++ b/policy/modules/contrib/vbetool.te
@@ -1,4 +1,4 @@
-policy_module(vbetool, 1.7.1)
+policy_module(vbetool, 1.8.0)
########################################
#
diff --git a/policy/modules/contrib/vdagent.te b/policy/modules/contrib/vdagent.te
index dca28b43..1c7919c3 100644
--- a/policy/modules/contrib/vdagent.te
+++ b/policy/modules/contrib/vdagent.te
@@ -1,4 +1,4 @@
-policy_module(vdagent, 1.4.1)
+policy_module(vdagent, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/vhostmd.te b/policy/modules/contrib/vhostmd.te
index 8720c22f..685e7b8b 100644
--- a/policy/modules/contrib/vhostmd.te
+++ b/policy/modules/contrib/vhostmd.te
@@ -1,4 +1,4 @@
-policy_module(vhostmd, 1.3.1)
+policy_module(vhostmd, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 4fb34894..fce37958 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1,4 +1,4 @@
-policy_module(virt, 1.11.1)
+policy_module(virt, 1.12.0)
########################################
#
diff --git a/policy/modules/contrib/vlock.te b/policy/modules/contrib/vlock.te
index 4e49bd9c..f025f7c1 100644
--- a/policy/modules/contrib/vlock.te
+++ b/policy/modules/contrib/vlock.te
@@ -1,4 +1,4 @@
-policy_module(vlock, 1.2.2)
+policy_module(vlock, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/vmware.te b/policy/modules/contrib/vmware.te
index 2332cc12..6d2e10d6 100644
--- a/policy/modules/contrib/vmware.te
+++ b/policy/modules/contrib/vmware.te
@@ -1,4 +1,4 @@
-policy_module(vmware, 2.8.2)
+policy_module(vmware, 2.9.0)
########################################
#
diff --git a/policy/modules/contrib/vnstatd.te b/policy/modules/contrib/vnstatd.te
index 1170dc37..3aa1fee2 100644
--- a/policy/modules/contrib/vnstatd.te
+++ b/policy/modules/contrib/vnstatd.te
@@ -1,4 +1,4 @@
-policy_module(vnstatd, 1.3.3)
+policy_module(vnstatd, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/vpn.te b/policy/modules/contrib/vpn.te
index a6769a65..65de9063 100644
--- a/policy/modules/contrib/vpn.te
+++ b/policy/modules/contrib/vpn.te
@@ -1,4 +1,4 @@
-policy_module(vpn, 1.17.2)
+policy_module(vpn, 1.18.0)
########################################
#
diff --git a/policy/modules/contrib/watchdog.te b/policy/modules/contrib/watchdog.te
index c58a46bc..d1e4ea8c 100644
--- a/policy/modules/contrib/watchdog.te
+++ b/policy/modules/contrib/watchdog.te
@@ -1,4 +1,4 @@
-policy_module(watchdog, 1.12.1)
+policy_module(watchdog, 1.13.0)
#################################
#
diff --git a/policy/modules/contrib/wdmd.te b/policy/modules/contrib/wdmd.te
index 03351241..b1a6a482 100644
--- a/policy/modules/contrib/wdmd.te
+++ b/policy/modules/contrib/wdmd.te
@@ -1,4 +1,4 @@
-policy_module(wdmd, 1.3.1)
+policy_module(wdmd, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/webalizer.te b/policy/modules/contrib/webalizer.te
index 9ea1bdad..faea9beb 100644
--- a/policy/modules/contrib/webalizer.te
+++ b/policy/modules/contrib/webalizer.te
@@ -1,4 +1,4 @@
-policy_module(webalizer, 1.14.1)
+policy_module(webalizer, 1.15.0)
########################################
#
diff --git a/policy/modules/contrib/wm.te b/policy/modules/contrib/wm.te
index 2bc2c8d9..65b57a4a 100644
--- a/policy/modules/contrib/wm.te
+++ b/policy/modules/contrib/wm.te
@@ -1,4 +1,4 @@
-policy_module(wm, 1.6.1)
+policy_module(wm, 1.7.0)
########################################
#
diff --git a/policy/modules/contrib/xen.te b/policy/modules/contrib/xen.te
index 5886a0c2..04dd1ea7 100644
--- a/policy/modules/contrib/xen.te
+++ b/policy/modules/contrib/xen.te
@@ -1,4 +1,4 @@
-policy_module(xen, 1.15.2)
+policy_module(xen, 1.16.0)
########################################
#
diff --git a/policy/modules/contrib/xfs.te b/policy/modules/contrib/xfs.te
index 839f15cf..1469f2fd 100644
--- a/policy/modules/contrib/xfs.te
+++ b/policy/modules/contrib/xfs.te
@@ -1,4 +1,4 @@
-policy_module(xfs, 1.9.1)
+policy_module(xfs, 1.10.0)
########################################
#
diff --git a/policy/modules/contrib/zabbix.te b/policy/modules/contrib/zabbix.te
index 5d57a2af..68b8d99c 100644
--- a/policy/modules/contrib/zabbix.te
+++ b/policy/modules/contrib/zabbix.te
@@ -1,4 +1,4 @@
-policy_module(zabbix, 1.10.2)
+policy_module(zabbix, 1.11.0)
########################################
#
diff --git a/policy/modules/contrib/zebra.te b/policy/modules/contrib/zebra.te
index 25e66cae..19bc9943 100644
--- a/policy/modules/contrib/zebra.te
+++ b/policy/modules/contrib/zebra.te
@@ -1,4 +1,4 @@
-policy_module(zebra, 1.15.1)
+policy_module(zebra, 1.16.0)
########################################
#
diff --git a/policy/modules/contrib/zosremote.te b/policy/modules/contrib/zosremote.te
index 67ea8925..b4e61106 100644
--- a/policy/modules/contrib/zosremote.te
+++ b/policy/modules/contrib/zosremote.te
@@ -1,4 +1,4 @@
-policy_module(zosremote, 1.2.2)
+policy_module(zosremote, 1.3.0)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-06-13 8:25 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-06-13 8:25 UTC (permalink / raw
To: gentoo-commits
commit: 6e7d828a4d2748dafa6e56bfe59894e2a579c52a
Author: cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Thu Jun 8 17:16:24 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Jun 13 08:03:23 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6e7d828a
arpwatch: align file contexts
policy/modules/contrib/arpwatch.fc | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/policy/modules/contrib/arpwatch.fc b/policy/modules/contrib/arpwatch.fc
index b439c10c..304f4622 100644
--- a/policy/modules/contrib/arpwatch.fc
+++ b/policy/modules/contrib/arpwatch.fc
@@ -1,13 +1,13 @@
-/etc/rc\.d/init\.d/arpwatch -- gen_context(system_u:object_r:arpwatch_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/arpwatch -- gen_context(system_u:object_r:arpwatch_initrc_exec_t,s0)
-/usr/lib/systemd/system/arpwatch.*\.service -- gen_context(system_u:object_r:arpwatch_unit_t,s0)
+/usr/lib/systemd/system/arpwatch.*\.service -- gen_context(system_u:object_r:arpwatch_unit_t,s0)
-/usr/bin/arpwatch -- gen_context(system_u:object_r:arpwatch_exec_t,s0)
+/usr/bin/arpwatch -- gen_context(system_u:object_r:arpwatch_exec_t,s0)
-/usr/sbin/arpwatch -- gen_context(system_u:object_r:arpwatch_exec_t,s0)
+/usr/sbin/arpwatch -- gen_context(system_u:object_r:arpwatch_exec_t,s0)
-/var/arpwatch(/.*)? gen_context(system_u:object_r:arpwatch_data_t,s0)
+/var/arpwatch(/.*)? gen_context(system_u:object_r:arpwatch_data_t,s0)
-/var/lib/arpwatch(/.*)? gen_context(system_u:object_r:arpwatch_data_t,s0)
+/var/lib/arpwatch(/.*)? gen_context(system_u:object_r:arpwatch_data_t,s0)
-/run/arpwatch.*\.pid -- gen_context(system_u:object_r:arpwatch_var_run_t,s0)
+/run/arpwatch.*\.pid -- gen_context(system_u:object_r:arpwatch_var_run_t,s0)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-06-13 8:25 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-06-13 8:25 UTC (permalink / raw
To: gentoo-commits
commit: 083c41d2616bd88fa7014fe87e863570b7ccb439
Author: cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Fri Jun 9 13:39:07 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Jun 13 08:03:23 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=083c41d2
chkrootkit: add policy module
v2:
- remove bin_t fc
policy/modules/contrib/chkrootkit.fc | 5 +++
policy/modules/contrib/chkrootkit.if | 46 +++++++++++++++++++++++
policy/modules/contrib/chkrootkit.te | 73 ++++++++++++++++++++++++++++++++++++
policy/modules/contrib/cron.if | 20 ++++++++++
4 files changed, 144 insertions(+)
diff --git a/policy/modules/contrib/chkrootkit.fc b/policy/modules/contrib/chkrootkit.fc
new file mode 100644
index 00000000..fa780c34
--- /dev/null
+++ b/policy/modules/contrib/chkrootkit.fc
@@ -0,0 +1,5 @@
+/usr/bin/chkrootkit -- gen_context(system_u:object_r:chkrootkit_exec_t,s0)
+
+/usr/sbin/chkrootkit -- gen_context(system_u:object_r:chkrootkit_exec_t,s0)
+
+/var/log/chkrootkit(/.*)? gen_context(system_u:object_r:chkrootkit_log_t,s0)
diff --git a/policy/modules/contrib/chkrootkit.if b/policy/modules/contrib/chkrootkit.if
new file mode 100644
index 00000000..12589bd9
--- /dev/null
+++ b/policy/modules/contrib/chkrootkit.if
@@ -0,0 +1,46 @@
+## <summary>chkrootkit - rootkit checker.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run chkrootkit.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`chkrootkit_domtrans',`
+ gen_require(`
+ type chkrootkit_t, chkrootkit_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, chkrootkit_exec_t, chkrootkit_t)
+')
+
+########################################
+## <summary>
+## Execute chkrootkit in the chkrootkit domain,
+## and allow the specified role
+## the chkrootkit domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`chkrootkit_run',`
+ gen_require(`
+ attribute_role chkrootkit_roles;
+ ')
+
+ chkrootkit_domtrans($1)
+ roleattribute $2 chkrootkit_roles;
+')
diff --git a/policy/modules/contrib/chkrootkit.te b/policy/modules/contrib/chkrootkit.te
new file mode 100644
index 00000000..4bfbb787
--- /dev/null
+++ b/policy/modules/contrib/chkrootkit.te
@@ -0,0 +1,73 @@
+policy_module(chkrootkit, 0.0.1)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role chkrootkit_roles;
+
+type chkrootkit_t;
+type chkrootkit_exec_t;
+application_domain(chkrootkit_t, chkrootkit_exec_t)
+role chkrootkit_roles types chkrootkit_t;
+
+type chkrootkit_log_t;
+logging_log_file(chkrootkit_log_t)
+
+########################################
+#
+# Application local policy
+#
+
+allow chkrootkit_t self:capability { dac_override dac_read_search setuid sys_ptrace };
+allow chkrootkit_t self:fifo_file rw_fifo_file_perms;
+allow chkrootkit_t self:udp_socket { create ioctl };
+
+kernel_read_all_sysctls(chkrootkit_t)
+kernel_getattr_proc(chkrootkit_t)
+kernel_read_network_state(chkrootkit_t)
+kernel_getattr_message_if(chkrootkit_t)
+
+corecmd_exec_bin(chkrootkit_t)
+corecmd_exec_shell(chkrootkit_t)
+
+dev_read_rand(chkrootkit_t)
+dev_read_urand(chkrootkit_t)
+dev_getattr_all_chr_files(chkrootkit_t)
+
+domain_read_all_domains_state(chkrootkit_t)
+domain_use_interactive_fds(chkrootkit_t)
+domain_getattr_all_sockets(chkrootkit_t)
+domain_getattr_all_pipes(chkrootkit_t)
+
+files_read_non_auth_files(chkrootkit_t)
+files_read_all_symlinks(chkrootkit_t)
+files_read_all_chr_files(chkrootkit_t)
+files_getattr_all_pipes(chkrootkit_t)
+
+init_signal(chkrootkit_t)
+
+logging_send_syslog_msg(chkrootkit_t)
+
+miscfiles_read_localization(chkrootkit_t)
+
+term_getattr_unallocated_ttys(chkrootkit_t)
+
+userdom_use_inherited_user_terminals(chkrootkit_t)
+
+usermanage_check_exec_passwd(chkrootkit_t)
+
+ifdef(`init_systemd',`
+ # start as systemd timer
+ init_system_domain(chkrootkit_t, chkrootkit_exec_t)
+')
+
+optional_policy(`
+ cron_system_entry(chkrootkit_t, chkrootkit_exec_t)
+ cron_exec_crontab(chkrootkit_t)
+')
+
+optional_policy(`
+ ssh_exec(chkrootkit_t)
+')
diff --git a/policy/modules/contrib/cron.if b/policy/modules/contrib/cron.if
index d5aff32a..7bb5d6e6 100644
--- a/policy/modules/contrib/cron.if
+++ b/policy/modules/contrib/cron.if
@@ -893,6 +893,26 @@ interface(`cron_dontaudit_write_system_job_tmp_files',`
########################################
## <summary>
+## Execute crontab in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`cron_exec_crontab',`
+ gen_require(`
+ type crontab_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, crontab_exec_t)
+')
+
+########################################
+## <summary>
## All of the rules required to
## administrate a cron environment.
## </summary>
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-06-13 8:25 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-06-13 8:25 UTC (permalink / raw
To: gentoo-commits
commit: d14a17d668122568037f0f2600b915c43403e7fc
Author: cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Fri Jun 9 13:41:00 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Jun 13 08:03:23 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d14a17d6
arpwatch: update
v2:
- do not deprecate arpwatch_initrc_domtrans
policy/modules/contrib/arpwatch.fc | 4 ++--
policy/modules/contrib/arpwatch.if | 15 +++++++--------
policy/modules/contrib/arpwatch.te | 17 ++++++++++-------
3 files changed, 19 insertions(+), 17 deletions(-)
diff --git a/policy/modules/contrib/arpwatch.fc b/policy/modules/contrib/arpwatch.fc
index 304f4622..9b0eadc8 100644
--- a/policy/modules/contrib/arpwatch.fc
+++ b/policy/modules/contrib/arpwatch.fc
@@ -1,6 +1,6 @@
/etc/rc\.d/init\.d/arpwatch -- gen_context(system_u:object_r:arpwatch_initrc_exec_t,s0)
-/usr/lib/systemd/system/arpwatch.*\.service -- gen_context(system_u:object_r:arpwatch_unit_t,s0)
+/usr/lib/systemd/system/arpwatch[^/]*\.service -- gen_context(system_u:object_r:arpwatch_unit_t,s0)
/usr/bin/arpwatch -- gen_context(system_u:object_r:arpwatch_exec_t,s0)
@@ -10,4 +10,4 @@
/var/lib/arpwatch(/.*)? gen_context(system_u:object_r:arpwatch_data_t,s0)
-/run/arpwatch.*\.pid -- gen_context(system_u:object_r:arpwatch_var_run_t,s0)
+/run/arpwatch.*\.pid -- gen_context(system_u:object_r:arpwatch_pid_t,s0)
diff --git a/policy/modules/contrib/arpwatch.if b/policy/modules/contrib/arpwatch.if
index 76389b79..63e1b571 100644
--- a/policy/modules/contrib/arpwatch.if
+++ b/policy/modules/contrib/arpwatch.if
@@ -137,20 +137,19 @@ interface(`arpwatch_dontaudit_rw_packet_sockets',`
interface(`arpwatch_admin',`
gen_require(`
type arpwatch_t, arpwatch_tmp_t, arpwatch_initrc_exec_t;
- type arpwatch_data_t, arpwatch_var_run_t;
+ type arpwatch_data_t, arpwatch_pid_t, arpwatch_unit_t;
')
- allow $1 arpwatch_t:process { ptrace signal_perms };
- ps_process_pattern($1, arpwatch_t)
+ admin_process_pattern($1, arpwatch_t)
- init_startstop_service($1, $2, arpwatch_t, arpwatch_initrc_exec_t)
+ init_startstop_service($1, $2, arpwatch_t, arpwatch_initrc_exec_t, arpwatch_unit_t)
- files_list_tmp($1)
+ files_search_tmp($1)
admin_pattern($1, arpwatch_tmp_t)
- files_list_var($1)
+ files_search_var_lib($1)
admin_pattern($1, arpwatch_data_t)
- files_list_pids($1)
- admin_pattern($1, arpwatch_var_run_t)
+ files_search_pids($1)
+ admin_pattern($1, arpwatch_pid_t)
')
diff --git a/policy/modules/contrib/arpwatch.te b/policy/modules/contrib/arpwatch.te
index 935e8614..7bc0d9ce 100644
--- a/policy/modules/contrib/arpwatch.te
+++ b/policy/modules/contrib/arpwatch.te
@@ -21,21 +21,21 @@ files_tmp_file(arpwatch_tmp_t)
type arpwatch_unit_t;
init_unit_file(arpwatch_unit_t)
-type arpwatch_var_run_t;
-files_pid_file(arpwatch_var_run_t)
+type arpwatch_pid_t alias arpwatch_var_run_t;
+files_pid_file(arpwatch_pid_t)
########################################
#
# Local policy
#
-allow arpwatch_t self:capability { net_admin net_raw setgid setuid };
-dontaudit arpwatch_t self:capability sys_tty_config;
+allow arpwatch_t self:capability { dac_override net_admin net_raw setgid setuid };
allow arpwatch_t self:process signal_perms;
allow arpwatch_t self:unix_stream_socket { accept listen };
allow arpwatch_t self:tcp_socket { accept listen };
allow arpwatch_t self:packet_socket create_socket_perms;
-allow arpwatch_t self:socket create_socket_perms;
+allow arpwatch_t self:socket { create ioctl };
+allow arpwatch_t self:netlink_netfilter_socket { create read write };
manage_dirs_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
manage_files_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
@@ -45,14 +45,17 @@ manage_dirs_pattern(arpwatch_t, arpwatch_tmp_t, arpwatch_tmp_t)
manage_files_pattern(arpwatch_t, arpwatch_tmp_t, arpwatch_tmp_t)
files_tmp_filetrans(arpwatch_t, arpwatch_tmp_t, { file dir })
-manage_files_pattern(arpwatch_t, arpwatch_var_run_t, arpwatch_var_run_t)
-files_pid_filetrans(arpwatch_t, arpwatch_var_run_t, file)
+manage_files_pattern(arpwatch_t, arpwatch_pid_t, arpwatch_pid_t)
+files_pid_filetrans(arpwatch_t, arpwatch_pid_t, file)
kernel_read_kernel_sysctls(arpwatch_t)
kernel_read_network_state(arpwatch_t)
kernel_read_system_state(arpwatch_t)
kernel_request_load_module(arpwatch_t)
+# /sys/kernel/debug/usb/usbmon/\d+t
+kernel_dontaudit_search_debugfs(arpwatch_t)
+# /sys/class/net
dev_read_sysfs(arpwatch_t)
dev_read_usbmon_dev(arpwatch_t)
dev_rw_generic_usb_dev(arpwatch_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-06-13 8:25 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-06-13 8:25 UTC (permalink / raw
To: gentoo-commits
commit: 0e8ae23b050eca650f8d5bbe4ecc86e715a46944
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Mon Jun 12 22:35:26 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Jun 13 08:03:23 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0e8ae23b
chkrootkit: Fix module version.
policy/modules/contrib/chkrootkit.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/chkrootkit.te b/policy/modules/contrib/chkrootkit.te
index 4bfbb787..f62eb493 100644
--- a/policy/modules/contrib/chkrootkit.te
+++ b/policy/modules/contrib/chkrootkit.te
@@ -1,4 +1,4 @@
-policy_module(chkrootkit, 0.0.1)
+policy_module(chkrootkit, 1.0.0)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-06-13 8:25 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-06-13 8:25 UTC (permalink / raw
To: gentoo-commits
commit: 20a102d7dc14b1ad8f84d886fc6cbcb6b1c64a3c
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Thu Jun 8 22:52:54 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Jun 13 08:03:23 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=20a102d7
Module version bump for patches from cgzones.
policy/modules/contrib/apt.te | 2 +-
policy/modules/contrib/arpwatch.te | 2 +-
policy/modules/contrib/cron.te | 2 +-
policy/modules/contrib/exim.te | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/policy/modules/contrib/apt.te b/policy/modules/contrib/apt.te
index d6d18a56..154944d2 100644
--- a/policy/modules/contrib/apt.te
+++ b/policy/modules/contrib/apt.te
@@ -1,4 +1,4 @@
-policy_module(apt, 1.10.3)
+policy_module(apt, 1.10.4)
########################################
#
diff --git a/policy/modules/contrib/arpwatch.te b/policy/modules/contrib/arpwatch.te
index 441c0f3c..935e8614 100644
--- a/policy/modules/contrib/arpwatch.te
+++ b/policy/modules/contrib/arpwatch.te
@@ -1,4 +1,4 @@
-policy_module(arpwatch, 1.14.1)
+policy_module(arpwatch, 1.14.2)
########################################
#
diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te
index 49e58a0b..4f41fd5e 100644
--- a/policy/modules/contrib/cron.te
+++ b/policy/modules/contrib/cron.te
@@ -1,4 +1,4 @@
-policy_module(cron, 2.11.5)
+policy_module(cron, 2.11.6)
gen_require(`
class passwd rootok;
diff --git a/policy/modules/contrib/exim.te b/policy/modules/contrib/exim.te
index 389aa302..57032186 100644
--- a/policy/modules/contrib/exim.te
+++ b/policy/modules/contrib/exim.te
@@ -1,4 +1,4 @@
-policy_module(exim, 1.10.1)
+policy_module(exim, 1.10.2)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-06-13 8:25 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-06-13 8:25 UTC (permalink / raw
To: gentoo-commits
commit: a7358e326d09145a6fcc18532bc35bf6efecff1e
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Mon Jun 12 22:48:35 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Jun 13 08:03:23 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a7358e32
Module version bump for patches from cgzones.
policy/modules/contrib/arpwatch.te | 2 +-
policy/modules/contrib/cron.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/arpwatch.te b/policy/modules/contrib/arpwatch.te
index 7bc0d9ce..36fc3b86 100644
--- a/policy/modules/contrib/arpwatch.te
+++ b/policy/modules/contrib/arpwatch.te
@@ -1,4 +1,4 @@
-policy_module(arpwatch, 1.14.2)
+policy_module(arpwatch, 1.14.3)
########################################
#
diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te
index 4f41fd5e..b6e2fe17 100644
--- a/policy/modules/contrib/cron.te
+++ b/policy/modules/contrib/cron.te
@@ -1,4 +1,4 @@
-policy_module(cron, 2.11.6)
+policy_module(cron, 2.11.7)
gen_require(`
class passwd rootok;
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-06-13 8:25 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-06-13 8:25 UTC (permalink / raw
To: gentoo-commits
commit: ff01f4a1c8a703bd6fee22d8071a348ad4dda49e
Author: cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Thu Jun 8 14:15:32 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Jun 13 08:03:23 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ff01f4a1
rkhunter: add policy module
policy/modules/contrib/apt.te | 5 ++
policy/modules/contrib/cron.if | 18 ++++++
policy/modules/contrib/exim.if | 19 ++++++
policy/modules/contrib/rkhunter.fc | 5 ++
policy/modules/contrib/rkhunter.if | 46 ++++++++++++++
policy/modules/contrib/rkhunter.te | 126 +++++++++++++++++++++++++++++++++++++
6 files changed, 219 insertions(+)
diff --git a/policy/modules/contrib/apt.te b/policy/modules/contrib/apt.te
index 63b93257..d6d18a56 100644
--- a/policy/modules/contrib/apt.te
+++ b/policy/modules/contrib/apt.te
@@ -148,6 +148,11 @@ optional_policy(`
')
optional_policy(`
+ # rkhunter trigger
+ rkhunter_domtrans(apt_t)
+')
+
+optional_policy(`
rpm_read_db(apt_t)
rpm_domtrans(apt_t)
')
diff --git a/policy/modules/contrib/cron.if b/policy/modules/contrib/cron.if
index 5739d4f0..d5aff32a 100644
--- a/policy/modules/contrib/cron.if
+++ b/policy/modules/contrib/cron.if
@@ -856,6 +856,24 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
########################################
## <summary>
+## Read and write to inherited system cron job temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_rw_inherited_system_job_tmp_files',`
+ gen_require(`
+ type system_cronjob_tmp_t;
+ ')
+
+ allow $1 system_cronjob_tmp_t:file rw_inherited_file_perms;
+')
+
+########################################
+## <summary>
## Do not audit attempts to write temporary
## system cron job files.
## </summary>
diff --git a/policy/modules/contrib/exim.if b/policy/modules/contrib/exim.if
index c75f5fa0..495adb85 100644
--- a/policy/modules/contrib/exim.if
+++ b/policy/modules/contrib/exim.if
@@ -2,6 +2,25 @@
########################################
## <summary>
+## Execute exim in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`exim_exec',`
+ gen_require(`
+ type exim_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, exim_exec_t)
+')
+
+########################################
+## <summary>
## Execute a domain transition to run exim.
## </summary>
## <param name="domain">
diff --git a/policy/modules/contrib/rkhunter.fc b/policy/modules/contrib/rkhunter.fc
new file mode 100644
index 00000000..d3c949c8
--- /dev/null
+++ b/policy/modules/contrib/rkhunter.fc
@@ -0,0 +1,5 @@
+/usr/bin/rkhunter -- gen_context(system_u:object_r:rkhunter_exec_t,s0)
+
+/var/lib/rkhunter(/.*)? gen_context(system_u:object_r:rkhunter_var_lib_t,s0)
+
+/var/log/rkhunter\.log.* -- gen_context(system_u:object_r:rkhunter_log_t,s0)
diff --git a/policy/modules/contrib/rkhunter.if b/policy/modules/contrib/rkhunter.if
new file mode 100644
index 00000000..9537e1f5
--- /dev/null
+++ b/policy/modules/contrib/rkhunter.if
@@ -0,0 +1,46 @@
+## <summary>rkhunter - rootkit checker.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run rkhunter.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rkhunter_domtrans',`
+ gen_require(`
+ type rkhunter_t, rkhunter_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, rkhunter_exec_t, rkhunter_t)
+')
+
+########################################
+## <summary>
+## Execute rkhunter in the rkhunter domain,
+## and allow the specified role
+## the rkhunter domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`rkhunter_run',`
+ gen_require(`
+ attribute_role rkhunter_roles;
+ ')
+
+ rkhunter_domtrans($1)
+ roleattribute $2 rkhunter_roles;
+')
diff --git a/policy/modules/contrib/rkhunter.te b/policy/modules/contrib/rkhunter.te
new file mode 100644
index 00000000..a57c826b
--- /dev/null
+++ b/policy/modules/contrib/rkhunter.te
@@ -0,0 +1,126 @@
+policy_module(rkhunter, 0.0.1)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether rkhunter can connect
+## to http ports. This is required by the
+## --update option.
+## </p>
+## </desc>
+gen_tunable(rkhunter_connect_http, false)
+
+attribute_role rkhunter_roles;
+
+type rkhunter_t;
+type rkhunter_exec_t;
+application_domain(rkhunter_t, rkhunter_exec_t)
+role rkhunter_roles types rkhunter_t;
+
+type rkhunter_var_lib_t;
+files_type(rkhunter_var_lib_t)
+
+type rkhunter_log_t;
+logging_log_file(rkhunter_log_t)
+
+type rkhunter_tmpfs_t;
+files_tmpfs_file(rkhunter_tmpfs_t)
+
+########################################
+#
+# Application local policy
+#
+
+allow rkhunter_t self:capability { dac_override dac_read_search net_admin setgid setuid sys_nice sys_ptrace };
+allow rkhunter_t self:process { getsched setsched signal };
+allow rkhunter_t self:netlink_route_socket r_netlink_socket_perms;
+allow rkhunter_t self:tcp_socket { bind connect create listen read write };
+allow rkhunter_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+allow rkhunter_t self:udp_socket { bind connect create ioctl read write };
+allow rkhunter_t self:fifo_file rw_fifo_file_perms;
+
+allow rkhunter_t rkhunter_log_t:file { append_file_perms create_file_perms setattr };
+logging_log_filetrans(rkhunter_t, rkhunter_log_t, file)
+
+allow rkhunter_t rkhunter_tmpfs_t:file manage_file_perms;
+fs_tmpfs_filetrans(rkhunter_t, rkhunter_tmpfs_t, file)
+
+allow rkhunter_t rkhunter_var_lib_t:dir manage_dir_perms;
+allow rkhunter_t rkhunter_var_lib_t:file manage_file_perms;
+
+kernel_request_load_module(rkhunter_t)
+kernel_read_all_sysctls(rkhunter_t)
+kernel_read_network_state(rkhunter_t)
+kernel_getattr_message_if(rkhunter_t)
+kernel_get_sysvipc_info(rkhunter_t)
+
+auth_dontaudit_read_shadow(rkhunter_t)
+
+corecmd_exec_bin(rkhunter_t)
+corecmd_exec_shell(rkhunter_t)
+
+corenet_tcp_bind_all_ports(rkhunter_t)
+corenet_udp_bind_all_ports(rkhunter_t)
+corenet_tcp_bind_generic_node(rkhunter_t)
+corenet_udp_bind_generic_node(rkhunter_t)
+
+dev_read_urand(rkhunter_t)
+dev_getattr_all_chr_files(rkhunter_t)
+dev_getattr_all_blk_files(rkhunter_t)
+
+domain_read_all_domains_state(rkhunter_t)
+domain_use_interactive_fds(rkhunter_t)
+domain_getattr_all_sockets(rkhunter_t)
+domain_getattr_all_pipes(rkhunter_t)
+
+hostname_exec(rkhunter_t)
+
+files_read_non_auth_files(rkhunter_t)
+files_read_all_symlinks(rkhunter_t)
+files_read_all_chr_files(rkhunter_t)
+files_getattr_all_pipes(rkhunter_t)
+files_getattr_all_sockets(rkhunter_t)
+
+fs_getattr_tracefs(rkhunter_t)
+fs_getattr_tracefs_dirs(rkhunter_t)
+
+modutils_exec(rkhunter_t)
+
+logging_send_syslog_msg(rkhunter_t)
+
+sysnet_exec_ifconfig(rkhunter_t)
+
+userdom_use_inherited_user_terminals(rkhunter_t)
+
+ifdef(`init_systemd',`
+ # start as systemd timer
+ init_system_domain(rkhunter_t, rkhunter_exec_t)
+')
+
+tunable_policy(`rkhunter_connect_http',`
+ corenet_tcp_connect_http_port(rkhunter_t)
+')
+
+optional_policy(`
+ cron_system_entry(rkhunter_t, rkhunter_exec_t)
+ cron_rw_inherited_system_job_tmp_files(rkhunter_t)
+')
+
+optional_policy(`
+ # exim check
+ exim_exec(rkhunter_t)
+')
+
+optional_policy(`
+ # gpg check
+ gpg_exec(rkhunter_t)
+')
+
+optional_policy(`
+ # ssh check
+ ssh_exec_sshd(rkhunter_t)
+')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-06-13 8:25 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-06-13 8:25 UTC (permalink / raw
To: gentoo-commits
commit: 2a223d71c2fd8d5db85c837e66a7c2df7c983fa6
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Jun 7 23:25:35 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Jun 13 08:03:23 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2a223d71
mozilla: Module version bump for patch from Luis Ressel.
policy/modules/contrib/mozilla.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
index 24a36b4e..ecd97b65 100644
--- a/policy/modules/contrib/mozilla.te
+++ b/policy/modules/contrib/mozilla.te
@@ -1,4 +1,4 @@
-policy_module(mozilla, 2.11.3)
+policy_module(mozilla, 2.11.4)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-06-13 8:25 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-06-13 8:25 UTC (permalink / raw
To: gentoo-commits
commit: 15e38fe163ace0db3a27689e0376b1b964ff9838
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Jun 7 00:10:26 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Jun 13 08:02:53 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=15e38fe1
gpg: Module version bump for patch from Guido Trentalancia.
policy/modules/contrib/gpg.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index 60b701cf..016e8893 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -1,4 +1,4 @@
-policy_module(gpg, 2.11.2)
+policy_module(gpg, 2.11.3)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-06-13 8:25 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-06-13 8:25 UTC (permalink / raw
To: gentoo-commits
commit: 96ac8920f55e5a652c20aba99a599ce23a4d3c0d
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Mon Jun 5 14:42:24 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Jun 13 08:02:53 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=96ac8920
gpg: manage user runtime socket files and directories
Update the gpg module so that it can correctly manage socket files
and directories in the user runtime directories.
Some other minor gpg fixes are also included in this patch.
This is the fifth version (v5) of this patch and it features some
improvements thanks to feedback received from Christopher PeBenito.
The dirmngr policy introduced in version 3 has now been removed
because dirmngr is handled in a separate module (although this
approach is probably wrong, it should be part of the gpg module).
Signed-off-by: Guido Trentalancia <guido at trentalancia.com>
policy/modules/contrib/gpg.fc | 2 +-
policy/modules/contrib/gpg.te | 23 ++++++++++++++++-------
2 files changed, 17 insertions(+), 8 deletions(-)
diff --git a/policy/modules/contrib/gpg.fc b/policy/modules/contrib/gpg.fc
index c428eb5c..c2c1236d 100644
--- a/policy/modules/contrib/gpg.fc
+++ b/policy/modules/contrib/gpg.fc
@@ -11,4 +11,4 @@ HOME_DIR/\.gnupg/S\.scdaemon -s gen_context(system_u:object_r:gpg_agent_tmp_t,s
/usr/lib/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0)
/usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0)
-/run/user/%{USERID}/gnupg(/.*)? gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
+/run/user/%{USERID}/gnupg(/.*)? gen_context(system_u:object_r:gpg_runtime_t,s0)
diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index bd8e0c96..60b701cf 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -29,6 +29,9 @@ type gpg_exec_t;
userdom_user_application_domain(gpg_t, gpg_exec_t)
role gpg_roles types gpg_t;
+type gpg_runtime_t;
+files_pid_file(gpg_runtime_t)
+
type gpg_agent_t;
type gpg_agent_exec_t;
userdom_user_application_domain(gpg_agent_t, gpg_agent_exec_t)
@@ -72,8 +75,12 @@ dontaudit gpg_t self:netlink_audit_socket r_netlink_socket_perms;
allow gpg_t self:fifo_file rw_fifo_file_perms;
allow gpg_t self:tcp_socket { accept listen };
+manage_dirs_pattern(gpg_t, gpg_runtime_t, gpg_runtime_t)
+userdom_user_runtime_filetrans(gpg_t, gpg_runtime_t, dir, "gnupg")
+
manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
+manage_sock_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file })
manage_dirs_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
@@ -124,6 +131,7 @@ miscfiles_read_localization(gpg_t)
userdom_use_user_terminals(gpg_t)
+userdom_manage_user_tmp_dirs(gpg_t)
userdom_manage_user_tmp_files(gpg_t)
userdom_manage_user_home_content_files(gpg_t)
userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
@@ -220,17 +228,16 @@ manage_sock_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
+manage_dirs_pattern(gpg_agent_t, gpg_runtime_t, gpg_runtime_t)
+userdom_user_runtime_filetrans(gpg_agent_t, gpg_runtime_t, dir, "gnupg")
+
manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })
-filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "log-socket")
-filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent")
-filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.browser")
-filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.extra")
-filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.ssh")
-filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.scdaemon")
+filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file)
+filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, sock_file)
domtrans_pattern(gpg_agent_t, gpg_pinentry_exec_t, gpg_pinentry_t)
@@ -255,7 +262,7 @@ miscfiles_read_localization(gpg_agent_t)
userdom_use_user_terminals(gpg_agent_t)
userdom_search_user_home_dirs(gpg_agent_t)
userdom_search_user_runtime(gpg_agent_t)
-userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, dir)
+userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, { dir file sock_file })
ifdef(`hide_broken_symptoms',`
userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
@@ -315,6 +322,7 @@ fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir })
can_exec(gpg_pinentry_t, gpg_pinentry_exec_t)
+kernel_dontaudit_search_sysctl(gpg_pinentry_t)
kernel_read_system_state(gpg_pinentry_t)
corecmd_exec_shell(gpg_pinentry_t)
@@ -332,6 +340,7 @@ domain_use_interactive_fds(gpg_pinentry_t)
files_read_usr_files(gpg_pinentry_t)
+fs_dontaudit_getattr_xattr_fs(gpg_pinentry_t)
fs_dontaudit_list_inotifyfs(gpg_pinentry_t)
auth_use_nsswitch(gpg_pinentry_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-06-13 8:25 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-06-13 8:25 UTC (permalink / raw
To: gentoo-commits
commit: aec1d2a8145335f43aa482f9127a11febf45091c
Author: Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Wed Jun 7 16:00:05 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Jun 13 08:03:23 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=aec1d2a8
mozilla: Add fc for the files used by the firefox addon "vimperator"
vimperator uses both ~/.vimperatorrc and ~/.vimperator/.
policy/modules/contrib/mozilla.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/mozilla.fc b/policy/modules/contrib/mozilla.fc
index ef317668..867ba3e8 100644
--- a/policy/modules/contrib/mozilla.fc
+++ b/policy/modules/contrib/mozilla.fc
@@ -4,6 +4,7 @@ HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
HOME_DIR/\.mozilla/plugins(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.vimperator.* gen_context(system_u:object_r:mozilla_home_t,s0)
/usr/bin/epiphany -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/usr/bin/epiphany-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-06-13 8:25 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-06-13 8:25 UTC (permalink / raw
To: gentoo-commits
commit: c5190f916e9d71de114558b6768c8fd83e38173c
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Thu Jun 8 22:28:50 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Jun 13 08:03:23 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c5190f91
rkhunter: Fix module version and move lines.
policy/modules/contrib/rkhunter.te | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/policy/modules/contrib/rkhunter.te b/policy/modules/contrib/rkhunter.te
index a57c826b..4ebfdf6c 100644
--- a/policy/modules/contrib/rkhunter.te
+++ b/policy/modules/contrib/rkhunter.te
@@ -1,4 +1,4 @@
-policy_module(rkhunter, 0.0.1)
+policy_module(rkhunter, 1.0.0)
########################################
#
@@ -21,15 +21,15 @@ type rkhunter_exec_t;
application_domain(rkhunter_t, rkhunter_exec_t)
role rkhunter_roles types rkhunter_t;
-type rkhunter_var_lib_t;
-files_type(rkhunter_var_lib_t)
-
type rkhunter_log_t;
logging_log_file(rkhunter_log_t)
type rkhunter_tmpfs_t;
files_tmpfs_file(rkhunter_tmpfs_t)
+type rkhunter_var_lib_t;
+files_type(rkhunter_var_lib_t)
+
########################################
#
# Application local policy
@@ -77,8 +77,6 @@ domain_use_interactive_fds(rkhunter_t)
domain_getattr_all_sockets(rkhunter_t)
domain_getattr_all_pipes(rkhunter_t)
-hostname_exec(rkhunter_t)
-
files_read_non_auth_files(rkhunter_t)
files_read_all_symlinks(rkhunter_t)
files_read_all_chr_files(rkhunter_t)
@@ -88,10 +86,12 @@ files_getattr_all_sockets(rkhunter_t)
fs_getattr_tracefs(rkhunter_t)
fs_getattr_tracefs_dirs(rkhunter_t)
-modutils_exec(rkhunter_t)
+hostname_exec(rkhunter_t)
logging_send_syslog_msg(rkhunter_t)
+modutils_exec(rkhunter_t)
+
sysnet_exec_ifconfig(rkhunter_t)
userdom_use_inherited_user_terminals(rkhunter_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-06-05 17:25 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-06-05 17:25 UTC (permalink / raw
To: gentoo-commits
commit: 66efc8fa9cbad81408b0bab276c5b988891e7c9e
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Jun 4 15:23:50 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Jun 5 17:16:18 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=66efc8fa
networkmanager: use consolekit inhibit locks
policy/modules/contrib/networkmanager.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index dee77c73..4190eaae 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -228,6 +228,7 @@ optional_policy(`
optional_policy(`
consolekit_dbus_chat(NetworkManager_t)
+ consolekit_use_inhibit_lock(NetworkManager_t)
')
optional_policy(`
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-06-05 17:25 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-06-05 17:25 UTC (permalink / raw
To: gentoo-commits
commit: d9e6a9e06e931a63cc6e2668874fc24e8b35e1c2
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Mon Jun 5 00:43:03 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Jun 5 17:16:18 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d9e6a9e0
Module version bumps for patches from Jason Zaman.
policy/modules/contrib/consolekit.te | 2 +-
policy/modules/contrib/dbus.te | 2 +-
policy/modules/contrib/networkmanager.te | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/policy/modules/contrib/consolekit.te b/policy/modules/contrib/consolekit.te
index ea4db82b..773945cc 100644
--- a/policy/modules/contrib/consolekit.te
+++ b/policy/modules/contrib/consolekit.te
@@ -1,4 +1,4 @@
-policy_module(consolekit, 1.12.1)
+policy_module(consolekit, 1.12.2)
########################################
#
diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index c811338b..76f4e148 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -1,4 +1,4 @@
-policy_module(dbus, 1.22.7)
+policy_module(dbus, 1.22.8)
gen_require(`
class dbus all_dbus_perms;
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index 4190eaae..e3a9f6d6 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -1,4 +1,4 @@
-policy_module(networkmanager, 1.20.7)
+policy_module(networkmanager, 1.20.8)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-06-05 17:25 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-06-05 17:25 UTC (permalink / raw
To: gentoo-commits
commit: 2873694ba1cc11acf324afb6778b947452d060ec
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Jun 4 15:23:48 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Jun 5 17:16:18 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2873694b
consolekit: introduce consolekit_use_inhibit_lock interface
Applications hold FDs while they hold the lock.
Implements this API:
https://www.freedesktop.org/wiki/Software/systemd/inhibit/
policy/modules/contrib/consolekit.if | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)
diff --git a/policy/modules/contrib/consolekit.if b/policy/modules/contrib/consolekit.if
index 5b830ec9..e5cc8434 100644
--- a/policy/modules/contrib/consolekit.if
+++ b/policy/modules/contrib/consolekit.if
@@ -42,6 +42,29 @@ interface(`consolekit_dbus_chat',`
########################################
## <summary>
+## Use consolekit inhibit locks.
+##
+## The program gets passed an FD to a fifo_file to hold.
+## When the application is done with the lock, it closes the FD.
+## Implements this API: https://www.freedesktop.org/wiki/Software/systemd/inhibit/
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`consolekit_use_inhibit_lock',`
+ gen_require(`
+ type consolekit_t, consolekit_var_run_t;
+ ')
+
+ allow $1 consolekit_t:fd use;
+ allow $1 consolekit_var_run_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
+########################################
+## <summary>
## Read consolekit log files.
## </summary>
## <param name="domain">
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-06-05 17:25 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-06-05 17:25 UTC (permalink / raw
To: gentoo-commits
commit: 5fb5e3e0d746b95431dabd0dd758f72da5f2f7ed
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Jun 4 15:23:47 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Jun 5 17:16:18 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5fb5e3e0
consolekit: allow purging tmp
Needs to be able to clear out /run/user/UID on logout
policy/modules/contrib/consolekit.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/consolekit.te b/policy/modules/contrib/consolekit.te
index d51634ea..ea4db82b 100644
--- a/policy/modules/contrib/consolekit.te
+++ b/policy/modules/contrib/consolekit.te
@@ -64,6 +64,7 @@ domain_dontaudit_ptrace_all_domains(consolekit_t)
files_read_usr_files(consolekit_t)
files_read_var_lib_files(consolekit_t)
files_search_all_mountpoints(consolekit_t)
+files_purge_tmp(consolekit_t)
fs_list_inotifyfs(consolekit_t)
fs_mount_tmpfs(consolekit_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-06-05 17:25 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-06-05 17:25 UTC (permalink / raw
To: gentoo-commits
commit: cc89c1c492171236a8134b84906858858a9be498
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Jun 4 15:23:49 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Jun 5 17:16:18 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cc89c1c4
dbus: use consolekit inhibit locks
policy/modules/contrib/dbus.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index 921a8384..c811338b 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -170,6 +170,10 @@ optional_policy(`
')
optional_policy(`
+ consolekit_use_inhibit_lock(system_dbusd_t)
+')
+
+optional_policy(`
policykit_read_lib(system_dbusd_t)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-06-05 17:25 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-06-05 17:25 UTC (permalink / raw
To: gentoo-commits
commit: cf36b3514d4db2806437cdd1ed63cd328f40a3e2
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Mon Jun 5 00:30:25 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Jun 5 17:16:18 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cf36b351
cgmanager: Move lines
policy/modules/contrib/cgmanager.fc | 15 ++++++++-------
policy/modules/contrib/cgmanager.te | 26 ++++++++++++--------------
2 files changed, 20 insertions(+), 21 deletions(-)
diff --git a/policy/modules/contrib/cgmanager.fc b/policy/modules/contrib/cgmanager.fc
index d53e92f5..d638d196 100644
--- a/policy/modules/contrib/cgmanager.fc
+++ b/policy/modules/contrib/cgmanager.fc
@@ -1,9 +1,10 @@
-/usr/sbin/cgmanager -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
-/usr/sbin/cgproxy -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
-/usr/sbin/cgm-release-agent -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
+/sys/fs/cgroup/cgmanager(/.*)? gen_context(system_u:object_r:cgmanager_cgroup_t,s0)
-/sys/fs/cgroup/cgmanager(/.*)? gen_context(system_u:object_r:cgmanager_cgroup_t,s0)
+/run/cgmanager(/.*)? gen_context(system_u:object_r:cgmanager_run_t,s0)
+/run/cgmanager.pid gen_context(system_u:object_r:cgmanager_run_t,s0)
+/run/cgmanager/fs(/.*)? <<none>>
-/run/cgmanager(/.*)? gen_context(system_u:object_r:cgmanager_run_t,s0)
-/run/cgmanager.pid gen_context(system_u:object_r:cgmanager_run_t,s0)
-/run/cgmanager/fs(/.*)? <<none>>
+/usr/libexec/cgmanager/cgm-release-agent -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
+
+/usr/sbin/cgmanager -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
+/usr/sbin/cgproxy -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
diff --git a/policy/modules/contrib/cgmanager.te b/policy/modules/contrib/cgmanager.te
index 5c322954..c3cc5217 100644
--- a/policy/modules/contrib/cgmanager.te
+++ b/policy/modules/contrib/cgmanager.te
@@ -9,12 +9,12 @@ type cgmanager_t;
type cgmanager_exec_t;
init_daemon_domain(cgmanager_t, cgmanager_exec_t)
-type cgmanager_run_t;
-files_pid_file(cgmanager_run_t)
-
type cgmanager_cgroup_t;
files_type(cgmanager_cgroup_t)
+type cgmanager_run_t;
+files_pid_file(cgmanager_run_t)
+
########################################
#
# CGManager local policy
@@ -23,40 +23,38 @@ files_type(cgmanager_cgroup_t)
allow cgmanager_t self:capability { sys_admin dac_override };
allow cgmanager_t self:fifo_file rw_fifo_file_perms;
+manage_dirs_pattern(cgmanager_t, cgmanager_cgroup_t, cgmanager_cgroup_t)
+manage_files_pattern(cgmanager_t, cgmanager_cgroup_t, cgmanager_cgroup_t)
+manage_sock_files_pattern(cgmanager_t, cgmanager_cgroup_t, cgmanager_cgroup_t)
+fs_cgroup_filetrans(cgmanager_t, cgmanager_cgroup_t, dir, "cgmanager")
+
+can_exec(cgmanager_t, cgmanager_exec_t)
+
manage_dirs_pattern(cgmanager_t, cgmanager_run_t, cgmanager_run_t)
manage_files_pattern(cgmanager_t, cgmanager_run_t, cgmanager_run_t)
manage_lnk_files_pattern(cgmanager_t, cgmanager_run_t, cgmanager_run_t)
files_pid_filetrans(cgmanager_t, cgmanager_run_t, { file dir })
allow cgmanager_t cgmanager_run_t:dir mounton;
-manage_dirs_pattern(cgmanager_t, cgmanager_cgroup_t, cgmanager_cgroup_t)
-manage_files_pattern(cgmanager_t, cgmanager_cgroup_t, cgmanager_cgroup_t)
-manage_sock_files_pattern(cgmanager_t, cgmanager_cgroup_t, cgmanager_cgroup_t)
-fs_cgroup_filetrans(cgmanager_t, cgmanager_cgroup_t, dir, "cgmanager")
-
+# for the release agent
kernel_domtrans_to(cgmanager_t, cgmanager_exec_t)
kernel_read_system_state(cgmanager_t)
corecmd_exec_bin(cgmanager_t)
-can_exec(cgmanager_t, cgmanager_exec_t)
domain_read_all_domains_state(cgmanager_t)
files_read_etc_files(cgmanager_t)
-
# cgmanager unmounts everything in its own mount namespace and mounts tmpfs on some things
files_mounton_all_mountpoints(cgmanager_t)
files_unmount_all_file_type_fs(cgmanager_t)
-fs_unmount_xattr_fs(cgmanager_t)
+fs_unmount_xattr_fs(cgmanager_t)
fs_manage_cgroup_dirs(cgmanager_t)
fs_manage_cgroup_files(cgmanager_t)
-
fs_getattr_tmpfs(cgmanager_t)
-
fs_manage_tmpfs_dirs(cgmanager_t)
fs_manage_tmpfs_files(cgmanager_t)
-
fs_mount_cgroup(cgmanager_t)
fs_mount_tmpfs(cgmanager_t)
fs_mounton_tmpfs(cgmanager_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-06-05 17:25 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-06-05 17:25 UTC (permalink / raw
To: gentoo-commits
commit: 4b88828fafc5dd53c5b406a2409069883d8b078a
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Jun 5 17:21:04 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Jun 5 17:21:04 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4b88828f
portage: add filetrans for go and hg src dirs
policy/modules/contrib/portage.fc | 1 +
policy/modules/contrib/portage.te | 2 ++
2 files changed, 3 insertions(+)
diff --git a/policy/modules/contrib/portage.fc b/policy/modules/contrib/portage.fc
index e5479b34..7f6ab05b 100644
--- a/policy/modules/contrib/portage.fc
+++ b/policy/modules/contrib/portage.fc
@@ -24,6 +24,7 @@
/usr/portage/distfiles/cvs-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
/usr/portage/distfiles/egit-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
/usr/portage/distfiles/git.?-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
+/usr/portage/distfiles/go-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
/usr/portage/distfiles/hg-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
/usr/portage/distfiles/svn-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
diff --git a/policy/modules/contrib/portage.te b/policy/modules/contrib/portage.te
index bf993155..9566409e 100644
--- a/policy/modules/contrib/portage.te
+++ b/policy/modules/contrib/portage.te
@@ -487,6 +487,8 @@ gen_tunable(portage_enable_test, false)
filetrans_pattern(portage_sandbox_t, portage_ebuild_t, portage_srcrepo_t, dir, "cvs-src")
filetrans_pattern(portage_sandbox_t, portage_ebuild_t, portage_srcrepo_t, dir, "egit-src") # git-2.eclass
filetrans_pattern(portage_sandbox_t, portage_ebuild_t, portage_srcrepo_t, dir, "git3-src") # git-r3.eclass
+ filetrans_pattern(portage_sandbox_t, portage_ebuild_t, portage_srcrepo_t, dir, "go-src")
+ filetrans_pattern(portage_sandbox_t, portage_ebuild_t, portage_srcrepo_t, dir, "hg-src")
filetrans_pattern(portage_sandbox_t, portage_ebuild_t, portage_srcrepo_t, dir, "svn-src")
# install-xattr does listxattr() which throws a lot of this
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-06-05 17:25 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-06-05 17:25 UTC (permalink / raw
To: gentoo-commits
commit: dc4b834ff33bf929c375c90c3c66ffab913fb8c2
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Thu Jun 1 01:09:27 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Jun 5 17:16:18 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=dc4b834f
Module version bumps for patches from Jason Zaman.
policy/modules/contrib/dirmngr.te | 2 +-
policy/modules/contrib/gpg.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/dirmngr.te b/policy/modules/contrib/dirmngr.te
index a3ecd76b..057c6baf 100644
--- a/policy/modules/contrib/dirmngr.te
+++ b/policy/modules/contrib/dirmngr.te
@@ -1,4 +1,4 @@
-policy_module(dirmngr, 1.2.1)
+policy_module(dirmngr, 1.2.2)
########################################
#
diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index 140d8d94..bd8e0c96 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -1,4 +1,4 @@
-policy_module(gpg, 2.11.1)
+policy_module(gpg, 2.11.2)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-06-05 17:25 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-06-05 17:25 UTC (permalink / raw
To: gentoo-commits
commit: 1cc19640d0f855197333f3edce61d1607dd76a87
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Thu Jun 1 00:56:07 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Jun 5 17:16:18 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1cc19640
dirmngr: Whitespace fixes.
policy/modules/contrib/dirmngr.te | 3 +++
1 file changed, 3 insertions(+)
diff --git a/policy/modules/contrib/dirmngr.te b/policy/modules/contrib/dirmngr.te
index 4cec7fcd..a3ecd76b 100644
--- a/policy/modules/contrib/dirmngr.te
+++ b/policy/modules/contrib/dirmngr.te
@@ -40,6 +40,7 @@ allow dirmngr_t self:fifo_file rw_file_perms;
allow dirmngr_t dirmngr_conf_t:dir list_dir_perms;
allow dirmngr_t dirmngr_conf_t:file read_file_perms;
allow dirmngr_t dirmngr_conf_t:lnk_file read_lnk_file_perms;
+
allow dirmngr_t dirmngr_home_t:dir list_dir_perms;
allow dirmngr_t dirmngr_home_t:file read_file_perms;
@@ -62,7 +63,9 @@ manage_sock_files_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)
files_pid_filetrans(dirmngr_t, dirmngr_var_run_t, { dir file })
kernel_read_crypto_sysctls(dirmngr_t)
+
dev_read_rand(dirmngr_t)
+
sysnet_dns_name_resolve(dirmngr_t)
corenet_tcp_connect_pgpkeyserver_port(dirmngr_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-06-05 17:25 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-06-05 17:25 UTC (permalink / raw
To: gentoo-commits
commit: 16ad490b87e5629bafc5251261fc294340096fe9
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Thu May 25 10:53:07 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Jun 5 17:16:18 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=16ad490b
zabbix: Grant zabbix_agent_t to call setrlimit on self
Zabbix Agent wants to disable core dumps on its process
or it refuses to start.
See zabbix bug ZBX-10542
policy/modules/contrib/zabbix.te | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/zabbix.te b/policy/modules/contrib/zabbix.te
index 3f45497a..5d57a2af 100644
--- a/policy/modules/contrib/zabbix.te
+++ b/policy/modules/contrib/zabbix.te
@@ -1,4 +1,4 @@
-policy_module(zabbix, 1.10.1)
+policy_module(zabbix, 1.10.2)
########################################
#
@@ -133,7 +133,7 @@ optional_policy(`
#
allow zabbix_agent_t self:capability { setgid setuid };
-allow zabbix_agent_t self:process { setsched getsched signal };
+allow zabbix_agent_t self:process { setsched getsched signal setrlimit };
allow zabbix_agent_t self:fifo_file rw_fifo_file_perms;
allow zabbix_agent_t self:sem create_sem_perms;
allow zabbix_agent_t self:shm create_shm_perms;
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-06-05 17:25 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-06-05 17:25 UTC (permalink / raw
To: gentoo-commits
commit: 996e3b5ef2273ae294ef466afcd37bac49083998
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Fri May 26 15:57:58 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Jun 5 17:16:18 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=996e3b5e
dirmngr: fcontext for ~/.gnupg/crls.d/
policy/modules/contrib/dirmngr.fc | 2 ++
policy/modules/contrib/dirmngr.te | 7 +++++++
policy/modules/contrib/gpg.if | 20 ++++++++++++++++++++
3 files changed, 29 insertions(+)
diff --git a/policy/modules/contrib/dirmngr.fc b/policy/modules/contrib/dirmngr.fc
index a9cf15a8..60f19f47 100644
--- a/policy/modules/contrib/dirmngr.fc
+++ b/policy/modules/contrib/dirmngr.fc
@@ -1,3 +1,5 @@
+HOME_DIR/\.gnupg/crls\.d(/.+)? gen_context(system_u:object_r:dirmngr_home_t,s0)
+
/etc/dirmngr(/.*)? gen_context(system_u:object_r:dirmngr_conf_t,s0)
/etc/rc\.d/init\.d/dirmngr -- gen_context(system_u:object_r:dirmngr_initrc_exec_t,s0)
diff --git a/policy/modules/contrib/dirmngr.te b/policy/modules/contrib/dirmngr.te
index 8e4a1a89..17cce56a 100644
--- a/policy/modules/contrib/dirmngr.te
+++ b/policy/modules/contrib/dirmngr.te
@@ -27,6 +27,9 @@ files_type(dirmngr_var_lib_t)
type dirmngr_var_run_t;
files_pid_file(dirmngr_var_run_t)
+type dirmngr_home_t;
+userdom_user_home_content(dirmngr_home_t)
+
########################################
#
# Local policy
@@ -37,6 +40,8 @@ allow dirmngr_t self:fifo_file rw_file_perms;
allow dirmngr_t dirmngr_conf_t:dir list_dir_perms;
allow dirmngr_t dirmngr_conf_t:file read_file_perms;
allow dirmngr_t dirmngr_conf_t:lnk_file read_lnk_file_perms;
+allow dirmngr_t dirmngr_home_t:dir list_dir_perms;
+allow dirmngr_t dirmngr_home_t:file read_file_perms;
manage_dirs_pattern(dirmngr_t, dirmngr_log_t, dirmngr_log_t)
append_files_pattern(dirmngr_t, dirmngr_log_t, dirmngr_log_t)
@@ -61,6 +66,7 @@ kernel_read_crypto_sysctls(dirmngr_t)
files_read_etc_files(dirmngr_t)
miscfiles_read_localization(dirmngr_t)
+miscfiles_read_generic_certs(dirmngr_t)
userdom_search_user_home_dirs(dirmngr_t)
userdom_search_user_runtime(dirmngr_t)
@@ -68,4 +74,5 @@ userdom_user_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, dir)
optional_policy(`
gpg_agent_tmp_filetrans(dirmngr_t, dirmngr_tmp_t, sock_file)
+ gpg_secret_filetrans(dirmngr_t, dirmngr_home_t, dir)
')
diff --git a/policy/modules/contrib/gpg.if b/policy/modules/contrib/gpg.if
index 8bad95c4..4f118bf3 100644
--- a/policy/modules/contrib/gpg.if
+++ b/policy/modules/contrib/gpg.if
@@ -253,6 +253,26 @@ interface(`gpg_agent_tmp_filetrans',`
########################################
## <summary>
+## filetrans in gpg_secret_t dirs
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gpg_secret_filetrans',`
+ gen_require(`
+ type gpg_secret_t;
+ ')
+
+ filetrans_pattern($1, gpg_secret_t, $2, $3, $4)
+ allow $1 gpg_secret_t:dir search_dir_perms;
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
## Send messages to and from gpg
## pinentry over DBUS.
## </summary>
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-06-05 17:25 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-06-05 17:25 UTC (permalink / raw
To: gentoo-commits
commit: 938cfb8b4b1441bef3822a9a236affa194dcae12
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Fri May 26 01:00:27 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Jun 5 17:16:18 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=938cfb8b
Module version bump for misc patches from Guido Trentalancia.
policy/modules/contrib/dbus.te | 2 +-
policy/modules/contrib/ntp.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index 007de863..921a8384 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -1,4 +1,4 @@
-policy_module(dbus, 1.22.6)
+policy_module(dbus, 1.22.7)
gen_require(`
class dbus all_dbus_perms;
diff --git a/policy/modules/contrib/ntp.te b/policy/modules/contrib/ntp.te
index 30071e2d..04e82eb3 100644
--- a/policy/modules/contrib/ntp.te
+++ b/policy/modules/contrib/ntp.te
@@ -1,4 +1,4 @@
-policy_module(ntp, 1.16.5)
+policy_module(ntp, 1.16.6)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-06-05 17:25 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-06-05 17:25 UTC (permalink / raw
To: gentoo-commits
commit: 0d5a67bab403751c675d21a93b13f6e2189997c0
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Thu Jun 1 00:50:51 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Jun 5 17:16:18 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0d5a67ba
gpg: Fix overspecified dependencies in gpg_agent_tmp_filetrans.
policy/modules/contrib/gpg.if | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/policy/modules/contrib/gpg.if b/policy/modules/contrib/gpg.if
index 4480f9c6..8bad95c4 100644
--- a/policy/modules/contrib/gpg.if
+++ b/policy/modules/contrib/gpg.if
@@ -244,8 +244,7 @@ interface(`gpg_search_agent_tmp_dirs',`
#
interface(`gpg_agent_tmp_filetrans',`
gen_require(`
- type gpg_agent_t, gpg_agent_tmp_t;
- type gpg_secret_t;
+ type gpg_agent_tmp_t;
')
filetrans_pattern($1, gpg_agent_tmp_t, $2, $3, $4)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-06-05 17:25 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-06-05 17:25 UTC (permalink / raw
To: gentoo-commits
commit: e2346cfeb76c46e1dbf2afc99f792f053693c899
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Thu May 25 11:23:26 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Jun 5 17:16:18 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e2346cfe
dbus: let session bus daemon manage user runtime dirs
Let the session dbus process manage user runtime directories (with
its own file type).
This is the fifth version (v5) of the patch, thanks to Dominick
Grift for revising the previous versions and suggesting improvements,
although unfortunately this new version needs to revert one of the
suggested amendments because it was misleading.
Signed-off-by: Guido Trentalancia <guido at trentalancia.com>
policy/modules/contrib/dbus.fc | 2 ++
policy/modules/contrib/dbus.te | 8 ++++++++
2 files changed, 10 insertions(+)
diff --git a/policy/modules/contrib/dbus.fc b/policy/modules/contrib/dbus.fc
index c2a15358..eba45221 100644
--- a/policy/modules/contrib/dbus.fc
+++ b/policy/modules/contrib/dbus.fc
@@ -4,6 +4,8 @@ HOME_DIR/\.dbus(/.*)? gen_context(system_u:object_r:session_dbusd_home_t,s0)
/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
/run/messagebus\.pid -- gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+/run/user/%{USERID}/bus -s gen_context(system_u:object_r:session_dbusd_runtime_t,s0)
+/run/user/%{USERID}/dbus-1(/.*)? gen_context(system_u:object_r:session_dbusd_runtime_t,s0)
/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0)
diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index ca39fb6b..007de863 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -47,6 +47,9 @@ type system_dbusd_var_run_t;
files_pid_file(system_dbusd_var_run_t)
init_daemon_pid_file(system_dbusd_var_run_t, dir, "dbus")
+type session_dbusd_runtime_t;
+files_pid_file(session_dbusd_runtime_t)
+
ifdef(`enable_mcs',`
init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh)
')
@@ -210,6 +213,11 @@ manage_dirs_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t)
manage_files_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t)
files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { dir file })
+manage_dirs_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t)
+manage_files_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t)
+manage_sock_files_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t)
+userdom_user_runtime_filetrans(session_bus_type, session_dbusd_runtime_t, { dir file sock_file })
+
kernel_read_system_state(session_bus_type)
kernel_read_kernel_sysctls(session_bus_type)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-06-05 17:25 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-06-05 17:25 UTC (permalink / raw
To: gentoo-commits
commit: 194609ea0eabce3979dcfa3775c86aa86cce4d78
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Thu May 25 19:27:17 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Jun 5 17:16:18 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=194609ea
ntp: fix the drift file context and transition
Fix the ntp module by adding a new file context for the default
location of the drift file (frequency of the local clock oscillator)
and by adding the appropriate file transition interface call.
Otherwise, the drift file cannot be created and the following error
message is generated:
frequency file /etc/ntp.drift.TEMP: Permission denied
Signed-off-by: Guido Trentalancia <guido at trentalancia.com>
policy/modules/contrib/ntp.fc | 1 +
policy/modules/contrib/ntp.te | 1 +
2 files changed, 2 insertions(+)
diff --git a/policy/modules/contrib/ntp.fc b/policy/modules/contrib/ntp.fc
index 9c8c35c9..38436f38 100644
--- a/policy/modules/contrib/ntp.fc
+++ b/policy/modules/contrib/ntp.fc
@@ -3,6 +3,7 @@
/etc/cron\.(daily|weekly)/ntp-server -- gen_context(system_u:object_r:ntpd_exec_t,s0)
/etc/ntp\.conf -- gen_context(system_u:object_r:ntp_conf_t,s0)
+/etc/ntp\.drift -- gen_context(system_u:object_r:ntp_drift_t,s0)
/etc/ntpd.*\.conf.* -- gen_context(system_u:object_r:ntp_conf_t,s0)
/etc/ntp/crypto(/.*)? gen_context(system_u:object_r:ntpd_key_t,s0)
/etc/ntp/data(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
diff --git a/policy/modules/contrib/ntp.te b/policy/modules/contrib/ntp.te
index cbd5fd18..30071e2d 100644
--- a/policy/modules/contrib/ntp.te
+++ b/policy/modules/contrib/ntp.te
@@ -66,6 +66,7 @@ allow ntpd_t ntp_conf_t:file read_file_perms;
manage_dirs_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
manage_files_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
+files_etc_filetrans(ntpd_t, ntp_drift_t, file)
files_var_filetrans(ntpd_t, ntp_drift_t, file)
read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-06-05 17:25 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-06-05 17:25 UTC (permalink / raw
To: gentoo-commits
commit: 9e3ce22d7df35dfa009df551d42dfa449df3c311
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Fri May 26 15:57:59 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Jun 5 17:16:18 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9e3ce22d
dirmngr: Network rules to connect to keyserver
type=AVC msg=audit(1494163667.921:24917): avc: denied { name_bind } for pid=15683 comm=636F6E6E2066643D36 src=19321 scontext=staff_u:staff_r:dirmngr_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0
policy/modules/contrib/dirmngr.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/dirmngr.te b/policy/modules/contrib/dirmngr.te
index 17cce56a..4cec7fcd 100644
--- a/policy/modules/contrib/dirmngr.te
+++ b/policy/modules/contrib/dirmngr.te
@@ -62,6 +62,10 @@ manage_sock_files_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)
files_pid_filetrans(dirmngr_t, dirmngr_var_run_t, { dir file })
kernel_read_crypto_sysctls(dirmngr_t)
+dev_read_rand(dirmngr_t)
+sysnet_dns_name_resolve(dirmngr_t)
+
+corenet_tcp_connect_pgpkeyserver_port(dirmngr_t)
files_read_etc_files(dirmngr_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-06-05 17:25 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-06-05 17:25 UTC (permalink / raw
To: gentoo-commits
commit: 68d8230a67e0d7898e142c74fcb9c78a1c165e76
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Fri May 26 15:57:57 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Jun 5 17:16:18 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=68d8230a
gpg dirmngr: create and connect to socket
policy/modules/contrib/dirmngr.fc | 2 ++
policy/modules/contrib/dirmngr.if | 25 +++++++++++++++++++++++++
policy/modules/contrib/dirmngr.te | 13 +++++++++++++
policy/modules/contrib/gpg.if | 38 ++++++++++++++++++++++++++++++++++++++
policy/modules/contrib/gpg.te | 1 +
5 files changed, 79 insertions(+)
diff --git a/policy/modules/contrib/dirmngr.fc b/policy/modules/contrib/dirmngr.fc
index a0f261c9..a9cf15a8 100644
--- a/policy/modules/contrib/dirmngr.fc
+++ b/policy/modules/contrib/dirmngr.fc
@@ -12,3 +12,5 @@
/run/dirmngr\.pid -- gen_context(system_u:object_r:dirmngr_var_run_t,s0)
/run/dirmngr(/.*)? gen_context(system_u:object_r:dirmngr_var_run_t,s0)
+
+/run/user/%{USERID}/gnupg/S.dirmngr -s gen_context(system_u:object_r:dirmngr_tmp_t,s0)
diff --git a/policy/modules/contrib/dirmngr.if b/policy/modules/contrib/dirmngr.if
index 2f6875a6..07af5063 100644
--- a/policy/modules/contrib/dirmngr.if
+++ b/policy/modules/contrib/dirmngr.if
@@ -18,6 +18,7 @@
interface(`dirmngr_role',`
gen_require(`
type dirmngr_t, dirmngr_exec_t;
+ type dirmngr_tmp_t;
')
role $1 types dirmngr_t;
@@ -29,6 +30,8 @@ interface(`dirmngr_role',`
allow dirmngr_t $2:fd use;
allow dirmngr_t $2:fifo_file { read write };
+
+ allow $2 dirmngr_tmp_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
')
########################################
@@ -71,6 +74,28 @@ interface(`dirmngr_exec',`
########################################
## <summary>
+## Connect to dirmngr socket
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirmngr_stream_connect',`
+ gen_require(`
+ type dirmngr_t, dirmngr_tmp_t;
+ ')
+
+ gpg_search_agent_tmp_dirs($1)
+ allow $1 dirmngr_tmp_t:sock_file rw_sock_file_perms;
+ allow $1 dirmngr_t:unix_stream_socket connectto;
+ userdom_search_user_runtime($1)
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
## All of the rules required to
## administrate an dirmngr environment.
## </summary>
diff --git a/policy/modules/contrib/dirmngr.te b/policy/modules/contrib/dirmngr.te
index 23f40456..8e4a1a89 100644
--- a/policy/modules/contrib/dirmngr.te
+++ b/policy/modules/contrib/dirmngr.te
@@ -18,6 +18,9 @@ init_script_file(dirmngr_initrc_exec_t)
type dirmngr_log_t;
logging_log_file(dirmngr_log_t)
+type dirmngr_tmp_t;
+userdom_user_tmp_file(dirmngr_tmp_t)
+
type dirmngr_var_lib_t;
files_type(dirmngr_var_lib_t)
@@ -46,6 +49,8 @@ manage_files_pattern(dirmngr_t, dirmngr_var_lib_t, dirmngr_var_lib_t)
manage_lnk_files_pattern(dirmngr_t, dirmngr_var_lib_t, dirmngr_var_lib_t)
files_var_lib_filetrans(dirmngr_t, dirmngr_var_lib_t, dir)
+manage_sock_files_pattern(dirmngr_t, dirmngr_tmp_t, dirmngr_tmp_t)
+
manage_dirs_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)
manage_files_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)
manage_sock_files_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)
@@ -56,3 +61,11 @@ kernel_read_crypto_sysctls(dirmngr_t)
files_read_etc_files(dirmngr_t)
miscfiles_read_localization(dirmngr_t)
+
+userdom_search_user_home_dirs(dirmngr_t)
+userdom_search_user_runtime(dirmngr_t)
+userdom_user_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, dir)
+
+optional_policy(`
+ gpg_agent_tmp_filetrans(dirmngr_t, dirmngr_tmp_t, sock_file)
+')
diff --git a/policy/modules/contrib/gpg.if b/policy/modules/contrib/gpg.if
index efffff87..4480f9c6 100644
--- a/policy/modules/contrib/gpg.if
+++ b/policy/modules/contrib/gpg.if
@@ -216,6 +216,44 @@ interface(`gpg_stream_connect_agent',`
########################################
## <summary>
+## Search gpg agent dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gpg_search_agent_tmp_dirs',`
+ gen_require(`
+ type gpg_agent_tmp_t;
+ ')
+
+ allow $1 gpg_agent_tmp_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## filetrans in gpg_agent_tmp_t dirs
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gpg_agent_tmp_filetrans',`
+ gen_require(`
+ type gpg_agent_t, gpg_agent_tmp_t;
+ type gpg_secret_t;
+ ')
+
+ filetrans_pattern($1, gpg_agent_tmp_t, $2, $3, $4)
+ userdom_search_user_runtime($1)
+')
+
+########################################
+## <summary>
## Send messages to and from gpg
## pinentry over DBUS.
## </summary>
diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index 1b8448c7..140d8d94 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -140,6 +140,7 @@ tunable_policy(`use_samba_home_dirs',`
optional_policy(`
dirmngr_domtrans(gpg_t)
+ dirmngr_stream_connect(gpg_t)
')
optional_policy(`
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-06-05 17:25 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-06-05 17:25 UTC (permalink / raw
To: gentoo-commits
commit: eb4243483e9aab2e37ec39334dbff1acedb5351d
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Fri May 26 15:57:56 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Jun 5 17:16:18 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=eb424348
dirmngr: add to roles and allow gpg to domtrans
policy/modules/contrib/dirmngr.if | 69 +++++++++++++++++++++++++++++++++++++++
policy/modules/contrib/gpg.te | 4 +++
2 files changed, 73 insertions(+)
diff --git a/policy/modules/contrib/dirmngr.if b/policy/modules/contrib/dirmngr.if
index 4cd2810e..2f6875a6 100644
--- a/policy/modules/contrib/dirmngr.if
+++ b/policy/modules/contrib/dirmngr.if
@@ -1,5 +1,74 @@
## <summary>Server for managing and downloading certificate revocation lists.</summary>
+############################################################
+## <summary>
+## Role access for dirmngr.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`dirmngr_role',`
+ gen_require(`
+ type dirmngr_t, dirmngr_exec_t;
+ ')
+
+ role $1 types dirmngr_t;
+
+ domtrans_pattern($2, dirmngr_exec_t, dirmngr_t)
+
+ allow $2 dirmngr_t:process { ptrace signal_perms };
+ ps_process_pattern($2, dirmngr_t)
+
+ allow dirmngr_t $2:fd use;
+ allow dirmngr_t $2:fifo_file { read write };
+')
+
+########################################
+## <summary>
+## Execute dirmngr in the dirmngr domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`dirmngr_domtrans',`
+ gen_require(`
+ type dirmngr_t, dirmngr_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, dirmngr_exec_t, dirmngr_t)
+')
+
+########################################
+## <summary>
+## Execute the dirmngr in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirmngr_exec',`
+ gen_require(`
+ type dirmngr_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, dirmngr_exec_t)
+')
+
########################################
## <summary>
## All of the rules required to
diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index c145fb4c..1b8448c7 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -139,6 +139,10 @@ tunable_policy(`use_samba_home_dirs',`
')
optional_policy(`
+ dirmngr_domtrans(gpg_t)
+')
+
+optional_policy(`
evolution_read_orbit_tmp_files(gpg_t)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-05-25 17:04 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-05-25 17:04 UTC (permalink / raw
To: gentoo-commits
commit: 8327ce0c3856f07497d5df5d9b77fa820e915cfb
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu May 25 17:03:37 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu May 25 17:03:37 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8327ce0c
consolekit: remove gentoo blocks now that its upstreamed
policy/modules/contrib/consolekit.fc | 5 -----
policy/modules/contrib/consolekit.te | 31 +++++++++++--------------------
2 files changed, 11 insertions(+), 25 deletions(-)
diff --git a/policy/modules/contrib/consolekit.fc b/policy/modules/contrib/consolekit.fc
index 8b440c56..d4623586 100644
--- a/policy/modules/contrib/consolekit.fc
+++ b/policy/modules/contrib/consolekit.fc
@@ -9,8 +9,3 @@
/run/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_var_run_t,s0)
/run/consolekit\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0)
/run/console-kit-daemon\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0)
-
-ifdef(`distro_gentoo',`
-# Bug 497986
-/usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0)
-')
diff --git a/policy/modules/contrib/consolekit.te b/policy/modules/contrib/consolekit.te
index 19d4d1b4..d51634ea 100644
--- a/policy/modules/contrib/consolekit.te
+++ b/policy/modules/contrib/consolekit.te
@@ -54,7 +54,8 @@ corecmd_exec_bin(consolekit_t)
corecmd_exec_shell(consolekit_t)
dev_read_urand(consolekit_t)
-dev_read_sysfs(consolekit_t)
+dev_rw_sysfs(consolekit_t)
+dev_setattr_all_chr_files(consolekit_t)
domain_read_all_domains_state(consolekit_t)
domain_use_interactive_fds(consolekit_t)
@@ -105,6 +106,10 @@ tunable_policy(`use_samba_home_dirs',`
')
optional_policy(`
+ cgmanager_stream_connect(consolekit_t)
+')
+
+optional_policy(`
dbus_read_lib_files(consolekit_t)
dbus_system_domain(consolekit_t, consolekit_exec_t)
@@ -126,6 +131,10 @@ optional_policy(`
')
optional_policy(`
+ devicekit_manage_log_files(consolekit_t)
+')
+
+optional_policy(`
hal_ptrace(consolekit_t)
')
@@ -157,28 +166,10 @@ optional_policy(`
optional_policy(`
udev_domtrans(consolekit_t)
udev_read_db(consolekit_t)
+ udev_read_pid_files(consolekit_t)
udev_signal(consolekit_t)
')
optional_policy(`
unconfined_stream_connect(consolekit_t)
')
-
-ifdef(`distro_gentoo',`
- # consolekit needs to be able to chown /dev nodes when logging in
- dev_setattr_all_chr_files(consolekit_t)
-
- optional_policy(`
- udev_read_pid_files(consolekit_t)
- ')
-
- # needs to write to sys for suspend
- dev_rw_sysfs(consolekit_t)
- optional_policy(`
- devicekit_manage_log_files(consolekit_t)
- ')
-
- optional_policy(`
- cgmanager_stream_connect(consolekit_t)
- ')
-')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-05-25 16:43 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-05-25 16:43 UTC (permalink / raw
To: gentoo-commits
commit: 72a11e865ba2ee22f8648e776eb8c8f69a54f26e
Author: Stephen Smalley <sds <AT> tycho <DOT> nsa <DOT> gov>
AuthorDate: Wed May 24 19:41:22 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu May 25 16:31:51 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=72a11e86
contrib: allow map permission where needed
Allow map permission where needed, based on limited testing.
Introduced in the kernel in commit 6941857e82ae ("selinux: add a map
permission check for mmap"). Depends on "refpolicy: Define and
allow map permission" to define the permission.
Signed-off-by: Stephen Smalley <sds <AT> tycho.nsa.gov>
policy/modules/contrib/abrt.te | 2 ++
policy/modules/contrib/gnome.if | 2 +-
policy/modules/contrib/networkmanager.if | 3 +++
policy/modules/contrib/rpm.if | 3 +++
4 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/abrt.te b/policy/modules/contrib/abrt.te
index 9fb4f3ff..6098ee58 100644
--- a/policy/modules/contrib/abrt.te
+++ b/policy/modules/contrib/abrt.te
@@ -397,6 +397,8 @@ domain_use_interactive_fds(abrt_dump_oops_t)
fs_list_inotifyfs(abrt_dump_oops_t)
logging_read_generic_logs(abrt_dump_oops_t)
+logging_mmap_generic_logs(abrt_dump_oops_t)
+logging_mmap_journal(abrt_dump_oops_t)
#######################################
#
diff --git a/policy/modules/contrib/gnome.if b/policy/modules/contrib/gnome.if
index 4fcc6905..edf4d4e6 100644
--- a/policy/modules/contrib/gnome.if
+++ b/policy/modules/contrib/gnome.if
@@ -332,7 +332,7 @@ interface(`gnome_read_generic_home_content',`
userdom_search_user_home_dirs($1)
allow $1 gnome_home_t:dir list_dir_perms;
- allow $1 gnome_home_t:file read_file_perms;
+ allow $1 gnome_home_t:file { read_file_perms map };
allow $1 gnome_home_t:fifo_file read_fifo_file_perms;
allow $1 gnome_home_t:lnk_file read_lnk_file_perms;
allow $1 gnome_home_t:sock_file read_sock_file_perms;
diff --git a/policy/modules/contrib/networkmanager.if b/policy/modules/contrib/networkmanager.if
index e57453fc..371ebfbd 100644
--- a/policy/modules/contrib/networkmanager.if
+++ b/policy/modules/contrib/networkmanager.if
@@ -209,6 +209,7 @@ interface(`networkmanager_manage_lib_files',`
files_search_var_lib($1)
manage_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
+ allow $1 NetworkManager_var_lib_t:file map;
')
########################################
@@ -229,6 +230,7 @@ interface(`networkmanager_read_lib_files',`
files_search_var_lib($1)
list_dirs_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
read_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
+ allow $1 NetworkManager_var_lib_t:file map;
')
########################################
@@ -328,6 +330,7 @@ interface(`networkmanager_admin',`
files_search_var_lib($1)
admin_pattern($1, NetworkManager_var_lib_t)
+ allow $1 NetworkManager_var_lib_t:file map;
files_search_pids($1)
admin_pattern($1, NetworkManager_var_run_t)
diff --git a/policy/modules/contrib/rpm.if b/policy/modules/contrib/rpm.if
index 2344edd5..304e97cb 100644
--- a/policy/modules/contrib/rpm.if
+++ b/policy/modules/contrib/rpm.if
@@ -459,6 +459,7 @@ interface(`rpm_read_db',`
allow $1 rpm_var_lib_t:dir list_dir_perms;
read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
+ allow $1 rpm_var_lib_t:file map;
')
########################################
@@ -499,6 +500,7 @@ interface(`rpm_manage_db',`
files_search_var_lib($1)
manage_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
manage_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
+ allow $1 rpm_var_lib_t:file map;
')
########################################
@@ -520,6 +522,7 @@ interface(`rpm_dontaudit_manage_db',`
dontaudit $1 rpm_var_lib_t:dir rw_dir_perms;
dontaudit $1 rpm_var_lib_t:file manage_file_perms;
dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
+ dontaudit $1 rpm_var_lib_t:file map;
')
#####################################
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-05-25 16:43 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-05-25 16:43 UTC (permalink / raw
To: gentoo-commits
commit: c29621291d0939bab99aaf62180e6f7e1bc3c631
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Wed May 24 12:38:53 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu May 25 16:31:51 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c2962129
cups: let hplip read udev pid files
Refine the cups module with an udev permission to read pid files.
Signed-off-by: Guido Trentalancia <guido at trentalancia.com>
policy/modules/contrib/cups.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te
index 2b81255f..b9abbb2c 100644
--- a/policy/modules/contrib/cups.te
+++ b/policy/modules/contrib/cups.te
@@ -730,6 +730,7 @@ optional_policy(`
optional_policy(`
udev_read_db(hplip_t)
+ udev_read_pid_files(hplip_t)
')
########################################
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-05-25 16:43 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-05-25 16:43 UTC (permalink / raw
To: gentoo-commits
commit: f0e3befaa5cc68eec29e5fb795ca1e9dae67fd54
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Sun May 14 11:54:20 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu May 25 16:31:51 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f0e3befa
contrib: new libmtp module
This is the contrib part of the policy needed to support libmtp (an
Initiator implementation of the Media Transfer Protocol).
This is the second revised version of the patch.
Signed-off-by: Guido Trentalancia <guido at trentalancia.net>
policy/modules/contrib/libmtp.fc | 3 ++
policy/modules/contrib/libmtp.if | 30 ++++++++++++++++++++
policy/modules/contrib/libmtp.te | 59 ++++++++++++++++++++++++++++++++++++++++
3 files changed, 92 insertions(+)
diff --git a/policy/modules/contrib/libmtp.fc b/policy/modules/contrib/libmtp.fc
new file mode 100644
index 00000000..f8b91c24
--- /dev/null
+++ b/policy/modules/contrib/libmtp.fc
@@ -0,0 +1,3 @@
+HOME_DIR/\.mtpz-data -- gen_context(system_u:object_r:libmtp_home_t,s0)
+
+/usr/bin/mtp-.* -- gen_context(system_u:object_r:libmtp_exec_t,s0)
diff --git a/policy/modules/contrib/libmtp.if b/policy/modules/contrib/libmtp.if
new file mode 100644
index 00000000..c010842d
--- /dev/null
+++ b/policy/modules/contrib/libmtp.if
@@ -0,0 +1,30 @@
+## <summary>libmtp: An Initiatior implementation of the Media Transfer Protocol (MTP).</summary>
+
+###########################################################
+## <summary>
+## Role access for libmtp.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`libmtp_role',`
+ gen_require(`
+ attribute_role libmtp_roles;
+ type libmtp_t, libmtp_exec_t;
+ ')
+
+ roleattribute $1 libmtp_roles;
+
+ domtrans_pattern($2, libmtp_exec_t, libmtp_t)
+
+ allow $2 libmtp_t:process { ptrace signal_perms };
+ ps_process_pattern($2, libmtp_t)
+')
diff --git a/policy/modules/contrib/libmtp.te b/policy/modules/contrib/libmtp.te
new file mode 100644
index 00000000..dbc933ab
--- /dev/null
+++ b/policy/modules/contrib/libmtp.te
@@ -0,0 +1,59 @@
+policy_module(libmtp, 1.0.0)
+
+##############################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether libmtp can
+## manage the user home directories
+## and files.
+## </p>
+## </desc>
+gen_tunable(libmtp_enable_home_dirs, false)
+
+attribute_role libmtp_roles;
+
+type libmtp_t;
+type libmtp_exec_t;
+userdom_user_application_domain(libmtp_t, libmtp_exec_t)
+role libmtp_roles types libmtp_t;
+
+type libmtp_home_t;
+userdom_user_home_content(libmtp_home_t)
+
+##############################
+#
+# libmtp local policy
+#
+
+allow libmtp_t self:capability sys_tty_config;
+allow libmtp_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow libmtp_t self:fifo_file rw_fifo_file_perms;
+
+allow libmtp_t libmtp_home_t:file manage_file_perms;
+userdom_user_home_dir_filetrans(libmtp_t, libmtp_home_t, file, ".mtpz-data")
+
+dev_read_sysfs(libmtp_t)
+dev_rw_generic_usb_dev(libmtp_t)
+
+domain_use_interactive_fds(libmtp_t)
+
+files_read_etc_files(libmtp_t)
+
+miscfiles_read_localization(libmtp_t)
+
+term_use_unallocated_ttys(libmtp_t)
+
+userdom_use_inherited_user_terminals(libmtp_t)
+
+tunable_policy(`libmtp_enable_home_dirs',`
+ userdom_manage_user_home_content_files(libmtp_t)
+ userdom_user_home_dir_filetrans_user_home_content(libmtp_t, file )
+')
+
+optional_policy(`
+ udev_read_pid_files(libmtp_t)
+')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-05-25 16:43 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-05-25 16:43 UTC (permalink / raw
To: gentoo-commits
commit: 6306385624d8360760bbf1dd6bda4a4afbf83a47
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed May 24 23:54:39 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu May 25 16:31:51 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=63063856
Module version bump for mmap fixes from Stephen Smalley.
policy/modules/contrib/abrt.te | 2 +-
policy/modules/contrib/gnome.te | 2 +-
policy/modules/contrib/networkmanager.te | 2 +-
policy/modules/contrib/rpm.te | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/policy/modules/contrib/abrt.te b/policy/modules/contrib/abrt.te
index 6098ee58..1d7baa2d 100644
--- a/policy/modules/contrib/abrt.te
+++ b/policy/modules/contrib/abrt.te
@@ -1,4 +1,4 @@
-policy_module(abrt, 1.7.1)
+policy_module(abrt, 1.7.2)
########################################
#
diff --git a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te
index 65109bb9..89a336c4 100644
--- a/policy/modules/contrib/gnome.te
+++ b/policy/modules/contrib/gnome.te
@@ -1,4 +1,4 @@
-policy_module(gnome, 2.7.3)
+policy_module(gnome, 2.7.4)
##############################
#
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index 1614b533..dee77c73 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -1,4 +1,4 @@
-policy_module(networkmanager, 1.20.6)
+policy_module(networkmanager, 1.20.7)
########################################
#
diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te
index 2dcf018c..368a865f 100644
--- a/policy/modules/contrib/rpm.te
+++ b/policy/modules/contrib/rpm.te
@@ -1,4 +1,4 @@
-policy_module(rpm, 1.19.3)
+policy_module(rpm, 1.19.4)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-05-25 16:43 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-05-25 16:43 UTC (permalink / raw
To: gentoo-commits
commit: eac236a86cba23a1d31e6f9e2c1e530736611bbe
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Wed May 24 23:43:56 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu May 25 16:31:51 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=eac236a8
gnome: improved integration with openoffice
Minor update for the Apache OpenOffice(R) module: part 3/3.
This patch introduces minor changes in the gnome module for
smoother integration with Apache OpenOffice(R).
Signed-off-by: Guido Trentalancia <guido at trentalancia.com>
policy/modules/contrib/gnome.te | 7 ++++++-
policy/modules/contrib/openoffice.if | 20 ++++++++++++++++++++
2 files changed, 26 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te
index 1b53cb4f..0377c479 100644
--- a/policy/modules/contrib/gnome.te
+++ b/policy/modules/contrib/gnome.te
@@ -98,7 +98,8 @@ kernel_read_system_state(gconfd_t)
files_read_var_lib_files(gconfd_t)
userdom_manage_user_tmp_dirs(gconfd_t)
-userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
+userdom_manage_user_tmp_sockets(gconfd_t)
+userdom_tmp_filetrans_user_tmp(gconfd_t, { dir sock_file })
userdom_user_runtime_filetrans_user_tmp(gconfd_t, dir)
optional_policy(`
@@ -111,6 +112,10 @@ optional_policy(`
nscd_dontaudit_search_pid(gconfd_t)
')
+optional_policy(`
+ ooffice_stream_connect(gconfd_t)
+')
+
##############################
#
# Keyring-daemon local policy
diff --git a/policy/modules/contrib/openoffice.if b/policy/modules/contrib/openoffice.if
index 4cb669c8..5580aaf7 100644
--- a/policy/modules/contrib/openoffice.if
+++ b/policy/modules/contrib/openoffice.if
@@ -112,3 +112,23 @@ interface(`ooffice_dbus_chat',`
allow $1 ooffice_t:dbus send_msg;
allow ooffice_t $1:dbus send_msg;
')
+
+########################################
+## <summary>
+## Connect to openoffice using a
+## unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ooffice_stream_connect',`
+ gen_require(`
+ type ooffice_t, ooffice_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ stream_connect_pattern($1, ooffice_tmp_t, ooffice_tmp_t, ooffice_t)
+')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-05-25 16:43 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-05-25 16:43 UTC (permalink / raw
To: gentoo-commits
commit: 8d68ce2a990a182593b6a532b682a08f65da9b4f
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Tue May 23 00:20:06 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu May 25 16:31:51 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8d68ce2a
libmtp: move lines
policy/modules/contrib/libmtp.te | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/policy/modules/contrib/libmtp.te b/policy/modules/contrib/libmtp.te
index dbc933ab..64c851e3 100644
--- a/policy/modules/contrib/libmtp.te
+++ b/policy/modules/contrib/libmtp.te
@@ -43,17 +43,17 @@ domain_use_interactive_fds(libmtp_t)
files_read_etc_files(libmtp_t)
-miscfiles_read_localization(libmtp_t)
-
term_use_unallocated_ttys(libmtp_t)
+miscfiles_read_localization(libmtp_t)
+
userdom_use_inherited_user_terminals(libmtp_t)
+optional_policy(`
+ udev_read_pid_files(libmtp_t)
+')
+
tunable_policy(`libmtp_enable_home_dirs',`
userdom_manage_user_home_content_files(libmtp_t)
userdom_user_home_dir_filetrans_user_home_content(libmtp_t, file )
')
-
-optional_policy(`
- udev_read_pid_files(libmtp_t)
-')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-05-25 16:43 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-05-25 16:43 UTC (permalink / raw
To: gentoo-commits
commit: b078d93ff039f8ee2be0cd61b3c3f2fb35abbcc4
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed May 24 23:51:03 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu May 25 16:31:51 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b078d93f
Module version bump for fixes from Guido Trentalancia.
policy/modules/contrib/cups.te | 2 +-
policy/modules/contrib/gnome.te | 2 +-
policy/modules/contrib/openoffice.te | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te
index b9abbb2c..b57f58c1 100644
--- a/policy/modules/contrib/cups.te
+++ b/policy/modules/contrib/cups.te
@@ -1,4 +1,4 @@
-policy_module(cups, 1.21.5)
+policy_module(cups, 1.21.6)
########################################
#
diff --git a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te
index 0377c479..65109bb9 100644
--- a/policy/modules/contrib/gnome.te
+++ b/policy/modules/contrib/gnome.te
@@ -1,4 +1,4 @@
-policy_module(gnome, 2.7.2)
+policy_module(gnome, 2.7.3)
##############################
#
diff --git a/policy/modules/contrib/openoffice.te b/policy/modules/contrib/openoffice.te
index 01244b94..7f250ca4 100644
--- a/policy/modules/contrib/openoffice.te
+++ b/policy/modules/contrib/openoffice.te
@@ -1,4 +1,4 @@
-policy_module(openoffice, 1.1.2)
+policy_module(openoffice, 1.1.3)
##############################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-05-25 16:43 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-05-25 16:43 UTC (permalink / raw
To: gentoo-commits
commit: 510589e13d0ae9fa2672673524eab27f833cce1c
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Wed May 24 00:59:44 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu May 25 16:31:51 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=510589e1
openoffice: minor update
Minor update for the Apache OpenOffice(R) module: part 2/3.
This patch introduces a few minor changes to the Apache
OpenOffice(R) module, including fixes for smoother integration
with gnome.
It does no longer require the userdomain interface that was
previously introduced with part 1/3 (now dropped) because
it now uses an OpenOffice interface (thanks to Christopher
PeBenito for suggesting this improvement).
This is the third version (v3).
Signed-off-by: Guido Trentalancia <guido at trentalancia.com>
policy/modules/contrib/openoffice.if | 26 ++++++++++++++++++++++++++
policy/modules/contrib/openoffice.te | 15 +++++++++++++++
2 files changed, 41 insertions(+)
diff --git a/policy/modules/contrib/openoffice.if b/policy/modules/contrib/openoffice.if
index 19f62381..4cb669c8 100644
--- a/policy/modules/contrib/openoffice.if
+++ b/policy/modules/contrib/openoffice.if
@@ -29,6 +29,10 @@ interface(`ooffice_role',`
allow $2 ooffice_t:process { ptrace signal_perms };
ps_process_pattern($2, ooffice_t)
+
+ optional_policy(`
+ ooffice_dbus_chat($2)
+ ')
')
########################################
@@ -86,3 +90,25 @@ interface(`ooffice_rw_tmp_files',`
rw_files_pattern($1, ooffice_tmp_t, ooffice_tmp_t)
')
+
+#######################################
+## <summary>
+## Send and receive dbus messages
+## from and to the openoffice
+## domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ooffice_dbus_chat',`
+ gen_require(`
+ type ooffice_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 ooffice_t:dbus send_msg;
+ allow ooffice_t $1:dbus send_msg;
+')
diff --git a/policy/modules/contrib/openoffice.te b/policy/modules/contrib/openoffice.te
index fe241429..01244b94 100644
--- a/policy/modules/contrib/openoffice.te
+++ b/policy/modules/contrib/openoffice.te
@@ -66,12 +66,16 @@ files_tmp_filetrans(ooffice_t, ooffice_tmp_t, { dir file sock_file })
can_exec(ooffice_t, ooffice_exec_t)
+kernel_dontaudit_read_system_state(ooffice_t)
+
corecmd_exec_bin(ooffice_t)
corecmd_exec_shell(ooffice_t)
dev_read_sysfs(ooffice_t)
dev_read_urand(ooffice_t)
+domain_use_interactive_fds(ooffice_t)
+
files_getattr_all_dirs(ooffice_t)
files_getattr_all_files(ooffice_t)
files_getattr_all_symlinks(ooffice_t)
@@ -88,12 +92,18 @@ ooffice_dontaudit_exec_tmp_files(ooffice_t)
sysnet_dns_name_resolve(ooffice_t)
userdom_dontaudit_exec_user_home_content_files(ooffice_t)
+userdom_dontaudit_manage_user_tmp_dirs(ooffice_t)
+
userdom_read_user_tmp_files(ooffice_t)
userdom_manage_user_home_content_dirs(ooffice_t)
userdom_manage_user_home_content_files(ooffice_t)
userdom_manage_user_home_content_symlinks(ooffice_t)
userdom_user_home_dir_filetrans_user_home_content(ooffice_t, { dir file lnk_file fifo_file sock_file })
+userdom_manage_user_tmp_sockets(ooffice_t)
+
+userdom_use_inherited_user_terminals(ooffice_t)
+
tunable_policy(`openoffice_allow_update',`
corenet_tcp_connect_http_port(ooffice_t)
')
@@ -119,6 +129,11 @@ optional_policy(`
')
optional_policy(`
+ gnome_dbus_chat_gconfd(ooffice_t)
+ gnome_stream_connect_gconf(ooffice_t)
+')
+
+optional_policy(`
hostname_exec(ooffice_t)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-05-18 17:03 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2017-05-18 17:03 UTC (permalink / raw
To: gentoo-commits
commit: 39f8b214d04e1176c9511873dcbbbc1207872608
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Thu May 11 23:53:36 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu May 18 17:01:55 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=39f8b214
Module version bump for chronyd changes from Luis Ressel.
policy/modules/contrib/chronyd.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/chronyd.te b/policy/modules/contrib/chronyd.te
index 62ddd0bf..d1763c87 100644
--- a/policy/modules/contrib/chronyd.te
+++ b/policy/modules/contrib/chronyd.te
@@ -1,4 +1,4 @@
-policy_module(chronyd, 1.4.1)
+policy_module(chronyd, 1.4.2)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-05-18 17:03 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2017-05-18 17:03 UTC (permalink / raw
To: gentoo-commits
commit: d79fb64e176175d6ee37237aa03b3b00d9d6fb89
Author: Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Mon May 8 18:24:29 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu May 18 17:01:51 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d79fb64e
chronyd: Re-align fc file
policy/modules/contrib/chronyd.fc | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/policy/modules/contrib/chronyd.fc b/policy/modules/contrib/chronyd.fc
index 66f001b8..94b601fd 100644
--- a/policy/modules/contrib/chronyd.fc
+++ b/policy/modules/contrib/chronyd.fc
@@ -1,22 +1,22 @@
-/etc/chrony\.keys -- gen_context(system_u:object_r:chronyd_keys_t,s0)
+/etc/chrony\.keys -- gen_context(system_u:object_r:chronyd_keys_t,s0)
-/etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0)
-/usr/bin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0)
+/usr/bin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0)
# Systend unit files
/usr/lib/systemd/system/[^/]*chrony-wait.* -- gen_context(system_u:object_r:chronyd_unit_t,s0)
/usr/lib/systemd/system/[^/]*chronyd.* -- gen_context(system_u:object_r:chronyd_unit_t,s0)
-/usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0)
+/usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0)
-/var/lib/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_lib_t,s0)
+/var/lib/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_lib_t,s0)
-/var/log/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_log_t,s0)
+/var/log/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_log_t,s0)
-/run/chronyd(/.*) gen_context(system_u:object_r:chronyd_var_run_t,s0)
-/run/chronyd\.pid -- gen_context(system_u:object_r:chronyd_var_run_t,s0)
-/run/chronyd\.sock -s gen_context(system_u:object_r:chronyd_var_run_t,s0)
+/run/chronyd(/.*) gen_context(system_u:object_r:chronyd_var_run_t,s0)
+/run/chronyd\.pid -- gen_context(system_u:object_r:chronyd_var_run_t,s0)
+/run/chronyd\.sock -s gen_context(system_u:object_r:chronyd_var_run_t,s0)
ifdef(`distro_gentoo',`
/etc/chrony/chrony\.keys -- gen_context(system_u:object_r:chronyd_keys_t,s0)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-05-18 17:03 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2017-05-18 17:03 UTC (permalink / raw
To: gentoo-commits
commit: 5164572d4f1c9c12bcad411349ee23f196dcc524
Author: Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Mon May 8 18:24:30 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu May 18 17:01:53 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5164572d
chronyd: Allow init scripts to create /run/chrony
Remark: So far, chronyd.fc only contains /run/chronyd, but chrony's
default location is actually /run/chrony, so I've added that to the fc.
This commit also fixes a bug in the fc: It said (/.*) instead of (/.*)?
policy/modules/contrib/chronyd.fc | 2 +-
policy/modules/contrib/chronyd.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/chronyd.fc b/policy/modules/contrib/chronyd.fc
index 94b601fd..ca2747e7 100644
--- a/policy/modules/contrib/chronyd.fc
+++ b/policy/modules/contrib/chronyd.fc
@@ -14,7 +14,7 @@
/var/log/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_log_t,s0)
-/run/chronyd(/.*) gen_context(system_u:object_r:chronyd_var_run_t,s0)
+/run/chronyd?(/.*)? gen_context(system_u:object_r:chronyd_var_run_t,s0)
/run/chronyd\.pid -- gen_context(system_u:object_r:chronyd_var_run_t,s0)
/run/chronyd\.sock -s gen_context(system_u:object_r:chronyd_var_run_t,s0)
diff --git a/policy/modules/contrib/chronyd.te b/policy/modules/contrib/chronyd.te
index 3e9a1c5b..62ddd0bf 100644
--- a/policy/modules/contrib/chronyd.te
+++ b/policy/modules/contrib/chronyd.te
@@ -28,7 +28,7 @@ type chronyd_var_log_t;
logging_log_file(chronyd_var_log_t)
type chronyd_var_run_t;
-files_pid_file(chronyd_var_run_t)
+init_daemon_pid_file(chronyd_var_run_t, dir, "chrony")
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-05-18 17:03 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2017-05-18 17:03 UTC (permalink / raw
To: gentoo-commits
commit: a02b60e38aeebbef9175e93856bf455eef0a7ebc
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Sat May 13 15:55:57 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu May 18 17:01:56 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a02b60e3
openoffice: open files retrieved using mozilla
Let openoffice open files retrieved from the network using mozilla.
Signed-off-by: Guido Trentalancia <guido at trentalancia.net>
policy/modules/contrib/mozilla.if | 18 ++++++++++++++++++
policy/modules/contrib/openoffice.te | 1 +
2 files changed, 19 insertions(+)
diff --git a/policy/modules/contrib/mozilla.if b/policy/modules/contrib/mozilla.if
index ffda45d3..70390632 100644
--- a/policy/modules/contrib/mozilla.if
+++ b/policy/modules/contrib/mozilla.if
@@ -309,6 +309,24 @@ interface(`mozilla_execmod_user_plugin_home_files',`
allow $1 mozilla_plugin_home_t:file execmod;
')
+#######################################
+## <summary>
+## Read temporary mozilla files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mozilla_read_tmp_files',`
+ gen_require(`
+ type mozilla_tmp_t;
+ ')
+
+ read_files_pattern($1, mozilla_tmp_t, mozilla_tmp_t)
+')
+
########################################
## <summary>
## Run mozilla in the mozilla domain.
diff --git a/policy/modules/contrib/openoffice.te b/policy/modules/contrib/openoffice.te
index 0be66b6f..40e3d97f 100644
--- a/policy/modules/contrib/openoffice.te
+++ b/policy/modules/contrib/openoffice.te
@@ -128,6 +128,7 @@ optional_policy(`
optional_policy(`
mozilla_domtrans(ooffice_t)
+ mozilla_read_tmp_files(ooffice_t)
')
optional_policy(`
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2017-05-18 17:02 Sven Vermeulen
2017-05-18 17:03 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
0 siblings, 1 reply; 1958+ messages in thread
From: Sven Vermeulen @ 2017-05-18 17:02 UTC (permalink / raw
To: gentoo-commits
commit: 343c6e0f96645d89fd64ec5f6434dc792a887b02
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Mon May 15 22:27:04 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu May 18 17:01:59 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=343c6e0f
openoffice: Move ooffice_rw_tmp_files() implementation.
policy/modules/contrib/openoffice.if | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/policy/modules/contrib/openoffice.if b/policy/modules/contrib/openoffice.if
index 5a579e08..19f62381 100644
--- a/policy/modules/contrib/openoffice.if
+++ b/policy/modules/contrib/openoffice.if
@@ -51,38 +51,38 @@ interface(`ooffice_domtrans',`
########################################
## <summary>
-## Read and write temporary
-## openoffice files.
+## Do not audit attempts to execute
+## files in temporary directories.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain to not audit.
## </summary>
## </param>
#
-interface(`ooffice_rw_tmp_files',`
+interface(`ooffice_dontaudit_exec_tmp_files',`
gen_require(`
type ooffice_tmp_t;
')
- rw_files_pattern($1, ooffice_tmp_t, ooffice_tmp_t)
+ dontaudit $1 ooffice_tmp_t:file exec_file_perms;
')
########################################
## <summary>
-## Do not audit attempts to execute
-## files in temporary directories.
+## Read and write temporary
+## openoffice files.
## </summary>
## <param name="domain">
## <summary>
-## Domain to not audit.
+## Domain allowed access.
## </summary>
## </param>
#
-interface(`ooffice_dontaudit_exec_tmp_files',`
+interface(`ooffice_rw_tmp_files',`
gen_require(`
type ooffice_tmp_t;
')
- dontaudit $1 ooffice_tmp_t:file exec_file_perms;
+ rw_files_pattern($1, ooffice_tmp_t, ooffice_tmp_t)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2017-05-18 17:02 [gentoo-commits] proj/hardened-refpolicy:swift " Sven Vermeulen
@ 2017-05-18 17:03 ` Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2017-05-18 17:03 UTC (permalink / raw
To: gentoo-commits
commit: 343c6e0f96645d89fd64ec5f6434dc792a887b02
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Mon May 15 22:27:04 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu May 18 17:01:59 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=343c6e0f
openoffice: Move ooffice_rw_tmp_files() implementation.
policy/modules/contrib/openoffice.if | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/policy/modules/contrib/openoffice.if b/policy/modules/contrib/openoffice.if
index 5a579e08..19f62381 100644
--- a/policy/modules/contrib/openoffice.if
+++ b/policy/modules/contrib/openoffice.if
@@ -51,38 +51,38 @@ interface(`ooffice_domtrans',`
########################################
## <summary>
-## Read and write temporary
-## openoffice files.
+## Do not audit attempts to execute
+## files in temporary directories.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain to not audit.
## </summary>
## </param>
#
-interface(`ooffice_rw_tmp_files',`
+interface(`ooffice_dontaudit_exec_tmp_files',`
gen_require(`
type ooffice_tmp_t;
')
- rw_files_pattern($1, ooffice_tmp_t, ooffice_tmp_t)
+ dontaudit $1 ooffice_tmp_t:file exec_file_perms;
')
########################################
## <summary>
-## Do not audit attempts to execute
-## files in temporary directories.
+## Read and write temporary
+## openoffice files.
## </summary>
## <param name="domain">
## <summary>
-## Domain to not audit.
+## Domain allowed access.
## </summary>
## </param>
#
-interface(`ooffice_dontaudit_exec_tmp_files',`
+interface(`ooffice_rw_tmp_files',`
gen_require(`
type ooffice_tmp_t;
')
- dontaudit $1 ooffice_tmp_t:file exec_file_perms;
+ rw_files_pattern($1, ooffice_tmp_t, ooffice_tmp_t)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2017-05-18 17:02 Sven Vermeulen
2017-05-18 17:03 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
0 siblings, 1 reply; 1958+ messages in thread
From: Sven Vermeulen @ 2017-05-18 17:02 UTC (permalink / raw
To: gentoo-commits
commit: 071fdd0538b320a9a5ab69032836cf5d4702db67
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Mon May 15 22:27:27 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu May 18 17:02:01 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=071fdd05
Module version bump for openoffice fix from Guido Trentalancia.
policy/modules/contrib/mozilla.te | 2 +-
policy/modules/contrib/openoffice.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
index c595af2f..24a36b4e 100644
--- a/policy/modules/contrib/mozilla.te
+++ b/policy/modules/contrib/mozilla.te
@@ -1,4 +1,4 @@
-policy_module(mozilla, 2.11.2)
+policy_module(mozilla, 2.11.3)
########################################
#
diff --git a/policy/modules/contrib/openoffice.te b/policy/modules/contrib/openoffice.te
index 40e3d97f..fe241429 100644
--- a/policy/modules/contrib/openoffice.te
+++ b/policy/modules/contrib/openoffice.te
@@ -1,4 +1,4 @@
-policy_module(openoffice, 1.1.1)
+policy_module(openoffice, 1.1.2)
##############################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2017-05-18 17:02 [gentoo-commits] proj/hardened-refpolicy:swift " Sven Vermeulen
@ 2017-05-18 17:03 ` Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2017-05-18 17:03 UTC (permalink / raw
To: gentoo-commits
commit: 071fdd0538b320a9a5ab69032836cf5d4702db67
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Mon May 15 22:27:27 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu May 18 17:02:01 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=071fdd05
Module version bump for openoffice fix from Guido Trentalancia.
policy/modules/contrib/mozilla.te | 2 +-
policy/modules/contrib/openoffice.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
index c595af2f..24a36b4e 100644
--- a/policy/modules/contrib/mozilla.te
+++ b/policy/modules/contrib/mozilla.te
@@ -1,4 +1,4 @@
-policy_module(mozilla, 2.11.2)
+policy_module(mozilla, 2.11.3)
########################################
#
diff --git a/policy/modules/contrib/openoffice.te b/policy/modules/contrib/openoffice.te
index 40e3d97f..fe241429 100644
--- a/policy/modules/contrib/openoffice.te
+++ b/policy/modules/contrib/openoffice.te
@@ -1,4 +1,4 @@
-policy_module(openoffice, 1.1.1)
+policy_module(openoffice, 1.1.2)
##############################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-05-07 17:47 Jason Zaman
2017-05-07 17:41 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2017-05-07 17:47 UTC (permalink / raw
To: gentoo-commits
commit: 83244b1264056d64fe3c979671a68ec3a80cd7dd
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun May 7 03:39:18 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun May 7 17:40:29 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=83244b12
chromium: allow cap_userns for the sandbox
https://patchwork.kernel.org/patch/8785151/
policy/modules/contrib/chromium.te | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/chromium.te b/policy/modules/contrib/chromium.te
index cd1e1116..a4fba97c 100644
--- a/policy/modules/contrib/chromium.te
+++ b/policy/modules/contrib/chromium.te
@@ -89,10 +89,12 @@ xdg_cache_home_content(chromium_xdg_cache_t)
#
# execmem for load in plugins
-allow chromium_t self:process { execmem getsched setcap setrlimit setsched sigkill signal };
-allow chromium_t self:fifo_file rw_fifo_file_perms;;
+allow chromium_t self:process { execmem getsched getcap setcap setrlimit setsched sigkill signal };
+allow chromium_t self:fifo_file rw_fifo_file_perms;
allow chromium_t self:sem create_sem_perms;
allow chromium_t self:netlink_kobject_uevent_socket client_stream_socket_perms;
+# cap_userns sys_admin for the sandbox
+allow chromium_t self:cap_userns { sys_admin sys_chroot sys_ptrace };
allow chromium_t chromium_exec_t:file execute_no_trans;
@@ -135,6 +137,7 @@ domtrans_pattern(chromium_t, chromium_sandbox_exec_t, chromium_sandbox_t)
domtrans_pattern(chromium_t, chromium_naclhelper_exec_t, chromium_naclhelper_t)
kernel_list_proc(chromium_t)
+kernel_read_net_sysctls(chromium_t)
corecmd_exec_bin(chromium_t)
# Look for /etc/gentoo-release through a shell invocation running find
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2017-05-07 17:47 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
@ 2017-05-07 17:41 ` Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-05-07 17:41 UTC (permalink / raw
To: gentoo-commits
commit: 83244b1264056d64fe3c979671a68ec3a80cd7dd
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun May 7 03:39:18 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun May 7 17:40:29 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=83244b12
chromium: allow cap_userns for the sandbox
https://patchwork.kernel.org/patch/8785151/
policy/modules/contrib/chromium.te | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/chromium.te b/policy/modules/contrib/chromium.te
index cd1e1116..a4fba97c 100644
--- a/policy/modules/contrib/chromium.te
+++ b/policy/modules/contrib/chromium.te
@@ -89,10 +89,12 @@ xdg_cache_home_content(chromium_xdg_cache_t)
#
# execmem for load in plugins
-allow chromium_t self:process { execmem getsched setcap setrlimit setsched sigkill signal };
-allow chromium_t self:fifo_file rw_fifo_file_perms;;
+allow chromium_t self:process { execmem getsched getcap setcap setrlimit setsched sigkill signal };
+allow chromium_t self:fifo_file rw_fifo_file_perms;
allow chromium_t self:sem create_sem_perms;
allow chromium_t self:netlink_kobject_uevent_socket client_stream_socket_perms;
+# cap_userns sys_admin for the sandbox
+allow chromium_t self:cap_userns { sys_admin sys_chroot sys_ptrace };
allow chromium_t chromium_exec_t:file execute_no_trans;
@@ -135,6 +137,7 @@ domtrans_pattern(chromium_t, chromium_sandbox_exec_t, chromium_sandbox_t)
domtrans_pattern(chromium_t, chromium_naclhelper_exec_t, chromium_naclhelper_t)
kernel_list_proc(chromium_t)
+kernel_read_net_sysctls(chromium_t)
corecmd_exec_bin(chromium_t)
# Look for /etc/gentoo-release through a shell invocation running find
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-05-07 17:47 Jason Zaman
2017-05-07 16:09 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2017-05-07 17:47 UTC (permalink / raw
To: gentoo-commits
commit: 90bc58d30413ce90fc5f6b86da4114f539d374f0
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Sat Apr 29 18:18:15 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun May 7 15:54:42 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=90bc58d3
shutdown: send msg to syslog
Update the shutdown module so that it can send messages to
syslog.
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/shutdown.te | 3 +++
1 file changed, 3 insertions(+)
diff --git a/policy/modules/contrib/shutdown.te b/policy/modules/contrib/shutdown.te
index 6a0b126e..4a2b3510 100644
--- a/policy/modules/contrib/shutdown.te
+++ b/policy/modules/contrib/shutdown.te
@@ -42,6 +42,8 @@ domain_use_interactive_fds(shutdown_t)
files_delete_boot_flag(shutdown_t)
files_read_generic_pids(shutdown_t)
+fs_getattr_xattr_fs(shutdown_t)
+
mls_file_write_to_clearance(shutdown_t)
term_use_all_terms(shutdown_t)
@@ -55,6 +57,7 @@ init_telinit(shutdown_t)
logging_search_logs(shutdown_t)
logging_send_audit_msgs(shutdown_t)
+logging_send_syslog_msg(shutdown_t)
miscfiles_read_localization(shutdown_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2017-05-07 17:47 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
@ 2017-05-07 16:09 ` Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-05-07 16:09 UTC (permalink / raw
To: gentoo-commits
commit: 90bc58d30413ce90fc5f6b86da4114f539d374f0
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Sat Apr 29 18:18:15 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun May 7 15:54:42 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=90bc58d3
shutdown: send msg to syslog
Update the shutdown module so that it can send messages to
syslog.
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/shutdown.te | 3 +++
1 file changed, 3 insertions(+)
diff --git a/policy/modules/contrib/shutdown.te b/policy/modules/contrib/shutdown.te
index 6a0b126e..4a2b3510 100644
--- a/policy/modules/contrib/shutdown.te
+++ b/policy/modules/contrib/shutdown.te
@@ -42,6 +42,8 @@ domain_use_interactive_fds(shutdown_t)
files_delete_boot_flag(shutdown_t)
files_read_generic_pids(shutdown_t)
+fs_getattr_xattr_fs(shutdown_t)
+
mls_file_write_to_clearance(shutdown_t)
term_use_all_terms(shutdown_t)
@@ -55,6 +57,7 @@ init_telinit(shutdown_t)
logging_search_logs(shutdown_t)
logging_send_audit_msgs(shutdown_t)
+logging_send_syslog_msg(shutdown_t)
miscfiles_read_localization(shutdown_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-05-07 17:47 Jason Zaman
2017-05-07 16:09 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2017-05-07 17:47 UTC (permalink / raw
To: gentoo-commits
commit: 2461473627beea7a5e372c1b3f244c5e30f3438b
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Sat Apr 29 18:18:02 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun May 7 15:54:42 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=24614736
plymouth: pid interface usability
Improve the usability of one plymouth interface.
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/plymouthd.if | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/plymouthd.if b/policy/modules/contrib/plymouthd.if
index 30e751f1..54cd777a 100644
--- a/policy/modules/contrib/plymouthd.if
+++ b/policy/modules/contrib/plymouthd.if
@@ -228,6 +228,7 @@ interface(`plymouthd_read_pid_files',`
')
files_search_pids($1)
+ allow $1 plymouthd_var_run_t:dir search_dir_perms;
allow $1 plymouthd_var_run_t:file read_file_perms;
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-05-07 17:41 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-05-07 17:41 UTC (permalink / raw
To: gentoo-commits
commit: 6bc27759a132a8acc69946da46bb4aefce6bbaeb
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun May 7 03:11:50 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun May 7 17:40:29 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6bc27759
consolekit: allow run fifo_files
audit: type=1400 audit(1494126304.815:19): avc: denied { create } for pid=5335 comm="console-kit-dae" name="inhibit.IWBEZY.pipe" scontext=system_u:system_r:consolekit_t:s0 tcontext=system_u:object_r:consolekit_var_run_t:s0 tclass=fifo_file permissive=0
policy/modules/contrib/consolekit.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/consolekit.te b/policy/modules/contrib/consolekit.te
index 06451dff..19d4d1b4 100644
--- a/policy/modules/contrib/consolekit.te
+++ b/policy/modules/contrib/consolekit.te
@@ -40,6 +40,7 @@ logging_log_filetrans(consolekit_t, consolekit_log_t, file)
manage_dirs_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
manage_files_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
+manage_fifo_files_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
files_pid_filetrans(consolekit_t, consolekit_var_run_t, { dir file })
kernel_read_system_state(consolekit_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-05-07 16:09 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-05-07 16:09 UTC (permalink / raw
To: gentoo-commits
commit: 7342da73bcae2a72c74f015e1cbf4e6064ff1eee
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Sat Apr 29 18:17:21 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun May 7 15:54:42 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7342da73
java: error messages terminal printout
Minor fixes for the java module (print error messages to the terminal).
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/java.te | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te
index c4aaa66b..96494b16 100644
--- a/policy/modules/contrib/java.te
+++ b/policy/modules/contrib/java.te
@@ -167,10 +167,12 @@ ifdef(`distro_gentoo',`
corecmd_search_bin(java_t)
+dev_read_sysfs(java_t)
+
locallogin_use_fds(java_t)
userdom_read_user_tmp_files(java_t)
-userdom_use_user_ttys(java_t)
+userdom_use_user_terminals(java_t)
optional_policy(`
xserver_user_x_domain_template(java, java_t, java_tmpfs_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-05-07 16:09 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-05-07 16:09 UTC (permalink / raw
To: gentoo-commits
commit: 17df41e7dfd69017344a22a0033cc2c75da1b9bf
Author: Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org>
AuthorDate: Sat Apr 15 18:52:04 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun May 7 16:02:02 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=17df41e7
Support systems with a single /usr/bin directory
Create /usr/bin/... file context definitions for all /usr/sbin/... ones.
This implements https://github.com/TresysTechnology/refpolicy/pull/116
for contrib modules.
policy/modules/contrib/abrt.fc | 3 +++
policy/modules/contrib/acct.fc | 2 ++
policy/modules/contrib/acpi.fc | 3 +++
policy/modules/contrib/afs.fc | 3 +++
policy/modules/contrib/aiccu.fc | 2 ++
policy/modules/contrib/aisexec.fc | 2 ++
policy/modules/contrib/alsa.fc | 2 ++
policy/modules/contrib/amanda.fc | 3 +++
policy/modules/contrib/amavis.fc | 2 ++
policy/modules/contrib/apache.fc | 12 ++++++++++++
policy/modules/contrib/apcupsd.fc | 2 ++
policy/modules/contrib/arpwatch.fc | 2 ++
policy/modules/contrib/asterisk.fc | 2 ++
policy/modules/contrib/automount.fc | 2 ++
policy/modules/contrib/avahi.fc | 4 ++++
policy/modules/contrib/bacula.fc | 4 ++++
policy/modules/contrib/bcfg2.fc | 2 ++
policy/modules/contrib/bind.fc | 6 ++++++
policy/modules/contrib/bird.fc | 2 ++
policy/modules/contrib/bitlbee.fc | 1 +
policy/modules/contrib/bluetooth.fc | 5 +++++
policy/modules/contrib/brctl.fc | 2 ++
policy/modules/contrib/cachefilesd.fc | 2 ++
policy/modules/contrib/callweaver.fc | 2 ++
policy/modules/contrib/canna.fc | 4 +++-
policy/modules/contrib/ccs.fc | 2 ++
policy/modules/contrib/certmonger.fc | 2 ++
policy/modules/contrib/cfengine.fc | 4 ++++
policy/modules/contrib/cgroup.fc | 4 ++++
policy/modules/contrib/chronyd.fc | 3 ++-
policy/modules/contrib/cipe.fc | 2 ++
policy/modules/contrib/clamav.fc | 2 ++
policy/modules/contrib/clogd.fc | 2 ++
policy/modules/contrib/cmirrord.fc | 2 ++
policy/modules/contrib/collectd.fc | 2 ++
policy/modules/contrib/comsat.fc | 2 ++
policy/modules/contrib/condor.fc | 8 ++++++++
policy/modules/contrib/consolekit.fc | 2 ++
policy/modules/contrib/corosync.fc | 3 +++
policy/modules/contrib/courier.fc | 9 ++++++++-
policy/modules/contrib/cpucontrol.fc | 5 +++++
policy/modules/contrib/cron.fc | 7 ++++++-
policy/modules/contrib/ctdb.fc | 2 ++
policy/modules/contrib/cups.fc | 9 +++++++++
policy/modules/contrib/dante.fc | 3 +++
policy/modules/contrib/dbskk.fc | 2 ++
policy/modules/contrib/dcc.fc | 6 +++++-
policy/modules/contrib/ddclient.fc | 3 +++
policy/modules/contrib/ddcprobe.fc | 2 ++
policy/modules/contrib/dhcp.fc | 2 ++
policy/modules/contrib/dictd.fc | 2 ++
policy/modules/contrib/dkim.fc | 3 +++
policy/modules/contrib/dmidecode.fc | 5 +++++
policy/modules/contrib/dnsmasq.fc | 2 ++
policy/modules/contrib/dnssectrigger.fc | 2 ++
policy/modules/contrib/dovecot.fc | 2 ++
policy/modules/contrib/dphysswapfile.fc | 2 ++
policy/modules/contrib/dpkg.fc | 2 ++
policy/modules/contrib/drbd.fc | 3 +++
policy/modules/contrib/entropyd.fc | 3 +++
policy/modules/contrib/exim.fc | 3 +++
policy/modules/contrib/fakehwclock.fc | 2 ++
policy/modules/contrib/fcoe.fc | 2 ++
policy/modules/contrib/finger.fc | 3 +++
policy/modules/contrib/firewalld.fc | 2 ++
policy/modules/contrib/firstboot.fc | 2 ++
policy/modules/contrib/ftp.fc | 5 +++++
policy/modules/contrib/gatekeeper.fc | 3 +++
policy/modules/contrib/glusterfs.fc | 3 +++
policy/modules/contrib/gpm.fc | 2 ++
policy/modules/contrib/gpsd.fc | 2 ++
policy/modules/contrib/hal.fc | 2 ++
policy/modules/contrib/hddtemp.fc | 2 ++
policy/modules/contrib/hwloc.fc | 4 +++-
policy/modules/contrib/hypervkvp.fc | 2 ++
policy/modules/contrib/i18n_input.fc | 2 ++
policy/modules/contrib/ifplugd.fc | 2 ++
policy/modules/contrib/inetd.fc | 6 ++++++
policy/modules/contrib/inn.fc | 10 ++++++----
policy/modules/contrib/iodine.fc | 2 ++
policy/modules/contrib/ircd.fc | 2 ++
policy/modules/contrib/irqbalance.fc | 2 ++
policy/modules/contrib/iscsi.fc | 4 ++++
policy/modules/contrib/isns.fc | 2 ++
policy/modules/contrib/jabber.fc | 11 +++++++----
policy/modules/contrib/kdump.fc | 2 ++
policy/modules/contrib/kerberos.fc | 3 +++
policy/modules/contrib/kerneloops.fc | 2 ++
policy/modules/contrib/ksmtuned.fc | 2 ++
policy/modules/contrib/ktalk.fc | 4 +++-
policy/modules/contrib/kudzu.fc | 5 ++++-
policy/modules/contrib/l2tp.fc | 2 ++
policy/modules/contrib/ldap.fc | 2 ++
policy/modules/contrib/likewise.fc | 9 +++++++++
policy/modules/contrib/lircd.fc | 2 ++
policy/modules/contrib/lldpad.fc | 2 ++
policy/modules/contrib/lockdev.fc | 2 ++
policy/modules/contrib/logrotate.fc | 2 ++
policy/modules/contrib/logwatch.fc | 4 ++++
policy/modules/contrib/lpd.fc | 19 +++++++++++++------
policy/modules/contrib/mailscanner.fc | 2 ++
policy/modules/contrib/mcelog.fc | 2 ++
policy/modules/contrib/milter.fc | 5 +++++
policy/modules/contrib/minidlna.fc | 2 ++
policy/modules/contrib/minissdpd.fc | 2 ++
policy/modules/contrib/modemmanager.fc | 3 +++
policy/modules/contrib/mon.fc | 2 ++
policy/modules/contrib/monop.fc | 2 ++
policy/modules/contrib/mta.fc | 4 ++++
policy/modules/contrib/mysql.fc | 3 +++
policy/modules/contrib/nessus.fc | 2 ++
policy/modules/contrib/networkmanager.fc | 9 ++++++---
policy/modules/contrib/nis.fc | 5 +++++
policy/modules/contrib/nscd.fc | 2 ++
policy/modules/contrib/nsd.fc | 5 +++++
policy/modules/contrib/nslcd.fc | 2 ++
policy/modules/contrib/ntop.fc | 2 ++
policy/modules/contrib/ntp.fc | 4 ++++
policy/modules/contrib/nut.fc | 4 ++++
policy/modules/contrib/oav.fc | 3 +++
policy/modules/contrib/oddjob.fc | 3 +++
policy/modules/contrib/oident.fc | 2 ++
policy/modules/contrib/openct.fc | 3 +++
policy/modules/contrib/openhpi.fc | 2 ++
policy/modules/contrib/openvpn.fc | 2 ++
policy/modules/contrib/pacemaker.fc | 2 ++
policy/modules/contrib/pcmcia.fc | 3 +++
policy/modules/contrib/pcscd.fc | 2 ++
policy/modules/contrib/pegasus.fc | 3 +++
policy/modules/contrib/perdition.fc | 2 ++
policy/modules/contrib/pingd.fc | 2 ++
policy/modules/contrib/pkcs.fc | 2 ++
policy/modules/contrib/plymouthd.fc | 1 +
policy/modules/contrib/portmap.fc | 4 ++++
policy/modules/contrib/portreserve.fc | 2 ++
policy/modules/contrib/portslave.fc | 3 +++
policy/modules/contrib/postfix.fc | 11 +++++++++++
policy/modules/contrib/postfixpolicyd.fc | 2 ++
policy/modules/contrib/postgrey.fc | 2 ++
policy/modules/contrib/ppp.fc | 6 ++++++
policy/modules/contrib/prelink.fc | 2 ++
policy/modules/contrib/prelude.fc | 3 ++-
policy/modules/contrib/privoxy.fc | 2 ++
policy/modules/contrib/psad.fc | 2 ++
policy/modules/contrib/pxe.fc | 2 ++
policy/modules/contrib/qmail.fc | 12 ++++++++++++
policy/modules/contrib/qpid.fc | 2 ++
policy/modules/contrib/quota.fc | 4 ++++
policy/modules/contrib/radius.fc | 3 +++
policy/modules/contrib/radvd.fc | 2 ++
policy/modules/contrib/raid.fc | 8 ++++++++
policy/modules/contrib/rdisc.fc | 2 ++
policy/modules/contrib/readahead.fc | 2 ++
policy/modules/contrib/redis.fc | 2 ++
policy/modules/contrib/resmgr.fc | 2 ++
policy/modules/contrib/rgmanager.fc | 5 ++++-
policy/modules/contrib/rhcs.fc | 9 +++++++++
policy/modules/contrib/ricci.fc | 3 +++
policy/modules/contrib/rlogin.fc | 2 ++
policy/modules/contrib/rngd.fc | 2 ++
policy/modules/contrib/rpc.fc | 9 +++++++++
policy/modules/contrib/rpcbind.fc | 2 ++
policy/modules/contrib/rpm.fc | 10 ++++++++++
policy/modules/contrib/rshd.fc | 3 +++
policy/modules/contrib/rwho.fc | 2 ++
policy/modules/contrib/samba.fc | 4 ++++
policy/modules/contrib/samhain.fc | 3 +++
policy/modules/contrib/sanlock.fc | 2 ++
policy/modules/contrib/sasl.fc | 2 ++
policy/modules/contrib/sblim.fc | 3 +++
policy/modules/contrib/sensord.fc | 2 ++
policy/modules/contrib/setroubleshoot.fc | 2 ++
policy/modules/contrib/shibboleth.fc | 2 ++
policy/modules/contrib/shorewall.fc | 3 +++
policy/modules/contrib/shutdown.fc | 2 ++
policy/modules/contrib/slpd.fc | 2 ++
policy/modules/contrib/smartmon.fc | 2 ++
policy/modules/contrib/smokeping.fc | 2 ++
policy/modules/contrib/smstools.fc | 2 ++
policy/modules/contrib/snmp.fc | 4 ++++
policy/modules/contrib/snort.fc | 5 +++--
policy/modules/contrib/sosreport.fc | 2 ++
policy/modules/contrib/soundserver.fc | 1 +
policy/modules/contrib/spamassassin.fc | 5 +++--
policy/modules/contrib/speedtouch.fc | 2 ++
policy/modules/contrib/squid.fc | 2 ++
policy/modules/contrib/sssd.fc | 2 ++
policy/modules/contrib/sxid.fc | 1 +
policy/modules/contrib/tboot.fc | 2 ++
policy/modules/contrib/tcpd.fc | 2 ++
policy/modules/contrib/tcsd.fc | 2 ++
policy/modules/contrib/telnet.fc | 2 ++
policy/modules/contrib/tftp.fc | 2 ++
policy/modules/contrib/tgtd.fc | 2 ++
policy/modules/contrib/tmpreaper.fc | 3 +++
policy/modules/contrib/transproxy.fc | 2 ++
policy/modules/contrib/tripwire.fc | 5 +++++
policy/modules/contrib/tuned.fc | 2 ++
policy/modules/contrib/tzdata.fc | 2 ++
policy/modules/contrib/ulogd.fc | 2 ++
policy/modules/contrib/updfstab.fc | 3 +++
policy/modules/contrib/uptime.fc | 2 ++
policy/modules/contrib/usbmodules.fc | 2 ++
policy/modules/contrib/usbmuxd.fc | 2 ++
policy/modules/contrib/userhelper.fc | 1 +
policy/modules/contrib/usernetctl.fc | 2 ++
policy/modules/contrib/uucp.fc | 1 +
policy/modules/contrib/uuidd.fc | 2 ++
policy/modules/contrib/varnishd.fc | 1 +
policy/modules/contrib/vbetool.fc | 2 ++
policy/modules/contrib/vdagent.fc | 2 ++
policy/modules/contrib/vhostmd.fc | 2 ++
policy/modules/contrib/virt.fc | 7 ++++++-
policy/modules/contrib/vlock.fc | 3 ++-
policy/modules/contrib/vmware.fc | 2 ++
policy/modules/contrib/vnstatd.fc | 1 +
policy/modules/contrib/vpn.fc | 1 +
policy/modules/contrib/watchdog.fc | 2 ++
policy/modules/contrib/wdmd.fc | 2 ++
policy/modules/contrib/xen.fc | 9 +++++++++
policy/modules/contrib/zabbix.fc | 7 +++++--
policy/modules/contrib/zebra.fc | 5 +++++
policy/modules/contrib/zosremote.fc | 2 ++
223 files changed, 670 insertions(+), 35 deletions(-)
diff --git a/policy/modules/contrib/abrt.fc b/policy/modules/contrib/abrt.fc
index d1b1f4e8..d05819be 100644
--- a/policy/modules/contrib/abrt.fc
+++ b/policy/modules/contrib/abrt.fc
@@ -1,8 +1,11 @@
/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
+/usr/bin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0)
+/usr/bin/abrt-dbus -- gen_context(system_u:object_r:abrt_exec_t,s0)
/usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
/usr/bin/abrt-retrace-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
+/usr/bin/abrt-upload-watch -- gen_context(system_u:object_r:abrt_upload_watch_exec_t,s0)
/usr/bin/coredump2packages -- gen_context(system_u:object_r:abrt_retrace_coredump_exec_t,s0)
/usr/bin/retrace-server-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
diff --git a/policy/modules/contrib/acct.fc b/policy/modules/contrib/acct.fc
index 204e5375..5a772ec6 100644
--- a/policy/modules/contrib/acct.fc
+++ b/policy/modules/contrib/acct.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/psacct -- gen_context(system_u:object_r:acct_initrc_exec_t,s0)
+/usr/bin/accton -- gen_context(system_u:object_r:acct_exec_t,s0)
+
/usr/sbin/accton -- gen_context(system_u:object_r:acct_exec_t,s0)
/var/account(/.*)? gen_context(system_u:object_r:acct_data_t,s0)
diff --git a/policy/modules/contrib/acpi.fc b/policy/modules/contrib/acpi.fc
index bfbe255b..ffd4ea00 100644
--- a/policy/modules/contrib/acpi.fc
+++ b/policy/modules/contrib/acpi.fc
@@ -1,6 +1,9 @@
/etc/rc\.d/init\.d/acpid -- gen_context(system_u:object_r:acpid_initrc_exec_t,s0)
+/usr/bin/acpid -- gen_context(system_u:object_r:acpid_exec_t,s0)
/usr/bin/apm -- gen_context(system_u:object_r:acpi_exec_t,s0)
+/usr/bin/apmd -- gen_context(system_u:object_r:acpid_exec_t,s0)
+/usr/bin/powersaved -- gen_context(system_u:object_r:acpid_exec_t,s0)
/usr/lib/systemd/system/apmd.*\.service -- gen_context(system_u:object_r:acpid_unit_t,s0)
diff --git a/policy/modules/contrib/afs.fc b/policy/modules/contrib/afs.fc
index c40fe9ae..9307074e 100644
--- a/policy/modules/contrib/afs.fc
+++ b/policy/modules/contrib/afs.fc
@@ -27,6 +27,9 @@
/usr/afs/logs(/.*)? gen_context(system_u:object_r:afs_logfile_t,s0)
+/usr/bin/afsd -- gen_context(system_u:object_r:afs_exec_t,s0)
+/usr/bin/bosserver -- gen_context(system_u:object_r:afs_bosserver_exec_t,s0)
+
/usr/libexec/openafs/dafileserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
/usr/libexec/openafs/dasalvager -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
/usr/libexec/openafs/davolserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
diff --git a/policy/modules/contrib/aiccu.fc b/policy/modules/contrib/aiccu.fc
index 86e436cb..5fc50bec 100644
--- a/policy/modules/contrib/aiccu.fc
+++ b/policy/modules/contrib/aiccu.fc
@@ -2,6 +2,8 @@
/etc/rc\.d/init\.d/aiccu -- gen_context(system_u:object_r:aiccu_initrc_exec_t,s0)
+/usr/bin/aiccu -- gen_context(system_u:object_r:aiccu_exec_t,s0)
+
/usr/sbin/aiccu -- gen_context(system_u:object_r:aiccu_exec_t,s0)
/run/aiccu\.pid -- gen_context(system_u:object_r:aiccu_var_run_t,s0)
diff --git a/policy/modules/contrib/aisexec.fc b/policy/modules/contrib/aisexec.fc
index f9c20c63..578f2d33 100644
--- a/policy/modules/contrib/aisexec.fc
+++ b/policy/modules/contrib/aisexec.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/openais -- gen_context(system_u:object_r:aisexec_initrc_exec_t,s0)
+/usr/bin/aisexec -- gen_context(system_u:object_r:aisexec_exec_t,s0)
+
/usr/sbin/aisexec -- gen_context(system_u:object_r:aisexec_exec_t,s0)
/var/lib/openais(/.*)? gen_context(system_u:object_r:aisexec_var_lib_t,s0)
diff --git a/policy/modules/contrib/alsa.fc b/policy/modules/contrib/alsa.fc
index 0f9e5196..75ea9ebf 100644
--- a/policy/modules/contrib/alsa.fc
+++ b/policy/modules/contrib/alsa.fc
@@ -6,7 +6,9 @@ HOME_DIR/\.asoundrc -- gen_context(system_u:object_r:alsa_home_t,s0)
/run/alsa(/.*)? gen_context(system_u:object_r:alsa_runtime_t,s0)
/usr/bin/ainit -- gen_context(system_u:object_r:alsa_exec_t,s0)
+/usr/bin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0)
/usr/bin/alsaunmute -- gen_context(system_u:object_r:alsa_exec_t,s0)
+/usr/bin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0)
/usr/lib/systemd/system/[^/]*alsa-restore.* -- gen_context(system_u:object_r:alsa_unit_t,s0)
/usr/lib/systemd/system/[^/]*alsa-state.* -- gen_context(system_u:object_r:alsa_unit_t,s0)
diff --git a/policy/modules/contrib/amanda.fc b/policy/modules/contrib/amanda.fc
index 7f4dfbca..0d90d71e 100644
--- a/policy/modules/contrib/amanda.fc
+++ b/policy/modules/contrib/amanda.fc
@@ -7,6 +7,9 @@
/root/restore -d gen_context(system_u:object_r:amanda_recover_dir_t,s0)
+/usr/bin/amandad -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
+/usr/bin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0)
+
/usr/lib/amanda -d gen_context(system_u:object_r:amanda_usr_lib_t,s0)
/usr/lib/amanda/.+ -- gen_context(system_u:object_r:amanda_exec_t,s0)
/usr/lib/amanda/amandad -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
diff --git a/policy/modules/contrib/amavis.fc b/policy/modules/contrib/amavis.fc
index 7b8beae4..da86959b 100644
--- a/policy/modules/contrib/amavis.fc
+++ b/policy/modules/contrib/amavis.fc
@@ -4,6 +4,8 @@
/etc/rc\.d/init\.d/amavis -- gen_context(system_u:object_r:amavis_initrc_exec_t,s0)
/etc/rc\.d/init\.d/amavisd-snmp -- gen_context(system_u:object_r:amavis_initrc_exec_t,s0)
+/usr/bin/amavisd.* -- gen_context(system_u:object_r:amavis_exec_t,s0)
+
/usr/lib/AntiVir/antivir -- gen_context(system_u:object_r:amavis_exec_t,s0)
/usr/sbin/amavisd.* -- gen_context(system_u:object_r:amavis_exec_t,s0)
diff --git a/policy/modules/contrib/apache.fc b/policy/modules/contrib/apache.fc
index 591c8ad2..f55535e7 100644
--- a/policy/modules/contrib/apache.fc
+++ b/policy/modules/contrib/apache.fc
@@ -37,9 +37,21 @@ HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)? gen_context(system_u:objec
/usr/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/bin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/apache(2)?ctl -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/cgi-wrapper -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/cherokee -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/hiawatha -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/bin/htsslpass -- gen_context(system_u:object_r:httpd_helper_exec_t,s0)
+/usr/bin/httpd\.event -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
/usr/bin/ssi-cgi -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
+/usr/bin/wigwam -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/lib/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
diff --git a/policy/modules/contrib/apcupsd.fc b/policy/modules/contrib/apcupsd.fc
index c9a7900c..43666b34 100644
--- a/policy/modules/contrib/apcupsd.fc
+++ b/policy/modules/contrib/apcupsd.fc
@@ -2,6 +2,8 @@
/usr/lib/systemd/system/apcupsd.*\.service -- gen_context(system_u:object_r:apcupsd_unit_t,s0)
+/usr/bin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
+
/usr/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
/var/lock/subsys/apcupsd -- gen_context(system_u:object_r:apcupsd_lock_t,s0)
diff --git a/policy/modules/contrib/arpwatch.fc b/policy/modules/contrib/arpwatch.fc
index 5e0e6862..b439c10c 100644
--- a/policy/modules/contrib/arpwatch.fc
+++ b/policy/modules/contrib/arpwatch.fc
@@ -2,6 +2,8 @@
/usr/lib/systemd/system/arpwatch.*\.service -- gen_context(system_u:object_r:arpwatch_unit_t,s0)
+/usr/bin/arpwatch -- gen_context(system_u:object_r:arpwatch_exec_t,s0)
+
/usr/sbin/arpwatch -- gen_context(system_u:object_r:arpwatch_exec_t,s0)
/var/arpwatch(/.*)? gen_context(system_u:object_r:arpwatch_data_t,s0)
diff --git a/policy/modules/contrib/asterisk.fc b/policy/modules/contrib/asterisk.fc
index 0aaa615a..337bf601 100644
--- a/policy/modules/contrib/asterisk.fc
+++ b/policy/modules/contrib/asterisk.fc
@@ -2,6 +2,8 @@
/etc/rc\.d/init\.d/asterisk -- gen_context(system_u:object_r:asterisk_initrc_exec_t,s0)
+/usr/bin/asterisk -- gen_context(system_u:object_r:asterisk_exec_t,s0)
+
/usr/sbin/asterisk -- gen_context(system_u:object_r:asterisk_exec_t,s0)
/var/lib/asterisk(/.*)? gen_context(system_u:object_r:asterisk_var_lib_t,s0)
diff --git a/policy/modules/contrib/automount.fc b/policy/modules/contrib/automount.fc
index 8bd48bc4..dadd3a9f 100644
--- a/policy/modules/contrib/automount.fc
+++ b/policy/modules/contrib/automount.fc
@@ -3,6 +3,8 @@
/usr/lib/systemd/system/autofs.*\.service -- gen_context(system_u:object_r:automount_unit_t,s0)
+/usr/bin/automount -- gen_context(system_u:object_r:automount_exec_t,s0)
+
/usr/sbin/automount -- gen_context(system_u:object_r:automount_exec_t,s0)
/var/lock/subsys/autofs -- gen_context(system_u:object_r:automount_lock_t,s0)
diff --git a/policy/modules/contrib/avahi.fc b/policy/modules/contrib/avahi.fc
index 80248b62..2f72be4a 100644
--- a/policy/modules/contrib/avahi.fc
+++ b/policy/modules/contrib/avahi.fc
@@ -1,5 +1,9 @@
/etc/rc\.d/init\.d/avahi.* -- gen_context(system_u:object_r:avahi_initrc_exec_t,s0)
+/usr/bin/avahi-daemon -- gen_context(system_u:object_r:avahi_exec_t,s0)
+/usr/bin/avahi-dnsconfd -- gen_context(system_u:object_r:avahi_exec_t,s0)
+/usr/bin/avahi-autoipd -- gen_context(system_u:object_r:avahi_exec_t,s0)
+
/usr/lib/systemd/system/avahi.*\.service -- gen_context(system_u:object_r:avahi_unit_t,s0)
/usr/sbin/avahi-daemon -- gen_context(system_u:object_r:avahi_exec_t,s0)
diff --git a/policy/modules/contrib/bacula.fc b/policy/modules/contrib/bacula.fc
index 3550dcc4..27c021c3 100644
--- a/policy/modules/contrib/bacula.fc
+++ b/policy/modules/contrib/bacula.fc
@@ -4,6 +4,10 @@
/etc/rc\.d/init\.d/bacula.* -- gen_context(system_u:object_r:bacula_initrc_exec_t,s0)
+/usr/bin/bacula.* -- gen_context(system_u:object_r:bacula_exec_t,s0)
+/usr/bin/bat -- gen_context(system_u:object_r:bacula_admin_exec_t,s0)
+/usr/bin/bconsole -- gen_context(system_u:object_r:bacula_admin_exec_t,s0)
+
/usr/sbin/bacula.* -- gen_context(system_u:object_r:bacula_exec_t,s0)
/usr/sbin/bat -- gen_context(system_u:object_r:bacula_admin_exec_t,s0)
/usr/sbin/bconsole -- gen_context(system_u:object_r:bacula_admin_exec_t,s0)
diff --git a/policy/modules/contrib/bcfg2.fc b/policy/modules/contrib/bcfg2.fc
index 10f28688..feb5d9d9 100644
--- a/policy/modules/contrib/bcfg2.fc
+++ b/policy/modules/contrib/bcfg2.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/bcfg2-server -- gen_context(system_u:object_r:bcfg2_initrc_exec_t,s0)
+/usr/bin/bcfg2-server -- gen_context(system_u:object_r:bcfg2_exec_t,s0)
+
/usr/sbin/bcfg2-server -- gen_context(system_u:object_r:bcfg2_exec_t,s0)
/var/lib/bcfg2(/.*)? gen_context(system_u:object_r:bcfg2_var_lib_t,s0)
diff --git a/policy/modules/contrib/bind.fc b/policy/modules/contrib/bind.fc
index de596aed..b4879dc1 100644
--- a/policy/modules/contrib/bind.fc
+++ b/policy/modules/contrib/bind.fc
@@ -14,6 +14,12 @@
/etc/unbound(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
/etc/unbound/.*\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+/usr/bin/lwresd -- gen_context(system_u:object_r:named_exec_t,s0)
+/usr/bin/named -- gen_context(system_u:object_r:named_exec_t,s0)
+/usr/bin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0)
+/usr/bin/r?ndc -- gen_context(system_u:object_r:ndc_exec_t,s0)
+/usr/bin/unbound -- gen_context(system_u:object_r:named_exec_t,s0)
+
/usr/lib/systemd/system/named.*\.service -- gen_context(system_u:object_r:named_unit_t,s0)
/usr/lib/systemd/system/unbound.*\.service -- gen_context(system_u:object_r:named_unit_t,s0)
diff --git a/policy/modules/contrib/bird.fc b/policy/modules/contrib/bird.fc
index d4524d56..d415fdf3 100644
--- a/policy/modules/contrib/bird.fc
+++ b/policy/modules/contrib/bird.fc
@@ -4,6 +4,8 @@
/etc/rc\.d/init\.d/bird -- gen_context(system_u:object_r:bird_initrc_exec_t,s0)
+/usr/bin/bird -- gen_context(system_u:object_r:bird_exec_t,s0)
+
/usr/sbin/bird -- gen_context(system_u:object_r:bird_exec_t,s0)
/var/log/bird\.log.* -- gen_context(system_u:object_r:bird_log_t,s0)
diff --git a/policy/modules/contrib/bitlbee.fc b/policy/modules/contrib/bitlbee.fc
index a6c071f8..e7b0aa60 100644
--- a/policy/modules/contrib/bitlbee.fc
+++ b/policy/modules/contrib/bitlbee.fc
@@ -3,6 +3,7 @@
/etc/rc\.d/init\.d/bitlbee -- gen_context(system_u:object_r:bitlbee_initrc_exec_t,s0)
/usr/bin/bip -- gen_context(system_u:object_r:bitlbee_exec_t,s0)
+/usr/bin/bitlbee -- gen_context(system_u:object_r:bitlbee_exec_t,s0)
/usr/sbin/bitlbee -- gen_context(system_u:object_r:bitlbee_exec_t,s0)
/var/lib/bitlbee(/.*)? gen_context(system_u:object_r:bitlbee_var_t,s0)
diff --git a/policy/modules/contrib/bluetooth.fc b/policy/modules/contrib/bluetooth.fc
index 495fb7c0..4fbe7955 100644
--- a/policy/modules/contrib/bluetooth.fc
+++ b/policy/modules/contrib/bluetooth.fc
@@ -6,9 +6,14 @@
/etc/rc\.d/init\.d/pand -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0)
/usr/bin/blue.*pin -- gen_context(system_u:object_r:bluetooth_helper_exec_t,s0)
+/usr/bin/bluetoothd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
/usr/bin/dund -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/bin/hciattach -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/bin/hcid -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/bin/hid2hci -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
/usr/bin/hidd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
/usr/bin/rfcomm -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/bin/sdpd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
# Systemd unit file
/usr/lib/systemd/system/[^/]*bluetooth.* -- gen_context(system_u:object_r:bluetooth_unit_t,s0)
diff --git a/policy/modules/contrib/brctl.fc b/policy/modules/contrib/brctl.fc
index 32f8ee97..ed472f09 100644
--- a/policy/modules/contrib/brctl.fc
+++ b/policy/modules/contrib/brctl.fc
@@ -1 +1,3 @@
+/usr/bin/brctl -- gen_context(system_u:object_r:brctl_exec_t,s0)
+
/usr/sbin/brctl -- gen_context(system_u:object_r:brctl_exec_t,s0)
diff --git a/policy/modules/contrib/cachefilesd.fc b/policy/modules/contrib/cachefilesd.fc
index 1ddbe60d..f58be76b 100644
--- a/policy/modules/contrib/cachefilesd.fc
+++ b/policy/modules/contrib/cachefilesd.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/cachefilesd -- gen_context(system_u:object_r:cachefilesd_initrc_exec_t,s0)
+/usr/bin/cachefilesd -- gen_context(system_u:object_r:cachefilesd_exec_t,s0)
+
/usr/sbin/cachefilesd -- gen_context(system_u:object_r:cachefilesd_exec_t,s0)
/var/cache/fscache(/.*)? gen_context(system_u:object_r:cachefilesd_cache_t,s0)
diff --git a/policy/modules/contrib/callweaver.fc b/policy/modules/contrib/callweaver.fc
index 4a86bec5..3cdd635b 100644
--- a/policy/modules/contrib/callweaver.fc
+++ b/policy/modules/contrib/callweaver.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/callweaver -- gen_context(system_u:object_r:callweaver_initrc_exec_t,s0)
+/usr/bin/callweaver -- gen_context(system_u:object_r:callweaver_exec_t,s0)
+
/usr/sbin/callweaver -- gen_context(system_u:object_r:callweaver_exec_t,s0)
/var/lib/callweaver(/.*)? gen_context(system_u:object_r:callweaver_var_lib_t,s0)
diff --git a/policy/modules/contrib/canna.fc b/policy/modules/contrib/canna.fc
index df523340..7688d0ec 100644
--- a/policy/modules/contrib/canna.fc
+++ b/policy/modules/contrib/canna.fc
@@ -1,7 +1,9 @@
/etc/rc\.d/init\.d/canna -- gen_context(system_u:object_r:canna_initrc_exec_t,s0)
/usr/bin/cannaping -- gen_context(system_u:object_r:canna_exec_t,s0)
-/usr/bin/catdic -- gen_context(system_u:object_r:canna_exec_t,s0)
+/usr/bin/cannaserver -- gen_context(system_u:object_r:canna_exec_t,s0)
+/usr/bin/catdic -- gen_context(system_u:object_r:canna_exec_t,s0)
+/usr/bin/jserver -- gen_context(system_u:object_r:canna_exec_t,s0)
/usr/sbin/cannaserver -- gen_context(system_u:object_r:canna_exec_t,s0)
/usr/sbin/jserver -- gen_context(system_u:object_r:canna_exec_t,s0)
diff --git a/policy/modules/contrib/ccs.fc b/policy/modules/contrib/ccs.fc
index 4bf5e8f3..f428bee0 100644
--- a/policy/modules/contrib/ccs.fc
+++ b/policy/modules/contrib/ccs.fc
@@ -2,6 +2,8 @@
/etc/rc\.d/init\.d/((ccs)|(ccsd)) -- gen_context(system_u:object_r:ccs_initrc_exec_t,s0)
+/usr/bin/ccsd -- gen_context(system_u:object_r:ccs_exec_t,s0)
+
/usr/sbin/ccsd -- gen_context(system_u:object_r:ccs_exec_t,s0)
/var/lib/cluster/((ccs)|(ccsd)).* gen_context(system_u:object_r:ccs_var_lib_t,s0)
diff --git a/policy/modules/contrib/certmonger.fc b/policy/modules/contrib/certmonger.fc
index d3e1d6cf..7d357324 100644
--- a/policy/modules/contrib/certmonger.fc
+++ b/policy/modules/contrib/certmonger.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/certmonger -- gen_context(system_u:object_r:certmonger_initrc_exec_t,s0)
+/usr/bin/certmonger -- gen_context(system_u:object_r:certmonger_exec_t,s0)
+
/usr/sbin/certmonger -- gen_context(system_u:object_r:certmonger_exec_t,s0)
/var/lib/certmonger(/.*)? gen_context(system_u:object_r:certmonger_var_lib_t,s0)
diff --git a/policy/modules/contrib/cfengine.fc b/policy/modules/contrib/cfengine.fc
index 5b605d6b..807467cb 100644
--- a/policy/modules/contrib/cfengine.fc
+++ b/policy/modules/contrib/cfengine.fc
@@ -1,5 +1,9 @@
/etc/rc\.d/init\.d/((cf-serverd)|(cf-monitord)|(cf-execd)) -- gen_context(system_u:object_r:cfengine_initrc_exec_t,s0)
+/usr/bin/cf-serverd -- gen_context(system_u:object_r:cfengine_serverd_exec_t,s0)
+/usr/bin/cf-execd -- gen_context(system_u:object_r:cfengine_execd_exec_t,s0)
+/usr/bin/cf-monitord -- gen_context(system_u:object_r:cfengine_monitord_exec_t,s0)
+
/usr/sbin/cf-serverd -- gen_context(system_u:object_r:cfengine_serverd_exec_t,s0)
/usr/sbin/cf-execd -- gen_context(system_u:object_r:cfengine_execd_exec_t,s0)
/usr/sbin/cf-monitord -- gen_context(system_u:object_r:cfengine_monitord_exec_t,s0)
diff --git a/policy/modules/contrib/cgroup.fc b/policy/modules/contrib/cgroup.fc
index cfe6b48c..f631358e 100644
--- a/policy/modules/contrib/cgroup.fc
+++ b/policy/modules/contrib/cgroup.fc
@@ -7,6 +7,10 @@
/etc/rc\.d/init\.d/cgconfig -- gen_context(system_u:object_r:cgconfig_initrc_exec_t,s0)
/etc/rc\.d/init\.d/cgred -- gen_context(system_u:object_r:cgred_initrc_exec_t,s0)
+/usr/bin/cgconfigparser -- gen_context(system_u:object_r:cgconfig_exec_t,s0)
+/usr/bin/cgrulesengd -- gen_context(system_u:object_r:cgred_exec_t,s0)
+/usr/bin/cgclear -- gen_context(system_u:object_r:cgclear_exec_t,s0)
+
/usr/sbin/cgconfigparser -- gen_context(system_u:object_r:cgconfig_exec_t,s0)
/usr/sbin/cgrulesengd -- gen_context(system_u:object_r:cgred_exec_t,s0)
/usr/sbin/cgclear -- gen_context(system_u:object_r:cgclear_exec_t,s0)
diff --git a/policy/modules/contrib/chronyd.fc b/policy/modules/contrib/chronyd.fc
index d3069a0a..66f001b8 100644
--- a/policy/modules/contrib/chronyd.fc
+++ b/policy/modules/contrib/chronyd.fc
@@ -2,11 +2,12 @@
/etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0)
+/usr/bin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0)
+
# Systend unit files
/usr/lib/systemd/system/[^/]*chrony-wait.* -- gen_context(system_u:object_r:chronyd_unit_t,s0)
/usr/lib/systemd/system/[^/]*chronyd.* -- gen_context(system_u:object_r:chronyd_unit_t,s0)
-
/usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0)
/var/lib/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_lib_t,s0)
diff --git a/policy/modules/contrib/cipe.fc b/policy/modules/contrib/cipe.fc
index c7535226..2cfb0ae9 100644
--- a/policy/modules/contrib/cipe.fc
+++ b/policy/modules/contrib/cipe.fc
@@ -1,3 +1,5 @@
/etc/rc\.d/init\.d/ciped.* -- gen_context(system_u:object_r:ciped_initrc_exec_t,s0)
+/usr/bin/ciped.* -- gen_context(system_u:object_r:ciped_exec_t,s0)
+
/usr/sbin/ciped.* -- gen_context(system_u:object_r:ciped_exec_t,s0)
diff --git a/policy/modules/contrib/clamav.fc b/policy/modules/contrib/clamav.fc
index ccca6aaa..70fb22e6 100644
--- a/policy/modules/contrib/clamav.fc
+++ b/policy/modules/contrib/clamav.fc
@@ -2,7 +2,9 @@
/etc/rc\.d/init\.d/clamd.* -- gen_context(system_u:object_r:clamd_initrc_exec_t,s0)
+/usr/bin/clamav-milter -- gen_context(system_u:object_r:clamd_exec_t,s0)
/usr/bin/clamscan -- gen_context(system_u:object_r:clamscan_exec_t,s0)
+/usr/bin/clamd -- gen_context(system_u:object_r:clamd_exec_t,s0)
/usr/bin/clamdscan -- gen_context(system_u:object_r:clamscan_exec_t,s0)
/usr/bin/freshclam -- gen_context(system_u:object_r:freshclam_exec_t,s0)
diff --git a/policy/modules/contrib/clogd.fc b/policy/modules/contrib/clogd.fc
index ba3bca7f..6c5de73b 100644
--- a/policy/modules/contrib/clogd.fc
+++ b/policy/modules/contrib/clogd.fc
@@ -1,3 +1,5 @@
+/usr/bin/clogd -- gen_context(system_u:object_r:clogd_exec_t,s0)
+
/usr/sbin/clogd -- gen_context(system_u:object_r:clogd_exec_t,s0)
/run/clogd\.pid -- gen_context(system_u:object_r:clogd_var_run_t,s0)
diff --git a/policy/modules/contrib/cmirrord.fc b/policy/modules/contrib/cmirrord.fc
index 9a26f5e1..c948aacf 100644
--- a/policy/modules/contrib/cmirrord.fc
+++ b/policy/modules/contrib/cmirrord.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/cmirrord -- gen_context(system_u:object_r:cmirrord_initrc_exec_t,s0)
+/usr/bin/cmirrord -- gen_context(system_u:object_r:cmirrord_exec_t,s0)
+
/usr/sbin/cmirrord -- gen_context(system_u:object_r:cmirrord_exec_t,s0)
/run/cmirrord\.pid -- gen_context(system_u:object_r:cmirrord_var_run_t,s0)
diff --git a/policy/modules/contrib/collectd.fc b/policy/modules/contrib/collectd.fc
index 9ac08967..4e9b367e 100644
--- a/policy/modules/contrib/collectd.fc
+++ b/policy/modules/contrib/collectd.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/collectd -- gen_context(system_u:object_r:collectd_initrc_exec_t,s0)
+/usr/bin/collectd -- gen_context(system_u:object_r:collectd_exec_t,s0)
+
/usr/sbin/collectd -- gen_context(system_u:object_r:collectd_exec_t,s0)
/var/lib/collectd(/.*)? gen_context(system_u:object_r:collectd_var_lib_t,s0)
diff --git a/policy/modules/contrib/comsat.fc b/policy/modules/contrib/comsat.fc
index 90461f93..63e73363 100644
--- a/policy/modules/contrib/comsat.fc
+++ b/policy/modules/contrib/comsat.fc
@@ -1 +1,3 @@
+/usr/bin/in\.comsat -- gen_context(system_u:object_r:comsat_exec_t,s0)
+
/usr/sbin/in\.comsat -- gen_context(system_u:object_r:comsat_exec_t,s0)
diff --git a/policy/modules/contrib/condor.fc b/policy/modules/contrib/condor.fc
index 19ffde01..eed1e341 100644
--- a/policy/modules/contrib/condor.fc
+++ b/policy/modules/contrib/condor.fc
@@ -2,6 +2,14 @@
/etc/rc\.d/init\.d/condor -- gen_context(system_u:object_r:condor_initrc_exec_t,s0)
+/usr/bin/condor_collector -- gen_context(system_u:object_r:condor_collector_exec_t,s0)
+/usr/bin/condor_master -- gen_context(system_u:object_r:condor_master_exec_t,s0)
+/usr/bin/condor_negotiator -- gen_context(system_u:object_r:condor_negotiator_exec_t,s0)
+/usr/bin/condor_procd -- gen_context(system_u:object_r:condor_procd_exec_t,s0)
+/usr/bin/condor_schedd -- gen_context(system_u:object_r:condor_schedd_exec_t,s0)
+/usr/bin/condor_startd -- gen_context(system_u:object_r:condor_startd_exec_t,s0)
+/usr/bin/condor_starter -- gen_context(system_u:object_r:condor_startd_exec_t,s0)
+
/usr/sbin/condor_collector -- gen_context(system_u:object_r:condor_collector_exec_t,s0)
/usr/sbin/condor_master -- gen_context(system_u:object_r:condor_master_exec_t,s0)
/usr/sbin/condor_negotiator -- gen_context(system_u:object_r:condor_negotiator_exec_t,s0)
diff --git a/policy/modules/contrib/consolekit.fc b/policy/modules/contrib/consolekit.fc
index e3827ccd..8b440c56 100644
--- a/policy/modules/contrib/consolekit.fc
+++ b/policy/modules/contrib/consolekit.fc
@@ -1,3 +1,5 @@
+/usr/bin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0)
+
/usr/lib/systemd/system/console-kit.*\.service -- gen_context(system_u:object_r:consolekit_unit_t,s0)
/usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0)
diff --git a/policy/modules/contrib/corosync.fc b/policy/modules/contrib/corosync.fc
index e00b036b..3671df61 100644
--- a/policy/modules/contrib/corosync.fc
+++ b/policy/modules/contrib/corosync.fc
@@ -1,5 +1,8 @@
/etc/rc\.d/init\.d/corosync -- gen_context(system_u:object_r:corosync_initrc_exec_t,s0)
+/usr/bin/corosync -- gen_context(system_u:object_r:corosync_exec_t,s0)
+/usr/bin/corosync-notifyd -- gen_context(system_u:object_r:corosync_exec_t,s0)
+
/usr/sbin/corosync -- gen_context(system_u:object_r:corosync_exec_t,s0)
/usr/sbin/corosync-notifyd -- gen_context(system_u:object_r:corosync_exec_t,s0)
diff --git a/policy/modules/contrib/courier.fc b/policy/modules/contrib/courier.fc
index 3db41fbc..c28b2209 100644
--- a/policy/modules/contrib/courier.fc
+++ b/policy/modules/contrib/courier.fc
@@ -1,7 +1,14 @@
/etc/courier(/.*)? gen_context(system_u:object_r:courier_etc_t,s0)
/etc/courier-imap(/.*)? gen_context(system_u:object_r:courier_etc_t,s0)
-/usr/bin/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/bin/authdaemond -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
+/usr/bin/courier-imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/bin/courierlogger -- gen_context(system_u:object_r:courier_exec_t,s0)
+/usr/bin/courierldapaliasd -- gen_context(system_u:object_r:courier_exec_t,s0)
+/usr/bin/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
+/usr/bin/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/bin/imaplogin -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+
/usr/sbin/authdaemond -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
/usr/sbin/courier-imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
diff --git a/policy/modules/contrib/cpucontrol.fc b/policy/modules/contrib/cpucontrol.fc
index 06f5d0f9..d01f2350 100644
--- a/policy/modules/contrib/cpucontrol.fc
+++ b/policy/modules/contrib/cpucontrol.fc
@@ -1,5 +1,10 @@
/usr/lib/firmware/microcode.*\.dat -- gen_context(system_u:object_r:cpucontrol_conf_t,s0)
+/usr/bin/cpufreqd -- gen_context(system_u:object_r:cpuspeed_exec_t,s0)
+/usr/bin/cpuspeed -- gen_context(system_u:object_r:cpuspeed_exec_t,s0)
+/usr/bin/microcode_ctl -- gen_context(system_u:object_r:cpucontrol_exec_t,s0)
+/usr/bin/powernowd -- gen_context(system_u:object_r:cpuspeed_exec_t,s0)
+
/usr/sbin/cpufreqd -- gen_context(system_u:object_r:cpuspeed_exec_t,s0)
/usr/sbin/cpuspeed -- gen_context(system_u:object_r:cpuspeed_exec_t,s0)
/usr/sbin/microcode_ctl -- gen_context(system_u:object_r:cpucontrol_exec_t,s0)
diff --git a/policy/modules/contrib/cron.fc b/policy/modules/contrib/cron.fc
index 6d4f5397..e1b3e7b3 100644
--- a/policy/modules/contrib/cron.fc
+++ b/policy/modules/contrib/cron.fc
@@ -3,7 +3,12 @@
/etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
/etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
-
+/usr/bin/anacron -- gen_context(system_u:object_r:anacron_exec_t,s0)
+/usr/bin/at -- gen_context(system_u:object_r:crontab_exec_t,s0)
+/usr/bin/atd -- gen_context(system_u:object_r:crond_exec_t,s0)
+/usr/bin/cron(d)? -- gen_context(system_u:object_r:crond_exec_t,s0)
+/usr/bin/fcron -- gen_context(system_u:object_r:crond_exec_t,s0)
+/usr/bin/fcronsighup -- gen_context(system_u:object_r:crontab_exec_t,s0)
/usr/bin/(f)?crontab -- gen_context(system_u:object_r:crontab_exec_t,s0)
/usr/lib/systemd/system/atd.*\.service -- gen_context(system_u:object_r:crond_unit_t,s0)
diff --git a/policy/modules/contrib/ctdb.fc b/policy/modules/contrib/ctdb.fc
index be3db334..98484341 100644
--- a/policy/modules/contrib/ctdb.fc
+++ b/policy/modules/contrib/ctdb.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/ctdb -- gen_context(system_u:object_r:ctdbd_initrc_exec_t,s0)
+/usr/bin/ctdbd -- gen_context(system_u:object_r:ctdbd_exec_t,s0)
+
/usr/sbin/ctdbd -- gen_context(system_u:object_r:ctdbd_exec_t,s0)
/var/lib/ctdbd(/.*)? gen_context(system_u:object_r:ctdbd_var_lib_t,s0)
diff --git a/policy/modules/contrib/cups.fc b/policy/modules/contrib/cups.fc
index 72afd973..43c4616a 100644
--- a/policy/modules/contrib/cups.fc
+++ b/policy/modules/contrib/cups.fc
@@ -21,8 +21,17 @@
/opt/brother/Printers(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/opt/gutenprint/ppds(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/bin/hp-[^/]+ -- gen_context(system_u:object_r:hplip_exec_t,s0)
+/usr/bin/cups-browsed -- gen_context(system_u:object_r:cupsd_exec_t,s0)
/usr/bin/cups-config-daemon -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/bin/cupsd -- gen_context(system_u:object_r:cupsd_exec_t,s0)
+/usr/bin/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
/usr/bin/hpijs -- gen_context(system_u:object_r:hplip_exec_t,s0)
+/usr/bin/hpiod -- gen_context(system_u:object_r:hplip_exec_t,s0)
+/usr/bin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/bin/ptal-printd -- gen_context(system_u:object_r:ptal_exec_t,s0)
+/usr/bin/ptal-mlcd -- gen_context(system_u:object_r:ptal_exec_t,s0)
+/usr/bin/ptal-photod -- gen_context(system_u:object_r:ptal_exec_t,s0)
/usr/Brother/fax/.*\.log.* gen_context(system_u:object_r:cupsd_log_t,s0)
/usr/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
diff --git a/policy/modules/contrib/dante.fc b/policy/modules/contrib/dante.fc
index 44c83be9..3aea9187 100644
--- a/policy/modules/contrib/dante.fc
+++ b/policy/modules/contrib/dante.fc
@@ -3,6 +3,9 @@
/etc/danted\.conf -- gen_context(system_u:object_r:dante_conf_t,s0)
/etc/socks(/.*)? gen_context(system_u:object_r:dante_conf_t,s0)
+/usr/bin/danted -- gen_context(system_u:object_r:dante_exec_t,s0)
+/usr/bin/sockd -- gen_context(system_u:object_r:dante_exec_t,s0)
+
/usr/sbin/danted -- gen_context(system_u:object_r:dante_exec_t,s0)
/usr/sbin/sockd -- gen_context(system_u:object_r:dante_exec_t,s0)
diff --git a/policy/modules/contrib/dbskk.fc b/policy/modules/contrib/dbskk.fc
index 6fb8fead..a3028746 100644
--- a/policy/modules/contrib/dbskk.fc
+++ b/policy/modules/contrib/dbskk.fc
@@ -1 +1,3 @@
+/usr/bin/dbskkd-cdb -- gen_context(system_u:object_r:dbskkd_exec_t,s0)
+
/usr/sbin/dbskkd-cdb -- gen_context(system_u:object_r:dbskkd_exec_t,s0)
diff --git a/policy/modules/contrib/dcc.fc b/policy/modules/contrib/dcc.fc
index ccfe6037..bc9189c8 100644
--- a/policy/modules/contrib/dcc.fc
+++ b/policy/modules/contrib/dcc.fc
@@ -2,8 +2,12 @@
/etc/dcc/dccifd -s gen_context(system_u:object_r:dccifd_var_run_t,s0)
/etc/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0)
-/usr/bin/cdcc -- gen_context(system_u:object_r:cdcc_exec_t,s0)
+/usr/bin/cdcc -- gen_context(system_u:object_r:cdcc_exec_t,s0)
+/usr/bin/dccd -- gen_context(system_u:object_r:dccd_exec_t,s0)
+/usr/bin/dccifd -- gen_context(system_u:object_r:dccifd_exec_t,s0)
+/usr/bin/dccm -- gen_context(system_u:object_r:dccm_exec_t,s0)
/usr/bin/dccproc -- gen_context(system_u:object_r:dcc_client_exec_t,s0)
+/usr/bin/dbclean -- gen_context(system_u:object_r:dcc_dbclean_exec_t,s0)
/usr/libexec/dcc/dbclean -- gen_context(system_u:object_r:dcc_dbclean_exec_t,s0)
/usr/libexec/dcc/dccd -- gen_context(system_u:object_r:dccd_exec_t,s0)
diff --git a/policy/modules/contrib/ddclient.fc b/policy/modules/contrib/ddclient.fc
index 81b69d02..64d55e5c 100644
--- a/policy/modules/contrib/ddclient.fc
+++ b/policy/modules/contrib/ddclient.fc
@@ -3,6 +3,9 @@
/etc/rc\.d/init\.d/ddclient -- gen_context(system_u:object_r:ddclient_initrc_exec_t,s0)
+/usr/bin/ddclient -- gen_context(system_u:object_r:ddclient_exec_t,s0)
+/usr/bin/ddtcd -- gen_context(system_u:object_r:ddclient_exec_t,s0)
+
/usr/sbin/ddclient -- gen_context(system_u:object_r:ddclient_exec_t,s0)
/usr/sbin/ddtcd -- gen_context(system_u:object_r:ddclient_exec_t,s0)
diff --git a/policy/modules/contrib/ddcprobe.fc b/policy/modules/contrib/ddcprobe.fc
index 9f2a27f5..747c416e 100644
--- a/policy/modules/contrib/ddcprobe.fc
+++ b/policy/modules/contrib/ddcprobe.fc
@@ -1 +1,3 @@
+/usr/bin/ddcprobe -- gen_context(system_u:object_r:ddcprobe_exec_t,s0)
+
/usr/sbin/ddcprobe -- gen_context(system_u:object_r:ddcprobe_exec_t,s0)
diff --git a/policy/modules/contrib/dhcp.fc b/policy/modules/contrib/dhcp.fc
index b85ea22a..c4166794 100644
--- a/policy/modules/contrib/dhcp.fc
+++ b/policy/modules/contrib/dhcp.fc
@@ -2,6 +2,8 @@
/usr/lib/systemd/system/dhcpcd.*\.service -- gen_context(system_u:object_r:dhcpd_unit_t,s0)
+/usr/bin/dhcpd.* -- gen_context(system_u:object_r:dhcpd_exec_t,s0)
+
/usr/sbin/dhcpd.* -- gen_context(system_u:object_r:dhcpd_exec_t,s0)
/var/lib/dhcpd(/.*)? gen_context(system_u:object_r:dhcpd_state_t,s0)
diff --git a/policy/modules/contrib/dictd.fc b/policy/modules/contrib/dictd.fc
index 5902d746..b2c773b2 100644
--- a/policy/modules/contrib/dictd.fc
+++ b/policy/modules/contrib/dictd.fc
@@ -2,6 +2,8 @@
/etc/dictd\.conf -- gen_context(system_u:object_r:dictd_etc_t,s0)
+/usr/bin/dictd -- gen_context(system_u:object_r:dictd_exec_t,s0)
+
/usr/sbin/dictd -- gen_context(system_u:object_r:dictd_exec_t,s0)
/var/lib/dictd(/.*)? gen_context(system_u:object_r:dictd_var_lib_t,s0)
diff --git a/policy/modules/contrib/dkim.fc b/policy/modules/contrib/dkim.fc
index aa146efa..832c1585 100644
--- a/policy/modules/contrib/dkim.fc
+++ b/policy/modules/contrib/dkim.fc
@@ -2,6 +2,9 @@
/etc/rc\.d/init\.d/((opendkim)|(dkim-milter)) -- gen_context(system_u:object_r:dkim_milter_initrc_exec_t,s0)
+/usr/bin/dkim-filter -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
+/usr/bin/opendkim -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
+
/usr/sbin/dkim-filter -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
/usr/sbin/opendkim -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
diff --git a/policy/modules/contrib/dmidecode.fc b/policy/modules/contrib/dmidecode.fc
index c394e45d..0ca4c99a 100644
--- a/policy/modules/contrib/dmidecode.fc
+++ b/policy/modules/contrib/dmidecode.fc
@@ -1,3 +1,8 @@
+/usr/bin/biosdecode -- gen_context(system_u:object_r:dmidecode_exec_t,s0)
+/usr/bin/dmidecode -- gen_context(system_u:object_r:dmidecode_exec_t,s0)
+/usr/bin/ownership -- gen_context(system_u:object_r:dmidecode_exec_t,s0)
+/usr/bin/vpddecode -- gen_context(system_u:object_r:dmidecode_exec_t,s0)
+
/usr/sbin/biosdecode -- gen_context(system_u:object_r:dmidecode_exec_t,s0)
/usr/sbin/dmidecode -- gen_context(system_u:object_r:dmidecode_exec_t,s0)
/usr/sbin/ownership -- gen_context(system_u:object_r:dmidecode_exec_t,s0)
diff --git a/policy/modules/contrib/dnsmasq.fc b/policy/modules/contrib/dnsmasq.fc
index a7169462..07ffc0d4 100644
--- a/policy/modules/contrib/dnsmasq.fc
+++ b/policy/modules/contrib/dnsmasq.fc
@@ -3,6 +3,8 @@
/etc/rc\.d/init\.d/dnsmasq -- gen_context(system_u:object_r:dnsmasq_initrc_exec_t,s0)
+/usr/bin/dnsmasq -- gen_context(system_u:object_r:dnsmasq_exec_t,s0)
+
# Systemd unit file
/usr/lib/systemd/system/[^/]*dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_unit_t,s0)
diff --git a/policy/modules/contrib/dnssectrigger.fc b/policy/modules/contrib/dnssectrigger.fc
index 312949dc..e2ed6e23 100644
--- a/policy/modules/contrib/dnssectrigger.fc
+++ b/policy/modules/contrib/dnssectrigger.fc
@@ -2,6 +2,8 @@
/etc/rc\.d/init\.d/dnssec-triggerd -- gen_context(system_u:object_r:dnssec_triggerd_initrc_exec_t,s0)
+/usr/bin/dnssec-triggerd -- gen_context(system_u:object_r:dnssec_triggerd_exec_t,s0)
+
/usr/sbin/dnssec-triggerd -- gen_context(system_u:object_r:dnssec_triggerd_exec_t,s0)
/var/log/dnssec-trigger\.log.* -- gen_context(system_u:object_r:dnssec_trigger_log_t,s0)
diff --git a/policy/modules/contrib/dovecot.fc b/policy/modules/contrib/dovecot.fc
index c2f5734e..1ab9d643 100644
--- a/policy/modules/contrib/dovecot.fc
+++ b/policy/modules/contrib/dovecot.fc
@@ -8,6 +8,8 @@
/etc/rc\.d/init\.d/dovecot -- gen_context(system_u:object_r:dovecot_initrc_exec_t,s0)
+/usr/bin/dovecot -- gen_context(system_u:object_r:dovecot_exec_t,s0)
+
/usr/sbin/dovecot -- gen_context(system_u:object_r:dovecot_exec_t,s0)
/usr/share/ssl/certs/dovecot\.pem -- gen_context(system_u:object_r:dovecot_cert_t,s0)
diff --git a/policy/modules/contrib/dphysswapfile.fc b/policy/modules/contrib/dphysswapfile.fc
index 5c0feb83..70b0ee3a 100644
--- a/policy/modules/contrib/dphysswapfile.fc
+++ b/policy/modules/contrib/dphysswapfile.fc
@@ -2,6 +2,8 @@
/etc/rc\.d/init\.d/dphys-swapfile -- gen_context(system_u:object_r:dphysswapfile_initrc_exec_t,s0)
+/usr/bin/dphys-swapfile -- gen_context(system_u:object_r:dphysswapfile_exec_t,s0)
+
/usr/sbin/dphys-swapfile -- gen_context(system_u:object_r:dphysswapfile_exec_t,s0)
/var/swap -- gen_context(system_u:object_r:dphysswapfile_swap_t,s0)
diff --git a/policy/modules/contrib/dpkg.fc b/policy/modules/contrib/dpkg.fc
index ad87459f..9ba6e312 100644
--- a/policy/modules/contrib/dpkg.fc
+++ b/policy/modules/contrib/dpkg.fc
@@ -2,6 +2,8 @@
/usr/bin/debsums -- gen_context(system_u:object_r:dpkg_exec_t,s0)
/usr/bin/dpkg -- gen_context(system_u:object_r:dpkg_exec_t,s0)
+/usr/bin/dpkg-preconfigure -- gen_context(system_u:object_r:dpkg_exec_t,s0)
+/usr/bin/dpkg-reconfigure -- gen_context(system_u:object_r:dpkg_exec_t,s0)
/usr/bin/dselect -- gen_context(system_u:object_r:dpkg_exec_t,s0)
/var/lib/debtags(/.*)? gen_context(system_u:object_r:dpkg_var_lib_t,s0)
diff --git a/policy/modules/contrib/drbd.fc b/policy/modules/contrib/drbd.fc
index d5d54f78..3b7da568 100644
--- a/policy/modules/contrib/drbd.fc
+++ b/policy/modules/contrib/drbd.fc
@@ -1,5 +1,8 @@
/etc/rc\.d/init\.d/drbd -- gen_context(system_u:object_r:drbd_initrc_exec_t,s0)
+/usr/bin/drbdadm -- gen_context(system_u:object_r:drbd_exec_t,s0)
+/usr/bin/drbdsetup -- gen_context(system_u:object_r:drbd_exec_t,s0)
+
/usr/lib/ocf/resource.\d/linbit/drbd -- gen_context(system_u:object_r:drbd_exec_t,s0)
/usr/sbin/drbdadm -- gen_context(system_u:object_r:drbd_exec_t,s0)
diff --git a/policy/modules/contrib/entropyd.fc b/policy/modules/contrib/entropyd.fc
index 3a0377e9..b7342ef2 100644
--- a/policy/modules/contrib/entropyd.fc
+++ b/policy/modules/contrib/entropyd.fc
@@ -1,5 +1,8 @@
/etc/rc\.d/init\.d/((audio-entropyd)|(haveged)) -- gen_context(system_u:object_r:entropyd_initrc_exec_t,s0)
+/usr/bin/audio-entropyd -- gen_context(system_u:object_r:entropyd_exec_t,s0)
+/usr/bin/haveged -- gen_context(system_u:object_r:entropyd_exec_t,s0)
+
/usr/sbin/audio-entropyd -- gen_context(system_u:object_r:entropyd_exec_t,s0)
/usr/sbin/haveged -- gen_context(system_u:object_r:entropyd_exec_t,s0)
diff --git a/policy/modules/contrib/exim.fc b/policy/modules/contrib/exim.fc
index 842cb34a..bd1f558a 100644
--- a/policy/modules/contrib/exim.fc
+++ b/policy/modules/contrib/exim.fc
@@ -3,6 +3,9 @@
/run/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_pid_t,s0)
/run/exim[0-9]?\.pid -- gen_context(system_u:object_r:exim_pid_t,s0)
+/usr/bin/exim[0-9]? -- gen_context(system_u:object_r:exim_exec_t,s0)
+/usr/bin/exim_tidydb -- gen_context(system_u:object_r:exim_exec_t,s0)
+
/usr/sbin/exim[0-9]? -- gen_context(system_u:object_r:exim_exec_t,s0)
/usr/sbin/exim_tidydb -- gen_context(system_u:object_r:exim_exec_t,s0)
diff --git a/policy/modules/contrib/fakehwclock.fc b/policy/modules/contrib/fakehwclock.fc
index b0a55f6e..0ab3bd87 100644
--- a/policy/modules/contrib/fakehwclock.fc
+++ b/policy/modules/contrib/fakehwclock.fc
@@ -1,5 +1,7 @@
/etc/fake-hwclock\.data -- gen_context(system_u:object_r:fakehwclock_backup_t,s0)
+/usr/bin/fake-hwclock -- gen_context(system_u:object_r:fakehwclock_exec_t,s0)
+
/usr/sbin/fake-hwclock -- gen_context(system_u:object_r:fakehwclock_exec_t,s0)
/usr/lib/systemd/system/fake-hwclock\.service -- gen_context(system_u:object_r:fakehwclock_unit_t,s0)
diff --git a/policy/modules/contrib/fcoe.fc b/policy/modules/contrib/fcoe.fc
index 0cf8db8a..cb9552db 100644
--- a/policy/modules/contrib/fcoe.fc
+++ b/policy/modules/contrib/fcoe.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/fcoe -- gen_context(system_u:object_r:fcoemon_initrc_exec_t,s0)
+/usr/bin/fcoemon -- gen_context(system_u:object_r:fcoemon_exec_t,s0)
+
/usr/sbin/fcoemon -- gen_context(system_u:object_r:fcoemon_exec_t,s0)
/run/fcm(/.*)? gen_context(system_u:object_r:fcoemon_var_run_t,s0)
diff --git a/policy/modules/contrib/finger.fc b/policy/modules/contrib/finger.fc
index 422a9492..ce3adb5c 100644
--- a/policy/modules/contrib/finger.fc
+++ b/policy/modules/contrib/finger.fc
@@ -2,6 +2,9 @@
/etc/cron\.weekly/(c)?fingerd -- gen_context(system_u:object_r:fingerd_exec_t,s0)
+/usr/bin/in\.(x)?fingerd -- gen_context(system_u:object_r:fingerd_exec_t,s0)
+/usr/bin/[cef]fingerd -- gen_context(system_u:object_r:fingerd_exec_t,s0)
+
/usr/sbin/in\.(x)?fingerd -- gen_context(system_u:object_r:fingerd_exec_t,s0)
/usr/sbin/[cef]fingerd -- gen_context(system_u:object_r:fingerd_exec_t,s0)
diff --git a/policy/modules/contrib/firewalld.fc b/policy/modules/contrib/firewalld.fc
index 0e595c42..19fc9177 100644
--- a/policy/modules/contrib/firewalld.fc
+++ b/policy/modules/contrib/firewalld.fc
@@ -2,6 +2,8 @@
/etc/firewalld(/.*)? gen_context(system_u:object_r:firewalld_etc_rw_t,s0)
+/usr/bin/firewalld -- gen_context(system_u:object_r:firewalld_exec_t,s0)
+
/usr/sbin/firewalld -- gen_context(system_u:object_r:firewalld_exec_t,s0)
/var/log/firewalld.* -- gen_context(system_u:object_r:firewalld_var_log_t,s0)
diff --git a/policy/modules/contrib/firstboot.fc b/policy/modules/contrib/firstboot.fc
index 12c782c8..2aafeb25 100644
--- a/policy/modules/contrib/firstboot.fc
+++ b/policy/modules/contrib/firstboot.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/firstboot.* -- gen_context(system_u:object_r:firstboot_initrc_exec_t,s0)
+/usr/bin/firstboot -- gen_context(system_u:object_r:firstboot_exec_t,s0)
+
/usr/sbin/firstboot -- gen_context(system_u:object_r:firstboot_exec_t,s0)
/usr/share/firstboot/firstboot\.py -- gen_context(system_u:object_r:firstboot_exec_t,s0)
diff --git a/policy/modules/contrib/ftp.fc b/policy/modules/contrib/ftp.fc
index 03adaab6..6af8b34f 100644
--- a/policy/modules/contrib/ftp.fc
+++ b/policy/modules/contrib/ftp.fc
@@ -6,6 +6,11 @@
/etc/rc\.d/init\.d/proftpd -- gen_context(system_u:object_r:ftpd_initrc_exec_t,s0)
/usr/bin/ftpdctl -- gen_context(system_u:object_r:ftpdctl_exec_t,s0)
+/usr/bin/ftpwho -- gen_context(system_u:object_r:ftpd_exec_t,s0)
+/usr/bin/in\.ftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
+/usr/bin/muddleftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
+/usr/bin/proftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
+/usr/bin/vsftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
/usr/kerberos/sbin/ftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
diff --git a/policy/modules/contrib/gatekeeper.fc b/policy/modules/contrib/gatekeeper.fc
index 5d37898e..516f65a2 100644
--- a/policy/modules/contrib/gatekeeper.fc
+++ b/policy/modules/contrib/gatekeeper.fc
@@ -2,6 +2,9 @@
/etc/rc\.d/init\.d/gnugk -- gen_context(system_u:object_r:gatekeeper_initrc_exec_t,s0)
+/usr/bin/gk -- gen_context(system_u:object_r:gatekeeper_exec_t,s0)
+/usr/bin/gnugk -- gen_context(system_u:object_r:gatekeeper_exec_t,s0)
+
/usr/sbin/gk -- gen_context(system_u:object_r:gatekeeper_exec_t,s0)
/usr/sbin/gnugk -- gen_context(system_u:object_r:gatekeeper_exec_t,s0)
diff --git a/policy/modules/contrib/glusterfs.fc b/policy/modules/contrib/glusterfs.fc
index e2d1f847..be43eb4f 100644
--- a/policy/modules/contrib/glusterfs.fc
+++ b/policy/modules/contrib/glusterfs.fc
@@ -3,6 +3,9 @@
/etc/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0)
/etc/glusterd(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0)
+/usr/bin/glusterd -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
+/usr/bin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0)
+
/usr/sbin/glusterd -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
/usr/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0)
diff --git a/policy/modules/contrib/gpm.fc b/policy/modules/contrib/gpm.fc
index aacc7f9f..24531dc0 100644
--- a/policy/modules/contrib/gpm.fc
+++ b/policy/modules/contrib/gpm.fc
@@ -6,6 +6,8 @@
/etc/rc\.d/init\.d/gpm -- gen_context(system_u:object_r:gpm_initrc_exec_t,s0)
+/usr/bin/gpm -- gen_context(system_u:object_r:gpm_exec_t,s0)
+
/usr/sbin/gpm -- gen_context(system_u:object_r:gpm_exec_t,s0)
/run/gpm\.pid -- gen_context(system_u:object_r:gpm_var_run_t,s0)
diff --git a/policy/modules/contrib/gpsd.fc b/policy/modules/contrib/gpsd.fc
index 9909197d..4e62fd9e 100644
--- a/policy/modules/contrib/gpsd.fc
+++ b/policy/modules/contrib/gpsd.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/gpsd -- gen_context(system_u:object_r:gpsd_initrc_exec_t,s0)
+/usr/bin/gpsd -- gen_context(system_u:object_r:gpsd_exec_t,s0)
+
/usr/sbin/gpsd -- gen_context(system_u:object_r:gpsd_exec_t,s0)
/run/gpsd\.pid -- gen_context(system_u:object_r:gpsd_var_run_t,s0)
diff --git a/policy/modules/contrib/hal.fc b/policy/modules/contrib/hal.fc
index cf311f5a..5ac1f7a7 100644
--- a/policy/modules/contrib/hal.fc
+++ b/policy/modules/contrib/hal.fc
@@ -2,6 +2,8 @@
/etc/hal/device\.d/printer_remove\.hal -- gen_context(system_u:object_r:hald_exec_t,s0)
/usr/bin/hal-setup-keymap -- gen_context(system_u:object_r:hald_keymap_exec_t,s0)
+/usr/bin/hald -- gen_context(system_u:object_r:hald_exec_t,s0)
+/usr/bin/radeontool -- gen_context(system_u:object_r:hald_mac_exec_t,s0)
/usr/libexec/hal-acl-tool -- gen_context(system_u:object_r:hald_acl_exec_t,s0)
/usr/libexec/hal-dccm -- gen_context(system_u:object_r:hald_dccm_exec_t,s0)
diff --git a/policy/modules/contrib/hddtemp.fc b/policy/modules/contrib/hddtemp.fc
index 993b14ac..f1d334eb 100644
--- a/policy/modules/contrib/hddtemp.fc
+++ b/policy/modules/contrib/hddtemp.fc
@@ -2,4 +2,6 @@
/etc/sysconfig/hddtemp -- gen_context(system_u:object_r:hddtemp_etc_t,s0)
+/usr/bin/hddtemp -- gen_context(system_u:object_r:hddtemp_exec_t,s0)
+
/usr/sbin/hddtemp -- gen_context(system_u:object_r:hddtemp_exec_t,s0)
diff --git a/policy/modules/contrib/hwloc.fc b/policy/modules/contrib/hwloc.fc
index ade2ac01..136bb697 100644
--- a/policy/modules/contrib/hwloc.fc
+++ b/policy/modules/contrib/hwloc.fc
@@ -1,5 +1,7 @@
-/usr/sbin/hwloc-dump-hwdata -- gen_context(system_u:object_r:hwloc_dhwd_exec_t,s0)
+/usr/bin/hwloc-dump-hwdata -- gen_context(system_u:object_r:hwloc_dhwd_exec_t,s0)
/usr/lib/systemd/system/hwloc-dump-hwdata.* -- gen_context(system_u:object_r:hwloc_dhwd_unit_t,s0)
+/usr/sbin/hwloc-dump-hwdata -- gen_context(system_u:object_r:hwloc_dhwd_exec_t,s0)
+
/run/hwloc(/.*)? gen_context(system_u:object_r:hwloc_var_run_t,s0)
diff --git a/policy/modules/contrib/hypervkvp.fc b/policy/modules/contrib/hypervkvp.fc
index b46130ef..d1bbb44c 100644
--- a/policy/modules/contrib/hypervkvp.fc
+++ b/policy/modules/contrib/hypervkvp.fc
@@ -1,3 +1,5 @@
/etc/rc\.d/init\.d/hypervkvpd -- gen_context(system_u:object_r:hypervkvpd_initrc_exec_t,s0)
+/usr/bin/hv_kvp_daemon -- gen_context(system_u:object_r:hypervkvpd_exec_t,s0)
+
/usr/sbin/hv_kvp_daemon -- gen_context(system_u:object_r:hypervkvpd_exec_t,s0)
diff --git a/policy/modules/contrib/i18n_input.fc b/policy/modules/contrib/i18n_input.fc
index 05aa1da3..9dcc65aa 100644
--- a/policy/modules/contrib/i18n_input.fc
+++ b/policy/modules/contrib/i18n_input.fc
@@ -2,6 +2,8 @@
/usr/bin/iiimd -- gen_context(system_u:object_r:i18n_input_exec_t,s0)
/usr/bin/iiimd\.bin -- gen_context(system_u:object_r:i18n_input_exec_t,s0)
+/usr/bin/htt -- gen_context(system_u:object_r:i18n_input_exec_t,s0)
+/usr/bin/htt_server -- gen_context(system_u:object_r:i18n_input_exec_t,s0)
/usr/bin/httx -- gen_context(system_u:object_r:i18n_input_exec_t,s0)
/usr/bin/htt_xbe -- gen_context(system_u:object_r:i18n_input_exec_t,s0)
/usr/bin/iiimx -- gen_context(system_u:object_r:i18n_input_exec_t,s0)
diff --git a/policy/modules/contrib/ifplugd.fc b/policy/modules/contrib/ifplugd.fc
index 8c365f5c..2a1e9290 100644
--- a/policy/modules/contrib/ifplugd.fc
+++ b/policy/modules/contrib/ifplugd.fc
@@ -2,6 +2,8 @@
/etc/rc\.d/init\.d/ifplugd -- gen_context(system_u:object_r:ifplugd_initrc_exec_t,s0)
+/usr/bin/ifplugd -- gen_context(system_u:object_r:ifplugd_exec_t,s0)
+
/usr/sbin/ifplugd -- gen_context(system_u:object_r:ifplugd_exec_t,s0)
/run/ifplugd.* gen_context(system_u:object_r:ifplugd_var_run_t,s0)
diff --git a/policy/modules/contrib/inetd.fc b/policy/modules/contrib/inetd.fc
index 7973588d..3329de47 100644
--- a/policy/modules/contrib/inetd.fc
+++ b/policy/modules/contrib/inetd.fc
@@ -2,6 +2,12 @@
/usr/local/lib/pysieved/pysieved.*\.py -- gen_context(system_u:object_r:inetd_child_exec_t,s0)
+/usr/bin/identd -- gen_context(system_u:object_r:inetd_child_exec_t,s0)
+/usr/bin/in\..*d -- gen_context(system_u:object_r:inetd_child_exec_t,s0)
+
+/usr/bin/rlinetd -- gen_context(system_u:object_r:inetd_exec_t,s0)
+/usr/bin/(x)?inetd -- gen_context(system_u:object_r:inetd_exec_t,s0)
+
/usr/sbin/identd -- gen_context(system_u:object_r:inetd_child_exec_t,s0)
/usr/sbin/in\..*d -- gen_context(system_u:object_r:inetd_child_exec_t,s0)
diff --git a/policy/modules/contrib/inn.fc b/policy/modules/contrib/inn.fc
index 28a4f604..eb9bda28 100644
--- a/policy/modules/contrib/inn.fc
+++ b/policy/modules/contrib/inn.fc
@@ -3,10 +3,12 @@
/etc/rc\.d/init\.d/innd -- gen_context(system_u:object_r:innd_initrc_exec_t,s0)
-/usr/bin/inews -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/bin/rnews -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/bin/rpost -- gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/bin/suck -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/bin/inews -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/bin/in\.nnrpd -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/bin/innd.* -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/bin/rnews -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/bin/rpost -- gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/bin/suck -- gen_context(system_u:object_r:innd_exec_t,s0)
/usr/sbin/in\.nnrpd -- gen_context(system_u:object_r:innd_exec_t,s0)
/usr/sbin/innd.* -- gen_context(system_u:object_r:innd_exec_t,s0)
diff --git a/policy/modules/contrib/iodine.fc b/policy/modules/contrib/iodine.fc
index 53b6a139..7ae0c069 100644
--- a/policy/modules/contrib/iodine.fc
+++ b/policy/modules/contrib/iodine.fc
@@ -2,4 +2,6 @@
/run/iodine(/.*)? gen_context(system_u:object_r:iodined_var_run_t,s0)
+/usr/bin/iodined -- gen_context(system_u:object_r:iodined_exec_t,s0)
+
/usr/sbin/iodined -- gen_context(system_u:object_r:iodined_exec_t,s0)
diff --git a/policy/modules/contrib/ircd.fc b/policy/modules/contrib/ircd.fc
index 07decaa2..f1944c75 100644
--- a/policy/modules/contrib/ircd.fc
+++ b/policy/modules/contrib/ircd.fc
@@ -5,7 +5,9 @@
/etc/rc\.d/init\.d/((ircd)|(ngircd)|(dancer-ircd)) -- gen_context(system_u:object_r:ircd_initrc_exec_t,s0)
+/usr/bin/dancer-ircd -- gen_context(system_u:object_r:ircd_exec_t,s0)
/usr/bin/ircd -- gen_context(system_u:object_r:ircd_exec_t,s0)
+/usr/bin/ngircd -- gen_context(system_u:object_r:ircd_exec_t,s0)
/usr/sbin/dancer-ircd -- gen_context(system_u:object_r:ircd_exec_t,s0)
/usr/sbin/ircd -- gen_context(system_u:object_r:ircd_exec_t,s0)
diff --git a/policy/modules/contrib/irqbalance.fc b/policy/modules/contrib/irqbalance.fc
index 77530088..a9fb4296 100644
--- a/policy/modules/contrib/irqbalance.fc
+++ b/policy/modules/contrib/irqbalance.fc
@@ -4,4 +4,6 @@
/run/irqbalance\.pid -- gen_context(system_u:object_r:irqbalance_pid_t,s0)
+/usr/bin/irqbalance -- gen_context(system_u:object_r:irqbalance_exec_t,s0)
+
/usr/sbin/irqbalance -- gen_context(system_u:object_r:irqbalance_exec_t,s0)
diff --git a/policy/modules/contrib/iscsi.fc b/policy/modules/contrib/iscsi.fc
index 29c1e5cd..9503952e 100644
--- a/policy/modules/contrib/iscsi.fc
+++ b/policy/modules/contrib/iscsi.fc
@@ -1,5 +1,9 @@
/etc/rc\.d/init\.d/((iscsi)|(iscsid)) -- gen_context(system_u:object_r:iscsi_initrc_exec_t,s0)
+/usr/bin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0)
+/usr/bin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
+/usr/bin/iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
+
/usr/sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0)
/usr/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
/usr/sbin/iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
diff --git a/policy/modules/contrib/isns.fc b/policy/modules/contrib/isns.fc
index f00d23d1..488e9a0c 100644
--- a/policy/modules/contrib/isns.fc
+++ b/policy/modules/contrib/isns.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/isnsd -- gen_context(system_u:object_r:isnsd_initrc_exec_t,s0)
+/usr/bin/isnsd -- gen_context(system_u:object_r:isnsd_exec_t,s0)
+
/usr/sbin/isnsd -- gen_context(system_u:object_r:isnsd_exec_t,s0)
/var/lib/isns(/.*)? gen_context(system_u:object_r:isnsd_var_lib_t,s0)
diff --git a/policy/modules/contrib/jabber.fc b/policy/modules/contrib/jabber.fc
index e31f56e8..bda8b8c5 100644
--- a/policy/modules/contrib/jabber.fc
+++ b/policy/modules/contrib/jabber.fc
@@ -1,10 +1,13 @@
/etc/rc\.d/init\.d/((jabber)|(ejabberd)|(jabberd)) -- gen_context(system_u:object_r:jabberd_initrc_exec_t,s0)
-/usr/bin/router -- gen_context(system_u:object_r:jabberd_router_exec_t,s0)
-/usr/bin/c2s -- gen_context(system_u:object_r:jabberd_router_exec_t,s0)
+/usr/bin/c2s -- gen_context(system_u:object_r:jabberd_router_exec_t,s0)
+/usr/bin/ejabberd -- gen_context(system_u:object_r:jabberd_exec_t,s0)
+/usr/bin/ejabberdctl -- gen_context(system_u:object_r:jabberd_exec_t,s0)
+/usr/bin/jabberd -- gen_context(system_u:object_r:jabberd_exec_t,s0)
/usr/bin/prosody -- gen_context(system_u:object_r:jabberd_exec_t,s0)
-/usr/bin/s2s -- gen_context(system_u:object_r:jabberd_exec_t,s0)
-/usr/bin/sm -- gen_context(system_u:object_r:jabberd_exec_t,s0)
+/usr/bin/router -- gen_context(system_u:object_r:jabberd_router_exec_t,s0)
+/usr/bin/s2s -- gen_context(system_u:object_r:jabberd_exec_t,s0)
+/usr/bin/sm -- gen_context(system_u:object_r:jabberd_exec_t,s0)
/usr/sbin/ejabberd -- gen_context(system_u:object_r:jabberd_exec_t,s0)
/usr/sbin/ejabberdctl -- gen_context(system_u:object_r:jabberd_exec_t,s0)
diff --git a/policy/modules/contrib/kdump.fc b/policy/modules/contrib/kdump.fc
index 94c0daa2..4e396725 100644
--- a/policy/modules/contrib/kdump.fc
+++ b/policy/modules/contrib/kdump.fc
@@ -2,7 +2,9 @@
/etc/rc\.d/init\.d/kdump -- gen_context(system_u:object_r:kdump_initrc_exec_t,s0)
+/usr/bin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0)
/usr/bin/kdumpctl -- gen_context(system_u:object_r:kdumpctl_exec_t,s0)
+/usr/bin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0)
/usr/lib/systemd/system/kdump.*\.service -- gen_context(system_u:object_r:kdump_unit_t,s0)
diff --git a/policy/modules/contrib/kerberos.fc b/policy/modules/contrib/kerberos.fc
index 4fe75fd6..df21fcc7 100644
--- a/policy/modules/contrib/kerberos.fc
+++ b/policy/modules/contrib/kerberos.fc
@@ -13,6 +13,9 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
/etc/rc\.d/init\.d/krb524d -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
/etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
+/usr/bin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
+/usr/bin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
+
/usr/kerberos/sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
/usr/kerberos/sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
/usr/kerberos/sbin/kadmin\.local -- gen_context(system_u:object_r:kadmind_exec_t,s0)
diff --git a/policy/modules/contrib/kerneloops.fc b/policy/modules/contrib/kerneloops.fc
index 5ef261a3..d0db3544 100644
--- a/policy/modules/contrib/kerneloops.fc
+++ b/policy/modules/contrib/kerneloops.fc
@@ -1,3 +1,5 @@
/etc/rc\.d/init\.d/kerneloops -- gen_context(system_u:object_r:kerneloops_initrc_exec_t,s0)
+/usr/bin/kerneloops -- gen_context(system_u:object_r:kerneloops_exec_t,s0)
+
/usr/sbin/kerneloops -- gen_context(system_u:object_r:kerneloops_exec_t,s0)
diff --git a/policy/modules/contrib/ksmtuned.fc b/policy/modules/contrib/ksmtuned.fc
index 7229ce8b..68f3623b 100644
--- a/policy/modules/contrib/ksmtuned.fc
+++ b/policy/modules/contrib/ksmtuned.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/ksmtuned -- gen_context(system_u:object_r:ksmtuned_initrc_exec_t,s0)
+/usr/bin/ksmtuned -- gen_context(system_u:object_r:ksmtuned_exec_t,s0)
+
/usr/sbin/ksmtuned -- gen_context(system_u:object_r:ksmtuned_exec_t,s0)
/var/log/ksmtuned.* gen_context(system_u:object_r:ksmtuned_log_t,s0)
diff --git a/policy/modules/contrib/ktalk.fc b/policy/modules/contrib/ktalk.fc
index 38ecb07d..fae3b8c4 100644
--- a/policy/modules/contrib/ktalk.fc
+++ b/policy/modules/contrib/ktalk.fc
@@ -1,4 +1,6 @@
-/usr/bin/ktalkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0)
+/usr/bin/in\.talkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0)
+/usr/bin/in\.ntalkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0)
+/usr/bin/ktalkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0)
/usr/sbin/in\.talkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0)
/usr/sbin/in\.ntalkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0)
diff --git a/policy/modules/contrib/kudzu.fc b/policy/modules/contrib/kudzu.fc
index a0030a74..a0127d49 100644
--- a/policy/modules/contrib/kudzu.fc
+++ b/policy/modules/contrib/kudzu.fc
@@ -1,6 +1,9 @@
/etc/rc\.d/init\.d/kudzu -- gen_context(system_u:object_r:kudzu_initrc_exec_t,s0)
+/usr/bin/kmodule -- gen_context(system_u:object_r:kudzu_exec_t,s0)
+/usr/bin/kudzu -- gen_context(system_u:object_r:kudzu_exec_t,s0)
+
/usr/sbin/kmodule -- gen_context(system_u:object_r:kudzu_exec_t,s0)
-/usr/sbin/kudzu -- gen_context(system_u:object_r:kudzu_exec_t,s0)
+/usr/sbin/kudzu -- gen_context(system_u:object_r:kudzu_exec_t,s0)
/run/kudzu(/.*)? gen_context(system_u:object_r:kudzu_var_run_t,s0)
diff --git a/policy/modules/contrib/l2tp.fc b/policy/modules/contrib/l2tp.fc
index 77d5c5a6..499c7de6 100644
--- a/policy/modules/contrib/l2tp.fc
+++ b/policy/modules/contrib/l2tp.fc
@@ -4,6 +4,8 @@
/etc/sysconfig/.*l2tpd -- gen_context(system_u:object_r:l2tp_conf_t,s0)
+/usr/bin/.*l2tpd -- gen_context(system_u:object_r:l2tpd_exec_t,s0)
+
/usr/sbin/.*l2tpd -- gen_context(system_u:object_r:l2tpd_exec_t,s0)
/run/.*l2tpd(/.*)? gen_context(system_u:object_r:l2tpd_var_run_t,s0)
diff --git a/policy/modules/contrib/ldap.fc b/policy/modules/contrib/ldap.fc
index 38b123d7..174f4d73 100644
--- a/policy/modules/contrib/ldap.fc
+++ b/policy/modules/contrib/ldap.fc
@@ -4,6 +4,8 @@
/etc/rc\.d/init\.d/ldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0)
+/usr/bin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
+
/usr/sbin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
/usr/lib/openldap/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
diff --git a/policy/modules/contrib/likewise.fc b/policy/modules/contrib/likewise.fc
index 0a5cc34e..c95fd7d5 100644
--- a/policy/modules/contrib/likewise.fc
+++ b/policy/modules/contrib/likewise.fc
@@ -21,6 +21,15 @@
/opt/likewise/sbin/netlogond -- gen_context(system_u:object_r:netlogond_exec_t,s0)
/opt/likewise/sbin/srvsvcd -- gen_context(system_u:object_r:srvsvcd_exec_t,s0)
+/usr/bin/dcerpcd -- gen_context(system_u:object_r:dcerpcd_exec_t,s0)
+/usr/bin/eventlogd -- gen_context(system_u:object_r:eventlogd_exec_t,s0)
+/usr/bin/lsassd -- gen_context(system_u:object_r:lsassd_exec_t,s0)
+/usr/bin/lwiod -- gen_context(system_u:object_r:lwiod_exec_t,s0)
+/usr/bin/lwregd -- gen_context(system_u:object_r:lwregd_exec_t,s0)
+/usr/bin/lwsmd -- gen_context(system_u:object_r:lwsmd_exec_t,s0)
+/usr/bin/netlogond -- gen_context(system_u:object_r:netlogond_exec_t,s0)
+/usr/bin/srvsvcd -- gen_context(system_u:object_r:srvsvcd_exec_t,s0)
+
/usr/sbin/dcerpcd -- gen_context(system_u:object_r:dcerpcd_exec_t,s0)
/usr/sbin/eventlogd -- gen_context(system_u:object_r:eventlogd_exec_t,s0)
/usr/sbin/lsassd -- gen_context(system_u:object_r:lsassd_exec_t,s0)
diff --git a/policy/modules/contrib/lircd.fc b/policy/modules/contrib/lircd.fc
index d38234fd..79947d0c 100644
--- a/policy/modules/contrib/lircd.fc
+++ b/policy/modules/contrib/lircd.fc
@@ -5,6 +5,8 @@
/etc/rc\.d/init\.d/lirc -- gen_context(system_u:object_r:lircd_initrc_exec_t,s0)
+/usr/bin/lircd -- gen_context(system_u:object_r:lircd_exec_t,s0)
+
# Systemd unit file
/usr/lib/systemd/system/[^/]*lircd.* -- gen_context(system_u:object_r:lircd_unit_t,s0)
diff --git a/policy/modules/contrib/lldpad.fc b/policy/modules/contrib/lldpad.fc
index 385eccf4..305b8de7 100644
--- a/policy/modules/contrib/lldpad.fc
+++ b/policy/modules/contrib/lldpad.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/lldpad -- gen_context(system_u:object_r:lldpad_initrc_exec_t,s0)
+/usr/bin/lldpad -- gen_context(system_u:object_r:lldpad_exec_t,s0)
+
/usr/sbin/lldpad -- gen_context(system_u:object_r:lldpad_exec_t,s0)
/var/lib/lldpad(/.*)? gen_context(system_u:object_r:lldpad_var_lib_t,s0)
diff --git a/policy/modules/contrib/lockdev.fc b/policy/modules/contrib/lockdev.fc
index 4fd0fda9..65ed30df 100644
--- a/policy/modules/contrib/lockdev.fc
+++ b/policy/modules/contrib/lockdev.fc
@@ -1,3 +1,5 @@
+/usr/bin/lockdev -- gen_context(system_u:object_r:lockdev_exec_t,s0)
+
/usr/sbin/lockdev -- gen_context(system_u:object_r:lockdev_exec_t,s0)
/var/lock/lockdev(/.*)? gen_context(system_u:object_r:lockdev_lock_t,s0)
diff --git a/policy/modules/contrib/logrotate.fc b/policy/modules/contrib/logrotate.fc
index ad215962..dac1af39 100644
--- a/policy/modules/contrib/logrotate.fc
+++ b/policy/modules/contrib/logrotate.fc
@@ -1,6 +1,8 @@
/etc/cron\.(daily|weekly)/logrotate -- gen_context(system_u:object_r:logrotate_exec_t,s0)
/etc/cron\.(daily|weekly)/sysklogd -- gen_context(system_u:object_r:logrotate_exec_t,s0)
+/usr/bin/logrotate -- gen_context(system_u:object_r:logrotate_exec_t,s0)
+
# Systemd unit file
/usr/lib/systemd/system/[^/]*logrotate.* -- gen_context(system_u:object_r:logrotate_unit_t,s0)
diff --git a/policy/modules/contrib/logwatch.fc b/policy/modules/contrib/logwatch.fc
index 792e3cf7..7e83c901 100644
--- a/policy/modules/contrib/logwatch.fc
+++ b/policy/modules/contrib/logwatch.fc
@@ -1,3 +1,7 @@
+/usr/bin/epylog -- gen_context(system_u:object_r:logwatch_exec_t,s0)
+/usr/bin/logcheck -- gen_context(system_u:object_r:logwatch_exec_t,s0)
+/usr/bin/logwatch\.pl -- gen_context(system_u:object_r:logwatch_exec_t,s0)
+
/usr/sbin/epylog -- gen_context(system_u:object_r:logwatch_exec_t,s0)
/usr/sbin/logcheck -- gen_context(system_u:object_r:logwatch_exec_t,s0)
/usr/sbin/logwatch\.pl -- gen_context(system_u:object_r:logwatch_exec_t,s0)
diff --git a/policy/modules/contrib/lpd.fc b/policy/modules/contrib/lpd.fc
index cd1aa707..8916d38e 100644
--- a/policy/modules/contrib/lpd.fc
+++ b/policy/modules/contrib/lpd.fc
@@ -3,19 +3,26 @@
/opt/gutenprint/bin(/.*)? gen_context(system_u:object_r:lpr_exec_t,s0)
/opt/gutenprint/sbin(/.*)? gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/bin/accept -- gen_context(system_u:object_r:lpr_exec_t,s0)
/usr/bin/cancel(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
-/usr/bin/lp(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
-/usr/bin/lpoptions -- gen_context(system_u:object_r:lpr_exec_t,s0)
-/usr/bin/lpq(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
-/usr/bin/lpr(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
-/usr/bin/lprm(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/bin/checkpc -- gen_context(system_u:object_r:checkpc_exec_t,s0)
+/usr/bin/lp(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/bin/lpadmin -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/bin/lpc(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/bin/lpd -- gen_context(system_u:object_r:lpd_exec_t,s0)
+/usr/bin/lpinfo -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/bin/lpmove -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/bin/lpoptions -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/bin/lpq(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/bin/lpr(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/bin/lprm(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
/usr/bin/lpstat(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
/usr/sbin/accept -- gen_context(system_u:object_r:lpr_exec_t,s0)
/usr/sbin/checkpc -- gen_context(system_u:object_r:checkpc_exec_t,s0)
-/usr/sbin/lpd -- gen_context(system_u:object_r:lpd_exec_t,s0)
/usr/sbin/lpadmin -- gen_context(system_u:object_r:lpr_exec_t,s0)
/usr/sbin/lpc(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/sbin/lpd -- gen_context(system_u:object_r:lpd_exec_t,s0)
/usr/sbin/lpinfo -- gen_context(system_u:object_r:lpr_exec_t,s0)
/usr/sbin/lpmove -- gen_context(system_u:object_r:lpr_exec_t,s0)
diff --git a/policy/modules/contrib/mailscanner.fc b/policy/modules/contrib/mailscanner.fc
index 00ecd1b2..cc6a8f88 100644
--- a/policy/modules/contrib/mailscanner.fc
+++ b/policy/modules/contrib/mailscanner.fc
@@ -6,6 +6,8 @@
/etc/sysconfig/update_spamassassin -- gen_context(system_u:object_r:mscan_etc_t,s0)
+/usr/bin/MailScanner -- gen_context(system_u:object_r:mscan_exec_t,s0)
+
/usr/sbin/MailScanner -- gen_context(system_u:object_r:mscan_exec_t,s0)
/run/MailScanner\.pid -- gen_context(system_u:object_r:mscan_var_run_t,s0)
diff --git a/policy/modules/contrib/mcelog.fc b/policy/modules/contrib/mcelog.fc
index 86d8bdba..a91a13f9 100644
--- a/policy/modules/contrib/mcelog.fc
+++ b/policy/modules/contrib/mcelog.fc
@@ -2,6 +2,8 @@
/etc/rc\.d/init\.d/mcelog -- gen_context(system_u:object_r:mcelog_initrc_exec_t,s0)
+/usr/bin/mcelog -- gen_context(system_u:object_r:mcelog_exec_t,s0)
+
/usr/sbin/mcelog -- gen_context(system_u:object_r:mcelog_exec_t,s0)
/var/log/mcelog.* -- gen_context(system_u:object_r:mcelog_log_t,s0)
diff --git a/policy/modules/contrib/milter.fc b/policy/modules/contrib/milter.fc
index 38a65aac..378d5e4c 100644
--- a/policy/modules/contrib/milter.fc
+++ b/policy/modules/contrib/milter.fc
@@ -1,3 +1,8 @@
+/usr/bin/milter-greylist -- gen_context(system_u:object_r:greylist_milter_exec_t,s0)
+/usr/bin/sqlgrey -- gen_context(system_u:object_r:greylist_milter_exec_t,s0)
+/usr/bin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0)
+/usr/bin/spamass-milter -- gen_context(system_u:object_r:spamass_milter_exec_t,s0)
+
/usr/sbin/milter-greylist -- gen_context(system_u:object_r:greylist_milter_exec_t,s0)
/usr/sbin/sqlgrey -- gen_context(system_u:object_r:greylist_milter_exec_t,s0)
/usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0)
diff --git a/policy/modules/contrib/minidlna.fc b/policy/modules/contrib/minidlna.fc
index 37239ebf..79af2d74 100644
--- a/policy/modules/contrib/minidlna.fc
+++ b/policy/modules/contrib/minidlna.fc
@@ -2,6 +2,8 @@
/etc/minidlna\.conf -- gen_context(system_u:object_r:minidlna_conf_t,s0)
+/usr/bin/minidlna -- gen_context(system_u:object_r:minidlna_exec_t,s0)
+
/usr/sbin/minidlna -- gen_context(system_u:object_r:minidlna_exec_t,s0)
/var/cache/minidlna(/.*)? gen_context(system_u:object_r:minidlna_db_t,s0)
diff --git a/policy/modules/contrib/minissdpd.fc b/policy/modules/contrib/minissdpd.fc
index c7a5368b..cdad38ed 100644
--- a/policy/modules/contrib/minissdpd.fc
+++ b/policy/modules/contrib/minissdpd.fc
@@ -2,6 +2,8 @@
/etc/rc\.d/init\.d/minissdpd -- gen_context(system_u:object_r:minissdpd_initrc_exec_t,s0)
+/usr/bin/minissdpd -- gen_context(system_u:object_r:minissdpd_exec_t,s0)
+
/usr/sbin/minissdpd -- gen_context(system_u:object_r:minissdpd_exec_t,s0)
/run/minissdpd\.pid -- gen_context(system_u:object_r:minissdpd_var_run_t,s0)
diff --git a/policy/modules/contrib/modemmanager.fc b/policy/modules/contrib/modemmanager.fc
index c43901e6..88d8ff3f 100644
--- a/policy/modules/contrib/modemmanager.fc
+++ b/policy/modules/contrib/modemmanager.fc
@@ -1,2 +1,5 @@
+/usr/bin/ModemManager -- gen_context(system_u:object_r:modemmanager_exec_t,s0)
+/usr/bin/modem-manager -- gen_context(system_u:object_r:modemmanager_exec_t,s0)
+
/usr/sbin/ModemManager -- gen_context(system_u:object_r:modemmanager_exec_t,s0)
/usr/sbin/modem-manager -- gen_context(system_u:object_r:modemmanager_exec_t,s0)
diff --git a/policy/modules/contrib/mon.fc b/policy/modules/contrib/mon.fc
index c92575b4..71b42ee7 100644
--- a/policy/modules/contrib/mon.fc
+++ b/policy/modules/contrib/mon.fc
@@ -1,5 +1,7 @@
/run/mon(/.*)? gen_context(system_u:object_r:mon_var_run_t,s0)
+/usr/bin/mon -- gen_context(system_u:object_r:mon_exec_t,s0)
+
/usr/lib/mon/mon.d/.* -- gen_context(system_u:object_r:mon_net_test_exec_t,s0)
/usr/lib/mon/mon-local.d/.* -- gen_context(system_u:object_r:mon_local_test_exec_t,s0)
/usr/lib/mon-contrib/mon.d/.* -- gen_context(system_u:object_r:mon_net_test_exec_t,s0)
diff --git a/policy/modules/contrib/monop.fc b/policy/modules/contrib/monop.fc
index f25a1820..f89b50f9 100644
--- a/policy/modules/contrib/monop.fc
+++ b/policy/modules/contrib/monop.fc
@@ -2,6 +2,8 @@
/etc/monopd\.conf -- gen_context(system_u:object_r:monopd_etc_t,s0)
+/usr/bin/monopd -- gen_context(system_u:object_r:monopd_exec_t,s0)
+
/usr/sbin/monopd -- gen_context(system_u:object_r:monopd_exec_t,s0)
/usr/share/monopd/games(/.*)? gen_context(system_u:object_r:monopd_share_t,s0)
diff --git a/policy/modules/contrib/mta.fc b/policy/modules/contrib/mta.fc
index dd9f799a..ace4a1f1 100644
--- a/policy/modules/contrib/mta.fc
+++ b/policy/modules/contrib/mta.fc
@@ -14,6 +14,10 @@ HOME_DIR/\.maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
/usr/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+/usr/bin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+/usr/bin/sendmail\.postfix -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+/usr/bin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+/usr/bin/ssmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
/usr/lib/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
/usr/lib/courier/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
diff --git a/policy/modules/contrib/mysql.fc b/policy/modules/contrib/mysql.fc
index 6735c459..8213e53c 100644
--- a/policy/modules/contrib/mysql.fc
+++ b/policy/modules/contrib/mysql.fc
@@ -7,8 +7,11 @@ HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0)
/etc/rc\.d/init\.d/mysqld? -- gen_context(system_u:object_r:mysqld_initrc_exec_t,s0)
/etc/rc\.d/init\.d/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_initrc_exec_t,s0)
+/usr/bin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0)
/usr/bin/mysqld_safe -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0)
/usr/bin/mysql_upgrade -- gen_context(system_u:object_r:mysqld_exec_t,s0)
+/usr/bin/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0)
+/usr/bin/ndbd -- gen_context(system_u:object_r:mysqld_exec_t,s0)
/usr/lib/systemd/system/mysqld.*\.service -- gen_context(system_u:object_r:mysqld_unit_t,s0)
diff --git a/policy/modules/contrib/nessus.fc b/policy/modules/contrib/nessus.fc
index 9640c364..2065c1b8 100644
--- a/policy/modules/contrib/nessus.fc
+++ b/policy/modules/contrib/nessus.fc
@@ -2,6 +2,8 @@
/etc/rc\.d/init\.d/nessusd -- gen_context(system_u:object_r:nessusd_initrc_exec_t,s0)
+/usr/bin/nessusd -- gen_context(system_u:object_r:nessusd_exec_t,s0)
+
/usr/lib/nessus/plugins/.* -- gen_context(system_u:object_r:nessusd_exec_t,s0)
/usr/sbin/nessusd -- gen_context(system_u:object_r:nessusd_exec_t,s0)
diff --git a/policy/modules/contrib/networkmanager.fc b/policy/modules/contrib/networkmanager.fc
index 1e6d0f5b..16b3c06f 100644
--- a/policy/modules/contrib/networkmanager.fc
+++ b/policy/modules/contrib/networkmanager.fc
@@ -21,9 +21,12 @@
/usr/lib/systemd/system/[^/]*NetworkManager.* -- gen_context(system_u:object_r:NetworkManager_unit_t,s0)
/usr/lib/systemd/system/[^/]*wpa_supplicant.* -- gen_context(system_u:object_r:NetworkManager_unit_t,s0)
-/usr/bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
-/usr/bin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
-/usr/bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/bin/NetworkManagerDispatcher -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/bin/nm-system-settings -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/bin/wicd -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/bin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
+/usr/bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
/usr/sbin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
/usr/sbin/NetworkManagerDispatcher -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
diff --git a/policy/modules/contrib/nis.fc b/policy/modules/contrib/nis.fc
index 2b86f44d..46f101bc 100644
--- a/policy/modules/contrib/nis.fc
+++ b/policy/modules/contrib/nis.fc
@@ -5,6 +5,11 @@
/etc/ypserv\.conf -- gen_context(system_u:object_r:ypserv_conf_t,s0)
+/usr/bin/rpc\.yppasswdd -- gen_context(system_u:object_r:yppasswdd_exec_t,s0)
+/usr/bin/rpc\.ypxfrd -- gen_context(system_u:object_r:ypxfr_exec_t,s0)
+/usr/bin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0)
+/usr/bin/ypserv -- gen_context(system_u:object_r:ypserv_exec_t,s0)
+
/usr/lib/yp/ypxfr -- gen_context(system_u:object_r:ypxfr_exec_t,s0)
/usr/lib/systemd/system/ypbind.*\.service -- gen_context(system_u:object_r:ypbind_unit_t,s0)
diff --git a/policy/modules/contrib/nscd.fc b/policy/modules/contrib/nscd.fc
index 51460f89..4857b5b7 100644
--- a/policy/modules/contrib/nscd.fc
+++ b/policy/modules/contrib/nscd.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/nscd -- gen_context(system_u:object_r:nscd_initrc_exec_t,s0)
+/usr/bin/nscd -- gen_context(system_u:object_r:nscd_exec_t,s0)
+
/usr/sbin/nscd -- gen_context(system_u:object_r:nscd_exec_t,s0)
/var/cache/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
diff --git a/policy/modules/contrib/nsd.fc b/policy/modules/contrib/nsd.fc
index 286a4ecf..d4fc584e 100644
--- a/policy/modules/contrib/nsd.fc
+++ b/policy/modules/contrib/nsd.fc
@@ -5,6 +5,11 @@
/etc/nsd/primary(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0)
/etc/nsd/secondary(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0)
+/usr/bin/nsd -- gen_context(system_u:object_r:nsd_exec_t,s0)
+/usr/bin/nsdc -- gen_context(system_u:object_r:nsd_exec_t,s0)
+/usr/bin/nsd-notify -- gen_context(system_u:object_r:nsd_exec_t,s0)
+/usr/bin/zonec -- gen_context(system_u:object_r:nsd_exec_t,s0)
+
/usr/sbin/nsd -- gen_context(system_u:object_r:nsd_exec_t,s0)
/usr/sbin/nsdc -- gen_context(system_u:object_r:nsd_exec_t,s0)
/usr/sbin/nsd-notify -- gen_context(system_u:object_r:nsd_exec_t,s0)
diff --git a/policy/modules/contrib/nslcd.fc b/policy/modules/contrib/nslcd.fc
index cdeb9350..89543b3e 100644
--- a/policy/modules/contrib/nslcd.fc
+++ b/policy/modules/contrib/nslcd.fc
@@ -2,6 +2,8 @@
/etc/rc\.d/init\.d/nslcd -- gen_context(system_u:object_r:nslcd_initrc_exec_t,s0)
+/usr/bin/nslcd -- gen_context(system_u:object_r:nslcd_exec_t,s0)
+
/usr/sbin/nslcd -- gen_context(system_u:object_r:nslcd_exec_t,s0)
/run/nslcd(/.*)? gen_context(system_u:object_r:nslcd_var_run_t,s0)
diff --git a/policy/modules/contrib/ntop.fc b/policy/modules/contrib/ntop.fc
index cbbec58a..3ededdd2 100644
--- a/policy/modules/contrib/ntop.fc
+++ b/policy/modules/contrib/ntop.fc
@@ -2,6 +2,8 @@
/etc/rc\.d/init\.d/ntop -- gen_context(system_u:object_r:ntop_initrc_exec_t,s0)
+/usr/bin/ntop -- gen_context(system_u:object_r:ntop_exec_t,s0)
+
/usr/sbin/ntop -- gen_context(system_u:object_r:ntop_exec_t,s0)
/var/lib/ntop(/.*)? gen_context(system_u:object_r:ntop_var_lib_t,s0)
diff --git a/policy/modules/contrib/ntp.fc b/policy/modules/contrib/ntp.fc
index 67c2b883..903c131c 100644
--- a/policy/modules/contrib/ntp.fc
+++ b/policy/modules/contrib/ntp.fc
@@ -13,6 +13,10 @@
/run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_pid_t,s0)
+/usr/bin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
+/usr/bin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
+/usr/bin/sntp -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
+
/usr/lib/systemd/ntp-units\.d/.* -- gen_context(system_u:object_r:ntpd_unit_t,s0)
/usr/lib/systemd/system/ntpd.*\.service -- gen_context(system_u:object_r:ntpd_unit_t,s0)
/usr/lib/systemd/systemd-timedated -- gen_context(system_u:object_r:ntpd_exec_t,s0)
diff --git a/policy/modules/contrib/nut.fc b/policy/modules/contrib/nut.fc
index fdf658f1..6dbfbde1 100644
--- a/policy/modules/contrib/nut.fc
+++ b/policy/modules/contrib/nut.fc
@@ -4,6 +4,10 @@
/etc/rc\.d/init\.d/nut-driver -- gen_context(system_u:object_r:nut_initrc_exec_t,s0)
/etc/rc\.d/init\.d/nut-server -- gen_context(system_u:object_r:nut_initrc_exec_t,s0)
+/usr/bin/upsd -- gen_context(system_u:object_r:nut_upsd_exec_t,s0)
+/usr/bin/upsdrvctl -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
+/usr/bin/upsmon -- gen_context(system_u:object_r:nut_upsmon_exec_t,s0)
+
/usr/lib/cgi-bin/nut/upsimage\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
/usr/lib/cgi-bin/nut/upsset\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
/usr/lib/cgi-bin/nut/upsstats\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
diff --git a/policy/modules/contrib/oav.fc b/policy/modules/contrib/oav.fc
index 2448426e..dabf41ee 100644
--- a/policy/modules/contrib/oav.fc
+++ b/policy/modules/contrib/oav.fc
@@ -1,6 +1,9 @@
/etc/oav-update(/.*)? gen_context(system_u:object_r:oav_update_etc_t,s0)
/etc/scannerdaemon/scannerdaemon\.conf -- gen_context(system_u:object_r:scannerdaemon_etc_t,s0)
+/usr/bin/oav-update -- gen_context(system_u:object_r:oav_update_exec_t,s0)
+/usr/bin/scannerdaemon -- gen_context(system_u:object_r:scannerdaemon_exec_t,s0)
+
/usr/sbin/oav-update -- gen_context(system_u:object_r:oav_update_exec_t,s0)
/usr/sbin/scannerdaemon -- gen_context(system_u:object_r:scannerdaemon_exec_t,s0)
diff --git a/policy/modules/contrib/oddjob.fc b/policy/modules/contrib/oddjob.fc
index d20f5ea2..f1c819ef 100644
--- a/policy/modules/contrib/oddjob.fc
+++ b/policy/modules/contrib/oddjob.fc
@@ -2,6 +2,9 @@
/usr/libexec/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
+/usr/bin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0)
+/usr/bin/mkhomedir_helper -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
+
/usr/sbin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0)
/usr/sbin/mkhomedir_helper -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
diff --git a/policy/modules/contrib/oident.fc b/policy/modules/contrib/oident.fc
index df3b9758..584d948f 100644
--- a/policy/modules/contrib/oident.fc
+++ b/policy/modules/contrib/oident.fc
@@ -5,4 +5,6 @@ HOME_DIR/\.oidentd\.conf -- gen_context(system_u:object_r:oidentd_home_t,s0)
/etc/rc\.d/init\.d/oidentd -- gen_context(system_u:object_r:oidentd_initrc_exec_t,s0)
+/usr/bin/oidentd -- gen_context(system_u:object_r:oidentd_exec_t,s0)
+
/usr/sbin/oidentd -- gen_context(system_u:object_r:oidentd_exec_t,s0)
diff --git a/policy/modules/contrib/openct.fc b/policy/modules/contrib/openct.fc
index b5c2b05d..4c0236d2 100644
--- a/policy/modules/contrib/openct.fc
+++ b/policy/modules/contrib/openct.fc
@@ -1,5 +1,8 @@
/etc/rc\.d/init\.d/openct -- gen_context(system_u:object_r:openct_initrc_exec_t,s0)
+/usr/bin/ifdhandler -- gen_context(system_u:object_r:openct_exec_t,s0)
+/usr/bin/openct-control -- gen_context(system_u:object_r:openct_exec_t,s0)
+
/usr/sbin/ifdhandler -- gen_context(system_u:object_r:openct_exec_t,s0)
/usr/sbin/openct-control -- gen_context(system_u:object_r:openct_exec_t,s0)
diff --git a/policy/modules/contrib/openhpi.fc b/policy/modules/contrib/openhpi.fc
index e1ee3e4a..1ce9da3d 100644
--- a/policy/modules/contrib/openhpi.fc
+++ b/policy/modules/contrib/openhpi.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/openhpid -- gen_context(system_u:object_r:openhpid_initrc_exec_t,s0)
+/usr/bin/openhpid -- gen_context(system_u:object_r:openhpid_exec_t,s0)
+
/usr/sbin/openhpid -- gen_context(system_u:object_r:openhpid_exec_t,s0)
/var/lib/openhpi(/.*)? gen_context(system_u:object_r:openhpid_var_lib_t,s0)
diff --git a/policy/modules/contrib/openvpn.fc b/policy/modules/contrib/openvpn.fc
index 00d176d3..7a00b7a8 100644
--- a/policy/modules/contrib/openvpn.fc
+++ b/policy/modules/contrib/openvpn.fc
@@ -4,6 +4,8 @@
/etc/rc\.d/init\.d/openvpn -- gen_context(system_u:object_r:openvpn_initrc_exec_t,s0)
+/usr/bin/openvpn -- gen_context(system_u:object_r:openvpn_exec_t,s0)
+
/usr/sbin/openvpn -- gen_context(system_u:object_r:openvpn_exec_t,s0)
/var/log/openvpn-status\.log.* -- gen_context(system_u:object_r:openvpn_status_t,s0)
diff --git a/policy/modules/contrib/pacemaker.fc b/policy/modules/contrib/pacemaker.fc
index 6de95e79..3b398450 100644
--- a/policy/modules/contrib/pacemaker.fc
+++ b/policy/modules/contrib/pacemaker.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/pacemaker -- gen_context(system_u:object_r:pacemaker_initrc_exec_t,s0)
+/usr/bin/pacemakerd -- gen_context(system_u:object_r:pacemaker_exec_t,s0)
+
/usr/sbin/pacemakerd -- gen_context(system_u:object_r:pacemaker_exec_t,s0)
/var/lib/heartbeat/crm(/.*)? gen_context(system_u:object_r:pacemaker_var_lib_t,s0)
diff --git a/policy/modules/contrib/pcmcia.fc b/policy/modules/contrib/pcmcia.fc
index b508069e..f9fadf5f 100644
--- a/policy/modules/contrib/pcmcia.fc
+++ b/policy/modules/contrib/pcmcia.fc
@@ -1,5 +1,8 @@
/etc/apm/event\.d/pcmcia -- gen_context(system_u:object_r:cardmgr_exec_t,s0)
+/usr/bin/cardctl -- gen_context(system_u:object_r:cardctl_exec_t,s0)
+/usr/bin/cardmgr -- gen_context(system_u:object_r:cardmgr_exec_t,s0)
+
/usr/sbin/cardctl -- gen_context(system_u:object_r:cardctl_exec_t,s0)
/usr/sbin/cardmgr -- gen_context(system_u:object_r:cardmgr_exec_t,s0)
diff --git a/policy/modules/contrib/pcscd.fc b/policy/modules/contrib/pcscd.fc
index 79e96b1b..4d667ea2 100644
--- a/policy/modules/contrib/pcscd.fc
+++ b/policy/modules/contrib/pcscd.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/pcscd -- gen_context(system_u:object_r:pcscd_initrc_exec_t,s0)
+/usr/bin/pcscd -- gen_context(system_u:object_r:pcscd_exec_t,s0)
+
/usr/sbin/pcscd -- gen_context(system_u:object_r:pcscd_exec_t,s0)
# Systemd unit file
diff --git a/policy/modules/contrib/pegasus.fc b/policy/modules/contrib/pegasus.fc
index 4791c0e2..0f7fe617 100644
--- a/policy/modules/contrib/pegasus.fc
+++ b/policy/modules/contrib/pegasus.fc
@@ -3,6 +3,9 @@
/etc/rc\.d/init\.d/tog-pegasus -- gen_context(system_u:object_r:pegasus_initrc_exec_t,s0)
+/usr/bin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0)
+/usr/bin/init_repository -- gen_context(system_u:object_r:pegasus_exec_t,s0)
+
/usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0)
/usr/sbin/init_repository -- gen_context(system_u:object_r:pegasus_exec_t,s0)
diff --git a/policy/modules/contrib/perdition.fc b/policy/modules/contrib/perdition.fc
index a7d2a8be..f9f88dfb 100644
--- a/policy/modules/contrib/perdition.fc
+++ b/policy/modules/contrib/perdition.fc
@@ -2,6 +2,8 @@
/etc/perdition(/.*)? gen_context(system_u:object_r:perdition_etc_t,s0)
+/usr/bin/perdition.* -- gen_context(system_u:object_r:perdition_exec_t,s0)
+
/usr/sbin/perdition.* -- gen_context(system_u:object_r:perdition_exec_t,s0)
/run/perdition\.pid -- gen_context(system_u:object_r:perdition_var_run_t,s0)
diff --git a/policy/modules/contrib/pingd.fc b/policy/modules/contrib/pingd.fc
index 494a24cc..1cbbf6d8 100644
--- a/policy/modules/contrib/pingd.fc
+++ b/policy/modules/contrib/pingd.fc
@@ -2,6 +2,8 @@
/etc/rc\.d/init\.d/whatsup-pingd -- gen_context(system_u:object_r:pingd_initrc_exec_t,s0)
+/usr/bin/pingd -- gen_context(system_u:object_r:pingd_exec_t,s0)
+
/usr/lib/pingd(/.*)? gen_context(system_u:object_r:pingd_modules_t,s0)
/usr/sbin/pingd -- gen_context(system_u:object_r:pingd_exec_t,s0)
diff --git a/policy/modules/contrib/pkcs.fc b/policy/modules/contrib/pkcs.fc
index 65a25e37..148293a9 100644
--- a/policy/modules/contrib/pkcs.fc
+++ b/policy/modules/contrib/pkcs.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/pkcsslotd -- gen_context(system_u:object_r:pkcs_slotd_initrc_exec_t,s0)
+/usr/bin/pkcsslotd -- gen_context(system_u:object_r:pkcs_slotd_exec_t,s0)
+
/usr/sbin/pkcsslotd -- gen_context(system_u:object_r:pkcs_slotd_exec_t,s0)
/var/lib/opencryptoki(/.*)? gen_context(system_u:object_r:pkcs_slotd_var_lib_t,s0)
diff --git a/policy/modules/contrib/plymouthd.fc b/policy/modules/contrib/plymouthd.fc
index 8eab91b8..c99ccd2d 100644
--- a/policy/modules/contrib/plymouthd.fc
+++ b/policy/modules/contrib/plymouthd.fc
@@ -1,4 +1,5 @@
/usr/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t,s0)
+/usr/bin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0)
# Systemd unit file
/usr/lib/systemd/system/[^/]*plymouth-.* -- gen_context(system_u:object_r:plymouthd_unit_t,s0)
diff --git a/policy/modules/contrib/portmap.fc b/policy/modules/contrib/portmap.fc
index d15c7072..b33b5f4e 100644
--- a/policy/modules/contrib/portmap.fc
+++ b/policy/modules/contrib/portmap.fc
@@ -1,5 +1,9 @@
/etc/rc\.d/init\.d/portmap -- gen_context(system_u:object_r:portmap_initrc_exec_t,s0)
+/usr/bin/pmap_dump -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
+/usr/bin/pmap_set -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
+/usr/bin/portmap -- gen_context(system_u:object_r:portmap_exec_t,s0)
+
/usr/sbin/pmap_dump -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
/usr/sbin/pmap_set -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
/usr/sbin/portmap -- gen_context(system_u:object_r:portmap_exec_t,s0)
diff --git a/policy/modules/contrib/portreserve.fc b/policy/modules/contrib/portreserve.fc
index de7da13c..d649d58d 100644
--- a/policy/modules/contrib/portreserve.fc
+++ b/policy/modules/contrib/portreserve.fc
@@ -2,6 +2,8 @@
/etc/rc\.d/init\.d/portreserve -- gen_context(system_u:object_r:portreserve_initrc_exec_t,s0)
+/usr/bin/portreserve -- gen_context(system_u:object_r:portreserve_exec_t,s0)
+
/usr/sbin/portreserve -- gen_context(system_u:object_r:portreserve_exec_t,s0)
/run/portreserve(/.*)? gen_context(system_u:object_r:portreserve_var_run_t,s0)
diff --git a/policy/modules/contrib/portslave.fc b/policy/modules/contrib/portslave.fc
index 22ca4a50..1afb1976 100644
--- a/policy/modules/contrib/portslave.fc
+++ b/policy/modules/contrib/portslave.fc
@@ -1,5 +1,8 @@
/etc/portslave(/.*)? gen_context(system_u:object_r:portslave_etc_t,s0)
+/usr/bin/ctlportslave -- gen_context(system_u:object_r:portslave_exec_t,s0)
+/usr/bin/portslave -- gen_context(system_u:object_r:portslave_exec_t,s0)
+
/usr/sbin/ctlportslave -- gen_context(system_u:object_r:portslave_exec_t,s0)
/usr/sbin/portslave -- gen_context(system_u:object_r:portslave_exec_t,s0)
diff --git a/policy/modules/contrib/postfix.fc b/policy/modules/contrib/postfix.fc
index 707b5be0..ecf447d6 100644
--- a/policy/modules/contrib/postfix.fc
+++ b/policy/modules/contrib/postfix.fc
@@ -4,6 +4,17 @@
/etc/rc\.d/init\.d/postfix -- gen_context(system_u:object_r:postfix_initrc_exec_t,s0)
+/usr/bin/postalias -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/bin/postcat -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/bin/postdrop -- gen_context(system_u:object_r:postfix_postdrop_exec_t,s0)
+/usr/bin/postfix -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/bin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/bin/postlock -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/bin/postlog -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/bin/postmap -- gen_context(system_u:object_r:postfix_map_exec_t,s0)
+/usr/bin/postqueue -- gen_context(system_u:object_r:postfix_postqueue_exec_t,s0)
+/usr/bin/postsuper -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+
# Remove catch-all so that .so files remain lib_t
#/usr/lib/postfix/(sbin/)?.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
/usr/lib/postfix/(sbin/)?cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
diff --git a/policy/modules/contrib/postfixpolicyd.fc b/policy/modules/contrib/postfixpolicyd.fc
index ed79fe20..a8fb9f8c 100644
--- a/policy/modules/contrib/postfixpolicyd.fc
+++ b/policy/modules/contrib/postfixpolicyd.fc
@@ -2,6 +2,8 @@
/etc/rc\.d/init\.d/postfixpolicyd -- gen_context(system_u:object_r:postfix_policyd_initrc_exec_t,s0)
+/usr/bin/policyd -- gen_context(system_u:object_r:postfix_policyd_exec_t,s0)
+
/usr/sbin/policyd -- gen_context(system_u:object_r:postfix_policyd_exec_t,s0)
/run/policyd\.pid -- gen_context(system_u:object_r:postfix_policyd_var_run_t,s0)
diff --git a/policy/modules/contrib/postgrey.fc b/policy/modules/contrib/postgrey.fc
index 955207fc..076987a6 100644
--- a/policy/modules/contrib/postgrey.fc
+++ b/policy/modules/contrib/postgrey.fc
@@ -2,6 +2,8 @@
/etc/rc\.d/init\.d/postgrey -- gen_context(system_u:object_r:postgrey_initrc_exec_t,s0)
+/usr/bin/postgrey -- gen_context(system_u:object_r:postgrey_exec_t,s0)
+
/usr/sbin/postgrey -- gen_context(system_u:object_r:postgrey_exec_t,s0)
/var/lib/postgrey(/.*)? gen_context(system_u:object_r:postgrey_var_lib_t,s0)
diff --git a/policy/modules/contrib/ppp.fc b/policy/modules/contrib/ppp.fc
index d31591a5..67de5b3e 100644
--- a/policy/modules/contrib/ppp.fc
+++ b/policy/modules/contrib/ppp.fc
@@ -9,6 +9,12 @@ HOME_DIR/\.ppprc -- gen_context(system_u:object_r:ppp_home_t,s0)
/etc/ppp/resolv\.conf -- gen_context(system_u:object_r:pppd_etc_rw_t,s0)
/etc/ppp/(auth|ip(v6|x)?)-(up|down) -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0)
+/usr/bin/ipppd -- gen_context(system_u:object_r:pppd_exec_t,s0)
+/usr/bin/ppp-watch -- gen_context(system_u:object_r:pppd_exec_t,s0)
+/usr/bin/pppd -- gen_context(system_u:object_r:pppd_exec_t,s0)
+/usr/bin/pppoe-server -- gen_context(system_u:object_r:pppd_exec_t,s0)
+/usr/bin/pptp -- gen_context(system_u:object_r:pptp_exec_t,s0)
+
/usr/lib/systemd/system/ppp.*\.service -- gen_context(system_u:object_r:pppd_unit_t,s0)
/usr/sbin/ipppd -- gen_context(system_u:object_r:pppd_exec_t,s0)
diff --git a/policy/modules/contrib/prelink.fc b/policy/modules/contrib/prelink.fc
index a90d6231..8823d27a 100644
--- a/policy/modules/contrib/prelink.fc
+++ b/policy/modules/contrib/prelink.fc
@@ -2,6 +2,8 @@
/etc/prelink\.cache -- gen_context(system_u:object_r:prelink_cache_t,s0)
+/usr/bin/prelink(\.bin)? -- gen_context(system_u:object_r:prelink_exec_t,s0)
+
/usr/sbin/prelink(\.bin)? -- gen_context(system_u:object_r:prelink_exec_t,s0)
/var/log/prelink\.log.* -- gen_context(system_u:object_r:prelink_log_t,s0)
diff --git a/policy/modules/contrib/prelude.fc b/policy/modules/contrib/prelude.fc
index 75df3cf6..ca48c982 100644
--- a/policy/modules/contrib/prelude.fc
+++ b/policy/modules/contrib/prelude.fc
@@ -4,8 +4,9 @@
/etc/rc\.d/init\.d/prelude-lml -- gen_context(system_u:object_r:prelude_initrc_exec_t,s0)
/etc/rc\.d/init\.d/prelude-manager -- gen_context(system_u:object_r:prelude_initrc_exec_t,s0)
+/usr/bin/audisp-prelude -- gen_context(system_u:object_r:prelude_audisp_exec_t,s0)
/usr/bin/prelude-correlator -- gen_context(system_u:object_r:prelude_correlator_exec_t,s0)
-/usr/bin/prelude-lml -- gen_context(system_u:object_r:prelude_lml_exec_t,s0)
+/usr/bin/prelude-lml -- gen_context(system_u:object_r:prelude_lml_exec_t,s0)
/usr/bin/prelude-manager -- gen_context(system_u:object_r:prelude_exec_t,s0)
/usr/sbin/audisp-prelude -- gen_context(system_u:object_r:prelude_audisp_exec_t,s0)
diff --git a/policy/modules/contrib/privoxy.fc b/policy/modules/contrib/privoxy.fc
index cf3678a4..9feef4f7 100644
--- a/policy/modules/contrib/privoxy.fc
+++ b/policy/modules/contrib/privoxy.fc
@@ -2,6 +2,8 @@
/etc/rc\.d/init\.d/privoxy -- gen_context(system_u:object_r:privoxy_initrc_exec_t,s0)
+/usr/bin/privoxy -- gen_context(system_u:object_r:privoxy_exec_t,s0)
+
/usr/sbin/privoxy -- gen_context(system_u:object_r:privoxy_exec_t,s0)
/var/log/privoxy(/.*)? gen_context(system_u:object_r:privoxy_log_t,s0)
diff --git a/policy/modules/contrib/psad.fc b/policy/modules/contrib/psad.fc
index 1157cebc..d26a15b5 100644
--- a/policy/modules/contrib/psad.fc
+++ b/policy/modules/contrib/psad.fc
@@ -2,6 +2,8 @@
/etc/rc\.d/init\.d/psad -- gen_context(system_u:object_r:psad_initrc_exec_t,s0)
+/usr/bin/psad -- gen_context(system_u:object_r:psad_exec_t,s0)
+
/usr/sbin/psad -- gen_context(system_u:object_r:psad_exec_t,s0)
/var/lib/psad(/.*)? gen_context(system_u:object_r:psad_var_lib_t,s0)
diff --git a/policy/modules/contrib/pxe.fc b/policy/modules/contrib/pxe.fc
index 270f819a..56ca3ecd 100644
--- a/policy/modules/contrib/pxe.fc
+++ b/policy/modules/contrib/pxe.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/pxe -- gen_context(system_u:object_r:pxe_initrc_exec_t,s0)
+/usr/bin/pxe -- gen_context(system_u:object_r:pxe_exec_t,s0)
+
/usr/sbin/pxe -- gen_context(system_u:object_r:pxe_exec_t,s0)
/var/log/pxe\.log.* -- gen_context(system_u:object_r:pxe_log_t,s0)
diff --git a/policy/modules/contrib/qmail.fc b/policy/modules/contrib/qmail.fc
index e53fe5a9..54e0847f 100644
--- a/policy/modules/contrib/qmail.fc
+++ b/policy/modules/contrib/qmail.fc
@@ -1,5 +1,17 @@
/etc/qmail(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0)
+/usr/bin/qmail-clean -- gen_context(system_u:object_r:qmail_clean_exec_t,s0)
+/usr/bin/qmail-getpw -- gen_context(system_u:object_r:qmail_exec_t,s0)
+/usr/bin/qmail-inject -- gen_context(system_u:object_r:qmail_inject_exec_t,s0)
+/usr/bin/qmail-local -- gen_context(system_u:object_r:qmail_local_exec_t,s0)
+/usr/bin/qmail-lspawn -- gen_context(system_u:object_r:qmail_lspawn_exec_t,s0)
+/usr/bin/qmail-queue -- gen_context(system_u:object_r:qmail_queue_exec_t,s0)
+/usr/bin/qmail-remote -- gen_context(system_u:object_r:qmail_remote_exec_t,s0)
+/usr/bin/qmail-rspawn -- gen_context(system_u:object_r:qmail_rspawn_exec_t,s0)
+/usr/bin/qmail-send -- gen_context(system_u:object_r:qmail_send_exec_t,s0)
+/usr/bin/qmail-smtpd -- gen_context(system_u:object_r:qmail_smtpd_exec_t,s0)
+/usr/bin/qmail-start -- gen_context(system_u:object_r:qmail_start_exec_t,s0)
+/usr/bin/splogger -- gen_context(system_u:object_r:qmail_splogger_exec_t,s0)
/usr/bin/tcp-env -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0)
/usr/sbin/qmail-clean -- gen_context(system_u:object_r:qmail_clean_exec_t,s0)
diff --git a/policy/modules/contrib/qpid.fc b/policy/modules/contrib/qpid.fc
index fdcf49dc..ed8f5432 100644
--- a/policy/modules/contrib/qpid.fc
+++ b/policy/modules/contrib/qpid.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/qpidd -- gen_context(system_u:object_r:qpidd_initrc_exec_t,s0)
+/usr/bin/qpidd -- gen_context(system_u:object_r:qpidd_exec_t,s0)
+
/usr/sbin/qpidd -- gen_context(system_u:object_r:qpidd_exec_t,s0)
/var/lib/qpidd(/.*)? gen_context(system_u:object_r:qpidd_var_lib_t,s0)
diff --git a/policy/modules/contrib/quota.fc b/policy/modules/contrib/quota.fc
index c3d05ba1..28a21a8b 100644
--- a/policy/modules/contrib/quota.fc
+++ b/policy/modules/contrib/quota.fc
@@ -10,6 +10,10 @@ HOME_DIR/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
/etc/rc\.d/init\.d/quota_nld -- gen_context(system_u:object_r:quota_nld_initrc_exec_t,s0)
+/usr/bin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0)
+/usr/bin/quota(check|on) -- gen_context(system_u:object_r:quota_exec_t,s0)
+/usr/bin/quota_nld -- gen_context(system_u:object_r:quota_nld_exec_t,s0)
+
/usr/sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0)
/usr/sbin/quota(check|on) -- gen_context(system_u:object_r:quota_exec_t,s0)
/usr/sbin/quota_nld -- gen_context(system_u:object_r:quota_nld_exec_t,s0)
diff --git a/policy/modules/contrib/radius.fc b/policy/modules/contrib/radius.fc
index 663b804a..19ff8e93 100644
--- a/policy/modules/contrib/radius.fc
+++ b/policy/modules/contrib/radius.fc
@@ -6,6 +6,9 @@
/etc/raddb(/.*)? gen_context(system_u:object_r:radiusd_etc_t,s0)
/etc/raddb/db\.daily -- gen_context(system_u:object_r:radiusd_etc_rw_t,s0)
+/usr/bin/radiusd -- gen_context(system_u:object_r:radiusd_exec_t,s0)
+/usr/bin/freeradius -- gen_context(system_u:object_r:radiusd_exec_t,s0)
+
/usr/sbin/radiusd -- gen_context(system_u:object_r:radiusd_exec_t,s0)
/usr/sbin/freeradius -- gen_context(system_u:object_r:radiusd_exec_t,s0)
diff --git a/policy/modules/contrib/radvd.fc b/policy/modules/contrib/radvd.fc
index 350bb7e8..9765e456 100644
--- a/policy/modules/contrib/radvd.fc
+++ b/policy/modules/contrib/radvd.fc
@@ -2,6 +2,8 @@
/etc/rc\.d/init\.d/radvd -- gen_context(system_u:object_r:radvd_initrc_exec_t,s0)
+/usr/bin/radvd -- gen_context(system_u:object_r:radvd_exec_t,s0)
+
/usr/sbin/radvd -- gen_context(system_u:object_r:radvd_exec_t,s0)
/run/radvd(/.*)? gen_context(system_u:object_r:radvd_var_run_t,s0)
diff --git a/policy/modules/contrib/raid.fc b/policy/modules/contrib/raid.fc
index dc26d8d3..323a8865 100644
--- a/policy/modules/contrib/raid.fc
+++ b/policy/modules/contrib/raid.fc
@@ -3,6 +3,14 @@
/etc/rc\.d/init\.d/mdmonitor -- gen_context(system_u:object_r:mdadm_initrc_exec_t,s0)
+/usr/bin/iprdump -- gen_context(system_u:object_r:mdadm_exec_t,s0)
+/usr/bin/iprinit -- gen_context(system_u:object_r:mdadm_exec_t,s0)
+/usr/bin/iprupdate -- gen_context(system_u:object_r:mdadm_exec_t,s0)
+/usr/bin/mdadm -- gen_context(system_u:object_r:mdadm_exec_t,s0)
+/usr/bin/mdmon -- gen_context(system_u:object_r:mdadm_exec_t,s0)
+/usr/bin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0)
+/usr/bin/raid-check -- gen_context(system_u:object_r:mdadm_exec_t,s0)
+
# Systemd unit files
/usr/lib/systemd/system/[^/]*mdadm-.* -- gen_context(system_u:object_r:mdadm_unit_t,s0)
/usr/lib/systemd/system/[^/]*mdmon.* -- gen_context(system_u:object_r:mdadm_unit_t,s0)
diff --git a/policy/modules/contrib/rdisc.fc b/policy/modules/contrib/rdisc.fc
index 168de323..0c4d5b55 100644
--- a/policy/modules/contrib/rdisc.fc
+++ b/policy/modules/contrib/rdisc.fc
@@ -1 +1,3 @@
+/usr/bin/rdisc -- gen_context(system_u:object_r:rdisc_exec_t,s0)
+
/usr/sbin/rdisc -- gen_context(system_u:object_r:rdisc_exec_t,s0)
diff --git a/policy/modules/contrib/readahead.fc b/policy/modules/contrib/readahead.fc
index 5932e207..823f5454 100644
--- a/policy/modules/contrib/readahead.fc
+++ b/policy/modules/contrib/readahead.fc
@@ -1,3 +1,5 @@
+/usr/bin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
+
/usr/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
/var/lib/readahead(/.*)? gen_context(system_u:object_r:readahead_var_lib_t,s0)
diff --git a/policy/modules/contrib/redis.fc b/policy/modules/contrib/redis.fc
index 2ea69aa9..74443abd 100644
--- a/policy/modules/contrib/redis.fc
+++ b/policy/modules/contrib/redis.fc
@@ -2,6 +2,8 @@
/etc/redis.*\.conf -- gen_context(system_u:object_r:redis_conf_t,s0)
+/usr/bin/redis-server -- gen_context(system_u:object_r:redis_exec_t,s0)
+
/usr/sbin/redis-server -- gen_context(system_u:object_r:redis_exec_t,s0)
/var/lib/redis(/.*)? gen_context(system_u:object_r:redis_var_lib_t,s0)
diff --git a/policy/modules/contrib/resmgr.fc b/policy/modules/contrib/resmgr.fc
index 138f76e2..c5b467dc 100644
--- a/policy/modules/contrib/resmgr.fc
+++ b/policy/modules/contrib/resmgr.fc
@@ -2,6 +2,8 @@
/etc/rc\.d/init\.d/resmgr -- gen_context(system_u:object_r:resmgrd_initrc_exec_t,s0)
+/usr/bin/resmgrd -- gen_context(system_u:object_r:resmgrd_exec_t,s0)
+
/usr/sbin/resmgrd -- gen_context(system_u:object_r:resmgrd_exec_t,s0)
/run/\.resmgr_socket -s gen_context(system_u:object_r:resmgrd_var_run_t,s0)
diff --git a/policy/modules/contrib/rgmanager.fc b/policy/modules/contrib/rgmanager.fc
index fd21f975..0e064444 100644
--- a/policy/modules/contrib/rgmanager.fc
+++ b/policy/modules/contrib/rgmanager.fc
@@ -1,9 +1,12 @@
/etc/rc\.d/init\.d/rgmanager -- gen_context(system_u:object_r:rgmanager_initrc_exec_t,s0)
-/usr/sbin/rgmanager -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
+/usr/bin/ccs_tool -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
+/usr/bin/cman_tool -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
+/usr/bin/rgmanager -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
/usr/sbin/ccs_tool -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
/usr/sbin/cman_tool -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
+/usr/sbin/rgmanager -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
/var/log/cluster/rgmanager\.log.* -- gen_context(system_u:object_r:rgmanager_var_log_t,s0)
diff --git a/policy/modules/contrib/rhcs.fc b/policy/modules/contrib/rhcs.fc
index ff20b9ce..90d0c0de 100644
--- a/policy/modules/contrib/rhcs.fc
+++ b/policy/modules/contrib/rhcs.fc
@@ -1,6 +1,15 @@
/etc/rc\.d/init\.d/dlm -- gen_context(system_u:object_r:dlm_controld_initrc_exec_t,s0)
/etc/rc\.d/init\.d/foghorn -- gen_context(system_u:object_r:foghorn_initrc_exec_t,s0)
+/usr/bin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
+/usr/bin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/bin/fence_node -- gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/bin/fence_tool -- gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/bin/foghorn -- gen_context(system_u:object_r:foghorn_exec_t,s0)
+/usr/bin/gfs_controld -- gen_context(system_u:object_r:gfs_controld_exec_t,s0)
+/usr/bin/groupd -- gen_context(system_u:object_r:groupd_exec_t,s0)
+/usr/bin/qdiskd -- gen_context(system_u:object_r:qdiskd_exec_t,s0)
+
/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
/usr/sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0)
/usr/sbin/fence_node -- gen_context(system_u:object_r:fenced_exec_t,s0)
diff --git a/policy/modules/contrib/ricci.fc b/policy/modules/contrib/ricci.fc
index 08d8abac..b7918a93 100644
--- a/policy/modules/contrib/ricci.fc
+++ b/policy/modules/contrib/ricci.fc
@@ -1,5 +1,8 @@
/etc/rc\.d/init\.d/ricci -- gen_context(system_u:object_r:ricci_initrc_exec_t,s0)
+/usr/bin/modclusterd -- gen_context(system_u:object_r:ricci_modclusterd_exec_t,s0)
+/usr/bin/ricci -- gen_context(system_u:object_r:ricci_exec_t,s0)
+
/usr/libexec/modcluster -- gen_context(system_u:object_r:ricci_modcluster_exec_t,s0)
/usr/libexec/ricci-modlog -- gen_context(system_u:object_r:ricci_modlog_exec_t,s0)
/usr/libexec/ricci-modrpm -- gen_context(system_u:object_r:ricci_modrpm_exec_t,s0)
diff --git a/policy/modules/contrib/rlogin.fc b/policy/modules/contrib/rlogin.fc
index f1118772..00e7f3a5 100644
--- a/policy/modules/contrib/rlogin.fc
+++ b/policy/modules/contrib/rlogin.fc
@@ -3,6 +3,8 @@ HOME_DIR/\.rlogin -- gen_context(system_u:object_r:rlogind_home_t,s0)
/usr/kerberos/sbin/klogind -- gen_context(system_u:object_r:rlogind_exec_t,s0)
+/usr/bin/in\.rlogind -- gen_context(system_u:object_r:rlogind_exec_t,s0)
+
/usr/lib/telnetlogin -- gen_context(system_u:object_r:rlogind_exec_t,s0)
/usr/sbin/in\.rlogind -- gen_context(system_u:object_r:rlogind_exec_t,s0)
diff --git a/policy/modules/contrib/rngd.fc b/policy/modules/contrib/rngd.fc
index 3bba53a8..c49ab4ac 100644
--- a/policy/modules/contrib/rngd.fc
+++ b/policy/modules/contrib/rngd.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/rngd -- gen_context(system_u:object_r:rngd_initrc_exec_t,s0)
+/usr/bin/rngd -- gen_context(system_u:object_r:rngd_exec_t,s0)
+
/usr/sbin/rngd -- gen_context(system_u:object_r:rngd_exec_t,s0)
/run/rngd\.pid -- gen_context(system_u:object_r:rngd_var_run_t,s0)
diff --git a/policy/modules/contrib/rpc.fc b/policy/modules/contrib/rpc.fc
index 9d6d5241..6674a53e 100644
--- a/policy/modules/contrib/rpc.fc
+++ b/policy/modules/contrib/rpc.fc
@@ -4,6 +4,15 @@
/etc/rc\.d/init\.d/nfslock -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
/etc/rc\.d/init\.d/rpcidmapd -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
+/usr/bin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0)
+/usr/bin/rpc\.idmapd -- gen_context(system_u:object_r:rpcd_exec_t,s0)
+/usr/bin/rpc\.gssd -- gen_context(system_u:object_r:gssd_exec_t,s0)
+/usr/bin/rpc\.mountd -- gen_context(system_u:object_r:nfsd_exec_t,s0)
+/usr/bin/rpc\.nfsd -- gen_context(system_u:object_r:nfsd_exec_t,s0)
+/usr/bin/rpc\.rquotad -- gen_context(system_u:object_r:rpcd_exec_t,s0)
+/usr/bin/rpc\.svcgssd -- gen_context(system_u:object_r:gssd_exec_t,s0)
+/usr/bin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0)
+
/usr/lib/systemd/system/nfs.*\.service -- gen_context(system_u:object_r:nfsd_unit_t,s0)
/usr/lib/systemd/system/rpc.*\.service -- gen_context(system_u:object_r:rpcd_unit_t,s0)
diff --git a/policy/modules/contrib/rpcbind.fc b/policy/modules/contrib/rpcbind.fc
index 35f6ae43..afba9b29 100644
--- a/policy/modules/contrib/rpcbind.fc
+++ b/policy/modules/contrib/rpcbind.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/rpcbind -- gen_context(system_u:object_r:rpcbind_initrc_exec_t,s0)
+/usr/bin/rpcbind -- gen_context(system_u:object_r:rpcbind_exec_t,s0)
+
/usr/sbin/rpcbind -- gen_context(system_u:object_r:rpcbind_exec_t,s0)
/var/cache/rpcbind(/.*)? gen_context(system_u:object_r:rpcbind_var_lib_t,s0)
diff --git a/policy/modules/contrib/rpm.fc b/policy/modules/contrib/rpm.fc
index 71c90c7e..9faf3c42 100644
--- a/policy/modules/contrib/rpm.fc
+++ b/policy/modules/contrib/rpm.fc
@@ -1,12 +1,22 @@
/etc/rc\.d/init\.d/bcfg2 -- gen_context(system_u:object_r:rpm_initrc_exec_t,s0)
+/usr/bin/bcfg2 -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/bin/debuginfo-install -- gen_context(system_u:object_r:debuginfo_exec_t,s0)
/usr/bin/fedora-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/pirut -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/bin/rpmdev-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/bin/smart -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/system-install-packages -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/yast2 -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/bin/yum -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/yum-complete-transaction -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/yum-updatesd -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/bin/zif -- gen_context(system_u:object_r:rpm_exec_t,s0)
# Systemd unit file
diff --git a/policy/modules/contrib/rshd.fc b/policy/modules/contrib/rshd.fc
index 9ad0d58d..b77f12dc 100644
--- a/policy/modules/contrib/rshd.fc
+++ b/policy/modules/contrib/rshd.fc
@@ -1,4 +1,7 @@
/usr/kerberos/sbin/kshd -- gen_context(system_u:object_r:rshd_exec_t,s0)
+/usr/bin/in\.rexecd -- gen_context(system_u:object_r:rshd_exec_t,s0)
+/usr/bin/in\.rshd -- gen_context(system_u:object_r:rshd_exec_t,s0)
+
/usr/sbin/in\.rexecd -- gen_context(system_u:object_r:rshd_exec_t,s0)
/usr/sbin/in\.rshd -- gen_context(system_u:object_r:rshd_exec_t,s0)
diff --git a/policy/modules/contrib/rwho.fc b/policy/modules/contrib/rwho.fc
index 5a630a99..fd5fdf71 100644
--- a/policy/modules/contrib/rwho.fc
+++ b/policy/modules/contrib/rwho.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/rwhod -- gen_context(system_u:object_r:rwho_initrc_exec_t,s0)
+/usr/bin/rwhod -- gen_context(system_u:object_r:rwho_exec_t,s0)
+
/usr/sbin/rwhod -- gen_context(system_u:object_r:rwho_exec_t,s0)
/var/spool/rwho(/.*)? gen_context(system_u:object_r:rwho_spool_t,s0)
diff --git a/policy/modules/contrib/samba.fc b/policy/modules/contrib/samba.fc
index 753a009c..e104d2ba 100644
--- a/policy/modules/contrib/samba.fc
+++ b/policy/modules/contrib/samba.fc
@@ -9,10 +9,14 @@
/etc/samba(/.*)? gen_context(system_u:object_r:samba_etc_t,s0)
/usr/bin/net -- gen_context(system_u:object_r:samba_net_exec_t,s0)
+/usr/bin/nmbd -- gen_context(system_u:object_r:nmbd_exec_t,s0)
/usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0)
/usr/bin/smbcontrol -- gen_context(system_u:object_r:smbcontrol_exec_t,s0)
+/usr/bin/smbd -- gen_context(system_u:object_r:smbd_exec_t,s0)
/usr/bin/smbmount -- gen_context(system_u:object_r:smbmount_exec_t,s0)
/usr/bin/smbmnt -- gen_context(system_u:object_r:smbmount_exec_t,s0)
+/usr/bin/swat -- gen_context(system_u:object_r:swat_exec_t,s0)
+/usr/bin/winbindd -- gen_context(system_u:object_r:winbind_exec_t,s0)
/usr/lib/systemd/system/smb.*\.service -- gen_context(system_u:object_r:samba_unit_t,s0)
diff --git a/policy/modules/contrib/samhain.fc b/policy/modules/contrib/samhain.fc
index 39d915d9..76b448c8 100644
--- a/policy/modules/contrib/samhain.fc
+++ b/policy/modules/contrib/samhain.fc
@@ -2,6 +2,9 @@
/etc/samhainrc -- gen_context(system_u:object_r:samhain_etc_t,mls_systemhigh)
+/usr/bin/samhain -- gen_context(system_u:object_r:samhain_exec_t,s0)
+/usr/bin/samhain_setpwd -- gen_context(system_u:object_r:samhain_exec_t,s0)
+
/usr/sbin/samhain -- gen_context(system_u:object_r:samhain_exec_t,s0)
/usr/sbin/samhain_setpwd -- gen_context(system_u:object_r:samhain_exec_t,s0)
diff --git a/policy/modules/contrib/sanlock.fc b/policy/modules/contrib/sanlock.fc
index b8a7a0a2..6c6f3dec 100644
--- a/policy/modules/contrib/sanlock.fc
+++ b/policy/modules/contrib/sanlock.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/sanlock -- gen_context(system_u:object_r:sanlock_initrc_exec_t,s0)
+/usr/bin/sanlock -- gen_context(system_u:object_r:sanlock_exec_t,s0)
+
/usr/sbin/sanlock -- gen_context(system_u:object_r:sanlock_exec_t,s0)
/run/sanlock(/.*)? gen_context(system_u:object_r:sanlock_var_run_t,s0)
diff --git a/policy/modules/contrib/sasl.fc b/policy/modules/contrib/sasl.fc
index 1ec050a2..72551273 100644
--- a/policy/modules/contrib/sasl.fc
+++ b/policy/modules/contrib/sasl.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/sasl -- gen_context(system_u:object_r:saslauthd_initrc_exec_t,s0)
+/usr/bin/saslauthd -- gen_context(system_u:object_r:saslauthd_exec_t,s0)
+
/usr/sbin/saslauthd -- gen_context(system_u:object_r:saslauthd_exec_t,s0)
/var/lib/sasl2(/.*)? gen_context(system_u:object_r:saslauthd_var_run_t,s0)
diff --git a/policy/modules/contrib/sblim.fc b/policy/modules/contrib/sblim.fc
index 84fa5384..c2aed416 100644
--- a/policy/modules/contrib/sblim.fc
+++ b/policy/modules/contrib/sblim.fc
@@ -1,5 +1,8 @@
/etc/rc\.d/init\.d/gatherer -- gen_context(system_u:object_r:sblim_initrc_exec_t,s0)
+/usr/bin/gatherd -- gen_context(system_u:object_r:sblim_gatherd_exec_t,s0)
+/usr/bin/reposd -- gen_context(system_u:object_r:sblim_reposd_exec_t,s0)
+
/usr/sbin/gatherd -- gen_context(system_u:object_r:sblim_gatherd_exec_t,s0)
/usr/sbin/reposd -- gen_context(system_u:object_r:sblim_reposd_exec_t,s0)
diff --git a/policy/modules/contrib/sensord.fc b/policy/modules/contrib/sensord.fc
index bcd8a2ed..1216f4bf 100644
--- a/policy/modules/contrib/sensord.fc
+++ b/policy/modules/contrib/sensord.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/sensord -- gen_context(system_u:object_r:sensord_initrc_exec_t,s0)
+/usr/bin/sensord -- gen_context(system_u:object_r:sensord_exec_t,s0)
+
/usr/sbin/sensord -- gen_context(system_u:object_r:sensord_exec_t,s0)
/run/sensord\.pid -- gen_context(system_u:object_r:sensord_var_run_t,s0)
diff --git a/policy/modules/contrib/setroubleshoot.fc b/policy/modules/contrib/setroubleshoot.fc
index 8c66d707..096fd47c 100644
--- a/policy/modules/contrib/setroubleshoot.fc
+++ b/policy/modules/contrib/setroubleshoot.fc
@@ -1,3 +1,5 @@
+/usr/bin/setroubleshootd -- gen_context(system_u:object_r:setroubleshootd_exec_t,s0)
+
/usr/sbin/setroubleshootd -- gen_context(system_u:object_r:setroubleshootd_exec_t,s0)
/usr/share/setroubleshoot/SetroubleshootFixit\.py -- gen_context(system_u:object_r:setroubleshoot_fixit_exec_t,s0)
diff --git a/policy/modules/contrib/shibboleth.fc b/policy/modules/contrib/shibboleth.fc
index 0e05da75..fc32f7c9 100644
--- a/policy/modules/contrib/shibboleth.fc
+++ b/policy/modules/contrib/shibboleth.fc
@@ -1,5 +1,7 @@
/etc/shibboleth(/.*)? gen_context(system_u:object_r:shibboleth_etc_t,s0)
+/usr/bin/shibd -- gen_context(system_u:object_r:shibboleth_exec_t,s0)
+
/usr/sbin/shibd -- gen_context(system_u:object_r:shibboleth_exec_t,s0)
/var/log/shibboleth(/.*)? gen_context(system_u:object_r:shibboleth_log_t,s0)
diff --git a/policy/modules/contrib/shorewall.fc b/policy/modules/contrib/shorewall.fc
index e92567aa..aae46ecb 100644
--- a/policy/modules/contrib/shorewall.fc
+++ b/policy/modules/contrib/shorewall.fc
@@ -3,6 +3,9 @@
/etc/shorewall(/.*)? gen_context(system_u:object_r:shorewall_etc_t,s0)
/etc/shorewall-lite(/.*)? gen_context(system_u:object_r:shorewall_etc_t,s0)
+/usr/bin/shorewall6? -- gen_context(system_u:object_r:shorewall_exec_t,s0)
+/usr/bin/shorewall-lite -- gen_context(system_u:object_r:shorewall_exec_t,s0)
+
/usr/sbin/shorewall6? -- gen_context(system_u:object_r:shorewall_exec_t,s0)
/usr/sbin/shorewall-lite -- gen_context(system_u:object_r:shorewall_exec_t,s0)
diff --git a/policy/modules/contrib/shutdown.fc b/policy/modules/contrib/shutdown.fc
index e6730a03..03a2230c 100644
--- a/policy/modules/contrib/shutdown.fc
+++ b/policy/modules/contrib/shutdown.fc
@@ -1,5 +1,7 @@
/etc/nologin -- gen_context(system_u:object_r:shutdown_etc_t,s0)
+/usr/bin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
+
/usr/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
/usr/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
diff --git a/policy/modules/contrib/slpd.fc b/policy/modules/contrib/slpd.fc
index be0072b4..77ff516b 100644
--- a/policy/modules/contrib/slpd.fc
+++ b/policy/modules/contrib/slpd.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/slpd -- gen_context(system_u:object_r:slpd_initrc_exec_t,s0)
+/usr/bin/slpd -- gen_context(system_u:object_r:slpd_exec_t,s0)
+
/usr/sbin/slpd -- gen_context(system_u:object_r:slpd_exec_t,s0)
/var/log/slpd\.log.* -- gen_context(system_u:object_r:slpd_log_t,s0)
diff --git a/policy/modules/contrib/smartmon.fc b/policy/modules/contrib/smartmon.fc
index 92988a26..daff956c 100644
--- a/policy/modules/contrib/smartmon.fc
+++ b/policy/modules/contrib/smartmon.fc
@@ -1,6 +1,8 @@
/etc/rc\.d/init\.d/smartd -- gen_context(system_u:object_r:fsdaemon_initrc_exec_t,s0)
/etc/rc\.d/init\.d/smartmontools -- gen_context(system_u:object_r:fsdaemon_initrc_exec_t,s0)
+/usr/bin/smartd -- gen_context(system_u:object_r:fsdaemon_exec_t,s0)
+
/usr/sbin/smartd -- gen_context(system_u:object_r:fsdaemon_exec_t,s0)
/run/smartd\.pid -- gen_context(system_u:object_r:fsdaemon_var_run_t,s0)
diff --git a/policy/modules/contrib/smokeping.fc b/policy/modules/contrib/smokeping.fc
index e92613ff..c75825e8 100644
--- a/policy/modules/contrib/smokeping.fc
+++ b/policy/modules/contrib/smokeping.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/smokeping -- gen_context(system_u:object_r:smokeping_initrc_exec_t,s0)
+/usr/bin/smokeping -- gen_context(system_u:object_r:smokeping_exec_t,s0)
+
/usr/sbin/smokeping -- gen_context(system_u:object_r:smokeping_exec_t,s0)
/usr/share/smokeping/cgi(/.*)? gen_context(system_u:object_r:httpd_smokeping_cgi_script_exec_t,s0)
diff --git a/policy/modules/contrib/smstools.fc b/policy/modules/contrib/smstools.fc
index d77f5b5f..12a58511 100644
--- a/policy/modules/contrib/smstools.fc
+++ b/policy/modules/contrib/smstools.fc
@@ -2,6 +2,8 @@
/etc/rc\.d/init\.d/(smsd|smstools) -- gen_context(system_u:object_r:smsd_initrc_exec_t,s0)
+/usr/bin/smsd -- gen_context(system_u:object_r:smsd_exec_t,s0)
+
/usr/sbin/smsd -- gen_context(system_u:object_r:smsd_exec_t,s0)
/var/lib/smstools(/.*)? gen_context(system_u:object_r:smsd_var_lib_t,s0)
diff --git a/policy/modules/contrib/snmp.fc b/policy/modules/contrib/snmp.fc
index c3d5ed71..8974ac9d 100644
--- a/policy/modules/contrib/snmp.fc
+++ b/policy/modules/contrib/snmp.fc
@@ -1,5 +1,9 @@
/etc/rc\.d/init\.d/(snmpd|snmptrapd) -- gen_context(system_u:object_r:snmpd_initrc_exec_t,s0)
+/usr/bin/snmpd -- gen_context(system_u:object_r:snmpd_exec_t,s0)
+/usr/bin/snmptrap -- gen_context(system_u:object_r:snmpd_exec_t,s0)
+/usr/bin/snmptrapd -- gen_context(system_u:object_r:snmpd_exec_t,s0)
+
/usr/sbin/snmpd -- gen_context(system_u:object_r:snmpd_exec_t,s0)
/usr/sbin/snmptrap -- gen_context(system_u:object_r:snmpd_exec_t,s0)
/usr/sbin/snmptrapd -- gen_context(system_u:object_r:snmpd_exec_t,s0)
diff --git a/policy/modules/contrib/snort.fc b/policy/modules/contrib/snort.fc
index 1e2faf00..97797bd6 100644
--- a/policy/modules/contrib/snort.fc
+++ b/policy/modules/contrib/snort.fc
@@ -2,9 +2,10 @@
/etc/snort(/.*)? gen_context(system_u:object_r:snort_etc_t,s0)
-/usr/bin/snort -- gen_context(system_u:object_r:snort_exec_t,s0)
-/usr/sbin/snort -- gen_context(system_u:object_r:snort_exec_t,s0)
+/usr/bin/snort -- gen_context(system_u:object_r:snort_exec_t,s0)
+/usr/bin/snort-plain -- gen_context(system_u:object_r:snort_exec_t,s0)
+/usr/sbin/snort -- gen_context(system_u:object_r:snort_exec_t,s0)
/usr/sbin/snort-plain -- gen_context(system_u:object_r:snort_exec_t,s0)
/var/log/snort(/.*)? gen_context(system_u:object_r:snort_log_t,s0)
diff --git a/policy/modules/contrib/sosreport.fc b/policy/modules/contrib/sosreport.fc
index 704e2dab..d445530f 100644
--- a/policy/modules/contrib/sosreport.fc
+++ b/policy/modules/contrib/sosreport.fc
@@ -1,3 +1,5 @@
+/usr/bin/sosreport -- gen_context(system_u:object_r:sosreport_exec_t,s0)
+
/usr/sbin/sosreport -- gen_context(system_u:object_r:sosreport_exec_t,s0)
/\.ismount-test-file -- gen_context(system_u:object_r:sosreport_tmp_t,s0)
diff --git a/policy/modules/contrib/soundserver.fc b/policy/modules/contrib/soundserver.fc
index 038f0315..d1880f66 100644
--- a/policy/modules/contrib/soundserver.fc
+++ b/policy/modules/contrib/soundserver.fc
@@ -5,6 +5,7 @@
/usr/bin/nasd -- gen_context(system_u:object_r:soundd_exec_t,s0)
/usr/bin/gpe-soundserver -- gen_context(system_u:object_r:soundd_exec_t,s0)
+/usr/bin/yiff -- gen_context(system_u:object_r:soundd_exec_t,s0)
/usr/sbin/yiff -- gen_context(system_u:object_r:soundd_exec_t,s0)
diff --git a/policy/modules/contrib/spamassassin.fc b/policy/modules/contrib/spamassassin.fc
index 58dce766..bc2dbadf 100644
--- a/policy/modules/contrib/spamassassin.fc
+++ b/policy/modules/contrib/spamassassin.fc
@@ -5,16 +5,17 @@ HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:spamd_home_t,s0)
/etc/rc\.d/init\.d/spampd -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
/etc/rc\.d/init\.d/mimedefang.* -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
+/usr/bin/mimedefang -- gen_context(system_u:object_r:spamd_exec_t,s0)
+/usr/bin/mimedefang-multiplexor -- gen_context(system_u:object_r:spamd_exec_t,s0)
/usr/bin/sa-learn -- gen_context(system_u:object_r:spamc_exec_t,s0)
/usr/bin/spamassassin -- gen_context(system_u:object_r:spamc_exec_t,s0)
/usr/bin/spamc -- gen_context(system_u:object_r:spamc_exec_t,s0)
/usr/bin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0)
+/usr/bin/spampd -- gen_context(system_u:object_r:spamd_exec_t,s0)
/usr/bin/sa-update -- gen_context(system_u:object_r:spamd_update_exec_t,s0)
/usr/sbin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0)
/usr/sbin/spampd -- gen_context(system_u:object_r:spamd_exec_t,s0)
-/usr/bin/mimedefang -- gen_context(system_u:object_r:spamd_exec_t,s0)
-/usr/bin/mimedefang-multiplexor -- gen_context(system_u:object_r:spamd_exec_t,s0)
/var/lib/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0)
/var/lib/spamassassin/compiled(/.*)? gen_context(system_u:object_r:spamd_compiled_t,s0)
diff --git a/policy/modules/contrib/speedtouch.fc b/policy/modules/contrib/speedtouch.fc
index 0caf3cc0..48fe2da3 100644
--- a/policy/modules/contrib/speedtouch.fc
+++ b/policy/modules/contrib/speedtouch.fc
@@ -1,3 +1,5 @@
+/usr/bin/speedmgmt -- gen_context(system_u:object_r:speedmgmt_exec_t,s0)
+
/usr/sbin/speedmgmt -- gen_context(system_u:object_r:speedmgmt_exec_t,s0)
/run/speedmgmt\.pid -- gen_context(system_u:object_r:speedmgmt_var_run_t,s0)
diff --git a/policy/modules/contrib/squid.fc b/policy/modules/contrib/squid.fc
index 7051c3e1..4d838b27 100644
--- a/policy/modules/contrib/squid.fc
+++ b/policy/modules/contrib/squid.fc
@@ -2,6 +2,8 @@
/etc/rc\.d/init\.d/squid -- gen_context(system_u:object_r:squid_initrc_exec_t,s0)
+/usr/bin/squid.* -- gen_context(system_u:object_r:squid_exec_t,s0)
+
/usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)
/usr/sbin/squid.* -- gen_context(system_u:object_r:squid_exec_t,s0)
diff --git a/policy/modules/contrib/sssd.fc b/policy/modules/contrib/sssd.fc
index 6ff3e253..ef8a215b 100644
--- a/policy/modules/contrib/sssd.fc
+++ b/policy/modules/contrib/sssd.fc
@@ -2,6 +2,8 @@
/etc/sssd(/.*)? gen_context(system_u:object_r:sssd_conf_t,s0)
+/usr/bin/sssd -- gen_context(system_u:object_r:sssd_exec_t,s0)
+
/usr/sbin/sssd -- gen_context(system_u:object_r:sssd_exec_t,s0)
/var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0)
diff --git a/policy/modules/contrib/sxid.fc b/policy/modules/contrib/sxid.fc
index 95299487..92d3ff1a 100644
--- a/policy/modules/contrib/sxid.fc
+++ b/policy/modules/contrib/sxid.fc
@@ -1,3 +1,4 @@
+/usr/bin/checksecurity\.se -- gen_context(system_u:object_r:sxid_exec_t,s0)
/usr/bin/sxid -- gen_context(system_u:object_r:sxid_exec_t,s0)
/usr/sbin/checksecurity\.se -- gen_context(system_u:object_r:sxid_exec_t,s0)
diff --git a/policy/modules/contrib/tboot.fc b/policy/modules/contrib/tboot.fc
index 437e1d5d..8c3e66c4 100644
--- a/policy/modules/contrib/tboot.fc
+++ b/policy/modules/contrib/tboot.fc
@@ -1 +1,3 @@
+/usr/bin/txt-stat -- gen_context(system_u:object_r:txtstat_exec_t,s0)
+
/usr/sbin/txt-stat -- gen_context(system_u:object_r:txtstat_exec_t,s0)
diff --git a/policy/modules/contrib/tcpd.fc b/policy/modules/contrib/tcpd.fc
index 034ec7f6..57fe2bf1 100644
--- a/policy/modules/contrib/tcpd.fc
+++ b/policy/modules/contrib/tcpd.fc
@@ -1 +1,3 @@
+/usr/bin/tcpd -- gen_context(system_u:object_r:tcpd_exec_t,s0)
+
/usr/sbin/tcpd -- gen_context(system_u:object_r:tcpd_exec_t,s0)
diff --git a/policy/modules/contrib/tcsd.fc b/policy/modules/contrib/tcsd.fc
index 0e086e71..d6980334 100644
--- a/policy/modules/contrib/tcsd.fc
+++ b/policy/modules/contrib/tcsd.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/(tcsd|trousers) -- gen_context(system_u:object_r:tcsd_initrc_exec_t,s0)
+/usr/bin/tcsd -- gen_context(system_u:object_r:tcsd_exec_t,s0)
+
# Systemd unit file
/usr/lib/systemd/system/[^/]*tcsd.* -- gen_context(system_u:object_r:tcsd_unit_t,s0)
diff --git a/policy/modules/contrib/telnet.fc b/policy/modules/contrib/telnet.fc
index 3d7d07aa..05d4726c 100644
--- a/policy/modules/contrib/telnet.fc
+++ b/policy/modules/contrib/telnet.fc
@@ -1,3 +1,5 @@
+/usr/bin/in\.telnetd -- gen_context(system_u:object_r:telnetd_exec_t,s0)
+
/usr/sbin/in\.telnetd -- gen_context(system_u:object_r:telnetd_exec_t,s0)
/usr/kerberos/sbin/telnetd -- gen_context(system_u:object_r:telnetd_exec_t,s0)
diff --git a/policy/modules/contrib/tftp.fc b/policy/modules/contrib/tftp.fc
index fb0b982d..dbd7f2a8 100644
--- a/policy/modules/contrib/tftp.fc
+++ b/policy/modules/contrib/tftp.fc
@@ -1,5 +1,7 @@
/etc/(x)?inetd\.d/tftp -- gen_context(system_u:object_r:tftpd_conf_t,s0)
+/usr/bin/atftpd -- gen_context(system_u:object_r:tftpd_exec_t,s0)
+/usr/bin/in\.tftpd -- gen_context(system_u:object_r:tftpd_exec_t,s0)
/usr/bin/tftpd -- gen_context(system_u:object_r:tftpd_exec_t,s0)
/usr/sbin/atftpd -- gen_context(system_u:object_r:tftpd_exec_t,s0)
diff --git a/policy/modules/contrib/tgtd.fc b/policy/modules/contrib/tgtd.fc
index be16a4c0..1989d090 100644
--- a/policy/modules/contrib/tgtd.fc
+++ b/policy/modules/contrib/tgtd.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/tgtd -- gen_context(system_u:object_r:tgtd_initrc_exec_t,s0)
+/usr/bin/tgtd -- gen_context(system_u:object_r:tgtd_exec_t,s0)
+
/usr/sbin/tgtd -- gen_context(system_u:object_r:tgtd_exec_t,s0)
/var/lib/tgtd(/.*)? gen_context(system_u:object_r:tgtd_var_lib_t,s0)
diff --git a/policy/modules/contrib/tmpreaper.fc b/policy/modules/contrib/tmpreaper.fc
index d19a6cf0..f4ce55e1 100644
--- a/policy/modules/contrib/tmpreaper.fc
+++ b/policy/modules/contrib/tmpreaper.fc
@@ -1,5 +1,8 @@
/etc/rc\.d/init\.d/mountall-bootclean\.sh -- gen_context(system_u:object_r:tmpreaper_exec_t,s0)
/etc/rc\.d/init\.d/mountnfs-bootclean\.sh -- gen_context(system_u:object_r:tmpreaper_exec_t,s0)
+/usr/bin/tmpreaper -- gen_context(system_u:object_r:tmpreaper_exec_t,s0)
+/usr/bin/tmpwatch -- gen_context(system_u:object_r:tmpreaper_exec_t,s0)
+
/usr/sbin/tmpreaper -- gen_context(system_u:object_r:tmpreaper_exec_t,s0)
/usr/sbin/tmpwatch -- gen_context(system_u:object_r:tmpreaper_exec_t,s0)
diff --git a/policy/modules/contrib/transproxy.fc b/policy/modules/contrib/transproxy.fc
index c4aa885e..ce0eb7d6 100644
--- a/policy/modules/contrib/transproxy.fc
+++ b/policy/modules/contrib/transproxy.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/transproxy -- gen_context(system_u:object_r:transproxy_initrc_exec_t,s0)
+/usr/bin/tproxy -- gen_context(system_u:object_r:transproxy_exec_t,s0)
+
/usr/sbin/tproxy -- gen_context(system_u:object_r:transproxy_exec_t,s0)
/run/tproxy\.pid -- gen_context(system_u:object_r:transproxy_var_run_t,s0)
diff --git a/policy/modules/contrib/tripwire.fc b/policy/modules/contrib/tripwire.fc
index a27298be..77b259a4 100644
--- a/policy/modules/contrib/tripwire.fc
+++ b/policy/modules/contrib/tripwire.fc
@@ -1,5 +1,10 @@
/etc/tripwire(/.*)? gen_context(system_u:object_r:tripwire_etc_t,s0)
+/usr/bin/siggen -- gen_context(system_u:object_r:siggen_exec_t,s0)
+/usr/bin/tripwire -- gen_context(system_u:object_r:tripwire_exec_t,s0)
+/usr/bin/twadmin -- gen_context(system_u:object_r:twadmin_exec_t,s0)
+/usr/bin/twprint -- gen_context(system_u:object_r:twprint_exec_t,s0)
+
/usr/sbin/siggen -- gen_context(system_u:object_r:siggen_exec_t,s0)
/usr/sbin/tripwire -- gen_context(system_u:object_r:tripwire_exec_t,s0)
/usr/sbin/twadmin -- gen_context(system_u:object_r:twadmin_exec_t,s0)
diff --git a/policy/modules/contrib/tuned.fc b/policy/modules/contrib/tuned.fc
index d22fde30..21ea1295 100644
--- a/policy/modules/contrib/tuned.fc
+++ b/policy/modules/contrib/tuned.fc
@@ -3,6 +3,8 @@
/etc/tuned(/.*)? gen_context(system_u:object_r:tuned_etc_t,s0)
/etc/tuned/active_profile -- gen_context(system_u:object_r:tuned_rw_etc_t,s0)
+/usr/bin/tuned -- gen_context(system_u:object_r:tuned_exec_t,s0)
+
/usr/sbin/tuned -- gen_context(system_u:object_r:tuned_exec_t,s0)
/var/log/tuned(/.*)? gen_context(system_u:object_r:tuned_log_t,s0)
diff --git a/policy/modules/contrib/tzdata.fc b/policy/modules/contrib/tzdata.fc
index 04b85488..c8448c68 100644
--- a/policy/modules/contrib/tzdata.fc
+++ b/policy/modules/contrib/tzdata.fc
@@ -1 +1,3 @@
+/usr/bin/tzdata-update -- gen_context(system_u:object_r:tzdata_exec_t,s0)
+
/usr/sbin/tzdata-update -- gen_context(system_u:object_r:tzdata_exec_t,s0)
diff --git a/policy/modules/contrib/ulogd.fc b/policy/modules/contrib/ulogd.fc
index d5f8ac0b..ca27a1d2 100644
--- a/policy/modules/contrib/ulogd.fc
+++ b/policy/modules/contrib/ulogd.fc
@@ -2,6 +2,8 @@
/etc/rc\.d/init\.d/ulogd -- gen_context(system_u:object_r:ulogd_initrc_exec_t,s0)
+/usr/bin/ulogd -- gen_context(system_u:object_r:ulogd_exec_t,s0)
+
/usr/lib/ulogd(/.*)? gen_context(system_u:object_r:ulogd_modules_t,s0)
/usr/sbin/ulogd -- gen_context(system_u:object_r:ulogd_exec_t,s0)
diff --git a/policy/modules/contrib/updfstab.fc b/policy/modules/contrib/updfstab.fc
index b62ab19e..27ac178d 100644
--- a/policy/modules/contrib/updfstab.fc
+++ b/policy/modules/contrib/updfstab.fc
@@ -1,2 +1,5 @@
+/usr/bin/fstab-sync -- gen_context(system_u:object_r:updfstab_exec_t,s0)
+/usr/bin/updfstab -- gen_context(system_u:object_r:updfstab_exec_t,s0)
+
/usr/sbin/fstab-sync -- gen_context(system_u:object_r:updfstab_exec_t,s0)
/usr/sbin/updfstab -- gen_context(system_u:object_r:updfstab_exec_t,s0)
diff --git a/policy/modules/contrib/uptime.fc b/policy/modules/contrib/uptime.fc
index d15608f6..535dda0b 100644
--- a/policy/modules/contrib/uptime.fc
+++ b/policy/modules/contrib/uptime.fc
@@ -2,6 +2,8 @@
/etc/rc\.d/init\.d/uptimed -- gen_context(system_u:object_r:uptimed_initrc_exec_t,s0)
+/usr/bin/uptimed -- gen_context(system_u:object_r:uptimed_exec_t,s0)
+
/usr/sbin/uptimed -- gen_context(system_u:object_r:uptimed_exec_t,s0)
/run/uptimed\.pid -- gen_context(system_u:object_r:uptimed_var_run_t,s0)
diff --git a/policy/modules/contrib/usbmodules.fc b/policy/modules/contrib/usbmodules.fc
index 66604b50..72188740 100644
--- a/policy/modules/contrib/usbmodules.fc
+++ b/policy/modules/contrib/usbmodules.fc
@@ -1 +1,3 @@
+/usr/bin/usbmodules -- gen_context(system_u:object_r:usbmodules_exec_t,s0)
+
/usr/sbin/usbmodules -- gen_context(system_u:object_r:usbmodules_exec_t,s0)
diff --git a/policy/modules/contrib/usbmuxd.fc b/policy/modules/contrib/usbmuxd.fc
index 413eef4b..dd949dde 100644
--- a/policy/modules/contrib/usbmuxd.fc
+++ b/policy/modules/contrib/usbmuxd.fc
@@ -1,3 +1,5 @@
+/usr/bin/usbmuxd -- gen_context(system_u:object_r:usbmuxd_exec_t,s0)
+
/usr/sbin/usbmuxd -- gen_context(system_u:object_r:usbmuxd_exec_t,s0)
/run/usbmuxd.* gen_context(system_u:object_r:usbmuxd_var_run_t,s0)
diff --git a/policy/modules/contrib/userhelper.fc b/policy/modules/contrib/userhelper.fc
index 9fe12582..6a2cd2f0 100644
--- a/policy/modules/contrib/userhelper.fc
+++ b/policy/modules/contrib/userhelper.fc
@@ -1,5 +1,6 @@
/etc/security/console\.apps(/.*)? gen_context(system_u:object_r:userhelper_conf_t,s0)
/usr/bin/consolehelper -- gen_context(system_u:object_r:consolehelper_exec_t,s0)
+/usr/bin/userhelper -- gen_context(system_u:object_r:userhelper_exec_t,s0)
/usr/sbin/userhelper -- gen_context(system_u:object_r:userhelper_exec_t,s0)
diff --git a/policy/modules/contrib/usernetctl.fc b/policy/modules/contrib/usernetctl.fc
index ddaf787d..72f38b1b 100644
--- a/policy/modules/contrib/usernetctl.fc
+++ b/policy/modules/contrib/usernetctl.fc
@@ -1 +1,3 @@
+/usr/bin/usernetctl -- gen_context(system_u:object_r:usernetctl_exec_t,s0)
+
/usr/sbin/usernetctl -- gen_context(system_u:object_r:usernetctl_exec_t,s0)
diff --git a/policy/modules/contrib/uucp.fc b/policy/modules/contrib/uucp.fc
index ec159fe5..21b5d723 100644
--- a/policy/modules/contrib/uucp.fc
+++ b/policy/modules/contrib/uucp.fc
@@ -1,6 +1,7 @@
/etc/rc\.d/init\.d/uucp -- gen_context(system_u:object_r:uucpd_initrc_exec_t,s0)
/usr/bin/uux -- gen_context(system_u:object_r:uux_exec_t,s0)
+/usr/bin/uucico -- gen_context(system_u:object_r:uucpd_exec_t,s0)
/usr/sbin/uucico -- gen_context(system_u:object_r:uucpd_exec_t,s0)
diff --git a/policy/modules/contrib/uuidd.fc b/policy/modules/contrib/uuidd.fc
index 03f98e30..d0a8520d 100644
--- a/policy/modules/contrib/uuidd.fc
+++ b/policy/modules/contrib/uuidd.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/uuidd -- gen_context(system_u:object_r:uuidd_initrc_exec_t,s0)
+/usr/bin/uuidd -- gen_context(system_u:object_r:uuidd_exec_t,s0)
+
/usr/sbin/uuidd -- gen_context(system_u:object_r:uuidd_exec_t,s0)
/var/lib/libuuid(/.*)? gen_context(system_u:object_r:uuidd_var_lib_t,s0)
diff --git a/policy/modules/contrib/varnishd.fc b/policy/modules/contrib/varnishd.fc
index e93b95c3..5d3f0915 100644
--- a/policy/modules/contrib/varnishd.fc
+++ b/policy/modules/contrib/varnishd.fc
@@ -4,6 +4,7 @@
/etc/varnish(/.*)? gen_context(system_u:object_r:varnishd_etc_t,s0)
+/usr/bin/varnishd -- gen_context(system_u:object_r:varnishd_exec_t,s0)
/usr/bin/varnishlog -- gen_context(system_u:object_r:varnishlog_exec_t,s0)
/usr/bin/varnishncsa -- gen_context(system_u:object_r:varnishlog_exec_t,s0)
diff --git a/policy/modules/contrib/vbetool.fc b/policy/modules/contrib/vbetool.fc
index d00970f1..af6c0e38 100644
--- a/policy/modules/contrib/vbetool.fc
+++ b/policy/modules/contrib/vbetool.fc
@@ -1 +1,3 @@
+/usr/bin/vbetool -- gen_context(system_u:object_r:vbetool_exec_t,s0)
+
/usr/sbin/vbetool -- gen_context(system_u:object_r:vbetool_exec_t,s0)
diff --git a/policy/modules/contrib/vdagent.fc b/policy/modules/contrib/vdagent.fc
index e03441a3..13aecb58 100644
--- a/policy/modules/contrib/vdagent.fc
+++ b/policy/modules/contrib/vdagent.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/spice-vdagentd -- gen_context(system_u:object_r:vdagentd_initrc_exec_t,s0)
+/usr/bin/spice-vdagentd -- gen_context(system_u:object_r:vdagent_exec_t,s0)
+
/usr/sbin/spice-vdagentd -- gen_context(system_u:object_r:vdagent_exec_t,s0)
/var/log/spice-vdagentd(/.*)? gen_context(system_u:object_r:vdagent_log_t,s0)
diff --git a/policy/modules/contrib/vhostmd.fc b/policy/modules/contrib/vhostmd.fc
index 83e6b4d4..ded76282 100644
--- a/policy/modules/contrib/vhostmd.fc
+++ b/policy/modules/contrib/vhostmd.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/vhostmd -- gen_context(system_u:object_r:vhostmd_initrc_exec_t,s0)
+/usr/bin/vhostmd -- gen_context(system_u:object_r:vhostmd_exec_t,s0)
+
/usr/sbin/vhostmd -- gen_context(system_u:object_r:vhostmd_exec_t,s0)
/run/vhostmd.* gen_context(system_u:object_r:vhostmd_var_run_t,s0)
diff --git a/policy/modules/contrib/virt.fc b/policy/modules/contrib/virt.fc
index 22c1ed70..b1f9b1c8 100644
--- a/policy/modules/contrib/virt.fc
+++ b/policy/modules/contrib/virt.fc
@@ -24,7 +24,12 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
/usr/libexec/qemu-bridge-helper gen_context(system_u:object_r:virt_bridgehelper_exec_t,s0)
/usr/libexec/libvirt_leaseshelper -- gen_context(system_u:object_r:virt_leaseshelper_exec_t,s0)
-/usr/bin/virsh -- gen_context(system_u:object_r:virsh_exec_t,s0)
+/usr/bin/condor_vm-gahp -- gen_context(system_u:object_r:virtd_exec_t,s0)
+/usr/bin/fence_virtd -- gen_context(system_u:object_r:virsh_exec_t,s0)
+/usr/bin/libvirt-qmf -- gen_context(system_u:object_r:virt_qmf_exec_t,s0)
+/usr/bin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0)
+/usr/bin/virsh -- gen_context(system_u:object_r:virsh_exec_t,s0)
+/usr/bin/virtlockd -- gen_context(system_u:object_r:virtlockd_exec_t,s0)
/usr/bin/virt-sandbox-service.* -- gen_context(system_u:object_r:virsh_exec_t,s0)
/usr/sbin/condor_vm-gahp -- gen_context(system_u:object_r:virtd_exec_t,s0)
diff --git a/policy/modules/contrib/vlock.fc b/policy/modules/contrib/vlock.fc
index f84b61a5..f668cde9 100644
--- a/policy/modules/contrib/vlock.fc
+++ b/policy/modules/contrib/vlock.fc
@@ -1,3 +1,4 @@
-/usr/bin/vlock -- gen_context(system_u:object_r:vlock_exec_t,s0)
+/usr/bin/vlock -- gen_context(system_u:object_r:vlock_exec_t,s0)
+/usr/bin/vlock-main -- gen_context(system_u:object_r:vlock_exec_t,s0)
/usr/sbin/vlock-main -- gen_context(system_u:object_r:vlock_exec_t,s0)
diff --git a/policy/modules/contrib/vmware.fc b/policy/modules/contrib/vmware.fc
index ea5a13b5..b1557721 100644
--- a/policy/modules/contrib/vmware.fc
+++ b/policy/modules/contrib/vmware.fc
@@ -9,9 +9,11 @@ HOME_DIR/vmware(/.*)? gen_context(system_u:object_r:vmware_file_t,s0)
/usr/bin/vmnet-natd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
/usr/bin/vmnet-netifup -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
/usr/bin/vmnet-sniffer -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmware-guest.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
/usr/bin/vmware-network -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
/usr/bin/vmware-nmbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
/usr/bin/vmware-ping -- gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/bin/vmware-serverd -- gen_context(system_u:object_r:vmware_exec_t,s0)
/usr/bin/vmware-smbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
/usr/bin/vmware-smbpasswd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
/usr/bin/vmware-smbpasswd\.bin -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
diff --git a/policy/modules/contrib/vnstatd.fc b/policy/modules/contrib/vnstatd.fc
index 400d7f76..c3e1ad90 100644
--- a/policy/modules/contrib/vnstatd.fc
+++ b/policy/modules/contrib/vnstatd.fc
@@ -3,6 +3,7 @@
/run/vnstat.* gen_context(system_u:object_r:vnstatd_pid_t,s0)
/usr/bin/vnstat -- gen_context(system_u:object_r:vnstat_exec_t,s0)
+/usr/bin/vnstatd -- gen_context(system_u:object_r:vnstatd_exec_t,s0)
/usr/lib/systemd/system/vnstat\.service -- gen_context(system_u:object_r:vnstatd_unit_t,s0)
diff --git a/policy/modules/contrib/vpn.fc b/policy/modules/contrib/vpn.fc
index 1cd43c66..3e40c477 100644
--- a/policy/modules/contrib/vpn.fc
+++ b/policy/modules/contrib/vpn.fc
@@ -1,4 +1,5 @@
/usr/bin/openconnect -- gen_context(system_u:object_r:vpnc_exec_t,s0)
+/usr/bin/vpnc -- gen_context(system_u:object_r:vpnc_exec_t,s0)
/usr/sbin/vpnc -- gen_context(system_u:object_r:vpnc_exec_t,s0)
diff --git a/policy/modules/contrib/watchdog.fc b/policy/modules/contrib/watchdog.fc
index 093ebc6d..1e4f1158 100644
--- a/policy/modules/contrib/watchdog.fc
+++ b/policy/modules/contrib/watchdog.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/watchdog -- gen_context(system_u:object_r:watchdog_initrc_exec_t,s0)
+/usr/bin/watchdog -- gen_context(system_u:object_r:watchdog_exec_t,s0)
+
/usr/sbin/watchdog -- gen_context(system_u:object_r:watchdog_exec_t,s0)
/var/log/watchdog.* gen_context(system_u:object_r:watchdog_log_t,s0)
diff --git a/policy/modules/contrib/wdmd.fc b/policy/modules/contrib/wdmd.fc
index b0fbf65a..849f93cc 100644
--- a/policy/modules/contrib/wdmd.fc
+++ b/policy/modules/contrib/wdmd.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/wdmd -- gen_context(system_u:object_r:wdmd_initrc_exec_t,s0)
+/usr/bin/wdmd -- gen_context(system_u:object_r:wdmd_exec_t,s0)
+
/usr/sbin/wdmd -- gen_context(system_u:object_r:wdmd_exec_t,s0)
/run/wdmd(/.*)? gen_context(system_u:object_r:wdmd_var_run_t,s0)
diff --git a/policy/modules/contrib/xen.fc b/policy/modules/contrib/xen.fc
index be0374df..ac5439f9 100644
--- a/policy/modules/contrib/xen.fc
+++ b/policy/modules/contrib/xen.fc
@@ -7,6 +7,15 @@
/usr/lib/xen-[^/]*/bin/xm -- gen_context(system_u:object_r:xm_exec_t,s0)
/usr/lib/xen-[^/]*/xl -- gen_context(system_u:object_r:xm_exec_t,s0)
+/usr/bin/blktapctrl -- gen_context(system_u:object_r:blktap_exec_t,s0)
+/usr/bin/evtchnd -- gen_context(system_u:object_r:evtchnd_exec_t,s0)
+/usr/bin/tapdisk -- gen_context(system_u:object_r:blktap_exec_t,s0)
+/usr/bin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0)
+/usr/bin/xend -- gen_context(system_u:object_r:xend_exec_t,s0)
+/usr/bin/xenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0)
+/usr/bin/xl -- gen_context(system_u:object_r:xm_exec_t,s0)
+/usr/bin/xm -- gen_context(system_u:object_r:xm_exec_t,s0)
+
/usr/sbin/blktapctrl -- gen_context(system_u:object_r:blktap_exec_t,s0)
/usr/sbin/evtchnd -- gen_context(system_u:object_r:evtchnd_exec_t,s0)
/usr/sbin/tapdisk -- gen_context(system_u:object_r:blktap_exec_t,s0)
diff --git a/policy/modules/contrib/zabbix.fc b/policy/modules/contrib/zabbix.fc
index 4c9f1409..076e8544 100644
--- a/policy/modules/contrib/zabbix.fc
+++ b/policy/modules/contrib/zabbix.fc
@@ -1,11 +1,14 @@
/etc/rc\.d/init\.d/(zabbix|zabbix-server) -- gen_context(system_u:object_r:zabbix_initrc_exec_t,s0)
/etc/rc\.d/init\.d/zabbix-agentd -- gen_context(system_u:object_r:zabbix_agent_initrc_exec_t,s0)
-/usr/bin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0)
/usr/bin/zabbix_agentd -- gen_context(system_u:object_r:zabbix_agent_exec_t,s0)
+/usr/bin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0)
+/usr/bin/zabbix_server_mysql -- gen_context(system_u:object_r:zabbix_exec_t,s0)
+/usr/bin/zabbix_server_pgsql -- gen_context(system_u:object_r:zabbix_exec_t,s0)
+/usr/bin/zabbix_server_sqlite3 -- gen_context(system_u:object_r:zabbix_exec_t,s0)
-/usr/sbin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0)
/usr/sbin/zabbix_agentd -- gen_context(system_u:object_r:zabbix_agent_exec_t,s0)
+/usr/sbin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0)
/usr/sbin/zabbix_server_mysql -- gen_context(system_u:object_r:zabbix_exec_t,s0)
/usr/sbin/zabbix_server_pgsql -- gen_context(system_u:object_r:zabbix_exec_t,s0)
/usr/sbin/zabbix_server_sqlite3 -- gen_context(system_u:object_r:zabbix_exec_t,s0)
diff --git a/policy/modules/contrib/zebra.fc b/policy/modules/contrib/zebra.fc
index 0c173382..3ded81f8 100644
--- a/policy/modules/contrib/zebra.fc
+++ b/policy/modules/contrib/zebra.fc
@@ -8,6 +8,11 @@
/etc/rc\.d/init\.d/ripngd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
/etc/rc\.d/init\.d/zebra -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
+/usr/bin/bgpd -- gen_context(system_u:object_r:zebra_exec_t,s0)
+/usr/bin/ospf.* -- gen_context(system_u:object_r:zebra_exec_t,s0)
+/usr/bin/rip.* -- gen_context(system_u:object_r:zebra_exec_t,s0)
+/usr/bin/zebra -- gen_context(system_u:object_r:zebra_exec_t,s0)
+
/usr/sbin/bgpd -- gen_context(system_u:object_r:zebra_exec_t,s0)
/usr/sbin/ospf.* -- gen_context(system_u:object_r:zebra_exec_t,s0)
/usr/sbin/rip.* -- gen_context(system_u:object_r:zebra_exec_t,s0)
diff --git a/policy/modules/contrib/zosremote.fc b/policy/modules/contrib/zosremote.fc
index adfd4a21..ca923534 100644
--- a/policy/modules/contrib/zosremote.fc
+++ b/policy/modules/contrib/zosremote.fc
@@ -1 +1,3 @@
+/usr/bin/audispd-zos-remote -- gen_context(system_u:object_r:zos_remote_exec_t,s0)
+
/usr/sbin/audispd-zos-remote -- gen_context(system_u:object_r:zos_remote_exec_t,s0)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-05-07 16:09 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-05-07 16:09 UTC (permalink / raw
To: gentoo-commits
commit: 7bb79960bdc89e57c7f681c63692c5341c1911e3
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Sat Apr 29 18:17:13 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun May 7 15:54:42 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7bb79960
evolution: minor fixes and updates
Minor fixes and updates for the evolution module.
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/evolution.te | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/evolution.te b/policy/modules/contrib/evolution.te
index bf456df4..c30623de 100644
--- a/policy/modules/contrib/evolution.te
+++ b/policy/modules/contrib/evolution.te
@@ -111,7 +111,7 @@ userdom_user_tmpfs_file(evolution_webcal_tmpfs_t)
#
allow evolution_t self:capability { setgid setuid sys_nice };
-allow evolution_t self:process { execmem getsched setsched signal };
+allow evolution_t self:process { execmem getsched setsched signal signull };
allow evolution_t self:fifo_file rw_file_perms;
allow evolution_t evolution_home_t:dir manage_dir_perms;
@@ -320,6 +320,7 @@ dev_read_urand(evolution_alarm_t)
files_read_usr_files(evolution_alarm_t)
+fs_dontaudit_getattr_xattr_fs(evolution_alarm_t)
fs_search_auto_mountpoints(evolution_alarm_t)
auth_use_nsswitch(evolution_alarm_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-05-07 16:09 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-05-07 16:09 UTC (permalink / raw
To: gentoo-commits
commit: b8a604ac7ca611afbf53c9e07724030c0555fd30
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Thu May 4 12:27:23 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun May 7 16:02:02 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b8a604ac
Module version bump for /usr/bin fc fixes from Nicolas Iooss.
policy/modules/contrib/abrt.te | 2 +-
policy/modules/contrib/acct.te | 2 +-
policy/modules/contrib/acpi.te | 2 +-
policy/modules/contrib/afs.te | 2 +-
policy/modules/contrib/aiccu.te | 2 +-
policy/modules/contrib/aisexec.te | 2 +-
policy/modules/contrib/alsa.te | 2 +-
policy/modules/contrib/amanda.te | 2 +-
policy/modules/contrib/amavis.te | 2 +-
policy/modules/contrib/apache.te | 2 +-
policy/modules/contrib/apcupsd.te | 2 +-
policy/modules/contrib/arpwatch.te | 2 +-
policy/modules/contrib/asterisk.te | 2 +-
policy/modules/contrib/automount.te | 2 +-
policy/modules/contrib/avahi.te | 2 +-
policy/modules/contrib/bacula.te | 2 +-
policy/modules/contrib/bcfg2.te | 2 +-
policy/modules/contrib/bind.te | 2 +-
policy/modules/contrib/bird.te | 2 +-
policy/modules/contrib/bitlbee.te | 2 +-
policy/modules/contrib/bluetooth.te | 2 +-
policy/modules/contrib/brctl.te | 2 +-
policy/modules/contrib/cachefilesd.te | 2 +-
policy/modules/contrib/callweaver.te | 2 +-
policy/modules/contrib/canna.te | 2 +-
policy/modules/contrib/ccs.te | 2 +-
policy/modules/contrib/certmonger.te | 2 +-
policy/modules/contrib/cfengine.te | 2 +-
policy/modules/contrib/cgroup.te | 2 +-
policy/modules/contrib/chronyd.te | 2 +-
policy/modules/contrib/cipe.te | 2 +-
policy/modules/contrib/clamav.te | 2 +-
policy/modules/contrib/clogd.te | 2 +-
policy/modules/contrib/cmirrord.te | 2 +-
policy/modules/contrib/collectd.te | 2 +-
policy/modules/contrib/comsat.te | 2 +-
policy/modules/contrib/condor.te | 2 +-
policy/modules/contrib/consolekit.te | 2 +-
policy/modules/contrib/corosync.te | 2 +-
policy/modules/contrib/courier.te | 2 +-
policy/modules/contrib/cpucontrol.te | 2 +-
policy/modules/contrib/cron.te | 2 +-
policy/modules/contrib/ctdb.te | 2 +-
policy/modules/contrib/cups.te | 2 +-
policy/modules/contrib/dante.te | 2 +-
policy/modules/contrib/dbskk.te | 2 +-
policy/modules/contrib/dcc.te | 2 +-
policy/modules/contrib/ddclient.te | 2 +-
policy/modules/contrib/ddcprobe.te | 2 +-
policy/modules/contrib/dhcp.te | 2 +-
policy/modules/contrib/dictd.te | 2 +-
policy/modules/contrib/dkim.te | 2 +-
policy/modules/contrib/dmidecode.te | 2 +-
policy/modules/contrib/dnsmasq.te | 2 +-
policy/modules/contrib/dnssectrigger.te | 2 +-
policy/modules/contrib/dovecot.te | 2 +-
policy/modules/contrib/dphysswapfile.te | 2 +-
policy/modules/contrib/dpkg.te | 2 +-
policy/modules/contrib/drbd.te | 2 +-
policy/modules/contrib/entropyd.te | 2 +-
policy/modules/contrib/exim.te | 2 +-
policy/modules/contrib/fakehwclock.te | 2 +-
policy/modules/contrib/fcoe.te | 2 +-
policy/modules/contrib/finger.te | 2 +-
policy/modules/contrib/firewalld.te | 2 +-
policy/modules/contrib/firstboot.te | 2 +-
policy/modules/contrib/ftp.te | 2 +-
policy/modules/contrib/gatekeeper.te | 2 +-
policy/modules/contrib/glusterfs.te | 2 +-
policy/modules/contrib/gpm.te | 2 +-
policy/modules/contrib/gpsd.te | 2 +-
policy/modules/contrib/hal.te | 2 +-
policy/modules/contrib/hddtemp.te | 2 +-
policy/modules/contrib/hwloc.te | 2 +-
policy/modules/contrib/hypervkvp.te | 2 +-
policy/modules/contrib/i18n_input.te | 2 +-
policy/modules/contrib/ifplugd.te | 2 +-
policy/modules/contrib/inetd.te | 2 +-
policy/modules/contrib/inn.te | 2 +-
policy/modules/contrib/iodine.te | 2 +-
policy/modules/contrib/ircd.te | 2 +-
policy/modules/contrib/irqbalance.te | 2 +-
policy/modules/contrib/iscsi.te | 2 +-
policy/modules/contrib/isns.te | 2 +-
policy/modules/contrib/jabber.te | 2 +-
policy/modules/contrib/kdump.te | 2 +-
policy/modules/contrib/kerberos.te | 2 +-
policy/modules/contrib/kerneloops.te | 2 +-
policy/modules/contrib/ksmtuned.te | 2 +-
policy/modules/contrib/ktalk.te | 2 +-
policy/modules/contrib/kudzu.te | 2 +-
policy/modules/contrib/l2tp.te | 2 +-
policy/modules/contrib/ldap.te | 2 +-
policy/modules/contrib/likewise.te | 2 +-
policy/modules/contrib/lircd.te | 2 +-
policy/modules/contrib/lldpad.te | 2 +-
policy/modules/contrib/lockdev.te | 2 +-
policy/modules/contrib/logrotate.te | 2 +-
policy/modules/contrib/logwatch.te | 2 +-
policy/modules/contrib/lpd.te | 2 +-
policy/modules/contrib/mailscanner.te | 2 +-
policy/modules/contrib/mcelog.te | 2 +-
policy/modules/contrib/milter.te | 2 +-
policy/modules/contrib/minidlna.te | 2 +-
policy/modules/contrib/minissdpd.te | 2 +-
policy/modules/contrib/modemmanager.te | 2 +-
policy/modules/contrib/mon.te | 2 +-
policy/modules/contrib/monop.te | 2 +-
policy/modules/contrib/mta.te | 2 +-
policy/modules/contrib/mysql.te | 2 +-
policy/modules/contrib/nessus.te | 2 +-
policy/modules/contrib/networkmanager.te | 2 +-
policy/modules/contrib/nis.te | 2 +-
policy/modules/contrib/nscd.te | 2 +-
policy/modules/contrib/nsd.te | 2 +-
policy/modules/contrib/nslcd.te | 2 +-
policy/modules/contrib/ntop.te | 2 +-
policy/modules/contrib/ntp.te | 2 +-
policy/modules/contrib/nut.te | 2 +-
policy/modules/contrib/oav.te | 2 +-
policy/modules/contrib/oddjob.te | 2 +-
policy/modules/contrib/oident.te | 2 +-
policy/modules/contrib/openct.te | 2 +-
policy/modules/contrib/openhpi.te | 2 +-
policy/modules/contrib/openvpn.te | 2 +-
policy/modules/contrib/pacemaker.te | 2 +-
policy/modules/contrib/pcmcia.te | 2 +-
policy/modules/contrib/pcscd.te | 2 +-
policy/modules/contrib/pegasus.te | 2 +-
policy/modules/contrib/perdition.te | 2 +-
policy/modules/contrib/pingd.te | 2 +-
policy/modules/contrib/pkcs.te | 2 +-
policy/modules/contrib/plymouthd.te | 2 +-
policy/modules/contrib/portmap.te | 2 +-
policy/modules/contrib/portreserve.te | 2 +-
policy/modules/contrib/portslave.te | 2 +-
policy/modules/contrib/postfix.te | 2 +-
policy/modules/contrib/postfixpolicyd.te | 2 +-
policy/modules/contrib/postgrey.te | 2 +-
policy/modules/contrib/ppp.te | 2 +-
policy/modules/contrib/prelink.te | 2 +-
policy/modules/contrib/prelude.te | 2 +-
policy/modules/contrib/privoxy.te | 2 +-
policy/modules/contrib/psad.te | 2 +-
policy/modules/contrib/pxe.te | 2 +-
policy/modules/contrib/qmail.te | 2 +-
policy/modules/contrib/qpid.te | 2 +-
policy/modules/contrib/quota.te | 2 +-
policy/modules/contrib/radius.te | 2 +-
policy/modules/contrib/radvd.te | 2 +-
policy/modules/contrib/raid.te | 2 +-
policy/modules/contrib/rdisc.te | 2 +-
policy/modules/contrib/readahead.te | 2 +-
policy/modules/contrib/redis.te | 2 +-
policy/modules/contrib/resmgr.te | 2 +-
policy/modules/contrib/rgmanager.te | 2 +-
policy/modules/contrib/rhcs.te | 2 +-
policy/modules/contrib/ricci.te | 2 +-
policy/modules/contrib/rlogin.te | 2 +-
policy/modules/contrib/rngd.te | 2 +-
policy/modules/contrib/rpc.te | 2 +-
policy/modules/contrib/rpcbind.te | 2 +-
policy/modules/contrib/rpm.te | 2 +-
policy/modules/contrib/rshd.te | 2 +-
policy/modules/contrib/rwho.te | 2 +-
policy/modules/contrib/samba.te | 2 +-
policy/modules/contrib/samhain.te | 2 +-
policy/modules/contrib/sanlock.te | 2 +-
policy/modules/contrib/sasl.te | 2 +-
policy/modules/contrib/sblim.te | 2 +-
policy/modules/contrib/sensord.te | 2 +-
policy/modules/contrib/setroubleshoot.te | 2 +-
policy/modules/contrib/shibboleth.te | 2 +-
policy/modules/contrib/shorewall.te | 2 +-
policy/modules/contrib/shutdown.te | 2 +-
policy/modules/contrib/slpd.te | 2 +-
policy/modules/contrib/smartmon.te | 2 +-
policy/modules/contrib/smokeping.te | 2 +-
policy/modules/contrib/smstools.te | 2 +-
policy/modules/contrib/snmp.te | 2 +-
policy/modules/contrib/snort.te | 2 +-
policy/modules/contrib/sosreport.te | 2 +-
policy/modules/contrib/soundserver.te | 2 +-
policy/modules/contrib/spamassassin.te | 2 +-
policy/modules/contrib/speedtouch.te | 2 +-
policy/modules/contrib/squid.te | 2 +-
policy/modules/contrib/sssd.te | 2 +-
policy/modules/contrib/sxid.te | 2 +-
policy/modules/contrib/tboot.te | 2 +-
policy/modules/contrib/tcpd.te | 2 +-
policy/modules/contrib/tcsd.te | 2 +-
policy/modules/contrib/telnet.te | 2 +-
policy/modules/contrib/tftp.te | 2 +-
policy/modules/contrib/tgtd.te | 2 +-
policy/modules/contrib/tmpreaper.te | 2 +-
policy/modules/contrib/transproxy.te | 2 +-
policy/modules/contrib/tripwire.te | 2 +-
policy/modules/contrib/tuned.te | 2 +-
policy/modules/contrib/tzdata.te | 2 +-
policy/modules/contrib/ulogd.te | 2 +-
policy/modules/contrib/updfstab.te | 2 +-
policy/modules/contrib/uptime.te | 2 +-
policy/modules/contrib/usbmodules.te | 2 +-
policy/modules/contrib/usbmuxd.te | 2 +-
policy/modules/contrib/userhelper.te | 2 +-
policy/modules/contrib/usernetctl.te | 2 +-
policy/modules/contrib/uucp.te | 2 +-
policy/modules/contrib/uuidd.te | 2 +-
policy/modules/contrib/varnishd.te | 2 +-
policy/modules/contrib/vbetool.te | 2 +-
policy/modules/contrib/vdagent.te | 2 +-
policy/modules/contrib/vhostmd.te | 2 +-
policy/modules/contrib/virt.te | 2 +-
policy/modules/contrib/vlock.te | 2 +-
policy/modules/contrib/vmware.te | 2 +-
policy/modules/contrib/vnstatd.te | 2 +-
policy/modules/contrib/vpn.te | 2 +-
policy/modules/contrib/watchdog.te | 2 +-
policy/modules/contrib/wdmd.te | 2 +-
policy/modules/contrib/xen.te | 2 +-
policy/modules/contrib/zabbix.te | 2 +-
policy/modules/contrib/zebra.te | 2 +-
policy/modules/contrib/zosremote.te | 2 +-
223 files changed, 223 insertions(+), 223 deletions(-)
diff --git a/policy/modules/contrib/abrt.te b/policy/modules/contrib/abrt.te
index 8c52ac9b..9fb4f3ff 100644
--- a/policy/modules/contrib/abrt.te
+++ b/policy/modules/contrib/abrt.te
@@ -1,4 +1,4 @@
-policy_module(abrt, 1.7.0)
+policy_module(abrt, 1.7.1)
########################################
#
diff --git a/policy/modules/contrib/acct.te b/policy/modules/contrib/acct.te
index fb2e1ebe..dfe0ec7c 100644
--- a/policy/modules/contrib/acct.te
+++ b/policy/modules/contrib/acct.te
@@ -1,4 +1,4 @@
-policy_module(acct, 1.7.2)
+policy_module(acct, 1.7.3)
########################################
#
diff --git a/policy/modules/contrib/acpi.te b/policy/modules/contrib/acpi.te
index 0cd3d884..083dfe92 100644
--- a/policy/modules/contrib/acpi.te
+++ b/policy/modules/contrib/acpi.te
@@ -1,4 +1,4 @@
-policy_module(acpi, 1.0.0)
+policy_module(acpi, 1.0.1)
########################################
#
diff --git a/policy/modules/contrib/afs.te b/policy/modules/contrib/afs.te
index b95757a5..8b7c7765 100644
--- a/policy/modules/contrib/afs.te
+++ b/policy/modules/contrib/afs.te
@@ -1,4 +1,4 @@
-policy_module(afs, 1.10.0)
+policy_module(afs, 1.10.1)
########################################
#
diff --git a/policy/modules/contrib/aiccu.te b/policy/modules/contrib/aiccu.te
index 6202f38c..a3ea7e6a 100644
--- a/policy/modules/contrib/aiccu.te
+++ b/policy/modules/contrib/aiccu.te
@@ -1,4 +1,4 @@
-policy_module(aiccu, 1.3.1)
+policy_module(aiccu, 1.3.2)
########################################
#
diff --git a/policy/modules/contrib/aisexec.te b/policy/modules/contrib/aisexec.te
index 06b61940..1e5dffe4 100644
--- a/policy/modules/contrib/aisexec.te
+++ b/policy/modules/contrib/aisexec.te
@@ -1,4 +1,4 @@
-policy_module(aisexec, 1.4.0)
+policy_module(aisexec, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/alsa.te b/policy/modules/contrib/alsa.te
index 6946ef0a..7654ae0e 100644
--- a/policy/modules/contrib/alsa.te
+++ b/policy/modules/contrib/alsa.te
@@ -1,4 +1,4 @@
-policy_module(alsa, 1.16.2)
+policy_module(alsa, 1.16.3)
########################################
#
diff --git a/policy/modules/contrib/amanda.te b/policy/modules/contrib/amanda.te
index ecf15211..6b058e02 100644
--- a/policy/modules/contrib/amanda.te
+++ b/policy/modules/contrib/amanda.te
@@ -1,4 +1,4 @@
-policy_module(amanda, 1.16.0)
+policy_module(amanda, 1.16.1)
#######################################
#
diff --git a/policy/modules/contrib/amavis.te b/policy/modules/contrib/amavis.te
index 44913b37..f0722742 100644
--- a/policy/modules/contrib/amavis.te
+++ b/policy/modules/contrib/amavis.te
@@ -1,4 +1,4 @@
-policy_module(amavis, 1.17.0)
+policy_module(amavis, 1.17.1)
########################################
#
diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index e69a6c9a..47e47b05 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -1,4 +1,4 @@
-policy_module(apache, 2.12.5)
+policy_module(apache, 2.12.6)
########################################
#
diff --git a/policy/modules/contrib/apcupsd.te b/policy/modules/contrib/apcupsd.te
index e1586b36..fcb60aa3 100644
--- a/policy/modules/contrib/apcupsd.te
+++ b/policy/modules/contrib/apcupsd.te
@@ -1,4 +1,4 @@
-policy_module(apcupsd, 1.12.1)
+policy_module(apcupsd, 1.12.2)
########################################
#
diff --git a/policy/modules/contrib/arpwatch.te b/policy/modules/contrib/arpwatch.te
index 8c1ded68..441c0f3c 100644
--- a/policy/modules/contrib/arpwatch.te
+++ b/policy/modules/contrib/arpwatch.te
@@ -1,4 +1,4 @@
-policy_module(arpwatch, 1.14.0)
+policy_module(arpwatch, 1.14.1)
########################################
#
diff --git a/policy/modules/contrib/asterisk.te b/policy/modules/contrib/asterisk.te
index 9c6a947f..3291031a 100644
--- a/policy/modules/contrib/asterisk.te
+++ b/policy/modules/contrib/asterisk.te
@@ -1,4 +1,4 @@
-policy_module(asterisk, 1.17.0)
+policy_module(asterisk, 1.17.1)
########################################
#
diff --git a/policy/modules/contrib/automount.te b/policy/modules/contrib/automount.te
index 09b82b0c..f99ecc18 100644
--- a/policy/modules/contrib/automount.te
+++ b/policy/modules/contrib/automount.te
@@ -1,4 +1,4 @@
-policy_module(automount, 1.18.0)
+policy_module(automount, 1.18.1)
########################################
#
diff --git a/policy/modules/contrib/avahi.te b/policy/modules/contrib/avahi.te
index b2e43eed..e38e0b09 100644
--- a/policy/modules/contrib/avahi.te
+++ b/policy/modules/contrib/avahi.te
@@ -1,4 +1,4 @@
-policy_module(avahi, 1.18.0)
+policy_module(avahi, 1.18.1)
########################################
#
diff --git a/policy/modules/contrib/bacula.te b/policy/modules/contrib/bacula.te
index 20b92c3f..aac922f7 100644
--- a/policy/modules/contrib/bacula.te
+++ b/policy/modules/contrib/bacula.te
@@ -1,4 +1,4 @@
-policy_module(bacula, 1.4.0)
+policy_module(bacula, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/bcfg2.te b/policy/modules/contrib/bcfg2.te
index 24e70b89..cc84cd9f 100644
--- a/policy/modules/contrib/bcfg2.te
+++ b/policy/modules/contrib/bcfg2.te
@@ -1,4 +1,4 @@
-policy_module(bcfg2, 1.3.0)
+policy_module(bcfg2, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/bind.te b/policy/modules/contrib/bind.te
index 25329fdb..2351e024 100644
--- a/policy/modules/contrib/bind.te
+++ b/policy/modules/contrib/bind.te
@@ -1,4 +1,4 @@
-policy_module(bind, 1.18.1)
+policy_module(bind, 1.18.2)
########################################
#
diff --git a/policy/modules/contrib/bird.te b/policy/modules/contrib/bird.te
index dcf8f0bd..27df06b2 100644
--- a/policy/modules/contrib/bird.te
+++ b/policy/modules/contrib/bird.te
@@ -1,4 +1,4 @@
-policy_module(bird, 1.3.0)
+policy_module(bird, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/bitlbee.te b/policy/modules/contrib/bitlbee.te
index 90ff0dc6..b30a5ec4 100644
--- a/policy/modules/contrib/bitlbee.te
+++ b/policy/modules/contrib/bitlbee.te
@@ -1,4 +1,4 @@
-policy_module(bitlbee, 1.7.1)
+policy_module(bitlbee, 1.7.2)
########################################
#
diff --git a/policy/modules/contrib/bluetooth.te b/policy/modules/contrib/bluetooth.te
index 75d739da..208a146b 100644
--- a/policy/modules/contrib/bluetooth.te
+++ b/policy/modules/contrib/bluetooth.te
@@ -1,4 +1,4 @@
-policy_module(bluetooth, 3.7.0)
+policy_module(bluetooth, 3.7.1)
########################################
#
diff --git a/policy/modules/contrib/brctl.te b/policy/modules/contrib/brctl.te
index fd789b5f..4582159b 100644
--- a/policy/modules/contrib/brctl.te
+++ b/policy/modules/contrib/brctl.te
@@ -1,4 +1,4 @@
-policy_module(brctl, 1.7.1)
+policy_module(brctl, 1.7.2)
########################################
#
diff --git a/policy/modules/contrib/cachefilesd.te b/policy/modules/contrib/cachefilesd.te
index c92149d1..954dc2a8 100644
--- a/policy/modules/contrib/cachefilesd.te
+++ b/policy/modules/contrib/cachefilesd.te
@@ -1,4 +1,4 @@
-policy_module(cachefilesd, 1.3.1)
+policy_module(cachefilesd, 1.3.2)
########################################
#
diff --git a/policy/modules/contrib/callweaver.te b/policy/modules/contrib/callweaver.te
index f9443343..6bf2d777 100644
--- a/policy/modules/contrib/callweaver.te
+++ b/policy/modules/contrib/callweaver.te
@@ -1,4 +1,4 @@
-policy_module(callweaver, 1.3.0)
+policy_module(callweaver, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/canna.te b/policy/modules/contrib/canna.te
index ea8f64b5..9fee410c 100644
--- a/policy/modules/contrib/canna.te
+++ b/policy/modules/contrib/canna.te
@@ -1,4 +1,4 @@
-policy_module(canna, 1.14.0)
+policy_module(canna, 1.14.1)
########################################
#
diff --git a/policy/modules/contrib/ccs.te b/policy/modules/contrib/ccs.te
index bc766e74..7da9d409 100644
--- a/policy/modules/contrib/ccs.te
+++ b/policy/modules/contrib/ccs.te
@@ -1,4 +1,4 @@
-policy_module(ccs, 1.10.1)
+policy_module(ccs, 1.10.2)
########################################
#
diff --git a/policy/modules/contrib/certmonger.te b/policy/modules/contrib/certmonger.te
index f6c9d20d..0770f117 100644
--- a/policy/modules/contrib/certmonger.te
+++ b/policy/modules/contrib/certmonger.te
@@ -1,4 +1,4 @@
-policy_module(certmonger, 1.5.0)
+policy_module(certmonger, 1.5.1)
########################################
#
diff --git a/policy/modules/contrib/cfengine.te b/policy/modules/contrib/cfengine.te
index c888ff23..d381792e 100644
--- a/policy/modules/contrib/cfengine.te
+++ b/policy/modules/contrib/cfengine.te
@@ -1,4 +1,4 @@
-policy_module(cfengine, 1.2.0)
+policy_module(cfengine, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/cgroup.te b/policy/modules/contrib/cgroup.te
index 3599d7a2..9705e1af 100644
--- a/policy/modules/contrib/cgroup.te
+++ b/policy/modules/contrib/cgroup.te
@@ -1,4 +1,4 @@
-policy_module(cgroup, 1.5.1)
+policy_module(cgroup, 1.5.2)
########################################
#
diff --git a/policy/modules/contrib/chronyd.te b/policy/modules/contrib/chronyd.te
index 618f6cf5..3e9a1c5b 100644
--- a/policy/modules/contrib/chronyd.te
+++ b/policy/modules/contrib/chronyd.te
@@ -1,4 +1,4 @@
-policy_module(chronyd, 1.4.0)
+policy_module(chronyd, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/cipe.te b/policy/modules/contrib/cipe.te
index 729d7820..8b31ca11 100644
--- a/policy/modules/contrib/cipe.te
+++ b/policy/modules/contrib/cipe.te
@@ -1,4 +1,4 @@
-policy_module(cipe, 1.7.0)
+policy_module(cipe, 1.7.1)
########################################
#
diff --git a/policy/modules/contrib/clamav.te b/policy/modules/contrib/clamav.te
index 11e568a6..5706540d 100644
--- a/policy/modules/contrib/clamav.te
+++ b/policy/modules/contrib/clamav.te
@@ -1,4 +1,4 @@
-policy_module(clamav, 1.14.1)
+policy_module(clamav, 1.14.2)
## <desc>
## <p>
diff --git a/policy/modules/contrib/clogd.te b/policy/modules/contrib/clogd.te
index b9a57b18..6a667109 100644
--- a/policy/modules/contrib/clogd.te
+++ b/policy/modules/contrib/clogd.te
@@ -1,4 +1,4 @@
-policy_module(clogd, 1.2.0)
+policy_module(clogd, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/cmirrord.te b/policy/modules/contrib/cmirrord.te
index ece1a1ce..22c88cfd 100644
--- a/policy/modules/contrib/cmirrord.te
+++ b/policy/modules/contrib/cmirrord.te
@@ -1,4 +1,4 @@
-policy_module(cmirrord, 1.3.0)
+policy_module(cmirrord, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/collectd.te b/policy/modules/contrib/collectd.te
index e9e6d135..4d375ce5 100644
--- a/policy/modules/contrib/collectd.te
+++ b/policy/modules/contrib/collectd.te
@@ -1,4 +1,4 @@
-policy_module(collectd, 1.3.0)
+policy_module(collectd, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/comsat.te b/policy/modules/contrib/comsat.te
index 9b7b3706..9a4a146e 100644
--- a/policy/modules/contrib/comsat.te
+++ b/policy/modules/contrib/comsat.te
@@ -1,4 +1,4 @@
-policy_module(comsat, 1.8.0)
+policy_module(comsat, 1.8.1)
########################################
#
diff --git a/policy/modules/contrib/condor.te b/policy/modules/contrib/condor.te
index fbb70249..18012be1 100644
--- a/policy/modules/contrib/condor.te
+++ b/policy/modules/contrib/condor.te
@@ -1,4 +1,4 @@
-policy_module(condor, 1.4.0)
+policy_module(condor, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/consolekit.te b/policy/modules/contrib/consolekit.te
index a2a51ba8..06451dff 100644
--- a/policy/modules/contrib/consolekit.te
+++ b/policy/modules/contrib/consolekit.te
@@ -1,4 +1,4 @@
-policy_module(consolekit, 1.12.0)
+policy_module(consolekit, 1.12.1)
########################################
#
diff --git a/policy/modules/contrib/corosync.te b/policy/modules/contrib/corosync.te
index 771582f0..c8ecef1c 100644
--- a/policy/modules/contrib/corosync.te
+++ b/policy/modules/contrib/corosync.te
@@ -1,4 +1,4 @@
-policy_module(corosync, 1.3.0)
+policy_module(corosync, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/courier.te b/policy/modules/contrib/courier.te
index 31ee1073..57ef751c 100644
--- a/policy/modules/contrib/courier.te
+++ b/policy/modules/contrib/courier.te
@@ -1,4 +1,4 @@
-policy_module(courier, 1.16.1)
+policy_module(courier, 1.16.2)
########################################
#
diff --git a/policy/modules/contrib/cpucontrol.te b/policy/modules/contrib/cpucontrol.te
index cff0e16c..0d255fce 100644
--- a/policy/modules/contrib/cpucontrol.te
+++ b/policy/modules/contrib/cpucontrol.te
@@ -1,4 +1,4 @@
-policy_module(cpucontrol, 1.6.1)
+policy_module(cpucontrol, 1.6.2)
########################################
#
diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te
index 15e6bdb4..49e58a0b 100644
--- a/policy/modules/contrib/cron.te
+++ b/policy/modules/contrib/cron.te
@@ -1,4 +1,4 @@
-policy_module(cron, 2.11.4)
+policy_module(cron, 2.11.5)
gen_require(`
class passwd rootok;
diff --git a/policy/modules/contrib/ctdb.te b/policy/modules/contrib/ctdb.te
index 4f9c3f06..e62f3912 100644
--- a/policy/modules/contrib/ctdb.te
+++ b/policy/modules/contrib/ctdb.te
@@ -1,4 +1,4 @@
-policy_module(ctdb, 1.4.0)
+policy_module(ctdb, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te
index 88a73ce4..2b81255f 100644
--- a/policy/modules/contrib/cups.te
+++ b/policy/modules/contrib/cups.te
@@ -1,4 +1,4 @@
-policy_module(cups, 1.21.4)
+policy_module(cups, 1.21.5)
########################################
#
diff --git a/policy/modules/contrib/dante.te b/policy/modules/contrib/dante.te
index 124f2c58..bcabb498 100644
--- a/policy/modules/contrib/dante.te
+++ b/policy/modules/contrib/dante.te
@@ -1,4 +1,4 @@
-policy_module(dante, 1.11.0)
+policy_module(dante, 1.11.1)
########################################
#
diff --git a/policy/modules/contrib/dbskk.te b/policy/modules/contrib/dbskk.te
index f55c4208..6b5a7471 100644
--- a/policy/modules/contrib/dbskk.te
+++ b/policy/modules/contrib/dbskk.te
@@ -1,4 +1,4 @@
-policy_module(dbskk, 1.6.0)
+policy_module(dbskk, 1.6.1)
########################################
#
diff --git a/policy/modules/contrib/dcc.te b/policy/modules/contrib/dcc.te
index 9b1c25e7..eb05bbda 100644
--- a/policy/modules/contrib/dcc.te
+++ b/policy/modules/contrib/dcc.te
@@ -1,4 +1,4 @@
-policy_module(dcc, 1.13.0)
+policy_module(dcc, 1.13.1)
########################################
#
diff --git a/policy/modules/contrib/ddclient.te b/policy/modules/contrib/ddclient.te
index 333d3094..6e3f3bd2 100644
--- a/policy/modules/contrib/ddclient.te
+++ b/policy/modules/contrib/ddclient.te
@@ -1,4 +1,4 @@
-policy_module(ddclient, 1.12.0)
+policy_module(ddclient, 1.12.1)
########################################
#
diff --git a/policy/modules/contrib/ddcprobe.te b/policy/modules/contrib/ddcprobe.te
index 8d1263ae..4e67816a 100644
--- a/policy/modules/contrib/ddcprobe.te
+++ b/policy/modules/contrib/ddcprobe.te
@@ -1,4 +1,4 @@
-policy_module(ddcprobe, 1.3.0)
+policy_module(ddcprobe, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/dhcp.te b/policy/modules/contrib/dhcp.te
index 2fbf84ed..77d18aee 100644
--- a/policy/modules/contrib/dhcp.te
+++ b/policy/modules/contrib/dhcp.te
@@ -1,4 +1,4 @@
-policy_module(dhcp, 1.14.0)
+policy_module(dhcp, 1.14.1)
########################################
#
diff --git a/policy/modules/contrib/dictd.te b/policy/modules/contrib/dictd.te
index c390b549..13947f21 100644
--- a/policy/modules/contrib/dictd.te
+++ b/policy/modules/contrib/dictd.te
@@ -1,4 +1,4 @@
-policy_module(dictd, 1.10.0)
+policy_module(dictd, 1.10.1)
########################################
#
diff --git a/policy/modules/contrib/dkim.te b/policy/modules/contrib/dkim.te
index 5ffc618b..2cb15e39 100644
--- a/policy/modules/contrib/dkim.te
+++ b/policy/modules/contrib/dkim.te
@@ -1,4 +1,4 @@
-policy_module(dkim, 1.5.1)
+policy_module(dkim, 1.5.2)
########################################
#
diff --git a/policy/modules/contrib/dmidecode.te b/policy/modules/contrib/dmidecode.te
index aa8e3e6d..93000a01 100644
--- a/policy/modules/contrib/dmidecode.te
+++ b/policy/modules/contrib/dmidecode.te
@@ -1,4 +1,4 @@
-policy_module(dmidecode, 1.6.0)
+policy_module(dmidecode, 1.6.1)
########################################
#
diff --git a/policy/modules/contrib/dnsmasq.te b/policy/modules/contrib/dnsmasq.te
index ee961ce2..e7278d0a 100644
--- a/policy/modules/contrib/dnsmasq.te
+++ b/policy/modules/contrib/dnsmasq.te
@@ -1,4 +1,4 @@
-policy_module(dnsmasq, 1.14.0)
+policy_module(dnsmasq, 1.14.1)
########################################
#
diff --git a/policy/modules/contrib/dnssectrigger.te b/policy/modules/contrib/dnssectrigger.te
index e6c58402..c48910d0 100644
--- a/policy/modules/contrib/dnssectrigger.te
+++ b/policy/modules/contrib/dnssectrigger.te
@@ -1,4 +1,4 @@
-policy_module(dnssectrigger, 1.3.0)
+policy_module(dnssectrigger, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/dovecot.te b/policy/modules/contrib/dovecot.te
index d18f9adc..208d9957 100644
--- a/policy/modules/contrib/dovecot.te
+++ b/policy/modules/contrib/dovecot.te
@@ -1,4 +1,4 @@
-policy_module(dovecot, 1.19.1)
+policy_module(dovecot, 1.19.2)
########################################
#
diff --git a/policy/modules/contrib/dphysswapfile.te b/policy/modules/contrib/dphysswapfile.te
index 5a308095..fe11baec 100644
--- a/policy/modules/contrib/dphysswapfile.te
+++ b/policy/modules/contrib/dphysswapfile.te
@@ -1,4 +1,4 @@
-policy_module(dphysswapfile, 1.0.2)
+policy_module(dphysswapfile, 1.0.3)
########################################
#
diff --git a/policy/modules/contrib/dpkg.te b/policy/modules/contrib/dpkg.te
index e781815d..730e38f6 100644
--- a/policy/modules/contrib/dpkg.te
+++ b/policy/modules/contrib/dpkg.te
@@ -1,4 +1,4 @@
-policy_module(dpkg, 1.11.7)
+policy_module(dpkg, 1.11.8)
########################################
#
diff --git a/policy/modules/contrib/drbd.te b/policy/modules/contrib/drbd.te
index 0d1e6366..e7907f2b 100644
--- a/policy/modules/contrib/drbd.te
+++ b/policy/modules/contrib/drbd.te
@@ -1,4 +1,4 @@
-policy_module(drbd, 1.2.1)
+policy_module(drbd, 1.2.2)
########################################
#
diff --git a/policy/modules/contrib/entropyd.te b/policy/modules/contrib/entropyd.te
index 991b6219..a788c570 100644
--- a/policy/modules/contrib/entropyd.te
+++ b/policy/modules/contrib/entropyd.te
@@ -1,4 +1,4 @@
-policy_module(entropyd, 1.11.0)
+policy_module(entropyd, 1.11.1)
########################################
#
diff --git a/policy/modules/contrib/exim.te b/policy/modules/contrib/exim.te
index 66421ff3..389aa302 100644
--- a/policy/modules/contrib/exim.te
+++ b/policy/modules/contrib/exim.te
@@ -1,4 +1,4 @@
-policy_module(exim, 1.10.0)
+policy_module(exim, 1.10.1)
########################################
#
diff --git a/policy/modules/contrib/fakehwclock.te b/policy/modules/contrib/fakehwclock.te
index 5caedf9f..5a6e57ca 100644
--- a/policy/modules/contrib/fakehwclock.te
+++ b/policy/modules/contrib/fakehwclock.te
@@ -1,4 +1,4 @@
-policy_module(fakehwclock, 1.0.1)
+policy_module(fakehwclock, 1.0.2)
########################################
#
diff --git a/policy/modules/contrib/fcoe.te b/policy/modules/contrib/fcoe.te
index 706874f3..20714983 100644
--- a/policy/modules/contrib/fcoe.te
+++ b/policy/modules/contrib/fcoe.te
@@ -1,4 +1,4 @@
-policy_module(fcoe, 1.3.0)
+policy_module(fcoe, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/finger.te b/policy/modules/contrib/finger.te
index d7fdd5eb..2619a20b 100644
--- a/policy/modules/contrib/finger.te
+++ b/policy/modules/contrib/finger.te
@@ -1,4 +1,4 @@
-policy_module(finger, 1.12.0)
+policy_module(finger, 1.12.1)
########################################
#
diff --git a/policy/modules/contrib/firewalld.te b/policy/modules/contrib/firewalld.te
index 70f5fb43..c05dff4e 100644
--- a/policy/modules/contrib/firewalld.te
+++ b/policy/modules/contrib/firewalld.te
@@ -1,4 +1,4 @@
-policy_module(firewalld, 1.5.1)
+policy_module(firewalld, 1.5.2)
########################################
#
diff --git a/policy/modules/contrib/firstboot.te b/policy/modules/contrib/firstboot.te
index e5c5ecdb..a1afc1b7 100644
--- a/policy/modules/contrib/firstboot.te
+++ b/policy/modules/contrib/firstboot.te
@@ -1,4 +1,4 @@
-policy_module(firstboot, 1.13.1)
+policy_module(firstboot, 1.13.2)
gen_require(`
class passwd { passwd chfn chsh rootok };
diff --git a/policy/modules/contrib/ftp.te b/policy/modules/contrib/ftp.te
index 7e81e249..f18dc97b 100644
--- a/policy/modules/contrib/ftp.te
+++ b/policy/modules/contrib/ftp.te
@@ -1,4 +1,4 @@
-policy_module(ftp, 1.20.0)
+policy_module(ftp, 1.20.1)
########################################
#
diff --git a/policy/modules/contrib/gatekeeper.te b/policy/modules/contrib/gatekeeper.te
index 01dc4562..504f10e4 100644
--- a/policy/modules/contrib/gatekeeper.te
+++ b/policy/modules/contrib/gatekeeper.te
@@ -1,4 +1,4 @@
-policy_module(gatekeeper, 1.10.0)
+policy_module(gatekeeper, 1.10.1)
########################################
#
diff --git a/policy/modules/contrib/glusterfs.te b/policy/modules/contrib/glusterfs.te
index 07bd10d7..c32ed752 100644
--- a/policy/modules/contrib/glusterfs.te
+++ b/policy/modules/contrib/glusterfs.te
@@ -1,4 +1,4 @@
-policy_module(glusterfs, 1.4.0)
+policy_module(glusterfs, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/gpm.te b/policy/modules/contrib/gpm.te
index 4e2b5f9c..4452e0e6 100644
--- a/policy/modules/contrib/gpm.te
+++ b/policy/modules/contrib/gpm.te
@@ -1,4 +1,4 @@
-policy_module(gpm, 1.11.1)
+policy_module(gpm, 1.11.2)
########################################
#
diff --git a/policy/modules/contrib/gpsd.te b/policy/modules/contrib/gpsd.te
index 6f4e8b79..20c377aa 100644
--- a/policy/modules/contrib/gpsd.te
+++ b/policy/modules/contrib/gpsd.te
@@ -1,4 +1,4 @@
-policy_module(gpsd, 1.4.0)
+policy_module(gpsd, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/hal.te b/policy/modules/contrib/hal.te
index 997f3e3b..bce0de22 100644
--- a/policy/modules/contrib/hal.te
+++ b/policy/modules/contrib/hal.te
@@ -1,4 +1,4 @@
-policy_module(hal, 1.17.2)
+policy_module(hal, 1.17.3)
########################################
#
diff --git a/policy/modules/contrib/hddtemp.te b/policy/modules/contrib/hddtemp.te
index 90b148ec..135d8844 100644
--- a/policy/modules/contrib/hddtemp.te
+++ b/policy/modules/contrib/hddtemp.te
@@ -1,4 +1,4 @@
-policy_module(hddtemp, 1.3.0)
+policy_module(hddtemp, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/hwloc.te b/policy/modules/contrib/hwloc.te
index 716a590e..e6d6e0ae 100644
--- a/policy/modules/contrib/hwloc.te
+++ b/policy/modules/contrib/hwloc.te
@@ -1,4 +1,4 @@
-policy_module(hwloc, 1.1.0)
+policy_module(hwloc, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/hypervkvp.te b/policy/modules/contrib/hypervkvp.te
index 5f3e48da..8af768a4 100644
--- a/policy/modules/contrib/hypervkvp.te
+++ b/policy/modules/contrib/hypervkvp.te
@@ -1,4 +1,4 @@
-policy_module(hypervkvp, 1.1.0)
+policy_module(hypervkvp, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/i18n_input.te b/policy/modules/contrib/i18n_input.te
index d1a42660..6cb963ca 100644
--- a/policy/modules/contrib/i18n_input.te
+++ b/policy/modules/contrib/i18n_input.te
@@ -1,4 +1,4 @@
-policy_module(i18n_input, 1.11.0)
+policy_module(i18n_input, 1.11.1)
########################################
#
diff --git a/policy/modules/contrib/ifplugd.te b/policy/modules/contrib/ifplugd.te
index 4f1223db..46cc865a 100644
--- a/policy/modules/contrib/ifplugd.te
+++ b/policy/modules/contrib/ifplugd.te
@@ -1,4 +1,4 @@
-policy_module(ifplugd, 1.3.0)
+policy_module(ifplugd, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/inetd.te b/policy/modules/contrib/inetd.te
index 70ecd1e5..678cacdf 100644
--- a/policy/modules/contrib/inetd.te
+++ b/policy/modules/contrib/inetd.te
@@ -1,4 +1,4 @@
-policy_module(inetd, 1.14.1)
+policy_module(inetd, 1.14.2)
########################################
#
diff --git a/policy/modules/contrib/inn.te b/policy/modules/contrib/inn.te
index dc5c007e..fd579875 100644
--- a/policy/modules/contrib/inn.te
+++ b/policy/modules/contrib/inn.te
@@ -1,4 +1,4 @@
-policy_module(inn, 1.13.0)
+policy_module(inn, 1.13.1)
########################################
#
diff --git a/policy/modules/contrib/iodine.te b/policy/modules/contrib/iodine.te
index b316ec5b..f0896487 100644
--- a/policy/modules/contrib/iodine.te
+++ b/policy/modules/contrib/iodine.te
@@ -1,4 +1,4 @@
-policy_module(iodine, 1.2.2)
+policy_module(iodine, 1.2.3)
########################################
#
diff --git a/policy/modules/contrib/ircd.te b/policy/modules/contrib/ircd.te
index 94c9c233..75aaa8f9 100644
--- a/policy/modules/contrib/ircd.te
+++ b/policy/modules/contrib/ircd.te
@@ -1,4 +1,4 @@
-policy_module(ircd, 1.10.0)
+policy_module(ircd, 1.10.1)
########################################
#
diff --git a/policy/modules/contrib/irqbalance.te b/policy/modules/contrib/irqbalance.te
index b8cea5ec..0c78171b 100644
--- a/policy/modules/contrib/irqbalance.te
+++ b/policy/modules/contrib/irqbalance.te
@@ -1,4 +1,4 @@
-policy_module(irqbalance, 1.9.0)
+policy_module(irqbalance, 1.9.1)
########################################
#
diff --git a/policy/modules/contrib/iscsi.te b/policy/modules/contrib/iscsi.te
index 8061f7ea..ebd7b255 100644
--- a/policy/modules/contrib/iscsi.te
+++ b/policy/modules/contrib/iscsi.te
@@ -1,4 +1,4 @@
-policy_module(iscsi, 1.11.1)
+policy_module(iscsi, 1.11.2)
########################################
#
diff --git a/policy/modules/contrib/isns.te b/policy/modules/contrib/isns.te
index 83356b97..1afc0a09 100644
--- a/policy/modules/contrib/isns.te
+++ b/policy/modules/contrib/isns.te
@@ -1,4 +1,4 @@
-policy_module(isns, 1.2.0)
+policy_module(isns, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/jabber.te b/policy/modules/contrib/jabber.te
index 36f603c3..954f3613 100644
--- a/policy/modules/contrib/jabber.te
+++ b/policy/modules/contrib/jabber.te
@@ -1,4 +1,4 @@
-policy_module(jabber, 1.12.1)
+policy_module(jabber, 1.12.2)
########################################
#
diff --git a/policy/modules/contrib/kdump.te b/policy/modules/contrib/kdump.te
index fb6f1378..659b3aeb 100644
--- a/policy/modules/contrib/kdump.te
+++ b/policy/modules/contrib/kdump.te
@@ -1,4 +1,4 @@
-policy_module(kdump, 1.5.2)
+policy_module(kdump, 1.5.3)
#######################################
#
diff --git a/policy/modules/contrib/kerberos.te b/policy/modules/contrib/kerberos.te
index d226156e..2c75d8ec 100644
--- a/policy/modules/contrib/kerberos.te
+++ b/policy/modules/contrib/kerberos.te
@@ -1,4 +1,4 @@
-policy_module(kerberos, 1.14.0)
+policy_module(kerberos, 1.14.1)
########################################
#
diff --git a/policy/modules/contrib/kerneloops.te b/policy/modules/contrib/kerneloops.te
index 58ee9516..f974f045 100644
--- a/policy/modules/contrib/kerneloops.te
+++ b/policy/modules/contrib/kerneloops.te
@@ -1,4 +1,4 @@
-policy_module(kerneloops, 1.6.2)
+policy_module(kerneloops, 1.6.3)
########################################
#
diff --git a/policy/modules/contrib/ksmtuned.te b/policy/modules/contrib/ksmtuned.te
index f03cf59a..bbfdb4c8 100644
--- a/policy/modules/contrib/ksmtuned.te
+++ b/policy/modules/contrib/ksmtuned.te
@@ -1,4 +1,4 @@
-policy_module(ksmtuned, 1.4.0)
+policy_module(ksmtuned, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/ktalk.te b/policy/modules/contrib/ktalk.te
index 52f3be7e..bcd12a05 100644
--- a/policy/modules/contrib/ktalk.te
+++ b/policy/modules/contrib/ktalk.te
@@ -1,4 +1,4 @@
-policy_module(ktalk, 1.10.0)
+policy_module(ktalk, 1.10.1)
########################################
#
diff --git a/policy/modules/contrib/kudzu.te b/policy/modules/contrib/kudzu.te
index b1696618..e893b789 100644
--- a/policy/modules/contrib/kudzu.te
+++ b/policy/modules/contrib/kudzu.te
@@ -1,4 +1,4 @@
-policy_module(kudzu, 1.12.2)
+policy_module(kudzu, 1.12.3)
########################################
#
diff --git a/policy/modules/contrib/l2tp.te b/policy/modules/contrib/l2tp.te
index b45a216f..a0f598e1 100644
--- a/policy/modules/contrib/l2tp.te
+++ b/policy/modules/contrib/l2tp.te
@@ -1,4 +1,4 @@
-policy_module(l2tp, 1.3.0)
+policy_module(l2tp, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/ldap.te b/policy/modules/contrib/ldap.te
index 023884ab..35a1ff33 100644
--- a/policy/modules/contrib/ldap.te
+++ b/policy/modules/contrib/ldap.te
@@ -1,4 +1,4 @@
-policy_module(ldap, 1.15.0)
+policy_module(ldap, 1.15.1)
########################################
#
diff --git a/policy/modules/contrib/likewise.te b/policy/modules/contrib/likewise.te
index 21d18a3c..a0673fd5 100644
--- a/policy/modules/contrib/likewise.te
+++ b/policy/modules/contrib/likewise.te
@@ -1,4 +1,4 @@
-policy_module(likewise, 1.5.0)
+policy_module(likewise, 1.5.1)
#################################
#
diff --git a/policy/modules/contrib/lircd.te b/policy/modules/contrib/lircd.te
index 88078024..1be40213 100644
--- a/policy/modules/contrib/lircd.te
+++ b/policy/modules/contrib/lircd.te
@@ -1,4 +1,4 @@
-policy_module(lircd, 1.4.0)
+policy_module(lircd, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/lldpad.te b/policy/modules/contrib/lldpad.te
index 803bf48f..b30a33d1 100644
--- a/policy/modules/contrib/lldpad.te
+++ b/policy/modules/contrib/lldpad.te
@@ -1,4 +1,4 @@
-policy_module(lldpad, 1.3.0)
+policy_module(lldpad, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/lockdev.te b/policy/modules/contrib/lockdev.te
index 61db5a0a..f60ee157 100644
--- a/policy/modules/contrib/lockdev.te
+++ b/policy/modules/contrib/lockdev.te
@@ -1,4 +1,4 @@
-policy_module(lockdev, 1.5.0)
+policy_module(lockdev, 1.5.1)
########################################
#
diff --git a/policy/modules/contrib/logrotate.te b/policy/modules/contrib/logrotate.te
index 1c63e097..b0176afb 100644
--- a/policy/modules/contrib/logrotate.te
+++ b/policy/modules/contrib/logrotate.te
@@ -1,4 +1,4 @@
-policy_module(logrotate, 1.18.3)
+policy_module(logrotate, 1.18.4)
########################################
#
diff --git a/policy/modules/contrib/logwatch.te b/policy/modules/contrib/logwatch.te
index d2b54207..0e115309 100644
--- a/policy/modules/contrib/logwatch.te
+++ b/policy/modules/contrib/logwatch.te
@@ -1,4 +1,4 @@
-policy_module(logwatch, 1.14.1)
+policy_module(logwatch, 1.14.2)
#################################
#
diff --git a/policy/modules/contrib/lpd.te b/policy/modules/contrib/lpd.te
index 8ebe2435..64fd6e50 100644
--- a/policy/modules/contrib/lpd.te
+++ b/policy/modules/contrib/lpd.te
@@ -1,4 +1,4 @@
-policy_module(lpd, 1.15.2)
+policy_module(lpd, 1.15.3)
########################################
#
diff --git a/policy/modules/contrib/mailscanner.te b/policy/modules/contrib/mailscanner.te
index d8dcb317..2da0a226 100644
--- a/policy/modules/contrib/mailscanner.te
+++ b/policy/modules/contrib/mailscanner.te
@@ -1,4 +1,4 @@
-policy_module(mailscanner, 1.3.0)
+policy_module(mailscanner, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/mcelog.te b/policy/modules/contrib/mcelog.te
index 8e62b7a8..d5e1cba0 100644
--- a/policy/modules/contrib/mcelog.te
+++ b/policy/modules/contrib/mcelog.te
@@ -1,4 +1,4 @@
-policy_module(mcelog, 1.5.0)
+policy_module(mcelog, 1.5.1)
########################################
#
diff --git a/policy/modules/contrib/milter.te b/policy/modules/contrib/milter.te
index 8295ca64..96c0c59d 100644
--- a/policy/modules/contrib/milter.te
+++ b/policy/modules/contrib/milter.te
@@ -1,4 +1,4 @@
-policy_module(milter, 1.6.1)
+policy_module(milter, 1.6.2)
########################################
#
diff --git a/policy/modules/contrib/minidlna.te b/policy/modules/contrib/minidlna.te
index 3ab4189d..7b8aa39d 100644
--- a/policy/modules/contrib/minidlna.te
+++ b/policy/modules/contrib/minidlna.te
@@ -1,4 +1,4 @@
-policy_module(minidlna, 1.1.0)
+policy_module(minidlna, 1.1.1)
#############################################
#
diff --git a/policy/modules/contrib/minissdpd.te b/policy/modules/contrib/minissdpd.te
index d16cdb1b..5145a16a 100644
--- a/policy/modules/contrib/minissdpd.te
+++ b/policy/modules/contrib/minissdpd.te
@@ -1,4 +1,4 @@
-policy_module(minissdpd, 1.3.0)
+policy_module(minissdpd, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/modemmanager.te b/policy/modules/contrib/modemmanager.te
index 20c99b63..b4236dd7 100644
--- a/policy/modules/contrib/modemmanager.te
+++ b/policy/modules/contrib/modemmanager.te
@@ -1,4 +1,4 @@
-policy_module(modemmanager, 1.4.0)
+policy_module(modemmanager, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/mon.te b/policy/modules/contrib/mon.te
index 0207d0ac..b8a92025 100644
--- a/policy/modules/contrib/mon.te
+++ b/policy/modules/contrib/mon.te
@@ -1,4 +1,4 @@
-policy_module(mon, 1.0.3)
+policy_module(mon, 1.0.4)
########################################
#
diff --git a/policy/modules/contrib/monop.te b/policy/modules/contrib/monop.te
index 091f315b..9337497d 100644
--- a/policy/modules/contrib/monop.te
+++ b/policy/modules/contrib/monop.te
@@ -1,4 +1,4 @@
-policy_module(monop, 1.10.0)
+policy_module(monop, 1.10.1)
########################################
#
diff --git a/policy/modules/contrib/mta.te b/policy/modules/contrib/mta.te
index caa21fb9..a330ed83 100644
--- a/policy/modules/contrib/mta.te
+++ b/policy/modules/contrib/mta.te
@@ -1,4 +1,4 @@
-policy_module(mta, 2.8.6)
+policy_module(mta, 2.8.7)
########################################
#
diff --git a/policy/modules/contrib/mysql.te b/policy/modules/contrib/mysql.te
index 6fe1ce56..04d9c9e9 100644
--- a/policy/modules/contrib/mysql.te
+++ b/policy/modules/contrib/mysql.te
@@ -1,4 +1,4 @@
-policy_module(mysql, 1.19.1)
+policy_module(mysql, 1.19.2)
########################################
#
diff --git a/policy/modules/contrib/nessus.te b/policy/modules/contrib/nessus.te
index e14a3f35..ba5114fa 100644
--- a/policy/modules/contrib/nessus.te
+++ b/policy/modules/contrib/nessus.te
@@ -1,4 +1,4 @@
-policy_module(nessus, 1.11.0)
+policy_module(nessus, 1.11.1)
########################################
#
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index c6d62977..1614b533 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -1,4 +1,4 @@
-policy_module(networkmanager, 1.20.5)
+policy_module(networkmanager, 1.20.6)
########################################
#
diff --git a/policy/modules/contrib/nis.te b/policy/modules/contrib/nis.te
index c49ecb0b..11a3bde2 100644
--- a/policy/modules/contrib/nis.te
+++ b/policy/modules/contrib/nis.te
@@ -1,4 +1,4 @@
-policy_module(nis, 1.15.1)
+policy_module(nis, 1.15.2)
########################################
#
diff --git a/policy/modules/contrib/nscd.te b/policy/modules/contrib/nscd.te
index dfd1adf8..93daee41 100644
--- a/policy/modules/contrib/nscd.te
+++ b/policy/modules/contrib/nscd.te
@@ -1,4 +1,4 @@
-policy_module(nscd, 1.15.0)
+policy_module(nscd, 1.15.1)
gen_require(`
class nscd all_nscd_perms;
diff --git a/policy/modules/contrib/nsd.te b/policy/modules/contrib/nsd.te
index 911aa8ca..8851506f 100644
--- a/policy/modules/contrib/nsd.te
+++ b/policy/modules/contrib/nsd.te
@@ -1,4 +1,4 @@
-policy_module(nsd, 1.10.0)
+policy_module(nsd, 1.10.1)
########################################
#
diff --git a/policy/modules/contrib/nslcd.te b/policy/modules/contrib/nslcd.te
index 30639e64..eb6ed983 100644
--- a/policy/modules/contrib/nslcd.te
+++ b/policy/modules/contrib/nslcd.te
@@ -1,4 +1,4 @@
-policy_module(nslcd, 1.7.0)
+policy_module(nslcd, 1.7.1)
########################################
#
diff --git a/policy/modules/contrib/ntop.te b/policy/modules/contrib/ntop.te
index 025f5d4a..1b5251a5 100644
--- a/policy/modules/contrib/ntop.te
+++ b/policy/modules/contrib/ntop.te
@@ -1,4 +1,4 @@
-policy_module(ntop, 1.12.0)
+policy_module(ntop, 1.12.1)
########################################
#
diff --git a/policy/modules/contrib/ntp.te b/policy/modules/contrib/ntp.te
index 89b31bf3..cbd5fd18 100644
--- a/policy/modules/contrib/ntp.te
+++ b/policy/modules/contrib/ntp.te
@@ -1,4 +1,4 @@
-policy_module(ntp, 1.16.4)
+policy_module(ntp, 1.16.5)
########################################
#
diff --git a/policy/modules/contrib/nut.te b/policy/modules/contrib/nut.te
index d38ced7b..0a12ac89 100644
--- a/policy/modules/contrib/nut.te
+++ b/policy/modules/contrib/nut.te
@@ -1,4 +1,4 @@
-policy_module(nut, 1.6.1)
+policy_module(nut, 1.6.2)
########################################
#
diff --git a/policy/modules/contrib/oav.te b/policy/modules/contrib/oav.te
index b09c4c41..4a171f13 100644
--- a/policy/modules/contrib/oav.te
+++ b/policy/modules/contrib/oav.te
@@ -1,4 +1,4 @@
-policy_module(oav, 1.10.0)
+policy_module(oav, 1.10.1)
########################################
#
diff --git a/policy/modules/contrib/oddjob.te b/policy/modules/contrib/oddjob.te
index 507d6d24..dd34cec0 100644
--- a/policy/modules/contrib/oddjob.te
+++ b/policy/modules/contrib/oddjob.te
@@ -1,4 +1,4 @@
-policy_module(oddjob, 1.11.1)
+policy_module(oddjob, 1.11.2)
########################################
#
diff --git a/policy/modules/contrib/oident.te b/policy/modules/contrib/oident.te
index c1f42dc1..6d19804e 100644
--- a/policy/modules/contrib/oident.te
+++ b/policy/modules/contrib/oident.te
@@ -1,4 +1,4 @@
-policy_module(oident, 2.4.0)
+policy_module(oident, 2.4.1)
########################################
#
diff --git a/policy/modules/contrib/openct.te b/policy/modules/contrib/openct.te
index 5002e6ac..c4157e74 100644
--- a/policy/modules/contrib/openct.te
+++ b/policy/modules/contrib/openct.te
@@ -1,4 +1,4 @@
-policy_module(openct, 1.9.0)
+policy_module(openct, 1.9.1)
########################################
#
diff --git a/policy/modules/contrib/openhpi.te b/policy/modules/contrib/openhpi.te
index ea840550..d33d901a 100644
--- a/policy/modules/contrib/openhpi.te
+++ b/policy/modules/contrib/openhpi.te
@@ -1,4 +1,4 @@
-policy_module(openhpi, 1.3.0)
+policy_module(openhpi, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/openvpn.te b/policy/modules/contrib/openvpn.te
index 54170a62..49c3dc0e 100644
--- a/policy/modules/contrib/openvpn.te
+++ b/policy/modules/contrib/openvpn.te
@@ -1,4 +1,4 @@
-policy_module(openvpn, 1.15.1)
+policy_module(openvpn, 1.15.2)
########################################
#
diff --git a/policy/modules/contrib/pacemaker.te b/policy/modules/contrib/pacemaker.te
index 218470bb..d5509e77 100644
--- a/policy/modules/contrib/pacemaker.te
+++ b/policy/modules/contrib/pacemaker.te
@@ -1,4 +1,4 @@
-policy_module(pacemaker, 1.3.0)
+policy_module(pacemaker, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/pcmcia.te b/policy/modules/contrib/pcmcia.te
index 5d8ccb2f..63a42663 100644
--- a/policy/modules/contrib/pcmcia.te
+++ b/policy/modules/contrib/pcmcia.te
@@ -1,4 +1,4 @@
-policy_module(pcmcia, 1.8.2)
+policy_module(pcmcia, 1.8.3)
########################################
#
diff --git a/policy/modules/contrib/pcscd.te b/policy/modules/contrib/pcscd.te
index e33dc6b6..1b3b1302 100644
--- a/policy/modules/contrib/pcscd.te
+++ b/policy/modules/contrib/pcscd.te
@@ -1,4 +1,4 @@
-policy_module(pcscd, 1.12.0)
+policy_module(pcscd, 1.12.1)
########################################
#
diff --git a/policy/modules/contrib/pegasus.te b/policy/modules/contrib/pegasus.te
index b2138295..1648e483 100644
--- a/policy/modules/contrib/pegasus.te
+++ b/policy/modules/contrib/pegasus.te
@@ -1,4 +1,4 @@
-policy_module(pegasus, 1.12.0)
+policy_module(pegasus, 1.12.1)
########################################
#
diff --git a/policy/modules/contrib/perdition.te b/policy/modules/contrib/perdition.te
index 2975c2cc..42df124f 100644
--- a/policy/modules/contrib/perdition.te
+++ b/policy/modules/contrib/perdition.te
@@ -1,4 +1,4 @@
-policy_module(perdition, 1.10.1)
+policy_module(perdition, 1.10.2)
########################################
#
diff --git a/policy/modules/contrib/pingd.te b/policy/modules/contrib/pingd.te
index fbe72918..6614fd9e 100644
--- a/policy/modules/contrib/pingd.te
+++ b/policy/modules/contrib/pingd.te
@@ -1,4 +1,4 @@
-policy_module(pingd, 1.2.0)
+policy_module(pingd, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/pkcs.te b/policy/modules/contrib/pkcs.te
index b10f18e7..eeb4bacd 100644
--- a/policy/modules/contrib/pkcs.te
+++ b/policy/modules/contrib/pkcs.te
@@ -1,4 +1,4 @@
-policy_module(pkcs, 1.3.0)
+policy_module(pkcs, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/plymouthd.te b/policy/modules/contrib/plymouthd.te
index 6c73283c..71467854 100644
--- a/policy/modules/contrib/plymouthd.te
+++ b/policy/modules/contrib/plymouthd.te
@@ -1,4 +1,4 @@
-policy_module(plymouthd, 1.4.2)
+policy_module(plymouthd, 1.4.3)
########################################
#
diff --git a/policy/modules/contrib/portmap.te b/policy/modules/contrib/portmap.te
index 2a8c850b..b894502e 100644
--- a/policy/modules/contrib/portmap.te
+++ b/policy/modules/contrib/portmap.te
@@ -1,4 +1,4 @@
-policy_module(portmap, 1.13.1)
+policy_module(portmap, 1.13.2)
########################################
#
diff --git a/policy/modules/contrib/portreserve.te b/policy/modules/contrib/portreserve.te
index a09698ce..298d5905 100644
--- a/policy/modules/contrib/portreserve.te
+++ b/policy/modules/contrib/portreserve.te
@@ -1,4 +1,4 @@
-policy_module(portreserve, 1.6.1)
+policy_module(portreserve, 1.6.2)
########################################
#
diff --git a/policy/modules/contrib/portslave.te b/policy/modules/contrib/portslave.te
index b34887c9..217bebaf 100644
--- a/policy/modules/contrib/portslave.te
+++ b/policy/modules/contrib/portslave.te
@@ -1,4 +1,4 @@
-policy_module(portslave, 1.8.0)
+policy_module(portslave, 1.8.1)
########################################
#
diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te
index 1b562bab..33f2cdd1 100644
--- a/policy/modules/contrib/postfix.te
+++ b/policy/modules/contrib/postfix.te
@@ -1,4 +1,4 @@
-policy_module(postfix, 1.17.2)
+policy_module(postfix, 1.17.3)
########################################
#
diff --git a/policy/modules/contrib/postfixpolicyd.te b/policy/modules/contrib/postfixpolicyd.te
index be84e714..082b2a06 100644
--- a/policy/modules/contrib/postfixpolicyd.te
+++ b/policy/modules/contrib/postfixpolicyd.te
@@ -1,4 +1,4 @@
-policy_module(postfixpolicyd, 1.5.1)
+policy_module(postfixpolicyd, 1.5.2)
########################################
#
diff --git a/policy/modules/contrib/postgrey.te b/policy/modules/contrib/postgrey.te
index 4fe73487..0628a4e5 100644
--- a/policy/modules/contrib/postgrey.te
+++ b/policy/modules/contrib/postgrey.te
@@ -1,4 +1,4 @@
-policy_module(postgrey, 1.11.1)
+policy_module(postgrey, 1.11.2)
########################################
#
diff --git a/policy/modules/contrib/ppp.te b/policy/modules/contrib/ppp.te
index 6d34d7b7..8f05b2d6 100644
--- a/policy/modules/contrib/ppp.te
+++ b/policy/modules/contrib/ppp.te
@@ -1,4 +1,4 @@
-policy_module(ppp, 1.17.2)
+policy_module(ppp, 1.17.3)
########################################
#
diff --git a/policy/modules/contrib/prelink.te b/policy/modules/contrib/prelink.te
index 784b81ae..3198c925 100644
--- a/policy/modules/contrib/prelink.te
+++ b/policy/modules/contrib/prelink.te
@@ -1,4 +1,4 @@
-policy_module(prelink, 1.11.1)
+policy_module(prelink, 1.11.2)
########################################
#
diff --git a/policy/modules/contrib/prelude.te b/policy/modules/contrib/prelude.te
index 4f14f0b6..5c8efc5d 100644
--- a/policy/modules/contrib/prelude.te
+++ b/policy/modules/contrib/prelude.te
@@ -1,4 +1,4 @@
-policy_module(prelude, 1.7.1)
+policy_module(prelude, 1.7.2)
########################################
#
diff --git a/policy/modules/contrib/privoxy.te b/policy/modules/contrib/privoxy.te
index ce344917..5205da69 100644
--- a/policy/modules/contrib/privoxy.te
+++ b/policy/modules/contrib/privoxy.te
@@ -1,4 +1,4 @@
-policy_module(privoxy, 1.14.0)
+policy_module(privoxy, 1.14.1)
########################################
#
diff --git a/policy/modules/contrib/psad.te b/policy/modules/contrib/psad.te
index b94e44a9..53fc70b2 100644
--- a/policy/modules/contrib/psad.te
+++ b/policy/modules/contrib/psad.te
@@ -1,4 +1,4 @@
-policy_module(psad, 1.4.0)
+policy_module(psad, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/pxe.te b/policy/modules/contrib/pxe.te
index 8694d852..c9ef2a2c 100644
--- a/policy/modules/contrib/pxe.te
+++ b/policy/modules/contrib/pxe.te
@@ -1,4 +1,4 @@
-policy_module(pxe, 1.7.0)
+policy_module(pxe, 1.7.1)
########################################
#
diff --git a/policy/modules/contrib/qmail.te b/policy/modules/contrib/qmail.te
index 455f2c0e..99b31343 100644
--- a/policy/modules/contrib/qmail.te
+++ b/policy/modules/contrib/qmail.te
@@ -1,4 +1,4 @@
-policy_module(qmail, 1.7.0)
+policy_module(qmail, 1.7.1)
########################################
#
diff --git a/policy/modules/contrib/qpid.te b/policy/modules/contrib/qpid.te
index edae1871..4a7e0bf9 100644
--- a/policy/modules/contrib/qpid.te
+++ b/policy/modules/contrib/qpid.te
@@ -1,4 +1,4 @@
-policy_module(qpid, 1.3.0)
+policy_module(qpid, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/quota.te b/policy/modules/contrib/quota.te
index 95fc0aa3..6100ff21 100644
--- a/policy/modules/contrib/quota.te
+++ b/policy/modules/contrib/quota.te
@@ -1,4 +1,4 @@
-policy_module(quota, 1.9.1)
+policy_module(quota, 1.9.2)
########################################
#
diff --git a/policy/modules/contrib/radius.te b/policy/modules/contrib/radius.te
index bbe4e1ce..0d3a0c57 100644
--- a/policy/modules/contrib/radius.te
+++ b/policy/modules/contrib/radius.te
@@ -1,4 +1,4 @@
-policy_module(radius, 1.15.0)
+policy_module(radius, 1.15.1)
########################################
#
diff --git a/policy/modules/contrib/radvd.te b/policy/modules/contrib/radvd.te
index 41df3b57..b9972ee5 100644
--- a/policy/modules/contrib/radvd.te
+++ b/policy/modules/contrib/radvd.te
@@ -1,4 +1,4 @@
-policy_module(radvd, 1.16.0)
+policy_module(radvd, 1.16.1)
########################################
#
diff --git a/policy/modules/contrib/raid.te b/policy/modules/contrib/raid.te
index 49c7dbb4..011b2967 100644
--- a/policy/modules/contrib/raid.te
+++ b/policy/modules/contrib/raid.te
@@ -1,4 +1,4 @@
-policy_module(raid, 1.17.1)
+policy_module(raid, 1.17.2)
########################################
#
diff --git a/policy/modules/contrib/rdisc.te b/policy/modules/contrib/rdisc.te
index ea6d2d92..d4b488de 100644
--- a/policy/modules/contrib/rdisc.te
+++ b/policy/modules/contrib/rdisc.te
@@ -1,4 +1,4 @@
-policy_module(rdisc, 1.8.1)
+policy_module(rdisc, 1.8.2)
########################################
#
diff --git a/policy/modules/contrib/readahead.te b/policy/modules/contrib/readahead.te
index ec587591..e70c52a6 100644
--- a/policy/modules/contrib/readahead.te
+++ b/policy/modules/contrib/readahead.te
@@ -1,4 +1,4 @@
-policy_module(readahead, 1.15.1)
+policy_module(readahead, 1.15.2)
########################################
#
diff --git a/policy/modules/contrib/redis.te b/policy/modules/contrib/redis.te
index b5162055..362cc355 100644
--- a/policy/modules/contrib/redis.te
+++ b/policy/modules/contrib/redis.te
@@ -1,4 +1,4 @@
-policy_module(redis, 1.4.0)
+policy_module(redis, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/resmgr.te b/policy/modules/contrib/resmgr.te
index 25e40670..3fce4733 100644
--- a/policy/modules/contrib/resmgr.te
+++ b/policy/modules/contrib/resmgr.te
@@ -1,4 +1,4 @@
-policy_module(resmgr, 1.5.1)
+policy_module(resmgr, 1.5.2)
########################################
#
diff --git a/policy/modules/contrib/rgmanager.te b/policy/modules/contrib/rgmanager.te
index 905c3d44..e63c628f 100644
--- a/policy/modules/contrib/rgmanager.te
+++ b/policy/modules/contrib/rgmanager.te
@@ -1,4 +1,4 @@
-policy_module(rgmanager, 1.6.0)
+policy_module(rgmanager, 1.6.1)
########################################
#
diff --git a/policy/modules/contrib/rhcs.te b/policy/modules/contrib/rhcs.te
index 85a3a066..2cf91164 100644
--- a/policy/modules/contrib/rhcs.te
+++ b/policy/modules/contrib/rhcs.te
@@ -1,4 +1,4 @@
-policy_module(rhcs, 1.6.0)
+policy_module(rhcs, 1.6.1)
########################################
#
diff --git a/policy/modules/contrib/ricci.te b/policy/modules/contrib/ricci.te
index e576ff12..f2e9c806 100644
--- a/policy/modules/contrib/ricci.te
+++ b/policy/modules/contrib/ricci.te
@@ -1,4 +1,4 @@
-policy_module(ricci, 1.10.1)
+policy_module(ricci, 1.10.2)
########################################
#
diff --git a/policy/modules/contrib/rlogin.te b/policy/modules/contrib/rlogin.te
index 94d41e81..fa544703 100644
--- a/policy/modules/contrib/rlogin.te
+++ b/policy/modules/contrib/rlogin.te
@@ -1,4 +1,4 @@
-policy_module(rlogin, 1.12.0)
+policy_module(rlogin, 1.12.1)
########################################
#
diff --git a/policy/modules/contrib/rngd.te b/policy/modules/contrib/rngd.te
index ee1f1349..6f41db77 100644
--- a/policy/modules/contrib/rngd.te
+++ b/policy/modules/contrib/rngd.te
@@ -1,4 +1,4 @@
-policy_module(rngd, 1.4.0)
+policy_module(rngd, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
index 0b9a71fc..a8a83400 100644
--- a/policy/modules/contrib/rpc.te
+++ b/policy/modules/contrib/rpc.te
@@ -1,4 +1,4 @@
-policy_module(rpc, 1.19.2)
+policy_module(rpc, 1.19.3)
########################################
#
diff --git a/policy/modules/contrib/rpcbind.te b/policy/modules/contrib/rpcbind.te
index abe55b18..75b5725f 100644
--- a/policy/modules/contrib/rpcbind.te
+++ b/policy/modules/contrib/rpcbind.te
@@ -1,4 +1,4 @@
-policy_module(rpcbind, 1.11.2)
+policy_module(rpcbind, 1.11.3)
########################################
#
diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te
index 2e3596b0..2dcf018c 100644
--- a/policy/modules/contrib/rpm.te
+++ b/policy/modules/contrib/rpm.te
@@ -1,4 +1,4 @@
-policy_module(rpm, 1.19.2)
+policy_module(rpm, 1.19.3)
########################################
#
diff --git a/policy/modules/contrib/rshd.te b/policy/modules/contrib/rshd.te
index 78a8f3c7..4cff9508 100644
--- a/policy/modules/contrib/rshd.te
+++ b/policy/modules/contrib/rshd.te
@@ -1,4 +1,4 @@
-policy_module(rshd, 1.9.1)
+policy_module(rshd, 1.9.2)
########################################
#
diff --git a/policy/modules/contrib/rwho.te b/policy/modules/contrib/rwho.te
index 0cd90acd..9b731982 100644
--- a/policy/modules/contrib/rwho.te
+++ b/policy/modules/contrib/rwho.te
@@ -1,4 +1,4 @@
-policy_module(rwho, 1.8.0)
+policy_module(rwho, 1.8.1)
########################################
#
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
index 06323b49..2bde1870 100644
--- a/policy/modules/contrib/samba.te
+++ b/policy/modules/contrib/samba.te
@@ -1,4 +1,4 @@
-policy_module(samba, 1.20.1)
+policy_module(samba, 1.20.2)
#################################
#
diff --git a/policy/modules/contrib/samhain.te b/policy/modules/contrib/samhain.te
index 9618e95c..20972aa3 100644
--- a/policy/modules/contrib/samhain.te
+++ b/policy/modules/contrib/samhain.te
@@ -1,4 +1,4 @@
-policy_module(samhain, 1.4.1)
+policy_module(samhain, 1.4.2)
########################################
#
diff --git a/policy/modules/contrib/sanlock.te b/policy/modules/contrib/sanlock.te
index fccc1c29..b818f2b6 100644
--- a/policy/modules/contrib/sanlock.te
+++ b/policy/modules/contrib/sanlock.te
@@ -1,4 +1,4 @@
-policy_module(sanlock, 1.3.0)
+policy_module(sanlock, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/sasl.te b/policy/modules/contrib/sasl.te
index 235a66d8..daf996eb 100644
--- a/policy/modules/contrib/sasl.te
+++ b/policy/modules/contrib/sasl.te
@@ -1,4 +1,4 @@
-policy_module(sasl, 1.18.0)
+policy_module(sasl, 1.18.1)
########################################
#
diff --git a/policy/modules/contrib/sblim.te b/policy/modules/contrib/sblim.te
index 77632c25..9a901bd5 100644
--- a/policy/modules/contrib/sblim.te
+++ b/policy/modules/contrib/sblim.te
@@ -1,4 +1,4 @@
-policy_module(sblim, 1.3.0)
+policy_module(sblim, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/sensord.te b/policy/modules/contrib/sensord.te
index f5d4288a..572bf7cf 100644
--- a/policy/modules/contrib/sensord.te
+++ b/policy/modules/contrib/sensord.te
@@ -1,4 +1,4 @@
-policy_module(sensord, 1.2.0)
+policy_module(sensord, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/setroubleshoot.te b/policy/modules/contrib/setroubleshoot.te
index 68f546fe..2d8adf9e 100644
--- a/policy/modules/contrib/setroubleshoot.te
+++ b/policy/modules/contrib/setroubleshoot.te
@@ -1,4 +1,4 @@
-policy_module(setroubleshoot, 1.15.0)
+policy_module(setroubleshoot, 1.15.1)
########################################
#
diff --git a/policy/modules/contrib/shibboleth.te b/policy/modules/contrib/shibboleth.te
index 0d742041..7ed9e3f9 100644
--- a/policy/modules/contrib/shibboleth.te
+++ b/policy/modules/contrib/shibboleth.te
@@ -1,4 +1,4 @@
-policy_module(shibboleth, 1.2.0)
+policy_module(shibboleth, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/shorewall.te b/policy/modules/contrib/shorewall.te
index e7249426..a56cab4a 100644
--- a/policy/modules/contrib/shorewall.te
+++ b/policy/modules/contrib/shorewall.te
@@ -1,4 +1,4 @@
-policy_module(shorewall, 1.6.2)
+policy_module(shorewall, 1.6.3)
########################################
#
diff --git a/policy/modules/contrib/shutdown.te b/policy/modules/contrib/shutdown.te
index 0e38114a..881f6c1f 100644
--- a/policy/modules/contrib/shutdown.te
+++ b/policy/modules/contrib/shutdown.te
@@ -1,4 +1,4 @@
-policy_module(shutdown, 1.4.2)
+policy_module(shutdown, 1.4.3)
########################################
#
diff --git a/policy/modules/contrib/slpd.te b/policy/modules/contrib/slpd.te
index f4f1edfd..116f3e35 100644
--- a/policy/modules/contrib/slpd.te
+++ b/policy/modules/contrib/slpd.te
@@ -1,4 +1,4 @@
-policy_module(slpd, 1.3.0)
+policy_module(slpd, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/smartmon.te b/policy/modules/contrib/smartmon.te
index 1ad706c7..74925838 100644
--- a/policy/modules/contrib/smartmon.te
+++ b/policy/modules/contrib/smartmon.te
@@ -1,4 +1,4 @@
-policy_module(smartmon, 1.14.1)
+policy_module(smartmon, 1.14.2)
########################################
#
diff --git a/policy/modules/contrib/smokeping.te b/policy/modules/contrib/smokeping.te
index cc19c38d..ed86ad9a 100644
--- a/policy/modules/contrib/smokeping.te
+++ b/policy/modules/contrib/smokeping.te
@@ -1,4 +1,4 @@
-policy_module(smokeping, 1.4.0)
+policy_module(smokeping, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/smstools.te b/policy/modules/contrib/smstools.te
index 55096f6a..e18a79b6 100644
--- a/policy/modules/contrib/smstools.te
+++ b/policy/modules/contrib/smstools.te
@@ -1,4 +1,4 @@
-policy_module(smstools, 1.2.0)
+policy_module(smstools, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/snmp.te b/policy/modules/contrib/snmp.te
index fe37b52d..134094e8 100644
--- a/policy/modules/contrib/snmp.te
+++ b/policy/modules/contrib/snmp.te
@@ -1,4 +1,4 @@
-policy_module(snmp, 1.16.0)
+policy_module(snmp, 1.16.1)
########################################
#
diff --git a/policy/modules/contrib/snort.te b/policy/modules/contrib/snort.te
index 536efd00..6ccb88d2 100644
--- a/policy/modules/contrib/snort.te
+++ b/policy/modules/contrib/snort.te
@@ -1,4 +1,4 @@
-policy_module(snort, 1.14.0)
+policy_module(snort, 1.14.1)
########################################
#
diff --git a/policy/modules/contrib/sosreport.te b/policy/modules/contrib/sosreport.te
index 940f220a..0adbde7e 100644
--- a/policy/modules/contrib/sosreport.te
+++ b/policy/modules/contrib/sosreport.te
@@ -1,4 +1,4 @@
-policy_module(sosreport, 1.4.0)
+policy_module(sosreport, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/soundserver.te b/policy/modules/contrib/soundserver.te
index 5b8bd927..18386afd 100644
--- a/policy/modules/contrib/soundserver.te
+++ b/policy/modules/contrib/soundserver.te
@@ -1,4 +1,4 @@
-policy_module(soundserver, 1.11.0)
+policy_module(soundserver, 1.11.1)
########################################
#
diff --git a/policy/modules/contrib/spamassassin.te b/policy/modules/contrib/spamassassin.te
index 2f770d2d..74d30072 100644
--- a/policy/modules/contrib/spamassassin.te
+++ b/policy/modules/contrib/spamassassin.te
@@ -1,4 +1,4 @@
-policy_module(spamassassin, 2.10.1)
+policy_module(spamassassin, 2.10.2)
########################################
#
diff --git a/policy/modules/contrib/speedtouch.te b/policy/modules/contrib/speedtouch.te
index 70dcf8d4..e91ca9e4 100644
--- a/policy/modules/contrib/speedtouch.te
+++ b/policy/modules/contrib/speedtouch.te
@@ -1,4 +1,4 @@
-policy_module(speedtouch, 1.6.0)
+policy_module(speedtouch, 1.6.1)
#######################################
#
diff --git a/policy/modules/contrib/squid.te b/policy/modules/contrib/squid.te
index f4fd15e8..626e10bc 100644
--- a/policy/modules/contrib/squid.te
+++ b/policy/modules/contrib/squid.te
@@ -1,4 +1,4 @@
-policy_module(squid, 1.15.1)
+policy_module(squid, 1.15.2)
########################################
#
diff --git a/policy/modules/contrib/sssd.te b/policy/modules/contrib/sssd.te
index e273c904..2e9b28ac 100644
--- a/policy/modules/contrib/sssd.te
+++ b/policy/modules/contrib/sssd.te
@@ -1,4 +1,4 @@
-policy_module(sssd, 1.4.0)
+policy_module(sssd, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/sxid.te b/policy/modules/contrib/sxid.te
index 010c40ce..3c9f9a73 100644
--- a/policy/modules/contrib/sxid.te
+++ b/policy/modules/contrib/sxid.te
@@ -1,4 +1,4 @@
-policy_module(sxid, 1.8.0)
+policy_module(sxid, 1.8.1)
########################################
#
diff --git a/policy/modules/contrib/tboot.te b/policy/modules/contrib/tboot.te
index 4961a362..02bae3b7 100644
--- a/policy/modules/contrib/tboot.te
+++ b/policy/modules/contrib/tboot.te
@@ -1,4 +1,4 @@
-policy_module(tboot, 1.0.0)
+policy_module(tboot, 1.0.1)
########################################
#
diff --git a/policy/modules/contrib/tcpd.te b/policy/modules/contrib/tcpd.te
index 2d6d2c23..32485347 100644
--- a/policy/modules/contrib/tcpd.te
+++ b/policy/modules/contrib/tcpd.te
@@ -1,4 +1,4 @@
-policy_module(tcpd, 1.5.0)
+policy_module(tcpd, 1.5.1)
########################################
#
diff --git a/policy/modules/contrib/tcsd.te b/policy/modules/contrib/tcsd.te
index ca98bf86..36434768 100644
--- a/policy/modules/contrib/tcsd.te
+++ b/policy/modules/contrib/tcsd.te
@@ -1,4 +1,4 @@
-policy_module(tcsd, 1.3.0)
+policy_module(tcsd, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/telnet.te b/policy/modules/contrib/telnet.te
index 6007d763..f0da2757 100644
--- a/policy/modules/contrib/telnet.te
+++ b/policy/modules/contrib/telnet.te
@@ -1,4 +1,4 @@
-policy_module(telnet, 1.12.0)
+policy_module(telnet, 1.12.1)
########################################
#
diff --git a/policy/modules/contrib/tftp.te b/policy/modules/contrib/tftp.te
index cfaa2a19..02dfb404 100644
--- a/policy/modules/contrib/tftp.te
+++ b/policy/modules/contrib/tftp.te
@@ -1,4 +1,4 @@
-policy_module(tftp, 1.13.0)
+policy_module(tftp, 1.13.1)
########################################
#
diff --git a/policy/modules/contrib/tgtd.te b/policy/modules/contrib/tgtd.te
index c3761188..d21cf4b4 100644
--- a/policy/modules/contrib/tgtd.te
+++ b/policy/modules/contrib/tgtd.te
@@ -1,4 +1,4 @@
-policy_module(tgtd, 1.6.0)
+policy_module(tgtd, 1.6.1)
########################################
#
diff --git a/policy/modules/contrib/tmpreaper.te b/policy/modules/contrib/tmpreaper.te
index f96e6242..f6fad636 100644
--- a/policy/modules/contrib/tmpreaper.te
+++ b/policy/modules/contrib/tmpreaper.te
@@ -1,4 +1,4 @@
-policy_module(tmpreaper, 1.8.0)
+policy_module(tmpreaper, 1.8.1)
########################################
#
diff --git a/policy/modules/contrib/transproxy.te b/policy/modules/contrib/transproxy.te
index 61b6f5cb..2e7c2f7e 100644
--- a/policy/modules/contrib/transproxy.te
+++ b/policy/modules/contrib/transproxy.te
@@ -1,4 +1,4 @@
-policy_module(transproxy, 1.10.0)
+policy_module(transproxy, 1.10.1)
########################################
#
diff --git a/policy/modules/contrib/tripwire.te b/policy/modules/contrib/tripwire.te
index 47dc24b3..0a098f30 100644
--- a/policy/modules/contrib/tripwire.te
+++ b/policy/modules/contrib/tripwire.te
@@ -1,4 +1,4 @@
-policy_module(tripwire, 1.3.0)
+policy_module(tripwire, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/tuned.te b/policy/modules/contrib/tuned.te
index ba1e1471..5aef872b 100644
--- a/policy/modules/contrib/tuned.te
+++ b/policy/modules/contrib/tuned.te
@@ -1,4 +1,4 @@
-policy_module(tuned, 1.4.0)
+policy_module(tuned, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/tzdata.te b/policy/modules/contrib/tzdata.te
index 221c43b8..55656375 100644
--- a/policy/modules/contrib/tzdata.te
+++ b/policy/modules/contrib/tzdata.te
@@ -1,4 +1,4 @@
-policy_module(tzdata, 1.5.0)
+policy_module(tzdata, 1.5.1)
########################################
#
diff --git a/policy/modules/contrib/ulogd.te b/policy/modules/contrib/ulogd.te
index 50beee26..d2ac9c3c 100644
--- a/policy/modules/contrib/ulogd.te
+++ b/policy/modules/contrib/ulogd.te
@@ -1,4 +1,4 @@
-policy_module(ulogd, 1.4.0)
+policy_module(ulogd, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/updfstab.te b/policy/modules/contrib/updfstab.te
index 02754be8..735a3cc2 100644
--- a/policy/modules/contrib/updfstab.te
+++ b/policy/modules/contrib/updfstab.te
@@ -1,4 +1,4 @@
-policy_module(updfstab, 1.6.1)
+policy_module(updfstab, 1.6.2)
########################################
#
diff --git a/policy/modules/contrib/uptime.te b/policy/modules/contrib/uptime.te
index 79c6c8ed..8130870c 100644
--- a/policy/modules/contrib/uptime.te
+++ b/policy/modules/contrib/uptime.te
@@ -1,4 +1,4 @@
-policy_module(uptime, 1.8.0)
+policy_module(uptime, 1.8.1)
########################################
#
diff --git a/policy/modules/contrib/usbmodules.te b/policy/modules/contrib/usbmodules.te
index d4307b9d..84312dd4 100644
--- a/policy/modules/contrib/usbmodules.te
+++ b/policy/modules/contrib/usbmodules.te
@@ -1,4 +1,4 @@
-policy_module(usbmodules, 1.3.1)
+policy_module(usbmodules, 1.3.2)
########################################
#
diff --git a/policy/modules/contrib/usbmuxd.te b/policy/modules/contrib/usbmuxd.te
index a1d498e6..77f7a7e6 100644
--- a/policy/modules/contrib/usbmuxd.te
+++ b/policy/modules/contrib/usbmuxd.te
@@ -1,4 +1,4 @@
-policy_module(usbmuxd, 1.3.0)
+policy_module(usbmuxd, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/userhelper.te b/policy/modules/contrib/userhelper.te
index 9c7ac268..d620c666 100644
--- a/policy/modules/contrib/userhelper.te
+++ b/policy/modules/contrib/userhelper.te
@@ -1,4 +1,4 @@
-policy_module(userhelper, 1.10.0)
+policy_module(userhelper, 1.10.1)
########################################
#
diff --git a/policy/modules/contrib/usernetctl.te b/policy/modules/contrib/usernetctl.te
index 1c8b8dfd..3a4d5caa 100644
--- a/policy/modules/contrib/usernetctl.te
+++ b/policy/modules/contrib/usernetctl.te
@@ -1,4 +1,4 @@
-policy_module(usernetctl, 1.7.1)
+policy_module(usernetctl, 1.7.2)
########################################
#
diff --git a/policy/modules/contrib/uucp.te b/policy/modules/contrib/uucp.te
index d44d025f..7547ba14 100644
--- a/policy/modules/contrib/uucp.te
+++ b/policy/modules/contrib/uucp.te
@@ -1,4 +1,4 @@
-policy_module(uucp, 1.14.0)
+policy_module(uucp, 1.14.1)
########################################
#
diff --git a/policy/modules/contrib/uuidd.te b/policy/modules/contrib/uuidd.te
index 176ae298..fc83244f 100644
--- a/policy/modules/contrib/uuidd.te
+++ b/policy/modules/contrib/uuidd.te
@@ -1,4 +1,4 @@
-policy_module(uuidd, 1.3.0)
+policy_module(uuidd, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/varnishd.te b/policy/modules/contrib/varnishd.te
index b36f69ca..bc464524 100644
--- a/policy/modules/contrib/varnishd.te
+++ b/policy/modules/contrib/varnishd.te
@@ -1,4 +1,4 @@
-policy_module(varnishd, 1.5.0)
+policy_module(varnishd, 1.5.1)
########################################
#
diff --git a/policy/modules/contrib/vbetool.te b/policy/modules/contrib/vbetool.te
index 09980a08..ed76f796 100644
--- a/policy/modules/contrib/vbetool.te
+++ b/policy/modules/contrib/vbetool.te
@@ -1,4 +1,4 @@
-policy_module(vbetool, 1.7.0)
+policy_module(vbetool, 1.7.1)
########################################
#
diff --git a/policy/modules/contrib/vdagent.te b/policy/modules/contrib/vdagent.te
index 4ceabe08..dca28b43 100644
--- a/policy/modules/contrib/vdagent.te
+++ b/policy/modules/contrib/vdagent.te
@@ -1,4 +1,4 @@
-policy_module(vdagent, 1.4.0)
+policy_module(vdagent, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/vhostmd.te b/policy/modules/contrib/vhostmd.te
index f6636a99..8720c22f 100644
--- a/policy/modules/contrib/vhostmd.te
+++ b/policy/modules/contrib/vhostmd.te
@@ -1,4 +1,4 @@
-policy_module(vhostmd, 1.3.0)
+policy_module(vhostmd, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index eb72843f..4fb34894 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1,4 +1,4 @@
-policy_module(virt, 1.11.0)
+policy_module(virt, 1.11.1)
########################################
#
diff --git a/policy/modules/contrib/vlock.te b/policy/modules/contrib/vlock.te
index 3ef60af7..4e49bd9c 100644
--- a/policy/modules/contrib/vlock.te
+++ b/policy/modules/contrib/vlock.te
@@ -1,4 +1,4 @@
-policy_module(vlock, 1.2.1)
+policy_module(vlock, 1.2.2)
########################################
#
diff --git a/policy/modules/contrib/vmware.te b/policy/modules/contrib/vmware.te
index a4346aad..2332cc12 100644
--- a/policy/modules/contrib/vmware.te
+++ b/policy/modules/contrib/vmware.te
@@ -1,4 +1,4 @@
-policy_module(vmware, 2.8.1)
+policy_module(vmware, 2.8.2)
########################################
#
diff --git a/policy/modules/contrib/vnstatd.te b/policy/modules/contrib/vnstatd.te
index ee8ae063..1170dc37 100644
--- a/policy/modules/contrib/vnstatd.te
+++ b/policy/modules/contrib/vnstatd.te
@@ -1,4 +1,4 @@
-policy_module(vnstatd, 1.3.2)
+policy_module(vnstatd, 1.3.3)
########################################
#
diff --git a/policy/modules/contrib/vpn.te b/policy/modules/contrib/vpn.te
index 10fb1013..a6769a65 100644
--- a/policy/modules/contrib/vpn.te
+++ b/policy/modules/contrib/vpn.te
@@ -1,4 +1,4 @@
-policy_module(vpn, 1.17.1)
+policy_module(vpn, 1.17.2)
########################################
#
diff --git a/policy/modules/contrib/watchdog.te b/policy/modules/contrib/watchdog.te
index bac0a747..c58a46bc 100644
--- a/policy/modules/contrib/watchdog.te
+++ b/policy/modules/contrib/watchdog.te
@@ -1,4 +1,4 @@
-policy_module(watchdog, 1.12.0)
+policy_module(watchdog, 1.12.1)
#################################
#
diff --git a/policy/modules/contrib/wdmd.te b/policy/modules/contrib/wdmd.te
index 24c3802e..03351241 100644
--- a/policy/modules/contrib/wdmd.te
+++ b/policy/modules/contrib/wdmd.te
@@ -1,4 +1,4 @@
-policy_module(wdmd, 1.3.0)
+policy_module(wdmd, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/xen.te b/policy/modules/contrib/xen.te
index 0d680116..5886a0c2 100644
--- a/policy/modules/contrib/xen.te
+++ b/policy/modules/contrib/xen.te
@@ -1,4 +1,4 @@
-policy_module(xen, 1.15.1)
+policy_module(xen, 1.15.2)
########################################
#
diff --git a/policy/modules/contrib/zabbix.te b/policy/modules/contrib/zabbix.te
index a021b743..3f45497a 100644
--- a/policy/modules/contrib/zabbix.te
+++ b/policy/modules/contrib/zabbix.te
@@ -1,4 +1,4 @@
-policy_module(zabbix, 1.10.0)
+policy_module(zabbix, 1.10.1)
########################################
#
diff --git a/policy/modules/contrib/zebra.te b/policy/modules/contrib/zebra.te
index bfc2d21d..25e66cae 100644
--- a/policy/modules/contrib/zebra.te
+++ b/policy/modules/contrib/zebra.te
@@ -1,4 +1,4 @@
-policy_module(zebra, 1.15.0)
+policy_module(zebra, 1.15.1)
########################################
#
diff --git a/policy/modules/contrib/zosremote.te b/policy/modules/contrib/zosremote.te
index 7139cde4..67ea8925 100644
--- a/policy/modules/contrib/zosremote.te
+++ b/policy/modules/contrib/zosremote.te
@@ -1,4 +1,4 @@
-policy_module(zosremote, 1.2.1)
+policy_module(zosremote, 1.2.2)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-05-07 16:09 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-05-07 16:09 UTC (permalink / raw
To: gentoo-commits
commit: d4c00f71309403b77db1cdf60a1da0de877d7b30
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Sat Apr 29 18:17:53 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun May 7 15:54:42 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d4c00f71
loadkeys: use init fds (system bootup)
Update the loadkeys module so that it can use init file descriptors (to
print out messages during boot).
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/loadkeys.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/contrib/loadkeys.te b/policy/modules/contrib/loadkeys.te
index d99a28bf..dcde3ffe 100644
--- a/policy/modules/contrib/loadkeys.te
+++ b/policy/modules/contrib/loadkeys.te
@@ -23,6 +23,8 @@ allow loadkeys_t self:unix_stream_socket { connect create };
kernel_read_system_state(loadkeys_t)
+init_use_fds(loadkeys_t)
+
corecmd_exec_bin(loadkeys_t)
corecmd_exec_shell(loadkeys_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-05-07 16:09 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-05-07 16:09 UTC (permalink / raw
To: gentoo-commits
commit: ec9d897b9e69d1ba90b25c871b12bd72ae6f3b31
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Mon May 1 22:44:21 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun May 7 15:54:42 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ec9d897b
Module version bump for minor fixes from Guido Trentalancia.
policy/modules/contrib/evolution.te | 2 +-
policy/modules/contrib/java.te | 2 +-
policy/modules/contrib/loadkeys.te | 2 +-
policy/modules/contrib/plymouthd.te | 2 +-
policy/modules/contrib/shutdown.te | 2 +-
5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/policy/modules/contrib/evolution.te b/policy/modules/contrib/evolution.te
index c30623de..f97985e1 100644
--- a/policy/modules/contrib/evolution.te
+++ b/policy/modules/contrib/evolution.te
@@ -1,4 +1,4 @@
-policy_module(evolution, 2.6.2)
+policy_module(evolution, 2.6.3)
########################################
#
diff --git a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te
index 96494b16..9c5c7f2c 100644
--- a/policy/modules/contrib/java.te
+++ b/policy/modules/contrib/java.te
@@ -1,4 +1,4 @@
-policy_module(java, 2.9.2)
+policy_module(java, 2.9.3)
########################################
#
diff --git a/policy/modules/contrib/loadkeys.te b/policy/modules/contrib/loadkeys.te
index dcde3ffe..ce63f0ee 100644
--- a/policy/modules/contrib/loadkeys.te
+++ b/policy/modules/contrib/loadkeys.te
@@ -1,4 +1,4 @@
-policy_module(loadkeys, 1.11.2)
+policy_module(loadkeys, 1.11.3)
########################################
#
diff --git a/policy/modules/contrib/plymouthd.te b/policy/modules/contrib/plymouthd.te
index c9c04040..6c73283c 100644
--- a/policy/modules/contrib/plymouthd.te
+++ b/policy/modules/contrib/plymouthd.te
@@ -1,4 +1,4 @@
-policy_module(plymouthd, 1.4.1)
+policy_module(plymouthd, 1.4.2)
########################################
#
diff --git a/policy/modules/contrib/shutdown.te b/policy/modules/contrib/shutdown.te
index 4a2b3510..0e38114a 100644
--- a/policy/modules/contrib/shutdown.te
+++ b/policy/modules/contrib/shutdown.te
@@ -1,4 +1,4 @@
-policy_module(shutdown, 1.4.1)
+policy_module(shutdown, 1.4.2)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-04-30 14:20 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-04-30 14:20 UTC (permalink / raw
To: gentoo-commits
commit: 9f8cb24323e7357725e97e57caa71920e398ea6b
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Apr 26 22:02:08 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 14:17:45 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9f8cb243
some little misc things from Russell Coker.
This patch allows setfiles to use file handles inherited from apt (for dpkg
postinst scripts), adds those rsync permissions that were rejected previously
due to not using interfaces, allows fsadm_t to stat /run/mount/utab, and
allows system_cronjob_t some access it requires (including net_admin for
when it runs utilities that set buffers).
policy/modules/contrib/apt.if | 20 ++++++++++++++++++++
policy/modules/contrib/apt.te | 2 +-
policy/modules/contrib/cron.te | 25 +++++++++++++++++++++----
policy/modules/contrib/mrtg.if | 18 ++++++++++++++++++
policy/modules/contrib/mrtg.te | 2 +-
policy/modules/contrib/rsync.te | 4 +++-
6 files changed, 64 insertions(+), 7 deletions(-)
diff --git a/policy/modules/contrib/apt.if b/policy/modules/contrib/apt.if
index 0a1bc49f..568aa97d 100644
--- a/policy/modules/contrib/apt.if
+++ b/policy/modules/contrib/apt.if
@@ -176,6 +176,26 @@ interface(`apt_read_cache',`
########################################
## <summary>
+## Create, read, write, and delete apt package cache content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apt_manage_cache',`
+ gen_require(`
+ type apt_var_cache_t;
+ ')
+
+ files_search_var($1)
+ allow $1 apt_var_cache_t:dir manage_dir_perms;
+ allow $1 apt_var_cache_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
## Read apt package database content.
## </summary>
## <param name="domain">
diff --git a/policy/modules/contrib/apt.te b/policy/modules/contrib/apt.te
index 05197c4c..dc6f09b1 100644
--- a/policy/modules/contrib/apt.te
+++ b/policy/modules/contrib/apt.te
@@ -1,4 +1,4 @@
-policy_module(apt, 1.10.1)
+policy_module(apt, 1.10.2)
########################################
#
diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te
index 5cb7dac1..15e6bdb4 100644
--- a/policy/modules/contrib/cron.te
+++ b/policy/modules/contrib/cron.te
@@ -1,4 +1,4 @@
-policy_module(cron, 2.11.3)
+policy_module(cron, 2.11.4)
gen_require(`
class passwd rootok;
@@ -338,6 +338,13 @@ ifdef(`distro_debian',`
allow crond_t self:process setrlimit;
optional_policy(`
+ apt_manage_cache(system_cronjob_t)
+ apt_read_db(system_cronjob_t)
+
+ dpkg_manage_db(system_cronjob_t)
+ ')
+
+ optional_policy(`
logwatch_search_cache_dir(crond_t)
')
')
@@ -429,6 +436,7 @@ optional_policy(`
systemd_write_inherited_logind_sessions_pipes(system_cronjob_t)
# so cron jobs can restart daemons
init_stream_connect(system_cronjob_t)
+ init_manage_script_service(system_cronjob_t)
')
optional_policy(`
@@ -440,7 +448,7 @@ optional_policy(`
# System local policy
#
-allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_bind_service setgid setuid sys_nice };
+allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_admin net_bind_service setgid setuid sys_nice };
allow system_cronjob_t self:process { signal_perms getsched setsched };
allow system_cronjob_t self:fd use;
allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
@@ -461,10 +469,11 @@ allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
allow system_cronjob_t system_cronjob_lock_t:lnk_file manage_lnk_file_perms;
files_lock_filetrans(system_cronjob_t, system_cronjob_lock_t, { file lnk_file })
+manage_dirs_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
manage_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
-files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
+files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, { file dir })
manage_files_pattern(system_cronjob_t, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
@@ -475,7 +484,7 @@ allow system_cronjob_t crond_t:process sigchld;
allow system_cronjob_t cron_spool_t:dir list_dir_perms;
allow system_cronjob_t cron_spool_t:file rw_file_perms;
-allow system_cronjob_t crond_tmp_t:file { read write };
+allow system_cronjob_t crond_tmp_t:file rw_inherited_file_perms;
kernel_read_kernel_sysctls(system_cronjob_t)
kernel_read_network_state(system_cronjob_t)
@@ -560,10 +569,15 @@ tunable_policy(`cron_can_relabel',`
')
optional_policy(`
+ acct_manage_data(system_cronjob_t)
+')
+
+optional_policy(`
apache_exec_modules(system_cronjob_t)
apache_read_config(system_cronjob_t)
apache_read_log(system_cronjob_t)
apache_read_sys_content(system_cronjob_t)
+ apache_delete_lib_files(system_cronjob_t)
')
optional_policy(`
@@ -607,6 +621,7 @@ optional_policy(`
optional_policy(`
mrtg_append_create_logs(system_cronjob_t)
+ mrtg_read_config(system_cronjob_t)
')
optional_policy(`
@@ -649,6 +664,8 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
allow cronjob_t self:unix_dgram_socket create_socket_perms;
+allow cronjob_t crond_tmp_t:file rw_inherited_file_perms;
+
kernel_read_system_state(cronjob_t)
kernel_read_kernel_sysctls(cronjob_t)
diff --git a/policy/modules/contrib/mrtg.if b/policy/modules/contrib/mrtg.if
index 0a71bd89..b25b0894 100644
--- a/policy/modules/contrib/mrtg.if
+++ b/policy/modules/contrib/mrtg.if
@@ -2,6 +2,24 @@
########################################
## <summary>
+## Read mrtg configuration
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mrtg_read_config',`
+ gen_require(`
+ type mrtg_etc_t;
+ ')
+
+ allow $1 mrtg_etc_t:file read_file_perms;
+')
+
+########################################
+## <summary>
## Create and append mrtg log files.
## </summary>
## <param name="domain">
diff --git a/policy/modules/contrib/mrtg.te b/policy/modules/contrib/mrtg.te
index 5126d9d5..96d48f37 100644
--- a/policy/modules/contrib/mrtg.te
+++ b/policy/modules/contrib/mrtg.te
@@ -1,4 +1,4 @@
-policy_module(mrtg, 1.11.0)
+policy_module(mrtg, 1.11.1)
########################################
#
diff --git a/policy/modules/contrib/rsync.te b/policy/modules/contrib/rsync.te
index 2fce98b0..11c7041a 100644
--- a/policy/modules/contrib/rsync.te
+++ b/policy/modules/contrib/rsync.te
@@ -1,4 +1,4 @@
-policy_module(rsync, 1.15.0)
+policy_module(rsync, 1.15.1)
########################################
#
@@ -123,6 +123,8 @@ dev_read_urand(rsync_t)
fs_getattr_all_fs(rsync_t)
fs_search_auto_mountpoints(rsync_t)
+files_getattr_all_pipes(rsync_t)
+files_getattr_all_sockets(rsync_t)
files_search_home(rsync_t)
auth_can_read_shadow_passwords(rsync_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-04-30 14:20 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-04-30 14:20 UTC (permalink / raw
To: gentoo-commits
commit: e65bf897dd026493e6fa44cfb05df48577654c40
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Apr 26 10:35:47 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 14:17:45 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e65bf897
Rename apm to acpi from Russell Coker.
This patch is slightly more involved than just running sed. It also adds
typealias rules and doesn't change the FC entries.
The /dev/apm_bios device doesn't exist on modern systems. I have left that
policy in for the moment on the principle of making one change per patch. But
I might send another patch to remove that as it won't exist with modern
kernels.
policy/modules/contrib/acpi.fc | 21 +++
policy/modules/contrib/{apm.if => acpi.if} | 70 ++++----
policy/modules/contrib/acpi.te | 247 +++++++++++++++++++++++++++++
policy/modules/contrib/apm.fc | 21 ---
policy/modules/contrib/apm.te | 236 ---------------------------
policy/modules/contrib/cups.te | 2 +-
policy/modules/contrib/hal.te | 2 +-
7 files changed, 305 insertions(+), 294 deletions(-)
diff --git a/policy/modules/contrib/acpi.fc b/policy/modules/contrib/acpi.fc
new file mode 100644
index 00000000..bfbe255b
--- /dev/null
+++ b/policy/modules/contrib/acpi.fc
@@ -0,0 +1,21 @@
+/etc/rc\.d/init\.d/acpid -- gen_context(system_u:object_r:acpid_initrc_exec_t,s0)
+
+/usr/bin/apm -- gen_context(system_u:object_r:acpi_exec_t,s0)
+
+/usr/lib/systemd/system/apmd.*\.service -- gen_context(system_u:object_r:acpid_unit_t,s0)
+
+/usr/sbin/acpid -- gen_context(system_u:object_r:acpid_exec_t,s0)
+/usr/sbin/apmd -- gen_context(system_u:object_r:acpid_exec_t,s0)
+/usr/sbin/powersaved -- gen_context(system_u:object_r:acpid_exec_t,s0)
+
+/var/lock/subsys/acpid -- gen_context(system_u:object_r:acpid_lock_t,s0)
+
+/var/log/acpid.* -- gen_context(system_u:object_r:acpid_log_t,s0)
+
+/run/\.?acpid\.socket -s gen_context(system_u:object_r:acpid_var_run_t,s0)
+/run/acpid\.pid -- gen_context(system_u:object_r:acpid_var_run_t,s0)
+/run/apmd\.pid -- gen_context(system_u:object_r:acpid_var_run_t,s0)
+/run/powersaved\.pid -- gen_context(system_u:object_r:acpid_var_run_t,s0)
+/run/powersave_socket -s gen_context(system_u:object_r:acpid_var_run_t,s0)
+
+/var/lib/acpi(/.*)? gen_context(system_u:object_r:acpid_var_lib_t,s0)
diff --git a/policy/modules/contrib/apm.if b/policy/modules/contrib/acpi.if
similarity index 65%
rename from policy/modules/contrib/apm.if
rename to policy/modules/contrib/acpi.if
index cbf60b55..109b644e 100644
--- a/policy/modules/contrib/apm.if
+++ b/policy/modules/contrib/acpi.if
@@ -10,13 +10,13 @@
## </summary>
## </param>
#
-interface(`apm_domtrans_client',`
+interface(`acpi_domtrans_client',`
gen_require(`
- type apm_t, apm_exec_t;
+ type acpi_t, acpi_exec_t;
')
corecmd_search_bin($1)
- domtrans_pattern($1, apm_exec_t, apm_t)
+ domtrans_pattern($1, acpi_exec_t, acpi_t)
')
########################################
@@ -36,13 +36,13 @@ interface(`apm_domtrans_client',`
## </summary>
## </param>
#
-interface(`apm_run_client',`
+interface(`acpi_run_client',`
gen_require(`
- attribute_role apm_roles;
+ attribute_role acpi_roles;
')
- apm_domtrans_client($1)
- roleattribute $2 apm_roles;
+ acpi_domtrans_client($1)
+ roleattribute $2 acpi_roles;
')
########################################
@@ -55,12 +55,12 @@ interface(`apm_run_client',`
## </summary>
## </param>
#
-interface(`apm_use_fds',`
+interface(`acpi_use_fds',`
gen_require(`
- type apmd_t;
+ type acpid_t;
')
- allow $1 apmd_t:fd use;
+ allow $1 acpid_t:fd use;
')
########################################
@@ -73,12 +73,12 @@ interface(`apm_use_fds',`
## </summary>
## </param>
#
-interface(`apm_write_pipes',`
+interface(`acpi_write_pipes',`
gen_require(`
- type apmd_t;
+ type acpid_t;
')
- allow $1 apmd_t:fifo_file write;
+ allow $1 acpid_t:fifo_file write;
')
########################################
@@ -92,12 +92,12 @@ interface(`apm_write_pipes',`
## </summary>
## </param>
#
-interface(`apm_rw_stream_sockets',`
+interface(`acpi_rw_stream_sockets',`
gen_require(`
- type apmd_t;
+ type acpid_t;
')
- allow $1 apmd_t:unix_stream_socket { read write };
+ allow $1 acpid_t:unix_stream_socket { read write };
')
########################################
@@ -110,13 +110,13 @@ interface(`apm_rw_stream_sockets',`
## </summary>
## </param>
#
-interface(`apm_append_log',`
+interface(`acpi_append_log',`
gen_require(`
- type apmd_log_t;
+ type acpid_log_t;
')
logging_search_logs($1)
- allow $1 apmd_log_t:file append_file_perms;
+ allow $1 acpid_log_t:file append_file_perms;
')
########################################
@@ -130,13 +130,13 @@ interface(`apm_append_log',`
## </summary>
## </param>
#
-interface(`apm_stream_connect',`
+interface(`acpi_stream_connect',`
gen_require(`
- type apmd_t, apmd_var_run_t;
+ type acpid_t, acpid_var_run_t;
')
files_search_pids($1)
- stream_connect_pattern($1, apmd_var_run_t, apmd_var_run_t, apmd_t)
+ stream_connect_pattern($1, acpid_var_run_t, acpid_var_run_t, acpid_t)
')
########################################
@@ -156,32 +156,32 @@ interface(`apm_stream_connect',`
## </param>
## <rolecap/>
#
-interface(`apm_admin',`
+interface(`acpi_admin',`
gen_require(`
- type apmd_t, apmd_initrc_exec_t, apmd_log_t;
- type apmd_lock_t, apmd_var_run_t, apmd_var_lib_t;
- type apmd_tmp_t;
+ type acpid_t, acpid_initrc_exec_t, acpid_log_t;
+ type acpid_lock_t, acpid_var_run_t, acpid_var_lib_t;
+ type acpid_tmp_t;
')
- allow $1 apmd_t:process { ptrace signal_perms };
- ps_process_pattern($1, apmd_t)
+ allow $1 acpid_t:process { ptrace signal_perms };
+ ps_process_pattern($1, acpid_t)
- init_startstop_service($1, $2, apmd_t, apmd_initrc_exec_t)
+ init_startstop_service($1, $2, acpid_t, acpid_initrc_exec_t)
logging_search_logs($1)
- admin_pattern($1, apmd_log_t)
+ admin_pattern($1, acpid_log_t)
files_search_locks($1)
- admin_pattern($1, apmd_lock_t)
+ admin_pattern($1, acpid_lock_t)
files_search_pids($1)
- admin_pattern($1, apmd_var_run_t)
+ admin_pattern($1, acpid_var_run_t)
files_search_var_lib($1)
- admin_pattern($1, apmd_var_lib_t)
+ admin_pattern($1, acpid_var_lib_t)
files_search_tmp($1)
- admin_pattern($1, apmd_tmp_t)
+ admin_pattern($1, acpid_tmp_t)
- apm_run_client($1, $2)
+ acpi_run_client($1, $2)
')
diff --git a/policy/modules/contrib/acpi.te b/policy/modules/contrib/acpi.te
new file mode 100644
index 00000000..0cd3d884
--- /dev/null
+++ b/policy/modules/contrib/acpi.te
@@ -0,0 +1,247 @@
+policy_module(acpi, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role acpi_roles;
+roleattribute system_r acpi_roles;
+
+type acpid_t;
+type acpid_exec_t;
+typealias acpid_t alias apmd_t;
+typealias acpid_exec_t alias apmd_exec_t;
+init_daemon_domain(acpid_t, acpid_exec_t)
+
+type acpid_initrc_exec_t;
+typealias acpid_initrc_exec_t alias apmd_initrc_exec_t;
+init_script_file(acpid_initrc_exec_t)
+
+type acpi_t;
+type acpi_exec_t;
+typealias acpi_t alias apm_t;
+typealias acpi_exec_t alias apm_exec_t;
+application_domain(acpi_t, acpi_exec_t)
+role acpi_roles types acpi_t;
+
+type acpid_lock_t;
+typealias acpid_lock_t alias apmd_lock_t;
+files_lock_file(acpid_lock_t)
+
+type acpid_log_t;
+typealias acpid_log_t alias apmd_log_t;
+logging_log_file(acpid_log_t)
+
+type acpid_tmp_t;
+typealias acpid_tmp_t alias apmd_tmp_t;
+files_tmp_file(acpid_tmp_t)
+
+type acpid_unit_t;
+typealias acpid_unit_t alias apmd_unit_t;
+init_unit_file(acpid_unit_t)
+
+type acpid_var_lib_t;
+typealias acpid_var_lib_t alias apmd_var_lib_t;
+files_type(acpid_var_lib_t)
+
+type acpid_var_run_t;
+typealias acpid_var_run_t alias apmd_var_run_t;
+files_pid_file(acpid_var_run_t)
+
+########################################
+#
+# Client local policy
+#
+
+allow acpi_t self:capability { dac_override sys_admin };
+
+kernel_read_system_state(acpi_t)
+
+dev_rw_acpi_bios(acpi_t)
+
+fs_getattr_xattr_fs(acpi_t)
+
+term_use_all_terms(acpi_t)
+
+domain_use_interactive_fds(acpi_t)
+
+logging_send_syslog_msg(acpi_t)
+
+########################################
+#
+# Server local policy
+#
+
+allow acpid_t self:capability { kill mknod sys_admin sys_nice sys_time };
+dontaudit acpid_t self:capability { dac_override dac_read_search setuid sys_ptrace sys_tty_config };
+allow acpid_t self:process { signal_perms getsession };
+allow acpid_t self:fifo_file rw_fifo_file_perms;
+allow acpid_t self:netlink_socket create_socket_perms;
+allow acpid_t self:netlink_generic_socket create_socket_perms;
+allow acpid_t self:unix_stream_socket { accept listen };
+
+allow acpid_t acpid_lock_t:file manage_file_perms;
+files_lock_filetrans(acpid_t, acpid_lock_t, file)
+
+allow acpid_t acpid_log_t:file manage_file_perms;
+logging_log_filetrans(acpid_t, acpid_log_t, file)
+
+manage_dirs_pattern(acpid_t, acpid_tmp_t, acpid_tmp_t)
+manage_files_pattern(acpid_t, acpid_tmp_t, acpid_tmp_t)
+files_tmp_filetrans(acpid_t, acpid_tmp_t, { file dir })
+
+manage_dirs_pattern(acpid_t, acpid_var_lib_t, acpid_var_lib_t)
+manage_files_pattern(acpid_t, acpid_var_lib_t, acpid_var_lib_t)
+files_var_lib_filetrans(acpid_t, acpid_var_lib_t, dir)
+
+manage_files_pattern(acpid_t, acpid_var_run_t, acpid_var_run_t)
+manage_sock_files_pattern(acpid_t, acpid_var_run_t, acpid_var_run_t)
+files_pid_filetrans(acpid_t, acpid_var_run_t, { file sock_file })
+
+can_exec(acpid_t, acpid_var_run_t)
+
+kernel_read_kernel_sysctls(acpid_t)
+kernel_rw_all_sysctls(acpid_t)
+kernel_read_system_state(acpid_t)
+kernel_write_proc_files(acpid_t)
+kernel_request_load_module(acpid_t)
+
+dev_read_input(acpid_t)
+dev_read_mouse(acpid_t)
+dev_read_realtime_clock(acpid_t)
+dev_read_urand(acpid_t)
+dev_rw_acpi_bios(acpid_t)
+dev_rw_sysfs(acpid_t)
+dev_dontaudit_getattr_all_chr_files(acpid_t)
+dev_dontaudit_getattr_all_blk_files(acpid_t)
+
+files_exec_etc_files(acpid_t)
+files_read_etc_runtime_files(acpid_t)
+files_dontaudit_getattr_all_files(acpid_t)
+files_dontaudit_getattr_all_symlinks(acpid_t)
+files_dontaudit_getattr_all_pipes(acpid_t)
+files_dontaudit_getattr_all_sockets(acpid_t)
+
+fs_dontaudit_list_tmpfs(acpid_t)
+fs_getattr_all_fs(acpid_t)
+fs_search_auto_mountpoints(acpid_t)
+fs_dontaudit_getattr_all_files(acpid_t)
+fs_dontaudit_getattr_all_symlinks(acpid_t)
+fs_dontaudit_getattr_all_pipes(acpid_t)
+fs_dontaudit_getattr_all_sockets(acpid_t)
+
+selinux_search_fs(acpid_t)
+
+corecmd_exec_all_executables(acpid_t)
+
+domain_read_all_domains_state(acpid_t)
+domain_dontaudit_ptrace_all_domains(acpid_t)
+domain_use_interactive_fds(acpid_t)
+domain_dontaudit_getattr_all_sockets(acpid_t)
+domain_dontaudit_getattr_all_key_sockets(acpid_t)
+domain_dontaudit_list_all_domains_state(acpid_t)
+
+auth_use_nsswitch(acpid_t)
+
+init_domtrans_script(acpid_t)
+
+libs_exec_ld_so(acpid_t)
+libs_exec_lib_files(acpid_t)
+
+logging_send_audit_msgs(acpid_t)
+logging_send_syslog_msg(acpid_t)
+
+miscfiles_read_localization(acpid_t)
+miscfiles_read_hwdata(acpid_t)
+
+modutils_domtrans(acpid_t)
+modutils_read_module_config(acpid_t)
+
+seutil_dontaudit_read_config(acpid_t)
+
+userdom_dontaudit_use_unpriv_user_fds(acpid_t)
+userdom_dontaudit_search_user_home_dirs(acpid_t)
+userdom_dontaudit_search_user_home_content(acpid_t)
+
+optional_policy(`
+ automount_domtrans(acpid_t)
+')
+
+optional_policy(`
+ clock_domtrans(acpid_t)
+ clock_rw_adjtime(acpid_t)
+')
+
+optional_policy(`
+ cron_system_entry(acpid_t, acpid_exec_t)
+ cron_anacron_domtrans_system_job(acpid_t)
+')
+
+optional_policy(`
+ devicekit_manage_pid_files(acpid_t)
+ devicekit_manage_log_files(acpid_t)
+ devicekit_relabel_log_files(acpid_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(acpid_t)
+
+ optional_policy(`
+ consolekit_dbus_chat(acpid_t)
+ ')
+
+ optional_policy(`
+ networkmanager_dbus_chat(acpid_t)
+ ')
+')
+
+optional_policy(`
+ fstools_domtrans(acpid_t)
+')
+
+optional_policy(`
+ iptables_domtrans(acpid_t)
+')
+
+optional_policy(`
+ logrotate_use_fds(acpid_t)
+')
+
+optional_policy(`
+ mta_send_mail(acpid_t)
+')
+
+optional_policy(`
+ netutils_domtrans(acpid_t)
+')
+
+optional_policy(`
+ pcmcia_domtrans_cardmgr(acpid_t)
+ pcmcia_domtrans_cardctl(acpid_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(acpid_t)
+')
+
+optional_policy(`
+ shutdown_domtrans(acpid_t)
+')
+
+optional_policy(`
+ sysnet_domtrans_ifconfig(acpid_t)
+')
+
+optional_policy(`
+ udev_read_db(acpid_t)
+ udev_read_state(acpid_t)
+')
+
+optional_policy(`
+ vbetool_domtrans(acpid_t)
+')
+
+optional_policy(`
+ xserver_domtrans(acpid_t)
+')
diff --git a/policy/modules/contrib/apm.fc b/policy/modules/contrib/apm.fc
deleted file mode 100644
index bfa60ae0..00000000
--- a/policy/modules/contrib/apm.fc
+++ /dev/null
@@ -1,21 +0,0 @@
-/etc/rc\.d/init\.d/acpid -- gen_context(system_u:object_r:apmd_initrc_exec_t,s0)
-
-/usr/bin/apm -- gen_context(system_u:object_r:apm_exec_t,s0)
-
-/usr/lib/systemd/system/apmd.*\.service -- gen_context(system_u:object_r:apmd_unit_t,s0)
-
-/usr/sbin/acpid -- gen_context(system_u:object_r:apmd_exec_t,s0)
-/usr/sbin/apmd -- gen_context(system_u:object_r:apmd_exec_t,s0)
-/usr/sbin/powersaved -- gen_context(system_u:object_r:apmd_exec_t,s0)
-
-/var/lock/subsys/acpid -- gen_context(system_u:object_r:apmd_lock_t,s0)
-
-/var/log/acpid.* -- gen_context(system_u:object_r:apmd_log_t,s0)
-
-/run/\.?acpid\.socket -s gen_context(system_u:object_r:apmd_var_run_t,s0)
-/run/acpid\.pid -- gen_context(system_u:object_r:apmd_var_run_t,s0)
-/run/apmd\.pid -- gen_context(system_u:object_r:apmd_var_run_t,s0)
-/run/powersaved\.pid -- gen_context(system_u:object_r:apmd_var_run_t,s0)
-/run/powersave_socket -s gen_context(system_u:object_r:apmd_var_run_t,s0)
-
-/var/lib/acpi(/.*)? gen_context(system_u:object_r:apmd_var_lib_t,s0)
diff --git a/policy/modules/contrib/apm.te b/policy/modules/contrib/apm.te
deleted file mode 100644
index 7f41a450..00000000
--- a/policy/modules/contrib/apm.te
+++ /dev/null
@@ -1,236 +0,0 @@
-policy_module(apm, 1.16.1)
-
-########################################
-#
-# Declarations
-#
-
-attribute_role apm_roles;
-roleattribute system_r apm_roles;
-
-type apmd_t;
-type apmd_exec_t;
-init_daemon_domain(apmd_t, apmd_exec_t)
-
-type apmd_initrc_exec_t;
-init_script_file(apmd_initrc_exec_t)
-
-type apm_t;
-type apm_exec_t;
-application_domain(apm_t, apm_exec_t)
-role apm_roles types apm_t;
-
-type apmd_lock_t;
-files_lock_file(apmd_lock_t)
-
-type apmd_log_t;
-logging_log_file(apmd_log_t)
-
-type apmd_tmp_t;
-files_tmp_file(apmd_tmp_t)
-
-type apmd_unit_t;
-init_unit_file(apmd_unit_t)
-
-type apmd_var_lib_t;
-files_type(apmd_var_lib_t)
-
-type apmd_var_run_t;
-files_pid_file(apmd_var_run_t)
-
-########################################
-#
-# Client local policy
-#
-
-allow apm_t self:capability { dac_override sys_admin };
-
-kernel_read_system_state(apm_t)
-
-dev_rw_apm_bios(apm_t)
-
-fs_getattr_xattr_fs(apm_t)
-
-term_use_all_terms(apm_t)
-
-domain_use_interactive_fds(apm_t)
-
-logging_send_syslog_msg(apm_t)
-
-########################################
-#
-# Server local policy
-#
-
-allow apmd_t self:capability { kill mknod sys_admin sys_nice sys_time };
-dontaudit apmd_t self:capability { dac_override dac_read_search setuid sys_ptrace sys_tty_config };
-allow apmd_t self:process { signal_perms getsession };
-allow apmd_t self:fifo_file rw_fifo_file_perms;
-allow apmd_t self:netlink_socket create_socket_perms;
-allow apmd_t self:netlink_generic_socket create_socket_perms;
-allow apmd_t self:unix_stream_socket { accept listen };
-
-allow apmd_t apmd_lock_t:file manage_file_perms;
-files_lock_filetrans(apmd_t, apmd_lock_t, file)
-
-allow apmd_t apmd_log_t:file manage_file_perms;
-logging_log_filetrans(apmd_t, apmd_log_t, file)
-
-manage_dirs_pattern(apmd_t, apmd_tmp_t, apmd_tmp_t)
-manage_files_pattern(apmd_t, apmd_tmp_t, apmd_tmp_t)
-files_tmp_filetrans(apmd_t, apmd_tmp_t, { file dir })
-
-manage_dirs_pattern(apmd_t, apmd_var_lib_t, apmd_var_lib_t)
-manage_files_pattern(apmd_t, apmd_var_lib_t, apmd_var_lib_t)
-files_var_lib_filetrans(apmd_t, apmd_var_lib_t, dir)
-
-manage_files_pattern(apmd_t, apmd_var_run_t, apmd_var_run_t)
-manage_sock_files_pattern(apmd_t, apmd_var_run_t, apmd_var_run_t)
-files_pid_filetrans(apmd_t, apmd_var_run_t, { file sock_file })
-
-can_exec(apmd_t, apmd_var_run_t)
-
-kernel_read_kernel_sysctls(apmd_t)
-kernel_rw_all_sysctls(apmd_t)
-kernel_read_system_state(apmd_t)
-kernel_write_proc_files(apmd_t)
-kernel_request_load_module(apmd_t)
-
-dev_read_input(apmd_t)
-dev_read_mouse(apmd_t)
-dev_read_realtime_clock(apmd_t)
-dev_read_urand(apmd_t)
-dev_rw_apm_bios(apmd_t)
-dev_rw_sysfs(apmd_t)
-dev_dontaudit_getattr_all_chr_files(apmd_t)
-dev_dontaudit_getattr_all_blk_files(apmd_t)
-
-files_exec_etc_files(apmd_t)
-files_read_etc_runtime_files(apmd_t)
-files_dontaudit_getattr_all_files(apmd_t)
-files_dontaudit_getattr_all_symlinks(apmd_t)
-files_dontaudit_getattr_all_pipes(apmd_t)
-files_dontaudit_getattr_all_sockets(apmd_t)
-
-fs_dontaudit_list_tmpfs(apmd_t)
-fs_getattr_all_fs(apmd_t)
-fs_search_auto_mountpoints(apmd_t)
-fs_dontaudit_getattr_all_files(apmd_t)
-fs_dontaudit_getattr_all_symlinks(apmd_t)
-fs_dontaudit_getattr_all_pipes(apmd_t)
-fs_dontaudit_getattr_all_sockets(apmd_t)
-
-selinux_search_fs(apmd_t)
-
-corecmd_exec_all_executables(apmd_t)
-
-domain_read_all_domains_state(apmd_t)
-domain_dontaudit_ptrace_all_domains(apmd_t)
-domain_use_interactive_fds(apmd_t)
-domain_dontaudit_getattr_all_sockets(apmd_t)
-domain_dontaudit_getattr_all_key_sockets(apmd_t)
-domain_dontaudit_list_all_domains_state(apmd_t)
-
-auth_use_nsswitch(apmd_t)
-
-init_domtrans_script(apmd_t)
-
-libs_exec_ld_so(apmd_t)
-libs_exec_lib_files(apmd_t)
-
-logging_send_audit_msgs(apmd_t)
-logging_send_syslog_msg(apmd_t)
-
-miscfiles_read_localization(apmd_t)
-miscfiles_read_hwdata(apmd_t)
-
-modutils_domtrans(apmd_t)
-modutils_read_module_config(apmd_t)
-
-seutil_dontaudit_read_config(apmd_t)
-
-userdom_dontaudit_use_unpriv_user_fds(apmd_t)
-userdom_dontaudit_search_user_home_dirs(apmd_t)
-userdom_dontaudit_search_user_home_content(apmd_t)
-
-optional_policy(`
- automount_domtrans(apmd_t)
-')
-
-optional_policy(`
- clock_domtrans(apmd_t)
- clock_rw_adjtime(apmd_t)
-')
-
-optional_policy(`
- cron_system_entry(apmd_t, apmd_exec_t)
- cron_anacron_domtrans_system_job(apmd_t)
-')
-
-optional_policy(`
- devicekit_manage_pid_files(apmd_t)
- devicekit_manage_log_files(apmd_t)
- devicekit_relabel_log_files(apmd_t)
-')
-
-optional_policy(`
- dbus_system_bus_client(apmd_t)
-
- optional_policy(`
- consolekit_dbus_chat(apmd_t)
- ')
-
- optional_policy(`
- networkmanager_dbus_chat(apmd_t)
- ')
-')
-
-optional_policy(`
- fstools_domtrans(apmd_t)
-')
-
-optional_policy(`
- iptables_domtrans(apmd_t)
-')
-
-optional_policy(`
- logrotate_use_fds(apmd_t)
-')
-
-optional_policy(`
- mta_send_mail(apmd_t)
-')
-
-optional_policy(`
- netutils_domtrans(apmd_t)
-')
-
-optional_policy(`
- pcmcia_domtrans_cardmgr(apmd_t)
- pcmcia_domtrans_cardctl(apmd_t)
-')
-
-optional_policy(`
- seutil_sigchld_newrole(apmd_t)
-')
-
-optional_policy(`
- shutdown_domtrans(apmd_t)
-')
-
-optional_policy(`
- sysnet_domtrans_ifconfig(apmd_t)
-')
-
-optional_policy(`
- udev_read_db(apmd_t)
- udev_read_state(apmd_t)
-')
-
-optional_policy(`
- vbetool_domtrans(apmd_t)
-')
-
-optional_policy(`
- xserver_domtrans(apmd_t)
-')
diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te
index 8fdd713f..3a6c0b92 100644
--- a/policy/modules/contrib/cups.te
+++ b/policy/modules/contrib/cups.te
@@ -273,7 +273,7 @@ userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
userdom_dontaudit_search_user_home_content(cupsd_t)
optional_policy(`
- apm_domtrans_client(cupsd_t)
+ acpi_domtrans_client(cupsd_t)
')
optional_policy(`
diff --git a/policy/modules/contrib/hal.te b/policy/modules/contrib/hal.te
index d260d697..29b473e7 100644
--- a/policy/modules/contrib/hal.te
+++ b/policy/modules/contrib/hal.te
@@ -221,7 +221,7 @@ optional_policy(`
')
optional_policy(`
- apm_stream_connect(hald_t)
+ acpi_stream_connect(hald_t)
')
optional_policy(`
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-04-30 14:20 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-04-30 14:20 UTC (permalink / raw
To: gentoo-commits
commit: 9c13ccfd92d3223dbad2972c7ed90c19f7c1a4ef
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Apr 26 10:38:44 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 14:17:45 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9c13ccfd
Module version bump for patches from Russell Coker.
policy/modules/contrib/cups.te | 2 +-
policy/modules/contrib/dbus.te | 2 +-
policy/modules/contrib/gpg.te | 2 +-
policy/modules/contrib/hal.te | 2 +-
policy/modules/contrib/policykit.te | 2 +-
5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te
index 3a6c0b92..88a73ce4 100644
--- a/policy/modules/contrib/cups.te
+++ b/policy/modules/contrib/cups.te
@@ -1,4 +1,4 @@
-policy_module(cups, 1.21.3)
+policy_module(cups, 1.21.4)
########################################
#
diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index 80ceb9de..ca39fb6b 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -1,4 +1,4 @@
-policy_module(dbus, 1.22.5)
+policy_module(dbus, 1.22.6)
gen_require(`
class dbus all_dbus_perms;
diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index c795f278..c145fb4c 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -1,4 +1,4 @@
-policy_module(gpg, 2.11.0)
+policy_module(gpg, 2.11.1)
########################################
#
diff --git a/policy/modules/contrib/hal.te b/policy/modules/contrib/hal.te
index 29b473e7..997f3e3b 100644
--- a/policy/modules/contrib/hal.te
+++ b/policy/modules/contrib/hal.te
@@ -1,4 +1,4 @@
-policy_module(hal, 1.17.1)
+policy_module(hal, 1.17.2)
########################################
#
diff --git a/policy/modules/contrib/policykit.te b/policy/modules/contrib/policykit.te
index ee6ad3da..fc89a486 100644
--- a/policy/modules/contrib/policykit.te
+++ b/policy/modules/contrib/policykit.te
@@ -1,4 +1,4 @@
-policy_module(policykit, 1.6.1)
+policy_module(policykit, 1.6.2)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-04-30 14:20 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-04-30 14:20 UTC (permalink / raw
To: gentoo-commits
commit: 5c0380690178b590981b61a84253b8ca67452d65
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Apr 29 15:13:24 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 14:17:45 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5c038069
apt/dpkg strict patches from Russell Coker.
The following are needed for correct operation of apt and dpkg on a "strict"
configuration.
policy/modules/contrib/apt.te | 6 ++++--
policy/modules/contrib/dpkg.if | 20 ++++++++++++++++++++
policy/modules/contrib/dpkg.te | 5 ++++-
policy/modules/contrib/mta.te | 7 ++++++-
4 files changed, 34 insertions(+), 4 deletions(-)
diff --git a/policy/modules/contrib/apt.te b/policy/modules/contrib/apt.te
index dc6f09b1..63b93257 100644
--- a/policy/modules/contrib/apt.te
+++ b/policy/modules/contrib/apt.te
@@ -1,4 +1,4 @@
-policy_module(apt, 1.10.2)
+policy_module(apt, 1.10.3)
########################################
#
@@ -39,7 +39,7 @@ logging_log_file(apt_var_log_t)
# Local policy
#
-allow apt_t self:capability { chown dac_override fowner fsetid };
+allow apt_t self:capability { chown dac_override fowner fsetid kill setgid setuid };
allow apt_t self:process { signal setpgid fork };
allow apt_t self:fd use;
allow apt_t self:fifo_file rw_fifo_file_perms;
@@ -69,12 +69,14 @@ manage_sock_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t)
fs_tmpfs_filetrans(apt_t, apt_tmpfs_t, { dir file lnk_file sock_file fifo_file })
manage_files_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)
+manage_dirs_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)
files_var_filetrans(apt_t, apt_var_cache_t, dir)
manage_files_pattern(apt_t, apt_var_lib_t, apt_var_lib_t)
files_var_lib_filetrans(apt_t, apt_var_lib_t, dir)
allow apt_t apt_var_log_t:file manage_file_perms;
+allow apt_t apt_var_log_t:dir manage_dir_perms;
logging_log_filetrans(apt_t, apt_var_log_t, file)
can_exec(apt_t, apt_exec_t)
diff --git a/policy/modules/contrib/dpkg.if b/policy/modules/contrib/dpkg.if
index 081134f2..c753ad62 100644
--- a/policy/modules/contrib/dpkg.if
+++ b/policy/modules/contrib/dpkg.if
@@ -179,6 +179,26 @@ interface(`dpkg_use_script_fds',`
########################################
## <summary>
+## Inherit and use file descriptors
+## from dpkg scripts.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dpkg_script_rw_inherited_pipes',`
+ gen_require(`
+ type dpkg_script_t;
+ ')
+
+ allow $1 dpkg_script_t:fd use;
+ allow $1 dpkg_script_t:fifo_file rw_inherited_file_perms;
+')
+
+########################################
+## <summary>
## Read dpkg package database content.
## </summary>
## <param name="domain">
diff --git a/policy/modules/contrib/dpkg.te b/policy/modules/contrib/dpkg.te
index a91e4896..e781815d 100644
--- a/policy/modules/contrib/dpkg.te
+++ b/policy/modules/contrib/dpkg.te
@@ -1,4 +1,4 @@
-policy_module(dpkg, 1.11.6)
+policy_module(dpkg, 1.11.7)
########################################
#
@@ -42,6 +42,8 @@ role dpkg_roles types dpkg_script_t;
type dpkg_script_tmp_t;
files_tmp_file(dpkg_script_tmp_t)
+# out of order to work around compiler issue
+domain_entry_file(dpkg_script_t, dpkg_script_tmp_t)
type dpkg_script_tmpfs_t;
files_tmpfs_file(dpkg_script_tmpfs_t)
@@ -69,6 +71,7 @@ allow dpkg_t self:msg { send receive };
allow dpkg_t dpkg_lock_t:file manage_file_perms;
spec_domtrans_pattern(dpkg_t, dpkg_var_lib_t, dpkg_script_t)
+spec_domtrans_pattern(dpkg_t, dpkg_script_tmp_t, dpkg_script_t)
manage_dirs_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t)
manage_files_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t)
diff --git a/policy/modules/contrib/mta.te b/policy/modules/contrib/mta.te
index 2baa07c9..caa21fb9 100644
--- a/policy/modules/contrib/mta.te
+++ b/policy/modules/contrib/mta.te
@@ -1,4 +1,4 @@
-policy_module(mta, 2.8.5)
+policy_module(mta, 2.8.6)
########################################
#
@@ -205,6 +205,11 @@ init_rw_stream_sockets(system_mail_t)
userdom_use_user_terminals(system_mail_t)
optional_policy(`
+ apt_use_fds(system_mail_t)
+ apt_use_ptys(system_mail_t)
+')
+
+optional_policy(`
apache_read_squirrelmail_data(system_mail_t)
apache_append_squirrelmail_data(system_mail_t)
apache_dontaudit_append_log(system_mail_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-04-30 14:20 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-04-30 14:20 UTC (permalink / raw
To: gentoo-commits
commit: 937cefe5eb3aaeafe83db33bf1e2222ca37fe327
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Fri Apr 21 00:19:38 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 14:17:44 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=937cefe5
Module version bump for changes from Sven Vermeulen and Guido Trentalancia.
policy/modules/contrib/apache.te | 2 +-
policy/modules/contrib/openoffice.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index 9593175b..e69a6c9a 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -1,4 +1,4 @@
-policy_module(apache, 2.12.4)
+policy_module(apache, 2.12.5)
########################################
#
diff --git a/policy/modules/contrib/openoffice.te b/policy/modules/contrib/openoffice.te
index 58845575..0be66b6f 100644
--- a/policy/modules/contrib/openoffice.te
+++ b/policy/modules/contrib/openoffice.te
@@ -1,4 +1,4 @@
-policy_module(openoffice, 1.1.0)
+policy_module(openoffice, 1.1.1)
##############################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-04-30 14:20 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-04-30 14:20 UTC (permalink / raw
To: gentoo-commits
commit: 97a89021e9da46a60f54655f5f8f0aa2dd8b88cb
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Apr 26 10:25:59 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 14:17:44 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=97a89021
login take 4 from Russell Coker.
I have used optional sections for dbus and xserver as requested and also
fixed a minor issue of a rule not being in the correct section.
Please merge this.
policy/modules/contrib/dbus.te | 6 ++++++
policy/modules/contrib/gpg.te | 12 ++++++++++++
policy/modules/contrib/policykit.te | 5 +++++
3 files changed, 23 insertions(+)
diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index 579b2230..80ceb9de 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -149,6 +149,12 @@ ifdef(`distro_gentoo',`
')
')
+ifdef(`init_systemd', `
+ # gdm3 causes system_dbusd_t to want this access
+ dev_rw_dri(system_dbusd_t)
+ dev_rw_input_dev(system_dbusd_t)
+')
+
optional_policy(`
# for /run/systemd/users/*
systemd_read_logind_pids(system_dbusd_t)
diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index 4345bd08..c795f278 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -87,6 +87,7 @@ gpg_stream_connect_agent(gpg_t)
domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)
+kernel_read_crypto_sysctls(gpg_t)
kernel_read_sysctl(gpg_t)
# read /proc/cpuinfo
kernel_read_system_state(gpg_t)
@@ -232,6 +233,8 @@ kernel_dontaudit_search_sysctl(gpg_agent_t)
kernel_read_core_if(gpg_agent_t)
kernel_read_system_state(gpg_agent_t)
+auth_use_nsswitch(gpg_agent_t)
+
corecmd_exec_bin(gpg_agent_t)
corecmd_exec_shell(gpg_agent_t)
@@ -272,6 +275,10 @@ tunable_policy(`use_samba_home_dirs',`
')
optional_policy(`
+ dbus_system_bus_client(gpg_agent_t)
+')
+
+optional_policy(`
mozilla_dontaudit_rw_user_home_files(gpg_agent_t)
')
@@ -279,6 +286,11 @@ optional_policy(`
pcscd_stream_connect(gpg_agent_t)
')
+optional_policy(`
+ xserver_sigchld_xdm(gpg_agent_t)
+ xserver_read_user_xauth(gpg_agent_t)
+')
+
##############################
#
# Pinentry local policy
diff --git a/policy/modules/contrib/policykit.te b/policy/modules/contrib/policykit.te
index d7686081..ee6ad3da 100644
--- a/policy/modules/contrib/policykit.te
+++ b/policy/modules/contrib/policykit.te
@@ -89,6 +89,7 @@ kernel_read_kernel_sysctls(policykit_t)
kernel_read_system_state(policykit_t)
dev_read_urand(policykit_t)
+dev_read_urand(policykit_t)
domain_read_all_domains_state(policykit_t)
@@ -96,6 +97,8 @@ files_dontaudit_search_all_mountpoints(policykit_t)
fs_getattr_xattr_fs(policykit_t)
fs_list_inotifyfs(policykit_t)
+fs_getattr_tmpfs(policykit_t)
+fs_getattr_cgroup(policykit_t)
auth_use_nsswitch(policykit_t)
@@ -105,6 +108,8 @@ userdom_read_all_users_state(policykit_t)
optional_policy(`
dbus_system_domain(policykit_t, policykit_exec_t)
+ userdom_dbus_send_all_users(policykit_t)
+
optional_policy(`
consolekit_dbus_chat(policykit_t)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-04-30 14:20 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-04-30 14:20 UTC (permalink / raw
To: gentoo-commits
commit: 2a45b491602c974a5bf42f37fa1dcee7cac8492a
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Apr 19 01:06:48 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 14:17:44 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2a45b491
logging patches from Russell Coker
Patches for logrotate, webalizer, sysstat, and logwatch.
policy/modules/contrib/logrotate.te | 6 +++++-
policy/modules/contrib/logwatch.te | 7 ++++++-
policy/modules/contrib/sysstat.te | 9 ++++++---
policy/modules/contrib/webalizer.te | 8 +++++++-
4 files changed, 24 insertions(+), 6 deletions(-)
diff --git a/policy/modules/contrib/logrotate.te b/policy/modules/contrib/logrotate.te
index ec338fb6..1c63e097 100644
--- a/policy/modules/contrib/logrotate.te
+++ b/policy/modules/contrib/logrotate.te
@@ -1,4 +1,4 @@
-policy_module(logrotate, 1.18.2)
+policy_module(logrotate, 1.18.3)
########################################
#
@@ -89,6 +89,7 @@ files_dontaudit_list_mnt(logrotate_t)
fs_search_auto_mountpoints(logrotate_t)
fs_getattr_xattr_fs(logrotate_t)
fs_list_inotifyfs(logrotate_t)
+fs_getattr_tmpfs(logrotate_t)
mls_file_read_all_levels(logrotate_t)
mls_file_write_all_levels(logrotate_t)
@@ -102,8 +103,10 @@ auth_manage_login_records(logrotate_t)
auth_use_nsswitch(logrotate_t)
init_all_labeled_script_domtrans(logrotate_t)
+init_startstop_all_script_services(logrotate_t)
init_get_generic_units_status(logrotate_t)
init_get_all_units_status(logrotate_t)
+init_get_system_status(logrotate_t)
init_dbus_chat(logrotate_t)
init_stream_connect(logrotate_t)
init_manage_all_units(logrotate_t)
@@ -218,6 +221,7 @@ optional_policy(`
optional_policy(`
mysql_read_config(logrotate_t)
mysql_stream_connect(logrotate_t)
+ mysql_signal(logrotate_t)
')
optional_policy(`
diff --git a/policy/modules/contrib/logwatch.te b/policy/modules/contrib/logwatch.te
index 24f1c17b..d2b54207 100644
--- a/policy/modules/contrib/logwatch.te
+++ b/policy/modules/contrib/logwatch.te
@@ -1,4 +1,4 @@
-policy_module(logwatch, 1.14.0)
+policy_module(logwatch, 1.14.1)
#################################
#
@@ -160,6 +160,10 @@ optional_policy(`
')
optional_policy(`
+ raid_domtrans_mdadm(logwatch_t)
+')
+
+optional_policy(`
rpc_search_nfs_state_data(logwatch_t)
')
@@ -189,4 +193,5 @@ logging_read_all_logs(logwatch_mail_t)
optional_policy(`
cron_use_system_job_fds(logwatch_mail_t)
+ cron_rw_system_job_pipes(logwatch_mail_t)
')
diff --git a/policy/modules/contrib/sysstat.te b/policy/modules/contrib/sysstat.te
index ac249ac0..deca783e 100644
--- a/policy/modules/contrib/sysstat.te
+++ b/policy/modules/contrib/sysstat.te
@@ -1,4 +1,4 @@
-policy_module(sysstat, 1.9.0)
+policy_module(sysstat, 1.9.1)
########################################
#
@@ -24,8 +24,7 @@ allow sysstat_t self:capability { dac_override sys_admin sys_resource sys_tty_co
allow sysstat_t self:fifo_file rw_fifo_file_perms;
manage_dirs_pattern(sysstat_t,sysstat_log_t,sysstat_log_t)
-append_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
-create_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
+manage_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
setattr_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
manage_lnk_files_pattern(sysstat_t,sysstat_log_t,sysstat_log_t)
logging_log_filetrans(sysstat_t, sysstat_log_t, { file dir })
@@ -39,12 +38,15 @@ kernel_read_fs_sysctls(sysstat_t)
kernel_read_rpc_sysctls(sysstat_t)
corecmd_exec_bin(sysstat_t)
+corecmd_exec_shell(sysstat_t)
dev_read_sysfs(sysstat_t)
+dev_getattr_sysfs(sysstat_t)
dev_read_urand(sysstat_t)
files_search_var(sysstat_t)
files_read_etc_runtime_files(sysstat_t)
+files_search_all_mountpoints(sysstat_t)
fs_getattr_xattr_fs(sysstat_t)
fs_list_inotifyfs(sysstat_t)
@@ -66,6 +68,7 @@ userdom_dontaudit_list_user_home_dirs(sysstat_t)
optional_policy(`
cron_system_entry(sysstat_t, sysstat_exec_t)
+ cron_rw_tmp_files(sysstat_t)
')
ifdef(`distro_gentoo',`
diff --git a/policy/modules/contrib/webalizer.te b/policy/modules/contrib/webalizer.te
index 06f9d332..9ea1bdad 100644
--- a/policy/modules/contrib/webalizer.te
+++ b/policy/modules/contrib/webalizer.te
@@ -1,4 +1,4 @@
-policy_module(webalizer, 1.14.0)
+policy_module(webalizer, 1.14.1)
########################################
#
@@ -16,6 +16,9 @@ role webalizer_roles types webalizer_t;
type webalizer_etc_t;
files_config_file(webalizer_etc_t)
+type webalizer_log_t;
+logging_log_file(webalizer_log_t)
+
type webalizer_tmp_t;
files_tmp_file(webalizer_tmp_t)
@@ -37,6 +40,9 @@ allow webalizer_t self:tcp_socket { accept listen };
allow webalizer_t webalizer_etc_t:file read_file_perms;
+manage_dirs_pattern(webalizer_t, webalizer_log_t, webalizer_log_t)
+manage_files_pattern(webalizer_t, webalizer_log_t, webalizer_log_t)
+
manage_dirs_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t)
manage_files_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t)
files_tmp_filetrans(webalizer_t, webalizer_tmp_t, { file dir })
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-04-30 14:20 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-04-30 14:20 UTC (permalink / raw
To: gentoo-commits
commit: 7529321be0c71a4426117c7cafcc2b952d9be90e
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Apr 19 01:34:54 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 14:17:44 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7529321b
some userdomain patches from Russell Coker
Added mono_run for unconfined and also xserver_role and allow it to dbus
chat with xdm.
Allow sysadm_t to read kmsg.
Allow user domains to dbus chat with kerneloops for the kerneloops desktop
gui. Also allow them to chat with devicekit disk and power daemons.
Allow gconfd_t to read /var/lib/gconf/defaults and /proc/filesystems
policy/modules/contrib/gnome.te | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te
index f69c10ba..25fe44da 100644
--- a/policy/modules/contrib/gnome.te
+++ b/policy/modules/contrib/gnome.te
@@ -1,4 +1,4 @@
-policy_module(gnome, 2.7.0)
+policy_module(gnome, 2.7.1)
##############################
#
@@ -91,6 +91,12 @@ manage_dirs_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file })
+# for /proc/filesystems
+kernel_read_system_state(gconfd_t)
+
+# for /var/lib/gconf/defaults
+files_read_var_lib_files(gconfd_t)
+
userdom_manage_user_tmp_dirs(gconfd_t)
userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
userdom_user_runtime_filetrans_user_tmp(gconfd_t, dir)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-04-30 14:20 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-04-30 14:20 UTC (permalink / raw
To: gentoo-commits
commit: 7b0509b4ca611c1723179a84d751ada6345b7a13
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Fri Apr 21 00:19:13 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 14:17:44 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7b0509b4
apache: Move blocks. No rule changes.
policy/modules/contrib/apache.te | 58 +++++++++++++++++++---------------------
1 file changed, 28 insertions(+), 30 deletions(-)
diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index ce6479e8..9593175b 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -745,14 +745,6 @@ tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
fs_exec_fusefs_files(httpd_t)
')
-optional_policy(`
- tunable_policy(`httpd_use_nfs',`
- fs_list_auto_mountpoints(httpd_t)
- rpc_manage_nfs_rw_content(httpd_t)
- rpc_read_nfs_content(httpd_t)
- ')
-')
-
tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
fs_exec_nfs_files(httpd_t)
')
@@ -877,6 +869,12 @@ optional_policy(`
optional_policy(`
rpc_search_nfs_state_data(httpd_t)
+
+ tunable_policy(`httpd_use_nfs',`
+ fs_list_auto_mountpoints(httpd_t)
+ rpc_manage_nfs_rw_content(httpd_t)
+ rpc_read_nfs_content(httpd_t)
+ ')
')
optional_policy(`
@@ -1016,6 +1014,10 @@ tunable_policy(`httpd_enable_cgi && httpd_unified',`
domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
')
+tunable_policy(`httpd_enable_homedirs',`
+ userdom_search_user_home_dirs(httpd_suexec_t)
+')
+
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_list_auto_mountpoints(httpd_suexec_t)
fs_read_cifs_files(httpd_suexec_t)
@@ -1040,6 +1042,10 @@ tunable_policy(`httpd_execmem',`
allow httpd_suexec_t self:process { execmem execstack };
')
+tunable_policy(`httpd_read_user_content',`
+ userdom_read_user_home_content_files(httpd_suexec_t)
+')
+
tunable_policy(`httpd_tmp_exec',`
can_exec(httpd_suexec_t, httpd_suexec_tmp_t)
')
@@ -1072,14 +1078,6 @@ tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
fs_exec_fusefs_files(httpd_suexec_t)
')
-optional_policy(`
- tunable_policy(`httpd_use_nfs',`
- fs_list_auto_mountpoints(httpd_suexec_t)
- rpc_manage_nfs_rw_content(httpd_t)
- rpc_read_nfs_content(httpd_t)
- ')
-')
-
tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
fs_exec_nfs_files(httpd_suexec_t)
')
@@ -1106,12 +1104,12 @@ optional_policy(`
')
')
-tunable_policy(`httpd_read_user_content',`
- userdom_read_user_home_content_files(httpd_suexec_t)
-')
-
-tunable_policy(`httpd_enable_homedirs',`
- userdom_search_user_home_dirs(httpd_suexec_t)
+optional_policy(`
+ tunable_policy(`httpd_use_nfs',`
+ fs_list_auto_mountpoints(httpd_suexec_t)
+ rpc_manage_nfs_rw_content(httpd_t)
+ rpc_read_nfs_content(httpd_t)
+ ')
')
########################################
@@ -1311,14 +1309,6 @@ tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
fs_exec_fusefs_files(httpd_sys_script_t)
')
-optional_policy(`
- tunable_policy(`httpd_use_nfs',`
- fs_list_auto_mountpoints(httpd_sys_script_t)
- rpc_manage_nfs_rw_content(httpd_t)
- rpc_read_nfs_content(httpd_t)
- ')
-')
-
tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
fs_exec_nfs_files(httpd_sys_script_t)
')
@@ -1331,6 +1321,14 @@ optional_policy(`
postgresql_unpriv_client(httpd_sys_script_t)
')
+optional_policy(`
+ tunable_policy(`httpd_use_nfs',`
+ fs_list_auto_mountpoints(httpd_sys_script_t)
+ rpc_manage_nfs_rw_content(httpd_t)
+ rpc_read_nfs_content(httpd_t)
+ ')
+')
+
########################################
#
# Rotatelogs local policy
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-04-30 14:20 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-04-30 14:20 UTC (permalink / raw
To: gentoo-commits
commit: 2031a2a31c996dafd4837a40d52ad605da357abd
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Thu Apr 20 22:00:36 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 14:17:44 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2031a2a3
openoffice: support starting it from the window manager
This patch allows to start the openoffice suite from the
window manager.
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/openoffice.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/openoffice.te b/policy/modules/contrib/openoffice.te
index 148ff232..58845575 100644
--- a/policy/modules/contrib/openoffice.te
+++ b/policy/modules/contrib/openoffice.te
@@ -34,6 +34,10 @@ type ooffice_exec_t;
userdom_user_application_domain(ooffice_t, ooffice_exec_t)
role ooffice_roles types ooffice_t;
+optional_policy(`
+ wm_application_domain(ooffice_t, ooffice_exec_t)
+')
+
type ooffice_home_t;
userdom_user_home_content(ooffice_home_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-04-30 14:20 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-04-30 14:20 UTC (permalink / raw
To: gentoo-commits
commit: ed8c380a71d1b647a6fdc57a29781eff7f523e80
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Apr 19 00:37:39 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 14:17:44 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ed8c380a
misc daemons from Russell Coker.
Put in libx32 subs entries that refer to directories with fc entries.
Allow dpkg_t to transition to dpkg_script_t when it executes bin_t for
dpkg-reconfigure.
Some dontaudit rules for mta processes spawned by mon for notification.
Lots of tiny changes that are obvious.
policy/modules/contrib/backup.te | 4 ++--
policy/modules/contrib/bitlbee.te | 3 ++-
policy/modules/contrib/dpkg.te | 9 ++++++++-
policy/modules/contrib/fetchmail.te | 3 ++-
policy/modules/contrib/kerneloops.te | 4 +++-
policy/modules/contrib/loadkeys.te | 4 +++-
policy/modules/contrib/mon.if | 37 ++++++++++++++++++++++++++++++++++++
policy/modules/contrib/mon.te | 3 ++-
policy/modules/contrib/mta.te | 10 +++++++++-
policy/modules/contrib/munin.te | 5 ++++-
policy/modules/contrib/ntp.te | 4 ++--
policy/modules/contrib/rtkit.te | 6 +++++-
policy/modules/contrib/smartmon.te | 3 ++-
13 files changed, 81 insertions(+), 14 deletions(-)
diff --git a/policy/modules/contrib/backup.te b/policy/modules/contrib/backup.te
index c207d5a2..135f94a3 100644
--- a/policy/modules/contrib/backup.te
+++ b/policy/modules/contrib/backup.te
@@ -1,4 +1,4 @@
-policy_module(backup, 1.7.0)
+policy_module(backup, 1.7.1)
########################################
#
@@ -21,7 +21,7 @@ files_type(backup_store_t)
# Local policy
#
-allow backup_t self:capability dac_override;
+allow backup_t self:capability { chown dac_override fsetid };
allow backup_t self:process signal;
allow backup_t self:fifo_file rw_fifo_file_perms;
allow backup_t self:tcp_socket create_socket_perms;
diff --git a/policy/modules/contrib/bitlbee.te b/policy/modules/contrib/bitlbee.te
index 93d4385d..90ff0dc6 100644
--- a/policy/modules/contrib/bitlbee.te
+++ b/policy/modules/contrib/bitlbee.te
@@ -1,4 +1,4 @@
-policy_module(bitlbee, 1.7.0)
+policy_module(bitlbee, 1.7.1)
########################################
#
@@ -61,6 +61,7 @@ files_pid_filetrans(bitlbee_t, bitlbee_var_run_t, { dir file sock_file })
kernel_read_kernel_sysctls(bitlbee_t)
kernel_read_system_state(bitlbee_t)
+kernel_read_crypto_sysctls(bitlbee_t)
corenet_all_recvfrom_unlabeled(bitlbee_t)
corenet_all_recvfrom_netlabel(bitlbee_t)
diff --git a/policy/modules/contrib/dpkg.te b/policy/modules/contrib/dpkg.te
index 3ea9e3e0..a3d3f2e5 100644
--- a/policy/modules/contrib/dpkg.te
+++ b/policy/modules/contrib/dpkg.te
@@ -1,4 +1,4 @@
-policy_module(dpkg, 1.11.4)
+policy_module(dpkg, 1.11.5)
########################################
#
@@ -34,6 +34,7 @@ domain_type(dpkg_script_t)
domain_entry_file(dpkg_t, dpkg_var_lib_t)
domain_entry_file(dpkg_script_t, dpkg_var_lib_t)
corecmd_shell_entry_type(dpkg_script_t)
+corecmd_bin_entry_type(dpkg_script_t)
domain_obj_id_change_exemption(dpkg_script_t)
domain_system_change_exemption(dpkg_script_t)
domain_interactive_fd(dpkg_script_t)
@@ -87,6 +88,8 @@ files_var_lib_filetrans(dpkg_t, dpkg_var_lib_t, dir)
kernel_read_system_state(dpkg_t)
kernel_read_kernel_sysctls(dpkg_t)
+corecmd_bin_domtrans(dpkg_t, dpkg_script_t)
+
corenet_all_recvfrom_unlabeled(dpkg_t)
corenet_all_recvfrom_netlabel(dpkg_t)
corenet_tcp_sendrecv_generic_if(dpkg_t)
@@ -307,6 +310,10 @@ optional_policy(`
')
optional_policy(`
+ devicekit_dbus_chat_power(dpkg_script_t)
+')
+
+optional_policy(`
modutils_run(dpkg_script_t, dpkg_roles)
')
diff --git a/policy/modules/contrib/fetchmail.te b/policy/modules/contrib/fetchmail.te
index a15bc538..7e796c31 100644
--- a/policy/modules/contrib/fetchmail.te
+++ b/policy/modules/contrib/fetchmail.te
@@ -1,4 +1,4 @@
-policy_module(fetchmail, 1.16.1)
+policy_module(fetchmail, 1.16.2)
########################################
#
@@ -78,6 +78,7 @@ dev_read_rand(fetchmail_t)
dev_read_urand(fetchmail_t)
files_read_etc_runtime_files(fetchmail_t)
+files_search_tmp(fetchmail_t)
files_dontaudit_search_home(fetchmail_t)
fs_getattr_all_fs(fetchmail_t)
diff --git a/policy/modules/contrib/kerneloops.te b/policy/modules/contrib/kerneloops.te
index 4ecba0ae..58ee9516 100644
--- a/policy/modules/contrib/kerneloops.te
+++ b/policy/modules/contrib/kerneloops.te
@@ -1,4 +1,4 @@
-policy_module(kerneloops, 1.6.1)
+policy_module(kerneloops, 1.6.2)
########################################
#
@@ -30,6 +30,8 @@ files_tmp_filetrans(kerneloops_t, kerneloops_tmp_t, file)
kernel_read_ring_buffer(kerneloops_t)
kernel_read_system_state(kerneloops_t)
+dev_read_urand(kerneloops_t)
+
domain_use_interactive_fds(kerneloops_t)
corenet_all_recvfrom_unlabeled(kerneloops_t)
diff --git a/policy/modules/contrib/loadkeys.te b/policy/modules/contrib/loadkeys.te
index ca8e7015..d99a28bf 100644
--- a/policy/modules/contrib/loadkeys.te
+++ b/policy/modules/contrib/loadkeys.te
@@ -1,4 +1,4 @@
-policy_module(loadkeys, 1.11.1)
+policy_module(loadkeys, 1.11.2)
########################################
#
@@ -37,6 +37,8 @@ files_search_tmp(loadkeys_t)
term_dontaudit_use_console(loadkeys_t)
term_use_unallocated_ttys(loadkeys_t)
+init_read_script_tmp_files(loadkeys_t)
+
locallogin_use_fds(loadkeys_t)
miscfiles_read_localization(loadkeys_t)
diff --git a/policy/modules/contrib/mon.if b/policy/modules/contrib/mon.if
index d9aee2be..4701724e 100644
--- a/policy/modules/contrib/mon.if
+++ b/policy/modules/contrib/mon.if
@@ -1 +1,38 @@
## <summary>mon network monitoring daemon.</summary>
+
+######################################
+## <summary>
+## dontaudit using an inherited fd from mon_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit
+## </summary>
+## </param>
+#
+interface(`mon_dontaudit_use_fds',`
+ gen_require(`
+ type mon_t;
+ ')
+
+ dontaudit $1 mon_t:fd use;
+')
+
+######################################
+## <summary>
+## dontaudit searching /var/lib/mon
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit
+## </summary>
+## </param>
+#
+interface(`mon_dontaudit_search_var_lib',`
+ gen_require(`
+ type mon_var_lib_t;
+ ')
+
+ dontaudit $1 mon_var_lib_t:dir search;
+')
+
diff --git a/policy/modules/contrib/mon.te b/policy/modules/contrib/mon.te
index 5db41833..0207d0ac 100644
--- a/policy/modules/contrib/mon.te
+++ b/policy/modules/contrib/mon.te
@@ -1,4 +1,4 @@
-policy_module(mon, 1.0.2)
+policy_module(mon, 1.0.3)
########################################
#
@@ -80,6 +80,7 @@ domain_use_interactive_fds(mon_t)
files_read_etc_files(mon_t)
files_read_etc_runtime_files(mon_t)
files_read_usr_files(mon_t)
+files_search_var_lib(mon_t)
fs_getattr_all_fs(mon_t)
fs_search_auto_mountpoints(mon_t)
diff --git a/policy/modules/contrib/mta.te b/policy/modules/contrib/mta.te
index 68f3e91f..2baa07c9 100644
--- a/policy/modules/contrib/mta.te
+++ b/policy/modules/contrib/mta.te
@@ -1,4 +1,4 @@
-policy_module(mta, 2.8.4)
+policy_module(mta, 2.8.5)
########################################
#
@@ -324,6 +324,10 @@ optional_policy(`
')
')
+optional_policy(`
+ mon_dontaudit_use_fds(mta_user_agent)
+')
+
########################################
#
# Mailserver delivery local policy
@@ -379,6 +383,10 @@ optional_policy(`
')
optional_policy(`
+ mon_dontaudit_search_var_lib(mailserver_delivery)
+')
+
+optional_policy(`
postfix_rw_inherited_master_pipes(mailserver_delivery)
')
diff --git a/policy/modules/contrib/munin.te b/policy/modules/contrib/munin.te
index 16f15ddd..fba6470b 100644
--- a/policy/modules/contrib/munin.te
+++ b/policy/modules/contrib/munin.te
@@ -1,4 +1,4 @@
-policy_module(munin, 1.12.0)
+policy_module(munin, 1.12.1)
########################################
#
@@ -385,6 +385,7 @@ optional_policy(`
# System local policy
#
+allow system_munin_plugin_t self:capability net_admin;
allow system_munin_plugin_t self:udp_socket create_socket_perms;
rw_files_pattern(system_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
@@ -399,6 +400,8 @@ dev_read_urand(system_munin_plugin_t)
domain_read_all_domains_state(system_munin_plugin_t)
+files_read_usr_files(system_munin_plugin_t)
+
init_read_utmp(system_munin_plugin_t)
logging_search_logs(system_munin_plugin_t)
diff --git a/policy/modules/contrib/ntp.te b/policy/modules/contrib/ntp.te
index aae4f194..89b31bf3 100644
--- a/policy/modules/contrib/ntp.te
+++ b/policy/modules/contrib/ntp.te
@@ -1,4 +1,4 @@
-policy_module(ntp, 1.16.3)
+policy_module(ntp, 1.16.4)
########################################
#
@@ -71,7 +71,7 @@ files_var_filetrans(ntpd_t, ntp_drift_t, file)
read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
read_lnk_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
-allow ntpd_t ntpd_lock_t:file write_file_perms;
+allow ntpd_t ntpd_lock_t:file rw_file_perms;
allow ntpd_t ntpd_log_t:dir setattr_dir_perms;
append_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
diff --git a/policy/modules/contrib/rtkit.te b/policy/modules/contrib/rtkit.te
index c5e77836..cfee1a14 100644
--- a/policy/modules/contrib/rtkit.te
+++ b/policy/modules/contrib/rtkit.te
@@ -1,4 +1,4 @@
-policy_module(rtkit, 1.5.0)
+policy_module(rtkit, 1.5.1)
########################################
#
@@ -30,12 +30,16 @@ domain_read_all_domains_state(rtkit_daemon_t)
fs_rw_anon_inodefs_files(rtkit_daemon_t)
+selinux_getattr_fs(rtkit_daemon_t)
+
auth_use_nsswitch(rtkit_daemon_t)
logging_send_syslog_msg(rtkit_daemon_t)
miscfiles_read_localization(rtkit_daemon_t)
+seutil_search_default_contexts(rtkit_daemon_t)
+
optional_policy(`
dbus_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t)
diff --git a/policy/modules/contrib/smartmon.te b/policy/modules/contrib/smartmon.te
index 4a7cafa7..1ad706c7 100644
--- a/policy/modules/contrib/smartmon.te
+++ b/policy/modules/contrib/smartmon.te
@@ -1,4 +1,4 @@
-policy_module(smartmon, 1.14.0)
+policy_module(smartmon, 1.14.1)
########################################
#
@@ -69,6 +69,7 @@ files_exec_etc_files(fsdaemon_t)
files_read_etc_files(fsdaemon_t)
files_read_etc_runtime_files(fsdaemon_t)
files_read_usr_files(fsdaemon_t)
+files_search_var_lib(fsdaemon_t)
fs_getattr_all_fs(fsdaemon_t)
fs_search_auto_mountpoints(fsdaemon_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-04-30 14:20 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-04-30 14:20 UTC (permalink / raw
To: gentoo-commits
commit: c86ff0fad5076084e9f98a16b47152ed52645bfa
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Apr 16 23:01:40 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 14:17:44 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c86ff0fa
systemd init from Russell Coker
This patch lets mandb_t search init_var_run_t dirs which it needs when running
with systems. Also allows it to fs_getattr_xattr_fs() because it seemed
pointless to put that in a separate patch.
Allow init_t to do several things that it requires when init is systemd.
Allow various operations on var_log_t to access var_log_t symlinks too.
Let auditd setattr it's directory.
policy/modules/contrib/mandb.te | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/mandb.te b/policy/modules/contrib/mandb.te
index 62684374..70fb5072 100644
--- a/policy/modules/contrib/mandb.te
+++ b/policy/modules/contrib/mandb.te
@@ -1,4 +1,4 @@
-policy_module(mandb, 1.3.1)
+policy_module(mandb, 1.3.2)
########################################
#
@@ -51,6 +51,10 @@ miscfiles_read_localization(mandb_t)
userdom_use_inherited_user_terminals(mandb_t)
+ifdef(`init_systemd',`
+ init_search_run(mandb_t)
+')
+
optional_policy(`
cron_system_entry(mandb_t, mandb_exec_t)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-04-30 14:20 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-04-30 14:20 UTC (permalink / raw
To: gentoo-commits
commit: f00dd537112df8f2b61cb398583ef1d267a97dea
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Thu Apr 20 23:18:48 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 14:17:44 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f00dd537
Module version bump for gnome fix from Guido Trentalancia.
policy/modules/contrib/evolution.te | 2 +-
policy/modules/contrib/gnome.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/evolution.te b/policy/modules/contrib/evolution.te
index 579c21a6..bf456df4 100644
--- a/policy/modules/contrib/evolution.te
+++ b/policy/modules/contrib/evolution.te
@@ -1,4 +1,4 @@
-policy_module(evolution, 2.6.1)
+policy_module(evolution, 2.6.2)
########################################
#
diff --git a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te
index 25fe44da..1b53cb4f 100644
--- a/policy/modules/contrib/gnome.te
+++ b/policy/modules/contrib/gnome.te
@@ -1,4 +1,4 @@
-policy_module(gnome, 2.7.1)
+policy_module(gnome, 2.7.2)
##############################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-04-30 14:20 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-04-30 14:20 UTC (permalink / raw
To: gentoo-commits
commit: 3962c65a06ae9026ea3746c8603f39a828a5a9aa
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Apr 20 15:07:37 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 14:17:44 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3962c65a
rpc_* interfaces should be wrapped by optional_policy()
The rpc module is not a core module. As such, calls towards rpc_*
interfaces should be wrapped with optional_policy().
Changes since v2:
- Wrapped other calls towards rpc_* within apache.te
Changes since v1:
- Fixed wrong quotation mark
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
policy/modules/contrib/apache.te | 30 ++++++++++++++++++------------
1 file changed, 18 insertions(+), 12 deletions(-)
diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index b418338c..ce6479e8 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -745,10 +745,12 @@ tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
fs_exec_fusefs_files(httpd_t)
')
-tunable_policy(`httpd_use_nfs',`
- fs_list_auto_mountpoints(httpd_t)
- rpc_manage_nfs_rw_content(httpd_t)
- rpc_read_nfs_content(httpd_t)
+optional_policy(`
+ tunable_policy(`httpd_use_nfs',`
+ fs_list_auto_mountpoints(httpd_t)
+ rpc_manage_nfs_rw_content(httpd_t)
+ rpc_read_nfs_content(httpd_t)
+ ')
')
tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
@@ -1070,10 +1072,12 @@ tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
fs_exec_fusefs_files(httpd_suexec_t)
')
-tunable_policy(`httpd_use_nfs',`
- fs_list_auto_mountpoints(httpd_suexec_t)
- rpc_manage_nfs_rw_content(httpd_t)
- rpc_read_nfs_content(httpd_t)
+optional_policy(`
+ tunable_policy(`httpd_use_nfs',`
+ fs_list_auto_mountpoints(httpd_suexec_t)
+ rpc_manage_nfs_rw_content(httpd_t)
+ rpc_read_nfs_content(httpd_t)
+ ')
')
tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
@@ -1307,10 +1311,12 @@ tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
fs_exec_fusefs_files(httpd_sys_script_t)
')
-tunable_policy(`httpd_use_nfs',`
- fs_list_auto_mountpoints(httpd_sys_script_t)
- rpc_manage_nfs_rw_content(httpd_t)
- rpc_read_nfs_content(httpd_t)
+optional_policy(`
+ tunable_policy(`httpd_use_nfs',`
+ fs_list_auto_mountpoints(httpd_sys_script_t)
+ rpc_manage_nfs_rw_content(httpd_t)
+ rpc_read_nfs_content(httpd_t)
+ ')
')
tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-04-30 14:20 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-04-30 14:20 UTC (permalink / raw
To: gentoo-commits
commit: 1ea4f1cd05f02e5996c2c168d5f64bdf1304b3db
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Wed Apr 19 13:37:16 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 14:17:44 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1ea4f1cd
Gnome and Evolution dbus chat permissions
This patch adds assorted permission to chat over dbus needed
for the correct functioning of Gnome and Evolution.
The second version, simply removes an extra "#" prefix from
the comments.
This third version, rebases the patch so that it applies to
the most recent git tree (thanks to Christopher PeBenito and
Russell Coker for pointing that out).
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/evolution.te | 4 ++++
policy/modules/contrib/gnome.if | 37 +++++++++++++++++++++++++++++++++++++
2 files changed, 41 insertions(+)
diff --git a/policy/modules/contrib/evolution.te b/policy/modules/contrib/evolution.te
index bd1647f2..579c21a6 100644
--- a/policy/modules/contrib/evolution.te
+++ b/policy/modules/contrib/evolution.te
@@ -345,6 +345,10 @@ tunable_policy(`use_samba_home_dirs',`
optional_policy(`
dbus_all_session_bus_client(evolution_alarm_t)
dbus_connect_all_session_bus(evolution_alarm_t)
+
+ optional_policy(`
+ evolution_dbus_chat(evolution_alarm_t)
+ ')
')
optional_policy(`
diff --git a/policy/modules/contrib/gnome.if b/policy/modules/contrib/gnome.if
index 7ea2cf40..ce436cfd 100644
--- a/policy/modules/contrib/gnome.if
+++ b/policy/modules/contrib/gnome.if
@@ -112,8 +112,17 @@ template(`gnome_role_template',`
dbus_spec_session_domain($1, $1_gkeyringd_t, gkeyringd_exec_t)
optional_policy(`
+ evolution_dbus_chat($1_gkeyringd_t)
+ ')
+
+ optional_policy(`
+ gnome_dbus_chat_gconfd($3)
gnome_dbus_chat_gkeyringd($1, $3)
')
+
+ optional_policy(`
+ wm_dbus_chat($1, $1_gkeyringd_t)
+ ')
')
ifdef(`distro_gentoo',`
@@ -690,6 +699,34 @@ interface(`gnome_read_keyring_home_files',`
########################################
## <summary>
## Send and receive messages from
+## gnome configuration daemon over
+## dbus.
+## </summary>
+## <param name="role_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_dbus_chat_gconfd',`
+ gen_require(`
+ type gconfd_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 gconfd_t:dbus send_msg;
+ allow gconfd_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
## gnome keyring daemon over dbus.
## </summary>
## <param name="role_prefix">
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-04-30 14:20 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-04-30 14:20 UTC (permalink / raw
To: gentoo-commits
commit: 2aaeb154457ab51334bc8668a33fc89d65bab4e6
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Apr 19 01:17:16 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 14:17:44 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2aaeb154
kmod, lvm, brctl patches from Russell Coker
Patches for modutils, at least one of which is needed to generate an initramfs
on Debian.
Patch to allow lvm to talk to fifos from dpkg_script_t for postinst scripts
etc.
Patch for brctl to allow it to create sysfs files.
policy/modules/contrib/brctl.te | 3 ++-
policy/modules/contrib/dpkg.if | 39 +++++++++++++++++++++++++++++++++++++++
policy/modules/contrib/dpkg.te | 2 +-
3 files changed, 42 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/brctl.te b/policy/modules/contrib/brctl.te
index c5a91138..fd789b5f 100644
--- a/policy/modules/contrib/brctl.te
+++ b/policy/modules/contrib/brctl.te
@@ -1,4 +1,4 @@
-policy_module(brctl, 1.7.0)
+policy_module(brctl, 1.7.1)
########################################
#
@@ -29,6 +29,7 @@ kernel_read_sysctl(brctl_t)
corenet_rw_tun_tap_dev(brctl_t)
+dev_create_sysfs_files(brctl_t)
dev_rw_sysfs(brctl_t)
dev_write_sysfs_dirs(brctl_t)
diff --git a/policy/modules/contrib/dpkg.if b/policy/modules/contrib/dpkg.if
index fdc06d69..081134f2 100644
--- a/policy/modules/contrib/dpkg.if
+++ b/policy/modules/contrib/dpkg.if
@@ -62,6 +62,25 @@ interface(`dpkg_domtrans_script',`
########################################
## <summary>
+## access dpkg_script fifos
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`dpkg_script_rw_pipes',`
+ gen_require(`
+ type dpkg_script_t;
+ ')
+
+ allow $1 dpkg_script_t:fd use;
+ allow $1 dpkg_script_t:fifo_file rw_file_perms;
+')
+
+########################################
+## <summary>
## Execute dpkg programs in the dpkg domain.
## </summary>
## <param name="domain">
@@ -242,3 +261,23 @@ interface(`dpkg_lock_db',`
allow $1 dpkg_var_lib_t:dir list_dir_perms;
allow $1 dpkg_lock_t:file manage_file_perms;
')
+
+########################################
+## <summary>
+## manage dpkg_script_tmp_t files and dirs
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dpkg_manage_script_tmp_files',`
+ gen_require(`
+ type dpkg_script_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 dpkg_script_tmp_t:dir manage_dir_perms;
+ allow $1 dpkg_script_tmp_t:file manage_file_perms;
+')
diff --git a/policy/modules/contrib/dpkg.te b/policy/modules/contrib/dpkg.te
index a3d3f2e5..a91e4896 100644
--- a/policy/modules/contrib/dpkg.te
+++ b/policy/modules/contrib/dpkg.te
@@ -1,4 +1,4 @@
-policy_module(dpkg, 1.11.5)
+policy_module(dpkg, 1.11.6)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-04-30 14:20 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-04-30 14:20 UTC (permalink / raw
To: gentoo-commits
commit: 8a40fd018dd706545beee6585ce3dbdcd9abfe6a
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Apr 19 01:21:12 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 14:17:44 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8a40fd01
devicekit, mount, xserver, and selinuxutil from Russell Coker
Allow devicekit_power_t to chat to xdm via dbus and log via syslog.
Allow mount_t to do more with it's runtime files and stat more filesystem
types.
Allow xauth to send sigchld to xdm.
Allow semanage to search policy_src_t dirs and read /dev/urandom.
policy/modules/contrib/devicekit.te | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/devicekit.te b/policy/modules/contrib/devicekit.te
index 83e0fabd..d2d3f830 100644
--- a/policy/modules/contrib/devicekit.te
+++ b/policy/modules/contrib/devicekit.te
@@ -1,4 +1,4 @@
-policy_module(devicekit, 1.6.3)
+policy_module(devicekit, 1.6.4)
########################################
#
@@ -59,12 +59,17 @@ optional_policy(`
udev_read_db(devicekit_t)
')
+optional_policy(`
+ xserver_dbus_chat_xdm(devicekit_power_t)
+')
+
########################################
#
# Disk local policy
#
allow devicekit_disk_t self:capability { chown dac_override fowner fsetid net_admin setgid setuid sys_admin sys_nice sys_ptrace sys_rawio };
+allow devicekit_disk_t self:capability2 wake_alarm;
allow devicekit_disk_t self:process { getsched signal_perms };
allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -263,6 +268,8 @@ init_all_labeled_script_domtrans(devicekit_power_t)
init_read_utmp(devicekit_power_t)
init_search_run(devicekit_power_t)
+logging_send_syslog_msg(devicekit_power_t)
+
miscfiles_read_localization(devicekit_power_t)
sysnet_domtrans_ifconfig(devicekit_power_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-04-30 14:19 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-04-30 14:19 UTC (permalink / raw
To: gentoo-commits
commit: 86cf7f0c01b889767399e16bd315b2b8bf177340
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Apr 16 22:45:05 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 14:17:43 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=86cf7f0c
wm: interface docs adjustment.
policy/modules/contrib/wm.if | 29 ++++++++++++++---------------
1 file changed, 14 insertions(+), 15 deletions(-)
diff --git a/policy/modules/contrib/wm.if b/policy/modules/contrib/wm.if
index e8fd7706..45ce9949 100644
--- a/policy/modules/contrib/wm.if
+++ b/policy/modules/contrib/wm.if
@@ -223,22 +223,21 @@ interface(`wm_application_domain',`
')
########################################
-### <summary>
-### Write wm unnamed pipes.
-### </summary>
+## <summary>
+## Write wm unnamed pipes.
+## </summary>
## <param name="role_prefix">
-### <summary>
-### The prefix of the user domain (e.g., user
-### is the prefix for user_t).
-### </summary>
-### </param>
-### <param name="domain">
-### <summary>
-### Domain allowed access.
-### </summary>
-### </param>
-### </param>
-##
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
interface(`wm_write_pipes',`
gen_require(`
type $1_t;
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-04-30 14:19 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-04-30 14:19 UTC (permalink / raw
To: gentoo-commits
commit: e2dd03fff198bec191aa28a97ed411d63ad29338
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Apr 16 22:46:34 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 14:17:43 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e2dd03ff
Module version bump for misc fixes from Guido Trentalancia.
policy/modules/contrib/evolution.te | 2 +-
policy/modules/contrib/java.te | 2 +-
policy/modules/contrib/mozilla.te | 2 +-
policy/modules/contrib/networkmanager.te | 2 +-
policy/modules/contrib/wm.te | 2 +-
5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/policy/modules/contrib/evolution.te b/policy/modules/contrib/evolution.te
index 16c620aa..bd1647f2 100644
--- a/policy/modules/contrib/evolution.te
+++ b/policy/modules/contrib/evolution.te
@@ -1,4 +1,4 @@
-policy_module(evolution, 2.6.0)
+policy_module(evolution, 2.6.1)
########################################
#
diff --git a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te
index 01b33922..c4aaa66b 100644
--- a/policy/modules/contrib/java.te
+++ b/policy/modules/contrib/java.te
@@ -1,4 +1,4 @@
-policy_module(java, 2.9.1)
+policy_module(java, 2.9.2)
########################################
#
diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
index 41bfeb97..c595af2f 100644
--- a/policy/modules/contrib/mozilla.te
+++ b/policy/modules/contrib/mozilla.te
@@ -1,4 +1,4 @@
-policy_module(mozilla, 2.11.1)
+policy_module(mozilla, 2.11.2)
########################################
#
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index 99002c12..c6d62977 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -1,4 +1,4 @@
-policy_module(networkmanager, 1.20.4)
+policy_module(networkmanager, 1.20.5)
########################################
#
diff --git a/policy/modules/contrib/wm.te b/policy/modules/contrib/wm.te
index 5b39df69..2bc2c8d9 100644
--- a/policy/modules/contrib/wm.te
+++ b/policy/modules/contrib/wm.te
@@ -1,4 +1,4 @@
-policy_module(wm, 1.6.0)
+policy_module(wm, 1.6.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-04-30 14:19 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-04-30 14:19 UTC (permalink / raw
To: gentoo-commits
commit: eae74f80d6ed5f475ecf7fe3c476d8047aca6f39
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Thu Apr 13 23:26:10 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 14:17:43 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=eae74f80
wm: load the NetworkManager applet
Gnome-shell needs to read NetworkManager configuration files in /etc in
order to correctly run the applet.
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/networkmanager.if | 20 ++++++++++++++++++++
policy/modules/contrib/wm.te | 2 ++
2 files changed, 22 insertions(+)
diff --git a/policy/modules/contrib/networkmanager.if b/policy/modules/contrib/networkmanager.if
index 10688d21..3c5073d1 100644
--- a/policy/modules/contrib/networkmanager.if
+++ b/policy/modules/contrib/networkmanager.if
@@ -172,6 +172,26 @@ interface(`networkmanager_signal',`
')
########################################
+### <summary>
+### Read networkmanager etc files.
+### </summary>
+### <param name="domain">
+### <summary>
+### Domain allowed access.
+### </summary>
+### </param>
+##
+interface(`networkmanager_read_etc_files',`
+ gen_require(`
+ type NetworkManager_etc_t;
+ ')
+
+ files_search_etc($1)
+ list_dirs_pattern($1, NetworkManager_etc_t, NetworkManager_etc_t)
+ read_files_pattern($1, NetworkManager_etc_t, NetworkManager_etc_t)
+')
+
+########################################
## <summary>
## Create, read, and write
## networkmanager library files.
diff --git a/policy/modules/contrib/wm.te b/policy/modules/contrib/wm.te
index e5f65316..77dcc432 100644
--- a/policy/modules/contrib/wm.te
+++ b/policy/modules/contrib/wm.te
@@ -68,6 +68,8 @@ miscfiles_read_fonts(wm_domain)
miscfiles_read_generic_certs(wm_domain)
miscfiles_read_localization(wm_domain)
+networkmanager_read_etc_files(wm_domain)
+
udev_read_pid_files(wm_domain)
# this is needed by gnome-shell
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-04-30 14:19 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-04-30 14:19 UTC (permalink / raw
To: gentoo-commits
commit: d99dbfd2344aaab6826b1b61a1d4ef858ef58568
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Sun Apr 16 22:39:36 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 14:17:43 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d99dbfd2
wm: interactive start
Update the window manager (wm) module (support starting
gnome-shell from an X terminal).
This second version curbs on an open permission when dealing with the user terminal (terminal is already opened by the X terminal application, thanks to Christian Göttsche for the tip).
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/wm.if | 27 +++++++++++++++++++++++++++
policy/modules/contrib/wm.te | 7 ++++++-
2 files changed, 33 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/wm.if b/policy/modules/contrib/wm.if
index dbe32237..e8fd7706 100644
--- a/policy/modules/contrib/wm.if
+++ b/policy/modules/contrib/wm.if
@@ -73,6 +73,8 @@ template(`wm_role_template',`
xserver_role($2, $1_wm_t)
xserver_manage_core_devices($1_wm_t)
+ wm_write_pipes($1, $3)
+
optional_policy(`
dbus_connect_spec_session_bus($1, $1_wm_t)
dbus_spec_session_bus_client($1, $1_wm_t)
@@ -219,3 +221,28 @@ interface(`wm_application_domain',`
userdom_user_application_domain($1, $2)
domtrans_pattern(wm_domain, $2, $1)
')
+
+########################################
+### <summary>
+### Write wm unnamed pipes.
+### </summary>
+## <param name="role_prefix">
+### <summary>
+### The prefix of the user domain (e.g., user
+### is the prefix for user_t).
+### </summary>
+### </param>
+### <param name="domain">
+### <summary>
+### Domain allowed access.
+### </summary>
+### </param>
+### </param>
+##
+interface(`wm_write_pipes',`
+ gen_require(`
+ type $1_t;
+ ')
+
+ allow $2 $1_wm_t:fifo_file write;
+')
diff --git a/policy/modules/contrib/wm.te b/policy/modules/contrib/wm.te
index 77dcc432..5b39df69 100644
--- a/policy/modules/contrib/wm.te
+++ b/policy/modules/contrib/wm.te
@@ -64,6 +64,8 @@ kernel_read_fs_sysctls(wm_domain)
kernel_read_proc_symlinks(wm_domain)
kernel_read_sysctl(wm_domain)
+locallogin_dontaudit_use_fds(wm_domain)
+
miscfiles_read_fonts(wm_domain)
miscfiles_read_generic_certs(wm_domain)
miscfiles_read_localization(wm_domain)
@@ -72,13 +74,16 @@ networkmanager_read_etc_files(wm_domain)
udev_read_pid_files(wm_domain)
-# this is needed by gnome-shell
+# the following is needed by gnome-shell
userdom_exec_user_home_content_files(wm_domain)
userdom_manage_user_tmp_sockets(wm_domain)
userdom_tmp_filetrans_user_tmp(wm_domain, sock_file)
userdom_user_runtime_filetrans_user_tmp(wm_domain, sock_file)
+# to print error messages
+userdom_use_inherited_user_terminals(wm_domain)
+
userdom_manage_user_home_content_dirs(wm_domain)
userdom_manage_user_home_content_files(wm_domain)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-04-30 14:19 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-04-30 14:19 UTC (permalink / raw
To: gentoo-commits
commit: 972850f05cf3dfe43158185c181795144629114a
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Thu Apr 13 23:25:46 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 14:17:43 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=972850f0
mozilla: add a permission
Update the mozilla module with a permission that firefox needs to
run (temporary lock file creation).
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/mozilla.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
index 611959a0..41bfeb97 100644
--- a/policy/modules/contrib/mozilla.te
+++ b/policy/modules/contrib/mozilla.te
@@ -103,6 +103,7 @@ userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".phoenix")
filetrans_pattern(mozilla_t, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins")
manage_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
+manage_lnk_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
manage_dirs_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
files_tmp_filetrans(mozilla_t, mozilla_tmp_t, { file dir })
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-04-30 14:19 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-04-30 14:19 UTC (permalink / raw
To: gentoo-commits
commit: 5c9e977ce21e78d2b82f92ea3fa72e90bc4b4d30
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Apr 16 22:30:28 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 14:17:43 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5c9e977c
networkmanager: adjust interface docs format.
policy/modules/contrib/networkmanager.if | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/policy/modules/contrib/networkmanager.if b/policy/modules/contrib/networkmanager.if
index 3c5073d1..e57453fc 100644
--- a/policy/modules/contrib/networkmanager.if
+++ b/policy/modules/contrib/networkmanager.if
@@ -172,15 +172,15 @@ interface(`networkmanager_signal',`
')
########################################
-### <summary>
-### Read networkmanager etc files.
-### </summary>
-### <param name="domain">
-### <summary>
-### Domain allowed access.
-### </summary>
-### </param>
-##
+## <summary>
+## Read networkmanager etc files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
interface(`networkmanager_read_etc_files',`
gen_require(`
type NetworkManager_etc_t;
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-04-30 9:40 Jason Zaman
2017-04-30 9:32 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2017-04-30 9:40 UTC (permalink / raw
To: gentoo-commits
commit: a8cb4e80579cdaa70d22c79eab1c8fe6e89cd2b7
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Apr 26 10:35:47 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 09:21:11 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a8cb4e80
Rename apm to acpi from Russell Coker.
This patch is slightly more involved than just running sed. It also adds
typealias rules and doesn't change the FC entries.
The /dev/apm_bios device doesn't exist on modern systems. I have left that
policy in for the moment on the principle of making one change per patch. But
I might send another patch to remove that as it won't exist with modern
kernels.
policy/modules/contrib/acpi.fc | 21 +++
policy/modules/contrib/{apm.if => acpi.if} | 70 ++++----
policy/modules/contrib/acpi.te | 247 +++++++++++++++++++++++++++++
policy/modules/contrib/apm.fc | 21 ---
policy/modules/contrib/apm.te | 236 ---------------------------
policy/modules/contrib/cups.te | 2 +-
policy/modules/contrib/hal.te | 2 +-
7 files changed, 305 insertions(+), 294 deletions(-)
diff --git a/policy/modules/contrib/acpi.fc b/policy/modules/contrib/acpi.fc
new file mode 100644
index 00000000..bfbe255b
--- /dev/null
+++ b/policy/modules/contrib/acpi.fc
@@ -0,0 +1,21 @@
+/etc/rc\.d/init\.d/acpid -- gen_context(system_u:object_r:acpid_initrc_exec_t,s0)
+
+/usr/bin/apm -- gen_context(system_u:object_r:acpi_exec_t,s0)
+
+/usr/lib/systemd/system/apmd.*\.service -- gen_context(system_u:object_r:acpid_unit_t,s0)
+
+/usr/sbin/acpid -- gen_context(system_u:object_r:acpid_exec_t,s0)
+/usr/sbin/apmd -- gen_context(system_u:object_r:acpid_exec_t,s0)
+/usr/sbin/powersaved -- gen_context(system_u:object_r:acpid_exec_t,s0)
+
+/var/lock/subsys/acpid -- gen_context(system_u:object_r:acpid_lock_t,s0)
+
+/var/log/acpid.* -- gen_context(system_u:object_r:acpid_log_t,s0)
+
+/run/\.?acpid\.socket -s gen_context(system_u:object_r:acpid_var_run_t,s0)
+/run/acpid\.pid -- gen_context(system_u:object_r:acpid_var_run_t,s0)
+/run/apmd\.pid -- gen_context(system_u:object_r:acpid_var_run_t,s0)
+/run/powersaved\.pid -- gen_context(system_u:object_r:acpid_var_run_t,s0)
+/run/powersave_socket -s gen_context(system_u:object_r:acpid_var_run_t,s0)
+
+/var/lib/acpi(/.*)? gen_context(system_u:object_r:acpid_var_lib_t,s0)
diff --git a/policy/modules/contrib/apm.if b/policy/modules/contrib/acpi.if
similarity index 65%
rename from policy/modules/contrib/apm.if
rename to policy/modules/contrib/acpi.if
index cbf60b55..109b644e 100644
--- a/policy/modules/contrib/apm.if
+++ b/policy/modules/contrib/acpi.if
@@ -10,13 +10,13 @@
## </summary>
## </param>
#
-interface(`apm_domtrans_client',`
+interface(`acpi_domtrans_client',`
gen_require(`
- type apm_t, apm_exec_t;
+ type acpi_t, acpi_exec_t;
')
corecmd_search_bin($1)
- domtrans_pattern($1, apm_exec_t, apm_t)
+ domtrans_pattern($1, acpi_exec_t, acpi_t)
')
########################################
@@ -36,13 +36,13 @@ interface(`apm_domtrans_client',`
## </summary>
## </param>
#
-interface(`apm_run_client',`
+interface(`acpi_run_client',`
gen_require(`
- attribute_role apm_roles;
+ attribute_role acpi_roles;
')
- apm_domtrans_client($1)
- roleattribute $2 apm_roles;
+ acpi_domtrans_client($1)
+ roleattribute $2 acpi_roles;
')
########################################
@@ -55,12 +55,12 @@ interface(`apm_run_client',`
## </summary>
## </param>
#
-interface(`apm_use_fds',`
+interface(`acpi_use_fds',`
gen_require(`
- type apmd_t;
+ type acpid_t;
')
- allow $1 apmd_t:fd use;
+ allow $1 acpid_t:fd use;
')
########################################
@@ -73,12 +73,12 @@ interface(`apm_use_fds',`
## </summary>
## </param>
#
-interface(`apm_write_pipes',`
+interface(`acpi_write_pipes',`
gen_require(`
- type apmd_t;
+ type acpid_t;
')
- allow $1 apmd_t:fifo_file write;
+ allow $1 acpid_t:fifo_file write;
')
########################################
@@ -92,12 +92,12 @@ interface(`apm_write_pipes',`
## </summary>
## </param>
#
-interface(`apm_rw_stream_sockets',`
+interface(`acpi_rw_stream_sockets',`
gen_require(`
- type apmd_t;
+ type acpid_t;
')
- allow $1 apmd_t:unix_stream_socket { read write };
+ allow $1 acpid_t:unix_stream_socket { read write };
')
########################################
@@ -110,13 +110,13 @@ interface(`apm_rw_stream_sockets',`
## </summary>
## </param>
#
-interface(`apm_append_log',`
+interface(`acpi_append_log',`
gen_require(`
- type apmd_log_t;
+ type acpid_log_t;
')
logging_search_logs($1)
- allow $1 apmd_log_t:file append_file_perms;
+ allow $1 acpid_log_t:file append_file_perms;
')
########################################
@@ -130,13 +130,13 @@ interface(`apm_append_log',`
## </summary>
## </param>
#
-interface(`apm_stream_connect',`
+interface(`acpi_stream_connect',`
gen_require(`
- type apmd_t, apmd_var_run_t;
+ type acpid_t, acpid_var_run_t;
')
files_search_pids($1)
- stream_connect_pattern($1, apmd_var_run_t, apmd_var_run_t, apmd_t)
+ stream_connect_pattern($1, acpid_var_run_t, acpid_var_run_t, acpid_t)
')
########################################
@@ -156,32 +156,32 @@ interface(`apm_stream_connect',`
## </param>
## <rolecap/>
#
-interface(`apm_admin',`
+interface(`acpi_admin',`
gen_require(`
- type apmd_t, apmd_initrc_exec_t, apmd_log_t;
- type apmd_lock_t, apmd_var_run_t, apmd_var_lib_t;
- type apmd_tmp_t;
+ type acpid_t, acpid_initrc_exec_t, acpid_log_t;
+ type acpid_lock_t, acpid_var_run_t, acpid_var_lib_t;
+ type acpid_tmp_t;
')
- allow $1 apmd_t:process { ptrace signal_perms };
- ps_process_pattern($1, apmd_t)
+ allow $1 acpid_t:process { ptrace signal_perms };
+ ps_process_pattern($1, acpid_t)
- init_startstop_service($1, $2, apmd_t, apmd_initrc_exec_t)
+ init_startstop_service($1, $2, acpid_t, acpid_initrc_exec_t)
logging_search_logs($1)
- admin_pattern($1, apmd_log_t)
+ admin_pattern($1, acpid_log_t)
files_search_locks($1)
- admin_pattern($1, apmd_lock_t)
+ admin_pattern($1, acpid_lock_t)
files_search_pids($1)
- admin_pattern($1, apmd_var_run_t)
+ admin_pattern($1, acpid_var_run_t)
files_search_var_lib($1)
- admin_pattern($1, apmd_var_lib_t)
+ admin_pattern($1, acpid_var_lib_t)
files_search_tmp($1)
- admin_pattern($1, apmd_tmp_t)
+ admin_pattern($1, acpid_tmp_t)
- apm_run_client($1, $2)
+ acpi_run_client($1, $2)
')
diff --git a/policy/modules/contrib/acpi.te b/policy/modules/contrib/acpi.te
new file mode 100644
index 00000000..0cd3d884
--- /dev/null
+++ b/policy/modules/contrib/acpi.te
@@ -0,0 +1,247 @@
+policy_module(acpi, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role acpi_roles;
+roleattribute system_r acpi_roles;
+
+type acpid_t;
+type acpid_exec_t;
+typealias acpid_t alias apmd_t;
+typealias acpid_exec_t alias apmd_exec_t;
+init_daemon_domain(acpid_t, acpid_exec_t)
+
+type acpid_initrc_exec_t;
+typealias acpid_initrc_exec_t alias apmd_initrc_exec_t;
+init_script_file(acpid_initrc_exec_t)
+
+type acpi_t;
+type acpi_exec_t;
+typealias acpi_t alias apm_t;
+typealias acpi_exec_t alias apm_exec_t;
+application_domain(acpi_t, acpi_exec_t)
+role acpi_roles types acpi_t;
+
+type acpid_lock_t;
+typealias acpid_lock_t alias apmd_lock_t;
+files_lock_file(acpid_lock_t)
+
+type acpid_log_t;
+typealias acpid_log_t alias apmd_log_t;
+logging_log_file(acpid_log_t)
+
+type acpid_tmp_t;
+typealias acpid_tmp_t alias apmd_tmp_t;
+files_tmp_file(acpid_tmp_t)
+
+type acpid_unit_t;
+typealias acpid_unit_t alias apmd_unit_t;
+init_unit_file(acpid_unit_t)
+
+type acpid_var_lib_t;
+typealias acpid_var_lib_t alias apmd_var_lib_t;
+files_type(acpid_var_lib_t)
+
+type acpid_var_run_t;
+typealias acpid_var_run_t alias apmd_var_run_t;
+files_pid_file(acpid_var_run_t)
+
+########################################
+#
+# Client local policy
+#
+
+allow acpi_t self:capability { dac_override sys_admin };
+
+kernel_read_system_state(acpi_t)
+
+dev_rw_acpi_bios(acpi_t)
+
+fs_getattr_xattr_fs(acpi_t)
+
+term_use_all_terms(acpi_t)
+
+domain_use_interactive_fds(acpi_t)
+
+logging_send_syslog_msg(acpi_t)
+
+########################################
+#
+# Server local policy
+#
+
+allow acpid_t self:capability { kill mknod sys_admin sys_nice sys_time };
+dontaudit acpid_t self:capability { dac_override dac_read_search setuid sys_ptrace sys_tty_config };
+allow acpid_t self:process { signal_perms getsession };
+allow acpid_t self:fifo_file rw_fifo_file_perms;
+allow acpid_t self:netlink_socket create_socket_perms;
+allow acpid_t self:netlink_generic_socket create_socket_perms;
+allow acpid_t self:unix_stream_socket { accept listen };
+
+allow acpid_t acpid_lock_t:file manage_file_perms;
+files_lock_filetrans(acpid_t, acpid_lock_t, file)
+
+allow acpid_t acpid_log_t:file manage_file_perms;
+logging_log_filetrans(acpid_t, acpid_log_t, file)
+
+manage_dirs_pattern(acpid_t, acpid_tmp_t, acpid_tmp_t)
+manage_files_pattern(acpid_t, acpid_tmp_t, acpid_tmp_t)
+files_tmp_filetrans(acpid_t, acpid_tmp_t, { file dir })
+
+manage_dirs_pattern(acpid_t, acpid_var_lib_t, acpid_var_lib_t)
+manage_files_pattern(acpid_t, acpid_var_lib_t, acpid_var_lib_t)
+files_var_lib_filetrans(acpid_t, acpid_var_lib_t, dir)
+
+manage_files_pattern(acpid_t, acpid_var_run_t, acpid_var_run_t)
+manage_sock_files_pattern(acpid_t, acpid_var_run_t, acpid_var_run_t)
+files_pid_filetrans(acpid_t, acpid_var_run_t, { file sock_file })
+
+can_exec(acpid_t, acpid_var_run_t)
+
+kernel_read_kernel_sysctls(acpid_t)
+kernel_rw_all_sysctls(acpid_t)
+kernel_read_system_state(acpid_t)
+kernel_write_proc_files(acpid_t)
+kernel_request_load_module(acpid_t)
+
+dev_read_input(acpid_t)
+dev_read_mouse(acpid_t)
+dev_read_realtime_clock(acpid_t)
+dev_read_urand(acpid_t)
+dev_rw_acpi_bios(acpid_t)
+dev_rw_sysfs(acpid_t)
+dev_dontaudit_getattr_all_chr_files(acpid_t)
+dev_dontaudit_getattr_all_blk_files(acpid_t)
+
+files_exec_etc_files(acpid_t)
+files_read_etc_runtime_files(acpid_t)
+files_dontaudit_getattr_all_files(acpid_t)
+files_dontaudit_getattr_all_symlinks(acpid_t)
+files_dontaudit_getattr_all_pipes(acpid_t)
+files_dontaudit_getattr_all_sockets(acpid_t)
+
+fs_dontaudit_list_tmpfs(acpid_t)
+fs_getattr_all_fs(acpid_t)
+fs_search_auto_mountpoints(acpid_t)
+fs_dontaudit_getattr_all_files(acpid_t)
+fs_dontaudit_getattr_all_symlinks(acpid_t)
+fs_dontaudit_getattr_all_pipes(acpid_t)
+fs_dontaudit_getattr_all_sockets(acpid_t)
+
+selinux_search_fs(acpid_t)
+
+corecmd_exec_all_executables(acpid_t)
+
+domain_read_all_domains_state(acpid_t)
+domain_dontaudit_ptrace_all_domains(acpid_t)
+domain_use_interactive_fds(acpid_t)
+domain_dontaudit_getattr_all_sockets(acpid_t)
+domain_dontaudit_getattr_all_key_sockets(acpid_t)
+domain_dontaudit_list_all_domains_state(acpid_t)
+
+auth_use_nsswitch(acpid_t)
+
+init_domtrans_script(acpid_t)
+
+libs_exec_ld_so(acpid_t)
+libs_exec_lib_files(acpid_t)
+
+logging_send_audit_msgs(acpid_t)
+logging_send_syslog_msg(acpid_t)
+
+miscfiles_read_localization(acpid_t)
+miscfiles_read_hwdata(acpid_t)
+
+modutils_domtrans(acpid_t)
+modutils_read_module_config(acpid_t)
+
+seutil_dontaudit_read_config(acpid_t)
+
+userdom_dontaudit_use_unpriv_user_fds(acpid_t)
+userdom_dontaudit_search_user_home_dirs(acpid_t)
+userdom_dontaudit_search_user_home_content(acpid_t)
+
+optional_policy(`
+ automount_domtrans(acpid_t)
+')
+
+optional_policy(`
+ clock_domtrans(acpid_t)
+ clock_rw_adjtime(acpid_t)
+')
+
+optional_policy(`
+ cron_system_entry(acpid_t, acpid_exec_t)
+ cron_anacron_domtrans_system_job(acpid_t)
+')
+
+optional_policy(`
+ devicekit_manage_pid_files(acpid_t)
+ devicekit_manage_log_files(acpid_t)
+ devicekit_relabel_log_files(acpid_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(acpid_t)
+
+ optional_policy(`
+ consolekit_dbus_chat(acpid_t)
+ ')
+
+ optional_policy(`
+ networkmanager_dbus_chat(acpid_t)
+ ')
+')
+
+optional_policy(`
+ fstools_domtrans(acpid_t)
+')
+
+optional_policy(`
+ iptables_domtrans(acpid_t)
+')
+
+optional_policy(`
+ logrotate_use_fds(acpid_t)
+')
+
+optional_policy(`
+ mta_send_mail(acpid_t)
+')
+
+optional_policy(`
+ netutils_domtrans(acpid_t)
+')
+
+optional_policy(`
+ pcmcia_domtrans_cardmgr(acpid_t)
+ pcmcia_domtrans_cardctl(acpid_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(acpid_t)
+')
+
+optional_policy(`
+ shutdown_domtrans(acpid_t)
+')
+
+optional_policy(`
+ sysnet_domtrans_ifconfig(acpid_t)
+')
+
+optional_policy(`
+ udev_read_db(acpid_t)
+ udev_read_state(acpid_t)
+')
+
+optional_policy(`
+ vbetool_domtrans(acpid_t)
+')
+
+optional_policy(`
+ xserver_domtrans(acpid_t)
+')
diff --git a/policy/modules/contrib/apm.fc b/policy/modules/contrib/apm.fc
deleted file mode 100644
index bfa60ae0..00000000
--- a/policy/modules/contrib/apm.fc
+++ /dev/null
@@ -1,21 +0,0 @@
-/etc/rc\.d/init\.d/acpid -- gen_context(system_u:object_r:apmd_initrc_exec_t,s0)
-
-/usr/bin/apm -- gen_context(system_u:object_r:apm_exec_t,s0)
-
-/usr/lib/systemd/system/apmd.*\.service -- gen_context(system_u:object_r:apmd_unit_t,s0)
-
-/usr/sbin/acpid -- gen_context(system_u:object_r:apmd_exec_t,s0)
-/usr/sbin/apmd -- gen_context(system_u:object_r:apmd_exec_t,s0)
-/usr/sbin/powersaved -- gen_context(system_u:object_r:apmd_exec_t,s0)
-
-/var/lock/subsys/acpid -- gen_context(system_u:object_r:apmd_lock_t,s0)
-
-/var/log/acpid.* -- gen_context(system_u:object_r:apmd_log_t,s0)
-
-/run/\.?acpid\.socket -s gen_context(system_u:object_r:apmd_var_run_t,s0)
-/run/acpid\.pid -- gen_context(system_u:object_r:apmd_var_run_t,s0)
-/run/apmd\.pid -- gen_context(system_u:object_r:apmd_var_run_t,s0)
-/run/powersaved\.pid -- gen_context(system_u:object_r:apmd_var_run_t,s0)
-/run/powersave_socket -s gen_context(system_u:object_r:apmd_var_run_t,s0)
-
-/var/lib/acpi(/.*)? gen_context(system_u:object_r:apmd_var_lib_t,s0)
diff --git a/policy/modules/contrib/apm.te b/policy/modules/contrib/apm.te
deleted file mode 100644
index 7f41a450..00000000
--- a/policy/modules/contrib/apm.te
+++ /dev/null
@@ -1,236 +0,0 @@
-policy_module(apm, 1.16.1)
-
-########################################
-#
-# Declarations
-#
-
-attribute_role apm_roles;
-roleattribute system_r apm_roles;
-
-type apmd_t;
-type apmd_exec_t;
-init_daemon_domain(apmd_t, apmd_exec_t)
-
-type apmd_initrc_exec_t;
-init_script_file(apmd_initrc_exec_t)
-
-type apm_t;
-type apm_exec_t;
-application_domain(apm_t, apm_exec_t)
-role apm_roles types apm_t;
-
-type apmd_lock_t;
-files_lock_file(apmd_lock_t)
-
-type apmd_log_t;
-logging_log_file(apmd_log_t)
-
-type apmd_tmp_t;
-files_tmp_file(apmd_tmp_t)
-
-type apmd_unit_t;
-init_unit_file(apmd_unit_t)
-
-type apmd_var_lib_t;
-files_type(apmd_var_lib_t)
-
-type apmd_var_run_t;
-files_pid_file(apmd_var_run_t)
-
-########################################
-#
-# Client local policy
-#
-
-allow apm_t self:capability { dac_override sys_admin };
-
-kernel_read_system_state(apm_t)
-
-dev_rw_apm_bios(apm_t)
-
-fs_getattr_xattr_fs(apm_t)
-
-term_use_all_terms(apm_t)
-
-domain_use_interactive_fds(apm_t)
-
-logging_send_syslog_msg(apm_t)
-
-########################################
-#
-# Server local policy
-#
-
-allow apmd_t self:capability { kill mknod sys_admin sys_nice sys_time };
-dontaudit apmd_t self:capability { dac_override dac_read_search setuid sys_ptrace sys_tty_config };
-allow apmd_t self:process { signal_perms getsession };
-allow apmd_t self:fifo_file rw_fifo_file_perms;
-allow apmd_t self:netlink_socket create_socket_perms;
-allow apmd_t self:netlink_generic_socket create_socket_perms;
-allow apmd_t self:unix_stream_socket { accept listen };
-
-allow apmd_t apmd_lock_t:file manage_file_perms;
-files_lock_filetrans(apmd_t, apmd_lock_t, file)
-
-allow apmd_t apmd_log_t:file manage_file_perms;
-logging_log_filetrans(apmd_t, apmd_log_t, file)
-
-manage_dirs_pattern(apmd_t, apmd_tmp_t, apmd_tmp_t)
-manage_files_pattern(apmd_t, apmd_tmp_t, apmd_tmp_t)
-files_tmp_filetrans(apmd_t, apmd_tmp_t, { file dir })
-
-manage_dirs_pattern(apmd_t, apmd_var_lib_t, apmd_var_lib_t)
-manage_files_pattern(apmd_t, apmd_var_lib_t, apmd_var_lib_t)
-files_var_lib_filetrans(apmd_t, apmd_var_lib_t, dir)
-
-manage_files_pattern(apmd_t, apmd_var_run_t, apmd_var_run_t)
-manage_sock_files_pattern(apmd_t, apmd_var_run_t, apmd_var_run_t)
-files_pid_filetrans(apmd_t, apmd_var_run_t, { file sock_file })
-
-can_exec(apmd_t, apmd_var_run_t)
-
-kernel_read_kernel_sysctls(apmd_t)
-kernel_rw_all_sysctls(apmd_t)
-kernel_read_system_state(apmd_t)
-kernel_write_proc_files(apmd_t)
-kernel_request_load_module(apmd_t)
-
-dev_read_input(apmd_t)
-dev_read_mouse(apmd_t)
-dev_read_realtime_clock(apmd_t)
-dev_read_urand(apmd_t)
-dev_rw_apm_bios(apmd_t)
-dev_rw_sysfs(apmd_t)
-dev_dontaudit_getattr_all_chr_files(apmd_t)
-dev_dontaudit_getattr_all_blk_files(apmd_t)
-
-files_exec_etc_files(apmd_t)
-files_read_etc_runtime_files(apmd_t)
-files_dontaudit_getattr_all_files(apmd_t)
-files_dontaudit_getattr_all_symlinks(apmd_t)
-files_dontaudit_getattr_all_pipes(apmd_t)
-files_dontaudit_getattr_all_sockets(apmd_t)
-
-fs_dontaudit_list_tmpfs(apmd_t)
-fs_getattr_all_fs(apmd_t)
-fs_search_auto_mountpoints(apmd_t)
-fs_dontaudit_getattr_all_files(apmd_t)
-fs_dontaudit_getattr_all_symlinks(apmd_t)
-fs_dontaudit_getattr_all_pipes(apmd_t)
-fs_dontaudit_getattr_all_sockets(apmd_t)
-
-selinux_search_fs(apmd_t)
-
-corecmd_exec_all_executables(apmd_t)
-
-domain_read_all_domains_state(apmd_t)
-domain_dontaudit_ptrace_all_domains(apmd_t)
-domain_use_interactive_fds(apmd_t)
-domain_dontaudit_getattr_all_sockets(apmd_t)
-domain_dontaudit_getattr_all_key_sockets(apmd_t)
-domain_dontaudit_list_all_domains_state(apmd_t)
-
-auth_use_nsswitch(apmd_t)
-
-init_domtrans_script(apmd_t)
-
-libs_exec_ld_so(apmd_t)
-libs_exec_lib_files(apmd_t)
-
-logging_send_audit_msgs(apmd_t)
-logging_send_syslog_msg(apmd_t)
-
-miscfiles_read_localization(apmd_t)
-miscfiles_read_hwdata(apmd_t)
-
-modutils_domtrans(apmd_t)
-modutils_read_module_config(apmd_t)
-
-seutil_dontaudit_read_config(apmd_t)
-
-userdom_dontaudit_use_unpriv_user_fds(apmd_t)
-userdom_dontaudit_search_user_home_dirs(apmd_t)
-userdom_dontaudit_search_user_home_content(apmd_t)
-
-optional_policy(`
- automount_domtrans(apmd_t)
-')
-
-optional_policy(`
- clock_domtrans(apmd_t)
- clock_rw_adjtime(apmd_t)
-')
-
-optional_policy(`
- cron_system_entry(apmd_t, apmd_exec_t)
- cron_anacron_domtrans_system_job(apmd_t)
-')
-
-optional_policy(`
- devicekit_manage_pid_files(apmd_t)
- devicekit_manage_log_files(apmd_t)
- devicekit_relabel_log_files(apmd_t)
-')
-
-optional_policy(`
- dbus_system_bus_client(apmd_t)
-
- optional_policy(`
- consolekit_dbus_chat(apmd_t)
- ')
-
- optional_policy(`
- networkmanager_dbus_chat(apmd_t)
- ')
-')
-
-optional_policy(`
- fstools_domtrans(apmd_t)
-')
-
-optional_policy(`
- iptables_domtrans(apmd_t)
-')
-
-optional_policy(`
- logrotate_use_fds(apmd_t)
-')
-
-optional_policy(`
- mta_send_mail(apmd_t)
-')
-
-optional_policy(`
- netutils_domtrans(apmd_t)
-')
-
-optional_policy(`
- pcmcia_domtrans_cardmgr(apmd_t)
- pcmcia_domtrans_cardctl(apmd_t)
-')
-
-optional_policy(`
- seutil_sigchld_newrole(apmd_t)
-')
-
-optional_policy(`
- shutdown_domtrans(apmd_t)
-')
-
-optional_policy(`
- sysnet_domtrans_ifconfig(apmd_t)
-')
-
-optional_policy(`
- udev_read_db(apmd_t)
- udev_read_state(apmd_t)
-')
-
-optional_policy(`
- vbetool_domtrans(apmd_t)
-')
-
-optional_policy(`
- xserver_domtrans(apmd_t)
-')
diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te
index 8fdd713f..3a6c0b92 100644
--- a/policy/modules/contrib/cups.te
+++ b/policy/modules/contrib/cups.te
@@ -273,7 +273,7 @@ userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
userdom_dontaudit_search_user_home_content(cupsd_t)
optional_policy(`
- apm_domtrans_client(cupsd_t)
+ acpi_domtrans_client(cupsd_t)
')
optional_policy(`
diff --git a/policy/modules/contrib/hal.te b/policy/modules/contrib/hal.te
index d260d697..29b473e7 100644
--- a/policy/modules/contrib/hal.te
+++ b/policy/modules/contrib/hal.te
@@ -221,7 +221,7 @@ optional_policy(`
')
optional_policy(`
- apm_stream_connect(hald_t)
+ acpi_stream_connect(hald_t)
')
optional_policy(`
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2017-04-30 9:40 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
@ 2017-04-30 9:32 ` Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-04-30 9:32 UTC (permalink / raw
To: gentoo-commits
commit: a8cb4e80579cdaa70d22c79eab1c8fe6e89cd2b7
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Apr 26 10:35:47 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 09:21:11 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a8cb4e80
Rename apm to acpi from Russell Coker.
This patch is slightly more involved than just running sed. It also adds
typealias rules and doesn't change the FC entries.
The /dev/apm_bios device doesn't exist on modern systems. I have left that
policy in for the moment on the principle of making one change per patch. But
I might send another patch to remove that as it won't exist with modern
kernels.
policy/modules/contrib/acpi.fc | 21 +++
policy/modules/contrib/{apm.if => acpi.if} | 70 ++++----
policy/modules/contrib/acpi.te | 247 +++++++++++++++++++++++++++++
policy/modules/contrib/apm.fc | 21 ---
policy/modules/contrib/apm.te | 236 ---------------------------
policy/modules/contrib/cups.te | 2 +-
policy/modules/contrib/hal.te | 2 +-
7 files changed, 305 insertions(+), 294 deletions(-)
diff --git a/policy/modules/contrib/acpi.fc b/policy/modules/contrib/acpi.fc
new file mode 100644
index 00000000..bfbe255b
--- /dev/null
+++ b/policy/modules/contrib/acpi.fc
@@ -0,0 +1,21 @@
+/etc/rc\.d/init\.d/acpid -- gen_context(system_u:object_r:acpid_initrc_exec_t,s0)
+
+/usr/bin/apm -- gen_context(system_u:object_r:acpi_exec_t,s0)
+
+/usr/lib/systemd/system/apmd.*\.service -- gen_context(system_u:object_r:acpid_unit_t,s0)
+
+/usr/sbin/acpid -- gen_context(system_u:object_r:acpid_exec_t,s0)
+/usr/sbin/apmd -- gen_context(system_u:object_r:acpid_exec_t,s0)
+/usr/sbin/powersaved -- gen_context(system_u:object_r:acpid_exec_t,s0)
+
+/var/lock/subsys/acpid -- gen_context(system_u:object_r:acpid_lock_t,s0)
+
+/var/log/acpid.* -- gen_context(system_u:object_r:acpid_log_t,s0)
+
+/run/\.?acpid\.socket -s gen_context(system_u:object_r:acpid_var_run_t,s0)
+/run/acpid\.pid -- gen_context(system_u:object_r:acpid_var_run_t,s0)
+/run/apmd\.pid -- gen_context(system_u:object_r:acpid_var_run_t,s0)
+/run/powersaved\.pid -- gen_context(system_u:object_r:acpid_var_run_t,s0)
+/run/powersave_socket -s gen_context(system_u:object_r:acpid_var_run_t,s0)
+
+/var/lib/acpi(/.*)? gen_context(system_u:object_r:acpid_var_lib_t,s0)
diff --git a/policy/modules/contrib/apm.if b/policy/modules/contrib/acpi.if
similarity index 65%
rename from policy/modules/contrib/apm.if
rename to policy/modules/contrib/acpi.if
index cbf60b55..109b644e 100644
--- a/policy/modules/contrib/apm.if
+++ b/policy/modules/contrib/acpi.if
@@ -10,13 +10,13 @@
## </summary>
## </param>
#
-interface(`apm_domtrans_client',`
+interface(`acpi_domtrans_client',`
gen_require(`
- type apm_t, apm_exec_t;
+ type acpi_t, acpi_exec_t;
')
corecmd_search_bin($1)
- domtrans_pattern($1, apm_exec_t, apm_t)
+ domtrans_pattern($1, acpi_exec_t, acpi_t)
')
########################################
@@ -36,13 +36,13 @@ interface(`apm_domtrans_client',`
## </summary>
## </param>
#
-interface(`apm_run_client',`
+interface(`acpi_run_client',`
gen_require(`
- attribute_role apm_roles;
+ attribute_role acpi_roles;
')
- apm_domtrans_client($1)
- roleattribute $2 apm_roles;
+ acpi_domtrans_client($1)
+ roleattribute $2 acpi_roles;
')
########################################
@@ -55,12 +55,12 @@ interface(`apm_run_client',`
## </summary>
## </param>
#
-interface(`apm_use_fds',`
+interface(`acpi_use_fds',`
gen_require(`
- type apmd_t;
+ type acpid_t;
')
- allow $1 apmd_t:fd use;
+ allow $1 acpid_t:fd use;
')
########################################
@@ -73,12 +73,12 @@ interface(`apm_use_fds',`
## </summary>
## </param>
#
-interface(`apm_write_pipes',`
+interface(`acpi_write_pipes',`
gen_require(`
- type apmd_t;
+ type acpid_t;
')
- allow $1 apmd_t:fifo_file write;
+ allow $1 acpid_t:fifo_file write;
')
########################################
@@ -92,12 +92,12 @@ interface(`apm_write_pipes',`
## </summary>
## </param>
#
-interface(`apm_rw_stream_sockets',`
+interface(`acpi_rw_stream_sockets',`
gen_require(`
- type apmd_t;
+ type acpid_t;
')
- allow $1 apmd_t:unix_stream_socket { read write };
+ allow $1 acpid_t:unix_stream_socket { read write };
')
########################################
@@ -110,13 +110,13 @@ interface(`apm_rw_stream_sockets',`
## </summary>
## </param>
#
-interface(`apm_append_log',`
+interface(`acpi_append_log',`
gen_require(`
- type apmd_log_t;
+ type acpid_log_t;
')
logging_search_logs($1)
- allow $1 apmd_log_t:file append_file_perms;
+ allow $1 acpid_log_t:file append_file_perms;
')
########################################
@@ -130,13 +130,13 @@ interface(`apm_append_log',`
## </summary>
## </param>
#
-interface(`apm_stream_connect',`
+interface(`acpi_stream_connect',`
gen_require(`
- type apmd_t, apmd_var_run_t;
+ type acpid_t, acpid_var_run_t;
')
files_search_pids($1)
- stream_connect_pattern($1, apmd_var_run_t, apmd_var_run_t, apmd_t)
+ stream_connect_pattern($1, acpid_var_run_t, acpid_var_run_t, acpid_t)
')
########################################
@@ -156,32 +156,32 @@ interface(`apm_stream_connect',`
## </param>
## <rolecap/>
#
-interface(`apm_admin',`
+interface(`acpi_admin',`
gen_require(`
- type apmd_t, apmd_initrc_exec_t, apmd_log_t;
- type apmd_lock_t, apmd_var_run_t, apmd_var_lib_t;
- type apmd_tmp_t;
+ type acpid_t, acpid_initrc_exec_t, acpid_log_t;
+ type acpid_lock_t, acpid_var_run_t, acpid_var_lib_t;
+ type acpid_tmp_t;
')
- allow $1 apmd_t:process { ptrace signal_perms };
- ps_process_pattern($1, apmd_t)
+ allow $1 acpid_t:process { ptrace signal_perms };
+ ps_process_pattern($1, acpid_t)
- init_startstop_service($1, $2, apmd_t, apmd_initrc_exec_t)
+ init_startstop_service($1, $2, acpid_t, acpid_initrc_exec_t)
logging_search_logs($1)
- admin_pattern($1, apmd_log_t)
+ admin_pattern($1, acpid_log_t)
files_search_locks($1)
- admin_pattern($1, apmd_lock_t)
+ admin_pattern($1, acpid_lock_t)
files_search_pids($1)
- admin_pattern($1, apmd_var_run_t)
+ admin_pattern($1, acpid_var_run_t)
files_search_var_lib($1)
- admin_pattern($1, apmd_var_lib_t)
+ admin_pattern($1, acpid_var_lib_t)
files_search_tmp($1)
- admin_pattern($1, apmd_tmp_t)
+ admin_pattern($1, acpid_tmp_t)
- apm_run_client($1, $2)
+ acpi_run_client($1, $2)
')
diff --git a/policy/modules/contrib/acpi.te b/policy/modules/contrib/acpi.te
new file mode 100644
index 00000000..0cd3d884
--- /dev/null
+++ b/policy/modules/contrib/acpi.te
@@ -0,0 +1,247 @@
+policy_module(acpi, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role acpi_roles;
+roleattribute system_r acpi_roles;
+
+type acpid_t;
+type acpid_exec_t;
+typealias acpid_t alias apmd_t;
+typealias acpid_exec_t alias apmd_exec_t;
+init_daemon_domain(acpid_t, acpid_exec_t)
+
+type acpid_initrc_exec_t;
+typealias acpid_initrc_exec_t alias apmd_initrc_exec_t;
+init_script_file(acpid_initrc_exec_t)
+
+type acpi_t;
+type acpi_exec_t;
+typealias acpi_t alias apm_t;
+typealias acpi_exec_t alias apm_exec_t;
+application_domain(acpi_t, acpi_exec_t)
+role acpi_roles types acpi_t;
+
+type acpid_lock_t;
+typealias acpid_lock_t alias apmd_lock_t;
+files_lock_file(acpid_lock_t)
+
+type acpid_log_t;
+typealias acpid_log_t alias apmd_log_t;
+logging_log_file(acpid_log_t)
+
+type acpid_tmp_t;
+typealias acpid_tmp_t alias apmd_tmp_t;
+files_tmp_file(acpid_tmp_t)
+
+type acpid_unit_t;
+typealias acpid_unit_t alias apmd_unit_t;
+init_unit_file(acpid_unit_t)
+
+type acpid_var_lib_t;
+typealias acpid_var_lib_t alias apmd_var_lib_t;
+files_type(acpid_var_lib_t)
+
+type acpid_var_run_t;
+typealias acpid_var_run_t alias apmd_var_run_t;
+files_pid_file(acpid_var_run_t)
+
+########################################
+#
+# Client local policy
+#
+
+allow acpi_t self:capability { dac_override sys_admin };
+
+kernel_read_system_state(acpi_t)
+
+dev_rw_acpi_bios(acpi_t)
+
+fs_getattr_xattr_fs(acpi_t)
+
+term_use_all_terms(acpi_t)
+
+domain_use_interactive_fds(acpi_t)
+
+logging_send_syslog_msg(acpi_t)
+
+########################################
+#
+# Server local policy
+#
+
+allow acpid_t self:capability { kill mknod sys_admin sys_nice sys_time };
+dontaudit acpid_t self:capability { dac_override dac_read_search setuid sys_ptrace sys_tty_config };
+allow acpid_t self:process { signal_perms getsession };
+allow acpid_t self:fifo_file rw_fifo_file_perms;
+allow acpid_t self:netlink_socket create_socket_perms;
+allow acpid_t self:netlink_generic_socket create_socket_perms;
+allow acpid_t self:unix_stream_socket { accept listen };
+
+allow acpid_t acpid_lock_t:file manage_file_perms;
+files_lock_filetrans(acpid_t, acpid_lock_t, file)
+
+allow acpid_t acpid_log_t:file manage_file_perms;
+logging_log_filetrans(acpid_t, acpid_log_t, file)
+
+manage_dirs_pattern(acpid_t, acpid_tmp_t, acpid_tmp_t)
+manage_files_pattern(acpid_t, acpid_tmp_t, acpid_tmp_t)
+files_tmp_filetrans(acpid_t, acpid_tmp_t, { file dir })
+
+manage_dirs_pattern(acpid_t, acpid_var_lib_t, acpid_var_lib_t)
+manage_files_pattern(acpid_t, acpid_var_lib_t, acpid_var_lib_t)
+files_var_lib_filetrans(acpid_t, acpid_var_lib_t, dir)
+
+manage_files_pattern(acpid_t, acpid_var_run_t, acpid_var_run_t)
+manage_sock_files_pattern(acpid_t, acpid_var_run_t, acpid_var_run_t)
+files_pid_filetrans(acpid_t, acpid_var_run_t, { file sock_file })
+
+can_exec(acpid_t, acpid_var_run_t)
+
+kernel_read_kernel_sysctls(acpid_t)
+kernel_rw_all_sysctls(acpid_t)
+kernel_read_system_state(acpid_t)
+kernel_write_proc_files(acpid_t)
+kernel_request_load_module(acpid_t)
+
+dev_read_input(acpid_t)
+dev_read_mouse(acpid_t)
+dev_read_realtime_clock(acpid_t)
+dev_read_urand(acpid_t)
+dev_rw_acpi_bios(acpid_t)
+dev_rw_sysfs(acpid_t)
+dev_dontaudit_getattr_all_chr_files(acpid_t)
+dev_dontaudit_getattr_all_blk_files(acpid_t)
+
+files_exec_etc_files(acpid_t)
+files_read_etc_runtime_files(acpid_t)
+files_dontaudit_getattr_all_files(acpid_t)
+files_dontaudit_getattr_all_symlinks(acpid_t)
+files_dontaudit_getattr_all_pipes(acpid_t)
+files_dontaudit_getattr_all_sockets(acpid_t)
+
+fs_dontaudit_list_tmpfs(acpid_t)
+fs_getattr_all_fs(acpid_t)
+fs_search_auto_mountpoints(acpid_t)
+fs_dontaudit_getattr_all_files(acpid_t)
+fs_dontaudit_getattr_all_symlinks(acpid_t)
+fs_dontaudit_getattr_all_pipes(acpid_t)
+fs_dontaudit_getattr_all_sockets(acpid_t)
+
+selinux_search_fs(acpid_t)
+
+corecmd_exec_all_executables(acpid_t)
+
+domain_read_all_domains_state(acpid_t)
+domain_dontaudit_ptrace_all_domains(acpid_t)
+domain_use_interactive_fds(acpid_t)
+domain_dontaudit_getattr_all_sockets(acpid_t)
+domain_dontaudit_getattr_all_key_sockets(acpid_t)
+domain_dontaudit_list_all_domains_state(acpid_t)
+
+auth_use_nsswitch(acpid_t)
+
+init_domtrans_script(acpid_t)
+
+libs_exec_ld_so(acpid_t)
+libs_exec_lib_files(acpid_t)
+
+logging_send_audit_msgs(acpid_t)
+logging_send_syslog_msg(acpid_t)
+
+miscfiles_read_localization(acpid_t)
+miscfiles_read_hwdata(acpid_t)
+
+modutils_domtrans(acpid_t)
+modutils_read_module_config(acpid_t)
+
+seutil_dontaudit_read_config(acpid_t)
+
+userdom_dontaudit_use_unpriv_user_fds(acpid_t)
+userdom_dontaudit_search_user_home_dirs(acpid_t)
+userdom_dontaudit_search_user_home_content(acpid_t)
+
+optional_policy(`
+ automount_domtrans(acpid_t)
+')
+
+optional_policy(`
+ clock_domtrans(acpid_t)
+ clock_rw_adjtime(acpid_t)
+')
+
+optional_policy(`
+ cron_system_entry(acpid_t, acpid_exec_t)
+ cron_anacron_domtrans_system_job(acpid_t)
+')
+
+optional_policy(`
+ devicekit_manage_pid_files(acpid_t)
+ devicekit_manage_log_files(acpid_t)
+ devicekit_relabel_log_files(acpid_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(acpid_t)
+
+ optional_policy(`
+ consolekit_dbus_chat(acpid_t)
+ ')
+
+ optional_policy(`
+ networkmanager_dbus_chat(acpid_t)
+ ')
+')
+
+optional_policy(`
+ fstools_domtrans(acpid_t)
+')
+
+optional_policy(`
+ iptables_domtrans(acpid_t)
+')
+
+optional_policy(`
+ logrotate_use_fds(acpid_t)
+')
+
+optional_policy(`
+ mta_send_mail(acpid_t)
+')
+
+optional_policy(`
+ netutils_domtrans(acpid_t)
+')
+
+optional_policy(`
+ pcmcia_domtrans_cardmgr(acpid_t)
+ pcmcia_domtrans_cardctl(acpid_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(acpid_t)
+')
+
+optional_policy(`
+ shutdown_domtrans(acpid_t)
+')
+
+optional_policy(`
+ sysnet_domtrans_ifconfig(acpid_t)
+')
+
+optional_policy(`
+ udev_read_db(acpid_t)
+ udev_read_state(acpid_t)
+')
+
+optional_policy(`
+ vbetool_domtrans(acpid_t)
+')
+
+optional_policy(`
+ xserver_domtrans(acpid_t)
+')
diff --git a/policy/modules/contrib/apm.fc b/policy/modules/contrib/apm.fc
deleted file mode 100644
index bfa60ae0..00000000
--- a/policy/modules/contrib/apm.fc
+++ /dev/null
@@ -1,21 +0,0 @@
-/etc/rc\.d/init\.d/acpid -- gen_context(system_u:object_r:apmd_initrc_exec_t,s0)
-
-/usr/bin/apm -- gen_context(system_u:object_r:apm_exec_t,s0)
-
-/usr/lib/systemd/system/apmd.*\.service -- gen_context(system_u:object_r:apmd_unit_t,s0)
-
-/usr/sbin/acpid -- gen_context(system_u:object_r:apmd_exec_t,s0)
-/usr/sbin/apmd -- gen_context(system_u:object_r:apmd_exec_t,s0)
-/usr/sbin/powersaved -- gen_context(system_u:object_r:apmd_exec_t,s0)
-
-/var/lock/subsys/acpid -- gen_context(system_u:object_r:apmd_lock_t,s0)
-
-/var/log/acpid.* -- gen_context(system_u:object_r:apmd_log_t,s0)
-
-/run/\.?acpid\.socket -s gen_context(system_u:object_r:apmd_var_run_t,s0)
-/run/acpid\.pid -- gen_context(system_u:object_r:apmd_var_run_t,s0)
-/run/apmd\.pid -- gen_context(system_u:object_r:apmd_var_run_t,s0)
-/run/powersaved\.pid -- gen_context(system_u:object_r:apmd_var_run_t,s0)
-/run/powersave_socket -s gen_context(system_u:object_r:apmd_var_run_t,s0)
-
-/var/lib/acpi(/.*)? gen_context(system_u:object_r:apmd_var_lib_t,s0)
diff --git a/policy/modules/contrib/apm.te b/policy/modules/contrib/apm.te
deleted file mode 100644
index 7f41a450..00000000
--- a/policy/modules/contrib/apm.te
+++ /dev/null
@@ -1,236 +0,0 @@
-policy_module(apm, 1.16.1)
-
-########################################
-#
-# Declarations
-#
-
-attribute_role apm_roles;
-roleattribute system_r apm_roles;
-
-type apmd_t;
-type apmd_exec_t;
-init_daemon_domain(apmd_t, apmd_exec_t)
-
-type apmd_initrc_exec_t;
-init_script_file(apmd_initrc_exec_t)
-
-type apm_t;
-type apm_exec_t;
-application_domain(apm_t, apm_exec_t)
-role apm_roles types apm_t;
-
-type apmd_lock_t;
-files_lock_file(apmd_lock_t)
-
-type apmd_log_t;
-logging_log_file(apmd_log_t)
-
-type apmd_tmp_t;
-files_tmp_file(apmd_tmp_t)
-
-type apmd_unit_t;
-init_unit_file(apmd_unit_t)
-
-type apmd_var_lib_t;
-files_type(apmd_var_lib_t)
-
-type apmd_var_run_t;
-files_pid_file(apmd_var_run_t)
-
-########################################
-#
-# Client local policy
-#
-
-allow apm_t self:capability { dac_override sys_admin };
-
-kernel_read_system_state(apm_t)
-
-dev_rw_apm_bios(apm_t)
-
-fs_getattr_xattr_fs(apm_t)
-
-term_use_all_terms(apm_t)
-
-domain_use_interactive_fds(apm_t)
-
-logging_send_syslog_msg(apm_t)
-
-########################################
-#
-# Server local policy
-#
-
-allow apmd_t self:capability { kill mknod sys_admin sys_nice sys_time };
-dontaudit apmd_t self:capability { dac_override dac_read_search setuid sys_ptrace sys_tty_config };
-allow apmd_t self:process { signal_perms getsession };
-allow apmd_t self:fifo_file rw_fifo_file_perms;
-allow apmd_t self:netlink_socket create_socket_perms;
-allow apmd_t self:netlink_generic_socket create_socket_perms;
-allow apmd_t self:unix_stream_socket { accept listen };
-
-allow apmd_t apmd_lock_t:file manage_file_perms;
-files_lock_filetrans(apmd_t, apmd_lock_t, file)
-
-allow apmd_t apmd_log_t:file manage_file_perms;
-logging_log_filetrans(apmd_t, apmd_log_t, file)
-
-manage_dirs_pattern(apmd_t, apmd_tmp_t, apmd_tmp_t)
-manage_files_pattern(apmd_t, apmd_tmp_t, apmd_tmp_t)
-files_tmp_filetrans(apmd_t, apmd_tmp_t, { file dir })
-
-manage_dirs_pattern(apmd_t, apmd_var_lib_t, apmd_var_lib_t)
-manage_files_pattern(apmd_t, apmd_var_lib_t, apmd_var_lib_t)
-files_var_lib_filetrans(apmd_t, apmd_var_lib_t, dir)
-
-manage_files_pattern(apmd_t, apmd_var_run_t, apmd_var_run_t)
-manage_sock_files_pattern(apmd_t, apmd_var_run_t, apmd_var_run_t)
-files_pid_filetrans(apmd_t, apmd_var_run_t, { file sock_file })
-
-can_exec(apmd_t, apmd_var_run_t)
-
-kernel_read_kernel_sysctls(apmd_t)
-kernel_rw_all_sysctls(apmd_t)
-kernel_read_system_state(apmd_t)
-kernel_write_proc_files(apmd_t)
-kernel_request_load_module(apmd_t)
-
-dev_read_input(apmd_t)
-dev_read_mouse(apmd_t)
-dev_read_realtime_clock(apmd_t)
-dev_read_urand(apmd_t)
-dev_rw_apm_bios(apmd_t)
-dev_rw_sysfs(apmd_t)
-dev_dontaudit_getattr_all_chr_files(apmd_t)
-dev_dontaudit_getattr_all_blk_files(apmd_t)
-
-files_exec_etc_files(apmd_t)
-files_read_etc_runtime_files(apmd_t)
-files_dontaudit_getattr_all_files(apmd_t)
-files_dontaudit_getattr_all_symlinks(apmd_t)
-files_dontaudit_getattr_all_pipes(apmd_t)
-files_dontaudit_getattr_all_sockets(apmd_t)
-
-fs_dontaudit_list_tmpfs(apmd_t)
-fs_getattr_all_fs(apmd_t)
-fs_search_auto_mountpoints(apmd_t)
-fs_dontaudit_getattr_all_files(apmd_t)
-fs_dontaudit_getattr_all_symlinks(apmd_t)
-fs_dontaudit_getattr_all_pipes(apmd_t)
-fs_dontaudit_getattr_all_sockets(apmd_t)
-
-selinux_search_fs(apmd_t)
-
-corecmd_exec_all_executables(apmd_t)
-
-domain_read_all_domains_state(apmd_t)
-domain_dontaudit_ptrace_all_domains(apmd_t)
-domain_use_interactive_fds(apmd_t)
-domain_dontaudit_getattr_all_sockets(apmd_t)
-domain_dontaudit_getattr_all_key_sockets(apmd_t)
-domain_dontaudit_list_all_domains_state(apmd_t)
-
-auth_use_nsswitch(apmd_t)
-
-init_domtrans_script(apmd_t)
-
-libs_exec_ld_so(apmd_t)
-libs_exec_lib_files(apmd_t)
-
-logging_send_audit_msgs(apmd_t)
-logging_send_syslog_msg(apmd_t)
-
-miscfiles_read_localization(apmd_t)
-miscfiles_read_hwdata(apmd_t)
-
-modutils_domtrans(apmd_t)
-modutils_read_module_config(apmd_t)
-
-seutil_dontaudit_read_config(apmd_t)
-
-userdom_dontaudit_use_unpriv_user_fds(apmd_t)
-userdom_dontaudit_search_user_home_dirs(apmd_t)
-userdom_dontaudit_search_user_home_content(apmd_t)
-
-optional_policy(`
- automount_domtrans(apmd_t)
-')
-
-optional_policy(`
- clock_domtrans(apmd_t)
- clock_rw_adjtime(apmd_t)
-')
-
-optional_policy(`
- cron_system_entry(apmd_t, apmd_exec_t)
- cron_anacron_domtrans_system_job(apmd_t)
-')
-
-optional_policy(`
- devicekit_manage_pid_files(apmd_t)
- devicekit_manage_log_files(apmd_t)
- devicekit_relabel_log_files(apmd_t)
-')
-
-optional_policy(`
- dbus_system_bus_client(apmd_t)
-
- optional_policy(`
- consolekit_dbus_chat(apmd_t)
- ')
-
- optional_policy(`
- networkmanager_dbus_chat(apmd_t)
- ')
-')
-
-optional_policy(`
- fstools_domtrans(apmd_t)
-')
-
-optional_policy(`
- iptables_domtrans(apmd_t)
-')
-
-optional_policy(`
- logrotate_use_fds(apmd_t)
-')
-
-optional_policy(`
- mta_send_mail(apmd_t)
-')
-
-optional_policy(`
- netutils_domtrans(apmd_t)
-')
-
-optional_policy(`
- pcmcia_domtrans_cardmgr(apmd_t)
- pcmcia_domtrans_cardctl(apmd_t)
-')
-
-optional_policy(`
- seutil_sigchld_newrole(apmd_t)
-')
-
-optional_policy(`
- shutdown_domtrans(apmd_t)
-')
-
-optional_policy(`
- sysnet_domtrans_ifconfig(apmd_t)
-')
-
-optional_policy(`
- udev_read_db(apmd_t)
- udev_read_state(apmd_t)
-')
-
-optional_policy(`
- vbetool_domtrans(apmd_t)
-')
-
-optional_policy(`
- xserver_domtrans(apmd_t)
-')
diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te
index 8fdd713f..3a6c0b92 100644
--- a/policy/modules/contrib/cups.te
+++ b/policy/modules/contrib/cups.te
@@ -273,7 +273,7 @@ userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
userdom_dontaudit_search_user_home_content(cupsd_t)
optional_policy(`
- apm_domtrans_client(cupsd_t)
+ acpi_domtrans_client(cupsd_t)
')
optional_policy(`
diff --git a/policy/modules/contrib/hal.te b/policy/modules/contrib/hal.te
index d260d697..29b473e7 100644
--- a/policy/modules/contrib/hal.te
+++ b/policy/modules/contrib/hal.te
@@ -221,7 +221,7 @@ optional_policy(`
')
optional_policy(`
- apm_stream_connect(hald_t)
+ acpi_stream_connect(hald_t)
')
optional_policy(`
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-04-30 9:40 Jason Zaman
2017-04-30 9:32 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2017-04-30 9:40 UTC (permalink / raw
To: gentoo-commits
commit: 99a1aee5df78c8da42caa7bf1df6bc8110898f81
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Fri Apr 21 00:19:13 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 09:16:47 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=99a1aee5
apache: Move blocks. No rule changes.
policy/modules/contrib/apache.te | 58 +++++++++++++++++++---------------------
1 file changed, 28 insertions(+), 30 deletions(-)
diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index ce6479e8..9593175b 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -745,14 +745,6 @@ tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
fs_exec_fusefs_files(httpd_t)
')
-optional_policy(`
- tunable_policy(`httpd_use_nfs',`
- fs_list_auto_mountpoints(httpd_t)
- rpc_manage_nfs_rw_content(httpd_t)
- rpc_read_nfs_content(httpd_t)
- ')
-')
-
tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
fs_exec_nfs_files(httpd_t)
')
@@ -877,6 +869,12 @@ optional_policy(`
optional_policy(`
rpc_search_nfs_state_data(httpd_t)
+
+ tunable_policy(`httpd_use_nfs',`
+ fs_list_auto_mountpoints(httpd_t)
+ rpc_manage_nfs_rw_content(httpd_t)
+ rpc_read_nfs_content(httpd_t)
+ ')
')
optional_policy(`
@@ -1016,6 +1014,10 @@ tunable_policy(`httpd_enable_cgi && httpd_unified',`
domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
')
+tunable_policy(`httpd_enable_homedirs',`
+ userdom_search_user_home_dirs(httpd_suexec_t)
+')
+
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_list_auto_mountpoints(httpd_suexec_t)
fs_read_cifs_files(httpd_suexec_t)
@@ -1040,6 +1042,10 @@ tunable_policy(`httpd_execmem',`
allow httpd_suexec_t self:process { execmem execstack };
')
+tunable_policy(`httpd_read_user_content',`
+ userdom_read_user_home_content_files(httpd_suexec_t)
+')
+
tunable_policy(`httpd_tmp_exec',`
can_exec(httpd_suexec_t, httpd_suexec_tmp_t)
')
@@ -1072,14 +1078,6 @@ tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
fs_exec_fusefs_files(httpd_suexec_t)
')
-optional_policy(`
- tunable_policy(`httpd_use_nfs',`
- fs_list_auto_mountpoints(httpd_suexec_t)
- rpc_manage_nfs_rw_content(httpd_t)
- rpc_read_nfs_content(httpd_t)
- ')
-')
-
tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
fs_exec_nfs_files(httpd_suexec_t)
')
@@ -1106,12 +1104,12 @@ optional_policy(`
')
')
-tunable_policy(`httpd_read_user_content',`
- userdom_read_user_home_content_files(httpd_suexec_t)
-')
-
-tunable_policy(`httpd_enable_homedirs',`
- userdom_search_user_home_dirs(httpd_suexec_t)
+optional_policy(`
+ tunable_policy(`httpd_use_nfs',`
+ fs_list_auto_mountpoints(httpd_suexec_t)
+ rpc_manage_nfs_rw_content(httpd_t)
+ rpc_read_nfs_content(httpd_t)
+ ')
')
########################################
@@ -1311,14 +1309,6 @@ tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
fs_exec_fusefs_files(httpd_sys_script_t)
')
-optional_policy(`
- tunable_policy(`httpd_use_nfs',`
- fs_list_auto_mountpoints(httpd_sys_script_t)
- rpc_manage_nfs_rw_content(httpd_t)
- rpc_read_nfs_content(httpd_t)
- ')
-')
-
tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
fs_exec_nfs_files(httpd_sys_script_t)
')
@@ -1331,6 +1321,14 @@ optional_policy(`
postgresql_unpriv_client(httpd_sys_script_t)
')
+optional_policy(`
+ tunable_policy(`httpd_use_nfs',`
+ fs_list_auto_mountpoints(httpd_sys_script_t)
+ rpc_manage_nfs_rw_content(httpd_t)
+ rpc_read_nfs_content(httpd_t)
+ ')
+')
+
########################################
#
# Rotatelogs local policy
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2017-04-30 9:40 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
@ 2017-04-30 9:32 ` Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-04-30 9:32 UTC (permalink / raw
To: gentoo-commits
commit: 99a1aee5df78c8da42caa7bf1df6bc8110898f81
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Fri Apr 21 00:19:13 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 09:16:47 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=99a1aee5
apache: Move blocks. No rule changes.
policy/modules/contrib/apache.te | 58 +++++++++++++++++++---------------------
1 file changed, 28 insertions(+), 30 deletions(-)
diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index ce6479e8..9593175b 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -745,14 +745,6 @@ tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
fs_exec_fusefs_files(httpd_t)
')
-optional_policy(`
- tunable_policy(`httpd_use_nfs',`
- fs_list_auto_mountpoints(httpd_t)
- rpc_manage_nfs_rw_content(httpd_t)
- rpc_read_nfs_content(httpd_t)
- ')
-')
-
tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
fs_exec_nfs_files(httpd_t)
')
@@ -877,6 +869,12 @@ optional_policy(`
optional_policy(`
rpc_search_nfs_state_data(httpd_t)
+
+ tunable_policy(`httpd_use_nfs',`
+ fs_list_auto_mountpoints(httpd_t)
+ rpc_manage_nfs_rw_content(httpd_t)
+ rpc_read_nfs_content(httpd_t)
+ ')
')
optional_policy(`
@@ -1016,6 +1014,10 @@ tunable_policy(`httpd_enable_cgi && httpd_unified',`
domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
')
+tunable_policy(`httpd_enable_homedirs',`
+ userdom_search_user_home_dirs(httpd_suexec_t)
+')
+
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_list_auto_mountpoints(httpd_suexec_t)
fs_read_cifs_files(httpd_suexec_t)
@@ -1040,6 +1042,10 @@ tunable_policy(`httpd_execmem',`
allow httpd_suexec_t self:process { execmem execstack };
')
+tunable_policy(`httpd_read_user_content',`
+ userdom_read_user_home_content_files(httpd_suexec_t)
+')
+
tunable_policy(`httpd_tmp_exec',`
can_exec(httpd_suexec_t, httpd_suexec_tmp_t)
')
@@ -1072,14 +1078,6 @@ tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
fs_exec_fusefs_files(httpd_suexec_t)
')
-optional_policy(`
- tunable_policy(`httpd_use_nfs',`
- fs_list_auto_mountpoints(httpd_suexec_t)
- rpc_manage_nfs_rw_content(httpd_t)
- rpc_read_nfs_content(httpd_t)
- ')
-')
-
tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
fs_exec_nfs_files(httpd_suexec_t)
')
@@ -1106,12 +1104,12 @@ optional_policy(`
')
')
-tunable_policy(`httpd_read_user_content',`
- userdom_read_user_home_content_files(httpd_suexec_t)
-')
-
-tunable_policy(`httpd_enable_homedirs',`
- userdom_search_user_home_dirs(httpd_suexec_t)
+optional_policy(`
+ tunable_policy(`httpd_use_nfs',`
+ fs_list_auto_mountpoints(httpd_suexec_t)
+ rpc_manage_nfs_rw_content(httpd_t)
+ rpc_read_nfs_content(httpd_t)
+ ')
')
########################################
@@ -1311,14 +1309,6 @@ tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
fs_exec_fusefs_files(httpd_sys_script_t)
')
-optional_policy(`
- tunable_policy(`httpd_use_nfs',`
- fs_list_auto_mountpoints(httpd_sys_script_t)
- rpc_manage_nfs_rw_content(httpd_t)
- rpc_read_nfs_content(httpd_t)
- ')
-')
-
tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
fs_exec_nfs_files(httpd_sys_script_t)
')
@@ -1331,6 +1321,14 @@ optional_policy(`
postgresql_unpriv_client(httpd_sys_script_t)
')
+optional_policy(`
+ tunable_policy(`httpd_use_nfs',`
+ fs_list_auto_mountpoints(httpd_sys_script_t)
+ rpc_manage_nfs_rw_content(httpd_t)
+ rpc_read_nfs_content(httpd_t)
+ ')
+')
+
########################################
#
# Rotatelogs local policy
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-04-30 9:40 Jason Zaman
2017-04-30 9:32 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2017-04-30 9:40 UTC (permalink / raw
To: gentoo-commits
commit: 1dfdf221ae0952dfcba50f8380b75150f07c2d8a
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Apr 20 15:07:37 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 09:16:47 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1dfdf221
rpc_* interfaces should be wrapped by optional_policy()
The rpc module is not a core module. As such, calls towards rpc_*
interfaces should be wrapped with optional_policy().
Changes since v2:
- Wrapped other calls towards rpc_* within apache.te
Changes since v1:
- Fixed wrong quotation mark
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
policy/modules/contrib/apache.te | 30 ++++++++++++++++++------------
1 file changed, 18 insertions(+), 12 deletions(-)
diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index b418338c..ce6479e8 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -745,10 +745,12 @@ tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
fs_exec_fusefs_files(httpd_t)
')
-tunable_policy(`httpd_use_nfs',`
- fs_list_auto_mountpoints(httpd_t)
- rpc_manage_nfs_rw_content(httpd_t)
- rpc_read_nfs_content(httpd_t)
+optional_policy(`
+ tunable_policy(`httpd_use_nfs',`
+ fs_list_auto_mountpoints(httpd_t)
+ rpc_manage_nfs_rw_content(httpd_t)
+ rpc_read_nfs_content(httpd_t)
+ ')
')
tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
@@ -1070,10 +1072,12 @@ tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
fs_exec_fusefs_files(httpd_suexec_t)
')
-tunable_policy(`httpd_use_nfs',`
- fs_list_auto_mountpoints(httpd_suexec_t)
- rpc_manage_nfs_rw_content(httpd_t)
- rpc_read_nfs_content(httpd_t)
+optional_policy(`
+ tunable_policy(`httpd_use_nfs',`
+ fs_list_auto_mountpoints(httpd_suexec_t)
+ rpc_manage_nfs_rw_content(httpd_t)
+ rpc_read_nfs_content(httpd_t)
+ ')
')
tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
@@ -1307,10 +1311,12 @@ tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
fs_exec_fusefs_files(httpd_sys_script_t)
')
-tunable_policy(`httpd_use_nfs',`
- fs_list_auto_mountpoints(httpd_sys_script_t)
- rpc_manage_nfs_rw_content(httpd_t)
- rpc_read_nfs_content(httpd_t)
+optional_policy(`
+ tunable_policy(`httpd_use_nfs',`
+ fs_list_auto_mountpoints(httpd_sys_script_t)
+ rpc_manage_nfs_rw_content(httpd_t)
+ rpc_read_nfs_content(httpd_t)
+ ')
')
tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2017-04-30 9:40 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
@ 2017-04-30 9:32 ` Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-04-30 9:32 UTC (permalink / raw
To: gentoo-commits
commit: 1dfdf221ae0952dfcba50f8380b75150f07c2d8a
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Apr 20 15:07:37 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 09:16:47 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1dfdf221
rpc_* interfaces should be wrapped by optional_policy()
The rpc module is not a core module. As such, calls towards rpc_*
interfaces should be wrapped with optional_policy().
Changes since v2:
- Wrapped other calls towards rpc_* within apache.te
Changes since v1:
- Fixed wrong quotation mark
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
policy/modules/contrib/apache.te | 30 ++++++++++++++++++------------
1 file changed, 18 insertions(+), 12 deletions(-)
diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index b418338c..ce6479e8 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -745,10 +745,12 @@ tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
fs_exec_fusefs_files(httpd_t)
')
-tunable_policy(`httpd_use_nfs',`
- fs_list_auto_mountpoints(httpd_t)
- rpc_manage_nfs_rw_content(httpd_t)
- rpc_read_nfs_content(httpd_t)
+optional_policy(`
+ tunable_policy(`httpd_use_nfs',`
+ fs_list_auto_mountpoints(httpd_t)
+ rpc_manage_nfs_rw_content(httpd_t)
+ rpc_read_nfs_content(httpd_t)
+ ')
')
tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
@@ -1070,10 +1072,12 @@ tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
fs_exec_fusefs_files(httpd_suexec_t)
')
-tunable_policy(`httpd_use_nfs',`
- fs_list_auto_mountpoints(httpd_suexec_t)
- rpc_manage_nfs_rw_content(httpd_t)
- rpc_read_nfs_content(httpd_t)
+optional_policy(`
+ tunable_policy(`httpd_use_nfs',`
+ fs_list_auto_mountpoints(httpd_suexec_t)
+ rpc_manage_nfs_rw_content(httpd_t)
+ rpc_read_nfs_content(httpd_t)
+ ')
')
tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
@@ -1307,10 +1311,12 @@ tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
fs_exec_fusefs_files(httpd_sys_script_t)
')
-tunable_policy(`httpd_use_nfs',`
- fs_list_auto_mountpoints(httpd_sys_script_t)
- rpc_manage_nfs_rw_content(httpd_t)
- rpc_read_nfs_content(httpd_t)
+optional_policy(`
+ tunable_policy(`httpd_use_nfs',`
+ fs_list_auto_mountpoints(httpd_sys_script_t)
+ rpc_manage_nfs_rw_content(httpd_t)
+ rpc_read_nfs_content(httpd_t)
+ ')
')
tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-04-30 9:40 Jason Zaman
2017-04-30 9:32 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2017-04-30 9:40 UTC (permalink / raw
To: gentoo-commits
commit: 007a597180bcd449f400cb15130deca3dae61738
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Wed Apr 19 13:37:16 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 09:16:47 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=007a5971
Gnome and Evolution dbus chat permissions
This patch adds assorted permission to chat over dbus needed
for the correct functioning of Gnome and Evolution.
The second version, simply removes an extra "#" prefix from
the comments.
This third version, rebases the patch so that it applies to
the most recent git tree (thanks to Christopher PeBenito and
Russell Coker for pointing that out).
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/evolution.te | 4 ++++
policy/modules/contrib/gnome.if | 37 +++++++++++++++++++++++++++++++++++++
2 files changed, 41 insertions(+)
diff --git a/policy/modules/contrib/evolution.te b/policy/modules/contrib/evolution.te
index bd1647f2..579c21a6 100644
--- a/policy/modules/contrib/evolution.te
+++ b/policy/modules/contrib/evolution.te
@@ -345,6 +345,10 @@ tunable_policy(`use_samba_home_dirs',`
optional_policy(`
dbus_all_session_bus_client(evolution_alarm_t)
dbus_connect_all_session_bus(evolution_alarm_t)
+
+ optional_policy(`
+ evolution_dbus_chat(evolution_alarm_t)
+ ')
')
optional_policy(`
diff --git a/policy/modules/contrib/gnome.if b/policy/modules/contrib/gnome.if
index 7ea2cf40..ce436cfd 100644
--- a/policy/modules/contrib/gnome.if
+++ b/policy/modules/contrib/gnome.if
@@ -112,8 +112,17 @@ template(`gnome_role_template',`
dbus_spec_session_domain($1, $1_gkeyringd_t, gkeyringd_exec_t)
optional_policy(`
+ evolution_dbus_chat($1_gkeyringd_t)
+ ')
+
+ optional_policy(`
+ gnome_dbus_chat_gconfd($3)
gnome_dbus_chat_gkeyringd($1, $3)
')
+
+ optional_policy(`
+ wm_dbus_chat($1, $1_gkeyringd_t)
+ ')
')
ifdef(`distro_gentoo',`
@@ -690,6 +699,34 @@ interface(`gnome_read_keyring_home_files',`
########################################
## <summary>
## Send and receive messages from
+## gnome configuration daemon over
+## dbus.
+## </summary>
+## <param name="role_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_dbus_chat_gconfd',`
+ gen_require(`
+ type gconfd_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 gconfd_t:dbus send_msg;
+ allow gconfd_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
## gnome keyring daemon over dbus.
## </summary>
## <param name="role_prefix">
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2017-04-30 9:40 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
@ 2017-04-30 9:32 ` Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-04-30 9:32 UTC (permalink / raw
To: gentoo-commits
commit: 007a597180bcd449f400cb15130deca3dae61738
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Wed Apr 19 13:37:16 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 09:16:47 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=007a5971
Gnome and Evolution dbus chat permissions
This patch adds assorted permission to chat over dbus needed
for the correct functioning of Gnome and Evolution.
The second version, simply removes an extra "#" prefix from
the comments.
This third version, rebases the patch so that it applies to
the most recent git tree (thanks to Christopher PeBenito and
Russell Coker for pointing that out).
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/evolution.te | 4 ++++
policy/modules/contrib/gnome.if | 37 +++++++++++++++++++++++++++++++++++++
2 files changed, 41 insertions(+)
diff --git a/policy/modules/contrib/evolution.te b/policy/modules/contrib/evolution.te
index bd1647f2..579c21a6 100644
--- a/policy/modules/contrib/evolution.te
+++ b/policy/modules/contrib/evolution.te
@@ -345,6 +345,10 @@ tunable_policy(`use_samba_home_dirs',`
optional_policy(`
dbus_all_session_bus_client(evolution_alarm_t)
dbus_connect_all_session_bus(evolution_alarm_t)
+
+ optional_policy(`
+ evolution_dbus_chat(evolution_alarm_t)
+ ')
')
optional_policy(`
diff --git a/policy/modules/contrib/gnome.if b/policy/modules/contrib/gnome.if
index 7ea2cf40..ce436cfd 100644
--- a/policy/modules/contrib/gnome.if
+++ b/policy/modules/contrib/gnome.if
@@ -112,8 +112,17 @@ template(`gnome_role_template',`
dbus_spec_session_domain($1, $1_gkeyringd_t, gkeyringd_exec_t)
optional_policy(`
+ evolution_dbus_chat($1_gkeyringd_t)
+ ')
+
+ optional_policy(`
+ gnome_dbus_chat_gconfd($3)
gnome_dbus_chat_gkeyringd($1, $3)
')
+
+ optional_policy(`
+ wm_dbus_chat($1, $1_gkeyringd_t)
+ ')
')
ifdef(`distro_gentoo',`
@@ -690,6 +699,34 @@ interface(`gnome_read_keyring_home_files',`
########################################
## <summary>
## Send and receive messages from
+## gnome configuration daemon over
+## dbus.
+## </summary>
+## <param name="role_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_dbus_chat_gconfd',`
+ gen_require(`
+ type gconfd_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 gconfd_t:dbus send_msg;
+ allow gconfd_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
## gnome keyring daemon over dbus.
## </summary>
## <param name="role_prefix">
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-04-30 9:40 Jason Zaman
2017-04-30 9:32 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2017-04-30 9:40 UTC (permalink / raw
To: gentoo-commits
commit: 4958ff939e10105864acd95b941c9d7e3d380586
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Apr 26 10:25:59 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 09:21:11 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4958ff93
login take 4 from Russell Coker.
I have used optional sections for dbus and xserver as requested and also
fixed a minor issue of a rule not being in the correct section.
Please merge this.
policy/modules/contrib/dbus.te | 6 ++++++
policy/modules/contrib/gpg.te | 12 ++++++++++++
policy/modules/contrib/policykit.te | 5 +++++
3 files changed, 23 insertions(+)
diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index 579b2230..80ceb9de 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -149,6 +149,12 @@ ifdef(`distro_gentoo',`
')
')
+ifdef(`init_systemd', `
+ # gdm3 causes system_dbusd_t to want this access
+ dev_rw_dri(system_dbusd_t)
+ dev_rw_input_dev(system_dbusd_t)
+')
+
optional_policy(`
# for /run/systemd/users/*
systemd_read_logind_pids(system_dbusd_t)
diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index 4345bd08..c795f278 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -87,6 +87,7 @@ gpg_stream_connect_agent(gpg_t)
domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)
+kernel_read_crypto_sysctls(gpg_t)
kernel_read_sysctl(gpg_t)
# read /proc/cpuinfo
kernel_read_system_state(gpg_t)
@@ -232,6 +233,8 @@ kernel_dontaudit_search_sysctl(gpg_agent_t)
kernel_read_core_if(gpg_agent_t)
kernel_read_system_state(gpg_agent_t)
+auth_use_nsswitch(gpg_agent_t)
+
corecmd_exec_bin(gpg_agent_t)
corecmd_exec_shell(gpg_agent_t)
@@ -272,6 +275,10 @@ tunable_policy(`use_samba_home_dirs',`
')
optional_policy(`
+ dbus_system_bus_client(gpg_agent_t)
+')
+
+optional_policy(`
mozilla_dontaudit_rw_user_home_files(gpg_agent_t)
')
@@ -279,6 +286,11 @@ optional_policy(`
pcscd_stream_connect(gpg_agent_t)
')
+optional_policy(`
+ xserver_sigchld_xdm(gpg_agent_t)
+ xserver_read_user_xauth(gpg_agent_t)
+')
+
##############################
#
# Pinentry local policy
diff --git a/policy/modules/contrib/policykit.te b/policy/modules/contrib/policykit.te
index d7686081..ee6ad3da 100644
--- a/policy/modules/contrib/policykit.te
+++ b/policy/modules/contrib/policykit.te
@@ -89,6 +89,7 @@ kernel_read_kernel_sysctls(policykit_t)
kernel_read_system_state(policykit_t)
dev_read_urand(policykit_t)
+dev_read_urand(policykit_t)
domain_read_all_domains_state(policykit_t)
@@ -96,6 +97,8 @@ files_dontaudit_search_all_mountpoints(policykit_t)
fs_getattr_xattr_fs(policykit_t)
fs_list_inotifyfs(policykit_t)
+fs_getattr_tmpfs(policykit_t)
+fs_getattr_cgroup(policykit_t)
auth_use_nsswitch(policykit_t)
@@ -105,6 +108,8 @@ userdom_read_all_users_state(policykit_t)
optional_policy(`
dbus_system_domain(policykit_t, policykit_exec_t)
+ userdom_dbus_send_all_users(policykit_t)
+
optional_policy(`
consolekit_dbus_chat(policykit_t)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2017-04-30 9:40 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
@ 2017-04-30 9:32 ` Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-04-30 9:32 UTC (permalink / raw
To: gentoo-commits
commit: 4958ff939e10105864acd95b941c9d7e3d380586
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Apr 26 10:25:59 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 09:21:11 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4958ff93
login take 4 from Russell Coker.
I have used optional sections for dbus and xserver as requested and also
fixed a minor issue of a rule not being in the correct section.
Please merge this.
policy/modules/contrib/dbus.te | 6 ++++++
policy/modules/contrib/gpg.te | 12 ++++++++++++
policy/modules/contrib/policykit.te | 5 +++++
3 files changed, 23 insertions(+)
diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index 579b2230..80ceb9de 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -149,6 +149,12 @@ ifdef(`distro_gentoo',`
')
')
+ifdef(`init_systemd', `
+ # gdm3 causes system_dbusd_t to want this access
+ dev_rw_dri(system_dbusd_t)
+ dev_rw_input_dev(system_dbusd_t)
+')
+
optional_policy(`
# for /run/systemd/users/*
systemd_read_logind_pids(system_dbusd_t)
diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index 4345bd08..c795f278 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -87,6 +87,7 @@ gpg_stream_connect_agent(gpg_t)
domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)
+kernel_read_crypto_sysctls(gpg_t)
kernel_read_sysctl(gpg_t)
# read /proc/cpuinfo
kernel_read_system_state(gpg_t)
@@ -232,6 +233,8 @@ kernel_dontaudit_search_sysctl(gpg_agent_t)
kernel_read_core_if(gpg_agent_t)
kernel_read_system_state(gpg_agent_t)
+auth_use_nsswitch(gpg_agent_t)
+
corecmd_exec_bin(gpg_agent_t)
corecmd_exec_shell(gpg_agent_t)
@@ -272,6 +275,10 @@ tunable_policy(`use_samba_home_dirs',`
')
optional_policy(`
+ dbus_system_bus_client(gpg_agent_t)
+')
+
+optional_policy(`
mozilla_dontaudit_rw_user_home_files(gpg_agent_t)
')
@@ -279,6 +286,11 @@ optional_policy(`
pcscd_stream_connect(gpg_agent_t)
')
+optional_policy(`
+ xserver_sigchld_xdm(gpg_agent_t)
+ xserver_read_user_xauth(gpg_agent_t)
+')
+
##############################
#
# Pinentry local policy
diff --git a/policy/modules/contrib/policykit.te b/policy/modules/contrib/policykit.te
index d7686081..ee6ad3da 100644
--- a/policy/modules/contrib/policykit.te
+++ b/policy/modules/contrib/policykit.te
@@ -89,6 +89,7 @@ kernel_read_kernel_sysctls(policykit_t)
kernel_read_system_state(policykit_t)
dev_read_urand(policykit_t)
+dev_read_urand(policykit_t)
domain_read_all_domains_state(policykit_t)
@@ -96,6 +97,8 @@ files_dontaudit_search_all_mountpoints(policykit_t)
fs_getattr_xattr_fs(policykit_t)
fs_list_inotifyfs(policykit_t)
+fs_getattr_tmpfs(policykit_t)
+fs_getattr_cgroup(policykit_t)
auth_use_nsswitch(policykit_t)
@@ -105,6 +108,8 @@ userdom_read_all_users_state(policykit_t)
optional_policy(`
dbus_system_domain(policykit_t, policykit_exec_t)
+ userdom_dbus_send_all_users(policykit_t)
+
optional_policy(`
consolekit_dbus_chat(policykit_t)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-04-30 9:40 Jason Zaman
2017-04-30 9:32 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2017-04-30 9:40 UTC (permalink / raw
To: gentoo-commits
commit: d093fd90125d80dfd122221d69daecd64687d89f
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Thu Apr 20 22:00:36 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 09:16:47 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d093fd90
openoffice: support starting it from the window manager
This patch allows to start the openoffice suite from the
window manager.
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/openoffice.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/openoffice.te b/policy/modules/contrib/openoffice.te
index 148ff232..58845575 100644
--- a/policy/modules/contrib/openoffice.te
+++ b/policy/modules/contrib/openoffice.te
@@ -34,6 +34,10 @@ type ooffice_exec_t;
userdom_user_application_domain(ooffice_t, ooffice_exec_t)
role ooffice_roles types ooffice_t;
+optional_policy(`
+ wm_application_domain(ooffice_t, ooffice_exec_t)
+')
+
type ooffice_home_t;
userdom_user_home_content(ooffice_home_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-04-30 9:32 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-04-30 9:32 UTC (permalink / raw
To: gentoo-commits
commit: 235046c2e9c4578585bb482e62e44cf1ef0eacd7
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Apr 29 15:13:24 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 09:21:11 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=235046c2
apt/dpkg strict patches from Russell Coker.
The following are needed for correct operation of apt and dpkg on a "strict"
configuration.
policy/modules/contrib/apt.te | 6 ++++--
policy/modules/contrib/dpkg.if | 20 ++++++++++++++++++++
policy/modules/contrib/dpkg.te | 5 ++++-
policy/modules/contrib/mta.te | 7 ++++++-
4 files changed, 34 insertions(+), 4 deletions(-)
diff --git a/policy/modules/contrib/apt.te b/policy/modules/contrib/apt.te
index dc6f09b1..63b93257 100644
--- a/policy/modules/contrib/apt.te
+++ b/policy/modules/contrib/apt.te
@@ -1,4 +1,4 @@
-policy_module(apt, 1.10.2)
+policy_module(apt, 1.10.3)
########################################
#
@@ -39,7 +39,7 @@ logging_log_file(apt_var_log_t)
# Local policy
#
-allow apt_t self:capability { chown dac_override fowner fsetid };
+allow apt_t self:capability { chown dac_override fowner fsetid kill setgid setuid };
allow apt_t self:process { signal setpgid fork };
allow apt_t self:fd use;
allow apt_t self:fifo_file rw_fifo_file_perms;
@@ -69,12 +69,14 @@ manage_sock_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t)
fs_tmpfs_filetrans(apt_t, apt_tmpfs_t, { dir file lnk_file sock_file fifo_file })
manage_files_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)
+manage_dirs_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)
files_var_filetrans(apt_t, apt_var_cache_t, dir)
manage_files_pattern(apt_t, apt_var_lib_t, apt_var_lib_t)
files_var_lib_filetrans(apt_t, apt_var_lib_t, dir)
allow apt_t apt_var_log_t:file manage_file_perms;
+allow apt_t apt_var_log_t:dir manage_dir_perms;
logging_log_filetrans(apt_t, apt_var_log_t, file)
can_exec(apt_t, apt_exec_t)
diff --git a/policy/modules/contrib/dpkg.if b/policy/modules/contrib/dpkg.if
index 081134f2..c753ad62 100644
--- a/policy/modules/contrib/dpkg.if
+++ b/policy/modules/contrib/dpkg.if
@@ -179,6 +179,26 @@ interface(`dpkg_use_script_fds',`
########################################
## <summary>
+## Inherit and use file descriptors
+## from dpkg scripts.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dpkg_script_rw_inherited_pipes',`
+ gen_require(`
+ type dpkg_script_t;
+ ')
+
+ allow $1 dpkg_script_t:fd use;
+ allow $1 dpkg_script_t:fifo_file rw_inherited_file_perms;
+')
+
+########################################
+## <summary>
## Read dpkg package database content.
## </summary>
## <param name="domain">
diff --git a/policy/modules/contrib/dpkg.te b/policy/modules/contrib/dpkg.te
index a91e4896..e781815d 100644
--- a/policy/modules/contrib/dpkg.te
+++ b/policy/modules/contrib/dpkg.te
@@ -1,4 +1,4 @@
-policy_module(dpkg, 1.11.6)
+policy_module(dpkg, 1.11.7)
########################################
#
@@ -42,6 +42,8 @@ role dpkg_roles types dpkg_script_t;
type dpkg_script_tmp_t;
files_tmp_file(dpkg_script_tmp_t)
+# out of order to work around compiler issue
+domain_entry_file(dpkg_script_t, dpkg_script_tmp_t)
type dpkg_script_tmpfs_t;
files_tmpfs_file(dpkg_script_tmpfs_t)
@@ -69,6 +71,7 @@ allow dpkg_t self:msg { send receive };
allow dpkg_t dpkg_lock_t:file manage_file_perms;
spec_domtrans_pattern(dpkg_t, dpkg_var_lib_t, dpkg_script_t)
+spec_domtrans_pattern(dpkg_t, dpkg_script_tmp_t, dpkg_script_t)
manage_dirs_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t)
manage_files_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t)
diff --git a/policy/modules/contrib/mta.te b/policy/modules/contrib/mta.te
index 2baa07c9..caa21fb9 100644
--- a/policy/modules/contrib/mta.te
+++ b/policy/modules/contrib/mta.te
@@ -1,4 +1,4 @@
-policy_module(mta, 2.8.5)
+policy_module(mta, 2.8.6)
########################################
#
@@ -205,6 +205,11 @@ init_rw_stream_sockets(system_mail_t)
userdom_use_user_terminals(system_mail_t)
optional_policy(`
+ apt_use_fds(system_mail_t)
+ apt_use_ptys(system_mail_t)
+')
+
+optional_policy(`
apache_read_squirrelmail_data(system_mail_t)
apache_append_squirrelmail_data(system_mail_t)
apache_dontaudit_append_log(system_mail_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-04-30 9:32 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-04-30 9:32 UTC (permalink / raw
To: gentoo-commits
commit: 13817b67f3d881a22778a8f4e97763cc83237df0
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Fri Apr 21 00:19:38 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 09:16:47 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=13817b67
Module version bump for changes from Sven Vermeulen and Guido Trentalancia.
policy/modules/contrib/apache.te | 2 +-
policy/modules/contrib/openoffice.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index 9593175b..e69a6c9a 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -1,4 +1,4 @@
-policy_module(apache, 2.12.4)
+policy_module(apache, 2.12.5)
########################################
#
diff --git a/policy/modules/contrib/openoffice.te b/policy/modules/contrib/openoffice.te
index 58845575..0be66b6f 100644
--- a/policy/modules/contrib/openoffice.te
+++ b/policy/modules/contrib/openoffice.te
@@ -1,4 +1,4 @@
-policy_module(openoffice, 1.1.0)
+policy_module(openoffice, 1.1.1)
##############################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-04-30 9:32 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-04-30 9:32 UTC (permalink / raw
To: gentoo-commits
commit: 2533ba81a266408dc2e9f9c271e7568709c73b48
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Apr 19 01:34:54 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 09:12:52 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2533ba81
some userdomain patches from Russell Coker
Added mono_run for unconfined and also xserver_role and allow it to dbus
chat with xdm.
Allow sysadm_t to read kmsg.
Allow user domains to dbus chat with kerneloops for the kerneloops desktop
gui. Also allow them to chat with devicekit disk and power daemons.
Allow gconfd_t to read /var/lib/gconf/defaults and /proc/filesystems
policy/modules/contrib/gnome.te | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te
index f69c10ba..25fe44da 100644
--- a/policy/modules/contrib/gnome.te
+++ b/policy/modules/contrib/gnome.te
@@ -1,4 +1,4 @@
-policy_module(gnome, 2.7.0)
+policy_module(gnome, 2.7.1)
##############################
#
@@ -91,6 +91,12 @@ manage_dirs_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file })
+# for /proc/filesystems
+kernel_read_system_state(gconfd_t)
+
+# for /var/lib/gconf/defaults
+files_read_var_lib_files(gconfd_t)
+
userdom_manage_user_tmp_dirs(gconfd_t)
userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
userdom_user_runtime_filetrans_user_tmp(gconfd_t, dir)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-04-30 9:32 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-04-30 9:32 UTC (permalink / raw
To: gentoo-commits
commit: 2c0150452aa2f181971677e246b38487c7df8d75
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Apr 26 22:02:08 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 09:21:11 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2c015045
some little misc things from Russell Coker.
This patch allows setfiles to use file handles inherited from apt (for dpkg
postinst scripts), adds those rsync permissions that were rejected previously
due to not using interfaces, allows fsadm_t to stat /run/mount/utab, and
allows system_cronjob_t some access it requires (including net_admin for
when it runs utilities that set buffers).
policy/modules/contrib/apt.if | 20 ++++++++++++++++++++
policy/modules/contrib/apt.te | 2 +-
policy/modules/contrib/cron.te | 25 +++++++++++++++++++++----
policy/modules/contrib/mrtg.if | 18 ++++++++++++++++++
policy/modules/contrib/mrtg.te | 2 +-
policy/modules/contrib/rsync.te | 4 +++-
6 files changed, 64 insertions(+), 7 deletions(-)
diff --git a/policy/modules/contrib/apt.if b/policy/modules/contrib/apt.if
index 0a1bc49f..568aa97d 100644
--- a/policy/modules/contrib/apt.if
+++ b/policy/modules/contrib/apt.if
@@ -176,6 +176,26 @@ interface(`apt_read_cache',`
########################################
## <summary>
+## Create, read, write, and delete apt package cache content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apt_manage_cache',`
+ gen_require(`
+ type apt_var_cache_t;
+ ')
+
+ files_search_var($1)
+ allow $1 apt_var_cache_t:dir manage_dir_perms;
+ allow $1 apt_var_cache_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
## Read apt package database content.
## </summary>
## <param name="domain">
diff --git a/policy/modules/contrib/apt.te b/policy/modules/contrib/apt.te
index 05197c4c..dc6f09b1 100644
--- a/policy/modules/contrib/apt.te
+++ b/policy/modules/contrib/apt.te
@@ -1,4 +1,4 @@
-policy_module(apt, 1.10.1)
+policy_module(apt, 1.10.2)
########################################
#
diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te
index 5cb7dac1..15e6bdb4 100644
--- a/policy/modules/contrib/cron.te
+++ b/policy/modules/contrib/cron.te
@@ -1,4 +1,4 @@
-policy_module(cron, 2.11.3)
+policy_module(cron, 2.11.4)
gen_require(`
class passwd rootok;
@@ -338,6 +338,13 @@ ifdef(`distro_debian',`
allow crond_t self:process setrlimit;
optional_policy(`
+ apt_manage_cache(system_cronjob_t)
+ apt_read_db(system_cronjob_t)
+
+ dpkg_manage_db(system_cronjob_t)
+ ')
+
+ optional_policy(`
logwatch_search_cache_dir(crond_t)
')
')
@@ -429,6 +436,7 @@ optional_policy(`
systemd_write_inherited_logind_sessions_pipes(system_cronjob_t)
# so cron jobs can restart daemons
init_stream_connect(system_cronjob_t)
+ init_manage_script_service(system_cronjob_t)
')
optional_policy(`
@@ -440,7 +448,7 @@ optional_policy(`
# System local policy
#
-allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_bind_service setgid setuid sys_nice };
+allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_admin net_bind_service setgid setuid sys_nice };
allow system_cronjob_t self:process { signal_perms getsched setsched };
allow system_cronjob_t self:fd use;
allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
@@ -461,10 +469,11 @@ allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
allow system_cronjob_t system_cronjob_lock_t:lnk_file manage_lnk_file_perms;
files_lock_filetrans(system_cronjob_t, system_cronjob_lock_t, { file lnk_file })
+manage_dirs_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
manage_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
-files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
+files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, { file dir })
manage_files_pattern(system_cronjob_t, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
@@ -475,7 +484,7 @@ allow system_cronjob_t crond_t:process sigchld;
allow system_cronjob_t cron_spool_t:dir list_dir_perms;
allow system_cronjob_t cron_spool_t:file rw_file_perms;
-allow system_cronjob_t crond_tmp_t:file { read write };
+allow system_cronjob_t crond_tmp_t:file rw_inherited_file_perms;
kernel_read_kernel_sysctls(system_cronjob_t)
kernel_read_network_state(system_cronjob_t)
@@ -560,10 +569,15 @@ tunable_policy(`cron_can_relabel',`
')
optional_policy(`
+ acct_manage_data(system_cronjob_t)
+')
+
+optional_policy(`
apache_exec_modules(system_cronjob_t)
apache_read_config(system_cronjob_t)
apache_read_log(system_cronjob_t)
apache_read_sys_content(system_cronjob_t)
+ apache_delete_lib_files(system_cronjob_t)
')
optional_policy(`
@@ -607,6 +621,7 @@ optional_policy(`
optional_policy(`
mrtg_append_create_logs(system_cronjob_t)
+ mrtg_read_config(system_cronjob_t)
')
optional_policy(`
@@ -649,6 +664,8 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
allow cronjob_t self:unix_dgram_socket create_socket_perms;
+allow cronjob_t crond_tmp_t:file rw_inherited_file_perms;
+
kernel_read_system_state(cronjob_t)
kernel_read_kernel_sysctls(cronjob_t)
diff --git a/policy/modules/contrib/mrtg.if b/policy/modules/contrib/mrtg.if
index 0a71bd89..b25b0894 100644
--- a/policy/modules/contrib/mrtg.if
+++ b/policy/modules/contrib/mrtg.if
@@ -2,6 +2,24 @@
########################################
## <summary>
+## Read mrtg configuration
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mrtg_read_config',`
+ gen_require(`
+ type mrtg_etc_t;
+ ')
+
+ allow $1 mrtg_etc_t:file read_file_perms;
+')
+
+########################################
+## <summary>
## Create and append mrtg log files.
## </summary>
## <param name="domain">
diff --git a/policy/modules/contrib/mrtg.te b/policy/modules/contrib/mrtg.te
index 5126d9d5..96d48f37 100644
--- a/policy/modules/contrib/mrtg.te
+++ b/policy/modules/contrib/mrtg.te
@@ -1,4 +1,4 @@
-policy_module(mrtg, 1.11.0)
+policy_module(mrtg, 1.11.1)
########################################
#
diff --git a/policy/modules/contrib/rsync.te b/policy/modules/contrib/rsync.te
index 2fce98b0..11c7041a 100644
--- a/policy/modules/contrib/rsync.te
+++ b/policy/modules/contrib/rsync.te
@@ -1,4 +1,4 @@
-policy_module(rsync, 1.15.0)
+policy_module(rsync, 1.15.1)
########################################
#
@@ -123,6 +123,8 @@ dev_read_urand(rsync_t)
fs_getattr_all_fs(rsync_t)
fs_search_auto_mountpoints(rsync_t)
+files_getattr_all_pipes(rsync_t)
+files_getattr_all_sockets(rsync_t)
files_search_home(rsync_t)
auth_can_read_shadow_passwords(rsync_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-04-30 9:32 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-04-30 9:32 UTC (permalink / raw
To: gentoo-commits
commit: 65f2dc9479c12dca474e917434415e1d0fda7ff3
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Apr 19 01:21:12 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 09:12:52 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=65f2dc94
devicekit, mount, xserver, and selinuxutil from Russell Coker
Allow devicekit_power_t to chat to xdm via dbus and log via syslog.
Allow mount_t to do more with it's runtime files and stat more filesystem
types.
Allow xauth to send sigchld to xdm.
Allow semanage to search policy_src_t dirs and read /dev/urandom.
policy/modules/contrib/devicekit.te | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/devicekit.te b/policy/modules/contrib/devicekit.te
index 83e0fabd..d2d3f830 100644
--- a/policy/modules/contrib/devicekit.te
+++ b/policy/modules/contrib/devicekit.te
@@ -1,4 +1,4 @@
-policy_module(devicekit, 1.6.3)
+policy_module(devicekit, 1.6.4)
########################################
#
@@ -59,12 +59,17 @@ optional_policy(`
udev_read_db(devicekit_t)
')
+optional_policy(`
+ xserver_dbus_chat_xdm(devicekit_power_t)
+')
+
########################################
#
# Disk local policy
#
allow devicekit_disk_t self:capability { chown dac_override fowner fsetid net_admin setgid setuid sys_admin sys_nice sys_ptrace sys_rawio };
+allow devicekit_disk_t self:capability2 wake_alarm;
allow devicekit_disk_t self:process { getsched signal_perms };
allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -263,6 +268,8 @@ init_all_labeled_script_domtrans(devicekit_power_t)
init_read_utmp(devicekit_power_t)
init_search_run(devicekit_power_t)
+logging_send_syslog_msg(devicekit_power_t)
+
miscfiles_read_localization(devicekit_power_t)
sysnet_domtrans_ifconfig(devicekit_power_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-04-30 9:32 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-04-30 9:32 UTC (permalink / raw
To: gentoo-commits
commit: a70ac72ccb9f4e12e93648defadbe3f0c87e3993
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Thu Apr 20 23:18:48 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 09:16:47 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a70ac72c
Module version bump for gnome fix from Guido Trentalancia.
policy/modules/contrib/evolution.te | 2 +-
policy/modules/contrib/gnome.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/evolution.te b/policy/modules/contrib/evolution.te
index 579c21a6..bf456df4 100644
--- a/policy/modules/contrib/evolution.te
+++ b/policy/modules/contrib/evolution.te
@@ -1,4 +1,4 @@
-policy_module(evolution, 2.6.1)
+policy_module(evolution, 2.6.2)
########################################
#
diff --git a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te
index 25fe44da..1b53cb4f 100644
--- a/policy/modules/contrib/gnome.te
+++ b/policy/modules/contrib/gnome.te
@@ -1,4 +1,4 @@
-policy_module(gnome, 2.7.1)
+policy_module(gnome, 2.7.2)
##############################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-04-30 9:32 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-04-30 9:32 UTC (permalink / raw
To: gentoo-commits
commit: f328e52e14903e825ae02bf8c25ebdf859278a40
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Apr 26 10:38:44 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 09:21:11 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f328e52e
Module version bump for patches from Russell Coker.
policy/modules/contrib/cups.te | 2 +-
policy/modules/contrib/dbus.te | 2 +-
policy/modules/contrib/gpg.te | 2 +-
policy/modules/contrib/hal.te | 2 +-
policy/modules/contrib/policykit.te | 2 +-
5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te
index 3a6c0b92..88a73ce4 100644
--- a/policy/modules/contrib/cups.te
+++ b/policy/modules/contrib/cups.te
@@ -1,4 +1,4 @@
-policy_module(cups, 1.21.3)
+policy_module(cups, 1.21.4)
########################################
#
diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index 80ceb9de..ca39fb6b 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -1,4 +1,4 @@
-policy_module(dbus, 1.22.5)
+policy_module(dbus, 1.22.6)
gen_require(`
class dbus all_dbus_perms;
diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index c795f278..c145fb4c 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -1,4 +1,4 @@
-policy_module(gpg, 2.11.0)
+policy_module(gpg, 2.11.1)
########################################
#
diff --git a/policy/modules/contrib/hal.te b/policy/modules/contrib/hal.te
index 29b473e7..997f3e3b 100644
--- a/policy/modules/contrib/hal.te
+++ b/policy/modules/contrib/hal.te
@@ -1,4 +1,4 @@
-policy_module(hal, 1.17.1)
+policy_module(hal, 1.17.2)
########################################
#
diff --git a/policy/modules/contrib/policykit.te b/policy/modules/contrib/policykit.te
index ee6ad3da..fc89a486 100644
--- a/policy/modules/contrib/policykit.te
+++ b/policy/modules/contrib/policykit.te
@@ -1,4 +1,4 @@
-policy_module(policykit, 1.6.1)
+policy_module(policykit, 1.6.2)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-04-30 9:32 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-04-30 9:32 UTC (permalink / raw
To: gentoo-commits
commit: 8c603f3c8d2287b778473a09b4576bee12401b59
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Apr 19 01:17:16 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 09:12:52 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8c603f3c
kmod, lvm, brctl patches from Russell Coker
Patches for modutils, at least one of which is needed to generate an initramfs
on Debian.
Patch to allow lvm to talk to fifos from dpkg_script_t for postinst scripts
etc.
Patch for brctl to allow it to create sysfs files.
policy/modules/contrib/brctl.te | 3 ++-
policy/modules/contrib/dpkg.if | 39 +++++++++++++++++++++++++++++++++++++++
policy/modules/contrib/dpkg.te | 2 +-
3 files changed, 42 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/brctl.te b/policy/modules/contrib/brctl.te
index c5a91138..fd789b5f 100644
--- a/policy/modules/contrib/brctl.te
+++ b/policy/modules/contrib/brctl.te
@@ -1,4 +1,4 @@
-policy_module(brctl, 1.7.0)
+policy_module(brctl, 1.7.1)
########################################
#
@@ -29,6 +29,7 @@ kernel_read_sysctl(brctl_t)
corenet_rw_tun_tap_dev(brctl_t)
+dev_create_sysfs_files(brctl_t)
dev_rw_sysfs(brctl_t)
dev_write_sysfs_dirs(brctl_t)
diff --git a/policy/modules/contrib/dpkg.if b/policy/modules/contrib/dpkg.if
index fdc06d69..081134f2 100644
--- a/policy/modules/contrib/dpkg.if
+++ b/policy/modules/contrib/dpkg.if
@@ -62,6 +62,25 @@ interface(`dpkg_domtrans_script',`
########################################
## <summary>
+## access dpkg_script fifos
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`dpkg_script_rw_pipes',`
+ gen_require(`
+ type dpkg_script_t;
+ ')
+
+ allow $1 dpkg_script_t:fd use;
+ allow $1 dpkg_script_t:fifo_file rw_file_perms;
+')
+
+########################################
+## <summary>
## Execute dpkg programs in the dpkg domain.
## </summary>
## <param name="domain">
@@ -242,3 +261,23 @@ interface(`dpkg_lock_db',`
allow $1 dpkg_var_lib_t:dir list_dir_perms;
allow $1 dpkg_lock_t:file manage_file_perms;
')
+
+########################################
+## <summary>
+## manage dpkg_script_tmp_t files and dirs
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dpkg_manage_script_tmp_files',`
+ gen_require(`
+ type dpkg_script_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 dpkg_script_tmp_t:dir manage_dir_perms;
+ allow $1 dpkg_script_tmp_t:file manage_file_perms;
+')
diff --git a/policy/modules/contrib/dpkg.te b/policy/modules/contrib/dpkg.te
index a3d3f2e5..a91e4896 100644
--- a/policy/modules/contrib/dpkg.te
+++ b/policy/modules/contrib/dpkg.te
@@ -1,4 +1,4 @@
-policy_module(dpkg, 1.11.5)
+policy_module(dpkg, 1.11.6)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-04-30 9:32 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-04-30 9:32 UTC (permalink / raw
To: gentoo-commits
commit: 0ec70896db5e578c6c0d40a2e04de39b53ff1a7a
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Apr 16 23:01:40 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 09:12:52 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0ec70896
systemd init from Russell Coker
This patch lets mandb_t search init_var_run_t dirs which it needs when running
with systems. Also allows it to fs_getattr_xattr_fs() because it seemed
pointless to put that in a separate patch.
Allow init_t to do several things that it requires when init is systemd.
Allow various operations on var_log_t to access var_log_t symlinks too.
Let auditd setattr it's directory.
policy/modules/contrib/mandb.te | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/mandb.te b/policy/modules/contrib/mandb.te
index 62684374..70fb5072 100644
--- a/policy/modules/contrib/mandb.te
+++ b/policy/modules/contrib/mandb.te
@@ -1,4 +1,4 @@
-policy_module(mandb, 1.3.1)
+policy_module(mandb, 1.3.2)
########################################
#
@@ -51,6 +51,10 @@ miscfiles_read_localization(mandb_t)
userdom_use_inherited_user_terminals(mandb_t)
+ifdef(`init_systemd',`
+ init_search_run(mandb_t)
+')
+
optional_policy(`
cron_system_entry(mandb_t, mandb_exec_t)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-04-30 9:32 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-04-30 9:32 UTC (permalink / raw
To: gentoo-commits
commit: 79122e4440ac3616cef3283767c88232f9f6f265
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Apr 19 01:06:48 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 09:12:52 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=79122e44
logging patches from Russell Coker
Patches for logrotate, webalizer, sysstat, and logwatch.
policy/modules/contrib/logrotate.te | 6 +++++-
policy/modules/contrib/logwatch.te | 7 ++++++-
policy/modules/contrib/sysstat.te | 9 ++++++---
policy/modules/contrib/webalizer.te | 8 +++++++-
4 files changed, 24 insertions(+), 6 deletions(-)
diff --git a/policy/modules/contrib/logrotate.te b/policy/modules/contrib/logrotate.te
index ec338fb6..1c63e097 100644
--- a/policy/modules/contrib/logrotate.te
+++ b/policy/modules/contrib/logrotate.te
@@ -1,4 +1,4 @@
-policy_module(logrotate, 1.18.2)
+policy_module(logrotate, 1.18.3)
########################################
#
@@ -89,6 +89,7 @@ files_dontaudit_list_mnt(logrotate_t)
fs_search_auto_mountpoints(logrotate_t)
fs_getattr_xattr_fs(logrotate_t)
fs_list_inotifyfs(logrotate_t)
+fs_getattr_tmpfs(logrotate_t)
mls_file_read_all_levels(logrotate_t)
mls_file_write_all_levels(logrotate_t)
@@ -102,8 +103,10 @@ auth_manage_login_records(logrotate_t)
auth_use_nsswitch(logrotate_t)
init_all_labeled_script_domtrans(logrotate_t)
+init_startstop_all_script_services(logrotate_t)
init_get_generic_units_status(logrotate_t)
init_get_all_units_status(logrotate_t)
+init_get_system_status(logrotate_t)
init_dbus_chat(logrotate_t)
init_stream_connect(logrotate_t)
init_manage_all_units(logrotate_t)
@@ -218,6 +221,7 @@ optional_policy(`
optional_policy(`
mysql_read_config(logrotate_t)
mysql_stream_connect(logrotate_t)
+ mysql_signal(logrotate_t)
')
optional_policy(`
diff --git a/policy/modules/contrib/logwatch.te b/policy/modules/contrib/logwatch.te
index 24f1c17b..d2b54207 100644
--- a/policy/modules/contrib/logwatch.te
+++ b/policy/modules/contrib/logwatch.te
@@ -1,4 +1,4 @@
-policy_module(logwatch, 1.14.0)
+policy_module(logwatch, 1.14.1)
#################################
#
@@ -160,6 +160,10 @@ optional_policy(`
')
optional_policy(`
+ raid_domtrans_mdadm(logwatch_t)
+')
+
+optional_policy(`
rpc_search_nfs_state_data(logwatch_t)
')
@@ -189,4 +193,5 @@ logging_read_all_logs(logwatch_mail_t)
optional_policy(`
cron_use_system_job_fds(logwatch_mail_t)
+ cron_rw_system_job_pipes(logwatch_mail_t)
')
diff --git a/policy/modules/contrib/sysstat.te b/policy/modules/contrib/sysstat.te
index ac249ac0..deca783e 100644
--- a/policy/modules/contrib/sysstat.te
+++ b/policy/modules/contrib/sysstat.te
@@ -1,4 +1,4 @@
-policy_module(sysstat, 1.9.0)
+policy_module(sysstat, 1.9.1)
########################################
#
@@ -24,8 +24,7 @@ allow sysstat_t self:capability { dac_override sys_admin sys_resource sys_tty_co
allow sysstat_t self:fifo_file rw_fifo_file_perms;
manage_dirs_pattern(sysstat_t,sysstat_log_t,sysstat_log_t)
-append_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
-create_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
+manage_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
setattr_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
manage_lnk_files_pattern(sysstat_t,sysstat_log_t,sysstat_log_t)
logging_log_filetrans(sysstat_t, sysstat_log_t, { file dir })
@@ -39,12 +38,15 @@ kernel_read_fs_sysctls(sysstat_t)
kernel_read_rpc_sysctls(sysstat_t)
corecmd_exec_bin(sysstat_t)
+corecmd_exec_shell(sysstat_t)
dev_read_sysfs(sysstat_t)
+dev_getattr_sysfs(sysstat_t)
dev_read_urand(sysstat_t)
files_search_var(sysstat_t)
files_read_etc_runtime_files(sysstat_t)
+files_search_all_mountpoints(sysstat_t)
fs_getattr_xattr_fs(sysstat_t)
fs_list_inotifyfs(sysstat_t)
@@ -66,6 +68,7 @@ userdom_dontaudit_list_user_home_dirs(sysstat_t)
optional_policy(`
cron_system_entry(sysstat_t, sysstat_exec_t)
+ cron_rw_tmp_files(sysstat_t)
')
ifdef(`distro_gentoo',`
diff --git a/policy/modules/contrib/webalizer.te b/policy/modules/contrib/webalizer.te
index 06f9d332..9ea1bdad 100644
--- a/policy/modules/contrib/webalizer.te
+++ b/policy/modules/contrib/webalizer.te
@@ -1,4 +1,4 @@
-policy_module(webalizer, 1.14.0)
+policy_module(webalizer, 1.14.1)
########################################
#
@@ -16,6 +16,9 @@ role webalizer_roles types webalizer_t;
type webalizer_etc_t;
files_config_file(webalizer_etc_t)
+type webalizer_log_t;
+logging_log_file(webalizer_log_t)
+
type webalizer_tmp_t;
files_tmp_file(webalizer_tmp_t)
@@ -37,6 +40,9 @@ allow webalizer_t self:tcp_socket { accept listen };
allow webalizer_t webalizer_etc_t:file read_file_perms;
+manage_dirs_pattern(webalizer_t, webalizer_log_t, webalizer_log_t)
+manage_files_pattern(webalizer_t, webalizer_log_t, webalizer_log_t)
+
manage_dirs_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t)
manage_files_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t)
files_tmp_filetrans(webalizer_t, webalizer_tmp_t, { file dir })
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-04-30 9:32 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-04-30 9:32 UTC (permalink / raw
To: gentoo-commits
commit: cb26336af2009ff82257bb3d49f0630259471070
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Sun Apr 16 22:39:36 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 09:12:52 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cb26336a
wm: interactive start
Update the window manager (wm) module (support starting
gnome-shell from an X terminal).
This second version curbs on an open permission when dealing with the user terminal (terminal is already opened by the X terminal application, thanks to Christian Göttsche for the tip).
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/wm.if | 27 +++++++++++++++++++++++++++
policy/modules/contrib/wm.te | 7 ++++++-
2 files changed, 33 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/wm.if b/policy/modules/contrib/wm.if
index dbe32237..e8fd7706 100644
--- a/policy/modules/contrib/wm.if
+++ b/policy/modules/contrib/wm.if
@@ -73,6 +73,8 @@ template(`wm_role_template',`
xserver_role($2, $1_wm_t)
xserver_manage_core_devices($1_wm_t)
+ wm_write_pipes($1, $3)
+
optional_policy(`
dbus_connect_spec_session_bus($1, $1_wm_t)
dbus_spec_session_bus_client($1, $1_wm_t)
@@ -219,3 +221,28 @@ interface(`wm_application_domain',`
userdom_user_application_domain($1, $2)
domtrans_pattern(wm_domain, $2, $1)
')
+
+########################################
+### <summary>
+### Write wm unnamed pipes.
+### </summary>
+## <param name="role_prefix">
+### <summary>
+### The prefix of the user domain (e.g., user
+### is the prefix for user_t).
+### </summary>
+### </param>
+### <param name="domain">
+### <summary>
+### Domain allowed access.
+### </summary>
+### </param>
+### </param>
+##
+interface(`wm_write_pipes',`
+ gen_require(`
+ type $1_t;
+ ')
+
+ allow $2 $1_wm_t:fifo_file write;
+')
diff --git a/policy/modules/contrib/wm.te b/policy/modules/contrib/wm.te
index 77dcc432..5b39df69 100644
--- a/policy/modules/contrib/wm.te
+++ b/policy/modules/contrib/wm.te
@@ -64,6 +64,8 @@ kernel_read_fs_sysctls(wm_domain)
kernel_read_proc_symlinks(wm_domain)
kernel_read_sysctl(wm_domain)
+locallogin_dontaudit_use_fds(wm_domain)
+
miscfiles_read_fonts(wm_domain)
miscfiles_read_generic_certs(wm_domain)
miscfiles_read_localization(wm_domain)
@@ -72,13 +74,16 @@ networkmanager_read_etc_files(wm_domain)
udev_read_pid_files(wm_domain)
-# this is needed by gnome-shell
+# the following is needed by gnome-shell
userdom_exec_user_home_content_files(wm_domain)
userdom_manage_user_tmp_sockets(wm_domain)
userdom_tmp_filetrans_user_tmp(wm_domain, sock_file)
userdom_user_runtime_filetrans_user_tmp(wm_domain, sock_file)
+# to print error messages
+userdom_use_inherited_user_terminals(wm_domain)
+
userdom_manage_user_home_content_dirs(wm_domain)
userdom_manage_user_home_content_files(wm_domain)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-04-30 9:32 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-04-30 9:32 UTC (permalink / raw
To: gentoo-commits
commit: 1197ff93afecfb4c4a64b0daeca0b24b711f64d0
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Thu Apr 13 23:25:46 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 09:12:52 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1197ff93
mozilla: add a permission
Update the mozilla module with a permission that firefox needs to
run (temporary lock file creation).
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/mozilla.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
index 611959a0..41bfeb97 100644
--- a/policy/modules/contrib/mozilla.te
+++ b/policy/modules/contrib/mozilla.te
@@ -103,6 +103,7 @@ userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".phoenix")
filetrans_pattern(mozilla_t, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins")
manage_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
+manage_lnk_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
manage_dirs_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
files_tmp_filetrans(mozilla_t, mozilla_tmp_t, { file dir })
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-04-30 9:32 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-04-30 9:32 UTC (permalink / raw
To: gentoo-commits
commit: 242ca25eaafd9b258c47523ea4b837f4425ef8db
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Thu Apr 13 23:25:37 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 09:12:52 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=242ca25e
mozilla: read hardware state information
Update the mozilla module with a new permission (read sysfs).
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/mozilla.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
index 85d6bda1..611959a0 100644
--- a/policy/modules/contrib/mozilla.te
+++ b/policy/modules/contrib/mozilla.te
@@ -161,6 +161,7 @@ corenet_tcp_connect_speech_port(mozilla_t)
corenet_tcp_sendrecv_speech_port(mozilla_t)
dev_getattr_sysfs_dirs(mozilla_t)
+dev_read_sysfs(mozilla_t)
dev_read_sound(mozilla_t)
dev_read_rand(mozilla_t)
dev_read_urand(mozilla_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-04-30 9:32 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-04-30 9:32 UTC (permalink / raw
To: gentoo-commits
commit: 64045504485f73be3553bb7b3ee2cbbe2fc6866c
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Apr 16 22:45:05 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 09:12:52 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=64045504
wm: interface docs adjustment.
policy/modules/contrib/wm.if | 29 ++++++++++++++---------------
1 file changed, 14 insertions(+), 15 deletions(-)
diff --git a/policy/modules/contrib/wm.if b/policy/modules/contrib/wm.if
index e8fd7706..45ce9949 100644
--- a/policy/modules/contrib/wm.if
+++ b/policy/modules/contrib/wm.if
@@ -223,22 +223,21 @@ interface(`wm_application_domain',`
')
########################################
-### <summary>
-### Write wm unnamed pipes.
-### </summary>
+## <summary>
+## Write wm unnamed pipes.
+## </summary>
## <param name="role_prefix">
-### <summary>
-### The prefix of the user domain (e.g., user
-### is the prefix for user_t).
-### </summary>
-### </param>
-### <param name="domain">
-### <summary>
-### Domain allowed access.
-### </summary>
-### </param>
-### </param>
-##
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
interface(`wm_write_pipes',`
gen_require(`
type $1_t;
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-04-30 9:32 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-04-30 9:32 UTC (permalink / raw
To: gentoo-commits
commit: 3a4ccbc3c0c08814a34c132529ab13596fd4fb8a
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Apr 16 22:46:34 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 09:12:52 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3a4ccbc3
Module version bump for misc fixes from Guido Trentalancia.
policy/modules/contrib/evolution.te | 2 +-
policy/modules/contrib/java.te | 2 +-
policy/modules/contrib/mozilla.te | 2 +-
policy/modules/contrib/networkmanager.te | 2 +-
policy/modules/contrib/wm.te | 2 +-
5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/policy/modules/contrib/evolution.te b/policy/modules/contrib/evolution.te
index 16c620aa..bd1647f2 100644
--- a/policy/modules/contrib/evolution.te
+++ b/policy/modules/contrib/evolution.te
@@ -1,4 +1,4 @@
-policy_module(evolution, 2.6.0)
+policy_module(evolution, 2.6.1)
########################################
#
diff --git a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te
index 01b33922..c4aaa66b 100644
--- a/policy/modules/contrib/java.te
+++ b/policy/modules/contrib/java.te
@@ -1,4 +1,4 @@
-policy_module(java, 2.9.1)
+policy_module(java, 2.9.2)
########################################
#
diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
index 41bfeb97..c595af2f 100644
--- a/policy/modules/contrib/mozilla.te
+++ b/policy/modules/contrib/mozilla.te
@@ -1,4 +1,4 @@
-policy_module(mozilla, 2.11.1)
+policy_module(mozilla, 2.11.2)
########################################
#
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index 99002c12..c6d62977 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -1,4 +1,4 @@
-policy_module(networkmanager, 1.20.4)
+policy_module(networkmanager, 1.20.5)
########################################
#
diff --git a/policy/modules/contrib/wm.te b/policy/modules/contrib/wm.te
index 5b39df69..2bc2c8d9 100644
--- a/policy/modules/contrib/wm.te
+++ b/policy/modules/contrib/wm.te
@@ -1,4 +1,4 @@
-policy_module(wm, 1.6.0)
+policy_module(wm, 1.6.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-04-30 9:32 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-04-30 9:32 UTC (permalink / raw
To: gentoo-commits
commit: 9e5c904a59a7a7b8b95aaf7d2c176f3099e0cedd
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Thu Apr 13 23:26:10 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 09:12:52 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9e5c904a
wm: load the NetworkManager applet
Gnome-shell needs to read NetworkManager configuration files in /etc in
order to correctly run the applet.
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/networkmanager.if | 20 ++++++++++++++++++++
policy/modules/contrib/wm.te | 2 ++
2 files changed, 22 insertions(+)
diff --git a/policy/modules/contrib/networkmanager.if b/policy/modules/contrib/networkmanager.if
index 10688d21..3c5073d1 100644
--- a/policy/modules/contrib/networkmanager.if
+++ b/policy/modules/contrib/networkmanager.if
@@ -172,6 +172,26 @@ interface(`networkmanager_signal',`
')
########################################
+### <summary>
+### Read networkmanager etc files.
+### </summary>
+### <param name="domain">
+### <summary>
+### Domain allowed access.
+### </summary>
+### </param>
+##
+interface(`networkmanager_read_etc_files',`
+ gen_require(`
+ type NetworkManager_etc_t;
+ ')
+
+ files_search_etc($1)
+ list_dirs_pattern($1, NetworkManager_etc_t, NetworkManager_etc_t)
+ read_files_pattern($1, NetworkManager_etc_t, NetworkManager_etc_t)
+')
+
+########################################
## <summary>
## Create, read, and write
## networkmanager library files.
diff --git a/policy/modules/contrib/wm.te b/policy/modules/contrib/wm.te
index e5f65316..77dcc432 100644
--- a/policy/modules/contrib/wm.te
+++ b/policy/modules/contrib/wm.te
@@ -68,6 +68,8 @@ miscfiles_read_fonts(wm_domain)
miscfiles_read_generic_certs(wm_domain)
miscfiles_read_localization(wm_domain)
+networkmanager_read_etc_files(wm_domain)
+
udev_read_pid_files(wm_domain)
# this is needed by gnome-shell
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-04-30 9:32 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-04-30 9:32 UTC (permalink / raw
To: gentoo-commits
commit: dfb1fd6a118cb23a923d8c4b4290db564559862c
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Apr 16 22:30:28 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 09:12:52 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=dfb1fd6a
networkmanager: adjust interface docs format.
policy/modules/contrib/networkmanager.if | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/policy/modules/contrib/networkmanager.if b/policy/modules/contrib/networkmanager.if
index 3c5073d1..e57453fc 100644
--- a/policy/modules/contrib/networkmanager.if
+++ b/policy/modules/contrib/networkmanager.if
@@ -172,15 +172,15 @@ interface(`networkmanager_signal',`
')
########################################
-### <summary>
-### Read networkmanager etc files.
-### </summary>
-### <param name="domain">
-### <summary>
-### Domain allowed access.
-### </summary>
-### </param>
-##
+## <summary>
+## Read networkmanager etc files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
interface(`networkmanager_read_etc_files',`
gen_require(`
type NetworkManager_etc_t;
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-04-30 9:32 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-04-30 9:32 UTC (permalink / raw
To: gentoo-commits
commit: 27908db261c5fee5edc8ea06e1fb2c0a59e72bad
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Apr 19 00:37:39 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 09:12:52 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=27908db2
misc daemons from Russell Coker.
Put in libx32 subs entries that refer to directories with fc entries.
Allow dpkg_t to transition to dpkg_script_t when it executes bin_t for
dpkg-reconfigure.
Some dontaudit rules for mta processes spawned by mon for notification.
Lots of tiny changes that are obvious.
policy/modules/contrib/backup.te | 4 ++--
policy/modules/contrib/bitlbee.te | 3 ++-
policy/modules/contrib/dpkg.te | 9 ++++++++-
policy/modules/contrib/fetchmail.te | 3 ++-
policy/modules/contrib/kerneloops.te | 4 +++-
policy/modules/contrib/loadkeys.te | 4 +++-
policy/modules/contrib/mon.if | 37 ++++++++++++++++++++++++++++++++++++
policy/modules/contrib/mon.te | 3 ++-
policy/modules/contrib/mta.te | 10 +++++++++-
policy/modules/contrib/munin.te | 5 ++++-
policy/modules/contrib/ntp.te | 4 ++--
policy/modules/contrib/rtkit.te | 6 +++++-
policy/modules/contrib/smartmon.te | 3 ++-
13 files changed, 81 insertions(+), 14 deletions(-)
diff --git a/policy/modules/contrib/backup.te b/policy/modules/contrib/backup.te
index c207d5a2..135f94a3 100644
--- a/policy/modules/contrib/backup.te
+++ b/policy/modules/contrib/backup.te
@@ -1,4 +1,4 @@
-policy_module(backup, 1.7.0)
+policy_module(backup, 1.7.1)
########################################
#
@@ -21,7 +21,7 @@ files_type(backup_store_t)
# Local policy
#
-allow backup_t self:capability dac_override;
+allow backup_t self:capability { chown dac_override fsetid };
allow backup_t self:process signal;
allow backup_t self:fifo_file rw_fifo_file_perms;
allow backup_t self:tcp_socket create_socket_perms;
diff --git a/policy/modules/contrib/bitlbee.te b/policy/modules/contrib/bitlbee.te
index 93d4385d..90ff0dc6 100644
--- a/policy/modules/contrib/bitlbee.te
+++ b/policy/modules/contrib/bitlbee.te
@@ -1,4 +1,4 @@
-policy_module(bitlbee, 1.7.0)
+policy_module(bitlbee, 1.7.1)
########################################
#
@@ -61,6 +61,7 @@ files_pid_filetrans(bitlbee_t, bitlbee_var_run_t, { dir file sock_file })
kernel_read_kernel_sysctls(bitlbee_t)
kernel_read_system_state(bitlbee_t)
+kernel_read_crypto_sysctls(bitlbee_t)
corenet_all_recvfrom_unlabeled(bitlbee_t)
corenet_all_recvfrom_netlabel(bitlbee_t)
diff --git a/policy/modules/contrib/dpkg.te b/policy/modules/contrib/dpkg.te
index 3ea9e3e0..a3d3f2e5 100644
--- a/policy/modules/contrib/dpkg.te
+++ b/policy/modules/contrib/dpkg.te
@@ -1,4 +1,4 @@
-policy_module(dpkg, 1.11.4)
+policy_module(dpkg, 1.11.5)
########################################
#
@@ -34,6 +34,7 @@ domain_type(dpkg_script_t)
domain_entry_file(dpkg_t, dpkg_var_lib_t)
domain_entry_file(dpkg_script_t, dpkg_var_lib_t)
corecmd_shell_entry_type(dpkg_script_t)
+corecmd_bin_entry_type(dpkg_script_t)
domain_obj_id_change_exemption(dpkg_script_t)
domain_system_change_exemption(dpkg_script_t)
domain_interactive_fd(dpkg_script_t)
@@ -87,6 +88,8 @@ files_var_lib_filetrans(dpkg_t, dpkg_var_lib_t, dir)
kernel_read_system_state(dpkg_t)
kernel_read_kernel_sysctls(dpkg_t)
+corecmd_bin_domtrans(dpkg_t, dpkg_script_t)
+
corenet_all_recvfrom_unlabeled(dpkg_t)
corenet_all_recvfrom_netlabel(dpkg_t)
corenet_tcp_sendrecv_generic_if(dpkg_t)
@@ -307,6 +310,10 @@ optional_policy(`
')
optional_policy(`
+ devicekit_dbus_chat_power(dpkg_script_t)
+')
+
+optional_policy(`
modutils_run(dpkg_script_t, dpkg_roles)
')
diff --git a/policy/modules/contrib/fetchmail.te b/policy/modules/contrib/fetchmail.te
index a15bc538..7e796c31 100644
--- a/policy/modules/contrib/fetchmail.te
+++ b/policy/modules/contrib/fetchmail.te
@@ -1,4 +1,4 @@
-policy_module(fetchmail, 1.16.1)
+policy_module(fetchmail, 1.16.2)
########################################
#
@@ -78,6 +78,7 @@ dev_read_rand(fetchmail_t)
dev_read_urand(fetchmail_t)
files_read_etc_runtime_files(fetchmail_t)
+files_search_tmp(fetchmail_t)
files_dontaudit_search_home(fetchmail_t)
fs_getattr_all_fs(fetchmail_t)
diff --git a/policy/modules/contrib/kerneloops.te b/policy/modules/contrib/kerneloops.te
index 4ecba0ae..58ee9516 100644
--- a/policy/modules/contrib/kerneloops.te
+++ b/policy/modules/contrib/kerneloops.te
@@ -1,4 +1,4 @@
-policy_module(kerneloops, 1.6.1)
+policy_module(kerneloops, 1.6.2)
########################################
#
@@ -30,6 +30,8 @@ files_tmp_filetrans(kerneloops_t, kerneloops_tmp_t, file)
kernel_read_ring_buffer(kerneloops_t)
kernel_read_system_state(kerneloops_t)
+dev_read_urand(kerneloops_t)
+
domain_use_interactive_fds(kerneloops_t)
corenet_all_recvfrom_unlabeled(kerneloops_t)
diff --git a/policy/modules/contrib/loadkeys.te b/policy/modules/contrib/loadkeys.te
index ca8e7015..d99a28bf 100644
--- a/policy/modules/contrib/loadkeys.te
+++ b/policy/modules/contrib/loadkeys.te
@@ -1,4 +1,4 @@
-policy_module(loadkeys, 1.11.1)
+policy_module(loadkeys, 1.11.2)
########################################
#
@@ -37,6 +37,8 @@ files_search_tmp(loadkeys_t)
term_dontaudit_use_console(loadkeys_t)
term_use_unallocated_ttys(loadkeys_t)
+init_read_script_tmp_files(loadkeys_t)
+
locallogin_use_fds(loadkeys_t)
miscfiles_read_localization(loadkeys_t)
diff --git a/policy/modules/contrib/mon.if b/policy/modules/contrib/mon.if
index d9aee2be..4701724e 100644
--- a/policy/modules/contrib/mon.if
+++ b/policy/modules/contrib/mon.if
@@ -1 +1,38 @@
## <summary>mon network monitoring daemon.</summary>
+
+######################################
+## <summary>
+## dontaudit using an inherited fd from mon_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit
+## </summary>
+## </param>
+#
+interface(`mon_dontaudit_use_fds',`
+ gen_require(`
+ type mon_t;
+ ')
+
+ dontaudit $1 mon_t:fd use;
+')
+
+######################################
+## <summary>
+## dontaudit searching /var/lib/mon
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit
+## </summary>
+## </param>
+#
+interface(`mon_dontaudit_search_var_lib',`
+ gen_require(`
+ type mon_var_lib_t;
+ ')
+
+ dontaudit $1 mon_var_lib_t:dir search;
+')
+
diff --git a/policy/modules/contrib/mon.te b/policy/modules/contrib/mon.te
index 5db41833..0207d0ac 100644
--- a/policy/modules/contrib/mon.te
+++ b/policy/modules/contrib/mon.te
@@ -1,4 +1,4 @@
-policy_module(mon, 1.0.2)
+policy_module(mon, 1.0.3)
########################################
#
@@ -80,6 +80,7 @@ domain_use_interactive_fds(mon_t)
files_read_etc_files(mon_t)
files_read_etc_runtime_files(mon_t)
files_read_usr_files(mon_t)
+files_search_var_lib(mon_t)
fs_getattr_all_fs(mon_t)
fs_search_auto_mountpoints(mon_t)
diff --git a/policy/modules/contrib/mta.te b/policy/modules/contrib/mta.te
index 68f3e91f..2baa07c9 100644
--- a/policy/modules/contrib/mta.te
+++ b/policy/modules/contrib/mta.te
@@ -1,4 +1,4 @@
-policy_module(mta, 2.8.4)
+policy_module(mta, 2.8.5)
########################################
#
@@ -324,6 +324,10 @@ optional_policy(`
')
')
+optional_policy(`
+ mon_dontaudit_use_fds(mta_user_agent)
+')
+
########################################
#
# Mailserver delivery local policy
@@ -379,6 +383,10 @@ optional_policy(`
')
optional_policy(`
+ mon_dontaudit_search_var_lib(mailserver_delivery)
+')
+
+optional_policy(`
postfix_rw_inherited_master_pipes(mailserver_delivery)
')
diff --git a/policy/modules/contrib/munin.te b/policy/modules/contrib/munin.te
index 16f15ddd..fba6470b 100644
--- a/policy/modules/contrib/munin.te
+++ b/policy/modules/contrib/munin.te
@@ -1,4 +1,4 @@
-policy_module(munin, 1.12.0)
+policy_module(munin, 1.12.1)
########################################
#
@@ -385,6 +385,7 @@ optional_policy(`
# System local policy
#
+allow system_munin_plugin_t self:capability net_admin;
allow system_munin_plugin_t self:udp_socket create_socket_perms;
rw_files_pattern(system_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
@@ -399,6 +400,8 @@ dev_read_urand(system_munin_plugin_t)
domain_read_all_domains_state(system_munin_plugin_t)
+files_read_usr_files(system_munin_plugin_t)
+
init_read_utmp(system_munin_plugin_t)
logging_search_logs(system_munin_plugin_t)
diff --git a/policy/modules/contrib/ntp.te b/policy/modules/contrib/ntp.te
index aae4f194..89b31bf3 100644
--- a/policy/modules/contrib/ntp.te
+++ b/policy/modules/contrib/ntp.te
@@ -1,4 +1,4 @@
-policy_module(ntp, 1.16.3)
+policy_module(ntp, 1.16.4)
########################################
#
@@ -71,7 +71,7 @@ files_var_filetrans(ntpd_t, ntp_drift_t, file)
read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
read_lnk_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
-allow ntpd_t ntpd_lock_t:file write_file_perms;
+allow ntpd_t ntpd_lock_t:file rw_file_perms;
allow ntpd_t ntpd_log_t:dir setattr_dir_perms;
append_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
diff --git a/policy/modules/contrib/rtkit.te b/policy/modules/contrib/rtkit.te
index c5e77836..cfee1a14 100644
--- a/policy/modules/contrib/rtkit.te
+++ b/policy/modules/contrib/rtkit.te
@@ -1,4 +1,4 @@
-policy_module(rtkit, 1.5.0)
+policy_module(rtkit, 1.5.1)
########################################
#
@@ -30,12 +30,16 @@ domain_read_all_domains_state(rtkit_daemon_t)
fs_rw_anon_inodefs_files(rtkit_daemon_t)
+selinux_getattr_fs(rtkit_daemon_t)
+
auth_use_nsswitch(rtkit_daemon_t)
logging_send_syslog_msg(rtkit_daemon_t)
miscfiles_read_localization(rtkit_daemon_t)
+seutil_search_default_contexts(rtkit_daemon_t)
+
optional_policy(`
dbus_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t)
diff --git a/policy/modules/contrib/smartmon.te b/policy/modules/contrib/smartmon.te
index 4a7cafa7..1ad706c7 100644
--- a/policy/modules/contrib/smartmon.te
+++ b/policy/modules/contrib/smartmon.te
@@ -1,4 +1,4 @@
-policy_module(smartmon, 1.14.0)
+policy_module(smartmon, 1.14.1)
########################################
#
@@ -69,6 +69,7 @@ files_exec_etc_files(fsdaemon_t)
files_read_etc_files(fsdaemon_t)
files_read_etc_runtime_files(fsdaemon_t)
files_read_usr_files(fsdaemon_t)
+files_search_var_lib(fsdaemon_t)
fs_getattr_all_fs(fsdaemon_t)
fs_search_auto_mountpoints(fsdaemon_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-04-10 16:59 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2017-04-10 16:59 UTC (permalink / raw
To: gentoo-commits
commit: b283816112a221d3ef0381b117b0261f24b1e7f4
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Thu Apr 6 20:59:03 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Apr 10 16:42:08 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b2838161
Misc fc changes from Russell Coker.
policy/modules/contrib/acct.fc | 2 --
policy/modules/contrib/acct.te | 2 +-
policy/modules/contrib/apache.fc | 1 +
policy/modules/contrib/apache.te | 2 +-
policy/modules/contrib/apt.fc | 1 +
policy/modules/contrib/apt.te | 2 +-
policy/modules/contrib/dirmngr.fc | 1 +
policy/modules/contrib/dirmngr.te | 2 +-
policy/modules/contrib/dpkg.fc | 1 +
policy/modules/contrib/dpkg.te | 2 +-
10 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/policy/modules/contrib/acct.fc b/policy/modules/contrib/acct.fc
index 8a4f7efd..204e5375 100644
--- a/policy/modules/contrib/acct.fc
+++ b/policy/modules/contrib/acct.fc
@@ -1,5 +1,3 @@
-/etc/cron\.(daily|monthly)/acct -- gen_context(system_u:object_r:acct_exec_t,s0)
-
/etc/rc\.d/init\.d/psacct -- gen_context(system_u:object_r:acct_initrc_exec_t,s0)
/usr/sbin/accton -- gen_context(system_u:object_r:acct_exec_t,s0)
diff --git a/policy/modules/contrib/acct.te b/policy/modules/contrib/acct.te
index aca9d80b..fb2e1ebe 100644
--- a/policy/modules/contrib/acct.te
+++ b/policy/modules/contrib/acct.te
@@ -1,4 +1,4 @@
-policy_module(acct, 1.7.1)
+policy_module(acct, 1.7.2)
########################################
#
diff --git a/policy/modules/contrib/apache.fc b/policy/modules/contrib/apache.fc
index 5fded37a..591c8ad2 100644
--- a/policy/modules/contrib/apache.fc
+++ b/policy/modules/contrib/apache.fc
@@ -85,6 +85,7 @@ ifdef(`distro_suse',`
/usr/share/mythtv/data(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/ntop/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/postfixadmin/templates_c(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/wordpress/.*\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
/usr/share/wordpress-mu/wp-config\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index 1d8b1140..628b4156 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -1,4 +1,4 @@
-policy_module(apache, 2.12.2)
+policy_module(apache, 2.12.3)
########################################
#
diff --git a/policy/modules/contrib/apt.fc b/policy/modules/contrib/apt.fc
index 7b208016..92db84d6 100644
--- a/policy/modules/contrib/apt.fc
+++ b/policy/modules/contrib/apt.fc
@@ -14,6 +14,7 @@ ifndef(`distro_redhat',`
/var/lib/apt(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
/var/lib/aptitude(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
+/var/lib/apt-xapian-inde(x)(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
/var/lock/aptitude gen_context(system_u:object_r:apt_lock_t,s0)
diff --git a/policy/modules/contrib/apt.te b/policy/modules/contrib/apt.te
index 3c7d9b2d..05197c4c 100644
--- a/policy/modules/contrib/apt.te
+++ b/policy/modules/contrib/apt.te
@@ -1,4 +1,4 @@
-policy_module(apt, 1.10.0)
+policy_module(apt, 1.10.1)
########################################
#
diff --git a/policy/modules/contrib/dirmngr.fc b/policy/modules/contrib/dirmngr.fc
index 8d97f2e6..a0f261c9 100644
--- a/policy/modules/contrib/dirmngr.fc
+++ b/policy/modules/contrib/dirmngr.fc
@@ -7,6 +7,7 @@
/var/log/dirmngr(/.*)? gen_context(system_u:object_r:dirmngr_log_t,s0)
/var/lib/dirmngr(/.*)? gen_context(system_u:object_r:dirmngr_var_lib_t,s0)
+/var/cache/dirmngr(/.*)? gen_context(system_u:object_r:dirmngr_var_lib_t,s0)
/run/dirmngr\.pid -- gen_context(system_u:object_r:dirmngr_var_run_t,s0)
diff --git a/policy/modules/contrib/dirmngr.te b/policy/modules/contrib/dirmngr.te
index df4963bc..23f40456 100644
--- a/policy/modules/contrib/dirmngr.te
+++ b/policy/modules/contrib/dirmngr.te
@@ -1,4 +1,4 @@
-policy_module(dirmngr, 1.2.0)
+policy_module(dirmngr, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/dpkg.fc b/policy/modules/contrib/dpkg.fc
index eec3c487..ad87459f 100644
--- a/policy/modules/contrib/dpkg.fc
+++ b/policy/modules/contrib/dpkg.fc
@@ -4,6 +4,7 @@
/usr/bin/dpkg -- gen_context(system_u:object_r:dpkg_exec_t,s0)
/usr/bin/dselect -- gen_context(system_u:object_r:dpkg_exec_t,s0)
+/var/lib/debtags(/.*)? gen_context(system_u:object_r:dpkg_var_lib_t,s0)
/var/lib/dpkg(/.*)? gen_context(system_u:object_r:dpkg_var_lib_t,s0)
/var/lib/dpkg/(meth)?lock -- gen_context(system_u:object_r:dpkg_lock_t,s0)
diff --git a/policy/modules/contrib/dpkg.te b/policy/modules/contrib/dpkg.te
index e7e50372..51ae8c36 100644
--- a/policy/modules/contrib/dpkg.te
+++ b/policy/modules/contrib/dpkg.te
@@ -1,4 +1,4 @@
-policy_module(dpkg, 1.11.2)
+policy_module(dpkg, 1.11.3)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-04-10 16:59 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2017-04-10 16:59 UTC (permalink / raw
To: gentoo-commits
commit: a973b8969f85d4148a3a2adad6bd2bfd06c0a4ec
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Thu Apr 6 21:37:31 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Apr 10 16:42:40 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a973b896
Systemd-related changes from Russell Coker.
policy/modules/contrib/apache.te | 6 +++++-
policy/modules/contrib/cron.te | 17 ++++++++++++++++-
policy/modules/contrib/dbus.if | 4 ++++
policy/modules/contrib/dbus.te | 9 ++++++++-
policy/modules/contrib/devicekit.te | 3 ++-
policy/modules/contrib/dpkg.te | 11 ++---------
policy/modules/contrib/logrotate.te | 14 ++++++++++++--
policy/modules/contrib/mta.te | 3 ++-
policy/modules/contrib/networkmanager.te | 6 +++++-
policy/modules/contrib/ntp.fc | 3 +++
policy/modules/contrib/ntp.if | 9 +++++++++
policy/modules/contrib/ntp.te | 25 ++++++++++++++++++++++++-
policy/modules/contrib/policykit.te | 13 ++++++++++++-
13 files changed, 104 insertions(+), 19 deletions(-)
diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index 628b4156..b418338c 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -1,4 +1,4 @@
-policy_module(apache, 2.12.3)
+policy_module(apache, 2.12.4)
########################################
#
@@ -544,6 +544,10 @@ ifdef(`hide_broken_symptoms',`
libs_exec_lib_files(httpd_t)
')
+ifdef(`init_systemd', `
+ systemd_use_passwd_agent(httpd_t)
+')
+
tunable_policy(`allow_httpd_anon_write',`
miscfiles_manage_public_files(httpd_t)
')
diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te
index b51524a4..5cb7dac1 100644
--- a/policy/modules/contrib/cron.te
+++ b/policy/modules/contrib/cron.te
@@ -1,4 +1,4 @@
-policy_module(cron, 2.11.2)
+policy_module(cron, 2.11.3)
gen_require(`
class passwd rootok;
@@ -304,6 +304,10 @@ selinux_compute_user_contexts(crond_t)
init_read_state(crond_t)
init_rw_utmp(crond_t)
init_spec_domtrans_script(crond_t)
+init_stop_all_units(system_cronjob_t)
+init_start_all_units(system_cronjob_t)
+init_get_generic_units_status(system_cronjob_t)
+init_get_system_status(system_cronjob_t)
auth_domtrans_chk_passwd(crond_t)
auth_manage_var_auth(crond_t)
@@ -417,6 +421,17 @@ optional_policy(`
')
optional_policy(`
+ systemd_write_inherited_logind_sessions_pipes(crond_t)
+')
+
+optional_policy(`
+ systemd_dbus_chat_logind(system_cronjob_t)
+ systemd_write_inherited_logind_sessions_pipes(system_cronjob_t)
+ # so cron jobs can restart daemons
+ init_stream_connect(system_cronjob_t)
+')
+
+optional_policy(`
udev_read_db(crond_t)
')
diff --git a/policy/modules/contrib/dbus.if b/policy/modules/contrib/dbus.if
index e06f20d6..3893df7c 100644
--- a/policy/modules/contrib/dbus.if
+++ b/policy/modules/contrib/dbus.if
@@ -94,6 +94,10 @@ template(`dbus_role_template',`
xdg_read_data_home_files($1_dbusd_t)
')
')
+
+ optional_policy(`
+ systemd_read_logind_pids($1_dbusd_t)
+ ')
')
#######################################
diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index 941d2f47..579b2230 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -1,4 +1,4 @@
-policy_module(dbus, 1.22.4)
+policy_module(dbus, 1.22.5)
gen_require(`
class dbus all_dbus_perms;
@@ -150,6 +150,13 @@ ifdef(`distro_gentoo',`
')
optional_policy(`
+ # for /run/systemd/users/*
+ systemd_read_logind_pids(system_dbusd_t)
+ systemd_write_inherited_logind_sessions_pipes(system_dbusd_t)
+ systemd_write_logind_pid_pipes(system_dbusd_t)
+')
+
+optional_policy(`
bluetooth_stream_connect(system_dbusd_t)
')
diff --git a/policy/modules/contrib/devicekit.te b/policy/modules/contrib/devicekit.te
index 458afb08..83e0fabd 100644
--- a/policy/modules/contrib/devicekit.te
+++ b/policy/modules/contrib/devicekit.te
@@ -1,4 +1,4 @@
-policy_module(devicekit, 1.6.2)
+policy_module(devicekit, 1.6.3)
########################################
#
@@ -261,6 +261,7 @@ auth_use_nsswitch(devicekit_power_t)
init_all_labeled_script_domtrans(devicekit_power_t)
init_read_utmp(devicekit_power_t)
+init_search_run(devicekit_power_t)
miscfiles_read_localization(devicekit_power_t)
diff --git a/policy/modules/contrib/dpkg.te b/policy/modules/contrib/dpkg.te
index 51ae8c36..3ea9e3e0 100644
--- a/policy/modules/contrib/dpkg.te
+++ b/policy/modules/contrib/dpkg.te
@@ -1,4 +1,4 @@
-policy_module(dpkg, 1.11.3)
+policy_module(dpkg, 1.11.4)
########################################
#
@@ -229,7 +229,6 @@ kernel_read_system_state(dpkg_script_t)
corecmd_exec_all_executables(dpkg_script_t)
-dev_manage_null_service(dpkg_script_t)
dev_list_sysfs(dpkg_script_t)
# Use named file transition to fix this
# dev_manage_generic_blk_files(dpkg_script_t)
@@ -276,16 +275,10 @@ files_manage_non_auth_files(dpkg_script_t)
auth_manage_shadow(dpkg_script_t)
init_all_labeled_script_domtrans(dpkg_script_t)
-init_get_generic_units_status(dpkg_script_t)
init_use_script_fds(dpkg_script_t)
-init_get_system_status(dpkg_script_t)
-init_start_generic_units(dpkg_script_t)
-init_stop_generic_units(dpkg_script_t)
-init_reload(dpkg_script_t)
-init_stop_system(dpkg_script_t)
-init_telinit(dpkg_script_t)
init_manage_script_service(dpkg_script_t)
init_startstop_all_script_services(dpkg_script_t)
+init_admin(dpkg_script_t)
libs_exec_ld_so(dpkg_script_t)
libs_exec_lib_files(dpkg_script_t)
diff --git a/policy/modules/contrib/logrotate.te b/policy/modules/contrib/logrotate.te
index c43440ee..ec338fb6 100644
--- a/policy/modules/contrib/logrotate.te
+++ b/policy/modules/contrib/logrotate.te
@@ -1,4 +1,4 @@
-policy_module(logrotate, 1.18.1)
+policy_module(logrotate, 1.18.2)
########################################
#
@@ -37,7 +37,7 @@ role system_r types logrotate_mail_t;
#
allow logrotate_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_nice sys_resource };
-allow logrotate_t self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap };
+allow logrotate_t self:process ~{ ptrace setcurrent setexec execmem execstack execheap };
allow logrotate_t self:fd use;
allow logrotate_t self:key manage_key_perms;
allow logrotate_t self:fifo_file rw_fifo_file_perms;
@@ -102,6 +102,11 @@ auth_manage_login_records(logrotate_t)
auth_use_nsswitch(logrotate_t)
init_all_labeled_script_domtrans(logrotate_t)
+init_get_generic_units_status(logrotate_t)
+init_get_all_units_status(logrotate_t)
+init_dbus_chat(logrotate_t)
+init_stream_connect(logrotate_t)
+init_manage_all_units(logrotate_t)
logging_manage_all_logs(logrotate_t)
logging_send_syslog_msg(logrotate_t)
@@ -173,6 +178,11 @@ optional_policy(`
')
optional_policy(`
+ dbus_system_bus_client(logrotate_t)
+ init_write_pid_socket(logrotate_t)
+')
+
+optional_policy(`
fail2ban_stream_connect(logrotate_t)
')
diff --git a/policy/modules/contrib/mta.te b/policy/modules/contrib/mta.te
index 22308885..68f3e91f 100644
--- a/policy/modules/contrib/mta.te
+++ b/policy/modules/contrib/mta.te
@@ -1,4 +1,4 @@
-policy_module(mta, 2.8.3)
+policy_module(mta, 2.8.4)
########################################
#
@@ -200,6 +200,7 @@ term_dontaudit_use_unallocated_ttys(system_mail_t)
init_use_script_ptys(system_mail_t)
init_use_fds(system_mail_t)
+init_rw_stream_sockets(system_mail_t)
userdom_use_user_terminals(system_mail_t)
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index e7bc8487..99002c12 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -1,4 +1,4 @@
-policy_module(networkmanager, 1.20.3)
+policy_module(networkmanager, 1.20.4)
########################################
#
@@ -345,6 +345,10 @@ optional_policy(`
')
optional_policy(`
+ systemd_read_logind_sessions_files(NetworkManager_t)
+')
+
+optional_policy(`
udev_exec(NetworkManager_t)
udev_read_db(NetworkManager_t)
udev_read_pid_files(NetworkManager_t)
diff --git a/policy/modules/contrib/ntp.fc b/policy/modules/contrib/ntp.fc
index 756241da..67c2b883 100644
--- a/policy/modules/contrib/ntp.fc
+++ b/policy/modules/contrib/ntp.fc
@@ -15,6 +15,8 @@
/usr/lib/systemd/ntp-units\.d/.* -- gen_context(system_u:object_r:ntpd_unit_t,s0)
/usr/lib/systemd/system/ntpd.*\.service -- gen_context(system_u:object_r:ntpd_unit_t,s0)
+/usr/lib/systemd/systemd-timedated -- gen_context(system_u:object_r:ntpd_exec_t,s0)
+/usr/lib/systemd/systemd-timesyncd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
/usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
/usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
@@ -23,6 +25,7 @@
/var/db/ntp-kod -- gen_context(system_u:object_r:ntp_drift_t,s0)
/var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
/var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
+/var/lib/systemd/clock -- gen_context(system_u:object_r:ntp_drift_t,s0)
/var/lock/ntpdate -- gen_context(system_u:object_r:ntpd_lock_t,s0)
diff --git a/policy/modules/contrib/ntp.if b/policy/modules/contrib/ntp.if
index 8bbb2aa3..31f71108 100644
--- a/policy/modules/contrib/ntp.if
+++ b/policy/modules/contrib/ntp.if
@@ -223,6 +223,15 @@ interface(`ntp_admin',`
admin_pattern($1, ntpd_pid_t)
ntp_run($1, $2)
+
+ ifdef(`init_systemd',`
+ gen_require(`
+ class dbus send_msg;
+ ')
+
+ allow $1 ntpd_t:dbus send_msg;
+ allow ntpd_t $1:dbus send_msg;
+ ')
')
# This should be in an ifdef distro_gentoo but that is not allowed in if files
diff --git a/policy/modules/contrib/ntp.te b/policy/modules/contrib/ntp.te
index 9af1ad5f..aae4f194 100644
--- a/policy/modules/contrib/ntp.te
+++ b/policy/modules/contrib/ntp.te
@@ -1,4 +1,4 @@
-policy_module(ntp, 1.16.2)
+policy_module(ntp, 1.16.3)
########################################
#
@@ -144,6 +144,29 @@ miscfiles_read_localization(ntpd_t)
userdom_dontaudit_use_unpriv_user_fds(ntpd_t)
userdom_list_user_home_dirs(ntpd_t)
+ifdef(`init_systemd',`
+ dbus_system_bus_client(ntpd_t)
+ dbus_connect_system_bus(ntpd_t)
+ init_dbus_chat(ntpd_t)
+ init_get_system_status(ntpd_t)
+ allow ntpd_t self:capability { fowner setpcap };
+ init_reload(ntpd_t)
+
+ # for /var/lib/systemd/clock
+ init_list_var_lib_dirs(ntpd_t)
+
+ # for /run/systemd/netif/links
+ init_list_pids(ntpd_t)
+
+ optional_policy(`
+ unconfined_dbus_send(ntpd_t)
+ ')
+')
+
+optional_policy(`
+ clock_read_adjtime(ntpd_t)
+')
+
optional_policy(`
cron_system_entry(ntpd_t, ntpdate_exec_t)
')
diff --git a/policy/modules/contrib/policykit.te b/policy/modules/contrib/policykit.te
index 21ab30e7..d7686081 100644
--- a/policy/modules/contrib/policykit.te
+++ b/policy/modules/contrib/policykit.te
@@ -1,4 +1,4 @@
-policy_module(policykit, 1.6.0)
+policy_module(policykit, 1.6.1)
########################################
#
@@ -131,6 +131,17 @@ optional_policy(`
kerberos_tmp_filetrans_host_rcache(policykit_t, file, "host_0")
')
+optional_policy(`
+ # for /run/systemd/machines
+ systemd_read_machines(policykit_t)
+
+ # for /run/systemd/seats/seat*
+ systemd_read_logind_sessions_files(policykit_t)
+
+ # for /run/systemd/users/*
+ systemd_read_logind_pids(policykit_t)
+')
+
########################################
#
# Auth local policy
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-03-30 17:09 Jason Zaman
2017-03-30 17:06 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2017-03-30 17:09 UTC (permalink / raw
To: gentoo-commits
commit: ca6c38b25c5f3187b4ef72253548e944f4e515c0
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Mar 25 17:24:42 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Mar 30 14:00:10 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ca6c38b2
Module version bump for monit patch from cgzones.
policy/modules/contrib/logrotate.te | 2 +-
policy/modules/contrib/monit.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/logrotate.te b/policy/modules/contrib/logrotate.te
index 65765f63..c43440ee 100644
--- a/policy/modules/contrib/logrotate.te
+++ b/policy/modules/contrib/logrotate.te
@@ -1,4 +1,4 @@
-policy_module(logrotate, 1.18.0)
+policy_module(logrotate, 1.18.1)
########################################
#
diff --git a/policy/modules/contrib/monit.te b/policy/modules/contrib/monit.te
index feedbd7e..3f929253 100644
--- a/policy/modules/contrib/monit.te
+++ b/policy/modules/contrib/monit.te
@@ -1,4 +1,4 @@
-policy_module(monit, 1.0.1)
+policy_module(monit, 1.0.2)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2017-03-30 17:09 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
@ 2017-03-30 17:06 ` Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-03-30 17:06 UTC (permalink / raw
To: gentoo-commits
commit: ca6c38b25c5f3187b4ef72253548e944f4e515c0
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Mar 25 17:24:42 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Mar 30 14:00:10 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ca6c38b2
Module version bump for monit patch from cgzones.
policy/modules/contrib/logrotate.te | 2 +-
policy/modules/contrib/monit.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/logrotate.te b/policy/modules/contrib/logrotate.te
index 65765f63..c43440ee 100644
--- a/policy/modules/contrib/logrotate.te
+++ b/policy/modules/contrib/logrotate.te
@@ -1,4 +1,4 @@
-policy_module(logrotate, 1.18.0)
+policy_module(logrotate, 1.18.1)
########################################
#
diff --git a/policy/modules/contrib/monit.te b/policy/modules/contrib/monit.te
index feedbd7e..3f929253 100644
--- a/policy/modules/contrib/monit.te
+++ b/policy/modules/contrib/monit.te
@@ -1,4 +1,4 @@
-policy_module(monit, 1.0.1)
+policy_module(monit, 1.0.2)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-03-30 17:09 Jason Zaman
2017-03-30 17:06 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2017-03-30 17:09 UTC (permalink / raw
To: gentoo-commits
commit: 0f32cb056a8ed3e2b619202c03a9d2db6b9dace2
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Mar 30 15:23:08 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Mar 30 15:23:08 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0f32cb05
phpfpm: corecmd_read_bin_symlinks is deprecated
policy/modules/contrib/phpfpm.te | 1 -
1 file changed, 1 deletion(-)
diff --git a/policy/modules/contrib/phpfpm.te b/policy/modules/contrib/phpfpm.te
index 89ed6c9e..826ba859 100644
--- a/policy/modules/contrib/phpfpm.te
+++ b/policy/modules/contrib/phpfpm.te
@@ -52,7 +52,6 @@ manage_sock_files_pattern(phpfpm_t, phpfpm_var_run_t, phpfpm_var_run_t)
kernel_read_kernel_sysctls(phpfpm_t)
-corecmd_read_bin_symlinks(phpfpm_t)
corecmd_search_bin(phpfpm_t)
corenet_tcp_bind_all_unreserved_ports(phpfpm_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-03-30 17:09 Jason Zaman
2017-03-30 17:06 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2017-03-30 17:09 UTC (permalink / raw
To: gentoo-commits
commit: 0575eea1a7dfe550051c45678d2b1d98b3b91805
Author: cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Tue Mar 14 14:14:05 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Mar 30 14:00:10 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0575eea1
remove /var/run file context lefovers, add dbus exception
policy/modules/contrib/dbus.fc | 17 ++++++++++-------
policy/modules/contrib/iodine.fc | 4 ++--
policy/modules/contrib/mon.fc | 12 ++++++------
policy/modules/contrib/qemu.fc | 6 +++---
4 files changed, 21 insertions(+), 18 deletions(-)
diff --git a/policy/modules/contrib/dbus.fc b/policy/modules/contrib/dbus.fc
index c7baa6ba..725276de 100644
--- a/policy/modules/contrib/dbus.fc
+++ b/policy/modules/contrib/dbus.fc
@@ -1,8 +1,11 @@
-HOME_DIR/\.dbus(/.*)? gen_context(system_u:object_r:session_dbusd_home_t,s0)
+HOME_DIR/\.dbus(/.*)? gen_context(system_u:object_r:session_dbusd_home_t,s0)
-/etc/dbus-.*(/.*)? gen_context(system_u:object_r:dbusd_etc_t,s0)
+/etc/dbus-.*(/.*)? gen_context(system_u:object_r:dbusd_etc_t,s0)
-/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+/run/messagebus\.pid -- gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+
+/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0)
/usr/lib/dbus-.*/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
@@ -11,9 +14,9 @@ HOME_DIR/\.dbus(/.*)? gen_context(system_u:object_r:session_dbusd_home_t,s0)
/usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
-/var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0)
+/var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0)
-/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
-/run/messagebus\.pid -- gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+/var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
-/var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+# /var/run prefix exception; https://dbus.freedesktop.org/doc/dbus-specification.html#idm2461
+/var/run/dbus/system_bus_socket gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
diff --git a/policy/modules/contrib/iodine.fc b/policy/modules/contrib/iodine.fc
index 42a24aaf..53b6a139 100644
--- a/policy/modules/contrib/iodine.fc
+++ b/policy/modules/contrib/iodine.fc
@@ -1,5 +1,5 @@
/etc/rc\.d/init\.d/((iodined)|(iodine-server)) -- gen_context(system_u:object_r:iodined_initrc_exec_t,s0)
-/usr/sbin/iodined -- gen_context(system_u:object_r:iodined_exec_t,s0)
+/run/iodine(/.*)? gen_context(system_u:object_r:iodined_var_run_t,s0)
-/var/run/iodine(/.*)? gen_context(system_u:object_r:iodined_var_run_t,s0)
+/usr/sbin/iodined -- gen_context(system_u:object_r:iodined_exec_t,s0)
diff --git a/policy/modules/contrib/mon.fc b/policy/modules/contrib/mon.fc
index fa179dd8..c92575b4 100644
--- a/policy/modules/contrib/mon.fc
+++ b/policy/modules/contrib/mon.fc
@@ -1,11 +1,11 @@
-/usr/lib/mon/mon.d/.* -- gen_context(system_u:object_r:mon_net_test_exec_t,s0)
-/usr/lib/mon/mon-local.d/.* -- gen_context(system_u:object_r:mon_local_test_exec_t,s0)
-/usr/lib/mon-contrib/mon.d/.* -- gen_context(system_u:object_r:mon_net_test_exec_t,s0)
-/usr/lib/mon-contrib/mon-local.d/.* -- gen_context(system_u:object_r:mon_local_test_exec_t,s0)
+/run/mon(/.*)? gen_context(system_u:object_r:mon_var_run_t,s0)
-/usr/sbin/mon -- gen_context(system_u:object_r:mon_exec_t,s0)
+/usr/lib/mon/mon.d/.* -- gen_context(system_u:object_r:mon_net_test_exec_t,s0)
+/usr/lib/mon/mon-local.d/.* -- gen_context(system_u:object_r:mon_local_test_exec_t,s0)
+/usr/lib/mon-contrib/mon.d/.* -- gen_context(system_u:object_r:mon_net_test_exec_t,s0)
+/usr/lib/mon-contrib/mon-local.d/.* -- gen_context(system_u:object_r:mon_local_test_exec_t,s0)
-/var/run/mon(/.*)? gen_context(system_u:object_r:mon_var_run_t,s0)
+/usr/sbin/mon -- gen_context(system_u:object_r:mon_exec_t,s0)
/var/lib/mon(/.*)? gen_context(system_u:object_r:mon_var_lib_t,s0)
/var/log/mon(/.*)? gen_context(system_u:object_r:mon_var_log_t,s0)
diff --git a/policy/modules/contrib/qemu.fc b/policy/modules/contrib/qemu.fc
index 122ca70f..1fc79800 100644
--- a/policy/modules/contrib/qemu.fc
+++ b/policy/modules/contrib/qemu.fc
@@ -1,4 +1,6 @@
-/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0)
+/run/xen/qmp.* -- gen_context(system_u:object_r:qemu_var_run_t,s0)
+
+/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0)
/usr/bin/qemu-system-.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
/usr/bin/kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
@@ -7,8 +9,6 @@
/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
-/var/run/xen/qmp.* -- gen_context(system_u:object_r:qemu_var_run_t,s0)
-
ifdef(`distro_gentoo',`
/usr/bin/qemu-ga -- gen_context(system_u:object_r:qemu_ga_exec_t,s0)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2017-03-30 17:09 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
@ 2017-03-30 17:06 ` Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-03-30 17:06 UTC (permalink / raw
To: gentoo-commits
commit: 0575eea1a7dfe550051c45678d2b1d98b3b91805
Author: cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Tue Mar 14 14:14:05 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Mar 30 14:00:10 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0575eea1
remove /var/run file context lefovers, add dbus exception
policy/modules/contrib/dbus.fc | 17 ++++++++++-------
policy/modules/contrib/iodine.fc | 4 ++--
policy/modules/contrib/mon.fc | 12 ++++++------
policy/modules/contrib/qemu.fc | 6 +++---
4 files changed, 21 insertions(+), 18 deletions(-)
diff --git a/policy/modules/contrib/dbus.fc b/policy/modules/contrib/dbus.fc
index c7baa6ba..725276de 100644
--- a/policy/modules/contrib/dbus.fc
+++ b/policy/modules/contrib/dbus.fc
@@ -1,8 +1,11 @@
-HOME_DIR/\.dbus(/.*)? gen_context(system_u:object_r:session_dbusd_home_t,s0)
+HOME_DIR/\.dbus(/.*)? gen_context(system_u:object_r:session_dbusd_home_t,s0)
-/etc/dbus-.*(/.*)? gen_context(system_u:object_r:dbusd_etc_t,s0)
+/etc/dbus-.*(/.*)? gen_context(system_u:object_r:dbusd_etc_t,s0)
-/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+/run/messagebus\.pid -- gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+
+/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0)
/usr/lib/dbus-.*/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
@@ -11,9 +14,9 @@ HOME_DIR/\.dbus(/.*)? gen_context(system_u:object_r:session_dbusd_home_t,s0)
/usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
-/var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0)
+/var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0)
-/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
-/run/messagebus\.pid -- gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+/var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
-/var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+# /var/run prefix exception; https://dbus.freedesktop.org/doc/dbus-specification.html#idm2461
+/var/run/dbus/system_bus_socket gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
diff --git a/policy/modules/contrib/iodine.fc b/policy/modules/contrib/iodine.fc
index 42a24aaf..53b6a139 100644
--- a/policy/modules/contrib/iodine.fc
+++ b/policy/modules/contrib/iodine.fc
@@ -1,5 +1,5 @@
/etc/rc\.d/init\.d/((iodined)|(iodine-server)) -- gen_context(system_u:object_r:iodined_initrc_exec_t,s0)
-/usr/sbin/iodined -- gen_context(system_u:object_r:iodined_exec_t,s0)
+/run/iodine(/.*)? gen_context(system_u:object_r:iodined_var_run_t,s0)
-/var/run/iodine(/.*)? gen_context(system_u:object_r:iodined_var_run_t,s0)
+/usr/sbin/iodined -- gen_context(system_u:object_r:iodined_exec_t,s0)
diff --git a/policy/modules/contrib/mon.fc b/policy/modules/contrib/mon.fc
index fa179dd8..c92575b4 100644
--- a/policy/modules/contrib/mon.fc
+++ b/policy/modules/contrib/mon.fc
@@ -1,11 +1,11 @@
-/usr/lib/mon/mon.d/.* -- gen_context(system_u:object_r:mon_net_test_exec_t,s0)
-/usr/lib/mon/mon-local.d/.* -- gen_context(system_u:object_r:mon_local_test_exec_t,s0)
-/usr/lib/mon-contrib/mon.d/.* -- gen_context(system_u:object_r:mon_net_test_exec_t,s0)
-/usr/lib/mon-contrib/mon-local.d/.* -- gen_context(system_u:object_r:mon_local_test_exec_t,s0)
+/run/mon(/.*)? gen_context(system_u:object_r:mon_var_run_t,s0)
-/usr/sbin/mon -- gen_context(system_u:object_r:mon_exec_t,s0)
+/usr/lib/mon/mon.d/.* -- gen_context(system_u:object_r:mon_net_test_exec_t,s0)
+/usr/lib/mon/mon-local.d/.* -- gen_context(system_u:object_r:mon_local_test_exec_t,s0)
+/usr/lib/mon-contrib/mon.d/.* -- gen_context(system_u:object_r:mon_net_test_exec_t,s0)
+/usr/lib/mon-contrib/mon-local.d/.* -- gen_context(system_u:object_r:mon_local_test_exec_t,s0)
-/var/run/mon(/.*)? gen_context(system_u:object_r:mon_var_run_t,s0)
+/usr/sbin/mon -- gen_context(system_u:object_r:mon_exec_t,s0)
/var/lib/mon(/.*)? gen_context(system_u:object_r:mon_var_lib_t,s0)
/var/log/mon(/.*)? gen_context(system_u:object_r:mon_var_log_t,s0)
diff --git a/policy/modules/contrib/qemu.fc b/policy/modules/contrib/qemu.fc
index 122ca70f..1fc79800 100644
--- a/policy/modules/contrib/qemu.fc
+++ b/policy/modules/contrib/qemu.fc
@@ -1,4 +1,6 @@
-/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0)
+/run/xen/qmp.* -- gen_context(system_u:object_r:qemu_var_run_t,s0)
+
+/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0)
/usr/bin/qemu-system-.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
/usr/bin/kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
@@ -7,8 +9,6 @@
/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
-/var/run/xen/qmp.* -- gen_context(system_u:object_r:qemu_var_run_t,s0)
-
ifdef(`distro_gentoo',`
/usr/bin/qemu-ga -- gen_context(system_u:object_r:qemu_ga_exec_t,s0)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-03-30 17:09 Jason Zaman
2017-03-30 17:06 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2017-03-30 17:09 UTC (permalink / raw
To: gentoo-commits
commit: 63a3fc2863f04cafbd4f160861133e064764b0d4
Author: cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Tue Mar 14 15:01:16 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Mar 30 14:00:10 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=63a3fc28
monit: add syslog access and support for monit systemd service
policy/modules/contrib/monit.if | 8 ++++----
policy/modules/contrib/monit.te | 3 +++
2 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/policy/modules/contrib/monit.if b/policy/modules/contrib/monit.if
index 6107ef9d..d249dfbd 100644
--- a/policy/modules/contrib/monit.if
+++ b/policy/modules/contrib/monit.if
@@ -58,10 +58,10 @@ interface(`monit_run_cli',`
interface(`monit_reload',`
gen_require(`
class service { reload status };
- type monit_initrc_exec_t;
+ type monit_initrc_exec_t, monit_unit_t;
')
- allow $1 monit_initrc_exec_t:service { reload status };
+ allow $1 { monit_initrc_exec_t monit_unit_t }:service { reload status };
')
########################################
@@ -77,10 +77,10 @@ interface(`monit_reload',`
interface(`monit_startstop_service',`
gen_require(`
class service { start status stop };
- type monit_initrc_exec_t;
+ type monit_initrc_exec_t, monit_unit_t;
')
- allow $1 monit_initrc_exec_t:service { start status stop };
+ allow $1 { monit_initrc_exec_t monit_unit_t }:service { start status stop };
')
########################################
diff --git a/policy/modules/contrib/monit.te b/policy/modules/contrib/monit.te
index 470c44f4..feedbd7e 100644
--- a/policy/modules/contrib/monit.te
+++ b/policy/modules/contrib/monit.te
@@ -88,6 +88,7 @@ dontaudit monit_t self:capability net_admin;
allow monit_t self:fifo_file rw_fifo_file_perms;
allow monit_t self:rawip_socket connected_socket_perms;
allow monit_t self:tcp_socket server_stream_socket_perms;
+allow monit_t self:unix_dgram_socket { connect create };
allow monit_t monit_log_t:file { create read_file_perms append_file_perms };
logging_log_filetrans(monit_t, monit_log_t, file)
@@ -111,6 +112,8 @@ domain_read_all_domains_state(monit_t)
files_read_all_pids(monit_t)
+logging_send_syslog_msg(monit_t)
+
ifdef(`hide_broken_symptoms',`
# kernel bug: https://github.com/SELinuxProject/selinux-kernel/issues/6
dontaudit monit_t self:capability dac_override;
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2017-03-30 17:09 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
@ 2017-03-30 17:06 ` Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-03-30 17:06 UTC (permalink / raw
To: gentoo-commits
commit: 63a3fc2863f04cafbd4f160861133e064764b0d4
Author: cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Tue Mar 14 15:01:16 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Mar 30 14:00:10 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=63a3fc28
monit: add syslog access and support for monit systemd service
policy/modules/contrib/monit.if | 8 ++++----
policy/modules/contrib/monit.te | 3 +++
2 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/policy/modules/contrib/monit.if b/policy/modules/contrib/monit.if
index 6107ef9d..d249dfbd 100644
--- a/policy/modules/contrib/monit.if
+++ b/policy/modules/contrib/monit.if
@@ -58,10 +58,10 @@ interface(`monit_run_cli',`
interface(`monit_reload',`
gen_require(`
class service { reload status };
- type monit_initrc_exec_t;
+ type monit_initrc_exec_t, monit_unit_t;
')
- allow $1 monit_initrc_exec_t:service { reload status };
+ allow $1 { monit_initrc_exec_t monit_unit_t }:service { reload status };
')
########################################
@@ -77,10 +77,10 @@ interface(`monit_reload',`
interface(`monit_startstop_service',`
gen_require(`
class service { start status stop };
- type monit_initrc_exec_t;
+ type monit_initrc_exec_t, monit_unit_t;
')
- allow $1 monit_initrc_exec_t:service { start status stop };
+ allow $1 { monit_initrc_exec_t monit_unit_t }:service { start status stop };
')
########################################
diff --git a/policy/modules/contrib/monit.te b/policy/modules/contrib/monit.te
index 470c44f4..feedbd7e 100644
--- a/policy/modules/contrib/monit.te
+++ b/policy/modules/contrib/monit.te
@@ -88,6 +88,7 @@ dontaudit monit_t self:capability net_admin;
allow monit_t self:fifo_file rw_fifo_file_perms;
allow monit_t self:rawip_socket connected_socket_perms;
allow monit_t self:tcp_socket server_stream_socket_perms;
+allow monit_t self:unix_dgram_socket { connect create };
allow monit_t monit_log_t:file { create read_file_perms append_file_perms };
logging_log_filetrans(monit_t, monit_log_t, file)
@@ -111,6 +112,8 @@ domain_read_all_domains_state(monit_t)
files_read_all_pids(monit_t)
+logging_send_syslog_msg(monit_t)
+
ifdef(`hide_broken_symptoms',`
# kernel bug: https://github.com/SELinuxProject/selinux-kernel/issues/6
dontaudit monit_t self:capability dac_override;
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-03-30 17:09 Jason Zaman
2017-03-30 17:06 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2017-03-30 17:09 UTC (permalink / raw
To: gentoo-commits
commit: 7778cfae1f95b32eb4b244dd4c0721fda21b0cf6
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Mar 18 13:14:38 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Mar 30 14:00:10 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7778cfae
Module version bump for fixes from cgzones.
policy/modules/contrib/dbus.te | 2 +-
policy/modules/contrib/iodine.te | 2 +-
policy/modules/contrib/mon.te | 2 +-
policy/modules/contrib/qemu.te | 2 +-
policy/modules/contrib/vnstatd.te | 2 +-
5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index 6e011919..f307ddec 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -1,4 +1,4 @@
-policy_module(dbus, 1.22.2)
+policy_module(dbus, 1.22.3)
gen_require(`
class dbus all_dbus_perms;
diff --git a/policy/modules/contrib/iodine.te b/policy/modules/contrib/iodine.te
index 11ef68f9..b316ec5b 100644
--- a/policy/modules/contrib/iodine.te
+++ b/policy/modules/contrib/iodine.te
@@ -1,4 +1,4 @@
-policy_module(iodine, 1.2.1)
+policy_module(iodine, 1.2.2)
########################################
#
diff --git a/policy/modules/contrib/mon.te b/policy/modules/contrib/mon.te
index 1a9d2a1a..5db41833 100644
--- a/policy/modules/contrib/mon.te
+++ b/policy/modules/contrib/mon.te
@@ -1,4 +1,4 @@
-policy_module(mon, 1.0.1)
+policy_module(mon, 1.0.2)
########################################
#
diff --git a/policy/modules/contrib/qemu.te b/policy/modules/contrib/qemu.te
index 2183147c..6581907a 100644
--- a/policy/modules/contrib/qemu.te
+++ b/policy/modules/contrib/qemu.te
@@ -1,4 +1,4 @@
-policy_module(qemu, 1.9.1)
+policy_module(qemu, 1.9.2)
########################################
#
diff --git a/policy/modules/contrib/vnstatd.te b/policy/modules/contrib/vnstatd.te
index 69a93d0b..ee8ae063 100644
--- a/policy/modules/contrib/vnstatd.te
+++ b/policy/modules/contrib/vnstatd.te
@@ -1,4 +1,4 @@
-policy_module(vnstatd, 1.3.1)
+policy_module(vnstatd, 1.3.2)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2017-03-30 17:09 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
@ 2017-03-30 17:06 ` Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-03-30 17:06 UTC (permalink / raw
To: gentoo-commits
commit: 7778cfae1f95b32eb4b244dd4c0721fda21b0cf6
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Mar 18 13:14:38 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Mar 30 14:00:10 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7778cfae
Module version bump for fixes from cgzones.
policy/modules/contrib/dbus.te | 2 +-
policy/modules/contrib/iodine.te | 2 +-
policy/modules/contrib/mon.te | 2 +-
policy/modules/contrib/qemu.te | 2 +-
policy/modules/contrib/vnstatd.te | 2 +-
5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index 6e011919..f307ddec 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -1,4 +1,4 @@
-policy_module(dbus, 1.22.2)
+policy_module(dbus, 1.22.3)
gen_require(`
class dbus all_dbus_perms;
diff --git a/policy/modules/contrib/iodine.te b/policy/modules/contrib/iodine.te
index 11ef68f9..b316ec5b 100644
--- a/policy/modules/contrib/iodine.te
+++ b/policy/modules/contrib/iodine.te
@@ -1,4 +1,4 @@
-policy_module(iodine, 1.2.1)
+policy_module(iodine, 1.2.2)
########################################
#
diff --git a/policy/modules/contrib/mon.te b/policy/modules/contrib/mon.te
index 1a9d2a1a..5db41833 100644
--- a/policy/modules/contrib/mon.te
+++ b/policy/modules/contrib/mon.te
@@ -1,4 +1,4 @@
-policy_module(mon, 1.0.1)
+policy_module(mon, 1.0.2)
########################################
#
diff --git a/policy/modules/contrib/qemu.te b/policy/modules/contrib/qemu.te
index 2183147c..6581907a 100644
--- a/policy/modules/contrib/qemu.te
+++ b/policy/modules/contrib/qemu.te
@@ -1,4 +1,4 @@
-policy_module(qemu, 1.9.1)
+policy_module(qemu, 1.9.2)
########################################
#
diff --git a/policy/modules/contrib/vnstatd.te b/policy/modules/contrib/vnstatd.te
index 69a93d0b..ee8ae063 100644
--- a/policy/modules/contrib/vnstatd.te
+++ b/policy/modules/contrib/vnstatd.te
@@ -1,4 +1,4 @@
-policy_module(vnstatd, 1.3.1)
+policy_module(vnstatd, 1.3.2)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-03-30 17:06 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-03-30 17:06 UTC (permalink / raw
To: gentoo-commits
commit: cb4a7621007fc2b4bfd34fd5952c151cfa3e82c3
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Mar 30 16:50:15 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Mar 30 16:50:39 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cb4a7621
android: add new rules for adb
policy/modules/contrib/android.te | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/policy/modules/contrib/android.te b/policy/modules/contrib/android.te
index 9b3d010f..5c2681c2 100644
--- a/policy/modules/contrib/android.te
+++ b/policy/modules/contrib/android.te
@@ -56,6 +56,8 @@ files_tmp_filetrans(android_tools_t, android_tmp_t, { file dir })
manage_dirs_pattern(android_tools_t, android_tmp_t, android_tmp_t)
manage_files_pattern(android_tools_t, android_tmp_t, android_tmp_t)
+corecmd_list_bin(android_tools_t)
+
corenet_tcp_bind_adb_port(android_tools_t)
corenet_tcp_bind_generic_node(android_tools_t)
corenet_tcp_connect_adb_port(android_tools_t)
@@ -63,11 +65,15 @@ corenet_tcp_connect_adb_port(android_tools_t)
dev_read_sysfs(android_tools_t)
dev_rw_generic_usb_dev(android_tools_t)
+files_read_etc_files(android_tools_t)
+
userdom_manage_user_home_content_dirs(android_tools_t)
userdom_manage_user_home_content_files(android_tools_t)
userdom_search_user_home_content(android_tools_t)
userdom_use_user_terminals(android_tools_t)
+sysnet_dns_name_resolve(android_tools_t)
+
############################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-03-30 17:06 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-03-30 17:06 UTC (permalink / raw
To: gentoo-commits
commit: 2b2cac1a93616e2362475161b8ce8b821850ad8c
Author: cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Thu Mar 9 12:26:36 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Mar 30 13:58:39 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2b2cac1a
logrotate: reload monit after log rotation
policy/modules/contrib/logrotate.te | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/policy/modules/contrib/logrotate.te b/policy/modules/contrib/logrotate.te
index 1179568b..65765f63 100644
--- a/policy/modules/contrib/logrotate.te
+++ b/policy/modules/contrib/logrotate.te
@@ -195,6 +195,11 @@ optional_policy(`
')
optional_policy(`
+ # reload after log rotation
+ monit_reload(logrotate_t)
+')
+
+optional_policy(`
munin_read_config(logrotate_t)
munin_stream_connect(logrotate_t)
munin_search_lib(logrotate_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-03-30 17:06 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-03-30 17:06 UTC (permalink / raw
To: gentoo-commits
commit: 997b61a104f916f9883d5dfdc2e3510ecc7f3d61
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Mar 25 16:31:20 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Mar 30 14:00:10 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=997b61a1
dontaudit net_admin for SO_SNDBUFFORCE
The following patch adds dontaudit rules for where the net_admin capability
is requested due to SO_SNDBUFFORCE. This forces the caller to use SO_SNDBUF
which gives the same result but possibly a smaller buffer.
From Russell Coker
policy/modules/contrib/rpcbind.te | 4 +++-
policy/modules/contrib/tor.te | 4 +++-
2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/rpcbind.te b/policy/modules/contrib/rpcbind.te
index 8e752265..abe55b18 100644
--- a/policy/modules/contrib/rpcbind.te
+++ b/policy/modules/contrib/rpcbind.te
@@ -1,4 +1,4 @@
-policy_module(rpcbind, 1.11.1)
+policy_module(rpcbind, 1.11.2)
########################################
#
@@ -26,6 +26,8 @@ files_type(rpcbind_var_lib_t)
#
allow rpcbind_t self:capability { dac_override setgid setuid sys_tty_config };
+# net_admin is for SO_SNDBUFFORCE
+dontaudit rpcbind_t self:capability net_admin;
allow rpcbind_t self:fifo_file rw_fifo_file_perms;
allow rpcbind_t self:unix_stream_socket { accept listen };
allow rpcbind_t self:tcp_socket { accept listen };
diff --git a/policy/modules/contrib/tor.te b/policy/modules/contrib/tor.te
index a68e5d9e..3b48ba5e 100644
--- a/policy/modules/contrib/tor.te
+++ b/policy/modules/contrib/tor.te
@@ -1,4 +1,4 @@
-policy_module(tor, 1.13.1)
+policy_module(tor, 1.13.2)
########################################
#
@@ -42,6 +42,8 @@ init_daemon_pid_file(tor_var_run_t, dir, "tor")
#
allow tor_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid sys_tty_config };
+# net_admin is for SO_SNDBUFFORCE
+dontaudit tor_t self:capability net_admin;
allow tor_t self:process signal;
allow tor_t self:fifo_file rw_fifo_file_perms;
allow tor_t self:unix_stream_socket { accept listen };
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-03-30 17:06 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-03-30 17:06 UTC (permalink / raw
To: gentoo-commits
commit: 2c0da71cc910b4b69b6be4565771b2da18df9254
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Mar 12 20:36:34 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Mar 30 13:58:39 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2c0da71c
Module version bump for dphysswapfile and mandb fixes from cgzones.
policy/modules/contrib/dphysswapfile.te | 2 +-
policy/modules/contrib/mandb.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/dphysswapfile.te b/policy/modules/contrib/dphysswapfile.te
index cb3d194f..5a308095 100644
--- a/policy/modules/contrib/dphysswapfile.te
+++ b/policy/modules/contrib/dphysswapfile.te
@@ -1,4 +1,4 @@
-policy_module(dphysswapfile, 1.0.1)
+policy_module(dphysswapfile, 1.0.2)
########################################
#
diff --git a/policy/modules/contrib/mandb.te b/policy/modules/contrib/mandb.te
index 0358aaff..62684374 100644
--- a/policy/modules/contrib/mandb.te
+++ b/policy/modules/contrib/mandb.te
@@ -1,4 +1,4 @@
-policy_module(mandb, 1.3.0)
+policy_module(mandb, 1.3.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-03-30 17:06 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-03-30 17:06 UTC (permalink / raw
To: gentoo-commits
commit: 9c069ad294b09ac28ca1fe83ff999e77975c3cd0
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Mar 25 16:55:52 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Mar 30 14:00:10 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9c069ad2
/var/run -> /run again
Here's the latest version of my patch to remove all /var/run when it's not
needed. I have removed the subst thing from the patch, but kept a
distro_debian bit that relies on it. So with this patch the policy won't
install if you build it with distro_debian unless you have my subst patch.
Chris, if your automated tests require that it build and install with
distro_debian then skip the patch for sysnetwork.fc.
From Russell Coker
policy/modules/contrib/dbus.fc | 4 ++++
policy/modules/contrib/dbus.te | 2 +-
2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/dbus.fc b/policy/modules/contrib/dbus.fc
index 725276de..c2a15358 100644
--- a/policy/modules/contrib/dbus.fc
+++ b/policy/modules/contrib/dbus.fc
@@ -20,3 +20,7 @@ HOME_DIR/\.dbus(/.*)? gen_context(system_u:object_r:session_dbusd_home_t,s0)
# /var/run prefix exception; https://dbus.freedesktop.org/doc/dbus-specification.html#idm2461
/var/run/dbus/system_bus_socket gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+
+ifdef(`distro_debian',`
+/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+')
diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index f307ddec..941d2f47 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -1,4 +1,4 @@
-policy_module(dbus, 1.22.3)
+policy_module(dbus, 1.22.4)
gen_require(`
class dbus all_dbus_perms;
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-03-30 17:06 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-03-30 17:06 UTC (permalink / raw
To: gentoo-commits
commit: 66330450e5ece7ebc512aae878d224b772efd252
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Tue Mar 28 22:50:35 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Mar 30 14:00:10 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=66330450
systemd-resolvd, sessions, and tmpfiles take2
I believe that I have addressed all the issues Chris raised, so here's a newer
version of the patch which applies to today's git version.
Description: systemd-resolved, sessions, and tmpfiles patches
Author: Russell Coker <russell <AT> coker.com.au>
Last-Update: 2017-03-26
policy/modules/contrib/xfs.if | 19 +++++++++++++++++++
policy/modules/contrib/xfs.te | 2 +-
2 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/xfs.if b/policy/modules/contrib/xfs.if
index 19934060..1aafbbc1 100644
--- a/policy/modules/contrib/xfs.if
+++ b/policy/modules/contrib/xfs.if
@@ -60,6 +60,25 @@ interface(`xfs_exec',`
########################################
## <summary>
+## Create xfs temporary dirs
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xfs_create_tmp_dirs',`
+ gen_require(`
+ type xfs_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 xfs_tmp_t:dir create;
+')
+
+########################################
+## <summary>
## All of the rules required to
## administrate an xfs environment.
## </summary>
diff --git a/policy/modules/contrib/xfs.te b/policy/modules/contrib/xfs.te
index 3fc2a1bf..839f15cf 100644
--- a/policy/modules/contrib/xfs.te
+++ b/policy/modules/contrib/xfs.te
@@ -1,4 +1,4 @@
-policy_module(xfs, 1.9.0)
+policy_module(xfs, 1.9.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-03-30 17:06 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-03-30 17:06 UTC (permalink / raw
To: gentoo-commits
commit: 1280d65a50cf19804497f782146cdf7a18715bf5
Author: cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Sat Feb 18 21:47:11 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Mar 30 13:58:38 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1280d65a
modutils: adopt calls to new interfaces
policy/modules/contrib/aiccu.te | 2 +-
policy/modules/contrib/anaconda.te | 3 +--
policy/modules/contrib/apm.te | 2 +-
policy/modules/contrib/devicekit.te | 2 +-
policy/modules/contrib/dpkg.te | 7 +++----
policy/modules/contrib/firewalld.te | 2 +-
policy/modules/contrib/firstboot.te | 3 +--
policy/modules/contrib/hal.te | 2 +-
policy/modules/contrib/jockey.te | 2 +-
policy/modules/contrib/kdump.te | 2 +-
policy/modules/contrib/kudzu.te | 2 +-
policy/modules/contrib/ncftool.te | 2 +-
policy/modules/contrib/networkmanager.te | 2 +-
policy/modules/contrib/pcmcia.te | 2 +-
policy/modules/contrib/portage.te | 3 +--
policy/modules/contrib/ppp.te | 2 +-
policy/modules/contrib/ricci.te | 2 +-
policy/modules/contrib/rpm.te | 3 +--
policy/modules/contrib/shorewall.te | 2 +-
policy/modules/contrib/updfstab.te | 2 +-
policy/modules/contrib/usernetctl.te | 2 +-
policy/modules/contrib/vmware.te | 2 +-
22 files changed, 24 insertions(+), 29 deletions(-)
diff --git a/policy/modules/contrib/aiccu.te b/policy/modules/contrib/aiccu.te
index 78c86532..27168e12 100644
--- a/policy/modules/contrib/aiccu.te
+++ b/policy/modules/contrib/aiccu.te
@@ -67,7 +67,7 @@ logging_send_syslog_msg(aiccu_t)
miscfiles_read_localization(aiccu_t)
optional_policy(`
- modutils_domtrans_insmod(aiccu_t)
+ modutils_domtrans(aiccu_t)
')
optional_policy(`
diff --git a/policy/modules/contrib/anaconda.te b/policy/modules/contrib/anaconda.te
index aa44abfe..009c772f 100644
--- a/policy/modules/contrib/anaconda.te
+++ b/policy/modules/contrib/anaconda.te
@@ -30,8 +30,7 @@ init_domtrans_script(anaconda_t)
logging_send_syslog_msg(anaconda_t)
-modutils_domtrans_insmod(anaconda_t)
-modutils_domtrans_depmod(anaconda_t)
+modutils_domtrans(anaconda_t)
seutil_domtrans_semanage(anaconda_t)
diff --git a/policy/modules/contrib/apm.te b/policy/modules/contrib/apm.te
index c5647460..ede687d5 100644
--- a/policy/modules/contrib/apm.te
+++ b/policy/modules/contrib/apm.te
@@ -144,7 +144,7 @@ logging_send_syslog_msg(apmd_t)
miscfiles_read_localization(apmd_t)
miscfiles_read_hwdata(apmd_t)
-modutils_domtrans_insmod(apmd_t)
+modutils_domtrans(apmd_t)
modutils_read_module_config(apmd_t)
seutil_dontaudit_read_config(apmd_t)
diff --git a/policy/modules/contrib/devicekit.te b/policy/modules/contrib/devicekit.te
index 82ce25c3..baf9349c 100644
--- a/policy/modules/contrib/devicekit.te
+++ b/policy/modules/contrib/devicekit.te
@@ -315,7 +315,7 @@ optional_policy(`
')
optional_policy(`
- modutils_domtrans_insmod(devicekit_power_t)
+ modutils_domtrans(devicekit_power_t)
')
optional_policy(`
diff --git a/policy/modules/contrib/dpkg.te b/policy/modules/contrib/dpkg.te
index cc7f9dbb..5cc6ce3e 100644
--- a/policy/modules/contrib/dpkg.te
+++ b/policy/modules/contrib/dpkg.te
@@ -179,13 +179,13 @@ optional_policy(`
')
optional_policy(`
- modutils_run_depmod(dpkg_t, dpkg_roles)
- modutils_run_insmod(dpkg_t, dpkg_roles)
+ modutils_run(dpkg_t, dpkg_roles)
')
optional_policy(`
mta_send_mail(dpkg_t)
')
+
optional_policy(`
usermanage_run_groupadd(dpkg_t, dpkg_roles)
usermanage_run_useradd(dpkg_t, dpkg_roles)
@@ -314,8 +314,7 @@ optional_policy(`
')
optional_policy(`
- modutils_run_depmod(dpkg_script_t, dpkg_roles)
- modutils_run_insmod(dpkg_script_t, dpkg_roles)
+ modutils_run(dpkg_script_t, dpkg_roles)
')
optional_policy(`
diff --git a/policy/modules/contrib/firewalld.te b/policy/modules/contrib/firewalld.te
index 6ae370b7..991a1d65 100644
--- a/policy/modules/contrib/firewalld.te
+++ b/policy/modules/contrib/firewalld.te
@@ -101,7 +101,7 @@ optional_policy(`
')
optional_policy(`
- modutils_domtrans_insmod(firewalld_t)
+ modutils_domtrans(firewalld_t)
')
optional_policy(`
diff --git a/policy/modules/contrib/firstboot.te b/policy/modules/contrib/firstboot.te
index 5010f04e..3c39c258 100644
--- a/policy/modules/contrib/firstboot.te
+++ b/policy/modules/contrib/firstboot.te
@@ -95,8 +95,7 @@ optional_policy(`
')
optional_policy(`
- modutils_domtrans_insmod(firstboot_t)
- modutils_domtrans_depmod(firstboot_t)
+ modutils_domtrans(firstboot_t)
modutils_read_module_config(firstboot_t)
modutils_read_module_deps(firstboot_t)
')
diff --git a/policy/modules/contrib/hal.te b/policy/modules/contrib/hal.te
index 31035d15..99cd1293 100644
--- a/policy/modules/contrib/hal.te
+++ b/policy/modules/contrib/hal.te
@@ -197,7 +197,7 @@ logging_send_syslog_msg(hald_t)
miscfiles_read_hwdata(hald_t)
-modutils_domtrans_insmod(hald_t)
+modutils_domtrans(hald_t)
modutils_read_module_deps(hald_t)
seutil_read_config(hald_t)
diff --git a/policy/modules/contrib/jockey.te b/policy/modules/contrib/jockey.te
index d59ec10a..8060276e 100644
--- a/policy/modules/contrib/jockey.te
+++ b/policy/modules/contrib/jockey.te
@@ -54,6 +54,6 @@ optional_policy(`
')
optional_policy(`
- modutils_domtrans_insmod(jockey_t)
+ modutils_domtrans(jockey_t)
modutils_read_module_config(jockey_t)
')
diff --git a/policy/modules/contrib/kdump.te b/policy/modules/contrib/kdump.te
index 9981dc55..ff9815b6 100644
--- a/policy/modules/contrib/kdump.te
+++ b/policy/modules/contrib/kdump.te
@@ -106,7 +106,7 @@ optional_policy(`
')
optional_policy(`
- modutils_domtrans_insmod(kdumpctl_t)
+ modutils_domtrans(kdumpctl_t)
modutils_read_module_config(kdumpctl_t)
')
diff --git a/policy/modules/contrib/kudzu.te b/policy/modules/contrib/kudzu.te
index 00b43648..8ff1088c 100644
--- a/policy/modules/contrib/kudzu.te
+++ b/policy/modules/contrib/kudzu.te
@@ -118,7 +118,7 @@ optional_policy(`
modutils_read_module_deps(kudzu_t)
modutils_rename_module_config(kudzu_t)
modutils_delete_module_config(kudzu_t)
- modutils_domtrans_insmod(kudzu_t)
+ modutils_domtrans(kudzu_t)
')
optional_policy(`
diff --git a/policy/modules/contrib/ncftool.te b/policy/modules/contrib/ncftool.te
index 71f30ba6..95c16bef 100644
--- a/policy/modules/contrib/ncftool.te
+++ b/policy/modules/contrib/ncftool.te
@@ -77,7 +77,7 @@ optional_policy(`
optional_policy(`
modutils_read_module_config(ncftool_t)
- modutils_run_insmod(ncftool_t, ncftool_roles)
+ modutils_run(ncftool_t, ncftool_roles)
')
optional_policy(`
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index 1e3237e5..caa8bcfd 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -285,7 +285,7 @@ optional_policy(`
')
optional_policy(`
- modutils_domtrans_insmod(NetworkManager_t)
+ modutils_domtrans(NetworkManager_t)
')
optional_policy(`
diff --git a/policy/modules/contrib/pcmcia.te b/policy/modules/contrib/pcmcia.te
index 230f1f00..c1dd9490 100644
--- a/policy/modules/contrib/pcmcia.te
+++ b/policy/modules/contrib/pcmcia.te
@@ -90,7 +90,7 @@ logging_send_syslog_msg(cardmgr_t)
miscfiles_read_localization(cardmgr_t)
-modutils_domtrans_insmod(cardmgr_t)
+modutils_domtrans(cardmgr_t)
sysnet_domtrans_ifconfig(cardmgr_t)
sysnet_etc_filetrans_config(cardmgr_t)
diff --git a/policy/modules/contrib/portage.te b/policy/modules/contrib/portage.te
index 114a0fe4..e5c1cb9d 100644
--- a/policy/modules/contrib/portage.te
+++ b/policy/modules/contrib/portage.te
@@ -222,8 +222,7 @@ optional_policy(`
')
optional_policy(`
- modutils_run_depmod(portage_t, portage_roles)
- modutils_run_update_mods(portage_t, portage_roles)
+ modutils_run(portage_t, portage_roles)
#dontaudit update_modules_t portage_tmp_t:dir search_dir_perms;
')
diff --git a/policy/modules/contrib/ppp.te b/policy/modules/contrib/ppp.te
index 740e03fc..7b9093af 100644
--- a/policy/modules/contrib/ppp.te
+++ b/policy/modules/contrib/ppp.te
@@ -193,7 +193,7 @@ optional_policy(`
optional_policy(`
tunable_policy(`pppd_can_insmod',`
- modutils_domtrans_insmod(pppd_t)
+ modutils_domtrans(pppd_t)
')
')
diff --git a/policy/modules/contrib/ricci.te b/policy/modules/contrib/ricci.te
index 326d7b85..12b6bcc6 100644
--- a/policy/modules/contrib/ricci.te
+++ b/policy/modules/contrib/ricci.te
@@ -255,7 +255,7 @@ optional_policy(`
')
optional_policy(`
- modutils_domtrans_insmod(ricci_modcluster_t)
+ modutils_domtrans(ricci_modcluster_t)
')
optional_policy(`
diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te
index 1b36d097..3f620534 100644
--- a/policy/modules/contrib/rpm.te
+++ b/policy/modules/contrib/rpm.te
@@ -350,8 +350,7 @@ logging_send_syslog_msg(rpm_script_t)
miscfiles_read_localization(rpm_script_t)
-modutils_run_depmod(rpm_script_t, rpm_roles)
-modutils_run_insmod(rpm_script_t, rpm_roles)
+modutils_run(rpm_script_t, rpm_roles)
seutil_run_loadpolicy(rpm_script_t, rpm_roles)
seutil_run_setfiles(rpm_script_t, rpm_roles)
diff --git a/policy/modules/contrib/shorewall.te b/policy/modules/contrib/shorewall.te
index 5e815dd8..3222f01c 100644
--- a/policy/modules/contrib/shorewall.te
+++ b/policy/modules/contrib/shorewall.te
@@ -106,7 +106,7 @@ optional_policy(`
')
optional_policy(`
- modutils_domtrans_insmod(shorewall_t)
+ modutils_domtrans(shorewall_t)
')
optional_policy(`
diff --git a/policy/modules/contrib/updfstab.te b/policy/modules/contrib/updfstab.te
index 5ceb9124..5aa33bfd 100644
--- a/policy/modules/contrib/updfstab.te
+++ b/policy/modules/contrib/updfstab.te
@@ -99,7 +99,7 @@ optional_policy(`
optional_policy(`
modutils_read_module_config(updfstab_t)
- modutils_exec_insmod(updfstab_t)
+ modutils_exec(updfstab_t)
modutils_read_module_deps(updfstab_t)
')
diff --git a/policy/modules/contrib/usernetctl.te b/policy/modules/contrib/usernetctl.te
index 3f774951..c5832ef2 100644
--- a/policy/modules/contrib/usernetctl.te
+++ b/policy/modules/contrib/usernetctl.te
@@ -70,7 +70,7 @@ optional_policy(`
')
optional_policy(`
- modutils_run_insmod(usernetctl_t, usernetctl_roles)
+ modutils_run(usernetctl_t, usernetctl_roles)
')
optional_policy(`
diff --git a/policy/modules/contrib/vmware.te b/policy/modules/contrib/vmware.te
index 59a32f5d..7dbcd40e 100644
--- a/policy/modules/contrib/vmware.te
+++ b/policy/modules/contrib/vmware.te
@@ -157,7 +157,7 @@ optional_policy(`
')
optional_policy(`
- modutils_domtrans_insmod(vmware_host_t)
+ modutils_domtrans(vmware_host_t)
')
optional_policy(`
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-03-30 17:06 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-03-30 17:06 UTC (permalink / raw
To: gentoo-commits
commit: b6371921229cf02860e383fe970d331ebcaad159
Author: cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Wed Mar 8 20:27:57 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Mar 30 13:58:38 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b6371921
monit: update
add monit cli policy and several interfaces
policy/modules/contrib/monit.fc | 6 +-
policy/modules/contrib/monit.if | 127 ++++++++++++++++++++++++++++++++++++-
policy/modules/contrib/monit.te | 134 ++++++++++++++++++++++++++--------------
3 files changed, 217 insertions(+), 50 deletions(-)
diff --git a/policy/modules/contrib/monit.fc b/policy/modules/contrib/monit.fc
index d47fa153..273aad3e 100644
--- a/policy/modules/contrib/monit.fc
+++ b/policy/modules/contrib/monit.fc
@@ -1,7 +1,8 @@
/etc/rc\.d/init\.d/monit -- gen_context(system_u:object_r:monit_initrc_exec_t,s9)
-/etc/monit(/.*)? gen_context(system_u:object_r:monit_etc_t,s0)
-/run/monit\.pid -- gen_context(system_u:object_r:monit_run_t,s0)
+/etc/monit(/.*)? gen_context(system_u:object_r:monit_conf_t,s0)
+
+/run/monit\.pid -- gen_context(system_u:object_r:monit_pid_t,s0)
/usr/bin/monit -- gen_context(system_u:object_r:monit_exec_t,s0)
@@ -10,4 +11,3 @@
/var/lib/monit(/.*)? gen_context(system_u:object_r:monit_var_lib_t,s0)
/var/log/monit\.log.* -- gen_context(system_u:object_r:monit_log_t,s0)
-
diff --git a/policy/modules/contrib/monit.if b/policy/modules/contrib/monit.if
index d387f435..6107ef9d 100644
--- a/policy/modules/contrib/monit.if
+++ b/policy/modules/contrib/monit.if
@@ -1 +1,126 @@
-## <summary>Monit system monitoring daemon</summary>
+## <summary>Monit - utility for monitoring services on a Unix system.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run monit cli.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`monit_domtrans_cli',`
+ gen_require(`
+ type monit_cli_t, monit_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, monit_exec_t, monit_cli_t)
+')
+
+########################################
+## <summary>
+## Execute monit in the monit cli domain,
+## and allow the specified role
+## the monit cli domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`monit_run_cli',`
+ gen_require(`
+ attribute_role monit_cli_roles;
+ ')
+
+ monit_domtrans_cli($1)
+ roleattribute $2 monit_cli_roles;
+')
+
+########################################
+## <summary>
+## Reload the monit daemon.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`monit_reload',`
+ gen_require(`
+ class service { reload status };
+ type monit_initrc_exec_t;
+ ')
+
+ allow $1 monit_initrc_exec_t:service { reload status };
+')
+
+########################################
+## <summary>
+## Start and stop the monit daemon.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`monit_startstop_service',`
+ gen_require(`
+ class service { start status stop };
+ type monit_initrc_exec_t;
+ ')
+
+ allow $1 monit_initrc_exec_t:service { start status stop };
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an monit environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`monit_admin',`
+ gen_require(`
+ type monit_t, monit_conf_t, monit_initrc_exec_t;
+ type monit_log_t, monit_pid_t;
+ type monit_unit_t, monit_var_lib_t;
+ ')
+
+ admin_process_pattern($1, monit_t)
+
+ init_startstop_service($1, $2, monit_t, monit_initrc_exec_t, monit_unit_t)
+
+ files_search_etc($1)
+ admin_pattern($1, monit_conf_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, monit_log_t)
+
+ files_search_pids($1)
+ admin_pattern($1, monit_pid_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, monit_var_lib_t)
+
+ monit_run_cli($1, $2)
+')
diff --git a/policy/modules/contrib/monit.te b/policy/modules/contrib/monit.te
index 14aeddcd..470c44f4 100644
--- a/policy/modules/contrib/monit.te
+++ b/policy/modules/contrib/monit.te
@@ -12,24 +12,29 @@ policy_module(monit, 1.0.1)
## </desc>
gen_tunable(monit_startstop_services, false)
-attribute_role monit_interactive_roles;
+attribute_role monit_cli_roles;
-type monit_t;
+attribute monit_domain;
+
+type monit_t, monit_domain;
type monit_exec_t;
init_daemon_domain(monit_t, monit_exec_t)
-type monit_etc_t;
-files_config_file(monit_etc_t)
-files_security_file(monit_etc_t) # may contain password for monit webinterface
+type monit_conf_t alias monit_etc_t;
+files_security_file(monit_conf_t) # may contain password for monit webinterface
type monit_initrc_exec_t;
init_script_file(monit_initrc_exec_t)
+type monit_cli_t, monit_domain;
+application_domain(monit_cli_t, monit_exec_t)
+role monit_cli_roles types monit_cli_t;
+
type monit_log_t;
logging_log_file(monit_log_t)
-type monit_run_t;
-files_pid_file(monit_run_t)
+type monit_pid_t alias monit_run_t;
+files_pid_file(monit_pid_t)
type monit_unit_t;
init_unit_file(monit_unit_t)
@@ -39,6 +44,37 @@ files_type(monit_var_lib_t)
########################################
#
+# Common monit domain policy
+#
+
+allow monit_domain self:unix_stream_socket create_stream_socket_perms;
+allow monit_domain monit_t:process { getpgid sigkill signal };
+
+allow monit_domain monit_conf_t:dir list_dir_perms;
+allow monit_domain monit_conf_t:file read_file_perms;
+allow monit_domain monit_conf_t:lnk_file read_lnk_file_perms;
+
+kernel_read_system_state(monit_domain)
+
+# can not use with attributes
+#auth_use_nsswitch(monit_domain)
+
+# read /sys/class/net/eth0 /sys/devices/system/cpu
+dev_read_sysfs(monit_domain)
+dev_read_urand(monit_domain)
+
+fs_getattr_dos_fs(monit_domain)
+fs_getattr_dos_dirs(monit_domain)
+fs_getattr_tmpfs(monit_domain)
+fs_getattr_xattr_fs(monit_domain)
+
+miscfiles_read_localization(monit_domain)
+
+# disk usage of sd card
+storage_getattr_removable_dev(monit_domain)
+
+########################################
+#
# Daemon policy
#
@@ -46,72 +82,78 @@ files_type(monit_var_lib_t)
# net_raw : create raw sockets
# sys_ptrace : trace processes
allow monit_t self:capability { dac_read_search net_raw sys_ptrace };
-# kernel bug
-dontaudit monit_t self:capability dac_override;
# setsockopt
dontaudit monit_t self:capability net_admin;
-allow monit_t self:process { getpgid sigkill signal };
allow monit_t self:fifo_file rw_fifo_file_perms;
-allow monit_t self:netlink_route_socket r_netlink_socket_perms;
allow monit_t self:rawip_socket connected_socket_perms;
-allow monit_t self:sem rw_sem_perms;
-allow monit_t self:tcp_socket create_stream_socket_perms;
-allow monit_t self:udp_socket create_socket_perms;
-allow monit_t self:unix_stream_socket create_stream_socket_perms;
-
-allow monit_t monit_etc_t:dir list_dir_perms;
-allow monit_t monit_etc_t:file read_file_perms;
-allow monit_t monit_etc_t:lnk_file read_lnk_file_perms;
+allow monit_t self:tcp_socket server_stream_socket_perms;
allow monit_t monit_log_t:file { create read_file_perms append_file_perms };
logging_log_filetrans(monit_t, monit_log_t, file)
-allow monit_t monit_run_t:file manage_file_perms;
-files_pid_filetrans(monit_t, monit_run_t, file)
+allow monit_t monit_pid_t:file manage_file_perms;
+files_pid_filetrans(monit_t, monit_pid_t, file)
allow monit_t monit_var_lib_t:dir manage_dir_perms;
allow monit_t monit_var_lib_t:file manage_file_perms;
-kernel_read_system_state(monit_t)
+auth_use_nsswitch(monit_t)
corecmd_exec_bin(monit_t)
+
corenet_tcp_bind_generic_node(monit_t)
corenet_tcp_bind_monit_port(monit_t)
corenet_tcp_connect_all_ports(monit_t)
-dev_read_sysfs(monit_t)
-dev_read_urand(monit_t)
-
domain_getpgid_all_domains(monit_t)
domain_read_all_domains_state(monit_t)
files_read_all_pids(monit_t)
-fs_getattr_dos_fs(monit_t)
-fs_getattr_tmpfs(monit_t)
-fs_getattr_xattr_fs(monit_t)
-fs_search_dos(monit_t)
-
-storage_getattr_fixed_disk_dev(monit_t)
-
-auth_use_nsswitch(monit_t)
-
-miscfiles_read_localization(monit_t)
-
-sysnet_read_config(monit_t)
+ifdef(`hide_broken_symptoms',`
+ # kernel bug: https://github.com/SELinuxProject/selinux-kernel/issues/6
+ dontaudit monit_t self:capability dac_override;
+')
-ifdef(`init_systemd',`
- tunable_policy(`monit_startstop_services',`
- init_get_all_units_status(monit_t)
- init_get_system_status(monit_t)
- init_startstop_all_script_services(monit_t)
- init_start_all_units(monit_t)
- init_stop_all_units(monit_t)
- init_stream_connect(monit_t)
- ')
+tunable_policy(`monit_startstop_services',`
+ init_get_all_units_status(monit_t)
+ init_get_system_status(monit_t)
+ init_start_all_units(monit_t)
+ init_stop_all_units(monit_t)
+ init_stream_connect(monit_t)
')
optional_policy(`
dbus_system_bus_client(monit_t)
')
+
+########################################
+#
+# Client policy
+#
+
+allow monit_cli_t monit_log_t:file { append_file_perms read_file_perms };
+
+allow monit_cli_t monit_pid_t:file rw_file_perms;
+
+allow monit_cli_t monit_var_lib_t:dir search_dir_perms;
+allow monit_cli_t monit_var_lib_t:file rw_file_perms;
+
+auth_use_nsswitch(monit_cli_t)
+
+corecmd_check_exec_bin_files(monit_cli_t)
+
+corenet_tcp_connect_monit_port(monit_cli_t)
+
+dev_read_rand(monit_cli_t)
+
+domain_use_interactive_fds(monit_cli_t)
+
+files_search_pids(monit_cli_t)
+files_search_var_lib(monit_cli_t)
+
+logging_search_logs(monit_cli_t)
+
+userdom_dontaudit_search_user_home_dirs(monit_cli_t)
+userdom_use_inherited_user_terminals(monit_cli_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-03-30 17:06 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-03-30 17:06 UTC (permalink / raw
To: gentoo-commits
commit: 0706c6d28350a9527ea67ae09b47fcf7ac3f0dc6
Author: cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Wed Mar 8 18:34:49 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Mar 30 13:58:38 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0706c6d2
vnstatd: update
use userdom_use_inherited_user_terminals()
deprecate interfaces:
- transition to daemon domain
- access to binary lib files
policy/modules/contrib/vnstatd.if | 10 ++++++++++
policy/modules/contrib/vnstatd.te | 2 +-
2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/vnstatd.if b/policy/modules/contrib/vnstatd.if
index 2d863cb2..ee614638 100644
--- a/policy/modules/contrib/vnstatd.if
+++ b/policy/modules/contrib/vnstatd.if
@@ -56,6 +56,8 @@ interface(`vnstatd_run_vnstat',`
## </param>
#
interface(`vnstatd_domtrans',`
+ refpolicywarn(`$0($*) has been deprecated')
+
gen_require(`
type vnstatd_t, vnstatd_exec_t;
')
@@ -75,6 +77,8 @@ interface(`vnstatd_domtrans',`
## </param>
#
interface(`vnstatd_search_lib',`
+ refpolicywarn(`$0($*) has been deprecated')
+
gen_require(`
type vnstatd_var_lib_t;
')
@@ -95,6 +99,8 @@ interface(`vnstatd_search_lib',`
## </param>
#
interface(`vnstatd_manage_lib_dirs',`
+ refpolicywarn(`$0($*) has been deprecated')
+
gen_require(`
type vnstatd_var_lib_t;
')
@@ -114,6 +120,8 @@ interface(`vnstatd_manage_lib_dirs',`
## </param>
#
interface(`vnstatd_read_lib_files',`
+ refpolicywarn(`$0($*) has been deprecated')
+
gen_require(`
type vnstatd_var_lib_t;
')
@@ -134,6 +142,8 @@ interface(`vnstatd_read_lib_files',`
## </param>
#
interface(`vnstatd_manage_lib_files',`
+ refpolicywarn(`$0($*) has been deprecated')
+
gen_require(`
type vnstatd_var_lib_t;
')
diff --git a/policy/modules/contrib/vnstatd.te b/policy/modules/contrib/vnstatd.te
index 46419e83..69a93d0b 100644
--- a/policy/modules/contrib/vnstatd.te
+++ b/policy/modules/contrib/vnstatd.te
@@ -91,7 +91,7 @@ miscfiles_read_localization(vnstat_t)
userdom_dontaudit_search_user_home_dirs(vnstat_t)
-userdom_use_user_terminals(vnstat_t)
+userdom_use_inherited_user_terminals(vnstat_t)
optional_policy(`
cron_system_entry(vnstat_t, vnstat_exec_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-03-30 17:06 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-03-30 17:06 UTC (permalink / raw
To: gentoo-commits
commit: 573e8b4182c51b02e9a80369e5e1d319431461c9
Author: cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Fri Mar 3 11:05:49 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Mar 30 13:58:38 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=573e8b41
corecmd_read_bin_symlinks(): remove deprecated and redundant calls
after the changes to corecmd_search_bin() corecmd_read_bin_symlinks() is deprecated
policy/modules/contrib/dbus.te | 1 -
policy/modules/contrib/mailman.te | 1 -
policy/modules/contrib/nagios.te | 2 --
policy/modules/contrib/postfix.te | 1 -
policy/modules/contrib/ppp.te | 1 -
policy/modules/contrib/prelink.te | 1 -
policy/modules/contrib/remotelogin.te | 1 -
policy/modules/contrib/rshd.te | 4 ++--
policy/modules/contrib/samhain.te | 1 -
policy/modules/contrib/screen.te | 1 -
policy/modules/contrib/vlock.te | 1 -
11 files changed, 2 insertions(+), 13 deletions(-)
diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index 78de2022..551fd2db 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -201,7 +201,6 @@ kernel_read_system_state(session_bus_type)
kernel_read_kernel_sysctls(session_bus_type)
corecmd_list_bin(session_bus_type)
-corecmd_read_bin_symlinks(session_bus_type)
corecmd_read_bin_files(session_bus_type)
corecmd_read_bin_pipes(session_bus_type)
corecmd_read_bin_sockets(session_bus_type)
diff --git a/policy/modules/contrib/mailman.te b/policy/modules/contrib/mailman.te
index 3de43d20..8282fcc4 100644
--- a/policy/modules/contrib/mailman.te
+++ b/policy/modules/contrib/mailman.te
@@ -241,7 +241,6 @@ kernel_read_system_state(mailman_queue_t)
auth_domtrans_chk_passwd(mailman_queue_t)
corecmd_read_bin_files(mailman_queue_t)
-corecmd_read_bin_symlinks(mailman_queue_t)
corenet_sendrecv_innd_client_packets(mailman_queue_t)
corenet_tcp_connect_innd_port(mailman_queue_t)
corenet_tcp_sendrecv_innd_port(mailman_queue_t)
diff --git a/policy/modules/contrib/nagios.te b/policy/modules/contrib/nagios.te
index de6a62cf..3f3a60ed 100644
--- a/policy/modules/contrib/nagios.te
+++ b/policy/modules/contrib/nagios.te
@@ -297,7 +297,6 @@ optional_policy(`
#
corecmd_read_bin_files(nagios_admin_plugin_t)
-corecmd_read_bin_symlinks(nagios_admin_plugin_t)
dev_getattr_all_chr_files(nagios_admin_plugin_t)
dev_getattr_all_blk_files(nagios_admin_plugin_t)
@@ -320,7 +319,6 @@ allow nagios_mail_plugin_t self:tcp_socket { accept listen };
kernel_read_kernel_sysctls(nagios_mail_plugin_t)
corecmd_read_bin_files(nagios_mail_plugin_t)
-corecmd_read_bin_symlinks(nagios_mail_plugin_t)
files_read_etc_files(nagios_mail_plugin_t)
diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te
index 94ac8471..564dd300 100644
--- a/policy/modules/contrib/postfix.te
+++ b/policy/modules/contrib/postfix.te
@@ -510,7 +510,6 @@ corenet_tcp_connect_all_ports(postfix_map_t)
corenet_tcp_sendrecv_all_ports(postfix_map_t)
corecmd_list_bin(postfix_map_t)
-corecmd_read_bin_symlinks(postfix_map_t)
corecmd_read_bin_files(postfix_map_t)
corecmd_read_bin_pipes(postfix_map_t)
corecmd_read_bin_sockets(postfix_map_t)
diff --git a/policy/modules/contrib/ppp.te b/policy/modules/contrib/ppp.te
index 1015b4ee..740e03fc 100644
--- a/policy/modules/contrib/ppp.te
+++ b/policy/modules/contrib/ppp.te
@@ -257,7 +257,6 @@ kernel_read_system_state(pptp_t)
kernel_signal(pptp_t)
corecmd_exec_shell(pptp_t)
-corecmd_read_bin_symlinks(pptp_t)
corenet_all_recvfrom_unlabeled(pptp_t)
corenet_all_recvfrom_netlabel(pptp_t)
diff --git a/policy/modules/contrib/prelink.te b/policy/modules/contrib/prelink.te
index 8e262163..d17ba24d 100644
--- a/policy/modules/contrib/prelink.te
+++ b/policy/modules/contrib/prelink.te
@@ -72,7 +72,6 @@ kernel_read_kernel_sysctls(prelink_t)
corecmd_manage_all_executables(prelink_t)
corecmd_relabel_all_executables(prelink_t)
corecmd_mmap_all_executables(prelink_t)
-corecmd_read_bin_symlinks(prelink_t)
dev_read_urand(prelink_t)
diff --git a/policy/modules/contrib/remotelogin.te b/policy/modules/contrib/remotelogin.te
index 3130db86..f88134ce 100644
--- a/policy/modules/contrib/remotelogin.te
+++ b/policy/modules/contrib/remotelogin.te
@@ -48,7 +48,6 @@ auth_rw_login_records(remote_login_t)
auth_rw_faillog(remote_login_t)
corecmd_list_bin(remote_login_t)
-corecmd_read_bin_symlinks(remote_login_t)
domain_read_all_entry_files(remote_login_t)
diff --git a/policy/modules/contrib/rshd.te b/policy/modules/contrib/rshd.te
index dc327424..1100ec75 100644
--- a/policy/modules/contrib/rshd.te
+++ b/policy/modules/contrib/rshd.te
@@ -27,6 +27,8 @@ allow rshd_t rshd_keytab_t:file read_file_perms;
kernel_read_kernel_sysctls(rshd_t)
+corecmd_search_bin(rshd_t)
+
corenet_all_recvfrom_unlabeled(rshd_t)
corenet_all_recvfrom_netlabel(rshd_t)
corenet_tcp_sendrecv_generic_if(rshd_t)
@@ -40,8 +42,6 @@ corenet_tcp_bind_all_rpc_ports(rshd_t)
corenet_tcp_connect_all_ports(rshd_t)
corenet_tcp_connect_all_rpc_ports(rshd_t)
-corecmd_read_bin_symlinks(rshd_t)
-
files_list_home(rshd_t)
logging_search_logs(rshd_t)
diff --git a/policy/modules/contrib/samhain.te b/policy/modules/contrib/samhain.te
index 865f9563..ef74778d 100644
--- a/policy/modules/contrib/samhain.te
+++ b/policy/modules/contrib/samhain.te
@@ -65,7 +65,6 @@ files_pid_filetrans(samhain_domain, samhain_var_run_t, file)
kernel_getattr_core_if(samhain_domain)
corecmd_list_bin(samhain_domain)
-corecmd_read_bin_symlinks(samhain_domain)
dev_read_urand(samhain_domain)
dev_dontaudit_read_rand(samhain_domain)
diff --git a/policy/modules/contrib/screen.te b/policy/modules/contrib/screen.te
index e376da59..e5b73a92 100644
--- a/policy/modules/contrib/screen.te
+++ b/policy/modules/contrib/screen.te
@@ -58,7 +58,6 @@ kernel_read_kernel_sysctls(screen_domain)
corecmd_list_bin(screen_domain)
corecmd_read_bin_files(screen_domain)
-corecmd_read_bin_symlinks(screen_domain)
corecmd_read_bin_pipes(screen_domain)
corecmd_read_bin_sockets(screen_domain)
diff --git a/policy/modules/contrib/vlock.te b/policy/modules/contrib/vlock.te
index d4094916..4c9ca7af 100644
--- a/policy/modules/contrib/vlock.te
+++ b/policy/modules/contrib/vlock.te
@@ -24,7 +24,6 @@ allow vlock_t self:fifo_file rw_fifo_file_perms;
kernel_read_system_state(vlock_t)
corecmd_list_bin(vlock_t)
-corecmd_read_bin_symlinks(vlock_t)
domain_use_interactive_fds(vlock_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-03-30 17:06 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-03-30 17:06 UTC (permalink / raw
To: gentoo-commits
commit: af9c5de4ade270e689e041c4c020d17454267fcb
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Mar 5 15:48:19 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Mar 30 13:58:38 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=af9c5de4
Module version bumps for fixes from cgzones.
policy/modules/contrib/aiccu.te | 2 +-
policy/modules/contrib/anaconda.te | 2 +-
policy/modules/contrib/apm.te | 2 +-
policy/modules/contrib/dbus.te | 2 +-
policy/modules/contrib/devicekit.te | 2 +-
policy/modules/contrib/dpkg.te | 2 +-
policy/modules/contrib/firewalld.te | 2 +-
policy/modules/contrib/firstboot.te | 2 +-
policy/modules/contrib/hal.te | 2 +-
policy/modules/contrib/jockey.te | 2 +-
policy/modules/contrib/kdump.te | 2 +-
policy/modules/contrib/kudzu.te | 2 +-
policy/modules/contrib/mailman.te | 2 +-
policy/modules/contrib/nagios.te | 2 +-
policy/modules/contrib/ncftool.te | 2 +-
policy/modules/contrib/networkmanager.te | 2 +-
policy/modules/contrib/pcmcia.te | 2 +-
policy/modules/contrib/portage.te | 2 +-
policy/modules/contrib/postfix.te | 2 +-
policy/modules/contrib/ppp.te | 2 +-
policy/modules/contrib/prelink.te | 2 +-
policy/modules/contrib/remotelogin.te | 2 +-
policy/modules/contrib/ricci.te | 2 +-
policy/modules/contrib/rpm.te | 2 +-
policy/modules/contrib/rshd.te | 2 +-
policy/modules/contrib/samhain.te | 2 +-
policy/modules/contrib/screen.te | 2 +-
policy/modules/contrib/shorewall.te | 2 +-
policy/modules/contrib/updfstab.te | 2 +-
policy/modules/contrib/usernetctl.te | 2 +-
policy/modules/contrib/vlock.te | 2 +-
policy/modules/contrib/vmware.te | 2 +-
32 files changed, 32 insertions(+), 32 deletions(-)
diff --git a/policy/modules/contrib/aiccu.te b/policy/modules/contrib/aiccu.te
index 27168e12..6202f38c 100644
--- a/policy/modules/contrib/aiccu.te
+++ b/policy/modules/contrib/aiccu.te
@@ -1,4 +1,4 @@
-policy_module(aiccu, 1.3.0)
+policy_module(aiccu, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/anaconda.te b/policy/modules/contrib/anaconda.te
index 009c772f..6f5418f6 100644
--- a/policy/modules/contrib/anaconda.te
+++ b/policy/modules/contrib/anaconda.te
@@ -1,4 +1,4 @@
-policy_module(anaconda, 1.7.0)
+policy_module(anaconda, 1.7.1)
gen_require(`
class passwd all_passwd_perms;
diff --git a/policy/modules/contrib/apm.te b/policy/modules/contrib/apm.te
index ede687d5..7f41a450 100644
--- a/policy/modules/contrib/apm.te
+++ b/policy/modules/contrib/apm.te
@@ -1,4 +1,4 @@
-policy_module(apm, 1.16.0)
+policy_module(apm, 1.16.1)
########################################
#
diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index 551fd2db..6e011919 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -1,4 +1,4 @@
-policy_module(dbus, 1.22.1)
+policy_module(dbus, 1.22.2)
gen_require(`
class dbus all_dbus_perms;
diff --git a/policy/modules/contrib/devicekit.te b/policy/modules/contrib/devicekit.te
index baf9349c..458afb08 100644
--- a/policy/modules/contrib/devicekit.te
+++ b/policy/modules/contrib/devicekit.te
@@ -1,4 +1,4 @@
-policy_module(devicekit, 1.6.1)
+policy_module(devicekit, 1.6.2)
########################################
#
diff --git a/policy/modules/contrib/dpkg.te b/policy/modules/contrib/dpkg.te
index 5cc6ce3e..e7e50372 100644
--- a/policy/modules/contrib/dpkg.te
+++ b/policy/modules/contrib/dpkg.te
@@ -1,4 +1,4 @@
-policy_module(dpkg, 1.11.1)
+policy_module(dpkg, 1.11.2)
########################################
#
diff --git a/policy/modules/contrib/firewalld.te b/policy/modules/contrib/firewalld.te
index 991a1d65..70f5fb43 100644
--- a/policy/modules/contrib/firewalld.te
+++ b/policy/modules/contrib/firewalld.te
@@ -1,4 +1,4 @@
-policy_module(firewalld, 1.5.0)
+policy_module(firewalld, 1.5.1)
########################################
#
diff --git a/policy/modules/contrib/firstboot.te b/policy/modules/contrib/firstboot.te
index 3c39c258..e5c5ecdb 100644
--- a/policy/modules/contrib/firstboot.te
+++ b/policy/modules/contrib/firstboot.te
@@ -1,4 +1,4 @@
-policy_module(firstboot, 1.13.0)
+policy_module(firstboot, 1.13.1)
gen_require(`
class passwd { passwd chfn chsh rootok };
diff --git a/policy/modules/contrib/hal.te b/policy/modules/contrib/hal.te
index 99cd1293..d260d697 100644
--- a/policy/modules/contrib/hal.te
+++ b/policy/modules/contrib/hal.te
@@ -1,4 +1,4 @@
-policy_module(hal, 1.17.0)
+policy_module(hal, 1.17.1)
########################################
#
diff --git a/policy/modules/contrib/jockey.te b/policy/modules/contrib/jockey.te
index 8060276e..be4deb65 100644
--- a/policy/modules/contrib/jockey.te
+++ b/policy/modules/contrib/jockey.te
@@ -1,4 +1,4 @@
-policy_module(jockey, 1.0.0)
+policy_module(jockey, 1.0.1)
########################################
#
diff --git a/policy/modules/contrib/kdump.te b/policy/modules/contrib/kdump.te
index ff9815b6..fb6f1378 100644
--- a/policy/modules/contrib/kdump.te
+++ b/policy/modules/contrib/kdump.te
@@ -1,4 +1,4 @@
-policy_module(kdump, 1.5.1)
+policy_module(kdump, 1.5.2)
#######################################
#
diff --git a/policy/modules/contrib/kudzu.te b/policy/modules/contrib/kudzu.te
index 8ff1088c..b1696618 100644
--- a/policy/modules/contrib/kudzu.te
+++ b/policy/modules/contrib/kudzu.te
@@ -1,4 +1,4 @@
-policy_module(kudzu, 1.12.1)
+policy_module(kudzu, 1.12.2)
########################################
#
diff --git a/policy/modules/contrib/mailman.te b/policy/modules/contrib/mailman.te
index 8282fcc4..ee5de49c 100644
--- a/policy/modules/contrib/mailman.te
+++ b/policy/modules/contrib/mailman.te
@@ -1,4 +1,4 @@
-policy_module(mailman, 1.12.1)
+policy_module(mailman, 1.12.2)
########################################
#
diff --git a/policy/modules/contrib/nagios.te b/policy/modules/contrib/nagios.te
index 3f3a60ed..15e98965 100644
--- a/policy/modules/contrib/nagios.te
+++ b/policy/modules/contrib/nagios.te
@@ -1,4 +1,4 @@
-policy_module(nagios, 1.15.1)
+policy_module(nagios, 1.15.2)
########################################
#
diff --git a/policy/modules/contrib/ncftool.te b/policy/modules/contrib/ncftool.te
index 95c16bef..736e159b 100644
--- a/policy/modules/contrib/ncftool.te
+++ b/policy/modules/contrib/ncftool.te
@@ -1,4 +1,4 @@
-policy_module(ncftool, 1.2.0)
+policy_module(ncftool, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index caa8bcfd..e7bc8487 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -1,4 +1,4 @@
-policy_module(networkmanager, 1.20.2)
+policy_module(networkmanager, 1.20.3)
########################################
#
diff --git a/policy/modules/contrib/pcmcia.te b/policy/modules/contrib/pcmcia.te
index c1dd9490..5d8ccb2f 100644
--- a/policy/modules/contrib/pcmcia.te
+++ b/policy/modules/contrib/pcmcia.te
@@ -1,4 +1,4 @@
-policy_module(pcmcia, 1.8.1)
+policy_module(pcmcia, 1.8.2)
########################################
#
diff --git a/policy/modules/contrib/portage.te b/policy/modules/contrib/portage.te
index e5c1cb9d..bf993155 100644
--- a/policy/modules/contrib/portage.te
+++ b/policy/modules/contrib/portage.te
@@ -1,4 +1,4 @@
-policy_module(portage, 1.14.0)
+policy_module(portage, 1.14.1)
########################################
#
diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te
index 564dd300..1b562bab 100644
--- a/policy/modules/contrib/postfix.te
+++ b/policy/modules/contrib/postfix.te
@@ -1,4 +1,4 @@
-policy_module(postfix, 1.17.1)
+policy_module(postfix, 1.17.2)
########################################
#
diff --git a/policy/modules/contrib/ppp.te b/policy/modules/contrib/ppp.te
index 7b9093af..6d34d7b7 100644
--- a/policy/modules/contrib/ppp.te
+++ b/policy/modules/contrib/ppp.te
@@ -1,4 +1,4 @@
-policy_module(ppp, 1.17.1)
+policy_module(ppp, 1.17.2)
########################################
#
diff --git a/policy/modules/contrib/prelink.te b/policy/modules/contrib/prelink.te
index d17ba24d..784b81ae 100644
--- a/policy/modules/contrib/prelink.te
+++ b/policy/modules/contrib/prelink.te
@@ -1,4 +1,4 @@
-policy_module(prelink, 1.11.0)
+policy_module(prelink, 1.11.1)
########################################
#
diff --git a/policy/modules/contrib/remotelogin.te b/policy/modules/contrib/remotelogin.te
index f88134ce..defe4c3a 100644
--- a/policy/modules/contrib/remotelogin.te
+++ b/policy/modules/contrib/remotelogin.te
@@ -1,4 +1,4 @@
-policy_module(remotelogin, 1.8.0)
+policy_module(remotelogin, 1.8.1)
########################################
#
diff --git a/policy/modules/contrib/ricci.te b/policy/modules/contrib/ricci.te
index 12b6bcc6..e576ff12 100644
--- a/policy/modules/contrib/ricci.te
+++ b/policy/modules/contrib/ricci.te
@@ -1,4 +1,4 @@
-policy_module(ricci, 1.10.0)
+policy_module(ricci, 1.10.1)
########################################
#
diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te
index 3f620534..2e3596b0 100644
--- a/policy/modules/contrib/rpm.te
+++ b/policy/modules/contrib/rpm.te
@@ -1,4 +1,4 @@
-policy_module(rpm, 1.19.1)
+policy_module(rpm, 1.19.2)
########################################
#
diff --git a/policy/modules/contrib/rshd.te b/policy/modules/contrib/rshd.te
index 1100ec75..78a8f3c7 100644
--- a/policy/modules/contrib/rshd.te
+++ b/policy/modules/contrib/rshd.te
@@ -1,4 +1,4 @@
-policy_module(rshd, 1.9.0)
+policy_module(rshd, 1.9.1)
########################################
#
diff --git a/policy/modules/contrib/samhain.te b/policy/modules/contrib/samhain.te
index ef74778d..9618e95c 100644
--- a/policy/modules/contrib/samhain.te
+++ b/policy/modules/contrib/samhain.te
@@ -1,4 +1,4 @@
-policy_module(samhain, 1.4.0)
+policy_module(samhain, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/screen.te b/policy/modules/contrib/screen.te
index e5b73a92..c83d82bf 100644
--- a/policy/modules/contrib/screen.te
+++ b/policy/modules/contrib/screen.te
@@ -1,4 +1,4 @@
-policy_module(screen, 2.8.0)
+policy_module(screen, 2.8.1)
########################################
#
diff --git a/policy/modules/contrib/shorewall.te b/policy/modules/contrib/shorewall.te
index 3222f01c..e7249426 100644
--- a/policy/modules/contrib/shorewall.te
+++ b/policy/modules/contrib/shorewall.te
@@ -1,4 +1,4 @@
-policy_module(shorewall, 1.6.1)
+policy_module(shorewall, 1.6.2)
########################################
#
diff --git a/policy/modules/contrib/updfstab.te b/policy/modules/contrib/updfstab.te
index 5aa33bfd..02754be8 100644
--- a/policy/modules/contrib/updfstab.te
+++ b/policy/modules/contrib/updfstab.te
@@ -1,4 +1,4 @@
-policy_module(updfstab, 1.6.0)
+policy_module(updfstab, 1.6.1)
########################################
#
diff --git a/policy/modules/contrib/usernetctl.te b/policy/modules/contrib/usernetctl.te
index c5832ef2..1c8b8dfd 100644
--- a/policy/modules/contrib/usernetctl.te
+++ b/policy/modules/contrib/usernetctl.te
@@ -1,4 +1,4 @@
-policy_module(usernetctl, 1.7.0)
+policy_module(usernetctl, 1.7.1)
########################################
#
diff --git a/policy/modules/contrib/vlock.te b/policy/modules/contrib/vlock.te
index 4c9ca7af..3ef60af7 100644
--- a/policy/modules/contrib/vlock.te
+++ b/policy/modules/contrib/vlock.te
@@ -1,4 +1,4 @@
-policy_module(vlock, 1.2.0)
+policy_module(vlock, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/vmware.te b/policy/modules/contrib/vmware.te
index 7dbcd40e..a4346aad 100644
--- a/policy/modules/contrib/vmware.te
+++ b/policy/modules/contrib/vmware.te
@@ -1,4 +1,4 @@
-policy_module(vmware, 2.8.0)
+policy_module(vmware, 2.8.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-03-30 17:06 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-03-30 17:06 UTC (permalink / raw
To: gentoo-commits
commit: 61dedbfbae31d9ab77c89176a73b09cab9700c4e
Author: cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Wed Mar 8 20:21:44 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Mar 30 13:58:38 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=61dedbfb
dphysswapfile: update
policy/modules/contrib/dphysswapfile.fc | 8 +++++---
policy/modules/contrib/dphysswapfile.if | 33 +++++++++++++++++++++++++++++++++
policy/modules/contrib/dphysswapfile.te | 6 +++++-
3 files changed, 43 insertions(+), 4 deletions(-)
diff --git a/policy/modules/contrib/dphysswapfile.fc b/policy/modules/contrib/dphysswapfile.fc
index 3cf1968d..5c0feb83 100644
--- a/policy/modules/contrib/dphysswapfile.fc
+++ b/policy/modules/contrib/dphysswapfile.fc
@@ -1,5 +1,7 @@
-/etc/dphys-swapfile -- gen_context(system_u:object_r:dphysswapfile_conf_t,s0)
+/etc/dphys-swapfile -- gen_context(system_u:object_r:dphysswapfile_conf_t,s0)
-/usr/sbin/dphys-swapfile -- gen_context(system_u:object_r:dphysswapfile_exec_t,s0)
+/etc/rc\.d/init\.d/dphys-swapfile -- gen_context(system_u:object_r:dphysswapfile_initrc_exec_t,s0)
-/var/swap -- gen_context(system_u:object_r:dphysswapfile_swap_t,s0)
+/usr/sbin/dphys-swapfile -- gen_context(system_u:object_r:dphysswapfile_exec_t,s0)
+
+/var/swap -- gen_context(system_u:object_r:dphysswapfile_swap_t,s0)
diff --git a/policy/modules/contrib/dphysswapfile.if b/policy/modules/contrib/dphysswapfile.if
index 53725743..7dda9553 100644
--- a/policy/modules/contrib/dphysswapfile.if
+++ b/policy/modules/contrib/dphysswapfile.if
@@ -17,3 +17,36 @@ interface(`dphysswapfile_dontaudit_read_swap',`
dontaudit $1 dphysswapfile_swap_t:file read_file_perms;
')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an dphys-swapfile environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`dphysswapfile_admin',`
+ gen_require(`
+ type dphysswapfile_t, dphysswapfile_conf_t;
+ type dphysswapfile_initrc_exec_t;
+ ')
+
+ admin_process_pattern($1, dphysswapfile_t)
+
+ init_startstop_service($1, $2, dphysswapfile_t, dphysswapfile_initrc_exec_t)
+
+ files_search_etc($1)
+ admin_pattern($1, dphysswapfile_conf_t)
+
+ # do not grant access to swap file for now
+')
diff --git a/policy/modules/contrib/dphysswapfile.te b/policy/modules/contrib/dphysswapfile.te
index 26faf67d..cb3d194f 100644
--- a/policy/modules/contrib/dphysswapfile.te
+++ b/policy/modules/contrib/dphysswapfile.te
@@ -12,6 +12,9 @@ init_system_domain(dphysswapfile_t, dphysswapfile_exec_t)
type dphysswapfile_conf_t;
files_config_file(dphysswapfile_conf_t)
+type dphysswapfile_initrc_exec_t;
+init_script_file(dphysswapfile_initrc_exec_t)
+
type dphysswapfile_swap_t;
files_type(dphysswapfile_swap_t)
@@ -20,7 +23,7 @@ files_type(dphysswapfile_swap_t)
# Policy
#
-# sys_admin : for swapon
+# sys_admin : swapon
allow dphysswapfile_t self:capability sys_admin;
allow dphysswapfile_t self:fifo_file rw_fifo_file_perms;
allow dphysswapfile_t self:unix_stream_socket { create connect };
@@ -36,6 +39,7 @@ kernel_read_system_state(dphysswapfile_t)
corecmd_exec_bin(dphysswapfile_t)
corecmd_exec_shell(dphysswapfile_t)
+# ignore ls -l /var/swap noise
files_dontaudit_getattr_pid_dirs(dphysswapfile_t)
files_read_etc_files(dphysswapfile_t)
files_search_var(dphysswapfile_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-03-30 17:06 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-03-30 17:06 UTC (permalink / raw
To: gentoo-commits
commit: 4ab83a2a3657e6838b704166dea7b318b8046ce8
Author: cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Wed Mar 8 20:35:28 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Mar 30 13:58:39 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4ab83a2a
mandb: update
fix mandb when running as root
move file label from cronjob to binary file
policy/modules/contrib/mandb.fc | 3 +--
policy/modules/contrib/mandb.if | 10 +++-------
policy/modules/contrib/mandb.te | 26 +++++++++++---------------
3 files changed, 15 insertions(+), 24 deletions(-)
diff --git a/policy/modules/contrib/mandb.fc b/policy/modules/contrib/mandb.fc
index 9f2825e9..d92a58fd 100644
--- a/policy/modules/contrib/mandb.fc
+++ b/policy/modules/contrib/mandb.fc
@@ -1,4 +1,3 @@
-/etc/cron\.(daily|weekly)/man-db.* -- gen_context(system_u:object_r:mandb_exec_t,s0)
+/usr/bin/mandb -- gen_context(system_u:object_r:mandb_exec_t,s0)
-# Systemd unit file
/usr/lib/systemd/system/[^/]*man-db.* -- gen_context(system_u:object_r:mandb_unit_t,s0)
diff --git a/policy/modules/contrib/mandb.if b/policy/modules/contrib/mandb.if
index 327f3f72..2b5d5385 100644
--- a/policy/modules/contrib/mandb.if
+++ b/policy/modules/contrib/mandb.if
@@ -42,7 +42,7 @@ interface(`mandb_run',`
attribute_role mandb_roles;
')
- lightsquid_domtrans($1)
+ mandb_domtrans($1)
roleattribute $2 mandb_roles;
')
@@ -122,14 +122,10 @@ interface(`mandb_manage_cache_content',`
#
interface(`mandb_admin',`
gen_require(`
- type mandb_t, mandb_cache_t;
+ type mandb_t;
')
- allow $1 mandb_t:process { ptrace signal_perms };
- ps_process_pattern($1, mandb_t)
+ admin_process_pattern($1, mandb_t)
mandb_run($1, $2)
-
- # pending
- # miscfiles_manage_man_cache_content(mandb_t)
')
diff --git a/policy/modules/contrib/mandb.te b/policy/modules/contrib/mandb.te
index 142e7e07..0358aaff 100644
--- a/policy/modules/contrib/mandb.te
+++ b/policy/modules/contrib/mandb.te
@@ -21,7 +21,11 @@ init_unit_file(mandb_unit_t)
# Local policy
#
-allow mandb_t self:capability { setgid setuid };
+# dac_override : write /var/cache/man/*
+# fowner : chmod /var/cache/man/*
+# chown : lchown32 /var/cache/man/*
+# fsetid : chmod /var/cache/man/*
+allow mandb_t self:capability { chown dac_override fowner fsetid setgid setuid };
allow mandb_t self:process { setsched signal };
allow mandb_t self:fifo_file rw_fifo_file_perms;
allow mandb_t self:unix_stream_socket create_stream_socket_perms;
@@ -32,28 +36,20 @@ kernel_read_system_state(mandb_t)
corecmd_exec_bin(mandb_t)
corecmd_exec_shell(mandb_t)
-dev_search_sysfs(mandb_t)
-
domain_use_interactive_fds(mandb_t)
+files_dontaudit_search_home(mandb_t)
files_read_etc_files(mandb_t)
+# search /var/run/nscd/socket
+files_search_pids(mandb_t)
+
+fs_getattr_xattr_fs(mandb_t)
miscfiles_manage_man_cache(mandb_t)
miscfiles_read_man_pages(mandb_t)
miscfiles_read_localization(mandb_t)
-ifdef(`distro_debian',`
- optional_policy(`
- apt_exec(mandb_t)
- apt_read_db(mandb_t)
- ')
-
- optional_policy(`
- dpkg_exec(mandb_t)
- dpkg_read_db(mandb_t)
- userdom_dontaudit_search_user_home_dirs(mandb_t)
- ')
-')
+userdom_use_inherited_user_terminals(mandb_t)
optional_policy(`
cron_system_entry(mandb_t, mandb_exec_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-03-16 8:18 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-03-16 8:18 UTC (permalink / raw
To: gentoo-commits
commit: e7eb672259ff2b2955cbd5f991182de9c7464c31
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Mar 16 08:14:39 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Mar 16 08:14:39 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e7eb6722
pulseaudio: alias pulseaudio_xdg_config_t to pulseaudio_home_t
pulseaudio_home_t was added upstream on ~/.config/pulse/ so our
_xdg_config_t can be removed
policy/modules/contrib/pulseaudio.fc | 7 +------
policy/modules/contrib/pulseaudio.te | 24 ++++--------------------
2 files changed, 5 insertions(+), 26 deletions(-)
diff --git a/policy/modules/contrib/pulseaudio.fc b/policy/modules/contrib/pulseaudio.fc
index 2ee04dce..78ae21c1 100644
--- a/policy/modules/contrib/pulseaudio.fc
+++ b/policy/modules/contrib/pulseaudio.fc
@@ -1,7 +1,7 @@
HOME_DIR/\.esd_auth -- gen_context(system_u:object_r:pulseaudio_home_t,s0)
HOME_DIR/\.pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0)
HOME_DIR/\.pulse-cookie -- gen_context(system_u:object_r:pulseaudio_home_t,s0)
-HOME_DIR/\.config/pulse(/.*)? -- gen_context(system_u:object_r:pulseaudio_home_t,s0)
+HOME_DIR/\.config/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0)
/usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0)
@@ -9,8 +9,3 @@ HOME_DIR/\.config/pulse(/.*)? -- gen_context(system_u:object_r:pulseaudio_home_t
/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0)
/run/user/%{USERID}/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_tmp_t,s0)
-
-
-ifdef(`distro_gentoo',`
-HOME_DIR/\.config/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_xdg_config_t,s0)
-')
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index ac9811ea..b4154208 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -290,28 +290,12 @@ optional_policy(`
')
ifdef(`distro_gentoo',`
- type pulseaudio_xdg_config_t;
- xdg_config_home_content(pulseaudio_xdg_config_t)
+ typealias pulseaudio_home_t alias pulseaudio_xdg_config_t;
- # create ~/.config/pulse/
- manage_files_pattern(pulseaudio_t, pulseaudio_xdg_config_t, pulseaudio_xdg_config_t)
- manage_lnk_files_pattern(pulseaudio_t, pulseaudio_xdg_config_t, pulseaudio_xdg_config_t)
- manage_dirs_pattern(pulseaudio_t, pulseaudio_xdg_config_t, pulseaudio_xdg_config_t)
- xdg_config_home_filetrans(pulseaudio_t, pulseaudio_xdg_config_t, dir, "pulse")
-
- # pulseaudio cannot manage the files from its clients
- allow pulseaudio_t pulseaudio_tmpfsfile:file manage_file_perms;
-
- # pulseaudio client perms on ~/.config/pulse/
- manage_files_pattern(pulseaudio_client, pulseaudio_xdg_config_t, pulseaudio_xdg_config_t)
- manage_lnk_files_pattern(pulseaudio_client, pulseaudio_xdg_config_t, pulseaudio_xdg_config_t)
- manage_dirs_pattern(pulseaudio_client, pulseaudio_xdg_config_t, pulseaudio_xdg_config_t)
- xdg_config_home_filetrans(pulseaudio_client, pulseaudio_xdg_config_t, dir, "pulse")
+ # ~/.config/pulse/
+ xdg_config_home_filetrans(pulseaudio_t, pulseaudio_home_t, dir, "pulse")
+ xdg_config_home_filetrans(pulseaudio_client, pulseaudio_home_t, dir, "pulse")
# /tmp/pulse-* gets created by the clients usually as user_tmp_t, bug 556526
userdom_list_user_tmp(pulseaudio_client)
-
- # pulse 7 uses fds
- allow pulseaudio_client pulseaudio_t:fd use;
- allow pulseaudio_client pulseaudio_tmpfs_t:file rw_file_perms;
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-02-27 11:40 Jason Zaman
2017-02-27 10:50 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2017-02-27 11:40 UTC (permalink / raw
To: gentoo-commits
commit: e81afa8e462fd625e95e7458332b1cff1724654f
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Feb 25 16:20:03 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb 27 10:44:02 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e81afa8e
Network daemon patches from Russell Coker.
policy/modules/contrib/apache.fc | 4 +++
policy/modules/contrib/apache.if | 19 +++++++++++++
policy/modules/contrib/apache.te | 46 +++++++++++++++++++++-----------
policy/modules/contrib/bind.fc | 3 +++
policy/modules/contrib/bind.te | 6 ++++-
policy/modules/contrib/inetd.te | 3 ++-
policy/modules/contrib/iodine.fc | 2 ++
policy/modules/contrib/iodine.te | 9 ++++++-
policy/modules/contrib/jabber.fc | 4 +++
policy/modules/contrib/jabber.te | 12 ++++++++-
policy/modules/contrib/nagios.te | 7 +++--
policy/modules/contrib/networkmanager.fc | 2 +-
policy/modules/contrib/networkmanager.te | 6 ++++-
policy/modules/contrib/ntp.if | 18 +++++++++++++
policy/modules/contrib/ntp.te | 3 ++-
policy/modules/contrib/openvpn.fc | 1 +
policy/modules/contrib/openvpn.te | 2 +-
policy/modules/contrib/rpc.te | 4 ++-
policy/modules/contrib/squid.fc | 8 +++---
policy/modules/contrib/squid.if | 19 +++++++++++++
policy/modules/contrib/squid.te | 15 ++++++++++-
21 files changed, 161 insertions(+), 32 deletions(-)
diff --git a/policy/modules/contrib/apache.fc b/policy/modules/contrib/apache.fc
index faa08802..5fded37a 100644
--- a/policy/modules/contrib/apache.fc
+++ b/policy/modules/contrib/apache.fc
@@ -17,6 +17,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)? gen_context(system_u:objec
/etc/httpd/modules gen_context(system_u:object_r:httpd_modules_t,s0)
/etc/lighttpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
/etc/mock/koji(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/postfixadmin(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
/etc/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/etc/rc\.d/init\.d/cherokee -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
@@ -56,6 +57,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)? gen_context(system_u:objec
/usr/libexec/httpd-ssl-pass-dialog -- gen_context(system_u:object_r:httpd_passwd_exec_t,s0)
/usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/apache(2)?ctl -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/cgi-wrapper -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/cherokee -- gen_context(system_u:object_r:httpd_exec_t,s0)
@@ -110,6 +112,7 @@ ifdef(`distro_suse',`
/var/lib/cherokee(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
/var/lib/php(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/php5(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
/var/lib/dokuwiki(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/var/lib/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/var/lib/glpi(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
@@ -124,6 +127,7 @@ ifdef(`distro_suse',`
/var/lib/stickshift/.httpd.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
/var/lib/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/var/lib/trac(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/lib/wordpress(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
/var/lib/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
diff --git a/policy/modules/contrib/apache.if b/policy/modules/contrib/apache.if
index 16539db5..91191ecc 100644
--- a/policy/modules/contrib/apache.if
+++ b/policy/modules/contrib/apache.if
@@ -1254,6 +1254,25 @@ interface(`apache_dontaudit_write_tmp_files',`
########################################
## <summary>
+## Delete httpd_var_lib_t files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain that can delete the files
+## </summary>
+## </param>
+#
+interface(`apache_delete_lib_files',`
+ gen_require(`
+ type httpd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ delete_files_pattern($1, httpd_var_lib_t, httpd_var_lib_t)
+')
+
+########################################
+## <summary>
## Execute CGI in the specified domain.
## </summary>
## <desc>
diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index 2f724b68..37af1e22 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -1,4 +1,4 @@
-policy_module(apache, 2.12.0)
+policy_module(apache, 2.12.1)
########################################
#
@@ -402,14 +402,12 @@ read_lnk_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
allow httpd_t httpd_keytab_t:file read_file_perms;
+allow httpd_t httpd_lock_t:dir manage_dir_perms;
allow httpd_t httpd_lock_t:file manage_file_perms;
-files_lock_filetrans(httpd_t, httpd_lock_t, file)
+files_lock_filetrans(httpd_t, httpd_lock_t, { file dir })
-allow httpd_t httpd_log_t:dir setattr_dir_perms;
-create_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
-create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
-append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
-read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+manage_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
+manage_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
logging_log_filetrans(httpd_t, httpd_log_t, file)
@@ -427,6 +425,8 @@ manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
allow httpd_t httpd_suexec_exec_t:file read_file_perms;
allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
+allow httpd_t httpd_sys_script_t:process signull;
+
manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
@@ -444,6 +444,7 @@ fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_fi
manage_dirs_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
+manage_lnk_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
files_var_lib_filetrans(httpd_t, httpd_var_lib_t, { dir file })
setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
@@ -464,6 +465,8 @@ domtrans_pattern(httpd_t, httpd_rotatelogs_exec_t, httpd_rotatelogs_t)
domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
kernel_read_kernel_sysctls(httpd_t)
+kernel_read_vm_sysctls(httpd_t)
+kernel_read_vm_overcommit_sysctl(httpd_t)
kernel_read_network_state(httpd_t)
kernel_read_system_state(httpd_t)
kernel_search_network_sysctl(httpd_t)
@@ -513,6 +516,8 @@ files_read_var_lib_symlinks(httpd_t)
auth_use_nsswitch(httpd_t)
+init_rw_inherited_script_tmp_files(httpd_t)
+
libs_read_lib_files(httpd_t)
logging_send_syslog_msg(httpd_t)
@@ -590,6 +595,7 @@ tunable_policy(`httpd_builtin_scripting',`
tunable_policy(`httpd_enable_cgi',`
allow httpd_t httpd_script_domains:process { signal sigkill sigstop };
allow httpd_t httpd_script_exec_type:dir list_dir_perms;
+ allow httpd_t httpd_script_exec_type:lnk_file read_lnk_file_perms;
')
tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
@@ -737,9 +743,8 @@ tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
tunable_policy(`httpd_use_nfs',`
fs_list_auto_mountpoints(httpd_t)
- fs_manage_nfs_dirs(httpd_t)
- fs_manage_nfs_files(httpd_t)
- fs_manage_nfs_symlinks(httpd_t)
+ rpc_manage_nfs_rw_content(httpd_t)
+ rpc_read_nfs_content(httpd_t)
')
tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
@@ -1063,9 +1068,8 @@ tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
tunable_policy(`httpd_use_nfs',`
fs_list_auto_mountpoints(httpd_suexec_t)
- fs_manage_nfs_dirs(httpd_suexec_t)
- fs_manage_nfs_files(httpd_suexec_t)
- fs_manage_nfs_symlinks(httpd_suexec_t)
+ rpc_manage_nfs_rw_content(httpd_t)
+ rpc_read_nfs_content(httpd_t)
')
tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
@@ -1213,8 +1217,11 @@ optional_policy(`
#
allow httpd_sys_script_t self:tcp_socket { accept listen };
+allow httpd_sys_script_t self:unix_dgram_socket { create connect connected_socket_perms };
+
allow httpd_sys_script_t httpd_t:tcp_socket { read write };
+allow httpd_sys_script_t httpd_t:unix_stream_socket { read write ioctl };
dontaudit httpd_sys_script_t httpd_config_t:dir search;
@@ -1226,6 +1233,8 @@ allow httpd_sys_script_t squirrelmail_spool_t:lnk_file read_lnk_file_perms;
kernel_read_kernel_sysctls(httpd_sys_script_t)
+dev_read_sysfs(httpd_sys_script_t)
+
fs_search_auto_mountpoints(httpd_sys_script_t)
files_read_var_symlinks(httpd_sys_script_t)
@@ -1236,6 +1245,12 @@ apache_domtrans_rotatelogs(httpd_sys_script_t)
auth_use_nsswitch(httpd_sys_script_t)
+logging_send_syslog_msg(httpd_sys_script_t)
+
+ifdef(`init_systemd', `
+ init_search_pid_dirs(httpd_sys_script_t)
+')
+
tunable_policy(`httpd_can_sendmail',`
corenet_sendrecv_smtp_client_packets(httpd_sys_script_t)
corenet_tcp_connect_smtp_port(httpd_sys_script_t)
@@ -1290,9 +1305,8 @@ tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
tunable_policy(`httpd_use_nfs',`
fs_list_auto_mountpoints(httpd_sys_script_t)
- fs_manage_nfs_dirs(httpd_sys_script_t)
- fs_manage_nfs_files(httpd_sys_script_t)
- fs_manage_nfs_symlinks(httpd_sys_script_t)
+ rpc_manage_nfs_rw_content(httpd_t)
+ rpc_read_nfs_content(httpd_t)
')
tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
diff --git a/policy/modules/contrib/bind.fc b/policy/modules/contrib/bind.fc
index c9619a4e..de596aed 100644
--- a/policy/modules/contrib/bind.fc
+++ b/policy/modules/contrib/bind.fc
@@ -28,6 +28,8 @@
/var/cache/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+/var/lib/unbound(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+
/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0)
/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
@@ -53,5 +55,6 @@
/run/ndc -s gen_context(system_u:object_r:named_var_run_t,s0)
/run/bind(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
+/run/lwresd/lwresd\.pid -s gen_context(system_u:object_r:named_var_run_t,s0)
/run/named(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
/run/unbound(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
diff --git a/policy/modules/contrib/bind.te b/policy/modules/contrib/bind.te
index bfec7c74..25329fdb 100644
--- a/policy/modules/contrib/bind.te
+++ b/policy/modules/contrib/bind.te
@@ -1,4 +1,4 @@
-policy_module(bind, 1.18.0)
+policy_module(bind, 1.18.1)
########################################
#
@@ -112,6 +112,8 @@ allow named_t named_zone_t:dir list_dir_perms;
read_files_pattern(named_t, named_zone_t, named_zone_t)
read_lnk_files_pattern(named_t, named_zone_t, named_zone_t)
+kernel_read_net_sysctls(named_t)
+kernel_read_vm_sysctls(named_t)
kernel_read_kernel_sysctls(named_t)
kernel_read_vm_overcommit_sysctl(named_t)
kernel_read_system_state(named_t)
@@ -152,6 +154,7 @@ dev_read_urand(named_t)
domain_use_interactive_fds(named_t)
files_read_etc_runtime_files(named_t)
+files_read_usr_files(named_t)
fs_getattr_all_fs(named_t)
fs_search_auto_mountpoints(named_t)
@@ -219,6 +222,7 @@ optional_policy(`
#
allow ndc_t self:capability { dac_override net_admin };
+allow ndc_t self:capability2 block_suspend;
allow ndc_t self:process signal_perms;
allow ndc_t self:fifo_file rw_fifo_file_perms;
allow ndc_t self:unix_stream_socket { accept listen };
diff --git a/policy/modules/contrib/inetd.te b/policy/modules/contrib/inetd.te
index 66c15680..70ecd1e5 100644
--- a/policy/modules/contrib/inetd.te
+++ b/policy/modules/contrib/inetd.te
@@ -1,4 +1,4 @@
-policy_module(inetd, 1.14.0)
+policy_module(inetd, 1.14.1)
########################################
#
@@ -61,6 +61,7 @@ kernel_read_system_state(inetd_t)
kernel_tcp_recvfrom_unlabeled(inetd_t)
corecmd_bin_domtrans(inetd_t, inetd_child_t)
+corecmd_bin_entry_type(inetd_child_t)
corenet_all_recvfrom_unlabeled(inetd_t)
corenet_all_recvfrom_netlabel(inetd_t)
diff --git a/policy/modules/contrib/iodine.fc b/policy/modules/contrib/iodine.fc
index ca07a874..42a24aaf 100644
--- a/policy/modules/contrib/iodine.fc
+++ b/policy/modules/contrib/iodine.fc
@@ -1,3 +1,5 @@
/etc/rc\.d/init\.d/((iodined)|(iodine-server)) -- gen_context(system_u:object_r:iodined_initrc_exec_t,s0)
/usr/sbin/iodined -- gen_context(system_u:object_r:iodined_exec_t,s0)
+
+/var/run/iodine(/.*)? gen_context(system_u:object_r:iodined_var_run_t,s0)
diff --git a/policy/modules/contrib/iodine.te b/policy/modules/contrib/iodine.te
index c35fc069..11ef68f9 100644
--- a/policy/modules/contrib/iodine.te
+++ b/policy/modules/contrib/iodine.te
@@ -1,4 +1,4 @@
-policy_module(iodine, 1.2.0)
+policy_module(iodine, 1.2.1)
########################################
#
@@ -12,6 +12,9 @@ init_daemon_domain(iodined_t, iodined_exec_t)
type iodined_initrc_exec_t;
init_script_file(iodined_initrc_exec_t)
+type iodined_var_run_t;
+files_pid_file(iodined_var_run_t)
+
########################################
#
# Local policy
@@ -21,6 +24,10 @@ allow iodined_t self:capability { net_admin net_raw setgid setuid sys_chroot };
allow iodined_t self:rawip_socket create_socket_perms;
allow iodined_t self:tun_socket create_socket_perms;
allow iodined_t self:udp_socket connected_socket_perms;
+allow iodined_t self:netlink_route_socket rw_netlink_socket_perms;
+
+manage_dirs_pattern(iodined_t, iodined_var_run_t, iodined_var_run_t)
+manage_files_pattern(iodined_t, iodined_var_run_t, iodined_var_run_t)
kernel_read_net_sysctls(iodined_t)
kernel_read_network_state(iodined_t)
diff --git a/policy/modules/contrib/jabber.fc b/policy/modules/contrib/jabber.fc
index 96325be0..e31f56e8 100644
--- a/policy/modules/contrib/jabber.fc
+++ b/policy/modules/contrib/jabber.fc
@@ -2,6 +2,7 @@
/usr/bin/router -- gen_context(system_u:object_r:jabberd_router_exec_t,s0)
/usr/bin/c2s -- gen_context(system_u:object_r:jabberd_router_exec_t,s0)
+/usr/bin/prosody -- gen_context(system_u:object_r:jabberd_exec_t,s0)
/usr/bin/s2s -- gen_context(system_u:object_r:jabberd_exec_t,s0)
/usr/bin/sm -- gen_context(system_u:object_r:jabberd_exec_t,s0)
@@ -13,13 +14,16 @@
/var/log/ejabberd(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0)
/var/log/jabber(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0)
+/var/log/prosody(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0)
/var/lib/ejabberd(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
/var/lib/ejabberd/spool(/.*)? gen_context(system_u:object_r:jabberd_spool_t,s0)
/var/lib/jabber(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
/var/lib/jabberd(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
+/var/lib/prosody(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
/var/lib/jabberd/log(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0)
/var/lib/jabberd/pid(/.*)? gen_context(system_u:object_r:jabberd_var_run_t,s0)
/run/ejabber\.pid -- gen_context(system_u:object_r:jabberd_var_run_t,s0)
/run/jabber\.pid -- gen_context(system_u:object_r:jabberd_var_run_t,s0)
+/run/prosody(/.*)? -- gen_context(system_u:object_r:jabberd_var_run_t,s0)
diff --git a/policy/modules/contrib/jabber.te b/policy/modules/contrib/jabber.te
index fdea29d5..36f603c3 100644
--- a/policy/modules/contrib/jabber.te
+++ b/policy/modules/contrib/jabber.te
@@ -1,4 +1,4 @@
-policy_module(jabber, 1.12.0)
+policy_module(jabber, 1.12.1)
########################################
#
@@ -73,6 +73,7 @@ allow jabberd_t self:capability dac_override;
dontaudit jabberd_t self:capability sys_tty_config;
allow jabberd_t self:tcp_socket create_socket_perms;
allow jabberd_t self:udp_socket create_socket_perms;
+allow jabberd_t self:netlink_route_socket r_netlink_socket_perms;
manage_files_pattern(jabberd_t, jabberd_lock_t, jabberd_lock_t)
@@ -87,8 +88,12 @@ manage_files_pattern(jabberd_domain, jabberd_spool_t, jabberd_spool_t)
manage_files_pattern(jabberd_t, jabberd_var_run_t, jabberd_var_run_t)
files_pid_filetrans(jabberd_t, jabberd_var_run_t, file)
+domain_dontaudit_search_all_domains_state(jabberd_t)
+
kernel_read_kernel_sysctls(jabberd_t)
+corecmd_exec_bin(jabberd_t)
+
corenet_sendrecv_jabber_client_server_packets(jabberd_t)
corenet_tcp_bind_jabber_client_port(jabberd_t)
corenet_tcp_sendrecv_jabber_client_port(jabberd_t)
@@ -96,6 +101,7 @@ corenet_tcp_sendrecv_jabber_client_port(jabberd_t)
corenet_sendrecv_jabber_interserver_server_packets(jabberd_t)
corenet_tcp_bind_jabber_interserver_port(jabberd_t)
corenet_tcp_sendrecv_jabber_interserver_port(jabberd_t)
+corenet_tcp_connect_jabber_interserver_port(jabberd_t)
dev_read_rand(jabberd_t)
@@ -103,9 +109,13 @@ domain_use_interactive_fds(jabberd_t)
files_read_etc_files(jabberd_t)
files_read_etc_runtime_files(jabberd_t)
+# usr for lua modules
+files_read_usr_files(jabberd_t)
fs_search_auto_mountpoints(jabberd_t)
+miscfiles_read_all_certs(jabberd_t)
+
sysnet_read_config(jabberd_t)
userdom_dontaudit_use_unpriv_user_fds(jabberd_t)
diff --git a/policy/modules/contrib/nagios.te b/policy/modules/contrib/nagios.te
index 44c2abcd..de6a62cf 100644
--- a/policy/modules/contrib/nagios.te
+++ b/policy/modules/contrib/nagios.te
@@ -1,4 +1,4 @@
-policy_module(nagios, 1.15.0)
+policy_module(nagios, 1.15.1)
########################################
#
@@ -216,12 +216,15 @@ optional_policy(`
# Nrpe local policy
#
-allow nrpe_t self:capability { setgid setuid };
+allow nrpe_t self:capability { dac_override setgid setuid };
dontaudit nrpe_t self:capability { sys_resource sys_tty_config };
allow nrpe_t self:process { setpgid signal_perms setsched setrlimit };
allow nrpe_t self:fifo_file rw_fifo_file_perms;
allow nrpe_t self:tcp_socket { accept listen };
+allow nrpe_t nagios_etc_t:dir list_dir_perms;
+allow nrpe_t nagios_etc_t:file read_file_perms;
+
allow nrpe_t nagios_plugin_domain:process { signal sigkill };
read_files_pattern(nrpe_t, nagios_etc_t, nrpe_etc_t)
diff --git a/policy/modules/contrib/networkmanager.fc b/policy/modules/contrib/networkmanager.fc
index fe5f8b4c..1e6d0f5b 100644
--- a/policy/modules/contrib/networkmanager.fc
+++ b/policy/modules/contrib/networkmanager.fc
@@ -3,7 +3,7 @@
/etc/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_etc_t,s0)
/etc/NetworkManager/NetworkManager\.conf gen_context(system_u:object_r:NetworkManager_etc_rw_t,s0)
/etc/NetworkManager/system-connections(/.*)? gen_context(system_u:object_r:NetworkManager_etc_rw_t,s0)
-/etc/NetworkManager/dispatcher\.d(/.*)? gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
+/etc/NetworkManager/dispatcher\.d(/.*)? -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
/etc/dhcp/manager-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
/etc/dhcp/wireless-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index cde12ad5..1e3237e5 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -1,4 +1,4 @@
-policy_module(networkmanager, 1.20.1)
+policy_module(networkmanager, 1.20.2)
########################################
#
@@ -241,6 +241,10 @@ optional_policy(`
optional_policy(`
xserver_dbus_chat_xdm(NetworkManager_t)
')
+
+ optional_policy(`
+ unconfined_dbus_send(NetworkManager_t)
+ ')
')
optional_policy(`
diff --git a/policy/modules/contrib/ntp.if b/policy/modules/contrib/ntp.if
index fa0a1839..8bbb2aa3 100644
--- a/policy/modules/contrib/ntp.if
+++ b/policy/modules/contrib/ntp.if
@@ -18,6 +18,24 @@ interface(`ntp_stub',`
########################################
## <summary>
+## Read ntp.conf
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ntp_read_config',`
+ gen_require(`
+ type ntp_conf_t;
+ ')
+
+ allow $1 ntp_conf_t:file read_file_perms;
+')
+
+########################################
+## <summary>
## Execute ntp server in the ntpd domain.
## </summary>
## <param name="domain">
diff --git a/policy/modules/contrib/ntp.te b/policy/modules/contrib/ntp.te
index b1969955..9af1ad5f 100644
--- a/policy/modules/contrib/ntp.te
+++ b/policy/modules/contrib/ntp.te
@@ -1,4 +1,4 @@
-policy_module(ntp, 1.16.1)
+policy_module(ntp, 1.16.2)
########################################
#
@@ -60,6 +60,7 @@ allow ntpd_t self:fifo_file rw_fifo_file_perms;
allow ntpd_t self:shm create_shm_perms;
allow ntpd_t self:socket create;
allow ntpd_t self:tcp_socket { accept listen };
+allow ntpd_t self:unix_dgram_socket sendto;
allow ntpd_t ntp_conf_t:file read_file_perms;
diff --git a/policy/modules/contrib/openvpn.fc b/policy/modules/contrib/openvpn.fc
index 7703264d..00d176d3 100644
--- a/policy/modules/contrib/openvpn.fc
+++ b/policy/modules/contrib/openvpn.fc
@@ -1,5 +1,6 @@
/etc/openvpn(/.*)? gen_context(system_u:object_r:openvpn_etc_t,s0)
/etc/openvpn/ipp\.txt -- gen_context(system_u:object_r:openvpn_etc_rw_t,s0)
+/etc/openvpn/openvpn-status\.log.* -- gen_context(system_u:object_r:openvpn_status_t,s0)
/etc/rc\.d/init\.d/openvpn -- gen_context(system_u:object_r:openvpn_initrc_exec_t,s0)
diff --git a/policy/modules/contrib/openvpn.te b/policy/modules/contrib/openvpn.te
index 465716f6..54170a62 100644
--- a/policy/modules/contrib/openvpn.te
+++ b/policy/modules/contrib/openvpn.te
@@ -1,4 +1,4 @@
-policy_module(openvpn, 1.15.0)
+policy_module(openvpn, 1.15.1)
########################################
#
diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
index 5123f079..0b9a71fc 100644
--- a/policy/modules/contrib/rpc.te
+++ b/policy/modules/contrib/rpc.te
@@ -1,4 +1,4 @@
-policy_module(rpc, 1.19.1)
+policy_module(rpc, 1.19.2)
########################################
#
@@ -161,6 +161,8 @@ kernel_read_sysctl(rpcd_t)
kernel_rw_fs_sysctls(rpcd_t)
kernel_dontaudit_getattr_core_if(rpcd_t)
kernel_signal(rpcd_t)
+# for /proc/fs/lockd/nlm_end_grace
+kernel_write_proc_files(rpcd_t)
corecmd_exec_bin(rpcd_t)
diff --git a/policy/modules/contrib/squid.fc b/policy/modules/contrib/squid.fc
index d6b5ba09..7051c3e1 100644
--- a/policy/modules/contrib/squid.fc
+++ b/policy/modules/contrib/squid.fc
@@ -4,17 +4,17 @@
/usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)
-/usr/sbin/squid -- gen_context(system_u:object_r:squid_exec_t,s0)
+/usr/sbin/squid.* -- gen_context(system_u:object_r:squid_exec_t,s0)
/usr/share/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0)
/var/cache/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
-/var/log/squid(/.*)? gen_context(system_u:object_r:squid_log_t,s0)
+/var/log/squid.* gen_context(system_u:object_r:squid_log_t,s0)
/var/log/squidGuard(/.*)? gen_context(system_u:object_r:squid_log_t,s0)
-/run/squid\.pid -- gen_context(system_u:object_r:squid_var_run_t,s0)
+/run/squid3.* gen_context(system_u:object_r:squid_var_run_t,s0)
-/var/spool/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
+/var/spool/squid.* gen_context(system_u:object_r:squid_cache_t,s0)
/var/squidGuard(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
diff --git a/policy/modules/contrib/squid.if b/policy/modules/contrib/squid.if
index 941cedf3..b5adfad3 100644
--- a/policy/modules/contrib/squid.if
+++ b/policy/modules/contrib/squid.if
@@ -191,6 +191,25 @@ interface(`squid_use',`
########################################
## <summary>
+## dontaudit statting tmpfs files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not be audited
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`squid_dontaudit_read_tmpfs_files',`
+ gen_require(`
+ type squid_tmpfs_t;
+ ')
+
+ dontaudit $1 squid_tmpfs_t:file getattr;
+')
+
+########################################
+## <summary>
## All of the rules required to
## administrate an squid environment.
## </summary>
diff --git a/policy/modules/contrib/squid.te b/policy/modules/contrib/squid.te
index 74fb3c23..f4fd15e8 100644
--- a/policy/modules/contrib/squid.te
+++ b/policy/modules/contrib/squid.te
@@ -1,4 +1,4 @@
-policy_module(squid, 1.15.0)
+policy_module(squid, 1.15.1)
########################################
#
@@ -21,6 +21,14 @@ gen_tunable(squid_connect_any, false)
## </desc>
gen_tunable(squid_use_tproxy, false)
+## <desc>
+## <p>
+## Determine whether squid can use the
+## pinger daemon (needs raw net access)
+## </p>
+## </desc>
+gen_tunable(squid_use_pinger, true)
+
type squid_t;
type squid_exec_t;
init_daemon_domain(squid_t, squid_exec_t)
@@ -188,6 +196,11 @@ tunable_policy(`squid_connect_any',`
corenet_tcp_sendrecv_all_ports(squid_t)
')
+tunable_policy(`squid_use_pinger',`
+ allow squid_t self:rawip_socket connected_socket_perms;
+ allow squid_t self:capability net_raw;
+')
+
tunable_policy(`squid_use_tproxy',`
allow squid_t self:capability net_admin;
corenet_sendrecv_netport_server_packets(squid_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2017-02-27 11:40 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
@ 2017-02-27 10:50 ` Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-02-27 10:50 UTC (permalink / raw
To: gentoo-commits
commit: e81afa8e462fd625e95e7458332b1cff1724654f
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Feb 25 16:20:03 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb 27 10:44:02 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e81afa8e
Network daemon patches from Russell Coker.
policy/modules/contrib/apache.fc | 4 +++
policy/modules/contrib/apache.if | 19 +++++++++++++
policy/modules/contrib/apache.te | 46 +++++++++++++++++++++-----------
policy/modules/contrib/bind.fc | 3 +++
policy/modules/contrib/bind.te | 6 ++++-
policy/modules/contrib/inetd.te | 3 ++-
policy/modules/contrib/iodine.fc | 2 ++
policy/modules/contrib/iodine.te | 9 ++++++-
policy/modules/contrib/jabber.fc | 4 +++
policy/modules/contrib/jabber.te | 12 ++++++++-
policy/modules/contrib/nagios.te | 7 +++--
policy/modules/contrib/networkmanager.fc | 2 +-
policy/modules/contrib/networkmanager.te | 6 ++++-
policy/modules/contrib/ntp.if | 18 +++++++++++++
policy/modules/contrib/ntp.te | 3 ++-
policy/modules/contrib/openvpn.fc | 1 +
policy/modules/contrib/openvpn.te | 2 +-
policy/modules/contrib/rpc.te | 4 ++-
policy/modules/contrib/squid.fc | 8 +++---
policy/modules/contrib/squid.if | 19 +++++++++++++
policy/modules/contrib/squid.te | 15 ++++++++++-
21 files changed, 161 insertions(+), 32 deletions(-)
diff --git a/policy/modules/contrib/apache.fc b/policy/modules/contrib/apache.fc
index faa08802..5fded37a 100644
--- a/policy/modules/contrib/apache.fc
+++ b/policy/modules/contrib/apache.fc
@@ -17,6 +17,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)? gen_context(system_u:objec
/etc/httpd/modules gen_context(system_u:object_r:httpd_modules_t,s0)
/etc/lighttpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
/etc/mock/koji(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/postfixadmin(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
/etc/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/etc/rc\.d/init\.d/cherokee -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
@@ -56,6 +57,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)? gen_context(system_u:objec
/usr/libexec/httpd-ssl-pass-dialog -- gen_context(system_u:object_r:httpd_passwd_exec_t,s0)
/usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/apache(2)?ctl -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/cgi-wrapper -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/cherokee -- gen_context(system_u:object_r:httpd_exec_t,s0)
@@ -110,6 +112,7 @@ ifdef(`distro_suse',`
/var/lib/cherokee(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
/var/lib/php(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/php5(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
/var/lib/dokuwiki(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/var/lib/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/var/lib/glpi(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
@@ -124,6 +127,7 @@ ifdef(`distro_suse',`
/var/lib/stickshift/.httpd.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
/var/lib/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/var/lib/trac(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/lib/wordpress(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
/var/lib/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
diff --git a/policy/modules/contrib/apache.if b/policy/modules/contrib/apache.if
index 16539db5..91191ecc 100644
--- a/policy/modules/contrib/apache.if
+++ b/policy/modules/contrib/apache.if
@@ -1254,6 +1254,25 @@ interface(`apache_dontaudit_write_tmp_files',`
########################################
## <summary>
+## Delete httpd_var_lib_t files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain that can delete the files
+## </summary>
+## </param>
+#
+interface(`apache_delete_lib_files',`
+ gen_require(`
+ type httpd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ delete_files_pattern($1, httpd_var_lib_t, httpd_var_lib_t)
+')
+
+########################################
+## <summary>
## Execute CGI in the specified domain.
## </summary>
## <desc>
diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index 2f724b68..37af1e22 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -1,4 +1,4 @@
-policy_module(apache, 2.12.0)
+policy_module(apache, 2.12.1)
########################################
#
@@ -402,14 +402,12 @@ read_lnk_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
allow httpd_t httpd_keytab_t:file read_file_perms;
+allow httpd_t httpd_lock_t:dir manage_dir_perms;
allow httpd_t httpd_lock_t:file manage_file_perms;
-files_lock_filetrans(httpd_t, httpd_lock_t, file)
+files_lock_filetrans(httpd_t, httpd_lock_t, { file dir })
-allow httpd_t httpd_log_t:dir setattr_dir_perms;
-create_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
-create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
-append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
-read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+manage_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
+manage_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
logging_log_filetrans(httpd_t, httpd_log_t, file)
@@ -427,6 +425,8 @@ manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
allow httpd_t httpd_suexec_exec_t:file read_file_perms;
allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
+allow httpd_t httpd_sys_script_t:process signull;
+
manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
@@ -444,6 +444,7 @@ fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_fi
manage_dirs_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
+manage_lnk_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
files_var_lib_filetrans(httpd_t, httpd_var_lib_t, { dir file })
setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
@@ -464,6 +465,8 @@ domtrans_pattern(httpd_t, httpd_rotatelogs_exec_t, httpd_rotatelogs_t)
domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
kernel_read_kernel_sysctls(httpd_t)
+kernel_read_vm_sysctls(httpd_t)
+kernel_read_vm_overcommit_sysctl(httpd_t)
kernel_read_network_state(httpd_t)
kernel_read_system_state(httpd_t)
kernel_search_network_sysctl(httpd_t)
@@ -513,6 +516,8 @@ files_read_var_lib_symlinks(httpd_t)
auth_use_nsswitch(httpd_t)
+init_rw_inherited_script_tmp_files(httpd_t)
+
libs_read_lib_files(httpd_t)
logging_send_syslog_msg(httpd_t)
@@ -590,6 +595,7 @@ tunable_policy(`httpd_builtin_scripting',`
tunable_policy(`httpd_enable_cgi',`
allow httpd_t httpd_script_domains:process { signal sigkill sigstop };
allow httpd_t httpd_script_exec_type:dir list_dir_perms;
+ allow httpd_t httpd_script_exec_type:lnk_file read_lnk_file_perms;
')
tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
@@ -737,9 +743,8 @@ tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
tunable_policy(`httpd_use_nfs',`
fs_list_auto_mountpoints(httpd_t)
- fs_manage_nfs_dirs(httpd_t)
- fs_manage_nfs_files(httpd_t)
- fs_manage_nfs_symlinks(httpd_t)
+ rpc_manage_nfs_rw_content(httpd_t)
+ rpc_read_nfs_content(httpd_t)
')
tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
@@ -1063,9 +1068,8 @@ tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
tunable_policy(`httpd_use_nfs',`
fs_list_auto_mountpoints(httpd_suexec_t)
- fs_manage_nfs_dirs(httpd_suexec_t)
- fs_manage_nfs_files(httpd_suexec_t)
- fs_manage_nfs_symlinks(httpd_suexec_t)
+ rpc_manage_nfs_rw_content(httpd_t)
+ rpc_read_nfs_content(httpd_t)
')
tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
@@ -1213,8 +1217,11 @@ optional_policy(`
#
allow httpd_sys_script_t self:tcp_socket { accept listen };
+allow httpd_sys_script_t self:unix_dgram_socket { create connect connected_socket_perms };
+
allow httpd_sys_script_t httpd_t:tcp_socket { read write };
+allow httpd_sys_script_t httpd_t:unix_stream_socket { read write ioctl };
dontaudit httpd_sys_script_t httpd_config_t:dir search;
@@ -1226,6 +1233,8 @@ allow httpd_sys_script_t squirrelmail_spool_t:lnk_file read_lnk_file_perms;
kernel_read_kernel_sysctls(httpd_sys_script_t)
+dev_read_sysfs(httpd_sys_script_t)
+
fs_search_auto_mountpoints(httpd_sys_script_t)
files_read_var_symlinks(httpd_sys_script_t)
@@ -1236,6 +1245,12 @@ apache_domtrans_rotatelogs(httpd_sys_script_t)
auth_use_nsswitch(httpd_sys_script_t)
+logging_send_syslog_msg(httpd_sys_script_t)
+
+ifdef(`init_systemd', `
+ init_search_pid_dirs(httpd_sys_script_t)
+')
+
tunable_policy(`httpd_can_sendmail',`
corenet_sendrecv_smtp_client_packets(httpd_sys_script_t)
corenet_tcp_connect_smtp_port(httpd_sys_script_t)
@@ -1290,9 +1305,8 @@ tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
tunable_policy(`httpd_use_nfs',`
fs_list_auto_mountpoints(httpd_sys_script_t)
- fs_manage_nfs_dirs(httpd_sys_script_t)
- fs_manage_nfs_files(httpd_sys_script_t)
- fs_manage_nfs_symlinks(httpd_sys_script_t)
+ rpc_manage_nfs_rw_content(httpd_t)
+ rpc_read_nfs_content(httpd_t)
')
tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
diff --git a/policy/modules/contrib/bind.fc b/policy/modules/contrib/bind.fc
index c9619a4e..de596aed 100644
--- a/policy/modules/contrib/bind.fc
+++ b/policy/modules/contrib/bind.fc
@@ -28,6 +28,8 @@
/var/cache/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+/var/lib/unbound(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+
/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0)
/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
@@ -53,5 +55,6 @@
/run/ndc -s gen_context(system_u:object_r:named_var_run_t,s0)
/run/bind(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
+/run/lwresd/lwresd\.pid -s gen_context(system_u:object_r:named_var_run_t,s0)
/run/named(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
/run/unbound(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
diff --git a/policy/modules/contrib/bind.te b/policy/modules/contrib/bind.te
index bfec7c74..25329fdb 100644
--- a/policy/modules/contrib/bind.te
+++ b/policy/modules/contrib/bind.te
@@ -1,4 +1,4 @@
-policy_module(bind, 1.18.0)
+policy_module(bind, 1.18.1)
########################################
#
@@ -112,6 +112,8 @@ allow named_t named_zone_t:dir list_dir_perms;
read_files_pattern(named_t, named_zone_t, named_zone_t)
read_lnk_files_pattern(named_t, named_zone_t, named_zone_t)
+kernel_read_net_sysctls(named_t)
+kernel_read_vm_sysctls(named_t)
kernel_read_kernel_sysctls(named_t)
kernel_read_vm_overcommit_sysctl(named_t)
kernel_read_system_state(named_t)
@@ -152,6 +154,7 @@ dev_read_urand(named_t)
domain_use_interactive_fds(named_t)
files_read_etc_runtime_files(named_t)
+files_read_usr_files(named_t)
fs_getattr_all_fs(named_t)
fs_search_auto_mountpoints(named_t)
@@ -219,6 +222,7 @@ optional_policy(`
#
allow ndc_t self:capability { dac_override net_admin };
+allow ndc_t self:capability2 block_suspend;
allow ndc_t self:process signal_perms;
allow ndc_t self:fifo_file rw_fifo_file_perms;
allow ndc_t self:unix_stream_socket { accept listen };
diff --git a/policy/modules/contrib/inetd.te b/policy/modules/contrib/inetd.te
index 66c15680..70ecd1e5 100644
--- a/policy/modules/contrib/inetd.te
+++ b/policy/modules/contrib/inetd.te
@@ -1,4 +1,4 @@
-policy_module(inetd, 1.14.0)
+policy_module(inetd, 1.14.1)
########################################
#
@@ -61,6 +61,7 @@ kernel_read_system_state(inetd_t)
kernel_tcp_recvfrom_unlabeled(inetd_t)
corecmd_bin_domtrans(inetd_t, inetd_child_t)
+corecmd_bin_entry_type(inetd_child_t)
corenet_all_recvfrom_unlabeled(inetd_t)
corenet_all_recvfrom_netlabel(inetd_t)
diff --git a/policy/modules/contrib/iodine.fc b/policy/modules/contrib/iodine.fc
index ca07a874..42a24aaf 100644
--- a/policy/modules/contrib/iodine.fc
+++ b/policy/modules/contrib/iodine.fc
@@ -1,3 +1,5 @@
/etc/rc\.d/init\.d/((iodined)|(iodine-server)) -- gen_context(system_u:object_r:iodined_initrc_exec_t,s0)
/usr/sbin/iodined -- gen_context(system_u:object_r:iodined_exec_t,s0)
+
+/var/run/iodine(/.*)? gen_context(system_u:object_r:iodined_var_run_t,s0)
diff --git a/policy/modules/contrib/iodine.te b/policy/modules/contrib/iodine.te
index c35fc069..11ef68f9 100644
--- a/policy/modules/contrib/iodine.te
+++ b/policy/modules/contrib/iodine.te
@@ -1,4 +1,4 @@
-policy_module(iodine, 1.2.0)
+policy_module(iodine, 1.2.1)
########################################
#
@@ -12,6 +12,9 @@ init_daemon_domain(iodined_t, iodined_exec_t)
type iodined_initrc_exec_t;
init_script_file(iodined_initrc_exec_t)
+type iodined_var_run_t;
+files_pid_file(iodined_var_run_t)
+
########################################
#
# Local policy
@@ -21,6 +24,10 @@ allow iodined_t self:capability { net_admin net_raw setgid setuid sys_chroot };
allow iodined_t self:rawip_socket create_socket_perms;
allow iodined_t self:tun_socket create_socket_perms;
allow iodined_t self:udp_socket connected_socket_perms;
+allow iodined_t self:netlink_route_socket rw_netlink_socket_perms;
+
+manage_dirs_pattern(iodined_t, iodined_var_run_t, iodined_var_run_t)
+manage_files_pattern(iodined_t, iodined_var_run_t, iodined_var_run_t)
kernel_read_net_sysctls(iodined_t)
kernel_read_network_state(iodined_t)
diff --git a/policy/modules/contrib/jabber.fc b/policy/modules/contrib/jabber.fc
index 96325be0..e31f56e8 100644
--- a/policy/modules/contrib/jabber.fc
+++ b/policy/modules/contrib/jabber.fc
@@ -2,6 +2,7 @@
/usr/bin/router -- gen_context(system_u:object_r:jabberd_router_exec_t,s0)
/usr/bin/c2s -- gen_context(system_u:object_r:jabberd_router_exec_t,s0)
+/usr/bin/prosody -- gen_context(system_u:object_r:jabberd_exec_t,s0)
/usr/bin/s2s -- gen_context(system_u:object_r:jabberd_exec_t,s0)
/usr/bin/sm -- gen_context(system_u:object_r:jabberd_exec_t,s0)
@@ -13,13 +14,16 @@
/var/log/ejabberd(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0)
/var/log/jabber(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0)
+/var/log/prosody(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0)
/var/lib/ejabberd(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
/var/lib/ejabberd/spool(/.*)? gen_context(system_u:object_r:jabberd_spool_t,s0)
/var/lib/jabber(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
/var/lib/jabberd(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
+/var/lib/prosody(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
/var/lib/jabberd/log(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0)
/var/lib/jabberd/pid(/.*)? gen_context(system_u:object_r:jabberd_var_run_t,s0)
/run/ejabber\.pid -- gen_context(system_u:object_r:jabberd_var_run_t,s0)
/run/jabber\.pid -- gen_context(system_u:object_r:jabberd_var_run_t,s0)
+/run/prosody(/.*)? -- gen_context(system_u:object_r:jabberd_var_run_t,s0)
diff --git a/policy/modules/contrib/jabber.te b/policy/modules/contrib/jabber.te
index fdea29d5..36f603c3 100644
--- a/policy/modules/contrib/jabber.te
+++ b/policy/modules/contrib/jabber.te
@@ -1,4 +1,4 @@
-policy_module(jabber, 1.12.0)
+policy_module(jabber, 1.12.1)
########################################
#
@@ -73,6 +73,7 @@ allow jabberd_t self:capability dac_override;
dontaudit jabberd_t self:capability sys_tty_config;
allow jabberd_t self:tcp_socket create_socket_perms;
allow jabberd_t self:udp_socket create_socket_perms;
+allow jabberd_t self:netlink_route_socket r_netlink_socket_perms;
manage_files_pattern(jabberd_t, jabberd_lock_t, jabberd_lock_t)
@@ -87,8 +88,12 @@ manage_files_pattern(jabberd_domain, jabberd_spool_t, jabberd_spool_t)
manage_files_pattern(jabberd_t, jabberd_var_run_t, jabberd_var_run_t)
files_pid_filetrans(jabberd_t, jabberd_var_run_t, file)
+domain_dontaudit_search_all_domains_state(jabberd_t)
+
kernel_read_kernel_sysctls(jabberd_t)
+corecmd_exec_bin(jabberd_t)
+
corenet_sendrecv_jabber_client_server_packets(jabberd_t)
corenet_tcp_bind_jabber_client_port(jabberd_t)
corenet_tcp_sendrecv_jabber_client_port(jabberd_t)
@@ -96,6 +101,7 @@ corenet_tcp_sendrecv_jabber_client_port(jabberd_t)
corenet_sendrecv_jabber_interserver_server_packets(jabberd_t)
corenet_tcp_bind_jabber_interserver_port(jabberd_t)
corenet_tcp_sendrecv_jabber_interserver_port(jabberd_t)
+corenet_tcp_connect_jabber_interserver_port(jabberd_t)
dev_read_rand(jabberd_t)
@@ -103,9 +109,13 @@ domain_use_interactive_fds(jabberd_t)
files_read_etc_files(jabberd_t)
files_read_etc_runtime_files(jabberd_t)
+# usr for lua modules
+files_read_usr_files(jabberd_t)
fs_search_auto_mountpoints(jabberd_t)
+miscfiles_read_all_certs(jabberd_t)
+
sysnet_read_config(jabberd_t)
userdom_dontaudit_use_unpriv_user_fds(jabberd_t)
diff --git a/policy/modules/contrib/nagios.te b/policy/modules/contrib/nagios.te
index 44c2abcd..de6a62cf 100644
--- a/policy/modules/contrib/nagios.te
+++ b/policy/modules/contrib/nagios.te
@@ -1,4 +1,4 @@
-policy_module(nagios, 1.15.0)
+policy_module(nagios, 1.15.1)
########################################
#
@@ -216,12 +216,15 @@ optional_policy(`
# Nrpe local policy
#
-allow nrpe_t self:capability { setgid setuid };
+allow nrpe_t self:capability { dac_override setgid setuid };
dontaudit nrpe_t self:capability { sys_resource sys_tty_config };
allow nrpe_t self:process { setpgid signal_perms setsched setrlimit };
allow nrpe_t self:fifo_file rw_fifo_file_perms;
allow nrpe_t self:tcp_socket { accept listen };
+allow nrpe_t nagios_etc_t:dir list_dir_perms;
+allow nrpe_t nagios_etc_t:file read_file_perms;
+
allow nrpe_t nagios_plugin_domain:process { signal sigkill };
read_files_pattern(nrpe_t, nagios_etc_t, nrpe_etc_t)
diff --git a/policy/modules/contrib/networkmanager.fc b/policy/modules/contrib/networkmanager.fc
index fe5f8b4c..1e6d0f5b 100644
--- a/policy/modules/contrib/networkmanager.fc
+++ b/policy/modules/contrib/networkmanager.fc
@@ -3,7 +3,7 @@
/etc/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_etc_t,s0)
/etc/NetworkManager/NetworkManager\.conf gen_context(system_u:object_r:NetworkManager_etc_rw_t,s0)
/etc/NetworkManager/system-connections(/.*)? gen_context(system_u:object_r:NetworkManager_etc_rw_t,s0)
-/etc/NetworkManager/dispatcher\.d(/.*)? gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
+/etc/NetworkManager/dispatcher\.d(/.*)? -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
/etc/dhcp/manager-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
/etc/dhcp/wireless-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index cde12ad5..1e3237e5 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -1,4 +1,4 @@
-policy_module(networkmanager, 1.20.1)
+policy_module(networkmanager, 1.20.2)
########################################
#
@@ -241,6 +241,10 @@ optional_policy(`
optional_policy(`
xserver_dbus_chat_xdm(NetworkManager_t)
')
+
+ optional_policy(`
+ unconfined_dbus_send(NetworkManager_t)
+ ')
')
optional_policy(`
diff --git a/policy/modules/contrib/ntp.if b/policy/modules/contrib/ntp.if
index fa0a1839..8bbb2aa3 100644
--- a/policy/modules/contrib/ntp.if
+++ b/policy/modules/contrib/ntp.if
@@ -18,6 +18,24 @@ interface(`ntp_stub',`
########################################
## <summary>
+## Read ntp.conf
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ntp_read_config',`
+ gen_require(`
+ type ntp_conf_t;
+ ')
+
+ allow $1 ntp_conf_t:file read_file_perms;
+')
+
+########################################
+## <summary>
## Execute ntp server in the ntpd domain.
## </summary>
## <param name="domain">
diff --git a/policy/modules/contrib/ntp.te b/policy/modules/contrib/ntp.te
index b1969955..9af1ad5f 100644
--- a/policy/modules/contrib/ntp.te
+++ b/policy/modules/contrib/ntp.te
@@ -1,4 +1,4 @@
-policy_module(ntp, 1.16.1)
+policy_module(ntp, 1.16.2)
########################################
#
@@ -60,6 +60,7 @@ allow ntpd_t self:fifo_file rw_fifo_file_perms;
allow ntpd_t self:shm create_shm_perms;
allow ntpd_t self:socket create;
allow ntpd_t self:tcp_socket { accept listen };
+allow ntpd_t self:unix_dgram_socket sendto;
allow ntpd_t ntp_conf_t:file read_file_perms;
diff --git a/policy/modules/contrib/openvpn.fc b/policy/modules/contrib/openvpn.fc
index 7703264d..00d176d3 100644
--- a/policy/modules/contrib/openvpn.fc
+++ b/policy/modules/contrib/openvpn.fc
@@ -1,5 +1,6 @@
/etc/openvpn(/.*)? gen_context(system_u:object_r:openvpn_etc_t,s0)
/etc/openvpn/ipp\.txt -- gen_context(system_u:object_r:openvpn_etc_rw_t,s0)
+/etc/openvpn/openvpn-status\.log.* -- gen_context(system_u:object_r:openvpn_status_t,s0)
/etc/rc\.d/init\.d/openvpn -- gen_context(system_u:object_r:openvpn_initrc_exec_t,s0)
diff --git a/policy/modules/contrib/openvpn.te b/policy/modules/contrib/openvpn.te
index 465716f6..54170a62 100644
--- a/policy/modules/contrib/openvpn.te
+++ b/policy/modules/contrib/openvpn.te
@@ -1,4 +1,4 @@
-policy_module(openvpn, 1.15.0)
+policy_module(openvpn, 1.15.1)
########################################
#
diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
index 5123f079..0b9a71fc 100644
--- a/policy/modules/contrib/rpc.te
+++ b/policy/modules/contrib/rpc.te
@@ -1,4 +1,4 @@
-policy_module(rpc, 1.19.1)
+policy_module(rpc, 1.19.2)
########################################
#
@@ -161,6 +161,8 @@ kernel_read_sysctl(rpcd_t)
kernel_rw_fs_sysctls(rpcd_t)
kernel_dontaudit_getattr_core_if(rpcd_t)
kernel_signal(rpcd_t)
+# for /proc/fs/lockd/nlm_end_grace
+kernel_write_proc_files(rpcd_t)
corecmd_exec_bin(rpcd_t)
diff --git a/policy/modules/contrib/squid.fc b/policy/modules/contrib/squid.fc
index d6b5ba09..7051c3e1 100644
--- a/policy/modules/contrib/squid.fc
+++ b/policy/modules/contrib/squid.fc
@@ -4,17 +4,17 @@
/usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)
-/usr/sbin/squid -- gen_context(system_u:object_r:squid_exec_t,s0)
+/usr/sbin/squid.* -- gen_context(system_u:object_r:squid_exec_t,s0)
/usr/share/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0)
/var/cache/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
-/var/log/squid(/.*)? gen_context(system_u:object_r:squid_log_t,s0)
+/var/log/squid.* gen_context(system_u:object_r:squid_log_t,s0)
/var/log/squidGuard(/.*)? gen_context(system_u:object_r:squid_log_t,s0)
-/run/squid\.pid -- gen_context(system_u:object_r:squid_var_run_t,s0)
+/run/squid3.* gen_context(system_u:object_r:squid_var_run_t,s0)
-/var/spool/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
+/var/spool/squid.* gen_context(system_u:object_r:squid_cache_t,s0)
/var/squidGuard(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
diff --git a/policy/modules/contrib/squid.if b/policy/modules/contrib/squid.if
index 941cedf3..b5adfad3 100644
--- a/policy/modules/contrib/squid.if
+++ b/policy/modules/contrib/squid.if
@@ -191,6 +191,25 @@ interface(`squid_use',`
########################################
## <summary>
+## dontaudit statting tmpfs files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not be audited
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`squid_dontaudit_read_tmpfs_files',`
+ gen_require(`
+ type squid_tmpfs_t;
+ ')
+
+ dontaudit $1 squid_tmpfs_t:file getattr;
+')
+
+########################################
+## <summary>
## All of the rules required to
## administrate an squid environment.
## </summary>
diff --git a/policy/modules/contrib/squid.te b/policy/modules/contrib/squid.te
index 74fb3c23..f4fd15e8 100644
--- a/policy/modules/contrib/squid.te
+++ b/policy/modules/contrib/squid.te
@@ -1,4 +1,4 @@
-policy_module(squid, 1.15.0)
+policy_module(squid, 1.15.1)
########################################
#
@@ -21,6 +21,14 @@ gen_tunable(squid_connect_any, false)
## </desc>
gen_tunable(squid_use_tproxy, false)
+## <desc>
+## <p>
+## Determine whether squid can use the
+## pinger daemon (needs raw net access)
+## </p>
+## </desc>
+gen_tunable(squid_use_pinger, true)
+
type squid_t;
type squid_exec_t;
init_daemon_domain(squid_t, squid_exec_t)
@@ -188,6 +196,11 @@ tunable_policy(`squid_connect_any',`
corenet_tcp_sendrecv_all_ports(squid_t)
')
+tunable_policy(`squid_use_pinger',`
+ allow squid_t self:rawip_socket connected_socket_perms;
+ allow squid_t self:capability net_raw;
+')
+
tunable_policy(`squid_use_tproxy',`
allow squid_t self:capability net_admin;
corenet_sendrecv_netport_server_packets(squid_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-02-27 11:40 Jason Zaman
2017-02-27 10:50 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2017-02-27 11:40 UTC (permalink / raw
To: gentoo-commits
commit: c12405c1bbcaeb1558c3f053671710738138e463
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Feb 25 15:17:52 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb 27 10:44:02 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c12405c1
MTA fixes from Russell Coker.
policy/modules/contrib/clamav.te | 11 +++++++++--
policy/modules/contrib/courier.if | 4 ++--
policy/modules/contrib/courier.te | 6 +++++-
policy/modules/contrib/dkim.if | 18 ++++++++++++++++++
policy/modules/contrib/dkim.te | 14 +++++++++++---
policy/modules/contrib/dovecot.fc | 3 +++
policy/modules/contrib/dovecot.te | 13 ++++++++++---
policy/modules/contrib/milter.if | 18 ++++++++++++++++++
policy/modules/contrib/milter.te | 10 +++++++++-
policy/modules/contrib/mta.fc | 1 +
policy/modules/contrib/mta.te | 8 +++++++-
policy/modules/contrib/perdition.fc | 2 +-
policy/modules/contrib/perdition.te | 19 +++++++++++++++----
policy/modules/contrib/postfix.fc | 30 +++++++++++++++---------------
policy/modules/contrib/postfix.te | 26 +++++++++++++++++++++++++-
policy/modules/contrib/postfixpolicyd.te | 18 +++++++++++++++---
policy/modules/contrib/postgrey.te | 7 +++++--
policy/modules/contrib/procmail.fc | 1 +
policy/modules/contrib/procmail.te | 7 ++++++-
policy/modules/contrib/spamassassin.fc | 1 +
policy/modules/contrib/spamassassin.te | 3 ++-
21 files changed, 179 insertions(+), 41 deletions(-)
diff --git a/policy/modules/contrib/clamav.te b/policy/modules/contrib/clamav.te
index f2664e82..11e568a6 100644
--- a/policy/modules/contrib/clamav.te
+++ b/policy/modules/contrib/clamav.te
@@ -1,4 +1,4 @@
-policy_module(clamav, 1.14.0)
+policy_module(clamav, 1.14.1)
## <desc>
## <p>
@@ -73,7 +73,7 @@ logging_log_file(freshclam_var_log_t)
# Clamd local policy
#
-allow clamd_t self:capability { dac_override kill setgid setuid };
+allow clamd_t self:capability { chown fowner fsetid kill setgid setuid dac_override };
dontaudit clamd_t self:capability sys_tty_config;
allow clamd_t self:process signal;
allow clamd_t self:fifo_file rw_fifo_file_perms;
@@ -107,6 +107,8 @@ kernel_dontaudit_list_proc(clamd_t)
kernel_read_sysctl(clamd_t)
kernel_read_kernel_sysctls(clamd_t)
kernel_read_system_state(clamd_t)
+kernel_read_vm_sysctls(clamd_t)
+kernel_read_vm_overcommit_sysctl(clamd_t)
corecmd_exec_shell(clamd_t)
@@ -128,6 +130,7 @@ corenet_tcp_bind_clamd_port(clamd_t)
dev_read_rand(clamd_t)
dev_read_urand(clamd_t)
+dev_read_sysfs(clamd_t)
domain_use_interactive_fds(clamd_t)
@@ -215,6 +218,10 @@ corenet_sendrecv_http_client_packets(freshclam_t)
corenet_tcp_connect_http_port(freshclam_t)
corenet_tcp_sendrecv_http_port(freshclam_t)
+corenet_sendrecv_http_cache_client_packets(freshclam_t)
+corenet_tcp_connect_http_cache_port(freshclam_t)
+corenet_tcp_sendrecv_http_cache_port(freshclam_t)
+
corenet_sendrecv_squid_client_packets(freshclam_t)
corenet_tcp_connect_squid_port(freshclam_t)
corenet_tcp_sendrecv_squid_port(freshclam_t)
diff --git a/policy/modules/contrib/courier.if b/policy/modules/contrib/courier.if
index 10f820fc..db4d192b 100644
--- a/policy/modules/contrib/courier.if
+++ b/policy/modules/contrib/courier.if
@@ -65,11 +65,11 @@ interface(`courier_domtrans_authdaemon',`
#
interface(`courier_stream_connect_authdaemon',`
gen_require(`
- type courier_authdaemon_t, courier_spool_t;
+ type courier_authdaemon_t, courier_var_run_t;
')
files_search_spool($1)
- stream_connect_pattern($1, courier_spool_t, courier_spool_t, courier_authdaemon_t)
+ stream_connect_pattern($1, courier_var_run_t, courier_var_run_t, courier_authdaemon_t)
')
########################################
diff --git a/policy/modules/contrib/courier.te b/policy/modules/contrib/courier.te
index 176bd5c2..31ee1073 100644
--- a/policy/modules/contrib/courier.te
+++ b/policy/modules/contrib/courier.te
@@ -1,4 +1,4 @@
-policy_module(courier, 1.16.0)
+policy_module(courier, 1.16.1)
########################################
#
@@ -101,6 +101,8 @@ allow courier_authdaemon_t courier_tcpd_t:unix_stream_socket rw_stream_socket_pe
can_exec(courier_authdaemon_t, courier_exec_t)
+corecmd_exec_shell(courier_authdaemon_t)
+
domtrans_pattern(courier_authdaemon_t, courier_pop_exec_t, courier_pop_t)
dev_read_urand(courier_authdaemon_t)
@@ -187,6 +189,8 @@ miscfiles_read_localization(courier_tcpd_t)
kernel_read_kernel_sysctls(courier_sqwebmail_t)
+dev_read_urand(courier_sqwebmail_t)
+
optional_policy(`
cron_system_entry(courier_sqwebmail_t, courier_sqwebmail_exec_t)
')
diff --git a/policy/modules/contrib/dkim.if b/policy/modules/contrib/dkim.if
index 61e1f192..059e495a 100644
--- a/policy/modules/contrib/dkim.if
+++ b/policy/modules/contrib/dkim.if
@@ -2,6 +2,24 @@
########################################
## <summary>
+## Allow a domain to talk to dkim via Unix domain socket
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dkim_stream_connect',`
+ gen_require(`
+ type dkim_milter_data_t, dkim_milter_t;
+ ')
+
+ stream_connect_pattern($1, dkim_milter_data_t, dkim_milter_data_t, dkim_milter_t)
+')
+
+########################################
+## <summary>
## All of the rules required to
## administrate an dkim environment.
## </summary>
diff --git a/policy/modules/contrib/dkim.te b/policy/modules/contrib/dkim.te
index 9ef8d760..5ffc618b 100644
--- a/policy/modules/contrib/dkim.te
+++ b/policy/modules/contrib/dkim.te
@@ -1,4 +1,4 @@
-policy_module(dkim, 1.5.0)
+policy_module(dkim, 1.5.1)
########################################
#
@@ -20,15 +20,23 @@ init_daemon_pid_file(dkim_milter_data_t, dir, "opendkim")
# Local policy
#
-allow dkim_milter_t self:capability { setgid setuid };
-allow dkim_milter_t self:process signal;
+allow dkim_milter_t self:capability { dac_override setgid setuid };
+allow dkim_milter_t self:process { signal signull };
allow dkim_milter_t self:unix_stream_socket create_stream_socket_perms;
read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t)
kernel_read_kernel_sysctls(dkim_milter_t)
+kernel_read_vm_sysctls(dkim_milter_t)
+kernel_read_vm_overcommit_sysctl(dkim_milter_t)
+
+corenet_udp_bind_generic_node(dkim_milter_t)
+corenet_udp_bind_all_unreserved_ports(dkim_milter_t)
+corenet_dontaudit_udp_bind_all_ports(dkim_milter_t)
dev_read_urand(dkim_milter_t)
+# for cpu/online
+dev_read_sysfs(dkim_milter_t)
files_search_spool(dkim_milter_t)
diff --git a/policy/modules/contrib/dovecot.fc b/policy/modules/contrib/dovecot.fc
index a8119188..c2f5734e 100644
--- a/policy/modules/contrib/dovecot.fc
+++ b/policy/modules/contrib/dovecot.fc
@@ -15,10 +15,13 @@
/etc/ssl/dovecot(/.*)? gen_context(system_u:object_r:dovecot_cert_t,s0)
+/usr/lib/dovecot/anvil -- gen_context(system_u:object_r:dovecot_exec_t,s0)
/usr/lib/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
/usr/lib/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
/usr/lib/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
/usr/lib/dovecot/dovecot-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
+/usr/lib/dovecot/log -- gen_context(system_u:object_r:dovecot_exec_t,s0)
+/usr/lib/dovecot/ssl-params -- gen_context(system_u:object_r:dovecot_exec_t,s0)
/usr/libexec/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
/usr/libexec/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
diff --git a/policy/modules/contrib/dovecot.te b/policy/modules/contrib/dovecot.te
index 1701e3f0..d18f9adc 100644
--- a/policy/modules/contrib/dovecot.te
+++ b/policy/modules/contrib/dovecot.te
@@ -1,4 +1,4 @@
-policy_module(dovecot, 1.19.0)
+policy_module(dovecot, 1.19.1)
########################################
#
@@ -92,7 +92,7 @@ miscfiles_read_localization(dovecot_domain)
# Local policy
#
-allow dovecot_t self:capability { chown dac_override dac_read_search fsetid kill setgid setuid sys_chroot };
+allow dovecot_t self:capability { chown dac_override dac_read_search fsetid kill setgid setuid sys_chroot sys_resource };
dontaudit dovecot_t self:capability sys_tty_config;
allow dovecot_t self:process { setrlimit signal_perms getcap setcap setsched };
allow dovecot_t self:tcp_socket { accept listen };
@@ -159,6 +159,8 @@ files_search_spool(dovecot_t)
files_dontaudit_list_default(dovecot_t)
files_dontaudit_search_all_dirs(dovecot_t)
files_search_all_mountpoints(dovecot_t)
+files_list_usr(dovecot_t)
+files_read_usr_files(dovecot_t)
fs_getattr_all_fs(dovecot_t)
fs_getattr_all_dirs(dovecot_t)
@@ -241,6 +243,8 @@ manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms;
+allow dovecot_auth_t dovecot_var_run_t:file manage_file_perms;
+allow dovecot_auth_t dovecot_var_run_t:fifo_file write_fifo_file_perms;
manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)
allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms };
@@ -249,6 +253,9 @@ files_search_pids(dovecot_auth_t)
files_read_usr_files(dovecot_auth_t)
files_read_var_lib_files(dovecot_auth_t)
+selinux_get_enforce_mode(dovecot_auth_t)
+selinux_get_fs_mount(dovecot_auth_t)
+
auth_domtrans_chk_passwd(dovecot_auth_t)
auth_use_nsswitch(dovecot_auth_t)
@@ -256,7 +263,7 @@ init_rw_utmp(dovecot_auth_t)
logging_send_audit_msgs(dovecot_auth_t)
-seutil_dontaudit_search_config(dovecot_auth_t)
+seutil_search_default_contexts(dovecot_auth_t)
sysnet_use_ldap(dovecot_auth_t)
diff --git a/policy/modules/contrib/milter.if b/policy/modules/contrib/milter.if
index cba62db1..ffb58f9f 100644
--- a/policy/modules/contrib/milter.if
+++ b/policy/modules/contrib/milter.if
@@ -97,3 +97,21 @@ interface(`milter_manage_spamass_state',`
manage_dirs_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
manage_lnk_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
')
+
+########################################
+## <summary>
+## Get the attributes of the spamassissin milter data dir.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`milter_getattr_data_dir',`
+ gen_require(`
+ type spamass_milter_data_t;
+ ')
+
+ allow $1 spamass_milter_data_t:dir getattr;
+')
diff --git a/policy/modules/contrib/milter.te b/policy/modules/contrib/milter.te
index 7c4b347d..8295ca64 100644
--- a/policy/modules/contrib/milter.te
+++ b/policy/modules/contrib/milter.te
@@ -1,4 +1,4 @@
-policy_module(milter, 1.6.0)
+policy_module(milter, 1.6.1)
########################################
#
@@ -94,15 +94,23 @@ mta_read_config(regex_milter_t)
#
allow spamass_milter_t spamass_milter_state_t:dir search_dir_perms;
+allow spamass_milter_t self:process sigkill;
kernel_read_system_state(spamass_milter_t)
+kernel_read_vm_overcommit_sysctl(spamass_milter_t)
corecmd_exec_shell(spamass_milter_t)
+dev_read_sysfs(spamass_milter_t)
+
files_search_var_lib(spamass_milter_t)
mta_send_mail(spamass_milter_t)
optional_policy(`
+ postfix_search_spool(spamass_milter_t)
+')
+
+optional_policy(`
spamassassin_domtrans_client(spamass_milter_t)
')
diff --git a/policy/modules/contrib/mta.fc b/policy/modules/contrib/mta.fc
index 24681349..dd9f799a 100644
--- a/policy/modules/contrib/mta.fc
+++ b/policy/modules/contrib/mta.fc
@@ -3,6 +3,7 @@ HOME_DIR/\.forward[^/]* -- gen_context(system_u:object_r:mail_home_t,s0)
HOME_DIR/dead\.letter -- gen_context(system_u:object_r:mail_home_t,s0)
HOME_DIR/\.mailrc -- gen_context(system_u:object_r:mail_home_t,s0)
HOME_DIR/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
+HOME_DIR/DovecotMail(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
HOME_DIR/\.maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
/etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0)
diff --git a/policy/modules/contrib/mta.te b/policy/modules/contrib/mta.te
index f7280b11..22308885 100644
--- a/policy/modules/contrib/mta.te
+++ b/policy/modules/contrib/mta.te
@@ -1,4 +1,4 @@
-policy_module(mta, 2.8.2)
+policy_module(mta, 2.8.3)
########################################
#
@@ -199,6 +199,7 @@ selinux_getattr_fs(system_mail_t)
term_dontaudit_use_unallocated_ttys(system_mail_t)
init_use_script_ptys(system_mail_t)
+init_use_fds(system_mail_t)
userdom_use_user_terminals(system_mail_t)
@@ -233,6 +234,7 @@ optional_policy(`
cron_read_system_job_tmp_files(system_mail_t)
cron_dontaudit_write_pipes(system_mail_t)
cron_rw_system_job_stream_sockets(system_mail_t)
+ cron_rw_tmp_files(system_mail_t)
')
optional_policy(`
@@ -294,6 +296,10 @@ optional_policy(`
smartmon_read_tmp_files(system_mail_t)
')
+optional_policy(`
+ unconfined_use_fds(system_mail_t)
+')
+
########################################
#
# MTA user agent local policy
diff --git a/policy/modules/contrib/perdition.fc b/policy/modules/contrib/perdition.fc
index 156232f8..a7d2a8be 100644
--- a/policy/modules/contrib/perdition.fc
+++ b/policy/modules/contrib/perdition.fc
@@ -2,6 +2,6 @@
/etc/perdition(/.*)? gen_context(system_u:object_r:perdition_etc_t,s0)
-/usr/sbin/perdition -- gen_context(system_u:object_r:perdition_exec_t,s0)
+/usr/sbin/perdition.* -- gen_context(system_u:object_r:perdition_exec_t,s0)
/run/perdition\.pid -- gen_context(system_u:object_r:perdition_var_run_t,s0)
diff --git a/policy/modules/contrib/perdition.te b/policy/modules/contrib/perdition.te
index 15023cee..2975c2cc 100644
--- a/policy/modules/contrib/perdition.te
+++ b/policy/modules/contrib/perdition.te
@@ -1,4 +1,4 @@
-policy_module(perdition, 1.10.0)
+policy_module(perdition, 1.10.1)
########################################
#
@@ -23,7 +23,7 @@ files_pid_file(perdition_var_run_t)
# Local policy
#
-allow perdition_t self:capability { setgid setuid };
+allow perdition_t self:capability { chown dac_override fowner setgid setuid };
dontaudit perdition_t self:capability sys_tty_config;
allow perdition_t self:process signal_perms;
allow perdition_t self:tcp_socket { accept listen };
@@ -33,7 +33,8 @@ allow perdition_t perdition_etc_t:file read_file_perms;
allow perdition_t perdition_etc_t:lnk_file read_lnk_file_perms;
manage_files_pattern(perdition_t, perdition_var_run_t, perdition_var_run_t)
-files_pid_filetrans(perdition_t, perdition_var_run_t, file)
+manage_dirs_pattern(perdition_t, perdition_var_run_t, perdition_var_run_t)
+files_pid_filetrans(perdition_t, perdition_var_run_t, { file dir })
kernel_read_kernel_sysctls(perdition_t)
kernel_list_proc(perdition_t)
@@ -45,12 +46,17 @@ corenet_tcp_sendrecv_generic_if(perdition_t)
corenet_tcp_sendrecv_generic_node(perdition_t)
corenet_tcp_sendrecv_all_ports(perdition_t)
corenet_tcp_bind_generic_node(perdition_t)
-
+corenet_tcp_connect_pop_port(perdition_t)
corenet_sendrecv_pop_server_packets(perdition_t)
corenet_tcp_bind_pop_port(perdition_t)
corenet_tcp_sendrecv_pop_port(perdition_t)
+corenet_tcp_connect_sieve_port(perdition_t)
+corenet_sendrecv_sieve_server_packets(perdition_t)
+corenet_tcp_bind_sieve_port(perdition_t)
+corenet_tcp_sendrecv_sieve_port(perdition_t)
dev_read_sysfs(perdition_t)
+dev_read_urand(perdition_t)
domain_use_interactive_fds(perdition_t)
@@ -67,6 +73,11 @@ userdom_dontaudit_use_unpriv_user_fds(perdition_t)
userdom_dontaudit_search_user_home_dirs(perdition_t)
optional_policy(`
+ mysql_tcp_connect(perdition_t)
+ mysql_stream_connect(perdition_t)
+')
+
+optional_policy(`
seutil_sigchld_newrole(perdition_t)
')
diff --git a/policy/modules/contrib/postfix.fc b/policy/modules/contrib/postfix.fc
index b71d8442..707b5be0 100644
--- a/policy/modules/contrib/postfix.fc
+++ b/policy/modules/contrib/postfix.fc
@@ -1,24 +1,24 @@
-/etc/postfix.* gen_context(system_u:object_r:postfix_etc_t,s0)
+/etc/postfix(/.*)? gen_context(system_u:object_r:postfix_etc_t,s0)
/etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
/etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0)
/etc/rc\.d/init\.d/postfix -- gen_context(system_u:object_r:postfix_initrc_exec_t,s0)
# Remove catch-all so that .so files remain lib_t
-#/usr/lib/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
-/usr/lib/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
-/usr/lib/postfix/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0)
-/usr/lib/postfix/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
-/usr/lib/postfix/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
-/usr/lib/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
-/usr/lib/postfix/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0)
-/usr/lib/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
-/usr/lib/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
-/usr/lib/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
-/usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
-/usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
-/usr/lib/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
-/usr/lib/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
+#/usr/lib/postfix/(sbin/)?.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
+/usr/lib/postfix/(sbin/)?cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
+/usr/lib/postfix/(sbin/)?local -- gen_context(system_u:object_r:postfix_local_exec_t,s0)
+/usr/lib/postfix/(sbin/)?master -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/lib/postfix/(sbin/)?pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
+/usr/lib/postfix/(sbin/)?(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
+/usr/lib/postfix/(sbin/)?showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0)
+/usr/lib/postfix/(sbin/)?smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/lib/postfix/(sbin/)?lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/lib/postfix/(sbin/)?scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/lib/postfix/(sbin/)?smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
+/usr/lib/postfix/(sbin/)?bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
+/usr/lib/postfix/(sbin/)?pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
+/usr/lib/postfix/(sbin/)?virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
/usr/libexec/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
/usr/libexec/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te
index 74cb3d7e..94ac8471 100644
--- a/policy/modules/contrib/postfix.te
+++ b/policy/modules/contrib/postfix.te
@@ -1,4 +1,4 @@
-policy_module(postfix, 1.17.0)
+policy_module(postfix, 1.17.1)
########################################
#
@@ -172,6 +172,7 @@ optional_policy(`
#
allow postfix_server_domain self:capability { dac_override setgid setuid };
+allow postfix_master_t self:process getsched;
allow postfix_server_domain postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
@@ -272,6 +273,7 @@ corenet_udp_sendrecv_generic_node(postfix_master_t)
corenet_tcp_sendrecv_all_ports(postfix_master_t)
corenet_udp_sendrecv_all_ports(postfix_master_t)
corenet_tcp_bind_generic_node(postfix_master_t)
+corenet_udp_bind_generic_node(postfix_master_t)
corenet_sendrecv_amavisd_send_server_packets(postfix_master_t)
corenet_tcp_bind_amavisd_send_port(postfix_master_t)
@@ -302,6 +304,8 @@ mcs_file_read_all(postfix_master_t)
term_dontaudit_search_ptys(postfix_master_t)
+hostname_exec(postfix_master_t)
+
miscfiles_read_man_pages(postfix_master_t)
seutil_sigchld_newrole(postfix_master_t)
@@ -326,6 +330,11 @@ optional_policy(`
optional_policy(`
mailman_manage_data_files(postfix_master_t)
+ mailman_search_data(postfix_pipe_t)
+')
+
+optional_policy(`
+ milter_getattr_data_dir(postfix_master_t)
')
optional_policy(`
@@ -371,6 +380,7 @@ allow postfix_cleanup_t self:process setrlimit;
allow postfix_cleanup_t postfix_smtpd_t:tcp_socket rw_stream_socket_perms;
allow postfix_cleanup_t postfix_smtpd_t:unix_stream_socket rw_socket_perms;
+allow postfix_cleanup_t postfix_smtpd_t:fd use;
allow postfix_cleanup_t postfix_spool_maildrop_t:dir list_dir_perms;
allow postfix_cleanup_t postfix_spool_maildrop_t:file read_file_perms;
@@ -397,6 +407,10 @@ corenet_tcp_sendrecv_kismet_port(postfix_cleanup_t)
mta_read_aliases(postfix_cleanup_t)
optional_policy(`
+ dkim_stream_connect(postfix_cleanup_t)
+')
+
+optional_policy(`
mailman_read_data_files(postfix_cleanup_t)
')
@@ -432,6 +446,7 @@ tunable_policy(`postfix_local_write_mail_spool',`
optional_policy(`
clamav_search_lib(postfix_local_t)
clamav_exec_clamscan(postfix_local_t)
+ clamav_stream_connect(postfix_smtpd_t)
')
optional_policy(`
@@ -549,6 +564,7 @@ allow postfix_pipe_t self:process setrlimit;
write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
+write_sock_files_pattern(postfix_pipe_t, postfix_public_t, postfix_public_t)
write_fifo_files_pattern(postfix_pipe_t, postfix_public_t, postfix_public_t)
rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
@@ -567,6 +583,7 @@ optional_policy(`
optional_policy(`
mailman_domtrans_queue(postfix_pipe_t)
+ mailman_domtrans(postfix_pipe_t)
')
optional_policy(`
@@ -596,6 +613,9 @@ manage_files_pattern(postfix_postdrop_t, postfix_spool_maildrop_t, postfix_spool
allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write };
+# for /var/spool/postfix/public/pickup
+stream_connect_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t, postfix_master_t)
+
mcs_file_read_all(postfix_postdrop_t)
mcs_file_write_all(postfix_postdrop_t)
@@ -654,6 +674,10 @@ optional_policy(`
ppp_sigchld(postfix_postqueue_t)
')
+optional_policy(`
+ userdom_sigchld_all_users(postfix_postqueue_t)
+')
+
########################################
#
# Qmgr local policy
diff --git a/policy/modules/contrib/postfixpolicyd.te b/policy/modules/contrib/postfixpolicyd.te
index 621e1817..be84e714 100644
--- a/policy/modules/contrib/postfixpolicyd.te
+++ b/policy/modules/contrib/postfixpolicyd.te
@@ -1,4 +1,4 @@
-policy_module(postfixpolicyd, 1.5.0)
+policy_module(postfixpolicyd, 1.5.1)
########################################
#
@@ -15,6 +15,9 @@ files_config_file(postfix_policyd_conf_t)
type postfix_policyd_initrc_exec_t;
init_script_file(postfix_policyd_initrc_exec_t)
+type postfix_policyd_tmp_t;
+files_type(postfix_policyd_tmp_t)
+
type postfix_policyd_var_run_t;
files_pid_file(postfix_policyd_var_run_t)
@@ -23,8 +26,8 @@ files_pid_file(postfix_policyd_var_run_t)
# Local policy
#
-allow postfix_policyd_t self:capability { setgid setuid sys_chroot sys_resource };
-allow postfix_policyd_t self:process setrlimit;
+allow postfix_policyd_t self:capability { chown sys_chroot sys_resource setgid setuid };
+allow postfix_policyd_t self:process { setrlimit signal signull };
allow postfix_policyd_t self:tcp_socket { accept listen };
allow postfix_policyd_t postfix_policyd_conf_t:dir list_dir_perms;
@@ -34,6 +37,13 @@ allow postfix_policyd_t postfix_policyd_conf_t:lnk_file read_lnk_file_perms;
manage_files_pattern(postfix_policyd_t, postfix_policyd_var_run_t, postfix_policyd_var_run_t)
files_pid_filetrans(postfix_policyd_t, postfix_policyd_var_run_t, file)
+allow postfix_policyd_t postfix_policyd_tmp_t:{ file sock_file } manage_file_perms;
+files_tmp_filetrans(postfix_policyd_t, postfix_policyd_tmp_t, { file sock_file })
+
+kernel_search_network_sysctl(postfix_policyd_t)
+
+corecmd_exec_bin(postfix_policyd_t)
+
corenet_all_recvfrom_unlabeled(postfix_policyd_t)
corenet_tcp_sendrecv_generic_if(postfix_policyd_t)
corenet_tcp_sendrecv_generic_node(postfix_policyd_t)
@@ -47,6 +57,8 @@ corenet_sendrecv_mysqld_server_packets(postfix_policyd_t)
corenet_tcp_bind_mysqld_port(postfix_policyd_t)
corenet_tcp_sendrecv_mysqld_port(postfix_policyd_t)
+dev_read_urand(postfix_policyd_t)
+
files_read_etc_files(postfix_policyd_t)
files_read_usr_files(postfix_policyd_t)
diff --git a/policy/modules/contrib/postgrey.te b/policy/modules/contrib/postgrey.te
index ab5a8d3a..4fe73487 100644
--- a/policy/modules/contrib/postgrey.te
+++ b/policy/modules/contrib/postgrey.te
@@ -1,4 +1,4 @@
-policy_module(postgrey, 1.11.0)
+policy_module(postgrey, 1.11.1)
########################################
#
@@ -34,6 +34,8 @@ dontaudit postgrey_t self:capability sys_tty_config;
allow postgrey_t self:process signal_perms;
allow postgrey_t self:fifo_file create_fifo_file_perms;
allow postgrey_t self:tcp_socket create_stream_socket_perms;
+allow postgrey_t self:netlink_route_socket r_netlink_socket_perms;
+allow postgrey_t self:udp_socket { connect connected_socket_perms };
allow postgrey_t postgrey_etc_t:dir list_dir_perms;
allow postgrey_t postgrey_etc_t:file read_file_perms;
@@ -55,7 +57,8 @@ files_pid_filetrans(postgrey_t, postgrey_var_run_t, { dir file sock_file })
kernel_read_system_state(postgrey_t)
kernel_read_kernel_sysctls(postgrey_t)
-corecmd_search_bin(postgrey_t)
+corecmd_read_bin_files(postgrey_t)
+corecmd_exec_bin(postgrey_t)
corenet_all_recvfrom_unlabeled(postgrey_t)
corenet_all_recvfrom_netlabel(postgrey_t)
diff --git a/policy/modules/contrib/procmail.fc b/policy/modules/contrib/procmail.fc
index bdff6c93..dac08916 100644
--- a/policy/modules/contrib/procmail.fc
+++ b/policy/modules/contrib/procmail.fc
@@ -1,5 +1,6 @@
HOME_DIR/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t,s0)
+/usr/bin/maildrop -- gen_context(system_u:object_r:procmail_exec_t,s0)
/usr/bin/procmail -- gen_context(system_u:object_r:procmail_exec_t,s0)
/var/log/procmail\.log.* -- gen_context(system_u:object_r:procmail_log_t,s0)
diff --git a/policy/modules/contrib/procmail.te b/policy/modules/contrib/procmail.te
index 8a842661..cdd23cc9 100644
--- a/policy/modules/contrib/procmail.te
+++ b/policy/modules/contrib/procmail.te
@@ -1,4 +1,4 @@
-policy_module(procmail, 1.14.0)
+policy_module(procmail, 1.14.1)
########################################
#
@@ -96,6 +96,11 @@ optional_policy(`
')
optional_policy(`
+ courier_read_config(procmail_t)
+ courier_stream_connect_authdaemon(procmail_t)
+')
+
+optional_policy(`
cyrus_stream_connect(procmail_t)
')
diff --git a/policy/modules/contrib/spamassassin.fc b/policy/modules/contrib/spamassassin.fc
index de27cda7..58dce766 100644
--- a/policy/modules/contrib/spamassassin.fc
+++ b/policy/modules/contrib/spamassassin.fc
@@ -23,6 +23,7 @@ HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:spamd_home_t,s0)
/var/log/mimedefang.* -- gen_context(system_u:object_r:spamd_log_t,s0)
/run/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
+/run/spamassassin\.pid gen_context(system_u:object_r:spamd_var_run_t,s0)
/var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
/var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
diff --git a/policy/modules/contrib/spamassassin.te b/policy/modules/contrib/spamassassin.te
index 4a9153ce..2f770d2d 100644
--- a/policy/modules/contrib/spamassassin.te
+++ b/policy/modules/contrib/spamassassin.te
@@ -1,4 +1,4 @@
-policy_module(spamassassin, 2.10.0)
+policy_module(spamassassin, 2.10.1)
########################################
#
@@ -46,6 +46,7 @@ type spamc_exec_t;
typealias spamc_t alias { user_spamc_t staff_spamc_t sysadm_spamc_t };
typealias spamc_t alias { auditadm_spamc_t secadm_spamc_t };
userdom_user_application_domain(spamc_t, spamc_exec_t)
+role system_r types spamc_t;
type spamc_tmp_t;
typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t };
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2017-02-27 11:40 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
@ 2017-02-27 10:50 ` Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-02-27 10:50 UTC (permalink / raw
To: gentoo-commits
commit: c12405c1bbcaeb1558c3f053671710738138e463
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Feb 25 15:17:52 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb 27 10:44:02 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c12405c1
MTA fixes from Russell Coker.
policy/modules/contrib/clamav.te | 11 +++++++++--
policy/modules/contrib/courier.if | 4 ++--
policy/modules/contrib/courier.te | 6 +++++-
policy/modules/contrib/dkim.if | 18 ++++++++++++++++++
policy/modules/contrib/dkim.te | 14 +++++++++++---
policy/modules/contrib/dovecot.fc | 3 +++
policy/modules/contrib/dovecot.te | 13 ++++++++++---
policy/modules/contrib/milter.if | 18 ++++++++++++++++++
policy/modules/contrib/milter.te | 10 +++++++++-
policy/modules/contrib/mta.fc | 1 +
policy/modules/contrib/mta.te | 8 +++++++-
policy/modules/contrib/perdition.fc | 2 +-
policy/modules/contrib/perdition.te | 19 +++++++++++++++----
policy/modules/contrib/postfix.fc | 30 +++++++++++++++---------------
policy/modules/contrib/postfix.te | 26 +++++++++++++++++++++++++-
policy/modules/contrib/postfixpolicyd.te | 18 +++++++++++++++---
policy/modules/contrib/postgrey.te | 7 +++++--
policy/modules/contrib/procmail.fc | 1 +
policy/modules/contrib/procmail.te | 7 ++++++-
policy/modules/contrib/spamassassin.fc | 1 +
policy/modules/contrib/spamassassin.te | 3 ++-
21 files changed, 179 insertions(+), 41 deletions(-)
diff --git a/policy/modules/contrib/clamav.te b/policy/modules/contrib/clamav.te
index f2664e82..11e568a6 100644
--- a/policy/modules/contrib/clamav.te
+++ b/policy/modules/contrib/clamav.te
@@ -1,4 +1,4 @@
-policy_module(clamav, 1.14.0)
+policy_module(clamav, 1.14.1)
## <desc>
## <p>
@@ -73,7 +73,7 @@ logging_log_file(freshclam_var_log_t)
# Clamd local policy
#
-allow clamd_t self:capability { dac_override kill setgid setuid };
+allow clamd_t self:capability { chown fowner fsetid kill setgid setuid dac_override };
dontaudit clamd_t self:capability sys_tty_config;
allow clamd_t self:process signal;
allow clamd_t self:fifo_file rw_fifo_file_perms;
@@ -107,6 +107,8 @@ kernel_dontaudit_list_proc(clamd_t)
kernel_read_sysctl(clamd_t)
kernel_read_kernel_sysctls(clamd_t)
kernel_read_system_state(clamd_t)
+kernel_read_vm_sysctls(clamd_t)
+kernel_read_vm_overcommit_sysctl(clamd_t)
corecmd_exec_shell(clamd_t)
@@ -128,6 +130,7 @@ corenet_tcp_bind_clamd_port(clamd_t)
dev_read_rand(clamd_t)
dev_read_urand(clamd_t)
+dev_read_sysfs(clamd_t)
domain_use_interactive_fds(clamd_t)
@@ -215,6 +218,10 @@ corenet_sendrecv_http_client_packets(freshclam_t)
corenet_tcp_connect_http_port(freshclam_t)
corenet_tcp_sendrecv_http_port(freshclam_t)
+corenet_sendrecv_http_cache_client_packets(freshclam_t)
+corenet_tcp_connect_http_cache_port(freshclam_t)
+corenet_tcp_sendrecv_http_cache_port(freshclam_t)
+
corenet_sendrecv_squid_client_packets(freshclam_t)
corenet_tcp_connect_squid_port(freshclam_t)
corenet_tcp_sendrecv_squid_port(freshclam_t)
diff --git a/policy/modules/contrib/courier.if b/policy/modules/contrib/courier.if
index 10f820fc..db4d192b 100644
--- a/policy/modules/contrib/courier.if
+++ b/policy/modules/contrib/courier.if
@@ -65,11 +65,11 @@ interface(`courier_domtrans_authdaemon',`
#
interface(`courier_stream_connect_authdaemon',`
gen_require(`
- type courier_authdaemon_t, courier_spool_t;
+ type courier_authdaemon_t, courier_var_run_t;
')
files_search_spool($1)
- stream_connect_pattern($1, courier_spool_t, courier_spool_t, courier_authdaemon_t)
+ stream_connect_pattern($1, courier_var_run_t, courier_var_run_t, courier_authdaemon_t)
')
########################################
diff --git a/policy/modules/contrib/courier.te b/policy/modules/contrib/courier.te
index 176bd5c2..31ee1073 100644
--- a/policy/modules/contrib/courier.te
+++ b/policy/modules/contrib/courier.te
@@ -1,4 +1,4 @@
-policy_module(courier, 1.16.0)
+policy_module(courier, 1.16.1)
########################################
#
@@ -101,6 +101,8 @@ allow courier_authdaemon_t courier_tcpd_t:unix_stream_socket rw_stream_socket_pe
can_exec(courier_authdaemon_t, courier_exec_t)
+corecmd_exec_shell(courier_authdaemon_t)
+
domtrans_pattern(courier_authdaemon_t, courier_pop_exec_t, courier_pop_t)
dev_read_urand(courier_authdaemon_t)
@@ -187,6 +189,8 @@ miscfiles_read_localization(courier_tcpd_t)
kernel_read_kernel_sysctls(courier_sqwebmail_t)
+dev_read_urand(courier_sqwebmail_t)
+
optional_policy(`
cron_system_entry(courier_sqwebmail_t, courier_sqwebmail_exec_t)
')
diff --git a/policy/modules/contrib/dkim.if b/policy/modules/contrib/dkim.if
index 61e1f192..059e495a 100644
--- a/policy/modules/contrib/dkim.if
+++ b/policy/modules/contrib/dkim.if
@@ -2,6 +2,24 @@
########################################
## <summary>
+## Allow a domain to talk to dkim via Unix domain socket
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dkim_stream_connect',`
+ gen_require(`
+ type dkim_milter_data_t, dkim_milter_t;
+ ')
+
+ stream_connect_pattern($1, dkim_milter_data_t, dkim_milter_data_t, dkim_milter_t)
+')
+
+########################################
+## <summary>
## All of the rules required to
## administrate an dkim environment.
## </summary>
diff --git a/policy/modules/contrib/dkim.te b/policy/modules/contrib/dkim.te
index 9ef8d760..5ffc618b 100644
--- a/policy/modules/contrib/dkim.te
+++ b/policy/modules/contrib/dkim.te
@@ -1,4 +1,4 @@
-policy_module(dkim, 1.5.0)
+policy_module(dkim, 1.5.1)
########################################
#
@@ -20,15 +20,23 @@ init_daemon_pid_file(dkim_milter_data_t, dir, "opendkim")
# Local policy
#
-allow dkim_milter_t self:capability { setgid setuid };
-allow dkim_milter_t self:process signal;
+allow dkim_milter_t self:capability { dac_override setgid setuid };
+allow dkim_milter_t self:process { signal signull };
allow dkim_milter_t self:unix_stream_socket create_stream_socket_perms;
read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t)
kernel_read_kernel_sysctls(dkim_milter_t)
+kernel_read_vm_sysctls(dkim_milter_t)
+kernel_read_vm_overcommit_sysctl(dkim_milter_t)
+
+corenet_udp_bind_generic_node(dkim_milter_t)
+corenet_udp_bind_all_unreserved_ports(dkim_milter_t)
+corenet_dontaudit_udp_bind_all_ports(dkim_milter_t)
dev_read_urand(dkim_milter_t)
+# for cpu/online
+dev_read_sysfs(dkim_milter_t)
files_search_spool(dkim_milter_t)
diff --git a/policy/modules/contrib/dovecot.fc b/policy/modules/contrib/dovecot.fc
index a8119188..c2f5734e 100644
--- a/policy/modules/contrib/dovecot.fc
+++ b/policy/modules/contrib/dovecot.fc
@@ -15,10 +15,13 @@
/etc/ssl/dovecot(/.*)? gen_context(system_u:object_r:dovecot_cert_t,s0)
+/usr/lib/dovecot/anvil -- gen_context(system_u:object_r:dovecot_exec_t,s0)
/usr/lib/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
/usr/lib/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
/usr/lib/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
/usr/lib/dovecot/dovecot-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
+/usr/lib/dovecot/log -- gen_context(system_u:object_r:dovecot_exec_t,s0)
+/usr/lib/dovecot/ssl-params -- gen_context(system_u:object_r:dovecot_exec_t,s0)
/usr/libexec/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
/usr/libexec/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
diff --git a/policy/modules/contrib/dovecot.te b/policy/modules/contrib/dovecot.te
index 1701e3f0..d18f9adc 100644
--- a/policy/modules/contrib/dovecot.te
+++ b/policy/modules/contrib/dovecot.te
@@ -1,4 +1,4 @@
-policy_module(dovecot, 1.19.0)
+policy_module(dovecot, 1.19.1)
########################################
#
@@ -92,7 +92,7 @@ miscfiles_read_localization(dovecot_domain)
# Local policy
#
-allow dovecot_t self:capability { chown dac_override dac_read_search fsetid kill setgid setuid sys_chroot };
+allow dovecot_t self:capability { chown dac_override dac_read_search fsetid kill setgid setuid sys_chroot sys_resource };
dontaudit dovecot_t self:capability sys_tty_config;
allow dovecot_t self:process { setrlimit signal_perms getcap setcap setsched };
allow dovecot_t self:tcp_socket { accept listen };
@@ -159,6 +159,8 @@ files_search_spool(dovecot_t)
files_dontaudit_list_default(dovecot_t)
files_dontaudit_search_all_dirs(dovecot_t)
files_search_all_mountpoints(dovecot_t)
+files_list_usr(dovecot_t)
+files_read_usr_files(dovecot_t)
fs_getattr_all_fs(dovecot_t)
fs_getattr_all_dirs(dovecot_t)
@@ -241,6 +243,8 @@ manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms;
+allow dovecot_auth_t dovecot_var_run_t:file manage_file_perms;
+allow dovecot_auth_t dovecot_var_run_t:fifo_file write_fifo_file_perms;
manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)
allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms };
@@ -249,6 +253,9 @@ files_search_pids(dovecot_auth_t)
files_read_usr_files(dovecot_auth_t)
files_read_var_lib_files(dovecot_auth_t)
+selinux_get_enforce_mode(dovecot_auth_t)
+selinux_get_fs_mount(dovecot_auth_t)
+
auth_domtrans_chk_passwd(dovecot_auth_t)
auth_use_nsswitch(dovecot_auth_t)
@@ -256,7 +263,7 @@ init_rw_utmp(dovecot_auth_t)
logging_send_audit_msgs(dovecot_auth_t)
-seutil_dontaudit_search_config(dovecot_auth_t)
+seutil_search_default_contexts(dovecot_auth_t)
sysnet_use_ldap(dovecot_auth_t)
diff --git a/policy/modules/contrib/milter.if b/policy/modules/contrib/milter.if
index cba62db1..ffb58f9f 100644
--- a/policy/modules/contrib/milter.if
+++ b/policy/modules/contrib/milter.if
@@ -97,3 +97,21 @@ interface(`milter_manage_spamass_state',`
manage_dirs_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
manage_lnk_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
')
+
+########################################
+## <summary>
+## Get the attributes of the spamassissin milter data dir.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`milter_getattr_data_dir',`
+ gen_require(`
+ type spamass_milter_data_t;
+ ')
+
+ allow $1 spamass_milter_data_t:dir getattr;
+')
diff --git a/policy/modules/contrib/milter.te b/policy/modules/contrib/milter.te
index 7c4b347d..8295ca64 100644
--- a/policy/modules/contrib/milter.te
+++ b/policy/modules/contrib/milter.te
@@ -1,4 +1,4 @@
-policy_module(milter, 1.6.0)
+policy_module(milter, 1.6.1)
########################################
#
@@ -94,15 +94,23 @@ mta_read_config(regex_milter_t)
#
allow spamass_milter_t spamass_milter_state_t:dir search_dir_perms;
+allow spamass_milter_t self:process sigkill;
kernel_read_system_state(spamass_milter_t)
+kernel_read_vm_overcommit_sysctl(spamass_milter_t)
corecmd_exec_shell(spamass_milter_t)
+dev_read_sysfs(spamass_milter_t)
+
files_search_var_lib(spamass_milter_t)
mta_send_mail(spamass_milter_t)
optional_policy(`
+ postfix_search_spool(spamass_milter_t)
+')
+
+optional_policy(`
spamassassin_domtrans_client(spamass_milter_t)
')
diff --git a/policy/modules/contrib/mta.fc b/policy/modules/contrib/mta.fc
index 24681349..dd9f799a 100644
--- a/policy/modules/contrib/mta.fc
+++ b/policy/modules/contrib/mta.fc
@@ -3,6 +3,7 @@ HOME_DIR/\.forward[^/]* -- gen_context(system_u:object_r:mail_home_t,s0)
HOME_DIR/dead\.letter -- gen_context(system_u:object_r:mail_home_t,s0)
HOME_DIR/\.mailrc -- gen_context(system_u:object_r:mail_home_t,s0)
HOME_DIR/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
+HOME_DIR/DovecotMail(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
HOME_DIR/\.maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
/etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0)
diff --git a/policy/modules/contrib/mta.te b/policy/modules/contrib/mta.te
index f7280b11..22308885 100644
--- a/policy/modules/contrib/mta.te
+++ b/policy/modules/contrib/mta.te
@@ -1,4 +1,4 @@
-policy_module(mta, 2.8.2)
+policy_module(mta, 2.8.3)
########################################
#
@@ -199,6 +199,7 @@ selinux_getattr_fs(system_mail_t)
term_dontaudit_use_unallocated_ttys(system_mail_t)
init_use_script_ptys(system_mail_t)
+init_use_fds(system_mail_t)
userdom_use_user_terminals(system_mail_t)
@@ -233,6 +234,7 @@ optional_policy(`
cron_read_system_job_tmp_files(system_mail_t)
cron_dontaudit_write_pipes(system_mail_t)
cron_rw_system_job_stream_sockets(system_mail_t)
+ cron_rw_tmp_files(system_mail_t)
')
optional_policy(`
@@ -294,6 +296,10 @@ optional_policy(`
smartmon_read_tmp_files(system_mail_t)
')
+optional_policy(`
+ unconfined_use_fds(system_mail_t)
+')
+
########################################
#
# MTA user agent local policy
diff --git a/policy/modules/contrib/perdition.fc b/policy/modules/contrib/perdition.fc
index 156232f8..a7d2a8be 100644
--- a/policy/modules/contrib/perdition.fc
+++ b/policy/modules/contrib/perdition.fc
@@ -2,6 +2,6 @@
/etc/perdition(/.*)? gen_context(system_u:object_r:perdition_etc_t,s0)
-/usr/sbin/perdition -- gen_context(system_u:object_r:perdition_exec_t,s0)
+/usr/sbin/perdition.* -- gen_context(system_u:object_r:perdition_exec_t,s0)
/run/perdition\.pid -- gen_context(system_u:object_r:perdition_var_run_t,s0)
diff --git a/policy/modules/contrib/perdition.te b/policy/modules/contrib/perdition.te
index 15023cee..2975c2cc 100644
--- a/policy/modules/contrib/perdition.te
+++ b/policy/modules/contrib/perdition.te
@@ -1,4 +1,4 @@
-policy_module(perdition, 1.10.0)
+policy_module(perdition, 1.10.1)
########################################
#
@@ -23,7 +23,7 @@ files_pid_file(perdition_var_run_t)
# Local policy
#
-allow perdition_t self:capability { setgid setuid };
+allow perdition_t self:capability { chown dac_override fowner setgid setuid };
dontaudit perdition_t self:capability sys_tty_config;
allow perdition_t self:process signal_perms;
allow perdition_t self:tcp_socket { accept listen };
@@ -33,7 +33,8 @@ allow perdition_t perdition_etc_t:file read_file_perms;
allow perdition_t perdition_etc_t:lnk_file read_lnk_file_perms;
manage_files_pattern(perdition_t, perdition_var_run_t, perdition_var_run_t)
-files_pid_filetrans(perdition_t, perdition_var_run_t, file)
+manage_dirs_pattern(perdition_t, perdition_var_run_t, perdition_var_run_t)
+files_pid_filetrans(perdition_t, perdition_var_run_t, { file dir })
kernel_read_kernel_sysctls(perdition_t)
kernel_list_proc(perdition_t)
@@ -45,12 +46,17 @@ corenet_tcp_sendrecv_generic_if(perdition_t)
corenet_tcp_sendrecv_generic_node(perdition_t)
corenet_tcp_sendrecv_all_ports(perdition_t)
corenet_tcp_bind_generic_node(perdition_t)
-
+corenet_tcp_connect_pop_port(perdition_t)
corenet_sendrecv_pop_server_packets(perdition_t)
corenet_tcp_bind_pop_port(perdition_t)
corenet_tcp_sendrecv_pop_port(perdition_t)
+corenet_tcp_connect_sieve_port(perdition_t)
+corenet_sendrecv_sieve_server_packets(perdition_t)
+corenet_tcp_bind_sieve_port(perdition_t)
+corenet_tcp_sendrecv_sieve_port(perdition_t)
dev_read_sysfs(perdition_t)
+dev_read_urand(perdition_t)
domain_use_interactive_fds(perdition_t)
@@ -67,6 +73,11 @@ userdom_dontaudit_use_unpriv_user_fds(perdition_t)
userdom_dontaudit_search_user_home_dirs(perdition_t)
optional_policy(`
+ mysql_tcp_connect(perdition_t)
+ mysql_stream_connect(perdition_t)
+')
+
+optional_policy(`
seutil_sigchld_newrole(perdition_t)
')
diff --git a/policy/modules/contrib/postfix.fc b/policy/modules/contrib/postfix.fc
index b71d8442..707b5be0 100644
--- a/policy/modules/contrib/postfix.fc
+++ b/policy/modules/contrib/postfix.fc
@@ -1,24 +1,24 @@
-/etc/postfix.* gen_context(system_u:object_r:postfix_etc_t,s0)
+/etc/postfix(/.*)? gen_context(system_u:object_r:postfix_etc_t,s0)
/etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
/etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0)
/etc/rc\.d/init\.d/postfix -- gen_context(system_u:object_r:postfix_initrc_exec_t,s0)
# Remove catch-all so that .so files remain lib_t
-#/usr/lib/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
-/usr/lib/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
-/usr/lib/postfix/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0)
-/usr/lib/postfix/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
-/usr/lib/postfix/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
-/usr/lib/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
-/usr/lib/postfix/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0)
-/usr/lib/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
-/usr/lib/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
-/usr/lib/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
-/usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
-/usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
-/usr/lib/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
-/usr/lib/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
+#/usr/lib/postfix/(sbin/)?.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
+/usr/lib/postfix/(sbin/)?cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
+/usr/lib/postfix/(sbin/)?local -- gen_context(system_u:object_r:postfix_local_exec_t,s0)
+/usr/lib/postfix/(sbin/)?master -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/lib/postfix/(sbin/)?pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
+/usr/lib/postfix/(sbin/)?(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
+/usr/lib/postfix/(sbin/)?showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0)
+/usr/lib/postfix/(sbin/)?smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/lib/postfix/(sbin/)?lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/lib/postfix/(sbin/)?scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/lib/postfix/(sbin/)?smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
+/usr/lib/postfix/(sbin/)?bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
+/usr/lib/postfix/(sbin/)?pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
+/usr/lib/postfix/(sbin/)?virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
/usr/libexec/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
/usr/libexec/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te
index 74cb3d7e..94ac8471 100644
--- a/policy/modules/contrib/postfix.te
+++ b/policy/modules/contrib/postfix.te
@@ -1,4 +1,4 @@
-policy_module(postfix, 1.17.0)
+policy_module(postfix, 1.17.1)
########################################
#
@@ -172,6 +172,7 @@ optional_policy(`
#
allow postfix_server_domain self:capability { dac_override setgid setuid };
+allow postfix_master_t self:process getsched;
allow postfix_server_domain postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
@@ -272,6 +273,7 @@ corenet_udp_sendrecv_generic_node(postfix_master_t)
corenet_tcp_sendrecv_all_ports(postfix_master_t)
corenet_udp_sendrecv_all_ports(postfix_master_t)
corenet_tcp_bind_generic_node(postfix_master_t)
+corenet_udp_bind_generic_node(postfix_master_t)
corenet_sendrecv_amavisd_send_server_packets(postfix_master_t)
corenet_tcp_bind_amavisd_send_port(postfix_master_t)
@@ -302,6 +304,8 @@ mcs_file_read_all(postfix_master_t)
term_dontaudit_search_ptys(postfix_master_t)
+hostname_exec(postfix_master_t)
+
miscfiles_read_man_pages(postfix_master_t)
seutil_sigchld_newrole(postfix_master_t)
@@ -326,6 +330,11 @@ optional_policy(`
optional_policy(`
mailman_manage_data_files(postfix_master_t)
+ mailman_search_data(postfix_pipe_t)
+')
+
+optional_policy(`
+ milter_getattr_data_dir(postfix_master_t)
')
optional_policy(`
@@ -371,6 +380,7 @@ allow postfix_cleanup_t self:process setrlimit;
allow postfix_cleanup_t postfix_smtpd_t:tcp_socket rw_stream_socket_perms;
allow postfix_cleanup_t postfix_smtpd_t:unix_stream_socket rw_socket_perms;
+allow postfix_cleanup_t postfix_smtpd_t:fd use;
allow postfix_cleanup_t postfix_spool_maildrop_t:dir list_dir_perms;
allow postfix_cleanup_t postfix_spool_maildrop_t:file read_file_perms;
@@ -397,6 +407,10 @@ corenet_tcp_sendrecv_kismet_port(postfix_cleanup_t)
mta_read_aliases(postfix_cleanup_t)
optional_policy(`
+ dkim_stream_connect(postfix_cleanup_t)
+')
+
+optional_policy(`
mailman_read_data_files(postfix_cleanup_t)
')
@@ -432,6 +446,7 @@ tunable_policy(`postfix_local_write_mail_spool',`
optional_policy(`
clamav_search_lib(postfix_local_t)
clamav_exec_clamscan(postfix_local_t)
+ clamav_stream_connect(postfix_smtpd_t)
')
optional_policy(`
@@ -549,6 +564,7 @@ allow postfix_pipe_t self:process setrlimit;
write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
+write_sock_files_pattern(postfix_pipe_t, postfix_public_t, postfix_public_t)
write_fifo_files_pattern(postfix_pipe_t, postfix_public_t, postfix_public_t)
rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
@@ -567,6 +583,7 @@ optional_policy(`
optional_policy(`
mailman_domtrans_queue(postfix_pipe_t)
+ mailman_domtrans(postfix_pipe_t)
')
optional_policy(`
@@ -596,6 +613,9 @@ manage_files_pattern(postfix_postdrop_t, postfix_spool_maildrop_t, postfix_spool
allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write };
+# for /var/spool/postfix/public/pickup
+stream_connect_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t, postfix_master_t)
+
mcs_file_read_all(postfix_postdrop_t)
mcs_file_write_all(postfix_postdrop_t)
@@ -654,6 +674,10 @@ optional_policy(`
ppp_sigchld(postfix_postqueue_t)
')
+optional_policy(`
+ userdom_sigchld_all_users(postfix_postqueue_t)
+')
+
########################################
#
# Qmgr local policy
diff --git a/policy/modules/contrib/postfixpolicyd.te b/policy/modules/contrib/postfixpolicyd.te
index 621e1817..be84e714 100644
--- a/policy/modules/contrib/postfixpolicyd.te
+++ b/policy/modules/contrib/postfixpolicyd.te
@@ -1,4 +1,4 @@
-policy_module(postfixpolicyd, 1.5.0)
+policy_module(postfixpolicyd, 1.5.1)
########################################
#
@@ -15,6 +15,9 @@ files_config_file(postfix_policyd_conf_t)
type postfix_policyd_initrc_exec_t;
init_script_file(postfix_policyd_initrc_exec_t)
+type postfix_policyd_tmp_t;
+files_type(postfix_policyd_tmp_t)
+
type postfix_policyd_var_run_t;
files_pid_file(postfix_policyd_var_run_t)
@@ -23,8 +26,8 @@ files_pid_file(postfix_policyd_var_run_t)
# Local policy
#
-allow postfix_policyd_t self:capability { setgid setuid sys_chroot sys_resource };
-allow postfix_policyd_t self:process setrlimit;
+allow postfix_policyd_t self:capability { chown sys_chroot sys_resource setgid setuid };
+allow postfix_policyd_t self:process { setrlimit signal signull };
allow postfix_policyd_t self:tcp_socket { accept listen };
allow postfix_policyd_t postfix_policyd_conf_t:dir list_dir_perms;
@@ -34,6 +37,13 @@ allow postfix_policyd_t postfix_policyd_conf_t:lnk_file read_lnk_file_perms;
manage_files_pattern(postfix_policyd_t, postfix_policyd_var_run_t, postfix_policyd_var_run_t)
files_pid_filetrans(postfix_policyd_t, postfix_policyd_var_run_t, file)
+allow postfix_policyd_t postfix_policyd_tmp_t:{ file sock_file } manage_file_perms;
+files_tmp_filetrans(postfix_policyd_t, postfix_policyd_tmp_t, { file sock_file })
+
+kernel_search_network_sysctl(postfix_policyd_t)
+
+corecmd_exec_bin(postfix_policyd_t)
+
corenet_all_recvfrom_unlabeled(postfix_policyd_t)
corenet_tcp_sendrecv_generic_if(postfix_policyd_t)
corenet_tcp_sendrecv_generic_node(postfix_policyd_t)
@@ -47,6 +57,8 @@ corenet_sendrecv_mysqld_server_packets(postfix_policyd_t)
corenet_tcp_bind_mysqld_port(postfix_policyd_t)
corenet_tcp_sendrecv_mysqld_port(postfix_policyd_t)
+dev_read_urand(postfix_policyd_t)
+
files_read_etc_files(postfix_policyd_t)
files_read_usr_files(postfix_policyd_t)
diff --git a/policy/modules/contrib/postgrey.te b/policy/modules/contrib/postgrey.te
index ab5a8d3a..4fe73487 100644
--- a/policy/modules/contrib/postgrey.te
+++ b/policy/modules/contrib/postgrey.te
@@ -1,4 +1,4 @@
-policy_module(postgrey, 1.11.0)
+policy_module(postgrey, 1.11.1)
########################################
#
@@ -34,6 +34,8 @@ dontaudit postgrey_t self:capability sys_tty_config;
allow postgrey_t self:process signal_perms;
allow postgrey_t self:fifo_file create_fifo_file_perms;
allow postgrey_t self:tcp_socket create_stream_socket_perms;
+allow postgrey_t self:netlink_route_socket r_netlink_socket_perms;
+allow postgrey_t self:udp_socket { connect connected_socket_perms };
allow postgrey_t postgrey_etc_t:dir list_dir_perms;
allow postgrey_t postgrey_etc_t:file read_file_perms;
@@ -55,7 +57,8 @@ files_pid_filetrans(postgrey_t, postgrey_var_run_t, { dir file sock_file })
kernel_read_system_state(postgrey_t)
kernel_read_kernel_sysctls(postgrey_t)
-corecmd_search_bin(postgrey_t)
+corecmd_read_bin_files(postgrey_t)
+corecmd_exec_bin(postgrey_t)
corenet_all_recvfrom_unlabeled(postgrey_t)
corenet_all_recvfrom_netlabel(postgrey_t)
diff --git a/policy/modules/contrib/procmail.fc b/policy/modules/contrib/procmail.fc
index bdff6c93..dac08916 100644
--- a/policy/modules/contrib/procmail.fc
+++ b/policy/modules/contrib/procmail.fc
@@ -1,5 +1,6 @@
HOME_DIR/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t,s0)
+/usr/bin/maildrop -- gen_context(system_u:object_r:procmail_exec_t,s0)
/usr/bin/procmail -- gen_context(system_u:object_r:procmail_exec_t,s0)
/var/log/procmail\.log.* -- gen_context(system_u:object_r:procmail_log_t,s0)
diff --git a/policy/modules/contrib/procmail.te b/policy/modules/contrib/procmail.te
index 8a842661..cdd23cc9 100644
--- a/policy/modules/contrib/procmail.te
+++ b/policy/modules/contrib/procmail.te
@@ -1,4 +1,4 @@
-policy_module(procmail, 1.14.0)
+policy_module(procmail, 1.14.1)
########################################
#
@@ -96,6 +96,11 @@ optional_policy(`
')
optional_policy(`
+ courier_read_config(procmail_t)
+ courier_stream_connect_authdaemon(procmail_t)
+')
+
+optional_policy(`
cyrus_stream_connect(procmail_t)
')
diff --git a/policy/modules/contrib/spamassassin.fc b/policy/modules/contrib/spamassassin.fc
index de27cda7..58dce766 100644
--- a/policy/modules/contrib/spamassassin.fc
+++ b/policy/modules/contrib/spamassassin.fc
@@ -23,6 +23,7 @@ HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:spamd_home_t,s0)
/var/log/mimedefang.* -- gen_context(system_u:object_r:spamd_log_t,s0)
/run/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
+/run/spamassassin\.pid gen_context(system_u:object_r:spamd_var_run_t,s0)
/var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
/var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
diff --git a/policy/modules/contrib/spamassassin.te b/policy/modules/contrib/spamassassin.te
index 4a9153ce..2f770d2d 100644
--- a/policy/modules/contrib/spamassassin.te
+++ b/policy/modules/contrib/spamassassin.te
@@ -1,4 +1,4 @@
-policy_module(spamassassin, 2.10.0)
+policy_module(spamassassin, 2.10.1)
########################################
#
@@ -46,6 +46,7 @@ type spamc_exec_t;
typealias spamc_t alias { user_spamc_t staff_spamc_t sysadm_spamc_t };
typealias spamc_t alias { auditadm_spamc_t secadm_spamc_t };
userdom_user_application_domain(spamc_t, spamc_exec_t)
+role system_r types spamc_t;
type spamc_tmp_t;
typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t };
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-02-27 10:50 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-02-27 10:50 UTC (permalink / raw
To: gentoo-commits
commit: fb7aaf2a48166616050ebcc819fef4f9eb097e9b
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Feb 25 16:49:54 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb 27 10:44:02 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fb7aaf2a
apache: Fix CI error.
policy/modules/contrib/apache.te | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index 37af1e22..1d8b1140 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -1,4 +1,4 @@
-policy_module(apache, 2.12.1)
+policy_module(apache, 2.12.2)
########################################
#
@@ -1248,7 +1248,7 @@ auth_use_nsswitch(httpd_sys_script_t)
logging_send_syslog_msg(httpd_sys_script_t)
ifdef(`init_systemd', `
- init_search_pid_dirs(httpd_sys_script_t)
+ init_search_pids(httpd_sys_script_t)
')
tunable_policy(`httpd_can_sendmail',`
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-02-25 16:58 Jason Zaman
2017-02-25 16:58 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2017-02-25 16:58 UTC (permalink / raw
To: gentoo-commits
commit: 8d98d8c879371ade03fdb66270e66408d3af7199
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Feb 25 16:33:58 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 25 16:33:58 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8d98d8c8
Revert "Fix bug #536666 - Assign mailman_domain to all mailman domains"
This reverts commit 8a9db2c7ce1d9ffc2b0e2f789d3eb8fec86eeb53.
This is now upstream
policy/modules/contrib/mailman.if | 5 -----
1 file changed, 5 deletions(-)
diff --git a/policy/modules/contrib/mailman.if b/policy/modules/contrib/mailman.if
index 7c7ddf4b..259f0c3e 100644
--- a/policy/modules/contrib/mailman.if
+++ b/policy/modules/contrib/mailman.if
@@ -39,11 +39,6 @@ template(`mailman_domain_template',`
files_tmp_filetrans(mailman_$1_t, mailman_$1_tmp_t, { file dir })
auth_use_nsswitch(mailman_$1_t)
-
- ifdef(`distro_gentoo',`
- # Bug #536666 - Assign mailman_domain to all mailman domains
- typeattribute mailman_$1_t mailman_domain;
- ')
')
#######################################
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-02-25 16:58 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-02-25 16:58 UTC (permalink / raw
To: gentoo-commits
commit: 569a623ad9011d342bdc454cd166b98943e9d744
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Feb 25 16:31:50 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 25 16:31:50 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=569a623a
mailman: remove gentoo specific fcontexts that are now upstream
policy/modules/contrib/mailman.fc | 22 ----------------------
1 file changed, 22 deletions(-)
diff --git a/policy/modules/contrib/mailman.fc b/policy/modules/contrib/mailman.fc
index d5734fc9..fe7a5159 100644
--- a/policy/modules/contrib/mailman.fc
+++ b/policy/modules/contrib/mailman.fc
@@ -27,25 +27,3 @@
/usr/mailman/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
/usr/share/doc/mailman/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
-
-ifdef(`distro_gentoo',`
-# Bug 536666
-# Seems like Fedora changes trickled in refpolicy and break due to /usr/lib/mailman/bin declaration in corecommands.fc
-/etc/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0)
-
-/usr/lib/cgi-bin/mailman(/.*)? gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
-/usr/lib/mailman/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
-/usr/lib/mailman/bin/mm-handler -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
-/usr/lib/mailman/bin/qrunner -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
-/usr/lib/mailman/cgi-bin(/.*)? gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
-/usr/lib/mailman/cron(/.*)? gen_context(system_u:object_r:mailman_queue_exec_t,s0)
-/usr/lib/mailman/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
-/usr/lib/mailman/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
-/usr/lib/mailman/scripts/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
-
-/usr/mailman/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
-/usr/share/doc/mailman/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
-
-/var/lib/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0)
-/var/lib/mailman/archives(/.*)? gen_context(system_u:object_r:mailman_archive_t,s0)
-')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-02-25 15:28 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-02-25 15:28 UTC (permalink / raw
To: gentoo-commits
commit: fbdf6476f796ef532836e9ce0f76da7223ea8f99
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Feb 25 15:27:25 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 25 15:27:25 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fbdf6476
qemu: remove gentoo specific types that are now upstream
policy/modules/contrib/qemu.te | 2 --
1 file changed, 2 deletions(-)
diff --git a/policy/modules/contrib/qemu.te b/policy/modules/contrib/qemu.te
index b2c843f5..2183147c 100644
--- a/policy/modules/contrib/qemu.te
+++ b/policy/modules/contrib/qemu.te
@@ -85,8 +85,6 @@ ifdef(`distro_gentoo',`
#
# Local policy
#
- type qemu_var_run_t;
- files_pid_file(qemu_var_run_t)
# VNC/GDB support
allow qemu_t self:tcp_socket create_stream_socket_perms;
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-02-25 14:59 Jason Zaman
2017-02-25 14:51 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2017-02-25 14:59 UTC (permalink / raw
To: gentoo-commits
commit: 232701f0d9090cd34c22f350a7dfbda7c58a0ea0
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Fri Feb 24 01:58:41 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 25 14:50:54 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=232701f0
mailman: Fixes from Russell Coker.
policy/modules/contrib/cron.if | 18 +++++++
policy/modules/contrib/cron.te | 2 +-
policy/modules/contrib/mailman.fc | 24 ++++-----
policy/modules/contrib/mailman.te | 100 +++++++++++++++++++++++++++++++++++---
policy/modules/contrib/mta.if | 18 +++++++
policy/modules/contrib/mta.te | 2 +-
6 files changed, 143 insertions(+), 21 deletions(-)
diff --git a/policy/modules/contrib/cron.if b/policy/modules/contrib/cron.if
index 6737f53c..5739d4f0 100644
--- a/policy/modules/contrib/cron.if
+++ b/policy/modules/contrib/cron.if
@@ -705,6 +705,24 @@ interface(`cron_manage_system_spool',`
########################################
## <summary>
+## Read and write crond temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_rw_tmp_files',`
+ gen_require(`
+ type crond_tmp_t;
+ ')
+
+ allow $1 crond_tmp_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
## Read system cron job lib files.
## </summary>
## <param name="domain">
diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te
index 3513e1f2..b51524a4 100644
--- a/policy/modules/contrib/cron.te
+++ b/policy/modules/contrib/cron.te
@@ -1,4 +1,4 @@
-policy_module(cron, 2.11.1)
+policy_module(cron, 2.11.2)
gen_require(`
class passwd rootok;
diff --git a/policy/modules/contrib/mailman.fc b/policy/modules/contrib/mailman.fc
index 1a226daf..d5734fc9 100644
--- a/policy/modules/contrib/mailman.fc
+++ b/policy/modules/contrib/mailman.fc
@@ -2,11 +2,11 @@
/etc/mailman.* gen_context(system_u:object_r:mailman_data_t,s0)
-/usr/lib/mailman.*/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
-/usr/lib/mailman.*/bin/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
-/usr/lib/mailman.*/cron/.* -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
+/usr/lib/mailman/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/lib/mailman/bin/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/lib/mailman/cron/.* -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
/var/lib/mailman.* gen_context(system_u:object_r:mailman_data_t,s0)
-/var/lib/mailman.*/archives(/.*)? gen_context(system_u:object_r:mailman_archive_t,s0)
+/var/lib/mailman/archives(/.*)? gen_context(system_u:object_r:mailman_archive_t,s0)
/var/lock/mailman.* gen_context(system_u:object_r:mailman_lock_t,s0)
/var/lock/subsys/mailman.* -- gen_context(system_u:object_r:mailman_lock_t,s0)
@@ -17,16 +17,16 @@
/var/spool/mailman.* gen_context(system_u:object_r:mailman_data_t,s0)
-/usr/lib/cgi-bin/mailman.*/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
-/usr/lib/mailman.*/bin/qrunner -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
-/usr/lib/mailman.*/cgi-bin/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
-/usr/lib/mailman.*/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
-/usr/lib/mailman.*/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
-/usr/lib/mailman.*/scripts/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/lib/cgi-bin/mailman/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
+/usr/lib/mailman/bin/qrunner -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
+/usr/lib/mailman/cgi-bin/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
+/usr/lib/mailman/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/lib/mailman/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/lib/mailman/scripts/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
-/usr/mailman.*/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/mailman/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
-/usr/share/doc/mailman.*/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/share/doc/mailman/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
ifdef(`distro_gentoo',`
# Bug 536666
diff --git a/policy/modules/contrib/mailman.te b/policy/modules/contrib/mailman.te
index 7421ce3a..3de43d20 100644
--- a/policy/modules/contrib/mailman.te
+++ b/policy/modules/contrib/mailman.te
@@ -1,4 +1,4 @@
-policy_module(mailman, 1.12.0)
+policy_module(mailman, 1.12.1)
########################################
#
@@ -91,12 +91,39 @@ miscfiles_read_localization(mailman_domain)
# CGI local policy
#
+allow mailman_cgi_t self:unix_dgram_socket { create connect };
+
+allow mailman_cgi_t mailman_archive_t:dir search_dir_perms;
+allow mailman_cgi_t mailman_archive_t:file read_file_perms;
+
+allow mailman_cgi_t mailman_data_t:dir rw_dir_perms;
+allow mailman_cgi_t mailman_data_t:file manage_file_perms;
+allow mailman_cgi_t mailman_data_t:lnk_file read_lnk_file_perms;
+
+allow mailman_cgi_t mailman_lock_t:dir manage_dir_perms;
+allow mailman_cgi_t mailman_lock_t:file manage_file_perms;
+
+allow mailman_cgi_t mailman_log_t:file { append_file_perms read_file_perms };
+allow mailman_cgi_t mailman_log_t:dir search_dir_perms;
+
+kernel_read_crypto_sysctls(mailman_cgi_t)
+kernel_read_system_state(mailman_cgi_t)
+
+corecmd_exec_bin(mailman_cgi_t)
+
dev_read_urand(mailman_cgi_t)
+files_search_locks(mailman_cgi_t)
+
term_use_controlling_term(mailman_cgi_t)
libs_dontaudit_write_lib_dirs(mailman_cgi_t)
+logging_search_logs(mailman_cgi_t)
+
+miscfiles_read_localization(mailman_cgi_t)
+
+
optional_policy(`
apache_sigchld(mailman_cgi_t)
apache_use_fds(mailman_cgi_t)
@@ -116,24 +143,61 @@ optional_policy(`
#
allow mailman_mail_t self:capability { dac_override kill setgid setuid sys_tty_config };
-allow mailman_mail_t self:process { signal signull };
+allow mailman_mail_t self:process { signal signull setsched };
+
+allow mailman_mail_t mailman_archive_t:dir manage_dir_perms;
+allow mailman_mail_t mailman_archive_t:file manage_file_perms;
+allow mailman_mail_t mailman_archive_t:lnk_file manage_lnk_file_perms;
+
+allow mailman_mail_t mailman_data_t:dir rw_dir_perms;
+allow mailman_mail_t mailman_data_t:file manage_file_perms;
+allow mailman_mail_t mailman_data_t:lnk_file read_lnk_file_perms;
+
+allow mailman_mail_t mailman_lock_t:dir rw_dir_perms;
+allow mailman_mail_t mailman_lock_t:file manage_file_perms;
+
+allow mailman_mail_t mailman_log_t:dir search;
+allow mailman_mail_t mailman_log_t:file read_file_perms;
+
+domtrans_pattern(mailman_mail_t, mailman_queue_exec_t, mailman_queue_t)
+allow mailman_mail_t mailman_queue_exec_t:file ioctl;
+
+can_exec(mailman_mail_t, mailman_mail_exec_t)
manage_files_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t)
manage_dirs_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t)
files_pid_filetrans(mailman_mail_t, mailman_var_run_t, { file dir })
-corenet_sendrecv_innd_client_packets(mailman_mail_t)
-corenet_tcp_connect_innd_port(mailman_mail_t)
-corenet_tcp_sendrecv_innd_port(mailman_mail_t)
+kernel_read_system_state(mailman_mail_t)
+corenet_tcp_connect_smtp_port(mailman_mail_t)
corenet_sendrecv_spamd_client_packets(mailman_mail_t)
+corenet_sendrecv_innd_client_packets(mailman_mail_t)
+corenet_tcp_connect_innd_port(mailman_mail_t)
corenet_tcp_connect_spamd_port(mailman_mail_t)
+corenet_tcp_sendrecv_innd_port(mailman_mail_t)
corenet_tcp_sendrecv_spamd_port(mailman_mail_t)
dev_read_urand(mailman_mail_t)
+corecmd_exec_bin(mailman_mail_t)
+
+files_search_locks(mailman_mail_t)
+
fs_rw_anon_inodefs_files(mailman_mail_t)
+# this is far from ideal, but systemd reduces the importance of initrc_t
+init_signal_script(mailman_mail_t)
+init_signull_script(mailman_mail_t)
+
+# for python .path file
+libs_read_lib_files(mailman_mail_t)
+
+logging_search_logs(mailman_mail_t)
+
+miscfiles_read_localization(mailman_mail_t)
+
+mta_use_mailserver_fds(mailman_mail_t)
mta_dontaudit_rw_delivery_tcp_sockets(mailman_mail_t)
mta_dontaudit_rw_queue(mailman_mail_t)
@@ -159,18 +223,40 @@ allow mailman_queue_t self:capability { setgid setuid };
allow mailman_queue_t self:process { setsched signal_perms };
allow mailman_queue_t self:fifo_file rw_fifo_file_perms;
+allow mailman_queue_t mailman_archive_t:dir manage_dir_perms;
+allow mailman_queue_t mailman_archive_t:file manage_file_perms;
+
+allow mailman_queue_t mailman_data_t:dir rw_dir_perms;
+allow mailman_queue_t mailman_data_t:file manage_file_perms;
+allow mailman_queue_t mailman_data_t:lnk_file read_lnk_file_perms;
+
+allow mailman_queue_t mailman_lock_t:dir rw_dir_perms;
+allow mailman_queue_t mailman_lock_t:file manage_file_perms;
+
+allow mailman_queue_t mailman_log_t:dir list_dir_perms;
+allow mailman_queue_t mailman_log_t:file manage_file_perms;
+
+kernel_read_system_state(mailman_queue_t)
+
+auth_domtrans_chk_passwd(mailman_queue_t)
+
+corecmd_read_bin_files(mailman_queue_t)
+corecmd_read_bin_symlinks(mailman_queue_t)
corenet_sendrecv_innd_client_packets(mailman_queue_t)
corenet_tcp_connect_innd_port(mailman_queue_t)
corenet_tcp_sendrecv_innd_port(mailman_queue_t)
-auth_domtrans_chk_passwd(mailman_queue_t)
-
files_dontaudit_search_pids(mailman_queue_t)
+files_search_locks(mailman_queue_t)
+
+miscfiles_read_localization(mailman_queue_t)
seutil_dontaudit_search_config(mailman_queue_t)
userdom_search_user_home_dirs(mailman_queue_t)
+cron_rw_tmp_files(mailman_queue_t)
+
optional_policy(`
apache_read_config(mailman_queue_t)
')
diff --git a/policy/modules/contrib/mta.if b/policy/modules/contrib/mta.if
index a5034276..7e268b80 100644
--- a/policy/modules/contrib/mta.if
+++ b/policy/modules/contrib/mta.if
@@ -338,6 +338,24 @@ interface(`mta_sendmail_mailserver',`
typeattribute $1 mailserver_domain;
')
+########################################
+## <summary>
+## Inherit FDs from mailserver_domain domains
+## </summary>
+## <param name="type">
+## <summary>
+## Type for a list server or delivery agent that inherits fds
+## </summary>
+## </param>
+#
+interface(`mta_use_mailserver_fds',`
+ gen_require(`
+ attribute mailserver_domain;
+ ')
+
+ allow $1 mailserver_domain:fd use;
+')
+
#######################################
## <summary>
## Make a type a mailserver type used
diff --git a/policy/modules/contrib/mta.te b/policy/modules/contrib/mta.te
index 9a3ee20e..f7280b11 100644
--- a/policy/modules/contrib/mta.te
+++ b/policy/modules/contrib/mta.te
@@ -1,4 +1,4 @@
-policy_module(mta, 2.8.1)
+policy_module(mta, 2.8.2)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2017-02-25 14:59 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
@ 2017-02-25 14:51 ` Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-02-25 14:51 UTC (permalink / raw
To: gentoo-commits
commit: 232701f0d9090cd34c22f350a7dfbda7c58a0ea0
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Fri Feb 24 01:58:41 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 25 14:50:54 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=232701f0
mailman: Fixes from Russell Coker.
policy/modules/contrib/cron.if | 18 +++++++
policy/modules/contrib/cron.te | 2 +-
policy/modules/contrib/mailman.fc | 24 ++++-----
policy/modules/contrib/mailman.te | 100 +++++++++++++++++++++++++++++++++++---
policy/modules/contrib/mta.if | 18 +++++++
policy/modules/contrib/mta.te | 2 +-
6 files changed, 143 insertions(+), 21 deletions(-)
diff --git a/policy/modules/contrib/cron.if b/policy/modules/contrib/cron.if
index 6737f53c..5739d4f0 100644
--- a/policy/modules/contrib/cron.if
+++ b/policy/modules/contrib/cron.if
@@ -705,6 +705,24 @@ interface(`cron_manage_system_spool',`
########################################
## <summary>
+## Read and write crond temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_rw_tmp_files',`
+ gen_require(`
+ type crond_tmp_t;
+ ')
+
+ allow $1 crond_tmp_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
## Read system cron job lib files.
## </summary>
## <param name="domain">
diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te
index 3513e1f2..b51524a4 100644
--- a/policy/modules/contrib/cron.te
+++ b/policy/modules/contrib/cron.te
@@ -1,4 +1,4 @@
-policy_module(cron, 2.11.1)
+policy_module(cron, 2.11.2)
gen_require(`
class passwd rootok;
diff --git a/policy/modules/contrib/mailman.fc b/policy/modules/contrib/mailman.fc
index 1a226daf..d5734fc9 100644
--- a/policy/modules/contrib/mailman.fc
+++ b/policy/modules/contrib/mailman.fc
@@ -2,11 +2,11 @@
/etc/mailman.* gen_context(system_u:object_r:mailman_data_t,s0)
-/usr/lib/mailman.*/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
-/usr/lib/mailman.*/bin/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
-/usr/lib/mailman.*/cron/.* -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
+/usr/lib/mailman/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/lib/mailman/bin/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/lib/mailman/cron/.* -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
/var/lib/mailman.* gen_context(system_u:object_r:mailman_data_t,s0)
-/var/lib/mailman.*/archives(/.*)? gen_context(system_u:object_r:mailman_archive_t,s0)
+/var/lib/mailman/archives(/.*)? gen_context(system_u:object_r:mailman_archive_t,s0)
/var/lock/mailman.* gen_context(system_u:object_r:mailman_lock_t,s0)
/var/lock/subsys/mailman.* -- gen_context(system_u:object_r:mailman_lock_t,s0)
@@ -17,16 +17,16 @@
/var/spool/mailman.* gen_context(system_u:object_r:mailman_data_t,s0)
-/usr/lib/cgi-bin/mailman.*/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
-/usr/lib/mailman.*/bin/qrunner -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
-/usr/lib/mailman.*/cgi-bin/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
-/usr/lib/mailman.*/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
-/usr/lib/mailman.*/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
-/usr/lib/mailman.*/scripts/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/lib/cgi-bin/mailman/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
+/usr/lib/mailman/bin/qrunner -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
+/usr/lib/mailman/cgi-bin/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
+/usr/lib/mailman/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/lib/mailman/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/lib/mailman/scripts/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
-/usr/mailman.*/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/mailman/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
-/usr/share/doc/mailman.*/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/share/doc/mailman/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
ifdef(`distro_gentoo',`
# Bug 536666
diff --git a/policy/modules/contrib/mailman.te b/policy/modules/contrib/mailman.te
index 7421ce3a..3de43d20 100644
--- a/policy/modules/contrib/mailman.te
+++ b/policy/modules/contrib/mailman.te
@@ -1,4 +1,4 @@
-policy_module(mailman, 1.12.0)
+policy_module(mailman, 1.12.1)
########################################
#
@@ -91,12 +91,39 @@ miscfiles_read_localization(mailman_domain)
# CGI local policy
#
+allow mailman_cgi_t self:unix_dgram_socket { create connect };
+
+allow mailman_cgi_t mailman_archive_t:dir search_dir_perms;
+allow mailman_cgi_t mailman_archive_t:file read_file_perms;
+
+allow mailman_cgi_t mailman_data_t:dir rw_dir_perms;
+allow mailman_cgi_t mailman_data_t:file manage_file_perms;
+allow mailman_cgi_t mailman_data_t:lnk_file read_lnk_file_perms;
+
+allow mailman_cgi_t mailman_lock_t:dir manage_dir_perms;
+allow mailman_cgi_t mailman_lock_t:file manage_file_perms;
+
+allow mailman_cgi_t mailman_log_t:file { append_file_perms read_file_perms };
+allow mailman_cgi_t mailman_log_t:dir search_dir_perms;
+
+kernel_read_crypto_sysctls(mailman_cgi_t)
+kernel_read_system_state(mailman_cgi_t)
+
+corecmd_exec_bin(mailman_cgi_t)
+
dev_read_urand(mailman_cgi_t)
+files_search_locks(mailman_cgi_t)
+
term_use_controlling_term(mailman_cgi_t)
libs_dontaudit_write_lib_dirs(mailman_cgi_t)
+logging_search_logs(mailman_cgi_t)
+
+miscfiles_read_localization(mailman_cgi_t)
+
+
optional_policy(`
apache_sigchld(mailman_cgi_t)
apache_use_fds(mailman_cgi_t)
@@ -116,24 +143,61 @@ optional_policy(`
#
allow mailman_mail_t self:capability { dac_override kill setgid setuid sys_tty_config };
-allow mailman_mail_t self:process { signal signull };
+allow mailman_mail_t self:process { signal signull setsched };
+
+allow mailman_mail_t mailman_archive_t:dir manage_dir_perms;
+allow mailman_mail_t mailman_archive_t:file manage_file_perms;
+allow mailman_mail_t mailman_archive_t:lnk_file manage_lnk_file_perms;
+
+allow mailman_mail_t mailman_data_t:dir rw_dir_perms;
+allow mailman_mail_t mailman_data_t:file manage_file_perms;
+allow mailman_mail_t mailman_data_t:lnk_file read_lnk_file_perms;
+
+allow mailman_mail_t mailman_lock_t:dir rw_dir_perms;
+allow mailman_mail_t mailman_lock_t:file manage_file_perms;
+
+allow mailman_mail_t mailman_log_t:dir search;
+allow mailman_mail_t mailman_log_t:file read_file_perms;
+
+domtrans_pattern(mailman_mail_t, mailman_queue_exec_t, mailman_queue_t)
+allow mailman_mail_t mailman_queue_exec_t:file ioctl;
+
+can_exec(mailman_mail_t, mailman_mail_exec_t)
manage_files_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t)
manage_dirs_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t)
files_pid_filetrans(mailman_mail_t, mailman_var_run_t, { file dir })
-corenet_sendrecv_innd_client_packets(mailman_mail_t)
-corenet_tcp_connect_innd_port(mailman_mail_t)
-corenet_tcp_sendrecv_innd_port(mailman_mail_t)
+kernel_read_system_state(mailman_mail_t)
+corenet_tcp_connect_smtp_port(mailman_mail_t)
corenet_sendrecv_spamd_client_packets(mailman_mail_t)
+corenet_sendrecv_innd_client_packets(mailman_mail_t)
+corenet_tcp_connect_innd_port(mailman_mail_t)
corenet_tcp_connect_spamd_port(mailman_mail_t)
+corenet_tcp_sendrecv_innd_port(mailman_mail_t)
corenet_tcp_sendrecv_spamd_port(mailman_mail_t)
dev_read_urand(mailman_mail_t)
+corecmd_exec_bin(mailman_mail_t)
+
+files_search_locks(mailman_mail_t)
+
fs_rw_anon_inodefs_files(mailman_mail_t)
+# this is far from ideal, but systemd reduces the importance of initrc_t
+init_signal_script(mailman_mail_t)
+init_signull_script(mailman_mail_t)
+
+# for python .path file
+libs_read_lib_files(mailman_mail_t)
+
+logging_search_logs(mailman_mail_t)
+
+miscfiles_read_localization(mailman_mail_t)
+
+mta_use_mailserver_fds(mailman_mail_t)
mta_dontaudit_rw_delivery_tcp_sockets(mailman_mail_t)
mta_dontaudit_rw_queue(mailman_mail_t)
@@ -159,18 +223,40 @@ allow mailman_queue_t self:capability { setgid setuid };
allow mailman_queue_t self:process { setsched signal_perms };
allow mailman_queue_t self:fifo_file rw_fifo_file_perms;
+allow mailman_queue_t mailman_archive_t:dir manage_dir_perms;
+allow mailman_queue_t mailman_archive_t:file manage_file_perms;
+
+allow mailman_queue_t mailman_data_t:dir rw_dir_perms;
+allow mailman_queue_t mailman_data_t:file manage_file_perms;
+allow mailman_queue_t mailman_data_t:lnk_file read_lnk_file_perms;
+
+allow mailman_queue_t mailman_lock_t:dir rw_dir_perms;
+allow mailman_queue_t mailman_lock_t:file manage_file_perms;
+
+allow mailman_queue_t mailman_log_t:dir list_dir_perms;
+allow mailman_queue_t mailman_log_t:file manage_file_perms;
+
+kernel_read_system_state(mailman_queue_t)
+
+auth_domtrans_chk_passwd(mailman_queue_t)
+
+corecmd_read_bin_files(mailman_queue_t)
+corecmd_read_bin_symlinks(mailman_queue_t)
corenet_sendrecv_innd_client_packets(mailman_queue_t)
corenet_tcp_connect_innd_port(mailman_queue_t)
corenet_tcp_sendrecv_innd_port(mailman_queue_t)
-auth_domtrans_chk_passwd(mailman_queue_t)
-
files_dontaudit_search_pids(mailman_queue_t)
+files_search_locks(mailman_queue_t)
+
+miscfiles_read_localization(mailman_queue_t)
seutil_dontaudit_search_config(mailman_queue_t)
userdom_search_user_home_dirs(mailman_queue_t)
+cron_rw_tmp_files(mailman_queue_t)
+
optional_policy(`
apache_read_config(mailman_queue_t)
')
diff --git a/policy/modules/contrib/mta.if b/policy/modules/contrib/mta.if
index a5034276..7e268b80 100644
--- a/policy/modules/contrib/mta.if
+++ b/policy/modules/contrib/mta.if
@@ -338,6 +338,24 @@ interface(`mta_sendmail_mailserver',`
typeattribute $1 mailserver_domain;
')
+########################################
+## <summary>
+## Inherit FDs from mailserver_domain domains
+## </summary>
+## <param name="type">
+## <summary>
+## Type for a list server or delivery agent that inherits fds
+## </summary>
+## </param>
+#
+interface(`mta_use_mailserver_fds',`
+ gen_require(`
+ attribute mailserver_domain;
+ ')
+
+ allow $1 mailserver_domain:fd use;
+')
+
#######################################
## <summary>
## Make a type a mailserver type used
diff --git a/policy/modules/contrib/mta.te b/policy/modules/contrib/mta.te
index 9a3ee20e..f7280b11 100644
--- a/policy/modules/contrib/mta.te
+++ b/policy/modules/contrib/mta.te
@@ -1,4 +1,4 @@
-policy_module(mta, 2.8.1)
+policy_module(mta, 2.8.2)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-02-25 14:59 Jason Zaman
2017-02-25 14:51 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2017-02-25 14:59 UTC (permalink / raw
To: gentoo-commits
commit: 8b14b48e43ea96dcd1af81b53b7543bb8c1ef4fd
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Thu Feb 23 23:16:16 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 25 14:50:53 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8b14b48e
Module version bump for samba patch from Russell Coker.
policy/modules/contrib/samba.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
index afff38ff..06323b49 100644
--- a/policy/modules/contrib/samba.te
+++ b/policy/modules/contrib/samba.te
@@ -1,4 +1,4 @@
-policy_module(samba, 1.20.0)
+policy_module(samba, 1.20.1)
#################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-02-25 14:59 Jason Zaman
2017-02-25 14:51 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2017-02-25 14:59 UTC (permalink / raw
To: gentoo-commits
commit: a45b31b9fba7cc7e723345310d946c86f7dc165f
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Thu Feb 23 00:00:32 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 25 14:50:52 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a45b31b9
Module version bump for ntp fixes from cgzones.
policy/modules/contrib/ntp.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/ntp.te b/policy/modules/contrib/ntp.te
index 208bd66e..b1969955 100644
--- a/policy/modules/contrib/ntp.te
+++ b/policy/modules/contrib/ntp.te
@@ -1,4 +1,4 @@
-policy_module(ntp, 1.16.0)
+policy_module(ntp, 1.16.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-02-25 14:59 Jason Zaman
2017-02-25 14:51 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2017-02-25 14:59 UTC (permalink / raw
To: gentoo-commits
commit: bdd606c36e4b163f5dee262d0c450a74efcd208c
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Fri Feb 24 01:03:08 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 25 14:50:53 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=bdd606c3
Systemd fixes from Russell Coker.
policy/modules/contrib/cron.if | 19 +++++++++++++++++++
policy/modules/contrib/cron.te | 2 +-
2 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/cron.if b/policy/modules/contrib/cron.if
index c6dec2c3..6737f53c 100644
--- a/policy/modules/contrib/cron.if
+++ b/policy/modules/contrib/cron.if
@@ -686,6 +686,25 @@ interface(`cron_use_system_job_fds',`
########################################
## <summary>
+## Create, read, write, and delete the system spool.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_manage_system_spool',`
+ gen_require(`
+ type cron_system_spool_t;
+ ')
+
+ files_search_spool($1)
+ manage_files_pattern($1, cron_system_spool_t, cron_system_spool_t)
+')
+
+########################################
+## <summary>
## Read system cron job lib files.
## </summary>
## <param name="domain">
diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te
index 905deb16..3513e1f2 100644
--- a/policy/modules/contrib/cron.te
+++ b/policy/modules/contrib/cron.te
@@ -1,4 +1,4 @@
-policy_module(cron, 2.11.0)
+policy_module(cron, 2.11.1)
gen_require(`
class passwd rootok;
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2017-02-25 14:59 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
@ 2017-02-25 14:51 ` Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-02-25 14:51 UTC (permalink / raw
To: gentoo-commits
commit: bdd606c36e4b163f5dee262d0c450a74efcd208c
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Fri Feb 24 01:03:08 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 25 14:50:53 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=bdd606c3
Systemd fixes from Russell Coker.
policy/modules/contrib/cron.if | 19 +++++++++++++++++++
policy/modules/contrib/cron.te | 2 +-
2 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/cron.if b/policy/modules/contrib/cron.if
index c6dec2c3..6737f53c 100644
--- a/policy/modules/contrib/cron.if
+++ b/policy/modules/contrib/cron.if
@@ -686,6 +686,25 @@ interface(`cron_use_system_job_fds',`
########################################
## <summary>
+## Create, read, write, and delete the system spool.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_manage_system_spool',`
+ gen_require(`
+ type cron_system_spool_t;
+ ')
+
+ files_search_spool($1)
+ manage_files_pattern($1, cron_system_spool_t, cron_system_spool_t)
+')
+
+########################################
+## <summary>
## Read system cron job lib files.
## </summary>
## <param name="domain">
diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te
index 905deb16..3513e1f2 100644
--- a/policy/modules/contrib/cron.te
+++ b/policy/modules/contrib/cron.te
@@ -1,4 +1,4 @@
-policy_module(cron, 2.11.0)
+policy_module(cron, 2.11.1)
gen_require(`
class passwd rootok;
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-02-25 14:59 Jason Zaman
2017-02-25 14:51 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2017-02-25 14:59 UTC (permalink / raw
To: gentoo-commits
commit: 35bc01e881f75e092a6cf668400407d73081f8fc
Author: cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Thu Jan 5 18:59:45 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 25 14:50:52 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=35bc01e8
update ntp module
* add private lock type
* dontaudit sys_resource
policy/modules/contrib/ntp.fc | 47 ++++++++++++++++++++++---------------------
policy/modules/contrib/ntp.if | 7 ++++---
policy/modules/contrib/ntp.te | 37 +++++++++++++++++++++-------------
3 files changed, 51 insertions(+), 40 deletions(-)
diff --git a/policy/modules/contrib/ntp.fc b/policy/modules/contrib/ntp.fc
index 16428bc2..756241da 100644
--- a/policy/modules/contrib/ntp.fc
+++ b/policy/modules/contrib/ntp.fc
@@ -1,33 +1,34 @@
-/etc/cron\.daily/ntp -- gen_context(system_u:object_r:ntpd_exec_t,s0)
-/etc/cron\.(daily|weekly)/ntp-simple -- gen_context(system_u:object_r:ntpd_exec_t,s0)
-/etc/cron\.(daily|weekly)/ntp-server -- gen_context(system_u:object_r:ntpd_exec_t,s0)
+/etc/cron\.daily/ntp -- gen_context(system_u:object_r:ntpd_exec_t,s0)
+/etc/cron\.(daily|weekly)/ntp-simple -- gen_context(system_u:object_r:ntpd_exec_t,s0)
+/etc/cron\.(daily|weekly)/ntp-server -- gen_context(system_u:object_r:ntpd_exec_t,s0)
-/etc/ntp\.conf -- gen_context(system_u:object_r:ntp_conf_t,s0)
-/etc/ntpd.*\.conf.* -- gen_context(system_u:object_r:ntp_conf_t,s0)
-/etc/ntp/crypto(/.*)? gen_context(system_u:object_r:ntpd_key_t,s0)
-/etc/ntp/data(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
-/etc/ntp/keys -- gen_context(system_u:object_r:ntpd_key_t,s0)
-/etc/ntp/step-tickers.* -- gen_context(system_u:object_r:ntp_conf_t,s0)
+/etc/ntp\.conf -- gen_context(system_u:object_r:ntp_conf_t,s0)
+/etc/ntpd.*\.conf.* -- gen_context(system_u:object_r:ntp_conf_t,s0)
+/etc/ntp/crypto(/.*)? gen_context(system_u:object_r:ntpd_key_t,s0)
+/etc/ntp/data(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
+/etc/ntp/keys -- gen_context(system_u:object_r:ntpd_key_t,s0)
+/etc/ntp/step-tickers.* -- gen_context(system_u:object_r:ntp_conf_t,s0)
-/etc/rc\.d/init\.d/ntpd? -- gen_context(system_u:object_r:ntpd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/ntpd? -- gen_context(system_u:object_r:ntpd_initrc_exec_t,s0)
-# Systemd unit file
-/usr/lib/systemd/ntp-units\.d/.* -- gen_context(system_u:object_r:ntpd_unit_t,s0)
-/usr/lib/systemd/system/ntpd.*\.service -- gen_context(system_u:object_r:ntpd_unit_t,s0)
+/run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_pid_t,s0)
-/usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
-/usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
-/usr/sbin/sntp -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
+/usr/lib/systemd/ntp-units\.d/.* -- gen_context(system_u:object_r:ntpd_unit_t,s0)
+/usr/lib/systemd/system/ntpd.*\.service -- gen_context(system_u:object_r:ntpd_unit_t,s0)
-/var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
-/var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
-/var/db/ntp-kod -- gen_context(system_u:object_r:ntp_drift_t,s0)
+/usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
+/usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
+/usr/sbin/sntp -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
-/var/log/ntp.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
-/var/log/ntpstats(/.*)? gen_context(system_u:object_r:ntpd_log_t,s0)
-/var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
+/var/db/ntp-kod -- gen_context(system_u:object_r:ntp_drift_t,s0)
+/var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
+/var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
-/run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_var_run_t,s0)
+/var/lock/ntpdate -- gen_context(system_u:object_r:ntpd_lock_t,s0)
+
+/var/log/ntp.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
+/var/log/ntpstats(/.*)? gen_context(system_u:object_r:ntpd_log_t,s0)
+/var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
/run/ntpd\.sock -s gen_context(system_u:object_r:ntpd_var_run_t,s0)
ifdef(`distro_gentoo',`
diff --git a/policy/modules/contrib/ntp.if b/policy/modules/contrib/ntp.if
index f8534c6b..fa0a1839 100644
--- a/policy/modules/contrib/ntp.if
+++ b/policy/modules/contrib/ntp.if
@@ -179,14 +179,15 @@ interface(`ntp_rw_shm',`
interface(`ntp_admin',`
gen_require(`
type ntpd_t, ntpd_tmp_t, ntpd_log_t;
- type ntpd_key_t, ntpd_var_run_t, ntp_conf_t;
+ type ntpd_key_t, ntpd_pid_t, ntp_conf_t;
type ntpd_initrc_exec_t, ntp_drift_t;
+ type ntpd_unit_t;
')
allow $1 ntpd_t:process { ptrace signal_perms };
ps_process_pattern($1, ntpd_t)
- init_startstop_service($1, $2, ntpd_t, ntpd_initrc_exec_t)
+ init_startstop_service($1, $2, ntpd_t, ntpd_initrc_exec_t, ntpd_unit_t)
files_list_etc($1)
admin_pattern($1, { ntpd_key_t ntp_conf_t })
@@ -201,7 +202,7 @@ interface(`ntp_admin',`
admin_pattern($1, ntp_drift_t)
files_list_pids($1)
- admin_pattern($1, ntpd_var_run_t)
+ admin_pattern($1, ntpd_pid_t)
ntp_run($1, $2)
')
diff --git a/policy/modules/contrib/ntp.te b/policy/modules/contrib/ntp.te
index 2fcf0a40..208bd66e 100644
--- a/policy/modules/contrib/ntp.te
+++ b/policy/modules/contrib/ntp.te
@@ -7,6 +7,9 @@ policy_module(ntp, 1.16.0)
attribute_role ntpd_roles;
+type ntp_conf_t;
+files_config_file(ntp_conf_t)
+
type ntp_drift_t;
files_type(ntp_drift_t)
@@ -18,15 +21,20 @@ role ntpd_roles types ntpd_t;
type ntpd_initrc_exec_t;
init_script_file(ntpd_initrc_exec_t)
-type ntp_conf_t;
-files_config_file(ntp_conf_t)
-
type ntpd_key_t;
files_type(ntpd_key_t)
+type ntpd_lock_t;
+files_lock_file(ntpd_lock_t)
+init_daemon_lock_file(ntpd_lock_t, file, "ntpdate")
+
type ntpd_log_t;
logging_log_file(ntpd_log_t)
+type ntpd_pid_t;
+typealias ntpd_pid_t alias ntpd_var_run_t;
+files_pid_file(ntpd_pid_t)
+
type ntpd_tmp_t;
files_tmp_file(ntpd_tmp_t)
@@ -36,9 +44,6 @@ files_tmpfs_file(ntpd_tmpfs_t)
type ntpd_unit_t;
init_unit_file(ntpd_unit_t)
-type ntpd_var_run_t;
-files_pid_file(ntpd_var_run_t)
-
type ntpdate_exec_t;
init_system_domain(ntpd_t, ntpdate_exec_t)
@@ -47,28 +52,36 @@ init_system_domain(ntpd_t, ntpdate_exec_t)
# Local policy
#
-allow ntpd_t self:capability { chown dac_override ipc_lock ipc_owner kill setgid setuid sys_chroot sys_nice sys_resource sys_time };
-dontaudit ntpd_t self:capability { fsetid net_admin sys_nice sys_tty_config };
+# sys_time : modify system time
+allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock ipc_owner sys_chroot sys_nice };
+dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice sys_resource };
allow ntpd_t self:process { signal_perms getcap setcap setsched setrlimit };
allow ntpd_t self:fifo_file rw_fifo_file_perms;
allow ntpd_t self:shm create_shm_perms;
+allow ntpd_t self:socket create;
allow ntpd_t self:tcp_socket { accept listen };
+allow ntpd_t ntp_conf_t:file read_file_perms;
+
manage_dirs_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
manage_files_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
files_var_filetrans(ntpd_t, ntp_drift_t, file)
-allow ntpd_t ntp_conf_t:file read_file_perms;
-
read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
read_lnk_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
+allow ntpd_t ntpd_lock_t:file write_file_perms;
+
allow ntpd_t ntpd_log_t:dir setattr_dir_perms;
append_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
create_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
setattr_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
logging_log_filetrans(ntpd_t, ntpd_log_t, { file dir })
+manage_files_pattern(ntpd_t, ntpd_pid_t, ntpd_pid_t)
+manage_sock_files_pattern(ntpd_t, ntpd_pid_t, ntpd_pid_t)
+files_pid_filetrans(ntpd_t, ntpd_pid_t, { file sock_file })
+
manage_dirs_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t)
manage_files_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t)
files_tmp_filetrans(ntpd_t, ntpd_tmp_t, { file dir })
@@ -77,10 +90,6 @@ manage_dirs_pattern(ntpd_t, ntpd_tmpfs_t, ntpd_tmpfs_t)
manage_files_pattern(ntpd_t, ntpd_tmpfs_t, ntpd_tmpfs_t)
fs_tmpfs_filetrans(ntpd_t, ntpd_tmpfs_t, { dir file })
-manage_files_pattern(ntpd_t, ntpd_var_run_t, ntpd_var_run_t)
-manage_sock_files_pattern(ntpd_t, ntpd_var_run_t, ntpd_var_run_t)
-files_pid_filetrans(ntpd_t, ntpd_var_run_t, { file sock_file })
-
can_exec(ntpd_t, ntpd_exec_t)
kernel_read_kernel_sysctls(ntpd_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2017-02-25 14:59 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
@ 2017-02-25 14:51 ` Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-02-25 14:51 UTC (permalink / raw
To: gentoo-commits
commit: 35bc01e881f75e092a6cf668400407d73081f8fc
Author: cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Thu Jan 5 18:59:45 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 25 14:50:52 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=35bc01e8
update ntp module
* add private lock type
* dontaudit sys_resource
policy/modules/contrib/ntp.fc | 47 ++++++++++++++++++++++---------------------
policy/modules/contrib/ntp.if | 7 ++++---
policy/modules/contrib/ntp.te | 37 +++++++++++++++++++++-------------
3 files changed, 51 insertions(+), 40 deletions(-)
diff --git a/policy/modules/contrib/ntp.fc b/policy/modules/contrib/ntp.fc
index 16428bc2..756241da 100644
--- a/policy/modules/contrib/ntp.fc
+++ b/policy/modules/contrib/ntp.fc
@@ -1,33 +1,34 @@
-/etc/cron\.daily/ntp -- gen_context(system_u:object_r:ntpd_exec_t,s0)
-/etc/cron\.(daily|weekly)/ntp-simple -- gen_context(system_u:object_r:ntpd_exec_t,s0)
-/etc/cron\.(daily|weekly)/ntp-server -- gen_context(system_u:object_r:ntpd_exec_t,s0)
+/etc/cron\.daily/ntp -- gen_context(system_u:object_r:ntpd_exec_t,s0)
+/etc/cron\.(daily|weekly)/ntp-simple -- gen_context(system_u:object_r:ntpd_exec_t,s0)
+/etc/cron\.(daily|weekly)/ntp-server -- gen_context(system_u:object_r:ntpd_exec_t,s0)
-/etc/ntp\.conf -- gen_context(system_u:object_r:ntp_conf_t,s0)
-/etc/ntpd.*\.conf.* -- gen_context(system_u:object_r:ntp_conf_t,s0)
-/etc/ntp/crypto(/.*)? gen_context(system_u:object_r:ntpd_key_t,s0)
-/etc/ntp/data(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
-/etc/ntp/keys -- gen_context(system_u:object_r:ntpd_key_t,s0)
-/etc/ntp/step-tickers.* -- gen_context(system_u:object_r:ntp_conf_t,s0)
+/etc/ntp\.conf -- gen_context(system_u:object_r:ntp_conf_t,s0)
+/etc/ntpd.*\.conf.* -- gen_context(system_u:object_r:ntp_conf_t,s0)
+/etc/ntp/crypto(/.*)? gen_context(system_u:object_r:ntpd_key_t,s0)
+/etc/ntp/data(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
+/etc/ntp/keys -- gen_context(system_u:object_r:ntpd_key_t,s0)
+/etc/ntp/step-tickers.* -- gen_context(system_u:object_r:ntp_conf_t,s0)
-/etc/rc\.d/init\.d/ntpd? -- gen_context(system_u:object_r:ntpd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/ntpd? -- gen_context(system_u:object_r:ntpd_initrc_exec_t,s0)
-# Systemd unit file
-/usr/lib/systemd/ntp-units\.d/.* -- gen_context(system_u:object_r:ntpd_unit_t,s0)
-/usr/lib/systemd/system/ntpd.*\.service -- gen_context(system_u:object_r:ntpd_unit_t,s0)
+/run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_pid_t,s0)
-/usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
-/usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
-/usr/sbin/sntp -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
+/usr/lib/systemd/ntp-units\.d/.* -- gen_context(system_u:object_r:ntpd_unit_t,s0)
+/usr/lib/systemd/system/ntpd.*\.service -- gen_context(system_u:object_r:ntpd_unit_t,s0)
-/var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
-/var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
-/var/db/ntp-kod -- gen_context(system_u:object_r:ntp_drift_t,s0)
+/usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
+/usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
+/usr/sbin/sntp -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
-/var/log/ntp.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
-/var/log/ntpstats(/.*)? gen_context(system_u:object_r:ntpd_log_t,s0)
-/var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
+/var/db/ntp-kod -- gen_context(system_u:object_r:ntp_drift_t,s0)
+/var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
+/var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
-/run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_var_run_t,s0)
+/var/lock/ntpdate -- gen_context(system_u:object_r:ntpd_lock_t,s0)
+
+/var/log/ntp.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
+/var/log/ntpstats(/.*)? gen_context(system_u:object_r:ntpd_log_t,s0)
+/var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
/run/ntpd\.sock -s gen_context(system_u:object_r:ntpd_var_run_t,s0)
ifdef(`distro_gentoo',`
diff --git a/policy/modules/contrib/ntp.if b/policy/modules/contrib/ntp.if
index f8534c6b..fa0a1839 100644
--- a/policy/modules/contrib/ntp.if
+++ b/policy/modules/contrib/ntp.if
@@ -179,14 +179,15 @@ interface(`ntp_rw_shm',`
interface(`ntp_admin',`
gen_require(`
type ntpd_t, ntpd_tmp_t, ntpd_log_t;
- type ntpd_key_t, ntpd_var_run_t, ntp_conf_t;
+ type ntpd_key_t, ntpd_pid_t, ntp_conf_t;
type ntpd_initrc_exec_t, ntp_drift_t;
+ type ntpd_unit_t;
')
allow $1 ntpd_t:process { ptrace signal_perms };
ps_process_pattern($1, ntpd_t)
- init_startstop_service($1, $2, ntpd_t, ntpd_initrc_exec_t)
+ init_startstop_service($1, $2, ntpd_t, ntpd_initrc_exec_t, ntpd_unit_t)
files_list_etc($1)
admin_pattern($1, { ntpd_key_t ntp_conf_t })
@@ -201,7 +202,7 @@ interface(`ntp_admin',`
admin_pattern($1, ntp_drift_t)
files_list_pids($1)
- admin_pattern($1, ntpd_var_run_t)
+ admin_pattern($1, ntpd_pid_t)
ntp_run($1, $2)
')
diff --git a/policy/modules/contrib/ntp.te b/policy/modules/contrib/ntp.te
index 2fcf0a40..208bd66e 100644
--- a/policy/modules/contrib/ntp.te
+++ b/policy/modules/contrib/ntp.te
@@ -7,6 +7,9 @@ policy_module(ntp, 1.16.0)
attribute_role ntpd_roles;
+type ntp_conf_t;
+files_config_file(ntp_conf_t)
+
type ntp_drift_t;
files_type(ntp_drift_t)
@@ -18,15 +21,20 @@ role ntpd_roles types ntpd_t;
type ntpd_initrc_exec_t;
init_script_file(ntpd_initrc_exec_t)
-type ntp_conf_t;
-files_config_file(ntp_conf_t)
-
type ntpd_key_t;
files_type(ntpd_key_t)
+type ntpd_lock_t;
+files_lock_file(ntpd_lock_t)
+init_daemon_lock_file(ntpd_lock_t, file, "ntpdate")
+
type ntpd_log_t;
logging_log_file(ntpd_log_t)
+type ntpd_pid_t;
+typealias ntpd_pid_t alias ntpd_var_run_t;
+files_pid_file(ntpd_pid_t)
+
type ntpd_tmp_t;
files_tmp_file(ntpd_tmp_t)
@@ -36,9 +44,6 @@ files_tmpfs_file(ntpd_tmpfs_t)
type ntpd_unit_t;
init_unit_file(ntpd_unit_t)
-type ntpd_var_run_t;
-files_pid_file(ntpd_var_run_t)
-
type ntpdate_exec_t;
init_system_domain(ntpd_t, ntpdate_exec_t)
@@ -47,28 +52,36 @@ init_system_domain(ntpd_t, ntpdate_exec_t)
# Local policy
#
-allow ntpd_t self:capability { chown dac_override ipc_lock ipc_owner kill setgid setuid sys_chroot sys_nice sys_resource sys_time };
-dontaudit ntpd_t self:capability { fsetid net_admin sys_nice sys_tty_config };
+# sys_time : modify system time
+allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock ipc_owner sys_chroot sys_nice };
+dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice sys_resource };
allow ntpd_t self:process { signal_perms getcap setcap setsched setrlimit };
allow ntpd_t self:fifo_file rw_fifo_file_perms;
allow ntpd_t self:shm create_shm_perms;
+allow ntpd_t self:socket create;
allow ntpd_t self:tcp_socket { accept listen };
+allow ntpd_t ntp_conf_t:file read_file_perms;
+
manage_dirs_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
manage_files_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
files_var_filetrans(ntpd_t, ntp_drift_t, file)
-allow ntpd_t ntp_conf_t:file read_file_perms;
-
read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
read_lnk_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
+allow ntpd_t ntpd_lock_t:file write_file_perms;
+
allow ntpd_t ntpd_log_t:dir setattr_dir_perms;
append_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
create_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
setattr_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
logging_log_filetrans(ntpd_t, ntpd_log_t, { file dir })
+manage_files_pattern(ntpd_t, ntpd_pid_t, ntpd_pid_t)
+manage_sock_files_pattern(ntpd_t, ntpd_pid_t, ntpd_pid_t)
+files_pid_filetrans(ntpd_t, ntpd_pid_t, { file sock_file })
+
manage_dirs_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t)
manage_files_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t)
files_tmp_filetrans(ntpd_t, ntpd_tmp_t, { file dir })
@@ -77,10 +90,6 @@ manage_dirs_pattern(ntpd_t, ntpd_tmpfs_t, ntpd_tmpfs_t)
manage_files_pattern(ntpd_t, ntpd_tmpfs_t, ntpd_tmpfs_t)
fs_tmpfs_filetrans(ntpd_t, ntpd_tmpfs_t, { dir file })
-manage_files_pattern(ntpd_t, ntpd_var_run_t, ntpd_var_run_t)
-manage_sock_files_pattern(ntpd_t, ntpd_var_run_t, ntpd_var_run_t)
-files_pid_filetrans(ntpd_t, ntpd_var_run_t, { file sock_file })
-
can_exec(ntpd_t, ntpd_exec_t)
kernel_read_kernel_sysctls(ntpd_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-02-25 14:51 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-02-25 14:51 UTC (permalink / raw
To: gentoo-commits
commit: 8e14efe4abf1297f7c8c341d7690802f82d798a2
Author: Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Tue Feb 21 08:29:50 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 25 14:50:53 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8e14efe4
patch for samba
I merged the types nmbd_var_run_t and smbd_var_run_t because nmbd_t and smbd_t
interacted with each other so much there was no benefit in separating them.
Also added a tunable for reading /etc/shadow because on one of my systems I
couldn't get samba working without it. Maybe I misconfigured samba, but
others will do the same and we need to give users the choice.
Description: samba patches
Author: Russell Coker <russell <AT> coker.com.au>
Last-Update: 2017-02-21
policy/modules/contrib/samba.fc | 30 +++++++++---------
policy/modules/contrib/samba.te | 69 ++++++++++++++++++++++++-----------------
2 files changed, 55 insertions(+), 44 deletions(-)
diff --git a/policy/modules/contrib/samba.fc b/policy/modules/contrib/samba.fc
index d227fd82..753a009c 100644
--- a/policy/modules/contrib/samba.fc
+++ b/policy/modules/contrib/samba.fc
@@ -31,21 +31,21 @@
/var/nmbd(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
-/run/nmbd(/.*)? gen_context(system_u:object_r:nmbd_var_run_t,s0)
-/run/samba/nmbd(/.*)? gen_context(system_u:object_r:nmbd_var_run_t,s0)
-
-/run/samba(/.*)? gen_context(system_u:object_r:smbd_var_run_t,s0)
-/run/samba/brlock\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
-/run/samba/connections\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
-/run/samba/gencache\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
-/run/samba/locking\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
-/run/samba/messages\.tdb -- gen_context(system_u:object_r:nmbd_var_run_t,s0)
-/run/samba/namelist\.debug -- gen_context(system_u:object_r:nmbd_var_run_t,s0)
-/run/samba/nmbd\.pid -- gen_context(system_u:object_r:nmbd_var_run_t,s0)
-/run/samba/sessionid\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
-/run/samba/share_info\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
-/run/samba/smbd\.pid -- gen_context(system_u:object_r:smbd_var_run_t,s0)
-/run/samba/unexpected\.tdb -- gen_context(system_u:object_r:nmbd_var_run_t,s0)
+/run/nmbd(/.*)? gen_context(system_u:object_r:samba_var_run_t,s0)
+/run/samba/nmbd(/.*)? gen_context(system_u:object_r:samba_var_run_t,s0)
+
+/run/samba(/.*)? gen_context(system_u:object_r:samba_var_run_t,s0)
+/run/samba/brlock\.tdb -- gen_context(system_u:object_r:samba_var_run_t,s0)
+/run/samba/connections\.tdb -- gen_context(system_u:object_r:samba_var_run_t,s0)
+/run/samba/gencache\.tdb -- gen_context(system_u:object_r:samba_var_run_t,s0)
+/run/samba/locking\.tdb -- gen_context(system_u:object_r:samba_var_run_t,s0)
+/run/samba/messages\.tdb -- gen_context(system_u:object_r:samba_var_run_t,s0)
+/run/samba/namelist\.debug -- gen_context(system_u:object_r:samba_var_run_t,s0)
+/run/samba/nmbd\.pid -- gen_context(system_u:object_r:samba_var_run_t,s0)
+/run/samba/sessionid\.tdb -- gen_context(system_u:object_r:samba_var_run_t,s0)
+/run/samba/share_info\.tdb -- gen_context(system_u:object_r:samba_var_run_t,s0)
+/run/samba/smbd\.pid -- gen_context(system_u:object_r:samba_var_run_t,s0)
+/run/samba/unexpected\.tdb -- gen_context(system_u:object_r:samba_var_run_t,s0)
/run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
/run/samba/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
index e7dae973..6f314b0c 100644
--- a/policy/modules/contrib/samba.te
+++ b/policy/modules/contrib/samba.te
@@ -6,6 +6,14 @@ policy_module(samba, 1.20.0)
#
## <desc>
+## <p>
+## Determine whether smbd_t can
+## read shadow files.
+## </p>
+## </desc>
+gen_tunable(samba_read_shadow, false)
+
+## <desc>
## <p>
## Determine whether samba can modify
## public files used for public file
@@ -104,8 +112,9 @@ type nmbd_t;
type nmbd_exec_t;
init_daemon_domain(nmbd_t, nmbd_exec_t)
-type nmbd_var_run_t;
-files_pid_file(nmbd_var_run_t)
+type samba_var_run_t;
+typealias samba_var_run_t alias { nmbd_var_run_t smbd_var_run_t };
+files_pid_file(samba_var_run_t)
type samba_etc_t;
files_config_file(samba_etc_t)
@@ -151,9 +160,6 @@ files_type(smbd_keytab_t)
type smbd_tmp_t;
files_tmp_file(smbd_tmp_t)
-type smbd_var_run_t;
-files_pid_file(smbd_var_run_t)
-
type smbmount_t;
type smbmount_exec_t;
application_domain(smbmount_t, smbmount_exec_t)
@@ -305,16 +311,15 @@ manage_dirs_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t)
manage_files_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t)
files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
-manage_dirs_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
-manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
-manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
-files_pid_filetrans(smbd_t, smbd_var_run_t, { dir file })
+manage_dirs_pattern(smbd_t, samba_var_run_t, samba_var_run_t)
+manage_files_pattern(smbd_t, samba_var_run_t, samba_var_run_t)
+manage_sock_files_pattern(smbd_t, samba_var_run_t, samba_var_run_t)
+files_pid_filetrans(smbd_t, samba_var_run_t, { dir file })
allow smbd_t winbind_var_run_t:sock_file read_sock_file_perms;
stream_connect_pattern(smbd_t, winbind_var_run_t, winbind_var_run_t, winbind_t)
-allow smbd_t nmbd_var_run_t:file read_file_perms;
-stream_connect_pattern(smbd_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
+stream_connect_pattern(smbd_t, samba_var_run_t, samba_var_run_t, nmbd_t)
kernel_getattr_core_if(smbd_t)
kernel_getattr_message_if(smbd_t)
@@ -377,6 +382,11 @@ auth_domtrans_upd_passwd(smbd_t)
auth_manage_cache(smbd_t)
auth_write_login_records(smbd_t)
+auth_can_read_shadow_passwords(smbd_t)
+tunable_policy(`samba_read_shadow',`
+ auth_tunable_read_shadow(smbd_t)
+')
+
init_rw_utmp(smbd_t)
logging_search_logs(smbd_t)
@@ -519,11 +529,10 @@ allow nmbd_t self:tcp_socket { accept listen };
allow nmbd_t self:unix_dgram_socket sendto;
allow nmbd_t self:unix_stream_socket { accept connectto listen };
-manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t)
-manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
-manage_sock_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
-files_pid_filetrans(nmbd_t, nmbd_var_run_t, { dir file sock_file })
-filetrans_pattern(nmbd_t, smbd_var_run_t, nmbd_var_run_t, dir)
+manage_dirs_pattern(nmbd_t, samba_var_run_t, samba_var_run_t)
+manage_files_pattern(nmbd_t, samba_var_run_t, samba_var_run_t)
+manage_sock_files_pattern(nmbd_t, samba_var_run_t, samba_var_run_t)
+files_pid_filetrans(nmbd_t, samba_var_run_t, { dir file sock_file })
read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
@@ -542,7 +551,7 @@ files_var_filetrans(nmbd_t, samba_var_t, dir, "samba")
allow nmbd_t { swat_t smbcontrol_t }:process signal;
-allow nmbd_t smbd_var_run_t:dir rw_dir_perms;
+allow nmbd_t samba_var_run_t:dir rw_dir_perms;
kernel_getattr_core_if(nmbd_t)
kernel_getattr_message_if(nmbd_t)
@@ -567,6 +576,8 @@ corenet_sendrecv_smbd_client_packets(nmbd_t)
corenet_tcp_connect_smbd_port(nmbd_t)
corenet_tcp_sendrecv_smbd_port(nmbd_t)
+corecmd_search_bin(nmbd_t)
+dev_read_urand(nmbd_t)
dev_read_sysfs(nmbd_t)
dev_getattr_mtrr_dev(nmbd_t)
@@ -618,7 +629,7 @@ allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms;
allow smbcontrol_t self:process { signal signull };
allow smbcontrol_t { winbind_t nmbd_t smbd_t }:process { signal signull };
-read_files_pattern(smbcontrol_t, { nmbd_var_run_t smbd_var_run_t }, { nmbd_var_run_t smbd_var_run_t })
+read_files_pattern(smbcontrol_t, samba_var_run_t, samba_var_run_t)
manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t)
@@ -733,8 +744,8 @@ allow swat_t self:unix_stream_socket connectto;
allow swat_t { nmbd_t smbd_t }:process { signal signull };
-allow swat_t smbd_var_run_t:file read_file_perms;
-allow swat_t smbd_var_run_t:file { lock delete_file_perms };
+allow swat_t samba_var_run_t:file read_file_perms;
+allow swat_t samba_var_run_t:file { lock delete_file_perms };
rw_files_pattern(swat_t, samba_etc_t, samba_etc_t)
read_lnk_files_pattern(swat_t, samba_etc_t, samba_etc_t)
@@ -766,8 +777,8 @@ read_files_pattern(swat_t, winbind_var_run_t, winbind_var_run_t)
allow swat_t winbind_var_run_t:dir { add_entry_dir_perms del_entry_dir_perms };
allow swat_t winbind_var_run_t:sock_file { create_sock_file_perms delete_sock_file_perms };
-read_files_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t)
-stream_connect_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
+read_files_pattern(swat_t, samba_var_run_t, samba_var_run_t)
+stream_connect_pattern(swat_t, samba_var_run_t, samba_var_run_t, nmbd_t)
samba_domtrans_smbd(swat_t)
samba_domtrans_nmbd(swat_t)
@@ -852,8 +863,8 @@ allow winbind_t self:tcp_socket { accept listen };
allow winbind_t nmbd_t:process { signal signull };
-allow winbind_t nmbd_var_run_t:file read_file_perms;
-stream_connect_pattern(winbind_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
+allow winbind_t samba_var_run_t:file read_file_perms;
+stream_connect_pattern(winbind_t, samba_var_run_t, samba_var_run_t, nmbd_t)
allow winbind_t samba_etc_t:dir list_dir_perms;
read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
@@ -885,15 +896,15 @@ manage_files_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t)
manage_sock_files_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t)
files_tmp_filetrans(winbind_t, winbind_tmp_t, { file dir })
-manage_dirs_pattern(winbind_t, { smbd_var_run_t winbind_var_run_t }, winbind_var_run_t)
+manage_dirs_pattern(winbind_t, { samba_var_run_t winbind_var_run_t }, winbind_var_run_t)
manage_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
files_pid_filetrans(winbind_t, winbind_var_run_t, { sock_file file dir })
-filetrans_pattern(winbind_t, smbd_var_run_t, winbind_var_run_t, dir)
+filetrans_pattern(winbind_t, samba_var_run_t, winbind_var_run_t, dir)
-manage_dirs_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
-manage_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
-manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
+manage_dirs_pattern(winbind_t, samba_var_run_t, samba_var_run_t)
+manage_files_pattern(winbind_t, samba_var_run_t, samba_var_run_t)
+manage_sock_files_pattern(winbind_t, samba_var_run_t, samba_var_run_t)
kernel_read_network_state(winbind_t)
kernel_read_kernel_sysctls(winbind_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-02-25 14:51 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-02-25 14:51 UTC (permalink / raw
To: gentoo-commits
commit: a0d699a7a8da9ce12233029519efd3581c448ad4
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Fri Feb 24 01:31:35 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 25 14:50:53 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a0d699a7
Xen fixes from Russell Coker.
policy/modules/contrib/qemu.fc | 2 ++
policy/modules/contrib/qemu.if | 38 ++++++++++++++++++++++++++++++++++++
policy/modules/contrib/qemu.te | 22 ++++++++++++++++++++-
policy/modules/contrib/xen.fc | 4 ++++
policy/modules/contrib/xen.if | 28 +++++++++++++++++++++++++++
policy/modules/contrib/xen.te | 44 +++++++++++++++++++++++++++++++++++++++---
6 files changed, 134 insertions(+), 4 deletions(-)
diff --git a/policy/modules/contrib/qemu.fc b/policy/modules/contrib/qemu.fc
index db9ff368..122ca70f 100644
--- a/policy/modules/contrib/qemu.fc
+++ b/policy/modules/contrib/qemu.fc
@@ -7,6 +7,8 @@
/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
+/var/run/xen/qmp.* -- gen_context(system_u:object_r:qemu_var_run_t,s0)
+
ifdef(`distro_gentoo',`
/usr/bin/qemu-ga -- gen_context(system_u:object_r:qemu_ga_exec_t,s0)
diff --git a/policy/modules/contrib/qemu.if b/policy/modules/contrib/qemu.if
index efdc5286..b6d8e1c2 100644
--- a/policy/modules/contrib/qemu.if
+++ b/policy/modules/contrib/qemu.if
@@ -264,6 +264,44 @@ interface(`qemu_kill',`
########################################
## <summary>
+## Connect to qemu with a unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`qemu_stream_connect',`
+ gen_require(`
+ type qemu_t, qemu_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, qemu_var_run_t, qemu_var_run_t, qemu_t)
+')
+
+########################################
+## <summary>
+## Unlink qemu socket
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`qemu_delete_pid_sock_file',`
+ gen_require(`
+ type qemu_var_run_t;
+ ')
+
+ allow $1 qemu_var_run_t:sock_file unlink;
+')
+
+########################################
+## <summary>
## Execute a domain transition to
## run qemu unconfined.
## </summary>
diff --git a/policy/modules/contrib/qemu.te b/policy/modules/contrib/qemu.te
index 9dc09977..b2c843f5 100644
--- a/policy/modules/contrib/qemu.te
+++ b/policy/modules/contrib/qemu.te
@@ -1,4 +1,4 @@
-policy_module(qemu, 1.9.0)
+policy_module(qemu, 1.9.1)
########################################
#
@@ -25,11 +25,21 @@ role qemu_roles types qemu_t;
type qemu_unit_t;
init_unit_file(qemu_unit_t)
+type qemu_var_run_t;
+files_pid_file(qemu_var_run_t);
+
########################################
#
# Local policy
#
+kernel_read_crypto_sysctls(qemu_t)
+
+dev_read_sysfs(qemu_t)
+
+allow qemu_t qemu_var_run_t:sock_file create_sock_file_perms;
+files_pid_filetrans(qemu_t, qemu_var_run_t, sock_file)
+
tunable_policy(`qemu_full_network',`
corenet_udp_sendrecv_generic_if(qemu_t)
corenet_udp_sendrecv_generic_node(qemu_t)
@@ -41,6 +51,16 @@ tunable_policy(`qemu_full_network',`
')
optional_policy(`
+ fs_manage_xenfs_files(qemu_t)
+
+ dev_rw_xen(qemu_t)
+
+ xen_stream_connect_xenstore(qemu_t)
+ xen_append_log(qemu_t)
+ xen_pid_filetrans(qemu_t, qemu_var_run_t, sock_file)
+')
+
+optional_policy(`
xserver_user_x_domain_template(qemu, qemu_t, qemu_tmpfs_t)
')
diff --git a/policy/modules/contrib/xen.fc b/policy/modules/contrib/xen.fc
index 657a94ac..be0374df 100644
--- a/policy/modules/contrib/xen.fc
+++ b/policy/modules/contrib/xen.fc
@@ -5,6 +5,7 @@
/usr/lib/xen-[^/]*/bin/xenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0)
/usr/lib/xen-[^/]*/bin/xl -- gen_context(system_u:object_r:xm_exec_t,s0)
/usr/lib/xen-[^/]*/bin/xm -- gen_context(system_u:object_r:xm_exec_t,s0)
+/usr/lib/xen-[^/]*/xl -- gen_context(system_u:object_r:xm_exec_t,s0)
/usr/sbin/blktapctrl -- gen_context(system_u:object_r:blktap_exec_t,s0)
/usr/sbin/evtchnd -- gen_context(system_u:object_r:evtchnd_exec_t,s0)
@@ -20,6 +21,8 @@
/var/lib/xend(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0)
/var/lib/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_lib_t,s0)
+/var/lock/xl -- gen_context(system_u:object_r:xen_lock_t,s0)
+
/var/log/evtchnd\.log.* -- gen_context(system_u:object_r:evtchnd_var_log_t,s0)
/var/log/xen(/.*)? gen_context(system_u:object_r:xend_var_log_t,s0)
/var/log/xen-hotplug\.log.* -- gen_context(system_u:object_r:xend_var_log_t,s0)
@@ -30,6 +33,7 @@
/run/evtchnd\.pid -- gen_context(system_u:object_r:evtchnd_var_run_t,s0)
/run/xenconsoled\.pid -- gen_context(system_u:object_r:xenconsoled_var_run_t,s0)
/run/xend(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0)
+/run/xen -d gen_context(system_u:object_r:xend_var_run_t,s0)
/run/xend\.pid -- gen_context(system_u:object_r:xend_var_run_t,s0)
/run/xenner(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0)
/run/xenstore\.pid -- gen_context(system_u:object_r:xenstored_var_run_t,s0)
diff --git a/policy/modules/contrib/xen.if b/policy/modules/contrib/xen.if
index f93558c5..44116292 100644
--- a/policy/modules/contrib/xen.if
+++ b/policy/modules/contrib/xen.if
@@ -259,6 +259,34 @@ interface(`xen_stream_connect',`
########################################
## <summary>
+## Create in a xend_var_run_t directory
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private type">
+## <summary>
+## The type of the object to be created.
+## </summary>
+## </param>
+## <param name="object">
+## <summary>
+## The object class of the object being created.
+## </summary>
+## </param>
+#
+interface(`xen_pid_filetrans',`
+ gen_require(`
+ type xend_var_run_t;
+ ')
+
+ filetrans_pattern($1, xend_var_run_t, $2, $3)
+')
+
+########################################
+## <summary>
## Execute a domain transition to run xm.
## </summary>
## <param name="domain">
diff --git a/policy/modules/contrib/xen.te b/policy/modules/contrib/xen.te
index 383c00a7..0d680116 100644
--- a/policy/modules/contrib/xen.te
+++ b/policy/modules/contrib/xen.te
@@ -1,4 +1,4 @@
-policy_module(xen, 1.15.0)
+policy_module(xen, 1.15.1)
########################################
#
@@ -75,6 +75,9 @@ type xend_t;
type xend_exec_t;
init_daemon_domain(xend_t, xend_exec_t)
+type xen_lock_t;
+files_lock_file(xen_lock_t)
+
type xend_tmp_t;
files_tmp_file(xend_tmp_t)
@@ -224,6 +227,7 @@ kernel_write_xen_state(xend_t)
kernel_read_xen_state(xend_t)
kernel_rw_net_sysctls(xend_t)
kernel_read_network_state(xend_t)
+kernel_read_vm_sysctls(xend_t)
corecmd_exec_bin(xend_t)
corecmd_exec_shell(xend_t)
@@ -281,6 +285,8 @@ fs_manage_xenfs_dirs(xend_t)
fs_manage_xenfs_files(xend_t)
storage_read_scsi_generic(xend_t)
+# for lsscsi
+storage_getattr_fixed_disk_dev(xend_t)
term_setattr_generic_ptys(xend_t)
term_getattr_all_ptys(xend_t)
@@ -444,6 +450,8 @@ stream_connect_pattern(xenstored_t, evtchnd_var_run_t, evtchnd_var_run_t, evtchn
kernel_write_xen_state(xenstored_t)
kernel_read_xen_state(xenstored_t)
+corecmd_search_bin(xenstored_t)
+
dev_filetrans_xen(xenstored_t)
dev_rw_xen(xenstored_t)
dev_read_sysfs(xenstored_t)
@@ -470,12 +478,19 @@ xen_append_log(xenstored_t)
# xm local policy
#
-allow xm_t self:capability { dac_override ipc_lock setpcap sys_nice sys_tty_config };
-allow xm_t self:process { getcap getsched setsched setcap signal };
+allow xm_t self:capability { dac_override ipc_lock net_admin setpcap sys_nice sys_tty_config };
+allow xm_t self:process { getcap getsched setsched setcap signal sigkill };
allow xm_t self:fifo_file rw_fifo_file_perms;
allow xm_t self:unix_stream_socket { accept connectto listen };
allow xm_t self:tcp_socket { accept listen };
+allow xm_t xend_var_run_t:dir rw_dir_perms;
+
+allow xm_t xen_lock_t:file manage_file_perms;
+files_lock_filetrans(xm_t, xen_lock_t, file)
+
+manage_files_pattern(xm_t, xend_var_log_t, xend_var_log_t)
+
manage_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
manage_fifo_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
manage_sock_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
@@ -494,6 +509,8 @@ xen_stream_connect_xenstore(xm_t)
can_exec(xm_t, xm_exec_t)
+kernel_load_module(xm_t)
+kernel_request_load_module(xm_t)
kernel_read_system_state(xm_t)
kernel_read_network_state(xm_t)
kernel_read_kernel_sysctls(xm_t)
@@ -517,8 +534,11 @@ dev_read_rand(xm_t)
dev_read_urand(xm_t)
dev_read_sysfs(xm_t)
+domain_use_interactive_fds(xm_t)
+
files_read_etc_runtime_files(xm_t)
files_read_etc_files(xm_t)
+files_read_kernel_img(xm_t)
files_read_usr_files(xm_t)
files_search_pids(xm_t)
files_search_var_lib(xm_t)
@@ -543,6 +563,13 @@ logging_send_syslog_msg(xm_t)
miscfiles_read_localization(xm_t)
sysnet_dns_name_resolve(xm_t)
+sysnet_domtrans_ifconfig(xm_t)
+
+# for vif-bridge to write to /run/xen-hotplug/iptables
+# maybe we need a different label for /run/xen-hotplug
+udev_manage_pid_files(xm_t)
+
+userdom_dontaudit_search_user_home_content(xm_t)
tunable_policy(`xen_use_fusefs',`
fs_manage_fusefs_dirs(xm_t)
@@ -563,6 +590,17 @@ tunable_policy(`xen_use_samba',`
')
optional_policy(`
+ qemu_domtrans(xm_t)
+ qemu_signal(xm_t)
+ qemu_stream_connect(xm_t)
+ qemu_delete_pid_sock_file(xm_t)
+')
+
+optional_policy(`
+ iptables_domtrans(xm_t)
+')
+
+optional_policy(`
cron_system_entry(xm_t, xm_exec_t)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-02-25 14:51 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-02-25 14:51 UTC (permalink / raw
To: gentoo-commits
commit: 247f0728c48ca087ecfd18cb21719420248ce0a6
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Thu Feb 23 23:15:45 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 25 14:50:53 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=247f0728
samba: A few line moves.
policy/modules/contrib/samba.te | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
index 6f314b0c..afff38ff 100644
--- a/policy/modules/contrib/samba.te
+++ b/policy/modules/contrib/samba.te
@@ -381,11 +381,7 @@ auth_domtrans_chk_passwd(smbd_t)
auth_domtrans_upd_passwd(smbd_t)
auth_manage_cache(smbd_t)
auth_write_login_records(smbd_t)
-
auth_can_read_shadow_passwords(smbd_t)
-tunable_policy(`samba_read_shadow',`
- auth_tunable_read_shadow(smbd_t)
-')
init_rw_utmp(smbd_t)
@@ -446,6 +442,10 @@ tunable_policy(`samba_portmapper',`
corenet_tcp_sendrecv_all_ports(smbd_t)
')
+tunable_policy(`samba_read_shadow',`
+ auth_tunable_read_shadow(smbd_t)
+')
+
tunable_policy(`samba_share_nfs',`
fs_manage_nfs_dirs(smbd_t)
fs_manage_nfs_files(smbd_t)
@@ -560,6 +560,8 @@ kernel_read_network_state(nmbd_t)
kernel_read_software_raid_state(nmbd_t)
kernel_read_system_state(nmbd_t)
+corecmd_search_bin(nmbd_t)
+
corenet_all_recvfrom_unlabeled(nmbd_t)
corenet_all_recvfrom_netlabel(nmbd_t)
corenet_tcp_sendrecv_generic_if(nmbd_t)
@@ -576,7 +578,6 @@ corenet_sendrecv_smbd_client_packets(nmbd_t)
corenet_tcp_connect_smbd_port(nmbd_t)
corenet_tcp_sendrecv_smbd_port(nmbd_t)
-corecmd_search_bin(nmbd_t)
dev_read_urand(nmbd_t)
dev_read_sysfs(nmbd_t)
dev_getattr_mtrr_dev(nmbd_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-02-21 8:42 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-02-21 8:42 UTC (permalink / raw
To: gentoo-commits
commit: 0e93bbb35e964b49b7f23f42e5919c7e3cd4f834
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Feb 21 07:14:57 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Feb 21 07:20:22 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0e93bbb3
phpfpm: fcontext update for /usr/lib
policy/modules/contrib/phpfpm.fc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/phpfpm.fc b/policy/modules/contrib/phpfpm.fc
index dd00177a..f43358d7 100644
--- a/policy/modules/contrib/phpfpm.fc
+++ b/policy/modules/contrib/phpfpm.fc
@@ -1,4 +1,4 @@
-/usr/lib(64)?/php.*/bin/php-fpm gen_context(system_u:object_r:phpfpm_exec_t,s0)
+/usr/lib/php.*/bin/php-fpm gen_context(system_u:object_r:phpfpm_exec_t,s0)
/run/php*-fpm/*.sock gen_context(system_u:object_r:phpfpm_var_run_t,s0)
/var/log/php-fpm.log gen_context(system_u:object_r:phpfpm_log_t,s0)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-02-21 8:42 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-02-21 8:42 UTC (permalink / raw
To: gentoo-commits
commit: fb0f304abe6689428b64dffe3e8337463ca28fb2
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Feb 21 08:04:56 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Feb 21 08:06:53 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fb0f304a
Update deprecated interfaces
WERROR fails to build with the deprecated ones
domain_auto_trans -> domain_auto_transition_pattern
alsa_read_rw_config -> alsa_read_config
policy/modules/contrib/alsa.te | 2 +-
policy/modules/contrib/dirsrv.if | 2 +-
policy/modules/contrib/gorg.if | 2 +-
policy/modules/contrib/nginx.if | 2 +-
policy/modules/contrib/vde.if | 2 +-
5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/policy/modules/contrib/alsa.te b/policy/modules/contrib/alsa.te
index 127333e9..6946ef0a 100644
--- a/policy/modules/contrib/alsa.te
+++ b/policy/modules/contrib/alsa.te
@@ -130,6 +130,6 @@ ifdef(`distro_gentoo',`
# ALSA applications need access to /usr/share/alsa/*
files_read_usr_files(alsadomain)
- alsa_read_rw_config(alsadomain)
+ alsa_read_config(alsadomain)
alsa_read_home_files(alsadomain)
')
diff --git a/policy/modules/contrib/dirsrv.if b/policy/modules/contrib/dirsrv.if
index af0aebe1..cbe9ecaf 100644
--- a/policy/modules/contrib/dirsrv.if
+++ b/policy/modules/contrib/dirsrv.if
@@ -17,7 +17,7 @@ interface(`dirsrv_domtrans',`
type dirsrv_t, dirsrv_exec_t;
')
- domain_auto_trans($1,dirsrv_exec_t,dirsrv_t)
+ domain_auto_transition_pattern($1, dirsrv_exec_t, dirsrv_t)
allow dirsrv_t $1:fd use;
allow dirsrv_t $1:fifo_file rw_file_perms;
diff --git a/policy/modules/contrib/gorg.if b/policy/modules/contrib/gorg.if
index 814d5593..6c5969c1 100644
--- a/policy/modules/contrib/gorg.if
+++ b/policy/modules/contrib/gorg.if
@@ -22,7 +22,7 @@ interface(`gorg_role',`
role $1 types gorg_t;
- domain_auto_trans($2, gorg_exec_t, gorg_t)
+ domain_auto_transition_pattern($2, gorg_exec_t, gorg_t)
allow $2 gorg_t:process { noatsecure siginh rlimitinh };
allow gorg_t $2:fd use;
allow gorg_t $2:process { sigchld signull };
diff --git a/policy/modules/contrib/nginx.if b/policy/modules/contrib/nginx.if
index 6fa607a5..ebef6e75 100644
--- a/policy/modules/contrib/nginx.if
+++ b/policy/modules/contrib/nginx.if
@@ -60,7 +60,7 @@ interface(`nginx_domtrans',`
allow nginx_t $1:fifo_file rw_file_perms;
allow nginx_t $1:process sigchld;
- domain_auto_trans($1,nginx_exec_t,nginx_t)
+ domain_auto_transition_pattern($1, nginx_exec_t, nginx_t)
')
########################################
diff --git a/policy/modules/contrib/vde.if b/policy/modules/contrib/vde.if
index 4a9c208b..00b31b4c 100644
--- a/policy/modules/contrib/vde.if
+++ b/policy/modules/contrib/vde.if
@@ -33,7 +33,7 @@ interface(`vde_role',`
allow vde_t self:tun_socket { relabelfrom relabelto };
ps_process_pattern($2, vde_t)
- domain_auto_trans($2, vde_exec_t, vde_t)
+ domain_auto_transition_pattern($2, vde_exec_t, vde_t)
')
########################################
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-02-21 8:42 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-02-21 8:42 UTC (permalink / raw
To: gentoo-commits
commit: df456d5061ced9438b779626ae72fbd3e05b44b1
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Feb 18 14:33:08 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Feb 21 07:20:22 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=df456d50
portage: allow sandbox to set fcaps
type=AVC avc: denied { setfcap } for pid=29492 comm="setcap" capability=31 scontext=staff_u:sysadm_r:portage_sandbox_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:portage_sandbox_t:s0-s0:c0.c1023 tclass=capability permissive=0
type=SYSCALL arch=c000003e syscall=188 success=no exit=-1 a0=3f433a23dc3 a1=3d130457f80 a2=3f433a22980 a3=14 items=1 ppid=29491 pid=29492 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=4 comm="setcap" exe="/sbin/setcap" subj=staff_u:sysadm_r:portage_sandbox_t:s0-s0:c0.c1023 key=(null)
type=PATH item=0 name="/var/tmp/portage/media-libs/gstreamer-1.10.3/image//usr/lib64/gstreamer-1.0/gst-ptp-helper" inode=13862 dev=00:3a mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:portage_tmp_t:s0 nametype=NORMAL
policy/modules/contrib/portage.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/portage.te b/policy/modules/contrib/portage.te
index ef04131e..114a0fe4 100644
--- a/policy/modules/contrib/portage.te
+++ b/policy/modules/contrib/portage.te
@@ -350,6 +350,7 @@ optional_policy(`
# - SELinux-enforced sandbox
#
+allow portage_sandbox_t self:capability setfcap;
allow portage_sandbox_t self:process ptrace;
dontaudit portage_sandbox_t self:netlink_route_socket rw_netlink_socket_perms;
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-02-21 7:11 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-02-21 7:11 UTC (permalink / raw
To: gentoo-commits
commit: 39e89f54a2b3cf6c3214d1da79e20c51198ab730
Author: cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Thu Jan 5 18:49:14 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Feb 21 07:08:44 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=39e89f54
vnstatd: update module
policy/modules/contrib/vnstatd.fc | 12 +++++++-----
policy/modules/contrib/vnstatd.if | 11 +++++------
policy/modules/contrib/vnstatd.te | 36 ++++++++++++++++++++++++------------
3 files changed, 36 insertions(+), 23 deletions(-)
diff --git a/policy/modules/contrib/vnstatd.fc b/policy/modules/contrib/vnstatd.fc
index e15b7ea7..400d7f76 100644
--- a/policy/modules/contrib/vnstatd.fc
+++ b/policy/modules/contrib/vnstatd.fc
@@ -1,12 +1,14 @@
-/etc/rc\.d/init\.d/vnstat -- gen_context(system_u:object_r:vnstatd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/vnstat -- gen_context(system_u:object_r:vnstatd_initrc_exec_t,s0)
-/usr/bin/vnstat -- gen_context(system_u:object_r:vnstat_exec_t,s0)
+/run/vnstat.* gen_context(system_u:object_r:vnstatd_pid_t,s0)
-/usr/sbin/vnstatd -- gen_context(system_u:object_r:vnstatd_exec_t,s0)
+/usr/bin/vnstat -- gen_context(system_u:object_r:vnstat_exec_t,s0)
-/var/lib/vnstat(/.*)? gen_context(system_u:object_r:vnstatd_var_lib_t,s0)
+/usr/lib/systemd/system/vnstat\.service -- gen_context(system_u:object_r:vnstatd_unit_t,s0)
-/run/vnstat.* gen_context(system_u:object_r:vnstatd_var_run_t,s0)
+/usr/sbin/vnstatd -- gen_context(system_u:object_r:vnstatd_exec_t,s0)
+
+/var/lib/vnstat(/.*)? gen_context(system_u:object_r:vnstatd_var_lib_t,s0)
ifdef(`distro_gentoo',`
# Fix bug 528602 - name is vnstatd in Gentoo
diff --git a/policy/modules/contrib/vnstatd.if b/policy/modules/contrib/vnstatd.if
index 7ec9bd0f..2d863cb2 100644
--- a/policy/modules/contrib/vnstatd.if
+++ b/policy/modules/contrib/vnstatd.if
@@ -161,17 +161,16 @@ interface(`vnstatd_manage_lib_files',`
#
interface(`vnstatd_admin',`
gen_require(`
- type vnstatd_t, vnstatd_var_lib_t, vnstatd_initrc_exec_t;
- type vnstatd_var_run_t;
+ type vnstatd_t, vnstatd_initrc_exec_t;
+ type vnstatd_pid_t, vnstatd_unit_t, vnstatd_var_lib_t;
')
- allow $1 vnstatd_t:process { ptrace signal_perms };
- ps_process_pattern($1, vnstatd_t)
+ admin_process_pattern($1, vnstatd_t)
- init_startstop_service($1, $2, vnstatd_t, vnstatd_initrc_exec_t)
+ init_startstop_service($1, $2, vnstatd_t, vnstatd_initrc_exec_t, vnstatd_unit_t)
files_search_pids($1)
- admin_pattern($1, vnstatd_var_run_t)
+ admin_pattern($1, vnstatd_pid_t)
files_list_var_lib($1)
admin_pattern($1, vnstatd_var_lib_t)
diff --git a/policy/modules/contrib/vnstatd.te b/policy/modules/contrib/vnstatd.te
index 306bac94..220a2b21 100644
--- a/policy/modules/contrib/vnstatd.te
+++ b/policy/modules/contrib/vnstatd.te
@@ -19,12 +19,16 @@ init_daemon_domain(vnstatd_t, vnstatd_exec_t)
type vnstatd_initrc_exec_t;
init_script_file(vnstatd_initrc_exec_t)
+type vnstatd_pid_t;
+typealias vnstatd_pid_t alias vnstatd_var_run_t;
+files_pid_file(vnstatd_pid_t)
+
+type vnstatd_unit_t;
+init_unit_file(vnstatd_unit_t)
+
type vnstatd_var_lib_t;
files_type(vnstatd_var_lib_t)
-type vnstatd_var_run_t;
-files_pid_file(vnstatd_var_run_t)
-
########################################
#
# Daemon local policy
@@ -34,20 +38,20 @@ allow vnstatd_t self:process signal;
allow vnstatd_t self:fifo_file rw_fifo_file_perms;
allow vnstatd_t self:unix_stream_socket { accept listen };
+manage_files_pattern(vnstatd_t, vnstatd_pid_t, vnstatd_pid_t)
+files_pid_filetrans(vnstatd_t, vnstatd_pid_t, file)
+
manage_dirs_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
manage_files_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
-files_var_lib_filetrans(vnstatd_t, vnstatd_var_lib_t, { dir file })
-
-manage_files_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t)
-manage_dirs_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t)
-files_pid_filetrans(vnstatd_t, vnstatd_var_run_t, { dir file })
kernel_read_network_state(vnstatd_t)
kernel_read_system_state(vnstatd_t)
-domain_use_interactive_fds(vnstatd_t)
+# read /sys/class/net/eth0
+dev_read_sysfs(vnstatd_t)
files_read_etc_files(vnstatd_t)
+files_search_var_lib(vnstatd_t)
fs_getattr_xattr_fs(vnstatd_t)
@@ -60,27 +64,35 @@ miscfiles_read_localization(vnstatd_t)
# Client local policy
#
+# dac_override : write /var/lib/vnstat/*
+allow vnstat_t self:capability dac_override;
allow vnstat_t self:process signal;
allow vnstat_t self:fifo_file rw_fifo_file_perms;
allow vnstat_t self:unix_stream_socket { accept listen };
manage_dirs_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
manage_files_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
-files_var_lib_filetrans(vnstat_t, vnstatd_var_lib_t, { dir file })
kernel_read_network_state(vnstat_t)
kernel_read_system_state(vnstat_t)
+# read /sys/class/net/eth0
+dev_read_sysfs(vnstat_t)
+
domain_use_interactive_fds(vnstat_t)
+files_dontaudit_search_home(vnstat_t)
files_read_etc_files(vnstat_t)
+files_search_var_lib(vnstat_t)
fs_getattr_xattr_fs(vnstat_t)
-logging_send_syslog_msg(vnstat_t)
-
miscfiles_read_localization(vnstat_t)
+userdom_dontaudit_search_user_home_dirs(vnstat_t)
+
+userdom_use_user_terminals(vnstat_t)
+
optional_policy(`
cron_system_entry(vnstat_t, vnstat_exec_t)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-02-21 7:11 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-02-21 7:11 UTC (permalink / raw
To: gentoo-commits
commit: aee2b8dd042e5dda3d49db7ec5b6a2593b3a32ee
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Feb 18 16:21:10 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Feb 21 07:06:20 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=aee2b8dd
mon: Fix deprecated interface usage.
policy/modules/contrib/mon.te | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/mon.te b/policy/modules/contrib/mon.te
index c685ac26..1a9d2a1a 100644
--- a/policy/modules/contrib/mon.te
+++ b/policy/modules/contrib/mon.te
@@ -1,4 +1,4 @@
-policy_module(mon, 1.0.0)
+policy_module(mon, 1.0.1)
########################################
#
@@ -136,7 +136,7 @@ fs_getattr_xattr_fs(mon_net_test_t)
auth_use_nsswitch(mon_net_test_t)
-miscfiles_read_certs(mon_net_test_t)
+miscfiles_read_generic_certs(mon_net_test_t)
miscfiles_read_localization(mon_net_test_t)
netutils_domtrans_ping(mon_net_test_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-02-21 7:11 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-02-21 7:11 UTC (permalink / raw
To: gentoo-commits
commit: c5bcefb771f18fd43258aff78f807607e705b173
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Feb 19 21:12:33 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Feb 21 07:06:20 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c5bcefb7
dpkg: Updates from Russell Coker.
policy/modules/contrib/dpkg.te | 57 ++++++++++++++++++++++++++----------------
1 file changed, 36 insertions(+), 21 deletions(-)
diff --git a/policy/modules/contrib/dpkg.te b/policy/modules/contrib/dpkg.te
index 84dd6ba1..cc7f9dbb 100644
--- a/policy/modules/contrib/dpkg.te
+++ b/policy/modules/contrib/dpkg.te
@@ -1,4 +1,4 @@
-policy_module(dpkg, 1.11.0)
+policy_module(dpkg, 1.11.1)
########################################
#
@@ -32,6 +32,7 @@ files_type(dpkg_var_lib_t)
type dpkg_script_t;
domain_type(dpkg_script_t)
domain_entry_file(dpkg_t, dpkg_var_lib_t)
+domain_entry_file(dpkg_script_t, dpkg_var_lib_t)
corecmd_shell_entry_type(dpkg_script_t)
domain_obj_id_change_exemption(dpkg_script_t)
domain_system_change_exemption(dpkg_script_t)
@@ -66,6 +67,8 @@ allow dpkg_t self:msg { send receive };
allow dpkg_t dpkg_lock_t:file manage_file_perms;
+spec_domtrans_pattern(dpkg_t, dpkg_var_lib_t, dpkg_script_t)
+
manage_dirs_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t)
manage_files_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t)
files_tmp_filetrans(dpkg_t, dpkg_tmp_t, { file dir })
@@ -84,8 +87,6 @@ files_var_lib_filetrans(dpkg_t, dpkg_var_lib_t, dir)
kernel_read_system_state(dpkg_t)
kernel_read_kernel_sysctls(dpkg_t)
-corecmd_exec_all_executables(dpkg_t)
-
corenet_all_recvfrom_unlabeled(dpkg_t)
corenet_all_recvfrom_netlabel(dpkg_t)
corenet_tcp_sendrecv_generic_if(dpkg_t)
@@ -153,6 +154,7 @@ sysnet_read_config(dpkg_t)
userdom_use_user_terminals(dpkg_t)
userdom_use_unpriv_users_fds(dpkg_t)
+userdom_use_all_users_fds(dpkg_t)
dpkg_domtrans_script(dpkg_t)
@@ -176,18 +178,10 @@ optional_policy(`
unconfined_domain(dpkg_t)
')
-# TODO: the following was copied from dpkg_script_t, and could probably
-# be removed again when dpkg_script_t is actually used...
-domain_signal_all_domains(dpkg_t)
-domain_signull_all_domains(dpkg_t)
-files_read_etc_runtime_files(dpkg_t)
-files_exec_usr_files(dpkg_t)
-miscfiles_read_localization(dpkg_t)
-modutils_run_depmod(dpkg_t, dpkg_roles)
-modutils_run_insmod(dpkg_t, dpkg_roles)
-seutil_run_loadpolicy(dpkg_t, dpkg_roles)
-seutil_run_setfiles(dpkg_t, dpkg_roles)
-userdom_use_all_users_fds(dpkg_t)
+optional_policy(`
+ modutils_run_depmod(dpkg_t, dpkg_roles)
+ modutils_run_insmod(dpkg_t, dpkg_roles)
+')
optional_policy(`
mta_send_mail(dpkg_t)
@@ -202,8 +196,8 @@ optional_policy(`
# Script Local policy
#
-allow dpkg_script_t self:capability { chown dac_override dac_read_search fowner fsetid ipc_lock kill mknod setgid setuid sys_chroot sys_nice };
-allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow dpkg_script_t self:capability { audit_write chown dac_override dac_read_search fowner fsetid ipc_lock kill mknod net_admin setfcap setgid setuid sys_chroot sys_nice sys_ptrace };
+allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap };
allow dpkg_script_t self:fd use;
allow dpkg_script_t self:fifo_file rw_fifo_file_perms;
allow dpkg_script_t self:unix_dgram_socket create_socket_perms;
@@ -214,6 +208,8 @@ allow dpkg_script_t self:shm create_shm_perms;
allow dpkg_script_t self:sem create_sem_perms;
allow dpkg_script_t self:msgq create_msgq_perms;
allow dpkg_script_t self:msg { send receive };
+allow dpkg_script_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+allow dpkg_script_t self:udp_socket create_socket_perms;
allow dpkg_script_t dpkg_tmp_t:file read_file_perms;
@@ -233,6 +229,7 @@ kernel_read_system_state(dpkg_script_t)
corecmd_exec_all_executables(dpkg_script_t)
+dev_manage_null_service(dpkg_script_t)
dev_list_sysfs(dpkg_script_t)
# Use named file transition to fix this
# dev_manage_generic_blk_files(dpkg_script_t)
@@ -267,17 +264,28 @@ selinux_compute_access_vector(dpkg_script_t)
selinux_compute_create_context(dpkg_script_t)
selinux_compute_relabel_context(dpkg_script_t)
selinux_compute_user_contexts(dpkg_script_t)
+selinux_read_policy(dpkg_script_t)
storage_raw_read_fixed_disk(dpkg_script_t)
storage_raw_write_fixed_disk(dpkg_script_t)
term_use_all_terms(dpkg_script_t)
-auth_dontaudit_getattr_shadow(dpkg_script_t)
files_manage_non_auth_files(dpkg_script_t)
+auth_manage_shadow(dpkg_script_t)
+
init_all_labeled_script_domtrans(dpkg_script_t)
+init_get_generic_units_status(dpkg_script_t)
init_use_script_fds(dpkg_script_t)
+init_get_system_status(dpkg_script_t)
+init_start_generic_units(dpkg_script_t)
+init_stop_generic_units(dpkg_script_t)
+init_reload(dpkg_script_t)
+init_stop_system(dpkg_script_t)
+init_telinit(dpkg_script_t)
+init_manage_script_service(dpkg_script_t)
+init_startstop_all_script_services(dpkg_script_t)
libs_exec_ld_so(dpkg_script_t)
libs_exec_lib_files(dpkg_script_t)
@@ -287,9 +295,6 @@ logging_send_syslog_msg(dpkg_script_t)
miscfiles_read_localization(dpkg_script_t)
-modutils_run_depmod(dpkg_script_t, dpkg_roles)
-modutils_run_insmod(dpkg_script_t, dpkg_roles)
-
seutil_run_loadpolicy(dpkg_script_t, dpkg_roles)
seutil_run_setfiles(dpkg_script_t, dpkg_roles)
@@ -309,6 +314,11 @@ optional_policy(`
')
optional_policy(`
+ modutils_run_depmod(dpkg_script_t, dpkg_roles)
+ modutils_run_insmod(dpkg_script_t, dpkg_roles)
+')
+
+optional_policy(`
mta_send_mail(dpkg_script_t)
')
@@ -317,6 +327,11 @@ optional_policy(`
')
optional_policy(`
+ systemd_read_logind_state(dpkg_script_t)
+ systemd_dbus_chat_logind(dpkg_script_t)
+')
+
+optional_policy(`
unconfined_domain(dpkg_script_t)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-02-21 7:11 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-02-21 7:11 UTC (permalink / raw
To: gentoo-commits
commit: e5076b8b2c52d8eba12c4b552a9e491c94305c57
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Mon Feb 20 15:33:05 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Feb 21 07:08:44 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e5076b8b
fetchmail, mysql, tor: Misc fixes from Russell Coker.
policy/modules/contrib/fetchmail.te | 3 ++-
policy/modules/contrib/mysql.te | 9 +++++----
policy/modules/contrib/tor.te | 6 ++++--
3 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/policy/modules/contrib/fetchmail.te b/policy/modules/contrib/fetchmail.te
index 4a078b1a..a15bc538 100644
--- a/policy/modules/contrib/fetchmail.te
+++ b/policy/modules/contrib/fetchmail.te
@@ -1,4 +1,4 @@
-policy_module(fetchmail, 1.16.0)
+policy_module(fetchmail, 1.16.1)
########################################
#
@@ -47,6 +47,7 @@ create_files_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t)
setattr_files_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t)
logging_log_filetrans(fetchmail_t, fetchmail_log_t, { dir file })
+allow fetchmail_t fetchmail_uidl_cache_t:dir manage_dir_perms;
allow fetchmail_t fetchmail_uidl_cache_t:file manage_file_perms;
mta_spool_filetrans(fetchmail_t, fetchmail_uidl_cache_t, file)
diff --git a/policy/modules/contrib/mysql.te b/policy/modules/contrib/mysql.te
index 571f9ce0..6fe1ce56 100644
--- a/policy/modules/contrib/mysql.te
+++ b/policy/modules/contrib/mysql.te
@@ -1,4 +1,4 @@
-policy_module(mysql, 1.19.0)
+policy_module(mysql, 1.19.1)
########################################
#
@@ -70,7 +70,7 @@ dontaudit mysqld_t self:capability sys_tty_config;
allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh };
allow mysqld_t self:fifo_file rw_fifo_file_perms;
allow mysqld_t self:shm create_shm_perms;
-allow mysqld_t self:unix_stream_socket { accept listen };
+allow mysqld_t self:unix_stream_socket { connectto accept listen };
allow mysqld_t self:tcp_socket { accept listen };
manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
@@ -101,6 +101,7 @@ files_pid_filetrans(mysqld_t, mysqld_var_run_t, { dir file sock_file })
kernel_read_kernel_sysctls(mysqld_t)
kernel_read_network_state(mysqld_t)
kernel_read_system_state(mysqld_t)
+kernel_read_vm_sysctls(mysqld_t)
corenet_all_recvfrom_unlabeled(mysqld_t)
corenet_all_recvfrom_netlabel(mysqld_t)
@@ -165,7 +166,7 @@ allow mysqld_safe_t self:capability { chown dac_override fowner kill };
allow mysqld_safe_t self:process { setsched getsched setrlimit };
allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
-allow mysqld_safe_t mysqld_t:process signull;
+allow mysqld_safe_t mysqld_t:process { signull sigkill };
read_lnk_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
manage_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
@@ -190,7 +191,7 @@ kernel_read_kernel_sysctls(mysqld_safe_t)
corecmd_exec_bin(mysqld_safe_t)
corecmd_exec_shell(mysqld_safe_t)
-dev_list_sysfs(mysqld_safe_t)
+dev_read_sysfs(mysqld_safe_t)
domain_read_all_domains_state(mysqld_safe_t)
diff --git a/policy/modules/contrib/tor.te b/policy/modules/contrib/tor.te
index 098154fe..a68e5d9e 100644
--- a/policy/modules/contrib/tor.te
+++ b/policy/modules/contrib/tor.te
@@ -1,4 +1,4 @@
-policy_module(tor, 1.13.0)
+policy_module(tor, 1.13.1)
########################################
#
@@ -41,7 +41,7 @@ init_daemon_pid_file(tor_var_run_t, dir, "tor")
# Local policy
#
-allow tor_t self:capability { setgid setuid sys_tty_config };
+allow tor_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid sys_tty_config };
allow tor_t self:process signal;
allow tor_t self:fifo_file rw_fifo_file_perms;
allow tor_t self:unix_stream_socket { accept listen };
@@ -103,6 +103,8 @@ domain_use_interactive_fds(tor_t)
files_read_etc_runtime_files(tor_t)
files_read_usr_files(tor_t)
+fs_search_tmpfs(tor_t)
+
auth_use_nsswitch(tor_t)
logging_send_syslog_msg(tor_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-02-21 7:11 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-02-21 7:11 UTC (permalink / raw
To: gentoo-commits
commit: aa2ad394fa31c82c65d51b77b81dfd0749fa6f0d
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Mon Feb 20 13:38:49 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Feb 21 07:06:20 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=aa2ad394
monit: Fix build error.
policy/modules/contrib/monit.te | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/monit.te b/policy/modules/contrib/monit.te
index 93403779..14aeddcd 100644
--- a/policy/modules/contrib/monit.te
+++ b/policy/modules/contrib/monit.te
@@ -1,4 +1,4 @@
-policy_module(monit, 1.0.0)
+policy_module(monit, 1.0.1)
########################################
#
@@ -105,7 +105,7 @@ ifdef(`init_systemd',`
tunable_policy(`monit_startstop_services',`
init_get_all_units_status(monit_t)
init_get_system_status(monit_t)
- init_restart_script_service(monit_t)
+ init_startstop_all_script_services(monit_t)
init_start_all_units(monit_t)
init_stop_all_units(monit_t)
init_stream_connect(monit_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-02-21 7:11 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-02-21 7:11 UTC (permalink / raw
To: gentoo-commits
commit: 6e50d6f81946eeb21cfec280182f0ff875a9e5e8
Author: cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Fri Jan 6 14:56:26 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Feb 21 07:06:20 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6e50d6f8
update alsa module
policy/modules/contrib/alsa.fc | 31 ++++++++++++++---------------
policy/modules/contrib/alsa.if | 8 --------
policy/modules/contrib/alsa.te | 44 ++++++++++++++----------------------------
3 files changed, 29 insertions(+), 54 deletions(-)
diff --git a/policy/modules/contrib/alsa.fc b/policy/modules/contrib/alsa.fc
index f26e2392..0f9e5196 100644
--- a/policy/modules/contrib/alsa.fc
+++ b/policy/modules/contrib/alsa.fc
@@ -1,25 +1,22 @@
-HOME_DIR/\.asoundrc -- gen_context(system_u:object_r:alsa_home_t,s0)
+HOME_DIR/\.asoundrc -- gen_context(system_u:object_r:alsa_home_t,s0)
-ifdef(`distro_debian',`
-/\.config(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0)
-')
+/etc/alsa(/.*)? gen_context(system_u:object_r:alsa_etc_t,s0)
+/etc/asound\.conf -- gen_context(system_u:object_r:alsa_etc_t,s0)
-/etc/alsa(/.*)? gen_context(system_u:object_r:alsa_etc_t,s0)
-/etc/asound\.conf gen_context(system_u:object_r:alsa_etc_t,s0)
+/run/alsa(/.*)? gen_context(system_u:object_r:alsa_runtime_t,s0)
-# Systemd unit files
-/usr/lib/systemd/system/[^/]*alsa-restore.* -- gen_context(system_u:object_r:alsa_unit_t,s0)
-/usr/lib/systemd/system/[^/]*alsa-state.* -- gen_context(system_u:object_r:alsa_unit_t,s0)
-/usr/lib/systemd/system/[^/]*alsa-store.* -- gen_context(system_u:object_r:alsa_unit_t,s0)
+/usr/bin/ainit -- gen_context(system_u:object_r:alsa_exec_t,s0)
+/usr/bin/alsaunmute -- gen_context(system_u:object_r:alsa_exec_t,s0)
-/usr/bin/ainit -- gen_context(system_u:object_r:alsa_exec_t,s0)
-/usr/bin/alsaunmute -- gen_context(system_u:object_r:alsa_exec_t,s0)
+/usr/lib/systemd/system/[^/]*alsa-restore.* -- gen_context(system_u:object_r:alsa_unit_t,s0)
+/usr/lib/systemd/system/[^/]*alsa-state.* -- gen_context(system_u:object_r:alsa_unit_t,s0)
+/usr/lib/systemd/system/[^/]*alsa-store.* -- gen_context(system_u:object_r:alsa_unit_t,s0)
-/usr/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0)
-/usr/sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0)
+/usr/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0)
+/usr/sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0)
-/usr/share/alsa(/.*)? gen_context(system_u:object_r:alsa_etc_t,s0)
+/usr/share/alsa(/.*)? gen_context(system_u:object_r:alsa_etc_t,s0)
-/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0)
+/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0)
-/var/lock/asound\.state\.lock -- gen_context(system_u:object_r:alsa_var_lock_t,s0)
+/var/lock/asound\.state\.lock -- gen_context(system_u:object_r:alsa_var_lock_t,s0)
diff --git a/policy/modules/contrib/alsa.if b/policy/modules/contrib/alsa.if
index 9ffed049..d50f5e33 100644
--- a/policy/modules/contrib/alsa.if
+++ b/policy/modules/contrib/alsa.if
@@ -135,10 +135,6 @@ interface(`alsa_read_config',`
allow $1 alsa_etc_t:dir list_dir_perms;
read_files_pattern($1, alsa_etc_t, alsa_etc_t)
read_lnk_files_pattern($1, alsa_etc_t, alsa_etc_t)
-
- ifdef(`distro_debian',`
- files_search_usr($1)
- ')
')
########################################
@@ -176,10 +172,6 @@ interface(`alsa_manage_config',`
allow $1 alsa_etc_t:dir list_dir_perms;
manage_files_pattern($1, alsa_etc_t, alsa_etc_t)
read_lnk_files_pattern($1, alsa_etc_t, alsa_etc_t)
-
- ifdef(`distro_debian',`
- files_search_usr($1)
- ')
')
########################################
diff --git a/policy/modules/contrib/alsa.te b/policy/modules/contrib/alsa.te
index f82e39ca..ed579965 100644
--- a/policy/modules/contrib/alsa.te
+++ b/policy/modules/contrib/alsa.te
@@ -15,6 +15,12 @@ role alsa_roles types alsa_t;
type alsa_etc_t alias alsa_etc_rw_t;
files_config_file(alsa_etc_t)
+type alsa_home_t;
+userdom_user_home_content(alsa_home_t)
+
+type alsa_runtime_t;
+files_pid_file(alsa_runtime_t)
+
type alsa_tmp_t;
files_tmp_file(alsa_tmp_t)
@@ -30,16 +36,14 @@ files_type(alsa_var_lib_t)
type alsa_var_lock_t;
files_lock_file(alsa_var_lock_t)
-type alsa_home_t;
-userdom_user_home_content(alsa_home_t)
-
########################################
#
# Local policy
#
allow alsa_t self:capability { dac_override dac_read_search ipc_owner setgid setuid };
-dontaudit alsa_t self:capability sys_admin;
+# kill : kill pulseaudio
+dontaudit alsa_t self:capability { kill sys_admin };
allow alsa_t self:sem create_sem_perms;
allow alsa_t self:shm create_shm_perms;
allow alsa_t self:unix_stream_socket { accept listen };
@@ -52,6 +56,10 @@ read_lnk_files_pattern(alsa_t, alsa_etc_t, alsa_etc_t)
can_exec(alsa_t, alsa_exec_t)
+allow alsa_t alsa_runtime_t:dir manage_dir_perms;
+allow alsa_t alsa_runtime_t:lnk_file manage_lnk_file_perms;
+files_pid_filetrans(alsa_t, alsa_runtime_t, dir)
+
manage_dirs_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t)
manage_files_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t)
files_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file })
@@ -71,6 +79,7 @@ kernel_read_system_state(alsa_t)
corecmd_exec_bin(alsa_t)
dev_getattr_fs(alsa_t)
+dev_read_input(alsa_t)
dev_read_sound(alsa_t)
dev_read_sysfs(alsa_t)
dev_read_urand(alsa_t)
@@ -79,14 +88,14 @@ dev_write_sound(alsa_t)
files_read_usr_files(alsa_t)
files_search_var_lib(alsa_t)
+fs_getattr_tmpfs(alsa_t)
+
term_dontaudit_use_console(alsa_t)
term_dontaudit_use_generic_ptys(alsa_t)
term_dontaudit_use_all_ptys(alsa_t)
auth_use_nsswitch(alsa_t)
-init_use_fds(alsa_t)
-
logging_send_syslog_msg(alsa_t)
miscfiles_read_localization(alsa_t)
@@ -95,29 +104,6 @@ userdom_manage_unpriv_user_semaphores(alsa_t)
userdom_manage_unpriv_user_shared_mem(alsa_t)
userdom_search_user_home_dirs(alsa_t)
-ifdef(`distro_debian',`
- term_dontaudit_use_unallocated_ttys(alsa_t)
-
- # Gnome 3.4 bug
- dev_associate(alsa_tmpfs_t)
-
- allow alsa_t self:capability kill;
-
- manage_lnk_files_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
- files_root_filetrans(alsa_t, alsa_var_lib_t, dir, ".config")
-
- fs_list_tmpfs(alsa_t)
-
- optional_policy(`
- dbus_read_lib_files(alsa_t)
- ')
-
- optional_policy(`
- pulseaudio_run(alsa_t, system_r)
- pulseaudio_tmpfs_content(alsa_tmpfs_t)
- ')
-')
-
optional_policy(`
hal_use_fds(alsa_t)
hal_write_log(alsa_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-02-21 7:11 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-02-21 7:11 UTC (permalink / raw
To: gentoo-commits
commit: 6c28a4a8f522c55a04c4f9de9e85d5bf38258543
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Mon Feb 20 17:13:46 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Feb 21 07:08:44 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6c28a4a8
Module version bump for alsa and vnstatd fixes from cgzones.
policy/modules/contrib/alsa.te | 2 +-
policy/modules/contrib/vnstatd.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/alsa.te b/policy/modules/contrib/alsa.te
index ed579965..127333e9 100644
--- a/policy/modules/contrib/alsa.te
+++ b/policy/modules/contrib/alsa.te
@@ -1,4 +1,4 @@
-policy_module(alsa, 1.16.1)
+policy_module(alsa, 1.16.2)
########################################
#
diff --git a/policy/modules/contrib/vnstatd.te b/policy/modules/contrib/vnstatd.te
index 220a2b21..46419e83 100644
--- a/policy/modules/contrib/vnstatd.te
+++ b/policy/modules/contrib/vnstatd.te
@@ -1,4 +1,4 @@
-policy_module(vnstatd, 1.3.0)
+policy_module(vnstatd, 1.3.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-02-21 7:11 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-02-21 7:11 UTC (permalink / raw
To: gentoo-commits
commit: d50fd860e9ea0385216f93170f5c3a4a4e1d9aee
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Feb 19 21:35:16 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Feb 21 07:06:20 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d50fd860
Monit policy from Russell Coker and cgzones.
policy/modules/contrib/monit.fc | 13 +++++
policy/modules/contrib/monit.if | 1 +
policy/modules/contrib/monit.te | 117 ++++++++++++++++++++++++++++++++++++++++
3 files changed, 131 insertions(+)
diff --git a/policy/modules/contrib/monit.fc b/policy/modules/contrib/monit.fc
new file mode 100644
index 00000000..d47fa153
--- /dev/null
+++ b/policy/modules/contrib/monit.fc
@@ -0,0 +1,13 @@
+/etc/rc\.d/init\.d/monit -- gen_context(system_u:object_r:monit_initrc_exec_t,s9)
+/etc/monit(/.*)? gen_context(system_u:object_r:monit_etc_t,s0)
+
+/run/monit\.pid -- gen_context(system_u:object_r:monit_run_t,s0)
+
+/usr/bin/monit -- gen_context(system_u:object_r:monit_exec_t,s0)
+
+/usr/lib/systemd/system/monit.* -- gen_context(system_u:object_r:monit_unit_t,s0)
+
+/var/lib/monit(/.*)? gen_context(system_u:object_r:monit_var_lib_t,s0)
+
+/var/log/monit\.log.* -- gen_context(system_u:object_r:monit_log_t,s0)
+
diff --git a/policy/modules/contrib/monit.if b/policy/modules/contrib/monit.if
new file mode 100644
index 00000000..d387f435
--- /dev/null
+++ b/policy/modules/contrib/monit.if
@@ -0,0 +1 @@
+## <summary>Monit system monitoring daemon</summary>
diff --git a/policy/modules/contrib/monit.te b/policy/modules/contrib/monit.te
new file mode 100644
index 00000000..93403779
--- /dev/null
+++ b/policy/modules/contrib/monit.te
@@ -0,0 +1,117 @@
+policy_module(monit, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow monit to start/stop services
+## </p>
+## </desc>
+gen_tunable(monit_startstop_services, false)
+
+attribute_role monit_interactive_roles;
+
+type monit_t;
+type monit_exec_t;
+init_daemon_domain(monit_t, monit_exec_t)
+
+type monit_etc_t;
+files_config_file(monit_etc_t)
+files_security_file(monit_etc_t) # may contain password for monit webinterface
+
+type monit_initrc_exec_t;
+init_script_file(monit_initrc_exec_t)
+
+type monit_log_t;
+logging_log_file(monit_log_t)
+
+type monit_run_t;
+files_pid_file(monit_run_t)
+
+type monit_unit_t;
+init_unit_file(monit_unit_t)
+
+type monit_var_lib_t;
+files_type(monit_var_lib_t)
+
+########################################
+#
+# Daemon policy
+#
+
+# dac_read_search : read /run/exim/*
+# net_raw : create raw sockets
+# sys_ptrace : trace processes
+allow monit_t self:capability { dac_read_search net_raw sys_ptrace };
+# kernel bug
+dontaudit monit_t self:capability dac_override;
+# setsockopt
+dontaudit monit_t self:capability net_admin;
+
+allow monit_t self:process { getpgid sigkill signal };
+allow monit_t self:fifo_file rw_fifo_file_perms;
+allow monit_t self:netlink_route_socket r_netlink_socket_perms;
+allow monit_t self:rawip_socket connected_socket_perms;
+allow monit_t self:sem rw_sem_perms;
+allow monit_t self:tcp_socket create_stream_socket_perms;
+allow monit_t self:udp_socket create_socket_perms;
+allow monit_t self:unix_stream_socket create_stream_socket_perms;
+
+allow monit_t monit_etc_t:dir list_dir_perms;
+allow monit_t monit_etc_t:file read_file_perms;
+allow monit_t monit_etc_t:lnk_file read_lnk_file_perms;
+
+allow monit_t monit_log_t:file { create read_file_perms append_file_perms };
+logging_log_filetrans(monit_t, monit_log_t, file)
+
+allow monit_t monit_run_t:file manage_file_perms;
+files_pid_filetrans(monit_t, monit_run_t, file)
+
+allow monit_t monit_var_lib_t:dir manage_dir_perms;
+allow monit_t monit_var_lib_t:file manage_file_perms;
+
+kernel_read_system_state(monit_t)
+
+corecmd_exec_bin(monit_t)
+corenet_tcp_bind_generic_node(monit_t)
+corenet_tcp_bind_monit_port(monit_t)
+corenet_tcp_connect_all_ports(monit_t)
+
+dev_read_sysfs(monit_t)
+dev_read_urand(monit_t)
+
+domain_getpgid_all_domains(monit_t)
+domain_read_all_domains_state(monit_t)
+
+files_read_all_pids(monit_t)
+
+fs_getattr_dos_fs(monit_t)
+fs_getattr_tmpfs(monit_t)
+fs_getattr_xattr_fs(monit_t)
+fs_search_dos(monit_t)
+
+storage_getattr_fixed_disk_dev(monit_t)
+
+auth_use_nsswitch(monit_t)
+
+miscfiles_read_localization(monit_t)
+
+sysnet_read_config(monit_t)
+
+ifdef(`init_systemd',`
+ tunable_policy(`monit_startstop_services',`
+ init_get_all_units_status(monit_t)
+ init_get_system_status(monit_t)
+ init_restart_script_service(monit_t)
+ init_start_all_units(monit_t)
+ init_stop_all_units(monit_t)
+ init_stream_connect(monit_t)
+ ')
+')
+
+optional_policy(`
+ dbus_system_bus_client(monit_t)
+')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-02-21 7:11 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-02-21 7:11 UTC (permalink / raw
To: gentoo-commits
commit: 5e97185c4e9d63a214b3591efb8393ac65dbdc5b
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Feb 18 14:35:03 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Feb 21 07:06:20 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5e97185c
Little misc patch from Russell Coker.
policy/modules/contrib/kerneloops.te | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/kerneloops.te b/policy/modules/contrib/kerneloops.te
index f6083e5b..4ecba0ae 100644
--- a/policy/modules/contrib/kerneloops.te
+++ b/policy/modules/contrib/kerneloops.te
@@ -1,4 +1,4 @@
-policy_module(kerneloops, 1.6.0)
+policy_module(kerneloops, 1.6.1)
########################################
#
@@ -28,6 +28,7 @@ manage_files_pattern(kerneloops_t, kerneloops_tmp_t, kerneloops_tmp_t)
files_tmp_filetrans(kerneloops_t, kerneloops_tmp_t, file)
kernel_read_ring_buffer(kerneloops_t)
+kernel_read_system_state(kerneloops_t)
domain_use_interactive_fds(kerneloops_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-02-17 8:50 Jason Zaman
2017-02-17 8:44 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2017-02-17 8:50 UTC (permalink / raw
To: gentoo-commits
commit: 6c4f7f44b8475c05327146520cc4f3e196f9574c
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Feb 15 23:47:07 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Feb 17 08:41:32 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6c4f7f44
Sort capabilities permissions from Russell Coker.
policy/modules/contrib/accountsd.te | 2 +-
policy/modules/contrib/afs.te | 2 +-
policy/modules/contrib/aisexec.te | 2 +-
policy/modules/contrib/alsa.te | 2 +-
policy/modules/contrib/amanda.te | 4 ++--
policy/modules/contrib/amavis.te | 2 +-
policy/modules/contrib/apache.te | 2 +-
policy/modules/contrib/apm.te | 4 ++--
policy/modules/contrib/asterisk.te | 2 +-
policy/modules/contrib/automount.te | 2 +-
policy/modules/contrib/avahi.te | 2 +-
policy/modules/contrib/bacula.te | 2 +-
policy/modules/contrib/bluetooth.te | 2 +-
policy/modules/contrib/boinc.te | 2 +-
policy/modules/contrib/cachefilesd.te | 2 +-
policy/modules/contrib/callweaver.te | 2 +-
policy/modules/contrib/canna.te | 2 +-
policy/modules/contrib/ccs.te | 2 +-
policy/modules/contrib/cdrecord.te | 2 +-
policy/modules/contrib/certmaster.te | 2 +-
policy/modules/contrib/certmonger.te | 2 +-
policy/modules/contrib/cgroup.te | 6 +++---
policy/modules/contrib/chronyd.te | 2 +-
policy/modules/contrib/cipe.te | 2 +-
policy/modules/contrib/clamav.te | 6 +++---
policy/modules/contrib/clockspeed.te | 2 +-
policy/modules/contrib/clogd.te | 2 +-
policy/modules/contrib/cmirrord.te | 2 +-
policy/modules/contrib/colord.te | 2 +-
policy/modules/contrib/comsat.te | 2 +-
policy/modules/contrib/condor.te | 12 ++++++------
policy/modules/contrib/consolekit.te | 2 +-
policy/modules/contrib/corosync.te | 4 ++--
policy/modules/contrib/courier.te | 4 ++--
policy/modules/contrib/cron.te | 6 +++---
policy/modules/contrib/cups.te | 10 +++++-----
policy/modules/contrib/cvs.te | 2 +-
policy/modules/contrib/daemontools.te | 2 +-
policy/modules/contrib/dante.te | 2 +-
policy/modules/contrib/dbus.te | 2 +-
policy/modules/contrib/dcc.te | 4 ++--
policy/modules/contrib/ddcprobe.te | 2 +-
policy/modules/contrib/devicekit.te | 4 ++--
policy/modules/contrib/dhcp.te | 2 +-
policy/modules/contrib/dictd.te | 2 +-
policy/modules/contrib/dnsmasq.te | 2 +-
policy/modules/contrib/dovecot.te | 2 +-
policy/modules/contrib/dpkg.te | 4 ++--
policy/modules/contrib/evolution.te | 2 +-
policy/modules/contrib/exim.te | 2 +-
policy/modules/contrib/fail2ban.te | 2 +-
policy/modules/contrib/finger.te | 2 +-
policy/modules/contrib/ftp.te | 2 +-
policy/modules/contrib/gdomap.te | 2 +-
policy/modules/contrib/glusterfs.te | 2 +-
policy/modules/contrib/gpm.te | 2 +-
policy/modules/contrib/gpsd.te | 4 ++--
policy/modules/contrib/hadoop.te | 2 +-
policy/modules/contrib/hal.te | 2 +-
policy/modules/contrib/ifplugd.te | 2 +-
policy/modules/contrib/inetd.te | 4 ++--
policy/modules/contrib/iodine.te | 2 +-
policy/modules/contrib/kdump.te | 2 +-
policy/modules/contrib/kerberos.te | 4 ++--
policy/modules/contrib/kismet.te | 2 +-
policy/modules/contrib/kudzu.te | 2 +-
policy/modules/contrib/ldap.te | 2 +-
policy/modules/contrib/likewise.te | 4 ++--
policy/modules/contrib/logrotate.te | 2 +-
policy/modules/contrib/logwatch.te | 2 +-
policy/modules/contrib/lpd.te | 6 +++---
policy/modules/contrib/mailman.te | 2 +-
policy/modules/contrib/mailscanner.te | 2 +-
policy/modules/contrib/mandb.te | 2 +-
policy/modules/contrib/memcached.te | 2 +-
policy/modules/contrib/milter.te | 2 +-
policy/modules/contrib/minissdpd.te | 2 +-
policy/modules/contrib/mozilla.te | 4 ++--
policy/modules/contrib/mrtg.te | 2 +-
policy/modules/contrib/mta.te | 2 +-
policy/modules/contrib/nagios.te | 8 ++++----
policy/modules/contrib/networkmanager.te | 4 ++--
policy/modules/contrib/nslcd.te | 2 +-
policy/modules/contrib/ntop.te | 2 +-
policy/modules/contrib/ntp.te | 4 ++--
policy/modules/contrib/nut.te | 2 +-
policy/modules/contrib/oddjob.te | 2 +-
policy/modules/contrib/oident.te | 2 +-
policy/modules/contrib/openvpn.te | 2 +-
policy/modules/contrib/openvswitch.te | 2 +-
policy/modules/contrib/pacemaker.te | 2 +-
policy/modules/contrib/passenger.te | 2 +-
policy/modules/contrib/pcmcia.te | 2 +-
policy/modules/contrib/pegasus.te | 2 +-
policy/modules/contrib/pkcs.te | 2 +-
policy/modules/contrib/podsleuth.te | 2 +-
policy/modules/contrib/portage.if | 2 +-
policy/modules/contrib/portage.te | 4 ++--
policy/modules/contrib/portmap.te | 2 +-
policy/modules/contrib/portreserve.te | 2 +-
policy/modules/contrib/portslave.te | 2 +-
policy/modules/contrib/postfix.te | 8 ++++----
policy/modules/contrib/postfixpolicyd.te | 2 +-
policy/modules/contrib/ppp.te | 4 ++--
policy/modules/contrib/procmail.te | 2 +-
policy/modules/contrib/psad.te | 2 +-
policy/modules/contrib/pulseaudio.te | 2 +-
policy/modules/contrib/puppet.te | 4 ++--
policy/modules/contrib/qemu.if | 2 +-
policy/modules/contrib/qmail.te | 2 +-
policy/modules/contrib/quota.te | 2 +-
policy/modules/contrib/radvd.te | 2 +-
policy/modules/contrib/raid.te | 2 +-
policy/modules/contrib/readahead.te | 2 +-
policy/modules/contrib/remotelogin.te | 2 +-
policy/modules/contrib/rgmanager.te | 2 +-
policy/modules/contrib/rhcs.te | 2 +-
policy/modules/contrib/ricci.te | 2 +-
policy/modules/contrib/rlogin.te | 2 +-
policy/modules/contrib/rpc.te | 4 ++--
policy/modules/contrib/rpm.te | 4 ++--
policy/modules/contrib/rshd.te | 2 +-
| 2 +-
policy/modules/contrib/rsync.te | 2 +-
policy/modules/contrib/samba.te | 8 ++++----
policy/modules/contrib/samhain.te | 2 +-
policy/modules/contrib/screen.te | 2 +-
policy/modules/contrib/sendmail.te | 2 +-
policy/modules/contrib/shorewall.te | 2 +-
policy/modules/contrib/slocate.te | 2 +-
policy/modules/contrib/smartmon.te | 2 +-
policy/modules/contrib/smokeping.te | 2 +-
policy/modules/contrib/snmp.te | 2 +-
policy/modules/contrib/snort.te | 2 +-
policy/modules/contrib/sosreport.te | 2 +-
policy/modules/contrib/spamassassin.te | 2 +-
policy/modules/contrib/squid.te | 2 +-
policy/modules/contrib/sssd.te | 2 +-
policy/modules/contrib/sxid.te | 2 +-
policy/modules/contrib/systemtap.te | 2 +-
policy/modules/contrib/telnet.te | 2 +-
policy/modules/contrib/tripwire.te | 2 +-
policy/modules/contrib/ulogd.te | 2 +-
policy/modules/contrib/userhelper.te | 4 ++--
policy/modules/contrib/usernetctl.te | 2 +-
policy/modules/contrib/uucp.te | 4 ++--
policy/modules/contrib/varnishd.te | 2 +-
policy/modules/contrib/vbetool.te | 2 +-
policy/modules/contrib/vhostmd.te | 2 +-
policy/modules/contrib/virt.te | 12 ++++++------
policy/modules/contrib/vlock.te | 2 +-
policy/modules/contrib/vmware.te | 4 ++--
policy/modules/contrib/vpn.te | 2 +-
policy/modules/contrib/watchdog.te | 2 +-
policy/modules/contrib/wdmd.te | 2 +-
policy/modules/contrib/xen.te | 4 ++--
policy/modules/contrib/yam.te | 2 +-
policy/modules/contrib/zabbix.te | 4 ++--
policy/modules/contrib/zarafa.te | 2 +-
policy/modules/contrib/zebra.te | 2 +-
160 files changed, 215 insertions(+), 215 deletions(-)
diff --git a/policy/modules/contrib/accountsd.te b/policy/modules/contrib/accountsd.te
index 3593510d..d435a2d6 100644
--- a/policy/modules/contrib/accountsd.te
+++ b/policy/modules/contrib/accountsd.te
@@ -21,7 +21,7 @@ files_type(accountsd_var_lib_t)
# Local policy
#
-allow accountsd_t self:capability { chown dac_override setuid setgid sys_ptrace };
+allow accountsd_t self:capability { chown dac_override setgid setuid sys_ptrace };
allow accountsd_t self:process signal;
allow accountsd_t self:fifo_file rw_fifo_file_perms;
allow accountsd_t self:passwd { rootok passwd chfn chsh };
diff --git a/policy/modules/contrib/afs.te b/policy/modules/contrib/afs.te
index e685b5d3..b95757a5 100644
--- a/policy/modules/contrib/afs.te
+++ b/policy/modules/contrib/afs.te
@@ -147,7 +147,7 @@ seutil_read_config(afs_bosserver_t)
# fileserver local policy
#
-allow afs_fsserver_t self:capability { kill dac_override chown fowner sys_nice };
+allow afs_fsserver_t self:capability { chown dac_override fowner kill sys_nice };
dontaudit afs_fsserver_t self:capability fsetid;
allow afs_fsserver_t self:process { setsched signal_perms };
allow afs_fsserver_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/aisexec.te b/policy/modules/contrib/aisexec.te
index d89a243e..06b61940 100644
--- a/policy/modules/contrib/aisexec.te
+++ b/policy/modules/contrib/aisexec.te
@@ -32,7 +32,7 @@ files_pid_file(aisexec_var_run_t)
# Local policy
#
-allow aisexec_t self:capability { sys_nice sys_resource ipc_lock ipc_owner };
+allow aisexec_t self:capability { ipc_lock ipc_owner sys_nice sys_resource };
allow aisexec_t self:process { setrlimit setsched signal };
allow aisexec_t self:fifo_file rw_fifo_file_perms;
allow aisexec_t self:sem create_sem_perms;
diff --git a/policy/modules/contrib/alsa.te b/policy/modules/contrib/alsa.te
index 19046676..f82e39ca 100644
--- a/policy/modules/contrib/alsa.te
+++ b/policy/modules/contrib/alsa.te
@@ -38,7 +38,7 @@ userdom_user_home_content(alsa_home_t)
# Local policy
#
-allow alsa_t self:capability { dac_read_search dac_override setgid setuid ipc_owner };
+allow alsa_t self:capability { dac_override dac_read_search ipc_owner setgid setuid };
dontaudit alsa_t self:capability sys_admin;
allow alsa_t self:sem create_sem_perms;
allow alsa_t self:shm create_shm_perms;
diff --git a/policy/modules/contrib/amanda.te b/policy/modules/contrib/amanda.te
index 65fa3975..ecf15211 100644
--- a/policy/modules/contrib/amanda.te
+++ b/policy/modules/contrib/amanda.te
@@ -59,7 +59,7 @@ optional_policy(`
# Local policy
#
-allow amanda_t self:capability { chown dac_override setuid kill };
+allow amanda_t self:capability { chown dac_override kill setuid };
allow amanda_t self:process { setpgid signal };
allow amanda_t self:fifo_file rw_fifo_file_perms;
allow amanda_t self:unix_stream_socket { accept listen };
@@ -141,7 +141,7 @@ logging_send_syslog_msg(amanda_t)
# Recover local policy
#
-allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_override };
+allow amanda_recover_t self:capability { chown dac_override fowner fsetid kill setgid setuid };
allow amanda_recover_t self:process { sigkill sigstop signal };
allow amanda_recover_t self:fifo_file rw_fifo_file_perms;
allow amanda_recover_t self:unix_stream_socket create_socket_perms;
diff --git a/policy/modules/contrib/amavis.te b/policy/modules/contrib/amavis.te
index 2f66a812..44913b37 100644
--- a/policy/modules/contrib/amavis.te
+++ b/policy/modules/contrib/amavis.te
@@ -46,7 +46,7 @@ files_type(amavis_spool_t)
# Local policy
#
-allow amavis_t self:capability { kill chown dac_override setgid setuid };
+allow amavis_t self:capability { chown dac_override kill setgid setuid };
dontaudit amavis_t self:capability sys_tty_config;
allow amavis_t self:process signal_perms;
allow amavis_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index 12b80554..2f724b68 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -920,7 +920,7 @@ tunable_policy(`httpd_tty_comm',`
# Suexec local policy
#
-allow httpd_suexec_t self:capability { setuid setgid };
+allow httpd_suexec_t self:capability { setgid setuid };
allow httpd_suexec_t self:process signal_perms;
allow httpd_suexec_t self:fifo_file rw_fifo_file_perms;
allow httpd_suexec_t self:tcp_socket { accept listen };
diff --git a/policy/modules/contrib/apm.te b/policy/modules/contrib/apm.te
index f5692d58..c5647460 100644
--- a/policy/modules/contrib/apm.te
+++ b/policy/modules/contrib/apm.te
@@ -62,8 +62,8 @@ logging_send_syslog_msg(apm_t)
# Server local policy
#
-allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod };
-dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_ptrace sys_tty_config };
+allow apmd_t self:capability { kill mknod sys_admin sys_nice sys_time };
+dontaudit apmd_t self:capability { dac_override dac_read_search setuid sys_ptrace sys_tty_config };
allow apmd_t self:process { signal_perms getsession };
allow apmd_t self:fifo_file rw_fifo_file_perms;
allow apmd_t self:netlink_socket create_socket_perms;
diff --git a/policy/modules/contrib/asterisk.te b/policy/modules/contrib/asterisk.te
index db0efef0..9c6a947f 100644
--- a/policy/modules/contrib/asterisk.te
+++ b/policy/modules/contrib/asterisk.te
@@ -39,7 +39,7 @@ init_daemon_pid_file(asterisk_var_run_t, dir, "asterisk")
# Local policy
#
-allow asterisk_t self:capability { dac_override chown setgid setuid sys_nice net_admin };
+allow asterisk_t self:capability { chown dac_override net_admin setgid setuid sys_nice };
dontaudit asterisk_t self:capability { sys_module sys_tty_config };
allow asterisk_t self:process { getsched setsched signal_perms getcap setcap };
allow asterisk_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/automount.te b/policy/modules/contrib/automount.te
index ae421061..09b82b0c 100644
--- a/policy/modules/contrib/automount.te
+++ b/policy/modules/contrib/automount.te
@@ -33,7 +33,7 @@ files_pid_file(automount_var_run_t)
# Local policy
#
-allow automount_t self:capability { setgid setuid sys_nice sys_resource dac_override sys_admin };
+allow automount_t self:capability { dac_override setgid setuid sys_admin sys_nice sys_resource };
dontaudit automount_t self:capability sys_tty_config;
allow automount_t self:process { signal_perms getpgid setpgid setsched setrlimit };
allow automount_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/avahi.te b/policy/modules/contrib/avahi.te
index d5d87ee3..b2e43eed 100644
--- a/policy/modules/contrib/avahi.te
+++ b/policy/modules/contrib/avahi.te
@@ -27,7 +27,7 @@ files_pid_file(avahi_var_run_t)
# Local policy
#
-allow avahi_t self:capability { dac_override setgid chown fowner kill net_admin net_raw setuid sys_chroot };
+allow avahi_t self:capability { chown dac_override fowner kill net_admin net_raw setgid setuid sys_chroot };
dontaudit avahi_t self:capability sys_tty_config;
allow avahi_t self:process { setrlimit signal_perms getcap setcap };
allow avahi_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/bacula.te b/policy/modules/contrib/bacula.te
index 2050984c..20b92c3f 100644
--- a/policy/modules/contrib/bacula.te
+++ b/policy/modules/contrib/bacula.te
@@ -43,7 +43,7 @@ role bacula_admin_roles types bacula_admin_t;
# Local policy
#
-allow bacula_t self:capability { dac_read_search dac_override chown fowner fsetid};
+allow bacula_t self:capability { chown dac_override dac_read_search fowner fsetid };
allow bacula_t self:process signal;
allow bacula_t self:fifo_file rw_fifo_file_perms;
allow bacula_t self:tcp_socket { accept listen };
diff --git a/policy/modules/contrib/bluetooth.te b/policy/modules/contrib/bluetooth.te
index ceb79e63..75d739da 100644
--- a/policy/modules/contrib/bluetooth.te
+++ b/policy/modules/contrib/bluetooth.te
@@ -57,7 +57,7 @@ files_pid_file(bluetooth_var_run_t)
# Local policy
#
-allow bluetooth_t self:capability { dac_override net_bind_service net_admin net_raw setpcap sys_admin sys_tty_config ipc_lock };
+allow bluetooth_t self:capability { dac_override ipc_lock net_admin net_bind_service net_raw setpcap sys_admin sys_tty_config };
dontaudit bluetooth_t self:capability sys_tty_config;
allow bluetooth_t self:process { getcap setcap getsched signal_perms };
allow bluetooth_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/boinc.te b/policy/modules/contrib/boinc.te
index 64803206..ed1aaf34 100644
--- a/policy/modules/contrib/boinc.te
+++ b/policy/modules/contrib/boinc.te
@@ -168,7 +168,7 @@ optional_policy(`
# Project local policy
#
-allow boinc_project_t self:capability { setuid setgid };
+allow boinc_project_t self:capability { setgid setuid };
allow boinc_project_t self:process { execmem execstack noatsecure ptrace setcap getcap setpgid setsched signal_perms };
manage_dirs_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
diff --git a/policy/modules/contrib/cachefilesd.te b/policy/modules/contrib/cachefilesd.te
index 14fcf67c..c92149d1 100644
--- a/policy/modules/contrib/cachefilesd.te
+++ b/policy/modules/contrib/cachefilesd.te
@@ -27,7 +27,7 @@ role system_r types cachefiles_kernel_t;
# Cachefilesd local policy
#
-allow cachefilesd_t self:capability { setuid setgid sys_admin dac_override };
+allow cachefilesd_t self:capability { dac_override setgid setuid sys_admin };
allow cachefilesd_t cachefiles_kernel_t:kernel_service use_as_override;
diff --git a/policy/modules/contrib/callweaver.te b/policy/modules/contrib/callweaver.te
index d67ad9b8..f9443343 100644
--- a/policy/modules/contrib/callweaver.te
+++ b/policy/modules/contrib/callweaver.te
@@ -29,7 +29,7 @@ files_type(callweaver_spool_t)
# Local policy
#
-allow callweaver_t self:capability { setuid sys_nice setgid };
+allow callweaver_t self:capability { setgid setuid sys_nice };
allow callweaver_t self:process { setsched signal };
allow callweaver_t self:fifo_file rw_fifo_file_perms;
allow callweaver_t self:tcp_socket { accept listen };
diff --git a/policy/modules/contrib/canna.te b/policy/modules/contrib/canna.te
index 6738527a..ea8f64b5 100644
--- a/policy/modules/contrib/canna.te
+++ b/policy/modules/contrib/canna.te
@@ -26,7 +26,7 @@ files_pid_file(canna_var_run_t)
# Local policy
#
-allow canna_t self:capability { setgid setuid net_bind_service };
+allow canna_t self:capability { net_bind_service setgid setuid };
dontaudit canna_t self:capability sys_tty_config;
allow canna_t self:process signal_perms;
allow canna_t self:unix_stream_socket { accept connectto listen };
diff --git a/policy/modules/contrib/ccs.te b/policy/modules/contrib/ccs.te
index eacec0bf..bc766e74 100644
--- a/policy/modules/contrib/ccs.te
+++ b/policy/modules/contrib/ccs.te
@@ -35,7 +35,7 @@ files_pid_file(ccs_var_run_t)
# Local policy
#
-allow ccs_t self:capability { ipc_owner ipc_lock sys_nice sys_resource sys_admin };
+allow ccs_t self:capability { ipc_lock ipc_owner sys_admin sys_nice sys_resource };
allow ccs_t self:process { signal setrlimit setsched };
dontaudit ccs_t self:process ptrace;
allow ccs_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/cdrecord.te b/policy/modules/contrib/cdrecord.te
index 16883c9c..4af7717a 100644
--- a/policy/modules/contrib/cdrecord.te
+++ b/policy/modules/contrib/cdrecord.te
@@ -29,7 +29,7 @@ role cdrecord_roles types cdrecord_t;
# Local policy
#
-allow cdrecord_t self:capability { ipc_lock sys_nice setuid dac_override sys_rawio };
+allow cdrecord_t self:capability { dac_override ipc_lock setuid sys_nice sys_rawio };
allow cdrecord_t self:process { getcap getsched setrlimit setsched sigkill };
allow cdrecord_t self:unix_stream_socket { accept listen };
diff --git a/policy/modules/contrib/certmaster.te b/policy/modules/contrib/certmaster.te
index 16420ae9..daeb417d 100644
--- a/policy/modules/contrib/certmaster.te
+++ b/policy/modules/contrib/certmaster.te
@@ -29,7 +29,7 @@ files_pid_file(certmaster_var_run_t)
# Local policy
#
-allow certmaster_t self:capability { dac_read_search dac_override sys_tty_config };
+allow certmaster_t self:capability { dac_override dac_read_search sys_tty_config };
allow certmaster_t self:tcp_socket { accept listen };
list_dirs_pattern(certmaster_t, certmaster_etc_rw_t, certmaster_etc_rw_t)
diff --git a/policy/modules/contrib/certmonger.te b/policy/modules/contrib/certmonger.te
index defc3467..f6c9d20d 100644
--- a/policy/modules/contrib/certmonger.te
+++ b/policy/modules/contrib/certmonger.te
@@ -23,7 +23,7 @@ files_pid_file(certmonger_var_run_t)
# Local policy
#
-allow certmonger_t self:capability { chown dac_override dac_read_search setgid setuid kill sys_nice };
+allow certmonger_t self:capability { chown dac_override dac_read_search kill setgid setuid sys_nice };
dontaudit certmonger_t self:capability sys_tty_config;
allow certmonger_t self:capability2 block_suspend;
allow certmonger_t self:process { getsched setsched sigkill signal };
diff --git a/policy/modules/contrib/cgroup.te b/policy/modules/contrib/cgroup.te
index 5d600a9f..3599d7a2 100644
--- a/policy/modules/contrib/cgroup.te
+++ b/policy/modules/contrib/cgroup.te
@@ -40,7 +40,7 @@ files_config_file(cgconfig_etc_t)
# cgclear local policy
#
-allow cgclear_t self:capability { dac_read_search dac_override sys_admin };
+allow cgclear_t self:capability { dac_override dac_read_search sys_admin };
allow cgclear_t cgconfig_etc_t:file read_file_perms;
@@ -57,7 +57,7 @@ fs_unmount_cgroup(cgclear_t)
# cgconfig local policy
#
-allow cgconfig_t self:capability { dac_override fowner fsetid chown sys_admin sys_tty_config };
+allow cgconfig_t self:capability { chown dac_override fowner fsetid sys_admin sys_tty_config };
allow cgconfig_t cgconfig_etc_t:file read_file_perms;
@@ -77,7 +77,7 @@ fs_unmount_cgroup(cgconfig_t)
# cgred local policy
#
-allow cgred_t self:capability { chown fsetid net_admin sys_admin sys_ptrace dac_override };
+allow cgred_t self:capability { chown dac_override fsetid net_admin sys_admin sys_ptrace };
allow cgred_t self:netlink_socket { write bind create read };
allow cgred_t self:unix_dgram_socket { write create connect };
diff --git a/policy/modules/contrib/chronyd.te b/policy/modules/contrib/chronyd.te
index 97c541c6..618f6cf5 100644
--- a/policy/modules/contrib/chronyd.te
+++ b/policy/modules/contrib/chronyd.te
@@ -35,7 +35,7 @@ files_pid_file(chronyd_var_run_t)
# Local policy
#
-allow chronyd_t self:capability { dac_override ipc_lock setuid setgid sys_resource sys_time };
+allow chronyd_t self:capability { dac_override ipc_lock setgid setuid sys_resource sys_time };
allow chronyd_t self:process { getcap setcap setrlimit signal };
allow chronyd_t self:shm create_shm_perms;
allow chronyd_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/cipe.te b/policy/modules/contrib/cipe.te
index e2a5c13c..729d7820 100644
--- a/policy/modules/contrib/cipe.te
+++ b/policy/modules/contrib/cipe.te
@@ -17,7 +17,7 @@ init_script_file(ciped_initrc_exec_t)
# Local policy
#
-allow ciped_t self:capability { net_admin ipc_lock sys_tty_config };
+allow ciped_t self:capability { ipc_lock net_admin sys_tty_config };
dontaudit ciped_t self:capability sys_tty_config;
allow ciped_t self:process signal_perms;
allow ciped_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/clamav.te b/policy/modules/contrib/clamav.te
index 0940e437..f2664e82 100644
--- a/policy/modules/contrib/clamav.te
+++ b/policy/modules/contrib/clamav.te
@@ -73,7 +73,7 @@ logging_log_file(freshclam_var_log_t)
# Clamd local policy
#
-allow clamd_t self:capability { kill setgid setuid dac_override };
+allow clamd_t self:capability { dac_override kill setgid setuid };
dontaudit clamd_t self:capability sys_tty_config;
allow clamd_t self:process signal;
allow clamd_t self:fifo_file rw_fifo_file_perms;
@@ -173,7 +173,7 @@ optional_policy(`
# Freshclam local policy
#
-allow freshclam_t self:capability { setgid setuid dac_override };
+allow freshclam_t self:capability { dac_override setgid setuid };
allow freshclam_t self:fifo_file rw_fifo_file_perms;
allow freshclam_t self:unix_stream_socket { accept listen };
allow freshclam_t self:tcp_socket { accept listen };
@@ -252,7 +252,7 @@ optional_policy(`
# Clamscam local policy
#
-allow clamscan_t self:capability { setgid setuid dac_override };
+allow clamscan_t self:capability { dac_override setgid setuid };
allow clamscan_t self:fifo_file rw_fifo_file_perms;
allow clamscan_t self:unix_stream_socket create_stream_socket_perms;
allow clamscan_t self:unix_dgram_socket create_socket_perms;
diff --git a/policy/modules/contrib/clockspeed.te b/policy/modules/contrib/clockspeed.te
index d3e2a67e..6544d006 100644
--- a/policy/modules/contrib/clockspeed.te
+++ b/policy/modules/contrib/clockspeed.te
@@ -49,7 +49,7 @@ userdom_use_user_terminals(clockspeed_cli_t)
# Server local policy
#
-allow clockspeed_srv_t self:capability { sys_time net_bind_service };
+allow clockspeed_srv_t self:capability { net_bind_service sys_time };
allow clockspeed_srv_t self:udp_socket create_socket_perms;
allow clockspeed_srv_t self:unix_dgram_socket create_socket_perms;
allow clockspeed_srv_t self:unix_stream_socket create_socket_perms;
diff --git a/policy/modules/contrib/clogd.te b/policy/modules/contrib/clogd.te
index 356ef465..b9a57b18 100644
--- a/policy/modules/contrib/clogd.te
+++ b/policy/modules/contrib/clogd.te
@@ -20,7 +20,7 @@ files_pid_file(clogd_var_run_t)
# Local policy
#
-allow clogd_t self:capability { net_admin mknod };
+allow clogd_t self:capability { mknod net_admin };
allow clogd_t self:process signal;
allow clogd_t self:sem create_sem_perms;
allow clogd_t self:shm create_shm_perms;
diff --git a/policy/modules/contrib/cmirrord.te b/policy/modules/contrib/cmirrord.te
index d916d65c..ece1a1ce 100644
--- a/policy/modules/contrib/cmirrord.te
+++ b/policy/modules/contrib/cmirrord.te
@@ -23,7 +23,7 @@ files_pid_file(cmirrord_var_run_t)
# Local policy
#
-allow cmirrord_t self:capability { net_admin kill };
+allow cmirrord_t self:capability { kill net_admin };
dontaudit cmirrord_t self:capability sys_tty_config;
allow cmirrord_t self:process { setfscreate signal };
allow cmirrord_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/colord.te b/policy/modules/contrib/colord.te
index b7a2b96f..0236b279 100644
--- a/policy/modules/contrib/colord.te
+++ b/policy/modules/contrib/colord.te
@@ -23,7 +23,7 @@ files_type(colord_var_lib_t)
# Local policy
#
-allow colord_t self:capability { dac_read_search dac_override };
+allow colord_t self:capability { dac_override dac_read_search };
dontaudit colord_t self:capability sys_admin;
allow colord_t self:process signal;
allow colord_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/comsat.te b/policy/modules/contrib/comsat.te
index c63cf855..9b7b3706 100644
--- a/policy/modules/contrib/comsat.te
+++ b/policy/modules/contrib/comsat.te
@@ -20,7 +20,7 @@ files_pid_file(comsat_var_run_t)
# Local policy
#
-allow comsat_t self:capability { setuid setgid };
+allow comsat_t self:capability { setgid setuid };
allow comsat_t self:process signal_perms;
allow comsat_t self:fifo_file rw_fifo_file_perms;
allow comsat_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
diff --git a/policy/modules/contrib/condor.te b/policy/modules/contrib/condor.te
index 33937669..fbb70249 100644
--- a/policy/modules/contrib/condor.te
+++ b/policy/modules/contrib/condor.te
@@ -130,7 +130,7 @@ optional_policy(`
# Master local policy
#
-allow condor_master_t self:capability { setuid setgid dac_override sys_ptrace };
+allow condor_master_t self:capability { dac_override setgid setuid sys_ptrace };
allow condor_master_t condor_domain:process { sigkill signal };
@@ -167,7 +167,7 @@ optional_policy(`
# Collector local policy
#
-allow condor_collector_t self:capability { setuid setgid };
+allow condor_collector_t self:capability { setgid setuid };
allow condor_collector_t condor_master_t:tcp_socket rw_stream_socket_perms;
allow condor_collector_t condor_master_t:udp_socket rw_socket_perms;
@@ -179,7 +179,7 @@ kernel_read_network_state(condor_collector_t)
# Negotiator local policy
#
-allow condor_negotiator_t self:capability { setuid setgid };
+allow condor_negotiator_t self:capability { setgid setuid };
allow condor_negotiator_t condor_master_t:tcp_socket rw_stream_socket_perms;
allow condor_negotiator_t condor_master_t:udp_socket getattr;
@@ -188,7 +188,7 @@ allow condor_negotiator_t condor_master_t:udp_socket getattr;
# Procd local policy
#
-allow condor_procd_t self:capability { fowner chown kill dac_override sys_ptrace };
+allow condor_procd_t self:capability { chown dac_override fowner kill sys_ptrace };
allow condor_procd_t condor_domain:process sigkill;
@@ -199,7 +199,7 @@ domain_read_all_domains_state(condor_procd_t)
# Schedd local policy
#
-allow condor_schedd_t self:capability { setuid chown setgid dac_override };
+allow condor_schedd_t self:capability { chown dac_override setgid setuid };
allow condor_schedd_t condor_master_t:tcp_socket rw_stream_socket_perms;
allow condor_schedd_t condor_master_t:udp_socket getattr;
@@ -219,7 +219,7 @@ files_tmp_filetrans(condor_schedd_t, condor_schedd_tmp_t, { file dir })
# Startd local policy
#
-allow condor_startd_t self:capability { setuid net_admin setgid dac_override };
+allow condor_startd_t self:capability { dac_override net_admin setgid setuid };
allow condor_startd_t self:process execmem;
manage_dirs_pattern(condor_startd_t, condor_startd_tmp_t, condor_startd_tmp_t)
diff --git a/policy/modules/contrib/consolekit.te b/policy/modules/contrib/consolekit.te
index 5b11390c..a2a51ba8 100644
--- a/policy/modules/contrib/consolekit.te
+++ b/policy/modules/contrib/consolekit.te
@@ -27,7 +27,7 @@ init_daemon_pid_file(consolekit_var_run_t, dir, "ConsoleKit")
# Local policy
#
-allow consolekit_t self:capability { chown fowner setuid setgid sys_admin sys_tty_config dac_override sys_nice sys_ptrace };
+allow consolekit_t self:capability { chown dac_override fowner setgid setuid sys_admin sys_nice sys_ptrace sys_tty_config };
allow consolekit_t self:process { getsched signal setfscreate };
allow consolekit_t self:fifo_file rw_fifo_file_perms;
allow consolekit_t self:unix_stream_socket { accept listen };
diff --git a/policy/modules/contrib/corosync.te b/policy/modules/contrib/corosync.te
index 43ec8c61..771582f0 100644
--- a/policy/modules/contrib/corosync.te
+++ b/policy/modules/contrib/corosync.te
@@ -33,9 +33,9 @@ files_pid_file(corosync_var_run_t)
# Local policy
#
-allow corosync_t self:capability { dac_override fowner setuid setgid sys_nice sys_admin sys_resource ipc_lock };
+allow corosync_t self:capability { dac_override fowner ipc_lock setgid setuid sys_admin sys_nice sys_resource };
# for hearbeat
-allow corosync_t self:capability { net_raw chown };
+allow corosync_t self:capability { chown net_raw };
allow corosync_t self:process { setpgid setrlimit setsched signal signull };
allow corosync_t self:fifo_file rw_fifo_file_perms;
allow corosync_t self:sem create_sem_perms;
diff --git a/policy/modules/contrib/courier.te b/policy/modules/contrib/courier.te
index 35ba8d89..176bd5c2 100644
--- a/policy/modules/contrib/courier.te
+++ b/policy/modules/contrib/courier.te
@@ -85,7 +85,7 @@ optional_policy(`
# Authdaemon local policy
#
-allow courier_authdaemon_t self:capability { setuid setgid sys_tty_config };
+allow courier_authdaemon_t self:capability { setgid setuid sys_tty_config };
allow courier_authdaemon_t self:unix_stream_socket { accept connectto listen };
create_dirs_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t)
@@ -123,7 +123,7 @@ userdom_dontaudit_search_user_home_dirs(courier_authdaemon_t)
# Calendar (PCP) local policy
#
-allow courier_pcp_t self:capability { setuid setgid };
+allow courier_pcp_t self:capability { setgid setuid };
dev_read_rand(courier_pcp_t)
diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te
index 1c6f3867..905deb16 100644
--- a/policy/modules/contrib/cron.te
+++ b/policy/modules/contrib/cron.te
@@ -141,7 +141,7 @@ ifdef(`enable_mcs',`
# Common crontab local policy
#
-allow crontab_domain self:capability { fowner setuid setgid chown dac_override };
+allow crontab_domain self:capability { chown dac_override fowner setgid setuid };
allow crontab_domain self:process { getcap setsched signal_perms };
allow crontab_domain self:fifo_file rw_fifo_file_perms;
@@ -217,7 +217,7 @@ tunable_policy(`fcron_crond',`
# Daemon local policy
#
-allow crond_t self:capability { dac_override chown fowner setgid setuid sys_nice dac_read_search };
+allow crond_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_nice };
dontaudit crond_t self:capability { sys_resource sys_tty_config };
allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
allow crond_t self:process { setexec setfscreate };
@@ -425,7 +425,7 @@ optional_policy(`
# System local policy
#
-allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice };
+allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_bind_service setgid setuid sys_nice };
allow system_cronjob_t self:process { signal_perms getsched setsched };
allow system_cronjob_t self:fd use;
allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te
index c90e2120..8fdd713f 100644
--- a/policy/modules/contrib/cups.te
+++ b/policy/modules/contrib/cups.te
@@ -109,8 +109,8 @@ ifdef(`enable_mls',`
# Cups local policy
#
-allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill setgid setuid fsetid fowner chown dac_override sys_rawio sys_resource sys_tty_config };
-dontaudit cupsd_t self:capability { sys_tty_config net_admin };
+allow cupsd_t self:capability { chown dac_override dac_override dac_read_search fowner fsetid ipc_lock kill setgid setuid sys_admin sys_rawio sys_resource sys_tty_config };
+dontaudit cupsd_t self:capability { net_admin sys_tty_config };
allow cupsd_t self:capability2 block_suspend;
allow cupsd_t self:process { getpgid setpgid setsched signal_perms };
allow cupsd_t self:fifo_file rw_fifo_file_perms;
@@ -357,7 +357,7 @@ optional_policy(`
# Configuration daemon local policy
#
-allow cupsd_config_t self:capability { chown dac_override sys_tty_config setuid setgid };
+allow cupsd_config_t self:capability { chown dac_override setgid setuid sys_tty_config };
dontaudit cupsd_config_t self:capability sys_tty_config;
allow cupsd_config_t self:process { getsched signal_perms };
allow cupsd_config_t self:fifo_file rw_fifo_file_perms;
@@ -500,7 +500,7 @@ optional_policy(`
# Lpd local policy
#
-allow cupsd_lpd_t self:capability { setuid setgid };
+allow cupsd_lpd_t self:capability { setgid setuid };
allow cupsd_lpd_t self:process signal_perms;
allow cupsd_lpd_t self:fifo_file rw_fifo_file_perms;
allow cupsd_lpd_t self:tcp_socket { accept listen };
@@ -562,7 +562,7 @@ optional_policy(`
# Pdf local policy
#
-allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override };
+allow cups_pdf_t self:capability { chown dac_override fowner fsetid setgid setuid };
allow cups_pdf_t self:fifo_file rw_fifo_file_perms;
allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
diff --git a/policy/modules/contrib/cvs.te b/policy/modules/contrib/cvs.te
index ab055c99..f090b62a 100644
--- a/policy/modules/contrib/cvs.te
+++ b/policy/modules/contrib/cvs.te
@@ -39,7 +39,7 @@ files_pid_file(cvs_var_run_t)
# Local policy
#
-allow cvs_t self:capability { setuid setgid };
+allow cvs_t self:capability { setgid setuid };
allow cvs_t self:process signal_perms;
allow cvs_t self:fifo_file rw_fifo_file_perms;
allow cvs_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
diff --git a/policy/modules/contrib/daemontools.te b/policy/modules/contrib/daemontools.te
index 78a01e75..d355befc 100644
--- a/policy/modules/contrib/daemontools.te
+++ b/policy/modules/contrib/daemontools.te
@@ -55,7 +55,7 @@ logging_manage_generic_logs(svc_multilog_t)
# ie. softlimit, setuidgid, envuidgid, envdir, fghack ..
#
-allow svc_run_t self:capability { setgid setuid chown fsetid sys_resource };
+allow svc_run_t self:capability { chown fsetid setgid setuid sys_resource };
allow svc_run_t self:process setrlimit;
allow svc_run_t self:fifo_file rw_fifo_file_perms;
allow svc_run_t self:unix_stream_socket create_stream_socket_perms;
diff --git a/policy/modules/contrib/dante.te b/policy/modules/contrib/dante.te
index 4ed8790f..124f2c58 100644
--- a/policy/modules/contrib/dante.te
+++ b/policy/modules/contrib/dante.te
@@ -23,7 +23,7 @@ files_pid_file(dante_var_run_t)
# Local policy
#
-allow dante_t self:capability { setuid setgid };
+allow dante_t self:capability { setgid setuid };
dontaudit dante_t self:capability sys_tty_config;
allow dante_t self:process signal_perms;
allow dante_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index 42c7d4fe..78de2022 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -60,7 +60,7 @@ ifdef(`enable_mls',`
# Local policy
#
-allow system_dbusd_t self:capability { sys_resource dac_override setgid setpcap setuid };
+allow system_dbusd_t self:capability { dac_override setgid setpcap setuid sys_resource };
dontaudit system_dbusd_t self:capability sys_tty_config;
allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap setrlimit };
allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/dcc.te b/policy/modules/contrib/dcc.te
index 0a6abd4b..9b1c25e7 100644
--- a/policy/modules/contrib/dcc.te
+++ b/policy/modules/contrib/dcc.te
@@ -82,7 +82,7 @@ files_pid_file(dccm_var_run_t)
# Daemon controller local policy
#
-allow cdcc_t self:capability { setuid setgid };
+allow cdcc_t self:capability { setgid setuid };
manage_dirs_pattern(cdcc_t, cdcc_tmp_t, cdcc_tmp_t)
manage_files_pattern(cdcc_t, cdcc_tmp_t, cdcc_tmp_t)
@@ -109,7 +109,7 @@ userdom_use_user_terminals(cdcc_t)
# Procmail interface local policy
#
-allow dcc_client_t self:capability { setuid setgid };
+allow dcc_client_t self:capability { setgid setuid };
allow dcc_client_t dcc_client_map_t:file rw_file_perms;
diff --git a/policy/modules/contrib/ddcprobe.te b/policy/modules/contrib/ddcprobe.te
index 8fa4bb99..8d1263ae 100644
--- a/policy/modules/contrib/ddcprobe.te
+++ b/policy/modules/contrib/ddcprobe.te
@@ -18,7 +18,7 @@ role ddcprobe_roles types ddcprobe_t;
# Local policy
#
-allow ddcprobe_t self:capability { sys_rawio sys_admin };
+allow ddcprobe_t self:capability { sys_admin sys_rawio };
allow ddcprobe_t self:process execmem;
kernel_read_system_state(ddcprobe_t)
diff --git a/policy/modules/contrib/devicekit.te b/policy/modules/contrib/devicekit.te
index a5926c4a..82ce25c3 100644
--- a/policy/modules/contrib/devicekit.te
+++ b/policy/modules/contrib/devicekit.te
@@ -64,7 +64,7 @@ optional_policy(`
# Disk local policy
#
-allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_ptrace sys_rawio };
+allow devicekit_disk_t self:capability { chown dac_override fowner fsetid net_admin setgid setuid sys_admin sys_nice sys_ptrace sys_rawio };
allow devicekit_disk_t self:process { getsched signal_perms };
allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -197,7 +197,7 @@ optional_policy(`
# Power local policy
#
-allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice sys_ptrace };
+allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_nice sys_ptrace sys_tty_config };
allow devicekit_power_t self:capability2 wake_alarm;
allow devicekit_power_t self:process { getsched signal_perms };
allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/dhcp.te b/policy/modules/contrib/dhcp.te
index a5f6ecd8..2fbf84ed 100644
--- a/policy/modules/contrib/dhcp.te
+++ b/policy/modules/contrib/dhcp.te
@@ -37,7 +37,7 @@ files_pid_file(dhcpd_var_run_t)
# Local policy
#
-allow dhcpd_t self:capability { chown dac_override sys_chroot net_raw setgid setuid sys_resource };
+allow dhcpd_t self:capability { chown dac_override net_raw setgid setuid sys_chroot sys_resource };
dontaudit dhcpd_t self:capability { net_admin sys_tty_config };
allow dhcpd_t self:process { getcap setcap signal_perms };
allow dhcpd_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/dictd.te b/policy/modules/contrib/dictd.te
index 74b38850..c390b549 100644
--- a/policy/modules/contrib/dictd.te
+++ b/policy/modules/contrib/dictd.te
@@ -26,7 +26,7 @@ files_pid_file(dictd_var_run_t)
# Local policy
#
-allow dictd_t self:capability { setuid setgid };
+allow dictd_t self:capability { setgid setuid };
dontaudit dictd_t self:capability sys_tty_config;
allow dictd_t self:process { signal_perms setpgid };
allow dictd_t self:unix_stream_socket { accept listen };
diff --git a/policy/modules/contrib/dnsmasq.te b/policy/modules/contrib/dnsmasq.te
index 23fdaa0d..ee961ce2 100644
--- a/policy/modules/contrib/dnsmasq.te
+++ b/policy/modules/contrib/dnsmasq.te
@@ -32,7 +32,7 @@ files_pid_file(dnsmasq_var_run_t)
# Local policy
#
-allow dnsmasq_t self:capability { chown dac_override net_admin setgid setuid net_raw };
+allow dnsmasq_t self:capability { chown dac_override net_admin net_raw setgid setuid };
dontaudit dnsmasq_t self:capability sys_tty_config;
allow dnsmasq_t self:process { getcap setcap signal_perms };
allow dnsmasq_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/dovecot.te b/policy/modules/contrib/dovecot.te
index fcfcf3c2..1701e3f0 100644
--- a/policy/modules/contrib/dovecot.te
+++ b/policy/modules/contrib/dovecot.te
@@ -92,7 +92,7 @@ miscfiles_read_localization(dovecot_domain)
# Local policy
#
-allow dovecot_t self:capability { dac_override dac_read_search chown fsetid kill setgid setuid sys_chroot };
+allow dovecot_t self:capability { chown dac_override dac_read_search fsetid kill setgid setuid sys_chroot };
dontaudit dovecot_t self:capability sys_tty_config;
allow dovecot_t self:process { setrlimit signal_perms getcap setcap setsched };
allow dovecot_t self:tcp_socket { accept listen };
diff --git a/policy/modules/contrib/dpkg.te b/policy/modules/contrib/dpkg.te
index 9bb9d6f6..84dd6ba1 100644
--- a/policy/modules/contrib/dpkg.te
+++ b/policy/modules/contrib/dpkg.te
@@ -49,7 +49,7 @@ files_tmpfs_file(dpkg_script_tmpfs_t)
# Local policy
#
-allow dpkg_t self:capability { chown dac_override fowner fsetid setgid setuid kill sys_tty_config sys_nice sys_resource mknod linux_immutable };
+allow dpkg_t self:capability { chown dac_override fowner fsetid kill linux_immutable mknod setgid setuid sys_nice sys_resource sys_tty_config };
allow dpkg_t self:process { setpgid fork getsched setfscreate };
allow dpkg_t self:fd use;
allow dpkg_t self:fifo_file rw_fifo_file_perms;
@@ -202,7 +202,7 @@ optional_policy(`
# Script Local policy
#
-allow dpkg_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill };
+allow dpkg_script_t self:capability { chown dac_override dac_read_search fowner fsetid ipc_lock kill mknod setgid setuid sys_chroot sys_nice };
allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow dpkg_script_t self:fd use;
allow dpkg_script_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/evolution.te b/policy/modules/contrib/evolution.te
index b2376d6d..d717829a 100644
--- a/policy/modules/contrib/evolution.te
+++ b/policy/modules/contrib/evolution.te
@@ -110,7 +110,7 @@ userdom_user_tmpfs_file(evolution_webcal_tmpfs_t)
# Local policy
#
-allow evolution_t self:capability { setuid setgid sys_nice };
+allow evolution_t self:capability { setgid setuid sys_nice };
allow evolution_t self:process { signal getsched setsched };
allow evolution_t self:fifo_file rw_file_perms;
diff --git a/policy/modules/contrib/exim.te b/policy/modules/contrib/exim.te
index 97dff0ac..66421ff3 100644
--- a/policy/modules/contrib/exim.te
+++ b/policy/modules/contrib/exim.te
@@ -73,7 +73,7 @@ ifdef(`distro_debian',`
# Local policy
#
-allow exim_t self:capability { chown dac_override fowner setuid setgid sys_resource };
+allow exim_t self:capability { chown dac_override fowner setgid setuid sys_resource };
allow exim_t self:process { setrlimit setpgid };
allow exim_t self:fifo_file rw_fifo_file_perms;
allow exim_t self:unix_stream_socket { accept listen };
diff --git a/policy/modules/contrib/fail2ban.te b/policy/modules/contrib/fail2ban.te
index 6f34502d..215d0935 100644
--- a/policy/modules/contrib/fail2ban.te
+++ b/policy/modules/contrib/fail2ban.te
@@ -36,7 +36,7 @@ role fail2ban_client_roles types fail2ban_client_t;
# Server Local policy
#
-allow fail2ban_t self:capability { dac_read_search dac_override sys_tty_config };
+allow fail2ban_t self:capability { dac_override dac_read_search sys_tty_config };
allow fail2ban_t self:process signal;
allow fail2ban_t self:fifo_file rw_fifo_file_perms;
allow fail2ban_t self:unix_stream_socket { accept connectto listen };
diff --git a/policy/modules/contrib/finger.te b/policy/modules/contrib/finger.te
index 0de8ac23..d7fdd5eb 100644
--- a/policy/modules/contrib/finger.te
+++ b/policy/modules/contrib/finger.te
@@ -25,7 +25,7 @@ files_pid_file(fingerd_var_run_t)
#
allow fingerd_t self:capability { setgid setuid };
-dontaudit fingerd_t self:capability { sys_tty_config fsetid };
+dontaudit fingerd_t self:capability { fsetid sys_tty_config };
allow fingerd_t self:process signal_perms;
allow fingerd_t self:fifo_file rw_fifo_file_perms;
allow fingerd_t self:tcp_socket connected_stream_socket_perms;
diff --git a/policy/modules/contrib/ftp.te b/policy/modules/contrib/ftp.te
index faf6863a..7e81e249 100644
--- a/policy/modules/contrib/ftp.te
+++ b/policy/modules/contrib/ftp.te
@@ -170,7 +170,7 @@ ifdef(`enable_mls',`
# Local policy
#
-allow ftpd_t self:capability { chown fowner fsetid ipc_lock kill setgid setuid sys_chroot sys_admin sys_nice sys_resource };
+allow ftpd_t self:capability { chown fowner fsetid ipc_lock kill setgid setuid sys_admin sys_chroot sys_nice sys_resource };
dontaudit ftpd_t self:capability sys_tty_config;
allow ftpd_t self:process { getcap getpgid setcap setsched setrlimit signal_perms };
allow ftpd_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/gdomap.te b/policy/modules/contrib/gdomap.te
index 3227543f..e710d356 100644
--- a/policy/modules/contrib/gdomap.te
+++ b/policy/modules/contrib/gdomap.te
@@ -23,7 +23,7 @@ files_pid_file(gdomap_var_run_t)
# Local policy
#
-allow gdomap_t self:capability { setuid sys_chroot net_bind_service setgid };
+allow gdomap_t self:capability { net_bind_service setgid setuid sys_chroot };
allow gdomap_t self:tcp_socket { listen accept };
allow gdomap_t gdomap_var_run_t:file manage_file_perms;
diff --git a/policy/modules/contrib/glusterfs.te b/policy/modules/contrib/glusterfs.te
index 83a5806a..07bd10d7 100644
--- a/policy/modules/contrib/glusterfs.te
+++ b/policy/modules/contrib/glusterfs.te
@@ -32,7 +32,7 @@ files_type(glusterd_var_lib_t)
# Local policy
#
-allow glusterd_t self:capability { sys_admin sys_resource dac_override chown dac_read_search fowner };
+allow glusterd_t self:capability { chown dac_override dac_read_search fowner sys_admin sys_resource };
allow glusterd_t self:process { setrlimit signal };
allow glusterd_t self:fifo_file rw_fifo_file_perms;
allow glusterd_t self:tcp_socket { accept listen };
diff --git a/policy/modules/contrib/gpm.te b/policy/modules/contrib/gpm.te
index 5cbfa3a6..4e2b5f9c 100644
--- a/policy/modules/contrib/gpm.te
+++ b/policy/modules/contrib/gpm.te
@@ -29,7 +29,7 @@ files_type(gpmctl_t)
# Local policy
#
-allow gpm_t self:capability { setpcap setuid dac_override sys_admin sys_tty_config };
+allow gpm_t self:capability { dac_override setpcap setuid sys_admin sys_tty_config };
allow gpm_t self:process { signal signull getcap setcap };
allow gpm_t self:unix_stream_socket { accept listen };
diff --git a/policy/modules/contrib/gpsd.te b/policy/modules/contrib/gpsd.te
index bd09110f..6f4e8b79 100644
--- a/policy/modules/contrib/gpsd.te
+++ b/policy/modules/contrib/gpsd.te
@@ -27,8 +27,8 @@ files_pid_file(gpsd_var_run_t)
# Local policy
#
-allow gpsd_t self:capability { fowner fsetid setuid setgid sys_nice sys_time sys_tty_config };
-dontaudit gpsd_t self:capability { dac_read_search dac_override };
+allow gpsd_t self:capability { fowner fsetid setgid setuid sys_nice sys_time sys_tty_config };
+dontaudit gpsd_t self:capability { dac_override dac_read_search };
allow gpsd_t self:process { setsched signal_perms };
allow gpsd_t self:shm create_shm_perms;
allow gpsd_t self:unix_dgram_socket sendto;
diff --git a/policy/modules/contrib/hadoop.te b/policy/modules/contrib/hadoop.te
index f22683e3..9f333bfd 100644
--- a/policy/modules/contrib/hadoop.te
+++ b/policy/modules/contrib/hadoop.te
@@ -246,7 +246,7 @@ optional_policy(`
# Common hadoop_initrc_domain local policy
#
-allow hadoop_initrc_domain self:capability { setuid setgid };
+allow hadoop_initrc_domain self:capability { setgid setuid };
dontaudit hadoop_initrc_domain self:capability sys_tty_config;
allow hadoop_initrc_domain self:process setsched;
allow hadoop_initrc_domain self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/hal.te b/policy/modules/contrib/hal.te
index d3296e28..31035d15 100644
--- a/policy/modules/contrib/hal.te
+++ b/policy/modules/contrib/hal.te
@@ -72,7 +72,7 @@ hal_stream_connect(hald_domain)
# Local policy
#
-allow hald_t self:capability { chown setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config };
+allow hald_t self:capability { chown dac_override dac_read_search kill mknod net_admin setgid setuid sys_admin sys_nice sys_rawio sys_tty_config };
dontaudit hald_t self:capability { sys_ptrace sys_tty_config };
allow hald_t self:process { getsched getattr signal_perms };
allow hald_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/ifplugd.te b/policy/modules/contrib/ifplugd.te
index addcca5a..4f1223db 100644
--- a/policy/modules/contrib/ifplugd.te
+++ b/policy/modules/contrib/ifplugd.te
@@ -23,7 +23,7 @@ files_pid_file(ifplugd_var_run_t)
# Local policy
#
-allow ifplugd_t self:capability { net_admin sys_nice net_bind_service };
+allow ifplugd_t self:capability { net_admin net_bind_service sys_nice };
dontaudit ifplugd_t self:capability sys_tty_config;
allow ifplugd_t self:process { signal signull };
allow ifplugd_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/inetd.te b/policy/modules/contrib/inetd.te
index 1974c112..66c15680 100644
--- a/policy/modules/contrib/inetd.te
+++ b/policy/modules/contrib/inetd.te
@@ -37,7 +37,7 @@ ifdef(`enable_mcs',`
# Local policy
#
-allow inetd_t self:capability { setuid setgid sys_resource };
+allow inetd_t self:capability { setgid setuid sys_resource };
dontaudit inetd_t self:capability sys_tty_config;
allow inetd_t self:process { setsched setexec setrlimit };
allow inetd_t self:fifo_file rw_fifo_file_perms;
@@ -204,7 +204,7 @@ optional_policy(`
# Child local policy
#
-allow inetd_child_t self:capability { setuid setgid };
+allow inetd_child_t self:capability { setgid setuid };
allow inetd_child_t self:process signal_perms;
allow inetd_child_t self:fifo_file rw_fifo_file_perms;
allow inetd_child_t self:tcp_socket { accept listen };
diff --git a/policy/modules/contrib/iodine.te b/policy/modules/contrib/iodine.te
index 6eb84095..c35fc069 100644
--- a/policy/modules/contrib/iodine.te
+++ b/policy/modules/contrib/iodine.te
@@ -17,7 +17,7 @@ init_script_file(iodined_initrc_exec_t)
# Local policy
#
-allow iodined_t self:capability { net_admin net_raw sys_chroot setgid setuid };
+allow iodined_t self:capability { net_admin net_raw setgid setuid sys_chroot };
allow iodined_t self:rawip_socket create_socket_perms;
allow iodined_t self:tun_socket create_socket_perms;
allow iodined_t self:udp_socket connected_socket_perms;
diff --git a/policy/modules/contrib/kdump.te b/policy/modules/contrib/kdump.te
index e758c15f..9981dc55 100644
--- a/policy/modules/contrib/kdump.te
+++ b/policy/modules/contrib/kdump.te
@@ -31,7 +31,7 @@ files_tmp_file(kdumpctl_tmp_t)
# Local policy
#
-allow kdump_t self:capability { sys_boot dac_override };
+allow kdump_t self:capability { dac_override sys_boot };
allow kdump_t kdump_etc_t:file read_file_perms;
diff --git a/policy/modules/contrib/kerberos.te b/policy/modules/contrib/kerberos.te
index 38532d33..d226156e 100644
--- a/policy/modules/contrib/kerberos.te
+++ b/policy/modules/contrib/kerberos.te
@@ -74,7 +74,7 @@ files_pid_file(krb5kdc_var_run_t)
# kadmind local policy
#
-allow kadmind_t self:capability { setuid setgid chown fowner dac_override sys_nice };
+allow kadmind_t self:capability { chown dac_override fowner setgid setuid sys_nice };
dontaudit kadmind_t self:capability sys_tty_config;
allow kadmind_t self:capability2 block_suspend;
allow kadmind_t self:process { setfscreate setsched getsched signal_perms };
@@ -174,7 +174,7 @@ optional_policy(`
# Krb5kdc local policy
#
-allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice };
+allow krb5kdc_t self:capability { chown dac_override fowner net_admin setgid setuid sys_nice };
dontaudit krb5kdc_t self:capability sys_tty_config;
allow krb5kdc_t self:capability2 block_suspend;
allow krb5kdc_t self:process { setfscreate setsched getsched signal_perms };
diff --git a/policy/modules/contrib/kismet.te b/policy/modules/contrib/kismet.te
index 30c8c689..a581ece2 100644
--- a/policy/modules/contrib/kismet.te
+++ b/policy/modules/contrib/kismet.te
@@ -38,7 +38,7 @@ files_pid_file(kismet_var_run_t)
# Local policy
#
-allow kismet_t self:capability { dac_override kill net_admin net_raw setuid setgid };
+allow kismet_t self:capability { dac_override kill net_admin net_raw setgid setuid };
allow kismet_t self:process signal_perms;
allow kismet_t self:fifo_file rw_fifo_file_perms;
allow kismet_t self:packet_socket create_socket_perms;
diff --git a/policy/modules/contrib/kudzu.te b/policy/modules/contrib/kudzu.te
index 4116d008..00b43648 100644
--- a/policy/modules/contrib/kudzu.te
+++ b/policy/modules/contrib/kudzu.te
@@ -26,7 +26,7 @@ files_pid_file(kudzu_var_run_t)
# Local policy
#
-allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod };
+allow kudzu_t self:capability { dac_override mknod net_admin sys_admin sys_rawio sys_tty_config };
dontaudit kudzu_t self:capability sys_tty_config;
allow kudzu_t self:process { signal_perms execmem };
allow kudzu_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/ldap.te b/policy/modules/contrib/ldap.te
index b740c730..023884ab 100644
--- a/policy/modules/contrib/ldap.te
+++ b/policy/modules/contrib/ldap.te
@@ -50,7 +50,7 @@ files_pid_file(slapd_var_run_t)
# Local policy
#
-allow slapd_t self:capability { kill setgid setuid net_raw dac_override dac_read_search };
+allow slapd_t self:capability { dac_override dac_read_search kill net_raw setgid setuid };
dontaudit slapd_t self:capability sys_tty_config;
allow slapd_t self:process setsched;
allow slapd_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/likewise.te b/policy/modules/contrib/likewise.te
index 58c05712..21d18a3c 100644
--- a/policy/modules/contrib/likewise.te
+++ b/policy/modules/contrib/likewise.te
@@ -102,7 +102,7 @@ corenet_tcp_sendrecv_epmap_port(eventlogd_t)
# lsassd local policy
#
-allow lsassd_t self:capability { fowner chown fsetid dac_override sys_time };
+allow lsassd_t self:capability { chown dac_override fowner fsetid sys_time };
allow lsassd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow lsassd_t self:netlink_route_socket rw_netlink_socket_perms;
@@ -165,7 +165,7 @@ optional_policy(`
# lwiod local policy
#
-allow lwiod_t self:capability { fowner chown fsetid dac_override sys_resource };
+allow lwiod_t self:capability { chown dac_override fowner fsetid sys_resource };
allow lwiod_t self:process setrlimit;
allow lwiod_t self:netlink_route_socket rw_netlink_socket_perms;
diff --git a/policy/modules/contrib/logrotate.te b/policy/modules/contrib/logrotate.te
index e2daa42d..1179568b 100644
--- a/policy/modules/contrib/logrotate.te
+++ b/policy/modules/contrib/logrotate.te
@@ -36,7 +36,7 @@ role system_r types logrotate_mail_t;
# Local policy
#
-allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner setuid setgid sys_resource sys_nice };
+allow logrotate_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_nice sys_resource };
allow logrotate_t self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap };
allow logrotate_t self:fd use;
allow logrotate_t self:key manage_key_perms;
diff --git a/policy/modules/contrib/logwatch.te b/policy/modules/contrib/logwatch.te
index 353a5311..24f1c17b 100644
--- a/policy/modules/contrib/logwatch.te
+++ b/policy/modules/contrib/logwatch.te
@@ -173,7 +173,7 @@ optional_policy(`
# Mail local policy
#
-allow logwatch_mail_t self:capability { dac_read_search dac_override };
+allow logwatch_mail_t self:capability { dac_override dac_read_search };
allow logwatch_mail_t logwatch_t:fd use;
allow logwatch_mail_t logwatch_t:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/lpd.te b/policy/modules/contrib/lpd.te
index fc70ff9e..8ebe2435 100644
--- a/policy/modules/contrib/lpd.te
+++ b/policy/modules/contrib/lpd.te
@@ -62,7 +62,7 @@ files_config_file(printconf_t)
# Checkpc local policy
#
-allow checkpc_t self:capability { setgid setuid dac_override };
+allow checkpc_t self:capability { dac_override setgid setuid };
allow checkpc_t self:process signal_perms;
allow checkpc_t self:unix_stream_socket create_socket_perms;
allow checkpc_t self:tcp_socket create_socket_perms;
@@ -126,7 +126,7 @@ optional_policy(`
# Lpd local policy
#
-allow lpd_t self:capability { setgid setuid dac_read_search dac_override chown fowner };
+allow lpd_t self:capability { chown dac_override dac_read_search fowner setgid setuid };
dontaudit lpd_t self:capability sys_tty_config;
allow lpd_t self:process signal_perms;
allow lpd_t self:fifo_file rw_fifo_file_perms;
@@ -214,7 +214,7 @@ optional_policy(`
# Lpr local policy
#
-allow lpr_t self:capability { setuid dac_override net_bind_service chown };
+allow lpr_t self:capability { chown dac_override net_bind_service setuid };
allow lpr_t self:unix_stream_socket { accept listen };
allow lpd_t print_spool_t:file { read_file_perms rename_file_perms delete_file_perms };
diff --git a/policy/modules/contrib/mailman.te b/policy/modules/contrib/mailman.te
index 46d98e79..7421ce3a 100644
--- a/policy/modules/contrib/mailman.te
+++ b/policy/modules/contrib/mailman.te
@@ -115,7 +115,7 @@ optional_policy(`
# Mail local policy
#
-allow mailman_mail_t self:capability { kill dac_override setuid setgid sys_tty_config };
+allow mailman_mail_t self:capability { dac_override kill setgid setuid sys_tty_config };
allow mailman_mail_t self:process { signal signull };
manage_files_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t)
diff --git a/policy/modules/contrib/mailscanner.te b/policy/modules/contrib/mailscanner.te
index 14840eda..d8dcb317 100644
--- a/policy/modules/contrib/mailscanner.te
+++ b/policy/modules/contrib/mailscanner.te
@@ -29,7 +29,7 @@ files_pid_file(mscan_var_run_t)
# Local policy
#
-allow mscan_t self:capability { setuid chown setgid dac_override };
+allow mscan_t self:capability { chown dac_override setgid setuid };
allow mscan_t self:process signal;
allow mscan_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/mandb.te b/policy/modules/contrib/mandb.te
index ce0ac3c8..142e7e07 100644
--- a/policy/modules/contrib/mandb.te
+++ b/policy/modules/contrib/mandb.te
@@ -21,7 +21,7 @@ init_unit_file(mandb_unit_t)
# Local policy
#
-allow mandb_t self:capability { setuid setgid };
+allow mandb_t self:capability { setgid setuid };
allow mandb_t self:process { setsched signal };
allow mandb_t self:fifo_file rw_fifo_file_perms;
allow mandb_t self:unix_stream_socket create_stream_socket_perms;
diff --git a/policy/modules/contrib/memcached.te b/policy/modules/contrib/memcached.te
index 570035ef..c90c632f 100644
--- a/policy/modules/contrib/memcached.te
+++ b/policy/modules/contrib/memcached.te
@@ -20,7 +20,7 @@ files_pid_file(memcached_var_run_t)
# Local policy
#
-allow memcached_t self:capability { setuid setgid };
+allow memcached_t self:capability { setgid setuid };
dontaudit memcached_t self:capability sys_tty_config;
allow memcached_t self:process { setrlimit signal_perms };
allow memcached_t self:tcp_socket { accept listen };
diff --git a/policy/modules/contrib/milter.te b/policy/modules/contrib/milter.te
index c25488c9..7c4b347d 100644
--- a/policy/modules/contrib/milter.te
+++ b/policy/modules/contrib/milter.te
@@ -82,7 +82,7 @@ optional_policy(`
# regex local policy
#
-allow regex_milter_t self:capability { setuid setgid dac_override };
+allow regex_milter_t self:capability { dac_override setgid setuid };
files_search_spool(regex_milter_t)
diff --git a/policy/modules/contrib/minissdpd.te b/policy/modules/contrib/minissdpd.te
index f1a37029..d16cdb1b 100644
--- a/policy/modules/contrib/minissdpd.te
+++ b/policy/modules/contrib/minissdpd.te
@@ -23,7 +23,7 @@ files_pid_file(minissdpd_var_run_t)
# Local policy
#
-allow minissdpd_t self:capability { sys_module net_admin };
+allow minissdpd_t self:capability { net_admin sys_module };
allow minissdpd_t self:netlink_route_socket r_netlink_socket_perms;
allow minissdpd_t self:udp_socket create_socket_perms;
allow minissdpd_t self:unix_dgram_socket create_socket_perms;
diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
index fa651ed4..85d6bda1 100644
--- a/policy/modules/contrib/mozilla.te
+++ b/policy/modules/contrib/mozilla.te
@@ -81,7 +81,7 @@ userdom_user_tmpfs_file(mozilla_tmpfs_t)
# Local policy
#
-allow mozilla_t self:capability { sys_nice setgid setuid };
+allow mozilla_t self:capability { setgid setuid sys_nice };
allow mozilla_t self:process { sigkill signal setsched getsched setrlimit };
allow mozilla_t self:fifo_file rw_fifo_file_perms;
allow mozilla_t self:shm create_shm_perms;
@@ -533,7 +533,7 @@ optional_policy(`
# Plugin config local policy
#
-allow mozilla_plugin_config_t self:capability { dac_override dac_read_search sys_nice setuid setgid };
+allow mozilla_plugin_config_t self:capability { dac_override dac_read_search setgid setuid sys_nice };
allow mozilla_plugin_config_t self:process { setsched signal_perms getsched };
allow mozilla_plugin_config_t self:fifo_file rw_fifo_file_perms;
allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms;
diff --git a/policy/modules/contrib/mrtg.te b/policy/modules/contrib/mrtg.te
index 42b484c0..5126d9d5 100644
--- a/policy/modules/contrib/mrtg.te
+++ b/policy/modules/contrib/mrtg.te
@@ -32,7 +32,7 @@ files_pid_file(mrtg_var_run_t)
# Local policy
#
-allow mrtg_t self:capability { setgid setuid chown };
+allow mrtg_t self:capability { chown setgid setuid };
dontaudit mrtg_t self:capability sys_tty_config;
allow mrtg_t self:process signal_perms;
allow mrtg_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/mta.te b/policy/modules/contrib/mta.te
index f0c4b92c..9a3ee20e 100644
--- a/policy/modules/contrib/mta.te
+++ b/policy/modules/contrib/mta.te
@@ -55,7 +55,7 @@ userdom_user_tmp_file(user_mail_tmp_t)
# Common base mail policy
#
-allow user_mail_domain self:capability { setuid setgid chown };
+allow user_mail_domain self:capability { chown setgid setuid };
allow user_mail_domain self:process { signal_perms setrlimit };
allow user_mail_domain self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/nagios.te b/policy/modules/contrib/nagios.te
index 3f1a7b95..44c2abcd 100644
--- a/policy/modules/contrib/nagios.te
+++ b/policy/modules/contrib/nagios.te
@@ -216,8 +216,8 @@ optional_policy(`
# Nrpe local policy
#
-allow nrpe_t self:capability { setuid setgid };
-dontaudit nrpe_t self:capability { sys_tty_config sys_resource };
+allow nrpe_t self:capability { setgid setuid };
+dontaudit nrpe_t self:capability { sys_resource sys_tty_config };
allow nrpe_t self:process { setpgid signal_perms setsched setrlimit };
allow nrpe_t self:fifo_file rw_fifo_file_perms;
allow nrpe_t self:tcp_socket { accept listen };
@@ -311,7 +311,7 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t)
# Mail local policy
#
-allow nagios_mail_plugin_t self:capability { setuid setgid dac_override };
+allow nagios_mail_plugin_t self:capability { dac_override setgid setuid };
allow nagios_mail_plugin_t self:tcp_socket { accept listen };
kernel_read_kernel_sysctls(nagios_mail_plugin_t)
@@ -405,7 +405,7 @@ optional_policy(`
#
allow nagios_system_plugin_t self:capability dac_override;
-dontaudit nagios_system_plugin_t self:capability { setuid setgid };
+dontaudit nagios_system_plugin_t self:capability { setgid setuid };
read_files_pattern(nagios_system_plugin_t, nagios_log_t, nagios_log_t)
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index 27b92658..cde12ad5 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -47,8 +47,8 @@ ifdef(`distro_gentoo',`
# Local policy
#
-allow NetworkManager_t self:capability { fowner chown fsetid kill setgid setuid sys_nice dac_override net_admin net_raw ipc_lock };
-dontaudit NetworkManager_t self:capability { sys_tty_config sys_module sys_ptrace };
+allow NetworkManager_t self:capability { chown dac_override fowner fsetid ipc_lock kill net_admin net_raw setgid setuid sys_nice };
+dontaudit NetworkManager_t self:capability { sys_module sys_ptrace sys_tty_config };
allow NetworkManager_t self:capability2 wake_alarm;
allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms };
allow NetworkManager_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/nslcd.te b/policy/modules/contrib/nslcd.te
index 40682ca2..30639e64 100644
--- a/policy/modules/contrib/nslcd.te
+++ b/policy/modules/contrib/nslcd.te
@@ -23,7 +23,7 @@ files_config_file(nslcd_conf_t)
# Local policy
#
-allow nslcd_t self:capability { setgid setuid dac_override };
+allow nslcd_t self:capability { dac_override setgid setuid };
allow nslcd_t self:process signal;
allow nslcd_t self:unix_stream_socket { accept listen };
diff --git a/policy/modules/contrib/ntop.te b/policy/modules/contrib/ntop.te
index a3503716..025f5d4a 100644
--- a/policy/modules/contrib/ntop.te
+++ b/policy/modules/contrib/ntop.te
@@ -29,7 +29,7 @@ files_pid_file(ntop_var_run_t)
# Local Policy
#
-allow ntop_t self:capability { net_raw setgid setuid sys_admin net_admin };
+allow ntop_t self:capability { net_admin net_raw setgid setuid sys_admin };
dontaudit ntop_t self:capability sys_tty_config;
allow ntop_t self:process signal_perms;
allow ntop_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/ntp.te b/policy/modules/contrib/ntp.te
index c7c27be5..2fcf0a40 100644
--- a/policy/modules/contrib/ntp.te
+++ b/policy/modules/contrib/ntp.te
@@ -47,8 +47,8 @@ init_system_domain(ntpd_t, ntpdate_exec_t)
# Local policy
#
-allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock ipc_owner sys_chroot sys_nice sys_resource };
-dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice };
+allow ntpd_t self:capability { chown dac_override ipc_lock ipc_owner kill setgid setuid sys_chroot sys_nice sys_resource sys_time };
+dontaudit ntpd_t self:capability { fsetid net_admin sys_nice sys_tty_config };
allow ntpd_t self:process { signal_perms getcap setcap setsched setrlimit };
allow ntpd_t self:fifo_file rw_fifo_file_perms;
allow ntpd_t self:shm create_shm_perms;
diff --git a/policy/modules/contrib/nut.te b/policy/modules/contrib/nut.te
index 8086281f..d38ced7b 100644
--- a/policy/modules/contrib/nut.te
+++ b/policy/modules/contrib/nut.te
@@ -34,7 +34,7 @@ init_daemon_pid_file(nut_var_run_t, dir, "nut")
# Common nut domain local policy
#
-allow nut_domain self:capability { setgid setuid dac_override kill };
+allow nut_domain self:capability { dac_override kill setgid setuid };
allow nut_domain self:process signal_perms;
allow nut_domain self:fifo_file rw_fifo_file_perms;
allow nut_domain self:unix_dgram_socket sendto;
diff --git a/policy/modules/contrib/oddjob.te b/policy/modules/contrib/oddjob.te
index c01d4f62..507d6d24 100644
--- a/policy/modules/contrib/oddjob.te
+++ b/policy/modules/contrib/oddjob.te
@@ -74,7 +74,7 @@ optional_policy(`
# Mkhomedir local policy
#
-allow oddjob_mkhomedir_t self:capability { chown fowner fsetid dac_override };
+allow oddjob_mkhomedir_t self:capability { chown dac_override fowner fsetid };
allow oddjob_mkhomedir_t self:process setfscreate;
allow oddjob_mkhomedir_t self:fifo_file rw_fifo_file_perms;
allow oddjob_mkhomedir_t self:unix_stream_socket { accept listen };
diff --git a/policy/modules/contrib/oident.te b/policy/modules/contrib/oident.te
index 0cf6cfe3..c1f42dc1 100644
--- a/policy/modules/contrib/oident.te
+++ b/policy/modules/contrib/oident.te
@@ -25,7 +25,7 @@ files_config_file(oidentd_config_t)
# Local policy
#
-allow oidentd_t self:capability { setuid setgid };
+allow oidentd_t self:capability { setgid setuid };
allow oidentd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow oidentd_t self:tcp_socket { accept listen };
diff --git a/policy/modules/contrib/openvpn.te b/policy/modules/contrib/openvpn.te
index cce20317..465716f6 100644
--- a/policy/modules/contrib/openvpn.te
+++ b/policy/modules/contrib/openvpn.te
@@ -54,7 +54,7 @@ files_pid_file(openvpn_var_run_t)
# Local policy
#
-allow openvpn_t self:capability { dac_read_search dac_override ipc_lock net_admin setgid setuid sys_chroot sys_tty_config sys_nice };
+allow openvpn_t self:capability { dac_override dac_read_search ipc_lock net_admin setgid setuid sys_chroot sys_nice sys_tty_config };
allow openvpn_t self:process { signal getsched setsched };
allow openvpn_t self:fifo_file rw_fifo_file_perms;
allow openvpn_t self:unix_dgram_socket sendto;
diff --git a/policy/modules/contrib/openvswitch.te b/policy/modules/contrib/openvswitch.te
index 04cbe909..b9790021 100644
--- a/policy/modules/contrib/openvswitch.te
+++ b/policy/modules/contrib/openvswitch.te
@@ -32,7 +32,7 @@ files_pid_file(openvswitch_var_run_t)
# Local policy
#
-allow openvswitch_t self:capability { net_admin sys_nice sys_resource ipc_lock };
+allow openvswitch_t self:capability { ipc_lock net_admin sys_nice sys_resource };
allow openvswitch_t self:process { setrlimit setsched signal };
allow openvswitch_t self:fifo_file rw_fifo_file_perms;
allow openvswitch_t self:rawip_socket create_socket_perms;
diff --git a/policy/modules/contrib/pacemaker.te b/policy/modules/contrib/pacemaker.te
index 6d1b3c4d..218470bb 100644
--- a/policy/modules/contrib/pacemaker.te
+++ b/policy/modules/contrib/pacemaker.te
@@ -29,7 +29,7 @@ files_pid_file(pacemaker_var_run_t)
# Local policy
#
-allow pacemaker_t self:capability { fowner fsetid kill chown dac_override setuid };
+allow pacemaker_t self:capability { chown dac_override fowner fsetid kill setuid };
allow pacemaker_t self:process { setrlimit signal setpgid };
allow pacemaker_t self:fifo_file rw_fifo_file_perms;
allow pacemaker_t self:unix_stream_socket { connectto accept listen };
diff --git a/policy/modules/contrib/passenger.te b/policy/modules/contrib/passenger.te
index 85fb36db..b6181456 100644
--- a/policy/modules/contrib/passenger.te
+++ b/policy/modules/contrib/passenger.te
@@ -25,7 +25,7 @@ files_pid_file(passenger_var_run_t)
# Local policy
#
-allow passenger_t self:capability { chown dac_override fsetid fowner kill setuid setgid sys_nice sys_ptrace sys_resource };
+allow passenger_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice sys_ptrace sys_resource };
allow passenger_t self:process { setpgid setsched sigkill signal };
allow passenger_t self:fifo_file rw_fifo_file_perms;
allow passenger_t self:unix_stream_socket { accept connectto listen };
diff --git a/policy/modules/contrib/pcmcia.te b/policy/modules/contrib/pcmcia.te
index ceab5763..230f1f00 100644
--- a/policy/modules/contrib/pcmcia.te
+++ b/policy/modules/contrib/pcmcia.te
@@ -29,7 +29,7 @@ role cardmgr_roles types cardmgr_t;
# Local policy
#
-allow cardmgr_t self:capability { dac_read_search dac_override setuid net_admin sys_admin sys_nice sys_tty_config mknod };
+allow cardmgr_t self:capability { dac_override dac_read_search mknod net_admin setuid sys_admin sys_nice sys_tty_config };
dontaudit cardmgr_t self:capability sys_tty_config;
allow cardmgr_t self:process signal_perms;
allow cardmgr_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/pegasus.te b/policy/modules/contrib/pegasus.te
index 6d8c0192..b2138295 100644
--- a/policy/modules/contrib/pegasus.te
+++ b/policy/modules/contrib/pegasus.te
@@ -35,7 +35,7 @@ files_pid_file(pegasus_var_run_t)
# Local policy
#
-allow pegasus_t self:capability { chown kill ipc_lock sys_nice setuid setgid dac_override net_admin net_bind_service };
+allow pegasus_t self:capability { chown dac_override ipc_lock kill net_admin net_bind_service setgid setuid sys_nice };
dontaudit pegasus_t self:capability sys_tty_config;
allow pegasus_t self:process signal;
allow pegasus_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/pkcs.te b/policy/modules/contrib/pkcs.te
index 1d1635d4..b10f18e7 100644
--- a/policy/modules/contrib/pkcs.te
+++ b/policy/modules/contrib/pkcs.te
@@ -29,7 +29,7 @@ files_tmpfs_file(pkcs_slotd_tmpfs_t)
# Local policy
#
-allow pkcs_slotd_t self:capability { fsetid kill chown };
+allow pkcs_slotd_t self:capability { chown fsetid kill };
allow pkcs_slotd_t self:fifo_file rw_fifo_file_perms;
allow pkcs_slotd_t self:sem create_sem_perms;
allow pkcs_slotd_t self:shm create_shm_perms;
diff --git a/policy/modules/contrib/podsleuth.te b/policy/modules/contrib/podsleuth.te
index 9123f715..83dc77b5 100644
--- a/policy/modules/contrib/podsleuth.te
+++ b/policy/modules/contrib/podsleuth.te
@@ -28,7 +28,7 @@ userdom_user_tmpfs_file(podsleuth_tmpfs_t)
# Local policy
#
-allow podsleuth_t self:capability { kill dac_override sys_admin sys_rawio };
+allow podsleuth_t self:capability { dac_override kill sys_admin sys_rawio };
allow podsleuth_t self:process { ptrace signal signull getsched execheap execmem execstack };
allow podsleuth_t self:fifo_file rw_fifo_file_perms;
allow podsleuth_t self:unix_stream_socket create_stream_socket_perms;
diff --git a/policy/modules/contrib/portage.if b/policy/modules/contrib/portage.if
index e990d79a..cad9b9f1 100644
--- a/policy/modules/contrib/portage.if
+++ b/policy/modules/contrib/portage.if
@@ -72,7 +72,7 @@ interface(`portage_compile_domain',`
type portage_tmp_t, portage_tmpfs_t;
')
- allow $1 self:capability { fowner fsetid mknod setgid setuid chown dac_override net_raw };
+ allow $1 self:capability { chown dac_override fowner fsetid mknod net_raw setgid setuid };
dontaudit $1 self:capability sys_chroot;
allow $1 self:process { setpgid setsched setrlimit signal_perms execmem setfscreate };
allow $1 self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap };
diff --git a/policy/modules/contrib/portage.te b/policy/modules/contrib/portage.te
index 87ca0c6c..ef04131e 100644
--- a/policy/modules/contrib/portage.te
+++ b/policy/modules/contrib/portage.te
@@ -160,7 +160,7 @@ optional_policy(`
# - setfscreate for merging to live fs
allow portage_t self:process { setfscreate };
# - kill for mysql merging, at least
-allow portage_t self:capability { sys_nice kill setfcap };
+allow portage_t self:capability { kill setfcap sys_nice };
dontaudit portage_t self:capability { dac_read_search };
dontaudit portage_t self:netlink_route_socket rw_netlink_socket_perms;
@@ -247,7 +247,7 @@ dontaudit portage_t device_type:blk_file read_blk_file_perms;
#
allow portage_fetch_t self:process signal;
-allow portage_fetch_t self:capability { dac_override fowner fsetid chown };
+allow portage_fetch_t self:capability { chown dac_override fowner fsetid };
allow portage_fetch_t self:fifo_file rw_fifo_file_perms;
allow portage_fetch_t self:tcp_socket { accept listen };
allow portage_fetch_t self:unix_stream_socket create_socket_perms;
diff --git a/policy/modules/contrib/portmap.te b/policy/modules/contrib/portmap.te
index 292b3aa8..2a8c850b 100644
--- a/policy/modules/contrib/portmap.te
+++ b/policy/modules/contrib/portmap.te
@@ -30,7 +30,7 @@ files_pid_file(portmap_var_run_t)
# Local policy
#
-allow portmap_t self:capability { setuid setgid };
+allow portmap_t self:capability { setgid setuid };
dontaudit portmap_t self:capability sys_tty_config;
allow portmap_t self:unix_stream_socket { accept listen };
allow portmap_t self:tcp_socket { accept listen };
diff --git a/policy/modules/contrib/portreserve.te b/policy/modules/contrib/portreserve.te
index 7e05b61b..a09698ce 100644
--- a/policy/modules/contrib/portreserve.te
+++ b/policy/modules/contrib/portreserve.te
@@ -23,7 +23,7 @@ files_pid_file(portreserve_var_run_t)
# Local policy
#
-allow portreserve_t self:capability { dac_read_search dac_override };
+allow portreserve_t self:capability { dac_override dac_read_search };
allow portreserve_t self:fifo_file rw_fifo_file_perms;
allow portreserve_t self:unix_stream_socket create_stream_socket_perms;
allow portreserve_t self:unix_dgram_socket { create_socket_perms sendto };
diff --git a/policy/modules/contrib/portslave.te b/policy/modules/contrib/portslave.te
index cbe36c1d..b34887c9 100644
--- a/policy/modules/contrib/portslave.te
+++ b/policy/modules/contrib/portslave.te
@@ -21,7 +21,7 @@ files_lock_file(portslave_lock_t)
# Local policy
#
-allow portslave_t self:capability { setuid setgid net_admin fsetid net_bind_service sys_tty_config };
+allow portslave_t self:capability { fsetid net_admin net_bind_service setgid setuid sys_tty_config };
dontaudit portslave_t self:capability sys_admin;
allow portslave_t self:process signal_perms;
allow portslave_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te
index 1f1a396f..74cb3d7e 100644
--- a/policy/modules/contrib/postfix.te
+++ b/policy/modules/contrib/postfix.te
@@ -108,7 +108,7 @@ mta_mailserver_delivery(postfix_virtual_t)
# Common postfix domain local policy
#
-allow postfix_domain self:capability { sys_nice sys_chroot };
+allow postfix_domain self:capability { sys_chroot sys_nice };
dontaudit postfix_domain self:capability sys_tty_config;
allow postfix_domain self:process { signal_perms setpgid setsched };
allow postfix_domain self:fifo_file rw_fifo_file_perms;
@@ -171,7 +171,7 @@ optional_policy(`
# Common postfix server domain local policy
#
-allow postfix_server_domain self:capability { setuid setgid dac_override };
+allow postfix_server_domain self:capability { dac_override setgid setuid };
allow postfix_server_domain postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
@@ -198,7 +198,7 @@ domain_use_interactive_fds(postfix_user_domains)
# Master local policy
#
-allow postfix_master_t self:capability { chown dac_override kill fowner setgid setuid sys_tty_config };
+allow postfix_master_t self:capability { chown dac_override fowner kill setgid setuid sys_tty_config };
allow postfix_master_t self:capability2 block_suspend;
allow postfix_master_t self:process setrlimit;
allow postfix_master_t self:tcp_socket create_stream_socket_perms;
@@ -683,7 +683,7 @@ corecmd_exec_bin(postfix_qmgr_t)
# Showq local policy
#
-allow postfix_showq_t self:capability { setuid setgid };
+allow postfix_showq_t self:capability { setgid setuid };
allow postfix_showq_t postfix_master_t:unix_stream_socket { accept rw_socket_perms };
diff --git a/policy/modules/contrib/postfixpolicyd.te b/policy/modules/contrib/postfixpolicyd.te
index 153fb19c..621e1817 100644
--- a/policy/modules/contrib/postfixpolicyd.te
+++ b/policy/modules/contrib/postfixpolicyd.te
@@ -23,7 +23,7 @@ files_pid_file(postfix_policyd_var_run_t)
# Local policy
#
-allow postfix_policyd_t self:capability { sys_resource sys_chroot setgid setuid };
+allow postfix_policyd_t self:capability { setgid setuid sys_chroot sys_resource };
allow postfix_policyd_t self:process setrlimit;
allow postfix_policyd_t self:tcp_socket { accept listen };
diff --git a/policy/modules/contrib/ppp.te b/policy/modules/contrib/ppp.te
index 27718824..1015b4ee 100644
--- a/policy/modules/contrib/ppp.te
+++ b/policy/modules/contrib/ppp.te
@@ -78,7 +78,7 @@ userdom_user_home_content(ppp_home_t)
# PPPD local policy
#
-allow pppd_t self:capability { kill net_admin setuid setgid sys_admin fsetid fowner net_raw dac_override sys_nice };
+allow pppd_t self:capability { dac_override fowner fsetid kill net_admin net_raw setgid setuid sys_admin sys_nice };
dontaudit pppd_t self:capability sys_tty_config;
allow pppd_t self:process { getsched setsched signal };
allow pppd_t self:fifo_file rw_fifo_file_perms;
@@ -224,7 +224,7 @@ optional_policy(`
# PPTP local policy
#
-allow pptp_t self:capability { dac_override dac_read_search net_raw net_admin };
+allow pptp_t self:capability { dac_override dac_read_search net_admin net_raw };
dontaudit pptp_t self:capability sys_tty_config;
allow pptp_t self:process signal;
allow pptp_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/procmail.te b/policy/modules/contrib/procmail.te
index a4fa22b0..8a842661 100644
--- a/policy/modules/contrib/procmail.te
+++ b/policy/modules/contrib/procmail.te
@@ -24,7 +24,7 @@ files_tmp_file(procmail_tmp_t)
# Local policy
#
-allow procmail_t self:capability { sys_nice chown fsetid setuid setgid dac_override };
+allow procmail_t self:capability { chown dac_override fsetid setgid setuid sys_nice };
allow procmail_t self:process { setsched signal signull };
allow procmail_t self:fifo_file rw_fifo_file_perms;
allow procmail_t self:tcp_socket { accept listen };
diff --git a/policy/modules/contrib/psad.te b/policy/modules/contrib/psad.te
index 3336ca7e..b94e44a9 100644
--- a/policy/modules/contrib/psad.te
+++ b/policy/modules/contrib/psad.te
@@ -32,7 +32,7 @@ files_tmp_file(psad_tmp_t)
# Local policy
#
-allow psad_t self:capability { net_admin net_raw setuid setgid dac_override };
+allow psad_t self:capability { dac_override net_admin net_raw setgid setuid };
dontaudit psad_t self:capability sys_tty_config;
allow psad_t self:process signal_perms;
allow psad_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index e9a4a507..ac9811ea 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -44,7 +44,7 @@ files_pid_file(pulseaudio_var_run_t)
# Local policy
#
-allow pulseaudio_t self:capability { fowner fsetid chown setgid setuid sys_nice sys_resource sys_tty_config };
+allow pulseaudio_t self:capability { chown fowner fsetid setgid setuid sys_nice sys_resource sys_tty_config };
allow pulseaudio_t self:process { getcap getsched setcap setrlimit setsched signal signull };
allow pulseaudio_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/puppet.te b/policy/modules/contrib/puppet.te
index 4f496964..0e8161a2 100644
--- a/policy/modules/contrib/puppet.te
+++ b/policy/modules/contrib/puppet.te
@@ -59,7 +59,7 @@ files_tmp_file(puppetmaster_tmp_t)
# Local policy
#
-allow puppet_t self:capability { chown fowner fsetid setuid setgid dac_override sys_admin sys_nice sys_tty_config };
+allow puppet_t self:capability { chown dac_override fowner fsetid setgid setuid sys_admin sys_nice sys_tty_config };
allow puppet_t self:process { signal signull getsched setsched };
allow puppet_t self:fifo_file rw_fifo_file_perms;
allow puppet_t self:netlink_route_socket create_netlink_socket_perms;
@@ -255,7 +255,7 @@ optional_policy(`
# Master local policy
#
-allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config };
+allow puppetmaster_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid sys_tty_config };
allow puppetmaster_t self:process { signal_perms getsched setsched };
allow puppetmaster_t self:fifo_file rw_fifo_file_perms;
allow puppetmaster_t self:netlink_route_socket nlmsg_write;
diff --git a/policy/modules/contrib/qemu.if b/policy/modules/contrib/qemu.if
index 32b48657..efdc5286 100644
--- a/policy/modules/contrib/qemu.if
+++ b/policy/modules/contrib/qemu.if
@@ -27,7 +27,7 @@ template(`qemu_domain_template',`
# Policy
#
- allow $1_t self:capability { dac_read_search dac_override };
+ allow $1_t self:capability { dac_override dac_read_search };
allow $1_t self:process { execstack execmem signal getsched };
allow $1_t self:fifo_file rw_file_perms;
allow $1_t self:shm create_shm_perms;
diff --git a/policy/modules/contrib/qmail.te b/policy/modules/contrib/qmail.te
index a40ba2a2..455f2c0e 100644
--- a/policy/modules/contrib/qmail.te
+++ b/policy/modules/contrib/qmail.te
@@ -145,7 +145,7 @@ optional_policy(`
# Lspawn local policy
#
-allow qmail_lspawn_t self:capability { setuid setgid };
+allow qmail_lspawn_t self:capability { setgid setuid };
allow qmail_lspawn_t self:process signal_perms;
allow qmail_lspawn_t self:fifo_file rw_fifo_file_perms;
allow qmail_lspawn_t self:unix_stream_socket create_socket_perms;
diff --git a/policy/modules/contrib/quota.te b/policy/modules/contrib/quota.te
index 9952f537..95fc0aa3 100644
--- a/policy/modules/contrib/quota.te
+++ b/policy/modules/contrib/quota.te
@@ -33,7 +33,7 @@ files_pid_file(quota_nld_var_run_t)
# Local policy
#
-allow quota_t self:capability { sys_admin dac_override };
+allow quota_t self:capability { dac_override sys_admin };
dontaudit quota_t self:capability sys_tty_config;
allow quota_t self:process signal_perms;
diff --git a/policy/modules/contrib/radvd.te b/policy/modules/contrib/radvd.te
index 1d7fbfe4..41df3b57 100644
--- a/policy/modules/contrib/radvd.te
+++ b/policy/modules/contrib/radvd.te
@@ -22,7 +22,7 @@ files_pid_file(radvd_var_run_t)
# Local policy
#
-allow radvd_t self:capability { kill setgid setuid net_raw net_admin };
+allow radvd_t self:capability { kill net_admin net_raw setgid setuid };
dontaudit radvd_t self:capability sys_tty_config;
allow radvd_t self:process signal_perms;
allow radvd_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/raid.te b/policy/modules/contrib/raid.te
index ad21e093..49c7dbb4 100644
--- a/policy/modules/contrib/raid.te
+++ b/policy/modules/contrib/raid.te
@@ -27,7 +27,7 @@ dev_associate(mdadm_var_run_t)
# Local policy
#
-allow mdadm_t self:capability { dac_override sys_admin ipc_lock };
+allow mdadm_t self:capability { dac_override ipc_lock sys_admin };
dontaudit mdadm_t self:capability sys_tty_config;
allow mdadm_t self:process { getsched setsched signal_perms };
allow mdadm_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/readahead.te b/policy/modules/contrib/readahead.te
index 080c0ad0..ec587591 100644
--- a/policy/modules/contrib/readahead.te
+++ b/policy/modules/contrib/readahead.te
@@ -22,7 +22,7 @@ init_daemon_pid_file(readahead_var_run_t, dir, "readahead")
# Local policy
#
-allow readahead_t self:capability { sys_admin fowner dac_override dac_read_search };
+allow readahead_t self:capability { dac_override dac_read_search fowner sys_admin };
dontaudit readahead_t self:capability { net_admin sys_tty_config };
allow readahead_t self:process { setsched signal_perms };
diff --git a/policy/modules/contrib/remotelogin.te b/policy/modules/contrib/remotelogin.te
index ae308717..3130db86 100644
--- a/policy/modules/contrib/remotelogin.te
+++ b/policy/modules/contrib/remotelogin.te
@@ -18,7 +18,7 @@ files_tmp_file(remote_login_tmp_t)
# Local policy
#
-allow remote_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config };
+allow remote_login_t self:capability { chown dac_override fowner fsetid kill net_bind_service setgid setuid sys_nice sys_resource sys_tty_config };
allow remote_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow remote_login_t self:process { setrlimit setexec };
allow remote_login_t self:fd use;
diff --git a/policy/modules/contrib/rgmanager.te b/policy/modules/contrib/rgmanager.te
index c533810f..905c3d44 100644
--- a/policy/modules/contrib/rgmanager.te
+++ b/policy/modules/contrib/rgmanager.te
@@ -37,7 +37,7 @@ files_pid_file(rgmanager_var_run_t)
# Local policy
#
-allow rgmanager_t self:capability { dac_override net_raw sys_resource sys_admin sys_nice ipc_lock };
+allow rgmanager_t self:capability { dac_override ipc_lock net_raw sys_admin sys_nice sys_resource };
allow rgmanager_t self:process { setsched signal };
allow rgmanager_t self:fifo_file rw_fifo_file_perms;
allow rgmanager_t self:unix_stream_socket { accept listen };
diff --git a/policy/modules/contrib/rhcs.te b/policy/modules/contrib/rhcs.te
index 4c58d123..85a3a066 100644
--- a/policy/modules/contrib/rhcs.te
+++ b/policy/modules/contrib/rhcs.te
@@ -170,7 +170,7 @@ tunable_policy(`fenced_can_network_connect',`
optional_policy(`
tunable_policy(`fenced_can_ssh',`
- allow fenced_t self:capability { setuid setgid };
+ allow fenced_t self:capability { setgid setuid };
corenet_sendrecv_ssh_client_packets(fenced_t)
corenet_tcp_connect_ssh_port(fenced_t)
diff --git a/policy/modules/contrib/ricci.te b/policy/modules/contrib/ricci.te
index 794dcd36..326d7b85 100644
--- a/policy/modules/contrib/ricci.te
+++ b/policy/modules/contrib/ricci.te
@@ -78,7 +78,7 @@ files_lock_file(ricci_modstorage_lock_t)
# Local policy
#
-allow ricci_t self:capability { setuid sys_nice sys_boot };
+allow ricci_t self:capability { setuid sys_boot sys_nice };
allow ricci_t self:process setsched;
allow ricci_t self:fifo_file rw_fifo_file_perms;
allow ricci_t self:unix_stream_socket { accept connectto listen };
diff --git a/policy/modules/contrib/rlogin.te b/policy/modules/contrib/rlogin.te
index 0714e380..94d41e81 100644
--- a/policy/modules/contrib/rlogin.te
+++ b/policy/modules/contrib/rlogin.te
@@ -31,7 +31,7 @@ files_pid_file(rlogind_var_run_t)
# Local policy
#
-allow rlogind_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override };
+allow rlogind_t self:capability { chown dac_override fowner fsetid setgid setuid sys_tty_config };
allow rlogind_t self:process signal_perms;
allow rlogind_t self:fifo_file rw_fifo_file_perms;
allow rlogind_t self:tcp_socket { accept listen };
diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
index cf1f775b..5123f079 100644
--- a/policy/modules/contrib/rpc.te
+++ b/policy/modules/contrib/rpc.te
@@ -145,7 +145,7 @@ optional_policy(`
# Local policy
#
-allow rpcd_t self:capability { setpcap sys_admin chown dac_override setgid setuid };
+allow rpcd_t self:capability { chown dac_override setgid setpcap setuid sys_admin };
allow rpcd_t self:capability2 block_suspend;
allow rpcd_t self:process { getcap setcap };
allow rpcd_t self:fifo_file rw_fifo_file_perms;
@@ -288,7 +288,7 @@ optional_policy(`
# GSSD local policy
#
-allow gssd_t self:capability { dac_override dac_read_search setuid setgid sys_nice };
+allow gssd_t self:capability { dac_override dac_read_search setgid setuid sys_nice };
allow gssd_t self:process { getsched setsched };
allow gssd_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te
index 6ab5fd9e..1b36d097 100644
--- a/policy/modules/contrib/rpm.te
+++ b/policy/modules/contrib/rpm.te
@@ -73,7 +73,7 @@ files_tmpfs_file(rpm_script_tmpfs_t)
# rpm Local policy
#
-allow rpm_t self:capability { chown dac_override fowner setfcap fsetid ipc_lock setgid setuid sys_chroot sys_nice sys_tty_config mknod };
+allow rpm_t self:capability { chown dac_override fowner fsetid ipc_lock mknod setfcap setgid setuid sys_chroot sys_nice sys_tty_config };
allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execstack execheap };
allow rpm_t self:process { getattr setexec setfscreate setrlimit };
allow rpm_t self:fd use;
@@ -241,7 +241,7 @@ optional_policy(`
# rpm-script Local policy
#
-allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_rawio sys_nice mknod kill net_admin };
+allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid ipc_lock kill mknod net_admin setgid setuid sys_admin sys_chroot sys_nice sys_rawio };
allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execheap };
allow rpm_script_t self:fd use;
allow rpm_script_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/rshd.te b/policy/modules/contrib/rshd.te
index 5a5f6f71..dc327424 100644
--- a/policy/modules/contrib/rshd.te
+++ b/policy/modules/contrib/rshd.te
@@ -18,7 +18,7 @@ files_type(rshd_keytab_t)
# Local policy
#
-allow rshd_t self:capability { kill setuid setgid fowner fsetid chown dac_override };
+allow rshd_t self:capability { chown dac_override fowner fsetid kill setgid setuid };
allow rshd_t self:process { signal_perms setsched setpgid setexec };
allow rshd_t self:fifo_file rw_fifo_file_perms;
allow rshd_t self:tcp_socket create_stream_socket_perms;
--git a/policy/modules/contrib/rssh.te b/policy/modules/contrib/rssh.te
index 5c5465fe..cf6dd81e 100644
--- a/policy/modules/contrib/rssh.te
+++ b/policy/modules/contrib/rssh.te
@@ -86,7 +86,7 @@ optional_policy(`
# Chroot helper local policy
#
-allow rssh_chroot_helper_t self:capability { sys_chroot setuid };
+allow rssh_chroot_helper_t self:capability { setuid sys_chroot };
allow rssh_chroot_helper_t self:fifo_file rw_fifo_file_perms;
allow rssh_chroot_helper_t self:unix_stream_socket { accept listen };
diff --git a/policy/modules/contrib/rsync.te b/policy/modules/contrib/rsync.te
index 18db99d4..2fce98b0 100644
--- a/policy/modules/contrib/rsync.te
+++ b/policy/modules/contrib/rsync.te
@@ -83,7 +83,7 @@ files_pid_file(rsync_var_run_t)
# Local policy
#
-allow rsync_t self:capability { chown dac_read_search dac_override fowner fsetid setuid setgid sys_chroot };
+allow rsync_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid sys_chroot };
allow rsync_t self:process signal_perms;
allow rsync_t self:fifo_file rw_fifo_file_perms;
allow rsync_t self:tcp_socket { accept listen };
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
index 0acf15a7..e7dae973 100644
--- a/policy/modules/contrib/samba.te
+++ b/policy/modules/contrib/samba.te
@@ -194,7 +194,7 @@ files_pid_file(winbind_var_run_t)
# Net local policy
#
-allow samba_net_t self:capability { sys_chroot sys_nice dac_read_search dac_override };
+allow samba_net_t self:capability { dac_override dac_read_search sys_chroot sys_nice };
allow samba_net_t self:capability2 block_suspend;
allow samba_net_t self:process { getsched setsched };
allow samba_net_t self:unix_stream_socket { accept listen };
@@ -261,7 +261,7 @@ optional_policy(`
# Smbd Local policy
#
-allow smbd_t self:capability { chown fowner kill fsetid setgid setuid sys_chroot sys_nice sys_admin sys_resource lease dac_override dac_read_search };
+allow smbd_t self:capability { chown dac_override dac_read_search fowner fsetid kill lease setgid setuid sys_admin sys_chroot sys_nice sys_resource };
dontaudit smbd_t self:capability sys_tty_config;
allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
allow smbd_t self:fd use;
@@ -650,7 +650,7 @@ optional_policy(`
# Smbmount Local policy
#
-allow smbmount_t self:capability { sys_rawio sys_admin dac_override chown };
+allow smbmount_t self:capability { chown dac_override sys_admin sys_rawio };
allow smbmount_t self:process signal_perms;
allow smbmount_t self:tcp_socket { accept listen };
allow smbmount_t self:unix_dgram_socket create_socket_perms;
@@ -724,7 +724,7 @@ optional_policy(`
# Swat Local policy
#
-allow swat_t self:capability { dac_override setuid setgid sys_resource };
+allow swat_t self:capability { dac_override setgid setuid sys_resource };
allow swat_t self:process { setrlimit signal_perms };
allow swat_t self:fifo_file rw_fifo_file_perms;
allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
diff --git a/policy/modules/contrib/samhain.te b/policy/modules/contrib/samhain.te
index 1d2f80f5..865f9563 100644
--- a/policy/modules/contrib/samhain.te
+++ b/policy/modules/contrib/samhain.te
@@ -49,7 +49,7 @@ ifdef(`enable_mls',`
#
allow samhain_domain self:capability { dac_override dac_read_search fowner ipc_lock };
-dontaudit samhain_domain self:capability { sys_resource sys_ptrace };
+dontaudit samhain_domain self:capability { sys_ptrace sys_resource };
allow samhain_domain self:process { setsched setrlimit signull };
allow samhain_domain self:fd use;
allow samhain_domain self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/screen.te b/policy/modules/contrib/screen.te
index e8569cb1..e376da59 100644
--- a/policy/modules/contrib/screen.te
+++ b/policy/modules/contrib/screen.te
@@ -29,7 +29,7 @@ ubac_constrained(screen_runtime_t)
#
# dac_override : read /dev/pts/ID
-allow screen_domain self:capability { setuid setgid fsetid dac_override };
+allow screen_domain self:capability { dac_override fsetid setgid setuid };
allow screen_domain self:process signal_perms;
allow screen_domain self:fd use;
allow screen_domain self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/sendmail.te b/policy/modules/contrib/sendmail.te
index 1ae4a27a..dbfab0a0 100644
--- a/policy/modules/contrib/sendmail.te
+++ b/policy/modules/contrib/sendmail.te
@@ -40,7 +40,7 @@ role sendmail_unconfined_roles types unconfined_sendmail_t;
# Local policy
#
-allow sendmail_t self:capability { dac_override setuid setgid sys_nice chown sys_tty_config };
+allow sendmail_t self:capability { chown dac_override setgid setuid sys_nice sys_tty_config };
allow sendmail_t self:process { setsched setpgid setrlimit signal signull };
allow sendmail_t self:fifo_file rw_fifo_file_perms;
allow sendmail_t self:unix_stream_socket { accept listen };
diff --git a/policy/modules/contrib/shorewall.te b/policy/modules/contrib/shorewall.te
index e2e6c30d..5e815dd8 100644
--- a/policy/modules/contrib/shorewall.te
+++ b/policy/modules/contrib/shorewall.te
@@ -32,7 +32,7 @@ logging_log_file(shorewall_log_t)
# Local policy
#
-allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice sys_admin };
+allow shorewall_t self:capability { dac_override net_admin net_raw setgid setuid sys_admin sys_nice };
dontaudit shorewall_t self:capability sys_tty_config;
allow shorewall_t self:fifo_file rw_fifo_file_perms;
allow shorewall_t self:netlink_socket create_socket_perms;
diff --git a/policy/modules/contrib/slocate.te b/policy/modules/contrib/slocate.te
index 65fe1cb6..2bf0fed4 100644
--- a/policy/modules/contrib/slocate.te
+++ b/policy/modules/contrib/slocate.te
@@ -20,7 +20,7 @@ files_pid_file(locate_var_run_t)
# Local policy
#
-allow locate_t self:capability { chown dac_read_search dac_override fowner fsetid };
+allow locate_t self:capability { chown dac_override dac_read_search fowner fsetid };
allow locate_t self:process { execmem execheap execstack signal setsched };
allow locate_t self:fifo_file rw_fifo_file_perms;
allow locate_t self:unix_stream_socket create_socket_perms;
diff --git a/policy/modules/contrib/smartmon.te b/policy/modules/contrib/smartmon.te
index eb812fe8..4a7cafa7 100644
--- a/policy/modules/contrib/smartmon.te
+++ b/policy/modules/contrib/smartmon.te
@@ -38,7 +38,7 @@ ifdef(`enable_mls',`
# Local policy
#
-allow fsdaemon_t self:capability { dac_override kill setpcap setgid sys_rawio sys_admin };
+allow fsdaemon_t self:capability { dac_override kill setgid setpcap sys_admin sys_rawio };
dontaudit fsdaemon_t self:capability sys_tty_config;
allow fsdaemon_t self:process { getcap setcap signal_perms };
allow fsdaemon_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/smokeping.te b/policy/modules/contrib/smokeping.te
index 625d8018..cc19c38d 100644
--- a/policy/modules/contrib/smokeping.te
+++ b/policy/modules/contrib/smokeping.te
@@ -23,7 +23,7 @@ files_type(smokeping_var_lib_t)
# Local policy
#
-dontaudit smokeping_t self:capability { dac_read_search dac_override };
+dontaudit smokeping_t self:capability { dac_override dac_read_search };
allow smokeping_t self:fifo_file rw_fifo_file_perms;
allow smokeping_t self:unix_stream_socket { accept listen };
diff --git a/policy/modules/contrib/snmp.te b/policy/modules/contrib/snmp.te
index 49385798..fe37b52d 100644
--- a/policy/modules/contrib/snmp.te
+++ b/policy/modules/contrib/snmp.te
@@ -26,7 +26,7 @@ files_type(snmpd_var_lib_t)
# Local policy
#
-allow snmpd_t self:capability { chown dac_override kill ipc_lock setgid setuid net_admin sys_nice sys_tty_config sys_ptrace };
+allow snmpd_t self:capability { chown dac_override ipc_lock kill net_admin setgid setuid sys_nice sys_ptrace sys_tty_config };
dontaudit snmpd_t self:capability { sys_module sys_tty_config };
allow snmpd_t self:process { signal_perms getsched setsched };
allow snmpd_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/snort.te b/policy/modules/contrib/snort.te
index 30ba1e0c..536efd00 100644
--- a/policy/modules/contrib/snort.te
+++ b/policy/modules/contrib/snort.te
@@ -30,7 +30,7 @@ init_daemon_pid_file(snort_var_run_t, dir, "snort")
# Local policy
#
-allow snort_t self:capability { setgid setuid net_admin net_raw dac_override };
+allow snort_t self:capability { dac_override net_admin net_raw setgid setuid };
dontaudit snort_t self:capability sys_tty_config;
allow snort_t self:process signal_perms;
allow snort_t self:netlink_socket create_socket_perms;
diff --git a/policy/modules/contrib/sosreport.te b/policy/modules/contrib/sosreport.te
index 18dca447..940f220a 100644
--- a/policy/modules/contrib/sosreport.te
+++ b/policy/modules/contrib/sosreport.te
@@ -31,7 +31,7 @@ optional_policy(`
# Local policy
#
-allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice dac_override };
+allow sosreport_t self:capability { dac_override kill net_admin net_raw setuid sys_admin sys_nice };
dontaudit sosreport_t self:capability sys_ptrace;
allow sosreport_t self:process { setsched setpgid signal_perms };
allow sosreport_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/spamassassin.te b/policy/modules/contrib/spamassassin.te
index 6631a498..4a9153ce 100644
--- a/policy/modules/contrib/spamassassin.te
+++ b/policy/modules/contrib/spamassassin.te
@@ -270,7 +270,7 @@ optional_policy(`
# Daemon local policy
#
-allow spamd_t self:capability { kill setuid setgid dac_override sys_tty_config };
+allow spamd_t self:capability { dac_override kill setgid setuid sys_tty_config };
dontaudit spamd_t self:capability sys_tty_config;
allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow spamd_t self:fd use;
diff --git a/policy/modules/contrib/squid.te b/policy/modules/contrib/squid.te
index 2852599a..74fb3c23 100644
--- a/policy/modules/contrib/squid.te
+++ b/policy/modules/contrib/squid.te
@@ -51,7 +51,7 @@ files_pid_file(squid_var_run_t)
# Local policy
#
-allow squid_t self:capability { setgid kill setuid dac_override sys_resource };
+allow squid_t self:capability { dac_override kill setgid setuid sys_resource };
dontaudit squid_t self:capability sys_tty_config;
allow squid_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
allow squid_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/sssd.te b/policy/modules/contrib/sssd.te
index 9be5c19c..e273c904 100644
--- a/policy/modules/contrib/sssd.te
+++ b/policy/modules/contrib/sssd.te
@@ -33,7 +33,7 @@ files_pid_file(sssd_var_run_t)
# Local policy
#
-allow sssd_t self:capability { chown dac_read_search dac_override kill net_admin sys_nice setgid setuid sys_admin sys_resource };
+allow sssd_t self:capability { chown dac_override dac_read_search kill net_admin setgid setuid sys_admin sys_nice sys_resource };
allow sssd_t self:capability2 block_suspend;
allow sssd_t self:process { setfscreate setsched sigkill signal getsched setrlimit };
allow sssd_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/sxid.te b/policy/modules/contrib/sxid.te
index 01a9d0ac..010c40ce 100644
--- a/policy/modules/contrib/sxid.te
+++ b/policy/modules/contrib/sxid.te
@@ -21,7 +21,7 @@ files_tmp_file(sxid_tmp_t)
#
allow sxid_t self:capability { dac_override dac_read_search fsetid };
-dontaudit sxid_t self:capability { setuid setgid sys_tty_config };
+dontaudit sxid_t self:capability { setgid setuid sys_tty_config };
allow sxid_t self:process signal_perms;
allow sxid_t self:fifo_file rw_fifo_file_perms;
allow sxid_t self:tcp_socket create_stream_socket_perms;
diff --git a/policy/modules/contrib/systemtap.te b/policy/modules/contrib/systemtap.te
index f2fa8494..c0ddb637 100644
--- a/policy/modules/contrib/systemtap.te
+++ b/policy/modules/contrib/systemtap.te
@@ -29,7 +29,7 @@ files_pid_file(stapserver_var_run_t)
# Local policy
#
-allow stapserver_t self:capability { dac_override kill setuid setgid };
+allow stapserver_t self:capability { dac_override kill setgid setuid };
allow stapserver_t self:process { setrlimit setsched signal };
allow stapserver_t self:fifo_file rw_fifo_file_perms;
allow stapserver_t self:key write;
diff --git a/policy/modules/contrib/telnet.te b/policy/modules/contrib/telnet.te
index 0e70d1f4..6007d763 100644
--- a/policy/modules/contrib/telnet.te
+++ b/policy/modules/contrib/telnet.te
@@ -27,7 +27,7 @@ files_pid_file(telnetd_var_run_t)
# Local policy
#
-allow telnetd_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override };
+allow telnetd_t self:capability { chown dac_override fowner fsetid setgid setuid sys_tty_config };
allow telnetd_t self:process signal_perms;
allow telnetd_t self:fifo_file rw_fifo_file_perms;
allow telnetd_t self:tcp_socket { accept listen };
diff --git a/policy/modules/contrib/tripwire.te b/policy/modules/contrib/tripwire.te
index 03aa6b7f..47dc24b3 100644
--- a/policy/modules/contrib/tripwire.te
+++ b/policy/modules/contrib/tripwire.te
@@ -47,7 +47,7 @@ role twprint_roles types twprint_t;
# Local policy
#
-allow tripwire_t self:capability { setgid setuid dac_override };
+allow tripwire_t self:capability { dac_override setgid setuid };
allow tripwire_t tripwire_etc_t:dir list_dir_perms;
allow tripwire_t tripwire_etc_t:file read_file_perms;
diff --git a/policy/modules/contrib/ulogd.te b/policy/modules/contrib/ulogd.te
index 6c3a3eaf..50beee26 100644
--- a/policy/modules/contrib/ulogd.te
+++ b/policy/modules/contrib/ulogd.te
@@ -26,7 +26,7 @@ logging_log_file(ulogd_var_log_t)
# Local policy
#
-allow ulogd_t self:capability { net_admin setuid setgid sys_nice };
+allow ulogd_t self:capability { net_admin setgid setuid sys_nice };
allow ulogd_t self:process setsched;
allow ulogd_t self:netlink_nflog_socket create_socket_perms;
allow ulogd_t self:netlink_socket create_socket_perms;
diff --git a/policy/modules/contrib/userhelper.te b/policy/modules/contrib/userhelper.te
index 7a57c21a..9c7ac268 100644
--- a/policy/modules/contrib/userhelper.te
+++ b/policy/modules/contrib/userhelper.te
@@ -25,7 +25,7 @@ application_executable_file(consolehelper_exec_t)
# Common consolehelper domain local policy
#
-allow consolehelper_type self:capability { setgid setuid dac_override };
+allow consolehelper_type self:capability { dac_override setgid setuid };
allow consolehelper_type self:process signal;
allow consolehelper_type self:fifo_file rw_fifo_file_perms;
allow consolehelper_type self:unix_stream_socket create_stream_socket_perms;
@@ -94,7 +94,7 @@ optional_policy(`
# Common userhelper domain local policy
#
-allow userhelper_type self:capability { setuid setgid net_bind_service dac_override chown sys_tty_config };
+allow userhelper_type self:capability { chown dac_override net_bind_service setgid setuid sys_tty_config };
allow userhelper_type self:process ~{ ptrace setcurrent setfscreate setrlimit execmem execstack execheap };
allow userhelper_type self:fd use;
allow userhelper_type self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/usernetctl.te b/policy/modules/contrib/usernetctl.te
index f973af82..3f774951 100644
--- a/policy/modules/contrib/usernetctl.te
+++ b/policy/modules/contrib/usernetctl.te
@@ -18,7 +18,7 @@ role usernetctl_roles types usernetctl_t;
# Local policy
#
-allow usernetctl_t self:capability { setuid setgid dac_override };
+allow usernetctl_t self:capability { dac_override setgid setuid };
allow usernetctl_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow usernetctl_t self:fd use;
allow usernetctl_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/uucp.te b/policy/modules/contrib/uucp.te
index 9c884c46..d44d025f 100644
--- a/policy/modules/contrib/uucp.te
+++ b/policy/modules/contrib/uucp.te
@@ -46,7 +46,7 @@ role uux_roles types uux_t;
# Local policy
#
-allow uucpd_t self:capability { setuid setgid };
+allow uucpd_t self:capability { setgid setuid };
allow uucpd_t self:process signal_perms;
allow uucpd_t self:fifo_file rw_fifo_file_perms;
allow uucpd_t self:tcp_socket { accept listen };
@@ -137,7 +137,7 @@ optional_policy(`
# UUX Local policy
#
-allow uux_t self:capability { setuid setgid };
+allow uux_t self:capability { setgid setuid };
allow uux_t self:fifo_file write_fifo_file_perms;
domtrans_pattern(uux_t, uucpd_exec_t, uucpd_t)
diff --git a/policy/modules/contrib/varnishd.te b/policy/modules/contrib/varnishd.te
index 36c32fcd..b36f69ca 100644
--- a/policy/modules/contrib/varnishd.te
+++ b/policy/modules/contrib/varnishd.te
@@ -50,7 +50,7 @@ files_type(varnishlog_log_t)
# Local policy
#
-allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid };
+allow varnishd_t self:capability { dac_override ipc_lock kill setgid setuid };
dontaudit varnishd_t self:capability sys_tty_config;
allow varnishd_t self:process signal;
allow varnishd_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/vbetool.te b/policy/modules/contrib/vbetool.te
index 2a61f752..09980a08 100644
--- a/policy/modules/contrib/vbetool.te
+++ b/policy/modules/contrib/vbetool.te
@@ -26,7 +26,7 @@ role vbetool_roles types vbetool_t;
# Local policy
#
-allow vbetool_t self:capability { dac_override sys_tty_config sys_admin };
+allow vbetool_t self:capability { dac_override sys_admin sys_tty_config };
allow vbetool_t self:process execmem;
dev_wx_raw_memory(vbetool_t)
diff --git a/policy/modules/contrib/vhostmd.te b/policy/modules/contrib/vhostmd.te
index 4d47427d..f6636a99 100644
--- a/policy/modules/contrib/vhostmd.te
+++ b/policy/modules/contrib/vhostmd.te
@@ -23,7 +23,7 @@ files_pid_file(vhostmd_var_run_t)
# Local policy
#
-allow vhostmd_t self:capability { dac_override ipc_lock setuid setgid };
+allow vhostmd_t self:capability { dac_override ipc_lock setgid setuid };
allow vhostmd_t self:process { setsched getsched signal };
allow vhostmd_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index e8ac408d..eb72843f 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -455,7 +455,7 @@ tunable_policy(`virt_use_vfio',`
# virtd local policy
#
-allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice };
+allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setgid setpcap setuid sys_admin sys_nice };
allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched };
allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
allow virtd_t self:unix_stream_socket { accept connectto listen relabelfrom relabelto };
@@ -808,7 +808,7 @@ optional_policy(`
# Virsh local policy
#
-allow virsh_t self:capability { setpcap dac_override ipc_lock sys_nice sys_tty_config };
+allow virsh_t self:capability { dac_override ipc_lock setpcap sys_nice sys_tty_config };
allow virsh_t self:process { getcap getsched setsched setcap signal };
allow virsh_t self:fifo_file rw_fifo_file_perms;
allow virsh_t self:unix_stream_socket { accept connectto listen };
@@ -956,7 +956,7 @@ optional_policy(`
# Lxc local policy
#
-allow virtd_lxc_t self:capability { dac_override net_admin net_raw setpcap chown sys_admin sys_boot sys_resource };
+allow virtd_lxc_t self:capability { chown dac_override net_admin net_raw setpcap sys_admin sys_boot sys_resource };
allow virtd_lxc_t self:process { setexec setrlimit setsched getcap setcap signal_perms };
allow virtd_lxc_t self:fifo_file rw_fifo_file_perms;
allow virtd_lxc_t self:netlink_route_socket nlmsg_write;
@@ -1052,7 +1052,7 @@ sysnet_domtrans_ifconfig(virtd_lxc_t)
# Common virt lxc domain local policy
#
-allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
+allow svirt_lxc_domain self:capability { dac_override kill setgid setuid sys_boot };
allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
allow svirt_lxc_domain self:fifo_file manage_file_perms;
allow svirt_lxc_domain self:sem create_sem_perms;
@@ -1149,7 +1149,7 @@ optional_policy(`
# Lxc net local policy
#
-allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin sys_admin sys_nice sys_ptrace sys_resource setpcap };
+allow svirt_lxc_net_t self:capability { chown dac_override dac_read_search fowner fsetid net_admin net_raw setpcap sys_admin sys_nice sys_ptrace sys_resource };
dontaudit svirt_lxc_net_t self:capability2 block_suspend;
allow svirt_lxc_net_t self:process setrlimit;
allow svirt_lxc_net_t self:tcp_socket { accept listen };
@@ -1253,7 +1253,7 @@ optional_policy(`
#
allow virt_bridgehelper_t self:process { setcap getcap };
-allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
+allow virt_bridgehelper_t self:capability { net_admin setgid setpcap setuid };
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
allow virt_bridgehelper_t self:tun_socket create_socket_perms;
allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
diff --git a/policy/modules/contrib/vlock.te b/policy/modules/contrib/vlock.te
index 6b72968e..d4094916 100644
--- a/policy/modules/contrib/vlock.te
+++ b/policy/modules/contrib/vlock.te
@@ -17,7 +17,7 @@ role vlock_roles types vlock_t;
# Local policy
#
-dontaudit vlock_t self:capability { setuid setgid };
+dontaudit vlock_t self:capability { setgid setuid };
allow vlock_t self:fd use;
allow vlock_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/vmware.te b/policy/modules/contrib/vmware.te
index 0fa22c2b..59a32f5d 100644
--- a/policy/modules/contrib/vmware.te
+++ b/policy/modules/contrib/vmware.te
@@ -69,7 +69,7 @@ optional_policy(`
# Host local policy
#
-allow vmware_host_t self:capability { setgid setuid net_raw sys_nice sys_time sys_ptrace kill dac_override };
+allow vmware_host_t self:capability { dac_override kill net_raw setgid setuid sys_nice sys_ptrace sys_time };
dontaudit vmware_host_t self:capability sys_tty_config;
allow vmware_host_t self:process { execstack execmem signal_perms };
allow vmware_host_t self:fifo_file rw_fifo_file_perms;
@@ -186,7 +186,7 @@ optional_policy(`
# Guest local policy
#
-allow vmware_t self:capability { dac_override setgid sys_nice sys_resource setuid sys_admin sys_rawio chown };
+allow vmware_t self:capability { chown dac_override setgid setuid sys_admin sys_nice sys_rawio sys_resource };
dontaudit vmware_t self:capability sys_tty_config;
allow vmware_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow vmware_t self:process { execmem execstack };
diff --git a/policy/modules/contrib/vpn.te b/policy/modules/contrib/vpn.te
index 85353fa7..10fb1013 100644
--- a/policy/modules/contrib/vpn.te
+++ b/policy/modules/contrib/vpn.te
@@ -24,7 +24,7 @@ files_pid_file(vpnc_var_run_t)
# Local policy
#
-allow vpnc_t self:capability { dac_read_search dac_override net_admin ipc_lock net_raw setuid };
+allow vpnc_t self:capability { dac_override dac_read_search ipc_lock net_admin net_raw setuid };
allow vpnc_t self:process { getsched signal };
allow vpnc_t self:fifo_file rw_fifo_file_perms;
allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms;
diff --git a/policy/modules/contrib/watchdog.te b/policy/modules/contrib/watchdog.te
index a181f48b..bac0a747 100644
--- a/policy/modules/contrib/watchdog.te
+++ b/policy/modules/contrib/watchdog.te
@@ -23,7 +23,7 @@ files_pid_file(watchdog_var_run_t)
# Local policy
#
-allow watchdog_t self:capability { sys_admin net_admin sys_boot ipc_lock sys_pacct sys_nice sys_resource net_raw };
+allow watchdog_t self:capability { ipc_lock net_admin net_raw sys_admin sys_boot sys_nice sys_pacct sys_resource };
dontaudit watchdog_t self:capability sys_tty_config;
allow watchdog_t self:process { setsched signal_perms };
allow watchdog_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/wdmd.te b/policy/modules/contrib/wdmd.te
index a32e1988..24c3802e 100644
--- a/policy/modules/contrib/wdmd.te
+++ b/policy/modules/contrib/wdmd.te
@@ -23,7 +23,7 @@ files_pid_file(wdmd_var_run_t)
# Local policy
#
-allow wdmd_t self:capability { chown sys_nice ipc_lock };
+allow wdmd_t self:capability { chown ipc_lock sys_nice };
allow wdmd_t self:process { setsched signal };
allow wdmd_t self:fifo_file rw_fifo_file_perms;
allow wdmd_t self:unix_stream_socket { accept listen };
diff --git a/policy/modules/contrib/xen.te b/policy/modules/contrib/xen.te
index c134cfe5..383c00a7 100644
--- a/policy/modules/contrib/xen.te
+++ b/policy/modules/contrib/xen.te
@@ -163,7 +163,7 @@ files_pid_filetrans(evtchnd_t, evtchnd_var_run_t, { file sock_file dir })
# xend local policy
#
-allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_admin sys_nice sys_tty_config net_raw sys_resource sys_rawio };
+allow xend_t self:capability { dac_override ipc_lock net_admin net_raw setuid sys_admin sys_nice sys_rawio sys_resource sys_tty_config };
dontaudit xend_t self:capability { sys_ptrace };
allow xend_t self:process { setrlimit signal sigkill };
dontaudit xend_t self:process ptrace;
@@ -470,7 +470,7 @@ xen_append_log(xenstored_t)
# xm local policy
#
-allow xm_t self:capability { setpcap dac_override ipc_lock sys_nice sys_tty_config };
+allow xm_t self:capability { dac_override ipc_lock setpcap sys_nice sys_tty_config };
allow xm_t self:process { getcap getsched setsched setcap signal };
allow xm_t self:fifo_file rw_fifo_file_perms;
allow xm_t self:unix_stream_socket { accept connectto listen };
diff --git a/policy/modules/contrib/yam.te b/policy/modules/contrib/yam.te
index 2695db25..4927d4d7 100644
--- a/policy/modules/contrib/yam.te
+++ b/policy/modules/contrib/yam.te
@@ -26,7 +26,7 @@ files_tmp_file(yam_tmp_t)
# Local policy
#
-allow yam_t self:capability { chown fowner fsetid dac_override };
+allow yam_t self:capability { chown dac_override fowner fsetid };
allow yam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execstack execheap };
allow yam_t self:fd use;
allow yam_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/zabbix.te b/policy/modules/contrib/zabbix.te
index 33822181..a021b743 100644
--- a/policy/modules/contrib/zabbix.te
+++ b/policy/modules/contrib/zabbix.te
@@ -44,7 +44,7 @@ files_pid_file(zabbix_var_run_t)
# Local policy
#
-allow zabbix_t self:capability { dac_read_search dac_override setuid setgid };
+allow zabbix_t self:capability { dac_override dac_read_search setgid setuid };
allow zabbix_t self:process { setsched signal_perms };
allow zabbix_t self:fifo_file rw_fifo_file_perms;
allow zabbix_t self:unix_stream_socket create_stream_socket_perms;
@@ -132,7 +132,7 @@ optional_policy(`
# Agent local policy
#
-allow zabbix_agent_t self:capability { setuid setgid };
+allow zabbix_agent_t self:capability { setgid setuid };
allow zabbix_agent_t self:process { setsched getsched signal };
allow zabbix_agent_t self:fifo_file rw_fifo_file_perms;
allow zabbix_agent_t self:sem create_sem_perms;
diff --git a/policy/modules/contrib/zarafa.te b/policy/modules/contrib/zarafa.te
index 5ce3c3eb..506952fb 100644
--- a/policy/modules/contrib/zarafa.te
+++ b/policy/modules/contrib/zarafa.te
@@ -158,7 +158,7 @@ corenet_tcp_sendrecv_smtp_port(zarafa_spooler_t)
# Zarafa domain local policy
#
-allow zarafa_domain self:capability { kill dac_override chown setgid setuid };
+allow zarafa_domain self:capability { chown dac_override kill setgid setuid };
allow zarafa_domain self:process { setrlimit signal };
allow zarafa_domain self:fifo_file rw_fifo_file_perms;
allow zarafa_domain self:tcp_socket { accept listen };
diff --git a/policy/modules/contrib/zebra.te b/policy/modules/contrib/zebra.te
index d0b03583..bfc2d21d 100644
--- a/policy/modules/contrib/zebra.te
+++ b/policy/modules/contrib/zebra.te
@@ -37,7 +37,7 @@ files_pid_file(zebra_var_run_t)
# Local policy
#
-allow zebra_t self:capability { setgid setuid net_admin net_raw };
+allow zebra_t self:capability { net_admin net_raw setgid setuid };
dontaudit zebra_t self:capability sys_tty_config;
allow zebra_t self:process { signal_perms getcap setcap };
allow zebra_t self:fifo_file rw_fifo_file_perms;
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2017-02-17 8:50 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
@ 2017-02-17 8:44 ` Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-02-17 8:44 UTC (permalink / raw
To: gentoo-commits
commit: 6c4f7f44b8475c05327146520cc4f3e196f9574c
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Feb 15 23:47:07 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Feb 17 08:41:32 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6c4f7f44
Sort capabilities permissions from Russell Coker.
policy/modules/contrib/accountsd.te | 2 +-
policy/modules/contrib/afs.te | 2 +-
policy/modules/contrib/aisexec.te | 2 +-
policy/modules/contrib/alsa.te | 2 +-
policy/modules/contrib/amanda.te | 4 ++--
policy/modules/contrib/amavis.te | 2 +-
policy/modules/contrib/apache.te | 2 +-
policy/modules/contrib/apm.te | 4 ++--
policy/modules/contrib/asterisk.te | 2 +-
policy/modules/contrib/automount.te | 2 +-
policy/modules/contrib/avahi.te | 2 +-
policy/modules/contrib/bacula.te | 2 +-
policy/modules/contrib/bluetooth.te | 2 +-
policy/modules/contrib/boinc.te | 2 +-
policy/modules/contrib/cachefilesd.te | 2 +-
policy/modules/contrib/callweaver.te | 2 +-
policy/modules/contrib/canna.te | 2 +-
policy/modules/contrib/ccs.te | 2 +-
policy/modules/contrib/cdrecord.te | 2 +-
policy/modules/contrib/certmaster.te | 2 +-
policy/modules/contrib/certmonger.te | 2 +-
policy/modules/contrib/cgroup.te | 6 +++---
policy/modules/contrib/chronyd.te | 2 +-
policy/modules/contrib/cipe.te | 2 +-
policy/modules/contrib/clamav.te | 6 +++---
policy/modules/contrib/clockspeed.te | 2 +-
policy/modules/contrib/clogd.te | 2 +-
policy/modules/contrib/cmirrord.te | 2 +-
policy/modules/contrib/colord.te | 2 +-
policy/modules/contrib/comsat.te | 2 +-
policy/modules/contrib/condor.te | 12 ++++++------
policy/modules/contrib/consolekit.te | 2 +-
policy/modules/contrib/corosync.te | 4 ++--
policy/modules/contrib/courier.te | 4 ++--
policy/modules/contrib/cron.te | 6 +++---
policy/modules/contrib/cups.te | 10 +++++-----
policy/modules/contrib/cvs.te | 2 +-
policy/modules/contrib/daemontools.te | 2 +-
policy/modules/contrib/dante.te | 2 +-
policy/modules/contrib/dbus.te | 2 +-
policy/modules/contrib/dcc.te | 4 ++--
policy/modules/contrib/ddcprobe.te | 2 +-
policy/modules/contrib/devicekit.te | 4 ++--
policy/modules/contrib/dhcp.te | 2 +-
policy/modules/contrib/dictd.te | 2 +-
policy/modules/contrib/dnsmasq.te | 2 +-
policy/modules/contrib/dovecot.te | 2 +-
policy/modules/contrib/dpkg.te | 4 ++--
policy/modules/contrib/evolution.te | 2 +-
policy/modules/contrib/exim.te | 2 +-
policy/modules/contrib/fail2ban.te | 2 +-
policy/modules/contrib/finger.te | 2 +-
policy/modules/contrib/ftp.te | 2 +-
policy/modules/contrib/gdomap.te | 2 +-
policy/modules/contrib/glusterfs.te | 2 +-
policy/modules/contrib/gpm.te | 2 +-
policy/modules/contrib/gpsd.te | 4 ++--
policy/modules/contrib/hadoop.te | 2 +-
policy/modules/contrib/hal.te | 2 +-
policy/modules/contrib/ifplugd.te | 2 +-
policy/modules/contrib/inetd.te | 4 ++--
policy/modules/contrib/iodine.te | 2 +-
policy/modules/contrib/kdump.te | 2 +-
policy/modules/contrib/kerberos.te | 4 ++--
policy/modules/contrib/kismet.te | 2 +-
policy/modules/contrib/kudzu.te | 2 +-
policy/modules/contrib/ldap.te | 2 +-
policy/modules/contrib/likewise.te | 4 ++--
policy/modules/contrib/logrotate.te | 2 +-
policy/modules/contrib/logwatch.te | 2 +-
policy/modules/contrib/lpd.te | 6 +++---
policy/modules/contrib/mailman.te | 2 +-
policy/modules/contrib/mailscanner.te | 2 +-
policy/modules/contrib/mandb.te | 2 +-
policy/modules/contrib/memcached.te | 2 +-
policy/modules/contrib/milter.te | 2 +-
policy/modules/contrib/minissdpd.te | 2 +-
policy/modules/contrib/mozilla.te | 4 ++--
policy/modules/contrib/mrtg.te | 2 +-
policy/modules/contrib/mta.te | 2 +-
policy/modules/contrib/nagios.te | 8 ++++----
policy/modules/contrib/networkmanager.te | 4 ++--
policy/modules/contrib/nslcd.te | 2 +-
policy/modules/contrib/ntop.te | 2 +-
policy/modules/contrib/ntp.te | 4 ++--
policy/modules/contrib/nut.te | 2 +-
policy/modules/contrib/oddjob.te | 2 +-
policy/modules/contrib/oident.te | 2 +-
policy/modules/contrib/openvpn.te | 2 +-
policy/modules/contrib/openvswitch.te | 2 +-
policy/modules/contrib/pacemaker.te | 2 +-
policy/modules/contrib/passenger.te | 2 +-
policy/modules/contrib/pcmcia.te | 2 +-
policy/modules/contrib/pegasus.te | 2 +-
policy/modules/contrib/pkcs.te | 2 +-
policy/modules/contrib/podsleuth.te | 2 +-
policy/modules/contrib/portage.if | 2 +-
policy/modules/contrib/portage.te | 4 ++--
policy/modules/contrib/portmap.te | 2 +-
policy/modules/contrib/portreserve.te | 2 +-
policy/modules/contrib/portslave.te | 2 +-
policy/modules/contrib/postfix.te | 8 ++++----
policy/modules/contrib/postfixpolicyd.te | 2 +-
policy/modules/contrib/ppp.te | 4 ++--
policy/modules/contrib/procmail.te | 2 +-
policy/modules/contrib/psad.te | 2 +-
policy/modules/contrib/pulseaudio.te | 2 +-
policy/modules/contrib/puppet.te | 4 ++--
policy/modules/contrib/qemu.if | 2 +-
policy/modules/contrib/qmail.te | 2 +-
policy/modules/contrib/quota.te | 2 +-
policy/modules/contrib/radvd.te | 2 +-
policy/modules/contrib/raid.te | 2 +-
policy/modules/contrib/readahead.te | 2 +-
policy/modules/contrib/remotelogin.te | 2 +-
policy/modules/contrib/rgmanager.te | 2 +-
policy/modules/contrib/rhcs.te | 2 +-
policy/modules/contrib/ricci.te | 2 +-
policy/modules/contrib/rlogin.te | 2 +-
policy/modules/contrib/rpc.te | 4 ++--
policy/modules/contrib/rpm.te | 4 ++--
policy/modules/contrib/rshd.te | 2 +-
| 2 +-
policy/modules/contrib/rsync.te | 2 +-
policy/modules/contrib/samba.te | 8 ++++----
policy/modules/contrib/samhain.te | 2 +-
policy/modules/contrib/screen.te | 2 +-
policy/modules/contrib/sendmail.te | 2 +-
policy/modules/contrib/shorewall.te | 2 +-
policy/modules/contrib/slocate.te | 2 +-
policy/modules/contrib/smartmon.te | 2 +-
policy/modules/contrib/smokeping.te | 2 +-
policy/modules/contrib/snmp.te | 2 +-
policy/modules/contrib/snort.te | 2 +-
policy/modules/contrib/sosreport.te | 2 +-
policy/modules/contrib/spamassassin.te | 2 +-
policy/modules/contrib/squid.te | 2 +-
policy/modules/contrib/sssd.te | 2 +-
policy/modules/contrib/sxid.te | 2 +-
policy/modules/contrib/systemtap.te | 2 +-
policy/modules/contrib/telnet.te | 2 +-
policy/modules/contrib/tripwire.te | 2 +-
policy/modules/contrib/ulogd.te | 2 +-
policy/modules/contrib/userhelper.te | 4 ++--
policy/modules/contrib/usernetctl.te | 2 +-
policy/modules/contrib/uucp.te | 4 ++--
policy/modules/contrib/varnishd.te | 2 +-
policy/modules/contrib/vbetool.te | 2 +-
policy/modules/contrib/vhostmd.te | 2 +-
policy/modules/contrib/virt.te | 12 ++++++------
policy/modules/contrib/vlock.te | 2 +-
policy/modules/contrib/vmware.te | 4 ++--
policy/modules/contrib/vpn.te | 2 +-
policy/modules/contrib/watchdog.te | 2 +-
policy/modules/contrib/wdmd.te | 2 +-
policy/modules/contrib/xen.te | 4 ++--
policy/modules/contrib/yam.te | 2 +-
policy/modules/contrib/zabbix.te | 4 ++--
policy/modules/contrib/zarafa.te | 2 +-
policy/modules/contrib/zebra.te | 2 +-
160 files changed, 215 insertions(+), 215 deletions(-)
diff --git a/policy/modules/contrib/accountsd.te b/policy/modules/contrib/accountsd.te
index 3593510d..d435a2d6 100644
--- a/policy/modules/contrib/accountsd.te
+++ b/policy/modules/contrib/accountsd.te
@@ -21,7 +21,7 @@ files_type(accountsd_var_lib_t)
# Local policy
#
-allow accountsd_t self:capability { chown dac_override setuid setgid sys_ptrace };
+allow accountsd_t self:capability { chown dac_override setgid setuid sys_ptrace };
allow accountsd_t self:process signal;
allow accountsd_t self:fifo_file rw_fifo_file_perms;
allow accountsd_t self:passwd { rootok passwd chfn chsh };
diff --git a/policy/modules/contrib/afs.te b/policy/modules/contrib/afs.te
index e685b5d3..b95757a5 100644
--- a/policy/modules/contrib/afs.te
+++ b/policy/modules/contrib/afs.te
@@ -147,7 +147,7 @@ seutil_read_config(afs_bosserver_t)
# fileserver local policy
#
-allow afs_fsserver_t self:capability { kill dac_override chown fowner sys_nice };
+allow afs_fsserver_t self:capability { chown dac_override fowner kill sys_nice };
dontaudit afs_fsserver_t self:capability fsetid;
allow afs_fsserver_t self:process { setsched signal_perms };
allow afs_fsserver_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/aisexec.te b/policy/modules/contrib/aisexec.te
index d89a243e..06b61940 100644
--- a/policy/modules/contrib/aisexec.te
+++ b/policy/modules/contrib/aisexec.te
@@ -32,7 +32,7 @@ files_pid_file(aisexec_var_run_t)
# Local policy
#
-allow aisexec_t self:capability { sys_nice sys_resource ipc_lock ipc_owner };
+allow aisexec_t self:capability { ipc_lock ipc_owner sys_nice sys_resource };
allow aisexec_t self:process { setrlimit setsched signal };
allow aisexec_t self:fifo_file rw_fifo_file_perms;
allow aisexec_t self:sem create_sem_perms;
diff --git a/policy/modules/contrib/alsa.te b/policy/modules/contrib/alsa.te
index 19046676..f82e39ca 100644
--- a/policy/modules/contrib/alsa.te
+++ b/policy/modules/contrib/alsa.te
@@ -38,7 +38,7 @@ userdom_user_home_content(alsa_home_t)
# Local policy
#
-allow alsa_t self:capability { dac_read_search dac_override setgid setuid ipc_owner };
+allow alsa_t self:capability { dac_override dac_read_search ipc_owner setgid setuid };
dontaudit alsa_t self:capability sys_admin;
allow alsa_t self:sem create_sem_perms;
allow alsa_t self:shm create_shm_perms;
diff --git a/policy/modules/contrib/amanda.te b/policy/modules/contrib/amanda.te
index 65fa3975..ecf15211 100644
--- a/policy/modules/contrib/amanda.te
+++ b/policy/modules/contrib/amanda.te
@@ -59,7 +59,7 @@ optional_policy(`
# Local policy
#
-allow amanda_t self:capability { chown dac_override setuid kill };
+allow amanda_t self:capability { chown dac_override kill setuid };
allow amanda_t self:process { setpgid signal };
allow amanda_t self:fifo_file rw_fifo_file_perms;
allow amanda_t self:unix_stream_socket { accept listen };
@@ -141,7 +141,7 @@ logging_send_syslog_msg(amanda_t)
# Recover local policy
#
-allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_override };
+allow amanda_recover_t self:capability { chown dac_override fowner fsetid kill setgid setuid };
allow amanda_recover_t self:process { sigkill sigstop signal };
allow amanda_recover_t self:fifo_file rw_fifo_file_perms;
allow amanda_recover_t self:unix_stream_socket create_socket_perms;
diff --git a/policy/modules/contrib/amavis.te b/policy/modules/contrib/amavis.te
index 2f66a812..44913b37 100644
--- a/policy/modules/contrib/amavis.te
+++ b/policy/modules/contrib/amavis.te
@@ -46,7 +46,7 @@ files_type(amavis_spool_t)
# Local policy
#
-allow amavis_t self:capability { kill chown dac_override setgid setuid };
+allow amavis_t self:capability { chown dac_override kill setgid setuid };
dontaudit amavis_t self:capability sys_tty_config;
allow amavis_t self:process signal_perms;
allow amavis_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index 12b80554..2f724b68 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -920,7 +920,7 @@ tunable_policy(`httpd_tty_comm',`
# Suexec local policy
#
-allow httpd_suexec_t self:capability { setuid setgid };
+allow httpd_suexec_t self:capability { setgid setuid };
allow httpd_suexec_t self:process signal_perms;
allow httpd_suexec_t self:fifo_file rw_fifo_file_perms;
allow httpd_suexec_t self:tcp_socket { accept listen };
diff --git a/policy/modules/contrib/apm.te b/policy/modules/contrib/apm.te
index f5692d58..c5647460 100644
--- a/policy/modules/contrib/apm.te
+++ b/policy/modules/contrib/apm.te
@@ -62,8 +62,8 @@ logging_send_syslog_msg(apm_t)
# Server local policy
#
-allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod };
-dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_ptrace sys_tty_config };
+allow apmd_t self:capability { kill mknod sys_admin sys_nice sys_time };
+dontaudit apmd_t self:capability { dac_override dac_read_search setuid sys_ptrace sys_tty_config };
allow apmd_t self:process { signal_perms getsession };
allow apmd_t self:fifo_file rw_fifo_file_perms;
allow apmd_t self:netlink_socket create_socket_perms;
diff --git a/policy/modules/contrib/asterisk.te b/policy/modules/contrib/asterisk.te
index db0efef0..9c6a947f 100644
--- a/policy/modules/contrib/asterisk.te
+++ b/policy/modules/contrib/asterisk.te
@@ -39,7 +39,7 @@ init_daemon_pid_file(asterisk_var_run_t, dir, "asterisk")
# Local policy
#
-allow asterisk_t self:capability { dac_override chown setgid setuid sys_nice net_admin };
+allow asterisk_t self:capability { chown dac_override net_admin setgid setuid sys_nice };
dontaudit asterisk_t self:capability { sys_module sys_tty_config };
allow asterisk_t self:process { getsched setsched signal_perms getcap setcap };
allow asterisk_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/automount.te b/policy/modules/contrib/automount.te
index ae421061..09b82b0c 100644
--- a/policy/modules/contrib/automount.te
+++ b/policy/modules/contrib/automount.te
@@ -33,7 +33,7 @@ files_pid_file(automount_var_run_t)
# Local policy
#
-allow automount_t self:capability { setgid setuid sys_nice sys_resource dac_override sys_admin };
+allow automount_t self:capability { dac_override setgid setuid sys_admin sys_nice sys_resource };
dontaudit automount_t self:capability sys_tty_config;
allow automount_t self:process { signal_perms getpgid setpgid setsched setrlimit };
allow automount_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/avahi.te b/policy/modules/contrib/avahi.te
index d5d87ee3..b2e43eed 100644
--- a/policy/modules/contrib/avahi.te
+++ b/policy/modules/contrib/avahi.te
@@ -27,7 +27,7 @@ files_pid_file(avahi_var_run_t)
# Local policy
#
-allow avahi_t self:capability { dac_override setgid chown fowner kill net_admin net_raw setuid sys_chroot };
+allow avahi_t self:capability { chown dac_override fowner kill net_admin net_raw setgid setuid sys_chroot };
dontaudit avahi_t self:capability sys_tty_config;
allow avahi_t self:process { setrlimit signal_perms getcap setcap };
allow avahi_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/bacula.te b/policy/modules/contrib/bacula.te
index 2050984c..20b92c3f 100644
--- a/policy/modules/contrib/bacula.te
+++ b/policy/modules/contrib/bacula.te
@@ -43,7 +43,7 @@ role bacula_admin_roles types bacula_admin_t;
# Local policy
#
-allow bacula_t self:capability { dac_read_search dac_override chown fowner fsetid};
+allow bacula_t self:capability { chown dac_override dac_read_search fowner fsetid };
allow bacula_t self:process signal;
allow bacula_t self:fifo_file rw_fifo_file_perms;
allow bacula_t self:tcp_socket { accept listen };
diff --git a/policy/modules/contrib/bluetooth.te b/policy/modules/contrib/bluetooth.te
index ceb79e63..75d739da 100644
--- a/policy/modules/contrib/bluetooth.te
+++ b/policy/modules/contrib/bluetooth.te
@@ -57,7 +57,7 @@ files_pid_file(bluetooth_var_run_t)
# Local policy
#
-allow bluetooth_t self:capability { dac_override net_bind_service net_admin net_raw setpcap sys_admin sys_tty_config ipc_lock };
+allow bluetooth_t self:capability { dac_override ipc_lock net_admin net_bind_service net_raw setpcap sys_admin sys_tty_config };
dontaudit bluetooth_t self:capability sys_tty_config;
allow bluetooth_t self:process { getcap setcap getsched signal_perms };
allow bluetooth_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/boinc.te b/policy/modules/contrib/boinc.te
index 64803206..ed1aaf34 100644
--- a/policy/modules/contrib/boinc.te
+++ b/policy/modules/contrib/boinc.te
@@ -168,7 +168,7 @@ optional_policy(`
# Project local policy
#
-allow boinc_project_t self:capability { setuid setgid };
+allow boinc_project_t self:capability { setgid setuid };
allow boinc_project_t self:process { execmem execstack noatsecure ptrace setcap getcap setpgid setsched signal_perms };
manage_dirs_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
diff --git a/policy/modules/contrib/cachefilesd.te b/policy/modules/contrib/cachefilesd.te
index 14fcf67c..c92149d1 100644
--- a/policy/modules/contrib/cachefilesd.te
+++ b/policy/modules/contrib/cachefilesd.te
@@ -27,7 +27,7 @@ role system_r types cachefiles_kernel_t;
# Cachefilesd local policy
#
-allow cachefilesd_t self:capability { setuid setgid sys_admin dac_override };
+allow cachefilesd_t self:capability { dac_override setgid setuid sys_admin };
allow cachefilesd_t cachefiles_kernel_t:kernel_service use_as_override;
diff --git a/policy/modules/contrib/callweaver.te b/policy/modules/contrib/callweaver.te
index d67ad9b8..f9443343 100644
--- a/policy/modules/contrib/callweaver.te
+++ b/policy/modules/contrib/callweaver.te
@@ -29,7 +29,7 @@ files_type(callweaver_spool_t)
# Local policy
#
-allow callweaver_t self:capability { setuid sys_nice setgid };
+allow callweaver_t self:capability { setgid setuid sys_nice };
allow callweaver_t self:process { setsched signal };
allow callweaver_t self:fifo_file rw_fifo_file_perms;
allow callweaver_t self:tcp_socket { accept listen };
diff --git a/policy/modules/contrib/canna.te b/policy/modules/contrib/canna.te
index 6738527a..ea8f64b5 100644
--- a/policy/modules/contrib/canna.te
+++ b/policy/modules/contrib/canna.te
@@ -26,7 +26,7 @@ files_pid_file(canna_var_run_t)
# Local policy
#
-allow canna_t self:capability { setgid setuid net_bind_service };
+allow canna_t self:capability { net_bind_service setgid setuid };
dontaudit canna_t self:capability sys_tty_config;
allow canna_t self:process signal_perms;
allow canna_t self:unix_stream_socket { accept connectto listen };
diff --git a/policy/modules/contrib/ccs.te b/policy/modules/contrib/ccs.te
index eacec0bf..bc766e74 100644
--- a/policy/modules/contrib/ccs.te
+++ b/policy/modules/contrib/ccs.te
@@ -35,7 +35,7 @@ files_pid_file(ccs_var_run_t)
# Local policy
#
-allow ccs_t self:capability { ipc_owner ipc_lock sys_nice sys_resource sys_admin };
+allow ccs_t self:capability { ipc_lock ipc_owner sys_admin sys_nice sys_resource };
allow ccs_t self:process { signal setrlimit setsched };
dontaudit ccs_t self:process ptrace;
allow ccs_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/cdrecord.te b/policy/modules/contrib/cdrecord.te
index 16883c9c..4af7717a 100644
--- a/policy/modules/contrib/cdrecord.te
+++ b/policy/modules/contrib/cdrecord.te
@@ -29,7 +29,7 @@ role cdrecord_roles types cdrecord_t;
# Local policy
#
-allow cdrecord_t self:capability { ipc_lock sys_nice setuid dac_override sys_rawio };
+allow cdrecord_t self:capability { dac_override ipc_lock setuid sys_nice sys_rawio };
allow cdrecord_t self:process { getcap getsched setrlimit setsched sigkill };
allow cdrecord_t self:unix_stream_socket { accept listen };
diff --git a/policy/modules/contrib/certmaster.te b/policy/modules/contrib/certmaster.te
index 16420ae9..daeb417d 100644
--- a/policy/modules/contrib/certmaster.te
+++ b/policy/modules/contrib/certmaster.te
@@ -29,7 +29,7 @@ files_pid_file(certmaster_var_run_t)
# Local policy
#
-allow certmaster_t self:capability { dac_read_search dac_override sys_tty_config };
+allow certmaster_t self:capability { dac_override dac_read_search sys_tty_config };
allow certmaster_t self:tcp_socket { accept listen };
list_dirs_pattern(certmaster_t, certmaster_etc_rw_t, certmaster_etc_rw_t)
diff --git a/policy/modules/contrib/certmonger.te b/policy/modules/contrib/certmonger.te
index defc3467..f6c9d20d 100644
--- a/policy/modules/contrib/certmonger.te
+++ b/policy/modules/contrib/certmonger.te
@@ -23,7 +23,7 @@ files_pid_file(certmonger_var_run_t)
# Local policy
#
-allow certmonger_t self:capability { chown dac_override dac_read_search setgid setuid kill sys_nice };
+allow certmonger_t self:capability { chown dac_override dac_read_search kill setgid setuid sys_nice };
dontaudit certmonger_t self:capability sys_tty_config;
allow certmonger_t self:capability2 block_suspend;
allow certmonger_t self:process { getsched setsched sigkill signal };
diff --git a/policy/modules/contrib/cgroup.te b/policy/modules/contrib/cgroup.te
index 5d600a9f..3599d7a2 100644
--- a/policy/modules/contrib/cgroup.te
+++ b/policy/modules/contrib/cgroup.te
@@ -40,7 +40,7 @@ files_config_file(cgconfig_etc_t)
# cgclear local policy
#
-allow cgclear_t self:capability { dac_read_search dac_override sys_admin };
+allow cgclear_t self:capability { dac_override dac_read_search sys_admin };
allow cgclear_t cgconfig_etc_t:file read_file_perms;
@@ -57,7 +57,7 @@ fs_unmount_cgroup(cgclear_t)
# cgconfig local policy
#
-allow cgconfig_t self:capability { dac_override fowner fsetid chown sys_admin sys_tty_config };
+allow cgconfig_t self:capability { chown dac_override fowner fsetid sys_admin sys_tty_config };
allow cgconfig_t cgconfig_etc_t:file read_file_perms;
@@ -77,7 +77,7 @@ fs_unmount_cgroup(cgconfig_t)
# cgred local policy
#
-allow cgred_t self:capability { chown fsetid net_admin sys_admin sys_ptrace dac_override };
+allow cgred_t self:capability { chown dac_override fsetid net_admin sys_admin sys_ptrace };
allow cgred_t self:netlink_socket { write bind create read };
allow cgred_t self:unix_dgram_socket { write create connect };
diff --git a/policy/modules/contrib/chronyd.te b/policy/modules/contrib/chronyd.te
index 97c541c6..618f6cf5 100644
--- a/policy/modules/contrib/chronyd.te
+++ b/policy/modules/contrib/chronyd.te
@@ -35,7 +35,7 @@ files_pid_file(chronyd_var_run_t)
# Local policy
#
-allow chronyd_t self:capability { dac_override ipc_lock setuid setgid sys_resource sys_time };
+allow chronyd_t self:capability { dac_override ipc_lock setgid setuid sys_resource sys_time };
allow chronyd_t self:process { getcap setcap setrlimit signal };
allow chronyd_t self:shm create_shm_perms;
allow chronyd_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/cipe.te b/policy/modules/contrib/cipe.te
index e2a5c13c..729d7820 100644
--- a/policy/modules/contrib/cipe.te
+++ b/policy/modules/contrib/cipe.te
@@ -17,7 +17,7 @@ init_script_file(ciped_initrc_exec_t)
# Local policy
#
-allow ciped_t self:capability { net_admin ipc_lock sys_tty_config };
+allow ciped_t self:capability { ipc_lock net_admin sys_tty_config };
dontaudit ciped_t self:capability sys_tty_config;
allow ciped_t self:process signal_perms;
allow ciped_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/clamav.te b/policy/modules/contrib/clamav.te
index 0940e437..f2664e82 100644
--- a/policy/modules/contrib/clamav.te
+++ b/policy/modules/contrib/clamav.te
@@ -73,7 +73,7 @@ logging_log_file(freshclam_var_log_t)
# Clamd local policy
#
-allow clamd_t self:capability { kill setgid setuid dac_override };
+allow clamd_t self:capability { dac_override kill setgid setuid };
dontaudit clamd_t self:capability sys_tty_config;
allow clamd_t self:process signal;
allow clamd_t self:fifo_file rw_fifo_file_perms;
@@ -173,7 +173,7 @@ optional_policy(`
# Freshclam local policy
#
-allow freshclam_t self:capability { setgid setuid dac_override };
+allow freshclam_t self:capability { dac_override setgid setuid };
allow freshclam_t self:fifo_file rw_fifo_file_perms;
allow freshclam_t self:unix_stream_socket { accept listen };
allow freshclam_t self:tcp_socket { accept listen };
@@ -252,7 +252,7 @@ optional_policy(`
# Clamscam local policy
#
-allow clamscan_t self:capability { setgid setuid dac_override };
+allow clamscan_t self:capability { dac_override setgid setuid };
allow clamscan_t self:fifo_file rw_fifo_file_perms;
allow clamscan_t self:unix_stream_socket create_stream_socket_perms;
allow clamscan_t self:unix_dgram_socket create_socket_perms;
diff --git a/policy/modules/contrib/clockspeed.te b/policy/modules/contrib/clockspeed.te
index d3e2a67e..6544d006 100644
--- a/policy/modules/contrib/clockspeed.te
+++ b/policy/modules/contrib/clockspeed.te
@@ -49,7 +49,7 @@ userdom_use_user_terminals(clockspeed_cli_t)
# Server local policy
#
-allow clockspeed_srv_t self:capability { sys_time net_bind_service };
+allow clockspeed_srv_t self:capability { net_bind_service sys_time };
allow clockspeed_srv_t self:udp_socket create_socket_perms;
allow clockspeed_srv_t self:unix_dgram_socket create_socket_perms;
allow clockspeed_srv_t self:unix_stream_socket create_socket_perms;
diff --git a/policy/modules/contrib/clogd.te b/policy/modules/contrib/clogd.te
index 356ef465..b9a57b18 100644
--- a/policy/modules/contrib/clogd.te
+++ b/policy/modules/contrib/clogd.te
@@ -20,7 +20,7 @@ files_pid_file(clogd_var_run_t)
# Local policy
#
-allow clogd_t self:capability { net_admin mknod };
+allow clogd_t self:capability { mknod net_admin };
allow clogd_t self:process signal;
allow clogd_t self:sem create_sem_perms;
allow clogd_t self:shm create_shm_perms;
diff --git a/policy/modules/contrib/cmirrord.te b/policy/modules/contrib/cmirrord.te
index d916d65c..ece1a1ce 100644
--- a/policy/modules/contrib/cmirrord.te
+++ b/policy/modules/contrib/cmirrord.te
@@ -23,7 +23,7 @@ files_pid_file(cmirrord_var_run_t)
# Local policy
#
-allow cmirrord_t self:capability { net_admin kill };
+allow cmirrord_t self:capability { kill net_admin };
dontaudit cmirrord_t self:capability sys_tty_config;
allow cmirrord_t self:process { setfscreate signal };
allow cmirrord_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/colord.te b/policy/modules/contrib/colord.te
index b7a2b96f..0236b279 100644
--- a/policy/modules/contrib/colord.te
+++ b/policy/modules/contrib/colord.te
@@ -23,7 +23,7 @@ files_type(colord_var_lib_t)
# Local policy
#
-allow colord_t self:capability { dac_read_search dac_override };
+allow colord_t self:capability { dac_override dac_read_search };
dontaudit colord_t self:capability sys_admin;
allow colord_t self:process signal;
allow colord_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/comsat.te b/policy/modules/contrib/comsat.te
index c63cf855..9b7b3706 100644
--- a/policy/modules/contrib/comsat.te
+++ b/policy/modules/contrib/comsat.te
@@ -20,7 +20,7 @@ files_pid_file(comsat_var_run_t)
# Local policy
#
-allow comsat_t self:capability { setuid setgid };
+allow comsat_t self:capability { setgid setuid };
allow comsat_t self:process signal_perms;
allow comsat_t self:fifo_file rw_fifo_file_perms;
allow comsat_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
diff --git a/policy/modules/contrib/condor.te b/policy/modules/contrib/condor.te
index 33937669..fbb70249 100644
--- a/policy/modules/contrib/condor.te
+++ b/policy/modules/contrib/condor.te
@@ -130,7 +130,7 @@ optional_policy(`
# Master local policy
#
-allow condor_master_t self:capability { setuid setgid dac_override sys_ptrace };
+allow condor_master_t self:capability { dac_override setgid setuid sys_ptrace };
allow condor_master_t condor_domain:process { sigkill signal };
@@ -167,7 +167,7 @@ optional_policy(`
# Collector local policy
#
-allow condor_collector_t self:capability { setuid setgid };
+allow condor_collector_t self:capability { setgid setuid };
allow condor_collector_t condor_master_t:tcp_socket rw_stream_socket_perms;
allow condor_collector_t condor_master_t:udp_socket rw_socket_perms;
@@ -179,7 +179,7 @@ kernel_read_network_state(condor_collector_t)
# Negotiator local policy
#
-allow condor_negotiator_t self:capability { setuid setgid };
+allow condor_negotiator_t self:capability { setgid setuid };
allow condor_negotiator_t condor_master_t:tcp_socket rw_stream_socket_perms;
allow condor_negotiator_t condor_master_t:udp_socket getattr;
@@ -188,7 +188,7 @@ allow condor_negotiator_t condor_master_t:udp_socket getattr;
# Procd local policy
#
-allow condor_procd_t self:capability { fowner chown kill dac_override sys_ptrace };
+allow condor_procd_t self:capability { chown dac_override fowner kill sys_ptrace };
allow condor_procd_t condor_domain:process sigkill;
@@ -199,7 +199,7 @@ domain_read_all_domains_state(condor_procd_t)
# Schedd local policy
#
-allow condor_schedd_t self:capability { setuid chown setgid dac_override };
+allow condor_schedd_t self:capability { chown dac_override setgid setuid };
allow condor_schedd_t condor_master_t:tcp_socket rw_stream_socket_perms;
allow condor_schedd_t condor_master_t:udp_socket getattr;
@@ -219,7 +219,7 @@ files_tmp_filetrans(condor_schedd_t, condor_schedd_tmp_t, { file dir })
# Startd local policy
#
-allow condor_startd_t self:capability { setuid net_admin setgid dac_override };
+allow condor_startd_t self:capability { dac_override net_admin setgid setuid };
allow condor_startd_t self:process execmem;
manage_dirs_pattern(condor_startd_t, condor_startd_tmp_t, condor_startd_tmp_t)
diff --git a/policy/modules/contrib/consolekit.te b/policy/modules/contrib/consolekit.te
index 5b11390c..a2a51ba8 100644
--- a/policy/modules/contrib/consolekit.te
+++ b/policy/modules/contrib/consolekit.te
@@ -27,7 +27,7 @@ init_daemon_pid_file(consolekit_var_run_t, dir, "ConsoleKit")
# Local policy
#
-allow consolekit_t self:capability { chown fowner setuid setgid sys_admin sys_tty_config dac_override sys_nice sys_ptrace };
+allow consolekit_t self:capability { chown dac_override fowner setgid setuid sys_admin sys_nice sys_ptrace sys_tty_config };
allow consolekit_t self:process { getsched signal setfscreate };
allow consolekit_t self:fifo_file rw_fifo_file_perms;
allow consolekit_t self:unix_stream_socket { accept listen };
diff --git a/policy/modules/contrib/corosync.te b/policy/modules/contrib/corosync.te
index 43ec8c61..771582f0 100644
--- a/policy/modules/contrib/corosync.te
+++ b/policy/modules/contrib/corosync.te
@@ -33,9 +33,9 @@ files_pid_file(corosync_var_run_t)
# Local policy
#
-allow corosync_t self:capability { dac_override fowner setuid setgid sys_nice sys_admin sys_resource ipc_lock };
+allow corosync_t self:capability { dac_override fowner ipc_lock setgid setuid sys_admin sys_nice sys_resource };
# for hearbeat
-allow corosync_t self:capability { net_raw chown };
+allow corosync_t self:capability { chown net_raw };
allow corosync_t self:process { setpgid setrlimit setsched signal signull };
allow corosync_t self:fifo_file rw_fifo_file_perms;
allow corosync_t self:sem create_sem_perms;
diff --git a/policy/modules/contrib/courier.te b/policy/modules/contrib/courier.te
index 35ba8d89..176bd5c2 100644
--- a/policy/modules/contrib/courier.te
+++ b/policy/modules/contrib/courier.te
@@ -85,7 +85,7 @@ optional_policy(`
# Authdaemon local policy
#
-allow courier_authdaemon_t self:capability { setuid setgid sys_tty_config };
+allow courier_authdaemon_t self:capability { setgid setuid sys_tty_config };
allow courier_authdaemon_t self:unix_stream_socket { accept connectto listen };
create_dirs_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t)
@@ -123,7 +123,7 @@ userdom_dontaudit_search_user_home_dirs(courier_authdaemon_t)
# Calendar (PCP) local policy
#
-allow courier_pcp_t self:capability { setuid setgid };
+allow courier_pcp_t self:capability { setgid setuid };
dev_read_rand(courier_pcp_t)
diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te
index 1c6f3867..905deb16 100644
--- a/policy/modules/contrib/cron.te
+++ b/policy/modules/contrib/cron.te
@@ -141,7 +141,7 @@ ifdef(`enable_mcs',`
# Common crontab local policy
#
-allow crontab_domain self:capability { fowner setuid setgid chown dac_override };
+allow crontab_domain self:capability { chown dac_override fowner setgid setuid };
allow crontab_domain self:process { getcap setsched signal_perms };
allow crontab_domain self:fifo_file rw_fifo_file_perms;
@@ -217,7 +217,7 @@ tunable_policy(`fcron_crond',`
# Daemon local policy
#
-allow crond_t self:capability { dac_override chown fowner setgid setuid sys_nice dac_read_search };
+allow crond_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_nice };
dontaudit crond_t self:capability { sys_resource sys_tty_config };
allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
allow crond_t self:process { setexec setfscreate };
@@ -425,7 +425,7 @@ optional_policy(`
# System local policy
#
-allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice };
+allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_bind_service setgid setuid sys_nice };
allow system_cronjob_t self:process { signal_perms getsched setsched };
allow system_cronjob_t self:fd use;
allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te
index c90e2120..8fdd713f 100644
--- a/policy/modules/contrib/cups.te
+++ b/policy/modules/contrib/cups.te
@@ -109,8 +109,8 @@ ifdef(`enable_mls',`
# Cups local policy
#
-allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill setgid setuid fsetid fowner chown dac_override sys_rawio sys_resource sys_tty_config };
-dontaudit cupsd_t self:capability { sys_tty_config net_admin };
+allow cupsd_t self:capability { chown dac_override dac_override dac_read_search fowner fsetid ipc_lock kill setgid setuid sys_admin sys_rawio sys_resource sys_tty_config };
+dontaudit cupsd_t self:capability { net_admin sys_tty_config };
allow cupsd_t self:capability2 block_suspend;
allow cupsd_t self:process { getpgid setpgid setsched signal_perms };
allow cupsd_t self:fifo_file rw_fifo_file_perms;
@@ -357,7 +357,7 @@ optional_policy(`
# Configuration daemon local policy
#
-allow cupsd_config_t self:capability { chown dac_override sys_tty_config setuid setgid };
+allow cupsd_config_t self:capability { chown dac_override setgid setuid sys_tty_config };
dontaudit cupsd_config_t self:capability sys_tty_config;
allow cupsd_config_t self:process { getsched signal_perms };
allow cupsd_config_t self:fifo_file rw_fifo_file_perms;
@@ -500,7 +500,7 @@ optional_policy(`
# Lpd local policy
#
-allow cupsd_lpd_t self:capability { setuid setgid };
+allow cupsd_lpd_t self:capability { setgid setuid };
allow cupsd_lpd_t self:process signal_perms;
allow cupsd_lpd_t self:fifo_file rw_fifo_file_perms;
allow cupsd_lpd_t self:tcp_socket { accept listen };
@@ -562,7 +562,7 @@ optional_policy(`
# Pdf local policy
#
-allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override };
+allow cups_pdf_t self:capability { chown dac_override fowner fsetid setgid setuid };
allow cups_pdf_t self:fifo_file rw_fifo_file_perms;
allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
diff --git a/policy/modules/contrib/cvs.te b/policy/modules/contrib/cvs.te
index ab055c99..f090b62a 100644
--- a/policy/modules/contrib/cvs.te
+++ b/policy/modules/contrib/cvs.te
@@ -39,7 +39,7 @@ files_pid_file(cvs_var_run_t)
# Local policy
#
-allow cvs_t self:capability { setuid setgid };
+allow cvs_t self:capability { setgid setuid };
allow cvs_t self:process signal_perms;
allow cvs_t self:fifo_file rw_fifo_file_perms;
allow cvs_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
diff --git a/policy/modules/contrib/daemontools.te b/policy/modules/contrib/daemontools.te
index 78a01e75..d355befc 100644
--- a/policy/modules/contrib/daemontools.te
+++ b/policy/modules/contrib/daemontools.te
@@ -55,7 +55,7 @@ logging_manage_generic_logs(svc_multilog_t)
# ie. softlimit, setuidgid, envuidgid, envdir, fghack ..
#
-allow svc_run_t self:capability { setgid setuid chown fsetid sys_resource };
+allow svc_run_t self:capability { chown fsetid setgid setuid sys_resource };
allow svc_run_t self:process setrlimit;
allow svc_run_t self:fifo_file rw_fifo_file_perms;
allow svc_run_t self:unix_stream_socket create_stream_socket_perms;
diff --git a/policy/modules/contrib/dante.te b/policy/modules/contrib/dante.te
index 4ed8790f..124f2c58 100644
--- a/policy/modules/contrib/dante.te
+++ b/policy/modules/contrib/dante.te
@@ -23,7 +23,7 @@ files_pid_file(dante_var_run_t)
# Local policy
#
-allow dante_t self:capability { setuid setgid };
+allow dante_t self:capability { setgid setuid };
dontaudit dante_t self:capability sys_tty_config;
allow dante_t self:process signal_perms;
allow dante_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index 42c7d4fe..78de2022 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -60,7 +60,7 @@ ifdef(`enable_mls',`
# Local policy
#
-allow system_dbusd_t self:capability { sys_resource dac_override setgid setpcap setuid };
+allow system_dbusd_t self:capability { dac_override setgid setpcap setuid sys_resource };
dontaudit system_dbusd_t self:capability sys_tty_config;
allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap setrlimit };
allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/dcc.te b/policy/modules/contrib/dcc.te
index 0a6abd4b..9b1c25e7 100644
--- a/policy/modules/contrib/dcc.te
+++ b/policy/modules/contrib/dcc.te
@@ -82,7 +82,7 @@ files_pid_file(dccm_var_run_t)
# Daemon controller local policy
#
-allow cdcc_t self:capability { setuid setgid };
+allow cdcc_t self:capability { setgid setuid };
manage_dirs_pattern(cdcc_t, cdcc_tmp_t, cdcc_tmp_t)
manage_files_pattern(cdcc_t, cdcc_tmp_t, cdcc_tmp_t)
@@ -109,7 +109,7 @@ userdom_use_user_terminals(cdcc_t)
# Procmail interface local policy
#
-allow dcc_client_t self:capability { setuid setgid };
+allow dcc_client_t self:capability { setgid setuid };
allow dcc_client_t dcc_client_map_t:file rw_file_perms;
diff --git a/policy/modules/contrib/ddcprobe.te b/policy/modules/contrib/ddcprobe.te
index 8fa4bb99..8d1263ae 100644
--- a/policy/modules/contrib/ddcprobe.te
+++ b/policy/modules/contrib/ddcprobe.te
@@ -18,7 +18,7 @@ role ddcprobe_roles types ddcprobe_t;
# Local policy
#
-allow ddcprobe_t self:capability { sys_rawio sys_admin };
+allow ddcprobe_t self:capability { sys_admin sys_rawio };
allow ddcprobe_t self:process execmem;
kernel_read_system_state(ddcprobe_t)
diff --git a/policy/modules/contrib/devicekit.te b/policy/modules/contrib/devicekit.te
index a5926c4a..82ce25c3 100644
--- a/policy/modules/contrib/devicekit.te
+++ b/policy/modules/contrib/devicekit.te
@@ -64,7 +64,7 @@ optional_policy(`
# Disk local policy
#
-allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_ptrace sys_rawio };
+allow devicekit_disk_t self:capability { chown dac_override fowner fsetid net_admin setgid setuid sys_admin sys_nice sys_ptrace sys_rawio };
allow devicekit_disk_t self:process { getsched signal_perms };
allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -197,7 +197,7 @@ optional_policy(`
# Power local policy
#
-allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice sys_ptrace };
+allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_nice sys_ptrace sys_tty_config };
allow devicekit_power_t self:capability2 wake_alarm;
allow devicekit_power_t self:process { getsched signal_perms };
allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/dhcp.te b/policy/modules/contrib/dhcp.te
index a5f6ecd8..2fbf84ed 100644
--- a/policy/modules/contrib/dhcp.te
+++ b/policy/modules/contrib/dhcp.te
@@ -37,7 +37,7 @@ files_pid_file(dhcpd_var_run_t)
# Local policy
#
-allow dhcpd_t self:capability { chown dac_override sys_chroot net_raw setgid setuid sys_resource };
+allow dhcpd_t self:capability { chown dac_override net_raw setgid setuid sys_chroot sys_resource };
dontaudit dhcpd_t self:capability { net_admin sys_tty_config };
allow dhcpd_t self:process { getcap setcap signal_perms };
allow dhcpd_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/dictd.te b/policy/modules/contrib/dictd.te
index 74b38850..c390b549 100644
--- a/policy/modules/contrib/dictd.te
+++ b/policy/modules/contrib/dictd.te
@@ -26,7 +26,7 @@ files_pid_file(dictd_var_run_t)
# Local policy
#
-allow dictd_t self:capability { setuid setgid };
+allow dictd_t self:capability { setgid setuid };
dontaudit dictd_t self:capability sys_tty_config;
allow dictd_t self:process { signal_perms setpgid };
allow dictd_t self:unix_stream_socket { accept listen };
diff --git a/policy/modules/contrib/dnsmasq.te b/policy/modules/contrib/dnsmasq.te
index 23fdaa0d..ee961ce2 100644
--- a/policy/modules/contrib/dnsmasq.te
+++ b/policy/modules/contrib/dnsmasq.te
@@ -32,7 +32,7 @@ files_pid_file(dnsmasq_var_run_t)
# Local policy
#
-allow dnsmasq_t self:capability { chown dac_override net_admin setgid setuid net_raw };
+allow dnsmasq_t self:capability { chown dac_override net_admin net_raw setgid setuid };
dontaudit dnsmasq_t self:capability sys_tty_config;
allow dnsmasq_t self:process { getcap setcap signal_perms };
allow dnsmasq_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/dovecot.te b/policy/modules/contrib/dovecot.te
index fcfcf3c2..1701e3f0 100644
--- a/policy/modules/contrib/dovecot.te
+++ b/policy/modules/contrib/dovecot.te
@@ -92,7 +92,7 @@ miscfiles_read_localization(dovecot_domain)
# Local policy
#
-allow dovecot_t self:capability { dac_override dac_read_search chown fsetid kill setgid setuid sys_chroot };
+allow dovecot_t self:capability { chown dac_override dac_read_search fsetid kill setgid setuid sys_chroot };
dontaudit dovecot_t self:capability sys_tty_config;
allow dovecot_t self:process { setrlimit signal_perms getcap setcap setsched };
allow dovecot_t self:tcp_socket { accept listen };
diff --git a/policy/modules/contrib/dpkg.te b/policy/modules/contrib/dpkg.te
index 9bb9d6f6..84dd6ba1 100644
--- a/policy/modules/contrib/dpkg.te
+++ b/policy/modules/contrib/dpkg.te
@@ -49,7 +49,7 @@ files_tmpfs_file(dpkg_script_tmpfs_t)
# Local policy
#
-allow dpkg_t self:capability { chown dac_override fowner fsetid setgid setuid kill sys_tty_config sys_nice sys_resource mknod linux_immutable };
+allow dpkg_t self:capability { chown dac_override fowner fsetid kill linux_immutable mknod setgid setuid sys_nice sys_resource sys_tty_config };
allow dpkg_t self:process { setpgid fork getsched setfscreate };
allow dpkg_t self:fd use;
allow dpkg_t self:fifo_file rw_fifo_file_perms;
@@ -202,7 +202,7 @@ optional_policy(`
# Script Local policy
#
-allow dpkg_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill };
+allow dpkg_script_t self:capability { chown dac_override dac_read_search fowner fsetid ipc_lock kill mknod setgid setuid sys_chroot sys_nice };
allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow dpkg_script_t self:fd use;
allow dpkg_script_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/evolution.te b/policy/modules/contrib/evolution.te
index b2376d6d..d717829a 100644
--- a/policy/modules/contrib/evolution.te
+++ b/policy/modules/contrib/evolution.te
@@ -110,7 +110,7 @@ userdom_user_tmpfs_file(evolution_webcal_tmpfs_t)
# Local policy
#
-allow evolution_t self:capability { setuid setgid sys_nice };
+allow evolution_t self:capability { setgid setuid sys_nice };
allow evolution_t self:process { signal getsched setsched };
allow evolution_t self:fifo_file rw_file_perms;
diff --git a/policy/modules/contrib/exim.te b/policy/modules/contrib/exim.te
index 97dff0ac..66421ff3 100644
--- a/policy/modules/contrib/exim.te
+++ b/policy/modules/contrib/exim.te
@@ -73,7 +73,7 @@ ifdef(`distro_debian',`
# Local policy
#
-allow exim_t self:capability { chown dac_override fowner setuid setgid sys_resource };
+allow exim_t self:capability { chown dac_override fowner setgid setuid sys_resource };
allow exim_t self:process { setrlimit setpgid };
allow exim_t self:fifo_file rw_fifo_file_perms;
allow exim_t self:unix_stream_socket { accept listen };
diff --git a/policy/modules/contrib/fail2ban.te b/policy/modules/contrib/fail2ban.te
index 6f34502d..215d0935 100644
--- a/policy/modules/contrib/fail2ban.te
+++ b/policy/modules/contrib/fail2ban.te
@@ -36,7 +36,7 @@ role fail2ban_client_roles types fail2ban_client_t;
# Server Local policy
#
-allow fail2ban_t self:capability { dac_read_search dac_override sys_tty_config };
+allow fail2ban_t self:capability { dac_override dac_read_search sys_tty_config };
allow fail2ban_t self:process signal;
allow fail2ban_t self:fifo_file rw_fifo_file_perms;
allow fail2ban_t self:unix_stream_socket { accept connectto listen };
diff --git a/policy/modules/contrib/finger.te b/policy/modules/contrib/finger.te
index 0de8ac23..d7fdd5eb 100644
--- a/policy/modules/contrib/finger.te
+++ b/policy/modules/contrib/finger.te
@@ -25,7 +25,7 @@ files_pid_file(fingerd_var_run_t)
#
allow fingerd_t self:capability { setgid setuid };
-dontaudit fingerd_t self:capability { sys_tty_config fsetid };
+dontaudit fingerd_t self:capability { fsetid sys_tty_config };
allow fingerd_t self:process signal_perms;
allow fingerd_t self:fifo_file rw_fifo_file_perms;
allow fingerd_t self:tcp_socket connected_stream_socket_perms;
diff --git a/policy/modules/contrib/ftp.te b/policy/modules/contrib/ftp.te
index faf6863a..7e81e249 100644
--- a/policy/modules/contrib/ftp.te
+++ b/policy/modules/contrib/ftp.te
@@ -170,7 +170,7 @@ ifdef(`enable_mls',`
# Local policy
#
-allow ftpd_t self:capability { chown fowner fsetid ipc_lock kill setgid setuid sys_chroot sys_admin sys_nice sys_resource };
+allow ftpd_t self:capability { chown fowner fsetid ipc_lock kill setgid setuid sys_admin sys_chroot sys_nice sys_resource };
dontaudit ftpd_t self:capability sys_tty_config;
allow ftpd_t self:process { getcap getpgid setcap setsched setrlimit signal_perms };
allow ftpd_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/gdomap.te b/policy/modules/contrib/gdomap.te
index 3227543f..e710d356 100644
--- a/policy/modules/contrib/gdomap.te
+++ b/policy/modules/contrib/gdomap.te
@@ -23,7 +23,7 @@ files_pid_file(gdomap_var_run_t)
# Local policy
#
-allow gdomap_t self:capability { setuid sys_chroot net_bind_service setgid };
+allow gdomap_t self:capability { net_bind_service setgid setuid sys_chroot };
allow gdomap_t self:tcp_socket { listen accept };
allow gdomap_t gdomap_var_run_t:file manage_file_perms;
diff --git a/policy/modules/contrib/glusterfs.te b/policy/modules/contrib/glusterfs.te
index 83a5806a..07bd10d7 100644
--- a/policy/modules/contrib/glusterfs.te
+++ b/policy/modules/contrib/glusterfs.te
@@ -32,7 +32,7 @@ files_type(glusterd_var_lib_t)
# Local policy
#
-allow glusterd_t self:capability { sys_admin sys_resource dac_override chown dac_read_search fowner };
+allow glusterd_t self:capability { chown dac_override dac_read_search fowner sys_admin sys_resource };
allow glusterd_t self:process { setrlimit signal };
allow glusterd_t self:fifo_file rw_fifo_file_perms;
allow glusterd_t self:tcp_socket { accept listen };
diff --git a/policy/modules/contrib/gpm.te b/policy/modules/contrib/gpm.te
index 5cbfa3a6..4e2b5f9c 100644
--- a/policy/modules/contrib/gpm.te
+++ b/policy/modules/contrib/gpm.te
@@ -29,7 +29,7 @@ files_type(gpmctl_t)
# Local policy
#
-allow gpm_t self:capability { setpcap setuid dac_override sys_admin sys_tty_config };
+allow gpm_t self:capability { dac_override setpcap setuid sys_admin sys_tty_config };
allow gpm_t self:process { signal signull getcap setcap };
allow gpm_t self:unix_stream_socket { accept listen };
diff --git a/policy/modules/contrib/gpsd.te b/policy/modules/contrib/gpsd.te
index bd09110f..6f4e8b79 100644
--- a/policy/modules/contrib/gpsd.te
+++ b/policy/modules/contrib/gpsd.te
@@ -27,8 +27,8 @@ files_pid_file(gpsd_var_run_t)
# Local policy
#
-allow gpsd_t self:capability { fowner fsetid setuid setgid sys_nice sys_time sys_tty_config };
-dontaudit gpsd_t self:capability { dac_read_search dac_override };
+allow gpsd_t self:capability { fowner fsetid setgid setuid sys_nice sys_time sys_tty_config };
+dontaudit gpsd_t self:capability { dac_override dac_read_search };
allow gpsd_t self:process { setsched signal_perms };
allow gpsd_t self:shm create_shm_perms;
allow gpsd_t self:unix_dgram_socket sendto;
diff --git a/policy/modules/contrib/hadoop.te b/policy/modules/contrib/hadoop.te
index f22683e3..9f333bfd 100644
--- a/policy/modules/contrib/hadoop.te
+++ b/policy/modules/contrib/hadoop.te
@@ -246,7 +246,7 @@ optional_policy(`
# Common hadoop_initrc_domain local policy
#
-allow hadoop_initrc_domain self:capability { setuid setgid };
+allow hadoop_initrc_domain self:capability { setgid setuid };
dontaudit hadoop_initrc_domain self:capability sys_tty_config;
allow hadoop_initrc_domain self:process setsched;
allow hadoop_initrc_domain self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/hal.te b/policy/modules/contrib/hal.te
index d3296e28..31035d15 100644
--- a/policy/modules/contrib/hal.te
+++ b/policy/modules/contrib/hal.te
@@ -72,7 +72,7 @@ hal_stream_connect(hald_domain)
# Local policy
#
-allow hald_t self:capability { chown setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config };
+allow hald_t self:capability { chown dac_override dac_read_search kill mknod net_admin setgid setuid sys_admin sys_nice sys_rawio sys_tty_config };
dontaudit hald_t self:capability { sys_ptrace sys_tty_config };
allow hald_t self:process { getsched getattr signal_perms };
allow hald_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/ifplugd.te b/policy/modules/contrib/ifplugd.te
index addcca5a..4f1223db 100644
--- a/policy/modules/contrib/ifplugd.te
+++ b/policy/modules/contrib/ifplugd.te
@@ -23,7 +23,7 @@ files_pid_file(ifplugd_var_run_t)
# Local policy
#
-allow ifplugd_t self:capability { net_admin sys_nice net_bind_service };
+allow ifplugd_t self:capability { net_admin net_bind_service sys_nice };
dontaudit ifplugd_t self:capability sys_tty_config;
allow ifplugd_t self:process { signal signull };
allow ifplugd_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/inetd.te b/policy/modules/contrib/inetd.te
index 1974c112..66c15680 100644
--- a/policy/modules/contrib/inetd.te
+++ b/policy/modules/contrib/inetd.te
@@ -37,7 +37,7 @@ ifdef(`enable_mcs',`
# Local policy
#
-allow inetd_t self:capability { setuid setgid sys_resource };
+allow inetd_t self:capability { setgid setuid sys_resource };
dontaudit inetd_t self:capability sys_tty_config;
allow inetd_t self:process { setsched setexec setrlimit };
allow inetd_t self:fifo_file rw_fifo_file_perms;
@@ -204,7 +204,7 @@ optional_policy(`
# Child local policy
#
-allow inetd_child_t self:capability { setuid setgid };
+allow inetd_child_t self:capability { setgid setuid };
allow inetd_child_t self:process signal_perms;
allow inetd_child_t self:fifo_file rw_fifo_file_perms;
allow inetd_child_t self:tcp_socket { accept listen };
diff --git a/policy/modules/contrib/iodine.te b/policy/modules/contrib/iodine.te
index 6eb84095..c35fc069 100644
--- a/policy/modules/contrib/iodine.te
+++ b/policy/modules/contrib/iodine.te
@@ -17,7 +17,7 @@ init_script_file(iodined_initrc_exec_t)
# Local policy
#
-allow iodined_t self:capability { net_admin net_raw sys_chroot setgid setuid };
+allow iodined_t self:capability { net_admin net_raw setgid setuid sys_chroot };
allow iodined_t self:rawip_socket create_socket_perms;
allow iodined_t self:tun_socket create_socket_perms;
allow iodined_t self:udp_socket connected_socket_perms;
diff --git a/policy/modules/contrib/kdump.te b/policy/modules/contrib/kdump.te
index e758c15f..9981dc55 100644
--- a/policy/modules/contrib/kdump.te
+++ b/policy/modules/contrib/kdump.te
@@ -31,7 +31,7 @@ files_tmp_file(kdumpctl_tmp_t)
# Local policy
#
-allow kdump_t self:capability { sys_boot dac_override };
+allow kdump_t self:capability { dac_override sys_boot };
allow kdump_t kdump_etc_t:file read_file_perms;
diff --git a/policy/modules/contrib/kerberos.te b/policy/modules/contrib/kerberos.te
index 38532d33..d226156e 100644
--- a/policy/modules/contrib/kerberos.te
+++ b/policy/modules/contrib/kerberos.te
@@ -74,7 +74,7 @@ files_pid_file(krb5kdc_var_run_t)
# kadmind local policy
#
-allow kadmind_t self:capability { setuid setgid chown fowner dac_override sys_nice };
+allow kadmind_t self:capability { chown dac_override fowner setgid setuid sys_nice };
dontaudit kadmind_t self:capability sys_tty_config;
allow kadmind_t self:capability2 block_suspend;
allow kadmind_t self:process { setfscreate setsched getsched signal_perms };
@@ -174,7 +174,7 @@ optional_policy(`
# Krb5kdc local policy
#
-allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice };
+allow krb5kdc_t self:capability { chown dac_override fowner net_admin setgid setuid sys_nice };
dontaudit krb5kdc_t self:capability sys_tty_config;
allow krb5kdc_t self:capability2 block_suspend;
allow krb5kdc_t self:process { setfscreate setsched getsched signal_perms };
diff --git a/policy/modules/contrib/kismet.te b/policy/modules/contrib/kismet.te
index 30c8c689..a581ece2 100644
--- a/policy/modules/contrib/kismet.te
+++ b/policy/modules/contrib/kismet.te
@@ -38,7 +38,7 @@ files_pid_file(kismet_var_run_t)
# Local policy
#
-allow kismet_t self:capability { dac_override kill net_admin net_raw setuid setgid };
+allow kismet_t self:capability { dac_override kill net_admin net_raw setgid setuid };
allow kismet_t self:process signal_perms;
allow kismet_t self:fifo_file rw_fifo_file_perms;
allow kismet_t self:packet_socket create_socket_perms;
diff --git a/policy/modules/contrib/kudzu.te b/policy/modules/contrib/kudzu.te
index 4116d008..00b43648 100644
--- a/policy/modules/contrib/kudzu.te
+++ b/policy/modules/contrib/kudzu.te
@@ -26,7 +26,7 @@ files_pid_file(kudzu_var_run_t)
# Local policy
#
-allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod };
+allow kudzu_t self:capability { dac_override mknod net_admin sys_admin sys_rawio sys_tty_config };
dontaudit kudzu_t self:capability sys_tty_config;
allow kudzu_t self:process { signal_perms execmem };
allow kudzu_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/ldap.te b/policy/modules/contrib/ldap.te
index b740c730..023884ab 100644
--- a/policy/modules/contrib/ldap.te
+++ b/policy/modules/contrib/ldap.te
@@ -50,7 +50,7 @@ files_pid_file(slapd_var_run_t)
# Local policy
#
-allow slapd_t self:capability { kill setgid setuid net_raw dac_override dac_read_search };
+allow slapd_t self:capability { dac_override dac_read_search kill net_raw setgid setuid };
dontaudit slapd_t self:capability sys_tty_config;
allow slapd_t self:process setsched;
allow slapd_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/likewise.te b/policy/modules/contrib/likewise.te
index 58c05712..21d18a3c 100644
--- a/policy/modules/contrib/likewise.te
+++ b/policy/modules/contrib/likewise.te
@@ -102,7 +102,7 @@ corenet_tcp_sendrecv_epmap_port(eventlogd_t)
# lsassd local policy
#
-allow lsassd_t self:capability { fowner chown fsetid dac_override sys_time };
+allow lsassd_t self:capability { chown dac_override fowner fsetid sys_time };
allow lsassd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow lsassd_t self:netlink_route_socket rw_netlink_socket_perms;
@@ -165,7 +165,7 @@ optional_policy(`
# lwiod local policy
#
-allow lwiod_t self:capability { fowner chown fsetid dac_override sys_resource };
+allow lwiod_t self:capability { chown dac_override fowner fsetid sys_resource };
allow lwiod_t self:process setrlimit;
allow lwiod_t self:netlink_route_socket rw_netlink_socket_perms;
diff --git a/policy/modules/contrib/logrotate.te b/policy/modules/contrib/logrotate.te
index e2daa42d..1179568b 100644
--- a/policy/modules/contrib/logrotate.te
+++ b/policy/modules/contrib/logrotate.te
@@ -36,7 +36,7 @@ role system_r types logrotate_mail_t;
# Local policy
#
-allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner setuid setgid sys_resource sys_nice };
+allow logrotate_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_nice sys_resource };
allow logrotate_t self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap };
allow logrotate_t self:fd use;
allow logrotate_t self:key manage_key_perms;
diff --git a/policy/modules/contrib/logwatch.te b/policy/modules/contrib/logwatch.te
index 353a5311..24f1c17b 100644
--- a/policy/modules/contrib/logwatch.te
+++ b/policy/modules/contrib/logwatch.te
@@ -173,7 +173,7 @@ optional_policy(`
# Mail local policy
#
-allow logwatch_mail_t self:capability { dac_read_search dac_override };
+allow logwatch_mail_t self:capability { dac_override dac_read_search };
allow logwatch_mail_t logwatch_t:fd use;
allow logwatch_mail_t logwatch_t:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/lpd.te b/policy/modules/contrib/lpd.te
index fc70ff9e..8ebe2435 100644
--- a/policy/modules/contrib/lpd.te
+++ b/policy/modules/contrib/lpd.te
@@ -62,7 +62,7 @@ files_config_file(printconf_t)
# Checkpc local policy
#
-allow checkpc_t self:capability { setgid setuid dac_override };
+allow checkpc_t self:capability { dac_override setgid setuid };
allow checkpc_t self:process signal_perms;
allow checkpc_t self:unix_stream_socket create_socket_perms;
allow checkpc_t self:tcp_socket create_socket_perms;
@@ -126,7 +126,7 @@ optional_policy(`
# Lpd local policy
#
-allow lpd_t self:capability { setgid setuid dac_read_search dac_override chown fowner };
+allow lpd_t self:capability { chown dac_override dac_read_search fowner setgid setuid };
dontaudit lpd_t self:capability sys_tty_config;
allow lpd_t self:process signal_perms;
allow lpd_t self:fifo_file rw_fifo_file_perms;
@@ -214,7 +214,7 @@ optional_policy(`
# Lpr local policy
#
-allow lpr_t self:capability { setuid dac_override net_bind_service chown };
+allow lpr_t self:capability { chown dac_override net_bind_service setuid };
allow lpr_t self:unix_stream_socket { accept listen };
allow lpd_t print_spool_t:file { read_file_perms rename_file_perms delete_file_perms };
diff --git a/policy/modules/contrib/mailman.te b/policy/modules/contrib/mailman.te
index 46d98e79..7421ce3a 100644
--- a/policy/modules/contrib/mailman.te
+++ b/policy/modules/contrib/mailman.te
@@ -115,7 +115,7 @@ optional_policy(`
# Mail local policy
#
-allow mailman_mail_t self:capability { kill dac_override setuid setgid sys_tty_config };
+allow mailman_mail_t self:capability { dac_override kill setgid setuid sys_tty_config };
allow mailman_mail_t self:process { signal signull };
manage_files_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t)
diff --git a/policy/modules/contrib/mailscanner.te b/policy/modules/contrib/mailscanner.te
index 14840eda..d8dcb317 100644
--- a/policy/modules/contrib/mailscanner.te
+++ b/policy/modules/contrib/mailscanner.te
@@ -29,7 +29,7 @@ files_pid_file(mscan_var_run_t)
# Local policy
#
-allow mscan_t self:capability { setuid chown setgid dac_override };
+allow mscan_t self:capability { chown dac_override setgid setuid };
allow mscan_t self:process signal;
allow mscan_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/mandb.te b/policy/modules/contrib/mandb.te
index ce0ac3c8..142e7e07 100644
--- a/policy/modules/contrib/mandb.te
+++ b/policy/modules/contrib/mandb.te
@@ -21,7 +21,7 @@ init_unit_file(mandb_unit_t)
# Local policy
#
-allow mandb_t self:capability { setuid setgid };
+allow mandb_t self:capability { setgid setuid };
allow mandb_t self:process { setsched signal };
allow mandb_t self:fifo_file rw_fifo_file_perms;
allow mandb_t self:unix_stream_socket create_stream_socket_perms;
diff --git a/policy/modules/contrib/memcached.te b/policy/modules/contrib/memcached.te
index 570035ef..c90c632f 100644
--- a/policy/modules/contrib/memcached.te
+++ b/policy/modules/contrib/memcached.te
@@ -20,7 +20,7 @@ files_pid_file(memcached_var_run_t)
# Local policy
#
-allow memcached_t self:capability { setuid setgid };
+allow memcached_t self:capability { setgid setuid };
dontaudit memcached_t self:capability sys_tty_config;
allow memcached_t self:process { setrlimit signal_perms };
allow memcached_t self:tcp_socket { accept listen };
diff --git a/policy/modules/contrib/milter.te b/policy/modules/contrib/milter.te
index c25488c9..7c4b347d 100644
--- a/policy/modules/contrib/milter.te
+++ b/policy/modules/contrib/milter.te
@@ -82,7 +82,7 @@ optional_policy(`
# regex local policy
#
-allow regex_milter_t self:capability { setuid setgid dac_override };
+allow regex_milter_t self:capability { dac_override setgid setuid };
files_search_spool(regex_milter_t)
diff --git a/policy/modules/contrib/minissdpd.te b/policy/modules/contrib/minissdpd.te
index f1a37029..d16cdb1b 100644
--- a/policy/modules/contrib/minissdpd.te
+++ b/policy/modules/contrib/minissdpd.te
@@ -23,7 +23,7 @@ files_pid_file(minissdpd_var_run_t)
# Local policy
#
-allow minissdpd_t self:capability { sys_module net_admin };
+allow minissdpd_t self:capability { net_admin sys_module };
allow minissdpd_t self:netlink_route_socket r_netlink_socket_perms;
allow minissdpd_t self:udp_socket create_socket_perms;
allow minissdpd_t self:unix_dgram_socket create_socket_perms;
diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
index fa651ed4..85d6bda1 100644
--- a/policy/modules/contrib/mozilla.te
+++ b/policy/modules/contrib/mozilla.te
@@ -81,7 +81,7 @@ userdom_user_tmpfs_file(mozilla_tmpfs_t)
# Local policy
#
-allow mozilla_t self:capability { sys_nice setgid setuid };
+allow mozilla_t self:capability { setgid setuid sys_nice };
allow mozilla_t self:process { sigkill signal setsched getsched setrlimit };
allow mozilla_t self:fifo_file rw_fifo_file_perms;
allow mozilla_t self:shm create_shm_perms;
@@ -533,7 +533,7 @@ optional_policy(`
# Plugin config local policy
#
-allow mozilla_plugin_config_t self:capability { dac_override dac_read_search sys_nice setuid setgid };
+allow mozilla_plugin_config_t self:capability { dac_override dac_read_search setgid setuid sys_nice };
allow mozilla_plugin_config_t self:process { setsched signal_perms getsched };
allow mozilla_plugin_config_t self:fifo_file rw_fifo_file_perms;
allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms;
diff --git a/policy/modules/contrib/mrtg.te b/policy/modules/contrib/mrtg.te
index 42b484c0..5126d9d5 100644
--- a/policy/modules/contrib/mrtg.te
+++ b/policy/modules/contrib/mrtg.te
@@ -32,7 +32,7 @@ files_pid_file(mrtg_var_run_t)
# Local policy
#
-allow mrtg_t self:capability { setgid setuid chown };
+allow mrtg_t self:capability { chown setgid setuid };
dontaudit mrtg_t self:capability sys_tty_config;
allow mrtg_t self:process signal_perms;
allow mrtg_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/mta.te b/policy/modules/contrib/mta.te
index f0c4b92c..9a3ee20e 100644
--- a/policy/modules/contrib/mta.te
+++ b/policy/modules/contrib/mta.te
@@ -55,7 +55,7 @@ userdom_user_tmp_file(user_mail_tmp_t)
# Common base mail policy
#
-allow user_mail_domain self:capability { setuid setgid chown };
+allow user_mail_domain self:capability { chown setgid setuid };
allow user_mail_domain self:process { signal_perms setrlimit };
allow user_mail_domain self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/nagios.te b/policy/modules/contrib/nagios.te
index 3f1a7b95..44c2abcd 100644
--- a/policy/modules/contrib/nagios.te
+++ b/policy/modules/contrib/nagios.te
@@ -216,8 +216,8 @@ optional_policy(`
# Nrpe local policy
#
-allow nrpe_t self:capability { setuid setgid };
-dontaudit nrpe_t self:capability { sys_tty_config sys_resource };
+allow nrpe_t self:capability { setgid setuid };
+dontaudit nrpe_t self:capability { sys_resource sys_tty_config };
allow nrpe_t self:process { setpgid signal_perms setsched setrlimit };
allow nrpe_t self:fifo_file rw_fifo_file_perms;
allow nrpe_t self:tcp_socket { accept listen };
@@ -311,7 +311,7 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t)
# Mail local policy
#
-allow nagios_mail_plugin_t self:capability { setuid setgid dac_override };
+allow nagios_mail_plugin_t self:capability { dac_override setgid setuid };
allow nagios_mail_plugin_t self:tcp_socket { accept listen };
kernel_read_kernel_sysctls(nagios_mail_plugin_t)
@@ -405,7 +405,7 @@ optional_policy(`
#
allow nagios_system_plugin_t self:capability dac_override;
-dontaudit nagios_system_plugin_t self:capability { setuid setgid };
+dontaudit nagios_system_plugin_t self:capability { setgid setuid };
read_files_pattern(nagios_system_plugin_t, nagios_log_t, nagios_log_t)
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index 27b92658..cde12ad5 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -47,8 +47,8 @@ ifdef(`distro_gentoo',`
# Local policy
#
-allow NetworkManager_t self:capability { fowner chown fsetid kill setgid setuid sys_nice dac_override net_admin net_raw ipc_lock };
-dontaudit NetworkManager_t self:capability { sys_tty_config sys_module sys_ptrace };
+allow NetworkManager_t self:capability { chown dac_override fowner fsetid ipc_lock kill net_admin net_raw setgid setuid sys_nice };
+dontaudit NetworkManager_t self:capability { sys_module sys_ptrace sys_tty_config };
allow NetworkManager_t self:capability2 wake_alarm;
allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms };
allow NetworkManager_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/nslcd.te b/policy/modules/contrib/nslcd.te
index 40682ca2..30639e64 100644
--- a/policy/modules/contrib/nslcd.te
+++ b/policy/modules/contrib/nslcd.te
@@ -23,7 +23,7 @@ files_config_file(nslcd_conf_t)
# Local policy
#
-allow nslcd_t self:capability { setgid setuid dac_override };
+allow nslcd_t self:capability { dac_override setgid setuid };
allow nslcd_t self:process signal;
allow nslcd_t self:unix_stream_socket { accept listen };
diff --git a/policy/modules/contrib/ntop.te b/policy/modules/contrib/ntop.te
index a3503716..025f5d4a 100644
--- a/policy/modules/contrib/ntop.te
+++ b/policy/modules/contrib/ntop.te
@@ -29,7 +29,7 @@ files_pid_file(ntop_var_run_t)
# Local Policy
#
-allow ntop_t self:capability { net_raw setgid setuid sys_admin net_admin };
+allow ntop_t self:capability { net_admin net_raw setgid setuid sys_admin };
dontaudit ntop_t self:capability sys_tty_config;
allow ntop_t self:process signal_perms;
allow ntop_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/ntp.te b/policy/modules/contrib/ntp.te
index c7c27be5..2fcf0a40 100644
--- a/policy/modules/contrib/ntp.te
+++ b/policy/modules/contrib/ntp.te
@@ -47,8 +47,8 @@ init_system_domain(ntpd_t, ntpdate_exec_t)
# Local policy
#
-allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock ipc_owner sys_chroot sys_nice sys_resource };
-dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice };
+allow ntpd_t self:capability { chown dac_override ipc_lock ipc_owner kill setgid setuid sys_chroot sys_nice sys_resource sys_time };
+dontaudit ntpd_t self:capability { fsetid net_admin sys_nice sys_tty_config };
allow ntpd_t self:process { signal_perms getcap setcap setsched setrlimit };
allow ntpd_t self:fifo_file rw_fifo_file_perms;
allow ntpd_t self:shm create_shm_perms;
diff --git a/policy/modules/contrib/nut.te b/policy/modules/contrib/nut.te
index 8086281f..d38ced7b 100644
--- a/policy/modules/contrib/nut.te
+++ b/policy/modules/contrib/nut.te
@@ -34,7 +34,7 @@ init_daemon_pid_file(nut_var_run_t, dir, "nut")
# Common nut domain local policy
#
-allow nut_domain self:capability { setgid setuid dac_override kill };
+allow nut_domain self:capability { dac_override kill setgid setuid };
allow nut_domain self:process signal_perms;
allow nut_domain self:fifo_file rw_fifo_file_perms;
allow nut_domain self:unix_dgram_socket sendto;
diff --git a/policy/modules/contrib/oddjob.te b/policy/modules/contrib/oddjob.te
index c01d4f62..507d6d24 100644
--- a/policy/modules/contrib/oddjob.te
+++ b/policy/modules/contrib/oddjob.te
@@ -74,7 +74,7 @@ optional_policy(`
# Mkhomedir local policy
#
-allow oddjob_mkhomedir_t self:capability { chown fowner fsetid dac_override };
+allow oddjob_mkhomedir_t self:capability { chown dac_override fowner fsetid };
allow oddjob_mkhomedir_t self:process setfscreate;
allow oddjob_mkhomedir_t self:fifo_file rw_fifo_file_perms;
allow oddjob_mkhomedir_t self:unix_stream_socket { accept listen };
diff --git a/policy/modules/contrib/oident.te b/policy/modules/contrib/oident.te
index 0cf6cfe3..c1f42dc1 100644
--- a/policy/modules/contrib/oident.te
+++ b/policy/modules/contrib/oident.te
@@ -25,7 +25,7 @@ files_config_file(oidentd_config_t)
# Local policy
#
-allow oidentd_t self:capability { setuid setgid };
+allow oidentd_t self:capability { setgid setuid };
allow oidentd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow oidentd_t self:tcp_socket { accept listen };
diff --git a/policy/modules/contrib/openvpn.te b/policy/modules/contrib/openvpn.te
index cce20317..465716f6 100644
--- a/policy/modules/contrib/openvpn.te
+++ b/policy/modules/contrib/openvpn.te
@@ -54,7 +54,7 @@ files_pid_file(openvpn_var_run_t)
# Local policy
#
-allow openvpn_t self:capability { dac_read_search dac_override ipc_lock net_admin setgid setuid sys_chroot sys_tty_config sys_nice };
+allow openvpn_t self:capability { dac_override dac_read_search ipc_lock net_admin setgid setuid sys_chroot sys_nice sys_tty_config };
allow openvpn_t self:process { signal getsched setsched };
allow openvpn_t self:fifo_file rw_fifo_file_perms;
allow openvpn_t self:unix_dgram_socket sendto;
diff --git a/policy/modules/contrib/openvswitch.te b/policy/modules/contrib/openvswitch.te
index 04cbe909..b9790021 100644
--- a/policy/modules/contrib/openvswitch.te
+++ b/policy/modules/contrib/openvswitch.te
@@ -32,7 +32,7 @@ files_pid_file(openvswitch_var_run_t)
# Local policy
#
-allow openvswitch_t self:capability { net_admin sys_nice sys_resource ipc_lock };
+allow openvswitch_t self:capability { ipc_lock net_admin sys_nice sys_resource };
allow openvswitch_t self:process { setrlimit setsched signal };
allow openvswitch_t self:fifo_file rw_fifo_file_perms;
allow openvswitch_t self:rawip_socket create_socket_perms;
diff --git a/policy/modules/contrib/pacemaker.te b/policy/modules/contrib/pacemaker.te
index 6d1b3c4d..218470bb 100644
--- a/policy/modules/contrib/pacemaker.te
+++ b/policy/modules/contrib/pacemaker.te
@@ -29,7 +29,7 @@ files_pid_file(pacemaker_var_run_t)
# Local policy
#
-allow pacemaker_t self:capability { fowner fsetid kill chown dac_override setuid };
+allow pacemaker_t self:capability { chown dac_override fowner fsetid kill setuid };
allow pacemaker_t self:process { setrlimit signal setpgid };
allow pacemaker_t self:fifo_file rw_fifo_file_perms;
allow pacemaker_t self:unix_stream_socket { connectto accept listen };
diff --git a/policy/modules/contrib/passenger.te b/policy/modules/contrib/passenger.te
index 85fb36db..b6181456 100644
--- a/policy/modules/contrib/passenger.te
+++ b/policy/modules/contrib/passenger.te
@@ -25,7 +25,7 @@ files_pid_file(passenger_var_run_t)
# Local policy
#
-allow passenger_t self:capability { chown dac_override fsetid fowner kill setuid setgid sys_nice sys_ptrace sys_resource };
+allow passenger_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice sys_ptrace sys_resource };
allow passenger_t self:process { setpgid setsched sigkill signal };
allow passenger_t self:fifo_file rw_fifo_file_perms;
allow passenger_t self:unix_stream_socket { accept connectto listen };
diff --git a/policy/modules/contrib/pcmcia.te b/policy/modules/contrib/pcmcia.te
index ceab5763..230f1f00 100644
--- a/policy/modules/contrib/pcmcia.te
+++ b/policy/modules/contrib/pcmcia.te
@@ -29,7 +29,7 @@ role cardmgr_roles types cardmgr_t;
# Local policy
#
-allow cardmgr_t self:capability { dac_read_search dac_override setuid net_admin sys_admin sys_nice sys_tty_config mknod };
+allow cardmgr_t self:capability { dac_override dac_read_search mknod net_admin setuid sys_admin sys_nice sys_tty_config };
dontaudit cardmgr_t self:capability sys_tty_config;
allow cardmgr_t self:process signal_perms;
allow cardmgr_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/pegasus.te b/policy/modules/contrib/pegasus.te
index 6d8c0192..b2138295 100644
--- a/policy/modules/contrib/pegasus.te
+++ b/policy/modules/contrib/pegasus.te
@@ -35,7 +35,7 @@ files_pid_file(pegasus_var_run_t)
# Local policy
#
-allow pegasus_t self:capability { chown kill ipc_lock sys_nice setuid setgid dac_override net_admin net_bind_service };
+allow pegasus_t self:capability { chown dac_override ipc_lock kill net_admin net_bind_service setgid setuid sys_nice };
dontaudit pegasus_t self:capability sys_tty_config;
allow pegasus_t self:process signal;
allow pegasus_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/pkcs.te b/policy/modules/contrib/pkcs.te
index 1d1635d4..b10f18e7 100644
--- a/policy/modules/contrib/pkcs.te
+++ b/policy/modules/contrib/pkcs.te
@@ -29,7 +29,7 @@ files_tmpfs_file(pkcs_slotd_tmpfs_t)
# Local policy
#
-allow pkcs_slotd_t self:capability { fsetid kill chown };
+allow pkcs_slotd_t self:capability { chown fsetid kill };
allow pkcs_slotd_t self:fifo_file rw_fifo_file_perms;
allow pkcs_slotd_t self:sem create_sem_perms;
allow pkcs_slotd_t self:shm create_shm_perms;
diff --git a/policy/modules/contrib/podsleuth.te b/policy/modules/contrib/podsleuth.te
index 9123f715..83dc77b5 100644
--- a/policy/modules/contrib/podsleuth.te
+++ b/policy/modules/contrib/podsleuth.te
@@ -28,7 +28,7 @@ userdom_user_tmpfs_file(podsleuth_tmpfs_t)
# Local policy
#
-allow podsleuth_t self:capability { kill dac_override sys_admin sys_rawio };
+allow podsleuth_t self:capability { dac_override kill sys_admin sys_rawio };
allow podsleuth_t self:process { ptrace signal signull getsched execheap execmem execstack };
allow podsleuth_t self:fifo_file rw_fifo_file_perms;
allow podsleuth_t self:unix_stream_socket create_stream_socket_perms;
diff --git a/policy/modules/contrib/portage.if b/policy/modules/contrib/portage.if
index e990d79a..cad9b9f1 100644
--- a/policy/modules/contrib/portage.if
+++ b/policy/modules/contrib/portage.if
@@ -72,7 +72,7 @@ interface(`portage_compile_domain',`
type portage_tmp_t, portage_tmpfs_t;
')
- allow $1 self:capability { fowner fsetid mknod setgid setuid chown dac_override net_raw };
+ allow $1 self:capability { chown dac_override fowner fsetid mknod net_raw setgid setuid };
dontaudit $1 self:capability sys_chroot;
allow $1 self:process { setpgid setsched setrlimit signal_perms execmem setfscreate };
allow $1 self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap };
diff --git a/policy/modules/contrib/portage.te b/policy/modules/contrib/portage.te
index 87ca0c6c..ef04131e 100644
--- a/policy/modules/contrib/portage.te
+++ b/policy/modules/contrib/portage.te
@@ -160,7 +160,7 @@ optional_policy(`
# - setfscreate for merging to live fs
allow portage_t self:process { setfscreate };
# - kill for mysql merging, at least
-allow portage_t self:capability { sys_nice kill setfcap };
+allow portage_t self:capability { kill setfcap sys_nice };
dontaudit portage_t self:capability { dac_read_search };
dontaudit portage_t self:netlink_route_socket rw_netlink_socket_perms;
@@ -247,7 +247,7 @@ dontaudit portage_t device_type:blk_file read_blk_file_perms;
#
allow portage_fetch_t self:process signal;
-allow portage_fetch_t self:capability { dac_override fowner fsetid chown };
+allow portage_fetch_t self:capability { chown dac_override fowner fsetid };
allow portage_fetch_t self:fifo_file rw_fifo_file_perms;
allow portage_fetch_t self:tcp_socket { accept listen };
allow portage_fetch_t self:unix_stream_socket create_socket_perms;
diff --git a/policy/modules/contrib/portmap.te b/policy/modules/contrib/portmap.te
index 292b3aa8..2a8c850b 100644
--- a/policy/modules/contrib/portmap.te
+++ b/policy/modules/contrib/portmap.te
@@ -30,7 +30,7 @@ files_pid_file(portmap_var_run_t)
# Local policy
#
-allow portmap_t self:capability { setuid setgid };
+allow portmap_t self:capability { setgid setuid };
dontaudit portmap_t self:capability sys_tty_config;
allow portmap_t self:unix_stream_socket { accept listen };
allow portmap_t self:tcp_socket { accept listen };
diff --git a/policy/modules/contrib/portreserve.te b/policy/modules/contrib/portreserve.te
index 7e05b61b..a09698ce 100644
--- a/policy/modules/contrib/portreserve.te
+++ b/policy/modules/contrib/portreserve.te
@@ -23,7 +23,7 @@ files_pid_file(portreserve_var_run_t)
# Local policy
#
-allow portreserve_t self:capability { dac_read_search dac_override };
+allow portreserve_t self:capability { dac_override dac_read_search };
allow portreserve_t self:fifo_file rw_fifo_file_perms;
allow portreserve_t self:unix_stream_socket create_stream_socket_perms;
allow portreserve_t self:unix_dgram_socket { create_socket_perms sendto };
diff --git a/policy/modules/contrib/portslave.te b/policy/modules/contrib/portslave.te
index cbe36c1d..b34887c9 100644
--- a/policy/modules/contrib/portslave.te
+++ b/policy/modules/contrib/portslave.te
@@ -21,7 +21,7 @@ files_lock_file(portslave_lock_t)
# Local policy
#
-allow portslave_t self:capability { setuid setgid net_admin fsetid net_bind_service sys_tty_config };
+allow portslave_t self:capability { fsetid net_admin net_bind_service setgid setuid sys_tty_config };
dontaudit portslave_t self:capability sys_admin;
allow portslave_t self:process signal_perms;
allow portslave_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te
index 1f1a396f..74cb3d7e 100644
--- a/policy/modules/contrib/postfix.te
+++ b/policy/modules/contrib/postfix.te
@@ -108,7 +108,7 @@ mta_mailserver_delivery(postfix_virtual_t)
# Common postfix domain local policy
#
-allow postfix_domain self:capability { sys_nice sys_chroot };
+allow postfix_domain self:capability { sys_chroot sys_nice };
dontaudit postfix_domain self:capability sys_tty_config;
allow postfix_domain self:process { signal_perms setpgid setsched };
allow postfix_domain self:fifo_file rw_fifo_file_perms;
@@ -171,7 +171,7 @@ optional_policy(`
# Common postfix server domain local policy
#
-allow postfix_server_domain self:capability { setuid setgid dac_override };
+allow postfix_server_domain self:capability { dac_override setgid setuid };
allow postfix_server_domain postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
@@ -198,7 +198,7 @@ domain_use_interactive_fds(postfix_user_domains)
# Master local policy
#
-allow postfix_master_t self:capability { chown dac_override kill fowner setgid setuid sys_tty_config };
+allow postfix_master_t self:capability { chown dac_override fowner kill setgid setuid sys_tty_config };
allow postfix_master_t self:capability2 block_suspend;
allow postfix_master_t self:process setrlimit;
allow postfix_master_t self:tcp_socket create_stream_socket_perms;
@@ -683,7 +683,7 @@ corecmd_exec_bin(postfix_qmgr_t)
# Showq local policy
#
-allow postfix_showq_t self:capability { setuid setgid };
+allow postfix_showq_t self:capability { setgid setuid };
allow postfix_showq_t postfix_master_t:unix_stream_socket { accept rw_socket_perms };
diff --git a/policy/modules/contrib/postfixpolicyd.te b/policy/modules/contrib/postfixpolicyd.te
index 153fb19c..621e1817 100644
--- a/policy/modules/contrib/postfixpolicyd.te
+++ b/policy/modules/contrib/postfixpolicyd.te
@@ -23,7 +23,7 @@ files_pid_file(postfix_policyd_var_run_t)
# Local policy
#
-allow postfix_policyd_t self:capability { sys_resource sys_chroot setgid setuid };
+allow postfix_policyd_t self:capability { setgid setuid sys_chroot sys_resource };
allow postfix_policyd_t self:process setrlimit;
allow postfix_policyd_t self:tcp_socket { accept listen };
diff --git a/policy/modules/contrib/ppp.te b/policy/modules/contrib/ppp.te
index 27718824..1015b4ee 100644
--- a/policy/modules/contrib/ppp.te
+++ b/policy/modules/contrib/ppp.te
@@ -78,7 +78,7 @@ userdom_user_home_content(ppp_home_t)
# PPPD local policy
#
-allow pppd_t self:capability { kill net_admin setuid setgid sys_admin fsetid fowner net_raw dac_override sys_nice };
+allow pppd_t self:capability { dac_override fowner fsetid kill net_admin net_raw setgid setuid sys_admin sys_nice };
dontaudit pppd_t self:capability sys_tty_config;
allow pppd_t self:process { getsched setsched signal };
allow pppd_t self:fifo_file rw_fifo_file_perms;
@@ -224,7 +224,7 @@ optional_policy(`
# PPTP local policy
#
-allow pptp_t self:capability { dac_override dac_read_search net_raw net_admin };
+allow pptp_t self:capability { dac_override dac_read_search net_admin net_raw };
dontaudit pptp_t self:capability sys_tty_config;
allow pptp_t self:process signal;
allow pptp_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/procmail.te b/policy/modules/contrib/procmail.te
index a4fa22b0..8a842661 100644
--- a/policy/modules/contrib/procmail.te
+++ b/policy/modules/contrib/procmail.te
@@ -24,7 +24,7 @@ files_tmp_file(procmail_tmp_t)
# Local policy
#
-allow procmail_t self:capability { sys_nice chown fsetid setuid setgid dac_override };
+allow procmail_t self:capability { chown dac_override fsetid setgid setuid sys_nice };
allow procmail_t self:process { setsched signal signull };
allow procmail_t self:fifo_file rw_fifo_file_perms;
allow procmail_t self:tcp_socket { accept listen };
diff --git a/policy/modules/contrib/psad.te b/policy/modules/contrib/psad.te
index 3336ca7e..b94e44a9 100644
--- a/policy/modules/contrib/psad.te
+++ b/policy/modules/contrib/psad.te
@@ -32,7 +32,7 @@ files_tmp_file(psad_tmp_t)
# Local policy
#
-allow psad_t self:capability { net_admin net_raw setuid setgid dac_override };
+allow psad_t self:capability { dac_override net_admin net_raw setgid setuid };
dontaudit psad_t self:capability sys_tty_config;
allow psad_t self:process signal_perms;
allow psad_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index e9a4a507..ac9811ea 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -44,7 +44,7 @@ files_pid_file(pulseaudio_var_run_t)
# Local policy
#
-allow pulseaudio_t self:capability { fowner fsetid chown setgid setuid sys_nice sys_resource sys_tty_config };
+allow pulseaudio_t self:capability { chown fowner fsetid setgid setuid sys_nice sys_resource sys_tty_config };
allow pulseaudio_t self:process { getcap getsched setcap setrlimit setsched signal signull };
allow pulseaudio_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/puppet.te b/policy/modules/contrib/puppet.te
index 4f496964..0e8161a2 100644
--- a/policy/modules/contrib/puppet.te
+++ b/policy/modules/contrib/puppet.te
@@ -59,7 +59,7 @@ files_tmp_file(puppetmaster_tmp_t)
# Local policy
#
-allow puppet_t self:capability { chown fowner fsetid setuid setgid dac_override sys_admin sys_nice sys_tty_config };
+allow puppet_t self:capability { chown dac_override fowner fsetid setgid setuid sys_admin sys_nice sys_tty_config };
allow puppet_t self:process { signal signull getsched setsched };
allow puppet_t self:fifo_file rw_fifo_file_perms;
allow puppet_t self:netlink_route_socket create_netlink_socket_perms;
@@ -255,7 +255,7 @@ optional_policy(`
# Master local policy
#
-allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config };
+allow puppetmaster_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid sys_tty_config };
allow puppetmaster_t self:process { signal_perms getsched setsched };
allow puppetmaster_t self:fifo_file rw_fifo_file_perms;
allow puppetmaster_t self:netlink_route_socket nlmsg_write;
diff --git a/policy/modules/contrib/qemu.if b/policy/modules/contrib/qemu.if
index 32b48657..efdc5286 100644
--- a/policy/modules/contrib/qemu.if
+++ b/policy/modules/contrib/qemu.if
@@ -27,7 +27,7 @@ template(`qemu_domain_template',`
# Policy
#
- allow $1_t self:capability { dac_read_search dac_override };
+ allow $1_t self:capability { dac_override dac_read_search };
allow $1_t self:process { execstack execmem signal getsched };
allow $1_t self:fifo_file rw_file_perms;
allow $1_t self:shm create_shm_perms;
diff --git a/policy/modules/contrib/qmail.te b/policy/modules/contrib/qmail.te
index a40ba2a2..455f2c0e 100644
--- a/policy/modules/contrib/qmail.te
+++ b/policy/modules/contrib/qmail.te
@@ -145,7 +145,7 @@ optional_policy(`
# Lspawn local policy
#
-allow qmail_lspawn_t self:capability { setuid setgid };
+allow qmail_lspawn_t self:capability { setgid setuid };
allow qmail_lspawn_t self:process signal_perms;
allow qmail_lspawn_t self:fifo_file rw_fifo_file_perms;
allow qmail_lspawn_t self:unix_stream_socket create_socket_perms;
diff --git a/policy/modules/contrib/quota.te b/policy/modules/contrib/quota.te
index 9952f537..95fc0aa3 100644
--- a/policy/modules/contrib/quota.te
+++ b/policy/modules/contrib/quota.te
@@ -33,7 +33,7 @@ files_pid_file(quota_nld_var_run_t)
# Local policy
#
-allow quota_t self:capability { sys_admin dac_override };
+allow quota_t self:capability { dac_override sys_admin };
dontaudit quota_t self:capability sys_tty_config;
allow quota_t self:process signal_perms;
diff --git a/policy/modules/contrib/radvd.te b/policy/modules/contrib/radvd.te
index 1d7fbfe4..41df3b57 100644
--- a/policy/modules/contrib/radvd.te
+++ b/policy/modules/contrib/radvd.te
@@ -22,7 +22,7 @@ files_pid_file(radvd_var_run_t)
# Local policy
#
-allow radvd_t self:capability { kill setgid setuid net_raw net_admin };
+allow radvd_t self:capability { kill net_admin net_raw setgid setuid };
dontaudit radvd_t self:capability sys_tty_config;
allow radvd_t self:process signal_perms;
allow radvd_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/raid.te b/policy/modules/contrib/raid.te
index ad21e093..49c7dbb4 100644
--- a/policy/modules/contrib/raid.te
+++ b/policy/modules/contrib/raid.te
@@ -27,7 +27,7 @@ dev_associate(mdadm_var_run_t)
# Local policy
#
-allow mdadm_t self:capability { dac_override sys_admin ipc_lock };
+allow mdadm_t self:capability { dac_override ipc_lock sys_admin };
dontaudit mdadm_t self:capability sys_tty_config;
allow mdadm_t self:process { getsched setsched signal_perms };
allow mdadm_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/readahead.te b/policy/modules/contrib/readahead.te
index 080c0ad0..ec587591 100644
--- a/policy/modules/contrib/readahead.te
+++ b/policy/modules/contrib/readahead.te
@@ -22,7 +22,7 @@ init_daemon_pid_file(readahead_var_run_t, dir, "readahead")
# Local policy
#
-allow readahead_t self:capability { sys_admin fowner dac_override dac_read_search };
+allow readahead_t self:capability { dac_override dac_read_search fowner sys_admin };
dontaudit readahead_t self:capability { net_admin sys_tty_config };
allow readahead_t self:process { setsched signal_perms };
diff --git a/policy/modules/contrib/remotelogin.te b/policy/modules/contrib/remotelogin.te
index ae308717..3130db86 100644
--- a/policy/modules/contrib/remotelogin.te
+++ b/policy/modules/contrib/remotelogin.te
@@ -18,7 +18,7 @@ files_tmp_file(remote_login_tmp_t)
# Local policy
#
-allow remote_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config };
+allow remote_login_t self:capability { chown dac_override fowner fsetid kill net_bind_service setgid setuid sys_nice sys_resource sys_tty_config };
allow remote_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow remote_login_t self:process { setrlimit setexec };
allow remote_login_t self:fd use;
diff --git a/policy/modules/contrib/rgmanager.te b/policy/modules/contrib/rgmanager.te
index c533810f..905c3d44 100644
--- a/policy/modules/contrib/rgmanager.te
+++ b/policy/modules/contrib/rgmanager.te
@@ -37,7 +37,7 @@ files_pid_file(rgmanager_var_run_t)
# Local policy
#
-allow rgmanager_t self:capability { dac_override net_raw sys_resource sys_admin sys_nice ipc_lock };
+allow rgmanager_t self:capability { dac_override ipc_lock net_raw sys_admin sys_nice sys_resource };
allow rgmanager_t self:process { setsched signal };
allow rgmanager_t self:fifo_file rw_fifo_file_perms;
allow rgmanager_t self:unix_stream_socket { accept listen };
diff --git a/policy/modules/contrib/rhcs.te b/policy/modules/contrib/rhcs.te
index 4c58d123..85a3a066 100644
--- a/policy/modules/contrib/rhcs.te
+++ b/policy/modules/contrib/rhcs.te
@@ -170,7 +170,7 @@ tunable_policy(`fenced_can_network_connect',`
optional_policy(`
tunable_policy(`fenced_can_ssh',`
- allow fenced_t self:capability { setuid setgid };
+ allow fenced_t self:capability { setgid setuid };
corenet_sendrecv_ssh_client_packets(fenced_t)
corenet_tcp_connect_ssh_port(fenced_t)
diff --git a/policy/modules/contrib/ricci.te b/policy/modules/contrib/ricci.te
index 794dcd36..326d7b85 100644
--- a/policy/modules/contrib/ricci.te
+++ b/policy/modules/contrib/ricci.te
@@ -78,7 +78,7 @@ files_lock_file(ricci_modstorage_lock_t)
# Local policy
#
-allow ricci_t self:capability { setuid sys_nice sys_boot };
+allow ricci_t self:capability { setuid sys_boot sys_nice };
allow ricci_t self:process setsched;
allow ricci_t self:fifo_file rw_fifo_file_perms;
allow ricci_t self:unix_stream_socket { accept connectto listen };
diff --git a/policy/modules/contrib/rlogin.te b/policy/modules/contrib/rlogin.te
index 0714e380..94d41e81 100644
--- a/policy/modules/contrib/rlogin.te
+++ b/policy/modules/contrib/rlogin.te
@@ -31,7 +31,7 @@ files_pid_file(rlogind_var_run_t)
# Local policy
#
-allow rlogind_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override };
+allow rlogind_t self:capability { chown dac_override fowner fsetid setgid setuid sys_tty_config };
allow rlogind_t self:process signal_perms;
allow rlogind_t self:fifo_file rw_fifo_file_perms;
allow rlogind_t self:tcp_socket { accept listen };
diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
index cf1f775b..5123f079 100644
--- a/policy/modules/contrib/rpc.te
+++ b/policy/modules/contrib/rpc.te
@@ -145,7 +145,7 @@ optional_policy(`
# Local policy
#
-allow rpcd_t self:capability { setpcap sys_admin chown dac_override setgid setuid };
+allow rpcd_t self:capability { chown dac_override setgid setpcap setuid sys_admin };
allow rpcd_t self:capability2 block_suspend;
allow rpcd_t self:process { getcap setcap };
allow rpcd_t self:fifo_file rw_fifo_file_perms;
@@ -288,7 +288,7 @@ optional_policy(`
# GSSD local policy
#
-allow gssd_t self:capability { dac_override dac_read_search setuid setgid sys_nice };
+allow gssd_t self:capability { dac_override dac_read_search setgid setuid sys_nice };
allow gssd_t self:process { getsched setsched };
allow gssd_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te
index 6ab5fd9e..1b36d097 100644
--- a/policy/modules/contrib/rpm.te
+++ b/policy/modules/contrib/rpm.te
@@ -73,7 +73,7 @@ files_tmpfs_file(rpm_script_tmpfs_t)
# rpm Local policy
#
-allow rpm_t self:capability { chown dac_override fowner setfcap fsetid ipc_lock setgid setuid sys_chroot sys_nice sys_tty_config mknod };
+allow rpm_t self:capability { chown dac_override fowner fsetid ipc_lock mknod setfcap setgid setuid sys_chroot sys_nice sys_tty_config };
allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execstack execheap };
allow rpm_t self:process { getattr setexec setfscreate setrlimit };
allow rpm_t self:fd use;
@@ -241,7 +241,7 @@ optional_policy(`
# rpm-script Local policy
#
-allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_rawio sys_nice mknod kill net_admin };
+allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid ipc_lock kill mknod net_admin setgid setuid sys_admin sys_chroot sys_nice sys_rawio };
allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execheap };
allow rpm_script_t self:fd use;
allow rpm_script_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/rshd.te b/policy/modules/contrib/rshd.te
index 5a5f6f71..dc327424 100644
--- a/policy/modules/contrib/rshd.te
+++ b/policy/modules/contrib/rshd.te
@@ -18,7 +18,7 @@ files_type(rshd_keytab_t)
# Local policy
#
-allow rshd_t self:capability { kill setuid setgid fowner fsetid chown dac_override };
+allow rshd_t self:capability { chown dac_override fowner fsetid kill setgid setuid };
allow rshd_t self:process { signal_perms setsched setpgid setexec };
allow rshd_t self:fifo_file rw_fifo_file_perms;
allow rshd_t self:tcp_socket create_stream_socket_perms;
--git a/policy/modules/contrib/rssh.te b/policy/modules/contrib/rssh.te
index 5c5465fe..cf6dd81e 100644
--- a/policy/modules/contrib/rssh.te
+++ b/policy/modules/contrib/rssh.te
@@ -86,7 +86,7 @@ optional_policy(`
# Chroot helper local policy
#
-allow rssh_chroot_helper_t self:capability { sys_chroot setuid };
+allow rssh_chroot_helper_t self:capability { setuid sys_chroot };
allow rssh_chroot_helper_t self:fifo_file rw_fifo_file_perms;
allow rssh_chroot_helper_t self:unix_stream_socket { accept listen };
diff --git a/policy/modules/contrib/rsync.te b/policy/modules/contrib/rsync.te
index 18db99d4..2fce98b0 100644
--- a/policy/modules/contrib/rsync.te
+++ b/policy/modules/contrib/rsync.te
@@ -83,7 +83,7 @@ files_pid_file(rsync_var_run_t)
# Local policy
#
-allow rsync_t self:capability { chown dac_read_search dac_override fowner fsetid setuid setgid sys_chroot };
+allow rsync_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid sys_chroot };
allow rsync_t self:process signal_perms;
allow rsync_t self:fifo_file rw_fifo_file_perms;
allow rsync_t self:tcp_socket { accept listen };
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
index 0acf15a7..e7dae973 100644
--- a/policy/modules/contrib/samba.te
+++ b/policy/modules/contrib/samba.te
@@ -194,7 +194,7 @@ files_pid_file(winbind_var_run_t)
# Net local policy
#
-allow samba_net_t self:capability { sys_chroot sys_nice dac_read_search dac_override };
+allow samba_net_t self:capability { dac_override dac_read_search sys_chroot sys_nice };
allow samba_net_t self:capability2 block_suspend;
allow samba_net_t self:process { getsched setsched };
allow samba_net_t self:unix_stream_socket { accept listen };
@@ -261,7 +261,7 @@ optional_policy(`
# Smbd Local policy
#
-allow smbd_t self:capability { chown fowner kill fsetid setgid setuid sys_chroot sys_nice sys_admin sys_resource lease dac_override dac_read_search };
+allow smbd_t self:capability { chown dac_override dac_read_search fowner fsetid kill lease setgid setuid sys_admin sys_chroot sys_nice sys_resource };
dontaudit smbd_t self:capability sys_tty_config;
allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
allow smbd_t self:fd use;
@@ -650,7 +650,7 @@ optional_policy(`
# Smbmount Local policy
#
-allow smbmount_t self:capability { sys_rawio sys_admin dac_override chown };
+allow smbmount_t self:capability { chown dac_override sys_admin sys_rawio };
allow smbmount_t self:process signal_perms;
allow smbmount_t self:tcp_socket { accept listen };
allow smbmount_t self:unix_dgram_socket create_socket_perms;
@@ -724,7 +724,7 @@ optional_policy(`
# Swat Local policy
#
-allow swat_t self:capability { dac_override setuid setgid sys_resource };
+allow swat_t self:capability { dac_override setgid setuid sys_resource };
allow swat_t self:process { setrlimit signal_perms };
allow swat_t self:fifo_file rw_fifo_file_perms;
allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
diff --git a/policy/modules/contrib/samhain.te b/policy/modules/contrib/samhain.te
index 1d2f80f5..865f9563 100644
--- a/policy/modules/contrib/samhain.te
+++ b/policy/modules/contrib/samhain.te
@@ -49,7 +49,7 @@ ifdef(`enable_mls',`
#
allow samhain_domain self:capability { dac_override dac_read_search fowner ipc_lock };
-dontaudit samhain_domain self:capability { sys_resource sys_ptrace };
+dontaudit samhain_domain self:capability { sys_ptrace sys_resource };
allow samhain_domain self:process { setsched setrlimit signull };
allow samhain_domain self:fd use;
allow samhain_domain self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/screen.te b/policy/modules/contrib/screen.te
index e8569cb1..e376da59 100644
--- a/policy/modules/contrib/screen.te
+++ b/policy/modules/contrib/screen.te
@@ -29,7 +29,7 @@ ubac_constrained(screen_runtime_t)
#
# dac_override : read /dev/pts/ID
-allow screen_domain self:capability { setuid setgid fsetid dac_override };
+allow screen_domain self:capability { dac_override fsetid setgid setuid };
allow screen_domain self:process signal_perms;
allow screen_domain self:fd use;
allow screen_domain self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/sendmail.te b/policy/modules/contrib/sendmail.te
index 1ae4a27a..dbfab0a0 100644
--- a/policy/modules/contrib/sendmail.te
+++ b/policy/modules/contrib/sendmail.te
@@ -40,7 +40,7 @@ role sendmail_unconfined_roles types unconfined_sendmail_t;
# Local policy
#
-allow sendmail_t self:capability { dac_override setuid setgid sys_nice chown sys_tty_config };
+allow sendmail_t self:capability { chown dac_override setgid setuid sys_nice sys_tty_config };
allow sendmail_t self:process { setsched setpgid setrlimit signal signull };
allow sendmail_t self:fifo_file rw_fifo_file_perms;
allow sendmail_t self:unix_stream_socket { accept listen };
diff --git a/policy/modules/contrib/shorewall.te b/policy/modules/contrib/shorewall.te
index e2e6c30d..5e815dd8 100644
--- a/policy/modules/contrib/shorewall.te
+++ b/policy/modules/contrib/shorewall.te
@@ -32,7 +32,7 @@ logging_log_file(shorewall_log_t)
# Local policy
#
-allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice sys_admin };
+allow shorewall_t self:capability { dac_override net_admin net_raw setgid setuid sys_admin sys_nice };
dontaudit shorewall_t self:capability sys_tty_config;
allow shorewall_t self:fifo_file rw_fifo_file_perms;
allow shorewall_t self:netlink_socket create_socket_perms;
diff --git a/policy/modules/contrib/slocate.te b/policy/modules/contrib/slocate.te
index 65fe1cb6..2bf0fed4 100644
--- a/policy/modules/contrib/slocate.te
+++ b/policy/modules/contrib/slocate.te
@@ -20,7 +20,7 @@ files_pid_file(locate_var_run_t)
# Local policy
#
-allow locate_t self:capability { chown dac_read_search dac_override fowner fsetid };
+allow locate_t self:capability { chown dac_override dac_read_search fowner fsetid };
allow locate_t self:process { execmem execheap execstack signal setsched };
allow locate_t self:fifo_file rw_fifo_file_perms;
allow locate_t self:unix_stream_socket create_socket_perms;
diff --git a/policy/modules/contrib/smartmon.te b/policy/modules/contrib/smartmon.te
index eb812fe8..4a7cafa7 100644
--- a/policy/modules/contrib/smartmon.te
+++ b/policy/modules/contrib/smartmon.te
@@ -38,7 +38,7 @@ ifdef(`enable_mls',`
# Local policy
#
-allow fsdaemon_t self:capability { dac_override kill setpcap setgid sys_rawio sys_admin };
+allow fsdaemon_t self:capability { dac_override kill setgid setpcap sys_admin sys_rawio };
dontaudit fsdaemon_t self:capability sys_tty_config;
allow fsdaemon_t self:process { getcap setcap signal_perms };
allow fsdaemon_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/smokeping.te b/policy/modules/contrib/smokeping.te
index 625d8018..cc19c38d 100644
--- a/policy/modules/contrib/smokeping.te
+++ b/policy/modules/contrib/smokeping.te
@@ -23,7 +23,7 @@ files_type(smokeping_var_lib_t)
# Local policy
#
-dontaudit smokeping_t self:capability { dac_read_search dac_override };
+dontaudit smokeping_t self:capability { dac_override dac_read_search };
allow smokeping_t self:fifo_file rw_fifo_file_perms;
allow smokeping_t self:unix_stream_socket { accept listen };
diff --git a/policy/modules/contrib/snmp.te b/policy/modules/contrib/snmp.te
index 49385798..fe37b52d 100644
--- a/policy/modules/contrib/snmp.te
+++ b/policy/modules/contrib/snmp.te
@@ -26,7 +26,7 @@ files_type(snmpd_var_lib_t)
# Local policy
#
-allow snmpd_t self:capability { chown dac_override kill ipc_lock setgid setuid net_admin sys_nice sys_tty_config sys_ptrace };
+allow snmpd_t self:capability { chown dac_override ipc_lock kill net_admin setgid setuid sys_nice sys_ptrace sys_tty_config };
dontaudit snmpd_t self:capability { sys_module sys_tty_config };
allow snmpd_t self:process { signal_perms getsched setsched };
allow snmpd_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/snort.te b/policy/modules/contrib/snort.te
index 30ba1e0c..536efd00 100644
--- a/policy/modules/contrib/snort.te
+++ b/policy/modules/contrib/snort.te
@@ -30,7 +30,7 @@ init_daemon_pid_file(snort_var_run_t, dir, "snort")
# Local policy
#
-allow snort_t self:capability { setgid setuid net_admin net_raw dac_override };
+allow snort_t self:capability { dac_override net_admin net_raw setgid setuid };
dontaudit snort_t self:capability sys_tty_config;
allow snort_t self:process signal_perms;
allow snort_t self:netlink_socket create_socket_perms;
diff --git a/policy/modules/contrib/sosreport.te b/policy/modules/contrib/sosreport.te
index 18dca447..940f220a 100644
--- a/policy/modules/contrib/sosreport.te
+++ b/policy/modules/contrib/sosreport.te
@@ -31,7 +31,7 @@ optional_policy(`
# Local policy
#
-allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice dac_override };
+allow sosreport_t self:capability { dac_override kill net_admin net_raw setuid sys_admin sys_nice };
dontaudit sosreport_t self:capability sys_ptrace;
allow sosreport_t self:process { setsched setpgid signal_perms };
allow sosreport_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/spamassassin.te b/policy/modules/contrib/spamassassin.te
index 6631a498..4a9153ce 100644
--- a/policy/modules/contrib/spamassassin.te
+++ b/policy/modules/contrib/spamassassin.te
@@ -270,7 +270,7 @@ optional_policy(`
# Daemon local policy
#
-allow spamd_t self:capability { kill setuid setgid dac_override sys_tty_config };
+allow spamd_t self:capability { dac_override kill setgid setuid sys_tty_config };
dontaudit spamd_t self:capability sys_tty_config;
allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow spamd_t self:fd use;
diff --git a/policy/modules/contrib/squid.te b/policy/modules/contrib/squid.te
index 2852599a..74fb3c23 100644
--- a/policy/modules/contrib/squid.te
+++ b/policy/modules/contrib/squid.te
@@ -51,7 +51,7 @@ files_pid_file(squid_var_run_t)
# Local policy
#
-allow squid_t self:capability { setgid kill setuid dac_override sys_resource };
+allow squid_t self:capability { dac_override kill setgid setuid sys_resource };
dontaudit squid_t self:capability sys_tty_config;
allow squid_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
allow squid_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/sssd.te b/policy/modules/contrib/sssd.te
index 9be5c19c..e273c904 100644
--- a/policy/modules/contrib/sssd.te
+++ b/policy/modules/contrib/sssd.te
@@ -33,7 +33,7 @@ files_pid_file(sssd_var_run_t)
# Local policy
#
-allow sssd_t self:capability { chown dac_read_search dac_override kill net_admin sys_nice setgid setuid sys_admin sys_resource };
+allow sssd_t self:capability { chown dac_override dac_read_search kill net_admin setgid setuid sys_admin sys_nice sys_resource };
allow sssd_t self:capability2 block_suspend;
allow sssd_t self:process { setfscreate setsched sigkill signal getsched setrlimit };
allow sssd_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/sxid.te b/policy/modules/contrib/sxid.te
index 01a9d0ac..010c40ce 100644
--- a/policy/modules/contrib/sxid.te
+++ b/policy/modules/contrib/sxid.te
@@ -21,7 +21,7 @@ files_tmp_file(sxid_tmp_t)
#
allow sxid_t self:capability { dac_override dac_read_search fsetid };
-dontaudit sxid_t self:capability { setuid setgid sys_tty_config };
+dontaudit sxid_t self:capability { setgid setuid sys_tty_config };
allow sxid_t self:process signal_perms;
allow sxid_t self:fifo_file rw_fifo_file_perms;
allow sxid_t self:tcp_socket create_stream_socket_perms;
diff --git a/policy/modules/contrib/systemtap.te b/policy/modules/contrib/systemtap.te
index f2fa8494..c0ddb637 100644
--- a/policy/modules/contrib/systemtap.te
+++ b/policy/modules/contrib/systemtap.te
@@ -29,7 +29,7 @@ files_pid_file(stapserver_var_run_t)
# Local policy
#
-allow stapserver_t self:capability { dac_override kill setuid setgid };
+allow stapserver_t self:capability { dac_override kill setgid setuid };
allow stapserver_t self:process { setrlimit setsched signal };
allow stapserver_t self:fifo_file rw_fifo_file_perms;
allow stapserver_t self:key write;
diff --git a/policy/modules/contrib/telnet.te b/policy/modules/contrib/telnet.te
index 0e70d1f4..6007d763 100644
--- a/policy/modules/contrib/telnet.te
+++ b/policy/modules/contrib/telnet.te
@@ -27,7 +27,7 @@ files_pid_file(telnetd_var_run_t)
# Local policy
#
-allow telnetd_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override };
+allow telnetd_t self:capability { chown dac_override fowner fsetid setgid setuid sys_tty_config };
allow telnetd_t self:process signal_perms;
allow telnetd_t self:fifo_file rw_fifo_file_perms;
allow telnetd_t self:tcp_socket { accept listen };
diff --git a/policy/modules/contrib/tripwire.te b/policy/modules/contrib/tripwire.te
index 03aa6b7f..47dc24b3 100644
--- a/policy/modules/contrib/tripwire.te
+++ b/policy/modules/contrib/tripwire.te
@@ -47,7 +47,7 @@ role twprint_roles types twprint_t;
# Local policy
#
-allow tripwire_t self:capability { setgid setuid dac_override };
+allow tripwire_t self:capability { dac_override setgid setuid };
allow tripwire_t tripwire_etc_t:dir list_dir_perms;
allow tripwire_t tripwire_etc_t:file read_file_perms;
diff --git a/policy/modules/contrib/ulogd.te b/policy/modules/contrib/ulogd.te
index 6c3a3eaf..50beee26 100644
--- a/policy/modules/contrib/ulogd.te
+++ b/policy/modules/contrib/ulogd.te
@@ -26,7 +26,7 @@ logging_log_file(ulogd_var_log_t)
# Local policy
#
-allow ulogd_t self:capability { net_admin setuid setgid sys_nice };
+allow ulogd_t self:capability { net_admin setgid setuid sys_nice };
allow ulogd_t self:process setsched;
allow ulogd_t self:netlink_nflog_socket create_socket_perms;
allow ulogd_t self:netlink_socket create_socket_perms;
diff --git a/policy/modules/contrib/userhelper.te b/policy/modules/contrib/userhelper.te
index 7a57c21a..9c7ac268 100644
--- a/policy/modules/contrib/userhelper.te
+++ b/policy/modules/contrib/userhelper.te
@@ -25,7 +25,7 @@ application_executable_file(consolehelper_exec_t)
# Common consolehelper domain local policy
#
-allow consolehelper_type self:capability { setgid setuid dac_override };
+allow consolehelper_type self:capability { dac_override setgid setuid };
allow consolehelper_type self:process signal;
allow consolehelper_type self:fifo_file rw_fifo_file_perms;
allow consolehelper_type self:unix_stream_socket create_stream_socket_perms;
@@ -94,7 +94,7 @@ optional_policy(`
# Common userhelper domain local policy
#
-allow userhelper_type self:capability { setuid setgid net_bind_service dac_override chown sys_tty_config };
+allow userhelper_type self:capability { chown dac_override net_bind_service setgid setuid sys_tty_config };
allow userhelper_type self:process ~{ ptrace setcurrent setfscreate setrlimit execmem execstack execheap };
allow userhelper_type self:fd use;
allow userhelper_type self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/usernetctl.te b/policy/modules/contrib/usernetctl.te
index f973af82..3f774951 100644
--- a/policy/modules/contrib/usernetctl.te
+++ b/policy/modules/contrib/usernetctl.te
@@ -18,7 +18,7 @@ role usernetctl_roles types usernetctl_t;
# Local policy
#
-allow usernetctl_t self:capability { setuid setgid dac_override };
+allow usernetctl_t self:capability { dac_override setgid setuid };
allow usernetctl_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow usernetctl_t self:fd use;
allow usernetctl_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/uucp.te b/policy/modules/contrib/uucp.te
index 9c884c46..d44d025f 100644
--- a/policy/modules/contrib/uucp.te
+++ b/policy/modules/contrib/uucp.te
@@ -46,7 +46,7 @@ role uux_roles types uux_t;
# Local policy
#
-allow uucpd_t self:capability { setuid setgid };
+allow uucpd_t self:capability { setgid setuid };
allow uucpd_t self:process signal_perms;
allow uucpd_t self:fifo_file rw_fifo_file_perms;
allow uucpd_t self:tcp_socket { accept listen };
@@ -137,7 +137,7 @@ optional_policy(`
# UUX Local policy
#
-allow uux_t self:capability { setuid setgid };
+allow uux_t self:capability { setgid setuid };
allow uux_t self:fifo_file write_fifo_file_perms;
domtrans_pattern(uux_t, uucpd_exec_t, uucpd_t)
diff --git a/policy/modules/contrib/varnishd.te b/policy/modules/contrib/varnishd.te
index 36c32fcd..b36f69ca 100644
--- a/policy/modules/contrib/varnishd.te
+++ b/policy/modules/contrib/varnishd.te
@@ -50,7 +50,7 @@ files_type(varnishlog_log_t)
# Local policy
#
-allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid };
+allow varnishd_t self:capability { dac_override ipc_lock kill setgid setuid };
dontaudit varnishd_t self:capability sys_tty_config;
allow varnishd_t self:process signal;
allow varnishd_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/vbetool.te b/policy/modules/contrib/vbetool.te
index 2a61f752..09980a08 100644
--- a/policy/modules/contrib/vbetool.te
+++ b/policy/modules/contrib/vbetool.te
@@ -26,7 +26,7 @@ role vbetool_roles types vbetool_t;
# Local policy
#
-allow vbetool_t self:capability { dac_override sys_tty_config sys_admin };
+allow vbetool_t self:capability { dac_override sys_admin sys_tty_config };
allow vbetool_t self:process execmem;
dev_wx_raw_memory(vbetool_t)
diff --git a/policy/modules/contrib/vhostmd.te b/policy/modules/contrib/vhostmd.te
index 4d47427d..f6636a99 100644
--- a/policy/modules/contrib/vhostmd.te
+++ b/policy/modules/contrib/vhostmd.te
@@ -23,7 +23,7 @@ files_pid_file(vhostmd_var_run_t)
# Local policy
#
-allow vhostmd_t self:capability { dac_override ipc_lock setuid setgid };
+allow vhostmd_t self:capability { dac_override ipc_lock setgid setuid };
allow vhostmd_t self:process { setsched getsched signal };
allow vhostmd_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index e8ac408d..eb72843f 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -455,7 +455,7 @@ tunable_policy(`virt_use_vfio',`
# virtd local policy
#
-allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice };
+allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setgid setpcap setuid sys_admin sys_nice };
allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched };
allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
allow virtd_t self:unix_stream_socket { accept connectto listen relabelfrom relabelto };
@@ -808,7 +808,7 @@ optional_policy(`
# Virsh local policy
#
-allow virsh_t self:capability { setpcap dac_override ipc_lock sys_nice sys_tty_config };
+allow virsh_t self:capability { dac_override ipc_lock setpcap sys_nice sys_tty_config };
allow virsh_t self:process { getcap getsched setsched setcap signal };
allow virsh_t self:fifo_file rw_fifo_file_perms;
allow virsh_t self:unix_stream_socket { accept connectto listen };
@@ -956,7 +956,7 @@ optional_policy(`
# Lxc local policy
#
-allow virtd_lxc_t self:capability { dac_override net_admin net_raw setpcap chown sys_admin sys_boot sys_resource };
+allow virtd_lxc_t self:capability { chown dac_override net_admin net_raw setpcap sys_admin sys_boot sys_resource };
allow virtd_lxc_t self:process { setexec setrlimit setsched getcap setcap signal_perms };
allow virtd_lxc_t self:fifo_file rw_fifo_file_perms;
allow virtd_lxc_t self:netlink_route_socket nlmsg_write;
@@ -1052,7 +1052,7 @@ sysnet_domtrans_ifconfig(virtd_lxc_t)
# Common virt lxc domain local policy
#
-allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
+allow svirt_lxc_domain self:capability { dac_override kill setgid setuid sys_boot };
allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
allow svirt_lxc_domain self:fifo_file manage_file_perms;
allow svirt_lxc_domain self:sem create_sem_perms;
@@ -1149,7 +1149,7 @@ optional_policy(`
# Lxc net local policy
#
-allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin sys_admin sys_nice sys_ptrace sys_resource setpcap };
+allow svirt_lxc_net_t self:capability { chown dac_override dac_read_search fowner fsetid net_admin net_raw setpcap sys_admin sys_nice sys_ptrace sys_resource };
dontaudit svirt_lxc_net_t self:capability2 block_suspend;
allow svirt_lxc_net_t self:process setrlimit;
allow svirt_lxc_net_t self:tcp_socket { accept listen };
@@ -1253,7 +1253,7 @@ optional_policy(`
#
allow virt_bridgehelper_t self:process { setcap getcap };
-allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
+allow virt_bridgehelper_t self:capability { net_admin setgid setpcap setuid };
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
allow virt_bridgehelper_t self:tun_socket create_socket_perms;
allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
diff --git a/policy/modules/contrib/vlock.te b/policy/modules/contrib/vlock.te
index 6b72968e..d4094916 100644
--- a/policy/modules/contrib/vlock.te
+++ b/policy/modules/contrib/vlock.te
@@ -17,7 +17,7 @@ role vlock_roles types vlock_t;
# Local policy
#
-dontaudit vlock_t self:capability { setuid setgid };
+dontaudit vlock_t self:capability { setgid setuid };
allow vlock_t self:fd use;
allow vlock_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/vmware.te b/policy/modules/contrib/vmware.te
index 0fa22c2b..59a32f5d 100644
--- a/policy/modules/contrib/vmware.te
+++ b/policy/modules/contrib/vmware.te
@@ -69,7 +69,7 @@ optional_policy(`
# Host local policy
#
-allow vmware_host_t self:capability { setgid setuid net_raw sys_nice sys_time sys_ptrace kill dac_override };
+allow vmware_host_t self:capability { dac_override kill net_raw setgid setuid sys_nice sys_ptrace sys_time };
dontaudit vmware_host_t self:capability sys_tty_config;
allow vmware_host_t self:process { execstack execmem signal_perms };
allow vmware_host_t self:fifo_file rw_fifo_file_perms;
@@ -186,7 +186,7 @@ optional_policy(`
# Guest local policy
#
-allow vmware_t self:capability { dac_override setgid sys_nice sys_resource setuid sys_admin sys_rawio chown };
+allow vmware_t self:capability { chown dac_override setgid setuid sys_admin sys_nice sys_rawio sys_resource };
dontaudit vmware_t self:capability sys_tty_config;
allow vmware_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow vmware_t self:process { execmem execstack };
diff --git a/policy/modules/contrib/vpn.te b/policy/modules/contrib/vpn.te
index 85353fa7..10fb1013 100644
--- a/policy/modules/contrib/vpn.te
+++ b/policy/modules/contrib/vpn.te
@@ -24,7 +24,7 @@ files_pid_file(vpnc_var_run_t)
# Local policy
#
-allow vpnc_t self:capability { dac_read_search dac_override net_admin ipc_lock net_raw setuid };
+allow vpnc_t self:capability { dac_override dac_read_search ipc_lock net_admin net_raw setuid };
allow vpnc_t self:process { getsched signal };
allow vpnc_t self:fifo_file rw_fifo_file_perms;
allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms;
diff --git a/policy/modules/contrib/watchdog.te b/policy/modules/contrib/watchdog.te
index a181f48b..bac0a747 100644
--- a/policy/modules/contrib/watchdog.te
+++ b/policy/modules/contrib/watchdog.te
@@ -23,7 +23,7 @@ files_pid_file(watchdog_var_run_t)
# Local policy
#
-allow watchdog_t self:capability { sys_admin net_admin sys_boot ipc_lock sys_pacct sys_nice sys_resource net_raw };
+allow watchdog_t self:capability { ipc_lock net_admin net_raw sys_admin sys_boot sys_nice sys_pacct sys_resource };
dontaudit watchdog_t self:capability sys_tty_config;
allow watchdog_t self:process { setsched signal_perms };
allow watchdog_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/wdmd.te b/policy/modules/contrib/wdmd.te
index a32e1988..24c3802e 100644
--- a/policy/modules/contrib/wdmd.te
+++ b/policy/modules/contrib/wdmd.te
@@ -23,7 +23,7 @@ files_pid_file(wdmd_var_run_t)
# Local policy
#
-allow wdmd_t self:capability { chown sys_nice ipc_lock };
+allow wdmd_t self:capability { chown ipc_lock sys_nice };
allow wdmd_t self:process { setsched signal };
allow wdmd_t self:fifo_file rw_fifo_file_perms;
allow wdmd_t self:unix_stream_socket { accept listen };
diff --git a/policy/modules/contrib/xen.te b/policy/modules/contrib/xen.te
index c134cfe5..383c00a7 100644
--- a/policy/modules/contrib/xen.te
+++ b/policy/modules/contrib/xen.te
@@ -163,7 +163,7 @@ files_pid_filetrans(evtchnd_t, evtchnd_var_run_t, { file sock_file dir })
# xend local policy
#
-allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_admin sys_nice sys_tty_config net_raw sys_resource sys_rawio };
+allow xend_t self:capability { dac_override ipc_lock net_admin net_raw setuid sys_admin sys_nice sys_rawio sys_resource sys_tty_config };
dontaudit xend_t self:capability { sys_ptrace };
allow xend_t self:process { setrlimit signal sigkill };
dontaudit xend_t self:process ptrace;
@@ -470,7 +470,7 @@ xen_append_log(xenstored_t)
# xm local policy
#
-allow xm_t self:capability { setpcap dac_override ipc_lock sys_nice sys_tty_config };
+allow xm_t self:capability { dac_override ipc_lock setpcap sys_nice sys_tty_config };
allow xm_t self:process { getcap getsched setsched setcap signal };
allow xm_t self:fifo_file rw_fifo_file_perms;
allow xm_t self:unix_stream_socket { accept connectto listen };
diff --git a/policy/modules/contrib/yam.te b/policy/modules/contrib/yam.te
index 2695db25..4927d4d7 100644
--- a/policy/modules/contrib/yam.te
+++ b/policy/modules/contrib/yam.te
@@ -26,7 +26,7 @@ files_tmp_file(yam_tmp_t)
# Local policy
#
-allow yam_t self:capability { chown fowner fsetid dac_override };
+allow yam_t self:capability { chown dac_override fowner fsetid };
allow yam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execstack execheap };
allow yam_t self:fd use;
allow yam_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/contrib/zabbix.te b/policy/modules/contrib/zabbix.te
index 33822181..a021b743 100644
--- a/policy/modules/contrib/zabbix.te
+++ b/policy/modules/contrib/zabbix.te
@@ -44,7 +44,7 @@ files_pid_file(zabbix_var_run_t)
# Local policy
#
-allow zabbix_t self:capability { dac_read_search dac_override setuid setgid };
+allow zabbix_t self:capability { dac_override dac_read_search setgid setuid };
allow zabbix_t self:process { setsched signal_perms };
allow zabbix_t self:fifo_file rw_fifo_file_perms;
allow zabbix_t self:unix_stream_socket create_stream_socket_perms;
@@ -132,7 +132,7 @@ optional_policy(`
# Agent local policy
#
-allow zabbix_agent_t self:capability { setuid setgid };
+allow zabbix_agent_t self:capability { setgid setuid };
allow zabbix_agent_t self:process { setsched getsched signal };
allow zabbix_agent_t self:fifo_file rw_fifo_file_perms;
allow zabbix_agent_t self:sem create_sem_perms;
diff --git a/policy/modules/contrib/zarafa.te b/policy/modules/contrib/zarafa.te
index 5ce3c3eb..506952fb 100644
--- a/policy/modules/contrib/zarafa.te
+++ b/policy/modules/contrib/zarafa.te
@@ -158,7 +158,7 @@ corenet_tcp_sendrecv_smtp_port(zarafa_spooler_t)
# Zarafa domain local policy
#
-allow zarafa_domain self:capability { kill dac_override chown setgid setuid };
+allow zarafa_domain self:capability { chown dac_override kill setgid setuid };
allow zarafa_domain self:process { setrlimit signal };
allow zarafa_domain self:fifo_file rw_fifo_file_perms;
allow zarafa_domain self:tcp_socket { accept listen };
diff --git a/policy/modules/contrib/zebra.te b/policy/modules/contrib/zebra.te
index d0b03583..bfc2d21d 100644
--- a/policy/modules/contrib/zebra.te
+++ b/policy/modules/contrib/zebra.te
@@ -37,7 +37,7 @@ files_pid_file(zebra_var_run_t)
# Local policy
#
-allow zebra_t self:capability { setgid setuid net_admin net_raw };
+allow zebra_t self:capability { net_admin net_raw setgid setuid };
dontaudit zebra_t self:capability sys_tty_config;
allow zebra_t self:process { signal_perms getcap setcap };
allow zebra_t self:fifo_file rw_fifo_file_perms;
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-02-17 8:50 Jason Zaman
2017-02-17 8:44 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2017-02-17 8:50 UTC (permalink / raw
To: gentoo-commits
commit: accbff6fa3d2188818a6f0d5c8d64bb82a58d46b
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Thu Feb 9 16:20:53 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Feb 17 08:38:49 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=accbff6f
mozilla: allow stream connections to cups so that it can print
Let mozilla connect to cups using socket files so that it is
possible to print.
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/mozilla.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
index 9eb99c30..16452264 100644
--- a/policy/modules/contrib/mozilla.te
+++ b/policy/modules/contrib/mozilla.te
@@ -237,6 +237,7 @@ optional_policy(`
optional_policy(`
cups_read_rw_config(mozilla_t)
+ cups_stream_connect(mozilla_t)
')
optional_policy(`
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-02-17 8:50 Jason Zaman
2017-02-17 8:44 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2017-02-17 8:50 UTC (permalink / raw
To: gentoo-commits
commit: f5d92d4af9bd6a2688884494681381e08644e698
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Feb 8 22:06:44 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Feb 17 08:38:49 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f5d92d4a
mon policy from Russell Coker.
policy/modules/contrib/gpm.if | 1 +
policy/modules/contrib/gpm.te | 2 +-
policy/modules/contrib/mon.fc | 11 +++
policy/modules/contrib/mon.if | 1 +
policy/modules/contrib/mon.te | 223 ++++++++++++++++++++++++++++++++++++++++++
5 files changed, 237 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/gpm.if b/policy/modules/contrib/gpm.if
index b9a47431..356fb6d1 100644
--- a/policy/modules/contrib/gpm.if
+++ b/policy/modules/contrib/gpm.if
@@ -38,6 +38,7 @@ interface(`gpm_getattr_gpmctl',`
dev_list_all_dev_nodes($1)
allow $1 gpmctl_t:sock_file getattr_sock_file_perms;
+ allow $1 gpmctl_t:fifo_file getattr_fifo_file_perms;
')
########################################
diff --git a/policy/modules/contrib/gpm.te b/policy/modules/contrib/gpm.te
index 087ddcef..5cbfa3a6 100644
--- a/policy/modules/contrib/gpm.te
+++ b/policy/modules/contrib/gpm.te
@@ -1,4 +1,4 @@
-policy_module(gpm, 1.11.0)
+policy_module(gpm, 1.11.1)
########################################
#
diff --git a/policy/modules/contrib/mon.fc b/policy/modules/contrib/mon.fc
new file mode 100644
index 00000000..fa179dd8
--- /dev/null
+++ b/policy/modules/contrib/mon.fc
@@ -0,0 +1,11 @@
+/usr/lib/mon/mon.d/.* -- gen_context(system_u:object_r:mon_net_test_exec_t,s0)
+/usr/lib/mon/mon-local.d/.* -- gen_context(system_u:object_r:mon_local_test_exec_t,s0)
+/usr/lib/mon-contrib/mon.d/.* -- gen_context(system_u:object_r:mon_net_test_exec_t,s0)
+/usr/lib/mon-contrib/mon-local.d/.* -- gen_context(system_u:object_r:mon_local_test_exec_t,s0)
+
+/usr/sbin/mon -- gen_context(system_u:object_r:mon_exec_t,s0)
+
+/var/run/mon(/.*)? gen_context(system_u:object_r:mon_var_run_t,s0)
+
+/var/lib/mon(/.*)? gen_context(system_u:object_r:mon_var_lib_t,s0)
+/var/log/mon(/.*)? gen_context(system_u:object_r:mon_var_log_t,s0)
diff --git a/policy/modules/contrib/mon.if b/policy/modules/contrib/mon.if
new file mode 100644
index 00000000..d9aee2be
--- /dev/null
+++ b/policy/modules/contrib/mon.if
@@ -0,0 +1 @@
+## <summary>mon network monitoring daemon.</summary>
diff --git a/policy/modules/contrib/mon.te b/policy/modules/contrib/mon.te
new file mode 100644
index 00000000..c685ac26
--- /dev/null
+++ b/policy/modules/contrib/mon.te
@@ -0,0 +1,223 @@
+policy_module(mon, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type mon_t;
+type mon_exec_t;
+init_daemon_domain(mon_t, mon_exec_t)
+
+type mon_net_test_t;
+typealias mon_net_test_t alias mon_test_t;
+type mon_net_test_exec_t;
+typealias mon_net_test_exec_t alias mon_test_exec_t;
+
+domain_type(mon_net_test_t)
+domain_entry_file(mon_net_test_t, mon_net_test_exec_t)
+role system_r types mon_net_test_t;
+domtrans_pattern(mon_t, mon_net_test_exec_t, mon_net_test_t)
+
+type mon_local_test_t;
+type mon_local_test_exec_t;
+domain_type(mon_local_test_t)
+domain_entry_file(mon_local_test_t, mon_local_test_exec_t)
+role system_r types mon_local_test_t;
+
+type mon_var_run_t;
+files_pid_file(mon_var_run_t)
+
+type mon_var_lib_t;
+files_type(mon_var_lib_t)
+
+type mon_var_log_t;
+logging_log_file(mon_var_log_t)
+
+type mon_tmp_t;
+files_tmp_file(mon_tmp_t)
+
+########################################
+#
+# Local policy
+# mon_t is for the main mon process and for sending alerts
+#
+
+allow mon_t self:fifo_file rw_fifo_file_perms;
+allow mon_t self:tcp_socket create_stream_socket_perms;
+
+domtrans_pattern(mon_t, mon_local_test_exec_t, mon_local_test_t)
+
+manage_dirs_pattern(mon_t, mon_tmp_t, mon_tmp_t)
+manage_files_pattern(mon_t, mon_tmp_t, mon_tmp_t)
+files_tmp_filetrans(mon_t, mon_tmp_t, { file dir })
+
+manage_files_pattern(mon_t, mon_var_lib_t, mon_var_lib_t)
+
+manage_files_pattern(mon_t, mon_var_log_t, mon_var_log_t)
+
+manage_files_pattern(mon_t, mon_var_run_t, mon_var_run_t)
+files_pid_filetrans(mon_t, mon_var_run_t, file)
+
+kernel_read_kernel_sysctls(mon_t)
+kernel_read_network_state(mon_t)
+kernel_read_system_state(mon_t)
+
+corecmd_exec_bin(mon_t)
+corecmd_exec_shell(mon_t)
+
+corenet_tcp_bind_mon_port(mon_t)
+corenet_udp_bind_mon_port(mon_t)
+corenet_tcp_bind_generic_node(mon_t)
+corenet_udp_bind_generic_node(mon_t)
+corenet_tcp_connect_jabber_client_port(mon_t)
+
+dev_read_urand(mon_t)
+dev_read_sysfs(mon_t)
+
+domain_use_interactive_fds(mon_t)
+
+files_read_etc_files(mon_t)
+files_read_etc_runtime_files(mon_t)
+files_read_usr_files(mon_t)
+
+fs_getattr_all_fs(mon_t)
+fs_search_auto_mountpoints(mon_t)
+
+term_dontaudit_search_ptys(mon_t)
+
+application_signull(mon_t)
+
+init_read_utmp(mon_t)
+
+logging_send_syslog_msg(mon_t)
+logging_search_logs(mon_t)
+
+miscfiles_read_localization(mon_t)
+
+sysnet_dns_name_resolve(mon_t)
+
+userdom_dontaudit_use_unpriv_user_fds(mon_t)
+userdom_dontaudit_search_user_home_dirs(mon_t)
+
+optional_policy(`
+ mta_send_mail(mon_t)
+')
+
+########################################
+#
+# Local policy
+# mon_net_test_t is for running tests that need network access
+#
+
+allow mon_net_test_t self:fifo_file rw_file_perms;
+
+can_exec(mon_net_test_t, mon_net_test_exec_t)
+manage_files_pattern(mon_net_test_t, mon_var_lib_t, mon_var_lib_t)
+
+kernel_dontaudit_getattr_core_if(mon_net_test_t)
+kernel_getattr_proc(mon_net_test_t)
+kernel_read_system_state(mon_net_test_t)
+
+corecmd_exec_bin(mon_net_test_t)
+corecmd_exec_shell(mon_net_test_t)
+
+corenet_tcp_connect_all_ports(mon_net_test_t)
+corenet_udp_bind_generic_node(mon_net_test_t)
+
+dev_dontaudit_getattr_all_chr_files(mon_net_test_t)
+dev_getattr_sysfs(mon_net_test_t)
+dev_read_sysfs(mon_net_test_t)
+dev_read_urand(mon_net_test_t)
+
+files_read_usr_files(mon_net_test_t)
+
+fs_getattr_xattr_fs(mon_net_test_t)
+
+auth_use_nsswitch(mon_net_test_t)
+
+miscfiles_read_certs(mon_net_test_t)
+miscfiles_read_localization(mon_net_test_t)
+
+netutils_domtrans_ping(mon_net_test_t)
+
+sysnet_read_config(mon_net_test_t)
+
+optional_policy(`
+ bind_read_zone(mon_net_test_t)
+')
+
+########################################
+#
+# Local policy
+# mon_local_test_t is for running tests that don't need network access
+# this domain has much more access to the local system!
+#
+# try not to use dontaudit rules for this
+#
+
+allow mon_local_test_t self:capability sys_admin;
+allow mon_local_test_t self:fifo_file rw_file_perms;
+
+can_exec(mon_local_test_t, mon_local_test_exec_t)
+
+manage_files_pattern(mon_local_test_t, mon_var_lib_t, mon_var_lib_t)
+
+kernel_dontaudit_getattr_core_if(mon_local_test_t)
+kernel_getattr_proc(mon_local_test_t)
+kernel_read_software_raid_state(mon_local_test_t)
+kernel_read_system_state(mon_local_test_t)
+
+corecmd_exec_bin(mon_local_test_t)
+corecmd_exec_shell(mon_local_test_t)
+
+dev_dontaudit_getattr_all_chr_files(mon_local_test_t)
+dev_getattr_sysfs(mon_local_test_t)
+dev_read_urand(mon_local_test_t)
+dev_read_sysfs(mon_local_test_t)
+
+domain_read_all_domains_state(mon_local_test_t)
+
+files_read_usr_files(mon_local_test_t)
+files_search_mnt(mon_local_test_t)
+files_search_spool(mon_local_test_t)
+files_list_boot(mon_local_test_t)
+
+fs_search_auto_mountpoints(mon_local_test_t)
+fs_getattr_nfs(mon_local_test_t)
+fs_getattr_xattr_fs(mon_local_test_t)
+fs_list_hugetlbfs(mon_local_test_t)
+fs_list_tmpfs(mon_local_test_t)
+fs_search_nfs(mon_local_test_t)
+
+storage_getattr_fixed_disk_dev(mon_local_test_t)
+storage_getattr_removable_dev(mon_local_test_t)
+
+term_getattr_generic_ptys(mon_local_test_t)
+term_list_ptys(mon_local_test_t)
+
+application_exec_all(mon_local_test_t)
+
+auth_use_nsswitch(mon_local_test_t)
+
+init_getattr_initctl(mon_local_test_t)
+
+logging_send_syslog_msg(mon_local_test_t)
+
+miscfiles_read_localization(mon_local_test_t)
+
+rpc_read_nfs_content(mon_local_test_t)
+
+sysnet_read_config(mon_local_test_t)
+
+optional_policy(`
+ gpm_getattr_gpmctl(mon_local_test_t)
+')
+
+optional_policy(`
+ postfix_search_spool(mon_local_test_t)
+')
+
+optional_policy(`
+ xserver_rw_console(mon_local_test_t)
+')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2017-02-17 8:50 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
@ 2017-02-17 8:44 ` Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-02-17 8:44 UTC (permalink / raw
To: gentoo-commits
commit: f5d92d4af9bd6a2688884494681381e08644e698
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Feb 8 22:06:44 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Feb 17 08:38:49 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f5d92d4a
mon policy from Russell Coker.
policy/modules/contrib/gpm.if | 1 +
policy/modules/contrib/gpm.te | 2 +-
policy/modules/contrib/mon.fc | 11 +++
policy/modules/contrib/mon.if | 1 +
policy/modules/contrib/mon.te | 223 ++++++++++++++++++++++++++++++++++++++++++
5 files changed, 237 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/gpm.if b/policy/modules/contrib/gpm.if
index b9a47431..356fb6d1 100644
--- a/policy/modules/contrib/gpm.if
+++ b/policy/modules/contrib/gpm.if
@@ -38,6 +38,7 @@ interface(`gpm_getattr_gpmctl',`
dev_list_all_dev_nodes($1)
allow $1 gpmctl_t:sock_file getattr_sock_file_perms;
+ allow $1 gpmctl_t:fifo_file getattr_fifo_file_perms;
')
########################################
diff --git a/policy/modules/contrib/gpm.te b/policy/modules/contrib/gpm.te
index 087ddcef..5cbfa3a6 100644
--- a/policy/modules/contrib/gpm.te
+++ b/policy/modules/contrib/gpm.te
@@ -1,4 +1,4 @@
-policy_module(gpm, 1.11.0)
+policy_module(gpm, 1.11.1)
########################################
#
diff --git a/policy/modules/contrib/mon.fc b/policy/modules/contrib/mon.fc
new file mode 100644
index 00000000..fa179dd8
--- /dev/null
+++ b/policy/modules/contrib/mon.fc
@@ -0,0 +1,11 @@
+/usr/lib/mon/mon.d/.* -- gen_context(system_u:object_r:mon_net_test_exec_t,s0)
+/usr/lib/mon/mon-local.d/.* -- gen_context(system_u:object_r:mon_local_test_exec_t,s0)
+/usr/lib/mon-contrib/mon.d/.* -- gen_context(system_u:object_r:mon_net_test_exec_t,s0)
+/usr/lib/mon-contrib/mon-local.d/.* -- gen_context(system_u:object_r:mon_local_test_exec_t,s0)
+
+/usr/sbin/mon -- gen_context(system_u:object_r:mon_exec_t,s0)
+
+/var/run/mon(/.*)? gen_context(system_u:object_r:mon_var_run_t,s0)
+
+/var/lib/mon(/.*)? gen_context(system_u:object_r:mon_var_lib_t,s0)
+/var/log/mon(/.*)? gen_context(system_u:object_r:mon_var_log_t,s0)
diff --git a/policy/modules/contrib/mon.if b/policy/modules/contrib/mon.if
new file mode 100644
index 00000000..d9aee2be
--- /dev/null
+++ b/policy/modules/contrib/mon.if
@@ -0,0 +1 @@
+## <summary>mon network monitoring daemon.</summary>
diff --git a/policy/modules/contrib/mon.te b/policy/modules/contrib/mon.te
new file mode 100644
index 00000000..c685ac26
--- /dev/null
+++ b/policy/modules/contrib/mon.te
@@ -0,0 +1,223 @@
+policy_module(mon, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type mon_t;
+type mon_exec_t;
+init_daemon_domain(mon_t, mon_exec_t)
+
+type mon_net_test_t;
+typealias mon_net_test_t alias mon_test_t;
+type mon_net_test_exec_t;
+typealias mon_net_test_exec_t alias mon_test_exec_t;
+
+domain_type(mon_net_test_t)
+domain_entry_file(mon_net_test_t, mon_net_test_exec_t)
+role system_r types mon_net_test_t;
+domtrans_pattern(mon_t, mon_net_test_exec_t, mon_net_test_t)
+
+type mon_local_test_t;
+type mon_local_test_exec_t;
+domain_type(mon_local_test_t)
+domain_entry_file(mon_local_test_t, mon_local_test_exec_t)
+role system_r types mon_local_test_t;
+
+type mon_var_run_t;
+files_pid_file(mon_var_run_t)
+
+type mon_var_lib_t;
+files_type(mon_var_lib_t)
+
+type mon_var_log_t;
+logging_log_file(mon_var_log_t)
+
+type mon_tmp_t;
+files_tmp_file(mon_tmp_t)
+
+########################################
+#
+# Local policy
+# mon_t is for the main mon process and for sending alerts
+#
+
+allow mon_t self:fifo_file rw_fifo_file_perms;
+allow mon_t self:tcp_socket create_stream_socket_perms;
+
+domtrans_pattern(mon_t, mon_local_test_exec_t, mon_local_test_t)
+
+manage_dirs_pattern(mon_t, mon_tmp_t, mon_tmp_t)
+manage_files_pattern(mon_t, mon_tmp_t, mon_tmp_t)
+files_tmp_filetrans(mon_t, mon_tmp_t, { file dir })
+
+manage_files_pattern(mon_t, mon_var_lib_t, mon_var_lib_t)
+
+manage_files_pattern(mon_t, mon_var_log_t, mon_var_log_t)
+
+manage_files_pattern(mon_t, mon_var_run_t, mon_var_run_t)
+files_pid_filetrans(mon_t, mon_var_run_t, file)
+
+kernel_read_kernel_sysctls(mon_t)
+kernel_read_network_state(mon_t)
+kernel_read_system_state(mon_t)
+
+corecmd_exec_bin(mon_t)
+corecmd_exec_shell(mon_t)
+
+corenet_tcp_bind_mon_port(mon_t)
+corenet_udp_bind_mon_port(mon_t)
+corenet_tcp_bind_generic_node(mon_t)
+corenet_udp_bind_generic_node(mon_t)
+corenet_tcp_connect_jabber_client_port(mon_t)
+
+dev_read_urand(mon_t)
+dev_read_sysfs(mon_t)
+
+domain_use_interactive_fds(mon_t)
+
+files_read_etc_files(mon_t)
+files_read_etc_runtime_files(mon_t)
+files_read_usr_files(mon_t)
+
+fs_getattr_all_fs(mon_t)
+fs_search_auto_mountpoints(mon_t)
+
+term_dontaudit_search_ptys(mon_t)
+
+application_signull(mon_t)
+
+init_read_utmp(mon_t)
+
+logging_send_syslog_msg(mon_t)
+logging_search_logs(mon_t)
+
+miscfiles_read_localization(mon_t)
+
+sysnet_dns_name_resolve(mon_t)
+
+userdom_dontaudit_use_unpriv_user_fds(mon_t)
+userdom_dontaudit_search_user_home_dirs(mon_t)
+
+optional_policy(`
+ mta_send_mail(mon_t)
+')
+
+########################################
+#
+# Local policy
+# mon_net_test_t is for running tests that need network access
+#
+
+allow mon_net_test_t self:fifo_file rw_file_perms;
+
+can_exec(mon_net_test_t, mon_net_test_exec_t)
+manage_files_pattern(mon_net_test_t, mon_var_lib_t, mon_var_lib_t)
+
+kernel_dontaudit_getattr_core_if(mon_net_test_t)
+kernel_getattr_proc(mon_net_test_t)
+kernel_read_system_state(mon_net_test_t)
+
+corecmd_exec_bin(mon_net_test_t)
+corecmd_exec_shell(mon_net_test_t)
+
+corenet_tcp_connect_all_ports(mon_net_test_t)
+corenet_udp_bind_generic_node(mon_net_test_t)
+
+dev_dontaudit_getattr_all_chr_files(mon_net_test_t)
+dev_getattr_sysfs(mon_net_test_t)
+dev_read_sysfs(mon_net_test_t)
+dev_read_urand(mon_net_test_t)
+
+files_read_usr_files(mon_net_test_t)
+
+fs_getattr_xattr_fs(mon_net_test_t)
+
+auth_use_nsswitch(mon_net_test_t)
+
+miscfiles_read_certs(mon_net_test_t)
+miscfiles_read_localization(mon_net_test_t)
+
+netutils_domtrans_ping(mon_net_test_t)
+
+sysnet_read_config(mon_net_test_t)
+
+optional_policy(`
+ bind_read_zone(mon_net_test_t)
+')
+
+########################################
+#
+# Local policy
+# mon_local_test_t is for running tests that don't need network access
+# this domain has much more access to the local system!
+#
+# try not to use dontaudit rules for this
+#
+
+allow mon_local_test_t self:capability sys_admin;
+allow mon_local_test_t self:fifo_file rw_file_perms;
+
+can_exec(mon_local_test_t, mon_local_test_exec_t)
+
+manage_files_pattern(mon_local_test_t, mon_var_lib_t, mon_var_lib_t)
+
+kernel_dontaudit_getattr_core_if(mon_local_test_t)
+kernel_getattr_proc(mon_local_test_t)
+kernel_read_software_raid_state(mon_local_test_t)
+kernel_read_system_state(mon_local_test_t)
+
+corecmd_exec_bin(mon_local_test_t)
+corecmd_exec_shell(mon_local_test_t)
+
+dev_dontaudit_getattr_all_chr_files(mon_local_test_t)
+dev_getattr_sysfs(mon_local_test_t)
+dev_read_urand(mon_local_test_t)
+dev_read_sysfs(mon_local_test_t)
+
+domain_read_all_domains_state(mon_local_test_t)
+
+files_read_usr_files(mon_local_test_t)
+files_search_mnt(mon_local_test_t)
+files_search_spool(mon_local_test_t)
+files_list_boot(mon_local_test_t)
+
+fs_search_auto_mountpoints(mon_local_test_t)
+fs_getattr_nfs(mon_local_test_t)
+fs_getattr_xattr_fs(mon_local_test_t)
+fs_list_hugetlbfs(mon_local_test_t)
+fs_list_tmpfs(mon_local_test_t)
+fs_search_nfs(mon_local_test_t)
+
+storage_getattr_fixed_disk_dev(mon_local_test_t)
+storage_getattr_removable_dev(mon_local_test_t)
+
+term_getattr_generic_ptys(mon_local_test_t)
+term_list_ptys(mon_local_test_t)
+
+application_exec_all(mon_local_test_t)
+
+auth_use_nsswitch(mon_local_test_t)
+
+init_getattr_initctl(mon_local_test_t)
+
+logging_send_syslog_msg(mon_local_test_t)
+
+miscfiles_read_localization(mon_local_test_t)
+
+rpc_read_nfs_content(mon_local_test_t)
+
+sysnet_read_config(mon_local_test_t)
+
+optional_policy(`
+ gpm_getattr_gpmctl(mon_local_test_t)
+')
+
+optional_policy(`
+ postfix_search_spool(mon_local_test_t)
+')
+
+optional_policy(`
+ xserver_rw_console(mon_local_test_t)
+')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-02-17 8:50 Jason Zaman
2017-02-17 8:44 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2017-02-17 8:50 UTC (permalink / raw
To: gentoo-commits
commit: 37f95ed3c925df8ef1618ecb30274f5210d69665
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Feb 5 16:12:27 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Feb 17 08:38:49 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=37f95ed3
java: update fcontexts for new versions of icedtea
icedtea8 is the current version, but use a regex so any future versions
work too.
policy/modules/contrib/java.fc | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/java.fc b/policy/modules/contrib/java.fc
index 7958f819..d2984281 100644
--- a/policy/modules/contrib/java.fc
+++ b/policy/modules/contrib/java.fc
@@ -22,7 +22,8 @@ HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:java_home_t,s0)
/usr/lib/bin/java[^/]* -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/lib/eclipse/eclipse -- gen_context(system_u:object_r:java_exec_t,s0)
-/usr/lib/icedtea[67]/bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/lib/icedtea[0-9]+/bin/.* -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/lib/icedtea[0-9]+/jre/bin/.* -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/lib/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/lib/opera(/.*)?/opera -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/lib/opera(/.*)?/works -- gen_context(system_u:object_r:java_exec_t,s0)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2017-02-17 8:50 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
@ 2017-02-17 8:44 ` Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-02-17 8:44 UTC (permalink / raw
To: gentoo-commits
commit: 37f95ed3c925df8ef1618ecb30274f5210d69665
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Feb 5 16:12:27 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Feb 17 08:38:49 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=37f95ed3
java: update fcontexts for new versions of icedtea
icedtea8 is the current version, but use a regex so any future versions
work too.
policy/modules/contrib/java.fc | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/java.fc b/policy/modules/contrib/java.fc
index 7958f819..d2984281 100644
--- a/policy/modules/contrib/java.fc
+++ b/policy/modules/contrib/java.fc
@@ -22,7 +22,8 @@ HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:java_home_t,s0)
/usr/lib/bin/java[^/]* -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/lib/eclipse/eclipse -- gen_context(system_u:object_r:java_exec_t,s0)
-/usr/lib/icedtea[67]/bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/lib/icedtea[0-9]+/bin/.* -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/lib/icedtea[0-9]+/jre/bin/.* -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/lib/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/lib/opera(/.*)?/opera -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/lib/opera(/.*)?/works -- gen_context(system_u:object_r:java_exec_t,s0)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-02-17 8:50 Jason Zaman
2017-02-17 8:44 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2017-02-17 8:50 UTC (permalink / raw
To: gentoo-commits
commit: 8f528ab68d375086dc9643da8f7e36f78289195c
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Feb 12 18:44:46 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Feb 17 08:38:49 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8f528ab6
Module version bump for cups patches from Guido Trentalancia.
policy/modules/contrib/cups.te | 2 +-
policy/modules/contrib/lpd.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te
index 14a4cfd7..8810656d 100644
--- a/policy/modules/contrib/cups.te
+++ b/policy/modules/contrib/cups.te
@@ -1,4 +1,4 @@
-policy_module(cups, 1.21.1)
+policy_module(cups, 1.21.2)
########################################
#
diff --git a/policy/modules/contrib/lpd.te b/policy/modules/contrib/lpd.te
index 480b5e7e..1343b116 100644
--- a/policy/modules/contrib/lpd.te
+++ b/policy/modules/contrib/lpd.te
@@ -1,4 +1,4 @@
-policy_module(lpd, 1.15.0)
+policy_module(lpd, 1.15.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2017-02-17 8:50 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
@ 2017-02-17 8:44 ` Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-02-17 8:44 UTC (permalink / raw
To: gentoo-commits
commit: 8f528ab68d375086dc9643da8f7e36f78289195c
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Feb 12 18:44:46 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Feb 17 08:38:49 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8f528ab6
Module version bump for cups patches from Guido Trentalancia.
policy/modules/contrib/cups.te | 2 +-
policy/modules/contrib/lpd.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te
index 14a4cfd7..8810656d 100644
--- a/policy/modules/contrib/cups.te
+++ b/policy/modules/contrib/cups.te
@@ -1,4 +1,4 @@
-policy_module(cups, 1.21.1)
+policy_module(cups, 1.21.2)
########################################
#
diff --git a/policy/modules/contrib/lpd.te b/policy/modules/contrib/lpd.te
index 480b5e7e..1343b116 100644
--- a/policy/modules/contrib/lpd.te
+++ b/policy/modules/contrib/lpd.te
@@ -1,4 +1,4 @@
-policy_module(lpd, 1.15.0)
+policy_module(lpd, 1.15.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2017-02-17 8:50 Jason Zaman
2017-02-17 8:44 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2017-02-17 8:50 UTC (permalink / raw
To: gentoo-commits
commit: a16a1f6a2712ab32441f676c5bf0041cb8f290db
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Feb 15 23:43:57 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Feb 17 08:38:49 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a16a1f6a
Revert "cups/lpd: read permission for cupsd_var_run_t socket files"
This reverts commit 9995442bb5f249c5d666e66e29308d2f8d201049.
policy/modules/contrib/cups.if | 19 -------------------
policy/modules/contrib/lpd.te | 1 -
2 files changed, 20 deletions(-)
diff --git a/policy/modules/contrib/cups.if b/policy/modules/contrib/cups.if
index 1fb79e2b..bd6b77f4 100644
--- a/policy/modules/contrib/cups.if
+++ b/policy/modules/contrib/cups.if
@@ -129,25 +129,6 @@ interface(`cups_read_pid_files',`
########################################
## <summary>
-## Read cups socket files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`cups_read_sock_files',`
- gen_require(`
- type cupsd_var_run_t;
- ')
-
- files_search_pids($1)
- allow $1 cupsd_var_run_t:sock_file read_sock_file_perms;
-')
-
-########################################
-## <summary>
## Execute cups_config in the
## cups config domain.
## </summary>
diff --git a/policy/modules/contrib/lpd.te b/policy/modules/contrib/lpd.te
index 1343b116..11daaf6c 100644
--- a/policy/modules/contrib/lpd.te
+++ b/policy/modules/contrib/lpd.te
@@ -295,7 +295,6 @@ optional_policy(`
cups_read_config(lpr_t)
cups_stream_connect(lpr_t)
cups_read_pid_files(lpr_t)
- cups_read_sock_files(lpr_t)
')
optional_policy(`
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2017-02-17 8:50 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
@ 2017-02-17 8:44 ` Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-02-17 8:44 UTC (permalink / raw
To: gentoo-commits
commit: a16a1f6a2712ab32441f676c5bf0041cb8f290db
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Feb 15 23:43:57 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Feb 17 08:38:49 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a16a1f6a
Revert "cups/lpd: read permission for cupsd_var_run_t socket files"
This reverts commit 9995442bb5f249c5d666e66e29308d2f8d201049.
policy/modules/contrib/cups.if | 19 -------------------
policy/modules/contrib/lpd.te | 1 -
2 files changed, 20 deletions(-)
diff --git a/policy/modules/contrib/cups.if b/policy/modules/contrib/cups.if
index 1fb79e2b..bd6b77f4 100644
--- a/policy/modules/contrib/cups.if
+++ b/policy/modules/contrib/cups.if
@@ -129,25 +129,6 @@ interface(`cups_read_pid_files',`
########################################
## <summary>
-## Read cups socket files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`cups_read_sock_files',`
- gen_require(`
- type cupsd_var_run_t;
- ')
-
- files_search_pids($1)
- allow $1 cupsd_var_run_t:sock_file read_sock_file_perms;
-')
-
-########################################
-## <summary>
## Execute cups_config in the
## cups config domain.
## </summary>
diff --git a/policy/modules/contrib/lpd.te b/policy/modules/contrib/lpd.te
index 1343b116..11daaf6c 100644
--- a/policy/modules/contrib/lpd.te
+++ b/policy/modules/contrib/lpd.te
@@ -295,7 +295,6 @@ optional_policy(`
cups_read_config(lpr_t)
cups_stream_connect(lpr_t)
cups_read_pid_files(lpr_t)
- cups_read_sock_files(lpr_t)
')
optional_policy(`
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-02-17 8:44 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-02-17 8:44 UTC (permalink / raw
To: gentoo-commits
commit: 68218cecf765be819fade6909ec4a67c6491a7fd
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Tue Feb 14 01:00:28 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Feb 17 08:38:49 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=68218cec
Module version bump for tbird and mozilla printing from Guido Trentalancia.
policy/modules/contrib/mozilla.te | 2 +-
policy/modules/contrib/thunderbird.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
index 16452264..fa651ed4 100644
--- a/policy/modules/contrib/mozilla.te
+++ b/policy/modules/contrib/mozilla.te
@@ -1,4 +1,4 @@
-policy_module(mozilla, 2.11.0)
+policy_module(mozilla, 2.11.1)
########################################
#
diff --git a/policy/modules/contrib/thunderbird.te b/policy/modules/contrib/thunderbird.te
index 9de96c7c..9f88912c 100644
--- a/policy/modules/contrib/thunderbird.te
+++ b/policy/modules/contrib/thunderbird.te
@@ -1,4 +1,4 @@
-policy_module(thunderbird, 2.5.0)
+policy_module(thunderbird, 2.5.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-02-17 8:44 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-02-17 8:44 UTC (permalink / raw
To: gentoo-commits
commit: 909b13c82553151ca1c990c2bef222dbdc90af7b
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Mon Feb 13 19:31:58 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Feb 17 08:38:49 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=909b13c8
thunderbird: allow stream connections to cups so that it can print
Let thunderbird connect to cups using socket files so that it is
possible to print.
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/thunderbird.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/thunderbird.te b/policy/modules/contrib/thunderbird.te
index 9823d1dd..9de96c7c 100644
--- a/policy/modules/contrib/thunderbird.te
+++ b/policy/modules/contrib/thunderbird.te
@@ -151,6 +151,7 @@ optional_policy(`
optional_policy(`
cups_read_rw_config(thunderbird_t)
+ cups_stream_connect(thunderbird_t)
')
optional_policy(`
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-02-17 8:44 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-02-17 8:44 UTC (permalink / raw
To: gentoo-commits
commit: 9671bfb441d3b4606c944fceb142ff772309f677
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Sat Feb 11 20:13:40 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Feb 17 08:38:49 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9671bfb4
cups/lpd: read permission for cupsd_var_run_t socket files
Introduce a new interface in the cups module to read cups socket
files and call such interface from the lpd module.
Thanks to Christpher PeBenito for revising this patch.
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/cups.if | 19 +++++++++++++++++++
policy/modules/contrib/lpd.te | 1 +
2 files changed, 20 insertions(+)
diff --git a/policy/modules/contrib/cups.if b/policy/modules/contrib/cups.if
index bd6b77f4..1fb79e2b 100644
--- a/policy/modules/contrib/cups.if
+++ b/policy/modules/contrib/cups.if
@@ -129,6 +129,25 @@ interface(`cups_read_pid_files',`
########################################
## <summary>
+## Read cups socket files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cups_read_sock_files',`
+ gen_require(`
+ type cupsd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 cupsd_var_run_t:sock_file read_sock_file_perms;
+')
+
+########################################
+## <summary>
## Execute cups_config in the
## cups config domain.
## </summary>
diff --git a/policy/modules/contrib/lpd.te b/policy/modules/contrib/lpd.te
index 87984710..480b5e7e 100644
--- a/policy/modules/contrib/lpd.te
+++ b/policy/modules/contrib/lpd.te
@@ -295,6 +295,7 @@ optional_policy(`
cups_read_config(lpr_t)
cups_stream_connect(lpr_t)
cups_read_pid_files(lpr_t)
+ cups_read_sock_files(lpr_t)
')
optional_policy(`
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-02-17 8:44 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-02-17 8:44 UTC (permalink / raw
To: gentoo-commits
commit: e010b2f40c2154410caae30c736c54fc20efb2ee
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Feb 15 23:44:26 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Feb 17 08:38:49 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e010b2f4
Module version bump for cups revert.
policy/modules/contrib/cups.te | 2 +-
policy/modules/contrib/lpd.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te
index 8810656d..c90e2120 100644
--- a/policy/modules/contrib/cups.te
+++ b/policy/modules/contrib/cups.te
@@ -1,4 +1,4 @@
-policy_module(cups, 1.21.2)
+policy_module(cups, 1.21.3)
########################################
#
diff --git a/policy/modules/contrib/lpd.te b/policy/modules/contrib/lpd.te
index 11daaf6c..fc70ff9e 100644
--- a/policy/modules/contrib/lpd.te
+++ b/policy/modules/contrib/lpd.te
@@ -1,4 +1,4 @@
-policy_module(lpd, 1.15.1)
+policy_module(lpd, 1.15.2)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-02-17 8:44 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-02-17 8:44 UTC (permalink / raw
To: gentoo-commits
commit: 8ce244028e264e2e86a988345f6dc04ddc164db4
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Thu Feb 9 16:25:15 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Feb 17 08:38:49 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8ce24402
cups: read permission for cupsd_var_run_t socket files in cups_stream_connect()
Modify the cups_stream_connect() interface so that it can also
read cupsd_var_run_t socket files in addition to writing them.
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/cups.if | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/cups.if b/policy/modules/contrib/cups.if
index 6a2633cb..bd6b77f4 100644
--- a/policy/modules/contrib/cups.if
+++ b/policy/modules/contrib/cups.if
@@ -69,6 +69,7 @@ interface(`cups_stream_connect',`
')
files_search_pids($1)
+ allow $1 cupsd_var_run_t:sock_file read_sock_file_perms;
stream_connect_pattern($1, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-02-17 8:44 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-02-17 8:44 UTC (permalink / raw
To: gentoo-commits
commit: 183984a40e0e043d260bb227c1f78c16ccc9ea12
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Tue Feb 7 23:37:57 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Feb 17 08:38:49 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=183984a4
Module version bump for usrmerge FC fixes from Jason Zaman.
policy/modules/contrib/dphysswapfile.te | 2 +-
policy/modules/contrib/fakehwclock.te | 2 +-
policy/modules/contrib/java.te | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/policy/modules/contrib/dphysswapfile.te b/policy/modules/contrib/dphysswapfile.te
index 485372a0..26faf67d 100644
--- a/policy/modules/contrib/dphysswapfile.te
+++ b/policy/modules/contrib/dphysswapfile.te
@@ -1,4 +1,4 @@
-policy_module(dphysswapfile, 1.0.0)
+policy_module(dphysswapfile, 1.0.1)
########################################
#
diff --git a/policy/modules/contrib/fakehwclock.te b/policy/modules/contrib/fakehwclock.te
index b5cf6632..5caedf9f 100644
--- a/policy/modules/contrib/fakehwclock.te
+++ b/policy/modules/contrib/fakehwclock.te
@@ -1,4 +1,4 @@
-policy_module(fakehwclock, 1.0.0)
+policy_module(fakehwclock, 1.0.1)
########################################
#
diff --git a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te
index 7568835e..722b0826 100644
--- a/policy/modules/contrib/java.te
+++ b/policy/modules/contrib/java.te
@@ -1,4 +1,4 @@
-policy_module(java, 2.9.0)
+policy_module(java, 2.9.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-02-16 11:34 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-02-16 11:34 UTC (permalink / raw
To: gentoo-commits
commit: 87279d29ccea9c9f91f970d9c7b28acb1ade7201
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Feb 5 08:04:26 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Feb 5 15:10:30 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=87279d29
usrmerge: Add missed /usr fcontexts
policy/modules/contrib/dphysswapfile.fc | 2 +-
policy/modules/contrib/fakehwclock.fc | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/dphysswapfile.fc b/policy/modules/contrib/dphysswapfile.fc
index 1b2bfcca..3cf1968d 100644
--- a/policy/modules/contrib/dphysswapfile.fc
+++ b/policy/modules/contrib/dphysswapfile.fc
@@ -1,5 +1,5 @@
/etc/dphys-swapfile -- gen_context(system_u:object_r:dphysswapfile_conf_t,s0)
-/sbin/dphys-swapfile -- gen_context(system_u:object_r:dphysswapfile_exec_t,s0)
+/usr/sbin/dphys-swapfile -- gen_context(system_u:object_r:dphysswapfile_exec_t,s0)
/var/swap -- gen_context(system_u:object_r:dphysswapfile_swap_t,s0)
diff --git a/policy/modules/contrib/fakehwclock.fc b/policy/modules/contrib/fakehwclock.fc
index d83c6281..b0a55f6e 100644
--- a/policy/modules/contrib/fakehwclock.fc
+++ b/policy/modules/contrib/fakehwclock.fc
@@ -1,5 +1,5 @@
/etc/fake-hwclock\.data -- gen_context(system_u:object_r:fakehwclock_backup_t,s0)
-/sbin/fake-hwclock -- gen_context(system_u:object_r:fakehwclock_exec_t,s0)
+/usr/sbin/fake-hwclock -- gen_context(system_u:object_r:fakehwclock_exec_t,s0)
/usr/lib/systemd/system/fake-hwclock\.service -- gen_context(system_u:object_r:fakehwclock_unit_t,s0)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-02-16 11:34 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-02-16 11:34 UTC (permalink / raw
To: gentoo-commits
commit: ed34f2a2082007b98285bafc17bc33f110270804
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Feb 5 08:08:00 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Feb 5 15:10:31 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ed34f2a2
contrib: usrmerge: Add gentoo-specific /usr fcontexts
policy/modules/contrib/nut.fc | 2 +-
policy/modules/contrib/openrc.fc | 2 +-
policy/modules/contrib/resolvconf.fc | 5 ++---
3 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/policy/modules/contrib/nut.fc b/policy/modules/contrib/nut.fc
index 5fa41e6a..fdf658f1 100644
--- a/policy/modules/contrib/nut.fc
+++ b/policy/modules/contrib/nut.fc
@@ -19,5 +19,5 @@
/var/www/nut-cgi-bin/upsstats\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
ifdef(`distro_gentoo',`
-/lib/nut/upsdrvctl -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
+/usr/lib/nut/upsdrvctl -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
')
diff --git a/policy/modules/contrib/openrc.fc b/policy/modules/contrib/openrc.fc
index 25c063fe..7d62191c 100644
--- a/policy/modules/contrib/openrc.fc
+++ b/policy/modules/contrib/openrc.fc
@@ -1 +1 @@
-/lib/rc/sh/cgroup-release-agent.sh -- gen_context(system_u:object_r:openrc_cgroup_release_exec_t,s0)
+/usr/lib/rc/sh/cgroup-release-agent.sh -- gen_context(system_u:object_r:openrc_cgroup_release_exec_t,s0)
diff --git a/policy/modules/contrib/resolvconf.fc b/policy/modules/contrib/resolvconf.fc
index e6a410f6..7db4cb82 100644
--- a/policy/modules/contrib/resolvconf.fc
+++ b/policy/modules/contrib/resolvconf.fc
@@ -1,8 +1,7 @@
-
/etc/resolvconf.conf -- gen_context(system_u:object_r:resolvconf_conf_t,s0)
-/lib/resolvconf(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/resolvconf(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/sbin/resolvconf -- gen_context(system_u:object_r:resolvconf_exec_t,s0)
+/usr/sbin/resolvconf -- gen_context(system_u:object_r:resolvconf_exec_t,s0)
/var/run/resolvconf(/.*)? gen_context(system_u:object_r:resolvconf_var_run_t,s0)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:usrmerge commit in: policy/modules/contrib/
@ 2017-02-05 15:13 Jason Zaman
2017-02-16 11:34 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2017-02-05 15:13 UTC (permalink / raw
To: gentoo-commits
commit: 110875d7272058d72af8735e08ebbd4704c48d99
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Feb 4 20:18:43 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Feb 5 15:10:30 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=110875d7
Create / to /usr equivalence for bin, sbin, and lib, from Russell Coker.
policy/modules/contrib/acct.fc | 2 --
policy/modules/contrib/acct.te | 2 +-
policy/modules/contrib/alsa.fc | 5 -----
policy/modules/contrib/alsa.te | 2 +-
policy/modules/contrib/apcupsd.fc | 2 --
policy/modules/contrib/apcupsd.te | 2 +-
policy/modules/contrib/cachefilesd.fc | 2 --
policy/modules/contrib/cachefilesd.te | 2 +-
policy/modules/contrib/ccs.fc | 2 --
policy/modules/contrib/ccs.te | 2 +-
policy/modules/contrib/cgroup.fc | 4 ----
policy/modules/contrib/cgroup.te | 2 +-
policy/modules/contrib/cpucontrol.fc | 4 ----
policy/modules/contrib/cpucontrol.te | 2 +-
policy/modules/contrib/cups.fc | 2 --
policy/modules/contrib/cups.te | 2 +-
policy/modules/contrib/dbus.fc | 4 ----
policy/modules/contrib/dbus.te | 2 +-
policy/modules/contrib/devicekit.fc | 3 ---
policy/modules/contrib/devicekit.te | 2 +-
policy/modules/contrib/drbd.fc | 3 ---
policy/modules/contrib/drbd.te | 2 +-
policy/modules/contrib/iscsi.fc | 4 ----
policy/modules/contrib/iscsi.te | 2 +-
policy/modules/contrib/kdump.fc | 5 -----
policy/modules/contrib/kdump.te | 2 +-
policy/modules/contrib/kudzu.fc | 3 ---
policy/modules/contrib/kudzu.te | 2 +-
policy/modules/contrib/loadkeys.fc | 3 ---
policy/modules/contrib/loadkeys.te | 2 +-
policy/modules/contrib/mta.fc | 2 --
policy/modules/contrib/mta.te | 2 +-
policy/modules/contrib/networkmanager.fc | 3 ---
policy/modules/contrib/networkmanager.te | 2 +-
policy/modules/contrib/nis.fc | 2 --
policy/modules/contrib/nis.te | 2 +-
policy/modules/contrib/nut.fc | 4 ----
policy/modules/contrib/nut.te | 2 +-
policy/modules/contrib/oddjob.fc | 2 --
policy/modules/contrib/oddjob.te | 2 +-
policy/modules/contrib/pcmcia.fc | 3 ---
policy/modules/contrib/pcmcia.te | 2 +-
policy/modules/contrib/plymouthd.fc | 4 ----
policy/modules/contrib/plymouthd.te | 2 +-
policy/modules/contrib/portmap.fc | 4 ----
policy/modules/contrib/portmap.te | 2 +-
policy/modules/contrib/portreserve.fc | 2 --
policy/modules/contrib/portreserve.te | 2 +-
policy/modules/contrib/ppp.fc | 3 ---
policy/modules/contrib/ppp.te | 2 +-
policy/modules/contrib/prelude.fc | 2 --
policy/modules/contrib/prelude.te | 2 +-
policy/modules/contrib/quota.fc | 3 ---
policy/modules/contrib/quota.te | 2 +-
policy/modules/contrib/raid.fc | 8 --------
policy/modules/contrib/raid.te | 2 +-
policy/modules/contrib/rdisc.fc | 2 --
policy/modules/contrib/rdisc.te | 2 +-
policy/modules/contrib/readahead.fc | 2 --
policy/modules/contrib/readahead.te | 2 +-
policy/modules/contrib/resmgr.fc | 2 --
policy/modules/contrib/resmgr.te | 2 +-
policy/modules/contrib/rpc.fc | 3 ---
policy/modules/contrib/rpc.te | 2 +-
policy/modules/contrib/rpcbind.fc | 2 --
policy/modules/contrib/rpcbind.te | 2 +-
policy/modules/contrib/rpm.fc | 4 ----
policy/modules/contrib/rpm.te | 2 +-
policy/modules/contrib/shorewall.fc | 3 ---
policy/modules/contrib/shorewall.te | 2 +-
policy/modules/contrib/shutdown.fc | 4 ----
policy/modules/contrib/shutdown.te | 2 +-
policy/modules/contrib/usbmodules.fc | 2 --
policy/modules/contrib/usbmodules.te | 2 +-
policy/modules/contrib/vpn.fc | 2 --
policy/modules/contrib/vpn.te | 2 +-
policy/modules/contrib/zosremote.fc | 2 --
policy/modules/contrib/zosremote.te | 2 +-
78 files changed, 39 insertions(+), 157 deletions(-)
diff --git a/policy/modules/contrib/acct.fc b/policy/modules/contrib/acct.fc
index c6d17a2..8a4f7ef 100644
--- a/policy/modules/contrib/acct.fc
+++ b/policy/modules/contrib/acct.fc
@@ -2,8 +2,6 @@
/etc/rc\.d/init\.d/psacct -- gen_context(system_u:object_r:acct_initrc_exec_t,s0)
-/sbin/accton -- gen_context(system_u:object_r:acct_exec_t,s0)
-
/usr/sbin/accton -- gen_context(system_u:object_r:acct_exec_t,s0)
/var/account(/.*)? gen_context(system_u:object_r:acct_data_t,s0)
diff --git a/policy/modules/contrib/acct.te b/policy/modules/contrib/acct.te
index 6f6fd13..aca9d80 100644
--- a/policy/modules/contrib/acct.te
+++ b/policy/modules/contrib/acct.te
@@ -1,4 +1,4 @@
-policy_module(acct, 1.7.0)
+policy_module(acct, 1.7.1)
########################################
#
diff --git a/policy/modules/contrib/alsa.fc b/policy/modules/contrib/alsa.fc
index 112fc62..f26e239 100644
--- a/policy/modules/contrib/alsa.fc
+++ b/policy/modules/contrib/alsa.fc
@@ -4,14 +4,9 @@ ifdef(`distro_debian',`
/\.config(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0)
')
-/bin/alsaunmute -- gen_context(system_u:object_r:alsa_exec_t,s0)
-
/etc/alsa(/.*)? gen_context(system_u:object_r:alsa_etc_t,s0)
/etc/asound\.conf gen_context(system_u:object_r:alsa_etc_t,s0)
-/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0)
-/sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0)
-
# Systemd unit files
/usr/lib/systemd/system/[^/]*alsa-restore.* -- gen_context(system_u:object_r:alsa_unit_t,s0)
/usr/lib/systemd/system/[^/]*alsa-state.* -- gen_context(system_u:object_r:alsa_unit_t,s0)
diff --git a/policy/modules/contrib/alsa.te b/policy/modules/contrib/alsa.te
index f7faa4b..1904667 100644
--- a/policy/modules/contrib/alsa.te
+++ b/policy/modules/contrib/alsa.te
@@ -1,4 +1,4 @@
-policy_module(alsa, 1.16.0)
+policy_module(alsa, 1.16.1)
########################################
#
diff --git a/policy/modules/contrib/apcupsd.fc b/policy/modules/contrib/apcupsd.fc
index 375989c..c9a7900 100644
--- a/policy/modules/contrib/apcupsd.fc
+++ b/policy/modules/contrib/apcupsd.fc
@@ -1,7 +1,5 @@
/etc/rc\.d/init\.d/apcupsd -- gen_context(system_u:object_r:apcupsd_initrc_exec_t,s0)
-/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
-
/usr/lib/systemd/system/apcupsd.*\.service -- gen_context(system_u:object_r:apcupsd_unit_t,s0)
/usr/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
diff --git a/policy/modules/contrib/apcupsd.te b/policy/modules/contrib/apcupsd.te
index 0277a90..e1586b3 100644
--- a/policy/modules/contrib/apcupsd.te
+++ b/policy/modules/contrib/apcupsd.te
@@ -1,4 +1,4 @@
-policy_module(apcupsd, 1.12.0)
+policy_module(apcupsd, 1.12.1)
########################################
#
diff --git a/policy/modules/contrib/cachefilesd.fc b/policy/modules/contrib/cachefilesd.fc
index 7ee707d..1ddbe60 100644
--- a/policy/modules/contrib/cachefilesd.fc
+++ b/policy/modules/contrib/cachefilesd.fc
@@ -1,7 +1,5 @@
/etc/rc\.d/init\.d/cachefilesd -- gen_context(system_u:object_r:cachefilesd_initrc_exec_t,s0)
-/sbin/cachefilesd -- gen_context(system_u:object_r:cachefilesd_exec_t,s0)
-
/usr/sbin/cachefilesd -- gen_context(system_u:object_r:cachefilesd_exec_t,s0)
/var/cache/fscache(/.*)? gen_context(system_u:object_r:cachefilesd_cache_t,s0)
diff --git a/policy/modules/contrib/cachefilesd.te b/policy/modules/contrib/cachefilesd.te
index c8cf94c..14fcf67 100644
--- a/policy/modules/contrib/cachefilesd.te
+++ b/policy/modules/contrib/cachefilesd.te
@@ -1,4 +1,4 @@
-policy_module(cachefilesd, 1.3.0)
+policy_module(cachefilesd, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/ccs.fc b/policy/modules/contrib/ccs.fc
index 86c73a7..4bf5e8f 100644
--- a/policy/modules/contrib/ccs.fc
+++ b/policy/modules/contrib/ccs.fc
@@ -2,8 +2,6 @@
/etc/rc\.d/init\.d/((ccs)|(ccsd)) -- gen_context(system_u:object_r:ccs_initrc_exec_t,s0)
-/sbin/ccsd -- gen_context(system_u:object_r:ccs_exec_t,s0)
-
/usr/sbin/ccsd -- gen_context(system_u:object_r:ccs_exec_t,s0)
/var/lib/cluster/((ccs)|(ccsd)).* gen_context(system_u:object_r:ccs_var_lib_t,s0)
diff --git a/policy/modules/contrib/ccs.te b/policy/modules/contrib/ccs.te
index 9bf4039..eacec0b 100644
--- a/policy/modules/contrib/ccs.te
+++ b/policy/modules/contrib/ccs.te
@@ -1,4 +1,4 @@
-policy_module(ccs, 1.10.0)
+policy_module(ccs, 1.10.1)
########################################
#
diff --git a/policy/modules/contrib/cgroup.fc b/policy/modules/contrib/cgroup.fc
index a77ead6..cfe6b48 100644
--- a/policy/modules/contrib/cgroup.fc
+++ b/policy/modules/contrib/cgroup.fc
@@ -7,10 +7,6 @@
/etc/rc\.d/init\.d/cgconfig -- gen_context(system_u:object_r:cgconfig_initrc_exec_t,s0)
/etc/rc\.d/init\.d/cgred -- gen_context(system_u:object_r:cgred_initrc_exec_t,s0)
-/sbin/cgconfigparser -- gen_context(system_u:object_r:cgconfig_exec_t,s0)
-/sbin/cgrulesengd -- gen_context(system_u:object_r:cgred_exec_t,s0)
-/sbin/cgclear -- gen_context(system_u:object_r:cgclear_exec_t,s0)
-
/usr/sbin/cgconfigparser -- gen_context(system_u:object_r:cgconfig_exec_t,s0)
/usr/sbin/cgrulesengd -- gen_context(system_u:object_r:cgred_exec_t,s0)
/usr/sbin/cgclear -- gen_context(system_u:object_r:cgclear_exec_t,s0)
diff --git a/policy/modules/contrib/cgroup.te b/policy/modules/contrib/cgroup.te
index b9a20ff..5d600a9 100644
--- a/policy/modules/contrib/cgroup.te
+++ b/policy/modules/contrib/cgroup.te
@@ -1,4 +1,4 @@
-policy_module(cgroup, 1.5.0)
+policy_module(cgroup, 1.5.1)
########################################
#
diff --git a/policy/modules/contrib/cpucontrol.fc b/policy/modules/contrib/cpucontrol.fc
index aa4b21b..06f5d0f 100644
--- a/policy/modules/contrib/cpucontrol.fc
+++ b/policy/modules/contrib/cpucontrol.fc
@@ -1,7 +1,3 @@
-/lib/firmware/microcode.*\.dat -- gen_context(system_u:object_r:cpucontrol_conf_t,s0)
-
-/sbin/microcode_ctl -- gen_context(system_u:object_r:cpucontrol_exec_t,s0)
-
/usr/lib/firmware/microcode.*\.dat -- gen_context(system_u:object_r:cpucontrol_conf_t,s0)
/usr/sbin/cpufreqd -- gen_context(system_u:object_r:cpuspeed_exec_t,s0)
diff --git a/policy/modules/contrib/cpucontrol.te b/policy/modules/contrib/cpucontrol.te
index 5b7c320..cff0e16 100644
--- a/policy/modules/contrib/cpucontrol.te
+++ b/policy/modules/contrib/cpucontrol.te
@@ -1,4 +1,4 @@
-policy_module(cpucontrol, 1.6.0)
+policy_module(cpucontrol, 1.6.1)
########################################
#
diff --git a/policy/modules/contrib/cups.fc b/policy/modules/contrib/cups.fc
index 5ccf2cb..72afd97 100644
--- a/policy/modules/contrib/cups.fc
+++ b/policy/modules/contrib/cups.fc
@@ -18,8 +18,6 @@
/etc/printcap.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-
/opt/brother/Printers(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/opt/gutenprint/ppds(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te
index f5bf055..14a4cfd 100644
--- a/policy/modules/contrib/cups.te
+++ b/policy/modules/contrib/cups.te
@@ -1,4 +1,4 @@
-policy_module(cups, 1.21.0)
+policy_module(cups, 1.21.1)
########################################
#
diff --git a/policy/modules/contrib/dbus.fc b/policy/modules/contrib/dbus.fc
index c96d02a..c7baa6b 100644
--- a/policy/modules/contrib/dbus.fc
+++ b/policy/modules/contrib/dbus.fc
@@ -2,10 +2,6 @@ HOME_DIR/\.dbus(/.*)? gen_context(system_u:object_r:session_dbusd_home_t,s0)
/etc/dbus-.*(/.*)? gen_context(system_u:object_r:dbusd_etc_t,s0)
-/bin/dbus-daemon -- gen_context(system_u:object_r:dbusd_exec_t,s0)
-
-/lib/dbus-.*/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
-
/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0)
/usr/lib/dbus-.*/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index 996fc68..42c7d4f 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -1,4 +1,4 @@
-policy_module(dbus, 1.22.0)
+policy_module(dbus, 1.22.1)
gen_require(`
class dbus all_dbus_perms;
diff --git a/policy/modules/contrib/devicekit.fc b/policy/modules/contrib/devicekit.fc
index 8161451..2b6d443 100644
--- a/policy/modules/contrib/devicekit.fc
+++ b/policy/modules/contrib/devicekit.fc
@@ -1,6 +1,3 @@
-/lib/udev/udisks-part-id -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
-/lib/udisks2/udisksd -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
-
/usr/lib/udev/udisks-part-id -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
/usr/lib/udisks2/udisksd -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
/usr/lib/udisks/udisks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
diff --git a/policy/modules/contrib/devicekit.te b/policy/modules/contrib/devicekit.te
index 229c6b2..a5926c4 100644
--- a/policy/modules/contrib/devicekit.te
+++ b/policy/modules/contrib/devicekit.te
@@ -1,4 +1,4 @@
-policy_module(devicekit, 1.6.0)
+policy_module(devicekit, 1.6.1)
########################################
#
diff --git a/policy/modules/contrib/drbd.fc b/policy/modules/contrib/drbd.fc
index 671a3fb..d5d54f7 100644
--- a/policy/modules/contrib/drbd.fc
+++ b/policy/modules/contrib/drbd.fc
@@ -1,8 +1,5 @@
/etc/rc\.d/init\.d/drbd -- gen_context(system_u:object_r:drbd_initrc_exec_t,s0)
-/sbin/drbdadm -- gen_context(system_u:object_r:drbd_exec_t,s0)
-/sbin/drbdsetup -- gen_context(system_u:object_r:drbd_exec_t,s0)
-
/usr/lib/ocf/resource.\d/linbit/drbd -- gen_context(system_u:object_r:drbd_exec_t,s0)
/usr/sbin/drbdadm -- gen_context(system_u:object_r:drbd_exec_t,s0)
diff --git a/policy/modules/contrib/drbd.te b/policy/modules/contrib/drbd.te
index 0d8ed27..0d1e636 100644
--- a/policy/modules/contrib/drbd.te
+++ b/policy/modules/contrib/drbd.te
@@ -1,4 +1,4 @@
-policy_module(drbd, 1.2.0)
+policy_module(drbd, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/iscsi.fc b/policy/modules/contrib/iscsi.fc
index df23b9b..29c1e5c 100644
--- a/policy/modules/contrib/iscsi.fc
+++ b/policy/modules/contrib/iscsi.fc
@@ -1,9 +1,5 @@
/etc/rc\.d/init\.d/((iscsi)|(iscsid)) -- gen_context(system_u:object_r:iscsi_initrc_exec_t,s0)
-/sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0)
-/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
-/sbin/iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
-
/usr/sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0)
/usr/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
/usr/sbin/iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
diff --git a/policy/modules/contrib/iscsi.te b/policy/modules/contrib/iscsi.te
index 54f187c..8061f7e 100644
--- a/policy/modules/contrib/iscsi.te
+++ b/policy/modules/contrib/iscsi.te
@@ -1,4 +1,4 @@
-policy_module(iscsi, 1.11.0)
+policy_module(iscsi, 1.11.1)
########################################
#
diff --git a/policy/modules/contrib/kdump.fc b/policy/modules/contrib/kdump.fc
index d5ec077..94c0daa 100644
--- a/policy/modules/contrib/kdump.fc
+++ b/policy/modules/contrib/kdump.fc
@@ -2,14 +2,9 @@
/etc/rc\.d/init\.d/kdump -- gen_context(system_u:object_r:kdump_initrc_exec_t,s0)
-/bin/kdumpctl -- gen_context(system_u:object_r:kdumpctl_exec_t,s0)
-
/usr/bin/kdumpctl -- gen_context(system_u:object_r:kdumpctl_exec_t,s0)
/usr/lib/systemd/system/kdump.*\.service -- gen_context(system_u:object_r:kdump_unit_t,s0)
-/sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0)
-/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0)
-
/usr/sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0)
/usr/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0)
diff --git a/policy/modules/contrib/kdump.te b/policy/modules/contrib/kdump.te
index 1f63509..e758c15 100644
--- a/policy/modules/contrib/kdump.te
+++ b/policy/modules/contrib/kdump.te
@@ -1,4 +1,4 @@
-policy_module(kdump, 1.5.0)
+policy_module(kdump, 1.5.1)
#######################################
#
diff --git a/policy/modules/contrib/kudzu.fc b/policy/modules/contrib/kudzu.fc
index 0e98a01..a0030a7 100644
--- a/policy/modules/contrib/kudzu.fc
+++ b/policy/modules/contrib/kudzu.fc
@@ -1,8 +1,5 @@
/etc/rc\.d/init\.d/kudzu -- gen_context(system_u:object_r:kudzu_initrc_exec_t,s0)
-/sbin/kmodule -- gen_context(system_u:object_r:kudzu_exec_t,s0)
-/sbin/kudzu -- gen_context(system_u:object_r:kudzu_exec_t,s0)
-
/usr/sbin/kmodule -- gen_context(system_u:object_r:kudzu_exec_t,s0)
/usr/sbin/kudzu -- gen_context(system_u:object_r:kudzu_exec_t,s0)
diff --git a/policy/modules/contrib/kudzu.te b/policy/modules/contrib/kudzu.te
index a5f9182..4116d00 100644
--- a/policy/modules/contrib/kudzu.te
+++ b/policy/modules/contrib/kudzu.te
@@ -1,4 +1,4 @@
-policy_module(kudzu, 1.12.0)
+policy_module(kudzu, 1.12.1)
########################################
#
diff --git a/policy/modules/contrib/loadkeys.fc b/policy/modules/contrib/loadkeys.fc
index c6fe71b..38f91fe 100644
--- a/policy/modules/contrib/loadkeys.fc
+++ b/policy/modules/contrib/loadkeys.fc
@@ -1,5 +1,2 @@
-/bin/loadkeys -- gen_context(system_u:object_r:loadkeys_exec_t,s0)
-/bin/unikeys -- gen_context(system_u:object_r:loadkeys_exec_t,s0)
-
/usr/bin/loadkeys -- gen_context(system_u:object_r:loadkeys_exec_t,s0)
/usr/bin/unikeys -- gen_context(system_u:object_r:loadkeys_exec_t,s0)
diff --git a/policy/modules/contrib/loadkeys.te b/policy/modules/contrib/loadkeys.te
index ad97422..ca8e701 100644
--- a/policy/modules/contrib/loadkeys.te
+++ b/policy/modules/contrib/loadkeys.te
@@ -1,4 +1,4 @@
-policy_module(loadkeys, 1.11.0)
+policy_module(loadkeys, 1.11.1)
########################################
#
diff --git a/policy/modules/contrib/mta.fc b/policy/modules/contrib/mta.fc
index f42896c..2468134 100644
--- a/policy/modules/contrib/mta.fc
+++ b/policy/modules/contrib/mta.fc
@@ -5,8 +5,6 @@ HOME_DIR/\.mailrc -- gen_context(system_u:object_r:mail_home_t,s0)
HOME_DIR/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
HOME_DIR/\.maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
-/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-
/etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0)
/etc/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0)
/etc/mail(/.*)? gen_context(system_u:object_r:etc_mail_t,s0)
diff --git a/policy/modules/contrib/mta.te b/policy/modules/contrib/mta.te
index 51b3bbb..f0c4b92 100644
--- a/policy/modules/contrib/mta.te
+++ b/policy/modules/contrib/mta.te
@@ -1,4 +1,4 @@
-policy_module(mta, 2.8.0)
+policy_module(mta, 2.8.1)
########################################
#
diff --git a/policy/modules/contrib/networkmanager.fc b/policy/modules/contrib/networkmanager.fc
index 6c54e0e..d24e9f0 100644
--- a/policy/modules/contrib/networkmanager.fc
+++ b/policy/modules/contrib/networkmanager.fc
@@ -21,9 +21,6 @@
/usr/lib/systemd/system/[^/]*NetworkManager.* -- gen_context(system_u:object_r:NetworkManager_unit_t,s0)
/usr/lib/systemd/system/[^/]*wpa_supplicant.* -- gen_context(system_u:object_r:NetworkManager_unit_t,s0)
-/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
-/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
-
/usr/bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
/usr/bin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
/usr/bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index 3b66680..27b9265 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -1,4 +1,4 @@
-policy_module(networkmanager, 1.20.0)
+policy_module(networkmanager, 1.20.1)
########################################
#
diff --git a/policy/modules/contrib/nis.fc b/policy/modules/contrib/nis.fc
index a5c3ed9..2b86f44 100644
--- a/policy/modules/contrib/nis.fc
+++ b/policy/modules/contrib/nis.fc
@@ -5,8 +5,6 @@
/etc/ypserv\.conf -- gen_context(system_u:object_r:ypserv_conf_t,s0)
-/sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0)
-
/usr/lib/yp/ypxfr -- gen_context(system_u:object_r:ypxfr_exec_t,s0)
/usr/lib/systemd/system/ypbind.*\.service -- gen_context(system_u:object_r:ypbind_unit_t,s0)
diff --git a/policy/modules/contrib/nis.te b/policy/modules/contrib/nis.te
index 0fda4fa..c49ecb0 100644
--- a/policy/modules/contrib/nis.te
+++ b/policy/modules/contrib/nis.te
@@ -1,4 +1,4 @@
-policy_module(nis, 1.15.0)
+policy_module(nis, 1.15.1)
########################################
#
diff --git a/policy/modules/contrib/nut.fc b/policy/modules/contrib/nut.fc
index 54ab902..5fa41e6 100644
--- a/policy/modules/contrib/nut.fc
+++ b/policy/modules/contrib/nut.fc
@@ -4,10 +4,6 @@
/etc/rc\.d/init\.d/nut-driver -- gen_context(system_u:object_r:nut_initrc_exec_t,s0)
/etc/rc\.d/init\.d/nut-server -- gen_context(system_u:object_r:nut_initrc_exec_t,s0)
-/sbin/upsd -- gen_context(system_u:object_r:nut_upsd_exec_t,s0)
-/sbin/upsdrvctl -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
-/sbin/upsmon -- gen_context(system_u:object_r:nut_upsmon_exec_t,s0)
-
/usr/lib/cgi-bin/nut/upsimage\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
/usr/lib/cgi-bin/nut/upsset\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
/usr/lib/cgi-bin/nut/upsstats\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
diff --git a/policy/modules/contrib/nut.te b/policy/modules/contrib/nut.te
index 5471e63..8086281 100644
--- a/policy/modules/contrib/nut.te
+++ b/policy/modules/contrib/nut.te
@@ -1,4 +1,4 @@
-policy_module(nut, 1.6.0)
+policy_module(nut, 1.6.1)
########################################
#
diff --git a/policy/modules/contrib/oddjob.fc b/policy/modules/contrib/oddjob.fc
index 243a809..d20f5ea 100644
--- a/policy/modules/contrib/oddjob.fc
+++ b/policy/modules/contrib/oddjob.fc
@@ -1,5 +1,3 @@
-/sbin/mkhomedir_helper -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
-
/usr/lib/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
/usr/libexec/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
diff --git a/policy/modules/contrib/oddjob.te b/policy/modules/contrib/oddjob.te
index cf72de7..c01d4f6 100644
--- a/policy/modules/contrib/oddjob.te
+++ b/policy/modules/contrib/oddjob.te
@@ -1,4 +1,4 @@
-policy_module(oddjob, 1.11.0)
+policy_module(oddjob, 1.11.1)
########################################
#
diff --git a/policy/modules/contrib/pcmcia.fc b/policy/modules/contrib/pcmcia.fc
index e4538bc..b508069 100644
--- a/policy/modules/contrib/pcmcia.fc
+++ b/policy/modules/contrib/pcmcia.fc
@@ -1,8 +1,5 @@
/etc/apm/event\.d/pcmcia -- gen_context(system_u:object_r:cardmgr_exec_t,s0)
-/sbin/cardctl -- gen_context(system_u:object_r:cardctl_exec_t,s0)
-/sbin/cardmgr -- gen_context(system_u:object_r:cardmgr_exec_t,s0)
-
/usr/sbin/cardctl -- gen_context(system_u:object_r:cardctl_exec_t,s0)
/usr/sbin/cardmgr -- gen_context(system_u:object_r:cardmgr_exec_t,s0)
diff --git a/policy/modules/contrib/pcmcia.te b/policy/modules/contrib/pcmcia.te
index b845487..ceab576 100644
--- a/policy/modules/contrib/pcmcia.te
+++ b/policy/modules/contrib/pcmcia.te
@@ -1,4 +1,4 @@
-policy_module(pcmcia, 1.8.0)
+policy_module(pcmcia, 1.8.1)
########################################
#
diff --git a/policy/modules/contrib/plymouthd.fc b/policy/modules/contrib/plymouthd.fc
index 0f2fc4b..8eab91b 100644
--- a/policy/modules/contrib/plymouthd.fc
+++ b/policy/modules/contrib/plymouthd.fc
@@ -1,7 +1,3 @@
-/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t,s0)
-
-/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0)
-
/usr/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t,s0)
# Systemd unit file
diff --git a/policy/modules/contrib/plymouthd.te b/policy/modules/contrib/plymouthd.te
index 3e19efb..c9c0404 100644
--- a/policy/modules/contrib/plymouthd.te
+++ b/policy/modules/contrib/plymouthd.te
@@ -1,4 +1,4 @@
-policy_module(plymouthd, 1.4.0)
+policy_module(plymouthd, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/portmap.fc b/policy/modules/contrib/portmap.fc
index 9264840..d15c707 100644
--- a/policy/modules/contrib/portmap.fc
+++ b/policy/modules/contrib/portmap.fc
@@ -1,9 +1,5 @@
/etc/rc\.d/init\.d/portmap -- gen_context(system_u:object_r:portmap_initrc_exec_t,s0)
-/sbin/pmap_dump -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
-/sbin/pmap_set -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
-/sbin/portmap -- gen_context(system_u:object_r:portmap_exec_t,s0)
-
/usr/sbin/pmap_dump -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
/usr/sbin/pmap_set -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
/usr/sbin/portmap -- gen_context(system_u:object_r:portmap_exec_t,s0)
diff --git a/policy/modules/contrib/portmap.te b/policy/modules/contrib/portmap.te
index b5abc87..292b3aa 100644
--- a/policy/modules/contrib/portmap.te
+++ b/policy/modules/contrib/portmap.te
@@ -1,4 +1,4 @@
-policy_module(portmap, 1.13.0)
+policy_module(portmap, 1.13.1)
########################################
#
diff --git a/policy/modules/contrib/portreserve.fc b/policy/modules/contrib/portreserve.fc
index 0207d6c..de7da13 100644
--- a/policy/modules/contrib/portreserve.fc
+++ b/policy/modules/contrib/portreserve.fc
@@ -2,8 +2,6 @@
/etc/rc\.d/init\.d/portreserve -- gen_context(system_u:object_r:portreserve_initrc_exec_t,s0)
-/sbin/portreserve -- gen_context(system_u:object_r:portreserve_exec_t,s0)
-
/usr/sbin/portreserve -- gen_context(system_u:object_r:portreserve_exec_t,s0)
/run/portreserve(/.*)? gen_context(system_u:object_r:portreserve_var_run_t,s0)
diff --git a/policy/modules/contrib/portreserve.te b/policy/modules/contrib/portreserve.te
index 4aa79a4..7e05b61 100644
--- a/policy/modules/contrib/portreserve.te
+++ b/policy/modules/contrib/portreserve.te
@@ -1,4 +1,4 @@
-policy_module(portreserve, 1.6.0)
+policy_module(portreserve, 1.6.1)
########################################
#
diff --git a/policy/modules/contrib/ppp.fc b/policy/modules/contrib/ppp.fc
index 0b03de1..d31591a 100644
--- a/policy/modules/contrib/ppp.fc
+++ b/policy/modules/contrib/ppp.fc
@@ -9,9 +9,6 @@ HOME_DIR/\.ppprc -- gen_context(system_u:object_r:ppp_home_t,s0)
/etc/ppp/resolv\.conf -- gen_context(system_u:object_r:pppd_etc_rw_t,s0)
/etc/ppp/(auth|ip(v6|x)?)-(up|down) -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0)
-/sbin/ppp-watch -- gen_context(system_u:object_r:pppd_exec_t,s0)
-/sbin/pppoe-server -- gen_context(system_u:object_r:pppd_exec_t,s0)
-
/usr/lib/systemd/system/ppp.*\.service -- gen_context(system_u:object_r:pppd_unit_t,s0)
/usr/sbin/ipppd -- gen_context(system_u:object_r:pppd_exec_t,s0)
diff --git a/policy/modules/contrib/ppp.te b/policy/modules/contrib/ppp.te
index ba85666..2771882 100644
--- a/policy/modules/contrib/ppp.te
+++ b/policy/modules/contrib/ppp.te
@@ -1,4 +1,4 @@
-policy_module(ppp, 1.17.0)
+policy_module(ppp, 1.17.1)
########################################
#
diff --git a/policy/modules/contrib/prelude.fc b/policy/modules/contrib/prelude.fc
index fd4ccde..75df3cf 100644
--- a/policy/modules/contrib/prelude.fc
+++ b/policy/modules/contrib/prelude.fc
@@ -4,8 +4,6 @@
/etc/rc\.d/init\.d/prelude-lml -- gen_context(system_u:object_r:prelude_initrc_exec_t,s0)
/etc/rc\.d/init\.d/prelude-manager -- gen_context(system_u:object_r:prelude_initrc_exec_t,s0)
-/sbin/audisp-prelude -- gen_context(system_u:object_r:prelude_audisp_exec_t,s0)
-
/usr/bin/prelude-correlator -- gen_context(system_u:object_r:prelude_correlator_exec_t,s0)
/usr/bin/prelude-lml -- gen_context(system_u:object_r:prelude_lml_exec_t,s0)
/usr/bin/prelude-manager -- gen_context(system_u:object_r:prelude_exec_t,s0)
diff --git a/policy/modules/contrib/prelude.te b/policy/modules/contrib/prelude.te
index d3aa038..4f14f0b 100644
--- a/policy/modules/contrib/prelude.te
+++ b/policy/modules/contrib/prelude.te
@@ -1,4 +1,4 @@
-policy_module(prelude, 1.7.0)
+policy_module(prelude, 1.7.1)
########################################
#
diff --git a/policy/modules/contrib/quota.fc b/policy/modules/contrib/quota.fc
index a609318..c3d05ba 100644
--- a/policy/modules/contrib/quota.fc
+++ b/policy/modules/contrib/quota.fc
@@ -10,9 +10,6 @@ HOME_DIR/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
/etc/rc\.d/init\.d/quota_nld -- gen_context(system_u:object_r:quota_nld_initrc_exec_t,s0)
-/sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0)
-/sbin/quota(check|on) -- gen_context(system_u:object_r:quota_exec_t,s0)
-
/usr/sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0)
/usr/sbin/quota(check|on) -- gen_context(system_u:object_r:quota_exec_t,s0)
/usr/sbin/quota_nld -- gen_context(system_u:object_r:quota_nld_exec_t,s0)
diff --git a/policy/modules/contrib/quota.te b/policy/modules/contrib/quota.te
index 95262d4..9952f53 100644
--- a/policy/modules/contrib/quota.te
+++ b/policy/modules/contrib/quota.te
@@ -1,4 +1,4 @@
-policy_module(quota, 1.9.0)
+policy_module(quota, 1.9.1)
########################################
#
diff --git a/policy/modules/contrib/raid.fc b/policy/modules/contrib/raid.fc
index dc17e79..dc26d8d 100644
--- a/policy/modules/contrib/raid.fc
+++ b/policy/modules/contrib/raid.fc
@@ -3,14 +3,6 @@
/etc/rc\.d/init\.d/mdmonitor -- gen_context(system_u:object_r:mdadm_initrc_exec_t,s0)
-/sbin/iprdump -- gen_context(system_u:object_r:mdadm_exec_t,s0)
-/sbin/iprinit -- gen_context(system_u:object_r:mdadm_exec_t,s0)
-/sbin/iprupdate -- gen_context(system_u:object_r:mdadm_exec_t,s0)
-/sbin/mdadm -- gen_context(system_u:object_r:mdadm_exec_t,s0)
-/sbin/mdmon -- gen_context(system_u:object_r:mdadm_exec_t,s0)
-/sbin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0)
-/sbin/raid-check -- gen_context(system_u:object_r:mdadm_exec_t,s0)
-
# Systemd unit files
/usr/lib/systemd/system/[^/]*mdadm-.* -- gen_context(system_u:object_r:mdadm_unit_t,s0)
/usr/lib/systemd/system/[^/]*mdmon.* -- gen_context(system_u:object_r:mdadm_unit_t,s0)
diff --git a/policy/modules/contrib/raid.te b/policy/modules/contrib/raid.te
index 172bae9..ad21e09 100644
--- a/policy/modules/contrib/raid.te
+++ b/policy/modules/contrib/raid.te
@@ -1,4 +1,4 @@
-policy_module(raid, 1.17.0)
+policy_module(raid, 1.17.1)
########################################
#
diff --git a/policy/modules/contrib/rdisc.fc b/policy/modules/contrib/rdisc.fc
index e9765c0..168de32 100644
--- a/policy/modules/contrib/rdisc.fc
+++ b/policy/modules/contrib/rdisc.fc
@@ -1,3 +1 @@
-/sbin/rdisc -- gen_context(system_u:object_r:rdisc_exec_t,s0)
-
/usr/sbin/rdisc -- gen_context(system_u:object_r:rdisc_exec_t,s0)
diff --git a/policy/modules/contrib/rdisc.te b/policy/modules/contrib/rdisc.te
index 9196c1d..ea6d2d9 100644
--- a/policy/modules/contrib/rdisc.te
+++ b/policy/modules/contrib/rdisc.te
@@ -1,4 +1,4 @@
-policy_module(rdisc, 1.8.0)
+policy_module(rdisc, 1.8.1)
########################################
#
diff --git a/policy/modules/contrib/readahead.fc b/policy/modules/contrib/readahead.fc
index 9519bd8..5932e20 100644
--- a/policy/modules/contrib/readahead.fc
+++ b/policy/modules/contrib/readahead.fc
@@ -1,5 +1,3 @@
-/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
-
/usr/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
/var/lib/readahead(/.*)? gen_context(system_u:object_r:readahead_var_lib_t,s0)
diff --git a/policy/modules/contrib/readahead.te b/policy/modules/contrib/readahead.te
index 9b2d53f..080c0ad 100644
--- a/policy/modules/contrib/readahead.te
+++ b/policy/modules/contrib/readahead.te
@@ -1,4 +1,4 @@
-policy_module(readahead, 1.15.0)
+policy_module(readahead, 1.15.1)
########################################
#
diff --git a/policy/modules/contrib/resmgr.fc b/policy/modules/contrib/resmgr.fc
index 9dec87b..138f76e 100644
--- a/policy/modules/contrib/resmgr.fc
+++ b/policy/modules/contrib/resmgr.fc
@@ -2,8 +2,6 @@
/etc/rc\.d/init\.d/resmgr -- gen_context(system_u:object_r:resmgrd_initrc_exec_t,s0)
-/sbin/resmgrd -- gen_context(system_u:object_r:resmgrd_exec_t,s0)
-
/usr/sbin/resmgrd -- gen_context(system_u:object_r:resmgrd_exec_t,s0)
/run/\.resmgr_socket -s gen_context(system_u:object_r:resmgrd_var_run_t,s0)
diff --git a/policy/modules/contrib/resmgr.te b/policy/modules/contrib/resmgr.te
index db7eca5..25e4067 100644
--- a/policy/modules/contrib/resmgr.te
+++ b/policy/modules/contrib/resmgr.te
@@ -1,4 +1,4 @@
-policy_module(resmgr, 1.5.0)
+policy_module(resmgr, 1.5.1)
########################################
#
diff --git a/policy/modules/contrib/rpc.fc b/policy/modules/contrib/rpc.fc
index 17ad35a..9d6d524 100644
--- a/policy/modules/contrib/rpc.fc
+++ b/policy/modules/contrib/rpc.fc
@@ -4,9 +4,6 @@
/etc/rc\.d/init\.d/nfslock -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
/etc/rc\.d/init\.d/rpcidmapd -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
-/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0)
-/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0)
-
/usr/lib/systemd/system/nfs.*\.service -- gen_context(system_u:object_r:nfsd_unit_t,s0)
/usr/lib/systemd/system/rpc.*\.service -- gen_context(system_u:object_r:rpcd_unit_t,s0)
diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
index 2e47156..cf1f775 100644
--- a/policy/modules/contrib/rpc.te
+++ b/policy/modules/contrib/rpc.te
@@ -1,4 +1,4 @@
-policy_module(rpc, 1.19.0)
+policy_module(rpc, 1.19.1)
########################################
#
diff --git a/policy/modules/contrib/rpcbind.fc b/policy/modules/contrib/rpcbind.fc
index b4bb017..35f6ae4 100644
--- a/policy/modules/contrib/rpcbind.fc
+++ b/policy/modules/contrib/rpcbind.fc
@@ -1,7 +1,5 @@
/etc/rc\.d/init\.d/rpcbind -- gen_context(system_u:object_r:rpcbind_initrc_exec_t,s0)
-/sbin/rpcbind -- gen_context(system_u:object_r:rpcbind_exec_t,s0)
-
/usr/sbin/rpcbind -- gen_context(system_u:object_r:rpcbind_exec_t,s0)
/var/cache/rpcbind(/.*)? gen_context(system_u:object_r:rpcbind_var_lib_t,s0)
diff --git a/policy/modules/contrib/rpcbind.te b/policy/modules/contrib/rpcbind.te
index e3a4cc0..8e75226 100644
--- a/policy/modules/contrib/rpcbind.te
+++ b/policy/modules/contrib/rpcbind.te
@@ -1,4 +1,4 @@
-policy_module(rpcbind, 1.11.0)
+policy_module(rpcbind, 1.11.1)
########################################
#
diff --git a/policy/modules/contrib/rpm.fc b/policy/modules/contrib/rpm.fc
index e4c2850..71c90c7 100644
--- a/policy/modules/contrib/rpm.fc
+++ b/policy/modules/contrib/rpm.fc
@@ -1,9 +1,5 @@
-/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0)
-
/etc/rc\.d/init\.d/bcfg2 -- gen_context(system_u:object_r:rpm_initrc_exec_t,s0)
-/sbin/yast2 -- gen_context(system_u:object_r:rpm_exec_t,s0)
-
/usr/bin/debuginfo-install -- gen_context(system_u:object_r:debuginfo_exec_t,s0)
/usr/bin/fedora-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0)
diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te
index 2a709ce..6ab5fd9 100644
--- a/policy/modules/contrib/rpm.te
+++ b/policy/modules/contrib/rpm.te
@@ -1,4 +1,4 @@
-policy_module(rpm, 1.19.0)
+policy_module(rpm, 1.19.1)
########################################
#
diff --git a/policy/modules/contrib/shorewall.fc b/policy/modules/contrib/shorewall.fc
index 3349532..e92567a 100644
--- a/policy/modules/contrib/shorewall.fc
+++ b/policy/modules/contrib/shorewall.fc
@@ -3,9 +3,6 @@
/etc/shorewall(/.*)? gen_context(system_u:object_r:shorewall_etc_t,s0)
/etc/shorewall-lite(/.*)? gen_context(system_u:object_r:shorewall_etc_t,s0)
-/sbin/shorewall6? -- gen_context(system_u:object_r:shorewall_exec_t,s0)
-/sbin/shorewall-lite -- gen_context(system_u:object_r:shorewall_exec_t,s0)
-
/usr/sbin/shorewall6? -- gen_context(system_u:object_r:shorewall_exec_t,s0)
/usr/sbin/shorewall-lite -- gen_context(system_u:object_r:shorewall_exec_t,s0)
diff --git a/policy/modules/contrib/shorewall.te b/policy/modules/contrib/shorewall.te
index 29661de..e2e6c30 100644
--- a/policy/modules/contrib/shorewall.te
+++ b/policy/modules/contrib/shorewall.te
@@ -1,4 +1,4 @@
-policy_module(shorewall, 1.6.0)
+policy_module(shorewall, 1.6.1)
########################################
#
diff --git a/policy/modules/contrib/shutdown.fc b/policy/modules/contrib/shutdown.fc
index 199c689..e6730a0 100644
--- a/policy/modules/contrib/shutdown.fc
+++ b/policy/modules/contrib/shutdown.fc
@@ -1,9 +1,5 @@
/etc/nologin -- gen_context(system_u:object_r:shutdown_etc_t,s0)
-/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
-
-/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
-
/usr/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
/usr/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
diff --git a/policy/modules/contrib/shutdown.te b/policy/modules/contrib/shutdown.te
index e10149f..6a0b126 100644
--- a/policy/modules/contrib/shutdown.te
+++ b/policy/modules/contrib/shutdown.te
@@ -1,4 +1,4 @@
-policy_module(shutdown, 1.4.0)
+policy_module(shutdown, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/usbmodules.fc b/policy/modules/contrib/usbmodules.fc
index 02d7253..66604b5 100644
--- a/policy/modules/contrib/usbmodules.fc
+++ b/policy/modules/contrib/usbmodules.fc
@@ -1,3 +1 @@
-/sbin/usbmodules -- gen_context(system_u:object_r:usbmodules_exec_t,s0)
-
/usr/sbin/usbmodules -- gen_context(system_u:object_r:usbmodules_exec_t,s0)
diff --git a/policy/modules/contrib/usbmodules.te b/policy/modules/contrib/usbmodules.te
index 279e511..d4307b9 100644
--- a/policy/modules/contrib/usbmodules.te
+++ b/policy/modules/contrib/usbmodules.te
@@ -1,4 +1,4 @@
-policy_module(usbmodules, 1.3.0)
+policy_module(usbmodules, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/vpn.fc b/policy/modules/contrib/vpn.fc
index 02701c3..1cd43c6 100644
--- a/policy/modules/contrib/vpn.fc
+++ b/policy/modules/contrib/vpn.fc
@@ -1,5 +1,3 @@
-/sbin/vpnc -- gen_context(system_u:object_r:vpnc_exec_t,s0)
-
/usr/bin/openconnect -- gen_context(system_u:object_r:vpnc_exec_t,s0)
/usr/sbin/vpnc -- gen_context(system_u:object_r:vpnc_exec_t,s0)
diff --git a/policy/modules/contrib/vpn.te b/policy/modules/contrib/vpn.te
index e11d751..85353fa 100644
--- a/policy/modules/contrib/vpn.te
+++ b/policy/modules/contrib/vpn.te
@@ -1,4 +1,4 @@
-policy_module(vpn, 1.17.0)
+policy_module(vpn, 1.17.1)
########################################
#
diff --git a/policy/modules/contrib/zosremote.fc b/policy/modules/contrib/zosremote.fc
index 7a7fc61..adfd4a2 100644
--- a/policy/modules/contrib/zosremote.fc
+++ b/policy/modules/contrib/zosremote.fc
@@ -1,3 +1 @@
-/sbin/audispd-zos-remote -- gen_context(system_u:object_r:zos_remote_exec_t,s0)
-
/usr/sbin/audispd-zos-remote -- gen_context(system_u:object_r:zos_remote_exec_t,s0)
diff --git a/policy/modules/contrib/zosremote.te b/policy/modules/contrib/zosremote.te
index bc6a5db..7139cde 100644
--- a/policy/modules/contrib/zosremote.te
+++ b/policy/modules/contrib/zosremote.te
@@ -1,4 +1,4 @@
-policy_module(zosremote, 1.2.0)
+policy_module(zosremote, 1.2.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2017-02-05 15:13 [gentoo-commits] proj/hardened-refpolicy:usrmerge " Jason Zaman
@ 2017-02-16 11:34 ` Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-02-16 11:34 UTC (permalink / raw
To: gentoo-commits
commit: 110875d7272058d72af8735e08ebbd4704c48d99
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Feb 4 20:18:43 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Feb 5 15:10:30 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=110875d7
Create / to /usr equivalence for bin, sbin, and lib, from Russell Coker.
policy/modules/contrib/acct.fc | 2 --
policy/modules/contrib/acct.te | 2 +-
policy/modules/contrib/alsa.fc | 5 -----
policy/modules/contrib/alsa.te | 2 +-
policy/modules/contrib/apcupsd.fc | 2 --
policy/modules/contrib/apcupsd.te | 2 +-
policy/modules/contrib/cachefilesd.fc | 2 --
policy/modules/contrib/cachefilesd.te | 2 +-
policy/modules/contrib/ccs.fc | 2 --
policy/modules/contrib/ccs.te | 2 +-
policy/modules/contrib/cgroup.fc | 4 ----
policy/modules/contrib/cgroup.te | 2 +-
policy/modules/contrib/cpucontrol.fc | 4 ----
policy/modules/contrib/cpucontrol.te | 2 +-
policy/modules/contrib/cups.fc | 2 --
policy/modules/contrib/cups.te | 2 +-
policy/modules/contrib/dbus.fc | 4 ----
policy/modules/contrib/dbus.te | 2 +-
policy/modules/contrib/devicekit.fc | 3 ---
policy/modules/contrib/devicekit.te | 2 +-
policy/modules/contrib/drbd.fc | 3 ---
policy/modules/contrib/drbd.te | 2 +-
policy/modules/contrib/iscsi.fc | 4 ----
policy/modules/contrib/iscsi.te | 2 +-
policy/modules/contrib/kdump.fc | 5 -----
policy/modules/contrib/kdump.te | 2 +-
policy/modules/contrib/kudzu.fc | 3 ---
policy/modules/contrib/kudzu.te | 2 +-
policy/modules/contrib/loadkeys.fc | 3 ---
policy/modules/contrib/loadkeys.te | 2 +-
policy/modules/contrib/mta.fc | 2 --
policy/modules/contrib/mta.te | 2 +-
policy/modules/contrib/networkmanager.fc | 3 ---
policy/modules/contrib/networkmanager.te | 2 +-
policy/modules/contrib/nis.fc | 2 --
policy/modules/contrib/nis.te | 2 +-
policy/modules/contrib/nut.fc | 4 ----
policy/modules/contrib/nut.te | 2 +-
policy/modules/contrib/oddjob.fc | 2 --
policy/modules/contrib/oddjob.te | 2 +-
policy/modules/contrib/pcmcia.fc | 3 ---
policy/modules/contrib/pcmcia.te | 2 +-
policy/modules/contrib/plymouthd.fc | 4 ----
policy/modules/contrib/plymouthd.te | 2 +-
policy/modules/contrib/portmap.fc | 4 ----
policy/modules/contrib/portmap.te | 2 +-
policy/modules/contrib/portreserve.fc | 2 --
policy/modules/contrib/portreserve.te | 2 +-
policy/modules/contrib/ppp.fc | 3 ---
policy/modules/contrib/ppp.te | 2 +-
policy/modules/contrib/prelude.fc | 2 --
policy/modules/contrib/prelude.te | 2 +-
policy/modules/contrib/quota.fc | 3 ---
policy/modules/contrib/quota.te | 2 +-
policy/modules/contrib/raid.fc | 8 --------
policy/modules/contrib/raid.te | 2 +-
policy/modules/contrib/rdisc.fc | 2 --
policy/modules/contrib/rdisc.te | 2 +-
policy/modules/contrib/readahead.fc | 2 --
policy/modules/contrib/readahead.te | 2 +-
policy/modules/contrib/resmgr.fc | 2 --
policy/modules/contrib/resmgr.te | 2 +-
policy/modules/contrib/rpc.fc | 3 ---
policy/modules/contrib/rpc.te | 2 +-
policy/modules/contrib/rpcbind.fc | 2 --
policy/modules/contrib/rpcbind.te | 2 +-
policy/modules/contrib/rpm.fc | 4 ----
policy/modules/contrib/rpm.te | 2 +-
policy/modules/contrib/shorewall.fc | 3 ---
policy/modules/contrib/shorewall.te | 2 +-
policy/modules/contrib/shutdown.fc | 4 ----
policy/modules/contrib/shutdown.te | 2 +-
policy/modules/contrib/usbmodules.fc | 2 --
policy/modules/contrib/usbmodules.te | 2 +-
policy/modules/contrib/vpn.fc | 2 --
policy/modules/contrib/vpn.te | 2 +-
policy/modules/contrib/zosremote.fc | 2 --
policy/modules/contrib/zosremote.te | 2 +-
78 files changed, 39 insertions(+), 157 deletions(-)
diff --git a/policy/modules/contrib/acct.fc b/policy/modules/contrib/acct.fc
index c6d17a2f..8a4f7efd 100644
--- a/policy/modules/contrib/acct.fc
+++ b/policy/modules/contrib/acct.fc
@@ -2,8 +2,6 @@
/etc/rc\.d/init\.d/psacct -- gen_context(system_u:object_r:acct_initrc_exec_t,s0)
-/sbin/accton -- gen_context(system_u:object_r:acct_exec_t,s0)
-
/usr/sbin/accton -- gen_context(system_u:object_r:acct_exec_t,s0)
/var/account(/.*)? gen_context(system_u:object_r:acct_data_t,s0)
diff --git a/policy/modules/contrib/acct.te b/policy/modules/contrib/acct.te
index 6f6fd13e..aca9d80b 100644
--- a/policy/modules/contrib/acct.te
+++ b/policy/modules/contrib/acct.te
@@ -1,4 +1,4 @@
-policy_module(acct, 1.7.0)
+policy_module(acct, 1.7.1)
########################################
#
diff --git a/policy/modules/contrib/alsa.fc b/policy/modules/contrib/alsa.fc
index 112fc62d..f26e2392 100644
--- a/policy/modules/contrib/alsa.fc
+++ b/policy/modules/contrib/alsa.fc
@@ -4,14 +4,9 @@ ifdef(`distro_debian',`
/\.config(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0)
')
-/bin/alsaunmute -- gen_context(system_u:object_r:alsa_exec_t,s0)
-
/etc/alsa(/.*)? gen_context(system_u:object_r:alsa_etc_t,s0)
/etc/asound\.conf gen_context(system_u:object_r:alsa_etc_t,s0)
-/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0)
-/sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0)
-
# Systemd unit files
/usr/lib/systemd/system/[^/]*alsa-restore.* -- gen_context(system_u:object_r:alsa_unit_t,s0)
/usr/lib/systemd/system/[^/]*alsa-state.* -- gen_context(system_u:object_r:alsa_unit_t,s0)
diff --git a/policy/modules/contrib/alsa.te b/policy/modules/contrib/alsa.te
index f7faa4bb..19046676 100644
--- a/policy/modules/contrib/alsa.te
+++ b/policy/modules/contrib/alsa.te
@@ -1,4 +1,4 @@
-policy_module(alsa, 1.16.0)
+policy_module(alsa, 1.16.1)
########################################
#
diff --git a/policy/modules/contrib/apcupsd.fc b/policy/modules/contrib/apcupsd.fc
index 375989c9..c9a7900c 100644
--- a/policy/modules/contrib/apcupsd.fc
+++ b/policy/modules/contrib/apcupsd.fc
@@ -1,7 +1,5 @@
/etc/rc\.d/init\.d/apcupsd -- gen_context(system_u:object_r:apcupsd_initrc_exec_t,s0)
-/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
-
/usr/lib/systemd/system/apcupsd.*\.service -- gen_context(system_u:object_r:apcupsd_unit_t,s0)
/usr/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
diff --git a/policy/modules/contrib/apcupsd.te b/policy/modules/contrib/apcupsd.te
index 0277a904..e1586b36 100644
--- a/policy/modules/contrib/apcupsd.te
+++ b/policy/modules/contrib/apcupsd.te
@@ -1,4 +1,4 @@
-policy_module(apcupsd, 1.12.0)
+policy_module(apcupsd, 1.12.1)
########################################
#
diff --git a/policy/modules/contrib/cachefilesd.fc b/policy/modules/contrib/cachefilesd.fc
index 7ee707df..1ddbe60d 100644
--- a/policy/modules/contrib/cachefilesd.fc
+++ b/policy/modules/contrib/cachefilesd.fc
@@ -1,7 +1,5 @@
/etc/rc\.d/init\.d/cachefilesd -- gen_context(system_u:object_r:cachefilesd_initrc_exec_t,s0)
-/sbin/cachefilesd -- gen_context(system_u:object_r:cachefilesd_exec_t,s0)
-
/usr/sbin/cachefilesd -- gen_context(system_u:object_r:cachefilesd_exec_t,s0)
/var/cache/fscache(/.*)? gen_context(system_u:object_r:cachefilesd_cache_t,s0)
diff --git a/policy/modules/contrib/cachefilesd.te b/policy/modules/contrib/cachefilesd.te
index c8cf94c6..14fcf67c 100644
--- a/policy/modules/contrib/cachefilesd.te
+++ b/policy/modules/contrib/cachefilesd.te
@@ -1,4 +1,4 @@
-policy_module(cachefilesd, 1.3.0)
+policy_module(cachefilesd, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/ccs.fc b/policy/modules/contrib/ccs.fc
index 86c73a7d..4bf5e8f3 100644
--- a/policy/modules/contrib/ccs.fc
+++ b/policy/modules/contrib/ccs.fc
@@ -2,8 +2,6 @@
/etc/rc\.d/init\.d/((ccs)|(ccsd)) -- gen_context(system_u:object_r:ccs_initrc_exec_t,s0)
-/sbin/ccsd -- gen_context(system_u:object_r:ccs_exec_t,s0)
-
/usr/sbin/ccsd -- gen_context(system_u:object_r:ccs_exec_t,s0)
/var/lib/cluster/((ccs)|(ccsd)).* gen_context(system_u:object_r:ccs_var_lib_t,s0)
diff --git a/policy/modules/contrib/ccs.te b/policy/modules/contrib/ccs.te
index 9bf4039e..eacec0bf 100644
--- a/policy/modules/contrib/ccs.te
+++ b/policy/modules/contrib/ccs.te
@@ -1,4 +1,4 @@
-policy_module(ccs, 1.10.0)
+policy_module(ccs, 1.10.1)
########################################
#
diff --git a/policy/modules/contrib/cgroup.fc b/policy/modules/contrib/cgroup.fc
index a77ead69..cfe6b48c 100644
--- a/policy/modules/contrib/cgroup.fc
+++ b/policy/modules/contrib/cgroup.fc
@@ -7,10 +7,6 @@
/etc/rc\.d/init\.d/cgconfig -- gen_context(system_u:object_r:cgconfig_initrc_exec_t,s0)
/etc/rc\.d/init\.d/cgred -- gen_context(system_u:object_r:cgred_initrc_exec_t,s0)
-/sbin/cgconfigparser -- gen_context(system_u:object_r:cgconfig_exec_t,s0)
-/sbin/cgrulesengd -- gen_context(system_u:object_r:cgred_exec_t,s0)
-/sbin/cgclear -- gen_context(system_u:object_r:cgclear_exec_t,s0)
-
/usr/sbin/cgconfigparser -- gen_context(system_u:object_r:cgconfig_exec_t,s0)
/usr/sbin/cgrulesengd -- gen_context(system_u:object_r:cgred_exec_t,s0)
/usr/sbin/cgclear -- gen_context(system_u:object_r:cgclear_exec_t,s0)
diff --git a/policy/modules/contrib/cgroup.te b/policy/modules/contrib/cgroup.te
index b9a20ff1..5d600a9f 100644
--- a/policy/modules/contrib/cgroup.te
+++ b/policy/modules/contrib/cgroup.te
@@ -1,4 +1,4 @@
-policy_module(cgroup, 1.5.0)
+policy_module(cgroup, 1.5.1)
########################################
#
diff --git a/policy/modules/contrib/cpucontrol.fc b/policy/modules/contrib/cpucontrol.fc
index aa4b21bf..06f5d0f9 100644
--- a/policy/modules/contrib/cpucontrol.fc
+++ b/policy/modules/contrib/cpucontrol.fc
@@ -1,7 +1,3 @@
-/lib/firmware/microcode.*\.dat -- gen_context(system_u:object_r:cpucontrol_conf_t,s0)
-
-/sbin/microcode_ctl -- gen_context(system_u:object_r:cpucontrol_exec_t,s0)
-
/usr/lib/firmware/microcode.*\.dat -- gen_context(system_u:object_r:cpucontrol_conf_t,s0)
/usr/sbin/cpufreqd -- gen_context(system_u:object_r:cpuspeed_exec_t,s0)
diff --git a/policy/modules/contrib/cpucontrol.te b/policy/modules/contrib/cpucontrol.te
index 5b7c3202..cff0e16c 100644
--- a/policy/modules/contrib/cpucontrol.te
+++ b/policy/modules/contrib/cpucontrol.te
@@ -1,4 +1,4 @@
-policy_module(cpucontrol, 1.6.0)
+policy_module(cpucontrol, 1.6.1)
########################################
#
diff --git a/policy/modules/contrib/cups.fc b/policy/modules/contrib/cups.fc
index 5ccf2cb8..72afd973 100644
--- a/policy/modules/contrib/cups.fc
+++ b/policy/modules/contrib/cups.fc
@@ -18,8 +18,6 @@
/etc/printcap.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-
/opt/brother/Printers(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/opt/gutenprint/ppds(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te
index f5bf055d..14a4cfd7 100644
--- a/policy/modules/contrib/cups.te
+++ b/policy/modules/contrib/cups.te
@@ -1,4 +1,4 @@
-policy_module(cups, 1.21.0)
+policy_module(cups, 1.21.1)
########################################
#
diff --git a/policy/modules/contrib/dbus.fc b/policy/modules/contrib/dbus.fc
index c96d02a3..c7baa6ba 100644
--- a/policy/modules/contrib/dbus.fc
+++ b/policy/modules/contrib/dbus.fc
@@ -2,10 +2,6 @@ HOME_DIR/\.dbus(/.*)? gen_context(system_u:object_r:session_dbusd_home_t,s0)
/etc/dbus-.*(/.*)? gen_context(system_u:object_r:dbusd_etc_t,s0)
-/bin/dbus-daemon -- gen_context(system_u:object_r:dbusd_exec_t,s0)
-
-/lib/dbus-.*/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
-
/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0)
/usr/lib/dbus-.*/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index 996fc683..42c7d4fe 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -1,4 +1,4 @@
-policy_module(dbus, 1.22.0)
+policy_module(dbus, 1.22.1)
gen_require(`
class dbus all_dbus_perms;
diff --git a/policy/modules/contrib/devicekit.fc b/policy/modules/contrib/devicekit.fc
index 8161451d..2b6d443c 100644
--- a/policy/modules/contrib/devicekit.fc
+++ b/policy/modules/contrib/devicekit.fc
@@ -1,6 +1,3 @@
-/lib/udev/udisks-part-id -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
-/lib/udisks2/udisksd -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
-
/usr/lib/udev/udisks-part-id -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
/usr/lib/udisks2/udisksd -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
/usr/lib/udisks/udisks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
diff --git a/policy/modules/contrib/devicekit.te b/policy/modules/contrib/devicekit.te
index 229c6b2d..a5926c4a 100644
--- a/policy/modules/contrib/devicekit.te
+++ b/policy/modules/contrib/devicekit.te
@@ -1,4 +1,4 @@
-policy_module(devicekit, 1.6.0)
+policy_module(devicekit, 1.6.1)
########################################
#
diff --git a/policy/modules/contrib/drbd.fc b/policy/modules/contrib/drbd.fc
index 671a3fb6..d5d54f78 100644
--- a/policy/modules/contrib/drbd.fc
+++ b/policy/modules/contrib/drbd.fc
@@ -1,8 +1,5 @@
/etc/rc\.d/init\.d/drbd -- gen_context(system_u:object_r:drbd_initrc_exec_t,s0)
-/sbin/drbdadm -- gen_context(system_u:object_r:drbd_exec_t,s0)
-/sbin/drbdsetup -- gen_context(system_u:object_r:drbd_exec_t,s0)
-
/usr/lib/ocf/resource.\d/linbit/drbd -- gen_context(system_u:object_r:drbd_exec_t,s0)
/usr/sbin/drbdadm -- gen_context(system_u:object_r:drbd_exec_t,s0)
diff --git a/policy/modules/contrib/drbd.te b/policy/modules/contrib/drbd.te
index 0d8ed272..0d1e6366 100644
--- a/policy/modules/contrib/drbd.te
+++ b/policy/modules/contrib/drbd.te
@@ -1,4 +1,4 @@
-policy_module(drbd, 1.2.0)
+policy_module(drbd, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/iscsi.fc b/policy/modules/contrib/iscsi.fc
index df23b9ba..29c1e5cd 100644
--- a/policy/modules/contrib/iscsi.fc
+++ b/policy/modules/contrib/iscsi.fc
@@ -1,9 +1,5 @@
/etc/rc\.d/init\.d/((iscsi)|(iscsid)) -- gen_context(system_u:object_r:iscsi_initrc_exec_t,s0)
-/sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0)
-/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
-/sbin/iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
-
/usr/sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0)
/usr/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
/usr/sbin/iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
diff --git a/policy/modules/contrib/iscsi.te b/policy/modules/contrib/iscsi.te
index 54f187cd..8061f7ea 100644
--- a/policy/modules/contrib/iscsi.te
+++ b/policy/modules/contrib/iscsi.te
@@ -1,4 +1,4 @@
-policy_module(iscsi, 1.11.0)
+policy_module(iscsi, 1.11.1)
########################################
#
diff --git a/policy/modules/contrib/kdump.fc b/policy/modules/contrib/kdump.fc
index d5ec0772..94c0daa2 100644
--- a/policy/modules/contrib/kdump.fc
+++ b/policy/modules/contrib/kdump.fc
@@ -2,14 +2,9 @@
/etc/rc\.d/init\.d/kdump -- gen_context(system_u:object_r:kdump_initrc_exec_t,s0)
-/bin/kdumpctl -- gen_context(system_u:object_r:kdumpctl_exec_t,s0)
-
/usr/bin/kdumpctl -- gen_context(system_u:object_r:kdumpctl_exec_t,s0)
/usr/lib/systemd/system/kdump.*\.service -- gen_context(system_u:object_r:kdump_unit_t,s0)
-/sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0)
-/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0)
-
/usr/sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0)
/usr/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0)
diff --git a/policy/modules/contrib/kdump.te b/policy/modules/contrib/kdump.te
index 1f635092..e758c15f 100644
--- a/policy/modules/contrib/kdump.te
+++ b/policy/modules/contrib/kdump.te
@@ -1,4 +1,4 @@
-policy_module(kdump, 1.5.0)
+policy_module(kdump, 1.5.1)
#######################################
#
diff --git a/policy/modules/contrib/kudzu.fc b/policy/modules/contrib/kudzu.fc
index 0e98a015..a0030a74 100644
--- a/policy/modules/contrib/kudzu.fc
+++ b/policy/modules/contrib/kudzu.fc
@@ -1,8 +1,5 @@
/etc/rc\.d/init\.d/kudzu -- gen_context(system_u:object_r:kudzu_initrc_exec_t,s0)
-/sbin/kmodule -- gen_context(system_u:object_r:kudzu_exec_t,s0)
-/sbin/kudzu -- gen_context(system_u:object_r:kudzu_exec_t,s0)
-
/usr/sbin/kmodule -- gen_context(system_u:object_r:kudzu_exec_t,s0)
/usr/sbin/kudzu -- gen_context(system_u:object_r:kudzu_exec_t,s0)
diff --git a/policy/modules/contrib/kudzu.te b/policy/modules/contrib/kudzu.te
index a5f91822..4116d008 100644
--- a/policy/modules/contrib/kudzu.te
+++ b/policy/modules/contrib/kudzu.te
@@ -1,4 +1,4 @@
-policy_module(kudzu, 1.12.0)
+policy_module(kudzu, 1.12.1)
########################################
#
diff --git a/policy/modules/contrib/loadkeys.fc b/policy/modules/contrib/loadkeys.fc
index c6fe71b7..38f91fed 100644
--- a/policy/modules/contrib/loadkeys.fc
+++ b/policy/modules/contrib/loadkeys.fc
@@ -1,5 +1,2 @@
-/bin/loadkeys -- gen_context(system_u:object_r:loadkeys_exec_t,s0)
-/bin/unikeys -- gen_context(system_u:object_r:loadkeys_exec_t,s0)
-
/usr/bin/loadkeys -- gen_context(system_u:object_r:loadkeys_exec_t,s0)
/usr/bin/unikeys -- gen_context(system_u:object_r:loadkeys_exec_t,s0)
diff --git a/policy/modules/contrib/loadkeys.te b/policy/modules/contrib/loadkeys.te
index ad974220..ca8e7015 100644
--- a/policy/modules/contrib/loadkeys.te
+++ b/policy/modules/contrib/loadkeys.te
@@ -1,4 +1,4 @@
-policy_module(loadkeys, 1.11.0)
+policy_module(loadkeys, 1.11.1)
########################################
#
diff --git a/policy/modules/contrib/mta.fc b/policy/modules/contrib/mta.fc
index f42896cb..24681349 100644
--- a/policy/modules/contrib/mta.fc
+++ b/policy/modules/contrib/mta.fc
@@ -5,8 +5,6 @@ HOME_DIR/\.mailrc -- gen_context(system_u:object_r:mail_home_t,s0)
HOME_DIR/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
HOME_DIR/\.maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
-/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-
/etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0)
/etc/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0)
/etc/mail(/.*)? gen_context(system_u:object_r:etc_mail_t,s0)
diff --git a/policy/modules/contrib/mta.te b/policy/modules/contrib/mta.te
index 51b3bbb9..f0c4b92c 100644
--- a/policy/modules/contrib/mta.te
+++ b/policy/modules/contrib/mta.te
@@ -1,4 +1,4 @@
-policy_module(mta, 2.8.0)
+policy_module(mta, 2.8.1)
########################################
#
diff --git a/policy/modules/contrib/networkmanager.fc b/policy/modules/contrib/networkmanager.fc
index 6c54e0e7..d24e9f0c 100644
--- a/policy/modules/contrib/networkmanager.fc
+++ b/policy/modules/contrib/networkmanager.fc
@@ -21,9 +21,6 @@
/usr/lib/systemd/system/[^/]*NetworkManager.* -- gen_context(system_u:object_r:NetworkManager_unit_t,s0)
/usr/lib/systemd/system/[^/]*wpa_supplicant.* -- gen_context(system_u:object_r:NetworkManager_unit_t,s0)
-/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
-/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
-
/usr/bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
/usr/bin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
/usr/bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index 3b666807..27b92658 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -1,4 +1,4 @@
-policy_module(networkmanager, 1.20.0)
+policy_module(networkmanager, 1.20.1)
########################################
#
diff --git a/policy/modules/contrib/nis.fc b/policy/modules/contrib/nis.fc
index a5c3ed9b..2b86f44d 100644
--- a/policy/modules/contrib/nis.fc
+++ b/policy/modules/contrib/nis.fc
@@ -5,8 +5,6 @@
/etc/ypserv\.conf -- gen_context(system_u:object_r:ypserv_conf_t,s0)
-/sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0)
-
/usr/lib/yp/ypxfr -- gen_context(system_u:object_r:ypxfr_exec_t,s0)
/usr/lib/systemd/system/ypbind.*\.service -- gen_context(system_u:object_r:ypbind_unit_t,s0)
diff --git a/policy/modules/contrib/nis.te b/policy/modules/contrib/nis.te
index 0fda4fa3..c49ecb0b 100644
--- a/policy/modules/contrib/nis.te
+++ b/policy/modules/contrib/nis.te
@@ -1,4 +1,4 @@
-policy_module(nis, 1.15.0)
+policy_module(nis, 1.15.1)
########################################
#
diff --git a/policy/modules/contrib/nut.fc b/policy/modules/contrib/nut.fc
index 54ab9020..5fa41e6a 100644
--- a/policy/modules/contrib/nut.fc
+++ b/policy/modules/contrib/nut.fc
@@ -4,10 +4,6 @@
/etc/rc\.d/init\.d/nut-driver -- gen_context(system_u:object_r:nut_initrc_exec_t,s0)
/etc/rc\.d/init\.d/nut-server -- gen_context(system_u:object_r:nut_initrc_exec_t,s0)
-/sbin/upsd -- gen_context(system_u:object_r:nut_upsd_exec_t,s0)
-/sbin/upsdrvctl -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
-/sbin/upsmon -- gen_context(system_u:object_r:nut_upsmon_exec_t,s0)
-
/usr/lib/cgi-bin/nut/upsimage\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
/usr/lib/cgi-bin/nut/upsset\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
/usr/lib/cgi-bin/nut/upsstats\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
diff --git a/policy/modules/contrib/nut.te b/policy/modules/contrib/nut.te
index 5471e631..8086281f 100644
--- a/policy/modules/contrib/nut.te
+++ b/policy/modules/contrib/nut.te
@@ -1,4 +1,4 @@
-policy_module(nut, 1.6.0)
+policy_module(nut, 1.6.1)
########################################
#
diff --git a/policy/modules/contrib/oddjob.fc b/policy/modules/contrib/oddjob.fc
index 243a8098..d20f5ea2 100644
--- a/policy/modules/contrib/oddjob.fc
+++ b/policy/modules/contrib/oddjob.fc
@@ -1,5 +1,3 @@
-/sbin/mkhomedir_helper -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
-
/usr/lib/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
/usr/libexec/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
diff --git a/policy/modules/contrib/oddjob.te b/policy/modules/contrib/oddjob.te
index cf72de7e..c01d4f62 100644
--- a/policy/modules/contrib/oddjob.te
+++ b/policy/modules/contrib/oddjob.te
@@ -1,4 +1,4 @@
-policy_module(oddjob, 1.11.0)
+policy_module(oddjob, 1.11.1)
########################################
#
diff --git a/policy/modules/contrib/pcmcia.fc b/policy/modules/contrib/pcmcia.fc
index e4538bc4..b508069e 100644
--- a/policy/modules/contrib/pcmcia.fc
+++ b/policy/modules/contrib/pcmcia.fc
@@ -1,8 +1,5 @@
/etc/apm/event\.d/pcmcia -- gen_context(system_u:object_r:cardmgr_exec_t,s0)
-/sbin/cardctl -- gen_context(system_u:object_r:cardctl_exec_t,s0)
-/sbin/cardmgr -- gen_context(system_u:object_r:cardmgr_exec_t,s0)
-
/usr/sbin/cardctl -- gen_context(system_u:object_r:cardctl_exec_t,s0)
/usr/sbin/cardmgr -- gen_context(system_u:object_r:cardmgr_exec_t,s0)
diff --git a/policy/modules/contrib/pcmcia.te b/policy/modules/contrib/pcmcia.te
index b8454876..ceab5763 100644
--- a/policy/modules/contrib/pcmcia.te
+++ b/policy/modules/contrib/pcmcia.te
@@ -1,4 +1,4 @@
-policy_module(pcmcia, 1.8.0)
+policy_module(pcmcia, 1.8.1)
########################################
#
diff --git a/policy/modules/contrib/plymouthd.fc b/policy/modules/contrib/plymouthd.fc
index 0f2fc4bb..8eab91b8 100644
--- a/policy/modules/contrib/plymouthd.fc
+++ b/policy/modules/contrib/plymouthd.fc
@@ -1,7 +1,3 @@
-/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t,s0)
-
-/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0)
-
/usr/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t,s0)
# Systemd unit file
diff --git a/policy/modules/contrib/plymouthd.te b/policy/modules/contrib/plymouthd.te
index 3e19efb5..c9c04040 100644
--- a/policy/modules/contrib/plymouthd.te
+++ b/policy/modules/contrib/plymouthd.te
@@ -1,4 +1,4 @@
-policy_module(plymouthd, 1.4.0)
+policy_module(plymouthd, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/portmap.fc b/policy/modules/contrib/portmap.fc
index 9264840d..d15c7072 100644
--- a/policy/modules/contrib/portmap.fc
+++ b/policy/modules/contrib/portmap.fc
@@ -1,9 +1,5 @@
/etc/rc\.d/init\.d/portmap -- gen_context(system_u:object_r:portmap_initrc_exec_t,s0)
-/sbin/pmap_dump -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
-/sbin/pmap_set -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
-/sbin/portmap -- gen_context(system_u:object_r:portmap_exec_t,s0)
-
/usr/sbin/pmap_dump -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
/usr/sbin/pmap_set -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
/usr/sbin/portmap -- gen_context(system_u:object_r:portmap_exec_t,s0)
diff --git a/policy/modules/contrib/portmap.te b/policy/modules/contrib/portmap.te
index b5abc87b..292b3aa8 100644
--- a/policy/modules/contrib/portmap.te
+++ b/policy/modules/contrib/portmap.te
@@ -1,4 +1,4 @@
-policy_module(portmap, 1.13.0)
+policy_module(portmap, 1.13.1)
########################################
#
diff --git a/policy/modules/contrib/portreserve.fc b/policy/modules/contrib/portreserve.fc
index 0207d6c8..de7da13c 100644
--- a/policy/modules/contrib/portreserve.fc
+++ b/policy/modules/contrib/portreserve.fc
@@ -2,8 +2,6 @@
/etc/rc\.d/init\.d/portreserve -- gen_context(system_u:object_r:portreserve_initrc_exec_t,s0)
-/sbin/portreserve -- gen_context(system_u:object_r:portreserve_exec_t,s0)
-
/usr/sbin/portreserve -- gen_context(system_u:object_r:portreserve_exec_t,s0)
/run/portreserve(/.*)? gen_context(system_u:object_r:portreserve_var_run_t,s0)
diff --git a/policy/modules/contrib/portreserve.te b/policy/modules/contrib/portreserve.te
index 4aa79a45..7e05b61b 100644
--- a/policy/modules/contrib/portreserve.te
+++ b/policy/modules/contrib/portreserve.te
@@ -1,4 +1,4 @@
-policy_module(portreserve, 1.6.0)
+policy_module(portreserve, 1.6.1)
########################################
#
diff --git a/policy/modules/contrib/ppp.fc b/policy/modules/contrib/ppp.fc
index 0b03de18..d31591a5 100644
--- a/policy/modules/contrib/ppp.fc
+++ b/policy/modules/contrib/ppp.fc
@@ -9,9 +9,6 @@ HOME_DIR/\.ppprc -- gen_context(system_u:object_r:ppp_home_t,s0)
/etc/ppp/resolv\.conf -- gen_context(system_u:object_r:pppd_etc_rw_t,s0)
/etc/ppp/(auth|ip(v6|x)?)-(up|down) -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0)
-/sbin/ppp-watch -- gen_context(system_u:object_r:pppd_exec_t,s0)
-/sbin/pppoe-server -- gen_context(system_u:object_r:pppd_exec_t,s0)
-
/usr/lib/systemd/system/ppp.*\.service -- gen_context(system_u:object_r:pppd_unit_t,s0)
/usr/sbin/ipppd -- gen_context(system_u:object_r:pppd_exec_t,s0)
diff --git a/policy/modules/contrib/ppp.te b/policy/modules/contrib/ppp.te
index ba856667..27718824 100644
--- a/policy/modules/contrib/ppp.te
+++ b/policy/modules/contrib/ppp.te
@@ -1,4 +1,4 @@
-policy_module(ppp, 1.17.0)
+policy_module(ppp, 1.17.1)
########################################
#
diff --git a/policy/modules/contrib/prelude.fc b/policy/modules/contrib/prelude.fc
index fd4ccde3..75df3cf6 100644
--- a/policy/modules/contrib/prelude.fc
+++ b/policy/modules/contrib/prelude.fc
@@ -4,8 +4,6 @@
/etc/rc\.d/init\.d/prelude-lml -- gen_context(system_u:object_r:prelude_initrc_exec_t,s0)
/etc/rc\.d/init\.d/prelude-manager -- gen_context(system_u:object_r:prelude_initrc_exec_t,s0)
-/sbin/audisp-prelude -- gen_context(system_u:object_r:prelude_audisp_exec_t,s0)
-
/usr/bin/prelude-correlator -- gen_context(system_u:object_r:prelude_correlator_exec_t,s0)
/usr/bin/prelude-lml -- gen_context(system_u:object_r:prelude_lml_exec_t,s0)
/usr/bin/prelude-manager -- gen_context(system_u:object_r:prelude_exec_t,s0)
diff --git a/policy/modules/contrib/prelude.te b/policy/modules/contrib/prelude.te
index d3aa038a..4f14f0b6 100644
--- a/policy/modules/contrib/prelude.te
+++ b/policy/modules/contrib/prelude.te
@@ -1,4 +1,4 @@
-policy_module(prelude, 1.7.0)
+policy_module(prelude, 1.7.1)
########################################
#
diff --git a/policy/modules/contrib/quota.fc b/policy/modules/contrib/quota.fc
index a6093189..c3d05ba1 100644
--- a/policy/modules/contrib/quota.fc
+++ b/policy/modules/contrib/quota.fc
@@ -10,9 +10,6 @@ HOME_DIR/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
/etc/rc\.d/init\.d/quota_nld -- gen_context(system_u:object_r:quota_nld_initrc_exec_t,s0)
-/sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0)
-/sbin/quota(check|on) -- gen_context(system_u:object_r:quota_exec_t,s0)
-
/usr/sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0)
/usr/sbin/quota(check|on) -- gen_context(system_u:object_r:quota_exec_t,s0)
/usr/sbin/quota_nld -- gen_context(system_u:object_r:quota_nld_exec_t,s0)
diff --git a/policy/modules/contrib/quota.te b/policy/modules/contrib/quota.te
index 95262d48..9952f537 100644
--- a/policy/modules/contrib/quota.te
+++ b/policy/modules/contrib/quota.te
@@ -1,4 +1,4 @@
-policy_module(quota, 1.9.0)
+policy_module(quota, 1.9.1)
########################################
#
diff --git a/policy/modules/contrib/raid.fc b/policy/modules/contrib/raid.fc
index dc17e796..dc26d8d3 100644
--- a/policy/modules/contrib/raid.fc
+++ b/policy/modules/contrib/raid.fc
@@ -3,14 +3,6 @@
/etc/rc\.d/init\.d/mdmonitor -- gen_context(system_u:object_r:mdadm_initrc_exec_t,s0)
-/sbin/iprdump -- gen_context(system_u:object_r:mdadm_exec_t,s0)
-/sbin/iprinit -- gen_context(system_u:object_r:mdadm_exec_t,s0)
-/sbin/iprupdate -- gen_context(system_u:object_r:mdadm_exec_t,s0)
-/sbin/mdadm -- gen_context(system_u:object_r:mdadm_exec_t,s0)
-/sbin/mdmon -- gen_context(system_u:object_r:mdadm_exec_t,s0)
-/sbin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0)
-/sbin/raid-check -- gen_context(system_u:object_r:mdadm_exec_t,s0)
-
# Systemd unit files
/usr/lib/systemd/system/[^/]*mdadm-.* -- gen_context(system_u:object_r:mdadm_unit_t,s0)
/usr/lib/systemd/system/[^/]*mdmon.* -- gen_context(system_u:object_r:mdadm_unit_t,s0)
diff --git a/policy/modules/contrib/raid.te b/policy/modules/contrib/raid.te
index 172bae9b..ad21e093 100644
--- a/policy/modules/contrib/raid.te
+++ b/policy/modules/contrib/raid.te
@@ -1,4 +1,4 @@
-policy_module(raid, 1.17.0)
+policy_module(raid, 1.17.1)
########################################
#
diff --git a/policy/modules/contrib/rdisc.fc b/policy/modules/contrib/rdisc.fc
index e9765c0f..168de323 100644
--- a/policy/modules/contrib/rdisc.fc
+++ b/policy/modules/contrib/rdisc.fc
@@ -1,3 +1 @@
-/sbin/rdisc -- gen_context(system_u:object_r:rdisc_exec_t,s0)
-
/usr/sbin/rdisc -- gen_context(system_u:object_r:rdisc_exec_t,s0)
diff --git a/policy/modules/contrib/rdisc.te b/policy/modules/contrib/rdisc.te
index 9196c1db..ea6d2d92 100644
--- a/policy/modules/contrib/rdisc.te
+++ b/policy/modules/contrib/rdisc.te
@@ -1,4 +1,4 @@
-policy_module(rdisc, 1.8.0)
+policy_module(rdisc, 1.8.1)
########################################
#
diff --git a/policy/modules/contrib/readahead.fc b/policy/modules/contrib/readahead.fc
index 9519bd88..5932e207 100644
--- a/policy/modules/contrib/readahead.fc
+++ b/policy/modules/contrib/readahead.fc
@@ -1,5 +1,3 @@
-/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
-
/usr/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
/var/lib/readahead(/.*)? gen_context(system_u:object_r:readahead_var_lib_t,s0)
diff --git a/policy/modules/contrib/readahead.te b/policy/modules/contrib/readahead.te
index 9b2d53fd..080c0ad0 100644
--- a/policy/modules/contrib/readahead.te
+++ b/policy/modules/contrib/readahead.te
@@ -1,4 +1,4 @@
-policy_module(readahead, 1.15.0)
+policy_module(readahead, 1.15.1)
########################################
#
diff --git a/policy/modules/contrib/resmgr.fc b/policy/modules/contrib/resmgr.fc
index 9dec87b4..138f76e2 100644
--- a/policy/modules/contrib/resmgr.fc
+++ b/policy/modules/contrib/resmgr.fc
@@ -2,8 +2,6 @@
/etc/rc\.d/init\.d/resmgr -- gen_context(system_u:object_r:resmgrd_initrc_exec_t,s0)
-/sbin/resmgrd -- gen_context(system_u:object_r:resmgrd_exec_t,s0)
-
/usr/sbin/resmgrd -- gen_context(system_u:object_r:resmgrd_exec_t,s0)
/run/\.resmgr_socket -s gen_context(system_u:object_r:resmgrd_var_run_t,s0)
diff --git a/policy/modules/contrib/resmgr.te b/policy/modules/contrib/resmgr.te
index db7eca57..25e40670 100644
--- a/policy/modules/contrib/resmgr.te
+++ b/policy/modules/contrib/resmgr.te
@@ -1,4 +1,4 @@
-policy_module(resmgr, 1.5.0)
+policy_module(resmgr, 1.5.1)
########################################
#
diff --git a/policy/modules/contrib/rpc.fc b/policy/modules/contrib/rpc.fc
index 17ad35a5..9d6d5241 100644
--- a/policy/modules/contrib/rpc.fc
+++ b/policy/modules/contrib/rpc.fc
@@ -4,9 +4,6 @@
/etc/rc\.d/init\.d/nfslock -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
/etc/rc\.d/init\.d/rpcidmapd -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
-/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0)
-/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0)
-
/usr/lib/systemd/system/nfs.*\.service -- gen_context(system_u:object_r:nfsd_unit_t,s0)
/usr/lib/systemd/system/rpc.*\.service -- gen_context(system_u:object_r:rpcd_unit_t,s0)
diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
index 2e471568..cf1f775b 100644
--- a/policy/modules/contrib/rpc.te
+++ b/policy/modules/contrib/rpc.te
@@ -1,4 +1,4 @@
-policy_module(rpc, 1.19.0)
+policy_module(rpc, 1.19.1)
########################################
#
diff --git a/policy/modules/contrib/rpcbind.fc b/policy/modules/contrib/rpcbind.fc
index b4bb017f..35f6ae43 100644
--- a/policy/modules/contrib/rpcbind.fc
+++ b/policy/modules/contrib/rpcbind.fc
@@ -1,7 +1,5 @@
/etc/rc\.d/init\.d/rpcbind -- gen_context(system_u:object_r:rpcbind_initrc_exec_t,s0)
-/sbin/rpcbind -- gen_context(system_u:object_r:rpcbind_exec_t,s0)
-
/usr/sbin/rpcbind -- gen_context(system_u:object_r:rpcbind_exec_t,s0)
/var/cache/rpcbind(/.*)? gen_context(system_u:object_r:rpcbind_var_lib_t,s0)
diff --git a/policy/modules/contrib/rpcbind.te b/policy/modules/contrib/rpcbind.te
index e3a4cc00..8e752265 100644
--- a/policy/modules/contrib/rpcbind.te
+++ b/policy/modules/contrib/rpcbind.te
@@ -1,4 +1,4 @@
-policy_module(rpcbind, 1.11.0)
+policy_module(rpcbind, 1.11.1)
########################################
#
diff --git a/policy/modules/contrib/rpm.fc b/policy/modules/contrib/rpm.fc
index e4c28502..71c90c7e 100644
--- a/policy/modules/contrib/rpm.fc
+++ b/policy/modules/contrib/rpm.fc
@@ -1,9 +1,5 @@
-/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0)
-
/etc/rc\.d/init\.d/bcfg2 -- gen_context(system_u:object_r:rpm_initrc_exec_t,s0)
-/sbin/yast2 -- gen_context(system_u:object_r:rpm_exec_t,s0)
-
/usr/bin/debuginfo-install -- gen_context(system_u:object_r:debuginfo_exec_t,s0)
/usr/bin/fedora-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0)
diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te
index 2a709ce6..6ab5fd9e 100644
--- a/policy/modules/contrib/rpm.te
+++ b/policy/modules/contrib/rpm.te
@@ -1,4 +1,4 @@
-policy_module(rpm, 1.19.0)
+policy_module(rpm, 1.19.1)
########################################
#
diff --git a/policy/modules/contrib/shorewall.fc b/policy/modules/contrib/shorewall.fc
index 3349532e..e92567aa 100644
--- a/policy/modules/contrib/shorewall.fc
+++ b/policy/modules/contrib/shorewall.fc
@@ -3,9 +3,6 @@
/etc/shorewall(/.*)? gen_context(system_u:object_r:shorewall_etc_t,s0)
/etc/shorewall-lite(/.*)? gen_context(system_u:object_r:shorewall_etc_t,s0)
-/sbin/shorewall6? -- gen_context(system_u:object_r:shorewall_exec_t,s0)
-/sbin/shorewall-lite -- gen_context(system_u:object_r:shorewall_exec_t,s0)
-
/usr/sbin/shorewall6? -- gen_context(system_u:object_r:shorewall_exec_t,s0)
/usr/sbin/shorewall-lite -- gen_context(system_u:object_r:shorewall_exec_t,s0)
diff --git a/policy/modules/contrib/shorewall.te b/policy/modules/contrib/shorewall.te
index 29661dea..e2e6c30d 100644
--- a/policy/modules/contrib/shorewall.te
+++ b/policy/modules/contrib/shorewall.te
@@ -1,4 +1,4 @@
-policy_module(shorewall, 1.6.0)
+policy_module(shorewall, 1.6.1)
########################################
#
diff --git a/policy/modules/contrib/shutdown.fc b/policy/modules/contrib/shutdown.fc
index 199c6894..e6730a03 100644
--- a/policy/modules/contrib/shutdown.fc
+++ b/policy/modules/contrib/shutdown.fc
@@ -1,9 +1,5 @@
/etc/nologin -- gen_context(system_u:object_r:shutdown_etc_t,s0)
-/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
-
-/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
-
/usr/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
/usr/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
diff --git a/policy/modules/contrib/shutdown.te b/policy/modules/contrib/shutdown.te
index e10149f1..6a0b126e 100644
--- a/policy/modules/contrib/shutdown.te
+++ b/policy/modules/contrib/shutdown.te
@@ -1,4 +1,4 @@
-policy_module(shutdown, 1.4.0)
+policy_module(shutdown, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/usbmodules.fc b/policy/modules/contrib/usbmodules.fc
index 02d72531..66604b50 100644
--- a/policy/modules/contrib/usbmodules.fc
+++ b/policy/modules/contrib/usbmodules.fc
@@ -1,3 +1 @@
-/sbin/usbmodules -- gen_context(system_u:object_r:usbmodules_exec_t,s0)
-
/usr/sbin/usbmodules -- gen_context(system_u:object_r:usbmodules_exec_t,s0)
diff --git a/policy/modules/contrib/usbmodules.te b/policy/modules/contrib/usbmodules.te
index 279e511d..d4307b9d 100644
--- a/policy/modules/contrib/usbmodules.te
+++ b/policy/modules/contrib/usbmodules.te
@@ -1,4 +1,4 @@
-policy_module(usbmodules, 1.3.0)
+policy_module(usbmodules, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/vpn.fc b/policy/modules/contrib/vpn.fc
index 02701c33..1cd43c66 100644
--- a/policy/modules/contrib/vpn.fc
+++ b/policy/modules/contrib/vpn.fc
@@ -1,5 +1,3 @@
-/sbin/vpnc -- gen_context(system_u:object_r:vpnc_exec_t,s0)
-
/usr/bin/openconnect -- gen_context(system_u:object_r:vpnc_exec_t,s0)
/usr/sbin/vpnc -- gen_context(system_u:object_r:vpnc_exec_t,s0)
diff --git a/policy/modules/contrib/vpn.te b/policy/modules/contrib/vpn.te
index e11d7511..85353fa7 100644
--- a/policy/modules/contrib/vpn.te
+++ b/policy/modules/contrib/vpn.te
@@ -1,4 +1,4 @@
-policy_module(vpn, 1.17.0)
+policy_module(vpn, 1.17.1)
########################################
#
diff --git a/policy/modules/contrib/zosremote.fc b/policy/modules/contrib/zosremote.fc
index 7a7fc614..adfd4a21 100644
--- a/policy/modules/contrib/zosremote.fc
+++ b/policy/modules/contrib/zosremote.fc
@@ -1,3 +1 @@
-/sbin/audispd-zos-remote -- gen_context(system_u:object_r:zos_remote_exec_t,s0)
-
/usr/sbin/audispd-zos-remote -- gen_context(system_u:object_r:zos_remote_exec_t,s0)
diff --git a/policy/modules/contrib/zosremote.te b/policy/modules/contrib/zosremote.te
index bc6a5db7..7139cde4 100644
--- a/policy/modules/contrib/zosremote.te
+++ b/policy/modules/contrib/zosremote.te
@@ -1,4 +1,4 @@
-policy_module(zosremote, 1.2.0)
+policy_module(zosremote, 1.2.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-02-05 6:29 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-02-05 6:29 UTC (permalink / raw
To: gentoo-commits
commit: 23dbbea7dd09110633f8b4aeb1707573f841aa90
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Feb 4 18:30:54 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Feb 5 06:26:54 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=23dbbea7
Update Changelog for release.
policy/modules/contrib/Changelog | 114 +++++++++++++++++++++++++++++++++++++++
1 file changed, 114 insertions(+)
diff --git a/policy/modules/contrib/Changelog b/policy/modules/contrib/Changelog
index f143cb9..907847c 100644
--- a/policy/modules/contrib/Changelog
+++ b/policy/modules/contrib/Changelog
@@ -1,3 +1,117 @@
+* Sat Feb 04 2017 Chris PeBenito <pebenito@ieee.org> - 2.20170204
+Chris PeBenito (41):
+ Module version bump for patches from Jason Zaman.
+ authbind: Remove dead policy.
+ Module version bump for cups patch from Guido Trentalancia.
+ Merge pull request #29 from cgzones/deprecated_macros
+ Module version bump for Debian fprintd fc entry from Laurent Bigonville.
+ Module version bumps for openoffice patches from Guido Trentalancia.
+ Module version bumps for patches from Guido Trentalancia.
+ Merge pull request #30 from cgzones/trailing_whitespaces
+ Module version bumps for mozilla and gpg patches from Luis Ressel.
+ Module version bump for patches from Guido Trentalancia.
+ Module version bump for patches from Guido Trentalancia.
+ rtkit, wm: Remove calls to nonexistant interfaces.
+ Module version bumps for patches from Guido Trentalancia.
+ rtkit: enable dbus chat with xdm
+ Module version bump for patches from Guido Trentalancia.
+ Module version bump for xscreensaver patch from Guido Trentalancia.
+ Merge branch 'run_transition' of
+ git://github.com/cgzones/refpolicy-contrib
+ Module version bumps for /run fc changes from cgzones.
+ Module version bump for openoffice and wm patches from Guido Trentalancia.
+ Module version bump for patches from Guido Trentalancia.
+ Module version bump for wm patch from Guido Trentalancia.
+ Merge branch 'usr-fc' of
+ git://github.com/fishilico/selinux-refpolicy-contrib
+ Module version bump for fc updates from Nicolas Iooss.
+ Module version bump for patches from Guido Trentalancia.
+ Module version bump for capability2 fixes from Guido Trentalancia.
+ Module version bump for plymouth fix from Guido Trentalancia.
+ boinc: Update from Russell Coker.
+ Module version bump for mozilla update from Guido Trentalancia.
+ Merge pull request #47 from cgzones/dphysswap_module
+ Merge pull request #40 from cgzones/fakehwclock_module
+ Merge branch 'gpg_module' of git://github.com/cgzones/refpolicy-contrib
+ Merge branch 'irqbalance_module' of
+ git://github.com/cgzones/refpolicy-contrib
+ Merge branch 'loadkeys_module' of
+ git://github.com/cgzones/refpolicy-contrib
+ Module version bumps for patches from cgzones.
+ Merge branch 'exim_module' of git://github.com/cgzones/refpolicy-contrib
+ Merge branch 'screen_module' of git://github.com/cgzones/refpolicy-contrib
+ Module version bump for screen and exim changes from cgzones.
+ screen: Revert broken interface call.
+ cups: Move hplip_domtrans interface.
+ Module version bump for cups patch from Guido Trentalancia.
+ Bump module versions for release.
+
+Dominick Grift (1):
+ Re-add raid fc spec that must have been removed earlier by mistake
+
+Guido Trentalancia (29):
+ cups: descend "rw" directories when reading configuration files
+ Apache OpenOffice module (contrib policy part)
+ openoffice: rename two interfaces in openoffice and evolution
+ mozilla: extend dbus connection permissions
+ openoffice: permission to read user temporary files
+ xguest: restrict ability to execute files on noxattr filesystems
+ pulseaudio: update server and client permissions
+ mozilla: remove redundant pulseaudio interface calls
+ networkmanager: read user certs not user content (was enable
+ userdom_read_user_certs() throughout the policy)
+ Make several calls to mta interfaces optional
+ wm: update the window manager (wm) module and enable its role template
+ (v7)
+ rtkit: enable dbus chat with xdm
+ networkmanager: enable dbus chat with xdm
+ policykit: enable dbus chat with xdm
+ games: general update and improved pulseaudio integration
+ wm: improved integration with games
+ xscreensaver: update the module so that it can be effectively used
+ wm: properly set domain entrypoint in wm_application_domain()
+ openoffice: add writer support for sending email directly to multiple
+ recipients
+ contrib: use new genhomedircon template for username
+ contrib: extend wm ability to launch confined graphical applications
+ contrib: support the new interface to manage X session logs
+ networkmanager: dbus chat with cups
+ cups: add cups-browsed executable fc
+ devicekit: add new wake_alarm permission (capability2)
+ networkmanager: add new wake_alarm permission (capability2)
+ plymouth: use the correct running domain for the client
+ mozilla: execute evolution to send emails
+ cups: new interface to execute HPLIP applications in their own domain
+
+Jason Zaman (4):
+ pcscd: dbus and domain lookup
+ devicekit: fcontext for udisks2
+ gnome: add gkeyring rules and fcontext
+ gpg: add new socket paths
+
+Laurent Bigonville (1):
+ Add debian path for fprintd daemon
+
+Luis Ressel (3):
+ gpg: Add filetrans for scdaemon socket and gpg-agent extra sockets
+ gpg.fc: Adjust whitespace
+ mozilla: Add miscfiles_dontaudit_setattr_fonts_cache_dirs()
+
+Nicolas Iooss (1):
+ Add file contexts for files in /usr/{lib,sbin}
+
+cgzones (10):
+ use domain_auto_transition_pattern instead of domain_auto_trans
+ remove trailing whitespaces
+ transition file contexts to /run
+ update loadkeys module
+ add fakehwclock module
+ add dphysswapfile module
+ update gpg module
+ update screen module
+ update irqbalance module
+ update exim module
+
* Sun Oct 23 2016 Chris PeBenito <pebenito@ieee.org> - 2.20161023
Adam Tkac (2):
varnishncsa (varnishlog_t) reads localization files
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-02-05 6:29 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-02-05 6:29 UTC (permalink / raw
To: gentoo-commits
commit: 7400e924df4723b1702e49ede475902d28c5caf2
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Feb 4 18:30:53 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Feb 5 06:26:54 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7400e924
Bump module versions for release.
policy/modules/contrib/abrt.te | 2 +-
policy/modules/contrib/aiccu.te | 2 +-
policy/modules/contrib/aisexec.te | 2 +-
policy/modules/contrib/amavis.te | 2 +-
policy/modules/contrib/apache.te | 2 +-
policy/modules/contrib/apcupsd.te | 2 +-
policy/modules/contrib/apm.te | 2 +-
policy/modules/contrib/arpwatch.te | 2 +-
policy/modules/contrib/asterisk.te | 2 +-
policy/modules/contrib/automount.te | 2 +-
policy/modules/contrib/avahi.te | 2 +-
policy/modules/contrib/bacula.te | 2 +-
policy/modules/contrib/bcfg2.te | 2 +-
policy/modules/contrib/bind.te | 2 +-
policy/modules/contrib/bird.te | 2 +-
policy/modules/contrib/bitlbee.te | 2 +-
policy/modules/contrib/bluetooth.te | 2 +-
policy/modules/contrib/boinc.te | 2 +-
policy/modules/contrib/cachefilesd.te | 2 +-
policy/modules/contrib/callweaver.te | 2 +-
policy/modules/contrib/canna.te | 2 +-
policy/modules/contrib/ccs.te | 2 +-
policy/modules/contrib/certmaster.te | 2 +-
policy/modules/contrib/certmonger.te | 2 +-
policy/modules/contrib/cgroup.te | 2 +-
policy/modules/contrib/chronyd.te | 2 +-
policy/modules/contrib/clamav.te | 2 +-
policy/modules/contrib/clogd.te | 2 +-
policy/modules/contrib/cmirrord.te | 2 +-
policy/modules/contrib/collectd.te | 2 +-
policy/modules/contrib/colord.te | 2 +-
policy/modules/contrib/condor.te | 2 +-
policy/modules/contrib/consolekit.te | 2 +-
policy/modules/contrib/corosync.te | 2 +-
policy/modules/contrib/couchdb.te | 2 +-
policy/modules/contrib/courier.te | 2 +-
policy/modules/contrib/cpucontrol.te | 2 +-
policy/modules/contrib/cron.te | 2 +-
policy/modules/contrib/ctdb.te | 2 +-
policy/modules/contrib/cups.te | 2 +-
policy/modules/contrib/cvs.te | 2 +-
policy/modules/contrib/cyphesis.te | 2 +-
policy/modules/contrib/cyrus.te | 2 +-
policy/modules/contrib/dante.te | 2 +-
policy/modules/contrib/dbus.te | 2 +-
policy/modules/contrib/dcc.te | 2 +-
policy/modules/contrib/ddclient.te | 2 +-
policy/modules/contrib/devicekit.te | 2 +-
policy/modules/contrib/dhcp.te | 2 +-
policy/modules/contrib/dictd.te | 2 +-
policy/modules/contrib/dirmngr.te | 2 +-
policy/modules/contrib/distcc.te | 2 +-
policy/modules/contrib/dkim.te | 2 +-
policy/modules/contrib/dnsmasq.te | 2 +-
policy/modules/contrib/dnssectrigger.te | 2 +-
policy/modules/contrib/dovecot.te | 2 +-
policy/modules/contrib/dspam.te | 2 +-
policy/modules/contrib/entropyd.te | 2 +-
policy/modules/contrib/evolution.te | 2 +-
policy/modules/contrib/exim.te | 2 +-
policy/modules/contrib/fail2ban.te | 2 +-
policy/modules/contrib/fcoe.te | 2 +-
policy/modules/contrib/fetchmail.te | 2 +-
policy/modules/contrib/finger.te | 2 +-
policy/modules/contrib/firewalld.te | 2 +-
policy/modules/contrib/fprintd.te | 2 +-
policy/modules/contrib/ftp.te | 2 +-
policy/modules/contrib/games.te | 2 +-
policy/modules/contrib/gatekeeper.te | 2 +-
policy/modules/contrib/gdomap.te | 2 +-
policy/modules/contrib/gift.te | 2 +-
policy/modules/contrib/glance.te | 2 +-
policy/modules/contrib/glusterfs.te | 2 +-
policy/modules/contrib/gnome.te | 2 +-
policy/modules/contrib/gpg.te | 2 +-
policy/modules/contrib/gpm.te | 2 +-
policy/modules/contrib/gpsd.te | 2 +-
policy/modules/contrib/hadoop.te | 2 +-
policy/modules/contrib/hal.te | 2 +-
policy/modules/contrib/howl.te | 2 +-
policy/modules/contrib/hwloc.te | 2 +-
policy/modules/contrib/i18n_input.te | 2 +-
policy/modules/contrib/icecast.te | 2 +-
policy/modules/contrib/ifplugd.te | 2 +-
policy/modules/contrib/imaze.te | 2 +-
policy/modules/contrib/inetd.te | 2 +-
policy/modules/contrib/inn.te | 2 +-
policy/modules/contrib/ircd.te | 2 +-
policy/modules/contrib/irqbalance.te | 2 +-
policy/modules/contrib/iscsi.te | 2 +-
policy/modules/contrib/isns.te | 2 +-
policy/modules/contrib/jabber.te | 2 +-
policy/modules/contrib/java.te | 2 +-
policy/modules/contrib/kismet.te | 2 +-
policy/modules/contrib/ksmtuned.te | 2 +-
policy/modules/contrib/kudzu.te | 2 +-
policy/modules/contrib/l2tp.te | 2 +-
policy/modules/contrib/ldap.te | 2 +-
policy/modules/contrib/likewise.te | 2 +-
policy/modules/contrib/lircd.te | 2 +-
policy/modules/contrib/lldpad.te | 2 +-
policy/modules/contrib/loadkeys.te | 2 +-
policy/modules/contrib/logwatch.te | 2 +-
policy/modules/contrib/lpd.te | 2 +-
policy/modules/contrib/lsm.te | 2 +-
policy/modules/contrib/mailman.te | 2 +-
policy/modules/contrib/mailscanner.te | 2 +-
policy/modules/contrib/mcelog.te | 2 +-
policy/modules/contrib/memcached.te | 2 +-
policy/modules/contrib/milter.te | 2 +-
policy/modules/contrib/minidlna.te | 2 +-
policy/modules/contrib/minissdpd.te | 2 +-
policy/modules/contrib/mojomojo.te | 2 +-
policy/modules/contrib/mongodb.te | 2 +-
policy/modules/contrib/mono.te | 2 +-
policy/modules/contrib/monop.te | 2 +-
policy/modules/contrib/mozilla.te | 2 +-
policy/modules/contrib/mplayer.te | 2 +-
policy/modules/contrib/mrtg.te | 2 +-
policy/modules/contrib/munin.te | 2 +-
policy/modules/contrib/mysql.te | 2 +-
policy/modules/contrib/nagios.te | 2 +-
policy/modules/contrib/nessus.te | 2 +-
policy/modules/contrib/networkmanager.te | 2 +-
policy/modules/contrib/nis.te | 2 +-
policy/modules/contrib/nscd.te | 2 +-
policy/modules/contrib/nsd.te | 2 +-
policy/modules/contrib/nslcd.te | 2 +-
policy/modules/contrib/ntop.te | 2 +-
policy/modules/contrib/ntp.te | 2 +-
policy/modules/contrib/numad.te | 2 +-
policy/modules/contrib/nut.te | 2 +-
policy/modules/contrib/oddjob.te | 2 +-
policy/modules/contrib/openct.te | 2 +-
policy/modules/contrib/openhpi.te | 2 +-
policy/modules/contrib/openoffice.te | 2 +-
policy/modules/contrib/openvpn.te | 2 +-
policy/modules/contrib/openvswitch.te | 2 +-
policy/modules/contrib/pacemaker.te | 2 +-
policy/modules/contrib/pads.te | 2 +-
policy/modules/contrib/passenger.te | 2 +-
policy/modules/contrib/pcmcia.te | 2 +-
policy/modules/contrib/pcscd.te | 2 +-
policy/modules/contrib/pegasus.te | 2 +-
policy/modules/contrib/perdition.te | 2 +-
policy/modules/contrib/pkcs.te | 2 +-
policy/modules/contrib/plymouthd.te | 2 +-
policy/modules/contrib/policykit.te | 2 +-
policy/modules/contrib/polipo.te | 2 +-
policy/modules/contrib/portmap.te | 2 +-
policy/modules/contrib/portreserve.te | 2 +-
policy/modules/contrib/postfixpolicyd.te | 2 +-
policy/modules/contrib/postgrey.te | 2 +-
policy/modules/contrib/ppp.te | 2 +-
policy/modules/contrib/prelude.te | 2 +-
policy/modules/contrib/privoxy.te | 2 +-
policy/modules/contrib/psad.te | 2 +-
policy/modules/contrib/pulseaudio.te | 2 +-
policy/modules/contrib/puppet.te | 2 +-
policy/modules/contrib/pwauth.te | 2 +-
policy/modules/contrib/pxe.te | 2 +-
policy/modules/contrib/pyicqt.te | 2 +-
policy/modules/contrib/qpid.te | 2 +-
policy/modules/contrib/quota.te | 2 +-
policy/modules/contrib/rabbitmq.te | 2 +-
policy/modules/contrib/radius.te | 2 +-
policy/modules/contrib/radvd.te | 2 +-
policy/modules/contrib/raid.te | 2 +-
policy/modules/contrib/readahead.te | 2 +-
policy/modules/contrib/redis.te | 2 +-
policy/modules/contrib/resmgr.te | 2 +-
policy/modules/contrib/rgmanager.te | 2 +-
policy/modules/contrib/rhcs.te | 2 +-
policy/modules/contrib/rhsmcertd.te | 2 +-
policy/modules/contrib/ricci.te | 2 +-
policy/modules/contrib/rngd.te | 2 +-
policy/modules/contrib/rpc.te | 2 +-
policy/modules/contrib/rpcbind.te | 2 +-
policy/modules/contrib/rpm.te | 2 +-
policy/modules/contrib/rsync.te | 2 +-
policy/modules/contrib/rtkit.te | 2 +-
policy/modules/contrib/samba.te | 2 +-
policy/modules/contrib/samhain.te | 2 +-
policy/modules/contrib/sanlock.te | 2 +-
policy/modules/contrib/sasl.te | 2 +-
policy/modules/contrib/sblim.te | 2 +-
policy/modules/contrib/screen.te | 2 +-
policy/modules/contrib/sendmail.te | 2 +-
policy/modules/contrib/sensord.te | 2 +-
policy/modules/contrib/setroubleshoot.te | 2 +-
policy/modules/contrib/shibboleth.te | 2 +-
policy/modules/contrib/shutdown.te | 2 +-
policy/modules/contrib/slocate.te | 2 +-
policy/modules/contrib/slpd.te | 2 +-
policy/modules/contrib/slrnpull.te | 2 +-
policy/modules/contrib/smartmon.te | 2 +-
policy/modules/contrib/smokeping.te | 2 +-
policy/modules/contrib/smstools.te | 2 +-
policy/modules/contrib/snmp.te | 2 +-
policy/modules/contrib/snort.te | 2 +-
policy/modules/contrib/soundserver.te | 2 +-
policy/modules/contrib/spamassassin.te | 2 +-
policy/modules/contrib/speedtouch.te | 2 +-
policy/modules/contrib/squid.te | 2 +-
policy/modules/contrib/sssd.te | 2 +-
policy/modules/contrib/stunnel.te | 2 +-
policy/modules/contrib/svnserve.te | 2 +-
policy/modules/contrib/systemtap.te | 2 +-
policy/modules/contrib/telepathy.te | 2 +-
policy/modules/contrib/tgtd.te | 2 +-
policy/modules/contrib/thunderbird.te | 2 +-
policy/modules/contrib/tor.te | 2 +-
policy/modules/contrib/transproxy.te | 2 +-
policy/modules/contrib/tuned.te | 2 +-
policy/modules/contrib/tvtime.te | 2 +-
policy/modules/contrib/uml.te | 2 +-
policy/modules/contrib/uptime.te | 2 +-
policy/modules/contrib/usbmuxd.te | 2 +-
policy/modules/contrib/uuidd.te | 2 +-
policy/modules/contrib/uwimap.te | 2 +-
policy/modules/contrib/varnishd.te | 2 +-
policy/modules/contrib/vdagent.te | 2 +-
policy/modules/contrib/vhostmd.te | 2 +-
policy/modules/contrib/virt.te | 2 +-
policy/modules/contrib/vmware.te | 2 +-
policy/modules/contrib/vnstatd.te | 2 +-
policy/modules/contrib/vpn.te | 2 +-
policy/modules/contrib/watchdog.te | 2 +-
policy/modules/contrib/wdmd.te | 2 +-
policy/modules/contrib/wine.te | 2 +-
policy/modules/contrib/wireshark.te | 2 +-
policy/modules/contrib/wm.te | 2 +-
policy/modules/contrib/xen.te | 2 +-
policy/modules/contrib/xfs.te | 2 +-
policy/modules/contrib/xguest.te | 2 +-
policy/modules/contrib/xscreensaver.te | 2 +-
policy/modules/contrib/zabbix.te | 2 +-
policy/modules/contrib/zarafa.te | 2 +-
policy/modules/contrib/zebra.te | 2 +-
239 files changed, 239 insertions(+), 239 deletions(-)
diff --git a/policy/modules/contrib/abrt.te b/policy/modules/contrib/abrt.te
index 978faf2..8c52ac9 100644
--- a/policy/modules/contrib/abrt.te
+++ b/policy/modules/contrib/abrt.te
@@ -1,4 +1,4 @@
-policy_module(abrt, 1.6.1)
+policy_module(abrt, 1.7.0)
########################################
#
diff --git a/policy/modules/contrib/aiccu.te b/policy/modules/contrib/aiccu.te
index 74a8ddd..78c8653 100644
--- a/policy/modules/contrib/aiccu.te
+++ b/policy/modules/contrib/aiccu.te
@@ -1,4 +1,4 @@
-policy_module(aiccu, 1.2.1)
+policy_module(aiccu, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/aisexec.te b/policy/modules/contrib/aisexec.te
index 544c810..d89a243 100644
--- a/policy/modules/contrib/aisexec.te
+++ b/policy/modules/contrib/aisexec.te
@@ -1,4 +1,4 @@
-policy_module(aisexec, 1.3.1)
+policy_module(aisexec, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/amavis.te b/policy/modules/contrib/amavis.te
index fe1cea3..2f66a81 100644
--- a/policy/modules/contrib/amavis.te
+++ b/policy/modules/contrib/amavis.te
@@ -1,4 +1,4 @@
-policy_module(amavis, 1.16.1)
+policy_module(amavis, 1.17.0)
########################################
#
diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index 787603e..12b8055 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -1,4 +1,4 @@
-policy_module(apache, 2.11.1)
+policy_module(apache, 2.12.0)
########################################
#
diff --git a/policy/modules/contrib/apcupsd.te b/policy/modules/contrib/apcupsd.te
index 7ec3669..0277a90 100644
--- a/policy/modules/contrib/apcupsd.te
+++ b/policy/modules/contrib/apcupsd.te
@@ -1,4 +1,4 @@
-policy_module(apcupsd, 1.11.1)
+policy_module(apcupsd, 1.12.0)
########################################
#
diff --git a/policy/modules/contrib/apm.te b/policy/modules/contrib/apm.te
index 9a9e006..f5692d5 100644
--- a/policy/modules/contrib/apm.te
+++ b/policy/modules/contrib/apm.te
@@ -1,4 +1,4 @@
-policy_module(apm, 1.15.1)
+policy_module(apm, 1.16.0)
########################################
#
diff --git a/policy/modules/contrib/arpwatch.te b/policy/modules/contrib/arpwatch.te
index dedcee2..8c1ded6 100644
--- a/policy/modules/contrib/arpwatch.te
+++ b/policy/modules/contrib/arpwatch.te
@@ -1,4 +1,4 @@
-policy_module(arpwatch, 1.13.2)
+policy_module(arpwatch, 1.14.0)
########################################
#
diff --git a/policy/modules/contrib/asterisk.te b/policy/modules/contrib/asterisk.te
index 9d8b56e..db0efef 100644
--- a/policy/modules/contrib/asterisk.te
+++ b/policy/modules/contrib/asterisk.te
@@ -1,4 +1,4 @@
-policy_module(asterisk, 1.16.1)
+policy_module(asterisk, 1.17.0)
########################################
#
diff --git a/policy/modules/contrib/automount.te b/policy/modules/contrib/automount.te
index a8692da..ae42106 100644
--- a/policy/modules/contrib/automount.te
+++ b/policy/modules/contrib/automount.te
@@ -1,4 +1,4 @@
-policy_module(automount, 1.17.1)
+policy_module(automount, 1.18.0)
########################################
#
diff --git a/policy/modules/contrib/avahi.te b/policy/modules/contrib/avahi.te
index fe8b0da..d5d87ee 100644
--- a/policy/modules/contrib/avahi.te
+++ b/policy/modules/contrib/avahi.te
@@ -1,4 +1,4 @@
-policy_module(avahi, 1.17.1)
+policy_module(avahi, 1.18.0)
########################################
#
diff --git a/policy/modules/contrib/bacula.te b/policy/modules/contrib/bacula.te
index d32e85a..2050984 100644
--- a/policy/modules/contrib/bacula.te
+++ b/policy/modules/contrib/bacula.te
@@ -1,4 +1,4 @@
-policy_module(bacula, 1.3.1)
+policy_module(bacula, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/bcfg2.te b/policy/modules/contrib/bcfg2.te
index cf7c671..24e70b8 100644
--- a/policy/modules/contrib/bcfg2.te
+++ b/policy/modules/contrib/bcfg2.te
@@ -1,4 +1,4 @@
-policy_module(bcfg2, 1.2.1)
+policy_module(bcfg2, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/bind.te b/policy/modules/contrib/bind.te
index 5f0106e..bfec7c7 100644
--- a/policy/modules/contrib/bind.te
+++ b/policy/modules/contrib/bind.te
@@ -1,4 +1,4 @@
-policy_module(bind, 1.17.1)
+policy_module(bind, 1.18.0)
########################################
#
diff --git a/policy/modules/contrib/bird.te b/policy/modules/contrib/bird.te
index 9f77835..dcf8f0b 100644
--- a/policy/modules/contrib/bird.te
+++ b/policy/modules/contrib/bird.te
@@ -1,4 +1,4 @@
-policy_module(bird, 1.2.1)
+policy_module(bird, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/bitlbee.te b/policy/modules/contrib/bitlbee.te
index 26ffa0d..93d4385 100644
--- a/policy/modules/contrib/bitlbee.te
+++ b/policy/modules/contrib/bitlbee.te
@@ -1,4 +1,4 @@
-policy_module(bitlbee, 1.6.1)
+policy_module(bitlbee, 1.7.0)
########################################
#
diff --git a/policy/modules/contrib/bluetooth.te b/policy/modules/contrib/bluetooth.te
index ef3dd9a..ceb79e6 100644
--- a/policy/modules/contrib/bluetooth.te
+++ b/policy/modules/contrib/bluetooth.te
@@ -1,4 +1,4 @@
-policy_module(bluetooth, 3.6.1)
+policy_module(bluetooth, 3.7.0)
########################################
#
diff --git a/policy/modules/contrib/boinc.te b/policy/modules/contrib/boinc.te
index 0296cd1..6480320 100644
--- a/policy/modules/contrib/boinc.te
+++ b/policy/modules/contrib/boinc.te
@@ -1,4 +1,4 @@
-policy_module(boinc, 1.4.1)
+policy_module(boinc, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/cachefilesd.te b/policy/modules/contrib/cachefilesd.te
index b4a509e..c8cf94c 100644
--- a/policy/modules/contrib/cachefilesd.te
+++ b/policy/modules/contrib/cachefilesd.te
@@ -1,4 +1,4 @@
-policy_module(cachefilesd, 1.2.1)
+policy_module(cachefilesd, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/callweaver.te b/policy/modules/contrib/callweaver.te
index 6d5e4f7..d67ad9b 100644
--- a/policy/modules/contrib/callweaver.te
+++ b/policy/modules/contrib/callweaver.te
@@ -1,4 +1,4 @@
-policy_module(callweaver, 1.2.1)
+policy_module(callweaver, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/canna.te b/policy/modules/contrib/canna.te
index d7cf9e1..6738527 100644
--- a/policy/modules/contrib/canna.te
+++ b/policy/modules/contrib/canna.te
@@ -1,4 +1,4 @@
-policy_module(canna, 1.13.1)
+policy_module(canna, 1.14.0)
########################################
#
diff --git a/policy/modules/contrib/ccs.te b/policy/modules/contrib/ccs.te
index c176887..9bf4039 100644
--- a/policy/modules/contrib/ccs.te
+++ b/policy/modules/contrib/ccs.te
@@ -1,4 +1,4 @@
-policy_module(ccs, 1.9.1)
+policy_module(ccs, 1.10.0)
########################################
#
diff --git a/policy/modules/contrib/certmaster.te b/policy/modules/contrib/certmaster.te
index 605d0c9..16420ae 100644
--- a/policy/modules/contrib/certmaster.te
+++ b/policy/modules/contrib/certmaster.te
@@ -1,4 +1,4 @@
-policy_module(certmaster, 1.4.1)
+policy_module(certmaster, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/certmonger.te b/policy/modules/contrib/certmonger.te
index 5c76d12..defc346 100644
--- a/policy/modules/contrib/certmonger.te
+++ b/policy/modules/contrib/certmonger.te
@@ -1,4 +1,4 @@
-policy_module(certmonger, 1.4.1)
+policy_module(certmonger, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/cgroup.te b/policy/modules/contrib/cgroup.te
index 3538fee..b9a20ff 100644
--- a/policy/modules/contrib/cgroup.te
+++ b/policy/modules/contrib/cgroup.te
@@ -1,4 +1,4 @@
-policy_module(cgroup, 1.4.1)
+policy_module(cgroup, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/chronyd.te b/policy/modules/contrib/chronyd.te
index e1f2083..97c541c 100644
--- a/policy/modules/contrib/chronyd.te
+++ b/policy/modules/contrib/chronyd.te
@@ -1,4 +1,4 @@
-policy_module(chronyd, 1.3.1)
+policy_module(chronyd, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/clamav.te b/policy/modules/contrib/clamav.te
index f6bef6e..0940e43 100644
--- a/policy/modules/contrib/clamav.te
+++ b/policy/modules/contrib/clamav.te
@@ -1,4 +1,4 @@
-policy_module(clamav, 1.13.1)
+policy_module(clamav, 1.14.0)
## <desc>
## <p>
diff --git a/policy/modules/contrib/clogd.te b/policy/modules/contrib/clogd.te
index 9784fe7..356ef46 100644
--- a/policy/modules/contrib/clogd.te
+++ b/policy/modules/contrib/clogd.te
@@ -1,4 +1,4 @@
-policy_module(clogd, 1.1.1)
+policy_module(clogd, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/cmirrord.te b/policy/modules/contrib/cmirrord.te
index bebf008..d916d65 100644
--- a/policy/modules/contrib/cmirrord.te
+++ b/policy/modules/contrib/cmirrord.te
@@ -1,4 +1,4 @@
-policy_module(cmirrord, 1.2.1)
+policy_module(cmirrord, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/collectd.te b/policy/modules/contrib/collectd.te
index d1d5a80..e9e6d13 100644
--- a/policy/modules/contrib/collectd.te
+++ b/policy/modules/contrib/collectd.te
@@ -1,4 +1,4 @@
-policy_module(collectd, 1.2.1)
+policy_module(collectd, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/colord.te b/policy/modules/contrib/colord.te
index 48c177a..b7a2b96 100644
--- a/policy/modules/contrib/colord.te
+++ b/policy/modules/contrib/colord.te
@@ -1,4 +1,4 @@
-policy_module(colord, 1.2.1)
+policy_module(colord, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/condor.te b/policy/modules/contrib/condor.te
index df34bb2..3393766 100644
--- a/policy/modules/contrib/condor.te
+++ b/policy/modules/contrib/condor.te
@@ -1,4 +1,4 @@
-policy_module(condor, 1.3.1)
+policy_module(condor, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/consolekit.te b/policy/modules/contrib/consolekit.te
index e842f68..5b11390 100644
--- a/policy/modules/contrib/consolekit.te
+++ b/policy/modules/contrib/consolekit.te
@@ -1,4 +1,4 @@
-policy_module(consolekit, 1.11.1)
+policy_module(consolekit, 1.12.0)
########################################
#
diff --git a/policy/modules/contrib/corosync.te b/policy/modules/contrib/corosync.te
index 231db79..43ec8c6 100644
--- a/policy/modules/contrib/corosync.te
+++ b/policy/modules/contrib/corosync.te
@@ -1,4 +1,4 @@
-policy_module(corosync, 1.2.1)
+policy_module(corosync, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/couchdb.te b/policy/modules/contrib/couchdb.te
index 4dc1d49..dbb4cf9 100644
--- a/policy/modules/contrib/couchdb.te
+++ b/policy/modules/contrib/couchdb.te
@@ -1,4 +1,4 @@
-policy_module(couchdb, 1.4.1)
+policy_module(couchdb, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/courier.te b/policy/modules/contrib/courier.te
index bf81144..35ba8d8 100644
--- a/policy/modules/contrib/courier.te
+++ b/policy/modules/contrib/courier.te
@@ -1,4 +1,4 @@
-policy_module(courier, 1.15.1)
+policy_module(courier, 1.16.0)
########################################
#
diff --git a/policy/modules/contrib/cpucontrol.te b/policy/modules/contrib/cpucontrol.te
index 6ad420e..5b7c320 100644
--- a/policy/modules/contrib/cpucontrol.te
+++ b/policy/modules/contrib/cpucontrol.te
@@ -1,4 +1,4 @@
-policy_module(cpucontrol, 1.5.2)
+policy_module(cpucontrol, 1.6.0)
########################################
#
diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te
index f37849e..1c6f386 100644
--- a/policy/modules/contrib/cron.te
+++ b/policy/modules/contrib/cron.te
@@ -1,4 +1,4 @@
-policy_module(cron, 2.10.1)
+policy_module(cron, 2.11.0)
gen_require(`
class passwd rootok;
diff --git a/policy/modules/contrib/ctdb.te b/policy/modules/contrib/ctdb.te
index 93e5ffc..4f9c3f0 100644
--- a/policy/modules/contrib/ctdb.te
+++ b/policy/modules/contrib/ctdb.te
@@ -1,4 +1,4 @@
-policy_module(ctdb, 1.3.1)
+policy_module(ctdb, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te
index d20fc88..f5bf055 100644
--- a/policy/modules/contrib/cups.te
+++ b/policy/modules/contrib/cups.te
@@ -1,4 +1,4 @@
-policy_module(cups, 1.20.4)
+policy_module(cups, 1.21.0)
########################################
#
diff --git a/policy/modules/contrib/cvs.te b/policy/modules/contrib/cvs.te
index 26c8a35..ab055c9 100644
--- a/policy/modules/contrib/cvs.te
+++ b/policy/modules/contrib/cvs.te
@@ -1,4 +1,4 @@
-policy_module(cvs, 1.12.2)
+policy_module(cvs, 1.13.0)
########################################
#
diff --git a/policy/modules/contrib/cyphesis.te b/policy/modules/contrib/cyphesis.te
index b32dc2c..5707b61 100644
--- a/policy/modules/contrib/cyphesis.te
+++ b/policy/modules/contrib/cyphesis.te
@@ -1,4 +1,4 @@
-policy_module(cyphesis, 1.4.1)
+policy_module(cyphesis, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/cyrus.te b/policy/modules/contrib/cyrus.te
index d81b208..02c0a74 100644
--- a/policy/modules/contrib/cyrus.te
+++ b/policy/modules/contrib/cyrus.te
@@ -1,4 +1,4 @@
-policy_module(cyrus, 1.15.1)
+policy_module(cyrus, 1.16.0)
########################################
#
diff --git a/policy/modules/contrib/dante.te b/policy/modules/contrib/dante.te
index ce7ef47..4ed8790 100644
--- a/policy/modules/contrib/dante.te
+++ b/policy/modules/contrib/dante.te
@@ -1,4 +1,4 @@
-policy_module(dante, 1.10.1)
+policy_module(dante, 1.11.0)
########################################
#
diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index 0dc15a7..996fc68 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -1,4 +1,4 @@
-policy_module(dbus, 1.21.3)
+policy_module(dbus, 1.22.0)
gen_require(`
class dbus all_dbus_perms;
diff --git a/policy/modules/contrib/dcc.te b/policy/modules/contrib/dcc.te
index 6a0e589..0a6abd4 100644
--- a/policy/modules/contrib/dcc.te
+++ b/policy/modules/contrib/dcc.te
@@ -1,4 +1,4 @@
-policy_module(dcc, 1.12.1)
+policy_module(dcc, 1.13.0)
########################################
#
diff --git a/policy/modules/contrib/ddclient.te b/policy/modules/contrib/ddclient.te
index 023d483..333d309 100644
--- a/policy/modules/contrib/ddclient.te
+++ b/policy/modules/contrib/ddclient.te
@@ -1,4 +1,4 @@
-policy_module(ddclient, 1.11.1)
+policy_module(ddclient, 1.12.0)
########################################
#
diff --git a/policy/modules/contrib/devicekit.te b/policy/modules/contrib/devicekit.te
index ecf3ac6..229c6b2 100644
--- a/policy/modules/contrib/devicekit.te
+++ b/policy/modules/contrib/devicekit.te
@@ -1,4 +1,4 @@
-policy_module(devicekit, 1.5.3)
+policy_module(devicekit, 1.6.0)
########################################
#
diff --git a/policy/modules/contrib/dhcp.te b/policy/modules/contrib/dhcp.te
index b71e0d6..a5f6ecd 100644
--- a/policy/modules/contrib/dhcp.te
+++ b/policy/modules/contrib/dhcp.te
@@ -1,4 +1,4 @@
-policy_module(dhcp, 1.13.1)
+policy_module(dhcp, 1.14.0)
########################################
#
diff --git a/policy/modules/contrib/dictd.te b/policy/modules/contrib/dictd.te
index 17a088e..74b3885 100644
--- a/policy/modules/contrib/dictd.te
+++ b/policy/modules/contrib/dictd.te
@@ -1,4 +1,4 @@
-policy_module(dictd, 1.9.1)
+policy_module(dictd, 1.10.0)
########################################
#
diff --git a/policy/modules/contrib/dirmngr.te b/policy/modules/contrib/dirmngr.te
index de012ff..df4963b 100644
--- a/policy/modules/contrib/dirmngr.te
+++ b/policy/modules/contrib/dirmngr.te
@@ -1,4 +1,4 @@
-policy_module(dirmngr, 1.1.1)
+policy_module(dirmngr, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/distcc.te b/policy/modules/contrib/distcc.te
index d235e7b..4239519 100644
--- a/policy/modules/contrib/distcc.te
+++ b/policy/modules/contrib/distcc.te
@@ -1,4 +1,4 @@
-policy_module(distcc, 1.11.1)
+policy_module(distcc, 1.12.0)
########################################
#
diff --git a/policy/modules/contrib/dkim.te b/policy/modules/contrib/dkim.te
index b9b4a25..9ef8d76 100644
--- a/policy/modules/contrib/dkim.te
+++ b/policy/modules/contrib/dkim.te
@@ -1,4 +1,4 @@
-policy_module(dkim, 1.4.1)
+policy_module(dkim, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/dnsmasq.te b/policy/modules/contrib/dnsmasq.te
index 471e52f..23fdaa0 100644
--- a/policy/modules/contrib/dnsmasq.te
+++ b/policy/modules/contrib/dnsmasq.te
@@ -1,4 +1,4 @@
-policy_module(dnsmasq, 1.13.1)
+policy_module(dnsmasq, 1.14.0)
########################################
#
diff --git a/policy/modules/contrib/dnssectrigger.te b/policy/modules/contrib/dnssectrigger.te
index 7911814..e6c5840 100644
--- a/policy/modules/contrib/dnssectrigger.te
+++ b/policy/modules/contrib/dnssectrigger.te
@@ -1,4 +1,4 @@
-policy_module(dnssectrigger, 1.2.1)
+policy_module(dnssectrigger, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/dovecot.te b/policy/modules/contrib/dovecot.te
index 528a38b..fcfcf3c 100644
--- a/policy/modules/contrib/dovecot.te
+++ b/policy/modules/contrib/dovecot.te
@@ -1,4 +1,4 @@
-policy_module(dovecot, 1.18.1)
+policy_module(dovecot, 1.19.0)
########################################
#
diff --git a/policy/modules/contrib/dspam.te b/policy/modules/contrib/dspam.te
index fdeb91a..c90f7ff 100644
--- a/policy/modules/contrib/dspam.te
+++ b/policy/modules/contrib/dspam.te
@@ -1,4 +1,4 @@
-policy_module(dspam, 1.2.1)
+policy_module(dspam, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/entropyd.te b/policy/modules/contrib/entropyd.te
index 939e534..991b621 100644
--- a/policy/modules/contrib/entropyd.te
+++ b/policy/modules/contrib/entropyd.te
@@ -1,4 +1,4 @@
-policy_module(entropyd, 1.10.1)
+policy_module(entropyd, 1.11.0)
########################################
#
diff --git a/policy/modules/contrib/evolution.te b/policy/modules/contrib/evolution.te
index 7218d82..b2376d6 100644
--- a/policy/modules/contrib/evolution.te
+++ b/policy/modules/contrib/evolution.te
@@ -1,4 +1,4 @@
-policy_module(evolution, 2.5.4)
+policy_module(evolution, 2.6.0)
########################################
#
diff --git a/policy/modules/contrib/exim.te b/policy/modules/contrib/exim.te
index 26b187a..97dff0a 100644
--- a/policy/modules/contrib/exim.te
+++ b/policy/modules/contrib/exim.te
@@ -1,4 +1,4 @@
-policy_module(exim, 1.9.2)
+policy_module(exim, 1.10.0)
########################################
#
diff --git a/policy/modules/contrib/fail2ban.te b/policy/modules/contrib/fail2ban.te
index cf31033..6f34502 100644
--- a/policy/modules/contrib/fail2ban.te
+++ b/policy/modules/contrib/fail2ban.te
@@ -1,4 +1,4 @@
-policy_module(fail2ban, 1.6.2)
+policy_module(fail2ban, 1.7.0)
########################################
#
diff --git a/policy/modules/contrib/fcoe.te b/policy/modules/contrib/fcoe.te
index e331fc5..706874f 100644
--- a/policy/modules/contrib/fcoe.te
+++ b/policy/modules/contrib/fcoe.te
@@ -1,4 +1,4 @@
-policy_module(fcoe, 1.2.1)
+policy_module(fcoe, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/fetchmail.te b/policy/modules/contrib/fetchmail.te
index 790d0bf..4a078b1 100644
--- a/policy/modules/contrib/fetchmail.te
+++ b/policy/modules/contrib/fetchmail.te
@@ -1,4 +1,4 @@
-policy_module(fetchmail, 1.15.1)
+policy_module(fetchmail, 1.16.0)
########################################
#
diff --git a/policy/modules/contrib/finger.te b/policy/modules/contrib/finger.te
index 31c5dc5..0de8ac2 100644
--- a/policy/modules/contrib/finger.te
+++ b/policy/modules/contrib/finger.te
@@ -1,4 +1,4 @@
-policy_module(finger, 1.11.1)
+policy_module(finger, 1.12.0)
########################################
#
diff --git a/policy/modules/contrib/firewalld.te b/policy/modules/contrib/firewalld.te
index 3b8185e..6ae370b 100644
--- a/policy/modules/contrib/firewalld.te
+++ b/policy/modules/contrib/firewalld.te
@@ -1,4 +1,4 @@
-policy_module(firewalld, 1.4.1)
+policy_module(firewalld, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/fprintd.te b/policy/modules/contrib/fprintd.te
index 00099f9..4ff45da 100644
--- a/policy/modules/contrib/fprintd.te
+++ b/policy/modules/contrib/fprintd.te
@@ -1,4 +1,4 @@
-policy_module(fprintd, 1.2.1)
+policy_module(fprintd, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/ftp.te b/policy/modules/contrib/ftp.te
index d2de1cb..faf6863 100644
--- a/policy/modules/contrib/ftp.te
+++ b/policy/modules/contrib/ftp.te
@@ -1,4 +1,4 @@
-policy_module(ftp, 1.19.1)
+policy_module(ftp, 1.20.0)
########################################
#
diff --git a/policy/modules/contrib/games.te b/policy/modules/contrib/games.te
index 97627c0..0cdebe6 100644
--- a/policy/modules/contrib/games.te
+++ b/policy/modules/contrib/games.te
@@ -1,4 +1,4 @@
-policy_module(games, 2.3.2)
+policy_module(games, 2.4.0)
########################################
#
diff --git a/policy/modules/contrib/gatekeeper.te b/policy/modules/contrib/gatekeeper.te
index 805478b..01dc456 100644
--- a/policy/modules/contrib/gatekeeper.te
+++ b/policy/modules/contrib/gatekeeper.te
@@ -1,4 +1,4 @@
-policy_module(gatekeeper, 1.9.1)
+policy_module(gatekeeper, 1.10.0)
########################################
#
diff --git a/policy/modules/contrib/gdomap.te b/policy/modules/contrib/gdomap.te
index e7a0647..3227543 100644
--- a/policy/modules/contrib/gdomap.te
+++ b/policy/modules/contrib/gdomap.te
@@ -1,4 +1,4 @@
-policy_module(gdomap, 1.2.1)
+policy_module(gdomap, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/gift.te b/policy/modules/contrib/gift.te
index 7e3cc68..2169290 100644
--- a/policy/modules/contrib/gift.te
+++ b/policy/modules/contrib/gift.te
@@ -1,4 +1,4 @@
-policy_module(gift, 2.4.2)
+policy_module(gift, 2.5.0)
########################################
#
diff --git a/policy/modules/contrib/glance.te b/policy/modules/contrib/glance.te
index 26ddf47..20f0ff2 100644
--- a/policy/modules/contrib/glance.te
+++ b/policy/modules/contrib/glance.te
@@ -1,4 +1,4 @@
-policy_module(glance, 1.2.1)
+policy_module(glance, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/glusterfs.te b/policy/modules/contrib/glusterfs.te
index 19dc06f..83a5806 100644
--- a/policy/modules/contrib/glusterfs.te
+++ b/policy/modules/contrib/glusterfs.te
@@ -1,4 +1,4 @@
-policy_module(glusterfs, 1.3.1)
+policy_module(glusterfs, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te
index 4ad4f09..f69c10b 100644
--- a/policy/modules/contrib/gnome.te
+++ b/policy/modules/contrib/gnome.te
@@ -1,4 +1,4 @@
-policy_module(gnome, 2.6.4)
+policy_module(gnome, 2.7.0)
##############################
#
diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index 44ee6ca..4345bd0 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -1,4 +1,4 @@
-policy_module(gpg, 2.10.4)
+policy_module(gpg, 2.11.0)
########################################
#
diff --git a/policy/modules/contrib/gpm.te b/policy/modules/contrib/gpm.te
index fc4643e..087ddce 100644
--- a/policy/modules/contrib/gpm.te
+++ b/policy/modules/contrib/gpm.te
@@ -1,4 +1,4 @@
-policy_module(gpm, 1.10.1)
+policy_module(gpm, 1.11.0)
########################################
#
diff --git a/policy/modules/contrib/gpsd.te b/policy/modules/contrib/gpsd.te
index 4021a88..bd09110 100644
--- a/policy/modules/contrib/gpsd.te
+++ b/policy/modules/contrib/gpsd.te
@@ -1,4 +1,4 @@
-policy_module(gpsd, 1.3.1)
+policy_module(gpsd, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/hadoop.te b/policy/modules/contrib/hadoop.te
index 62707b9..f22683e 100644
--- a/policy/modules/contrib/hadoop.te
+++ b/policy/modules/contrib/hadoop.te
@@ -1,4 +1,4 @@
-policy_module(hadoop, 1.4.1)
+policy_module(hadoop, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/hal.te b/policy/modules/contrib/hal.te
index 1f7ad0d..d3296e2 100644
--- a/policy/modules/contrib/hal.te
+++ b/policy/modules/contrib/hal.te
@@ -1,4 +1,4 @@
-policy_module(hal, 1.16.1)
+policy_module(hal, 1.17.0)
########################################
#
diff --git a/policy/modules/contrib/howl.te b/policy/modules/contrib/howl.te
index a45f048..6bbede5 100644
--- a/policy/modules/contrib/howl.te
+++ b/policy/modules/contrib/howl.te
@@ -1,4 +1,4 @@
-policy_module(howl, 1.11.1)
+policy_module(howl, 1.12.0)
########################################
#
diff --git a/policy/modules/contrib/hwloc.te b/policy/modules/contrib/hwloc.te
index 00ecbd8..716a590 100644
--- a/policy/modules/contrib/hwloc.te
+++ b/policy/modules/contrib/hwloc.te
@@ -1,4 +1,4 @@
-policy_module(hwloc, 1.0.1)
+policy_module(hwloc, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/i18n_input.te b/policy/modules/contrib/i18n_input.te
index 8f31165..d1a4266 100644
--- a/policy/modules/contrib/i18n_input.te
+++ b/policy/modules/contrib/i18n_input.te
@@ -1,4 +1,4 @@
-policy_module(i18n_input, 1.10.1)
+policy_module(i18n_input, 1.11.0)
########################################
#
diff --git a/policy/modules/contrib/icecast.te b/policy/modules/contrib/icecast.te
index b0794b9..acbb3fc 100644
--- a/policy/modules/contrib/icecast.te
+++ b/policy/modules/contrib/icecast.te
@@ -1,4 +1,4 @@
-policy_module(icecast, 1.3.1)
+policy_module(icecast, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/ifplugd.te b/policy/modules/contrib/ifplugd.te
index 8bdd562..addcca5 100644
--- a/policy/modules/contrib/ifplugd.te
+++ b/policy/modules/contrib/ifplugd.te
@@ -1,4 +1,4 @@
-policy_module(ifplugd, 1.2.1)
+policy_module(ifplugd, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/imaze.te b/policy/modules/contrib/imaze.te
index 3c6db52..f7b386b 100644
--- a/policy/modules/contrib/imaze.te
+++ b/policy/modules/contrib/imaze.te
@@ -1,4 +1,4 @@
-policy_module(imaze, 1.8.1)
+policy_module(imaze, 1.9.0)
########################################
#
diff --git a/policy/modules/contrib/inetd.te b/policy/modules/contrib/inetd.te
index 7d07ae6..1974c11 100644
--- a/policy/modules/contrib/inetd.te
+++ b/policy/modules/contrib/inetd.te
@@ -1,4 +1,4 @@
-policy_module(inetd, 1.13.1)
+policy_module(inetd, 1.14.0)
########################################
#
diff --git a/policy/modules/contrib/inn.te b/policy/modules/contrib/inn.te
index d086ffd..dc5c007 100644
--- a/policy/modules/contrib/inn.te
+++ b/policy/modules/contrib/inn.te
@@ -1,4 +1,4 @@
-policy_module(inn, 1.12.1)
+policy_module(inn, 1.13.0)
########################################
#
diff --git a/policy/modules/contrib/ircd.te b/policy/modules/contrib/ircd.te
index 3c93051..94c9c23 100644
--- a/policy/modules/contrib/ircd.te
+++ b/policy/modules/contrib/ircd.te
@@ -1,4 +1,4 @@
-policy_module(ircd, 1.9.1)
+policy_module(ircd, 1.10.0)
########################################
#
diff --git a/policy/modules/contrib/irqbalance.te b/policy/modules/contrib/irqbalance.te
index 5ce12a3..b8cea5e 100644
--- a/policy/modules/contrib/irqbalance.te
+++ b/policy/modules/contrib/irqbalance.te
@@ -1,4 +1,4 @@
-policy_module(irqbalance, 1.8.2)
+policy_module(irqbalance, 1.9.0)
########################################
#
diff --git a/policy/modules/contrib/iscsi.te b/policy/modules/contrib/iscsi.te
index 4bf0535..54f187c 100644
--- a/policy/modules/contrib/iscsi.te
+++ b/policy/modules/contrib/iscsi.te
@@ -1,4 +1,4 @@
-policy_module(iscsi, 1.10.1)
+policy_module(iscsi, 1.11.0)
########################################
#
diff --git a/policy/modules/contrib/isns.te b/policy/modules/contrib/isns.te
index 1d581b3..83356b9 100644
--- a/policy/modules/contrib/isns.te
+++ b/policy/modules/contrib/isns.te
@@ -1,4 +1,4 @@
-policy_module(isns, 1.1.1)
+policy_module(isns, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/jabber.te b/policy/modules/contrib/jabber.te
index 0975b1d..fdea29d 100644
--- a/policy/modules/contrib/jabber.te
+++ b/policy/modules/contrib/jabber.te
@@ -1,4 +1,4 @@
-policy_module(jabber, 1.11.1)
+policy_module(jabber, 1.12.0)
########################################
#
diff --git a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te
index 37f0015..7568835 100644
--- a/policy/modules/contrib/java.te
+++ b/policy/modules/contrib/java.te
@@ -1,4 +1,4 @@
-policy_module(java, 2.8.1)
+policy_module(java, 2.9.0)
########################################
#
diff --git a/policy/modules/contrib/kismet.te b/policy/modules/contrib/kismet.te
index d791b71..30c8c68 100644
--- a/policy/modules/contrib/kismet.te
+++ b/policy/modules/contrib/kismet.te
@@ -1,4 +1,4 @@
-policy_module(kismet, 1.9.1)
+policy_module(kismet, 1.10.0)
########################################
#
diff --git a/policy/modules/contrib/ksmtuned.te b/policy/modules/contrib/ksmtuned.te
index 4a2873e..f03cf59 100644
--- a/policy/modules/contrib/ksmtuned.te
+++ b/policy/modules/contrib/ksmtuned.te
@@ -1,4 +1,4 @@
-policy_module(ksmtuned, 1.3.1)
+policy_module(ksmtuned, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/kudzu.te b/policy/modules/contrib/kudzu.te
index 8406d30..a5f9182 100644
--- a/policy/modules/contrib/kudzu.te
+++ b/policy/modules/contrib/kudzu.te
@@ -1,4 +1,4 @@
-policy_module(kudzu, 1.11.1)
+policy_module(kudzu, 1.12.0)
########################################
#
diff --git a/policy/modules/contrib/l2tp.te b/policy/modules/contrib/l2tp.te
index 8d6a822..b45a216 100644
--- a/policy/modules/contrib/l2tp.te
+++ b/policy/modules/contrib/l2tp.te
@@ -1,4 +1,4 @@
-policy_module(l2tp, 1.2.1)
+policy_module(l2tp, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/ldap.te b/policy/modules/contrib/ldap.te
index bdae0f2..b740c73 100644
--- a/policy/modules/contrib/ldap.te
+++ b/policy/modules/contrib/ldap.te
@@ -1,4 +1,4 @@
-policy_module(ldap, 1.14.1)
+policy_module(ldap, 1.15.0)
########################################
#
diff --git a/policy/modules/contrib/likewise.te b/policy/modules/contrib/likewise.te
index 5a9b126..58c0571 100644
--- a/policy/modules/contrib/likewise.te
+++ b/policy/modules/contrib/likewise.te
@@ -1,4 +1,4 @@
-policy_module(likewise, 1.4.1)
+policy_module(likewise, 1.5.0)
#################################
#
diff --git a/policy/modules/contrib/lircd.te b/policy/modules/contrib/lircd.te
index 43bd5aa..8807802 100644
--- a/policy/modules/contrib/lircd.te
+++ b/policy/modules/contrib/lircd.te
@@ -1,4 +1,4 @@
-policy_module(lircd, 1.3.1)
+policy_module(lircd, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/lldpad.te b/policy/modules/contrib/lldpad.te
index 0f2c094..803bf48 100644
--- a/policy/modules/contrib/lldpad.te
+++ b/policy/modules/contrib/lldpad.te
@@ -1,4 +1,4 @@
-policy_module(lldpad, 1.2.1)
+policy_module(lldpad, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/loadkeys.te b/policy/modules/contrib/loadkeys.te
index 2ad9e9d..ad97422 100644
--- a/policy/modules/contrib/loadkeys.te
+++ b/policy/modules/contrib/loadkeys.te
@@ -1,4 +1,4 @@
-policy_module(loadkeys, 1.10.1)
+policy_module(loadkeys, 1.11.0)
########################################
#
diff --git a/policy/modules/contrib/logwatch.te b/policy/modules/contrib/logwatch.te
index e8cc44a..353a531 100644
--- a/policy/modules/contrib/logwatch.te
+++ b/policy/modules/contrib/logwatch.te
@@ -1,4 +1,4 @@
-policy_module(logwatch, 1.13.1)
+policy_module(logwatch, 1.14.0)
#################################
#
diff --git a/policy/modules/contrib/lpd.te b/policy/modules/contrib/lpd.te
index 7a769d1..8798471 100644
--- a/policy/modules/contrib/lpd.te
+++ b/policy/modules/contrib/lpd.te
@@ -1,4 +1,4 @@
-policy_module(lpd, 1.14.1)
+policy_module(lpd, 1.15.0)
########################################
#
diff --git a/policy/modules/contrib/lsm.te b/policy/modules/contrib/lsm.te
index 06a710c..423296d 100644
--- a/policy/modules/contrib/lsm.te
+++ b/policy/modules/contrib/lsm.te
@@ -1,4 +1,4 @@
-policy_module(lsm, 1.0.1)
+policy_module(lsm, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/mailman.te b/policy/modules/contrib/mailman.te
index 8d52f41..46d98e7 100644
--- a/policy/modules/contrib/mailman.te
+++ b/policy/modules/contrib/mailman.te
@@ -1,4 +1,4 @@
-policy_module(mailman, 1.11.1)
+policy_module(mailman, 1.12.0)
########################################
#
diff --git a/policy/modules/contrib/mailscanner.te b/policy/modules/contrib/mailscanner.te
index a88daca..14840ed 100644
--- a/policy/modules/contrib/mailscanner.te
+++ b/policy/modules/contrib/mailscanner.te
@@ -1,4 +1,4 @@
-policy_module(mailscanner, 1.2.1)
+policy_module(mailscanner, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/mcelog.te b/policy/modules/contrib/mcelog.te
index f7fad77..8e62b7a 100644
--- a/policy/modules/contrib/mcelog.te
+++ b/policy/modules/contrib/mcelog.te
@@ -1,4 +1,4 @@
-policy_module(mcelog, 1.4.1)
+policy_module(mcelog, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/memcached.te b/policy/modules/contrib/memcached.te
index fb0c723..570035e 100644
--- a/policy/modules/contrib/memcached.te
+++ b/policy/modules/contrib/memcached.te
@@ -1,4 +1,4 @@
-policy_module(memcached, 1.5.1)
+policy_module(memcached, 1.6.0)
########################################
#
diff --git a/policy/modules/contrib/milter.te b/policy/modules/contrib/milter.te
index e8a2975..c25488c 100644
--- a/policy/modules/contrib/milter.te
+++ b/policy/modules/contrib/milter.te
@@ -1,4 +1,4 @@
-policy_module(milter, 1.5.1)
+policy_module(milter, 1.6.0)
########################################
#
diff --git a/policy/modules/contrib/minidlna.te b/policy/modules/contrib/minidlna.te
index 84a6d06..3ab4189 100644
--- a/policy/modules/contrib/minidlna.te
+++ b/policy/modules/contrib/minidlna.te
@@ -1,4 +1,4 @@
-policy_module(minidlna, 1.0.1)
+policy_module(minidlna, 1.1.0)
#############################################
#
diff --git a/policy/modules/contrib/minissdpd.te b/policy/modules/contrib/minissdpd.te
index 294da71..f1a3702 100644
--- a/policy/modules/contrib/minissdpd.te
+++ b/policy/modules/contrib/minissdpd.te
@@ -1,4 +1,4 @@
-policy_module(minissdpd, 1.2.1)
+policy_module(minissdpd, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/mojomojo.te b/policy/modules/contrib/mojomojo.te
index c1d0ce4..8f4d477 100644
--- a/policy/modules/contrib/mojomojo.te
+++ b/policy/modules/contrib/mojomojo.te
@@ -1,4 +1,4 @@
-policy_module(mojomojo, 1.1.1)
+policy_module(mojomojo, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/mongodb.te b/policy/modules/contrib/mongodb.te
index 8264071..bf2b56f 100644
--- a/policy/modules/contrib/mongodb.te
+++ b/policy/modules/contrib/mongodb.te
@@ -1,4 +1,4 @@
-policy_module(mongodb, 1.2.1)
+policy_module(mongodb, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/mono.te b/policy/modules/contrib/mono.te
index 9d46bc5..3bb756a 100644
--- a/policy/modules/contrib/mono.te
+++ b/policy/modules/contrib/mono.te
@@ -1,4 +1,4 @@
-policy_module(mono, 1.9.1)
+policy_module(mono, 1.10.0)
########################################
#
diff --git a/policy/modules/contrib/monop.te b/policy/modules/contrib/monop.te
index c24bca0..091f315 100644
--- a/policy/modules/contrib/monop.te
+++ b/policy/modules/contrib/monop.te
@@ -1,4 +1,4 @@
-policy_module(monop, 1.9.1)
+policy_module(monop, 1.10.0)
########################################
#
diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
index 454bd3d..9eb99c3 100644
--- a/policy/modules/contrib/mozilla.te
+++ b/policy/modules/contrib/mozilla.te
@@ -1,4 +1,4 @@
-policy_module(mozilla, 2.10.6)
+policy_module(mozilla, 2.11.0)
########################################
#
diff --git a/policy/modules/contrib/mplayer.te b/policy/modules/contrib/mplayer.te
index d39f7d4..97390a8 100644
--- a/policy/modules/contrib/mplayer.te
+++ b/policy/modules/contrib/mplayer.te
@@ -1,4 +1,4 @@
-policy_module(mplayer, 2.6.1)
+policy_module(mplayer, 2.7.0)
########################################
#
diff --git a/policy/modules/contrib/mrtg.te b/policy/modules/contrib/mrtg.te
index 87d3adc..42b484c 100644
--- a/policy/modules/contrib/mrtg.te
+++ b/policy/modules/contrib/mrtg.te
@@ -1,4 +1,4 @@
-policy_module(mrtg, 1.10.1)
+policy_module(mrtg, 1.11.0)
########################################
#
diff --git a/policy/modules/contrib/munin.te b/policy/modules/contrib/munin.te
index e4c7b55..16f15dd 100644
--- a/policy/modules/contrib/munin.te
+++ b/policy/modules/contrib/munin.te
@@ -1,4 +1,4 @@
-policy_module(munin, 1.11.1)
+policy_module(munin, 1.12.0)
########################################
#
diff --git a/policy/modules/contrib/mysql.te b/policy/modules/contrib/mysql.te
index 8534001..571f9ce 100644
--- a/policy/modules/contrib/mysql.te
+++ b/policy/modules/contrib/mysql.te
@@ -1,4 +1,4 @@
-policy_module(mysql, 1.18.1)
+policy_module(mysql, 1.19.0)
########################################
#
diff --git a/policy/modules/contrib/nagios.te b/policy/modules/contrib/nagios.te
index ee16a5a..3f1a7b9 100644
--- a/policy/modules/contrib/nagios.te
+++ b/policy/modules/contrib/nagios.te
@@ -1,4 +1,4 @@
-policy_module(nagios, 1.14.2)
+policy_module(nagios, 1.15.0)
########################################
#
diff --git a/policy/modules/contrib/nessus.te b/policy/modules/contrib/nessus.te
index 7739066..e14a3f3 100644
--- a/policy/modules/contrib/nessus.te
+++ b/policy/modules/contrib/nessus.te
@@ -1,4 +1,4 @@
-policy_module(nessus, 1.10.1)
+policy_module(nessus, 1.11.0)
########################################
#
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index 269031a..3b66680 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -1,4 +1,4 @@
-policy_module(networkmanager, 1.19.5)
+policy_module(networkmanager, 1.20.0)
########################################
#
diff --git a/policy/modules/contrib/nis.te b/policy/modules/contrib/nis.te
index 5d974b7..0fda4fa 100644
--- a/policy/modules/contrib/nis.te
+++ b/policy/modules/contrib/nis.te
@@ -1,4 +1,4 @@
-policy_module(nis, 1.14.1)
+policy_module(nis, 1.15.0)
########################################
#
diff --git a/policy/modules/contrib/nscd.te b/policy/modules/contrib/nscd.te
index dbcdee9..dfd1adf 100644
--- a/policy/modules/contrib/nscd.te
+++ b/policy/modules/contrib/nscd.te
@@ -1,4 +1,4 @@
-policy_module(nscd, 1.14.1)
+policy_module(nscd, 1.15.0)
gen_require(`
class nscd all_nscd_perms;
diff --git a/policy/modules/contrib/nsd.te b/policy/modules/contrib/nsd.te
index 0e0ce6b..911aa8c 100644
--- a/policy/modules/contrib/nsd.te
+++ b/policy/modules/contrib/nsd.te
@@ -1,4 +1,4 @@
-policy_module(nsd, 1.9.1)
+policy_module(nsd, 1.10.0)
########################################
#
diff --git a/policy/modules/contrib/nslcd.te b/policy/modules/contrib/nslcd.te
index f4e1211..40682ca 100644
--- a/policy/modules/contrib/nslcd.te
+++ b/policy/modules/contrib/nslcd.te
@@ -1,4 +1,4 @@
-policy_module(nslcd, 1.6.1)
+policy_module(nslcd, 1.7.0)
########################################
#
diff --git a/policy/modules/contrib/ntop.te b/policy/modules/contrib/ntop.te
index 8f84398..a350371 100644
--- a/policy/modules/contrib/ntop.te
+++ b/policy/modules/contrib/ntop.te
@@ -1,4 +1,4 @@
-policy_module(ntop, 1.11.1)
+policy_module(ntop, 1.12.0)
########################################
#
diff --git a/policy/modules/contrib/ntp.te b/policy/modules/contrib/ntp.te
index 424ec65..c7c27be 100644
--- a/policy/modules/contrib/ntp.te
+++ b/policy/modules/contrib/ntp.te
@@ -1,4 +1,4 @@
-policy_module(ntp, 1.15.1)
+policy_module(ntp, 1.16.0)
########################################
#
diff --git a/policy/modules/contrib/numad.te b/policy/modules/contrib/numad.te
index 267aac4..f3d831a 100644
--- a/policy/modules/contrib/numad.te
+++ b/policy/modules/contrib/numad.te
@@ -1,4 +1,4 @@
-policy_module(numad, 1.2.1)
+policy_module(numad, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/nut.te b/policy/modules/contrib/nut.te
index 51ed2fb..5471e63 100644
--- a/policy/modules/contrib/nut.te
+++ b/policy/modules/contrib/nut.te
@@ -1,4 +1,4 @@
-policy_module(nut, 1.5.2)
+policy_module(nut, 1.6.0)
########################################
#
diff --git a/policy/modules/contrib/oddjob.te b/policy/modules/contrib/oddjob.te
index e46b1d6..cf72de7 100644
--- a/policy/modules/contrib/oddjob.te
+++ b/policy/modules/contrib/oddjob.te
@@ -1,4 +1,4 @@
-policy_module(oddjob, 1.10.1)
+policy_module(oddjob, 1.11.0)
########################################
#
diff --git a/policy/modules/contrib/openct.te b/policy/modules/contrib/openct.te
index 4dfe446..5002e6a 100644
--- a/policy/modules/contrib/openct.te
+++ b/policy/modules/contrib/openct.te
@@ -1,4 +1,4 @@
-policy_module(openct, 1.8.1)
+policy_module(openct, 1.9.0)
########################################
#
diff --git a/policy/modules/contrib/openhpi.te b/policy/modules/contrib/openhpi.te
index ee5eabc..ea84055 100644
--- a/policy/modules/contrib/openhpi.te
+++ b/policy/modules/contrib/openhpi.te
@@ -1,4 +1,4 @@
-policy_module(openhpi, 1.2.1)
+policy_module(openhpi, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/openoffice.te b/policy/modules/contrib/openoffice.te
index 111263a..148ff23 100644
--- a/policy/modules/contrib/openoffice.te
+++ b/policy/modules/contrib/openoffice.te
@@ -1,4 +1,4 @@
-policy_module(openoffice, 1.0.4)
+policy_module(openoffice, 1.1.0)
##############################
#
diff --git a/policy/modules/contrib/openvpn.te b/policy/modules/contrib/openvpn.te
index 28b1a52..cce2031 100644
--- a/policy/modules/contrib/openvpn.te
+++ b/policy/modules/contrib/openvpn.te
@@ -1,4 +1,4 @@
-policy_module(openvpn, 1.14.1)
+policy_module(openvpn, 1.15.0)
########################################
#
diff --git a/policy/modules/contrib/openvswitch.te b/policy/modules/contrib/openvswitch.te
index a5bcfb5..04cbe90 100644
--- a/policy/modules/contrib/openvswitch.te
+++ b/policy/modules/contrib/openvswitch.te
@@ -1,4 +1,4 @@
-policy_module(openvswitch, 1.3.1)
+policy_module(openvswitch, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/pacemaker.te b/policy/modules/contrib/pacemaker.te
index d897b26..6d1b3c4 100644
--- a/policy/modules/contrib/pacemaker.te
+++ b/policy/modules/contrib/pacemaker.te
@@ -1,4 +1,4 @@
-policy_module(pacemaker, 1.2.1)
+policy_module(pacemaker, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/pads.te b/policy/modules/contrib/pads.te
index 42a9337..98d22bf 100644
--- a/policy/modules/contrib/pads.te
+++ b/policy/modules/contrib/pads.te
@@ -1,4 +1,4 @@
-policy_module(pads, 1.2.1)
+policy_module(pads, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/passenger.te b/policy/modules/contrib/passenger.te
index eb8d545..85fb36d 100644
--- a/policy/modules/contrib/passenger.te
+++ b/policy/modules/contrib/passenger.te
@@ -1,4 +1,4 @@
-policy_module(passenger, 1.2.1)
+policy_module(passenger, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/pcmcia.te b/policy/modules/contrib/pcmcia.te
index 489aca1..b845487 100644
--- a/policy/modules/contrib/pcmcia.te
+++ b/policy/modules/contrib/pcmcia.te
@@ -1,4 +1,4 @@
-policy_module(pcmcia, 1.7.1)
+policy_module(pcmcia, 1.8.0)
########################################
#
diff --git a/policy/modules/contrib/pcscd.te b/policy/modules/contrib/pcscd.te
index 38dd067..e33dc6b 100644
--- a/policy/modules/contrib/pcscd.te
+++ b/policy/modules/contrib/pcscd.te
@@ -1,4 +1,4 @@
-policy_module(pcscd, 1.11.2)
+policy_module(pcscd, 1.12.0)
########################################
#
diff --git a/policy/modules/contrib/pegasus.te b/policy/modules/contrib/pegasus.te
index 1953a25..6d8c019 100644
--- a/policy/modules/contrib/pegasus.te
+++ b/policy/modules/contrib/pegasus.te
@@ -1,4 +1,4 @@
-policy_module(pegasus, 1.11.1)
+policy_module(pegasus, 1.12.0)
########################################
#
diff --git a/policy/modules/contrib/perdition.te b/policy/modules/contrib/perdition.te
index ab07330..15023ce 100644
--- a/policy/modules/contrib/perdition.te
+++ b/policy/modules/contrib/perdition.te
@@ -1,4 +1,4 @@
-policy_module(perdition, 1.9.1)
+policy_module(perdition, 1.10.0)
########################################
#
diff --git a/policy/modules/contrib/pkcs.te b/policy/modules/contrib/pkcs.te
index 49fc2ed..1d1635d 100644
--- a/policy/modules/contrib/pkcs.te
+++ b/policy/modules/contrib/pkcs.te
@@ -1,4 +1,4 @@
-policy_module(pkcs, 1.2.1)
+policy_module(pkcs, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/plymouthd.te b/policy/modules/contrib/plymouthd.te
index 8eb76e9..3e19efb 100644
--- a/policy/modules/contrib/plymouthd.te
+++ b/policy/modules/contrib/plymouthd.te
@@ -1,4 +1,4 @@
-policy_module(plymouthd, 1.3.2)
+policy_module(plymouthd, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/policykit.te b/policy/modules/contrib/policykit.te
index fba43c9..21ab30e 100644
--- a/policy/modules/contrib/policykit.te
+++ b/policy/modules/contrib/policykit.te
@@ -1,4 +1,4 @@
-policy_module(policykit, 1.5.2)
+policy_module(policykit, 1.6.0)
########################################
#
diff --git a/policy/modules/contrib/polipo.te b/policy/modules/contrib/polipo.te
index c9acfaa..5f72416 100644
--- a/policy/modules/contrib/polipo.te
+++ b/policy/modules/contrib/polipo.te
@@ -1,4 +1,4 @@
-policy_module(polipo, 1.3.1)
+policy_module(polipo, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/portmap.te b/policy/modules/contrib/portmap.te
index 9656294..b5abc87 100644
--- a/policy/modules/contrib/portmap.te
+++ b/policy/modules/contrib/portmap.te
@@ -1,4 +1,4 @@
-policy_module(portmap, 1.12.1)
+policy_module(portmap, 1.13.0)
########################################
#
diff --git a/policy/modules/contrib/portreserve.te b/policy/modules/contrib/portreserve.te
index 5767015..4aa79a4 100644
--- a/policy/modules/contrib/portreserve.te
+++ b/policy/modules/contrib/portreserve.te
@@ -1,4 +1,4 @@
-policy_module(portreserve, 1.5.1)
+policy_module(portreserve, 1.6.0)
########################################
#
diff --git a/policy/modules/contrib/postfixpolicyd.te b/policy/modules/contrib/postfixpolicyd.te
index 417c357..153fb19 100644
--- a/policy/modules/contrib/postfixpolicyd.te
+++ b/policy/modules/contrib/postfixpolicyd.te
@@ -1,4 +1,4 @@
-policy_module(postfixpolicyd, 1.4.1)
+policy_module(postfixpolicyd, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/postgrey.te b/policy/modules/contrib/postgrey.te
index 7e5d8b3..ab5a8d3 100644
--- a/policy/modules/contrib/postgrey.te
+++ b/policy/modules/contrib/postgrey.te
@@ -1,4 +1,4 @@
-policy_module(postgrey, 1.10.1)
+policy_module(postgrey, 1.11.0)
########################################
#
diff --git a/policy/modules/contrib/ppp.te b/policy/modules/contrib/ppp.te
index b04f33f..ba85666 100644
--- a/policy/modules/contrib/ppp.te
+++ b/policy/modules/contrib/ppp.te
@@ -1,4 +1,4 @@
-policy_module(ppp, 1.16.1)
+policy_module(ppp, 1.17.0)
########################################
#
diff --git a/policy/modules/contrib/prelude.te b/policy/modules/contrib/prelude.te
index 7ce0a6e..d3aa038 100644
--- a/policy/modules/contrib/prelude.te
+++ b/policy/modules/contrib/prelude.te
@@ -1,4 +1,4 @@
-policy_module(prelude, 1.6.1)
+policy_module(prelude, 1.7.0)
########################################
#
diff --git a/policy/modules/contrib/privoxy.te b/policy/modules/contrib/privoxy.te
index 86c13b0..ce34491 100644
--- a/policy/modules/contrib/privoxy.te
+++ b/policy/modules/contrib/privoxy.te
@@ -1,4 +1,4 @@
-policy_module(privoxy, 1.13.1)
+policy_module(privoxy, 1.14.0)
########################################
#
diff --git a/policy/modules/contrib/psad.te b/policy/modules/contrib/psad.te
index 76839e8..3336ca7 100644
--- a/policy/modules/contrib/psad.te
+++ b/policy/modules/contrib/psad.te
@@ -1,4 +1,4 @@
-policy_module(psad, 1.3.1)
+policy_module(psad, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index 2cf3a36..e9a4a50 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -1,4 +1,4 @@
-policy_module(pulseaudio, 1.9.2)
+policy_module(pulseaudio, 1.10.0)
########################################
#
diff --git a/policy/modules/contrib/puppet.te b/policy/modules/contrib/puppet.te
index 176e4fa..4f49696 100644
--- a/policy/modules/contrib/puppet.te
+++ b/policy/modules/contrib/puppet.te
@@ -1,4 +1,4 @@
-policy_module(puppet, 1.7.1)
+policy_module(puppet, 1.8.0)
########################################
#
diff --git a/policy/modules/contrib/pwauth.te b/policy/modules/contrib/pwauth.te
index 4664d0a..dda0373 100644
--- a/policy/modules/contrib/pwauth.te
+++ b/policy/modules/contrib/pwauth.te
@@ -1,4 +1,4 @@
-policy_module(pwauth, 1.0.1)
+policy_module(pwauth, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/pxe.te b/policy/modules/contrib/pxe.te
index 711647f..8694d85 100644
--- a/policy/modules/contrib/pxe.te
+++ b/policy/modules/contrib/pxe.te
@@ -1,4 +1,4 @@
-policy_module(pxe, 1.6.1)
+policy_module(pxe, 1.7.0)
########################################
#
diff --git a/policy/modules/contrib/pyicqt.te b/policy/modules/contrib/pyicqt.te
index c028441..6861a4a 100644
--- a/policy/modules/contrib/pyicqt.te
+++ b/policy/modules/contrib/pyicqt.te
@@ -1,4 +1,4 @@
-policy_module(pyicqt, 1.2.1)
+policy_module(pyicqt, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/qpid.te b/policy/modules/contrib/qpid.te
index df83aab..edae187 100644
--- a/policy/modules/contrib/qpid.te
+++ b/policy/modules/contrib/qpid.te
@@ -1,4 +1,4 @@
-policy_module(qpid, 1.2.1)
+policy_module(qpid, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/quota.te b/policy/modules/contrib/quota.te
index b412d96..95262d4 100644
--- a/policy/modules/contrib/quota.te
+++ b/policy/modules/contrib/quota.te
@@ -1,4 +1,4 @@
-policy_module(quota, 1.8.1)
+policy_module(quota, 1.9.0)
########################################
#
diff --git a/policy/modules/contrib/rabbitmq.te b/policy/modules/contrib/rabbitmq.te
index 33dd4bd..3aa2084 100644
--- a/policy/modules/contrib/rabbitmq.te
+++ b/policy/modules/contrib/rabbitmq.te
@@ -1,4 +1,4 @@
-policy_module(rabbitmq, 1.2.1)
+policy_module(rabbitmq, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/radius.te b/policy/modules/contrib/radius.te
index 5bd9b51..bbe4e1c 100644
--- a/policy/modules/contrib/radius.te
+++ b/policy/modules/contrib/radius.te
@@ -1,4 +1,4 @@
-policy_module(radius, 1.14.1)
+policy_module(radius, 1.15.0)
########################################
#
diff --git a/policy/modules/contrib/radvd.te b/policy/modules/contrib/radvd.te
index 015b7eb..1d7fbfe 100644
--- a/policy/modules/contrib/radvd.te
+++ b/policy/modules/contrib/radvd.te
@@ -1,4 +1,4 @@
-policy_module(radvd, 1.15.1)
+policy_module(radvd, 1.16.0)
########################################
#
diff --git a/policy/modules/contrib/raid.te b/policy/modules/contrib/raid.te
index 0b2ee90..172bae9 100644
--- a/policy/modules/contrib/raid.te
+++ b/policy/modules/contrib/raid.te
@@ -1,4 +1,4 @@
-policy_module(raid, 1.16.2)
+policy_module(raid, 1.17.0)
########################################
#
diff --git a/policy/modules/contrib/readahead.te b/policy/modules/contrib/readahead.te
index c554242..9b2d53f 100644
--- a/policy/modules/contrib/readahead.te
+++ b/policy/modules/contrib/readahead.te
@@ -1,4 +1,4 @@
-policy_module(readahead, 1.14.1)
+policy_module(readahead, 1.15.0)
########################################
#
diff --git a/policy/modules/contrib/redis.te b/policy/modules/contrib/redis.te
index e5efccd..b516205 100644
--- a/policy/modules/contrib/redis.te
+++ b/policy/modules/contrib/redis.te
@@ -1,4 +1,4 @@
-policy_module(redis, 1.3.1)
+policy_module(redis, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/resmgr.te b/policy/modules/contrib/resmgr.te
index cfcadc2..db7eca5 100644
--- a/policy/modules/contrib/resmgr.te
+++ b/policy/modules/contrib/resmgr.te
@@ -1,4 +1,4 @@
-policy_module(resmgr, 1.4.1)
+policy_module(resmgr, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/rgmanager.te b/policy/modules/contrib/rgmanager.te
index 7999239..c533810 100644
--- a/policy/modules/contrib/rgmanager.te
+++ b/policy/modules/contrib/rgmanager.te
@@ -1,4 +1,4 @@
-policy_module(rgmanager, 1.5.1)
+policy_module(rgmanager, 1.6.0)
########################################
#
diff --git a/policy/modules/contrib/rhcs.te b/policy/modules/contrib/rhcs.te
index 0ee49b0..4c58d12 100644
--- a/policy/modules/contrib/rhcs.te
+++ b/policy/modules/contrib/rhcs.te
@@ -1,4 +1,4 @@
-policy_module(rhcs, 1.5.1)
+policy_module(rhcs, 1.6.0)
########################################
#
diff --git a/policy/modules/contrib/rhsmcertd.te b/policy/modules/contrib/rhsmcertd.te
index f3e1c95..4419243 100644
--- a/policy/modules/contrib/rhsmcertd.te
+++ b/policy/modules/contrib/rhsmcertd.te
@@ -1,4 +1,4 @@
-policy_module(rhsmcertd, 1.3.1)
+policy_module(rhsmcertd, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/ricci.te b/policy/modules/contrib/ricci.te
index 1037e8e..794dcd3 100644
--- a/policy/modules/contrib/ricci.te
+++ b/policy/modules/contrib/ricci.te
@@ -1,4 +1,4 @@
-policy_module(ricci, 1.9.1)
+policy_module(ricci, 1.10.0)
########################################
#
diff --git a/policy/modules/contrib/rngd.te b/policy/modules/contrib/rngd.te
index c33d12a..ee1f134 100644
--- a/policy/modules/contrib/rngd.te
+++ b/policy/modules/contrib/rngd.te
@@ -1,4 +1,4 @@
-policy_module(rngd, 1.3.1)
+policy_module(rngd, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
index 5cacbdb..2e47156 100644
--- a/policy/modules/contrib/rpc.te
+++ b/policy/modules/contrib/rpc.te
@@ -1,4 +1,4 @@
-policy_module(rpc, 1.18.1)
+policy_module(rpc, 1.19.0)
########################################
#
diff --git a/policy/modules/contrib/rpcbind.te b/policy/modules/contrib/rpcbind.te
index 3f3a7e7..e3a4cc0 100644
--- a/policy/modules/contrib/rpcbind.te
+++ b/policy/modules/contrib/rpcbind.te
@@ -1,4 +1,4 @@
-policy_module(rpcbind, 1.10.1)
+policy_module(rpcbind, 1.11.0)
########################################
#
diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te
index 5d52d12..2a709ce 100644
--- a/policy/modules/contrib/rpm.te
+++ b/policy/modules/contrib/rpm.te
@@ -1,4 +1,4 @@
-policy_module(rpm, 1.18.2)
+policy_module(rpm, 1.19.0)
########################################
#
diff --git a/policy/modules/contrib/rsync.te b/policy/modules/contrib/rsync.te
index 9b0ea69..18db99d 100644
--- a/policy/modules/contrib/rsync.te
+++ b/policy/modules/contrib/rsync.te
@@ -1,4 +1,4 @@
-policy_module(rsync, 1.14.1)
+policy_module(rsync, 1.15.0)
########################################
#
diff --git a/policy/modules/contrib/rtkit.te b/policy/modules/contrib/rtkit.te
index 0bd4a66..c5e7783 100644
--- a/policy/modules/contrib/rtkit.te
+++ b/policy/modules/contrib/rtkit.te
@@ -1,4 +1,4 @@
-policy_module(rtkit, 1.4.2)
+policy_module(rtkit, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
index e588ce8..0acf15a 100644
--- a/policy/modules/contrib/samba.te
+++ b/policy/modules/contrib/samba.te
@@ -1,4 +1,4 @@
-policy_module(samba, 1.19.1)
+policy_module(samba, 1.20.0)
#################################
#
diff --git a/policy/modules/contrib/samhain.te b/policy/modules/contrib/samhain.te
index 9675ed1..1d2f80f 100644
--- a/policy/modules/contrib/samhain.te
+++ b/policy/modules/contrib/samhain.te
@@ -1,4 +1,4 @@
-policy_module(samhain, 1.3.1)
+policy_module(samhain, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/sanlock.te b/policy/modules/contrib/sanlock.te
index ff49a17..fccc1c2 100644
--- a/policy/modules/contrib/sanlock.te
+++ b/policy/modules/contrib/sanlock.te
@@ -1,4 +1,4 @@
-policy_module(sanlock, 1.2.1)
+policy_module(sanlock, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/sasl.te b/policy/modules/contrib/sasl.te
index b28eb33..235a66d 100644
--- a/policy/modules/contrib/sasl.te
+++ b/policy/modules/contrib/sasl.te
@@ -1,4 +1,4 @@
-policy_module(sasl, 1.17.1)
+policy_module(sasl, 1.18.0)
########################################
#
diff --git a/policy/modules/contrib/sblim.te b/policy/modules/contrib/sblim.te
index 2e933c8..77632c2 100644
--- a/policy/modules/contrib/sblim.te
+++ b/policy/modules/contrib/sblim.te
@@ -1,4 +1,4 @@
-policy_module(sblim, 1.2.1)
+policy_module(sblim, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/screen.te b/policy/modules/contrib/screen.te
index ab14ac3..e8569cb 100644
--- a/policy/modules/contrib/screen.te
+++ b/policy/modules/contrib/screen.te
@@ -1,4 +1,4 @@
-policy_module(screen, 2.7.3)
+policy_module(screen, 2.8.0)
########################################
#
diff --git a/policy/modules/contrib/sendmail.te b/policy/modules/contrib/sendmail.te
index 44a5dc3..1ae4a27 100644
--- a/policy/modules/contrib/sendmail.te
+++ b/policy/modules/contrib/sendmail.te
@@ -1,4 +1,4 @@
-policy_module(sendmail, 1.14.1)
+policy_module(sendmail, 1.15.0)
########################################
#
diff --git a/policy/modules/contrib/sensord.te b/policy/modules/contrib/sensord.te
index 9262f26..f5d4288 100644
--- a/policy/modules/contrib/sensord.te
+++ b/policy/modules/contrib/sensord.te
@@ -1,4 +1,4 @@
-policy_module(sensord, 1.1.1)
+policy_module(sensord, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/setroubleshoot.te b/policy/modules/contrib/setroubleshoot.te
index eaa678d..68f546f 100644
--- a/policy/modules/contrib/setroubleshoot.te
+++ b/policy/modules/contrib/setroubleshoot.te
@@ -1,4 +1,4 @@
-policy_module(setroubleshoot, 1.14.1)
+policy_module(setroubleshoot, 1.15.0)
########################################
#
diff --git a/policy/modules/contrib/shibboleth.te b/policy/modules/contrib/shibboleth.te
index ae6009e..0d74204 100644
--- a/policy/modules/contrib/shibboleth.te
+++ b/policy/modules/contrib/shibboleth.te
@@ -1,4 +1,4 @@
-policy_module(shibboleth, 1.1.1)
+policy_module(shibboleth, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/shutdown.te b/policy/modules/contrib/shutdown.te
index 533f38e..e10149f 100644
--- a/policy/modules/contrib/shutdown.te
+++ b/policy/modules/contrib/shutdown.te
@@ -1,4 +1,4 @@
-policy_module(shutdown, 1.3.1)
+policy_module(shutdown, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/slocate.te b/policy/modules/contrib/slocate.te
index ad9e155..65fe1cb 100644
--- a/policy/modules/contrib/slocate.te
+++ b/policy/modules/contrib/slocate.te
@@ -1,4 +1,4 @@
-policy_module(slocate, 1.13.1)
+policy_module(slocate, 1.14.0)
#################################
#
diff --git a/policy/modules/contrib/slpd.te b/policy/modules/contrib/slpd.te
index ba1dd61..f4f1edf 100644
--- a/policy/modules/contrib/slpd.te
+++ b/policy/modules/contrib/slpd.te
@@ -1,4 +1,4 @@
-policy_module(slpd, 1.2.1)
+policy_module(slpd, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/slrnpull.te b/policy/modules/contrib/slrnpull.te
index 299ed57..9d4515a 100644
--- a/policy/modules/contrib/slrnpull.te
+++ b/policy/modules/contrib/slrnpull.te
@@ -1,4 +1,4 @@
-policy_module(slrnpull, 1.5.1)
+policy_module(slrnpull, 1.6.0)
########################################
#
diff --git a/policy/modules/contrib/smartmon.te b/policy/modules/contrib/smartmon.te
index 74b59d1..eb812fe 100644
--- a/policy/modules/contrib/smartmon.te
+++ b/policy/modules/contrib/smartmon.te
@@ -1,4 +1,4 @@
-policy_module(smartmon, 1.13.1)
+policy_module(smartmon, 1.14.0)
########################################
#
diff --git a/policy/modules/contrib/smokeping.te b/policy/modules/contrib/smokeping.te
index ab75d45..625d801 100644
--- a/policy/modules/contrib/smokeping.te
+++ b/policy/modules/contrib/smokeping.te
@@ -1,4 +1,4 @@
-policy_module(smokeping, 1.3.2)
+policy_module(smokeping, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/smstools.te b/policy/modules/contrib/smstools.te
index 2ad3def..55096f6 100644
--- a/policy/modules/contrib/smstools.te
+++ b/policy/modules/contrib/smstools.te
@@ -1,4 +1,4 @@
-policy_module(smstools, 1.1.1)
+policy_module(smstools, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/snmp.te b/policy/modules/contrib/snmp.te
index ce66470..4938579 100644
--- a/policy/modules/contrib/snmp.te
+++ b/policy/modules/contrib/snmp.te
@@ -1,4 +1,4 @@
-policy_module(snmp, 1.15.1)
+policy_module(snmp, 1.16.0)
########################################
#
diff --git a/policy/modules/contrib/snort.te b/policy/modules/contrib/snort.te
index 541ce2f..30ba1e0 100644
--- a/policy/modules/contrib/snort.te
+++ b/policy/modules/contrib/snort.te
@@ -1,4 +1,4 @@
-policy_module(snort, 1.13.1)
+policy_module(snort, 1.14.0)
########################################
#
diff --git a/policy/modules/contrib/soundserver.te b/policy/modules/contrib/soundserver.te
index 9346f5b..5b8bd92 100644
--- a/policy/modules/contrib/soundserver.te
+++ b/policy/modules/contrib/soundserver.te
@@ -1,4 +1,4 @@
-policy_module(soundserver, 1.10.1)
+policy_module(soundserver, 1.11.0)
########################################
#
diff --git a/policy/modules/contrib/spamassassin.te b/policy/modules/contrib/spamassassin.te
index 30df392..6631a49 100644
--- a/policy/modules/contrib/spamassassin.te
+++ b/policy/modules/contrib/spamassassin.te
@@ -1,4 +1,4 @@
-policy_module(spamassassin, 2.9.1)
+policy_module(spamassassin, 2.10.0)
########################################
#
diff --git a/policy/modules/contrib/speedtouch.te b/policy/modules/contrib/speedtouch.te
index e51f848..70dcf8d 100644
--- a/policy/modules/contrib/speedtouch.te
+++ b/policy/modules/contrib/speedtouch.te
@@ -1,4 +1,4 @@
-policy_module(speedtouch, 1.5.1)
+policy_module(speedtouch, 1.6.0)
#######################################
#
diff --git a/policy/modules/contrib/squid.te b/policy/modules/contrib/squid.te
index e8a0056..2852599 100644
--- a/policy/modules/contrib/squid.te
+++ b/policy/modules/contrib/squid.te
@@ -1,4 +1,4 @@
-policy_module(squid, 1.14.1)
+policy_module(squid, 1.15.0)
########################################
#
diff --git a/policy/modules/contrib/sssd.te b/policy/modules/contrib/sssd.te
index b27a7eb..9be5c19 100644
--- a/policy/modules/contrib/sssd.te
+++ b/policy/modules/contrib/sssd.te
@@ -1,4 +1,4 @@
-policy_module(sssd, 1.3.1)
+policy_module(sssd, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/stunnel.te b/policy/modules/contrib/stunnel.te
index bc4bab4..f7e315e 100644
--- a/policy/modules/contrib/stunnel.te
+++ b/policy/modules/contrib/stunnel.te
@@ -1,4 +1,4 @@
-policy_module(stunnel, 1.11.1)
+policy_module(stunnel, 1.12.0)
########################################
#
diff --git a/policy/modules/contrib/svnserve.te b/policy/modules/contrib/svnserve.te
index 9f5563c..5fcd8b4 100644
--- a/policy/modules/contrib/svnserve.te
+++ b/policy/modules/contrib/svnserve.te
@@ -1,4 +1,4 @@
-policy_module(svnserve, 1.3.1)
+policy_module(svnserve, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/systemtap.te b/policy/modules/contrib/systemtap.te
index 8e697a1..f2fa849 100644
--- a/policy/modules/contrib/systemtap.te
+++ b/policy/modules/contrib/systemtap.te
@@ -1,4 +1,4 @@
-policy_module(systemtap, 1.3.1)
+policy_module(systemtap, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/telepathy.te b/policy/modules/contrib/telepathy.te
index c84c80d..f1bee7f 100644
--- a/policy/modules/contrib/telepathy.te
+++ b/policy/modules/contrib/telepathy.te
@@ -1,4 +1,4 @@
-policy_module(telepathy, 1.7.2)
+policy_module(telepathy, 1.8.0)
########################################
#
diff --git a/policy/modules/contrib/tgtd.te b/policy/modules/contrib/tgtd.te
index 9aa72bd..c376118 100644
--- a/policy/modules/contrib/tgtd.te
+++ b/policy/modules/contrib/tgtd.te
@@ -1,4 +1,4 @@
-policy_module(tgtd, 1.5.1)
+policy_module(tgtd, 1.6.0)
########################################
#
diff --git a/policy/modules/contrib/thunderbird.te b/policy/modules/contrib/thunderbird.te
index 30f3fd8..9823d1d 100644
--- a/policy/modules/contrib/thunderbird.te
+++ b/policy/modules/contrib/thunderbird.te
@@ -1,4 +1,4 @@
-policy_module(thunderbird, 2.4.4)
+policy_module(thunderbird, 2.5.0)
########################################
#
diff --git a/policy/modules/contrib/tor.te b/policy/modules/contrib/tor.te
index 3fa6bae..098154f 100644
--- a/policy/modules/contrib/tor.te
+++ b/policy/modules/contrib/tor.te
@@ -1,4 +1,4 @@
-policy_module(tor, 1.12.1)
+policy_module(tor, 1.13.0)
########################################
#
diff --git a/policy/modules/contrib/transproxy.te b/policy/modules/contrib/transproxy.te
index 6204ef1..61b6f5c 100644
--- a/policy/modules/contrib/transproxy.te
+++ b/policy/modules/contrib/transproxy.te
@@ -1,4 +1,4 @@
-policy_module(transproxy, 1.9.1)
+policy_module(transproxy, 1.10.0)
########################################
#
diff --git a/policy/modules/contrib/tuned.te b/policy/modules/contrib/tuned.te
index 5cfe295..ba1e147 100644
--- a/policy/modules/contrib/tuned.te
+++ b/policy/modules/contrib/tuned.te
@@ -1,4 +1,4 @@
-policy_module(tuned, 1.3.1)
+policy_module(tuned, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/tvtime.te b/policy/modules/contrib/tvtime.te
index bc264d4..1b138dd 100644
--- a/policy/modules/contrib/tvtime.te
+++ b/policy/modules/contrib/tvtime.te
@@ -1,4 +1,4 @@
-policy_module(tvtime, 2.3.2)
+policy_module(tvtime, 2.4.0)
########################################
#
diff --git a/policy/modules/contrib/uml.te b/policy/modules/contrib/uml.te
index 62d0119..0e2f4c9 100644
--- a/policy/modules/contrib/uml.te
+++ b/policy/modules/contrib/uml.te
@@ -1,4 +1,4 @@
-policy_module(uml, 2.3.1)
+policy_module(uml, 2.4.0)
########################################
#
diff --git a/policy/modules/contrib/uptime.te b/policy/modules/contrib/uptime.te
index 088e913..79c6c8e 100644
--- a/policy/modules/contrib/uptime.te
+++ b/policy/modules/contrib/uptime.te
@@ -1,4 +1,4 @@
-policy_module(uptime, 1.7.1)
+policy_module(uptime, 1.8.0)
########################################
#
diff --git a/policy/modules/contrib/usbmuxd.te b/policy/modules/contrib/usbmuxd.te
index 6d44da4..a1d498e 100644
--- a/policy/modules/contrib/usbmuxd.te
+++ b/policy/modules/contrib/usbmuxd.te
@@ -1,4 +1,4 @@
-policy_module(usbmuxd, 1.2.1)
+policy_module(usbmuxd, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/uuidd.te b/policy/modules/contrib/uuidd.te
index 41e41d3..176ae29 100644
--- a/policy/modules/contrib/uuidd.te
+++ b/policy/modules/contrib/uuidd.te
@@ -1,4 +1,4 @@
-policy_module(uuidd, 1.2.1)
+policy_module(uuidd, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/uwimap.te b/policy/modules/contrib/uwimap.te
index 5df6457..02a45cf 100644
--- a/policy/modules/contrib/uwimap.te
+++ b/policy/modules/contrib/uwimap.te
@@ -1,4 +1,4 @@
-policy_module(uwimap, 1.10.1)
+policy_module(uwimap, 1.11.0)
########################################
#
diff --git a/policy/modules/contrib/varnishd.te b/policy/modules/contrib/varnishd.te
index 5cbc541..36c32fc 100644
--- a/policy/modules/contrib/varnishd.te
+++ b/policy/modules/contrib/varnishd.te
@@ -1,4 +1,4 @@
-policy_module(varnishd, 1.4.1)
+policy_module(varnishd, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/vdagent.te b/policy/modules/contrib/vdagent.te
index bd5edff..4ceabe0 100644
--- a/policy/modules/contrib/vdagent.te
+++ b/policy/modules/contrib/vdagent.te
@@ -1,4 +1,4 @@
-policy_module(vdagent, 1.3.1)
+policy_module(vdagent, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/vhostmd.te b/policy/modules/contrib/vhostmd.te
index 0c5f94c..4d47427 100644
--- a/policy/modules/contrib/vhostmd.te
+++ b/policy/modules/contrib/vhostmd.te
@@ -1,4 +1,4 @@
-policy_module(vhostmd, 1.2.1)
+policy_module(vhostmd, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 41a352d..e8ac408 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1,4 +1,4 @@
-policy_module(virt, 1.10.1)
+policy_module(virt, 1.11.0)
########################################
#
diff --git a/policy/modules/contrib/vmware.te b/policy/modules/contrib/vmware.te
index ffe0fb0..0fa22c2 100644
--- a/policy/modules/contrib/vmware.te
+++ b/policy/modules/contrib/vmware.te
@@ -1,4 +1,4 @@
-policy_module(vmware, 2.7.3)
+policy_module(vmware, 2.8.0)
########################################
#
diff --git a/policy/modules/contrib/vnstatd.te b/policy/modules/contrib/vnstatd.te
index fdce10d..306bac9 100644
--- a/policy/modules/contrib/vnstatd.te
+++ b/policy/modules/contrib/vnstatd.te
@@ -1,4 +1,4 @@
-policy_module(vnstatd, 1.2.1)
+policy_module(vnstatd, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/vpn.te b/policy/modules/contrib/vpn.te
index a1c2da8..e11d751 100644
--- a/policy/modules/contrib/vpn.te
+++ b/policy/modules/contrib/vpn.te
@@ -1,4 +1,4 @@
-policy_module(vpn, 1.16.1)
+policy_module(vpn, 1.17.0)
########################################
#
diff --git a/policy/modules/contrib/watchdog.te b/policy/modules/contrib/watchdog.te
index 69dfc59..a181f48 100644
--- a/policy/modules/contrib/watchdog.te
+++ b/policy/modules/contrib/watchdog.te
@@ -1,4 +1,4 @@
-policy_module(watchdog, 1.11.1)
+policy_module(watchdog, 1.12.0)
#################################
#
diff --git a/policy/modules/contrib/wdmd.te b/policy/modules/contrib/wdmd.te
index 5a43020..a32e198 100644
--- a/policy/modules/contrib/wdmd.te
+++ b/policy/modules/contrib/wdmd.te
@@ -1,4 +1,4 @@
-policy_module(wdmd, 1.2.1)
+policy_module(wdmd, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/wine.te b/policy/modules/contrib/wine.te
index c9dc27e..8ec8c96 100644
--- a/policy/modules/contrib/wine.te
+++ b/policy/modules/contrib/wine.te
@@ -1,4 +1,4 @@
-policy_module(wine, 1.12.2)
+policy_module(wine, 1.13.0)
########################################
#
diff --git a/policy/modules/contrib/wireshark.te b/policy/modules/contrib/wireshark.te
index a2c96ba..a398fd7 100644
--- a/policy/modules/contrib/wireshark.te
+++ b/policy/modules/contrib/wireshark.te
@@ -1,4 +1,4 @@
-policy_module(wireshark, 2.4.2)
+policy_module(wireshark, 2.5.0)
########################################
#
diff --git a/policy/modules/contrib/wm.te b/policy/modules/contrib/wm.te
index bbc8b16..e5f6531 100644
--- a/policy/modules/contrib/wm.te
+++ b/policy/modules/contrib/wm.te
@@ -1,4 +1,4 @@
-policy_module(wm, 1.5.4)
+policy_module(wm, 1.6.0)
########################################
#
diff --git a/policy/modules/contrib/xen.te b/policy/modules/contrib/xen.te
index 797ad04..c134cfe 100644
--- a/policy/modules/contrib/xen.te
+++ b/policy/modules/contrib/xen.te
@@ -1,4 +1,4 @@
-policy_module(xen, 1.14.1)
+policy_module(xen, 1.15.0)
########################################
#
diff --git a/policy/modules/contrib/xfs.te b/policy/modules/contrib/xfs.te
index 8d4b846..3fc2a1b 100644
--- a/policy/modules/contrib/xfs.te
+++ b/policy/modules/contrib/xfs.te
@@ -1,4 +1,4 @@
-policy_module(xfs, 1.8.1)
+policy_module(xfs, 1.9.0)
########################################
#
diff --git a/policy/modules/contrib/xguest.te b/policy/modules/contrib/xguest.te
index f8f3038..1e7f643 100644
--- a/policy/modules/contrib/xguest.te
+++ b/policy/modules/contrib/xguest.te
@@ -1,4 +1,4 @@
-policy_module(xguest, 1.2.1)
+policy_module(xguest, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/xscreensaver.te b/policy/modules/contrib/xscreensaver.te
index b724b4e..1f58110 100644
--- a/policy/modules/contrib/xscreensaver.te
+++ b/policy/modules/contrib/xscreensaver.te
@@ -1,4 +1,4 @@
-policy_module(xscreensaver, 1.2.2)
+policy_module(xscreensaver, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/zabbix.te b/policy/modules/contrib/zabbix.te
index e89ab91..3382218 100644
--- a/policy/modules/contrib/zabbix.te
+++ b/policy/modules/contrib/zabbix.te
@@ -1,4 +1,4 @@
-policy_module(zabbix, 1.9.1)
+policy_module(zabbix, 1.10.0)
########################################
#
diff --git a/policy/modules/contrib/zarafa.te b/policy/modules/contrib/zarafa.te
index 19dcdad..5ce3c3e 100644
--- a/policy/modules/contrib/zarafa.te
+++ b/policy/modules/contrib/zarafa.te
@@ -1,4 +1,4 @@
-policy_module(zarafa, 1.3.1)
+policy_module(zarafa, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/zebra.te b/policy/modules/contrib/zebra.te
index cf6d4cd..d0b0358 100644
--- a/policy/modules/contrib/zebra.te
+++ b/policy/modules/contrib/zebra.te
@@ -1,4 +1,4 @@
-policy_module(zebra, 1.14.1)
+policy_module(zebra, 1.15.0)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-01-25 11:59 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-01-25 11:59 UTC (permalink / raw
To: gentoo-commits
commit: e0bfa34ed7854bb95ca797dc48596936ed3c83cf
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Fri Jan 20 01:06:09 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Jan 25 07:08:14 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e0bfa34e
cups: new interface to execute HPLIP applications in their own domain
Add a new interface to the cups module to execute HP Linux Imaging
and Printing (HPLIP) applications in their own domain.
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/cups.if | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
diff --git a/policy/modules/contrib/cups.if b/policy/modules/contrib/cups.if
index a6bcb68..f0261ca 100644
--- a/policy/modules/contrib/cups.if
+++ b/policy/modules/contrib/cups.if
@@ -375,3 +375,24 @@ interface(`cups_admin',`
admin_pattern($1, { cupsd_config_var_run_t cupsd_var_run_t hplip_var_run_t })
admin_pattern($1, { ptal_var_run_t cupsd_lpd_var_run_t })
')
+
+########################################
+## <summary>
+## Execute HP Linux Imaging and
+## Printing applications in their
+## own domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cups_domtrans_hplip',`
+ gen_require(`
+ type hplip_t, hplip_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, hplip_exec_t, hplip_t)
+')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-01-25 11:59 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-01-25 11:59 UTC (permalink / raw
To: gentoo-commits
commit: 82777d9740f9c8cd39423eea988823647bdc68ea
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Mon Jan 23 23:50:08 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Jan 25 07:08:14 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=82777d97
cups: Move hplip_domtrans interface.
policy/modules/contrib/cups.if | 42 +++++++++++++++++++++---------------------
1 file changed, 21 insertions(+), 21 deletions(-)
diff --git a/policy/modules/contrib/cups.if b/policy/modules/contrib/cups.if
index f0261ca..6a2633c 100644
--- a/policy/modules/contrib/cups.if
+++ b/policy/modules/contrib/cups.if
@@ -326,6 +326,27 @@ interface(`cups_read_state',`
########################################
## <summary>
+## Execute HP Linux Imaging and
+## Printing applications in their
+## own domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cups_domtrans_hplip',`
+ gen_require(`
+ type hplip_t, hplip_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, hplip_exec_t, hplip_t)
+')
+
+########################################
+## <summary>
## All of the rules required to
## administrate an cups environment.
## </summary>
@@ -375,24 +396,3 @@ interface(`cups_admin',`
admin_pattern($1, { cupsd_config_var_run_t cupsd_var_run_t hplip_var_run_t })
admin_pattern($1, { ptal_var_run_t cupsd_lpd_var_run_t })
')
-
-########################################
-## <summary>
-## Execute HP Linux Imaging and
-## Printing applications in their
-## own domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`cups_domtrans_hplip',`
- gen_require(`
- type hplip_t, hplip_exec_t;
- ')
-
- corecmd_search_bin($1)
- domtrans_pattern($1, hplip_exec_t, hplip_t)
-')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-01-25 11:59 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-01-25 11:59 UTC (permalink / raw
To: gentoo-commits
commit: 723dac4b3046ab8990fb7df69c479580a9e2c3ea
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Mon Jan 23 23:50:26 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Jan 25 07:08:14 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=723dac4b
Module version bump for cups patch from Guido Trentalancia.
policy/modules/contrib/cups.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te
index ca9c8dc..d20fc88 100644
--- a/policy/modules/contrib/cups.te
+++ b/policy/modules/contrib/cups.te
@@ -1,4 +1,4 @@
-policy_module(cups, 1.20.3)
+policy_module(cups, 1.20.4)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-01-23 15:44 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-01-23 15:44 UTC (permalink / raw
To: gentoo-commits
commit: de23c604d42ab232f8dc51f27b66d47ba2a2eaba
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Jan 15 18:17:43 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Jan 23 12:56:05 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=de23c604
Module version bump for screen and exim changes from cgzones.
policy/modules/contrib/exim.te | 2 +-
policy/modules/contrib/screen.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/exim.te b/policy/modules/contrib/exim.te
index 5f2810f..26b187a 100644
--- a/policy/modules/contrib/exim.te
+++ b/policy/modules/contrib/exim.te
@@ -1,4 +1,4 @@
-policy_module(exim, 1.9.1)
+policy_module(exim, 1.9.2)
########################################
#
diff --git a/policy/modules/contrib/screen.te b/policy/modules/contrib/screen.te
index d50f157..91967b0 100644
--- a/policy/modules/contrib/screen.te
+++ b/policy/modules/contrib/screen.te
@@ -1,4 +1,4 @@
-policy_module(screen, 2.7.1)
+policy_module(screen, 2.7.2)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-01-23 15:44 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-01-23 15:44 UTC (permalink / raw
To: gentoo-commits
commit: 045e19bda47a4abb2725672b0da50dafaaf85739
Author: cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Thu Jan 5 19:12:45 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Jan 23 12:56:05 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=045e19bd
update exim module
policy/modules/contrib/exim.fc | 14 +++++++-------
policy/modules/contrib/exim.if | 8 ++++----
policy/modules/contrib/exim.te | 25 +++++++++++++------------
3 files changed, 24 insertions(+), 23 deletions(-)
diff --git a/policy/modules/contrib/exim.fc b/policy/modules/contrib/exim.fc
index 9e04a0d..842cb34 100644
--- a/policy/modules/contrib/exim.fc
+++ b/policy/modules/contrib/exim.fc
@@ -1,13 +1,13 @@
/etc/rc\.d/init\.d/exim[0-9]? -- gen_context(system_u:object_r:exim_initrc_exec_t,s0)
-/usr/sbin/exim[0-9]? -- gen_context(system_u:object_r:exim_exec_t,s0)
-/usr/sbin/exim_tidydb -- gen_context(system_u:object_r:exim_exec_t,s0)
+/run/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_pid_t,s0)
+/run/exim[0-9]?\.pid -- gen_context(system_u:object_r:exim_pid_t,s0)
-/var/lib/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_var_lib_t,s0)
+/usr/sbin/exim[0-9]? -- gen_context(system_u:object_r:exim_exec_t,s0)
+/usr/sbin/exim_tidydb -- gen_context(system_u:object_r:exim_exec_t,s0)
-/var/log/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_log_t,s0)
+/var/lib/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_var_lib_t,s0)
-/run/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_var_run_t,s0)
-/run/exim[0-9]?\.pid -- gen_context(system_u:object_r:exim_var_run_t,s0)
+/var/log/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_log_t,s0)
-/var/spool/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_spool_t,s0)
+/var/spool/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_spool_t,s0)
diff --git a/policy/modules/contrib/exim.if b/policy/modules/contrib/exim.if
index 51655bb..c75f5fa 100644
--- a/policy/modules/contrib/exim.if
+++ b/policy/modules/contrib/exim.if
@@ -96,10 +96,10 @@ interface(`exim_read_tmp_files',`
#
interface(`exim_read_pid_files',`
gen_require(`
- type exim_var_run_t;
+ type exim_pid_t;
')
- allow $1 exim_var_run_t:file read_file_perms;
+ allow $1 exim_pid_t:file read_file_perms;
files_search_pids($1)
')
@@ -281,7 +281,7 @@ interface(`exim_manage_var_lib_files',`
interface(`exim_admin',`
gen_require(`
type exim_t, exim_spool_t, exim_log_t;
- type exim_var_run_t, exim_initrc_exec_t, exim_tmp_t;
+ type exim_pid_t, exim_initrc_exec_t, exim_tmp_t;
type exim_keytab_t;
')
@@ -300,7 +300,7 @@ interface(`exim_admin',`
admin_pattern($1, exim_log_t)
files_search_pids($1)
- admin_pattern($1, exim_var_run_t)
+ admin_pattern($1, exim_pid_t)
files_search_tmp($1)
admin_pattern($1, exim_tmp_t)
diff --git a/policy/modules/contrib/exim.te b/policy/modules/contrib/exim.te
index b8de337..5f2810f 100644
--- a/policy/modules/contrib/exim.te
+++ b/policy/modules/contrib/exim.te
@@ -54,17 +54,18 @@ files_type(exim_var_lib_t)
type exim_log_t;
logging_log_file(exim_log_t)
+type exim_pid_t;
+typealias exim_pid_t alias exim_var_run_t;
+files_pid_file(exim_pid_t)
+
type exim_spool_t;
files_type(exim_spool_t)
type exim_tmp_t;
files_tmp_file(exim_tmp_t)
-type exim_var_run_t;
-files_pid_file(exim_var_run_t)
-
ifdef(`distro_debian',`
- init_daemon_pid_file(exim_var_run_t, dir, "exim4")
+ init_daemon_pid_file(exim_pid_t, dir, "exim4")
')
########################################
@@ -72,21 +73,25 @@ ifdef(`distro_debian',`
# Local policy
#
-allow exim_t self:capability { chown dac_override dac_read_search fowner setuid setgid sys_resource };
+allow exim_t self:capability { chown dac_override fowner setuid setgid sys_resource };
allow exim_t self:process { setrlimit setpgid };
allow exim_t self:fifo_file rw_fifo_file_perms;
allow exim_t self:unix_stream_socket { accept listen };
allow exim_t self:tcp_socket { accept listen };
-allow exim_t exim_keytab_t:file read_file_perms;
+can_exec(exim_t, exim_exec_t)
-manage_files_pattern(exim_t, exim_var_lib_t, exim_var_lib_t)
+allow exim_t exim_keytab_t:file read_file_perms;
append_files_pattern(exim_t, exim_log_t, exim_log_t)
create_files_pattern(exim_t, exim_log_t, exim_log_t)
setattr_files_pattern(exim_t, exim_log_t, exim_log_t)
logging_log_filetrans(exim_t, exim_log_t, file)
+manage_dirs_pattern(exim_t, exim_pid_t, exim_pid_t)
+manage_files_pattern(exim_t, exim_pid_t, exim_pid_t)
+files_pid_filetrans(exim_t, exim_pid_t, { dir file })
+
manage_dirs_pattern(exim_t, exim_spool_t, exim_spool_t)
manage_files_pattern(exim_t, exim_spool_t, exim_spool_t)
manage_sock_files_pattern(exim_t, exim_spool_t, exim_spool_t)
@@ -96,11 +101,7 @@ manage_dirs_pattern(exim_t, exim_tmp_t, exim_tmp_t)
manage_files_pattern(exim_t, exim_tmp_t, exim_tmp_t)
files_tmp_filetrans(exim_t, exim_tmp_t, { dir file })
-manage_dirs_pattern(exim_t, exim_var_run_t, exim_var_run_t)
-manage_files_pattern(exim_t, exim_var_run_t, exim_var_run_t)
-files_pid_filetrans(exim_t, exim_var_run_t, { dir file })
-
-can_exec(exim_t, exim_exec_t)
+manage_files_pattern(exim_t, exim_var_lib_t, exim_var_lib_t)
kernel_read_crypto_sysctls(exim_t)
kernel_read_kernel_sysctls(exim_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-01-23 15:44 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-01-23 15:44 UTC (permalink / raw
To: gentoo-commits
commit: 95bb9a0c4c8e7b00b48cd5ba7675efe259a03d41
Author: cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Thu Jan 5 19:14:47 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Jan 23 12:56:05 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=95bb9a0c
update screen module
policy/modules/contrib/screen.fc | 10 +++++-----
policy/modules/contrib/screen.if | 10 +++++-----
policy/modules/contrib/screen.te | 29 ++++++++++++-----------------
3 files changed, 22 insertions(+), 27 deletions(-)
diff --git a/policy/modules/contrib/screen.fc b/policy/modules/contrib/screen.fc
index 975d48f..7196c59 100644
--- a/policy/modules/contrib/screen.fc
+++ b/policy/modules/contrib/screen.fc
@@ -1,9 +1,9 @@
-HOME_DIR/\.screen(/.*)? gen_context(system_u:object_r:screen_home_t,s0)
+HOME_DIR/\.screen(/.*)? gen_context(system_u:object_r:screen_home_t,s0)
HOME_DIR/\.screenrc -- gen_context(system_u:object_r:screen_home_t,s0)
HOME_DIR/\.tmux\.conf -- gen_context(system_u:object_r:screen_home_t,s0)
-/usr/bin/screen -- gen_context(system_u:object_r:screen_exec_t,s0)
-/usr/bin/tmux -- gen_context(system_u:object_r:screen_exec_t,s0)
+/run/screen(/.*)? gen_context(system_u:object_r:screen_runtime_t,s0)
+/run/tmux(/.*)? gen_context(system_u:object_r:screen_runtime_t,s0)
-/run/screen(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0)
-/run/tmux(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0)
+/usr/bin/screen -- gen_context(system_u:object_r:screen_exec_t,s0)
+/usr/bin/tmux -- gen_context(system_u:object_r:screen_exec_t,s0)
diff --git a/policy/modules/contrib/screen.if b/policy/modules/contrib/screen.if
index 2795f69..884e261 100644
--- a/policy/modules/contrib/screen.if
+++ b/policy/modules/contrib/screen.if
@@ -26,7 +26,7 @@ template(`screen_role_template',`
attribute screen_domain;
attribute_role screen_roles;
type screen_exec_t, screen_tmp_t;
- type screen_home_t, screen_var_run_t;
+ type screen_home_t, screen_runtime_t;
')
########################################
@@ -69,10 +69,10 @@ template(`screen_role_template',`
userdom_user_home_dir_filetrans($3, screen_home_t, file, ".screenrc")
userdom_user_home_dir_filetrans($3, screen_home_t, file, ".tmux.conf")
- manage_dirs_pattern($3, screen_var_run_t, screen_var_run_t)
- manage_files_pattern($3, screen_var_run_t, screen_var_run_t)
- manage_lnk_files_pattern($3, screen_var_run_t, screen_var_run_t)
- manage_fifo_files_pattern($3, screen_var_run_t, screen_var_run_t)
+ manage_dirs_pattern($3, screen_runtime_t, screen_runtime_t)
+ manage_files_pattern($3, screen_runtime_t, screen_runtime_t)
+ manage_lnk_files_pattern($3, screen_runtime_t, screen_runtime_t)
+ manage_fifo_files_pattern($3, screen_runtime_t, screen_runtime_t)
corecmd_bin_domtrans($1_screen_t, $3)
corecmd_shell_domtrans($1_screen_t, $3)
diff --git a/policy/modules/contrib/screen.te b/policy/modules/contrib/screen.te
index bebb3ec..d50f157 100644
--- a/policy/modules/contrib/screen.te
+++ b/policy/modules/contrib/screen.te
@@ -13,27 +13,23 @@ type screen_exec_t;
application_executable_file(screen_exec_t)
type screen_home_t;
-typealias screen_home_t alias { user_screen_home_t staff_screen_home_t sysadm_screen_home_t };
-typealias screen_home_t alias { auditadm_screen_home_t secadm_screen_home_t };
userdom_user_home_content(screen_home_t)
type screen_tmp_t;
-typealias screen_tmp_t alias { user_screen_tmp_t staff_screen_tmp_t sysadm_screen_tmp_t };
-typealias screen_tmp_t alias { auditadm_screen_tmp_t secadm_screen_tmp_t };
userdom_user_tmp_file(screen_tmp_t)
-type screen_var_run_t;
-typealias screen_var_run_t alias { user_screen_var_run_t staff_screen_var_run_t sysadm_screen_var_run_t };
-typealias screen_var_run_t alias { auditadm_screen_var_run_t secadm_screen_var_run_t screen_dir_t };
-files_pid_file(screen_var_run_t)
-ubac_constrained(screen_var_run_t)
+type screen_runtime_t;
+typealias screen_runtime_t alias screen_var_run_t;
+files_pid_file(screen_runtime_t)
+ubac_constrained(screen_runtime_t)
########################################
#
# Common screen domain local policy
#
-allow screen_domain self:capability { setuid setgid fsetid };
+# dac_override : read /dev/pts/ID
+allow screen_domain self:capability { setuid setgid fsetid dac_override };
allow screen_domain self:process signal_perms;
allow screen_domain self:fd use;
allow screen_domain self:fifo_file rw_fifo_file_perms;
@@ -44,12 +40,12 @@ manage_dirs_pattern(screen_domain, screen_tmp_t, screen_tmp_t)
manage_files_pattern(screen_domain, screen_tmp_t, screen_tmp_t)
manage_fifo_files_pattern(screen_domain, screen_tmp_t, screen_tmp_t)
files_tmp_filetrans(screen_domain, screen_tmp_t, { file dir })
-filetrans_pattern(screen_domain, screen_tmp_t, screen_var_run_t, sock_file)
+filetrans_pattern(screen_domain, screen_tmp_t, screen_runtime_t, sock_file)
-manage_fifo_files_pattern(screen_domain, screen_var_run_t, screen_var_run_t)
-manage_dirs_pattern(screen_domain, screen_var_run_t, screen_var_run_t)
-manage_sock_files_pattern(screen_domain, screen_var_run_t, screen_var_run_t)
-files_pid_filetrans(screen_domain, screen_var_run_t, dir)
+manage_fifo_files_pattern(screen_domain, screen_runtime_t, screen_runtime_t)
+manage_dirs_pattern(screen_domain, screen_runtime_t, screen_runtime_t)
+manage_sock_files_pattern(screen_domain, screen_runtime_t, screen_runtime_t)
+files_pid_filetrans(screen_domain, screen_runtime_t, dir)
manage_dirs_pattern(screen_domain, screen_home_t, screen_home_t)
read_files_pattern(screen_domain, screen_home_t, screen_home_t)
@@ -91,8 +87,7 @@ fs_getattr_all_fs(screen_domain)
auth_dontaudit_read_shadow(screen_domain)
auth_dontaudit_exec_utempter(screen_domain)
-
-init_rw_utmp(screen_domain)
+auth_rw_utmp(screen_domain)
logging_send_syslog_msg(screen_domain)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-01-23 15:44 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2017-01-23 15:44 UTC (permalink / raw
To: gentoo-commits
commit: 6f672d3b95cc16e632a122d530c7b406e0b634a3
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Jan 15 18:33:09 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Jan 23 12:56:05 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6f672d3b
screen: Revert broken interface call.
policy/modules/contrib/screen.te | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/screen.te b/policy/modules/contrib/screen.te
index 91967b0..ab14ac3 100644
--- a/policy/modules/contrib/screen.te
+++ b/policy/modules/contrib/screen.te
@@ -1,4 +1,4 @@
-policy_module(screen, 2.7.2)
+policy_module(screen, 2.7.3)
########################################
#
@@ -87,7 +87,8 @@ fs_getattr_all_fs(screen_domain)
auth_dontaudit_read_shadow(screen_domain)
auth_dontaudit_exec_utempter(screen_domain)
-auth_rw_utmp(screen_domain)
+
+init_rw_utmp(screen_domain)
logging_send_syslog_msg(screen_domain)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-01-13 18:43 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2017-01-13 18:43 UTC (permalink / raw
To: gentoo-commits
commit: d49992a94bdadb621c569535a9c2b20fdd273cd7
Author: cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Sun Jan 8 14:10:29 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Jan 13 18:42:04 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d49992a9
update gpg module
* remove dead type aliases
* prefix pinentry_exec_t with gpg module name
policy/modules/contrib/gpg.fc | 22 +++++++++++-----------
policy/modules/contrib/gpg.te | 23 +++++++----------------
2 files changed, 18 insertions(+), 27 deletions(-)
diff --git a/policy/modules/contrib/gpg.fc b/policy/modules/contrib/gpg.fc
index da72db0..c428eb5 100644
--- a/policy/modules/contrib/gpg.fc
+++ b/policy/modules/contrib/gpg.fc
@@ -1,14 +1,14 @@
-HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
-HOME_DIR/\.gnupg/log-socket -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
-HOME_DIR/\.gnupg/S\.gpg-agent.* -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
-HOME_DIR/\.gnupg/S\.scdaemon -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
+HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
+HOME_DIR/\.gnupg/log-socket -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
+HOME_DIR/\.gnupg/S\.gpg-agent.* -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
+HOME_DIR/\.gnupg/S\.scdaemon -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
-/usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0)
-/usr/bin/gpgsm -- gen_context(system_u:object_r:gpg_exec_t,s0)
-/usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0)
-/usr/bin/pinentry.* -- gen_context(system_u:object_r:pinentry_exec_t,s0)
+/usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0)
+/usr/bin/gpgsm -- gen_context(system_u:object_r:gpg_exec_t,s0)
+/usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0)
+/usr/bin/pinentry.* -- gen_context(system_u:object_r:gpg_pinentry_exec_t,s0)
-/usr/lib/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0)
-/usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0)
+/usr/lib/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0)
+/usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0)
-/run/user/%{USERID}/gnupg(/.*)? gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
+/run/user/%{USERID}/gnupg(/.*)? gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index 62f5827..dca3a22 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -26,40 +26,29 @@ attribute_role gpg_pinentry_roles;
type gpg_t;
type gpg_exec_t;
-typealias gpg_t alias { user_gpg_t staff_gpg_t sysadm_gpg_t };
-typealias gpg_t alias { auditadm_gpg_t secadm_gpg_t };
userdom_user_application_domain(gpg_t, gpg_exec_t)
role gpg_roles types gpg_t;
type gpg_agent_t;
type gpg_agent_exec_t;
-typealias gpg_agent_t alias { user_gpg_agent_t staff_gpg_agent_t sysadm_gpg_agent_t };
-typealias gpg_agent_t alias { auditadm_gpg_agent_t secadm_gpg_agent_t };
userdom_user_application_domain(gpg_agent_t, gpg_agent_exec_t)
role gpg_agent_roles types gpg_agent_t;
type gpg_agent_tmp_t;
-typealias gpg_agent_tmp_t alias { user_gpg_agent_tmp_t staff_gpg_agent_tmp_t sysadm_gpg_agent_tmp_t };
-typealias gpg_agent_tmp_t alias { auditadm_gpg_agent_tmp_t secadm_gpg_agent_tmp_t };
userdom_user_tmp_file(gpg_agent_tmp_t)
type gpg_secret_t;
-typealias gpg_secret_t alias { user_gpg_secret_t staff_gpg_secret_t sysadm_gpg_secret_t };
-typealias gpg_secret_t alias { auditadm_gpg_secret_t secadm_gpg_secret_t };
userdom_user_home_content(gpg_secret_t)
type gpg_helper_t;
type gpg_helper_exec_t;
-typealias gpg_helper_t alias { user_gpg_helper_t staff_gpg_helper_t sysadm_gpg_helper_t };
-typealias gpg_helper_t alias { auditadm_gpg_helper_t secadm_gpg_helper_t };
userdom_user_application_domain(gpg_helper_t, gpg_helper_exec_t)
role gpg_helper_roles types gpg_helper_t;
type gpg_pinentry_t;
-type pinentry_exec_t;
-typealias gpg_pinentry_t alias { user_gpg_pinentry_t staff_gpg_pinentry_t sysadm_gpg_pinentry_t };
-typealias gpg_pinentry_t alias { auditadm_gpg_pinentry_t secadm_gpg_pinentry_t };
-userdom_user_application_domain(gpg_pinentry_t, pinentry_exec_t)
+type gpg_pinentry_exec_t;
+typealias gpg_pinentry_exec_t alias pinentry_exec_t; # 20170105
+userdom_user_application_domain(gpg_pinentry_t, gpg_pinentry_exec_t)
role gpg_pinentry_roles types gpg_pinentry_t;
type gpg_pinentry_tmp_t;
@@ -99,6 +88,8 @@ domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)
kernel_read_sysctl(gpg_t)
+# read /proc/cpuinfo
+kernel_read_system_state(gpg_t)
corecmd_exec_shell(gpg_t)
corecmd_exec_bin(gpg_t)
@@ -235,7 +226,7 @@ filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-
filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.ssh")
filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.scdaemon")
-domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t)
+domtrans_pattern(gpg_agent_t, gpg_pinentry_exec_t, gpg_pinentry_t)
kernel_dontaudit_search_sysctl(gpg_agent_t)
kernel_read_core_if(gpg_agent_t)
@@ -305,7 +296,7 @@ manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
manage_files_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir })
-can_exec(gpg_pinentry_t, pinentry_exec_t)
+can_exec(gpg_pinentry_t, gpg_pinentry_exec_t)
kernel_read_system_state(gpg_pinentry_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-01-13 18:43 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2017-01-13 18:43 UTC (permalink / raw
To: gentoo-commits
commit: 2de54e4adba981379d14e07bba8ab110e65942c9
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Tue Jan 10 01:33:35 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Jan 13 18:42:11 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2de54e4a
Module version bumps for patches from cgzones.
policy/modules/contrib/dphysswapfile.te | 2 +-
policy/modules/contrib/fakehwclock.te | 2 +-
policy/modules/contrib/gpg.te | 2 +-
policy/modules/contrib/irqbalance.te | 2 +-
policy/modules/contrib/loadkeys.te | 2 +-
5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/policy/modules/contrib/dphysswapfile.te b/policy/modules/contrib/dphysswapfile.te
index 1dabdb1..485372a 100644
--- a/policy/modules/contrib/dphysswapfile.te
+++ b/policy/modules/contrib/dphysswapfile.te
@@ -1,4 +1,4 @@
-policy_module(dphysswapfile, 0.0.1)
+policy_module(dphysswapfile, 1.0.0)
########################################
#
diff --git a/policy/modules/contrib/fakehwclock.te b/policy/modules/contrib/fakehwclock.te
index 6f2958f..b5cf663 100644
--- a/policy/modules/contrib/fakehwclock.te
+++ b/policy/modules/contrib/fakehwclock.te
@@ -1,4 +1,4 @@
-policy_module(fakehwclock, 0.0.1)
+policy_module(fakehwclock, 1.0.0)
########################################
#
diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index dca3a22..44ee6ca 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -1,4 +1,4 @@
-policy_module(gpg, 2.10.3)
+policy_module(gpg, 2.10.4)
########################################
#
diff --git a/policy/modules/contrib/irqbalance.te b/policy/modules/contrib/irqbalance.te
index 7c8af64..5ce12a3 100644
--- a/policy/modules/contrib/irqbalance.te
+++ b/policy/modules/contrib/irqbalance.te
@@ -1,4 +1,4 @@
-policy_module(irqbalance, 1.8.1)
+policy_module(irqbalance, 1.8.2)
########################################
#
diff --git a/policy/modules/contrib/loadkeys.te b/policy/modules/contrib/loadkeys.te
index 45583cf..2ad9e9d 100644
--- a/policy/modules/contrib/loadkeys.te
+++ b/policy/modules/contrib/loadkeys.te
@@ -1,4 +1,4 @@
-policy_module(loadkeys, 1.10.0)
+policy_module(loadkeys, 1.10.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-01-13 18:43 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2017-01-13 18:43 UTC (permalink / raw
To: gentoo-commits
commit: daf2971d9e410585f2bcb9599a40ea969466a060
Author: cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Thu Jan 5 19:59:37 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Jan 13 18:42:07 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=daf2971d
update irqbalance module
policy/modules/contrib/irqbalance.fc | 8 +++++---
policy/modules/contrib/irqbalance.if | 7 ++++---
policy/modules/contrib/irqbalance.te | 22 +++++++++-------------
3 files changed, 18 insertions(+), 19 deletions(-)
diff --git a/policy/modules/contrib/irqbalance.fc b/policy/modules/contrib/irqbalance.fc
index acc75dd..7753008 100644
--- a/policy/modules/contrib/irqbalance.fc
+++ b/policy/modules/contrib/irqbalance.fc
@@ -1,5 +1,7 @@
-/etc/rc\.d/init\.d/irqbalance -- gen_context(system_u:object_r:irqbalance_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/irqbalance -- gen_context(system_u:object_r:irqbalance_initrc_exec_t,s0)
-/usr/sbin/irqbalance -- gen_context(system_u:object_r:irqbalance_exec_t,s0)
+/usr/lib/systemd/system/irqbalance\.service -- gen_context(system_u:object_r:irqbalance_unit_t,s0)
-/run/irqbalance\.pid -- gen_context(system_u:object_r:irqbalance_var_run_t,s0)
+/run/irqbalance\.pid -- gen_context(system_u:object_r:irqbalance_pid_t,s0)
+
+/usr/sbin/irqbalance -- gen_context(system_u:object_r:irqbalance_exec_t,s0)
diff --git a/policy/modules/contrib/irqbalance.if b/policy/modules/contrib/irqbalance.if
index 9e943d3..a8e452f 100644
--- a/policy/modules/contrib/irqbalance.if
+++ b/policy/modules/contrib/irqbalance.if
@@ -19,14 +19,15 @@
#
interface(`irqbalance_admin',`
gen_require(`
- type irqbalance_t, irqbalance_initrc_exec_t, irqbalance_var_run_t;
+ type irqbalance_t, irqbalance_initrc_exec_t;
+ type irqbalance_pid_t, irqbalance_unit_t;
')
allow $1 irqbalance_t:process { ptrace signal_perms };
ps_process_pattern($1, irqbalance_t)
- init_startstop_service($1, $2, irqbalance_t, irqbalance_initrc_exec_t)
+ init_startstop_service($1, $2, irqbalance_t, irqbalance_initrc_exec_t, irqbalance_unit_t)
files_search_pids($1)
- admin_pattern($1, irqbalance_var_run_t)
+ admin_pattern($1, irqbalance_pid_t)
')
diff --git a/policy/modules/contrib/irqbalance.te b/policy/modules/contrib/irqbalance.te
index 0a06815..7c8af64 100644
--- a/policy/modules/contrib/irqbalance.te
+++ b/policy/modules/contrib/irqbalance.te
@@ -12,21 +12,25 @@ init_daemon_domain(irqbalance_t, irqbalance_exec_t)
type irqbalance_initrc_exec_t;
init_script_file(irqbalance_initrc_exec_t)
-type irqbalance_var_run_t;
-files_pid_file(irqbalance_var_run_t)
+type irqbalance_pid_t;
+typealias irqbalance_pid_t alias irqbalance_var_run_t;
+files_pid_file(irqbalance_pid_t)
+
+type irqbalance_unit_t;
+init_unit_file(irqbalance_unit_t)
########################################
#
# Local policy
#
-allow irqbalance_t self:capability { setpcap net_admin };
+allow irqbalance_t self:capability { setpcap };
dontaudit irqbalance_t self:capability sys_tty_config;
allow irqbalance_t self:process { getcap getsched setcap signal_perms };
allow irqbalance_t self:udp_socket create_socket_perms;
-manage_files_pattern(irqbalance_t, irqbalance_var_run_t, irqbalance_var_run_t)
-files_pid_filetrans(irqbalance_t, irqbalance_var_run_t, file)
+manage_files_pattern(irqbalance_t, irqbalance_pid_t, irqbalance_pid_t)
+files_pid_filetrans(irqbalance_t, irqbalance_pid_t, file)
kernel_read_network_state(irqbalance_t)
kernel_read_system_state(irqbalance_t)
@@ -50,14 +54,6 @@ miscfiles_read_localization(irqbalance_t)
userdom_dontaudit_use_unpriv_user_fds(irqbalance_t)
userdom_dontaudit_search_user_home_dirs(irqbalance_t)
-ifdef(`hide_broken_symptoms',`
- dontaudit irqbalance_t self:capability sys_module;
-')
-
-optional_policy(`
- seutil_sigchld_newrole(irqbalance_t)
-')
-
optional_policy(`
udev_read_db(irqbalance_t)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-01-13 18:43 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2017-01-13 18:43 UTC (permalink / raw
To: gentoo-commits
commit: c72f1e4fdabf0695266956696329d063be64a398
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Mon Jan 2 18:28:56 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Jan 13 18:40:49 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c72f1e4f
Module version bump for mozilla update from Guido Trentalancia.
policy/modules/contrib/mozilla.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
index 08ad6a1..454bd3d 100644
--- a/policy/modules/contrib/mozilla.te
+++ b/policy/modules/contrib/mozilla.te
@@ -1,4 +1,4 @@
-policy_module(mozilla, 2.10.5)
+policy_module(mozilla, 2.10.6)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-01-13 18:43 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2017-01-13 18:43 UTC (permalink / raw
To: gentoo-commits
commit: 8633756a1c6a363cd56ef5571b6266b8849ca10c
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Mon Jan 2 18:10:39 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Jan 13 18:40:45 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8633756a
boinc: Update from Russell Coker.
policy/modules/contrib/boinc.te | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/boinc.te b/policy/modules/contrib/boinc.te
index 557c8f9..0296cd1 100644
--- a/policy/modules/contrib/boinc.te
+++ b/policy/modules/contrib/boinc.te
@@ -1,4 +1,4 @@
-policy_module(boinc, 1.4.0)
+policy_module(boinc, 1.4.1)
########################################
#
@@ -85,6 +85,7 @@ domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)
kernel_read_system_state(boinc_t)
kernel_search_vm_sysctl(boinc_t)
+kernel_read_crypto_sysctls(boinc_t)
corenet_all_recvfrom_unlabeled(boinc_t)
corenet_all_recvfrom_netlabel(boinc_t)
@@ -155,6 +156,13 @@ optional_policy(`
sysnet_dns_name_resolve(boinc_t)
')
+optional_policy(`
+ corenet_tcp_connect_xserver_port(boinc_t)
+
+ xserver_list_xdm_tmp(boinc_t)
+ xserver_non_drawing_client(boinc_t)
+')
+
########################################
#
# Project local policy
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-01-13 18:43 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2017-01-13 18:43 UTC (permalink / raw
To: gentoo-commits
commit: af66987e2bf472c609166af2e3364c4f14312c5f
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Mon Jan 2 00:15:41 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Jan 13 18:40:48 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=af66987e
mozilla: execute evolution to send emails
Let mozilla execute evolution in its own domain to send emails.
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/mozilla.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
index 3034af8..08ad6a1 100644
--- a/policy/modules/contrib/mozilla.te
+++ b/policy/modules/contrib/mozilla.te
@@ -258,6 +258,10 @@ optional_policy(`
')
optional_policy(`
+ evolution_domtrans(mozilla_t)
+')
+
+optional_policy(`
gnome_stream_connect_gconf(mozilla_t)
gnome_manage_generic_gconf_home_content(mozilla_t)
gnome_home_filetrans_gconf_home(mozilla_t, dir, ".gconf")
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2017-01-13 18:43 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2017-01-13 18:43 UTC (permalink / raw
To: gentoo-commits
commit: ad6c6888c3d4e5307bc21ceeeef69674c9530ac7
Author: cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Thu Jan 5 19:29:56 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Jan 13 18:40:52 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ad6c6888
update loadkeys module
policy/modules/contrib/loadkeys.fc | 4 ++--
policy/modules/contrib/loadkeys.te | 11 ++++-------
2 files changed, 6 insertions(+), 9 deletions(-)
diff --git a/policy/modules/contrib/loadkeys.fc b/policy/modules/contrib/loadkeys.fc
index e50749f..c6fe71b 100644
--- a/policy/modules/contrib/loadkeys.fc
+++ b/policy/modules/contrib/loadkeys.fc
@@ -1,5 +1,5 @@
-/bin/loadkeys -- gen_context(system_u:object_r:loadkeys_exec_t,s0)
-/bin/unikeys -- gen_context(system_u:object_r:loadkeys_exec_t,s0)
+/bin/loadkeys -- gen_context(system_u:object_r:loadkeys_exec_t,s0)
+/bin/unikeys -- gen_context(system_u:object_r:loadkeys_exec_t,s0)
/usr/bin/loadkeys -- gen_context(system_u:object_r:loadkeys_exec_t,s0)
/usr/bin/unikeys -- gen_context(system_u:object_r:loadkeys_exec_t,s0)
diff --git a/policy/modules/contrib/loadkeys.te b/policy/modules/contrib/loadkeys.te
index 07b72a7..45583cf 100644
--- a/policy/modules/contrib/loadkeys.te
+++ b/policy/modules/contrib/loadkeys.te
@@ -19,6 +19,7 @@ role loadkeys_roles types loadkeys_t;
allow loadkeys_t self:capability { dac_override dac_read_search setuid sys_tty_config };
allow loadkeys_t self:fifo_file rw_fifo_file_perms;
+allow loadkeys_t self:unix_stream_socket { connect create };
kernel_read_system_state(loadkeys_t)
@@ -29,13 +30,13 @@ files_read_etc_files(loadkeys_t)
files_read_etc_runtime_files(loadkeys_t)
# keymap files are in /usr/share/keymaps or /usr/share/kbd/keymaps
files_read_usr_files(loadkeys_t)
+files_search_pids(loadkeys_t)
+files_search_src(loadkeys_t)
+files_search_tmp(loadkeys_t)
term_dontaudit_use_console(loadkeys_t)
term_use_unallocated_ttys(loadkeys_t)
-init_dontaudit_use_fds(loadkeys_t)
-init_dontaudit_use_script_ptys(loadkeys_t)
-
locallogin_use_fds(loadkeys_t)
miscfiles_read_localization(loadkeys_t)
@@ -43,10 +44,6 @@ miscfiles_read_localization(loadkeys_t)
userdom_use_user_ttys(loadkeys_t)
userdom_list_user_home_content(loadkeys_t)
-ifdef(`hide_broken_symptoms',`
- dev_dontaudit_rw_lvm_control(loadkeys_t)
-')
-
optional_policy(`
keyboardd_read_pipes(loadkeys_t)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-12-11 15:05 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-12-11 15:05 UTC (permalink / raw
To: gentoo-commits
commit: 916def21ffb97eafafd694acaf86ddc259733371
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Thu Dec 8 23:34:11 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Dec 11 14:57:26 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=916def21
Module version bumps for patches from Guido Trentalancia.
policy/modules/contrib/evolution.te | 2 +-
policy/modules/contrib/mozilla.te | 2 +-
policy/modules/contrib/openoffice.te | 2 +-
policy/modules/contrib/thunderbird.te | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/policy/modules/contrib/evolution.te b/policy/modules/contrib/evolution.te
index 29031e0..cdde543 100644
--- a/policy/modules/contrib/evolution.te
+++ b/policy/modules/contrib/evolution.te
@@ -1,4 +1,4 @@
-policy_module(evolution, 2.5.1)
+policy_module(evolution, 2.5.2)
########################################
#
diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
index 4eca30b..fb30987 100644
--- a/policy/modules/contrib/mozilla.te
+++ b/policy/modules/contrib/mozilla.te
@@ -1,4 +1,4 @@
-policy_module(mozilla, 2.10.1)
+policy_module(mozilla, 2.10.2)
########################################
#
diff --git a/policy/modules/contrib/openoffice.te b/policy/modules/contrib/openoffice.te
index fbb3f4a..9588d41 100644
--- a/policy/modules/contrib/openoffice.te
+++ b/policy/modules/contrib/openoffice.te
@@ -1,4 +1,4 @@
-policy_module(openoffice, 1.0.0)
+policy_module(openoffice, 1.0.1)
##############################
#
diff --git a/policy/modules/contrib/thunderbird.te b/policy/modules/contrib/thunderbird.te
index a28ae1a..609658a 100644
--- a/policy/modules/contrib/thunderbird.te
+++ b/policy/modules/contrib/thunderbird.te
@@ -1,4 +1,4 @@
-policy_module(thunderbird, 2.4.1)
+policy_module(thunderbird, 2.4.2)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-12-11 15:05 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-12-11 15:05 UTC (permalink / raw
To: gentoo-commits
commit: e9482a3144076e24b1f8c2fca0d12751011a35a3
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Dec 11 15:02:34 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Dec 11 15:02:34 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e9482a31
portage: allow to read vm overcommit
policy/modules/contrib/portage.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/contrib/portage.te b/policy/modules/contrib/portage.te
index 52c6bf9..87ca0c6 100644
--- a/policy/modules/contrib/portage.te
+++ b/policy/modules/contrib/portage.te
@@ -444,6 +444,8 @@ gen_tunable(portage_enable_test, false)
allow portage_t portage_exec_t:file relabel_file_perms;
allow portage_t portage_fetch_exec_t:file relabel_file_perms;
+ kernel_read_vm_overcommit_sysctl(portage_t)
+
# Portage is selinuxaware, transitions on calling ebuild, now marked as bin_t
corecmd_bin_entry_type(portage_t)
# Support self-update of Portage
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-12-11 15:05 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-12-11 15:05 UTC (permalink / raw
To: gentoo-commits
commit: dad6881ee3fe0f4bd69e0e157d4d7b8b6a6e36e6
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Wed Dec 7 13:04:00 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Dec 11 14:57:26 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=dad6881e
openoffice: rename two interfaces in openoffice and evolution
Rename 1 openoffice interface and 1 evolution interfaces that
have been recently added with the new openoffice module.
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/evolution.if | 2 +-
policy/modules/contrib/evolution.te | 2 +-
policy/modules/contrib/mozilla.te | 2 +-
policy/modules/contrib/openoffice.if | 2 +-
policy/modules/contrib/openoffice.te | 2 +-
policy/modules/contrib/thunderbird.te | 2 +-
6 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/policy/modules/contrib/evolution.if b/policy/modules/contrib/evolution.if
index 558f68e..4319443 100644
--- a/policy/modules/contrib/evolution.if
+++ b/policy/modules/contrib/evolution.if
@@ -115,7 +115,7 @@ interface(`evolution_home_filetrans',`
## </summary>
## </param>
#
-interface(`evolution_read_evolution_home_files',`
+interface(`evolution_read_home_files',`
gen_require(`
type evolution_t, evolution_home_t;
')
diff --git a/policy/modules/contrib/evolution.te b/policy/modules/contrib/evolution.te
index 64cc6a6..29031e0 100644
--- a/policy/modules/contrib/evolution.te
+++ b/policy/modules/contrib/evolution.te
@@ -271,7 +271,7 @@ optional_policy(`
optional_policy(`
ooffice_domtrans(evolution_t)
- ooffice_rw_ooffice_tmp_files(evolution_t)
+ ooffice_rw_tmp_files(evolution_t)
')
optional_policy(`
diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
index 20fc82e..e2bcbab 100644
--- a/policy/modules/contrib/mozilla.te
+++ b/policy/modules/contrib/mozilla.te
@@ -274,7 +274,7 @@ optional_policy(`
optional_policy(`
ooffice_domtrans(mozilla_t)
- ooffice_rw_ooffice_tmp_files(mozilla_t)
+ ooffice_rw_tmp_files(mozilla_t)
')
optional_policy(`
diff --git a/policy/modules/contrib/openoffice.if b/policy/modules/contrib/openoffice.if
index e47acf7..5a579e0 100644
--- a/policy/modules/contrib/openoffice.if
+++ b/policy/modules/contrib/openoffice.if
@@ -60,7 +60,7 @@ interface(`ooffice_domtrans',`
## </summary>
## </param>
#
-interface(`ooffice_rw_ooffice_tmp_files',`
+interface(`ooffice_rw_tmp_files',`
gen_require(`
type ooffice_tmp_t;
')
diff --git a/policy/modules/contrib/openoffice.te b/policy/modules/contrib/openoffice.te
index 1500fd2..fbb3f4a 100644
--- a/policy/modules/contrib/openoffice.te
+++ b/policy/modules/contrib/openoffice.te
@@ -92,7 +92,7 @@ optional_policy(`
optional_policy(`
evolution_domtrans(ooffice_t)
- evolution_read_evolution_home_files(ooffice_t)
+ evolution_read_home_files(ooffice_t)
')
optional_policy(`
diff --git a/policy/modules/contrib/thunderbird.te b/policy/modules/contrib/thunderbird.te
index 52192c0..a28ae1a 100644
--- a/policy/modules/contrib/thunderbird.te
+++ b/policy/modules/contrib/thunderbird.te
@@ -210,5 +210,5 @@ ifdef(`distro_gentoo',`
optional_policy(`
ooffice_domtrans(thunderbird_t)
- ooffice_rw_ooffice_tmp_files(thunderbird_t)
+ ooffice_rw_tmp_files(thunderbird_t)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-12-11 15:05 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-12-11 15:05 UTC (permalink / raw
To: gentoo-commits
commit: 26f4988f2a2f51156e24f424d6619bcf43c8c601
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Wed Dec 7 16:49:53 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Dec 11 14:57:26 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=26f4988f
mozilla: extend dbus connection permissions
Allow dbus_connect_all_session_bus() not only from the
mozilla_plugin_t domain but also from the mozilla_t domain.
This is currently required by the epiphany web browser.
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/mozilla.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
index e2bcbab..4eca30b 100644
--- a/policy/modules/contrib/mozilla.te
+++ b/policy/modules/contrib/mozilla.te
@@ -236,6 +236,7 @@ optional_policy(`
optional_policy(`
dbus_all_session_bus_client(mozilla_t)
+ dbus_connect_all_session_bus(mozilla_t)
dbus_system_bus_client(mozilla_t)
optional_policy(`
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-12-08 5:03 Jason Zaman
2016-12-08 4:47 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2016-12-08 5:03 UTC (permalink / raw
To: gentoo-commits
commit: 04485a6efa37a46b0b2d4a329f1fc99133bc8728
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Tue Dec 6 20:41:47 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec 8 04:47:22 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=04485a6e
Apache OpenOffice module (contrib policy part)
This is a patch that I have created and tested to support Apache
OpenOffice with its own module (contrib policy part, 2/2).
The file contexts (and initial tests) are based on the default
installation path for version 4 of the office suite.
Since the second version it includes revisions from Dominick Grift.
Since the third version it should correctly manage files in home
directories and allow some other major functionality.
The fourth version of the patch introduces a boolean to enable or
disable software updates from the network (application and/or
extensions).
The fifth version of the patch adds the ability to connect to the
X display manager (XDM) using Unix domain sockets (interface
xserver_stream_connect_xdm()). Also the fifth version splits the
whole patch into separate base policy / contrib policy patches as
required.
The sixth version of the patch adds the ability to run the
evolution email application.
The seventh version of the patch, improves the integration with
the evolution email application.
The eighth version of the patch, adds the support for integration
with mozilla and improves the integration with thunderbird.
This nineth version of the patch, avoids auditing some denial
messages.
All released versions are safe to apply, each new version just
brings improved application functionality and better integration
with other desktop applications.
Although this patch has only been tested with Apache OpenOffice
version 4, it might also work with earlier versions (in particular
version 3) or at least it can be easily adapted for the purpose.
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/evolution.if | 38 +++++++++++
policy/modules/contrib/evolution.te | 5 ++
policy/modules/contrib/mozilla.te | 5 ++
policy/modules/contrib/openoffice.fc | 30 +++++++++
policy/modules/contrib/openoffice.if | 88 +++++++++++++++++++++++++
policy/modules/contrib/openoffice.te | 120 ++++++++++++++++++++++++++++++++++
policy/modules/contrib/thunderbird.te | 5 ++
7 files changed, 291 insertions(+)
diff --git a/policy/modules/contrib/evolution.if b/policy/modules/contrib/evolution.if
index 7c21ba1..558f68e 100644
--- a/policy/modules/contrib/evolution.if
+++ b/policy/modules/contrib/evolution.if
@@ -107,6 +107,24 @@ interface(`evolution_home_filetrans',`
########################################
## <summary>
+## Read evolution home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`evolution_read_evolution_home_files',`
+ gen_require(`
+ type evolution_t, evolution_home_t;
+ ')
+
+ read_files_pattern($1, evolution_home_t, evolution_home_t)
+')
+
+########################################
+## <summary>
## Connect to evolution using a unix
## domain stream socket.
## </summary>
@@ -188,3 +206,23 @@ interface(`evolution_alarm_dbus_chat',`
allow $1 evolution_alarm_t:dbus send_msg;
allow evolution_alarm_t $1:dbus send_msg;
')
+
+########################################
+## <summary>
+## Make a domain transition to the
+## evolution target domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`evolution_domtrans',`
+ gen_require(`
+ type evolution_t, evolution_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, evolution_exec_t, evolution_t);
+')
diff --git a/policy/modules/contrib/evolution.te b/policy/modules/contrib/evolution.te
index 1d5421b..e5adf09 100644
--- a/policy/modules/contrib/evolution.te
+++ b/policy/modules/contrib/evolution.te
@@ -270,6 +270,11 @@ optional_policy(`
')
optional_policy(`
+ ooffice_domtrans(evolution_t)
+ ooffice_rw_ooffice_tmp_files(evolution_t)
+')
+
+optional_policy(`
spamassassin_exec_spamd(evolution_t)
spamassassin_domtrans_client(evolution_t)
spamassassin_domtrans_local_client(evolution_t)
diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
index 1331491..f755c6b 100644
--- a/policy/modules/contrib/mozilla.te
+++ b/policy/modules/contrib/mozilla.te
@@ -273,6 +273,11 @@ optional_policy(`
')
optional_policy(`
+ ooffice_domtrans(mozilla_t)
+ ooffice_rw_ooffice_tmp_files(mozilla_t)
+')
+
+optional_policy(`
pulseaudio_run(mozilla_t, mozilla_roles)
pulseaudio_rw_tmpfs_files(mozilla_t)
pulseaudio_use_fds(mozilla_t)
diff --git a/policy/modules/contrib/openoffice.fc b/policy/modules/contrib/openoffice.fc
new file mode 100644
index 0000000..6613bb4
--- /dev/null
+++ b/policy/modules/contrib/openoffice.fc
@@ -0,0 +1,30 @@
+HOME_DIR/\.openoffice(\.org)?(/.*)? gen_context(system_u:object_r:ooffice_home_t,s0)
+
+/opt/openoffice(.*)?/program/cde-open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/gnome-open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/gnome-open-url\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/javaldx -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/kde-open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/pagein -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/regcomp\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/regmerge -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/regview -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/sbase -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/scalc -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/sdraw -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/senddoc -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/simpress -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/smath -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/soffice -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/soffice\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/spadmin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/spadmin\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/startup\.sh -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/swriter -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/uno\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/unoinfo -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/unopkg -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/unopkg\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/unpack_update -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/uri-encode -- gen_context(system_u:object_r:ooffice_exec_t,s0)
diff --git a/policy/modules/contrib/openoffice.if b/policy/modules/contrib/openoffice.if
new file mode 100644
index 0000000..e47acf7
--- /dev/null
+++ b/policy/modules/contrib/openoffice.if
@@ -0,0 +1,88 @@
+## <summary>Openoffice suite.</summary>
+
+############################################################
+## <summary>
+## Role access for openoffice.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`ooffice_role',`
+ gen_require(`
+ attribute_role ooffice_roles;
+ type ooffice_t, ooffice_exec_t;
+ ')
+
+ roleattribute $1 ooffice_roles;
+
+ allow ooffice_t $2:unix_stream_socket connectto;
+
+ domtrans_pattern($2, ooffice_exec_t, ooffice_t)
+
+ allow $2 ooffice_t:process { ptrace signal_perms };
+ ps_process_pattern($2, ooffice_t)
+')
+
+########################################
+## <summary>
+## Run openoffice in its own domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ooffice_domtrans',`
+ gen_require(`
+ type ooffice_t, ooffice_exec_t;
+ ')
+
+ domtrans_pattern($1, ooffice_exec_t, ooffice_t)
+')
+
+########################################
+## <summary>
+## Read and write temporary
+## openoffice files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ooffice_rw_ooffice_tmp_files',`
+ gen_require(`
+ type ooffice_tmp_t;
+ ')
+
+ rw_files_pattern($1, ooffice_tmp_t, ooffice_tmp_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to execute
+## files in temporary directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`ooffice_dontaudit_exec_tmp_files',`
+ gen_require(`
+ type ooffice_tmp_t;
+ ')
+
+ dontaudit $1 ooffice_tmp_t:file exec_file_perms;
+')
diff --git a/policy/modules/contrib/openoffice.te b/policy/modules/contrib/openoffice.te
new file mode 100644
index 0000000..1500fd2
--- /dev/null
+++ b/policy/modules/contrib/openoffice.te
@@ -0,0 +1,120 @@
+policy_module(openoffice, 1.0.0)
+
+##############################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether openoffice can
+## download software updates from the
+## network (application and/or
+## extensions).
+## </p>
+## </desc>
+gen_tunable(openoffice_allow_update, true)
+
+attribute_role ooffice_roles;
+
+type ooffice_t;
+type ooffice_exec_t;
+userdom_user_application_domain(ooffice_t, ooffice_exec_t)
+role ooffice_roles types ooffice_t;
+
+type ooffice_home_t;
+userdom_user_home_content(ooffice_home_t)
+
+type ooffice_tmp_t;
+files_tmp_file(ooffice_tmp_t)
+
+##############################
+#
+# Openoffice local policy
+#
+
+allow ooffice_t self:process { execmem getsched signal };
+allow ooffice_t self:shm create_shm_perms;
+allow ooffice_t self:fifo_file rw_fifo_file_perms;
+allow ooffice_t self:unix_stream_socket connectto;
+
+allow ooffice_t ooffice_home_t:dir manage_dir_perms;
+allow ooffice_t ooffice_home_t:file manage_file_perms;
+allow ooffice_t ooffice_home_t:lnk_file manage_lnk_file_perms;
+userdom_user_home_dir_filetrans(ooffice_t, ooffice_home_t, dir, ".openoffice")
+
+manage_dirs_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
+manage_files_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
+manage_sock_files_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
+files_tmp_filetrans(ooffice_t, ooffice_tmp_t, { dir file sock_file })
+
+can_exec(ooffice_t, ooffice_exec_t)
+
+corecmd_exec_bin(ooffice_t)
+corecmd_exec_shell(ooffice_t)
+
+dev_read_sysfs(ooffice_t)
+dev_read_urand(ooffice_t)
+
+files_getattr_all_dirs(ooffice_t)
+files_getattr_all_files(ooffice_t)
+files_getattr_all_symlinks(ooffice_t)
+files_read_etc_files(ooffice_t)
+files_read_usr_files(ooffice_t)
+
+fs_getattr_xattr_fs(ooffice_t)
+
+miscfiles_read_fonts(ooffice_t)
+miscfiles_read_localization(ooffice_t)
+
+ooffice_dontaudit_exec_tmp_files(ooffice_t)
+
+sysnet_dns_name_resolve(ooffice_t)
+
+userdom_dontaudit_exec_user_home_content_files(ooffice_t)
+userdom_manage_user_home_content_dirs(ooffice_t)
+userdom_manage_user_home_content_files(ooffice_t)
+userdom_manage_user_home_content_symlinks(ooffice_t)
+userdom_user_home_dir_filetrans_user_home_content(ooffice_t, { dir file lnk_file fifo_file sock_file })
+
+tunable_policy(`openoffice_allow_update',`
+ corenet_tcp_connect_http_port(ooffice_t)
+')
+
+optional_policy(`
+ cups_read_config(ooffice_t)
+ cups_stream_connect(ooffice_t)
+')
+
+optional_policy(`
+ dbus_all_session_bus_client(ooffice_t)
+')
+
+optional_policy(`
+ evolution_domtrans(ooffice_t)
+ evolution_read_evolution_home_files(ooffice_t)
+')
+
+optional_policy(`
+ hostname_exec(ooffice_t)
+')
+
+optional_policy(`
+ java_exec(ooffice_t)
+')
+
+optional_policy(`
+ mozilla_domtrans(ooffice_t)
+')
+
+optional_policy(`
+ thunderbird_domtrans(ooffice_t)
+')
+
+optional_policy(`
+ xserver_read_user_iceauth(ooffice_t)
+ xserver_read_user_xauth(ooffice_t)
+ xserver_read_xdm_tmp_files(ooffice_t)
+ xserver_stream_connect(ooffice_t)
+ xserver_stream_connect_xdm(ooffice_t)
+')
diff --git a/policy/modules/contrib/thunderbird.te b/policy/modules/contrib/thunderbird.te
index cbf9e39..844d07f 100644
--- a/policy/modules/contrib/thunderbird.te
+++ b/policy/modules/contrib/thunderbird.te
@@ -207,3 +207,8 @@ ifdef(`distro_gentoo',`
pulseaudio_client_domain(thunderbird_t, thunderbird_tmpfs_t)
')
')
+
+optional_policy(`
+ ooffice_domtrans(thunderbird_t)
+ ooffice_rw_ooffice_tmp_files(thunderbird_t)
+')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2016-12-08 5:03 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
@ 2016-12-08 4:47 ` Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-12-08 4:47 UTC (permalink / raw
To: gentoo-commits
commit: 04485a6efa37a46b0b2d4a329f1fc99133bc8728
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Tue Dec 6 20:41:47 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec 8 04:47:22 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=04485a6e
Apache OpenOffice module (contrib policy part)
This is a patch that I have created and tested to support Apache
OpenOffice with its own module (contrib policy part, 2/2).
The file contexts (and initial tests) are based on the default
installation path for version 4 of the office suite.
Since the second version it includes revisions from Dominick Grift.
Since the third version it should correctly manage files in home
directories and allow some other major functionality.
The fourth version of the patch introduces a boolean to enable or
disable software updates from the network (application and/or
extensions).
The fifth version of the patch adds the ability to connect to the
X display manager (XDM) using Unix domain sockets (interface
xserver_stream_connect_xdm()). Also the fifth version splits the
whole patch into separate base policy / contrib policy patches as
required.
The sixth version of the patch adds the ability to run the
evolution email application.
The seventh version of the patch, improves the integration with
the evolution email application.
The eighth version of the patch, adds the support for integration
with mozilla and improves the integration with thunderbird.
This nineth version of the patch, avoids auditing some denial
messages.
All released versions are safe to apply, each new version just
brings improved application functionality and better integration
with other desktop applications.
Although this patch has only been tested with Apache OpenOffice
version 4, it might also work with earlier versions (in particular
version 3) or at least it can be easily adapted for the purpose.
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/evolution.if | 38 +++++++++++
policy/modules/contrib/evolution.te | 5 ++
policy/modules/contrib/mozilla.te | 5 ++
policy/modules/contrib/openoffice.fc | 30 +++++++++
policy/modules/contrib/openoffice.if | 88 +++++++++++++++++++++++++
policy/modules/contrib/openoffice.te | 120 ++++++++++++++++++++++++++++++++++
policy/modules/contrib/thunderbird.te | 5 ++
7 files changed, 291 insertions(+)
diff --git a/policy/modules/contrib/evolution.if b/policy/modules/contrib/evolution.if
index 7c21ba1..558f68e 100644
--- a/policy/modules/contrib/evolution.if
+++ b/policy/modules/contrib/evolution.if
@@ -107,6 +107,24 @@ interface(`evolution_home_filetrans',`
########################################
## <summary>
+## Read evolution home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`evolution_read_evolution_home_files',`
+ gen_require(`
+ type evolution_t, evolution_home_t;
+ ')
+
+ read_files_pattern($1, evolution_home_t, evolution_home_t)
+')
+
+########################################
+## <summary>
## Connect to evolution using a unix
## domain stream socket.
## </summary>
@@ -188,3 +206,23 @@ interface(`evolution_alarm_dbus_chat',`
allow $1 evolution_alarm_t:dbus send_msg;
allow evolution_alarm_t $1:dbus send_msg;
')
+
+########################################
+## <summary>
+## Make a domain transition to the
+## evolution target domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`evolution_domtrans',`
+ gen_require(`
+ type evolution_t, evolution_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, evolution_exec_t, evolution_t);
+')
diff --git a/policy/modules/contrib/evolution.te b/policy/modules/contrib/evolution.te
index 1d5421b..e5adf09 100644
--- a/policy/modules/contrib/evolution.te
+++ b/policy/modules/contrib/evolution.te
@@ -270,6 +270,11 @@ optional_policy(`
')
optional_policy(`
+ ooffice_domtrans(evolution_t)
+ ooffice_rw_ooffice_tmp_files(evolution_t)
+')
+
+optional_policy(`
spamassassin_exec_spamd(evolution_t)
spamassassin_domtrans_client(evolution_t)
spamassassin_domtrans_local_client(evolution_t)
diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
index 1331491..f755c6b 100644
--- a/policy/modules/contrib/mozilla.te
+++ b/policy/modules/contrib/mozilla.te
@@ -273,6 +273,11 @@ optional_policy(`
')
optional_policy(`
+ ooffice_domtrans(mozilla_t)
+ ooffice_rw_ooffice_tmp_files(mozilla_t)
+')
+
+optional_policy(`
pulseaudio_run(mozilla_t, mozilla_roles)
pulseaudio_rw_tmpfs_files(mozilla_t)
pulseaudio_use_fds(mozilla_t)
diff --git a/policy/modules/contrib/openoffice.fc b/policy/modules/contrib/openoffice.fc
new file mode 100644
index 0000000..6613bb4
--- /dev/null
+++ b/policy/modules/contrib/openoffice.fc
@@ -0,0 +1,30 @@
+HOME_DIR/\.openoffice(\.org)?(/.*)? gen_context(system_u:object_r:ooffice_home_t,s0)
+
+/opt/openoffice(.*)?/program/cde-open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/gnome-open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/gnome-open-url\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/javaldx -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/kde-open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/pagein -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/regcomp\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/regmerge -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/regview -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/sbase -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/scalc -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/sdraw -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/senddoc -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/simpress -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/smath -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/soffice -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/soffice\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/spadmin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/spadmin\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/startup\.sh -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/swriter -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/uno\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/unoinfo -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/unopkg -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/unopkg\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/unpack_update -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/uri-encode -- gen_context(system_u:object_r:ooffice_exec_t,s0)
diff --git a/policy/modules/contrib/openoffice.if b/policy/modules/contrib/openoffice.if
new file mode 100644
index 0000000..e47acf7
--- /dev/null
+++ b/policy/modules/contrib/openoffice.if
@@ -0,0 +1,88 @@
+## <summary>Openoffice suite.</summary>
+
+############################################################
+## <summary>
+## Role access for openoffice.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`ooffice_role',`
+ gen_require(`
+ attribute_role ooffice_roles;
+ type ooffice_t, ooffice_exec_t;
+ ')
+
+ roleattribute $1 ooffice_roles;
+
+ allow ooffice_t $2:unix_stream_socket connectto;
+
+ domtrans_pattern($2, ooffice_exec_t, ooffice_t)
+
+ allow $2 ooffice_t:process { ptrace signal_perms };
+ ps_process_pattern($2, ooffice_t)
+')
+
+########################################
+## <summary>
+## Run openoffice in its own domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ooffice_domtrans',`
+ gen_require(`
+ type ooffice_t, ooffice_exec_t;
+ ')
+
+ domtrans_pattern($1, ooffice_exec_t, ooffice_t)
+')
+
+########################################
+## <summary>
+## Read and write temporary
+## openoffice files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ooffice_rw_ooffice_tmp_files',`
+ gen_require(`
+ type ooffice_tmp_t;
+ ')
+
+ rw_files_pattern($1, ooffice_tmp_t, ooffice_tmp_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to execute
+## files in temporary directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`ooffice_dontaudit_exec_tmp_files',`
+ gen_require(`
+ type ooffice_tmp_t;
+ ')
+
+ dontaudit $1 ooffice_tmp_t:file exec_file_perms;
+')
diff --git a/policy/modules/contrib/openoffice.te b/policy/modules/contrib/openoffice.te
new file mode 100644
index 0000000..1500fd2
--- /dev/null
+++ b/policy/modules/contrib/openoffice.te
@@ -0,0 +1,120 @@
+policy_module(openoffice, 1.0.0)
+
+##############################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether openoffice can
+## download software updates from the
+## network (application and/or
+## extensions).
+## </p>
+## </desc>
+gen_tunable(openoffice_allow_update, true)
+
+attribute_role ooffice_roles;
+
+type ooffice_t;
+type ooffice_exec_t;
+userdom_user_application_domain(ooffice_t, ooffice_exec_t)
+role ooffice_roles types ooffice_t;
+
+type ooffice_home_t;
+userdom_user_home_content(ooffice_home_t)
+
+type ooffice_tmp_t;
+files_tmp_file(ooffice_tmp_t)
+
+##############################
+#
+# Openoffice local policy
+#
+
+allow ooffice_t self:process { execmem getsched signal };
+allow ooffice_t self:shm create_shm_perms;
+allow ooffice_t self:fifo_file rw_fifo_file_perms;
+allow ooffice_t self:unix_stream_socket connectto;
+
+allow ooffice_t ooffice_home_t:dir manage_dir_perms;
+allow ooffice_t ooffice_home_t:file manage_file_perms;
+allow ooffice_t ooffice_home_t:lnk_file manage_lnk_file_perms;
+userdom_user_home_dir_filetrans(ooffice_t, ooffice_home_t, dir, ".openoffice")
+
+manage_dirs_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
+manage_files_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
+manage_sock_files_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
+files_tmp_filetrans(ooffice_t, ooffice_tmp_t, { dir file sock_file })
+
+can_exec(ooffice_t, ooffice_exec_t)
+
+corecmd_exec_bin(ooffice_t)
+corecmd_exec_shell(ooffice_t)
+
+dev_read_sysfs(ooffice_t)
+dev_read_urand(ooffice_t)
+
+files_getattr_all_dirs(ooffice_t)
+files_getattr_all_files(ooffice_t)
+files_getattr_all_symlinks(ooffice_t)
+files_read_etc_files(ooffice_t)
+files_read_usr_files(ooffice_t)
+
+fs_getattr_xattr_fs(ooffice_t)
+
+miscfiles_read_fonts(ooffice_t)
+miscfiles_read_localization(ooffice_t)
+
+ooffice_dontaudit_exec_tmp_files(ooffice_t)
+
+sysnet_dns_name_resolve(ooffice_t)
+
+userdom_dontaudit_exec_user_home_content_files(ooffice_t)
+userdom_manage_user_home_content_dirs(ooffice_t)
+userdom_manage_user_home_content_files(ooffice_t)
+userdom_manage_user_home_content_symlinks(ooffice_t)
+userdom_user_home_dir_filetrans_user_home_content(ooffice_t, { dir file lnk_file fifo_file sock_file })
+
+tunable_policy(`openoffice_allow_update',`
+ corenet_tcp_connect_http_port(ooffice_t)
+')
+
+optional_policy(`
+ cups_read_config(ooffice_t)
+ cups_stream_connect(ooffice_t)
+')
+
+optional_policy(`
+ dbus_all_session_bus_client(ooffice_t)
+')
+
+optional_policy(`
+ evolution_domtrans(ooffice_t)
+ evolution_read_evolution_home_files(ooffice_t)
+')
+
+optional_policy(`
+ hostname_exec(ooffice_t)
+')
+
+optional_policy(`
+ java_exec(ooffice_t)
+')
+
+optional_policy(`
+ mozilla_domtrans(ooffice_t)
+')
+
+optional_policy(`
+ thunderbird_domtrans(ooffice_t)
+')
+
+optional_policy(`
+ xserver_read_user_iceauth(ooffice_t)
+ xserver_read_user_xauth(ooffice_t)
+ xserver_read_xdm_tmp_files(ooffice_t)
+ xserver_stream_connect(ooffice_t)
+ xserver_stream_connect_xdm(ooffice_t)
+')
diff --git a/policy/modules/contrib/thunderbird.te b/policy/modules/contrib/thunderbird.te
index cbf9e39..844d07f 100644
--- a/policy/modules/contrib/thunderbird.te
+++ b/policy/modules/contrib/thunderbird.te
@@ -207,3 +207,8 @@ ifdef(`distro_gentoo',`
pulseaudio_client_domain(thunderbird_t, thunderbird_tmpfs_t)
')
')
+
+optional_policy(`
+ ooffice_domtrans(thunderbird_t)
+ ooffice_rw_ooffice_tmp_files(thunderbird_t)
+')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-12-08 4:47 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-12-08 4:47 UTC (permalink / raw
To: gentoo-commits
commit: 571467b17b4ed06c9cac315d7d74f02851af398c
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Dec 7 01:18:56 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec 8 04:47:22 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=571467b1
Module version bumps for openoffice patches from Guido Trentalancia.
policy/modules/contrib/evolution.te | 2 +-
policy/modules/contrib/mozilla.te | 2 +-
policy/modules/contrib/thunderbird.te | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/policy/modules/contrib/evolution.te b/policy/modules/contrib/evolution.te
index e5adf09..64cc6a6 100644
--- a/policy/modules/contrib/evolution.te
+++ b/policy/modules/contrib/evolution.te
@@ -1,4 +1,4 @@
-policy_module(evolution, 2.5.0)
+policy_module(evolution, 2.5.1)
########################################
#
diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
index f755c6b..20fc82e 100644
--- a/policy/modules/contrib/mozilla.te
+++ b/policy/modules/contrib/mozilla.te
@@ -1,4 +1,4 @@
-policy_module(mozilla, 2.10.0)
+policy_module(mozilla, 2.10.1)
########################################
#
diff --git a/policy/modules/contrib/thunderbird.te b/policy/modules/contrib/thunderbird.te
index 844d07f..52192c0 100644
--- a/policy/modules/contrib/thunderbird.te
+++ b/policy/modules/contrib/thunderbird.te
@@ -1,4 +1,4 @@
-policy_module(thunderbird, 2.4.0)
+policy_module(thunderbird, 2.4.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-12-06 15:10 Jason Zaman
2016-12-06 15:21 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2016-12-06 15:10 UTC (permalink / raw
To: gentoo-commits
commit: 6fec98ded6c9bda1c731ab48a87265ace6cc43b1
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Dec 6 15:00:17 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec 6 15:02:34 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6fec98de
portage: add signal and FEATURES=test perms
policy/modules/contrib/portage.te | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/portage.te b/policy/modules/contrib/portage.te
index 19bd8c8..52c6bf9 100644
--- a/policy/modules/contrib/portage.te
+++ b/policy/modules/contrib/portage.te
@@ -436,6 +436,8 @@ gen_tunable(portage_enable_test, false)
allow portage_t self:capability2 block_suspend;
+ allow portage_t { portage_fetch_t portage_sandbox_t }:process signal_perms;
+
# Support self-update of Portage
allow portage_t portage_tmp_t:dir relabel_dir_perms;
allow portage_t portage_tmp_t:lnk_file relabel_lnk_file_perms;
@@ -490,9 +492,12 @@ gen_tunable(portage_enable_test, false)
tunable_policy(`portage_enable_test',`
# lots of tests connect over loopback
- corenet_tcp_bind_generic_node(portage_sandbox_t)
corenet_tcp_bind_all_unreserved_ports(portage_sandbox_t)
+ corenet_tcp_bind_generic_node(portage_sandbox_t)
corenet_tcp_connect_all_unreserved_ports(portage_sandbox_t)
+ corenet_udp_bind_all_unreserved_ports(portage_sandbox_t)
+ corenet_udp_bind_generic_node(portage_sandbox_t)
+ corenet_udp_sendrecv_all_ports(portage_sandbox_t)
')
##########################################
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2016-12-06 15:10 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
@ 2016-12-06 15:21 ` Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-12-06 15:21 UTC (permalink / raw
To: gentoo-commits
commit: 6fec98ded6c9bda1c731ab48a87265ace6cc43b1
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Dec 6 15:00:17 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec 6 15:02:34 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6fec98de
portage: add signal and FEATURES=test perms
policy/modules/contrib/portage.te | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/portage.te b/policy/modules/contrib/portage.te
index 19bd8c8..52c6bf9 100644
--- a/policy/modules/contrib/portage.te
+++ b/policy/modules/contrib/portage.te
@@ -436,6 +436,8 @@ gen_tunable(portage_enable_test, false)
allow portage_t self:capability2 block_suspend;
+ allow portage_t { portage_fetch_t portage_sandbox_t }:process signal_perms;
+
# Support self-update of Portage
allow portage_t portage_tmp_t:dir relabel_dir_perms;
allow portage_t portage_tmp_t:lnk_file relabel_lnk_file_perms;
@@ -490,9 +492,12 @@ gen_tunable(portage_enable_test, false)
tunable_policy(`portage_enable_test',`
# lots of tests connect over loopback
- corenet_tcp_bind_generic_node(portage_sandbox_t)
corenet_tcp_bind_all_unreserved_ports(portage_sandbox_t)
+ corenet_tcp_bind_generic_node(portage_sandbox_t)
corenet_tcp_connect_all_unreserved_ports(portage_sandbox_t)
+ corenet_udp_bind_all_unreserved_ports(portage_sandbox_t)
+ corenet_udp_bind_generic_node(portage_sandbox_t)
+ corenet_udp_sendrecv_all_ports(portage_sandbox_t)
')
##########################################
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-12-06 14:25 Jason Zaman
2016-12-06 14:21 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2016-12-06 14:25 UTC (permalink / raw
To: gentoo-commits
commit: acec90e60dfa2f47ee6fb883ec25baed3868aa8e
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Oct 26 05:35:36 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec 6 14:20:13 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=acec90e6
gnome: add gentoo-specific gkeyring fcontext
policy/modules/contrib/gnome.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/gnome.fc b/policy/modules/contrib/gnome.fc
index cd2ead4..f31230e 100644
--- a/policy/modules/contrib/gnome.fc
+++ b/policy/modules/contrib/gnome.fc
@@ -26,4 +26,5 @@ ifdef(`distro_gentoo',`
HOME_DIR/\.config/dconf(/.*)? gen_context(system_u:object_r:gnome_xdg_config_home_t,s0)
HOME_DIR/\.cache/dconf(/.*)? gen_context(system_u:object_r:gnome_xdg_cache_home_t,s0)
HOME_DIR/\.cache/keyring-.* gen_context(system_u:object_r:gnome_xdg_cache_home_t,s0)
+HOME_DIR/\.local/share/keyrings(/.*)? gen_context(system_u:object_r:gnome_xdg_data_home_t,s0)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-12-06 14:25 Jason Zaman
2016-12-06 13:39 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2016-12-06 14:25 UTC (permalink / raw
To: gentoo-commits
commit: 98732751e002526aa86963b6c0425846bccd93d2
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Tue Nov 29 02:00:14 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec 6 13:19:40 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=98732751
Module version bump for cups patch from Guido Trentalancia.
policy/modules/contrib/cups.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te
index 7674df8..e630014 100644
--- a/policy/modules/contrib/cups.te
+++ b/policy/modules/contrib/cups.te
@@ -1,4 +1,4 @@
-policy_module(cups, 1.20.0)
+policy_module(cups, 1.20.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-12-06 14:25 Jason Zaman
2016-12-06 13:39 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2016-12-06 14:25 UTC (permalink / raw
To: gentoo-commits
commit: 1c472ba023387394309b157827e9b8acfe08a2d4
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Dec 4 17:47:47 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec 6 13:19:40 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1c472ba0
Module version bump for Debian fprintd fc entry from Laurent Bigonville.
policy/modules/contrib/fprintd.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/fprintd.te b/policy/modules/contrib/fprintd.te
index 92a6479..00099f9 100644
--- a/policy/modules/contrib/fprintd.te
+++ b/policy/modules/contrib/fprintd.te
@@ -1,4 +1,4 @@
-policy_module(fprintd, 1.2.0)
+policy_module(fprintd, 1.2.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-12-06 14:25 Jason Zaman
2016-12-06 13:39 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2016-12-06 14:25 UTC (permalink / raw
To: gentoo-commits
commit: 897a8e2008bdb9d73db6d692272ca98e870a0566
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Nov 23 03:18:02 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec 6 13:19:40 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=897a8e20
authbind: Remove dead policy.
policy/modules/contrib/authbind.fc | 3 ---
policy/modules/contrib/authbind.if | 46 --------------------------------------
policy/modules/contrib/authbind.te | 34 ----------------------------
3 files changed, 83 deletions(-)
diff --git a/policy/modules/contrib/authbind.fc b/policy/modules/contrib/authbind.fc
deleted file mode 100644
index 699ecc1..0000000
--- a/policy/modules/contrib/authbind.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-/etc/authbind(/.*)? gen_context(system_u:object_r:authbind_etc_t,s0)
-
-/usr/lib/authbind/helper -- gen_context(system_u:object_r:authbind_exec_t,s0)
diff --git a/policy/modules/contrib/authbind.if b/policy/modules/contrib/authbind.if
deleted file mode 100644
index 40fdc75..0000000
--- a/policy/modules/contrib/authbind.if
+++ /dev/null
@@ -1,46 +0,0 @@
-## <summary>Tool for non-root processes to bind to reserved ports.</summary>
-
-########################################
-## <summary>
-## Execute authbind in the authbind domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`authbind_domtrans',`
- gen_require(`
- type authbind_t, authbind_exec_t;
- ')
-
- corecmd_search_bin($1)
- domtrans_pattern($1, authbind_exec_t, authbind_t)
-')
-
-########################################
-## <summary>
-## Execute authbind in the authbind
-## domain, and allow the specified
-## role the authbind domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-#
-interface(`authbind_run',`
- gen_require(`
- attribute_role authbind_roles;
- ')
-
- authbind_domtrans($1)
- roleattribute $2 authbind_roles;
-')
diff --git a/policy/modules/contrib/authbind.te b/policy/modules/contrib/authbind.te
deleted file mode 100644
index dd9d215..0000000
--- a/policy/modules/contrib/authbind.te
+++ /dev/null
@@ -1,34 +0,0 @@
-policy_module(authbind, 1.3.0)
-
-########################################
-#
-# Declarations
-#
-
-attribute_role authbind_roles;
-roleattribute system_r authbind_roles;
-
-type authbind_t;
-type authbind_exec_t;
-application_domain(authbind_t, authbind_exec_t)
-role authbind_roles types authbind_t;
-
-type authbind_etc_t;
-files_config_file(authbind_etc_t)
-
-########################################
-#
-# Local policy
-#
-
-allow authbind_t self:capability net_bind_service;
-
-allow authbind_t authbind_etc_t:dir list_dir_perms;
-exec_files_pattern(authbind_t, authbind_etc_t, authbind_etc_t)
-read_lnk_files_pattern(authbind_t, authbind_etc_t, authbind_etc_t)
-
-files_list_etc(authbind_t)
-
-term_use_console(authbind_t)
-
-logging_send_syslog_msg(authbind_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2016-12-06 14:25 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
@ 2016-12-06 13:39 ` Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-12-06 13:39 UTC (permalink / raw
To: gentoo-commits
commit: 897a8e2008bdb9d73db6d692272ca98e870a0566
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Nov 23 03:18:02 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec 6 13:19:40 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=897a8e20
authbind: Remove dead policy.
policy/modules/contrib/authbind.fc | 3 ---
policy/modules/contrib/authbind.if | 46 --------------------------------------
policy/modules/contrib/authbind.te | 34 ----------------------------
3 files changed, 83 deletions(-)
diff --git a/policy/modules/contrib/authbind.fc b/policy/modules/contrib/authbind.fc
deleted file mode 100644
index 699ecc1..0000000
--- a/policy/modules/contrib/authbind.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-/etc/authbind(/.*)? gen_context(system_u:object_r:authbind_etc_t,s0)
-
-/usr/lib/authbind/helper -- gen_context(system_u:object_r:authbind_exec_t,s0)
diff --git a/policy/modules/contrib/authbind.if b/policy/modules/contrib/authbind.if
deleted file mode 100644
index 40fdc75..0000000
--- a/policy/modules/contrib/authbind.if
+++ /dev/null
@@ -1,46 +0,0 @@
-## <summary>Tool for non-root processes to bind to reserved ports.</summary>
-
-########################################
-## <summary>
-## Execute authbind in the authbind domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`authbind_domtrans',`
- gen_require(`
- type authbind_t, authbind_exec_t;
- ')
-
- corecmd_search_bin($1)
- domtrans_pattern($1, authbind_exec_t, authbind_t)
-')
-
-########################################
-## <summary>
-## Execute authbind in the authbind
-## domain, and allow the specified
-## role the authbind domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-#
-interface(`authbind_run',`
- gen_require(`
- attribute_role authbind_roles;
- ')
-
- authbind_domtrans($1)
- roleattribute $2 authbind_roles;
-')
diff --git a/policy/modules/contrib/authbind.te b/policy/modules/contrib/authbind.te
deleted file mode 100644
index dd9d215..0000000
--- a/policy/modules/contrib/authbind.te
+++ /dev/null
@@ -1,34 +0,0 @@
-policy_module(authbind, 1.3.0)
-
-########################################
-#
-# Declarations
-#
-
-attribute_role authbind_roles;
-roleattribute system_r authbind_roles;
-
-type authbind_t;
-type authbind_exec_t;
-application_domain(authbind_t, authbind_exec_t)
-role authbind_roles types authbind_t;
-
-type authbind_etc_t;
-files_config_file(authbind_etc_t)
-
-########################################
-#
-# Local policy
-#
-
-allow authbind_t self:capability net_bind_service;
-
-allow authbind_t authbind_etc_t:dir list_dir_perms;
-exec_files_pattern(authbind_t, authbind_etc_t, authbind_etc_t)
-read_lnk_files_pattern(authbind_t, authbind_etc_t, authbind_etc_t)
-
-files_list_etc(authbind_t)
-
-term_use_console(authbind_t)
-
-logging_send_syslog_msg(authbind_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-12-06 14:21 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-12-06 14:21 UTC (permalink / raw
To: gentoo-commits
commit: a2f1ba7050cdedf754c399f9c22375bff161b78f
Author: Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Sat Nov 26 18:05:35 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec 6 13:58:03 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a2f1ba70
Allow portage compile domains to relabel portage_tmp_t:dir's
This permission is requested by a 'cp' in the multibuild.eclass (see bug
600926). It's not actually required, but since we already allow the same
permission for files and allowing it for directories doesn't have any
security implications, I've chosen use "allow" instead of "dontaudit".
policy/modules/contrib/portage.if | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/portage.if b/policy/modules/contrib/portage.if
index 14c4fb6..e990d79 100644
--- a/policy/modules/contrib/portage.if
+++ b/policy/modules/contrib/portage.if
@@ -118,6 +118,7 @@ interface(`portage_compile_domain',`
files_tmp_filetrans($1, portage_tmp_t, { dir file lnk_file sock_file fifo_file })
# SELinux-enabled programs running in the sandbox
allow $1 portage_tmp_t:file relabel_file_perms;
+ allow $1 portage_tmp_t:dir relabel_dir_perms;
manage_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t)
manage_lnk_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-12-06 13:39 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-12-06 13:39 UTC (permalink / raw
To: gentoo-commits
commit: b822b1181b81fd74038c8987162a1cfe86611720
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Fri Nov 25 22:14:47 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec 6 13:19:40 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b822b118
cups: descend "rw" directories when reading configuration files
When reading CUPS configuration files under /etc, let the caller
search (i.e. descend into) "rw" directories (such as "ppd").
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/cups.if | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/cups.if b/policy/modules/contrib/cups.if
index cad7df2..a6bcb68 100644
--- a/policy/modules/contrib/cups.if
+++ b/policy/modules/contrib/cups.if
@@ -203,7 +203,7 @@ interface(`cups_read_config',`
')
files_search_etc($1)
- read_files_pattern($1, cupsd_etc_t, { cupsd_etc_t cupsd_rw_etc_t })
+ read_files_pattern($1, { cupsd_etc_t cupsd_rw_etc_t }, { cupsd_etc_t cupsd_rw_etc_t })
')
########################################
@@ -223,7 +223,7 @@ interface(`cups_read_rw_config',`
')
files_search_etc($1)
- read_files_pattern($1, cupsd_etc_t, cupsd_rw_etc_t)
+ read_files_pattern($1, { cupsd_etc_t cupsd_rw_etc_t }, cupsd_rw_etc_t)
')
########################################
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-12-06 13:39 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-12-06 13:39 UTC (permalink / raw
To: gentoo-commits
commit: 48faa5c437079c8cf7626d2814e9fc2f87d35811
Author: Dominick Grift <dac.override <AT> gmail <DOT> com>
AuthorDate: Sun Nov 6 07:49:13 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec 6 13:19:40 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=48faa5c4
Re-add raid fc spec that must have been removed earlier by mistake
Reported-By: Nicolas Iooss <nicolas.iooss <AT> m4x.org>
policy/modules/contrib/raid.fc | 1 +
policy/modules/contrib/raid.te | 2 +-
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/raid.fc b/policy/modules/contrib/raid.fc
index 2ea0889..f5b8ff4 100644
--- a/policy/modules/contrib/raid.fc
+++ b/policy/modules/contrib/raid.fc
@@ -19,6 +19,7 @@
/usr/sbin/iprinit -- gen_context(system_u:object_r:mdadm_exec_t,s0)
/usr/sbin/iprupdate -- gen_context(system_u:object_r:mdadm_exec_t,s0)
/usr/sbin/mdadm -- gen_context(system_u:object_r:mdadm_exec_t,s0)
+/usr/sbin/mdmon -- gen_context(system_u:object_r:mdadm_exec_t,s0)
/usr/sbin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0)
/usr/sbin/raid-check -- gen_context(system_u:object_r:mdadm_exec_t,s0)
diff --git a/policy/modules/contrib/raid.te b/policy/modules/contrib/raid.te
index e65f673..84fdfdf 100644
--- a/policy/modules/contrib/raid.te
+++ b/policy/modules/contrib/raid.te
@@ -1,4 +1,4 @@
-policy_module(raid, 1.16.0)
+policy_module(raid, 1.16.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-12-06 13:39 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-12-06 13:39 UTC (permalink / raw
To: gentoo-commits
commit: 761a962e70701012d49907883a314147ef944263
Author: cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Thu Dec 1 18:48:55 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec 6 13:19:40 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=761a962e
use domain_auto_transition_pattern instead of domain_auto_trans
policy/modules/contrib/daemontools.if | 2 +-
policy/modules/contrib/gpg.if | 2 +-
policy/modules/contrib/lircd.if | 2 +-
policy/modules/contrib/mta.if | 2 +-
policy/modules/contrib/qemu.if | 2 +-
policy/modules/contrib/rsync.if | 4 ++--
6 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/policy/modules/contrib/daemontools.if b/policy/modules/contrib/daemontools.if
index 3b3d9a0..54c71e1 100644
--- a/policy/modules/contrib/daemontools.if
+++ b/policy/modules/contrib/daemontools.if
@@ -43,7 +43,7 @@ interface(`daemontools_service_domain',`
type svc_run_t;
')
- domain_auto_trans(svc_run_t, $2, $1)
+ domain_auto_transition_pattern(svc_run_t, $2, $1)
daemontools_ipc_domain($1)
allow svc_run_t $1:process signal;
diff --git a/policy/modules/contrib/gpg.if b/policy/modules/contrib/gpg.if
index 5f4cefc..efffff8 100644
--- a/policy/modules/contrib/gpg.if
+++ b/policy/modules/contrib/gpg.if
@@ -120,7 +120,7 @@ interface(`gpg_spec_domtrans',`
')
corecmd_search_bin($1)
- domain_auto_trans($1, gpg_exec_t, $2)
+ domain_auto_transition_pattern($1, gpg_exec_t, $2)
')
######################################
diff --git a/policy/modules/contrib/lircd.if b/policy/modules/contrib/lircd.if
index f54240e..de2543b 100644
--- a/policy/modules/contrib/lircd.if
+++ b/policy/modules/contrib/lircd.if
@@ -16,7 +16,7 @@ interface(`lircd_domtrans',`
')
corecmd_search_bin($1)
- domain_auto_trans($1, lircd_exec_t, lircd_t)
+ domain_auto_transition_pattern($1, lircd_exec_t, lircd_t)
')
######################################
diff --git a/policy/modules/contrib/mta.if b/policy/modules/contrib/mta.if
index 48a2845..a503427 100644
--- a/policy/modules/contrib/mta.if
+++ b/policy/modules/contrib/mta.if
@@ -457,7 +457,7 @@ interface(`mta_sendmail_domtrans',`
')
corecmd_search_bin($1)
- domain_auto_trans($1, sendmail_exec_t, $2)
+ domain_auto_transition_pattern($1, sendmail_exec_t, $2)
allow $1 sendmail_exec_t:lnk_file read_lnk_file_perms;
')
diff --git a/policy/modules/contrib/qemu.if b/policy/modules/contrib/qemu.if
index ea947bc..32b4865 100644
--- a/policy/modules/contrib/qemu.if
+++ b/policy/modules/contrib/qemu.if
@@ -353,7 +353,7 @@ interface(`qemu_spec_domtrans',`
')
corecmd_search_bin($1)
- domain_auto_trans($1, qemu_exec_t, $2)
+ domain_auto_transition_pattern($1, qemu_exec_t, $2)
')
######################################
diff --git a/policy/modules/contrib/rsync.if b/policy/modules/contrib/rsync.if
index c7b19aa..7a14937 100644
--- a/policy/modules/contrib/rsync.if
+++ b/policy/modules/contrib/rsync.if
@@ -50,7 +50,7 @@ interface(`rsync_entry_spec_domtrans',`
')
corecmd_search_bin($1)
- domain_auto_trans($1, rsync_exec_t, $2)
+ domain_auto_transition_pattern($1, rsync_exec_t, $2)
')
########################################
@@ -84,7 +84,7 @@ interface(`rsync_entry_domtrans',`
')
corecmd_search_bin($1)
- domain_auto_trans($1, rsync_exec_t, $2)
+ domain_auto_transition_pattern($1, rsync_exec_t, $2)
')
########################################
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-12-06 13:39 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-12-06 13:39 UTC (permalink / raw
To: gentoo-commits
commit: 4c91124f97d8669fa37ea1b4def8cf36124d8661
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Oct 27 14:59:49 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec 6 13:19:40 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4c91124f
gpg: add new socket paths
GPG 2.1 has sockets in /run/user/UID/gnupg/ and
~/.gnupg/S.gpg-agent{,.ssh}.
also allow pinentry to dbus chat gkeyring
policy/modules/contrib/gpg.fc | 4 ++++
policy/modules/contrib/gpg.if | 4 ++++
policy/modules/contrib/gpg.te | 8 ++++++++
3 files changed, 16 insertions(+)
diff --git a/policy/modules/contrib/gpg.fc b/policy/modules/contrib/gpg.fc
index 888cd2c..3f1d1d2 100644
--- a/policy/modules/contrib/gpg.fc
+++ b/policy/modules/contrib/gpg.fc
@@ -1,5 +1,7 @@
HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
HOME_DIR/\.gnupg/log-socket -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
+HOME_DIR/\.gnupg/S\.gpg-agent -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
+HOME_DIR/\.gnupg/S\.gpg-agent\.ssh -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
/usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0)
/usr/bin/gpgsm -- gen_context(system_u:object_r:gpg_exec_t,s0)
@@ -8,3 +10,5 @@ HOME_DIR/\.gnupg/log-socket -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
/usr/lib/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0)
/usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0)
+
+/var/run/user/%{USERID}/gnupg(/.*)? gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
diff --git a/policy/modules/contrib/gpg.if b/policy/modules/contrib/gpg.if
index 0370dd1..5f4cefc 100644
--- a/policy/modules/contrib/gpg.if
+++ b/policy/modules/contrib/gpg.if
@@ -205,9 +205,13 @@ interface(`gpg_rw_agent_pipes',`
interface(`gpg_stream_connect_agent',`
gen_require(`
type gpg_agent_t, gpg_agent_tmp_t;
+ type gpg_secret_t;
')
stream_connect_pattern($1, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)
+ allow $1 gpg_secret_t:dir search_dir_perms;
+ userdom_search_user_runtime($1)
+ userdom_search_user_home_dirs($1)
')
########################################
diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index c62a7f3..441d696 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -229,6 +229,8 @@ manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })
filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "log-socket")
+filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent")
+filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.ssh")
domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t)
@@ -250,6 +252,8 @@ miscfiles_read_localization(gpg_agent_t)
userdom_use_user_terminals(gpg_agent_t)
userdom_search_user_home_dirs(gpg_agent_t)
+userdom_search_user_runtime(gpg_agent_t)
+userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, dir)
ifdef(`hide_broken_symptoms',`
userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
@@ -347,6 +351,10 @@ tunable_policy(`use_samba_home_dirs',`
optional_policy(`
dbus_all_session_bus_client(gpg_pinentry_t)
dbus_system_bus_client(gpg_pinentry_t)
+
+ optional_policy(`
+ gnome_dbus_chat_all_gkeyringd(gpg_pinentry_t)
+ ')
')
optional_policy(`
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-12-06 13:39 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-12-06 13:39 UTC (permalink / raw
To: gentoo-commits
commit: f379a19944626a91093b7e9d598d9559ae0afa63
Author: Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Sat Dec 3 23:30:32 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec 6 13:19:40 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f379a199
Add debian path for fprintd daemon
Add debian path for fprintd daemon (/usr/lib/fprintd/fprintd)
policy/modules/contrib/fprintd.fc | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/contrib/fprintd.fc b/policy/modules/contrib/fprintd.fc
index d861e88..81317ea 100644
--- a/policy/modules/contrib/fprintd.fc
+++ b/policy/modules/contrib/fprintd.fc
@@ -1,3 +1,5 @@
+/usr/lib/fprintd/fprintd -- gen_context(system_u:object_r:fprintd_exec_t,s0)
+
/usr/libexec/fprintd -- gen_context(system_u:object_r:fprintd_exec_t,s0)
/var/lib/fprint(/.*)? gen_context(system_u:object_r:fprintd_var_lib_t,s0)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-12-06 13:39 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-12-06 13:39 UTC (permalink / raw
To: gentoo-commits
commit: e0ed083c6bc22c8a33c45498d1e97ed945f8ce5e
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Oct 30 18:20:42 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec 6 13:19:40 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e0ed083c
Module version bump for patches from Jason Zaman.
policy/modules/contrib/devicekit.te | 2 +-
policy/modules/contrib/gnome.te | 2 +-
policy/modules/contrib/gpg.te | 2 +-
policy/modules/contrib/pcscd.te | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/policy/modules/contrib/devicekit.te b/policy/modules/contrib/devicekit.te
index ccee3f9..8b8a4cc 100644
--- a/policy/modules/contrib/devicekit.te
+++ b/policy/modules/contrib/devicekit.te
@@ -1,4 +1,4 @@
-policy_module(devicekit, 1.5.0)
+policy_module(devicekit, 1.5.1)
########################################
#
diff --git a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te
index a874924..7c2e27d 100644
--- a/policy/modules/contrib/gnome.te
+++ b/policy/modules/contrib/gnome.te
@@ -1,4 +1,4 @@
-policy_module(gnome, 2.6.0)
+policy_module(gnome, 2.6.1)
##############################
#
diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index 441d696..e32b7f8 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -1,4 +1,4 @@
-policy_module(gpg, 2.10.0)
+policy_module(gpg, 2.10.1)
########################################
#
diff --git a/policy/modules/contrib/pcscd.te b/policy/modules/contrib/pcscd.te
index bcc863c..f9b6e1b 100644
--- a/policy/modules/contrib/pcscd.te
+++ b/policy/modules/contrib/pcscd.te
@@ -1,4 +1,4 @@
-policy_module(pcscd, 1.11.0)
+policy_module(pcscd, 1.11.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-12-06 13:39 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-12-06 13:39 UTC (permalink / raw
To: gentoo-commits
commit: b90d7f0d0f52f0b0847be67866c6bd34984bf625
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Oct 26 17:19:18 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec 6 12:41:59 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b90d7f0d
pcscd: dbus and domain lookup
Allow dbus chat to policykit.
pcscd needs to lookup the domain that connects to the socket.
type=AVC msg=audit(1477409841.224:12512): avc: denied { open } for pid=16611 comm="pcscd" path="/proc/10610/stat" dev="proc" ino=29254 scontext=system_u:system_r:pcscd_t:s0 tcontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tclass=file permissive=1
type=AVC msg=audit(1477409841.224:12513): avc: denied { getattr } for pid=16611 comm="pcscd" path="/proc/10610/stat" dev="proc" ino=29254 scontext=system_u:system_r:pcscd_t:s0 tcontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tclass=file permissive=1
policy/modules/contrib/pcscd.if | 3 +++
policy/modules/contrib/pcscd.te | 4 ++++
2 files changed, 7 insertions(+)
diff --git a/policy/modules/contrib/pcscd.if b/policy/modules/contrib/pcscd.if
index ac7e60c..b5c522d 100644
--- a/policy/modules/contrib/pcscd.if
+++ b/policy/modules/contrib/pcscd.if
@@ -101,6 +101,9 @@ interface(`pcscd_stream_connect',`
files_search_pids($1)
stream_connect_pattern($1, pcscd_var_run_t, pcscd_var_run_t, pcscd_t)
+
+ allow pcscd_t $1:dir list_dir_perms;
+ allow pcscd_t $1:file read_file_perms;
')
########################################
diff --git a/policy/modules/contrib/pcscd.te b/policy/modules/contrib/pcscd.te
index 1828900..bcc863c 100644
--- a/policy/modules/contrib/pcscd.te
+++ b/policy/modules/contrib/pcscd.te
@@ -73,6 +73,10 @@ optional_policy(`
optional_policy(`
hal_dbus_chat(pcscd_t)
')
+
+ optional_policy(`
+ policykit_dbus_chat(pcscd_t)
+ ')
')
optional_policy(`
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-12-06 13:39 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-12-06 13:39 UTC (permalink / raw
To: gentoo-commits
commit: 6291bac4cdcbd366f63d6d0b66f73a535ecc0340
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Oct 26 17:19:21 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec 6 13:19:40 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6291bac4
gnome: add gkeyring rules and fcontext
policy/modules/contrib/gnome.fc | 1 +
policy/modules/contrib/gnome.if | 2 ++
policy/modules/contrib/gnome.te | 4 +++-
3 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/gnome.fc b/policy/modules/contrib/gnome.fc
index ce12193..cd2ead4 100644
--- a/policy/modules/contrib/gnome.fc
+++ b/policy/modules/contrib/gnome.fc
@@ -18,6 +18,7 @@ HOME_DIR/orcexec\..* gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
/usr/lib/[^/]*/gconf/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
+/var/run/user/%{USERID}/keyring(/.*)? gen_context(system_u:object_r:gnome_keyring_tmp_t,s0)
/var/run/user/[^/]*/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
/var/run/user/%{USERID}/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
diff --git a/policy/modules/contrib/gnome.if b/policy/modules/contrib/gnome.if
index 190fa16..b08670b 100644
--- a/policy/modules/contrib/gnome.if
+++ b/policy/modules/contrib/gnome.if
@@ -778,6 +778,7 @@ interface(`gnome_stream_connect_gkeyringd',`
')
files_search_tmp($2)
+ userdom_search_user_runtime($2)
stream_connect_pattern($2, gnome_keyring_tmp_t, gnome_keyring_tmp_t, $1_gkeyringd_t)
')
@@ -799,6 +800,7 @@ interface(`gnome_stream_connect_all_gkeyringd',`
')
files_search_tmp($1)
+ userdom_search_user_runtime($1)
stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain)
')
diff --git a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te
index 5a6f728..a874924 100644
--- a/policy/modules/contrib/gnome.te
+++ b/policy/modules/contrib/gnome.te
@@ -123,9 +123,11 @@ gnome_home_filetrans(gkeyringd_domain, gnome_keyring_home_t, dir, "keyrings")
manage_dirs_pattern(gkeyringd_domain, gnome_keyring_tmp_t, gnome_keyring_tmp_t)
manage_sock_files_pattern(gkeyringd_domain, gnome_keyring_tmp_t, gnome_keyring_tmp_t)
files_tmp_filetrans(gkeyringd_domain, gnome_keyring_tmp_t, dir)
+userdom_user_runtime_filetrans(gkeyringd_domain, gnome_keyring_tmp_t, dir)
-kernel_read_system_state(gkeyringd_domain)
kernel_read_crypto_sysctls(gkeyringd_domain)
+kernel_read_kernel_sysctls(gkeyringd_domain)
+kernel_read_system_state(gkeyringd_domain)
dev_read_rand(gkeyringd_domain)
dev_read_sysfs(gkeyringd_domain)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-12-06 13:39 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-12-06 13:39 UTC (permalink / raw
To: gentoo-commits
commit: 68baf3fd885ca06420812d2ff3cbf1b7f7fc2ad6
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Oct 26 17:19:20 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec 6 12:41:59 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=68baf3fd
devicekit: fcontext for udisks2
policy/modules/contrib/devicekit.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/devicekit.fc b/policy/modules/contrib/devicekit.fc
index ae49c9d..8908ab6 100644
--- a/policy/modules/contrib/devicekit.fc
+++ b/policy/modules/contrib/devicekit.fc
@@ -10,6 +10,7 @@
/usr/libexec/devkit-disks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
/usr/libexec/devkit-power-daemon -- gen_context(system_u:object_r:devicekit_power_exec_t,s0)
/usr/libexec/udisks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
+/usr/libexec/udisks2/udisksd -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
/usr/libexec/upowerd -- gen_context(system_u:object_r:devicekit_power_exec_t,s0)
/var/lib/DeviceKit-.* gen_context(system_u:object_r:devicekit_var_lib_t,s0)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-10-26 17:28 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-10-26 17:28 UTC (permalink / raw
To: gentoo-commits
commit: bc146768530b6c515642d38ec4d0973fc7a323a2
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Oct 26 08:04:54 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Oct 26 17:25:54 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=bc146768
chromium: allow dbus chat to gnome keyring and upower
For saving secrets and inhibiting power management eg during videos
policy/modules/contrib/chromium.te | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/policy/modules/contrib/chromium.te b/policy/modules/contrib/chromium.te
index 10bcd9f..8764370 100644
--- a/policy/modules/contrib/chromium.te
+++ b/policy/modules/contrib/chromium.te
@@ -230,6 +230,12 @@ optional_policy(`
optional_policy(`
unconfined_dbus_chat(chromium_t)
')
+ optional_policy(`
+ gnome_dbus_chat_all_gkeyringd(chromium_t)
+ ')
+ optional_policy(`
+ devicekit_dbus_chat_power(chromium_t)
+ ')
')
optional_policy(`
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-10-26 17:28 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-10-26 17:28 UTC (permalink / raw
To: gentoo-commits
commit: d68f77b461f3f6ee359866ae11a79c0211a74ff4
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Oct 26 11:49:32 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Oct 26 17:25:55 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d68f77b4
chromium: allow random
Fails to start with:
gcrypt-Message: no entropy gathering module detected
policy/modules/contrib/chromium.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/chromium.te b/policy/modules/contrib/chromium.te
index 8764370..cd1e111 100644
--- a/policy/modules/contrib/chromium.te
+++ b/policy/modules/contrib/chromium.te
@@ -149,6 +149,7 @@ corenet_udp_bind_all_unreserved_ports(chromium_t)
dev_read_sound(chromium_t)
dev_write_sound(chromium_t)
dev_read_urand(chromium_t)
+dev_read_rand(chromium_t)
domain_dontaudit_search_all_domains_state(chromium_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-10-24 16:56 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2016-10-24 16:56 UTC (permalink / raw
To: gentoo-commits
commit: d58ed8ba1ef188c67ec5ecbfc091abb0014dd6e4
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Oct 9 04:37:10 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 24 16:47:46 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d58ed8ba
chromium: perms for user_cert_t
policy/modules/contrib/chromium.te | 13 ++++++-------
1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/policy/modules/contrib/chromium.te b/policy/modules/contrib/chromium.te
index 3185640..10bcd9f 100644
--- a/policy/modules/contrib/chromium.te
+++ b/policy/modules/contrib/chromium.te
@@ -88,7 +88,8 @@ xdg_cache_home_content(chromium_xdg_cache_t)
# chromium local policy
#
-allow chromium_t self:process { getsched setcap setrlimit setsched sigkill signal };
+# execmem for load in plugins
+allow chromium_t self:process { execmem getsched setcap setrlimit setsched sigkill signal };
allow chromium_t self:fifo_file rw_fifo_file_perms;;
allow chromium_t self:sem create_sem_perms;
allow chromium_t self:netlink_kobject_uevent_socket client_stream_socket_perms;
@@ -108,8 +109,6 @@ allow chromium_t chromium_sandbox_t:unix_stream_socket { read write };
allow chromium_t chromium_naclhelper_t:process { share };
-allow chromium_t self:process execmem; # Load in plugins
-
# tmp has a wide class access (used for plugins)
manage_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
manage_dirs_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
@@ -164,18 +163,17 @@ fs_dontaudit_getattr_xattr_fs(chromium_t)
getty_dontaudit_use_fds(chromium_t)
-miscfiles_manage_user_certs(chromium_t)
miscfiles_read_all_certs(chromium_t)
miscfiles_read_localization(chromium_t)
-miscfiles_user_home_dir_filetrans_cert_home(chromium_t, dir, ".nss")
-miscfiles_user_home_dir_filetrans_cert_home(chromium_t, dir, ".pki")
-sysnet_dns_name_resolve(chromium_t)
+sysnet_dns_name_resolve(chromium_t)
userdom_user_content_access_template(chromium, chromium_t)
userdom_dontaudit_list_user_home_dirs(chromium_t)
# Debugging. Also on user_tty_device_t if X is started through "startx" for instance
userdom_use_user_terminals(chromium_t)
+userdom_manage_user_certs(chromium_t)
+userdom_user_home_dir_filetrans_user_cert(chromium_t, dir, ".pki")
xdg_create_cache_home_dirs(chromium_t)
xdg_create_config_home_dirs(chromium_t)
@@ -194,6 +192,7 @@ tunable_policy(`chromium_bind_tcp_unreserved_ports',`
tunable_policy(`chromium_rw_usb_dev',`
dev_rw_generic_usb_dev(chromium_t)
+ udev_read_db(chromium_t)
')
tunable_policy(`chromium_read_system_info',`
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-10-24 16:03 Sven Vermeulen
2016-10-24 16:02 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
0 siblings, 1 reply; 1958+ messages in thread
From: Sven Vermeulen @ 2016-10-24 16:03 UTC (permalink / raw
To: gentoo-commits
commit: 7ba6a2c036470cfa2cf1cac7665275ba48f45627
Author: Russell Coker via refpolicy <refpolicy <AT> oss <DOT> tresys <DOT> com>
AuthorDate: Wed Oct 19 06:07:20 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 24 15:57:35 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7ba6a2c0
webalizer patch for inclusion
Thanks Chris for the suggestions, here's a patch that I think is worthy of
inclusion.
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
policy/modules/contrib/logrotate.te | 5 +++++
policy/modules/contrib/webalizer.if | 20 ++++++++++++++++++++
policy/modules/contrib/webalizer.te | 2 ++
3 files changed, 27 insertions(+)
diff --git a/policy/modules/contrib/logrotate.te b/policy/modules/contrib/logrotate.te
index a1670d0..f7a70da 100644
--- a/policy/modules/contrib/logrotate.te
+++ b/policy/modules/contrib/logrotate.te
@@ -242,6 +242,11 @@ optional_policy(`
varnishd_manage_log(logrotate_t)
')
+optional_policy(`
+ manage_webalizer_var_lib(logrotate_t)
+ webalizer_run(logrotate_t, system_r)
+')
+
#######################################
#
# Mail local policy
diff --git a/policy/modules/contrib/webalizer.if b/policy/modules/contrib/webalizer.if
index fa28353..cc831b6 100644
--- a/policy/modules/contrib/webalizer.if
+++ b/policy/modules/contrib/webalizer.if
@@ -45,3 +45,23 @@ interface(`webalizer_run',`
webalizer_domtrans($1)
roleattribute $2 webalizer_roles;
')
+
+########################################
+## <summary>
+## Manage webalizer usage files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to manage webalizer usage files
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`manage_webalizer_var_lib',`
+ gen_require(`
+ type webalizer_var_lib_t;
+ ')
+
+ allow $1 webalizer_var_lib_t:dir manage_dir_perms;
+ allow $1 webalizer_var_lib_t:file manage_file_perms;
+')
diff --git a/policy/modules/contrib/webalizer.te b/policy/modules/contrib/webalizer.te
index 99bef4a..ff69b41 100644
--- a/policy/modules/contrib/webalizer.te
+++ b/policy/modules/contrib/webalizer.te
@@ -36,6 +36,7 @@ allow webalizer_t self:unix_stream_socket { accept connectto listen };
allow webalizer_t self:tcp_socket { accept listen };
allow webalizer_t webalizer_etc_t:file read_file_perms;
+files_read_usr_files(webalizer_t)
manage_dirs_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t)
manage_files_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t)
@@ -50,6 +51,7 @@ kernel_read_kernel_sysctls(webalizer_t)
kernel_read_system_state(webalizer_t)
files_read_etc_runtime_files(webalizer_t)
+miscfiles_read_fonts(webalizer_t)
fs_search_auto_mountpoints(webalizer_t)
fs_getattr_xattr_fs(webalizer_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2016-10-24 16:03 [gentoo-commits] proj/hardened-refpolicy:next " Sven Vermeulen
@ 2016-10-24 16:02 ` Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2016-10-24 16:02 UTC (permalink / raw
To: gentoo-commits
commit: 7ba6a2c036470cfa2cf1cac7665275ba48f45627
Author: Russell Coker via refpolicy <refpolicy <AT> oss <DOT> tresys <DOT> com>
AuthorDate: Wed Oct 19 06:07:20 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 24 15:57:35 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7ba6a2c0
webalizer patch for inclusion
Thanks Chris for the suggestions, here's a patch that I think is worthy of
inclusion.
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
policy/modules/contrib/logrotate.te | 5 +++++
policy/modules/contrib/webalizer.if | 20 ++++++++++++++++++++
policy/modules/contrib/webalizer.te | 2 ++
3 files changed, 27 insertions(+)
diff --git a/policy/modules/contrib/logrotate.te b/policy/modules/contrib/logrotate.te
index a1670d0..f7a70da 100644
--- a/policy/modules/contrib/logrotate.te
+++ b/policy/modules/contrib/logrotate.te
@@ -242,6 +242,11 @@ optional_policy(`
varnishd_manage_log(logrotate_t)
')
+optional_policy(`
+ manage_webalizer_var_lib(logrotate_t)
+ webalizer_run(logrotate_t, system_r)
+')
+
#######################################
#
# Mail local policy
diff --git a/policy/modules/contrib/webalizer.if b/policy/modules/contrib/webalizer.if
index fa28353..cc831b6 100644
--- a/policy/modules/contrib/webalizer.if
+++ b/policy/modules/contrib/webalizer.if
@@ -45,3 +45,23 @@ interface(`webalizer_run',`
webalizer_domtrans($1)
roleattribute $2 webalizer_roles;
')
+
+########################################
+## <summary>
+## Manage webalizer usage files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to manage webalizer usage files
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`manage_webalizer_var_lib',`
+ gen_require(`
+ type webalizer_var_lib_t;
+ ')
+
+ allow $1 webalizer_var_lib_t:dir manage_dir_perms;
+ allow $1 webalizer_var_lib_t:file manage_file_perms;
+')
diff --git a/policy/modules/contrib/webalizer.te b/policy/modules/contrib/webalizer.te
index 99bef4a..ff69b41 100644
--- a/policy/modules/contrib/webalizer.te
+++ b/policy/modules/contrib/webalizer.te
@@ -36,6 +36,7 @@ allow webalizer_t self:unix_stream_socket { accept connectto listen };
allow webalizer_t self:tcp_socket { accept listen };
allow webalizer_t webalizer_etc_t:file read_file_perms;
+files_read_usr_files(webalizer_t)
manage_dirs_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t)
manage_files_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t)
@@ -50,6 +51,7 @@ kernel_read_kernel_sysctls(webalizer_t)
kernel_read_system_state(webalizer_t)
files_read_etc_runtime_files(webalizer_t)
+miscfiles_read_fonts(webalizer_t)
fs_search_auto_mountpoints(webalizer_t)
fs_getattr_xattr_fs(webalizer_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2016-10-24 16:02 Sven Vermeulen
2016-10-24 16:02 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
0 siblings, 1 reply; 1958+ messages in thread
From: Sven Vermeulen @ 2016-10-24 16:02 UTC (permalink / raw
To: gentoo-commits
commit: 2643b904b25db0560e375d37753018c0cd561cc0
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Oct 19 22:57:38 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 24 15:57:42 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2643b904
webalizer: Rearrange a couple lines.
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
policy/modules/contrib/webalizer.te | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/webalizer.te b/policy/modules/contrib/webalizer.te
index ff69b41..5e0a9e6 100644
--- a/policy/modules/contrib/webalizer.te
+++ b/policy/modules/contrib/webalizer.te
@@ -36,7 +36,6 @@ allow webalizer_t self:unix_stream_socket { accept connectto listen };
allow webalizer_t self:tcp_socket { accept listen };
allow webalizer_t webalizer_etc_t:file read_file_perms;
-files_read_usr_files(webalizer_t)
manage_dirs_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t)
manage_files_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t)
@@ -51,7 +50,7 @@ kernel_read_kernel_sysctls(webalizer_t)
kernel_read_system_state(webalizer_t)
files_read_etc_runtime_files(webalizer_t)
-miscfiles_read_fonts(webalizer_t)
+files_read_usr_files(webalizer_t)
fs_search_auto_mountpoints(webalizer_t)
fs_getattr_xattr_fs(webalizer_t)
@@ -64,6 +63,7 @@ logging_send_syslog_msg(webalizer_t)
miscfiles_read_localization(webalizer_t)
miscfiles_read_public_files(webalizer_t)
+miscfiles_read_fonts(webalizer_t)
userdom_use_user_terminals(webalizer_t)
userdom_use_unpriv_users_fds(webalizer_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2016-10-24 16:02 [gentoo-commits] proj/hardened-refpolicy:swift " Sven Vermeulen
@ 2016-10-24 16:02 ` Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2016-10-24 16:02 UTC (permalink / raw
To: gentoo-commits
commit: 2643b904b25db0560e375d37753018c0cd561cc0
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Oct 19 22:57:38 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 24 15:57:42 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2643b904
webalizer: Rearrange a couple lines.
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
policy/modules/contrib/webalizer.te | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/webalizer.te b/policy/modules/contrib/webalizer.te
index ff69b41..5e0a9e6 100644
--- a/policy/modules/contrib/webalizer.te
+++ b/policy/modules/contrib/webalizer.te
@@ -36,7 +36,6 @@ allow webalizer_t self:unix_stream_socket { accept connectto listen };
allow webalizer_t self:tcp_socket { accept listen };
allow webalizer_t webalizer_etc_t:file read_file_perms;
-files_read_usr_files(webalizer_t)
manage_dirs_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t)
manage_files_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t)
@@ -51,7 +50,7 @@ kernel_read_kernel_sysctls(webalizer_t)
kernel_read_system_state(webalizer_t)
files_read_etc_runtime_files(webalizer_t)
-miscfiles_read_fonts(webalizer_t)
+files_read_usr_files(webalizer_t)
fs_search_auto_mountpoints(webalizer_t)
fs_getattr_xattr_fs(webalizer_t)
@@ -64,6 +63,7 @@ logging_send_syslog_msg(webalizer_t)
miscfiles_read_localization(webalizer_t)
miscfiles_read_public_files(webalizer_t)
+miscfiles_read_fonts(webalizer_t)
userdom_use_user_terminals(webalizer_t)
userdom_use_unpriv_users_fds(webalizer_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2016-10-24 16:02 Sven Vermeulen
2016-10-24 16:02 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
0 siblings, 1 reply; 1958+ messages in thread
From: Sven Vermeulen @ 2016-10-24 16:02 UTC (permalink / raw
To: gentoo-commits
commit: 75bde71a956a7d9cd2ad48387d75dfda32c21e1c
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Oct 23 20:58:59 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 24 15:57:53 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=75bde71a
Bump module versions for release.
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
policy/modules/contrib/alsa.te | 2 +-
policy/modules/contrib/amanda.te | 2 +-
policy/modules/contrib/apache.te | 2 +-
policy/modules/contrib/apcupsd.te | 2 +-
policy/modules/contrib/apm.te | 2 +-
policy/modules/contrib/arpwatch.te | 2 +-
policy/modules/contrib/asterisk.te | 2 +-
policy/modules/contrib/automount.te | 2 +-
policy/modules/contrib/avahi.te | 2 +-
policy/modules/contrib/bind.te | 2 +-
policy/modules/contrib/boinc.te | 2 +-
policy/modules/contrib/certmonger.te | 2 +-
policy/modules/contrib/cgroup.te | 2 +-
policy/modules/contrib/clamav.te | 2 +-
policy/modules/contrib/collectd.te | 2 +-
policy/modules/contrib/consolekit.te | 2 +-
policy/modules/contrib/cpucontrol.te | 2 +-
policy/modules/contrib/cron.te | 2 +-
policy/modules/contrib/cups.te | 2 +-
policy/modules/contrib/devicekit.te | 2 +-
policy/modules/contrib/dhcp.te | 2 +-
policy/modules/contrib/entropyd.te | 2 +-
policy/modules/contrib/evolution.te | 2 +-
policy/modules/contrib/firewalld.te | 2 +-
policy/modules/contrib/ftp.te | 2 +-
policy/modules/contrib/geoclue.te | 2 +-
policy/modules/contrib/gnome.te | 2 +-
policy/modules/contrib/gpg.te | 2 +-
policy/modules/contrib/hal.te | 2 +-
policy/modules/contrib/kdump.te | 2 +-
policy/modules/contrib/ldap.te | 2 +-
policy/modules/contrib/logrotate.te | 2 +-
policy/modules/contrib/mailman.te | 2 +-
policy/modules/contrib/mozilla.te | 2 +-
policy/modules/contrib/mpd.te | 2 +-
policy/modules/contrib/mplayer.te | 2 +-
policy/modules/contrib/mysql.te | 2 +-
policy/modules/contrib/networkmanager.te | 2 +-
policy/modules/contrib/nis.te | 2 +-
policy/modules/contrib/nscd.te | 2 +-
policy/modules/contrib/ntp.te | 2 +-
policy/modules/contrib/policykit.te | 2 +-
policy/modules/contrib/ppp.te | 2 +-
policy/modules/contrib/pulseaudio.te | 2 +-
policy/modules/contrib/puppet.te | 2 +-
policy/modules/contrib/raid.te | 2 +-
policy/modules/contrib/redis.te | 2 +-
policy/modules/contrib/rpc.te | 2 +-
policy/modules/contrib/rpcbind.te | 2 +-
policy/modules/contrib/rtkit.te | 2 +-
policy/modules/contrib/samba.te | 2 +-
policy/modules/contrib/shorewall.te | 2 +-
policy/modules/contrib/telepathy.te | 2 +-
policy/modules/contrib/tor.te | 2 +-
policy/modules/contrib/userhelper.te | 2 +-
policy/modules/contrib/varnishd.te | 2 +-
policy/modules/contrib/virt.te | 2 +-
policy/modules/contrib/watchdog.te | 2 +-
policy/modules/contrib/webalizer.te | 2 +-
policy/modules/contrib/wm.te | 2 +-
60 files changed, 60 insertions(+), 60 deletions(-)
diff --git a/policy/modules/contrib/alsa.te b/policy/modules/contrib/alsa.te
index dc87030..f7faa4b 100644
--- a/policy/modules/contrib/alsa.te
+++ b/policy/modules/contrib/alsa.te
@@ -1,4 +1,4 @@
-policy_module(alsa, 1.15.1)
+policy_module(alsa, 1.16.0)
########################################
#
diff --git a/policy/modules/contrib/amanda.te b/policy/modules/contrib/amanda.te
index 5f579aa..65fa397 100644
--- a/policy/modules/contrib/amanda.te
+++ b/policy/modules/contrib/amanda.te
@@ -1,4 +1,4 @@
-policy_module(amanda, 1.15.1)
+policy_module(amanda, 1.16.0)
#######################################
#
diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index e02fcdc..2afcf1c 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -1,4 +1,4 @@
-policy_module(apache, 2.10.1)
+policy_module(apache, 2.11.0)
########################################
#
diff --git a/policy/modules/contrib/apcupsd.te b/policy/modules/contrib/apcupsd.te
index 586104d..2432884 100644
--- a/policy/modules/contrib/apcupsd.te
+++ b/policy/modules/contrib/apcupsd.te
@@ -1,4 +1,4 @@
-policy_module(apcupsd, 1.10.1)
+policy_module(apcupsd, 1.11.0)
########################################
#
diff --git a/policy/modules/contrib/apm.te b/policy/modules/contrib/apm.te
index 449f23f..7c54285 100644
--- a/policy/modules/contrib/apm.te
+++ b/policy/modules/contrib/apm.te
@@ -1,4 +1,4 @@
-policy_module(apm, 1.14.2)
+policy_module(apm, 1.15.0)
########################################
#
diff --git a/policy/modules/contrib/arpwatch.te b/policy/modules/contrib/arpwatch.te
index 0cda29a..cb9258d 100644
--- a/policy/modules/contrib/arpwatch.te
+++ b/policy/modules/contrib/arpwatch.te
@@ -1,4 +1,4 @@
-policy_module(arpwatch, 1.12.1)
+policy_module(arpwatch, 1.13.0)
########################################
#
diff --git a/policy/modules/contrib/asterisk.te b/policy/modules/contrib/asterisk.te
index dee9f93..203d5e4 100644
--- a/policy/modules/contrib/asterisk.te
+++ b/policy/modules/contrib/asterisk.te
@@ -1,4 +1,4 @@
-policy_module(asterisk, 1.15.1)
+policy_module(asterisk, 1.16.0)
########################################
#
diff --git a/policy/modules/contrib/automount.te b/policy/modules/contrib/automount.te
index 2f5852e..6f3dc40 100644
--- a/policy/modules/contrib/automount.te
+++ b/policy/modules/contrib/automount.te
@@ -1,4 +1,4 @@
-policy_module(automount, 1.16.1)
+policy_module(automount, 1.17.0)
########################################
#
diff --git a/policy/modules/contrib/avahi.te b/policy/modules/contrib/avahi.te
index 40cba10..8c4bbb4 100644
--- a/policy/modules/contrib/avahi.te
+++ b/policy/modules/contrib/avahi.te
@@ -1,4 +1,4 @@
-policy_module(avahi, 1.16.1)
+policy_module(avahi, 1.17.0)
########################################
#
diff --git a/policy/modules/contrib/bind.te b/policy/modules/contrib/bind.te
index e3072c7..23645e9 100644
--- a/policy/modules/contrib/bind.te
+++ b/policy/modules/contrib/bind.te
@@ -1,4 +1,4 @@
-policy_module(bind, 1.16.2)
+policy_module(bind, 1.17.0)
########################################
#
diff --git a/policy/modules/contrib/boinc.te b/policy/modules/contrib/boinc.te
index 58468ea..557c8f9 100644
--- a/policy/modules/contrib/boinc.te
+++ b/policy/modules/contrib/boinc.te
@@ -1,4 +1,4 @@
-policy_module(boinc, 1.3.1)
+policy_module(boinc, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/certmonger.te b/policy/modules/contrib/certmonger.te
index cfbb41c..a98db0b 100644
--- a/policy/modules/contrib/certmonger.te
+++ b/policy/modules/contrib/certmonger.te
@@ -1,4 +1,4 @@
-policy_module(certmonger, 1.3.1)
+policy_module(certmonger, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/cgroup.te b/policy/modules/contrib/cgroup.te
index 736856f..24c2ee7 100644
--- a/policy/modules/contrib/cgroup.te
+++ b/policy/modules/contrib/cgroup.te
@@ -1,4 +1,4 @@
-policy_module(cgroup, 1.3.1)
+policy_module(cgroup, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/clamav.te b/policy/modules/contrib/clamav.te
index d733ffb..f615884 100644
--- a/policy/modules/contrib/clamav.te
+++ b/policy/modules/contrib/clamav.te
@@ -1,4 +1,4 @@
-policy_module(clamav, 1.12.1)
+policy_module(clamav, 1.13.0)
## <desc>
## <p>
diff --git a/policy/modules/contrib/collectd.te b/policy/modules/contrib/collectd.te
index cb20d84..9c8f218 100644
--- a/policy/modules/contrib/collectd.te
+++ b/policy/modules/contrib/collectd.te
@@ -1,4 +1,4 @@
-policy_module(collectd, 1.1.1)
+policy_module(collectd, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/consolekit.te b/policy/modules/contrib/consolekit.te
index 80c18fa..a41c47f 100644
--- a/policy/modules/contrib/consolekit.te
+++ b/policy/modules/contrib/consolekit.te
@@ -1,4 +1,4 @@
-policy_module(consolekit, 1.10.2)
+policy_module(consolekit, 1.11.0)
########################################
#
diff --git a/policy/modules/contrib/cpucontrol.te b/policy/modules/contrib/cpucontrol.te
index 901911b..0c3ec09 100644
--- a/policy/modules/contrib/cpucontrol.te
+++ b/policy/modules/contrib/cpucontrol.te
@@ -1,4 +1,4 @@
-policy_module(cpucontrol, 1.4.1)
+policy_module(cpucontrol, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te
index 0125df0..20a645c 100644
--- a/policy/modules/contrib/cron.te
+++ b/policy/modules/contrib/cron.te
@@ -1,4 +1,4 @@
-policy_module(cron, 2.9.2)
+policy_module(cron, 2.10.0)
gen_require(`
class passwd rootok;
diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te
index 1d6fd86..7674df8 100644
--- a/policy/modules/contrib/cups.te
+++ b/policy/modules/contrib/cups.te
@@ -1,4 +1,4 @@
-policy_module(cups, 1.19.2)
+policy_module(cups, 1.20.0)
########################################
#
diff --git a/policy/modules/contrib/devicekit.te b/policy/modules/contrib/devicekit.te
index 3fc7f7c..ccee3f9 100644
--- a/policy/modules/contrib/devicekit.te
+++ b/policy/modules/contrib/devicekit.te
@@ -1,4 +1,4 @@
-policy_module(devicekit, 1.4.1)
+policy_module(devicekit, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/dhcp.te b/policy/modules/contrib/dhcp.te
index 927e1d9..9421ef8 100644
--- a/policy/modules/contrib/dhcp.te
+++ b/policy/modules/contrib/dhcp.te
@@ -1,4 +1,4 @@
-policy_module(dhcp, 1.12.1)
+policy_module(dhcp, 1.13.0)
########################################
#
diff --git a/policy/modules/contrib/entropyd.te b/policy/modules/contrib/entropyd.te
index e1f6d58..e5c943b 100644
--- a/policy/modules/contrib/entropyd.te
+++ b/policy/modules/contrib/entropyd.te
@@ -1,4 +1,4 @@
-policy_module(entropyd, 1.9.1)
+policy_module(entropyd, 1.10.0)
########################################
#
diff --git a/policy/modules/contrib/evolution.te b/policy/modules/contrib/evolution.te
index 1580c95..1d5421b 100644
--- a/policy/modules/contrib/evolution.te
+++ b/policy/modules/contrib/evolution.te
@@ -1,4 +1,4 @@
-policy_module(evolution, 2.4.3)
+policy_module(evolution, 2.5.0)
########################################
#
diff --git a/policy/modules/contrib/firewalld.te b/policy/modules/contrib/firewalld.te
index aa0d713..e9d23e1 100644
--- a/policy/modules/contrib/firewalld.te
+++ b/policy/modules/contrib/firewalld.te
@@ -1,4 +1,4 @@
-policy_module(firewalld, 1.3.1)
+policy_module(firewalld, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/ftp.te b/policy/modules/contrib/ftp.te
index 8b83ad7..300d0dc 100644
--- a/policy/modules/contrib/ftp.te
+++ b/policy/modules/contrib/ftp.te
@@ -1,4 +1,4 @@
-policy_module(ftp, 1.18.2)
+policy_module(ftp, 1.19.0)
########################################
#
diff --git a/policy/modules/contrib/geoclue.te b/policy/modules/contrib/geoclue.te
index 9edb92c..c6e6640 100644
--- a/policy/modules/contrib/geoclue.te
+++ b/policy/modules/contrib/geoclue.te
@@ -1,4 +1,4 @@
-policy_module(geoclue, 1.0.4)
+policy_module(geoclue, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te
index c30e596..5a6f728 100644
--- a/policy/modules/contrib/gnome.te
+++ b/policy/modules/contrib/gnome.te
@@ -1,4 +1,4 @@
-policy_module(gnome, 2.5.2)
+policy_module(gnome, 2.6.0)
##############################
#
diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index f76aed4..c62a7f3 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -1,4 +1,4 @@
-policy_module(gpg, 2.9.2)
+policy_module(gpg, 2.10.0)
########################################
#
diff --git a/policy/modules/contrib/hal.te b/policy/modules/contrib/hal.te
index beef250..18e3082 100644
--- a/policy/modules/contrib/hal.te
+++ b/policy/modules/contrib/hal.te
@@ -1,4 +1,4 @@
-policy_module(hal, 1.15.1)
+policy_module(hal, 1.16.0)
########################################
#
diff --git a/policy/modules/contrib/kdump.te b/policy/modules/contrib/kdump.te
index 215a680..1f63509 100644
--- a/policy/modules/contrib/kdump.te
+++ b/policy/modules/contrib/kdump.te
@@ -1,4 +1,4 @@
-policy_module(kdump, 1.4.2)
+policy_module(kdump, 1.5.0)
#######################################
#
diff --git a/policy/modules/contrib/ldap.te b/policy/modules/contrib/ldap.te
index 5abf625..6b069f2 100644
--- a/policy/modules/contrib/ldap.te
+++ b/policy/modules/contrib/ldap.te
@@ -1,4 +1,4 @@
-policy_module(ldap, 1.13.1)
+policy_module(ldap, 1.14.0)
########################################
#
diff --git a/policy/modules/contrib/logrotate.te b/policy/modules/contrib/logrotate.te
index fabf459..e2daa42 100644
--- a/policy/modules/contrib/logrotate.te
+++ b/policy/modules/contrib/logrotate.te
@@ -1,4 +1,4 @@
-policy_module(logrotate, 1.17.1)
+policy_module(logrotate, 1.18.0)
########################################
#
diff --git a/policy/modules/contrib/mailman.te b/policy/modules/contrib/mailman.te
index 609a9ea..9ec364b 100644
--- a/policy/modules/contrib/mailman.te
+++ b/policy/modules/contrib/mailman.te
@@ -1,4 +1,4 @@
-policy_module(mailman, 1.10.1)
+policy_module(mailman, 1.11.0)
########################################
#
diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
index 42fb9bf..1331491 100644
--- a/policy/modules/contrib/mozilla.te
+++ b/policy/modules/contrib/mozilla.te
@@ -1,4 +1,4 @@
-policy_module(mozilla, 2.9.3)
+policy_module(mozilla, 2.10.0)
########################################
#
diff --git a/policy/modules/contrib/mpd.te b/policy/modules/contrib/mpd.te
index 755e1ef..43de2d9 100644
--- a/policy/modules/contrib/mpd.te
+++ b/policy/modules/contrib/mpd.te
@@ -1,4 +1,4 @@
-policy_module(mpd, 1.3.1)
+policy_module(mpd, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/mplayer.te b/policy/modules/contrib/mplayer.te
index 6915313..758b127 100644
--- a/policy/modules/contrib/mplayer.te
+++ b/policy/modules/contrib/mplayer.te
@@ -1,4 +1,4 @@
-policy_module(mplayer, 2.5.2)
+policy_module(mplayer, 2.6.0)
########################################
#
diff --git a/policy/modules/contrib/mysql.te b/policy/modules/contrib/mysql.te
index 455fd81..023c7db 100644
--- a/policy/modules/contrib/mysql.te
+++ b/policy/modules/contrib/mysql.te
@@ -1,4 +1,4 @@
-policy_module(mysql, 1.17.1)
+policy_module(mysql, 1.18.0)
########################################
#
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index 45bbc02..5e7a002 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -1,4 +1,4 @@
-policy_module(networkmanager, 1.18.4)
+policy_module(networkmanager, 1.19.0)
########################################
#
diff --git a/policy/modules/contrib/nis.te b/policy/modules/contrib/nis.te
index 3d3936d..9715d63 100644
--- a/policy/modules/contrib/nis.te
+++ b/policy/modules/contrib/nis.te
@@ -1,4 +1,4 @@
-policy_module(nis, 1.13.2)
+policy_module(nis, 1.14.0)
########################################
#
diff --git a/policy/modules/contrib/nscd.te b/policy/modules/contrib/nscd.te
index 4ba589d..eec2928 100644
--- a/policy/modules/contrib/nscd.te
+++ b/policy/modules/contrib/nscd.te
@@ -1,4 +1,4 @@
-policy_module(nscd, 1.13.1)
+policy_module(nscd, 1.14.0)
gen_require(`
class nscd all_nscd_perms;
diff --git a/policy/modules/contrib/ntp.te b/policy/modules/contrib/ntp.te
index 215c57d..51747ad 100644
--- a/policy/modules/contrib/ntp.te
+++ b/policy/modules/contrib/ntp.te
@@ -1,4 +1,4 @@
-policy_module(ntp, 1.14.2)
+policy_module(ntp, 1.15.0)
########################################
#
diff --git a/policy/modules/contrib/policykit.te b/policy/modules/contrib/policykit.te
index b0e00eb..6c5f592 100644
--- a/policy/modules/contrib/policykit.te
+++ b/policy/modules/contrib/policykit.te
@@ -1,4 +1,4 @@
-policy_module(policykit, 1.4.1)
+policy_module(policykit, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/ppp.te b/policy/modules/contrib/ppp.te
index 8473117..f09e8ca 100644
--- a/policy/modules/contrib/ppp.te
+++ b/policy/modules/contrib/ppp.te
@@ -1,4 +1,4 @@
-policy_module(ppp, 1.15.1)
+policy_module(ppp, 1.16.0)
########################################
#
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index 72064a2..e641031 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -1,4 +1,4 @@
-policy_module(pulseaudio, 1.8.7)
+policy_module(pulseaudio, 1.9.0)
########################################
#
diff --git a/policy/modules/contrib/puppet.te b/policy/modules/contrib/puppet.te
index 4516018..dabc6d8 100644
--- a/policy/modules/contrib/puppet.te
+++ b/policy/modules/contrib/puppet.te
@@ -1,4 +1,4 @@
-policy_module(puppet, 1.6.1)
+policy_module(puppet, 1.7.0)
########################################
#
diff --git a/policy/modules/contrib/raid.te b/policy/modules/contrib/raid.te
index ec54379..e65f673 100644
--- a/policy/modules/contrib/raid.te
+++ b/policy/modules/contrib/raid.te
@@ -1,4 +1,4 @@
-policy_module(raid, 1.15.1)
+policy_module(raid, 1.16.0)
########################################
#
diff --git a/policy/modules/contrib/redis.te b/policy/modules/contrib/redis.te
index 25cf846..d8bbd67 100644
--- a/policy/modules/contrib/redis.te
+++ b/policy/modules/contrib/redis.te
@@ -1,4 +1,4 @@
-policy_module(redis, 1.2.2)
+policy_module(redis, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
index 6703f96..027eb78 100644
--- a/policy/modules/contrib/rpc.te
+++ b/policy/modules/contrib/rpc.te
@@ -1,4 +1,4 @@
-policy_module(rpc, 1.17.1)
+policy_module(rpc, 1.18.0)
########################################
#
diff --git a/policy/modules/contrib/rpcbind.te b/policy/modules/contrib/rpcbind.te
index 88dbc6b..6e39fe7 100644
--- a/policy/modules/contrib/rpcbind.te
+++ b/policy/modules/contrib/rpcbind.te
@@ -1,4 +1,4 @@
-policy_module(rpcbind, 1.9.1)
+policy_module(rpcbind, 1.10.0)
########################################
#
diff --git a/policy/modules/contrib/rtkit.te b/policy/modules/contrib/rtkit.te
index 3e68e7f..3310d80 100644
--- a/policy/modules/contrib/rtkit.te
+++ b/policy/modules/contrib/rtkit.te
@@ -1,4 +1,4 @@
-policy_module(rtkit, 1.3.1)
+policy_module(rtkit, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
index 602be98..15b53a1 100644
--- a/policy/modules/contrib/samba.te
+++ b/policy/modules/contrib/samba.te
@@ -1,4 +1,4 @@
-policy_module(samba, 1.18.1)
+policy_module(samba, 1.19.0)
#################################
#
diff --git a/policy/modules/contrib/shorewall.te b/policy/modules/contrib/shorewall.te
index c4f6477..29661de 100644
--- a/policy/modules/contrib/shorewall.te
+++ b/policy/modules/contrib/shorewall.te
@@ -1,4 +1,4 @@
-policy_module(shorewall, 1.5.1)
+policy_module(shorewall, 1.6.0)
########################################
#
diff --git a/policy/modules/contrib/telepathy.te b/policy/modules/contrib/telepathy.te
index 4bb3c6f..1ffeaa7 100644
--- a/policy/modules/contrib/telepathy.te
+++ b/policy/modules/contrib/telepathy.te
@@ -1,4 +1,4 @@
-policy_module(telepathy, 1.6.1)
+policy_module(telepathy, 1.7.0)
########################################
#
diff --git a/policy/modules/contrib/tor.te b/policy/modules/contrib/tor.te
index 3c596d8..1f0832d 100644
--- a/policy/modules/contrib/tor.te
+++ b/policy/modules/contrib/tor.te
@@ -1,4 +1,4 @@
-policy_module(tor, 1.11.1)
+policy_module(tor, 1.12.0)
########################################
#
diff --git a/policy/modules/contrib/userhelper.te b/policy/modules/contrib/userhelper.te
index 8a0dc1d..7a57c21 100644
--- a/policy/modules/contrib/userhelper.te
+++ b/policy/modules/contrib/userhelper.te
@@ -1,4 +1,4 @@
-policy_module(userhelper, 1.9.1)
+policy_module(userhelper, 1.10.0)
########################################
#
diff --git a/policy/modules/contrib/varnishd.te b/policy/modules/contrib/varnishd.te
index 9d24d0d..9ff049b 100644
--- a/policy/modules/contrib/varnishd.te
+++ b/policy/modules/contrib/varnishd.te
@@ -1,4 +1,4 @@
-policy_module(varnishd, 1.3.2)
+policy_module(varnishd, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 38aa474..c45ba2d 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1,4 +1,4 @@
-policy_module(virt, 1.9.3)
+policy_module(virt, 1.10.0)
########################################
#
diff --git a/policy/modules/contrib/watchdog.te b/policy/modules/contrib/watchdog.te
index 0793afa..4d903b6 100644
--- a/policy/modules/contrib/watchdog.te
+++ b/policy/modules/contrib/watchdog.te
@@ -1,4 +1,4 @@
-policy_module(watchdog, 1.10.1)
+policy_module(watchdog, 1.11.0)
#################################
#
diff --git a/policy/modules/contrib/webalizer.te b/policy/modules/contrib/webalizer.te
index 9e87be9..06f9d33 100644
--- a/policy/modules/contrib/webalizer.te
+++ b/policy/modules/contrib/webalizer.te
@@ -1,4 +1,4 @@
-policy_module(webalizer, 1.13.2)
+policy_module(webalizer, 1.14.0)
########################################
#
diff --git a/policy/modules/contrib/wm.te b/policy/modules/contrib/wm.te
index 02329e0..2cecd32 100644
--- a/policy/modules/contrib/wm.te
+++ b/policy/modules/contrib/wm.te
@@ -1,4 +1,4 @@
-policy_module(wm, 1.4.1)
+policy_module(wm, 1.5.0)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2016-10-24 16:02 [gentoo-commits] proj/hardened-refpolicy:swift " Sven Vermeulen
@ 2016-10-24 16:02 ` Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2016-10-24 16:02 UTC (permalink / raw
To: gentoo-commits
commit: 75bde71a956a7d9cd2ad48387d75dfda32c21e1c
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Oct 23 20:58:59 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 24 15:57:53 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=75bde71a
Bump module versions for release.
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
policy/modules/contrib/alsa.te | 2 +-
policy/modules/contrib/amanda.te | 2 +-
policy/modules/contrib/apache.te | 2 +-
policy/modules/contrib/apcupsd.te | 2 +-
policy/modules/contrib/apm.te | 2 +-
policy/modules/contrib/arpwatch.te | 2 +-
policy/modules/contrib/asterisk.te | 2 +-
policy/modules/contrib/automount.te | 2 +-
policy/modules/contrib/avahi.te | 2 +-
policy/modules/contrib/bind.te | 2 +-
policy/modules/contrib/boinc.te | 2 +-
policy/modules/contrib/certmonger.te | 2 +-
policy/modules/contrib/cgroup.te | 2 +-
policy/modules/contrib/clamav.te | 2 +-
policy/modules/contrib/collectd.te | 2 +-
policy/modules/contrib/consolekit.te | 2 +-
policy/modules/contrib/cpucontrol.te | 2 +-
policy/modules/contrib/cron.te | 2 +-
policy/modules/contrib/cups.te | 2 +-
policy/modules/contrib/devicekit.te | 2 +-
policy/modules/contrib/dhcp.te | 2 +-
policy/modules/contrib/entropyd.te | 2 +-
policy/modules/contrib/evolution.te | 2 +-
policy/modules/contrib/firewalld.te | 2 +-
policy/modules/contrib/ftp.te | 2 +-
policy/modules/contrib/geoclue.te | 2 +-
policy/modules/contrib/gnome.te | 2 +-
policy/modules/contrib/gpg.te | 2 +-
policy/modules/contrib/hal.te | 2 +-
policy/modules/contrib/kdump.te | 2 +-
policy/modules/contrib/ldap.te | 2 +-
policy/modules/contrib/logrotate.te | 2 +-
policy/modules/contrib/mailman.te | 2 +-
policy/modules/contrib/mozilla.te | 2 +-
policy/modules/contrib/mpd.te | 2 +-
policy/modules/contrib/mplayer.te | 2 +-
policy/modules/contrib/mysql.te | 2 +-
policy/modules/contrib/networkmanager.te | 2 +-
policy/modules/contrib/nis.te | 2 +-
policy/modules/contrib/nscd.te | 2 +-
policy/modules/contrib/ntp.te | 2 +-
policy/modules/contrib/policykit.te | 2 +-
policy/modules/contrib/ppp.te | 2 +-
policy/modules/contrib/pulseaudio.te | 2 +-
policy/modules/contrib/puppet.te | 2 +-
policy/modules/contrib/raid.te | 2 +-
policy/modules/contrib/redis.te | 2 +-
policy/modules/contrib/rpc.te | 2 +-
policy/modules/contrib/rpcbind.te | 2 +-
policy/modules/contrib/rtkit.te | 2 +-
policy/modules/contrib/samba.te | 2 +-
policy/modules/contrib/shorewall.te | 2 +-
policy/modules/contrib/telepathy.te | 2 +-
policy/modules/contrib/tor.te | 2 +-
policy/modules/contrib/userhelper.te | 2 +-
policy/modules/contrib/varnishd.te | 2 +-
policy/modules/contrib/virt.te | 2 +-
policy/modules/contrib/watchdog.te | 2 +-
policy/modules/contrib/webalizer.te | 2 +-
policy/modules/contrib/wm.te | 2 +-
60 files changed, 60 insertions(+), 60 deletions(-)
diff --git a/policy/modules/contrib/alsa.te b/policy/modules/contrib/alsa.te
index dc87030..f7faa4b 100644
--- a/policy/modules/contrib/alsa.te
+++ b/policy/modules/contrib/alsa.te
@@ -1,4 +1,4 @@
-policy_module(alsa, 1.15.1)
+policy_module(alsa, 1.16.0)
########################################
#
diff --git a/policy/modules/contrib/amanda.te b/policy/modules/contrib/amanda.te
index 5f579aa..65fa397 100644
--- a/policy/modules/contrib/amanda.te
+++ b/policy/modules/contrib/amanda.te
@@ -1,4 +1,4 @@
-policy_module(amanda, 1.15.1)
+policy_module(amanda, 1.16.0)
#######################################
#
diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index e02fcdc..2afcf1c 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -1,4 +1,4 @@
-policy_module(apache, 2.10.1)
+policy_module(apache, 2.11.0)
########################################
#
diff --git a/policy/modules/contrib/apcupsd.te b/policy/modules/contrib/apcupsd.te
index 586104d..2432884 100644
--- a/policy/modules/contrib/apcupsd.te
+++ b/policy/modules/contrib/apcupsd.te
@@ -1,4 +1,4 @@
-policy_module(apcupsd, 1.10.1)
+policy_module(apcupsd, 1.11.0)
########################################
#
diff --git a/policy/modules/contrib/apm.te b/policy/modules/contrib/apm.te
index 449f23f..7c54285 100644
--- a/policy/modules/contrib/apm.te
+++ b/policy/modules/contrib/apm.te
@@ -1,4 +1,4 @@
-policy_module(apm, 1.14.2)
+policy_module(apm, 1.15.0)
########################################
#
diff --git a/policy/modules/contrib/arpwatch.te b/policy/modules/contrib/arpwatch.te
index 0cda29a..cb9258d 100644
--- a/policy/modules/contrib/arpwatch.te
+++ b/policy/modules/contrib/arpwatch.te
@@ -1,4 +1,4 @@
-policy_module(arpwatch, 1.12.1)
+policy_module(arpwatch, 1.13.0)
########################################
#
diff --git a/policy/modules/contrib/asterisk.te b/policy/modules/contrib/asterisk.te
index dee9f93..203d5e4 100644
--- a/policy/modules/contrib/asterisk.te
+++ b/policy/modules/contrib/asterisk.te
@@ -1,4 +1,4 @@
-policy_module(asterisk, 1.15.1)
+policy_module(asterisk, 1.16.0)
########################################
#
diff --git a/policy/modules/contrib/automount.te b/policy/modules/contrib/automount.te
index 2f5852e..6f3dc40 100644
--- a/policy/modules/contrib/automount.te
+++ b/policy/modules/contrib/automount.te
@@ -1,4 +1,4 @@
-policy_module(automount, 1.16.1)
+policy_module(automount, 1.17.0)
########################################
#
diff --git a/policy/modules/contrib/avahi.te b/policy/modules/contrib/avahi.te
index 40cba10..8c4bbb4 100644
--- a/policy/modules/contrib/avahi.te
+++ b/policy/modules/contrib/avahi.te
@@ -1,4 +1,4 @@
-policy_module(avahi, 1.16.1)
+policy_module(avahi, 1.17.0)
########################################
#
diff --git a/policy/modules/contrib/bind.te b/policy/modules/contrib/bind.te
index e3072c7..23645e9 100644
--- a/policy/modules/contrib/bind.te
+++ b/policy/modules/contrib/bind.te
@@ -1,4 +1,4 @@
-policy_module(bind, 1.16.2)
+policy_module(bind, 1.17.0)
########################################
#
diff --git a/policy/modules/contrib/boinc.te b/policy/modules/contrib/boinc.te
index 58468ea..557c8f9 100644
--- a/policy/modules/contrib/boinc.te
+++ b/policy/modules/contrib/boinc.te
@@ -1,4 +1,4 @@
-policy_module(boinc, 1.3.1)
+policy_module(boinc, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/certmonger.te b/policy/modules/contrib/certmonger.te
index cfbb41c..a98db0b 100644
--- a/policy/modules/contrib/certmonger.te
+++ b/policy/modules/contrib/certmonger.te
@@ -1,4 +1,4 @@
-policy_module(certmonger, 1.3.1)
+policy_module(certmonger, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/cgroup.te b/policy/modules/contrib/cgroup.te
index 736856f..24c2ee7 100644
--- a/policy/modules/contrib/cgroup.te
+++ b/policy/modules/contrib/cgroup.te
@@ -1,4 +1,4 @@
-policy_module(cgroup, 1.3.1)
+policy_module(cgroup, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/clamav.te b/policy/modules/contrib/clamav.te
index d733ffb..f615884 100644
--- a/policy/modules/contrib/clamav.te
+++ b/policy/modules/contrib/clamav.te
@@ -1,4 +1,4 @@
-policy_module(clamav, 1.12.1)
+policy_module(clamav, 1.13.0)
## <desc>
## <p>
diff --git a/policy/modules/contrib/collectd.te b/policy/modules/contrib/collectd.te
index cb20d84..9c8f218 100644
--- a/policy/modules/contrib/collectd.te
+++ b/policy/modules/contrib/collectd.te
@@ -1,4 +1,4 @@
-policy_module(collectd, 1.1.1)
+policy_module(collectd, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/consolekit.te b/policy/modules/contrib/consolekit.te
index 80c18fa..a41c47f 100644
--- a/policy/modules/contrib/consolekit.te
+++ b/policy/modules/contrib/consolekit.te
@@ -1,4 +1,4 @@
-policy_module(consolekit, 1.10.2)
+policy_module(consolekit, 1.11.0)
########################################
#
diff --git a/policy/modules/contrib/cpucontrol.te b/policy/modules/contrib/cpucontrol.te
index 901911b..0c3ec09 100644
--- a/policy/modules/contrib/cpucontrol.te
+++ b/policy/modules/contrib/cpucontrol.te
@@ -1,4 +1,4 @@
-policy_module(cpucontrol, 1.4.1)
+policy_module(cpucontrol, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te
index 0125df0..20a645c 100644
--- a/policy/modules/contrib/cron.te
+++ b/policy/modules/contrib/cron.te
@@ -1,4 +1,4 @@
-policy_module(cron, 2.9.2)
+policy_module(cron, 2.10.0)
gen_require(`
class passwd rootok;
diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te
index 1d6fd86..7674df8 100644
--- a/policy/modules/contrib/cups.te
+++ b/policy/modules/contrib/cups.te
@@ -1,4 +1,4 @@
-policy_module(cups, 1.19.2)
+policy_module(cups, 1.20.0)
########################################
#
diff --git a/policy/modules/contrib/devicekit.te b/policy/modules/contrib/devicekit.te
index 3fc7f7c..ccee3f9 100644
--- a/policy/modules/contrib/devicekit.te
+++ b/policy/modules/contrib/devicekit.te
@@ -1,4 +1,4 @@
-policy_module(devicekit, 1.4.1)
+policy_module(devicekit, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/dhcp.te b/policy/modules/contrib/dhcp.te
index 927e1d9..9421ef8 100644
--- a/policy/modules/contrib/dhcp.te
+++ b/policy/modules/contrib/dhcp.te
@@ -1,4 +1,4 @@
-policy_module(dhcp, 1.12.1)
+policy_module(dhcp, 1.13.0)
########################################
#
diff --git a/policy/modules/contrib/entropyd.te b/policy/modules/contrib/entropyd.te
index e1f6d58..e5c943b 100644
--- a/policy/modules/contrib/entropyd.te
+++ b/policy/modules/contrib/entropyd.te
@@ -1,4 +1,4 @@
-policy_module(entropyd, 1.9.1)
+policy_module(entropyd, 1.10.0)
########################################
#
diff --git a/policy/modules/contrib/evolution.te b/policy/modules/contrib/evolution.te
index 1580c95..1d5421b 100644
--- a/policy/modules/contrib/evolution.te
+++ b/policy/modules/contrib/evolution.te
@@ -1,4 +1,4 @@
-policy_module(evolution, 2.4.3)
+policy_module(evolution, 2.5.0)
########################################
#
diff --git a/policy/modules/contrib/firewalld.te b/policy/modules/contrib/firewalld.te
index aa0d713..e9d23e1 100644
--- a/policy/modules/contrib/firewalld.te
+++ b/policy/modules/contrib/firewalld.te
@@ -1,4 +1,4 @@
-policy_module(firewalld, 1.3.1)
+policy_module(firewalld, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/ftp.te b/policy/modules/contrib/ftp.te
index 8b83ad7..300d0dc 100644
--- a/policy/modules/contrib/ftp.te
+++ b/policy/modules/contrib/ftp.te
@@ -1,4 +1,4 @@
-policy_module(ftp, 1.18.2)
+policy_module(ftp, 1.19.0)
########################################
#
diff --git a/policy/modules/contrib/geoclue.te b/policy/modules/contrib/geoclue.te
index 9edb92c..c6e6640 100644
--- a/policy/modules/contrib/geoclue.te
+++ b/policy/modules/contrib/geoclue.te
@@ -1,4 +1,4 @@
-policy_module(geoclue, 1.0.4)
+policy_module(geoclue, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te
index c30e596..5a6f728 100644
--- a/policy/modules/contrib/gnome.te
+++ b/policy/modules/contrib/gnome.te
@@ -1,4 +1,4 @@
-policy_module(gnome, 2.5.2)
+policy_module(gnome, 2.6.0)
##############################
#
diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index f76aed4..c62a7f3 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -1,4 +1,4 @@
-policy_module(gpg, 2.9.2)
+policy_module(gpg, 2.10.0)
########################################
#
diff --git a/policy/modules/contrib/hal.te b/policy/modules/contrib/hal.te
index beef250..18e3082 100644
--- a/policy/modules/contrib/hal.te
+++ b/policy/modules/contrib/hal.te
@@ -1,4 +1,4 @@
-policy_module(hal, 1.15.1)
+policy_module(hal, 1.16.0)
########################################
#
diff --git a/policy/modules/contrib/kdump.te b/policy/modules/contrib/kdump.te
index 215a680..1f63509 100644
--- a/policy/modules/contrib/kdump.te
+++ b/policy/modules/contrib/kdump.te
@@ -1,4 +1,4 @@
-policy_module(kdump, 1.4.2)
+policy_module(kdump, 1.5.0)
#######################################
#
diff --git a/policy/modules/contrib/ldap.te b/policy/modules/contrib/ldap.te
index 5abf625..6b069f2 100644
--- a/policy/modules/contrib/ldap.te
+++ b/policy/modules/contrib/ldap.te
@@ -1,4 +1,4 @@
-policy_module(ldap, 1.13.1)
+policy_module(ldap, 1.14.0)
########################################
#
diff --git a/policy/modules/contrib/logrotate.te b/policy/modules/contrib/logrotate.te
index fabf459..e2daa42 100644
--- a/policy/modules/contrib/logrotate.te
+++ b/policy/modules/contrib/logrotate.te
@@ -1,4 +1,4 @@
-policy_module(logrotate, 1.17.1)
+policy_module(logrotate, 1.18.0)
########################################
#
diff --git a/policy/modules/contrib/mailman.te b/policy/modules/contrib/mailman.te
index 609a9ea..9ec364b 100644
--- a/policy/modules/contrib/mailman.te
+++ b/policy/modules/contrib/mailman.te
@@ -1,4 +1,4 @@
-policy_module(mailman, 1.10.1)
+policy_module(mailman, 1.11.0)
########################################
#
diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
index 42fb9bf..1331491 100644
--- a/policy/modules/contrib/mozilla.te
+++ b/policy/modules/contrib/mozilla.te
@@ -1,4 +1,4 @@
-policy_module(mozilla, 2.9.3)
+policy_module(mozilla, 2.10.0)
########################################
#
diff --git a/policy/modules/contrib/mpd.te b/policy/modules/contrib/mpd.te
index 755e1ef..43de2d9 100644
--- a/policy/modules/contrib/mpd.te
+++ b/policy/modules/contrib/mpd.te
@@ -1,4 +1,4 @@
-policy_module(mpd, 1.3.1)
+policy_module(mpd, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/mplayer.te b/policy/modules/contrib/mplayer.te
index 6915313..758b127 100644
--- a/policy/modules/contrib/mplayer.te
+++ b/policy/modules/contrib/mplayer.te
@@ -1,4 +1,4 @@
-policy_module(mplayer, 2.5.2)
+policy_module(mplayer, 2.6.0)
########################################
#
diff --git a/policy/modules/contrib/mysql.te b/policy/modules/contrib/mysql.te
index 455fd81..023c7db 100644
--- a/policy/modules/contrib/mysql.te
+++ b/policy/modules/contrib/mysql.te
@@ -1,4 +1,4 @@
-policy_module(mysql, 1.17.1)
+policy_module(mysql, 1.18.0)
########################################
#
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index 45bbc02..5e7a002 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -1,4 +1,4 @@
-policy_module(networkmanager, 1.18.4)
+policy_module(networkmanager, 1.19.0)
########################################
#
diff --git a/policy/modules/contrib/nis.te b/policy/modules/contrib/nis.te
index 3d3936d..9715d63 100644
--- a/policy/modules/contrib/nis.te
+++ b/policy/modules/contrib/nis.te
@@ -1,4 +1,4 @@
-policy_module(nis, 1.13.2)
+policy_module(nis, 1.14.0)
########################################
#
diff --git a/policy/modules/contrib/nscd.te b/policy/modules/contrib/nscd.te
index 4ba589d..eec2928 100644
--- a/policy/modules/contrib/nscd.te
+++ b/policy/modules/contrib/nscd.te
@@ -1,4 +1,4 @@
-policy_module(nscd, 1.13.1)
+policy_module(nscd, 1.14.0)
gen_require(`
class nscd all_nscd_perms;
diff --git a/policy/modules/contrib/ntp.te b/policy/modules/contrib/ntp.te
index 215c57d..51747ad 100644
--- a/policy/modules/contrib/ntp.te
+++ b/policy/modules/contrib/ntp.te
@@ -1,4 +1,4 @@
-policy_module(ntp, 1.14.2)
+policy_module(ntp, 1.15.0)
########################################
#
diff --git a/policy/modules/contrib/policykit.te b/policy/modules/contrib/policykit.te
index b0e00eb..6c5f592 100644
--- a/policy/modules/contrib/policykit.te
+++ b/policy/modules/contrib/policykit.te
@@ -1,4 +1,4 @@
-policy_module(policykit, 1.4.1)
+policy_module(policykit, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/ppp.te b/policy/modules/contrib/ppp.te
index 8473117..f09e8ca 100644
--- a/policy/modules/contrib/ppp.te
+++ b/policy/modules/contrib/ppp.te
@@ -1,4 +1,4 @@
-policy_module(ppp, 1.15.1)
+policy_module(ppp, 1.16.0)
########################################
#
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index 72064a2..e641031 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -1,4 +1,4 @@
-policy_module(pulseaudio, 1.8.7)
+policy_module(pulseaudio, 1.9.0)
########################################
#
diff --git a/policy/modules/contrib/puppet.te b/policy/modules/contrib/puppet.te
index 4516018..dabc6d8 100644
--- a/policy/modules/contrib/puppet.te
+++ b/policy/modules/contrib/puppet.te
@@ -1,4 +1,4 @@
-policy_module(puppet, 1.6.1)
+policy_module(puppet, 1.7.0)
########################################
#
diff --git a/policy/modules/contrib/raid.te b/policy/modules/contrib/raid.te
index ec54379..e65f673 100644
--- a/policy/modules/contrib/raid.te
+++ b/policy/modules/contrib/raid.te
@@ -1,4 +1,4 @@
-policy_module(raid, 1.15.1)
+policy_module(raid, 1.16.0)
########################################
#
diff --git a/policy/modules/contrib/redis.te b/policy/modules/contrib/redis.te
index 25cf846..d8bbd67 100644
--- a/policy/modules/contrib/redis.te
+++ b/policy/modules/contrib/redis.te
@@ -1,4 +1,4 @@
-policy_module(redis, 1.2.2)
+policy_module(redis, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
index 6703f96..027eb78 100644
--- a/policy/modules/contrib/rpc.te
+++ b/policy/modules/contrib/rpc.te
@@ -1,4 +1,4 @@
-policy_module(rpc, 1.17.1)
+policy_module(rpc, 1.18.0)
########################################
#
diff --git a/policy/modules/contrib/rpcbind.te b/policy/modules/contrib/rpcbind.te
index 88dbc6b..6e39fe7 100644
--- a/policy/modules/contrib/rpcbind.te
+++ b/policy/modules/contrib/rpcbind.te
@@ -1,4 +1,4 @@
-policy_module(rpcbind, 1.9.1)
+policy_module(rpcbind, 1.10.0)
########################################
#
diff --git a/policy/modules/contrib/rtkit.te b/policy/modules/contrib/rtkit.te
index 3e68e7f..3310d80 100644
--- a/policy/modules/contrib/rtkit.te
+++ b/policy/modules/contrib/rtkit.te
@@ -1,4 +1,4 @@
-policy_module(rtkit, 1.3.1)
+policy_module(rtkit, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
index 602be98..15b53a1 100644
--- a/policy/modules/contrib/samba.te
+++ b/policy/modules/contrib/samba.te
@@ -1,4 +1,4 @@
-policy_module(samba, 1.18.1)
+policy_module(samba, 1.19.0)
#################################
#
diff --git a/policy/modules/contrib/shorewall.te b/policy/modules/contrib/shorewall.te
index c4f6477..29661de 100644
--- a/policy/modules/contrib/shorewall.te
+++ b/policy/modules/contrib/shorewall.te
@@ -1,4 +1,4 @@
-policy_module(shorewall, 1.5.1)
+policy_module(shorewall, 1.6.0)
########################################
#
diff --git a/policy/modules/contrib/telepathy.te b/policy/modules/contrib/telepathy.te
index 4bb3c6f..1ffeaa7 100644
--- a/policy/modules/contrib/telepathy.te
+++ b/policy/modules/contrib/telepathy.te
@@ -1,4 +1,4 @@
-policy_module(telepathy, 1.6.1)
+policy_module(telepathy, 1.7.0)
########################################
#
diff --git a/policy/modules/contrib/tor.te b/policy/modules/contrib/tor.te
index 3c596d8..1f0832d 100644
--- a/policy/modules/contrib/tor.te
+++ b/policy/modules/contrib/tor.te
@@ -1,4 +1,4 @@
-policy_module(tor, 1.11.1)
+policy_module(tor, 1.12.0)
########################################
#
diff --git a/policy/modules/contrib/userhelper.te b/policy/modules/contrib/userhelper.te
index 8a0dc1d..7a57c21 100644
--- a/policy/modules/contrib/userhelper.te
+++ b/policy/modules/contrib/userhelper.te
@@ -1,4 +1,4 @@
-policy_module(userhelper, 1.9.1)
+policy_module(userhelper, 1.10.0)
########################################
#
diff --git a/policy/modules/contrib/varnishd.te b/policy/modules/contrib/varnishd.te
index 9d24d0d..9ff049b 100644
--- a/policy/modules/contrib/varnishd.te
+++ b/policy/modules/contrib/varnishd.te
@@ -1,4 +1,4 @@
-policy_module(varnishd, 1.3.2)
+policy_module(varnishd, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 38aa474..c45ba2d 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1,4 +1,4 @@
-policy_module(virt, 1.9.3)
+policy_module(virt, 1.10.0)
########################################
#
diff --git a/policy/modules/contrib/watchdog.te b/policy/modules/contrib/watchdog.te
index 0793afa..4d903b6 100644
--- a/policy/modules/contrib/watchdog.te
+++ b/policy/modules/contrib/watchdog.te
@@ -1,4 +1,4 @@
-policy_module(watchdog, 1.10.1)
+policy_module(watchdog, 1.11.0)
#################################
#
diff --git a/policy/modules/contrib/webalizer.te b/policy/modules/contrib/webalizer.te
index 9e87be9..06f9d33 100644
--- a/policy/modules/contrib/webalizer.te
+++ b/policy/modules/contrib/webalizer.te
@@ -1,4 +1,4 @@
-policy_module(webalizer, 1.13.2)
+policy_module(webalizer, 1.14.0)
########################################
#
diff --git a/policy/modules/contrib/wm.te b/policy/modules/contrib/wm.te
index 02329e0..2cecd32 100644
--- a/policy/modules/contrib/wm.te
+++ b/policy/modules/contrib/wm.te
@@ -1,4 +1,4 @@
-policy_module(wm, 1.4.1)
+policy_module(wm, 1.5.0)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2016-10-24 16:02 Sven Vermeulen
2016-10-24 16:02 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
0 siblings, 1 reply; 1958+ messages in thread
From: Sven Vermeulen @ 2016-10-24 16:02 UTC (permalink / raw
To: gentoo-commits
commit: 4fe949b5d5a054cf70cc8fe2a7f24aa56e5ef941
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Oct 19 22:57:55 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 24 15:57:45 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4fe949b5
Module version bump for webalizer patch from Russell Coker.
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
policy/modules/contrib/logrotate.te | 2 +-
policy/modules/contrib/webalizer.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/logrotate.te b/policy/modules/contrib/logrotate.te
index f7a70da..fabf459 100644
--- a/policy/modules/contrib/logrotate.te
+++ b/policy/modules/contrib/logrotate.te
@@ -1,4 +1,4 @@
-policy_module(logrotate, 1.17.0)
+policy_module(logrotate, 1.17.1)
########################################
#
diff --git a/policy/modules/contrib/webalizer.te b/policy/modules/contrib/webalizer.te
index 5e0a9e6..9e87be9 100644
--- a/policy/modules/contrib/webalizer.te
+++ b/policy/modules/contrib/webalizer.te
@@ -1,4 +1,4 @@
-policy_module(webalizer, 1.13.1)
+policy_module(webalizer, 1.13.2)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2016-10-24 16:02 [gentoo-commits] proj/hardened-refpolicy:swift " Sven Vermeulen
@ 2016-10-24 16:02 ` Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2016-10-24 16:02 UTC (permalink / raw
To: gentoo-commits
commit: 4fe949b5d5a054cf70cc8fe2a7f24aa56e5ef941
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Oct 19 22:57:55 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 24 15:57:45 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4fe949b5
Module version bump for webalizer patch from Russell Coker.
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
policy/modules/contrib/logrotate.te | 2 +-
policy/modules/contrib/webalizer.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/logrotate.te b/policy/modules/contrib/logrotate.te
index f7a70da..fabf459 100644
--- a/policy/modules/contrib/logrotate.te
+++ b/policy/modules/contrib/logrotate.te
@@ -1,4 +1,4 @@
-policy_module(logrotate, 1.17.0)
+policy_module(logrotate, 1.17.1)
########################################
#
diff --git a/policy/modules/contrib/webalizer.te b/policy/modules/contrib/webalizer.te
index 5e0a9e6..9e87be9 100644
--- a/policy/modules/contrib/webalizer.te
+++ b/policy/modules/contrib/webalizer.te
@@ -1,4 +1,4 @@
-policy_module(webalizer, 1.13.1)
+policy_module(webalizer, 1.13.2)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-10-24 16:02 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2016-10-24 16:02 UTC (permalink / raw
To: gentoo-commits
commit: 25d7f7a7b3dfe131f56d593cfc26816e45ba72f4
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Oct 23 20:58:59 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 24 15:57:57 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=25d7f7a7
Update Changelog for release.
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
policy/modules/contrib/Changelog | 160 +++++++++++++++++++++++++++++++++++++++
1 file changed, 160 insertions(+)
diff --git a/policy/modules/contrib/Changelog b/policy/modules/contrib/Changelog
index 63c8ea9..f143cb9 100644
--- a/policy/modules/contrib/Changelog
+++ b/policy/modules/contrib/Changelog
@@ -1,3 +1,163 @@
+* Sun Oct 23 2016 Chris PeBenito <pebenito@ieee.org> - 2.20161023
+Adam Tkac (2):
+ varnishncsa (varnishlog_t) reads localization files
+ Grant certmonger "chown" capability
+
+Chris PeBenito (42):
+ Merge branch 'bigon-geoclue'
+ Add additional comments in geoclue.
+ Merge branch 'bigon-virt-1'
+ Merge branch 'nm-1' of git://github.com/bigon/refpolicy-contrib into
+ bigon-nm-1
+ Merge branch 'bigon-nm-1'
+ Module version bump for virt and networkmanager patches from Laurent
+ Bigonville.
+ Merge branch 'master' of git://github.com/bigon/refpolicy-contrib
+ Module version bump for firewalld updates from Laurent Bigonville.
+ Module version bump for collectd update from Jason Zaman.
+ Module version bumps for user runtime fixes from Jason Zaman.
+ Boinc updates from Russell Coker.
+ rpcbind: Read /sys/devices/system/cpu/online from Russell Coker.
+ watchdog: Move line.
+ Module version bump for watchdog pidfile option from Russell Coker.
+ Systemd units from Russell Coker.
+ Module version bump for pulseaudio fc fix from Jason Zaman.
+ cpucontrol: revise cpucontrol_conf_t labeling, from Guido Trentalancia.
+ Module version bumps for patches from Guido Trentalancia.
+ Update the telepathy module:
+ Update the alsa module so that the alsa_etc_t file context (previously
+ alsa_etc_rw_t) is widened to the whole alsa share directory, instead of
+ just a couple of files.
+ alsa: Add compatibility alias for alsa_etc_rw_t.
+ Update the sysnetwork module to add some permissions needed by the dhcp
+ client (another separate patch makes changes to the ifconfig part).
+ Module version bump for various patches from Guido Trentalancia.
+ pulseaudio: Fix compile errors.
+ Merge branch 'master' of
+ https://github.com/SeanPlacchetti/refpolicy-contrib
+ Module version bump for webalizer dead type removal from Sean Placchetti.
+ Module version bump for Evolution SSL fix from Guido Trentalancia.
+ evolution: Read user certs from Guido Trentalancia.
+ cups: Move can_exec() line.
+ cups: Module version bump for hplip patch from Guido Trentalancia
+ pulseaudio: Move interface definitions.
+ Module version bump for mozilla patch from Guido Trentalancia.
+ Module version bump for gnome patch from Guido Trentalancia.
+ Module version bump for evolution patch from Guido Trentalancia.
+ gpg: Whitespace fix.
+ Merge branch 'feature/fix-networkmanager-varrun-macro' of
+ https://github.com/rfkrocktk/refpolicy-contrib
+ Module version bump for networkmanager fix from Naftuli Tzvi Kay.
+ Merge branch 'rfkrocktk-feature/syncthing'
+ Rearrange lines in syncthing.
+ webalizer: Rearrange a couple lines.
+ Module version bump for webalizer patch from Russell Coker.
+ Bump module versions for release.
+
+Dominick Grift (18):
+ Module version bump for changes to the geoclue module by Laurent
+ Bigonville.
+ Module version bump for changes to various modules from Laurent
+ Bigonville.
+ geoclue: move kernel interface call to the appropriate position
+ Actually associate mailmain_domain attribute with mailman domains
+ Module version bumps for changes to various modules by Nicolas Iooss
+ Module version bump for changes to the cron module by Jason Zaman
+ Module version bump for changes to the redis module by Grant Ridder
+ Module version bump for changes to the raid module by Laurent Bigonville
+ Module version bump for changes to the networkmanager module by Laurent
+ Bigonville.
+ Module version bump for changes to the redis module by Grant Ridder.
+ Module version bump for changes to the mozilla module by Laurent
+ Bigonville.
+ Module version bump for changes to the geoclue module by Nicolas Iooss.
+ Add hwloc-dump-hwdata SELinux policy
+ Module version bump for changes to the varnishd module by Robert Moucha
+ Module version bump for changes to the puppet module by Thomas Mueller
+ Module version bump for changes to the varnishd module by Adam Tkac
+ Module version bump for changes to the certmonger module by Adam Tkac
+ Revert "dbus: allow system, and session bus clients to answer to dbus
+ unconfined domains"
+
+Grant Ridder (2):
+ Add read/write perms for redis-sentinel
+ Allow tcp_connect to redis_port_t for redis_t
+
+Guido Trentalancia (7):
+ Policykit module: add fs_getattr_xattr_fs()
+ Update the policy for module apm
+ Let gpg disable core dumps
+ Update the rtkit module
+ Update the pulseaudio module for usability and ORC support
+ cups: update permissions for HP printers (load firmware)
+ gpg: public key signature verification in evolution
+
+Guido Trentalancia via refpolicy (3):
+ evolution: read SSL certificates
+ mozilla: let mozilla play audio
+ gnome: add support for the OIL Runtime Compiler (ORC) optimized code
+ execution
+
+Jason Zaman (10):
+ cron: Allow locks to be lnk_files
+ collectd: update policy for 5.5
+ consolekit: allow managing user runtime
+ pulseaudio: fcontext and filetrans for runtime
+ ftp: Add filetrans from user_runtime
+ gnome: Add filetrans from user_runtime
+ mplayer: Add filetrans from user_runtime
+ userhelper: Add filetrans from user_runtime
+ wm: Add filetrans from user_runtime
+ pulseaudio: fix user runtime fcontext
+
+Laurent Bigonville (13):
+ Add initial geoclue 2 module
+ Properly escape dot in the path to the geoclue daemon
+ Use auth_use_nsswitch() as we need DNS resolving and access nsswitch.conf
+ virt.fc: Add some debian contexts
+ networkmanager.fc: nm-dispatcher.action has been renamed to nm-dispatcher
+ Allow some domain to read sysctl_vm_overcommit_t
+ Allow mdadm read efivarfs files
+ Allow /var/run/firewalld/ directory to transition to firewalld_var_run_t
+ Add an interface to allow a domain to read firewalld_var_run_t files
+ Allow firewalld to create firewalld_var_run_t directory.
+ dontaudit firewalld attempt to relabel its own config files
+ Allow NM to execute arping
+ Debian now ships firefox-esr, properly label the executable
+
+Luis Ressel (1):
+ New policy for tboot utilities
+
+Naftuli Tzvi Kay (2):
+ Fix NetworkManager Read Pid Files Macro
+ Syncthing Policy
+
+Nicolas Iooss (3):
+ Describe _initrc_domtrans interfaces differently from the _domtrans ones
+ Fix typos in several interfaces
+ Add Arch Linux path for geoclue module
+
+Robert Moucha (1):
+ Fix trivial typo in varnishncsa name
+
+Russell Coker (2):
+ watchdog reads pid files
+ named reads vm sysctls
+
+Russell Coker via refpolicy (1):
+ webalizer patch for inclusion
+
+Sean Placchetti (1):
+ -Remove unused declarations from webalizer type enforcement file
+
+Thomas Mueller (1):
+ Allow puppet_t transtition to shorewall_t
+
+doverride (3):
+ Merge pull request #8 from bigon/geoclue
+ Merge pull request #11 from bigon/overcommit-1
+ Merge pull request #12 from fishilico/typos
+
* Tue Dec 08 2015 Chris PeBenito <selinux@tresys.com> - 2.20151208
Alexander Wetzel (1):
add vfio support for libvirt
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-10-03 6:26 Jason Zaman
2016-10-03 6:20 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2016-10-03 6:26 UTC (permalink / raw
To: gentoo-commits
commit: 227d4173a648167242aef6f7243eda3788c88304
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Sep 11 13:01:55 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct 3 06:06:32 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=227d4173
pulseaudio: Move interface definitions.
policy/modules/contrib/pulseaudio.if | 76 ++++++++++++++++++------------------
1 file changed, 38 insertions(+), 38 deletions(-)
diff --git a/policy/modules/contrib/pulseaudio.if b/policy/modules/contrib/pulseaudio.if
index 11238f2..af0f950 100644
--- a/policy/modules/contrib/pulseaudio.if
+++ b/policy/modules/contrib/pulseaudio.if
@@ -146,6 +146,44 @@ interface(`pulseaudio_signull',`
allow $1 pulseaudio_t:process signull;
')
+########################################
+## <summary>
+## Use file descriptors for
+## pulseaudio.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_use_fds',`
+ gen_require(`
+ type pulseaudio_t;
+ ')
+
+ allow $1 pulseaudio_t:fd use;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to use the
+## file descriptors for pulseaudio.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_dontaudit_use_fds',`
+ gen_require(`
+ type pulseaudio_t;
+ ')
+
+ dontaudit $1 pulseaudio_t:fd use;
+')
+
#####################################
## <summary>
## Connect to pulseaudio with a unix
@@ -410,41 +448,3 @@ interface(`pulseaudio_rw_tmpfs_files',`
fs_search_tmpfs($1)
rw_files_pattern($1, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t)
')
-
-########################################
-## <summary>
-## Use file descriptors for
-## pulseaudio.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`pulseaudio_use_fds',`
- gen_require(`
- type pulseaudio_t;
- ')
-
- allow $1 pulseaudio_t:fd use;
-')
-
-########################################
-## <summary>
-## Do not audit attempts to use the
-## file descriptors for pulseaudio.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`pulseaudio_dontaudit_use_fds',`
- gen_require(`
- type pulseaudio_t;
- ')
-
- dontaudit $1 pulseaudio_t:fd use;
-')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2016-10-03 6:26 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
@ 2016-10-03 6:20 ` Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-10-03 6:20 UTC (permalink / raw
To: gentoo-commits
commit: 227d4173a648167242aef6f7243eda3788c88304
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Sep 11 13:01:55 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct 3 06:06:32 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=227d4173
pulseaudio: Move interface definitions.
policy/modules/contrib/pulseaudio.if | 76 ++++++++++++++++++------------------
1 file changed, 38 insertions(+), 38 deletions(-)
diff --git a/policy/modules/contrib/pulseaudio.if b/policy/modules/contrib/pulseaudio.if
index 11238f2..af0f950 100644
--- a/policy/modules/contrib/pulseaudio.if
+++ b/policy/modules/contrib/pulseaudio.if
@@ -146,6 +146,44 @@ interface(`pulseaudio_signull',`
allow $1 pulseaudio_t:process signull;
')
+########################################
+## <summary>
+## Use file descriptors for
+## pulseaudio.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_use_fds',`
+ gen_require(`
+ type pulseaudio_t;
+ ')
+
+ allow $1 pulseaudio_t:fd use;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to use the
+## file descriptors for pulseaudio.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_dontaudit_use_fds',`
+ gen_require(`
+ type pulseaudio_t;
+ ')
+
+ dontaudit $1 pulseaudio_t:fd use;
+')
+
#####################################
## <summary>
## Connect to pulseaudio with a unix
@@ -410,41 +448,3 @@ interface(`pulseaudio_rw_tmpfs_files',`
fs_search_tmpfs($1)
rw_files_pattern($1, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t)
')
-
-########################################
-## <summary>
-## Use file descriptors for
-## pulseaudio.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`pulseaudio_use_fds',`
- gen_require(`
- type pulseaudio_t;
- ')
-
- allow $1 pulseaudio_t:fd use;
-')
-
-########################################
-## <summary>
-## Do not audit attempts to use the
-## file descriptors for pulseaudio.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`pulseaudio_dontaudit_use_fds',`
- gen_require(`
- type pulseaudio_t;
- ')
-
- dontaudit $1 pulseaudio_t:fd use;
-')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-10-03 6:26 Jason Zaman
2016-10-03 6:20 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2016-10-03 6:26 UTC (permalink / raw
To: gentoo-commits
commit: c568bc4bfa98a347210c4ffd3a8aebe1a203d2d8
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Fri Sep 2 11:35:53 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct 3 06:13:33 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c568bc4b
gpg: public key signature verification in evolution
Let gpg verify public key signatures in the evolution mail client application.
It doesn't need write permissions on such files for signing/encrypting messages.
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/evolution.if | 21 +++++++++++++++++++++
policy/modules/contrib/gpg.te | 4 ++++
2 files changed, 25 insertions(+)
diff --git a/policy/modules/contrib/evolution.if b/policy/modules/contrib/evolution.if
index d9c17d2..7c21ba1 100644
--- a/policy/modules/contrib/evolution.if
+++ b/policy/modules/contrib/evolution.if
@@ -128,6 +128,27 @@ interface(`evolution_stream_connect',`
########################################
## <summary>
+## Read evolution orbit temporary
+## files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`evolution_read_orbit_tmp_files',`
+ gen_require(`
+ type evolution_orbit_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ read_files_pattern($1, evolution_orbit_tmp_t, evolution_orbit_tmp_t)
+')
+
+
+########################################
+## <summary>
## Send and receive messages from
## evolution over dbus.
## </summary>
diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index 072047d..0eedb45 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -147,6 +147,10 @@ tunable_policy(`use_samba_home_dirs',`
')
optional_policy(`
+ evolution_read_orbit_tmp_files(gpg_t)
+ ')
+
+optional_policy(`
gnome_read_generic_home_content(gpg_t)
gnome_stream_connect_all_gkeyringd(gpg_t)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2016-10-03 6:26 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
@ 2016-10-03 6:20 ` Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-10-03 6:20 UTC (permalink / raw
To: gentoo-commits
commit: c568bc4bfa98a347210c4ffd3a8aebe1a203d2d8
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Fri Sep 2 11:35:53 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct 3 06:13:33 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c568bc4b
gpg: public key signature verification in evolution
Let gpg verify public key signatures in the evolution mail client application.
It doesn't need write permissions on such files for signing/encrypting messages.
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/evolution.if | 21 +++++++++++++++++++++
policy/modules/contrib/gpg.te | 4 ++++
2 files changed, 25 insertions(+)
diff --git a/policy/modules/contrib/evolution.if b/policy/modules/contrib/evolution.if
index d9c17d2..7c21ba1 100644
--- a/policy/modules/contrib/evolution.if
+++ b/policy/modules/contrib/evolution.if
@@ -128,6 +128,27 @@ interface(`evolution_stream_connect',`
########################################
## <summary>
+## Read evolution orbit temporary
+## files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`evolution_read_orbit_tmp_files',`
+ gen_require(`
+ type evolution_orbit_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ read_files_pattern($1, evolution_orbit_tmp_t, evolution_orbit_tmp_t)
+')
+
+
+########################################
+## <summary>
## Send and receive messages from
## evolution over dbus.
## </summary>
diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index 072047d..0eedb45 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -147,6 +147,10 @@ tunable_policy(`use_samba_home_dirs',`
')
optional_policy(`
+ evolution_read_orbit_tmp_files(gpg_t)
+ ')
+
+optional_policy(`
gnome_read_generic_home_content(gpg_t)
gnome_stream_connect_all_gkeyringd(gpg_t)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-10-03 6:26 Jason Zaman
2016-10-03 6:20 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2016-10-03 6:26 UTC (permalink / raw
To: gentoo-commits
commit: b27815edef70f38fdcf432a880d1c9419981311f
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Mon Sep 19 22:30:51 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct 3 06:13:33 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b27815ed
Module version bump for gnome patch from Guido Trentalancia.
policy/modules/contrib/gnome.te | 2 +-
policy/modules/contrib/pulseaudio.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te
index 8c79849..c30e596 100644
--- a/policy/modules/contrib/gnome.te
+++ b/policy/modules/contrib/gnome.te
@@ -1,4 +1,4 @@
-policy_module(gnome, 2.5.1)
+policy_module(gnome, 2.5.2)
##############################
#
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index 7f30a72..72064a2 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -1,4 +1,4 @@
-policy_module(pulseaudio, 1.8.6)
+policy_module(pulseaudio, 1.8.7)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2016-10-03 6:26 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
@ 2016-10-03 6:20 ` Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-10-03 6:20 UTC (permalink / raw
To: gentoo-commits
commit: b27815edef70f38fdcf432a880d1c9419981311f
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Mon Sep 19 22:30:51 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct 3 06:13:33 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b27815ed
Module version bump for gnome patch from Guido Trentalancia.
policy/modules/contrib/gnome.te | 2 +-
policy/modules/contrib/pulseaudio.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te
index 8c79849..c30e596 100644
--- a/policy/modules/contrib/gnome.te
+++ b/policy/modules/contrib/gnome.te
@@ -1,4 +1,4 @@
-policy_module(gnome, 2.5.1)
+policy_module(gnome, 2.5.2)
##############################
#
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index 7f30a72..72064a2 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -1,4 +1,4 @@
-policy_module(pulseaudio, 1.8.6)
+policy_module(pulseaudio, 1.8.7)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-10-03 6:26 Jason Zaman
2016-10-03 6:20 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2016-10-03 6:26 UTC (permalink / raw
To: gentoo-commits
commit: abdacce1d5c0894bc44af2822d436ce670e68935
Author: Naftuli Tzvi Kay <rfkrocktk <AT> gmail <DOT> com>
AuthorDate: Tue Sep 27 20:40:57 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct 3 06:13:33 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=abdacce1
Fix NetworkManager Read Pid Files Macro
Bug found in pull #26 - permissions aren't granted for searching
the NetworkManager_var_run_t directory, only to reading its files.
policy/modules/contrib/networkmanager.if | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/networkmanager.if b/policy/modules/contrib/networkmanager.if
index 152dc57..10688d2 100644
--- a/policy/modules/contrib/networkmanager.if
+++ b/policy/modules/contrib/networkmanager.if
@@ -247,6 +247,7 @@ interface(`networkmanager_read_pid_files',`
')
files_search_pids($1)
+ allow $1 NetworkManager_var_run_t:dir search_dir_perms;
allow $1 NetworkManager_var_run_t:file read_file_perms;
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-10-03 6:26 Jason Zaman
2016-10-03 6:20 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2016-10-03 6:26 UTC (permalink / raw
To: gentoo-commits
commit: 18ddac2acc0a71975ba87e0683cc3846ed72bb9f
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Sep 10 15:28:14 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct 3 06:05:14 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=18ddac2a
cups: Move can_exec() line.
policy/modules/contrib/cups.te | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te
index 1b0dffa..245926b 100644
--- a/policy/modules/contrib/cups.te
+++ b/policy/modules/contrib/cups.te
@@ -633,6 +633,9 @@ allow hplip_t hplip_etc_t:dir list_dir_perms;
allow hplip_t hplip_etc_t:file read_file_perms;
allow hplip_t hplip_etc_t:lnk_file read_lnk_file_perms;
+# e.g. execute python script to load the firmware
+can_exec(hplip_t, hplip_exec_t)
+
manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
@@ -647,9 +650,6 @@ stream_connect_pattern(hplip_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
kernel_read_system_state(hplip_t)
kernel_read_kernel_sysctls(hplip_t)
-# e.g. execute python script to load the firmware
-can_exec(hplip_t, hplip_exec_t)
-
corenet_all_recvfrom_unlabeled(hplip_t)
corenet_all_recvfrom_netlabel(hplip_t)
corenet_tcp_sendrecv_generic_if(hplip_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2016-10-03 6:26 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
@ 2016-10-03 6:20 ` Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-10-03 6:20 UTC (permalink / raw
To: gentoo-commits
commit: 18ddac2acc0a71975ba87e0683cc3846ed72bb9f
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Sep 10 15:28:14 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct 3 06:05:14 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=18ddac2a
cups: Move can_exec() line.
policy/modules/contrib/cups.te | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te
index 1b0dffa..245926b 100644
--- a/policy/modules/contrib/cups.te
+++ b/policy/modules/contrib/cups.te
@@ -633,6 +633,9 @@ allow hplip_t hplip_etc_t:dir list_dir_perms;
allow hplip_t hplip_etc_t:file read_file_perms;
allow hplip_t hplip_etc_t:lnk_file read_lnk_file_perms;
+# e.g. execute python script to load the firmware
+can_exec(hplip_t, hplip_exec_t)
+
manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
@@ -647,9 +650,6 @@ stream_connect_pattern(hplip_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
kernel_read_system_state(hplip_t)
kernel_read_kernel_sysctls(hplip_t)
-# e.g. execute python script to load the firmware
-can_exec(hplip_t, hplip_exec_t)
-
corenet_all_recvfrom_unlabeled(hplip_t)
corenet_all_recvfrom_netlabel(hplip_t)
corenet_tcp_sendrecv_generic_if(hplip_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-10-03 6:26 Jason Zaman
2016-10-03 6:20 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2016-10-03 6:26 UTC (permalink / raw
To: gentoo-commits
commit: 31afb6134c5d0dca49042de96801d28601a905d3
Author: Guido Trentalancia via refpolicy <refpolicy <AT> oss <DOT> tresys <DOT> com>
AuthorDate: Sat Sep 10 16:26:46 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct 3 06:06:32 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=31afb613
mozilla: let mozilla play audio
Let mozilla play audio:
- add new interfaces to the pulseaudio module;
- let mozilla read alsa configuration files;
- add further permissions to mozilla needed to use
pulseaudio to play audio.
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/mozilla.te | 9 +++++
policy/modules/contrib/pulseaudio.if | 77 ++++++++++++++++++++++++++++++++++++
2 files changed, 86 insertions(+)
diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
index cd1aea3..ca45f5c 100644
--- a/policy/modules/contrib/mozilla.te
+++ b/policy/modules/contrib/mozilla.te
@@ -217,6 +217,11 @@ tunable_policy(`use_samba_home_dirs',`
')
optional_policy(`
+ alsa_read_config(mozilla_t)
+ alsa_read_home_files(mozilla_t)
+')
+
+optional_policy(`
apache_read_user_scripts(mozilla_t)
apache_read_user_content(mozilla_t)
')
@@ -269,6 +274,8 @@ optional_policy(`
optional_policy(`
pulseaudio_run(mozilla_t, mozilla_roles)
+ pulseaudio_rw_tmpfs_files(mozilla_t)
+ pulseaudio_use_fds(mozilla_t)
')
optional_policy(`
@@ -493,6 +500,8 @@ optional_policy(`
optional_policy(`
pulseaudio_run(mozilla_plugin_t, mozilla_plugin_roles)
+ pulseaudio_rw_tmpfs_files(mozilla_plugin_t)
+ pulseaudio_use_fds(mozilla_plugin_t)
')
optional_policy(`
diff --git a/policy/modules/contrib/pulseaudio.if b/policy/modules/contrib/pulseaudio.if
index f057680..11238f2 100644
--- a/policy/modules/contrib/pulseaudio.if
+++ b/policy/modules/contrib/pulseaudio.if
@@ -371,3 +371,80 @@ interface(`pulseaudio_client_domain',`
pulseaudio_domtrans($1)
pulseaudio_tmpfs_content($2)
')
+
+#######################################
+## <summary>
+## Read pulseaudio tmpfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_read_tmpfs_files',`
+ gen_require(`
+ type pulseaudio_tmpfs_t;
+ ')
+
+ fs_search_tmpfs($1)
+ read_files_pattern($1, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t)
+')
+
+#######################################
+## <summary>
+## Read and write pulseaudio tmpfs
+## files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_rw_tmpfs_files',`
+ gen_require(`
+ type pulseaudio_tmpfs_t;
+ ')
+
+ fs_search_tmpfs($1)
+ rw_files_pattern($1, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t)
+')
+
+########################################
+## <summary>
+## Use file descriptors for
+## pulseaudio.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_use_fds',`
+ gen_require(`
+ type pulseaudio_t;
+ ')
+
+ allow $1 pulseaudio_t:fd use;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to use the
+## file descriptors for pulseaudio.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_dontaudit_use_fds',`
+ gen_require(`
+ type pulseaudio_t;
+ ')
+
+ dontaudit $1 pulseaudio_t:fd use;
+')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2016-10-03 6:26 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
@ 2016-10-03 6:20 ` Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-10-03 6:20 UTC (permalink / raw
To: gentoo-commits
commit: 31afb6134c5d0dca49042de96801d28601a905d3
Author: Guido Trentalancia via refpolicy <refpolicy <AT> oss <DOT> tresys <DOT> com>
AuthorDate: Sat Sep 10 16:26:46 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct 3 06:06:32 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=31afb613
mozilla: let mozilla play audio
Let mozilla play audio:
- add new interfaces to the pulseaudio module;
- let mozilla read alsa configuration files;
- add further permissions to mozilla needed to use
pulseaudio to play audio.
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/mozilla.te | 9 +++++
policy/modules/contrib/pulseaudio.if | 77 ++++++++++++++++++++++++++++++++++++
2 files changed, 86 insertions(+)
diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
index cd1aea3..ca45f5c 100644
--- a/policy/modules/contrib/mozilla.te
+++ b/policy/modules/contrib/mozilla.te
@@ -217,6 +217,11 @@ tunable_policy(`use_samba_home_dirs',`
')
optional_policy(`
+ alsa_read_config(mozilla_t)
+ alsa_read_home_files(mozilla_t)
+')
+
+optional_policy(`
apache_read_user_scripts(mozilla_t)
apache_read_user_content(mozilla_t)
')
@@ -269,6 +274,8 @@ optional_policy(`
optional_policy(`
pulseaudio_run(mozilla_t, mozilla_roles)
+ pulseaudio_rw_tmpfs_files(mozilla_t)
+ pulseaudio_use_fds(mozilla_t)
')
optional_policy(`
@@ -493,6 +500,8 @@ optional_policy(`
optional_policy(`
pulseaudio_run(mozilla_plugin_t, mozilla_plugin_roles)
+ pulseaudio_rw_tmpfs_files(mozilla_plugin_t)
+ pulseaudio_use_fds(mozilla_plugin_t)
')
optional_policy(`
diff --git a/policy/modules/contrib/pulseaudio.if b/policy/modules/contrib/pulseaudio.if
index f057680..11238f2 100644
--- a/policy/modules/contrib/pulseaudio.if
+++ b/policy/modules/contrib/pulseaudio.if
@@ -371,3 +371,80 @@ interface(`pulseaudio_client_domain',`
pulseaudio_domtrans($1)
pulseaudio_tmpfs_content($2)
')
+
+#######################################
+## <summary>
+## Read pulseaudio tmpfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_read_tmpfs_files',`
+ gen_require(`
+ type pulseaudio_tmpfs_t;
+ ')
+
+ fs_search_tmpfs($1)
+ read_files_pattern($1, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t)
+')
+
+#######################################
+## <summary>
+## Read and write pulseaudio tmpfs
+## files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_rw_tmpfs_files',`
+ gen_require(`
+ type pulseaudio_tmpfs_t;
+ ')
+
+ fs_search_tmpfs($1)
+ rw_files_pattern($1, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t)
+')
+
+########################################
+## <summary>
+## Use file descriptors for
+## pulseaudio.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_use_fds',`
+ gen_require(`
+ type pulseaudio_t;
+ ')
+
+ allow $1 pulseaudio_t:fd use;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to use the
+## file descriptors for pulseaudio.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_dontaudit_use_fds',`
+ gen_require(`
+ type pulseaudio_t;
+ ')
+
+ dontaudit $1 pulseaudio_t:fd use;
+')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-10-03 6:26 Jason Zaman
2016-10-03 6:20 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2016-10-03 6:26 UTC (permalink / raw
To: gentoo-commits
commit: 71beba0776f9e6a4ad9d4f02b9cdaa793622fc31
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Tue Sep 27 22:45:34 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct 3 06:13:33 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=71beba07
Module version bump for networkmanager fix from Naftuli Tzvi Kay.
policy/modules/contrib/networkmanager.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index 1ae3fde..45bbc02 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -1,4 +1,4 @@
-policy_module(networkmanager, 1.18.3)
+policy_module(networkmanager, 1.18.4)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-10-03 6:26 Jason Zaman
2016-10-03 6:20 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2016-10-03 6:26 UTC (permalink / raw
To: gentoo-commits
commit: cb341f0bcb4701f28a7a4ee0e452240e86bd9941
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Tue Sep 27 22:31:13 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct 3 06:13:33 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cb341f0b
gpg: Whitespace fix.
policy/modules/contrib/gpg.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index 4d200ff..f76aed4 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -148,7 +148,7 @@ tunable_policy(`use_samba_home_dirs',`
optional_policy(`
evolution_read_orbit_tmp_files(gpg_t)
- ')
+')
optional_policy(`
gnome_read_generic_home_content(gpg_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-10-03 6:26 Jason Zaman
2016-10-03 6:20 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2016-10-03 6:26 UTC (permalink / raw
To: gentoo-commits
commit: a3cfff743285e946ebafb7bc1c2c9a5cdb4aa039
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Thu Sep 1 23:36:29 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct 3 06:05:14 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a3cfff74
Module version bump for Evolution SSL fix from Guido Trentalancia.
policy/modules/contrib/evolution.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/evolution.te b/policy/modules/contrib/evolution.te
index 28d619c..55ee470 100644
--- a/policy/modules/contrib/evolution.te
+++ b/policy/modules/contrib/evolution.te
@@ -1,4 +1,4 @@
-policy_module(evolution, 2.4.0)
+policy_module(evolution, 2.4.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-10-03 6:20 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-10-03 6:20 UTC (permalink / raw
To: gentoo-commits
commit: d2251e5d5b63f988488a732febefa2cd115da04c
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Tue Sep 27 22:24:08 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct 3 06:13:33 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d2251e5d
Module version bump for evolution patch from Guido Trentalancia.
policy/modules/contrib/evolution.te | 2 +-
policy/modules/contrib/gpg.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/evolution.te b/policy/modules/contrib/evolution.te
index a3cf532..1580c95 100644
--- a/policy/modules/contrib/evolution.te
+++ b/policy/modules/contrib/evolution.te
@@ -1,4 +1,4 @@
-policy_module(evolution, 2.4.2)
+policy_module(evolution, 2.4.3)
########################################
#
diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index 0eedb45..4d200ff 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -1,4 +1,4 @@
-policy_module(gpg, 2.9.1)
+policy_module(gpg, 2.9.2)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-10-03 6:20 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-10-03 6:20 UTC (permalink / raw
To: gentoo-commits
commit: ee7d0d58ccbabc7af9e2a2f7ca7ba276d1884292
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Sep 11 13:02:28 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct 3 06:06:32 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ee7d0d58
Module version bump for mozilla patch from Guido Trentalancia.
policy/modules/contrib/mozilla.te | 2 +-
policy/modules/contrib/pulseaudio.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
index ca45f5c..42fb9bf 100644
--- a/policy/modules/contrib/mozilla.te
+++ b/policy/modules/contrib/mozilla.te
@@ -1,4 +1,4 @@
-policy_module(mozilla, 2.9.2)
+policy_module(mozilla, 2.9.3)
########################################
#
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index 4be64ec..214e9c6 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -1,4 +1,4 @@
-policy_module(pulseaudio, 1.8.5)
+policy_module(pulseaudio, 1.8.6)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-10-03 6:20 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-10-03 6:20 UTC (permalink / raw
To: gentoo-commits
commit: d08361ee81045093ab652fa49234e465b730a8f3
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Sep 10 15:43:08 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct 3 06:05:14 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d08361ee
cups: Module version bump for hplip patch from Guido Trentalancia
policy/modules/contrib/cups.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te
index 245926b..1d6fd86 100644
--- a/policy/modules/contrib/cups.te
+++ b/policy/modules/contrib/cups.te
@@ -1,4 +1,4 @@
-policy_module(cups, 1.19.1)
+policy_module(cups, 1.19.2)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-10-03 6:20 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-10-03 6:20 UTC (permalink / raw
To: gentoo-commits
commit: ad72efd64eb17bf500c13b58120437b3dacc4aab
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Thu Sep 8 23:15:11 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct 3 06:05:14 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ad72efd6
evolution: Read user certs from Guido Trentalancia.
policy/modules/contrib/evolution.te | 25 ++++++++++++++++++++++++-
1 file changed, 24 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/evolution.te b/policy/modules/contrib/evolution.te
index 55ee470..a3cf532 100644
--- a/policy/modules/contrib/evolution.te
+++ b/policy/modules/contrib/evolution.te
@@ -1,10 +1,19 @@
-policy_module(evolution, 2.4.1)
+policy_module(evolution, 2.4.2)
########################################
#
# Declarations
#
+## <desc>
+## <p>
+## Allow evolution to create and write
+## user certificates in addition to
+## being able to read them
+## </p>
+## </desc>
+gen_tunable(evolution_manage_user_certs, false)
+
attribute_role evolution_roles;
type evolution_t;
@@ -185,6 +194,13 @@ udev_read_state(evolution_t)
userdom_use_user_terminals(evolution_t)
+tunable_policy(`evolution_manage_user_certs',`
+ userdom_manage_user_certs(evolution_t)
+',`
+ userdom_dontaudit_manage_user_certs(evolution_t)
+ userdom_read_user_certs(evolution_t)
+')
+
userdom_manage_user_tmp_dirs(evolution_t)
userdom_manage_user_tmp_files(evolution_t)
@@ -437,6 +453,13 @@ miscfiles_read_generic_certs(evolution_server_t)
userdom_dontaudit_read_user_home_content_files(evolution_server_t)
+tunable_policy(`evolution_manage_user_certs',`
+ userdom_manage_user_certs(evolution_server_t)
+',`
+ userdom_dontaudit_manage_user_certs(evolution_server_t)
+ userdom_read_user_certs(evolution_server_t)
+')
+
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(evolution_server_t)
fs_manage_nfs_files(evolution_server_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-10-03 6:20 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-10-03 6:20 UTC (permalink / raw
To: gentoo-commits
commit: 53fc0ccf1852accb94ea5e13e45ffd69224f4e2f
Author: Guido Trentalancia via refpolicy <refpolicy <AT> oss <DOT> tresys <DOT> com>
AuthorDate: Thu Sep 1 17:25:08 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct 3 06:05:14 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=53fc0ccf
evolution: read SSL certificates
Update the evolution modules so that:
- it is able to read SSL certificates (e.g. for server authentication);
- it is able to read the random number generator device;
- it doesn't audit attempts to get the attributes of
extended attributes filesystems.
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/evolution.te | 3 +++
1 file changed, 3 insertions(+)
diff --git a/policy/modules/contrib/evolution.te b/policy/modules/contrib/evolution.te
index c99e07c..28d619c 100644
--- a/policy/modules/contrib/evolution.te
+++ b/policy/modules/contrib/evolution.te
@@ -164,18 +164,21 @@ corenet_tcp_connect_ldap_port(evolution_t)
corenet_sendrecv_ipp_client_packets(evolution_t)
corenet_tcp_connect_ipp_port(evolution_t)
+dev_read_rand(evolution_t)
dev_read_urand(evolution_t)
domain_dontaudit_read_all_domains_state(evolution_t)
files_read_usr_files(evolution_t)
+fs_dontaudit_getattr_xattr_fs(evolution_t)
fs_search_auto_mountpoints(evolution_t)
auth_use_nsswitch(evolution_t)
logging_send_syslog_msg(evolution_t)
+miscfiles_read_generic_certs(evolution_t)
miscfiles_read_localization(evolution_t)
udev_read_state(evolution_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-10-03 6:20 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-10-03 6:20 UTC (permalink / raw
To: gentoo-commits
commit: 756d18c85f9a8e62ab510f6ab7026944ed028d3b
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Fri Sep 9 12:11:16 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct 3 06:05:14 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=756d18c8
cups: update permissions for HP printers (load firmware)
Update the cups module with some permissions needed to run HP
printers (in particular to be able to load firmware on those
printers that need it every time they are connected).
The permission to execute shell scripts has been removed in
this new version, as this is not required.
Compared to previous versions, this new version creates a
specific hplip pty (as suggested by Christopher PeBenito).
Here is the list of printers that require firmware loading:
HP LaserJet 1000
HP LaserJet 1005 series
HP LaserJet 1018
HP LaserJet 1020
HP LaserJet p1005
HP LaserJet p1006
HP LaserJet p1007
HP LaserJet p1008
HP LaserJet p1009
HP LaserJet p1505
HP LaserJet Professional p1102
HP LaserJet Professional p1102w
HP LaserJet Professional p1566
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/cups.te | 27 +++++++++++++++++++++++----
1 file changed, 23 insertions(+), 4 deletions(-)
diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te
index 6fd2ee5..1b0dffa 100644
--- a/policy/modules/contrib/cups.te
+++ b/policy/modules/contrib/cups.te
@@ -71,6 +71,9 @@ type hplip_exec_t;
init_daemon_domain(hplip_t, hplip_exec_t)
cups_backend(hplip_t, hplip_exec_t)
+type hplip_devpts_t;
+term_pty(hplip_devpts_t)
+
type hplip_etc_t;
files_config_file(hplip_etc_t)
@@ -157,6 +160,10 @@ read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
allow cupsd_t hplip_var_run_t:file read_file_perms;
+# hpcups
+read_files_pattern(cupsd_t, hplip_var_lib_t, hplip_var_lib_t)
+read_lnk_files_pattern(cupsd_t, hplip_var_lib_t, hplip_var_lib_t)
+
stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
@@ -300,6 +307,10 @@ optional_policy(`
')
optional_policy(`
+ init_dbus_chat_script(cupsd_t)
+')
+
+optional_policy(`
kerberos_manage_host_rcache(cupsd_t)
kerberos_tmp_filetrans_host_rcache(cupsd_t, file, "host_0")
')
@@ -426,6 +437,8 @@ miscfiles_read_hwdata(cupsd_config_t)
seutil_dontaudit_search_config(cupsd_config_t)
+term_use_generic_ptys(cupsd_config_t)
+
userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
userdom_read_all_users_state(cupsd_config_t)
@@ -433,10 +446,6 @@ userdom_read_user_tmp_symlinks(cupsd_config_t)
userdom_rw_user_tmp_files(cupsd_config_t)
optional_policy(`
- term_use_generic_ptys(cupsd_config_t)
-')
-
-optional_policy(`
cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
')
@@ -608,9 +617,12 @@ allow hplip_t self:capability { dac_override dac_read_search net_raw };
dontaudit hplip_t self:capability sys_tty_config;
allow hplip_t self:fifo_file rw_fifo_file_perms;
allow hplip_t self:process signal_perms;
+allow hplip_t self:netlink_kobject_uevent_socket create_socket_perms;
allow hplip_t self:tcp_socket { accept listen };
allow hplip_t self:rawip_socket create_socket_perms;
+allow hplip_t hplip_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
+
allow hplip_t cupsd_etc_t:dir search_dir_perms;
manage_dirs_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t)
@@ -635,6 +647,9 @@ stream_connect_pattern(hplip_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
kernel_read_system_state(hplip_t)
kernel_read_kernel_sysctls(hplip_t)
+# e.g. execute python script to load the firmware
+can_exec(hplip_t, hplip_exec_t)
+
corenet_all_recvfrom_unlabeled(hplip_t)
corenet_all_recvfrom_netlabel(hplip_t)
corenet_tcp_sendrecv_generic_if(hplip_t)
@@ -684,6 +699,10 @@ miscfiles_read_localization(hplip_t)
sysnet_dns_name_resolve(hplip_t)
+term_create_pty(hplip_t, hplip_devpts_t)
+term_use_generic_ptys(hplip_t)
+term_use_ptmx(hplip_t)
+
userdom_dontaudit_use_unpriv_user_fds(hplip_t)
userdom_dontaudit_search_user_home_dirs(hplip_t)
userdom_dontaudit_search_user_home_content(hplip_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-10-03 6:20 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-10-03 6:20 UTC (permalink / raw
To: gentoo-commits
commit: fa460d674228cdbe2e16cd33b5b5d83c85e72008
Author: Guido Trentalancia via refpolicy <refpolicy <AT> oss <DOT> tresys <DOT> com>
AuthorDate: Mon Sep 19 11:15:44 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct 3 06:13:33 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fa460d67
gnome: add support for the OIL Runtime Compiler (ORC) optimized code execution
Add a new gstreamer_orcexec_t type and file context to the gnome
module in order to support the OIL Runtime Compiler (ORC) optimized
code execution (used for example by pulseaudio).
Add optional policy to the pulseaudio module to support the ORC
optimized code execution.
This patch has been anticipated a few weeks ago as part of a
larger gnome patch. It has now been split as a smaller patch,
as required.
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/gnome.fc | 4 ++
policy/modules/contrib/gnome.if | 98 ++++++++++++++++++++++++++++++++++++
policy/modules/contrib/gnome.te | 3 ++
policy/modules/contrib/pulseaudio.te | 6 +++
4 files changed, 111 insertions(+)
diff --git a/policy/modules/contrib/gnome.fc b/policy/modules/contrib/gnome.fc
index 31d8c6c..ce12193 100644
--- a/policy/modules/contrib/gnome.fc
+++ b/policy/modules/contrib/gnome.fc
@@ -7,6 +7,8 @@ HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gnome_keyring_home_t,s0)
HOME_DIR/\.gnome2_private(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/orcexec\..* gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
+
/etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0)
/tmp/gconfd-USER/.* -- gen_context(system_u:object_r:gconf_tmp_t,s0)
@@ -16,6 +18,8 @@ HOME_DIR/\.gnome2_private(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
/usr/lib/[^/]*/gconf/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
+/var/run/user/[^/]*/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
+/var/run/user/%{USERID}/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
ifdef(`distro_gentoo',`
HOME_DIR/\.config/dconf(/.*)? gen_context(system_u:object_r:gnome_xdg_config_home_t,s0)
diff --git a/policy/modules/contrib/gnome.if b/policy/modules/contrib/gnome.if
index cad0e95..190fa16 100644
--- a/policy/modules/contrib/gnome.if
+++ b/policy/modules/contrib/gnome.if
@@ -610,6 +610,66 @@ interface(`gnome_gconf_home_filetrans',`
########################################
## <summary>
+## Create objects in user home
+## directories with the gstreamer
+## orcexec type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`gnome_user_home_dir_filetrans_gstreamer_orcexec',`
+ gen_require(`
+ type gstreamer_orcexec_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, gstreamer_orcexec_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Create objects in the user
+## runtime directories with the
+## gstreamer orcexec type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`gnome_user_runtime_filetrans_gstreamer_orcexec',`
+ gen_require(`
+ type gstreamer_orcexec_t;
+ ')
+
+ userdom_user_runtime_filetrans($1, gstreamer_orcexec_t, $2, $3)
+')
+
+########################################
+## <summary>
## Read generic gnome keyring home files.
## </summary>
## <param name="domain">
@@ -764,3 +824,41 @@ interface(`gnome_dbus_chat_gconfd',`
allow $1 gconfd_t:dbus send_msg;
allow gconfd_t $1:dbus send_msg;
')
+
+########################################
+## <summary>
+## Manage gstreamer ORC optimized
+## code.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_manage_gstreamer_orcexec',`
+ gen_require(`
+ type gstreamer_orcexec_t;
+ ')
+
+ allow $1 gstreamer_orcexec_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+## Mmap gstreamer ORC optimized
+## code.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_mmap_gstreamer_orcexec',`
+ gen_require(`
+ type gstreamer_orcexec_t;
+ ')
+
+ allow $1 gstreamer_orcexec_t:file mmap_file_perms;
+')
diff --git a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te
index dd6ac04..8c79849 100644
--- a/policy/modules/contrib/gnome.te
+++ b/policy/modules/contrib/gnome.te
@@ -46,6 +46,9 @@ userdom_user_home_content(gnome_keyring_home_t)
type gnome_keyring_tmp_t;
userdom_user_tmp_file(gnome_keyring_tmp_t)
+type gstreamer_orcexec_t;
+application_executable_file(gstreamer_orcexec_t)
+
##############################
#
# Common local Policy
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index 214e9c6..7f30a72 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -193,6 +193,12 @@ optional_policy(`
optional_policy(`
gnome_stream_connect_gconf(pulseaudio_t)
+
+ # OIL Runtime Compiler (ORC) optimized code execution
+ gnome_manage_gstreamer_orcexec(pulseaudio_t)
+ gnome_mmap_gstreamer_orcexec(pulseaudio_t)
+ gnome_user_runtime_filetrans_gstreamer_orcexec(pulseaudio_t, file)
+ gnome_user_home_dir_filetrans_gstreamer_orcexec(pulseaudio_t, file)
')
optional_policy(`
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-08-31 16:38 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-08-31 16:38 UTC (permalink / raw
To: gentoo-commits
commit: dc06a3ac8e1e7043065f5e48d459f9f42640e790
Author: Sean Placchetti <Sean.P.Placchetti <AT> gmail <DOT> com>
AuthorDate: Sun Aug 21 02:14:20 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Aug 31 16:06:19 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=dc06a3ac
-Remove unused declarations from webalizer type enforcement file
policy/modules/contrib/webalizer.te | 6 ------
1 file changed, 6 deletions(-)
diff --git a/policy/modules/contrib/webalizer.te b/policy/modules/contrib/webalizer.te
index ae919b9..6074b57 100644
--- a/policy/modules/contrib/webalizer.te
+++ b/policy/modules/contrib/webalizer.te
@@ -16,18 +16,12 @@ role webalizer_roles types webalizer_t;
type webalizer_etc_t;
files_config_file(webalizer_etc_t)
-type webalizer_usage_t;
-files_type(webalizer_usage_t)
-
type webalizer_tmp_t;
files_tmp_file(webalizer_tmp_t)
type webalizer_var_lib_t;
files_type(webalizer_var_lib_t)
-type webalizer_write_t;
-files_type(webalizer_write_t)
-
########################################
#
# Local policy
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-08-31 16:38 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-08-31 16:38 UTC (permalink / raw
To: gentoo-commits
commit: a4b11e6f0296a059183a761a6fa32c875976fb36
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Tue Aug 23 23:23:33 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Aug 31 16:06:19 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a4b11e6f
Module version bump for webalizer dead type removal from Sean Placchetti.
policy/modules/contrib/webalizer.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/webalizer.te b/policy/modules/contrib/webalizer.te
index 6074b57..99bef4a 100644
--- a/policy/modules/contrib/webalizer.te
+++ b/policy/modules/contrib/webalizer.te
@@ -1,4 +1,4 @@
-policy_module(webalizer, 1.13.0)
+policy_module(webalizer, 1.13.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-08-31 16:38 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-08-31 16:38 UTC (permalink / raw
To: gentoo-commits
commit: 832dbf1a63d2a601396a302297e497109561ca8d
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Aug 17 17:05:06 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Aug 17 17:05:06 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=832dbf1a
ntp: fcontext for ntpctl
ntpctl is hardlinked to ntpd and causes a labelling conflict randomly.
Set the fcontext on both to be the same so there are no issues.
policy/modules/contrib/ntp.fc | 3 +++
1 file changed, 3 insertions(+)
diff --git a/policy/modules/contrib/ntp.fc b/policy/modules/contrib/ntp.fc
index 01ae073..96f03d8 100644
--- a/policy/modules/contrib/ntp.fc
+++ b/policy/modules/contrib/ntp.fc
@@ -33,4 +33,7 @@
ifdef(`distro_gentoo',`
/usr/bin/sntp -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
/var/lib/openntpd/ntpd.drift -- gen_context(system_u:object_r:ntp_drift_t,s0)
+
+# hardlinked to ntpd
+/usr/sbin/ntpctl -- gen_context(system_u:object_r:ntpd_exec_t,s0)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-08-17 16:59 Jason Zaman
2016-08-17 16:59 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2016-08-17 16:59 UTC (permalink / raw
To: gentoo-commits
commit: 836b8ae8f3e978659e15e206b72958bbc680a28b
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Aug 14 18:11:09 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Aug 17 16:42:19 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=836b8ae8
Update the telepathy module:
- add an interface to support chat over dbus in the mission
control domain;
- add support for dbus chat in the mission control domain for
the telepathy role.
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/telepathy.if | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)
diff --git a/policy/modules/contrib/telepathy.if b/policy/modules/contrib/telepathy.if
index 0d58469..b9a5b8a 100644
--- a/policy/modules/contrib/telepathy.if
+++ b/policy/modules/contrib/telepathy.if
@@ -114,6 +114,8 @@ template(`telepathy_role_template',`
allow $3 telepathy_tmp_content:dir { manage_dir_perms relabel_dir_perms };
allow $3 telepathy_tmp_content:file { manage_file_perms relabel_file_perms };
allow $3 telepathy_tmp_content:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+
+ telepathy_mission_control_dbus_chat($3)
')
########################################
@@ -159,6 +161,27 @@ interface(`telepathy_gabble_dbus_chat',`
########################################
## <summary>
+## Send dbus messages to and from
+## mission control.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`telepathy_mission_control_dbus_chat',`
+ gen_require(`
+ type telepathy_mission_control_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 telepathy_mission_control_t:dbus send_msg;
+ allow telepathy_mission_control_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
## Read mission control process state files.
## </summary>
## <param name="domain">
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2016-08-17 16:59 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
@ 2016-08-17 16:59 ` Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-08-17 16:59 UTC (permalink / raw
To: gentoo-commits
commit: 836b8ae8f3e978659e15e206b72958bbc680a28b
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Aug 14 18:11:09 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Aug 17 16:42:19 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=836b8ae8
Update the telepathy module:
- add an interface to support chat over dbus in the mission
control domain;
- add support for dbus chat in the mission control domain for
the telepathy role.
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/telepathy.if | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)
diff --git a/policy/modules/contrib/telepathy.if b/policy/modules/contrib/telepathy.if
index 0d58469..b9a5b8a 100644
--- a/policy/modules/contrib/telepathy.if
+++ b/policy/modules/contrib/telepathy.if
@@ -114,6 +114,8 @@ template(`telepathy_role_template',`
allow $3 telepathy_tmp_content:dir { manage_dir_perms relabel_dir_perms };
allow $3 telepathy_tmp_content:file { manage_file_perms relabel_file_perms };
allow $3 telepathy_tmp_content:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+
+ telepathy_mission_control_dbus_chat($3)
')
########################################
@@ -159,6 +161,27 @@ interface(`telepathy_gabble_dbus_chat',`
########################################
## <summary>
+## Send dbus messages to and from
+## mission control.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`telepathy_mission_control_dbus_chat',`
+ gen_require(`
+ type telepathy_mission_control_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 telepathy_mission_control_t:dbus send_msg;
+ allow telepathy_mission_control_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
## Read mission control process state files.
## </summary>
## <param name="domain">
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-08-17 16:59 Jason Zaman
2016-08-17 16:59 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2016-08-17 16:59 UTC (permalink / raw
To: gentoo-commits
commit: 3101fc57262e91f9e5f57a89493a32197c1ebc81
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Sat Aug 13 15:16:10 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Aug 17 16:46:55 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3101fc57
Update the pulseaudio module for usability and ORC support
Update the pulseaudio module so that it is usable (tested with
latest version pulseaudio 9.0).
This patch depends on a recent patch to update the gnome module.
Support for the OIL Runtime Compiler (OIL) optimized code
execution is added to the pulseaudio module by using a few
newly created interfaces and file contexts in the gnome
module.
Supports the execmem permission only through a boolean which
defaults to false.
Thanks to Dominick Grift for the useful suggestions that
permitted to create this new improved version of the patch.
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/pulseaudio.fc | 1 +
policy/modules/contrib/pulseaudio.if | 1 +
policy/modules/contrib/pulseaudio.te | 34 ++++++++++++++++++++++++++++++----
3 files changed, 32 insertions(+), 4 deletions(-)
diff --git a/policy/modules/contrib/pulseaudio.fc b/policy/modules/contrib/pulseaudio.fc
index e005030..19ade57 100644
--- a/policy/modules/contrib/pulseaudio.fc
+++ b/policy/modules/contrib/pulseaudio.fc
@@ -1,6 +1,7 @@
HOME_DIR/\.esd_auth -- gen_context(system_u:object_r:pulseaudio_home_t,s0)
HOME_DIR/\.pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0)
HOME_DIR/\.pulse-cookie -- gen_context(system_u:object_r:pulseaudio_home_t,s0)
+HOME_DIR/\.config/pulse(/.*)? -- gen_context(system_u:object_r:pulseaudio_home_t,s0)
/usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0)
diff --git a/policy/modules/contrib/pulseaudio.if b/policy/modules/contrib/pulseaudio.if
index ce863b0..f057680 100644
--- a/policy/modules/contrib/pulseaudio.if
+++ b/policy/modules/contrib/pulseaudio.if
@@ -25,6 +25,7 @@ interface(`pulseaudio_role',`
pulseaudio_run($2, $1)
allow $2 pulseaudio_t:process { ptrace signal_perms };
+ allow $2 pulseaudio_t:fd use;
ps_process_pattern($2, pulseaudio_t)
allow $2 pulseaudio_home_t:dir { manage_dir_perms relabel_dir_perms };
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index e7511a8..134866e 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -5,6 +5,14 @@ policy_module(pulseaudio, 1.8.3)
# Declarations
#
+## <desc>
+## <p>
+## Allow pulseaudio to execute code in
+## writable memory
+## </p>
+## </desc>
+gen_tunable(pulseaudio_execmem, false)
+
attribute pulseaudio_client;
attribute pulseaudio_tmpfsfile;
@@ -37,7 +45,8 @@ files_pid_file(pulseaudio_var_run_t)
#
allow pulseaudio_t self:capability { fowner fsetid chown setgid setuid sys_nice sys_resource sys_tty_config };
-allow pulseaudio_t self:process { getcap setcap setrlimit setsched getsched signal signull };
+allow pulseaudio_t self:process { getcap getsched setcap setrlimit setsched signal signull };
+
allow pulseaudio_t self:fifo_file rw_fifo_file_perms;
allow pulseaudio_t self:unix_stream_socket { accept connectto listen };
allow pulseaudio_t self:unix_dgram_socket sendto;
@@ -129,9 +138,15 @@ logging_send_syslog_msg(pulseaudio_t)
miscfiles_read_localization(pulseaudio_t)
userdom_read_user_tmpfs_files(pulseaudio_t)
-
+userdom_delete_user_tmpfs_files(pulseaudio_t)
userdom_search_user_home_dirs(pulseaudio_t)
-userdom_write_user_tmp_sockets(pulseaudio_t)
+userdom_search_user_home_content(pulseaudio_t)
+
+userdom_manage_user_tmp_sockets(pulseaudio_t)
+
+tunable_policy(`pulseaudio_execmem',`
+ allow pulseaudio_t self:process execmem;
+')
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(pulseaudio_t)
@@ -146,7 +161,8 @@ tunable_policy(`use_samba_home_dirs',`
')
optional_policy(`
- alsa_read_rw_config(pulseaudio_t)
+ alsa_read_config(pulseaudio_t)
+ alsa_read_home_files(pulseaudio_t)
')
optional_policy(`
@@ -176,6 +192,15 @@ optional_policy(`
')
optional_policy(`
+ gnome_stream_connect_gconf(pulseaudio_t)
+
+ # OIL Runtime Compiler (ORC) optimized code execution
+ allow pulseaudio_t gstreamer_orcexec_t:file { manage_file_perms mmap_file_perms };
+ gnome_user_runtime_filetrans_gstreamer_orcexec(pulseaudio_t, file)
+ gnome_home_filetrans_gstreamer_orcexec(pulseaudio_t, file)
+')
+
+optional_policy(`
rtkit_scheduled(pulseaudio_t)
')
@@ -186,6 +211,7 @@ optional_policy(`
')
optional_policy(`
+ udev_read_pid_files(pulseaudio_t)
udev_read_state(pulseaudio_t)
udev_read_db(pulseaudio_t)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2016-08-17 16:59 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
@ 2016-08-17 16:59 ` Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-08-17 16:59 UTC (permalink / raw
To: gentoo-commits
commit: 3101fc57262e91f9e5f57a89493a32197c1ebc81
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Sat Aug 13 15:16:10 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Aug 17 16:46:55 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3101fc57
Update the pulseaudio module for usability and ORC support
Update the pulseaudio module so that it is usable (tested with
latest version pulseaudio 9.0).
This patch depends on a recent patch to update the gnome module.
Support for the OIL Runtime Compiler (OIL) optimized code
execution is added to the pulseaudio module by using a few
newly created interfaces and file contexts in the gnome
module.
Supports the execmem permission only through a boolean which
defaults to false.
Thanks to Dominick Grift for the useful suggestions that
permitted to create this new improved version of the patch.
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/pulseaudio.fc | 1 +
policy/modules/contrib/pulseaudio.if | 1 +
policy/modules/contrib/pulseaudio.te | 34 ++++++++++++++++++++++++++++++----
3 files changed, 32 insertions(+), 4 deletions(-)
diff --git a/policy/modules/contrib/pulseaudio.fc b/policy/modules/contrib/pulseaudio.fc
index e005030..19ade57 100644
--- a/policy/modules/contrib/pulseaudio.fc
+++ b/policy/modules/contrib/pulseaudio.fc
@@ -1,6 +1,7 @@
HOME_DIR/\.esd_auth -- gen_context(system_u:object_r:pulseaudio_home_t,s0)
HOME_DIR/\.pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0)
HOME_DIR/\.pulse-cookie -- gen_context(system_u:object_r:pulseaudio_home_t,s0)
+HOME_DIR/\.config/pulse(/.*)? -- gen_context(system_u:object_r:pulseaudio_home_t,s0)
/usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0)
diff --git a/policy/modules/contrib/pulseaudio.if b/policy/modules/contrib/pulseaudio.if
index ce863b0..f057680 100644
--- a/policy/modules/contrib/pulseaudio.if
+++ b/policy/modules/contrib/pulseaudio.if
@@ -25,6 +25,7 @@ interface(`pulseaudio_role',`
pulseaudio_run($2, $1)
allow $2 pulseaudio_t:process { ptrace signal_perms };
+ allow $2 pulseaudio_t:fd use;
ps_process_pattern($2, pulseaudio_t)
allow $2 pulseaudio_home_t:dir { manage_dir_perms relabel_dir_perms };
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index e7511a8..134866e 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -5,6 +5,14 @@ policy_module(pulseaudio, 1.8.3)
# Declarations
#
+## <desc>
+## <p>
+## Allow pulseaudio to execute code in
+## writable memory
+## </p>
+## </desc>
+gen_tunable(pulseaudio_execmem, false)
+
attribute pulseaudio_client;
attribute pulseaudio_tmpfsfile;
@@ -37,7 +45,8 @@ files_pid_file(pulseaudio_var_run_t)
#
allow pulseaudio_t self:capability { fowner fsetid chown setgid setuid sys_nice sys_resource sys_tty_config };
-allow pulseaudio_t self:process { getcap setcap setrlimit setsched getsched signal signull };
+allow pulseaudio_t self:process { getcap getsched setcap setrlimit setsched signal signull };
+
allow pulseaudio_t self:fifo_file rw_fifo_file_perms;
allow pulseaudio_t self:unix_stream_socket { accept connectto listen };
allow pulseaudio_t self:unix_dgram_socket sendto;
@@ -129,9 +138,15 @@ logging_send_syslog_msg(pulseaudio_t)
miscfiles_read_localization(pulseaudio_t)
userdom_read_user_tmpfs_files(pulseaudio_t)
-
+userdom_delete_user_tmpfs_files(pulseaudio_t)
userdom_search_user_home_dirs(pulseaudio_t)
-userdom_write_user_tmp_sockets(pulseaudio_t)
+userdom_search_user_home_content(pulseaudio_t)
+
+userdom_manage_user_tmp_sockets(pulseaudio_t)
+
+tunable_policy(`pulseaudio_execmem',`
+ allow pulseaudio_t self:process execmem;
+')
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(pulseaudio_t)
@@ -146,7 +161,8 @@ tunable_policy(`use_samba_home_dirs',`
')
optional_policy(`
- alsa_read_rw_config(pulseaudio_t)
+ alsa_read_config(pulseaudio_t)
+ alsa_read_home_files(pulseaudio_t)
')
optional_policy(`
@@ -176,6 +192,15 @@ optional_policy(`
')
optional_policy(`
+ gnome_stream_connect_gconf(pulseaudio_t)
+
+ # OIL Runtime Compiler (ORC) optimized code execution
+ allow pulseaudio_t gstreamer_orcexec_t:file { manage_file_perms mmap_file_perms };
+ gnome_user_runtime_filetrans_gstreamer_orcexec(pulseaudio_t, file)
+ gnome_home_filetrans_gstreamer_orcexec(pulseaudio_t, file)
+')
+
+optional_policy(`
rtkit_scheduled(pulseaudio_t)
')
@@ -186,6 +211,7 @@ optional_policy(`
')
optional_policy(`
+ udev_read_pid_files(pulseaudio_t)
udev_read_state(pulseaudio_t)
udev_read_db(pulseaudio_t)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-08-17 16:59 Jason Zaman
2016-08-17 16:59 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2016-08-17 16:59 UTC (permalink / raw
To: gentoo-commits
commit: cb339f1963ddfdfe4be42750974114b3f9f996a0
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Aug 14 18:58:08 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Aug 17 16:46:55 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cb339f19
Module version bump for various patches from Guido Trentalancia.
policy/modules/contrib/alsa.te | 2 +-
policy/modules/contrib/asterisk.te | 2 +-
policy/modules/contrib/entropyd.te | 2 +-
policy/modules/contrib/hal.te | 2 +-
policy/modules/contrib/mozilla.te | 2 +-
policy/modules/contrib/mpd.te | 2 +-
policy/modules/contrib/mplayer.te | 2 +-
policy/modules/contrib/ntp.te | 2 +-
policy/modules/contrib/pulseaudio.te | 2 +-
policy/modules/contrib/telepathy.te | 2 +-
10 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/policy/modules/contrib/alsa.te b/policy/modules/contrib/alsa.te
index 7a25974..dc87030 100644
--- a/policy/modules/contrib/alsa.te
+++ b/policy/modules/contrib/alsa.te
@@ -1,4 +1,4 @@
-policy_module(alsa, 1.15.0)
+policy_module(alsa, 1.15.1)
########################################
#
diff --git a/policy/modules/contrib/asterisk.te b/policy/modules/contrib/asterisk.te
index e901010..dee9f93 100644
--- a/policy/modules/contrib/asterisk.te
+++ b/policy/modules/contrib/asterisk.te
@@ -1,4 +1,4 @@
-policy_module(asterisk, 1.15.0)
+policy_module(asterisk, 1.15.1)
########################################
#
diff --git a/policy/modules/contrib/entropyd.te b/policy/modules/contrib/entropyd.te
index 5068fab..e1f6d58 100644
--- a/policy/modules/contrib/entropyd.te
+++ b/policy/modules/contrib/entropyd.te
@@ -1,4 +1,4 @@
-policy_module(entropyd, 1.9.0)
+policy_module(entropyd, 1.9.1)
########################################
#
diff --git a/policy/modules/contrib/hal.te b/policy/modules/contrib/hal.te
index 2081d14..beef250 100644
--- a/policy/modules/contrib/hal.te
+++ b/policy/modules/contrib/hal.te
@@ -1,4 +1,4 @@
-policy_module(hal, 1.15.0)
+policy_module(hal, 1.15.1)
########################################
#
diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
index a44cb5a..cd1aea3 100644
--- a/policy/modules/contrib/mozilla.te
+++ b/policy/modules/contrib/mozilla.te
@@ -1,4 +1,4 @@
-policy_module(mozilla, 2.9.1)
+policy_module(mozilla, 2.9.2)
########################################
#
diff --git a/policy/modules/contrib/mpd.te b/policy/modules/contrib/mpd.te
index f6f9195..755e1ef 100644
--- a/policy/modules/contrib/mpd.te
+++ b/policy/modules/contrib/mpd.te
@@ -1,4 +1,4 @@
-policy_module(mpd, 1.3.0)
+policy_module(mpd, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/mplayer.te b/policy/modules/contrib/mplayer.te
index e70ee72..6915313 100644
--- a/policy/modules/contrib/mplayer.te
+++ b/policy/modules/contrib/mplayer.te
@@ -1,4 +1,4 @@
-policy_module(mplayer, 2.5.1)
+policy_module(mplayer, 2.5.2)
########################################
#
diff --git a/policy/modules/contrib/ntp.te b/policy/modules/contrib/ntp.te
index 74fba8f..215c57d 100644
--- a/policy/modules/contrib/ntp.te
+++ b/policy/modules/contrib/ntp.te
@@ -1,4 +1,4 @@
-policy_module(ntp, 1.14.1)
+policy_module(ntp, 1.14.2)
########################################
#
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index 134866e..32e06ac 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -1,4 +1,4 @@
-policy_module(pulseaudio, 1.8.3)
+policy_module(pulseaudio, 1.8.4)
########################################
#
diff --git a/policy/modules/contrib/telepathy.te b/policy/modules/contrib/telepathy.te
index db2a27b..4bb3c6f 100644
--- a/policy/modules/contrib/telepathy.te
+++ b/policy/modules/contrib/telepathy.te
@@ -1,4 +1,4 @@
-policy_module(telepathy, 1.6.0)
+policy_module(telepathy, 1.6.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2016-08-17 16:59 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
@ 2016-08-17 16:59 ` Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-08-17 16:59 UTC (permalink / raw
To: gentoo-commits
commit: cb339f1963ddfdfe4be42750974114b3f9f996a0
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Aug 14 18:58:08 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Aug 17 16:46:55 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cb339f19
Module version bump for various patches from Guido Trentalancia.
policy/modules/contrib/alsa.te | 2 +-
policy/modules/contrib/asterisk.te | 2 +-
policy/modules/contrib/entropyd.te | 2 +-
policy/modules/contrib/hal.te | 2 +-
policy/modules/contrib/mozilla.te | 2 +-
policy/modules/contrib/mpd.te | 2 +-
policy/modules/contrib/mplayer.te | 2 +-
policy/modules/contrib/ntp.te | 2 +-
policy/modules/contrib/pulseaudio.te | 2 +-
policy/modules/contrib/telepathy.te | 2 +-
10 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/policy/modules/contrib/alsa.te b/policy/modules/contrib/alsa.te
index 7a25974..dc87030 100644
--- a/policy/modules/contrib/alsa.te
+++ b/policy/modules/contrib/alsa.te
@@ -1,4 +1,4 @@
-policy_module(alsa, 1.15.0)
+policy_module(alsa, 1.15.1)
########################################
#
diff --git a/policy/modules/contrib/asterisk.te b/policy/modules/contrib/asterisk.te
index e901010..dee9f93 100644
--- a/policy/modules/contrib/asterisk.te
+++ b/policy/modules/contrib/asterisk.te
@@ -1,4 +1,4 @@
-policy_module(asterisk, 1.15.0)
+policy_module(asterisk, 1.15.1)
########################################
#
diff --git a/policy/modules/contrib/entropyd.te b/policy/modules/contrib/entropyd.te
index 5068fab..e1f6d58 100644
--- a/policy/modules/contrib/entropyd.te
+++ b/policy/modules/contrib/entropyd.te
@@ -1,4 +1,4 @@
-policy_module(entropyd, 1.9.0)
+policy_module(entropyd, 1.9.1)
########################################
#
diff --git a/policy/modules/contrib/hal.te b/policy/modules/contrib/hal.te
index 2081d14..beef250 100644
--- a/policy/modules/contrib/hal.te
+++ b/policy/modules/contrib/hal.te
@@ -1,4 +1,4 @@
-policy_module(hal, 1.15.0)
+policy_module(hal, 1.15.1)
########################################
#
diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
index a44cb5a..cd1aea3 100644
--- a/policy/modules/contrib/mozilla.te
+++ b/policy/modules/contrib/mozilla.te
@@ -1,4 +1,4 @@
-policy_module(mozilla, 2.9.1)
+policy_module(mozilla, 2.9.2)
########################################
#
diff --git a/policy/modules/contrib/mpd.te b/policy/modules/contrib/mpd.te
index f6f9195..755e1ef 100644
--- a/policy/modules/contrib/mpd.te
+++ b/policy/modules/contrib/mpd.te
@@ -1,4 +1,4 @@
-policy_module(mpd, 1.3.0)
+policy_module(mpd, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/mplayer.te b/policy/modules/contrib/mplayer.te
index e70ee72..6915313 100644
--- a/policy/modules/contrib/mplayer.te
+++ b/policy/modules/contrib/mplayer.te
@@ -1,4 +1,4 @@
-policy_module(mplayer, 2.5.1)
+policy_module(mplayer, 2.5.2)
########################################
#
diff --git a/policy/modules/contrib/ntp.te b/policy/modules/contrib/ntp.te
index 74fba8f..215c57d 100644
--- a/policy/modules/contrib/ntp.te
+++ b/policy/modules/contrib/ntp.te
@@ -1,4 +1,4 @@
-policy_module(ntp, 1.14.1)
+policy_module(ntp, 1.14.2)
########################################
#
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index 134866e..32e06ac 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -1,4 +1,4 @@
-policy_module(pulseaudio, 1.8.3)
+policy_module(pulseaudio, 1.8.4)
########################################
#
diff --git a/policy/modules/contrib/telepathy.te b/policy/modules/contrib/telepathy.te
index db2a27b..4bb3c6f 100644
--- a/policy/modules/contrib/telepathy.te
+++ b/policy/modules/contrib/telepathy.te
@@ -1,4 +1,4 @@
-policy_module(telepathy, 1.6.0)
+policy_module(telepathy, 1.6.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-08-17 16:59 Jason Zaman
2016-08-17 16:59 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2016-08-17 16:59 UTC (permalink / raw
To: gentoo-commits
commit: 79c4ff005ec876159b4143d1de3fbfa6dbf5543e
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Aug 14 18:36:35 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Aug 17 16:46:55 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=79c4ff00
alsa: Add compatibility alias for alsa_etc_rw_t.
policy/modules/contrib/alsa.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/alsa.te b/policy/modules/contrib/alsa.te
index b08ab0c..7a25974 100644
--- a/policy/modules/contrib/alsa.te
+++ b/policy/modules/contrib/alsa.te
@@ -12,7 +12,7 @@ type alsa_exec_t;
init_system_domain(alsa_t, alsa_exec_t)
role alsa_roles types alsa_t;
-type alsa_etc_t;
+type alsa_etc_t alias alsa_etc_rw_t;
files_config_file(alsa_etc_t)
type alsa_tmp_t;
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-08-17 16:59 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-08-17 16:59 UTC (permalink / raw
To: gentoo-commits
commit: ea395bb75ec043061dac0b8aa6b2466514425c6c
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Aug 14 19:51:38 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Aug 17 16:46:55 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ea395bb7
pulseaudio: Fix compile errors.
policy/modules/contrib/pulseaudio.te | 7 +------
1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index 32e06ac..4be64ec 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -1,4 +1,4 @@
-policy_module(pulseaudio, 1.8.4)
+policy_module(pulseaudio, 1.8.5)
########################################
#
@@ -193,11 +193,6 @@ optional_policy(`
optional_policy(`
gnome_stream_connect_gconf(pulseaudio_t)
-
- # OIL Runtime Compiler (ORC) optimized code execution
- allow pulseaudio_t gstreamer_orcexec_t:file { manage_file_perms mmap_file_perms };
- gnome_user_runtime_filetrans_gstreamer_orcexec(pulseaudio_t, file)
- gnome_home_filetrans_gstreamer_orcexec(pulseaudio_t, file)
')
optional_policy(`
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-08-17 16:59 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-08-17 16:59 UTC (permalink / raw
To: gentoo-commits
commit: c62aca80448084d3dd1a37ef55866a1de76e540c
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Aug 14 18:33:24 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Aug 17 16:46:55 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c62aca80
Update the alsa module so that the alsa_etc_t file context (previously alsa_etc_rw_t) is widened to the whole alsa share directory, instead of just a couple of files.
The wrong and misleading _rw_ label has been deprecated in the alsa
interface definitions and in their instances throughout the whole
Reference Policy (static and system-wide configuration files are
not runtime-writable). Warning messages are printed when the user
attempts to use the old namings for the above mentioned alsa
interface definitions.
After applying this patch, the recent pulseaudio patch should also
be applied to complete the removal of the _rw_ labels on the alsa
interfaces.
This version of the patch finally removes obsolete file contexts and
grants read permissions instead of manage permissions for static
configuration files in /usr/share/alsa and system-wide configuration
files in /etc.
Thanks to Dominick Grift for pointing out redundant interface usage
in a previous version of this patch.
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/alsa.fc | 9 +++----
policy/modules/contrib/alsa.if | 52 ++++++++++++++++++++++++++++++--------
policy/modules/contrib/alsa.te | 10 ++++----
policy/modules/contrib/asterisk.te | 2 +-
policy/modules/contrib/entropyd.te | 2 +-
policy/modules/contrib/hal.te | 2 +-
policy/modules/contrib/mpd.te | 2 +-
policy/modules/contrib/mplayer.te | 2 +-
8 files changed, 55 insertions(+), 26 deletions(-)
diff --git a/policy/modules/contrib/alsa.fc b/policy/modules/contrib/alsa.fc
index a8c8a64..112fc62 100644
--- a/policy/modules/contrib/alsa.fc
+++ b/policy/modules/contrib/alsa.fc
@@ -6,10 +6,8 @@ ifdef(`distro_debian',`
/bin/alsaunmute -- gen_context(system_u:object_r:alsa_exec_t,s0)
-/etc/alsa/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0)
-/etc/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
-/etc/asound(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
-/etc/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0)
+/etc/alsa(/.*)? gen_context(system_u:object_r:alsa_etc_t,s0)
+/etc/asound\.conf gen_context(system_u:object_r:alsa_etc_t,s0)
/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0)
/sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0)
@@ -25,8 +23,7 @@ ifdef(`distro_debian',`
/usr/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0)
/usr/sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0)
-/usr/share/alsa/alsa\.conf gen_context(system_u:object_r:alsa_etc_rw_t,s0)
-/usr/share/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
+/usr/share/alsa(/.*)? gen_context(system_u:object_r:alsa_etc_t,s0)
/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0)
diff --git a/policy/modules/contrib/alsa.if b/policy/modules/contrib/alsa.if
index 38bbf80..9ffed04 100644
--- a/policy/modules/contrib/alsa.if
+++ b/policy/modules/contrib/alsa.if
@@ -102,7 +102,8 @@ interface(`alsa_rw_shared_mem',`
########################################
## <summary>
-## Read writable Alsa configuration content.
+## Read writable Alsa configuration
+## content. (Deprecated)
## </summary>
## <param name="domain">
## <summary>
@@ -111,14 +112,29 @@ interface(`alsa_rw_shared_mem',`
## </param>
#
interface(`alsa_read_rw_config',`
+ refpolicywarn(`$0($*) has been deprecated, use alsa_read_config() instead.')
+ alsa_read_config($1)
+')
+
+########################################
+## <summary>
+## Read Alsa configuration content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`alsa_read_config',`
gen_require(`
- type alsa_etc_rw_t;
+ type alsa_etc_t;
')
files_search_etc($1)
- allow $1 alsa_etc_rw_t:dir list_dir_perms;
- read_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
- read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
+ allow $1 alsa_etc_t:dir list_dir_perms;
+ read_files_pattern($1, alsa_etc_t, alsa_etc_t)
+ read_lnk_files_pattern($1, alsa_etc_t, alsa_etc_t)
ifdef(`distro_debian',`
files_search_usr($1)
@@ -127,7 +143,8 @@ interface(`alsa_read_rw_config',`
########################################
## <summary>
-## Manage writable Alsa config files.
+## Manage writable Alsa config
+## files. (Deprecated)
## </summary>
## <param name="domain">
## <summary>
@@ -136,14 +153,29 @@ interface(`alsa_read_rw_config',`
## </param>
#
interface(`alsa_manage_rw_config',`
+ refpolicywarn(`$0($*) has been deprecated, use alsa_manage_config() instead.')
+ alsa_manage_config($1)
+')
+
+########################################
+## <summary>
+## Manage Alsa config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`alsa_manage_config',`
gen_require(`
- type alsa_etc_rw_t;
+ type alsa_etc_t;
')
files_search_etc($1)
- allow $1 alsa_etc_rw_t:dir list_dir_perms;
- manage_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
- read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
+ allow $1 alsa_etc_t:dir list_dir_perms;
+ manage_files_pattern($1, alsa_etc_t, alsa_etc_t)
+ read_lnk_files_pattern($1, alsa_etc_t, alsa_etc_t)
ifdef(`distro_debian',`
files_search_usr($1)
diff --git a/policy/modules/contrib/alsa.te b/policy/modules/contrib/alsa.te
index 17bb145..b08ab0c 100644
--- a/policy/modules/contrib/alsa.te
+++ b/policy/modules/contrib/alsa.te
@@ -12,8 +12,8 @@ type alsa_exec_t;
init_system_domain(alsa_t, alsa_exec_t)
role alsa_roles types alsa_t;
-type alsa_etc_rw_t;
-files_config_file(alsa_etc_rw_t)
+type alsa_etc_t;
+files_config_file(alsa_etc_t)
type alsa_tmp_t;
files_tmp_file(alsa_tmp_t)
@@ -46,9 +46,9 @@ allow alsa_t self:unix_stream_socket { accept listen };
allow alsa_t alsa_home_t:file read_file_perms;
-manage_files_pattern(alsa_t, alsa_etc_rw_t, alsa_etc_rw_t)
-manage_lnk_files_pattern(alsa_t, alsa_etc_rw_t, alsa_etc_rw_t)
-files_etc_filetrans(alsa_t, alsa_etc_rw_t, file)
+list_dirs_pattern(alsa_t, alsa_etc_t, alsa_etc_t)
+read_files_pattern(alsa_t, alsa_etc_t, alsa_etc_t)
+read_lnk_files_pattern(alsa_t, alsa_etc_t, alsa_etc_t)
can_exec(alsa_t, alsa_exec_t)
diff --git a/policy/modules/contrib/asterisk.te b/policy/modules/contrib/asterisk.te
index fc25311..e901010 100644
--- a/policy/modules/contrib/asterisk.te
+++ b/policy/modules/contrib/asterisk.te
@@ -156,7 +156,7 @@ userdom_dontaudit_use_unpriv_user_fds(asterisk_t)
userdom_dontaudit_search_user_home_dirs(asterisk_t)
optional_policy(`
- alsa_read_rw_config(asterisk_t)
+ alsa_read_config(asterisk_t)
')
optional_policy(`
diff --git a/policy/modules/contrib/entropyd.te b/policy/modules/contrib/entropyd.te
index e82f4f5..5068fab 100644
--- a/policy/modules/contrib/entropyd.te
+++ b/policy/modules/contrib/entropyd.te
@@ -68,7 +68,7 @@ tunable_policy(`entropyd_use_audio',`
optional_policy(`
tunable_policy(`entropyd_use_audio',`
alsa_read_lib(entropyd_t)
- alsa_read_rw_config(entropyd_t)
+ alsa_read_config(entropyd_t)
')
')
diff --git a/policy/modules/contrib/hal.te b/policy/modules/contrib/hal.te
index bbccc79..2081d14 100644
--- a/policy/modules/contrib/hal.te
+++ b/policy/modules/contrib/hal.te
@@ -213,7 +213,7 @@ userdom_dontaudit_search_user_home_dirs(hald_t)
optional_policy(`
alsa_domtrans(hald_t)
- alsa_read_rw_config(hald_t)
+ alsa_read_config(hald_t)
')
optional_policy(`
diff --git a/policy/modules/contrib/mpd.te b/policy/modules/contrib/mpd.te
index 01ded5d..f6f9195 100644
--- a/policy/modules/contrib/mpd.te
+++ b/policy/modules/contrib/mpd.te
@@ -179,7 +179,7 @@ tunable_policy(`mpd_use_nfs',`
')
optional_policy(`
- alsa_read_rw_config(mpd_t)
+ alsa_read_config(mpd_t)
')
optional_policy(`
diff --git a/policy/modules/contrib/mplayer.te b/policy/modules/contrib/mplayer.te
index 26ff9aa..e70ee72 100644
--- a/policy/modules/contrib/mplayer.te
+++ b/policy/modules/contrib/mplayer.te
@@ -257,7 +257,7 @@ tunable_policy(`allow_mplayer_execstack',`
')
optional_policy(`
- alsa_read_rw_config(mplayer_t)
+ alsa_read_config(mplayer_t)
')
optional_policy(`
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-08-17 16:59 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-08-17 16:59 UTC (permalink / raw
To: gentoo-commits
commit: 0402209aa9f09e25a1283661b79445d61a0babd6
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Aug 14 18:57:29 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Aug 17 16:46:55 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0402209a
Update the sysnetwork module to add some permissions needed by the dhcp client (another separate patch makes changes to the ifconfig part).
Create auxiliary interfaces in the ntp module.
The permission to execute restorecon/setfiles (required by the
dhclient-script script and granted in a previous version of this
patch) is not granted, as it does not break the script functioning.
Include revisions from Chris PeBenito.
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/ntp.if | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/policy/modules/contrib/ntp.if b/policy/modules/contrib/ntp.if
index 192e342..f8534c6 100644
--- a/policy/modules/contrib/ntp.if
+++ b/policy/modules/contrib/ntp.if
@@ -101,6 +101,25 @@ interface(`ntp_initrc_domtrans',`
########################################
## <summary>
+## Read ntp conf files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ntp_read_conf_files',`
+ gen_require(`
+ type ntp_conf_t;
+ ')
+
+ files_search_etc($1)
+ read_files_pattern($1, ntp_conf_t, ntp_conf_t)
+')
+
+########################################
+## <summary>
## Read ntp drift files.
## </summary>
## <param name="domain">
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-08-13 18:35 Jason Zaman
2016-08-13 18:32 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2016-08-13 18:35 UTC (permalink / raw
To: gentoo-commits
commit: 953f0de61ff6969382d34002fc7d4b4992e88c1a
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Wed Aug 10 23:29:17 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Aug 13 18:23:03 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=953f0de6
Let gpg disable core dumps
Update the gpg role interface so that core dumps can be disabled
at runtime (required for successful execution of gpg).
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/gpg.if | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/gpg.if b/policy/modules/contrib/gpg.if
index b299418..0370dd1 100644
--- a/policy/modules/contrib/gpg.if
+++ b/policy/modules/contrib/gpg.if
@@ -31,6 +31,7 @@ interface(`gpg_role',`
domtrans_pattern($2, gpg_exec_t, gpg_t)
domtrans_pattern($2, gpg_agent_exec_t, gpg_agent_t)
+ allow $2 self:process setrlimit;
allow $2 { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t }:process { ptrace signal_perms };
ps_process_pattern($2, { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t })
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2016-08-13 18:35 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
@ 2016-08-13 18:32 ` Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-08-13 18:32 UTC (permalink / raw
To: gentoo-commits
commit: 953f0de61ff6969382d34002fc7d4b4992e88c1a
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Wed Aug 10 23:29:17 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Aug 13 18:23:03 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=953f0de6
Let gpg disable core dumps
Update the gpg role interface so that core dumps can be disabled
at runtime (required for successful execution of gpg).
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/gpg.if | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/gpg.if b/policy/modules/contrib/gpg.if
index b299418..0370dd1 100644
--- a/policy/modules/contrib/gpg.if
+++ b/policy/modules/contrib/gpg.if
@@ -31,6 +31,7 @@ interface(`gpg_role',`
domtrans_pattern($2, gpg_exec_t, gpg_t)
domtrans_pattern($2, gpg_agent_exec_t, gpg_agent_t)
+ allow $2 self:process setrlimit;
allow $2 { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t }:process { ptrace signal_perms };
ps_process_pattern($2, { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t })
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-08-13 18:35 Jason Zaman
2016-08-13 18:32 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2016-08-13 18:35 UTC (permalink / raw
To: gentoo-commits
commit: a20312035fa6040148369683119ca8529edd4fac
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Aug 13 13:02:19 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Aug 13 18:23:03 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a2031203
Module version bump for pulseaudio fc fix from Jason Zaman.
policy/modules/contrib/pulseaudio.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index 118c86a..e011c3a 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -1,4 +1,4 @@
-policy_module(pulseaudio, 1.8.1)
+policy_module(pulseaudio, 1.8.2)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-08-13 18:35 Jason Zaman
2016-08-13 18:32 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2016-08-13 18:35 UTC (permalink / raw
To: gentoo-commits
commit: 8a3ee1b331c4066f0ce3641fb5ca886f0c479650
Author: Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Wed Aug 3 05:39:37 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Aug 13 18:23:03 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8a3ee1b3
named reads vm sysctls
On Wed, 3 Aug 2016 09:43:18 AM Chris PeBenito wrote:
> > kernel_read_kernel_sysctls(named_t)
> >
> > +kernel_read_vm_sysctls(named_t)
> >
> > kernel_read_system_state(named_t)
> > kernel_read_network_state(named_t)
>
> Yes, there is a kernel_read_vm_overcommit_sysctl().
I've attached a new patch.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
policy/modules/contrib/bind.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/bind.te b/policy/modules/contrib/bind.te
index 2a72066..0683298 100644
--- a/policy/modules/contrib/bind.te
+++ b/policy/modules/contrib/bind.te
@@ -110,6 +110,7 @@ read_files_pattern(named_t, named_zone_t, named_zone_t)
read_lnk_files_pattern(named_t, named_zone_t, named_zone_t)
kernel_read_kernel_sysctls(named_t)
+kernel_read_vm_overcommit_sysctl(named_t)
kernel_read_system_state(named_t)
kernel_read_network_state(named_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2016-08-13 18:35 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
@ 2016-08-13 18:32 ` Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-08-13 18:32 UTC (permalink / raw
To: gentoo-commits
commit: 8a3ee1b331c4066f0ce3641fb5ca886f0c479650
Author: Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Wed Aug 3 05:39:37 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Aug 13 18:23:03 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8a3ee1b3
named reads vm sysctls
On Wed, 3 Aug 2016 09:43:18 AM Chris PeBenito wrote:
> > kernel_read_kernel_sysctls(named_t)
> >
> > +kernel_read_vm_sysctls(named_t)
> >
> > kernel_read_system_state(named_t)
> > kernel_read_network_state(named_t)
>
> Yes, there is a kernel_read_vm_overcommit_sysctl().
I've attached a new patch.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
policy/modules/contrib/bind.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/bind.te b/policy/modules/contrib/bind.te
index 2a72066..0683298 100644
--- a/policy/modules/contrib/bind.te
+++ b/policy/modules/contrib/bind.te
@@ -110,6 +110,7 @@ read_files_pattern(named_t, named_zone_t, named_zone_t)
read_lnk_files_pattern(named_t, named_zone_t, named_zone_t)
kernel_read_kernel_sysctls(named_t)
+kernel_read_vm_overcommit_sysctl(named_t)
kernel_read_system_state(named_t)
kernel_read_network_state(named_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-08-13 18:35 Jason Zaman
2016-08-13 18:32 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2016-08-13 18:35 UTC (permalink / raw
To: gentoo-commits
commit: 1e92b35184febdff52e8731acd013d61a3778265
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Tue Aug 2 23:40:44 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Aug 13 18:23:03 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1e92b351
Module version bump for watchdog pidfile option from Russell Coker.
policy/modules/contrib/watchdog.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/watchdog.te b/policy/modules/contrib/watchdog.te
index a7eac30..0793afa 100644
--- a/policy/modules/contrib/watchdog.te
+++ b/policy/modules/contrib/watchdog.te
@@ -1,4 +1,4 @@
-policy_module(watchdog, 1.10.0)
+policy_module(watchdog, 1.10.1)
#################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-08-13 18:35 Jason Zaman
2016-08-13 18:32 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2016-08-13 18:35 UTC (permalink / raw
To: gentoo-commits
commit: dff809f64be7fe7c03e5738e2a0711bce014b370
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Aug 8 06:21:51 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Aug 13 18:23:03 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=dff809f6
pulseaudio: fix user runtime fcontext
policy/modules/contrib/pulseaudio.fc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/pulseaudio.fc b/policy/modules/contrib/pulseaudio.fc
index cde5a80..e005030 100644
--- a/policy/modules/contrib/pulseaudio.fc
+++ b/policy/modules/contrib/pulseaudio.fc
@@ -7,7 +7,7 @@ HOME_DIR/\.pulse-cookie -- gen_context(system_u:object_r:pulseaudio_home_t,s0)
/var/lib/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0)
/var/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0)
-/var/run/%{USERID}/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_tmp_t,s0)
+/var/run/user/%{USERID}/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_tmp_t,s0)
ifdef(`distro_gentoo',`
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2016-08-13 18:35 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
@ 2016-08-13 18:32 ` Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-08-13 18:32 UTC (permalink / raw
To: gentoo-commits
commit: dff809f64be7fe7c03e5738e2a0711bce014b370
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Aug 8 06:21:51 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Aug 13 18:23:03 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=dff809f6
pulseaudio: fix user runtime fcontext
policy/modules/contrib/pulseaudio.fc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/pulseaudio.fc b/policy/modules/contrib/pulseaudio.fc
index cde5a80..e005030 100644
--- a/policy/modules/contrib/pulseaudio.fc
+++ b/policy/modules/contrib/pulseaudio.fc
@@ -7,7 +7,7 @@ HOME_DIR/\.pulse-cookie -- gen_context(system_u:object_r:pulseaudio_home_t,s0)
/var/lib/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0)
/var/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0)
-/var/run/%{USERID}/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_tmp_t,s0)
+/var/run/user/%{USERID}/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_tmp_t,s0)
ifdef(`distro_gentoo',`
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-08-13 18:35 Jason Zaman
2016-08-13 18:32 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2016-08-13 18:35 UTC (permalink / raw
To: gentoo-commits
commit: 15d627de48ef8cca29e31abfdcf984a808f14eb0
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Tue Aug 2 23:29:05 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Aug 13 18:23:03 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=15d627de
rpcbind: Read /sys/devices/system/cpu/online from Russell Coker.
policy/modules/contrib/rpcbind.te | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/rpcbind.te b/policy/modules/contrib/rpcbind.te
index 9ba71b5..88dbc6b 100644
--- a/policy/modules/contrib/rpcbind.te
+++ b/policy/modules/contrib/rpcbind.te
@@ -1,4 +1,4 @@
-policy_module(rpcbind, 1.9.0)
+policy_module(rpcbind, 1.9.1)
########################################
#
@@ -61,6 +61,8 @@ corenet_udp_bind_all_rpc_ports(rpcbind_t)
corecmd_exec_shell(rpcbind_t)
+dev_read_cpu_online(rpcbind_t)
+
domain_use_interactive_fds(rpcbind_t)
files_read_etc_runtime_files(rpcbind_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-08-13 18:35 Jason Zaman
2016-08-13 18:32 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2016-08-13 18:35 UTC (permalink / raw
To: gentoo-commits
commit: 6e8d429d4a26f3e6c1ceccd320fe6d57b1f5c3c0
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Tue Aug 2 23:40:21 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Aug 13 18:23:03 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6e8d429d
watchdog: Move line.
policy/modules/contrib/watchdog.te | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/policy/modules/contrib/watchdog.te b/policy/modules/contrib/watchdog.te
index 8cb7a08..a7eac30 100644
--- a/policy/modules/contrib/watchdog.te
+++ b/policy/modules/contrib/watchdog.te
@@ -68,6 +68,7 @@ domain_kill_all_domains(watchdog_t)
files_read_etc_files(watchdog_t)
files_manage_etc_runtime_files(watchdog_t)
files_etc_filetrans_etc_runtime(watchdog_t, file)
+files_read_all_pids(watchdog_t)
fs_unmount_xattr_fs(watchdog_t)
fs_getattr_all_fs(watchdog_t)
@@ -75,8 +76,6 @@ fs_search_auto_mountpoints(watchdog_t)
auth_append_login_records(watchdog_t)
-files_read_all_pids(watchdog_t)
-
logging_send_syslog_msg(watchdog_t)
miscfiles_read_localization(watchdog_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2016-08-13 18:35 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
@ 2016-08-13 18:32 ` Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-08-13 18:32 UTC (permalink / raw
To: gentoo-commits
commit: 6e8d429d4a26f3e6c1ceccd320fe6d57b1f5c3c0
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Tue Aug 2 23:40:21 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Aug 13 18:23:03 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6e8d429d
watchdog: Move line.
policy/modules/contrib/watchdog.te | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/policy/modules/contrib/watchdog.te b/policy/modules/contrib/watchdog.te
index 8cb7a08..a7eac30 100644
--- a/policy/modules/contrib/watchdog.te
+++ b/policy/modules/contrib/watchdog.te
@@ -68,6 +68,7 @@ domain_kill_all_domains(watchdog_t)
files_read_etc_files(watchdog_t)
files_manage_etc_runtime_files(watchdog_t)
files_etc_filetrans_etc_runtime(watchdog_t, file)
+files_read_all_pids(watchdog_t)
fs_unmount_xattr_fs(watchdog_t)
fs_getattr_all_fs(watchdog_t)
@@ -75,8 +76,6 @@ fs_search_auto_mountpoints(watchdog_t)
auth_append_login_records(watchdog_t)
-files_read_all_pids(watchdog_t)
-
logging_send_syslog_msg(watchdog_t)
miscfiles_read_localization(watchdog_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2016-08-13 18:35 Jason Zaman
2016-08-13 18:32 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2016-08-13 18:35 UTC (permalink / raw
To: gentoo-commits
commit: 70531e52da1a835f82a2db952c0a408b9e9e1cfe
Author: Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Sun Jul 31 09:31:37 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Aug 13 18:23:03 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=70531e52
watchdog reads pid files
This patch allows watchdog to read all pid files for the "pidfile" feature.
policy/modules/contrib/watchdog.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/contrib/watchdog.te b/policy/modules/contrib/watchdog.te
index 0f13e2b..8cb7a08 100644
--- a/policy/modules/contrib/watchdog.te
+++ b/policy/modules/contrib/watchdog.te
@@ -75,6 +75,8 @@ fs_search_auto_mountpoints(watchdog_t)
auth_append_login_records(watchdog_t)
+files_read_all_pids(watchdog_t)
+
logging_send_syslog_msg(watchdog_t)
miscfiles_read_localization(watchdog_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-08-13 18:32 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-08-13 18:32 UTC (permalink / raw
To: gentoo-commits
commit: e8e8d4ac0695c051293cc8ed94d03630df38e997
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Tue Aug 9 20:31:13 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Aug 13 18:23:03 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e8e8d4ac
Policykit module: add fs_getattr_xattr_fs()
Add a single permission to the policykit module.
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/policykit.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/policykit.te b/policy/modules/contrib/policykit.te
index 50f8b6a..da0187b 100644
--- a/policy/modules/contrib/policykit.te
+++ b/policy/modules/contrib/policykit.te
@@ -92,6 +92,7 @@ domain_read_all_domains_state(policykit_t)
files_dontaudit_search_all_mountpoints(policykit_t)
+fs_getattr_xattr_fs(policykit_t)
fs_list_inotifyfs(policykit_t)
auth_use_nsswitch(policykit_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-08-13 18:32 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-08-13 18:32 UTC (permalink / raw
To: gentoo-commits
commit: 89d1ba7ab8b4bd7188379b36d18464a912491e55
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Aug 6 23:13:32 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Aug 13 18:23:03 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=89d1ba7a
Systemd units from Russell Coker.
policy/modules/contrib/apache.fc | 2 ++
policy/modules/contrib/apache.te | 5 ++++-
policy/modules/contrib/apcupsd.fc | 2 ++
policy/modules/contrib/apcupsd.te | 5 ++++-
policy/modules/contrib/apm.fc | 2 ++
policy/modules/contrib/apm.te | 5 ++++-
policy/modules/contrib/arpwatch.fc | 2 ++
policy/modules/contrib/arpwatch.te | 5 ++++-
policy/modules/contrib/automount.fc | 2 ++
policy/modules/contrib/automount.te | 5 ++++-
policy/modules/contrib/avahi.fc | 2 ++
policy/modules/contrib/avahi.te | 5 ++++-
policy/modules/contrib/bind.fc | 3 +++
policy/modules/contrib/bind.te | 5 ++++-
policy/modules/contrib/clamav.fc | 2 ++
policy/modules/contrib/clamav.te | 5 ++++-
policy/modules/contrib/consolekit.fc | 2 ++
policy/modules/contrib/consolekit.te | 5 ++++-
policy/modules/contrib/cron.fc | 3 +++
policy/modules/contrib/cron.te | 5 ++++-
policy/modules/contrib/cups.fc | 1 +
policy/modules/contrib/cups.te | 5 ++++-
policy/modules/contrib/dhcp.fc | 2 ++
policy/modules/contrib/dhcp.te | 5 ++++-
policy/modules/contrib/ftp.fc | 3 +++
policy/modules/contrib/ftp.te | 5 ++++-
policy/modules/contrib/kdump.fc | 2 ++
policy/modules/contrib/kdump.te | 2 +-
policy/modules/contrib/ldap.fc | 1 +
policy/modules/contrib/ldap.te | 5 ++++-
policy/modules/contrib/mysql.fc | 2 ++
policy/modules/contrib/mysql.te | 5 ++++-
policy/modules/contrib/nis.fc | 5 +++++
policy/modules/contrib/nis.te | 8 +++++++-
policy/modules/contrib/nscd.te | 5 ++++-
policy/modules/contrib/ntp.fc | 1 +
policy/modules/contrib/ppp.fc | 2 ++
policy/modules/contrib/ppp.te | 5 ++++-
policy/modules/contrib/rpc.fc | 3 +++
policy/modules/contrib/rpc.te | 8 +++++++-
policy/modules/contrib/samba.fc | 2 ++
policy/modules/contrib/samba.te | 5 ++++-
policy/modules/contrib/tor.fc | 2 ++
policy/modules/contrib/tor.te | 5 ++++-
44 files changed, 139 insertions(+), 22 deletions(-)
diff --git a/policy/modules/contrib/apache.fc b/policy/modules/contrib/apache.fc
index 96006a0..808cc65 100644
--- a/policy/modules/contrib/apache.fc
+++ b/policy/modules/contrib/apache.fc
@@ -50,6 +50,8 @@ HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)? gen_context(system_u:objec
/usr/lib/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
/usr/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
/usr/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/lib/systemd/system/httpd.*\.service -- gen_context(system_u:object_r:httpd_unit_t,s0)
+/usr/lib/systemd/system/jetty.*\.service -- gen_context(system_u:object_r:httpd_unit_t,s0)
/usr/libexec/httpd-ssl-pass-dialog -- gen_context(system_u:object_r:httpd_passwd_exec_t,s0)
diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index d3299a2..e02fcdc 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -1,4 +1,4 @@
-policy_module(apache, 2.10.0)
+policy_module(apache, 2.10.1)
########################################
#
@@ -327,6 +327,9 @@ files_tmp_file(httpd_tmp_t)
type httpd_tmpfs_t;
files_tmpfs_file(httpd_tmpfs_t)
+type httpd_unit_t;
+init_unit_file(httpd_unit_t)
+
apache_content_template(user)
ubac_constrained(httpd_user_script_t)
userdom_user_home_content(httpd_user_content_t)
diff --git a/policy/modules/contrib/apcupsd.fc b/policy/modules/contrib/apcupsd.fc
index 5ec0e13..82d48b1 100644
--- a/policy/modules/contrib/apcupsd.fc
+++ b/policy/modules/contrib/apcupsd.fc
@@ -2,6 +2,8 @@
/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
+/usr/lib/systemd/system/apcupsd.*\.service -- gen_context(system_u:object_r:apcupsd_unit_t,s0)
+
/usr/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
/var/lock/subsys/apcupsd -- gen_context(system_u:object_r:apcupsd_lock_t,s0)
diff --git a/policy/modules/contrib/apcupsd.te b/policy/modules/contrib/apcupsd.te
index d5bf5bd..586104d 100644
--- a/policy/modules/contrib/apcupsd.te
+++ b/policy/modules/contrib/apcupsd.te
@@ -1,4 +1,4 @@
-policy_module(apcupsd, 1.10.0)
+policy_module(apcupsd, 1.10.1)
########################################
#
@@ -21,6 +21,9 @@ logging_log_file(apcupsd_log_t)
type apcupsd_tmp_t;
files_tmp_file(apcupsd_tmp_t)
+type apcupsd_unit_t;
+init_unit_file(apcupsd_unit_t)
+
type apcupsd_var_run_t;
files_pid_file(apcupsd_var_run_t)
diff --git a/policy/modules/contrib/apm.fc b/policy/modules/contrib/apm.fc
index ce27d2f..0b5cf18 100644
--- a/policy/modules/contrib/apm.fc
+++ b/policy/modules/contrib/apm.fc
@@ -2,6 +2,8 @@
/usr/bin/apm -- gen_context(system_u:object_r:apm_exec_t,s0)
+/usr/lib/systemd/system/apmd.*\.service -- gen_context(system_u:object_r:apmd_unit_t,s0)
+
/usr/sbin/acpid -- gen_context(system_u:object_r:apmd_exec_t,s0)
/usr/sbin/apmd -- gen_context(system_u:object_r:apmd_exec_t,s0)
/usr/sbin/powersaved -- gen_context(system_u:object_r:apmd_exec_t,s0)
diff --git a/policy/modules/contrib/apm.te b/policy/modules/contrib/apm.te
index d6344dc..3acc764 100644
--- a/policy/modules/contrib/apm.te
+++ b/policy/modules/contrib/apm.te
@@ -1,4 +1,4 @@
-policy_module(apm, 1.14.0)
+policy_module(apm, 1.14.1)
########################################
#
@@ -29,6 +29,9 @@ logging_log_file(apmd_log_t)
type apmd_tmp_t;
files_tmp_file(apmd_tmp_t)
+type apmd_unit_t;
+init_unit_file(apmd_unit_t)
+
type apmd_var_lib_t;
files_type(apmd_var_lib_t)
diff --git a/policy/modules/contrib/arpwatch.fc b/policy/modules/contrib/arpwatch.fc
index 9ca0d0f..59498be 100644
--- a/policy/modules/contrib/arpwatch.fc
+++ b/policy/modules/contrib/arpwatch.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/arpwatch -- gen_context(system_u:object_r:arpwatch_initrc_exec_t,s0)
+/usr/lib/systemd/system/arpwatch.*\.service -- gen_context(system_u:object_r:arpwatch_unit_t,s0)
+
/usr/sbin/arpwatch -- gen_context(system_u:object_r:arpwatch_exec_t,s0)
/var/arpwatch(/.*)? gen_context(system_u:object_r:arpwatch_data_t,s0)
diff --git a/policy/modules/contrib/arpwatch.te b/policy/modules/contrib/arpwatch.te
index 97ecc55..0cda29a 100644
--- a/policy/modules/contrib/arpwatch.te
+++ b/policy/modules/contrib/arpwatch.te
@@ -1,4 +1,4 @@
-policy_module(arpwatch, 1.12.0)
+policy_module(arpwatch, 1.12.1)
########################################
#
@@ -18,6 +18,9 @@ files_type(arpwatch_data_t)
type arpwatch_tmp_t;
files_tmp_file(arpwatch_tmp_t)
+type arpwatch_unit_t;
+init_unit_file(arpwatch_unit_t)
+
type arpwatch_var_run_t;
files_pid_file(arpwatch_var_run_t)
diff --git a/policy/modules/contrib/automount.fc b/policy/modules/contrib/automount.fc
index 92adb37..989c10e 100644
--- a/policy/modules/contrib/automount.fc
+++ b/policy/modules/contrib/automount.fc
@@ -1,6 +1,8 @@
/etc/apm/event\.d/autofs -- gen_context(system_u:object_r:automount_exec_t,s0)
/etc/rc\.d/init\.d/autofs -- gen_context(system_u:object_r:automount_initrc_exec_t,s0)
+/usr/lib/systemd/system/autofs.*\.service -- gen_context(system_u:object_r:automount_unit_t,s0)
+
/usr/sbin/automount -- gen_context(system_u:object_r:automount_exec_t,s0)
/var/lock/subsys/autofs -- gen_context(system_u:object_r:automount_lock_t,s0)
diff --git a/policy/modules/contrib/automount.te b/policy/modules/contrib/automount.te
index be5adee..2f5852e 100644
--- a/policy/modules/contrib/automount.te
+++ b/policy/modules/contrib/automount.te
@@ -1,4 +1,4 @@
-policy_module(automount, 1.16.0)
+policy_module(automount, 1.16.1)
########################################
#
@@ -22,6 +22,9 @@ type automount_tmp_t;
files_tmp_file(automount_tmp_t)
files_mountpoint(automount_tmp_t)
+type automount_unit_t;
+init_unit_file(automount_unit_t)
+
type automount_var_run_t;
files_pid_file(automount_var_run_t)
diff --git a/policy/modules/contrib/avahi.fc b/policy/modules/contrib/avahi.fc
index e9fe2ca..f6604ae 100644
--- a/policy/modules/contrib/avahi.fc
+++ b/policy/modules/contrib/avahi.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/avahi.* -- gen_context(system_u:object_r:avahi_initrc_exec_t,s0)
+/usr/lib/systemd/system/avahi.*\.service -- gen_context(system_u:object_r:avahi_unit_t,s0)
+
/usr/sbin/avahi-daemon -- gen_context(system_u:object_r:avahi_exec_t,s0)
/usr/sbin/avahi-dnsconfd -- gen_context(system_u:object_r:avahi_exec_t,s0)
/usr/sbin/avahi-autoipd -- gen_context(system_u:object_r:avahi_exec_t,s0)
diff --git a/policy/modules/contrib/avahi.te b/policy/modules/contrib/avahi.te
index 461cef0..40cba10 100644
--- a/policy/modules/contrib/avahi.te
+++ b/policy/modules/contrib/avahi.te
@@ -1,4 +1,4 @@
-policy_module(avahi, 1.16.0)
+policy_module(avahi, 1.16.1)
########################################
#
@@ -13,6 +13,9 @@ init_named_socket_activation(avahi_t, avahi_var_run_t)
type avahi_initrc_exec_t;
init_script_file(avahi_initrc_exec_t)
+type avahi_unit_t;
+init_unit_file(avahi_unit_t)
+
type avahi_var_lib_t;
files_pid_file(avahi_var_lib_t)
diff --git a/policy/modules/contrib/bind.fc b/policy/modules/contrib/bind.fc
index 2b9a3a1..d0c6d58 100644
--- a/policy/modules/contrib/bind.fc
+++ b/policy/modules/contrib/bind.fc
@@ -14,6 +14,9 @@
/etc/unbound(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
/etc/unbound/.*\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+/usr/lib/systemd/system/named.*\.service -- gen_context(system_u:object_r:named_unit_t,s0)
+/usr/lib/systemd/system/unbound.*\.service -- gen_context(system_u:object_r:named_unit_t,s0)
+
/usr/sbin/lwresd -- gen_context(system_u:object_r:named_exec_t,s0)
/usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0)
/usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0)
diff --git a/policy/modules/contrib/bind.te b/policy/modules/contrib/bind.te
index 0683298..e3072c7 100644
--- a/policy/modules/contrib/bind.te
+++ b/policy/modules/contrib/bind.te
@@ -1,4 +1,4 @@
-policy_module(bind, 1.16.1)
+policy_module(bind, 1.16.2)
########################################
#
@@ -53,6 +53,9 @@ logging_log_file(named_log_t)
type named_tmp_t;
files_tmp_file(named_tmp_t)
+type named_unit_t;
+init_unit_file(named_unit_t)
+
type named_var_run_t;
files_pid_file(named_var_run_t)
init_daemon_pid_file(named_var_run_t, dir, "named")
diff --git a/policy/modules/contrib/clamav.fc b/policy/modules/contrib/clamav.fc
index d72afcc..f12497d 100644
--- a/policy/modules/contrib/clamav.fc
+++ b/policy/modules/contrib/clamav.fc
@@ -6,6 +6,8 @@
/usr/bin/clamdscan -- gen_context(system_u:object_r:clamscan_exec_t,s0)
/usr/bin/freshclam -- gen_context(system_u:object_r:freshclam_exec_t,s0)
+/usr/lib/systemd/system/clamd.*\.service -- gen_context(system_u:object_r:clamd_unit_t,s0)
+
/usr/sbin/clamd -- gen_context(system_u:object_r:clamd_exec_t,s0)
/usr/sbin/clamav-milter -- gen_context(system_u:object_r:clamd_exec_t,s0)
diff --git a/policy/modules/contrib/clamav.te b/policy/modules/contrib/clamav.te
index c157b65..d733ffb 100644
--- a/policy/modules/contrib/clamav.te
+++ b/policy/modules/contrib/clamav.te
@@ -1,4 +1,4 @@
-policy_module(clamav, 1.12.0)
+policy_module(clamav, 1.12.1)
## <desc>
## <p>
@@ -41,6 +41,9 @@ init_script_file(clamd_initrc_exec_t)
type clamd_tmp_t;
files_tmp_file(clamd_tmp_t)
+type clamd_unit_t;
+init_unit_file(clamd_unit_t)
+
type clamd_var_log_t;
logging_log_file(clamd_var_log_t)
diff --git a/policy/modules/contrib/consolekit.fc b/policy/modules/contrib/consolekit.fc
index 0ce1e53..3ce852a 100644
--- a/policy/modules/contrib/consolekit.fc
+++ b/policy/modules/contrib/consolekit.fc
@@ -1,3 +1,5 @@
+/usr/lib/systemd/system/console-kit.*\.service -- gen_context(system_u:object_r:consolekit_unit_t,s0)
+
/usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0)
/var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0)
diff --git a/policy/modules/contrib/consolekit.te b/policy/modules/contrib/consolekit.te
index a3fd0bf..80c18fa 100644
--- a/policy/modules/contrib/consolekit.te
+++ b/policy/modules/contrib/consolekit.te
@@ -1,4 +1,4 @@
-policy_module(consolekit, 1.10.1)
+policy_module(consolekit, 1.10.2)
########################################
#
@@ -15,6 +15,9 @@ logging_log_file(consolekit_log_t)
type consolekit_tmpfs_t;
files_tmpfs_file(consolekit_tmpfs_t)
+type consolekit_unit_t;
+init_unit_file(consolekit_unit_t)
+
type consolekit_var_run_t;
files_pid_file(consolekit_var_run_t)
init_daemon_pid_file(consolekit_var_run_t, dir, "ConsoleKit")
diff --git a/policy/modules/contrib/cron.fc b/policy/modules/contrib/cron.fc
index cbb19b7..21ca917 100644
--- a/policy/modules/contrib/cron.fc
+++ b/policy/modules/contrib/cron.fc
@@ -6,6 +6,9 @@
/usr/bin/(f)?crontab -- gen_context(system_u:object_r:crontab_exec_t,s0)
+/usr/lib/systemd/system/atd.*\.service -- gen_context(system_u:object_r:crond_unit_t,s0)
+/usr/lib/systemd/system/crond.*\.service -- gen_context(system_u:object_r:crond_unit_t,s0)
+
/usr/libexec/fcron -- gen_context(system_u:object_r:crond_exec_t,s0)
/usr/libexec/fcronsighup -- gen_context(system_u:object_r:crontab_exec_t,s0)
diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te
index d26bdb2..0125df0 100644
--- a/policy/modules/contrib/cron.te
+++ b/policy/modules/contrib/cron.te
@@ -1,4 +1,4 @@
-policy_module(cron, 2.9.1)
+policy_module(cron, 2.9.2)
gen_require(`
class passwd rootok;
@@ -76,6 +76,9 @@ files_tmp_file(crond_tmp_t)
files_poly_parent(crond_tmp_t)
mta_system_content(crond_tmp_t)
+type crond_unit_t;
+init_unit_file(crond_unit_t)
+
type crond_var_run_t;
files_pid_file(crond_var_run_t)
mta_system_content(crond_var_run_t)
diff --git a/policy/modules/contrib/cups.fc b/policy/modules/contrib/cups.fc
index 949011e..ecea069 100644
--- a/policy/modules/contrib/cups.fc
+++ b/policy/modules/contrib/cups.fc
@@ -34,6 +34,7 @@
/usr/lib/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
/usr/lib/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0)
/usr/lib/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0)
+/usr/lib/systemd/system/cups.*\.service -- gen_context(system_u:object_r:cupsd_unit_t,s0)
/usr/lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
/usr/libexec/cups-pk-helper-mechanism -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te
index 1edccbe..6fd2ee5 100644
--- a/policy/modules/contrib/cups.te
+++ b/policy/modules/contrib/cups.te
@@ -1,4 +1,4 @@
-policy_module(cups, 1.19.0)
+policy_module(cups, 1.19.1)
########################################
#
@@ -58,6 +58,9 @@ files_tmp_file(cups_pdf_tmp_t)
type cupsd_tmp_t;
files_tmp_file(cupsd_tmp_t)
+type cupsd_unit_t;
+init_unit_file(cupsd_unit_t)
+
type cupsd_var_run_t;
files_pid_file(cupsd_var_run_t)
init_daemon_pid_file(cupsd_var_run_t, dir, "cups")
diff --git a/policy/modules/contrib/dhcp.fc b/policy/modules/contrib/dhcp.fc
index 8182c48..bf65642 100644
--- a/policy/modules/contrib/dhcp.fc
+++ b/policy/modules/contrib/dhcp.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/dhcpd(6)? -- gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0)
+/usr/lib/systemd/system/dhcpcd.*\.service -- gen_context(system_u:object_r:dhcpd_unit_t,s0)
+
/usr/sbin/dhcpd.* -- gen_context(system_u:object_r:dhcpd_exec_t,s0)
/var/lib/dhcpd(/.*)? gen_context(system_u:object_r:dhcpd_state_t,s0)
diff --git a/policy/modules/contrib/dhcp.te b/policy/modules/contrib/dhcp.te
index 2d64a81..927e1d9 100644
--- a/policy/modules/contrib/dhcp.te
+++ b/policy/modules/contrib/dhcp.te
@@ -1,4 +1,4 @@
-policy_module(dhcp, 1.12.0)
+policy_module(dhcp, 1.12.1)
########################################
#
@@ -26,6 +26,9 @@ files_type(dhcpd_state_t)
type dhcpd_tmp_t;
files_tmp_file(dhcpd_tmp_t)
+type dhcpd_unit_t;
+init_unit_file(dhcpd_unit_t)
+
type dhcpd_var_run_t;
files_pid_file(dhcpd_var_run_t)
diff --git a/policy/modules/contrib/ftp.fc b/policy/modules/contrib/ftp.fc
index fa132af..366809a 100644
--- a/policy/modules/contrib/ftp.fc
+++ b/policy/modules/contrib/ftp.fc
@@ -9,6 +9,9 @@
/usr/kerberos/sbin/ftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
+/usr/lib/systemd/system/proftpd.*\.service -- gen_context(system_u:object_r:ftpd_unit_t,s0)
+/usr/lib/systemd/system/vsftpd.*\.service -- gen_context(system_u:object_r:ftpd_unit_t,s0)
+
/usr/sbin/ftpwho -- gen_context(system_u:object_r:ftpd_exec_t,s0)
/usr/sbin/in\.ftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
/usr/sbin/muddleftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
diff --git a/policy/modules/contrib/ftp.te b/policy/modules/contrib/ftp.te
index d143280..8b83ad7 100644
--- a/policy/modules/contrib/ftp.te
+++ b/policy/modules/contrib/ftp.te
@@ -1,4 +1,4 @@
-policy_module(ftp, 1.18.1)
+policy_module(ftp, 1.18.2)
########################################
#
@@ -136,6 +136,9 @@ files_tmp_file(ftpd_tmp_t)
type ftpd_tmpfs_t;
files_tmpfs_file(ftpd_tmpfs_t)
+type ftpd_unit_t;
+init_unit_file(ftpd_unit_t)
+
type ftpd_var_run_t;
files_pid_file(ftpd_var_run_t)
diff --git a/policy/modules/contrib/kdump.fc b/policy/modules/contrib/kdump.fc
index a49ae4e..d5ec077 100644
--- a/policy/modules/contrib/kdump.fc
+++ b/policy/modules/contrib/kdump.fc
@@ -6,6 +6,8 @@
/usr/bin/kdumpctl -- gen_context(system_u:object_r:kdumpctl_exec_t,s0)
+/usr/lib/systemd/system/kdump.*\.service -- gen_context(system_u:object_r:kdump_unit_t,s0)
+
/sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0)
/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0)
diff --git a/policy/modules/contrib/kdump.te b/policy/modules/contrib/kdump.te
index ac37ce9..215a680 100644
--- a/policy/modules/contrib/kdump.te
+++ b/policy/modules/contrib/kdump.te
@@ -1,4 +1,4 @@
-policy_module(kdump, 1.4.1)
+policy_module(kdump, 1.4.2)
#######################################
#
diff --git a/policy/modules/contrib/ldap.fc b/policy/modules/contrib/ldap.fc
index b7e5679..cafa486 100644
--- a/policy/modules/contrib/ldap.fc
+++ b/policy/modules/contrib/ldap.fc
@@ -8,6 +8,7 @@
/usr/lib/openldap/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
/usr/lib/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
+/usr/lib/systemd/system/slapd.*\.service -- gen_context(system_u:object_r:slapd_unit_t,s0)
/var/lib/ldap(/.*)? gen_context(system_u:object_r:slapd_db_t,s0)
/var/lib/ldap/replog(/.*)? gen_context(system_u:object_r:slapd_replog_t,s0)
diff --git a/policy/modules/contrib/ldap.te b/policy/modules/contrib/ldap.te
index 70bc151..5abf625 100644
--- a/policy/modules/contrib/ldap.te
+++ b/policy/modules/contrib/ldap.te
@@ -1,4 +1,4 @@
-policy_module(ldap, 1.13.0)
+policy_module(ldap, 1.13.1)
########################################
#
@@ -39,6 +39,9 @@ files_tmp_file(slapd_tmp_t)
type slapd_tmpfs_t;
files_tmpfs_file(slapd_tmpfs_t)
+type slapd_unit_t;
+init_unit_file(slapd_unit_t)
+
type slapd_var_run_t;
files_pid_file(slapd_var_run_t)
diff --git a/policy/modules/contrib/mysql.fc b/policy/modules/contrib/mysql.fc
index 1d258c1..fb9b2d8 100644
--- a/policy/modules/contrib/mysql.fc
+++ b/policy/modules/contrib/mysql.fc
@@ -10,6 +10,8 @@ HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0)
/usr/bin/mysqld_safe -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0)
/usr/bin/mysql_upgrade -- gen_context(system_u:object_r:mysqld_exec_t,s0)
+/usr/lib/systemd/system/mysqld.*\.service -- gen_context(system_u:object_r:mysqld_unit_t,s0)
+
/usr/libexec/mysqld -- gen_context(system_u:object_r:mysqld_exec_t,s0)
/usr/sbin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0)
diff --git a/policy/modules/contrib/mysql.te b/policy/modules/contrib/mysql.te
index 0db8319..455fd81 100644
--- a/policy/modules/contrib/mysql.te
+++ b/policy/modules/contrib/mysql.te
@@ -1,4 +1,4 @@
-policy_module(mysql, 1.17.0)
+policy_module(mysql, 1.17.1)
########################################
#
@@ -47,6 +47,9 @@ logging_log_file(mysqld_log_t)
type mysqld_tmp_t;
files_tmp_file(mysqld_tmp_t)
+type mysqld_unit_t;
+init_unit_file(mysqld_unit_t)
+
type mysqlmanagerd_t;
type mysqlmanagerd_exec_t;
init_daemon_domain(mysqlmanagerd_t, mysqlmanagerd_exec_t)
diff --git a/policy/modules/contrib/nis.fc b/policy/modules/contrib/nis.fc
index 8aa1bfa..b7f173c 100644
--- a/policy/modules/contrib/nis.fc
+++ b/policy/modules/contrib/nis.fc
@@ -9,6 +9,11 @@
/usr/lib/yp/ypxfr -- gen_context(system_u:object_r:ypxfr_exec_t,s0)
+/usr/lib/systemd/system/ypbind.*\.service -- gen_context(system_u:object_r:ypbind_unit_t,s0)
+/usr/lib/systemd/system/yppasswdd.*\.service -- gen_context(system_u:object_r:nis_unit_t,s0)
+/usr/lib/systemd/system/ypserv.*\.service -- gen_context(system_u:object_r:nis_unit_t,s0)
+/usr/lib/systemd/system/ypxfrd.*\.service -- gen_context(system_u:object_r:nis_unit_t,s0)
+
/usr/sbin/rpc\.yppasswdd -- gen_context(system_u:object_r:yppasswdd_exec_t,s0)
/usr/sbin/rpc\.ypxfrd -- gen_context(system_u:object_r:ypxfr_exec_t,s0)
/usr/sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0)
diff --git a/policy/modules/contrib/nis.te b/policy/modules/contrib/nis.te
index 77c8282..3d3936d 100644
--- a/policy/modules/contrib/nis.te
+++ b/policy/modules/contrib/nis.te
@@ -1,4 +1,4 @@
-policy_module(nis, 1.13.1)
+policy_module(nis, 1.13.2)
########################################
#
@@ -10,6 +10,9 @@ attribute_role ypbind_roles;
type nis_initrc_exec_t;
init_script_file(nis_initrc_exec_t)
+type nis_unit_t;
+init_unit_file(nis_unit_t)
+
type var_yp_t;
files_type(var_yp_t)
@@ -24,6 +27,9 @@ init_script_file(ypbind_initrc_exec_t)
type ypbind_tmp_t;
files_tmp_file(ypbind_tmp_t)
+type ypbind_unit_t;
+init_unit_file(ypbind_unit_t)
+
type ypbind_var_run_t;
files_pid_file(ypbind_var_run_t)
diff --git a/policy/modules/contrib/nscd.te b/policy/modules/contrib/nscd.te
index 998dcdd..4ba589d 100644
--- a/policy/modules/contrib/nscd.te
+++ b/policy/modules/contrib/nscd.te
@@ -1,4 +1,4 @@
-policy_module(nscd, 1.13.0)
+policy_module(nscd, 1.13.1)
gen_require(`
class nscd all_nscd_perms;
@@ -34,6 +34,9 @@ init_script_file(nscd_initrc_exec_t)
type nscd_log_t;
logging_log_file(nscd_log_t)
+type nscd_unit_t;
+init_unit_file(nscd_unit_t)
+
########################################
#
# Local policy
diff --git a/policy/modules/contrib/ntp.fc b/policy/modules/contrib/ntp.fc
index b58ce47..01ae073 100644
--- a/policy/modules/contrib/ntp.fc
+++ b/policy/modules/contrib/ntp.fc
@@ -13,6 +13,7 @@
# Systemd unit file
/usr/lib/systemd/ntp-units\.d/.* -- gen_context(system_u:object_r:ntpd_unit_t,s0)
+/usr/lib/systemd/system/ntpd.*\.service -- gen_context(system_u:object_r:ntpd_unit_t,s0)
/usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
/usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
diff --git a/policy/modules/contrib/ppp.fc b/policy/modules/contrib/ppp.fc
index efcb653..7d13ee9 100644
--- a/policy/modules/contrib/ppp.fc
+++ b/policy/modules/contrib/ppp.fc
@@ -12,6 +12,8 @@ HOME_DIR/\.ppprc -- gen_context(system_u:object_r:ppp_home_t,s0)
/sbin/ppp-watch -- gen_context(system_u:object_r:pppd_exec_t,s0)
/sbin/pppoe-server -- gen_context(system_u:object_r:pppd_exec_t,s0)
+/usr/lib/systemd/system/ppp.*\.service -- gen_context(system_u:object_r:pppd_unit_t,s0)
+
/usr/sbin/ipppd -- gen_context(system_u:object_r:pppd_exec_t,s0)
/usr/sbin/ppp-watch -- gen_context(system_u:object_r:pppd_exec_t,s0)
/usr/sbin/pppd -- gen_context(system_u:object_r:pppd_exec_t,s0)
diff --git a/policy/modules/contrib/ppp.te b/policy/modules/contrib/ppp.te
index 1d3079f..8473117 100644
--- a/policy/modules/contrib/ppp.te
+++ b/policy/modules/contrib/ppp.te
@@ -1,4 +1,4 @@
-policy_module(ppp, 1.15.0)
+policy_module(ppp, 1.15.1)
########################################
#
@@ -53,6 +53,9 @@ files_lock_file(pppd_lock_t)
type pppd_tmp_t;
files_tmp_file(pppd_tmp_t)
+type pppd_unit_t;
+init_unit_file(pppd_unit_t)
+
type pppd_var_run_t;
files_pid_file(pppd_var_run_t)
diff --git a/policy/modules/contrib/rpc.fc b/policy/modules/contrib/rpc.fc
index a6fb30c..c00b379 100644
--- a/policy/modules/contrib/rpc.fc
+++ b/policy/modules/contrib/rpc.fc
@@ -7,6 +7,9 @@
/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0)
/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0)
+/usr/lib/systemd/system/nfs.*\.service -- gen_context(system_u:object_r:nfsd_unit_t,s0)
+/usr/lib/systemd/system/rpc.*\.service -- gen_context(system_u:object_r:rpcd_unit_t,s0)
+
/usr/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0)
/usr/sbin/rpc\.idmapd -- gen_context(system_u:object_r:rpcd_exec_t,s0)
/usr/sbin/rpc\.gssd -- gen_context(system_u:object_r:gssd_exec_t,s0)
diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
index 8849e92..6703f96 100644
--- a/policy/modules/contrib/rpc.te
+++ b/policy/modules/contrib/rpc.te
@@ -1,4 +1,4 @@
-policy_module(rpc, 1.17.0)
+policy_module(rpc, 1.17.1)
########################################
#
@@ -52,6 +52,9 @@ rpc_domain_template(rpcd)
type rpcd_initrc_exec_t;
init_script_file(rpcd_initrc_exec_t)
+type rpcd_unit_t;
+init_unit_file(rpcd_unit_t)
+
rpc_domain_template(nfsd)
type nfsd_initrc_exec_t;
@@ -63,6 +66,9 @@ files_type(nfsd_rw_t)
type nfsd_ro_t;
files_type(nfsd_ro_t)
+type nfsd_unit_t;
+init_unit_file(nfsd_unit_t)
+
type var_lib_nfs_t;
files_mountpoint(var_lib_nfs_t)
diff --git a/policy/modules/contrib/samba.fc b/policy/modules/contrib/samba.fc
index b8b66ff..ef009e0 100644
--- a/policy/modules/contrib/samba.fc
+++ b/policy/modules/contrib/samba.fc
@@ -14,6 +14,8 @@
/usr/bin/smbmount -- gen_context(system_u:object_r:smbmount_exec_t,s0)
/usr/bin/smbmnt -- gen_context(system_u:object_r:smbmount_exec_t,s0)
+/usr/lib/systemd/system/smb.*\.service -- gen_context(system_u:object_r:samba_unit_t,s0)
+
/usr/sbin/swat -- gen_context(system_u:object_r:swat_exec_t,s0)
/usr/sbin/nmbd -- gen_context(system_u:object_r:nmbd_exec_t,s0)
/usr/sbin/smbd -- gen_context(system_u:object_r:smbd_exec_t,s0)
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
index f6e9be3..602be98 100644
--- a/policy/modules/contrib/samba.te
+++ b/policy/modules/contrib/samba.te
@@ -1,4 +1,4 @@
-policy_module(samba, 1.18.0)
+policy_module(samba, 1.18.1)
#################################
#
@@ -130,6 +130,9 @@ files_type(samba_secrets_t)
type samba_share_t; # customizable
files_type(samba_share_t)
+type samba_unit_t;
+init_unit_file(samba_unit_t)
+
type samba_var_t;
files_type(samba_var_t)
diff --git a/policy/modules/contrib/tor.fc b/policy/modules/contrib/tor.fc
index dce42ec..cbaaa15 100644
--- a/policy/modules/contrib/tor.fc
+++ b/policy/modules/contrib/tor.fc
@@ -5,6 +5,8 @@
/usr/bin/tor -- gen_context(system_u:object_r:tor_exec_t,s0)
/usr/sbin/tor -- gen_context(system_u:object_r:tor_exec_t,s0)
+/usr/lib/systemd/system/tor.*\.service -- gen_context(system_u:object_r:tor_unit_t,s0)
+
/var/lib/tor(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0)
/var/lib/tor-data(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0)
diff --git a/policy/modules/contrib/tor.te b/policy/modules/contrib/tor.te
index 418eb29..3c596d8 100644
--- a/policy/modules/contrib/tor.te
+++ b/policy/modules/contrib/tor.te
@@ -1,4 +1,4 @@
-policy_module(tor, 1.11.0)
+policy_module(tor, 1.11.1)
########################################
#
@@ -23,6 +23,9 @@ files_config_file(tor_etc_t)
type tor_initrc_exec_t;
init_script_file(tor_initrc_exec_t)
+type tor_unit_t;
+init_unit_file(tor_unit_t)
+
type tor_var_lib_t;
files_type(tor_var_lib_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-08-13 18:32 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-08-13 18:32 UTC (permalink / raw
To: gentoo-commits
commit: 3c6c3b732e4d868791d86ddf777fa5d75889b168
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Wed Aug 10 20:44:15 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Aug 13 18:23:03 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3c6c3b73
Update the policy for module apm
Update needed for the normal functioning of the acpi daemon.
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/apm.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/apm.te b/policy/modules/contrib/apm.te
index 3acc764..e2ac3c1 100644
--- a/policy/modules/contrib/apm.te
+++ b/policy/modules/contrib/apm.te
@@ -67,6 +67,7 @@ dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_ptrac
allow apmd_t self:process { signal_perms getsession };
allow apmd_t self:fifo_file rw_fifo_file_perms;
allow apmd_t self:netlink_socket create_socket_perms;
+allow apmd_t self:netlink_generic_socket create_socket_perms;
allow apmd_t self:unix_stream_socket { accept listen };
allow apmd_t apmd_lock_t:file manage_file_perms;
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-08-13 18:32 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-08-13 18:32 UTC (permalink / raw
To: gentoo-commits
commit: af12f6d8e80bc5072ca18eb1ff4162931d73f8df
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Aug 13 13:12:35 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Aug 13 18:23:03 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=af12f6d8
cpucontrol: revise cpucontrol_conf_t labeling, from Guido Trentalancia.
policy/modules/contrib/cpucontrol.fc | 2 +-
policy/modules/contrib/cpucontrol.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/cpucontrol.fc b/policy/modules/contrib/cpucontrol.fc
index 3ffda4c..32bd499 100644
--- a/policy/modules/contrib/cpucontrol.fc
+++ b/policy/modules/contrib/cpucontrol.fc
@@ -1,4 +1,4 @@
-/etc/firmware/.* -- gen_context(system_u:object_r:cpucontrol_conf_t,s0)
+/lib/firmware/microcode.*\.dat -- gen_context(system_u:object_r:cpucontrol_conf_t,s0)
/sbin/microcode_ctl -- gen_context(system_u:object_r:cpucontrol_exec_t,s0)
diff --git a/policy/modules/contrib/cpucontrol.te b/policy/modules/contrib/cpucontrol.te
index af72c4e..901911b 100644
--- a/policy/modules/contrib/cpucontrol.te
+++ b/policy/modules/contrib/cpucontrol.te
@@ -1,4 +1,4 @@
-policy_module(cpucontrol, 1.4.0)
+policy_module(cpucontrol, 1.4.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-08-13 18:32 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-08-13 18:32 UTC (permalink / raw
To: gentoo-commits
commit: c27f6232c179a438d47547012ee3fb63d3ec320e
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Sat Aug 13 13:26:42 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Aug 13 18:23:03 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c27f6232
Update the rtkit module
Update the rtkit daemon module so that the daemon can be started.
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/rtkit.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/rtkit.te b/policy/modules/contrib/rtkit.te
index d6390c7..2e8ac03 100644
--- a/policy/modules/contrib/rtkit.te
+++ b/policy/modules/contrib/rtkit.te
@@ -20,7 +20,7 @@ init_unit_file(rtkit_daemon_unit_t)
# Local policy
#
-allow rtkit_daemon_t self:capability { dac_read_search setuid sys_chroot setgid sys_nice sys_ptrace };
+allow rtkit_daemon_t self:capability { dac_read_search setgid setpcap setuid sys_chroot sys_nice sys_ptrace };
allow rtkit_daemon_t self:process { setsched getcap setcap setrlimit };
kernel_read_system_state(rtkit_daemon_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-07-31 10:38 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2016-07-31 10:38 UTC (permalink / raw
To: gentoo-commits
commit: a6f544e3a81cd674dc4bbda69ac49862a0796e7e
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Jul 30 20:25:05 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Jul 31 10:37:38 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a6f544e3
Boinc updates from Russell Coker.
policy/modules/contrib/boinc.fc | 4 ++++
policy/modules/contrib/boinc.te | 15 +++++++++++++--
2 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/boinc.fc b/policy/modules/contrib/boinc.fc
index 6d3ccad..e1e53a6 100644
--- a/policy/modules/contrib/boinc.fc
+++ b/policy/modules/contrib/boinc.fc
@@ -1,9 +1,13 @@
+/etc/boinc-client/global_prefs_override.xml -- gen_context(system_u:object_r:boinc_var_lib_t,s0)
/etc/rc\.d/init\.d/boinc-client -- gen_context(system_u:object_r:boinc_initrc_exec_t,s0)
+/usr/bin/boinc -- gen_context(system_u:object_r:boinc_exec_t,s0)
/usr/bin/boinc_client -- gen_context(system_u:object_r:boinc_exec_t,s0)
/var/lib/boinc(/.*)? gen_context(system_u:object_r:boinc_var_lib_t,s0)
+/var/lib/boinc-client(/.*)? gen_context(system_u:object_r:boinc_var_lib_t,s0)
/var/lib/boinc/projects(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
/var/lib/boinc/slots(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
/var/log/boinc\.log.* -- gen_context(system_u:object_r:boinc_log_t,s0)
+/var/log/boincerr\.log.* -- gen_context(system_u:object_r:boinc_log_t,s0)
diff --git a/policy/modules/contrib/boinc.te b/policy/modules/contrib/boinc.te
index c24cb7b..58468ea 100644
--- a/policy/modules/contrib/boinc.te
+++ b/policy/modules/contrib/boinc.te
@@ -1,4 +1,4 @@
-policy_module(boinc, 1.3.0)
+policy_module(boinc, 1.3.1)
########################################
#
@@ -54,6 +54,8 @@ allow boinc_t self:shm create_shm_perms;
allow boinc_t self:fifo_file rw_fifo_file_perms;
allow boinc_t self:sem create_sem_perms;
+can_exec(boinc_t, boinc_exec_t)
+
manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
manage_files_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file })
@@ -71,12 +73,13 @@ manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir, "slots")
filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir, "projects")
-append_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
+manage_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
create_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
setattr_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
logging_log_filetrans(boinc_t, boinc_log_t, file)
can_exec(boinc_t, boinc_var_lib_t)
+libs_exec_lib_files(boinc_t)
domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)
@@ -188,8 +191,16 @@ corenet_sendrecv_boinc_client_packets(boinc_project_t)
corenet_tcp_connect_boinc_port(boinc_project_t)
corenet_tcp_sendrecv_boinc_port(boinc_project_t)
+dev_getattr_input_dev(boinc_t)
+dev_getattr_mouse_dev(boinc_t)
+
files_dontaudit_search_home(boinc_project_t)
+term_getattr_ptmx(boinc_t)
+term_getattr_generic_ptys(boinc_t)
+
+userdom_getattr_user_ttys(boinc_t)
+
optional_policy(`
java_exec(boinc_project_t)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-07-31 10:38 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2016-07-31 10:38 UTC (permalink / raw
To: gentoo-commits
commit: eb7f919fae509df9aa4f003cd69208e62346c92b
Author: Dominick Grift <dac.override <AT> gmail <DOT> com>
AuthorDate: Thu Jul 28 19:44:46 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Jul 31 10:37:35 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=eb7f919f
Revert "dbus: allow system, and session bus clients to answer to dbus unconfined domains"
Is considered a "security hole"
This reverts commit 6bef7a14757124c56fadc08c255e9dd6c29a15f9.
policy/modules/contrib/dbus.te | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index 0f1d8a7..255b860 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -260,5 +260,5 @@ optional_policy(`
# Unconfined access to this module
#
-allow dbusd_unconfined { system_dbusd_t session_bus_type dbusd_session_bus_client dbusd_system_bus_client }:dbus all_dbus_perms;
-allow { dbusd_session_bus_client dbusd_system_bus_client } dbusd_unconfined:dbus send_msg;
+allow dbusd_unconfined { dbusd_session_bus_client dbusd_system_bus_client }:dbus send_msg;
+allow dbusd_unconfined { system_dbusd_t session_bus_type }:dbus all_dbus_perms;
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2016-07-03 11:34 Sven Vermeulen
2016-07-03 11:33 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
0 siblings, 1 reply; 1958+ messages in thread
From: Sven Vermeulen @ 2016-07-03 11:34 UTC (permalink / raw
To: gentoo-commits
commit: 709b6e9e94a450359fd8b9cd93e222b26a13faf3
Author: Dominick Grift <dac.override <AT> gmail <DOT> com>
AuthorDate: Tue Jun 21 13:36:04 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Jul 3 11:32:29 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=709b6e9e
Module version bump for changes to the certmonger module by Adam Tkac
policy/modules/contrib/certmonger.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/certmonger.te b/policy/modules/contrib/certmonger.te
index 034ffa3..cfbb41c 100644
--- a/policy/modules/contrib/certmonger.te
+++ b/policy/modules/contrib/certmonger.te
@@ -1,4 +1,4 @@
-policy_module(certmonger, 1.3.0)
+policy_module(certmonger, 1.3.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2016-07-03 11:34 Sven Vermeulen
2016-07-03 11:33 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
0 siblings, 1 reply; 1958+ messages in thread
From: Sven Vermeulen @ 2016-07-03 11:34 UTC (permalink / raw
To: gentoo-commits
commit: 9771f955615ba799aa321147a1730dda60e99a00
Author: Adam Tkac <adam.tkac <AT> gooddata <DOT> com>
AuthorDate: Tue Jun 21 13:08:33 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Jul 3 11:32:26 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9771f955
Grant certmonger "chown" capability
After autorenewal of the certificate, "chown" capability is needed
to change certificate user/group to daemon's user/group.
policy/modules/contrib/certmonger.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/certmonger.te b/policy/modules/contrib/certmonger.te
index 7c3126e..034ffa3 100644
--- a/policy/modules/contrib/certmonger.te
+++ b/policy/modules/contrib/certmonger.te
@@ -23,7 +23,7 @@ files_pid_file(certmonger_var_run_t)
# Local policy
#
-allow certmonger_t self:capability { dac_override dac_read_search setgid setuid kill sys_nice };
+allow certmonger_t self:capability { chown dac_override dac_read_search setgid setuid kill sys_nice };
dontaudit certmonger_t self:capability sys_tty_config;
allow certmonger_t self:capability2 block_suspend;
allow certmonger_t self:process { getsched setsched sigkill signal };
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2016-07-03 11:34 [gentoo-commits] proj/hardened-refpolicy:swift " Sven Vermeulen
@ 2016-07-03 11:33 ` Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2016-07-03 11:33 UTC (permalink / raw
To: gentoo-commits
commit: 9771f955615ba799aa321147a1730dda60e99a00
Author: Adam Tkac <adam.tkac <AT> gooddata <DOT> com>
AuthorDate: Tue Jun 21 13:08:33 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Jul 3 11:32:26 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9771f955
Grant certmonger "chown" capability
After autorenewal of the certificate, "chown" capability is needed
to change certificate user/group to daemon's user/group.
policy/modules/contrib/certmonger.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/certmonger.te b/policy/modules/contrib/certmonger.te
index 7c3126e..034ffa3 100644
--- a/policy/modules/contrib/certmonger.te
+++ b/policy/modules/contrib/certmonger.te
@@ -23,7 +23,7 @@ files_pid_file(certmonger_var_run_t)
# Local policy
#
-allow certmonger_t self:capability { dac_override dac_read_search setgid setuid kill sys_nice };
+allow certmonger_t self:capability { chown dac_override dac_read_search setgid setuid kill sys_nice };
dontaudit certmonger_t self:capability sys_tty_config;
allow certmonger_t self:capability2 block_suspend;
allow certmonger_t self:process { getsched setsched sigkill signal };
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2016-07-03 11:34 Sven Vermeulen
2016-07-03 11:33 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
0 siblings, 1 reply; 1958+ messages in thread
From: Sven Vermeulen @ 2016-07-03 11:34 UTC (permalink / raw
To: gentoo-commits
commit: 07331fb3d60421f02d1fc698e1a92f894e4c4d2c
Author: Dominick Grift <dac.override <AT> gmail <DOT> com>
AuthorDate: Thu Jun 16 14:48:33 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Jul 3 11:32:25 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=07331fb3
Module version bump for changes to the varnishd module by Adam Tkac
policy/modules/contrib/varnishd.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/varnishd.te b/policy/modules/contrib/varnishd.te
index 2bdabca..9d24d0d 100644
--- a/policy/modules/contrib/varnishd.te
+++ b/policy/modules/contrib/varnishd.te
@@ -1,4 +1,4 @@
-policy_module(varnishd, 1.3.1)
+policy_module(varnishd, 1.3.2)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2016-07-03 11:34 Sven Vermeulen
2016-06-04 11:01 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
0 siblings, 1 reply; 1958+ messages in thread
From: Sven Vermeulen @ 2016-07-03 11:34 UTC (permalink / raw
To: gentoo-commits
commit: c4542a5345afd96cf1cb19ec5dc23fd7bfa17171
Author: Sven Vermeulen <swift <AT> gentoo <DOT> org>
AuthorDate: Sat Jun 4 11:00:55 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Jun 4 11:00:55 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c4542a53
Add in xdg_runtime_home_type attribute for now
policy/modules/contrib/xdg.te | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/policy/modules/contrib/xdg.te b/policy/modules/contrib/xdg.te
index 1cc9311..5ec1a12 100644
--- a/policy/modules/contrib/xdg.te
+++ b/policy/modules/contrib/xdg.te
@@ -11,6 +11,13 @@ attribute xdg_config_home_type;
attribute xdg_cache_home_type;
+# Not used but keep this at least two releases
+# We have noticed that the userdom_manage_home_role call to the xdg functions
+# seems to fail due to this attribute type not existing anymore while the
+# build seems to still require it. By waiting a couple of releases we can be more
+# confident that no calls to xdg_runtime_* are used anymore.
+attribute xdg_runtime_home_type;
+
type xdg_data_home_t;
xdg_data_home_content(xdg_data_home_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2016-07-03 11:34 [gentoo-commits] proj/hardened-refpolicy:swift " Sven Vermeulen
@ 2016-06-04 11:01 ` Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2016-06-04 11:01 UTC (permalink / raw
To: gentoo-commits
commit: c4542a5345afd96cf1cb19ec5dc23fd7bfa17171
Author: Sven Vermeulen <swift <AT> gentoo <DOT> org>
AuthorDate: Sat Jun 4 11:00:55 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Jun 4 11:00:55 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c4542a53
Add in xdg_runtime_home_type attribute for now
policy/modules/contrib/xdg.te | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/policy/modules/contrib/xdg.te b/policy/modules/contrib/xdg.te
index 1cc9311..5ec1a12 100644
--- a/policy/modules/contrib/xdg.te
+++ b/policy/modules/contrib/xdg.te
@@ -11,6 +11,13 @@ attribute xdg_config_home_type;
attribute xdg_cache_home_type;
+# Not used but keep this at least two releases
+# We have noticed that the userdom_manage_home_role call to the xdg functions
+# seems to fail due to this attribute type not existing anymore while the
+# build seems to still require it. By waiting a couple of releases we can be more
+# confident that no calls to xdg_runtime_* are used anymore.
+attribute xdg_runtime_home_type;
+
type xdg_data_home_t;
xdg_data_home_content(xdg_data_home_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-07-03 11:33 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2016-07-03 11:33 UTC (permalink / raw
To: gentoo-commits
commit: 668f0a09ac93f5791925ec3d52d5e3831911f6c0
Author: Dominick Grift <dac.override <AT> gmail <DOT> com>
AuthorDate: Tue Jun 14 11:14:37 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Jul 3 11:32:21 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=668f0a09
Module version bump for changes to the puppet module by Thomas Mueller
Move optional block as per style guide
policy/modules/contrib/puppet.te | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/policy/modules/contrib/puppet.te b/policy/modules/contrib/puppet.te
index adda09f..4516018 100644
--- a/policy/modules/contrib/puppet.te
+++ b/policy/modules/contrib/puppet.te
@@ -1,4 +1,4 @@
-policy_module(puppet, 1.6.0)
+policy_module(puppet, 1.6.1)
########################################
#
@@ -192,16 +192,16 @@ optional_policy(`
')
optional_policy(`
- unconfined_domain(puppet_t)
+ shorewall_domtrans(puppet_t)
')
optional_policy(`
- usermanage_domtrans_groupadd(puppet_t)
- usermanage_domtrans_useradd(puppet_t)
+ unconfined_domain(puppet_t)
')
optional_policy(`
- shorewall_domtrans(puppet_t)
+ usermanage_domtrans_groupadd(puppet_t)
+ usermanage_domtrans_useradd(puppet_t)
')
########################################
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-07-03 11:33 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2016-07-03 11:33 UTC (permalink / raw
To: gentoo-commits
commit: f8f9f2766a60566938e58cdb0fbd292a6c26be2b
Author: Adam Tkac <adam.tkac <AT> gooddata <DOT> com>
AuthorDate: Thu Jun 16 14:34:57 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Jul 3 11:32:23 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f8f9f276
varnishncsa (varnishlog_t) reads localization files
policy/modules/contrib/varnishd.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/contrib/varnishd.te b/policy/modules/contrib/varnishd.te
index c928b0c..2bdabca 100644
--- a/policy/modules/contrib/varnishd.te
+++ b/policy/modules/contrib/varnishd.te
@@ -138,3 +138,5 @@ logging_log_filetrans(varnishlog_t, varnishlog_log_t, { file dir })
read_files_pattern(varnishlog_t, varnishd_var_lib_t, varnishd_var_lib_t)
files_search_var_lib(varnishlog_t)
+
+miscfiles_read_localization(varnishlog_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-07-03 11:33 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2016-07-03 11:33 UTC (permalink / raw
To: gentoo-commits
commit: 82c3d44842260d9dc33d3ef3e813220d798e09a1
Author: Thomas Mueller <thomas <AT> chaschperli <DOT> ch>
AuthorDate: Thu Jun 9 11:14:05 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Jul 3 11:32:17 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=82c3d448
Allow puppet_t transtition to shorewall_t
If puppet executes /sbin/shorewall it won't transition to
shorewall_t and create log files with puppet_log_t context
instead of shorewall_log_t. If service is then managed by
init (sysv/systemd) it will fail to start.
If puppet_t is allowed to transtition to shorewall_t the
logfile will get the correct shorewall_log_t type.
policy/modules/contrib/puppet.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/puppet.te b/policy/modules/contrib/puppet.te
index 5fd4c8b..adda09f 100644
--- a/policy/modules/contrib/puppet.te
+++ b/policy/modules/contrib/puppet.te
@@ -200,6 +200,10 @@ optional_policy(`
usermanage_domtrans_useradd(puppet_t)
')
+optional_policy(`
+ shorewall_domtrans(puppet_t)
+')
+
########################################
#
# Ca local policy
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-06-02 8:43 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-06-02 8:43 UTC (permalink / raw
To: gentoo-commits
commit: 26b2b23e8495e24a12fb6e997567e52a8276d820
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Jun 2 08:41:34 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Jun 2 08:42:06 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=26b2b23e
pulseaudio: quote in comment throws a warning
Compiling mcs pulseaudio module
/usr/bin/checkmodule: loading policy configuration from tmp/pulseaudio.tmp
pulseaudio.te:264:WARNING 'unrecognized character' at token ''' on line 14411:
line 264
'
pulseaudio.te:264:WARNING 'unrecognized character' at token ''' on line 14411:
'
line 264
policy/modules/contrib/pulseaudio.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index 28dc672..118c86a 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -283,7 +283,7 @@ ifdef(`distro_gentoo',`
# /tmp/pulse-* gets created by the clients usually as user_tmp_t, bug 556526
userdom_list_user_tmp(pulseaudio_client)
- # pulse 7 uses fd's
+ # pulse 7 uses fds
allow pulseaudio_client pulseaudio_t:fd use;
allow pulseaudio_client pulseaudio_tmpfs_t:file rw_file_perms;
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-06-02 6:32 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-06-02 6:32 UTC (permalink / raw
To: gentoo-commits
commit: 255513c25cb98f86dafc7c5ed9f18a8fe77cffdd
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Jun 1 16:12:43 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Jun 1 18:33:54 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=255513c2
userhelper: Add filetrans from user_runtime
policy/modules/contrib/userhelper.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/userhelper.te b/policy/modules/contrib/userhelper.te
index 8dadb4b..661f841 100644
--- a/policy/modules/contrib/userhelper.te
+++ b/policy/modules/contrib/userhelper.te
@@ -68,6 +68,7 @@ userdom_use_user_terminals(consolehelper_type)
userdom_manage_user_tmp_dirs(consolehelper_type)
userdom_manage_user_tmp_files(consolehelper_type)
userdom_tmp_filetrans_user_tmp(consolehelper_type, { dir file })
+userdom_user_runtime_filetrans_user_tmp(consolehelper_type, { dir file })
tunable_policy(`use_nfs_home_dirs',`
fs_search_nfs(consolehelper_type)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-06-02 6:32 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-06-02 6:32 UTC (permalink / raw
To: gentoo-commits
commit: 535e8c89d35bbf6812f73377a771348b99c2d2f6
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Jun 1 16:12:40 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Jun 1 18:32:45 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=535e8c89
ftp: Add filetrans from user_runtime
policy/modules/contrib/ftp.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/ftp.te b/policy/modules/contrib/ftp.te
index 774bc9e..ed82117 100644
--- a/policy/modules/contrib/ftp.te
+++ b/policy/modules/contrib/ftp.te
@@ -318,9 +318,11 @@ tunable_policy(`ftp_home_dir',`
userdom_manage_user_tmp_dirs(ftpd_t)
userdom_manage_user_tmp_files(ftpd_t)
userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file })
+ userdom_user_runtime_filetrans_user_tmp(ftpd_t, { dir file })
',`
userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file })
userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file })
+ userdom_user_runtime_filetrans_user_tmp(ftpd_t, { dir file })
')
tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
@@ -457,9 +459,11 @@ tunable_policy(`sftpd_enable_homedirs',`
userdom_manage_user_tmp_dirs(sftpd_t)
userdom_manage_user_tmp_files(sftpd_t)
userdom_tmp_filetrans_user_tmp(sftpd_t, { dir file })
+ userdom_user_runtime_filetrans_user_tmp(sftpd_t, { dir file })
',`
userdom_user_home_dir_filetrans_user_home_content(sftpd_t, { dir file })
userdom_tmp_filetrans_user_tmp(sftpd_t, { dir file })
+ userdom_user_runtime_filetrans_user_tmp(sftpd_t, { dir file })
')
tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-06-02 6:32 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-06-02 6:32 UTC (permalink / raw
To: gentoo-commits
commit: 36f1ab96596386a988fbb35f992132ca32d4cb10
Author: Robert Moucha <robert.moucha <AT> gooddata <DOT> com>
AuthorDate: Fri May 27 07:11:04 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Jun 1 18:31:01 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=36f1ab96
Fix trivial typo in varnishncsa name
policy/modules/contrib/varnishd.fc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/varnishd.fc b/policy/modules/contrib/varnishd.fc
index 19bdce3..f8bcce9 100644
--- a/policy/modules/contrib/varnishd.fc
+++ b/policy/modules/contrib/varnishd.fc
@@ -5,7 +5,7 @@
/etc/varnish(/.*)? gen_context(system_u:object_r:varnishd_etc_t,s0)
/usr/bin/varnishlog -- gen_context(system_u:object_r:varnishlog_exec_t,s0)
-/usr/bin/varnisncsa -- gen_context(system_u:object_r:varnishlog_exec_t,s0)
+/usr/bin/varnishncsa -- gen_context(system_u:object_r:varnishlog_exec_t,s0)
/usr/sbin/varnishd -- gen_context(system_u:object_r:varnishd_exec_t,s0)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-06-02 6:32 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-06-02 6:32 UTC (permalink / raw
To: gentoo-commits
commit: b7e2a4f799c46cfe27dbeb3111e18c3186a2a61c
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Wed Jun 1 17:33:33 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Jun 1 18:33:54 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b7e2a4f7
Module version bumps for user runtime fixes from Jason Zaman.
policy/modules/contrib/consolekit.te | 2 +-
policy/modules/contrib/ftp.te | 2 +-
policy/modules/contrib/gnome.te | 2 +-
policy/modules/contrib/mplayer.te | 2 +-
policy/modules/contrib/pulseaudio.te | 2 +-
policy/modules/contrib/userhelper.te | 2 +-
policy/modules/contrib/wm.te | 2 +-
7 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/policy/modules/contrib/consolekit.te b/policy/modules/contrib/consolekit.te
index e02e105..a3fd0bf 100644
--- a/policy/modules/contrib/consolekit.te
+++ b/policy/modules/contrib/consolekit.te
@@ -1,4 +1,4 @@
-policy_module(consolekit, 1.10.0)
+policy_module(consolekit, 1.10.1)
########################################
#
diff --git a/policy/modules/contrib/ftp.te b/policy/modules/contrib/ftp.te
index ed82117..d143280 100644
--- a/policy/modules/contrib/ftp.te
+++ b/policy/modules/contrib/ftp.te
@@ -1,4 +1,4 @@
-policy_module(ftp, 1.18.0)
+policy_module(ftp, 1.18.1)
########################################
#
diff --git a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te
index 503fc7f..dd6ac04 100644
--- a/policy/modules/contrib/gnome.te
+++ b/policy/modules/contrib/gnome.te
@@ -1,4 +1,4 @@
-policy_module(gnome, 2.5.0)
+policy_module(gnome, 2.5.1)
##############################
#
diff --git a/policy/modules/contrib/mplayer.te b/policy/modules/contrib/mplayer.te
index 20e449e..26ff9aa 100644
--- a/policy/modules/contrib/mplayer.te
+++ b/policy/modules/contrib/mplayer.te
@@ -1,4 +1,4 @@
-policy_module(mplayer, 2.5.0)
+policy_module(mplayer, 2.5.1)
########################################
#
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index 94b7ef4..28dc672 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -1,4 +1,4 @@
-policy_module(pulseaudio, 1.8.0)
+policy_module(pulseaudio, 1.8.1)
########################################
#
diff --git a/policy/modules/contrib/userhelper.te b/policy/modules/contrib/userhelper.te
index 661f841..8a0dc1d 100644
--- a/policy/modules/contrib/userhelper.te
+++ b/policy/modules/contrib/userhelper.te
@@ -1,4 +1,4 @@
-policy_module(userhelper, 1.9.0)
+policy_module(userhelper, 1.9.1)
########################################
#
diff --git a/policy/modules/contrib/wm.te b/policy/modules/contrib/wm.te
index a477a16..02329e0 100644
--- a/policy/modules/contrib/wm.te
+++ b/policy/modules/contrib/wm.te
@@ -1,4 +1,4 @@
-policy_module(wm, 1.4.0)
+policy_module(wm, 1.4.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-06-02 6:32 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-06-02 6:32 UTC (permalink / raw
To: gentoo-commits
commit: e830cfda08709f50e13176b45de8c801cb155cff
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Jun 1 16:12:38 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Jun 1 18:31:01 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e830cfda
consolekit: allow managing user runtime
policy/modules/contrib/consolekit.te | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/consolekit.te b/policy/modules/contrib/consolekit.te
index cd02890..e02e105 100644
--- a/policy/modules/contrib/consolekit.te
+++ b/policy/modules/contrib/consolekit.te
@@ -24,8 +24,8 @@ init_daemon_pid_file(consolekit_var_run_t, dir, "ConsoleKit")
# Local policy
#
-allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice sys_ptrace };
-allow consolekit_t self:process { getsched signal };
+allow consolekit_t self:capability { chown fowner setuid setgid sys_admin sys_tty_config dac_override sys_nice sys_ptrace };
+allow consolekit_t self:process { getsched signal setfscreate };
allow consolekit_t self:fifo_file rw_fifo_file_perms;
allow consolekit_t self:unix_stream_socket { accept listen };
@@ -61,9 +61,15 @@ files_read_var_lib_files(consolekit_t)
files_search_all_mountpoints(consolekit_t)
fs_list_inotifyfs(consolekit_t)
+fs_mount_tmpfs(consolekit_t)
+fs_unmount_tmpfs(consolekit_t)
+fs_relabelfrom_tmpfs(consolekit_t)
mcs_ptrace_all(consolekit_t)
+seutil_libselinux_linked(consolekit_t)
+seutil_read_file_contexts(consolekit_t)
+
term_use_all_terms(consolekit_t)
auth_use_nsswitch(consolekit_t)
@@ -79,6 +85,12 @@ miscfiles_read_localization(consolekit_t)
userdom_dontaudit_read_user_home_content_files(consolekit_t)
userdom_read_user_tmp_files(consolekit_t)
+userdom_manage_user_runtime_root_dirs(consolekit_t)
+userdom_manage_user_runtime_dirs(consolekit_t)
+userdom_mounton_user_runtime_dirs(consolekit_t)
+userdom_relabelto_user_runtime_dirs(consolekit_t)
+userdom_pid_filetrans_user_runtime_root(consolekit_t, dir, "user")
+userdom_user_runtime_root_filetrans_user_runtime(consolekit_t, dir)
tunable_policy(`use_nfs_home_dirs',`
fs_read_nfs_files(consolekit_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-06-02 6:32 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-06-02 6:32 UTC (permalink / raw
To: gentoo-commits
commit: 922ba515cf8c8c362fb2206e60720821850ba434
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Jun 1 16:12:41 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Jun 1 18:32:45 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=922ba515
gnome: Add filetrans from user_runtime
policy/modules/contrib/gnome.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te
index cd9fcd7..503fc7f 100644
--- a/policy/modules/contrib/gnome.te
+++ b/policy/modules/contrib/gnome.te
@@ -89,6 +89,7 @@ userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file })
userdom_manage_user_tmp_dirs(gconfd_t)
userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
+userdom_user_runtime_filetrans_user_tmp(gconfd_t, dir)
optional_policy(`
dbus_all_session_domain(gconfd_t, gconfd_exec_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-06-02 6:32 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-06-02 6:32 UTC (permalink / raw
To: gentoo-commits
commit: ce114e3bf1cfed985e1ce2c22156a7c4c9957fa8
Author: Dominick Grift <dac.override <AT> gmail <DOT> com>
AuthorDate: Fri May 27 07:19:43 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Jun 1 18:31:01 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ce114e3b
Module version bump for changes to the varnishd module by Robert Moucha
policy/modules/contrib/varnishd.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/varnishd.te b/policy/modules/contrib/varnishd.te
index 05f1042..c928b0c 100644
--- a/policy/modules/contrib/varnishd.te
+++ b/policy/modules/contrib/varnishd.te
@@ -1,4 +1,4 @@
-policy_module(varnishd, 1.3.0)
+policy_module(varnishd, 1.3.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-06-02 6:32 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-06-02 6:32 UTC (permalink / raw
To: gentoo-commits
commit: ccd334f66ed8b61c6fc43223ff504a9511eab158
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Jun 1 16:12:39 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Jun 1 18:32:45 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ccd334f6
pulseaudio: fcontext and filetrans for runtime
policy/modules/contrib/pulseaudio.fc | 1 +
policy/modules/contrib/pulseaudio.te | 7 ++++++-
2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/pulseaudio.fc b/policy/modules/contrib/pulseaudio.fc
index 9cc63f6..cde5a80 100644
--- a/policy/modules/contrib/pulseaudio.fc
+++ b/policy/modules/contrib/pulseaudio.fc
@@ -7,6 +7,7 @@ HOME_DIR/\.pulse-cookie -- gen_context(system_u:object_r:pulseaudio_home_t,s0)
/var/lib/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0)
/var/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0)
+/var/run/%{USERID}/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_tmp_t,s0)
ifdef(`distro_gentoo',`
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index 9b8d84e..94b7ef4 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -56,6 +56,7 @@ manage_dirs_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
manage_files_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
manage_sock_files_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
files_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, dir)
+userdom_user_runtime_filetrans(pulseaudio_t, pulseaudio_tmp_t, dir)
userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file, "autospawn.lock")
userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file, "pid")
userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, sock_file, "dbus-socket")
@@ -203,8 +204,11 @@ optional_policy(`
#
allow pulseaudio_client self:unix_dgram_socket sendto;
+allow pulseaudio_client self:process signull;
-allow pulseaudio_client pulseaudio_client:process signull;
+allow pulseaudio_client pulseaudio_tmp_t:dir manage_dir_perms;
+allow pulseaudio_client pulseaudio_tmp_t:file manage_file_perms;
+allow pulseaudio_client pulseaudio_tmp_t:sock_file manage_sock_file_perms;
read_files_pattern(pulseaudio_client, { pulseaudio_tmpfsfile pulseaudio_tmpfs_t }, { pulseaudio_tmpfsfile pulseaudio_tmpfs_t })
delete_files_pattern(pulseaudio_client, pulseaudio_tmpfsfile, pulseaudio_tmpfsfile)
@@ -228,6 +232,7 @@ pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, file, ".pulse-cooki
pulseaudio_signull(pulseaudio_client)
userdom_read_user_tmpfs_files(pulseaudio_client)
+userdom_user_runtime_filetrans(pulseaudio_client, pulseaudio_tmp_t, dir, "pulse")
# userdom_delete_user_tmpfs_files(pulseaudio_client)
tunable_policy(`use_nfs_home_dirs',`
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-06-02 6:32 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-06-02 6:32 UTC (permalink / raw
To: gentoo-commits
commit: 0833adc9776e69a4e5305b0e92f35c0bee9aff67
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Jun 1 16:12:44 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Jun 1 18:33:54 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0833adc9
wm: Add filetrans from user_runtime
policy/modules/contrib/wm.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/wm.te b/policy/modules/contrib/wm.te
index a3861e9..a477a16 100644
--- a/policy/modules/contrib/wm.te
+++ b/policy/modules/contrib/wm.te
@@ -40,6 +40,7 @@ miscfiles_read_localization(wm_domain)
userdom_manage_user_tmp_sockets(wm_domain)
userdom_tmp_filetrans_user_tmp(wm_domain, sock_file)
+userdom_user_runtime_filetrans_user_tmp(wm_domain, sock_file)
userdom_manage_user_home_content_dirs(wm_domain)
userdom_manage_user_home_content_files(wm_domain)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-06-02 6:32 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-06-02 6:32 UTC (permalink / raw
To: gentoo-commits
commit: 9301c1e54d143b570060e515d9fbf7e290de9eae
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Jun 1 16:12:42 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Jun 1 18:33:54 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9301c1e5
mplayer: Add filetrans from user_runtime
policy/modules/contrib/mplayer.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/mplayer.te b/policy/modules/contrib/mplayer.te
index 5ebba47..20e449e 100644
--- a/policy/modules/contrib/mplayer.te
+++ b/policy/modules/contrib/mplayer.te
@@ -95,6 +95,7 @@ userdom_use_user_terminals(mencoder_t)
userdom_manage_user_tmp_dirs(mencoder_t)
userdom_manage_user_tmp_files(mencoder_t)
userdom_tmp_filetrans_user_tmp(mplayer_t, { dir file })
+userdom_user_runtime_filetrans_user_tmp(mplayer_t, { dir file })
userdom_manage_user_home_content_dirs(mencoder_t)
userdom_manage_user_home_content_files(mencoder_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-06-02 6:32 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-06-02 6:32 UTC (permalink / raw
To: gentoo-commits
commit: 5dfc639be3e5d743bde058870d79f0b811d57111
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Mon May 16 13:13:20 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Jun 1 18:31:01 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5dfc639b
Module version bump for collectd update from Jason Zaman.
policy/modules/contrib/collectd.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/collectd.te b/policy/modules/contrib/collectd.te
index 245ccb8..cb20d84 100644
--- a/policy/modules/contrib/collectd.te
+++ b/policy/modules/contrib/collectd.te
@@ -1,4 +1,4 @@
-policy_module(collectd, 1.1.0)
+policy_module(collectd, 1.1.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-06-02 6:32 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-06-02 6:32 UTC (permalink / raw
To: gentoo-commits
commit: f12de0b19c036031fc7492d133af928d86be1913
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Fri May 13 13:08:17 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Jun 1 18:31:01 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f12de0b1
collectd: update policy for 5.5
The ping module can use cap_net_raw instead of being suid.
Has a pid dir instead of file now.
A few accesses so that it can collect stats.
policy/modules/contrib/collectd.fc | 1 +
policy/modules/contrib/collectd.te | 9 +++++++--
2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/collectd.fc b/policy/modules/contrib/collectd.fc
index 79a3abe..58ac4e8 100644
--- a/policy/modules/contrib/collectd.fc
+++ b/policy/modules/contrib/collectd.fc
@@ -5,5 +5,6 @@
/var/lib/collectd(/.*)? gen_context(system_u:object_r:collectd_var_lib_t,s0)
/var/run/collectd\.pid -- gen_context(system_u:object_r:collectd_var_run_t,s0)
+/var/run/collectd(/.*)? gen_context(system_u:object_r:collectd_var_run_t,s0)
/usr/share/collectd/collection3/bin/.*\.cgi -- gen_context(system_u:object_r:httpd_collectd_script_exec_t,s0)
diff --git a/policy/modules/contrib/collectd.te b/policy/modules/contrib/collectd.te
index 0dfb1c5..245ccb8 100644
--- a/policy/modules/contrib/collectd.te
+++ b/policy/modules/contrib/collectd.te
@@ -33,10 +33,11 @@ apache_content_template(collectd)
# Local policy
#
-allow collectd_t self:capability { ipc_lock sys_nice };
+allow collectd_t self:capability { ipc_lock net_raw sys_nice };
allow collectd_t self:process { getsched setsched signal };
allow collectd_t self:fifo_file rw_fifo_file_perms;
allow collectd_t self:packet_socket create_socket_perms;
+allow collectd_t self:rawip_socket create_socket_perms;
allow collectd_t self:unix_stream_socket { accept listen };
manage_dirs_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t)
@@ -44,10 +45,12 @@ manage_files_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t)
files_var_lib_filetrans(collectd_t, collectd_var_lib_t, dir)
manage_files_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t)
-files_pid_filetrans(collectd_t, collectd_var_run_t, file)
+manage_dirs_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t)
+files_pid_filetrans(collectd_t, collectd_var_run_t, { dir file })
domain_use_interactive_fds(collectd_t)
+kernel_read_kernel_sysctls(collectd_t)
kernel_read_network_state(collectd_t)
kernel_read_net_sysctls(collectd_t)
kernel_read_system_state(collectd_t)
@@ -62,6 +65,8 @@ files_read_usr_files(collectd_t)
fs_getattr_all_fs(collectd_t)
+init_read_utmp(collectd_t)
+
miscfiles_read_localization(collectd_t)
logging_send_syslog_msg(collectd_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-05-13 5:37 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-05-13 5:37 UTC (permalink / raw
To: gentoo-commits
commit: 7d05690ceeb7213d6854fa1b4f5599f7c76b335a
Author: Dominick Grift <dac.override <AT> gmail <DOT> com>
AuthorDate: Thu Apr 28 10:02:04 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri May 13 04:50:47 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7d05690c
Add hwloc-dump-hwdata SELinux policy
The Portable Hardware Locality (hwloc) software package
provides a portable abstraction (across OS, versions, architectures, ...)
of the hierarchical topology of modern architectures,
including NUMA memory nodes, sockets, shared caches,
cores and simultaneous multithreading.
It also gathers various system attributes such as cache and memory information
as well as the locality of I/O devices such as network interfaces,
InfiniBand HCAs or GPUs.
New hwloc utility (hwloc-dump-hwdata) reads firmware entries and generates
intermediate files to be used later by hwloc utils.
This cannot be done when MLS is in enforicing mode because SELinux blocks
access to var_run_t for user_t.
The policy does the following:
- adds hwloc_dhwd_exec_t type for hwloc-dump-hwdata executable
- adds hwloc_dhwd_t system domain with entry point in
hwloc_dhwd_exec_t
- allows hwloc_dhwd_exec_t to be run as application
- allows hwloc_dhwd_t access sysfs
- allows hwloc_dhwd_t to create dir and file in /var/run
- makes transition for hwloc-dump-hwdata output file from var_run_t to
var_t.
The data is derived from proprietary SMBIOS entries containing MCDRAM memory
side cache configuration : cache size, associativity, inclusiveness and
line size.
V3:
Add hwloc_admin()
Remove hwloc_manage_runtime()
Add hwloc_dhwd_unit_t
Rename run, domtrans and exec interfaces
Signed-off-by: Dominick Grift <dac.override <AT> gmail.com>
policy/modules/contrib/hwloc.fc | 5 ++
policy/modules/contrib/hwloc.if | 106 ++++++++++++++++++++++++++++++++++++++++
policy/modules/contrib/hwloc.te | 31 ++++++++++++
3 files changed, 142 insertions(+)
diff --git a/policy/modules/contrib/hwloc.fc b/policy/modules/contrib/hwloc.fc
new file mode 100644
index 0000000..d0c5a15
--- /dev/null
+++ b/policy/modules/contrib/hwloc.fc
@@ -0,0 +1,5 @@
+/usr/sbin/hwloc-dump-hwdata -- gen_context(system_u:object_r:hwloc_dhwd_exec_t,s0)
+
+/usr/lib/systemd/system/hwloc-dump-hwdata.* -- gen_context(system_u:object_r:hwloc_dhwd_unit_t,s0)
+
+/var/run/hwloc(/.*)? gen_context(system_u:object_r:hwloc_var_run_t,s0)
diff --git a/policy/modules/contrib/hwloc.if b/policy/modules/contrib/hwloc.if
new file mode 100644
index 0000000..c2349ec
--- /dev/null
+++ b/policy/modules/contrib/hwloc.if
@@ -0,0 +1,106 @@
+## <summary>Dump topology and locality information from hardware tables.</summary>
+
+########################################
+## <summary>
+## Execute hwloc dhwd in the hwloc dhwd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`hwloc_domtrans_dhwd',`
+ gen_require(`
+ type hwloc_dhwd_t, hwloc_dhwd_exec_t;
+ ')
+
+ domtrans_pattern($1, hwloc_dhwd_exec_t, hwloc_dhwd_t)
+')
+
+########################################
+## <summary>
+## Execute hwloc dhwd in the hwloc dhwd domain, and
+## allow the specified role the hwloc dhwd domain,
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`hwloc_run_dhwd',`
+ gen_require(`
+ attribute_role hwloc_dhwd_roles;
+ ')
+
+ hwloc_domtrans_dhwd($1)
+ roleattribute $2 hwloc_dhwd_roles;
+')
+
+########################################
+## <summary>
+## Execute hwloc dhwd in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hwloc_exec_dhwd',`
+ gen_require(`
+ type hwloc_dhwd_exec_t;
+ ')
+
+ can_exec($1, hwloc_dhwd_exec_t)
+')
+
+########################################
+## <summary>
+## Read hwloc runtime files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hwloc_read_runtime_files',`
+ gen_require(`
+ type hwloc_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, hwloc_var_run_t, hwloc_var_run_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an hwloc environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`hwloc_admin',`
+ gen_require(`
+ type hwloc_dhwd_t, hwloc_var_run_t;
+ ')
+
+ allow $1 hwloc_dhwd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, hwloc_dhwd_t)
+
+ admin_pattern($1, hwloc_var_run_t)
+ files_pid_filetrans($1, hwloc_var_run_t, dir, "hwloc")
+')
diff --git a/policy/modules/contrib/hwloc.te b/policy/modules/contrib/hwloc.te
new file mode 100644
index 0000000..afe13cc
--- /dev/null
+++ b/policy/modules/contrib/hwloc.te
@@ -0,0 +1,31 @@
+policy_module(hwloc, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role hwloc_dhwd_roles;
+roleattribute system_r hwloc_dhwd_roles;
+
+type hwloc_dhwd_t;
+type hwloc_dhwd_exec_t;
+init_system_domain(hwloc_dhwd_t, hwloc_dhwd_exec_t)
+role hwloc_dhwd_roles types hwloc_dhwd_t;
+
+type hwloc_var_run_t;
+files_pid_file(hwloc_var_run_t)
+
+type hwloc_dhwd_unit_t;
+init_unit_file(hwloc_dhwd_unit_t)
+
+########################################
+#
+# Local policy
+#
+
+allow hwloc_dhwd_t hwloc_var_run_t:dir manage_dir_perms;
+allow hwloc_dhwd_t hwloc_var_run_t:file manage_file_perms;
+files_pid_filetrans(hwloc_dhwd_t, hwloc_var_run_t, dir)
+
+dev_read_sysfs(hwloc_dhwd_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-04-01 17:48 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2016-04-01 17:48 UTC (permalink / raw
To: gentoo-commits
commit: 515dd31c34c9d6eb1742297e6497748feeb4d68c
Author: Sven Vermeulen <swift <AT> gentoo <DOT> org>
AuthorDate: Fri Apr 1 17:47:20 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Apr 1 17:47:20 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=515dd31c
Add hg-src as portage_srcrepo_t
Enable /usr/portage/hg-src as portage_srcrepo_t for the mercurial
version control system.
X-Gentoo-Bug: #578358
policy/modules/contrib/portage.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/portage.fc b/policy/modules/contrib/portage.fc
index 655f986..e5479b3 100644
--- a/policy/modules/contrib/portage.fc
+++ b/policy/modules/contrib/portage.fc
@@ -24,6 +24,7 @@
/usr/portage/distfiles/cvs-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
/usr/portage/distfiles/egit-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
/usr/portage/distfiles/git.?-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
+/usr/portage/distfiles/hg-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
/usr/portage/distfiles/svn-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
/var/db/pkg(/.*)? gen_context(system_u:object_r:portage_db_t,s0)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-03-23 18:36 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-03-23 18:36 UTC (permalink / raw
To: gentoo-commits
commit: 159e75dbd7bcbbe01a622b9e05389e2db9b95755
Author: Dominick Grift <dac.override <AT> gmail <DOT> com>
AuthorDate: Sat Mar 19 13:53:30 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Mar 23 17:48:49 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=159e75db
Module version bump for changes to the geoclue module by Nicolas Iooss.
policy/modules/contrib/geoclue.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/geoclue.te b/policy/modules/contrib/geoclue.te
index 3fbe063..9edb92c 100644
--- a/policy/modules/contrib/geoclue.te
+++ b/policy/modules/contrib/geoclue.te
@@ -1,4 +1,4 @@
-policy_module(geoclue, 1.0.3)
+policy_module(geoclue, 1.0.4)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-03-23 18:36 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-03-23 18:36 UTC (permalink / raw
To: gentoo-commits
commit: 0ffffbe1485ea40ba4031c6466fed20208e85fdf
Author: Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org>
AuthorDate: Sat Mar 19 09:42:33 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Mar 23 17:48:49 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0ffffbe1
Add Arch Linux path for geoclue module
policy/modules/contrib/geoclue.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/geoclue.fc b/policy/modules/contrib/geoclue.fc
index e7de9e8..d460e44 100644
--- a/policy/modules/contrib/geoclue.fc
+++ b/policy/modules/contrib/geoclue.fc
@@ -1,5 +1,6 @@
/etc/geoclue(/.*)? gen_context(system_u:object_r:geoclue_etc_t,s0)
+/usr/lib/geoclue2/geoclue -- gen_context(system_u:object_r:geoclue_exec_t,s0)
/usr/lib/geoclue-2\.0/geoclue -- gen_context(system_u:object_r:geoclue_exec_t,s0)
/usr/libexec/geoclue -- gen_context(system_u:object_r:geoclue_exec_t,s0)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-03-23 17:45 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-03-23 17:45 UTC (permalink / raw
To: gentoo-commits
commit: 75431af72b4bea647161c131fc916d1a5383d15e
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Mar 23 17:19:48 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Mar 23 17:19:48 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=75431af7
chromium: add fcontexts for prebuilt google-chrome
policy/modules/contrib/chromium.fc | 24 +++++++++++++++++++++++-
1 file changed, 23 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/chromium.fc b/policy/modules/contrib/chromium.fc
index 86bac46..534235d 100644
--- a/policy/modules/contrib/chromium.fc
+++ b/policy/modules/contrib/chromium.fc
@@ -1,3 +1,24 @@
+/opt/google/chrome/chrome -- gen_context(system_u:object_r:chromium_exec_t,s0)
+/opt/google/chrome/chrome_sandbox -- gen_context(system_u:object_r:chromium_sandbox_exec_t,s0)
+/opt/google/chrome/chrome-sandbox -- gen_context(system_u:object_r:chromium_sandbox_exec_t,s0)
+/opt/google/chrome/google-chrome -- gen_context(system_u:object_r:chromium_exec_t,s0)
+/opt/google/chrome/nacl_helper_bootstrap -- gen_context(system_u:object_r:chromium_naclhelper_exec_t,s0)
+/opt/google/chrome/libudev.so.0 gen_context(system_u:object_r:lib_t,s0)
+
+/opt/google/chrome-beta/chrome -- gen_context(system_u:object_r:chromium_exec_t,s0)
+/opt/google/chrome-beta/chrome_sandbox -- gen_context(system_u:object_r:chromium_sandbox_exec_t,s0)
+/opt/google/chrome-beta/chrome-sandbox -- gen_context(system_u:object_r:chromium_sandbox_exec_t,s0)
+/opt/google/chrome-beta/google-chrome -- gen_context(system_u:object_r:chromium_exec_t,s0)
+/opt/google/chrome-beta/nacl_helper_bootstrap -- gen_context(system_u:object_r:chromium_naclhelper_exec_t,s0)
+/opt/google/chrome-beta/libudev.so.0 gen_context(system_u:object_r:lib_t,s0)
+
+/opt/google/chrome-unstable/chrome -- gen_context(system_u:object_r:chromium_exec_t,s0)
+/opt/google/chrome-unstable/chrome_sandbox -- gen_context(system_u:object_r:chromium_sandbox_exec_t,s0)
+/opt/google/chrome-unstable/chrome-sandbox -- gen_context(system_u:object_r:chromium_sandbox_exec_t,s0)
+/opt/google/chrome-unstable/google-chrome -- gen_context(system_u:object_r:chromium_exec_t,s0)
+/opt/google/chrome-unstable/nacl_helper_bootstrap -- gen_context(system_u:object_r:chromium_naclhelper_exec_t,s0)
+/opt/google/chrome-unstable/libudev.so.0 gen_context(system_u:object_r:lib_t,s0)
+
/usr/lib/chromium-browser/chrome -- gen_context(system_u:object_r:chromium_exec_t,s0)
/usr/lib/chromium-browser/chrome_sandbox -- gen_context(system_u:object_r:chromium_sandbox_exec_t,s0)
/usr/lib/chromium-browser/chrome-sandbox -- gen_context(system_u:object_r:chromium_sandbox_exec_t,s0)
@@ -5,5 +26,6 @@
/usr/lib/chromium-browser/nacl_helper_bootstrap -- gen_context(system_u:object_r:chromium_naclhelper_exec_t,s0)
HOME_DIR/\.cache/chromium(/.*)? gen_context(system_u:object_r:chromium_xdg_cache_t,s0)
+HOME_DIR/\.cache/google-chrome(/.*)? gen_context(system_u:object_r:chromium_xdg_cache_t,s0)
HOME_DIR/\.config/chromium(/.*)? gen_context(system_u:object_r:chromium_xdg_config_t,s0)
-
+HOME_DIR/\.config/google-chrome(/.*)? gen_context(system_u:object_r:chromium_xdg_config_t,s0)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-03-11 18:50 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-03-11 18:50 UTC (permalink / raw
To: gentoo-commits
commit: 9cc0e315b6885d14e3b21a73c098b00afb8c1563
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Fri Mar 11 17:36:54 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Mar 11 17:36:54 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9cc0e315
android: rules for the emulator
policy/modules/contrib/android.te | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/policy/modules/contrib/android.te b/policy/modules/contrib/android.te
index ff1fcac..9b3d010 100644
--- a/policy/modules/contrib/android.te
+++ b/policy/modules/contrib/android.te
@@ -101,12 +101,18 @@ corenet_tcp_connect_adb_port(android_java_t)
corenet_tcp_connect_http_port(android_java_t)
corenet_udp_bind_generic_node(android_java_t)
+dev_rw_kvm(android_java_t)
+dev_rw_dri(android_java_t)
+dev_read_sysfs(android_java_t)
+
domain_dontaudit_getattr_all_domains(android_java_t)
domain_dontaudit_search_all_domains_state(android_java_t)
miscfiles_read_fonts(android_java_t)
miscfiles_read_localization(android_java_t)
+udev_read_db(android_java_t)
+
userdom_use_user_terminals(android_java_t)
userdom_user_home_dir_filetrans(android_java_t, android_home_t, dir, ".android")
userdom_user_home_dir_filetrans(android_java_t, android_home_t, dir, ".AndroidStudioBeta")
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-03-11 18:50 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-03-11 18:50 UTC (permalink / raw
To: gentoo-commits
commit: f91a762a20650fa883a012334c573079cffa14e8
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Fri Mar 11 17:37:28 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Mar 11 17:37:28 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f91a762a
uwsgi: allow reading net sysctls and ldconfig for python apps
policy/modules/contrib/uwsgi.te | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/uwsgi.te b/policy/modules/contrib/uwsgi.te
index 02b29e8..2ba18a0 100644
--- a/policy/modules/contrib/uwsgi.te
+++ b/policy/modules/contrib/uwsgi.te
@@ -71,11 +71,14 @@ corecmd_exec_bin(uwsgi_t)
corecmd_exec_shell(uwsgi_t)
kernel_read_system_state(uwsgi_t)
+kernel_read_net_sysctls(uwsgi_t)
+
+libs_exec_ldconfig(uwsgi_t)
miscfiles_read_localization(uwsgi_t)
optional_policy(`
- apache_search_sys_content(uwsgi_t)
+ apache_read_all_content(uwsgi_t)
apache_manage_all_rw_content(uwsgi_t)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-03-11 17:20 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-03-11 17:20 UTC (permalink / raw
To: gentoo-commits
commit: 04ebf78c2f42dbdbb4cc5c79c10af95878a1438a
Author: Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Mon Mar 7 15:33:02 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Mar 11 17:16:17 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=04ebf78c
New policy for tboot utilities
tboot is an OSS project for using the features of Intel TXT. Some of its
included utilities (might) need special permissions. For now, there's
only a policy for txt-stat (it needs access to /dev/mem).
policy/modules/contrib/tboot.fc | 1 +
policy/modules/contrib/tboot.if | 46 +++++++++++++++++++++++++++++++++++++++++
policy/modules/contrib/tboot.te | 24 +++++++++++++++++++++
3 files changed, 71 insertions(+)
diff --git a/policy/modules/contrib/tboot.fc b/policy/modules/contrib/tboot.fc
new file mode 100644
index 0000000..437e1d5
--- /dev/null
+++ b/policy/modules/contrib/tboot.fc
@@ -0,0 +1 @@
+/usr/sbin/txt-stat -- gen_context(system_u:object_r:txtstat_exec_t,s0)
diff --git a/policy/modules/contrib/tboot.if b/policy/modules/contrib/tboot.if
new file mode 100644
index 0000000..0ffe6d8
--- /dev/null
+++ b/policy/modules/contrib/tboot.if
@@ -0,0 +1,46 @@
+## <summary>Utilities for the tboot TXT module.</summary>
+
+########################################
+## <summary>
+## Execute txt-stat in the txtstat domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`tboot_domtrans_txtstat',`
+ gen_require(`
+ type txtstat_t, txtstat_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, txtstat_exec_t, txtstat_t)
+')
+
+########################################
+## <summary>
+## Execute txt-stat in the txtstat domain, and
+## allow the specified role the txtstat domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the txtstat domain.
+## </summary>
+## </param>
+#
+interface(`tboot_run_txtstat',`
+ gen_require(`
+ type txtstat_t;
+ attribute_role txtstat_roles;
+ ')
+
+ tboot_domtrans_txtstat($1)
+ roleattribute $2 txtstat_roles;
+')
diff --git a/policy/modules/contrib/tboot.te b/policy/modules/contrib/tboot.te
new file mode 100644
index 0000000..4961a36
--- /dev/null
+++ b/policy/modules/contrib/tboot.te
@@ -0,0 +1,24 @@
+policy_module(tboot, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role txtstat_roles;
+roleattribute system_r txtstat_roles;
+
+type txtstat_t;
+type txtstat_exec_t;
+application_domain(txtstat_t, txtstat_exec_t)
+role txtstat_roles types txtstat_t;
+
+########################################
+#
+# Local policy
+#
+
+dev_read_raw_memory(txtstat_t)
+
+domain_use_interactive_fds(txtstat_t)
+userdom_use_user_terminals(txtstat_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-03-11 17:20 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-03-11 17:20 UTC (permalink / raw
To: gentoo-commits
commit: 9a6bf4d82a81d2c2dac686d72826cc70ba95af19
Author: Dominick Grift <dac.override <AT> gmail <DOT> com>
AuthorDate: Sat Feb 13 17:06:49 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Mar 11 17:16:17 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9a6bf4d8
Module version bump for changes to the networkmanager module by Laurent Bigonville.
policy/modules/contrib/networkmanager.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index 178986e..1ae3fde 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -1,4 +1,4 @@
-policy_module(networkmanager, 1.18.2)
+policy_module(networkmanager, 1.18.3)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-03-11 17:20 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-03-11 17:20 UTC (permalink / raw
To: gentoo-commits
commit: 1a466eaa3bd92c5a3107d7bb53e5672768dfb20c
Author: Grant Ridder <shortdudey123 <AT> gmail <DOT> com>
AuthorDate: Wed Feb 17 22:28:25 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Mar 11 17:16:17 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1a466eaa
Allow tcp_connect to redis_port_t for redis_t
This fixes the following:
```
type=AVC msg=audit(1455747105.487:947088): avc: denied { name_connect } for pid=2390 comm="redis-server" dest=26379 scontext=system_u:system_r:redis_t:s0 tcontext=system_u:object_r:redis_port_t:s0 tclass=tcp_socket
```
The `redis-server` process must be allowed to make outbound connections when running in a master-slave configuration.
policy/modules/contrib/redis.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/redis.te b/policy/modules/contrib/redis.te
index 00a7fc4..9ba0310 100644
--- a/policy/modules/contrib/redis.te
+++ b/policy/modules/contrib/redis.te
@@ -58,6 +58,7 @@ corenet_tcp_bind_generic_node(redis_t)
corenet_sendrecv_redis_server_packets(redis_t)
corenet_tcp_bind_redis_port(redis_t)
+corenet_tcp_connect_redis_port(redis_t)
corenet_tcp_sendrecv_redis_port(redis_t)
dev_read_sysfs(redis_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-03-11 17:20 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-03-11 17:20 UTC (permalink / raw
To: gentoo-commits
commit: 2b0818457eb72ba6687d66c5e2d0ac2292347435
Author: Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Sat Feb 13 12:26:39 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Mar 11 17:16:17 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2b081845
Allow NM to execute arping
policy/modules/contrib/networkmanager.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index ebcfca4..178986e 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -276,6 +276,7 @@ optional_policy(`
')
optional_policy(`
+ netutils_exec(NetworkManager_t)
netutils_exec_ping(NetworkManager_t)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-03-11 17:20 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-03-11 17:20 UTC (permalink / raw
To: gentoo-commits
commit: dd7a02198a905340eed6e0a97b2d95568a1bb1f6
Author: Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Fri Mar 11 14:06:21 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Mar 11 17:18:12 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=dd7a0219
Debian now ships firefox-esr, properly label the executable
Firefox-esr is the extended support release of Firefox
policy/modules/contrib/mozilla.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/mozilla.fc b/policy/modules/contrib/mozilla.fc
index c614f8c..ef31766 100644
--- a/policy/modules/contrib/mozilla.fc
+++ b/policy/modules/contrib/mozilla.fc
@@ -23,6 +23,7 @@ HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
/usr/lib/iceweasel/iceweasel -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/usr/lib/iceweasel/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
/usr/lib/mozilla[^/]*/reg.+ -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/mozilla[^/]*/firefox-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/usr/lib/mozilla[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/usr/lib/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:mozilla_plugin_rw_t,s0)
/usr/lib/netscape/base-4/wrapper -- gen_context(system_u:object_r:mozilla_exec_t,s0)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-03-11 17:20 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-03-11 17:20 UTC (permalink / raw
To: gentoo-commits
commit: 38540e45a3068e1b7991c9127484d5fa9ffefc50
Author: Dominick Grift <dac.override <AT> gmail <DOT> com>
AuthorDate: Thu Feb 18 07:59:30 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Mar 11 17:16:17 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=38540e45
Module version bump for changes to the redis module by Grant Ridder.
policy/modules/contrib/redis.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/redis.te b/policy/modules/contrib/redis.te
index 9ba0310..25cf846 100644
--- a/policy/modules/contrib/redis.te
+++ b/policy/modules/contrib/redis.te
@@ -1,4 +1,4 @@
-policy_module(redis, 1.2.1)
+policy_module(redis, 1.2.2)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-03-11 17:20 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-03-11 17:20 UTC (permalink / raw
To: gentoo-commits
commit: 22d40ebda032149386dca42c4cf16ff26d545d24
Author: Dominick Grift <dac.override <AT> gmail <DOT> com>
AuthorDate: Fri Mar 11 14:59:28 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Mar 11 17:18:12 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=22d40ebd
Module version bump for changes to the mozilla module by Laurent Bigonville.
policy/modules/contrib/mozilla.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
index ac76d19..a44cb5a 100644
--- a/policy/modules/contrib/mozilla.te
+++ b/policy/modules/contrib/mozilla.te
@@ -1,4 +1,4 @@
-policy_module(mozilla, 2.9.0)
+policy_module(mozilla, 2.9.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-02-13 7:23 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-02-13 7:23 UTC (permalink / raw
To: gentoo-commits
commit: f0ee538ea5bd88e178185d63aa33155490bec72b
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Feb 13 07:02:21 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 13 07:02:21 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f0ee538e
Dropbox: rules for 3.12.6
it needs execmem now and ldconfig to load its sharedlibs
policy/modules/contrib/dropbox.te | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/dropbox.te b/policy/modules/contrib/dropbox.te
index f3d01e9..f7f6125 100644
--- a/policy/modules/contrib/dropbox.te
+++ b/policy/modules/contrib/dropbox.te
@@ -38,7 +38,7 @@ userdom_user_tmpfs_file(dropbox_tmpfs_t)
# Local Policy Rules
#
-allow dropbox_t self:process signal_perms;
+allow dropbox_t self:process { execmem signal_perms };
allow dropbox_t self:fifo_file rw_fifo_file_perms;
allow dropbox_t dropbox_home_t:file mmap_file_perms;
@@ -71,6 +71,7 @@ fs_tmpfs_filetrans(dropbox_t, dropbox_tmpfs_t, { file dir })
fs_getattr_xattr_fs(dropbox_t)
fs_getattr_tmpfs(dropbox_t)
+kernel_read_system_state(dropbox_t)
kernel_read_vm_sysctls(dropbox_t)
kernel_dontaudit_read_system_state(dropbox_t)
@@ -79,9 +80,14 @@ kernel_dontaudit_list_proc(dropbox_t)
corecmd_exec_bin(dropbox_t)
corecmd_exec_shell(dropbox_t)
+domain_dontaudit_getattr_all_domains(dropbox_t)
+domain_dontaudit_search_all_domains_state(dropbox_t)
+
dev_read_rand(dropbox_t)
dev_read_urand(dropbox_t)
+libs_exec_ldconfig(dropbox_t)
+
files_read_usr_files(dropbox_t)
auth_use_nsswitch(dropbox_t)
miscfiles_read_localization(dropbox_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-02-12 3:51 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-02-12 3:51 UTC (permalink / raw
To: gentoo-commits
commit: c5006a58204273dc6a48bf8e6c1087f4c99ed3c6
Author: Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Mon Feb 8 23:04:53 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Feb 12 02:54:52 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c5006a58
dontaudit firewalld attempt to relabel its own config files
firewalld create a backup of its config files before modifying them by
using shutil.copy2() python function. This function tries to copy the
xattr of the source file, this should explain why we see this.
policy/modules/contrib/firewalld.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/firewalld.te b/policy/modules/contrib/firewalld.te
index 7696395..c1cd252 100644
--- a/policy/modules/contrib/firewalld.te
+++ b/policy/modules/contrib/firewalld.te
@@ -37,6 +37,7 @@ allow firewalld_t self:udp_socket create_socket_perms;
manage_dirs_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
manage_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
+dontaudit firewalld_t firewalld_etc_rw_t:file { relabelfrom relabelto };
allow firewalld_t firewalld_var_log_t:file append_file_perms;
allow firewalld_t firewalld_var_log_t:file create_file_perms;
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-02-12 3:51 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-02-12 3:51 UTC (permalink / raw
To: gentoo-commits
commit: 22b708e62e784bc408c31ea733c409bb5aef2052
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Wed Feb 10 17:58:19 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Feb 12 02:54:53 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=22b708e6
Module version bump for firewalld updates from Laurent Bigonville.
policy/modules/contrib/firewalld.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/firewalld.te b/policy/modules/contrib/firewalld.te
index c1cd252..aa0d713 100644
--- a/policy/modules/contrib/firewalld.te
+++ b/policy/modules/contrib/firewalld.te
@@ -1,4 +1,4 @@
-policy_module(firewalld, 1.3.0)
+policy_module(firewalld, 1.3.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-02-12 3:51 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-02-12 3:51 UTC (permalink / raw
To: gentoo-commits
commit: 76ec29f6df99418e3e1039484fd723ad3dc133b0
Author: Dominick Grift <dac.override <AT> gmail <DOT> com>
AuthorDate: Mon Feb 1 13:23:54 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Feb 12 02:54:52 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=76ec29f6
Module version bump for changes to the cron module by Jason Zaman
policy/modules/contrib/cron.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te
index 9b86f67..d26bdb2 100644
--- a/policy/modules/contrib/cron.te
+++ b/policy/modules/contrib/cron.te
@@ -1,4 +1,4 @@
-policy_module(cron, 2.9.0)
+policy_module(cron, 2.9.1)
gen_require(`
class passwd rootok;
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-02-12 3:51 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-02-12 3:51 UTC (permalink / raw
To: gentoo-commits
commit: 2c5cc83d06d429bfe3b78c0dc7ff6ef3b4858c9d
Author: Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Mon Feb 8 22:52:41 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Feb 12 02:54:52 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2c5cc83d
Allow firewalld to create firewalld_var_run_t directory.
policy/modules/contrib/firewalld.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/firewalld.te b/policy/modules/contrib/firewalld.te
index 732558c..7696395 100644
--- a/policy/modules/contrib/firewalld.te
+++ b/policy/modules/contrib/firewalld.te
@@ -48,6 +48,7 @@ manage_files_pattern(firewalld_t, firewalld_tmp_t, firewalld_tmp_t)
files_tmp_filetrans(firewalld_t, firewalld_tmp_t, file)
allow firewalld_t firewalld_tmp_t:file mmap_file_perms;
+manage_dirs_pattern(firewalld_t, firewalld_var_run_t, firewalld_var_run_t)
manage_files_pattern(firewalld_t, firewalld_var_run_t, firewalld_var_run_t)
files_pid_filetrans(firewalld_t, firewalld_var_run_t, { dir file })
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-02-12 3:51 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-02-12 3:51 UTC (permalink / raw
To: gentoo-commits
commit: 228bebc26ec0612c42feb8e3a7bce4a0064543c8
Author: Dominick Grift <dac.override <AT> gmail <DOT> com>
AuthorDate: Tue Feb 2 21:03:17 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Feb 12 02:54:52 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=228bebc2
Module version bump for changes to the redis module by Grant Ridder
policy/modules/contrib/redis.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/redis.te b/policy/modules/contrib/redis.te
index 83a78ce..00a7fc4 100644
--- a/policy/modules/contrib/redis.te
+++ b/policy/modules/contrib/redis.te
@@ -1,4 +1,4 @@
-policy_module(redis, 1.2.0)
+policy_module(redis, 1.2.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-02-12 3:51 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-02-12 3:51 UTC (permalink / raw
To: gentoo-commits
commit: b526f68311e1efff28672d5e59e3c1aeb169c6f0
Author: Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Wed Feb 3 13:44:32 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Feb 12 02:54:52 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b526f683
Allow mdadm read efivarfs files
policy/modules/contrib/raid.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/raid.te b/policy/modules/contrib/raid.te
index f4b2b38..6546eae 100644
--- a/policy/modules/contrib/raid.te
+++ b/policy/modules/contrib/raid.te
@@ -64,6 +64,7 @@ files_dontaudit_getattr_all_files(mdadm_t)
fs_getattr_all_fs(mdadm_t)
fs_list_auto_mountpoints(mdadm_t)
fs_list_hugetlbfs(mdadm_t)
+fs_read_efivarfs_files(mdadm_t)
fs_rw_cgroup_files(mdadm_t)
fs_dontaudit_list_tmpfs(mdadm_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-02-12 3:51 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-02-12 3:51 UTC (permalink / raw
To: gentoo-commits
commit: 9ce367ee6624a28ea34fc54f71f5490aef71dccf
Author: Grant Ridder <shortdudey123 <AT> gmail <DOT> com>
AuthorDate: Mon Feb 1 18:42:36 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Feb 12 02:54:52 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9ce367ee
Add read/write perms for redis-sentinel
Fixes
```
type=AVC msg=audit(1454110519.451:77): avc: denied { read } for pid=2863 comm="redis-sentinel" name="redis-sentinel.conf" dev="dm-0" ino=69275142 scontext=system_u:system_r:redis_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=AVC msg=audit(1454110519.451:77): avc: denied { open } for pid=2863 comm="redis-sentinel" path="/etc/redis-sentinel.conf" dev="dm-0" ino=69275142 scontext=system_u:system_r:redis_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=AVC msg=audit(1454110519.451:78): avc: denied { getattr } for pid=2863 comm="redis-sentinel" path="/etc/redis-sentinel.conf" dev="dm-0" ino=69275142 scontext=system_u:system_r:redis_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=AVC msg=audit(1454110519.457:80): avc: denied { write } for pid=2863 comm="redis-sentinel" name="redis-sentinel.conf" dev="dm-0" ino=69275142 scontext=system_u:system_r:redis_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
```
policy/modules/contrib/redis.fc | 2 ++
policy/modules/contrib/redis.if | 5 ++++-
policy/modules/contrib/redis.te | 5 +++++
3 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/redis.fc b/policy/modules/contrib/redis.fc
index e240ac9..9f9c0c4 100644
--- a/policy/modules/contrib/redis.fc
+++ b/policy/modules/contrib/redis.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/redis -- gen_context(system_u:object_r:redis_initrc_exec_t,s0)
+/etc/redis.*\.conf -- gen_context(system_u:object_r:redis_conf_t,s0)
+
/usr/sbin/redis-server -- gen_context(system_u:object_r:redis_exec_t,s0)
/var/lib/redis(/.*)? gen_context(system_u:object_r:redis_var_lib_t,s0)
diff --git a/policy/modules/contrib/redis.if b/policy/modules/contrib/redis.if
index 6d86dbf..276309a 100644
--- a/policy/modules/contrib/redis.if
+++ b/policy/modules/contrib/redis.if
@@ -20,7 +20,7 @@
interface(`redis_admin',`
gen_require(`
type redis_t, redis_initrc_exec_t, redis_var_lib_t;
- type redis_log_t, redis_var_run_t;
+ type redis_log_t, redis_var_run_t, redis_conf_t;
')
allow $1 redis_t:process { ptrace signal_perms };
@@ -28,6 +28,9 @@ interface(`redis_admin',`
init_startstop_service($1, $2, redis_t, redis_initrc_exec_t)
+ files_search_etc($1)
+ admin_pattern($1, redis_conf_t)
+
logging_search_logs($1)
admin_pattern($1, redis_log_t)
diff --git a/policy/modules/contrib/redis.te b/policy/modules/contrib/redis.te
index c116691..83a78ce 100644
--- a/policy/modules/contrib/redis.te
+++ b/policy/modules/contrib/redis.te
@@ -21,6 +21,9 @@ files_type(redis_var_lib_t)
type redis_var_run_t;
files_pid_file(redis_var_run_t)
+type redis_conf_t;
+files_config_file(redis_conf_t)
+
########################################
#
# Local policy
@@ -31,6 +34,8 @@ allow redis_t self:fifo_file rw_fifo_file_perms;
allow redis_t self:unix_stream_socket create_stream_socket_perms;
allow redis_t self:tcp_socket create_stream_socket_perms;
+allow redis_t redis_conf_t:file rw_file_perms;
+
manage_dirs_pattern(redis_t, redis_log_t, redis_log_t)
manage_files_pattern(redis_t, redis_log_t, redis_log_t)
manage_lnk_files_pattern(redis_t, redis_log_t, redis_log_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-02-12 3:51 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-02-12 3:51 UTC (permalink / raw
To: gentoo-commits
commit: 7cb334bf96d8063b118479980e52da97cc24a9bd
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Feb 1 09:17:29 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Feb 12 02:54:52 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7cb334bf
cron: Allow locks to be lnk_files
The run-crons script now uses symlinks to pids as the locks instead of
just a plain file.
avc: denied { create } for pid=5844 comm="ln" name="cron.hourly"
scontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023
tcontext=system_u:object_r:var_lock_t:s0 tclass=lnk_file permissive=0
type=PATH msg=audit(1454175001.341:80669): item=2
name="/var/lock/cron.hourly" nametype=CREATE
policy/modules/contrib/cron.te | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te
index 523b8cb..9b86f67 100644
--- a/policy/modules/contrib/cron.te
+++ b/policy/modules/contrib/cron.te
@@ -440,7 +440,8 @@ files_pid_filetrans(system_cronjob_t, cron_var_run_t, file)
manage_files_pattern(system_cronjob_t, system_cron_spool_t, system_cron_spool_t)
allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
-files_lock_filetrans(system_cronjob_t, system_cronjob_lock_t, file)
+allow system_cronjob_t system_cronjob_lock_t:lnk_file manage_lnk_file_perms;
+files_lock_filetrans(system_cronjob_t, system_cronjob_lock_t, { file lnk_file })
manage_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-02-12 3:51 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-02-12 3:51 UTC (permalink / raw
To: gentoo-commits
commit: 56bb41501530668d9c82041851f00d59bc90fbee
Author: Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Mon Feb 8 22:22:58 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Feb 12 02:54:52 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=56bb4150
Add an interface to allow a domain to read firewalld_var_run_t files
policy/modules/contrib/firewalld.if | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/policy/modules/contrib/firewalld.if b/policy/modules/contrib/firewalld.if
index a16179b..dd89afa 100644
--- a/policy/modules/contrib/firewalld.if
+++ b/policy/modules/contrib/firewalld.if
@@ -61,6 +61,25 @@ interface(`firewalld_dontaudit_rw_tmp_files',`
########################################
## <summary>
+## Read firewalld runtime files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`firewalld_read_var_run_files',`
+ gen_require(`
+ type firewalld_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, firewalld_var_run_t, firewalld_var_run_t)
+')
+
+########################################
+## <summary>
## All of the rules required to
## administrate an firewalld environment.
## </summary>
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-02-12 3:51 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-02-12 3:51 UTC (permalink / raw
To: gentoo-commits
commit: 2cff7d628cf6ad6f6710095acd951c686b03c68a
Author: Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Mon Feb 8 22:07:02 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Feb 12 02:54:52 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2cff7d62
Allow /var/run/firewalld/ directory to transition to firewalld_var_run_t
policy/modules/contrib/firewalld.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/firewalld.te b/policy/modules/contrib/firewalld.te
index 742a951..732558c 100644
--- a/policy/modules/contrib/firewalld.te
+++ b/policy/modules/contrib/firewalld.te
@@ -49,7 +49,7 @@ files_tmp_filetrans(firewalld_t, firewalld_tmp_t, file)
allow firewalld_t firewalld_tmp_t:file mmap_file_perms;
manage_files_pattern(firewalld_t, firewalld_var_run_t, firewalld_var_run_t)
-files_pid_filetrans(firewalld_t, firewalld_var_run_t, file)
+files_pid_filetrans(firewalld_t, firewalld_var_run_t, { dir file })
kernel_read_network_state(firewalld_t)
kernel_read_system_state(firewalld_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-02-12 3:51 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-02-12 3:51 UTC (permalink / raw
To: gentoo-commits
commit: 4e287310509e2eda9f7090475786c8e0143ab0d1
Author: Dominick Grift <dac.override <AT> gmail <DOT> com>
AuthorDate: Wed Feb 3 18:42:40 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Feb 12 02:54:52 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4e287310
Module version bump for changes to the raid module by Laurent Bigonville
policy/modules/contrib/raid.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/raid.te b/policy/modules/contrib/raid.te
index 6546eae..ec54379 100644
--- a/policy/modules/contrib/raid.te
+++ b/policy/modules/contrib/raid.te
@@ -1,4 +1,4 @@
-policy_module(raid, 1.15.0)
+policy_module(raid, 1.15.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-01-30 17:21 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-01-30 17:21 UTC (permalink / raw
To: gentoo-commits
commit: cc11d23a2c1a1e9d0dddd686cfefc357334e2b05
Author: Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org>
AuthorDate: Mon Jan 18 23:46:04 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Jan 30 16:43:36 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cc11d23a
Fix typos in several interfaces
This aims to make every interface description unique.
policy/modules/contrib/amanda.if | 2 +-
policy/modules/contrib/ntp.if | 2 +-
policy/modules/contrib/shorewall.if | 3 ++-
policy/modules/contrib/virt.if | 5 ++---
4 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/policy/modules/contrib/amanda.if b/policy/modules/contrib/amanda.if
index ea4cdc7..1de1788 100644
--- a/policy/modules/contrib/amanda.if
+++ b/policy/modules/contrib/amanda.if
@@ -105,7 +105,7 @@ interface(`amanda_rw_dumpdates_files',`
########################################
## <summary>
-## Search Amanda library directories.
+## Manage Amanda library directories.
## </summary>
## <param name="domain">
## <summary>
diff --git a/policy/modules/contrib/ntp.if b/policy/modules/contrib/ntp.if
index a0f1691..192e342 100644
--- a/policy/modules/contrib/ntp.if
+++ b/policy/modules/contrib/ntp.if
@@ -63,7 +63,7 @@ interface(`ntp_run',`
########################################
## <summary>
-## Execute ntp server in the ntpd domain.
+## Execute ntpdate server in the ntpd domain.
## </summary>
## <param name="domain">
## <summary>
diff --git a/policy/modules/contrib/shorewall.if b/policy/modules/contrib/shorewall.if
index 7bd4593..108ce75 100644
--- a/policy/modules/contrib/shorewall.if
+++ b/policy/modules/contrib/shorewall.if
@@ -21,7 +21,8 @@ interface(`shorewall_domtrans',`
######################################
## <summary>
-## Execute a domain transition to run shorewall.
+## Execute a domain transition to run shorewall
+## using executables from /var/lib.
## </summary>
## <param name="domain">
## <summary>
diff --git a/policy/modules/contrib/virt.if b/policy/modules/contrib/virt.if
index 5b57d50..8016ccc 100644
--- a/policy/modules/contrib/virt.if
+++ b/policy/modules/contrib/virt.if
@@ -194,7 +194,7 @@ interface(`virt_domtrans_bridgehelper',`
########################################
## <summary>
## Execute a domain transition to
-## run virt bridgehelper.
+## run virt leaseshelper.
## </summary>
## <param name="domain">
## <summary>
@@ -439,8 +439,7 @@ interface(`virt_manage_config',`
########################################
## <summary>
-## Create, read, write, and delete
-## virt image files.
+## Read virt content.
## </summary>
## <param name="domain">
## <summary>
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2016-01-30 17:21 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2016-01-30 17:21 UTC (permalink / raw
To: gentoo-commits
commit: c2e377998ec4e40c4e0593162c3a4641b101dd96
Author: Dominick Grift <dac.override <AT> gmail <DOT> com>
AuthorDate: Tue Jan 19 14:44:57 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Jan 30 16:43:36 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c2e37799
Module version bumps for changes to various modules by Nicolas Iooss
policy/modules/contrib/amanda.te | 2 +-
policy/modules/contrib/bind.te | 2 +-
policy/modules/contrib/cgroup.te | 2 +-
policy/modules/contrib/kdump.te | 2 +-
policy/modules/contrib/nis.te | 2 +-
policy/modules/contrib/ntp.te | 2 +-
policy/modules/contrib/shorewall.te | 2 +-
policy/modules/contrib/virt.te | 2 +-
8 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/policy/modules/contrib/amanda.te b/policy/modules/contrib/amanda.te
index 519051c..5f579aa 100644
--- a/policy/modules/contrib/amanda.te
+++ b/policy/modules/contrib/amanda.te
@@ -1,4 +1,4 @@
-policy_module(amanda, 1.15.0)
+policy_module(amanda, 1.15.1)
#######################################
#
diff --git a/policy/modules/contrib/bind.te b/policy/modules/contrib/bind.te
index 6991aeb..2a72066 100644
--- a/policy/modules/contrib/bind.te
+++ b/policy/modules/contrib/bind.te
@@ -1,4 +1,4 @@
-policy_module(bind, 1.16.0)
+policy_module(bind, 1.16.1)
########################################
#
diff --git a/policy/modules/contrib/cgroup.te b/policy/modules/contrib/cgroup.te
index d96a8f6..736856f 100644
--- a/policy/modules/contrib/cgroup.te
+++ b/policy/modules/contrib/cgroup.te
@@ -1,4 +1,4 @@
-policy_module(cgroup, 1.3.0)
+policy_module(cgroup, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/kdump.te b/policy/modules/contrib/kdump.te
index 3749ddf..ac37ce9 100644
--- a/policy/modules/contrib/kdump.te
+++ b/policy/modules/contrib/kdump.te
@@ -1,4 +1,4 @@
-policy_module(kdump, 1.4.0)
+policy_module(kdump, 1.4.1)
#######################################
#
diff --git a/policy/modules/contrib/nis.te b/policy/modules/contrib/nis.te
index 71a2e6f..77c8282 100644
--- a/policy/modules/contrib/nis.te
+++ b/policy/modules/contrib/nis.te
@@ -1,4 +1,4 @@
-policy_module(nis, 1.13.0)
+policy_module(nis, 1.13.1)
########################################
#
diff --git a/policy/modules/contrib/ntp.te b/policy/modules/contrib/ntp.te
index e60149a..74fba8f 100644
--- a/policy/modules/contrib/ntp.te
+++ b/policy/modules/contrib/ntp.te
@@ -1,4 +1,4 @@
-policy_module(ntp, 1.14.0)
+policy_module(ntp, 1.14.1)
########################################
#
diff --git a/policy/modules/contrib/shorewall.te b/policy/modules/contrib/shorewall.te
index d82e7a2..c4f6477 100644
--- a/policy/modules/contrib/shorewall.te
+++ b/policy/modules/contrib/shorewall.te
@@ -1,4 +1,4 @@
-policy_module(shorewall, 1.5.0)
+policy_module(shorewall, 1.5.1)
########################################
#
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 700323c..38aa474 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1,4 +1,4 @@
-policy_module(virt, 1.9.2)
+policy_module(virt, 1.9.3)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-12-19 3:15 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-12-19 3:15 UTC (permalink / raw
To: gentoo-commits
commit: 07e4b0512b2184ad03b2800e2d3478427768ef06
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Nov 23 15:23:32 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Dec 19 03:11:08 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=07e4b051
portage: allow portage to rw all MLS levels
Without this, portage cannot merge packages that are trusted.
eg. sys-process/audit fails to merge /etc/audit/ because it is s15.
policy/modules/contrib/portage.te | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/policy/modules/contrib/portage.te b/policy/modules/contrib/portage.te
index 2f62eb6..19bd8c8 100644
--- a/policy/modules/contrib/portage.te
+++ b/policy/modules/contrib/portage.te
@@ -449,6 +449,11 @@ gen_tunable(portage_enable_test, false)
corecmd_relabel_bin_files(portage_t)
corecmd_relabel_bin_lnk_files(portage_t)
+ mls_file_read_all_levels(portage_t)
+ mls_file_write_all_levels(portage_t)
+ mls_file_upgrade(portage_t)
+ mls_file_downgrade(portage_t)
+
auth_use_nsswitch(portage_t)
# Support cgroup FEATURES
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-12-17 18:49 Jason Zaman
2015-12-17 16:10 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2015-12-17 18:49 UTC (permalink / raw
To: gentoo-commits
commit: 3378c1fbe95ec4fad1c986204510804436559cf0
Author: Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Mon Dec 14 01:03:35 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec 17 16:03:28 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3378c1fb
networkmanager.fc: nm-dispatcher.action has been renamed to nm-dispatcher
policy/modules/contrib/networkmanager.fc | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/networkmanager.fc b/policy/modules/contrib/networkmanager.fc
index c192c7f..5bab4ba 100644
--- a/policy/modules/contrib/networkmanager.fc
+++ b/policy/modules/contrib/networkmanager.fc
@@ -13,8 +13,8 @@
/etc/wicd/wireless-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
/etc/wicd/wired-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
-/usr/lib/NetworkManager/nm-dispatcher\.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
-/usr/lib/networkmanager/nm-dispatcher\.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
+/usr/lib/NetworkManager/nm-dispatcher.* -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
+/usr/lib/networkmanager/nm-dispatcher.* -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
/usr/libexec/nm-dispatcher.* -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
# Systemd unit files
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2015-12-17 18:49 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
@ 2015-12-17 16:10 ` Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-12-17 16:10 UTC (permalink / raw
To: gentoo-commits
commit: 3378c1fbe95ec4fad1c986204510804436559cf0
Author: Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Mon Dec 14 01:03:35 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec 17 16:03:28 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3378c1fb
networkmanager.fc: nm-dispatcher.action has been renamed to nm-dispatcher
policy/modules/contrib/networkmanager.fc | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/networkmanager.fc b/policy/modules/contrib/networkmanager.fc
index c192c7f..5bab4ba 100644
--- a/policy/modules/contrib/networkmanager.fc
+++ b/policy/modules/contrib/networkmanager.fc
@@ -13,8 +13,8 @@
/etc/wicd/wireless-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
/etc/wicd/wired-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
-/usr/lib/NetworkManager/nm-dispatcher\.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
-/usr/lib/networkmanager/nm-dispatcher\.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
+/usr/lib/NetworkManager/nm-dispatcher.* -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
+/usr/lib/networkmanager/nm-dispatcher.* -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
/usr/libexec/nm-dispatcher.* -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
# Systemd unit files
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-12-17 18:49 Jason Zaman
2015-12-17 16:10 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2015-12-17 18:49 UTC (permalink / raw
To: gentoo-commits
commit: d97f7b9dddbe44fbc16878a137266c312acd6dd7
Author: Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Mon Dec 14 00:37:43 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec 17 15:57:35 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d97f7b9d
virt.fc: Add some debian contexts
policy/modules/contrib/virt.fc | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/virt.fc b/policy/modules/contrib/virt.fc
index ea197d0..f7e0ce8 100644
--- a/policy/modules/contrib/virt.fc
+++ b/policy/modules/contrib/virt.fc
@@ -16,6 +16,10 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
/etc/xen/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0)
/etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0)
+/usr/lib/libvirt/libvirt_lxc -- gen_context(system_u:object_r:virtd_lxc_exec_t,s0)
+/usr/lib/libvirt/libvirt_leaseshelper -- gen_context(system_u:object_r:virt_leaseshelper_exec_t,s0)
+/usr/lib/qemu/qemu-bridge-helper -- gen_context(system_u:object_r:virt_bridgehelper_exec_t,s0)
+
/usr/libexec/libvirt_lxc -- gen_context(system_u:object_r:virtd_lxc_exec_t,s0)
/usr/libexec/qemu-bridge-helper gen_context(system_u:object_r:virt_bridgehelper_exec_t,s0)
/usr/libexec/libvirt_leaseshelper -- gen_context(system_u:object_r:virt_leaseshelper_exec_t,s0)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2015-12-17 18:49 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
@ 2015-12-17 16:10 ` Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-12-17 16:10 UTC (permalink / raw
To: gentoo-commits
commit: d97f7b9dddbe44fbc16878a137266c312acd6dd7
Author: Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Mon Dec 14 00:37:43 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec 17 15:57:35 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d97f7b9d
virt.fc: Add some debian contexts
policy/modules/contrib/virt.fc | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/virt.fc b/policy/modules/contrib/virt.fc
index ea197d0..f7e0ce8 100644
--- a/policy/modules/contrib/virt.fc
+++ b/policy/modules/contrib/virt.fc
@@ -16,6 +16,10 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
/etc/xen/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0)
/etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0)
+/usr/lib/libvirt/libvirt_lxc -- gen_context(system_u:object_r:virtd_lxc_exec_t,s0)
+/usr/lib/libvirt/libvirt_leaseshelper -- gen_context(system_u:object_r:virt_leaseshelper_exec_t,s0)
+/usr/lib/qemu/qemu-bridge-helper -- gen_context(system_u:object_r:virt_bridgehelper_exec_t,s0)
+
/usr/libexec/libvirt_lxc -- gen_context(system_u:object_r:virtd_lxc_exec_t,s0)
/usr/libexec/qemu-bridge-helper gen_context(system_u:object_r:virt_bridgehelper_exec_t,s0)
/usr/libexec/libvirt_leaseshelper -- gen_context(system_u:object_r:virt_leaseshelper_exec_t,s0)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-12-17 18:49 Jason Zaman
2015-12-17 16:10 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2015-12-17 18:49 UTC (permalink / raw
To: gentoo-commits
commit: f5c7f2bfa8430aa707ac0966750e05d1b81ae40a
Author: Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Wed Nov 4 12:28:52 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec 17 15:57:34 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f5c7f2bf
Label iceweasel plugin-container executable as mozilla_plugin_exec_t
policy/modules/contrib/mozilla.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/mozilla.fc b/policy/modules/contrib/mozilla.fc
index 54e1ba4..c614f8c 100644
--- a/policy/modules/contrib/mozilla.fc
+++ b/policy/modules/contrib/mozilla.fc
@@ -21,6 +21,7 @@ HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
/usr/lib/firefox[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/usr/lib/galeon/galeon -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/usr/lib/iceweasel/iceweasel -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/iceweasel/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
/usr/lib/mozilla[^/]*/reg.+ -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/usr/lib/mozilla[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/usr/lib/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:mozilla_plugin_rw_t,s0)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2015-12-17 18:49 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
@ 2015-12-17 16:10 ` Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-12-17 16:10 UTC (permalink / raw
To: gentoo-commits
commit: f5c7f2bfa8430aa707ac0966750e05d1b81ae40a
Author: Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Wed Nov 4 12:28:52 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec 17 15:57:34 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f5c7f2bf
Label iceweasel plugin-container executable as mozilla_plugin_exec_t
policy/modules/contrib/mozilla.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/mozilla.fc b/policy/modules/contrib/mozilla.fc
index 54e1ba4..c614f8c 100644
--- a/policy/modules/contrib/mozilla.fc
+++ b/policy/modules/contrib/mozilla.fc
@@ -21,6 +21,7 @@ HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
/usr/lib/firefox[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/usr/lib/galeon/galeon -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/usr/lib/iceweasel/iceweasel -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/iceweasel/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
/usr/lib/mozilla[^/]*/reg.+ -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/usr/lib/mozilla[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/usr/lib/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:mozilla_plugin_rw_t,s0)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-12-17 18:49 Jason Zaman
2015-12-17 16:10 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2015-12-17 18:49 UTC (permalink / raw
To: gentoo-commits
commit: b2c793dfb6d4fc880e041cede280683df0244263
Author: Dominick Grift <dac.override <AT> gmail <DOT> com>
AuthorDate: Tue Nov 17 08:17:56 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec 17 15:57:34 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b2c793df
Module version bump for changes to the wine module by Nicolas Iooss
policy/modules/contrib/wine.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/wine.te b/policy/modules/contrib/wine.te
index 491b87b..8efd659 100644
--- a/policy/modules/contrib/wine.te
+++ b/policy/modules/contrib/wine.te
@@ -1,4 +1,4 @@
-policy_module(wine, 1.11.0)
+policy_module(wine, 1.11.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-12-17 18:49 Jason Zaman
2015-12-17 16:10 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2015-12-17 18:49 UTC (permalink / raw
To: gentoo-commits
commit: b73110702bd037d2d2ab10d90a278e4e0afdaa31
Author: Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org>
AuthorDate: Mon Nov 16 22:14:59 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec 17 15:57:34 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b7311070
wine: remove use of nonexisting interface
wine_role_template uses userdom_unpriv_usertype, which is not defined
anywhere in the policy.
policy/modules/contrib/wine.if | 1 -
1 file changed, 1 deletion(-)
diff --git a/policy/modules/contrib/wine.if b/policy/modules/contrib/wine.if
index fd2b6cc..2dba621 100644
--- a/policy/modules/contrib/wine.if
+++ b/policy/modules/contrib/wine.if
@@ -88,7 +88,6 @@ template(`wine_role_template',`
corecmd_bin_domtrans($1_wine_t, $3)
- userdom_unpriv_usertype($1, $1_wine_t)
userdom_manage_user_tmpfs_files($1_wine_t)
domain_mmap_low($1_wine_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-12-17 18:49 Jason Zaman
2015-12-17 16:10 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2015-12-17 18:49 UTC (permalink / raw
To: gentoo-commits
commit: 574b23826b265be34284368cea90fa8185413a91
Author: Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Mon Oct 26 12:26:06 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec 17 15:32:11 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=574b2382
Transition D-Bus system service out of the init_t domain when PID1 is systemd
D-Bus is not starting the activated system services anymore when PID1 is
systemd, but it delegate the job to systemd.
policy/modules/contrib/dbus.if | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/dbus.if b/policy/modules/contrib/dbus.if
index 077dabc..89bbb25 100644
--- a/policy/modules/contrib/dbus.if
+++ b/policy/modules/contrib/dbus.if
@@ -573,6 +573,10 @@ interface(`dbus_system_domain',`
userdom_read_all_users_state($1)
+ ifdef(`init_systemd',`
+ init_daemon_domain($1, $2)
+ ')
+
ifdef(`hide_broken_symptoms', `
dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-12-17 18:49 Jason Zaman
2015-12-17 16:10 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2015-12-17 18:49 UTC (permalink / raw
To: gentoo-commits
commit: 6291ea2e53987b71c967dd941be65c6eb58cb18b
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Thu Oct 29 11:27:27 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec 17 15:32:11 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6291ea2e
Module version bump for dbus systemd patch from Laurent Bigonville.
policy/modules/contrib/dbus.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index bc3999f..7677478 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -1,4 +1,4 @@
-policy_module(dbus, 1.20.1)
+policy_module(dbus, 1.20.2)
gen_require(`
class dbus all_dbus_perms;
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-12-17 18:49 Jason Zaman
2015-12-17 16:10 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2015-12-17 18:49 UTC (permalink / raw
To: gentoo-commits
commit: bff223743be8e5b29ef36125aa0b3734da4f5f34
Author: Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Thu Dec 10 10:38:34 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec 17 15:57:35 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=bff22374
Properly escape dot in the path to the geoclue daemon
policy/modules/contrib/geoclue.fc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/geoclue.fc b/policy/modules/contrib/geoclue.fc
index faca546..e7de9e8 100644
--- a/policy/modules/contrib/geoclue.fc
+++ b/policy/modules/contrib/geoclue.fc
@@ -1,6 +1,6 @@
/etc/geoclue(/.*)? gen_context(system_u:object_r:geoclue_etc_t,s0)
-/usr/lib/geoclue-2.0/geoclue -- gen_context(system_u:object_r:geoclue_exec_t,s0)
+/usr/lib/geoclue-2\.0/geoclue -- gen_context(system_u:object_r:geoclue_exec_t,s0)
/usr/libexec/geoclue -- gen_context(system_u:object_r:geoclue_exec_t,s0)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-12-17 18:49 Jason Zaman
2015-12-17 16:10 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2015-12-17 18:49 UTC (permalink / raw
To: gentoo-commits
commit: 5594149bf7f62722500151aedf29711bf607105a
Author: Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Wed Dec 9 13:26:24 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec 17 15:57:35 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5594149b
Add initial geoclue 2 module
This has been tested with geoclue 2.4.0 on Debian
policy/modules/contrib/geoclue.fc | 7 +++++++
policy/modules/contrib/geoclue.if | 1 +
policy/modules/contrib/geoclue.te | 37 +++++++++++++++++++++++++++++++++++++
3 files changed, 45 insertions(+)
diff --git a/policy/modules/contrib/geoclue.fc b/policy/modules/contrib/geoclue.fc
new file mode 100644
index 0000000..faca546
--- /dev/null
+++ b/policy/modules/contrib/geoclue.fc
@@ -0,0 +1,7 @@
+/etc/geoclue(/.*)? gen_context(system_u:object_r:geoclue_etc_t,s0)
+
+/usr/lib/geoclue-2.0/geoclue -- gen_context(system_u:object_r:geoclue_exec_t,s0)
+
+/usr/libexec/geoclue -- gen_context(system_u:object_r:geoclue_exec_t,s0)
+
+/var/lib/geoclue(/.*)? gen_context(system_u:object_r:geoclue_var_lib_t,s0)
diff --git a/policy/modules/contrib/geoclue.if b/policy/modules/contrib/geoclue.if
new file mode 100644
index 0000000..9df3608
--- /dev/null
+++ b/policy/modules/contrib/geoclue.if
@@ -0,0 +1 @@
+## <summary>Geoclue is a D-Bus service that provides location information.</summary>
diff --git a/policy/modules/contrib/geoclue.te b/policy/modules/contrib/geoclue.te
new file mode 100644
index 0000000..fc72974
--- /dev/null
+++ b/policy/modules/contrib/geoclue.te
@@ -0,0 +1,37 @@
+policy_module(geoclue, 1.0.0)
+
+type geoclue_t;
+type geoclue_exec_t;
+dbus_system_domain(geoclue_t, geoclue_exec_t)
+
+type geoclue_etc_t;
+files_config_file(geoclue_etc_t)
+
+type geoclue_var_lib_t;
+files_type(geoclue_var_lib_t)
+
+read_files_pattern(geoclue_t, geoclue_etc_t, geoclue_etc_t)
+
+corenet_tcp_connect_http_port(geoclue_t)
+
+dev_read_urand(geoclue_t)
+
+# Reads /etc/nsswitch.conf
+files_read_etc_files(geoclue_t)
+
+miscfiles_read_generic_certs(geoclue_t)
+miscfiles_read_localization(geoclue_t)
+
+sysnet_dns_name_resolve(geoclue_t)
+
+optional_policy(`
+ avahi_dbus_chat(geoclue_t)
+')
+
+optional_policy(`
+ networkmanager_dbus_chat(geoclue_t)
+')
+
+optional_policy(`
+ modemmanager_dbus_chat(geoclue_t)
+')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2015-12-17 18:49 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
@ 2015-12-17 16:10 ` Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-12-17 16:10 UTC (permalink / raw
To: gentoo-commits
commit: 5594149bf7f62722500151aedf29711bf607105a
Author: Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Wed Dec 9 13:26:24 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec 17 15:57:35 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5594149b
Add initial geoclue 2 module
This has been tested with geoclue 2.4.0 on Debian
policy/modules/contrib/geoclue.fc | 7 +++++++
policy/modules/contrib/geoclue.if | 1 +
policy/modules/contrib/geoclue.te | 37 +++++++++++++++++++++++++++++++++++++
3 files changed, 45 insertions(+)
diff --git a/policy/modules/contrib/geoclue.fc b/policy/modules/contrib/geoclue.fc
new file mode 100644
index 0000000..faca546
--- /dev/null
+++ b/policy/modules/contrib/geoclue.fc
@@ -0,0 +1,7 @@
+/etc/geoclue(/.*)? gen_context(system_u:object_r:geoclue_etc_t,s0)
+
+/usr/lib/geoclue-2.0/geoclue -- gen_context(system_u:object_r:geoclue_exec_t,s0)
+
+/usr/libexec/geoclue -- gen_context(system_u:object_r:geoclue_exec_t,s0)
+
+/var/lib/geoclue(/.*)? gen_context(system_u:object_r:geoclue_var_lib_t,s0)
diff --git a/policy/modules/contrib/geoclue.if b/policy/modules/contrib/geoclue.if
new file mode 100644
index 0000000..9df3608
--- /dev/null
+++ b/policy/modules/contrib/geoclue.if
@@ -0,0 +1 @@
+## <summary>Geoclue is a D-Bus service that provides location information.</summary>
diff --git a/policy/modules/contrib/geoclue.te b/policy/modules/contrib/geoclue.te
new file mode 100644
index 0000000..fc72974
--- /dev/null
+++ b/policy/modules/contrib/geoclue.te
@@ -0,0 +1,37 @@
+policy_module(geoclue, 1.0.0)
+
+type geoclue_t;
+type geoclue_exec_t;
+dbus_system_domain(geoclue_t, geoclue_exec_t)
+
+type geoclue_etc_t;
+files_config_file(geoclue_etc_t)
+
+type geoclue_var_lib_t;
+files_type(geoclue_var_lib_t)
+
+read_files_pattern(geoclue_t, geoclue_etc_t, geoclue_etc_t)
+
+corenet_tcp_connect_http_port(geoclue_t)
+
+dev_read_urand(geoclue_t)
+
+# Reads /etc/nsswitch.conf
+files_read_etc_files(geoclue_t)
+
+miscfiles_read_generic_certs(geoclue_t)
+miscfiles_read_localization(geoclue_t)
+
+sysnet_dns_name_resolve(geoclue_t)
+
+optional_policy(`
+ avahi_dbus_chat(geoclue_t)
+')
+
+optional_policy(`
+ networkmanager_dbus_chat(geoclue_t)
+')
+
+optional_policy(`
+ modemmanager_dbus_chat(geoclue_t)
+')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-12-17 18:49 Jason Zaman
2015-12-17 16:10 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2015-12-17 18:49 UTC (permalink / raw
To: gentoo-commits
commit: ca03f8aa14fec8faf06c9d9b56c1273b175ce0e4
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue Dec 8 14:53:02 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec 17 15:57:35 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ca03f8aa
Update Changelog for release.
policy/modules/contrib/Changelog | 93 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 93 insertions(+)
diff --git a/policy/modules/contrib/Changelog b/policy/modules/contrib/Changelog
index 66e7d7c..63c8ea9 100644
--- a/policy/modules/contrib/Changelog
+++ b/policy/modules/contrib/Changelog
@@ -1,3 +1,96 @@
+* Tue Dec 08 2015 Chris PeBenito <selinux@tresys.com> - 2.20151208
+Alexander Wetzel (1):
+ add vfio support for libvirt
+
+Chas Williams - CONTRACTOR (1):
+ afs: update labels, file contexts and allow access to urandom
+
+Chris PeBenito (14):
+ Module version bump for hadoop_admin() fix from Jazon Zaman.
+ Module version bump for fc typo in radius from Sven Vermeulen.
+ Module version bump for patches from Jason Zaman.
+ Module version bump for init_startstop_service from Jason Zaman.
+ Module version bump for cron_admin interface from Jason Zaman.
+ Comment/whitespace fix in virt.te.
+ Module version bump for vfio support for libvirt from Alexander Wetzel.
+ Add systemd unit types.
+ Add systemd socket activations.
+ Merge branch 'pebenito-master'
+ Module version bump for systemd additions.
+ Merge branch 'bigon-systemd'
+ Module version bump for dbus systemd patch from Laurent Bigonville.
+ Bump module versions for release.
+
+Dominick Grift (16):
+ Module version bump for courier fixes from Sven Vermeulen.
+ Module version bump for afs fixes from Chas Williams.
+ Redundant rules and afs_files_t is not a filesystem type
+ Various samhain fixes
+ Cachefilesd module updates
+ Module version bump for changes to the dnsmasq policy module by Jason
+ Zaman
+ Module version bump for changes to the snmp policy module by Jason Zaman
+ Module version bump for changes to the pulseaudio policy module by Jason
+ Zaman
+ cachefiles: It is cachefilesd_cache_t
+ Module version bump for update to the networkmanager policy module by
+ Stephen Smalley.
+ Module version bumps for "Remove run interface calls from admin
+ interfaces" changes by Jason Zaman.
+ Module version bump for changes to the pulseaudio module by Niklas Haas.
+ Changes to the git, hadoop and rsync modules by Jason Zaman.
+ Module version bump for changes to the virt module by Jason Zaman
+ Module version bump for changes to the mozilla module from Laurent
+ Bigonville.
+ Module version bump for changes to the wine module by Nicolas Iooss
+
+Jason Zaman (19):
+ hadoop: remove _role from _admin interface
+ rpcbind: typo fix
+ git: make inetd interface optional
+ rpc: introduce allow_gssd_write_tmp boolean
+ rpc: allow setgid capability
+ virt: add virt_tmpfs_t type and permissions
+ introduce virt_leaseshelper_t
+ dnsmasq: allow exec shell for scripts
+ snmp: missing fcontext for snmpd
+ pulseaudio: filetrans for autospawn.lock
+ Use init_startstop_service in admin interfaces A-M
+ Use init_startstop_service in admin interfaces N-Z
+ Remove _run() interfaces from _admin()
+ Introduce cron_admin interface
+ rsync: remove rsync_run from admin interface
+ git: allow git_system_t to listen on tcp_sockets
+ hadoop: init_startstop_service() can not take attributes
+ virt: Allow creating qemu guest agent socket
+ virt: Add policy for virtlockd the Virtual machine lock manager
+
+Laurent Bigonville (2):
+ Transition D-Bus system service out of the init_t domain when PID1 is
+ systemd
+ Label iceweasel plugin-container executable as mozilla_plugin_exec_t
+
+Nicolas Iooss (1):
+ wine: remove use of nonexisting interface
+
+Niklas Haas (1):
+ pulse: don't give pulseaudio_client full access to user_home_t
+
+Stephen Smalley (1):
+ contrib: networkmanager: allow netlink_generic_socket access
+
+Sven Vermeulen (6):
+ Locate authdaemon socket and communicate with authdaemon
+ Allow authdaemon to access selinux fs to check SELinux state
+ Grant setuid/setgid to courier_pop_t
+ Execute courier helper script after authentication
+ Courier IMAP needs to manage the users' maildir
+ Fix typo for radiusd /var/lib location
+
+doverride (2):
+ Merge pull request #3 from haasn/pulse-nohome
+ Merge pull request #6 from bigon/mozilla-1
+
* Wed Dec 03 2014 Chris PeBenito <selinux@tresys.com> - 2.20141203
Chris PeBenito (26):
Whitespace fix in ntp.fc.
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2015-12-17 18:49 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
@ 2015-12-17 16:10 ` Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-12-17 16:10 UTC (permalink / raw
To: gentoo-commits
commit: ca03f8aa14fec8faf06c9d9b56c1273b175ce0e4
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue Dec 8 14:53:02 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec 17 15:57:35 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ca03f8aa
Update Changelog for release.
policy/modules/contrib/Changelog | 93 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 93 insertions(+)
diff --git a/policy/modules/contrib/Changelog b/policy/modules/contrib/Changelog
index 66e7d7c..63c8ea9 100644
--- a/policy/modules/contrib/Changelog
+++ b/policy/modules/contrib/Changelog
@@ -1,3 +1,96 @@
+* Tue Dec 08 2015 Chris PeBenito <selinux@tresys.com> - 2.20151208
+Alexander Wetzel (1):
+ add vfio support for libvirt
+
+Chas Williams - CONTRACTOR (1):
+ afs: update labels, file contexts and allow access to urandom
+
+Chris PeBenito (14):
+ Module version bump for hadoop_admin() fix from Jazon Zaman.
+ Module version bump for fc typo in radius from Sven Vermeulen.
+ Module version bump for patches from Jason Zaman.
+ Module version bump for init_startstop_service from Jason Zaman.
+ Module version bump for cron_admin interface from Jason Zaman.
+ Comment/whitespace fix in virt.te.
+ Module version bump for vfio support for libvirt from Alexander Wetzel.
+ Add systemd unit types.
+ Add systemd socket activations.
+ Merge branch 'pebenito-master'
+ Module version bump for systemd additions.
+ Merge branch 'bigon-systemd'
+ Module version bump for dbus systemd patch from Laurent Bigonville.
+ Bump module versions for release.
+
+Dominick Grift (16):
+ Module version bump for courier fixes from Sven Vermeulen.
+ Module version bump for afs fixes from Chas Williams.
+ Redundant rules and afs_files_t is not a filesystem type
+ Various samhain fixes
+ Cachefilesd module updates
+ Module version bump for changes to the dnsmasq policy module by Jason
+ Zaman
+ Module version bump for changes to the snmp policy module by Jason Zaman
+ Module version bump for changes to the pulseaudio policy module by Jason
+ Zaman
+ cachefiles: It is cachefilesd_cache_t
+ Module version bump for update to the networkmanager policy module by
+ Stephen Smalley.
+ Module version bumps for "Remove run interface calls from admin
+ interfaces" changes by Jason Zaman.
+ Module version bump for changes to the pulseaudio module by Niklas Haas.
+ Changes to the git, hadoop and rsync modules by Jason Zaman.
+ Module version bump for changes to the virt module by Jason Zaman
+ Module version bump for changes to the mozilla module from Laurent
+ Bigonville.
+ Module version bump for changes to the wine module by Nicolas Iooss
+
+Jason Zaman (19):
+ hadoop: remove _role from _admin interface
+ rpcbind: typo fix
+ git: make inetd interface optional
+ rpc: introduce allow_gssd_write_tmp boolean
+ rpc: allow setgid capability
+ virt: add virt_tmpfs_t type and permissions
+ introduce virt_leaseshelper_t
+ dnsmasq: allow exec shell for scripts
+ snmp: missing fcontext for snmpd
+ pulseaudio: filetrans for autospawn.lock
+ Use init_startstop_service in admin interfaces A-M
+ Use init_startstop_service in admin interfaces N-Z
+ Remove _run() interfaces from _admin()
+ Introduce cron_admin interface
+ rsync: remove rsync_run from admin interface
+ git: allow git_system_t to listen on tcp_sockets
+ hadoop: init_startstop_service() can not take attributes
+ virt: Allow creating qemu guest agent socket
+ virt: Add policy for virtlockd the Virtual machine lock manager
+
+Laurent Bigonville (2):
+ Transition D-Bus system service out of the init_t domain when PID1 is
+ systemd
+ Label iceweasel plugin-container executable as mozilla_plugin_exec_t
+
+Nicolas Iooss (1):
+ wine: remove use of nonexisting interface
+
+Niklas Haas (1):
+ pulse: don't give pulseaudio_client full access to user_home_t
+
+Stephen Smalley (1):
+ contrib: networkmanager: allow netlink_generic_socket access
+
+Sven Vermeulen (6):
+ Locate authdaemon socket and communicate with authdaemon
+ Allow authdaemon to access selinux fs to check SELinux state
+ Grant setuid/setgid to courier_pop_t
+ Execute courier helper script after authentication
+ Courier IMAP needs to manage the users' maildir
+ Fix typo for radiusd /var/lib location
+
+doverride (2):
+ Merge pull request #3 from haasn/pulse-nohome
+ Merge pull request #6 from bigon/mozilla-1
+
* Wed Dec 03 2014 Chris PeBenito <selinux@tresys.com> - 2.20141203
Chris PeBenito (26):
Whitespace fix in ntp.fc.
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-12-17 16:10 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-12-17 16:10 UTC (permalink / raw
To: gentoo-commits
commit: 0f33943959c1bdf50ecd42ca5112c776ca6f141c
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Wed Dec 9 14:45:29 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec 17 15:57:35 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0f339439
Add additional comments in geoclue.
policy/modules/contrib/geoclue.te | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/policy/modules/contrib/geoclue.te b/policy/modules/contrib/geoclue.te
index fc72974..68e6a16 100644
--- a/policy/modules/contrib/geoclue.te
+++ b/policy/modules/contrib/geoclue.te
@@ -1,5 +1,10 @@
policy_module(geoclue, 1.0.0)
+########################################
+#
+# Declarations
+#
+
type geoclue_t;
type geoclue_exec_t;
dbus_system_domain(geoclue_t, geoclue_exec_t)
@@ -10,6 +15,11 @@ files_config_file(geoclue_etc_t)
type geoclue_var_lib_t;
files_type(geoclue_var_lib_t)
+########################################
+#
+# Local policy
+#
+
read_files_pattern(geoclue_t, geoclue_etc_t, geoclue_etc_t)
corenet_tcp_connect_http_port(geoclue_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-12-17 16:10 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-12-17 16:10 UTC (permalink / raw
To: gentoo-commits
commit: 3c56e38a5546282f9a72830af1bca9ea7bd4f043
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Mon Dec 14 15:36:44 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec 17 16:03:28 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3c56e38a
Module version bump for virt and networkmanager patches from Laurent Bigonville.
policy/modules/contrib/networkmanager.te | 2 +-
policy/modules/contrib/virt.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index d4bcc16..6f3f895 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -1,4 +1,4 @@
-policy_module(networkmanager, 1.18.0)
+policy_module(networkmanager, 1.18.1)
########################################
#
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index c689d2f..36f46a2 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1,4 +1,4 @@
-policy_module(virt, 1.9.0)
+policy_module(virt, 1.9.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-12-17 16:10 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-12-17 16:10 UTC (permalink / raw
To: gentoo-commits
commit: b5f2d0dd7c3c533bd0cac83d19ca52e2e3e00342
Author: Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Thu Dec 10 10:47:41 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec 17 15:57:35 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b5f2d0dd
Use auth_use_nsswitch() as we need DNS resolving and access nsswitch.conf
Use auth_use_nsswitch() instead of files_read_etc_files() and
sysnet_dns_name_resolve()
policy/modules/contrib/geoclue.te | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/policy/modules/contrib/geoclue.te b/policy/modules/contrib/geoclue.te
index 68e6a16..34ed075 100644
--- a/policy/modules/contrib/geoclue.te
+++ b/policy/modules/contrib/geoclue.te
@@ -22,18 +22,15 @@ files_type(geoclue_var_lib_t)
read_files_pattern(geoclue_t, geoclue_etc_t, geoclue_etc_t)
+auth_use_nsswitch(geoclue_t)
+
corenet_tcp_connect_http_port(geoclue_t)
dev_read_urand(geoclue_t)
-# Reads /etc/nsswitch.conf
-files_read_etc_files(geoclue_t)
-
miscfiles_read_generic_certs(geoclue_t)
miscfiles_read_localization(geoclue_t)
-sysnet_dns_name_resolve(geoclue_t)
-
optional_policy(`
avahi_dbus_chat(geoclue_t)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-12-17 16:10 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-12-17 16:10 UTC (permalink / raw
To: gentoo-commits
commit: f30bc6343d09e2f08a97d6428b6c1c020892fe05
Author: Dominick Grift <dac.override <AT> gmail <DOT> com>
AuthorDate: Thu Dec 10 11:02:06 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec 17 15:57:35 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f30bc634
Module version bump for changes to the geoclue module by Laurent Bigonville.
Moved auth_use_nsswitch() call to the proper location.
policy/modules/contrib/geoclue.te | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/policy/modules/contrib/geoclue.te b/policy/modules/contrib/geoclue.te
index 34ed075..b8413a5 100644
--- a/policy/modules/contrib/geoclue.te
+++ b/policy/modules/contrib/geoclue.te
@@ -1,4 +1,4 @@
-policy_module(geoclue, 1.0.0)
+policy_module(geoclue, 1.0.1)
########################################
#
@@ -22,12 +22,12 @@ files_type(geoclue_var_lib_t)
read_files_pattern(geoclue_t, geoclue_etc_t, geoclue_etc_t)
-auth_use_nsswitch(geoclue_t)
-
corenet_tcp_connect_http_port(geoclue_t)
dev_read_urand(geoclue_t)
+auth_use_nsswitch(geoclue_t)
+
miscfiles_read_generic_certs(geoclue_t)
miscfiles_read_localization(geoclue_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-12-17 16:10 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-12-17 16:10 UTC (permalink / raw
To: gentoo-commits
commit: 8ae92d308e0631194085b08f3d9db7ba948ca641
Author: Dominick Grift <dac.override <AT> gmail <DOT> com>
AuthorDate: Wed Nov 4 13:54:37 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec 17 15:57:34 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8ae92d30
Module version bump for changes to the mozilla module from Laurent Bigonville.
policy/modules/contrib/mozilla.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
index 6d7bac7..43b5087 100644
--- a/policy/modules/contrib/mozilla.te
+++ b/policy/modules/contrib/mozilla.te
@@ -1,4 +1,4 @@
-policy_module(mozilla, 2.8.0)
+policy_module(mozilla, 2.8.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-12-17 16:10 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-12-17 16:10 UTC (permalink / raw
To: gentoo-commits
commit: 5ffb6f47ebd043d333f603d3dbf9d81119c7133e
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue Dec 8 14:53:02 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec 17 15:57:35 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5ffb6f47
Bump module versions for release.
policy/modules/contrib/abrt.te | 2 +-
policy/modules/contrib/acct.te | 2 +-
policy/modules/contrib/afs.te | 2 +-
policy/modules/contrib/aiccu.te | 2 +-
policy/modules/contrib/aisexec.te | 2 +-
policy/modules/contrib/alsa.te | 2 +-
policy/modules/contrib/amavis.te | 2 +-
policy/modules/contrib/amtu.te | 2 +-
policy/modules/contrib/apache.te | 2 +-
policy/modules/contrib/apcupsd.te | 2 +-
policy/modules/contrib/apm.te | 2 +-
policy/modules/contrib/arpwatch.te | 2 +-
policy/modules/contrib/asterisk.te | 2 +-
policy/modules/contrib/automount.te | 2 +-
policy/modules/contrib/avahi.te | 2 +-
policy/modules/contrib/bacula.te | 2 +-
policy/modules/contrib/bcfg2.te | 2 +-
policy/modules/contrib/bind.te | 2 +-
policy/modules/contrib/bird.te | 2 +-
policy/modules/contrib/bitlbee.te | 2 +-
policy/modules/contrib/bluetooth.te | 2 +-
policy/modules/contrib/boinc.te | 2 +-
policy/modules/contrib/cachefilesd.te | 2 +-
policy/modules/contrib/callweaver.te | 2 +-
policy/modules/contrib/canna.te | 2 +-
policy/modules/contrib/ccs.te | 2 +-
policy/modules/contrib/certmaster.te | 2 +-
policy/modules/contrib/certmonger.te | 2 +-
policy/modules/contrib/cfengine.te | 2 +-
policy/modules/contrib/cgroup.te | 2 +-
policy/modules/contrib/chronyd.te | 2 +-
policy/modules/contrib/cipe.te | 2 +-
policy/modules/contrib/clamav.te | 2 +-
policy/modules/contrib/cmirrord.te | 2 +-
policy/modules/contrib/cobbler.te | 2 +-
policy/modules/contrib/collectd.te | 2 +-
policy/modules/contrib/condor.te | 2 +-
policy/modules/contrib/corosync.te | 2 +-
policy/modules/contrib/couchdb.te | 2 +-
policy/modules/contrib/courier.te | 2 +-
policy/modules/contrib/cron.te | 2 +-
policy/modules/contrib/ctdb.te | 2 +-
policy/modules/contrib/cups.te | 2 +-
policy/modules/contrib/cvs.te | 2 +-
policy/modules/contrib/cyphesis.te | 2 +-
policy/modules/contrib/cyrus.te | 2 +-
policy/modules/contrib/dante.te | 2 +-
policy/modules/contrib/dbus.te | 2 +-
policy/modules/contrib/ddclient.te | 2 +-
policy/modules/contrib/denyhosts.te | 2 +-
policy/modules/contrib/dhcp.te | 2 +-
policy/modules/contrib/dictd.te | 2 +-
policy/modules/contrib/dirmngr.te | 2 +-
policy/modules/contrib/distcc.te | 2 +-
policy/modules/contrib/dkim.te | 2 +-
policy/modules/contrib/dnsmasq.te | 2 +-
policy/modules/contrib/dnssectrigger.te | 2 +-
policy/modules/contrib/dovecot.te | 2 +-
policy/modules/contrib/drbd.te | 2 +-
policy/modules/contrib/dspam.te | 2 +-
policy/modules/contrib/entropyd.te | 2 +-
policy/modules/contrib/exim.te | 2 +-
policy/modules/contrib/fail2ban.te | 2 +-
policy/modules/contrib/fcoe.te | 2 +-
policy/modules/contrib/fetchmail.te | 2 +-
policy/modules/contrib/firewalld.te | 2 +-
policy/modules/contrib/ftp.te | 2 +-
policy/modules/contrib/gatekeeper.te | 2 +-
policy/modules/contrib/gdomap.te | 2 +-
policy/modules/contrib/git.te | 2 +-
policy/modules/contrib/glance.te | 2 +-
policy/modules/contrib/glusterfs.te | 2 +-
policy/modules/contrib/gpm.te | 2 +-
policy/modules/contrib/gpsd.te | 2 +-
policy/modules/contrib/hadoop.te | 2 +-
policy/modules/contrib/hddtemp.te | 2 +-
policy/modules/contrib/howl.te | 2 +-
policy/modules/contrib/hypervkvp.te | 2 +-
policy/modules/contrib/i18n_input.te | 2 +-
policy/modules/contrib/icecast.te | 2 +-
policy/modules/contrib/ifplugd.te | 2 +-
policy/modules/contrib/inn.te | 2 +-
policy/modules/contrib/iodine.te | 2 +-
policy/modules/contrib/ircd.te | 2 +-
policy/modules/contrib/irqbalance.te | 2 +-
policy/modules/contrib/iscsi.te | 2 +-
policy/modules/contrib/isns.te | 2 +-
policy/modules/contrib/jabber.te | 2 +-
policy/modules/contrib/kdump.te | 2 +-
policy/modules/contrib/kerberos.te | 2 +-
policy/modules/contrib/kerneloops.te | 2 +-
policy/modules/contrib/keystone.te | 2 +-
policy/modules/contrib/kismet.te | 2 +-
policy/modules/contrib/ksmtuned.te | 2 +-
policy/modules/contrib/kudzu.te | 2 +-
policy/modules/contrib/l2tp.te | 2 +-
policy/modules/contrib/ldap.te | 2 +-
policy/modules/contrib/likewise.te | 2 +-
policy/modules/contrib/lircd.te | 2 +-
policy/modules/contrib/lldpad.te | 2 +-
policy/modules/contrib/logrotate.te | 2 +-
policy/modules/contrib/mailscanner.te | 2 +-
policy/modules/contrib/mandb.te | 2 +-
policy/modules/contrib/mcelog.te | 2 +-
policy/modules/contrib/memcached.te | 2 +-
policy/modules/contrib/minissdpd.te | 2 +-
policy/modules/contrib/mongodb.te | 2 +-
policy/modules/contrib/monop.te | 2 +-
policy/modules/contrib/mozilla.te | 2 +-
policy/modules/contrib/mpd.te | 2 +-
policy/modules/contrib/mrtg.te | 2 +-
policy/modules/contrib/munin.te | 2 +-
policy/modules/contrib/mysql.te | 2 +-
policy/modules/contrib/nagios.te | 2 +-
policy/modules/contrib/nessus.te | 2 +-
policy/modules/contrib/networkmanager.te | 2 +-
policy/modules/contrib/nis.te | 2 +-
policy/modules/contrib/nscd.te | 2 +-
policy/modules/contrib/nsd.te | 2 +-
policy/modules/contrib/nslcd.te | 2 +-
policy/modules/contrib/ntop.te | 2 +-
policy/modules/contrib/ntp.te | 2 +-
policy/modules/contrib/numad.te | 2 +-
policy/modules/contrib/nut.te | 2 +-
policy/modules/contrib/oident.te | 2 +-
policy/modules/contrib/openct.te | 2 +-
policy/modules/contrib/openhpi.te | 2 +-
policy/modules/contrib/openvpn.te | 2 +-
policy/modules/contrib/openvswitch.te | 2 +-
policy/modules/contrib/pacemaker.te | 2 +-
policy/modules/contrib/pads.te | 2 +-
policy/modules/contrib/pcscd.te | 2 +-
policy/modules/contrib/pegasus.te | 2 +-
policy/modules/contrib/perdition.te | 2 +-
policy/modules/contrib/pingd.te | 2 +-
policy/modules/contrib/pkcs.te | 2 +-
policy/modules/contrib/plymouthd.te | 2 +-
policy/modules/contrib/policykit.te | 2 +-
policy/modules/contrib/polipo.te | 2 +-
policy/modules/contrib/portmap.te | 2 +-
policy/modules/contrib/portreserve.te | 2 +-
policy/modules/contrib/postfix.te | 2 +-
policy/modules/contrib/postfixpolicyd.te | 2 +-
policy/modules/contrib/postgrey.te | 2 +-
policy/modules/contrib/ppp.te | 2 +-
policy/modules/contrib/prelude.te | 2 +-
policy/modules/contrib/privoxy.te | 2 +-
policy/modules/contrib/psad.te | 2 +-
policy/modules/contrib/pulseaudio.te | 2 +-
policy/modules/contrib/puppet.te | 2 +-
policy/modules/contrib/pxe.te | 2 +-
policy/modules/contrib/pyicqt.te | 2 +-
policy/modules/contrib/pyzor.te | 2 +-
policy/modules/contrib/qemu.te | 2 +-
policy/modules/contrib/qpid.te | 2 +-
policy/modules/contrib/quantum.te | 2 +-
policy/modules/contrib/quota.te | 2 +-
policy/modules/contrib/rabbitmq.te | 2 +-
policy/modules/contrib/radius.te | 2 +-
policy/modules/contrib/radvd.te | 2 +-
policy/modules/contrib/raid.te | 2 +-
policy/modules/contrib/redis.te | 2 +-
policy/modules/contrib/resmgr.te | 2 +-
policy/modules/contrib/rgmanager.te | 2 +-
policy/modules/contrib/rhcs.te | 2 +-
policy/modules/contrib/rhsmcertd.te | 2 +-
policy/modules/contrib/ricci.te | 2 +-
policy/modules/contrib/rngd.te | 2 +-
policy/modules/contrib/roundup.te | 2 +-
policy/modules/contrib/rpc.te | 2 +-
policy/modules/contrib/rpcbind.te | 2 +-
policy/modules/contrib/rpm.te | 2 +-
policy/modules/contrib/rsync.te | 2 +-
policy/modules/contrib/rtkit.te | 2 +-
policy/modules/contrib/rwho.te | 2 +-
policy/modules/contrib/samba.te | 2 +-
policy/modules/contrib/samhain.te | 2 +-
policy/modules/contrib/sanlock.te | 2 +-
policy/modules/contrib/sasl.te | 2 +-
policy/modules/contrib/sblim.te | 2 +-
policy/modules/contrib/sendmail.te | 2 +-
policy/modules/contrib/sensord.te | 2 +-
policy/modules/contrib/shorewall.te | 2 +-
policy/modules/contrib/shutdown.te | 2 +-
policy/modules/contrib/slpd.te | 2 +-
policy/modules/contrib/smartmon.te | 2 +-
policy/modules/contrib/smokeping.te | 2 +-
policy/modules/contrib/smstools.te | 2 +-
policy/modules/contrib/snmp.te | 2 +-
policy/modules/contrib/snort.te | 2 +-
policy/modules/contrib/soundserver.te | 2 +-
policy/modules/contrib/spamassassin.te | 2 +-
policy/modules/contrib/squid.te | 2 +-
policy/modules/contrib/sssd.te | 2 +-
policy/modules/contrib/svnserve.te | 2 +-
policy/modules/contrib/sysstat.te | 2 +-
policy/modules/contrib/systemtap.te | 2 +-
policy/modules/contrib/tcsd.te | 2 +-
policy/modules/contrib/tgtd.te | 2 +-
policy/modules/contrib/tor.te | 2 +-
policy/modules/contrib/transproxy.te | 2 +-
policy/modules/contrib/tuned.te | 2 +-
policy/modules/contrib/ulogd.te | 2 +-
policy/modules/contrib/uptime.te | 2 +-
policy/modules/contrib/uucp.te | 2 +-
policy/modules/contrib/uuidd.te | 2 +-
policy/modules/contrib/varnishd.te | 2 +-
policy/modules/contrib/vdagent.te | 2 +-
policy/modules/contrib/vhostmd.te | 2 +-
policy/modules/contrib/virt.te | 2 +-
policy/modules/contrib/vnstatd.te | 2 +-
policy/modules/contrib/watchdog.te | 2 +-
policy/modules/contrib/wdmd.te | 2 +-
policy/modules/contrib/wine.te | 2 +-
policy/modules/contrib/xfs.te | 2 +-
policy/modules/contrib/zabbix.te | 2 +-
policy/modules/contrib/zarafa.te | 2 +-
policy/modules/contrib/zebra.te | 2 +-
218 files changed, 218 insertions(+), 218 deletions(-)
diff --git a/policy/modules/contrib/abrt.te b/policy/modules/contrib/abrt.te
index dedf055..c83fba6 100644
--- a/policy/modules/contrib/abrt.te
+++ b/policy/modules/contrib/abrt.te
@@ -1,4 +1,4 @@
-policy_module(abrt, 1.5.1)
+policy_module(abrt, 1.6.0)
########################################
#
diff --git a/policy/modules/contrib/acct.te b/policy/modules/contrib/acct.te
index 7d6e06d..6f6fd13 100644
--- a/policy/modules/contrib/acct.te
+++ b/policy/modules/contrib/acct.te
@@ -1,4 +1,4 @@
-policy_module(acct, 1.6.1)
+policy_module(acct, 1.7.0)
########################################
#
diff --git a/policy/modules/contrib/afs.te b/policy/modules/contrib/afs.te
index c2840ba..e685b5d 100644
--- a/policy/modules/contrib/afs.te
+++ b/policy/modules/contrib/afs.te
@@ -1,4 +1,4 @@
-policy_module(afs, 1.9.3)
+policy_module(afs, 1.10.0)
########################################
#
diff --git a/policy/modules/contrib/aiccu.te b/policy/modules/contrib/aiccu.te
index 44a23e6..de1c465 100644
--- a/policy/modules/contrib/aiccu.te
+++ b/policy/modules/contrib/aiccu.te
@@ -1,4 +1,4 @@
-policy_module(aiccu, 1.1.1)
+policy_module(aiccu, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/aisexec.te b/policy/modules/contrib/aisexec.te
index 73e7382..6270b44 100644
--- a/policy/modules/contrib/aisexec.te
+++ b/policy/modules/contrib/aisexec.te
@@ -1,4 +1,4 @@
-policy_module(aisexec, 1.2.1)
+policy_module(aisexec, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/alsa.te b/policy/modules/contrib/alsa.te
index d325af4..17bb145 100644
--- a/policy/modules/contrib/alsa.te
+++ b/policy/modules/contrib/alsa.te
@@ -1,4 +1,4 @@
-policy_module(alsa, 1.14.1)
+policy_module(alsa, 1.15.0)
########################################
#
diff --git a/policy/modules/contrib/amavis.te b/policy/modules/contrib/amavis.te
index 1214ac1..2c9313e 100644
--- a/policy/modules/contrib/amavis.te
+++ b/policy/modules/contrib/amavis.te
@@ -1,4 +1,4 @@
-policy_module(amavis, 1.15.1)
+policy_module(amavis, 1.16.0)
########################################
#
diff --git a/policy/modules/contrib/amtu.te b/policy/modules/contrib/amtu.te
index 918580d..9342d56 100644
--- a/policy/modules/contrib/amtu.te
+++ b/policy/modules/contrib/amtu.te
@@ -1,4 +1,4 @@
-policy_module(amtu, 1.3.1)
+policy_module(amtu, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index a7fd097..d3299a2 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -1,4 +1,4 @@
-policy_module(apache, 2.9.1)
+policy_module(apache, 2.10.0)
########################################
#
diff --git a/policy/modules/contrib/apcupsd.te b/policy/modules/contrib/apcupsd.te
index 407ca94..d5bf5bd 100644
--- a/policy/modules/contrib/apcupsd.te
+++ b/policy/modules/contrib/apcupsd.te
@@ -1,4 +1,4 @@
-policy_module(apcupsd, 1.9.1)
+policy_module(apcupsd, 1.10.0)
########################################
#
diff --git a/policy/modules/contrib/apm.te b/policy/modules/contrib/apm.te
index b6e5447..d6344dc 100644
--- a/policy/modules/contrib/apm.te
+++ b/policy/modules/contrib/apm.te
@@ -1,4 +1,4 @@
-policy_module(apm, 1.13.1)
+policy_module(apm, 1.14.0)
########################################
#
diff --git a/policy/modules/contrib/arpwatch.te b/policy/modules/contrib/arpwatch.te
index f52071c..97ecc55 100644
--- a/policy/modules/contrib/arpwatch.te
+++ b/policy/modules/contrib/arpwatch.te
@@ -1,4 +1,4 @@
-policy_module(arpwatch, 1.11.1)
+policy_module(arpwatch, 1.12.0)
########################################
#
diff --git a/policy/modules/contrib/asterisk.te b/policy/modules/contrib/asterisk.te
index f51e183..fc25311 100644
--- a/policy/modules/contrib/asterisk.te
+++ b/policy/modules/contrib/asterisk.te
@@ -1,4 +1,4 @@
-policy_module(asterisk, 1.14.1)
+policy_module(asterisk, 1.15.0)
########################################
#
diff --git a/policy/modules/contrib/automount.te b/policy/modules/contrib/automount.te
index 6c5e7ed..be5adee 100644
--- a/policy/modules/contrib/automount.te
+++ b/policy/modules/contrib/automount.te
@@ -1,4 +1,4 @@
-policy_module(automount, 1.15.1)
+policy_module(automount, 1.16.0)
########################################
#
diff --git a/policy/modules/contrib/avahi.te b/policy/modules/contrib/avahi.te
index bb06564..461cef0 100644
--- a/policy/modules/contrib/avahi.te
+++ b/policy/modules/contrib/avahi.te
@@ -1,4 +1,4 @@
-policy_module(avahi, 1.15.2)
+policy_module(avahi, 1.16.0)
########################################
#
diff --git a/policy/modules/contrib/bacula.te b/policy/modules/contrib/bacula.te
index a69da67..16b89e7 100644
--- a/policy/modules/contrib/bacula.te
+++ b/policy/modules/contrib/bacula.te
@@ -1,4 +1,4 @@
-policy_module(bacula, 1.2.2)
+policy_module(bacula, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/bcfg2.te b/policy/modules/contrib/bcfg2.te
index 8709020..d723140 100644
--- a/policy/modules/contrib/bcfg2.te
+++ b/policy/modules/contrib/bcfg2.te
@@ -1,4 +1,4 @@
-policy_module(bcfg2, 1.1.1)
+policy_module(bcfg2, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/bind.te b/policy/modules/contrib/bind.te
index dd8f70d..6991aeb 100644
--- a/policy/modules/contrib/bind.te
+++ b/policy/modules/contrib/bind.te
@@ -1,4 +1,4 @@
-policy_module(bind, 1.15.2)
+policy_module(bind, 1.16.0)
########################################
#
diff --git a/policy/modules/contrib/bird.te b/policy/modules/contrib/bird.te
index 2f6c545..eac303e 100644
--- a/policy/modules/contrib/bird.te
+++ b/policy/modules/contrib/bird.te
@@ -1,4 +1,4 @@
-policy_module(bird, 1.1.1)
+policy_module(bird, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/bitlbee.te b/policy/modules/contrib/bitlbee.te
index 45d8a4b..8f95e0c 100644
--- a/policy/modules/contrib/bitlbee.te
+++ b/policy/modules/contrib/bitlbee.te
@@ -1,4 +1,4 @@
-policy_module(bitlbee, 1.5.1)
+policy_module(bitlbee, 1.6.0)
########################################
#
diff --git a/policy/modules/contrib/bluetooth.te b/policy/modules/contrib/bluetooth.te
index 0c99cd9..f44a616 100644
--- a/policy/modules/contrib/bluetooth.te
+++ b/policy/modules/contrib/bluetooth.te
@@ -1,4 +1,4 @@
-policy_module(bluetooth, 3.5.2)
+policy_module(bluetooth, 3.6.0)
########################################
#
diff --git a/policy/modules/contrib/boinc.te b/policy/modules/contrib/boinc.te
index 4ada99d..c24cb7b 100644
--- a/policy/modules/contrib/boinc.te
+++ b/policy/modules/contrib/boinc.te
@@ -1,4 +1,4 @@
-policy_module(boinc, 1.2.1)
+policy_module(boinc, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/cachefilesd.te b/policy/modules/contrib/cachefilesd.te
index 4e5a1a1..cf07bb4 100644
--- a/policy/modules/contrib/cachefilesd.te
+++ b/policy/modules/contrib/cachefilesd.te
@@ -1,4 +1,4 @@
-policy_module(cachefilesd, 1.1.3)
+policy_module(cachefilesd, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/callweaver.te b/policy/modules/contrib/callweaver.te
index 9218e45..93486b9 100644
--- a/policy/modules/contrib/callweaver.te
+++ b/policy/modules/contrib/callweaver.te
@@ -1,4 +1,4 @@
-policy_module(callweaver, 1.1.1)
+policy_module(callweaver, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/canna.te b/policy/modules/contrib/canna.te
index 9ee10b6..a35f192 100644
--- a/policy/modules/contrib/canna.te
+++ b/policy/modules/contrib/canna.te
@@ -1,4 +1,4 @@
-policy_module(canna, 1.12.1)
+policy_module(canna, 1.13.0)
########################################
#
diff --git a/policy/modules/contrib/ccs.te b/policy/modules/contrib/ccs.te
index 88cc4ad..1d02e63 100644
--- a/policy/modules/contrib/ccs.te
+++ b/policy/modules/contrib/ccs.te
@@ -1,4 +1,4 @@
-policy_module(ccs, 1.8.1)
+policy_module(ccs, 1.9.0)
########################################
#
diff --git a/policy/modules/contrib/certmaster.te b/policy/modules/contrib/certmaster.te
index 5ab985b..79b8ffc 100644
--- a/policy/modules/contrib/certmaster.te
+++ b/policy/modules/contrib/certmaster.te
@@ -1,4 +1,4 @@
-policy_module(certmaster, 1.3.1)
+policy_module(certmaster, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/certmonger.te b/policy/modules/contrib/certmonger.te
index 2d5ecbc..7c3126e 100644
--- a/policy/modules/contrib/certmonger.te
+++ b/policy/modules/contrib/certmonger.te
@@ -1,4 +1,4 @@
-policy_module(certmonger, 1.2.1)
+policy_module(certmonger, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/cfengine.te b/policy/modules/contrib/cfengine.te
index 2fff324..c888ff2 100644
--- a/policy/modules/contrib/cfengine.te
+++ b/policy/modules/contrib/cfengine.te
@@ -1,4 +1,4 @@
-policy_module(cfengine, 1.1.1)
+policy_module(cfengine, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/cgroup.te b/policy/modules/contrib/cgroup.te
index 82c0c0c..d96a8f6 100644
--- a/policy/modules/contrib/cgroup.te
+++ b/policy/modules/contrib/cgroup.te
@@ -1,4 +1,4 @@
-policy_module(cgroup, 1.2.1)
+policy_module(cgroup, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/chronyd.te b/policy/modules/contrib/chronyd.te
index c0d266e..845b9c4 100644
--- a/policy/modules/contrib/chronyd.te
+++ b/policy/modules/contrib/chronyd.te
@@ -1,4 +1,4 @@
-policy_module(chronyd, 1.2.2)
+policy_module(chronyd, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/cipe.te b/policy/modules/contrib/cipe.te
index 76c1954..e2a5c13 100644
--- a/policy/modules/contrib/cipe.te
+++ b/policy/modules/contrib/cipe.te
@@ -1,4 +1,4 @@
-policy_module(cipe, 1.6.1)
+policy_module(cipe, 1.7.0)
########################################
#
diff --git a/policy/modules/contrib/clamav.te b/policy/modules/contrib/clamav.te
index cdb3492..c157b65 100644
--- a/policy/modules/contrib/clamav.te
+++ b/policy/modules/contrib/clamav.te
@@ -1,4 +1,4 @@
-policy_module(clamav, 1.11.1)
+policy_module(clamav, 1.12.0)
## <desc>
## <p>
diff --git a/policy/modules/contrib/cmirrord.te b/policy/modules/contrib/cmirrord.te
index 45bdca7..6caace1 100644
--- a/policy/modules/contrib/cmirrord.te
+++ b/policy/modules/contrib/cmirrord.te
@@ -1,4 +1,4 @@
-policy_module(cmirrord, 1.1.1)
+policy_module(cmirrord, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/cobbler.te b/policy/modules/contrib/cobbler.te
index e81dcc4..6177ef4 100644
--- a/policy/modules/contrib/cobbler.te
+++ b/policy/modules/contrib/cobbler.te
@@ -1,4 +1,4 @@
-policy_module(cobbler, 1.2.1)
+policy_module(cobbler, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/collectd.te b/policy/modules/contrib/collectd.te
index 07fb350..0dfb1c5 100644
--- a/policy/modules/contrib/collectd.te
+++ b/policy/modules/contrib/collectd.te
@@ -1,4 +1,4 @@
-policy_module(collectd, 1.0.1)
+policy_module(collectd, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/condor.te b/policy/modules/contrib/condor.te
index 7b0092e..c642e06 100644
--- a/policy/modules/contrib/condor.te
+++ b/policy/modules/contrib/condor.te
@@ -1,4 +1,4 @@
-policy_module(condor, 1.2.1)
+policy_module(condor, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/corosync.te b/policy/modules/contrib/corosync.te
index fa18d76..7ee058f 100644
--- a/policy/modules/contrib/corosync.te
+++ b/policy/modules/contrib/corosync.te
@@ -1,4 +1,4 @@
-policy_module(corosync, 1.1.1)
+policy_module(corosync, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/couchdb.te b/policy/modules/contrib/couchdb.te
index cd5f079..c0f68c2 100644
--- a/policy/modules/contrib/couchdb.te
+++ b/policy/modules/contrib/couchdb.te
@@ -1,4 +1,4 @@
-policy_module(couchdb, 1.3.1)
+policy_module(couchdb, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/courier.te b/policy/modules/contrib/courier.te
index dd23992..3db053f 100644
--- a/policy/modules/contrib/courier.te
+++ b/policy/modules/contrib/courier.te
@@ -1,4 +1,4 @@
-policy_module(courier, 1.14.1)
+policy_module(courier, 1.15.0)
########################################
#
diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te
index d22885f..523b8cb 100644
--- a/policy/modules/contrib/cron.te
+++ b/policy/modules/contrib/cron.te
@@ -1,4 +1,4 @@
-policy_module(cron, 2.8.1)
+policy_module(cron, 2.9.0)
gen_require(`
class passwd rootok;
diff --git a/policy/modules/contrib/ctdb.te b/policy/modules/contrib/ctdb.te
index d1fad83..e4cc9dc 100644
--- a/policy/modules/contrib/ctdb.te
+++ b/policy/modules/contrib/ctdb.te
@@ -1,4 +1,4 @@
-policy_module(ctdb, 1.2.1)
+policy_module(ctdb, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te
index b5ff529..1edccbe 100644
--- a/policy/modules/contrib/cups.te
+++ b/policy/modules/contrib/cups.te
@@ -1,4 +1,4 @@
-policy_module(cups, 1.18.2)
+policy_module(cups, 1.19.0)
########################################
#
diff --git a/policy/modules/contrib/cvs.te b/policy/modules/contrib/cvs.te
index 47a4822..6b8f836 100644
--- a/policy/modules/contrib/cvs.te
+++ b/policy/modules/contrib/cvs.te
@@ -1,4 +1,4 @@
-policy_module(cvs, 1.11.1)
+policy_module(cvs, 1.12.0)
########################################
#
diff --git a/policy/modules/contrib/cyphesis.te b/policy/modules/contrib/cyphesis.te
index 956a7ab..0262cf1 100644
--- a/policy/modules/contrib/cyphesis.te
+++ b/policy/modules/contrib/cyphesis.te
@@ -1,4 +1,4 @@
-policy_module(cyphesis, 1.3.1)
+policy_module(cyphesis, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/cyrus.te b/policy/modules/contrib/cyrus.te
index c43ee11..9707c7e 100644
--- a/policy/modules/contrib/cyrus.te
+++ b/policy/modules/contrib/cyrus.te
@@ -1,4 +1,4 @@
-policy_module(cyrus, 1.14.1)
+policy_module(cyrus, 1.15.0)
########################################
#
diff --git a/policy/modules/contrib/dante.te b/policy/modules/contrib/dante.te
index 4c86835..67c9ad7 100644
--- a/policy/modules/contrib/dante.te
+++ b/policy/modules/contrib/dante.te
@@ -1,4 +1,4 @@
-policy_module(dante, 1.9.1)
+policy_module(dante, 1.10.0)
########################################
#
diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index 7677478..0f1d8a7 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -1,4 +1,4 @@
-policy_module(dbus, 1.20.2)
+policy_module(dbus, 1.21.0)
gen_require(`
class dbus all_dbus_perms;
diff --git a/policy/modules/contrib/ddclient.te b/policy/modules/contrib/ddclient.te
index b4fc53f..396b3fb 100644
--- a/policy/modules/contrib/ddclient.te
+++ b/policy/modules/contrib/ddclient.te
@@ -1,4 +1,4 @@
-policy_module(ddclient, 1.10.1)
+policy_module(ddclient, 1.11.0)
########################################
#
diff --git a/policy/modules/contrib/denyhosts.te b/policy/modules/contrib/denyhosts.te
index 9d3ca70..342e623 100644
--- a/policy/modules/contrib/denyhosts.te
+++ b/policy/modules/contrib/denyhosts.te
@@ -1,4 +1,4 @@
-policy_module(denyhosts, 1.1.1)
+policy_module(denyhosts, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/dhcp.te b/policy/modules/contrib/dhcp.te
index c7d00ed..2d64a81 100644
--- a/policy/modules/contrib/dhcp.te
+++ b/policy/modules/contrib/dhcp.te
@@ -1,4 +1,4 @@
-policy_module(dhcp, 1.11.1)
+policy_module(dhcp, 1.12.0)
########################################
#
diff --git a/policy/modules/contrib/dictd.te b/policy/modules/contrib/dictd.te
index 15582e2..f475605 100644
--- a/policy/modules/contrib/dictd.te
+++ b/policy/modules/contrib/dictd.te
@@ -1,4 +1,4 @@
-policy_module(dictd, 1.8.1)
+policy_module(dictd, 1.9.0)
########################################
#
diff --git a/policy/modules/contrib/dirmngr.te b/policy/modules/contrib/dirmngr.te
index d0d9241..7f03616 100644
--- a/policy/modules/contrib/dirmngr.te
+++ b/policy/modules/contrib/dirmngr.te
@@ -1,4 +1,4 @@
-policy_module(dirmngr, 1.0.1)
+policy_module(dirmngr, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/distcc.te b/policy/modules/contrib/distcc.te
index 2378d0c..44c3eed 100644
--- a/policy/modules/contrib/distcc.te
+++ b/policy/modules/contrib/distcc.te
@@ -1,4 +1,4 @@
-policy_module(distcc, 1.10.1)
+policy_module(distcc, 1.11.0)
########################################
#
diff --git a/policy/modules/contrib/dkim.te b/policy/modules/contrib/dkim.te
index 925ca6f..e2e44eb 100644
--- a/policy/modules/contrib/dkim.te
+++ b/policy/modules/contrib/dkim.te
@@ -1,4 +1,4 @@
-policy_module(dkim, 1.3.1)
+policy_module(dkim, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/dnsmasq.te b/policy/modules/contrib/dnsmasq.te
index 601831b..5a9f0fe 100644
--- a/policy/modules/contrib/dnsmasq.te
+++ b/policy/modules/contrib/dnsmasq.te
@@ -1,4 +1,4 @@
-policy_module(dnsmasq, 1.12.4)
+policy_module(dnsmasq, 1.13.0)
########################################
#
diff --git a/policy/modules/contrib/dnssectrigger.te b/policy/modules/contrib/dnssectrigger.te
index 181540f..c0e01a5 100644
--- a/policy/modules/contrib/dnssectrigger.te
+++ b/policy/modules/contrib/dnssectrigger.te
@@ -1,4 +1,4 @@
-policy_module(dnssectrigger, 1.1.1)
+policy_module(dnssectrigger, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/dovecot.te b/policy/modules/contrib/dovecot.te
index 8e6b35e..19e32af 100644
--- a/policy/modules/contrib/dovecot.te
+++ b/policy/modules/contrib/dovecot.te
@@ -1,4 +1,4 @@
-policy_module(dovecot, 1.17.1)
+policy_module(dovecot, 1.18.0)
########################################
#
diff --git a/policy/modules/contrib/drbd.te b/policy/modules/contrib/drbd.te
index d89520c..0d8ed27 100644
--- a/policy/modules/contrib/drbd.te
+++ b/policy/modules/contrib/drbd.te
@@ -1,4 +1,4 @@
-policy_module(drbd, 1.1.1)
+policy_module(drbd, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/dspam.te b/policy/modules/contrib/dspam.te
index 0a36018..4259fbc 100644
--- a/policy/modules/contrib/dspam.te
+++ b/policy/modules/contrib/dspam.te
@@ -1,4 +1,4 @@
-policy_module(dspam, 1.1.1)
+policy_module(dspam, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/entropyd.te b/policy/modules/contrib/entropyd.te
index 2f71ed6..e82f4f5 100644
--- a/policy/modules/contrib/entropyd.te
+++ b/policy/modules/contrib/entropyd.te
@@ -1,4 +1,4 @@
-policy_module(entropyd, 1.8.1)
+policy_module(entropyd, 1.9.0)
########################################
#
diff --git a/policy/modules/contrib/exim.te b/policy/modules/contrib/exim.te
index b3c7066..ce4336d 100644
--- a/policy/modules/contrib/exim.te
+++ b/policy/modules/contrib/exim.te
@@ -1,4 +1,4 @@
-policy_module(exim, 1.8.1)
+policy_module(exim, 1.9.0)
########################################
#
diff --git a/policy/modules/contrib/fail2ban.te b/policy/modules/contrib/fail2ban.te
index bc6bd8e..5654c4e 100644
--- a/policy/modules/contrib/fail2ban.te
+++ b/policy/modules/contrib/fail2ban.te
@@ -1,4 +1,4 @@
-policy_module(fail2ban, 1.5.1)
+policy_module(fail2ban, 1.6.0)
########################################
#
diff --git a/policy/modules/contrib/fcoe.te b/policy/modules/contrib/fcoe.te
index 9719a51..384ac0e 100644
--- a/policy/modules/contrib/fcoe.te
+++ b/policy/modules/contrib/fcoe.te
@@ -1,4 +1,4 @@
-policy_module(fcoe, 1.1.1)
+policy_module(fcoe, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/fetchmail.te b/policy/modules/contrib/fetchmail.te
index 0c1c51a..580548d 100644
--- a/policy/modules/contrib/fetchmail.te
+++ b/policy/modules/contrib/fetchmail.te
@@ -1,4 +1,4 @@
-policy_module(fetchmail, 1.14.1)
+policy_module(fetchmail, 1.15.0)
########################################
#
diff --git a/policy/modules/contrib/firewalld.te b/policy/modules/contrib/firewalld.te
index 781295c..742a951 100644
--- a/policy/modules/contrib/firewalld.te
+++ b/policy/modules/contrib/firewalld.te
@@ -1,4 +1,4 @@
-policy_module(firewalld, 1.2.1)
+policy_module(firewalld, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/ftp.te b/policy/modules/contrib/ftp.te
index 7a1ec37..774bc9e 100644
--- a/policy/modules/contrib/ftp.te
+++ b/policy/modules/contrib/ftp.te
@@ -1,4 +1,4 @@
-policy_module(ftp, 1.17.1)
+policy_module(ftp, 1.18.0)
########################################
#
diff --git a/policy/modules/contrib/gatekeeper.te b/policy/modules/contrib/gatekeeper.te
index 25093fd..ad84ce6 100644
--- a/policy/modules/contrib/gatekeeper.te
+++ b/policy/modules/contrib/gatekeeper.te
@@ -1,4 +1,4 @@
-policy_module(gatekeeper, 1.8.1)
+policy_module(gatekeeper, 1.9.0)
########################################
#
diff --git a/policy/modules/contrib/gdomap.te b/policy/modules/contrib/gdomap.te
index 2f2df8c..1e6bd25 100644
--- a/policy/modules/contrib/gdomap.te
+++ b/policy/modules/contrib/gdomap.te
@@ -1,4 +1,4 @@
-policy_module(gdomap, 1.1.1)
+policy_module(gdomap, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/git.te b/policy/modules/contrib/git.te
index 27e68f3..45b25f0 100644
--- a/policy/modules/contrib/git.te
+++ b/policy/modules/contrib/git.te
@@ -1,4 +1,4 @@
-policy_module(git, 1.5.2)
+policy_module(git, 1.6.0)
########################################
#
diff --git a/policy/modules/contrib/glance.te b/policy/modules/contrib/glance.te
index 7bfd3a8..75d7ef2 100644
--- a/policy/modules/contrib/glance.te
+++ b/policy/modules/contrib/glance.te
@@ -1,4 +1,4 @@
-policy_module(glance, 1.1.1)
+policy_module(glance, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/glusterfs.te b/policy/modules/contrib/glusterfs.te
index 49e52ce..5584606 100644
--- a/policy/modules/contrib/glusterfs.te
+++ b/policy/modules/contrib/glusterfs.te
@@ -1,4 +1,4 @@
-policy_module(glusterfs, 1.2.1)
+policy_module(glusterfs, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/gpm.te b/policy/modules/contrib/gpm.te
index ef16279..ebd73b3 100644
--- a/policy/modules/contrib/gpm.te
+++ b/policy/modules/contrib/gpm.te
@@ -1,4 +1,4 @@
-policy_module(gpm, 1.9.1)
+policy_module(gpm, 1.10.0)
########################################
#
diff --git a/policy/modules/contrib/gpsd.te b/policy/modules/contrib/gpsd.te
index d57a144..d925ff1 100644
--- a/policy/modules/contrib/gpsd.te
+++ b/policy/modules/contrib/gpsd.te
@@ -1,4 +1,4 @@
-policy_module(gpsd, 1.2.1)
+policy_module(gpsd, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/hadoop.te b/policy/modules/contrib/hadoop.te
index b9ffe96..d98fd27 100644
--- a/policy/modules/contrib/hadoop.te
+++ b/policy/modules/contrib/hadoop.te
@@ -1,4 +1,4 @@
-policy_module(hadoop, 1.3.3)
+policy_module(hadoop, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/hddtemp.te b/policy/modules/contrib/hddtemp.te
index 23f5a54..90b148e 100644
--- a/policy/modules/contrib/hddtemp.te
+++ b/policy/modules/contrib/hddtemp.te
@@ -1,4 +1,4 @@
-policy_module(hddtemp, 1.2.1)
+policy_module(hddtemp, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/howl.te b/policy/modules/contrib/howl.te
index 626a92c..f1023b3 100644
--- a/policy/modules/contrib/howl.te
+++ b/policy/modules/contrib/howl.te
@@ -1,4 +1,4 @@
-policy_module(howl, 1.10.1)
+policy_module(howl, 1.11.0)
########################################
#
diff --git a/policy/modules/contrib/hypervkvp.te b/policy/modules/contrib/hypervkvp.te
index 1359b2a..5f3e48d 100644
--- a/policy/modules/contrib/hypervkvp.te
+++ b/policy/modules/contrib/hypervkvp.te
@@ -1,4 +1,4 @@
-policy_module(hypervkvp, 1.0.1)
+policy_module(hypervkvp, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/i18n_input.te b/policy/modules/contrib/i18n_input.te
index 069305c..3c8bd53 100644
--- a/policy/modules/contrib/i18n_input.te
+++ b/policy/modules/contrib/i18n_input.te
@@ -1,4 +1,4 @@
-policy_module(i18n_input, 1.9.1)
+policy_module(i18n_input, 1.10.0)
########################################
#
diff --git a/policy/modules/contrib/icecast.te b/policy/modules/contrib/icecast.te
index b44b952..13ed013 100644
--- a/policy/modules/contrib/icecast.te
+++ b/policy/modules/contrib/icecast.te
@@ -1,4 +1,4 @@
-policy_module(icecast, 1.2.1)
+policy_module(icecast, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/ifplugd.te b/policy/modules/contrib/ifplugd.te
index 8154360..85ce6de 100644
--- a/policy/modules/contrib/ifplugd.te
+++ b/policy/modules/contrib/ifplugd.te
@@ -1,4 +1,4 @@
-policy_module(ifplugd, 1.1.1)
+policy_module(ifplugd, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/inn.te b/policy/modules/contrib/inn.te
index bf33eb4..c32275e 100644
--- a/policy/modules/contrib/inn.te
+++ b/policy/modules/contrib/inn.te
@@ -1,4 +1,4 @@
-policy_module(inn, 1.11.1)
+policy_module(inn, 1.12.0)
########################################
#
diff --git a/policy/modules/contrib/iodine.te b/policy/modules/contrib/iodine.te
index 61572da..6eb8409 100644
--- a/policy/modules/contrib/iodine.te
+++ b/policy/modules/contrib/iodine.te
@@ -1,4 +1,4 @@
-policy_module(iodine, 1.1.1)
+policy_module(iodine, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/ircd.te b/policy/modules/contrib/ircd.te
index 1682d5c..3f1f63e 100644
--- a/policy/modules/contrib/ircd.te
+++ b/policy/modules/contrib/ircd.te
@@ -1,4 +1,4 @@
-policy_module(ircd, 1.8.1)
+policy_module(ircd, 1.9.0)
########################################
#
diff --git a/policy/modules/contrib/irqbalance.te b/policy/modules/contrib/irqbalance.te
index 089e6d7..414ad21 100644
--- a/policy/modules/contrib/irqbalance.te
+++ b/policy/modules/contrib/irqbalance.te
@@ -1,4 +1,4 @@
-policy_module(irqbalance, 1.7.1)
+policy_module(irqbalance, 1.8.0)
########################################
#
diff --git a/policy/modules/contrib/iscsi.te b/policy/modules/contrib/iscsi.te
index 502a1bb..60b95c2 100644
--- a/policy/modules/contrib/iscsi.te
+++ b/policy/modules/contrib/iscsi.te
@@ -1,4 +1,4 @@
-policy_module(iscsi, 1.9.2)
+policy_module(iscsi, 1.10.0)
########################################
#
diff --git a/policy/modules/contrib/isns.te b/policy/modules/contrib/isns.te
index 5b82de7..ede3c05 100644
--- a/policy/modules/contrib/isns.te
+++ b/policy/modules/contrib/isns.te
@@ -1,4 +1,4 @@
-policy_module(isns, 1.0.1)
+policy_module(isns, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/jabber.te b/policy/modules/contrib/jabber.te
index 8f71642..cdca29d 100644
--- a/policy/modules/contrib/jabber.te
+++ b/policy/modules/contrib/jabber.te
@@ -1,4 +1,4 @@
-policy_module(jabber, 1.10.1)
+policy_module(jabber, 1.11.0)
########################################
#
diff --git a/policy/modules/contrib/kdump.te b/policy/modules/contrib/kdump.te
index fb31bbf..3749ddf 100644
--- a/policy/modules/contrib/kdump.te
+++ b/policy/modules/contrib/kdump.te
@@ -1,4 +1,4 @@
-policy_module(kdump, 1.3.2)
+policy_module(kdump, 1.4.0)
#######################################
#
diff --git a/policy/modules/contrib/kerberos.te b/policy/modules/contrib/kerberos.te
index 43df956..38532d3 100644
--- a/policy/modules/contrib/kerberos.te
+++ b/policy/modules/contrib/kerberos.te
@@ -1,4 +1,4 @@
-policy_module(kerberos, 1.13.1)
+policy_module(kerberos, 1.14.0)
########################################
#
diff --git a/policy/modules/contrib/kerneloops.te b/policy/modules/contrib/kerneloops.te
index 9360bde..f6083e5 100644
--- a/policy/modules/contrib/kerneloops.te
+++ b/policy/modules/contrib/kerneloops.te
@@ -1,4 +1,4 @@
-policy_module(kerneloops, 1.5.1)
+policy_module(kerneloops, 1.6.0)
########################################
#
diff --git a/policy/modules/contrib/keystone.te b/policy/modules/contrib/keystone.te
index b832ee1..9e051ad 100644
--- a/policy/modules/contrib/keystone.te
+++ b/policy/modules/contrib/keystone.te
@@ -1,4 +1,4 @@
-policy_module(keystone, 1.1.1)
+policy_module(keystone, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/kismet.te b/policy/modules/contrib/kismet.te
index 9b8fedf..eb4e233 100644
--- a/policy/modules/contrib/kismet.te
+++ b/policy/modules/contrib/kismet.te
@@ -1,4 +1,4 @@
-policy_module(kismet, 1.8.1)
+policy_module(kismet, 1.9.0)
########################################
#
diff --git a/policy/modules/contrib/ksmtuned.te b/policy/modules/contrib/ksmtuned.te
index a799535..c5ca5b1 100644
--- a/policy/modules/contrib/ksmtuned.te
+++ b/policy/modules/contrib/ksmtuned.te
@@ -1,4 +1,4 @@
-policy_module(ksmtuned, 1.2.1)
+policy_module(ksmtuned, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/kudzu.te b/policy/modules/contrib/kudzu.te
index 915a88a..13a3005 100644
--- a/policy/modules/contrib/kudzu.te
+++ b/policy/modules/contrib/kudzu.te
@@ -1,4 +1,4 @@
-policy_module(kudzu, 1.10.2)
+policy_module(kudzu, 1.11.0)
########################################
#
diff --git a/policy/modules/contrib/l2tp.te b/policy/modules/contrib/l2tp.te
index f1de38f..e5ebed5 100644
--- a/policy/modules/contrib/l2tp.te
+++ b/policy/modules/contrib/l2tp.te
@@ -1,4 +1,4 @@
-policy_module(l2tp, 1.1.1)
+policy_module(l2tp, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/ldap.te b/policy/modules/contrib/ldap.te
index 1adbf03..70bc151 100644
--- a/policy/modules/contrib/ldap.te
+++ b/policy/modules/contrib/ldap.te
@@ -1,4 +1,4 @@
-policy_module(ldap, 1.12.1)
+policy_module(ldap, 1.13.0)
########################################
#
diff --git a/policy/modules/contrib/likewise.te b/policy/modules/contrib/likewise.te
index e33495b..5f5b47c 100644
--- a/policy/modules/contrib/likewise.te
+++ b/policy/modules/contrib/likewise.te
@@ -1,4 +1,4 @@
-policy_module(likewise, 1.3.1)
+policy_module(likewise, 1.4.0)
#################################
#
diff --git a/policy/modules/contrib/lircd.te b/policy/modules/contrib/lircd.te
index bfdd92e..e38c4d3 100644
--- a/policy/modules/contrib/lircd.te
+++ b/policy/modules/contrib/lircd.te
@@ -1,4 +1,4 @@
-policy_module(lircd, 1.2.2)
+policy_module(lircd, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/lldpad.te b/policy/modules/contrib/lldpad.te
index 7d580f2..9e875d6 100644
--- a/policy/modules/contrib/lldpad.te
+++ b/policy/modules/contrib/lldpad.te
@@ -1,4 +1,4 @@
-policy_module(lldpad, 1.1.1)
+policy_module(lldpad, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/logrotate.te b/policy/modules/contrib/logrotate.te
index a256564..a1670d0 100644
--- a/policy/modules/contrib/logrotate.te
+++ b/policy/modules/contrib/logrotate.te
@@ -1,4 +1,4 @@
-policy_module(logrotate, 1.16.1)
+policy_module(logrotate, 1.17.0)
########################################
#
diff --git a/policy/modules/contrib/mailscanner.te b/policy/modules/contrib/mailscanner.te
index 509de59..f2f0aad 100644
--- a/policy/modules/contrib/mailscanner.te
+++ b/policy/modules/contrib/mailscanner.te
@@ -1,4 +1,4 @@
-policy_module(mailscanner, 1.1.1)
+policy_module(mailscanner, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/mandb.te b/policy/modules/contrib/mandb.te
index 8336559..ce0ac3c 100644
--- a/policy/modules/contrib/mandb.te
+++ b/policy/modules/contrib/mandb.te
@@ -1,4 +1,4 @@
-policy_module(mandb, 1.2.1)
+policy_module(mandb, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/mcelog.te b/policy/modules/contrib/mcelog.te
index 3fd0dc5..73b2d81 100644
--- a/policy/modules/contrib/mcelog.te
+++ b/policy/modules/contrib/mcelog.te
@@ -1,4 +1,4 @@
-policy_module(mcelog, 1.3.1)
+policy_module(mcelog, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/memcached.te b/policy/modules/contrib/memcached.te
index 54738e9..5c76e2d 100644
--- a/policy/modules/contrib/memcached.te
+++ b/policy/modules/contrib/memcached.te
@@ -1,4 +1,4 @@
-policy_module(memcached, 1.4.1)
+policy_module(memcached, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/minissdpd.te b/policy/modules/contrib/minissdpd.te
index fdfa9a0..aa0f214 100644
--- a/policy/modules/contrib/minissdpd.te
+++ b/policy/modules/contrib/minissdpd.te
@@ -1,4 +1,4 @@
-policy_module(minissdpd, 1.1.1)
+policy_module(minissdpd, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/mongodb.te b/policy/modules/contrib/mongodb.te
index 29b0ab5..cdee03c 100644
--- a/policy/modules/contrib/mongodb.te
+++ b/policy/modules/contrib/mongodb.te
@@ -1,4 +1,4 @@
-policy_module(mongodb, 1.1.1)
+policy_module(mongodb, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/monop.te b/policy/modules/contrib/monop.te
index fe78c10..e079049 100644
--- a/policy/modules/contrib/monop.te
+++ b/policy/modules/contrib/monop.te
@@ -1,4 +1,4 @@
-policy_module(monop, 1.8.1)
+policy_module(monop, 1.9.0)
########################################
#
diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
index 43b5087..ac76d19 100644
--- a/policy/modules/contrib/mozilla.te
+++ b/policy/modules/contrib/mozilla.te
@@ -1,4 +1,4 @@
-policy_module(mozilla, 2.8.1)
+policy_module(mozilla, 2.9.0)
########################################
#
diff --git a/policy/modules/contrib/mpd.te b/policy/modules/contrib/mpd.te
index e37c363..01ded5d 100644
--- a/policy/modules/contrib/mpd.te
+++ b/policy/modules/contrib/mpd.te
@@ -1,4 +1,4 @@
-policy_module(mpd, 1.2.1)
+policy_module(mpd, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/mrtg.te b/policy/modules/contrib/mrtg.te
index 1730669..f32641a 100644
--- a/policy/modules/contrib/mrtg.te
+++ b/policy/modules/contrib/mrtg.te
@@ -1,4 +1,4 @@
-policy_module(mrtg, 1.9.1)
+policy_module(mrtg, 1.10.0)
########################################
#
diff --git a/policy/modules/contrib/munin.te b/policy/modules/contrib/munin.te
index 2a8152f..e444b63 100644
--- a/policy/modules/contrib/munin.te
+++ b/policy/modules/contrib/munin.te
@@ -1,4 +1,4 @@
-policy_module(munin, 1.10.1)
+policy_module(munin, 1.11.0)
########################################
#
diff --git a/policy/modules/contrib/mysql.te b/policy/modules/contrib/mysql.te
index 60a7763..0db8319 100644
--- a/policy/modules/contrib/mysql.te
+++ b/policy/modules/contrib/mysql.te
@@ -1,4 +1,4 @@
-policy_module(mysql, 1.16.1)
+policy_module(mysql, 1.17.0)
########################################
#
diff --git a/policy/modules/contrib/nagios.te b/policy/modules/contrib/nagios.te
index dbdfbeb..b62181c 100644
--- a/policy/modules/contrib/nagios.te
+++ b/policy/modules/contrib/nagios.te
@@ -1,4 +1,4 @@
-policy_module(nagios, 1.13.1)
+policy_module(nagios, 1.14.0)
########################################
#
diff --git a/policy/modules/contrib/nessus.te b/policy/modules/contrib/nessus.te
index 13f24c1..398d408 100644
--- a/policy/modules/contrib/nessus.te
+++ b/policy/modules/contrib/nessus.te
@@ -1,4 +1,4 @@
-policy_module(nessus, 1.9.1)
+policy_module(nessus, 1.10.0)
########################################
#
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index 83088ca..d4bcc16 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -1,4 +1,4 @@
-policy_module(networkmanager, 1.17.3)
+policy_module(networkmanager, 1.18.0)
########################################
#
diff --git a/policy/modules/contrib/nis.te b/policy/modules/contrib/nis.te
index 6e13b92..71a2e6f 100644
--- a/policy/modules/contrib/nis.te
+++ b/policy/modules/contrib/nis.te
@@ -1,4 +1,4 @@
-policy_module(nis, 1.12.1)
+policy_module(nis, 1.13.0)
########################################
#
diff --git a/policy/modules/contrib/nscd.te b/policy/modules/contrib/nscd.te
index aee77dc..998dcdd 100644
--- a/policy/modules/contrib/nscd.te
+++ b/policy/modules/contrib/nscd.te
@@ -1,4 +1,4 @@
-policy_module(nscd, 1.12.1)
+policy_module(nscd, 1.13.0)
gen_require(`
class nscd all_nscd_perms;
diff --git a/policy/modules/contrib/nsd.te b/policy/modules/contrib/nsd.te
index 28ed38f..1f79e50 100644
--- a/policy/modules/contrib/nsd.te
+++ b/policy/modules/contrib/nsd.te
@@ -1,4 +1,4 @@
-policy_module(nsd, 1.8.1)
+policy_module(nsd, 1.9.0)
########################################
#
diff --git a/policy/modules/contrib/nslcd.te b/policy/modules/contrib/nslcd.te
index ad09d51..9b78828 100644
--- a/policy/modules/contrib/nslcd.te
+++ b/policy/modules/contrib/nslcd.te
@@ -1,4 +1,4 @@
-policy_module(nslcd, 1.5.1)
+policy_module(nslcd, 1.6.0)
########################################
#
diff --git a/policy/modules/contrib/ntop.te b/policy/modules/contrib/ntop.te
index 43171f4..e526b40 100644
--- a/policy/modules/contrib/ntop.te
+++ b/policy/modules/contrib/ntop.te
@@ -1,4 +1,4 @@
-policy_module(ntop, 1.10.1)
+policy_module(ntop, 1.11.0)
########################################
#
diff --git a/policy/modules/contrib/ntp.te b/policy/modules/contrib/ntp.te
index 7af3a6d..e60149a 100644
--- a/policy/modules/contrib/ntp.te
+++ b/policy/modules/contrib/ntp.te
@@ -1,4 +1,4 @@
-policy_module(ntp, 1.13.2)
+policy_module(ntp, 1.14.0)
########################################
#
diff --git a/policy/modules/contrib/numad.te b/policy/modules/contrib/numad.te
index cecc64a..d65d670 100644
--- a/policy/modules/contrib/numad.te
+++ b/policy/modules/contrib/numad.te
@@ -1,4 +1,4 @@
-policy_module(numad, 1.1.1)
+policy_module(numad, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/nut.te b/policy/modules/contrib/nut.te
index 1a4907d..745c6c9 100644
--- a/policy/modules/contrib/nut.te
+++ b/policy/modules/contrib/nut.te
@@ -1,4 +1,4 @@
-policy_module(nut, 1.4.1)
+policy_module(nut, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/oident.te b/policy/modules/contrib/oident.te
index e72ffea..0cf6cfe 100644
--- a/policy/modules/contrib/oident.te
+++ b/policy/modules/contrib/oident.te
@@ -1,4 +1,4 @@
-policy_module(oident, 2.3.1)
+policy_module(oident, 2.4.0)
########################################
#
diff --git a/policy/modules/contrib/openct.te b/policy/modules/contrib/openct.te
index a001328..696b86e 100644
--- a/policy/modules/contrib/openct.te
+++ b/policy/modules/contrib/openct.te
@@ -1,4 +1,4 @@
-policy_module(openct, 1.7.1)
+policy_module(openct, 1.8.0)
########################################
#
diff --git a/policy/modules/contrib/openhpi.te b/policy/modules/contrib/openhpi.te
index d0c61ba..1334924 100644
--- a/policy/modules/contrib/openhpi.te
+++ b/policy/modules/contrib/openhpi.te
@@ -1,4 +1,4 @@
-policy_module(openhpi, 1.1.1)
+policy_module(openhpi, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/openvpn.te b/policy/modules/contrib/openvpn.te
index bdb689e..fb30050 100644
--- a/policy/modules/contrib/openvpn.te
+++ b/policy/modules/contrib/openvpn.te
@@ -1,4 +1,4 @@
-policy_module(openvpn, 1.13.1)
+policy_module(openvpn, 1.14.0)
########################################
#
diff --git a/policy/modules/contrib/openvswitch.te b/policy/modules/contrib/openvswitch.te
index 84d7e60..3c3450c 100644
--- a/policy/modules/contrib/openvswitch.te
+++ b/policy/modules/contrib/openvswitch.te
@@ -1,4 +1,4 @@
-policy_module(openvswitch, 1.2.1)
+policy_module(openvswitch, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/pacemaker.te b/policy/modules/contrib/pacemaker.te
index 8db2c1f..c3b60db 100644
--- a/policy/modules/contrib/pacemaker.te
+++ b/policy/modules/contrib/pacemaker.te
@@ -1,4 +1,4 @@
-policy_module(pacemaker, 1.1.1)
+policy_module(pacemaker, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/pads.te b/policy/modules/contrib/pads.te
index 4992358..7a4d282 100644
--- a/policy/modules/contrib/pads.te
+++ b/policy/modules/contrib/pads.te
@@ -1,4 +1,4 @@
-policy_module(pads, 1.1.1)
+policy_module(pads, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/pcscd.te b/policy/modules/contrib/pcscd.te
index d1cdf9f..1828900 100644
--- a/policy/modules/contrib/pcscd.te
+++ b/policy/modules/contrib/pcscd.te
@@ -1,4 +1,4 @@
-policy_module(pcscd, 1.10.2)
+policy_module(pcscd, 1.11.0)
########################################
#
diff --git a/policy/modules/contrib/pegasus.te b/policy/modules/contrib/pegasus.te
index 3e66bb7..0f4d0a7 100644
--- a/policy/modules/contrib/pegasus.te
+++ b/policy/modules/contrib/pegasus.te
@@ -1,4 +1,4 @@
-policy_module(pegasus, 1.10.1)
+policy_module(pegasus, 1.11.0)
########################################
#
diff --git a/policy/modules/contrib/perdition.te b/policy/modules/contrib/perdition.te
index 1887d96..bb1a16b 100644
--- a/policy/modules/contrib/perdition.te
+++ b/policy/modules/contrib/perdition.te
@@ -1,4 +1,4 @@
-policy_module(perdition, 1.8.1)
+policy_module(perdition, 1.9.0)
########################################
#
diff --git a/policy/modules/contrib/pingd.te b/policy/modules/contrib/pingd.te
index 5a91a3c..fbe7291 100644
--- a/policy/modules/contrib/pingd.te
+++ b/policy/modules/contrib/pingd.te
@@ -1,4 +1,4 @@
-policy_module(pingd, 1.1.1)
+policy_module(pingd, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/pkcs.te b/policy/modules/contrib/pkcs.te
index 0e583e1..2bc3060 100644
--- a/policy/modules/contrib/pkcs.te
+++ b/policy/modules/contrib/pkcs.te
@@ -1,4 +1,4 @@
-policy_module(pkcs, 1.1.1)
+policy_module(pkcs, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/plymouthd.te b/policy/modules/contrib/plymouthd.te
index c235706..635c962 100644
--- a/policy/modules/contrib/plymouthd.te
+++ b/policy/modules/contrib/plymouthd.te
@@ -1,4 +1,4 @@
-policy_module(plymouthd, 1.2.1)
+policy_module(plymouthd, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/policykit.te b/policy/modules/contrib/policykit.te
index 6bb283f..50f8b6a 100644
--- a/policy/modules/contrib/policykit.te
+++ b/policy/modules/contrib/policykit.te
@@ -1,4 +1,4 @@
-policy_module(policykit, 1.3.1)
+policy_module(policykit, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/polipo.te b/policy/modules/contrib/polipo.te
index 5189e55..a964e1b 100644
--- a/policy/modules/contrib/polipo.te
+++ b/policy/modules/contrib/polipo.te
@@ -1,4 +1,4 @@
-policy_module(polipo, 1.2.1)
+policy_module(polipo, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/portmap.te b/policy/modules/contrib/portmap.te
index 94500e6..d498b49 100644
--- a/policy/modules/contrib/portmap.te
+++ b/policy/modules/contrib/portmap.te
@@ -1,4 +1,4 @@
-policy_module(portmap, 1.11.2)
+policy_module(portmap, 1.12.0)
########################################
#
diff --git a/policy/modules/contrib/portreserve.te b/policy/modules/contrib/portreserve.te
index 162fe08..cf075de 100644
--- a/policy/modules/contrib/portreserve.te
+++ b/policy/modules/contrib/portreserve.te
@@ -1,4 +1,4 @@
-policy_module(portreserve, 1.4.1)
+policy_module(portreserve, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te
index 1c0e8a6..1f1a396 100644
--- a/policy/modules/contrib/postfix.te
+++ b/policy/modules/contrib/postfix.te
@@ -1,4 +1,4 @@
-policy_module(postfix, 1.16.1)
+policy_module(postfix, 1.17.0)
########################################
#
diff --git a/policy/modules/contrib/postfixpolicyd.te b/policy/modules/contrib/postfixpolicyd.te
index 20e9b79..7022a81 100644
--- a/policy/modules/contrib/postfixpolicyd.te
+++ b/policy/modules/contrib/postfixpolicyd.te
@@ -1,4 +1,4 @@
-policy_module(postfixpolicyd, 1.3.1)
+policy_module(postfixpolicyd, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/postgrey.te b/policy/modules/contrib/postgrey.te
index 705a5b6..59c8630 100644
--- a/policy/modules/contrib/postgrey.te
+++ b/policy/modules/contrib/postgrey.te
@@ -1,4 +1,4 @@
-policy_module(postgrey, 1.9.1)
+policy_module(postgrey, 1.10.0)
########################################
#
diff --git a/policy/modules/contrib/ppp.te b/policy/modules/contrib/ppp.te
index dc115b1..1d3079f 100644
--- a/policy/modules/contrib/ppp.te
+++ b/policy/modules/contrib/ppp.te
@@ -1,4 +1,4 @@
-policy_module(ppp, 1.14.1)
+policy_module(ppp, 1.15.0)
########################################
#
diff --git a/policy/modules/contrib/prelude.te b/policy/modules/contrib/prelude.te
index 6effe7f..69e4b2c 100644
--- a/policy/modules/contrib/prelude.te
+++ b/policy/modules/contrib/prelude.te
@@ -1,4 +1,4 @@
-policy_module(prelude, 1.5.1)
+policy_module(prelude, 1.6.0)
########################################
#
diff --git a/policy/modules/contrib/privoxy.te b/policy/modules/contrib/privoxy.te
index b2873f6..4a89c52 100644
--- a/policy/modules/contrib/privoxy.te
+++ b/policy/modules/contrib/privoxy.te
@@ -1,4 +1,4 @@
-policy_module(privoxy, 1.12.1)
+policy_module(privoxy, 1.13.0)
########################################
#
diff --git a/policy/modules/contrib/psad.te b/policy/modules/contrib/psad.te
index ee61046..f59e9b4 100644
--- a/policy/modules/contrib/psad.te
+++ b/policy/modules/contrib/psad.te
@@ -1,4 +1,4 @@
-policy_module(psad, 1.2.1)
+policy_module(psad, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index 4dc75b1..9b8d84e 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -1,4 +1,4 @@
-policy_module(pulseaudio, 1.7.2)
+policy_module(pulseaudio, 1.8.0)
########################################
#
diff --git a/policy/modules/contrib/puppet.te b/policy/modules/contrib/puppet.te
index f7f95b0..5fd4c8b 100644
--- a/policy/modules/contrib/puppet.te
+++ b/policy/modules/contrib/puppet.te
@@ -1,4 +1,4 @@
-policy_module(puppet, 1.5.1)
+policy_module(puppet, 1.6.0)
########################################
#
diff --git a/policy/modules/contrib/pxe.te b/policy/modules/contrib/pxe.te
index d3b0e6d..d82cf03 100644
--- a/policy/modules/contrib/pxe.te
+++ b/policy/modules/contrib/pxe.te
@@ -1,4 +1,4 @@
-policy_module(pxe, 1.5.1)
+policy_module(pxe, 1.6.0)
########################################
#
diff --git a/policy/modules/contrib/pyicqt.te b/policy/modules/contrib/pyicqt.te
index 45cccaf..aa74d38 100644
--- a/policy/modules/contrib/pyicqt.te
+++ b/policy/modules/contrib/pyicqt.te
@@ -1,4 +1,4 @@
-policy_module(pyicqt, 1.1.1)
+policy_module(pyicqt, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/pyzor.te b/policy/modules/contrib/pyzor.te
index 8462ee0..2a8772a 100644
--- a/policy/modules/contrib/pyzor.te
+++ b/policy/modules/contrib/pyzor.te
@@ -1,4 +1,4 @@
-policy_module(pyzor, 2.4.1)
+policy_module(pyzor, 2.5.0)
########################################
#
diff --git a/policy/modules/contrib/qemu.te b/policy/modules/contrib/qemu.te
index 9714860..9dc0997 100644
--- a/policy/modules/contrib/qemu.te
+++ b/policy/modules/contrib/qemu.te
@@ -1,4 +1,4 @@
-policy_module(qemu, 1.8.1)
+policy_module(qemu, 1.9.0)
########################################
#
diff --git a/policy/modules/contrib/qpid.te b/policy/modules/contrib/qpid.te
index 0ecfe15..fc4de2f 100644
--- a/policy/modules/contrib/qpid.te
+++ b/policy/modules/contrib/qpid.te
@@ -1,4 +1,4 @@
-policy_module(qpid, 1.1.1)
+policy_module(qpid, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/quantum.te b/policy/modules/contrib/quantum.te
index 32c1379..f4d304a 100644
--- a/policy/modules/contrib/quantum.te
+++ b/policy/modules/contrib/quantum.te
@@ -1,4 +1,4 @@
-policy_module(quantum, 1.1.1)
+policy_module(quantum, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/quota.te b/policy/modules/contrib/quota.te
index 45d9ca7..4847589 100644
--- a/policy/modules/contrib/quota.te
+++ b/policy/modules/contrib/quota.te
@@ -1,4 +1,4 @@
-policy_module(quota, 1.7.2)
+policy_module(quota, 1.8.0)
########################################
#
diff --git a/policy/modules/contrib/rabbitmq.te b/policy/modules/contrib/rabbitmq.te
index 5bdde4c..326a811 100644
--- a/policy/modules/contrib/rabbitmq.te
+++ b/policy/modules/contrib/rabbitmq.te
@@ -1,4 +1,4 @@
-policy_module(rabbitmq, 1.1.1)
+policy_module(rabbitmq, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/radius.te b/policy/modules/contrib/radius.te
index 52c05da..1239a2e 100644
--- a/policy/modules/contrib/radius.te
+++ b/policy/modules/contrib/radius.te
@@ -1,4 +1,4 @@
-policy_module(radius, 1.13.2)
+policy_module(radius, 1.14.0)
########################################
#
diff --git a/policy/modules/contrib/radvd.te b/policy/modules/contrib/radvd.te
index 76bba12..6cf0944 100644
--- a/policy/modules/contrib/radvd.te
+++ b/policy/modules/contrib/radvd.te
@@ -1,4 +1,4 @@
-policy_module(radvd, 1.14.1)
+policy_module(radvd, 1.15.0)
########################################
#
diff --git a/policy/modules/contrib/raid.te b/policy/modules/contrib/raid.te
index f561fdd..f4b2b38 100644
--- a/policy/modules/contrib/raid.te
+++ b/policy/modules/contrib/raid.te
@@ -1,4 +1,4 @@
-policy_module(raid, 1.14.3)
+policy_module(raid, 1.15.0)
########################################
#
diff --git a/policy/modules/contrib/redis.te b/policy/modules/contrib/redis.te
index bf6e4e9..c116691 100644
--- a/policy/modules/contrib/redis.te
+++ b/policy/modules/contrib/redis.te
@@ -1,4 +1,4 @@
-policy_module(redis, 1.1.1)
+policy_module(redis, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/resmgr.te b/policy/modules/contrib/resmgr.te
index a5b9878..6fb9a23 100644
--- a/policy/modules/contrib/resmgr.te
+++ b/policy/modules/contrib/resmgr.te
@@ -1,4 +1,4 @@
-policy_module(resmgr, 1.3.1)
+policy_module(resmgr, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/rgmanager.te b/policy/modules/contrib/rgmanager.te
index 4ef5d59..0cf43ec 100644
--- a/policy/modules/contrib/rgmanager.te
+++ b/policy/modules/contrib/rgmanager.te
@@ -1,4 +1,4 @@
-policy_module(rgmanager, 1.4.1)
+policy_module(rgmanager, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/rhcs.te b/policy/modules/contrib/rhcs.te
index ef7c72b..90a19c9 100644
--- a/policy/modules/contrib/rhcs.te
+++ b/policy/modules/contrib/rhcs.te
@@ -1,4 +1,4 @@
-policy_module(rhcs, 1.4.1)
+policy_module(rhcs, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/rhsmcertd.te b/policy/modules/contrib/rhsmcertd.te
index 3fb1e18..8371a2c 100644
--- a/policy/modules/contrib/rhsmcertd.te
+++ b/policy/modules/contrib/rhsmcertd.te
@@ -1,4 +1,4 @@
-policy_module(rhsmcertd, 1.2.1)
+policy_module(rhsmcertd, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/ricci.te b/policy/modules/contrib/ricci.te
index dd763c4..cc0514f 100644
--- a/policy/modules/contrib/ricci.te
+++ b/policy/modules/contrib/ricci.te
@@ -1,4 +1,4 @@
-policy_module(ricci, 1.8.1)
+policy_module(ricci, 1.9.0)
########################################
#
diff --git a/policy/modules/contrib/rngd.te b/policy/modules/contrib/rngd.te
index 17b9504..5f97a72 100644
--- a/policy/modules/contrib/rngd.te
+++ b/policy/modules/contrib/rngd.te
@@ -1,4 +1,4 @@
-policy_module(rngd, 1.2.1)
+policy_module(rngd, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/roundup.te b/policy/modules/contrib/roundup.te
index 11a013f..015c344 100644
--- a/policy/modules/contrib/roundup.te
+++ b/policy/modules/contrib/roundup.te
@@ -1,4 +1,4 @@
-policy_module(roundup, 1.8.1)
+policy_module(roundup, 1.9.0)
########################################
#
diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
index a150dc2..8849e92 100644
--- a/policy/modules/contrib/rpc.te
+++ b/policy/modules/contrib/rpc.te
@@ -1,4 +1,4 @@
-policy_module(rpc, 1.16.2)
+policy_module(rpc, 1.17.0)
########################################
#
diff --git a/policy/modules/contrib/rpcbind.te b/policy/modules/contrib/rpcbind.te
index 8c3575c..9ba71b5 100644
--- a/policy/modules/contrib/rpcbind.te
+++ b/policy/modules/contrib/rpcbind.te
@@ -1,4 +1,4 @@
-policy_module(rpcbind, 1.8.3)
+policy_module(rpcbind, 1.9.0)
########################################
#
diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te
index 3da1c61..3b786b8 100644
--- a/policy/modules/contrib/rpm.te
+++ b/policy/modules/contrib/rpm.te
@@ -1,4 +1,4 @@
-policy_module(rpm, 1.17.3)
+policy_module(rpm, 1.18.0)
########################################
#
diff --git a/policy/modules/contrib/rsync.te b/policy/modules/contrib/rsync.te
index eae1b4c..1599d93 100644
--- a/policy/modules/contrib/rsync.te
+++ b/policy/modules/contrib/rsync.te
@@ -1,4 +1,4 @@
-policy_module(rsync, 1.13.1)
+policy_module(rsync, 1.14.0)
########################################
#
diff --git a/policy/modules/contrib/rtkit.te b/policy/modules/contrib/rtkit.te
index e9baab6..d6390c7 100644
--- a/policy/modules/contrib/rtkit.te
+++ b/policy/modules/contrib/rtkit.te
@@ -1,4 +1,4 @@
-policy_module(rtkit, 1.2.2)
+policy_module(rtkit, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/rwho.te b/policy/modules/contrib/rwho.te
index 24a685a..0cd90ac 100644
--- a/policy/modules/contrib/rwho.te
+++ b/policy/modules/contrib/rwho.te
@@ -1,4 +1,4 @@
-policy_module(rwho, 1.7.1)
+policy_module(rwho, 1.8.0)
########################################
#
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
index 45f2b36..f6e9be3 100644
--- a/policy/modules/contrib/samba.te
+++ b/policy/modules/contrib/samba.te
@@ -1,4 +1,4 @@
-policy_module(samba, 1.17.2)
+policy_module(samba, 1.18.0)
#################################
#
diff --git a/policy/modules/contrib/samhain.te b/policy/modules/contrib/samhain.te
index f2e4eaf..ac6a0f0 100644
--- a/policy/modules/contrib/samhain.te
+++ b/policy/modules/contrib/samhain.te
@@ -1,4 +1,4 @@
-policy_module(samhain, 1.2.2)
+policy_module(samhain, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/sanlock.te b/policy/modules/contrib/sanlock.te
index af72f44..c05edec 100644
--- a/policy/modules/contrib/sanlock.te
+++ b/policy/modules/contrib/sanlock.te
@@ -1,4 +1,4 @@
-policy_module(sanlock, 1.1.1)
+policy_module(sanlock, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/sasl.te b/policy/modules/contrib/sasl.te
index d1028b7..d4b3a35 100644
--- a/policy/modules/contrib/sasl.te
+++ b/policy/modules/contrib/sasl.te
@@ -1,4 +1,4 @@
-policy_module(sasl, 1.16.1)
+policy_module(sasl, 1.17.0)
########################################
#
diff --git a/policy/modules/contrib/sblim.te b/policy/modules/contrib/sblim.te
index 0834784..04c5f61 100644
--- a/policy/modules/contrib/sblim.te
+++ b/policy/modules/contrib/sblim.te
@@ -1,4 +1,4 @@
-policy_module(sblim, 1.1.1)
+policy_module(sblim, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/sendmail.te b/policy/modules/contrib/sendmail.te
index 52a6efa..04aa439 100644
--- a/policy/modules/contrib/sendmail.te
+++ b/policy/modules/contrib/sendmail.te
@@ -1,4 +1,4 @@
-policy_module(sendmail, 1.13.1)
+policy_module(sendmail, 1.14.0)
########################################
#
diff --git a/policy/modules/contrib/sensord.te b/policy/modules/contrib/sensord.te
index f9bed73..bc97a09 100644
--- a/policy/modules/contrib/sensord.te
+++ b/policy/modules/contrib/sensord.te
@@ -1,4 +1,4 @@
-policy_module(sensord, 1.0.1)
+policy_module(sensord, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/shorewall.te b/policy/modules/contrib/shorewall.te
index 107bd15..d82e7a2 100644
--- a/policy/modules/contrib/shorewall.te
+++ b/policy/modules/contrib/shorewall.te
@@ -1,4 +1,4 @@
-policy_module(shorewall, 1.4.1)
+policy_module(shorewall, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/shutdown.te b/policy/modules/contrib/shutdown.te
index 88a1436..d8b655b 100644
--- a/policy/modules/contrib/shutdown.te
+++ b/policy/modules/contrib/shutdown.te
@@ -1,4 +1,4 @@
-policy_module(shutdown, 1.2.1)
+policy_module(shutdown, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/slpd.te b/policy/modules/contrib/slpd.te
index 65a999d..a5f6fa5 100644
--- a/policy/modules/contrib/slpd.te
+++ b/policy/modules/contrib/slpd.te
@@ -1,4 +1,4 @@
-policy_module(slpd, 1.1.1)
+policy_module(slpd, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/smartmon.te b/policy/modules/contrib/smartmon.te
index e29affa..3792501 100644
--- a/policy/modules/contrib/smartmon.te
+++ b/policy/modules/contrib/smartmon.te
@@ -1,4 +1,4 @@
-policy_module(smartmon, 1.12.1)
+policy_module(smartmon, 1.13.0)
########################################
#
diff --git a/policy/modules/contrib/smokeping.te b/policy/modules/contrib/smokeping.te
index b2dafb4..b64ddfe 100644
--- a/policy/modules/contrib/smokeping.te
+++ b/policy/modules/contrib/smokeping.te
@@ -1,4 +1,4 @@
-policy_module(smokeping, 1.2.1)
+policy_module(smokeping, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/smstools.te b/policy/modules/contrib/smstools.te
index 1edf97d..6dbacf4 100644
--- a/policy/modules/contrib/smstools.te
+++ b/policy/modules/contrib/smstools.te
@@ -1,4 +1,4 @@
-policy_module(smstools, 1.0.1)
+policy_module(smstools, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/snmp.te b/policy/modules/contrib/snmp.te
index afa86ff..3f20eba 100644
--- a/policy/modules/contrib/snmp.te
+++ b/policy/modules/contrib/snmp.te
@@ -1,4 +1,4 @@
-policy_module(snmp, 1.14.2)
+policy_module(snmp, 1.15.0)
########################################
#
diff --git a/policy/modules/contrib/snort.te b/policy/modules/contrib/snort.te
index 2cc5761..c4d6a4a 100644
--- a/policy/modules/contrib/snort.te
+++ b/policy/modules/contrib/snort.te
@@ -1,4 +1,4 @@
-policy_module(snort, 1.12.1)
+policy_module(snort, 1.13.0)
########################################
#
diff --git a/policy/modules/contrib/soundserver.te b/policy/modules/contrib/soundserver.te
index b9d3104..29c9659 100644
--- a/policy/modules/contrib/soundserver.te
+++ b/policy/modules/contrib/soundserver.te
@@ -1,4 +1,4 @@
-policy_module(soundserver, 1.9.1)
+policy_module(soundserver, 1.10.0)
########################################
#
diff --git a/policy/modules/contrib/spamassassin.te b/policy/modules/contrib/spamassassin.te
index 22c3fd4..06ce8b7 100644
--- a/policy/modules/contrib/spamassassin.te
+++ b/policy/modules/contrib/spamassassin.te
@@ -1,4 +1,4 @@
-policy_module(spamassassin, 2.8.1)
+policy_module(spamassassin, 2.9.0)
########################################
#
diff --git a/policy/modules/contrib/squid.te b/policy/modules/contrib/squid.te
index deb497a..950ade1 100644
--- a/policy/modules/contrib/squid.te
+++ b/policy/modules/contrib/squid.te
@@ -1,4 +1,4 @@
-policy_module(squid, 1.13.1)
+policy_module(squid, 1.14.0)
########################################
#
diff --git a/policy/modules/contrib/sssd.te b/policy/modules/contrib/sssd.te
index 17218c2..1c28648 100644
--- a/policy/modules/contrib/sssd.te
+++ b/policy/modules/contrib/sssd.te
@@ -1,4 +1,4 @@
-policy_module(sssd, 1.2.1)
+policy_module(sssd, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/svnserve.te b/policy/modules/contrib/svnserve.te
index 48e5704..f949c32 100644
--- a/policy/modules/contrib/svnserve.te
+++ b/policy/modules/contrib/svnserve.te
@@ -1,4 +1,4 @@
-policy_module(svnserve, 1.2.1)
+policy_module(svnserve, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/sysstat.te b/policy/modules/contrib/sysstat.te
index c4af8d9..ac249ac 100644
--- a/policy/modules/contrib/sysstat.te
+++ b/policy/modules/contrib/sysstat.te
@@ -1,4 +1,4 @@
-policy_module(sysstat, 1.8.1)
+policy_module(sysstat, 1.9.0)
########################################
#
diff --git a/policy/modules/contrib/systemtap.te b/policy/modules/contrib/systemtap.te
index b368f33..1b2eef3 100644
--- a/policy/modules/contrib/systemtap.te
+++ b/policy/modules/contrib/systemtap.te
@@ -1,4 +1,4 @@
-policy_module(systemtap, 1.2.1)
+policy_module(systemtap, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/tcsd.te b/policy/modules/contrib/tcsd.te
index 6c56bba..ca98bf8 100644
--- a/policy/modules/contrib/tcsd.te
+++ b/policy/modules/contrib/tcsd.te
@@ -1,4 +1,4 @@
-policy_module(tcsd, 1.2.2)
+policy_module(tcsd, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/tgtd.te b/policy/modules/contrib/tgtd.te
index ecd3bfb..d2d964f 100644
--- a/policy/modules/contrib/tgtd.te
+++ b/policy/modules/contrib/tgtd.te
@@ -1,4 +1,4 @@
-policy_module(tgtd, 1.4.1)
+policy_module(tgtd, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/tor.te b/policy/modules/contrib/tor.te
index 519f9bf..418eb29 100644
--- a/policy/modules/contrib/tor.te
+++ b/policy/modules/contrib/tor.te
@@ -1,4 +1,4 @@
-policy_module(tor, 1.10.1)
+policy_module(tor, 1.11.0)
########################################
#
diff --git a/policy/modules/contrib/transproxy.te b/policy/modules/contrib/transproxy.te
index 44dc6c0..a32a869 100644
--- a/policy/modules/contrib/transproxy.te
+++ b/policy/modules/contrib/transproxy.te
@@ -1,4 +1,4 @@
-policy_module(transproxy, 1.8.1)
+policy_module(transproxy, 1.9.0)
########################################
#
diff --git a/policy/modules/contrib/tuned.te b/policy/modules/contrib/tuned.te
index 5b16bda..5431724 100644
--- a/policy/modules/contrib/tuned.te
+++ b/policy/modules/contrib/tuned.te
@@ -1,4 +1,4 @@
-policy_module(tuned, 1.2.1)
+policy_module(tuned, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/ulogd.te b/policy/modules/contrib/ulogd.te
index e244c11..6c3a3ea 100644
--- a/policy/modules/contrib/ulogd.te
+++ b/policy/modules/contrib/ulogd.te
@@ -1,4 +1,4 @@
-policy_module(ulogd, 1.3.1)
+policy_module(ulogd, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/uptime.te b/policy/modules/contrib/uptime.te
index c0fe79b..8658f9a 100644
--- a/policy/modules/contrib/uptime.te
+++ b/policy/modules/contrib/uptime.te
@@ -1,4 +1,4 @@
-policy_module(uptime, 1.6.1)
+policy_module(uptime, 1.7.0)
########################################
#
diff --git a/policy/modules/contrib/uucp.te b/policy/modules/contrib/uucp.te
index b6666a5..9c884c4 100644
--- a/policy/modules/contrib/uucp.te
+++ b/policy/modules/contrib/uucp.te
@@ -1,4 +1,4 @@
-policy_module(uucp, 1.13.1)
+policy_module(uucp, 1.14.0)
########################################
#
diff --git a/policy/modules/contrib/uuidd.te b/policy/modules/contrib/uuidd.te
index 52f8a7a..b9dd990 100644
--- a/policy/modules/contrib/uuidd.te
+++ b/policy/modules/contrib/uuidd.te
@@ -1,4 +1,4 @@
-policy_module(uuidd, 1.1.1)
+policy_module(uuidd, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/varnishd.te b/policy/modules/contrib/varnishd.te
index 77fb5b6..05f1042 100644
--- a/policy/modules/contrib/varnishd.te
+++ b/policy/modules/contrib/varnishd.te
@@ -1,4 +1,4 @@
-policy_module(varnishd, 1.2.1)
+policy_module(varnishd, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/vdagent.te b/policy/modules/contrib/vdagent.te
index 01403ab..af99feb 100644
--- a/policy/modules/contrib/vdagent.te
+++ b/policy/modules/contrib/vdagent.te
@@ -1,4 +1,4 @@
-policy_module(vdagent, 1.2.1)
+policy_module(vdagent, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/vhostmd.te b/policy/modules/contrib/vhostmd.te
index dabfe40..0157afb 100644
--- a/policy/modules/contrib/vhostmd.te
+++ b/policy/modules/contrib/vhostmd.te
@@ -1,4 +1,4 @@
-policy_module(vhostmd, 1.1.1)
+policy_module(vhostmd, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index ec81a76..c689d2f 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1,4 +1,4 @@
-policy_module(virt, 1.8.4)
+policy_module(virt, 1.9.0)
########################################
#
diff --git a/policy/modules/contrib/vnstatd.te b/policy/modules/contrib/vnstatd.te
index 9630fe9..dc0d66b 100644
--- a/policy/modules/contrib/vnstatd.te
+++ b/policy/modules/contrib/vnstatd.te
@@ -1,4 +1,4 @@
-policy_module(vnstatd, 1.1.1)
+policy_module(vnstatd, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/watchdog.te b/policy/modules/contrib/watchdog.te
index 25b17a0..0f13e2b 100644
--- a/policy/modules/contrib/watchdog.te
+++ b/policy/modules/contrib/watchdog.te
@@ -1,4 +1,4 @@
-policy_module(watchdog, 1.9.1)
+policy_module(watchdog, 1.10.0)
#################################
#
diff --git a/policy/modules/contrib/wdmd.te b/policy/modules/contrib/wdmd.te
index 823f289..fb5c40f 100644
--- a/policy/modules/contrib/wdmd.te
+++ b/policy/modules/contrib/wdmd.te
@@ -1,4 +1,4 @@
-policy_module(wdmd, 1.1.1)
+policy_module(wdmd, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/wine.te b/policy/modules/contrib/wine.te
index 8efd659..391d59e 100644
--- a/policy/modules/contrib/wine.te
+++ b/policy/modules/contrib/wine.te
@@ -1,4 +1,4 @@
-policy_module(wine, 1.11.1)
+policy_module(wine, 1.12.0)
########################################
#
diff --git a/policy/modules/contrib/xfs.te b/policy/modules/contrib/xfs.te
index 46ab354..1e76478 100644
--- a/policy/modules/contrib/xfs.te
+++ b/policy/modules/contrib/xfs.te
@@ -1,4 +1,4 @@
-policy_module(xfs, 1.7.1)
+policy_module(xfs, 1.8.0)
########################################
#
diff --git a/policy/modules/contrib/zabbix.te b/policy/modules/contrib/zabbix.te
index f297da0..50c94c1 100644
--- a/policy/modules/contrib/zabbix.te
+++ b/policy/modules/contrib/zabbix.te
@@ -1,4 +1,4 @@
-policy_module(zabbix, 1.8.1)
+policy_module(zabbix, 1.9.0)
########################################
#
diff --git a/policy/modules/contrib/zarafa.te b/policy/modules/contrib/zarafa.te
index f03331e..82f5fcb 100644
--- a/policy/modules/contrib/zarafa.te
+++ b/policy/modules/contrib/zarafa.te
@@ -1,4 +1,4 @@
-policy_module(zarafa, 1.2.1)
+policy_module(zarafa, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/zebra.te b/policy/modules/contrib/zebra.te
index 0f726fc..f169722 100644
--- a/policy/modules/contrib/zebra.te
+++ b/policy/modules/contrib/zebra.te
@@ -1,4 +1,4 @@
-policy_module(zebra, 1.13.1)
+policy_module(zebra, 1.14.0)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-11-23 13:42 Jason Zaman
2015-11-23 13:41 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2015-11-23 13:42 UTC (permalink / raw
To: gentoo-commits
commit: 476723f5d02b3222109358f99c9d76ede915e71b
Author: Sven Vermeulen <swift <AT> gentoo <DOT> org>
AuthorDate: Sun Nov 22 12:28:43 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Nov 23 13:40:51 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=476723f5
Use fowner for salt_minion_t
Enable the fowner capability for the salt minion so that directory
metadata can be updated (such as the mode).
For instance, when trying to set mode 755 on a directory, the following
came up in the salt minion log (and the operation failed):
2015-11-22 13:18:01,242 [salt.state ][ERROR ][3290] Failed to
change mode to 0775
In the audit logs, the following occurred:
type=AVC msg=audit(1448194681.239:118): avc: denied { fowner } for
pid=3290 comm="salt-minion" capability=3
scontext=system_u:system_r:salt_minion_t:s0
tcontext=system_u:system_r:salt_minion_t:s0 tclass=capability
permissive=0
policy/modules/contrib/salt.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te
index 2a4e84d..9a8a4ad 100644
--- a/policy/modules/contrib/salt.te
+++ b/policy/modules/contrib/salt.te
@@ -218,7 +218,7 @@ tunable_policy(`salt_master_read_nfs',`
# salt_minion_t policy
#
-allow salt_minion_t self:capability { fsetid chown dac_override dac_read_search net_admin setgid setuid sys_admin sys_nice sys_tty_config };
+allow salt_minion_t self:capability { fowner fsetid chown dac_override dac_read_search net_admin setgid setuid sys_admin sys_nice sys_tty_config };
allow salt_minion_t self:capability2 block_suspend;
allow salt_minion_t self:process { getsched setsched signal signull };
allow salt_minion_t self:tcp_socket create_stream_socket_perms;
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2015-11-23 13:42 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
@ 2015-11-23 13:41 ` Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-11-23 13:41 UTC (permalink / raw
To: gentoo-commits
commit: 476723f5d02b3222109358f99c9d76ede915e71b
Author: Sven Vermeulen <swift <AT> gentoo <DOT> org>
AuthorDate: Sun Nov 22 12:28:43 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Nov 23 13:40:51 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=476723f5
Use fowner for salt_minion_t
Enable the fowner capability for the salt minion so that directory
metadata can be updated (such as the mode).
For instance, when trying to set mode 755 on a directory, the following
came up in the salt minion log (and the operation failed):
2015-11-22 13:18:01,242 [salt.state ][ERROR ][3290] Failed to
change mode to 0775
In the audit logs, the following occurred:
type=AVC msg=audit(1448194681.239:118): avc: denied { fowner } for
pid=3290 comm="salt-minion" capability=3
scontext=system_u:system_r:salt_minion_t:s0
tcontext=system_u:system_r:salt_minion_t:s0 tclass=capability
permissive=0
policy/modules/contrib/salt.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te
index 2a4e84d..9a8a4ad 100644
--- a/policy/modules/contrib/salt.te
+++ b/policy/modules/contrib/salt.te
@@ -218,7 +218,7 @@ tunable_policy(`salt_master_read_nfs',`
# salt_minion_t policy
#
-allow salt_minion_t self:capability { fsetid chown dac_override dac_read_search net_admin setgid setuid sys_admin sys_nice sys_tty_config };
+allow salt_minion_t self:capability { fowner fsetid chown dac_override dac_read_search net_admin setgid setuid sys_admin sys_nice sys_tty_config };
allow salt_minion_t self:capability2 block_suspend;
allow salt_minion_t self:process { getsched setsched signal signull };
allow salt_minion_t self:tcp_socket create_stream_socket_perms;
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-11-22 12:31 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2015-11-22 12:31 UTC (permalink / raw
To: gentoo-commits
commit: c98b0fbe320e0bd4aafee943a083b324f197f024
Author: Sven Vermeulen <swift <AT> gentoo <DOT> org>
AuthorDate: Sun Nov 22 12:28:43 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Nov 22 12:28:56 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c98b0fbe
Use fowner for salt_minion_t
Enable the fowner capability for the salt minion so that directory
metadata can be updated (such as the mode).
For instance, when trying to set mode 755 on a directory, the following
came up in the salt minion log (and the operation failed):
2015-11-22 13:18:01,242 [salt.state ][ERROR ][3290] Failed to
change mode to 0775
In the audit logs, the following occurred:
type=AVC msg=audit(1448194681.239:118): avc: denied { fowner } for
pid=3290 comm="salt-minion" capability=3
scontext=system_u:system_r:salt_minion_t:s0
tcontext=system_u:system_r:salt_minion_t:s0 tclass=capability
permissive=0
policy/modules/contrib/salt.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te
index 2a4e84d..9a8a4ad 100644
--- a/policy/modules/contrib/salt.te
+++ b/policy/modules/contrib/salt.te
@@ -218,7 +218,7 @@ tunable_policy(`salt_master_read_nfs',`
# salt_minion_t policy
#
-allow salt_minion_t self:capability { fsetid chown dac_override dac_read_search net_admin setgid setuid sys_admin sys_nice sys_tty_config };
+allow salt_minion_t self:capability { fowner fsetid chown dac_override dac_read_search net_admin setgid setuid sys_admin sys_nice sys_tty_config };
allow salt_minion_t self:capability2 block_suspend;
allow salt_minion_t self:process { getsched setsched signal signull };
allow salt_minion_t self:tcp_socket create_stream_socket_perms;
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-11-22 10:14 Jason Zaman
2015-11-23 13:41 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2015-11-22 10:14 UTC (permalink / raw
To: gentoo-commits
commit: 9ce39c14756e16c12ef1f09e9e0e063e14fb18d4
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Nov 18 06:10:02 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Nov 18 06:10:02 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9ce39c14
pulseaudio: add fd perms for v7
avc: denied { use } for pid=19660 comm="threaded-ml"
path="anon_inode:[eventfd]" dev="anon_inodefs" ino=7523
scontext=staff_u:staff_r:mplayer_t:s0-s0:c0.c511
tcontext=staff_u:staff_r:pulseaudio_t:s0-s0:c0.c511 tclass=fd
permissive=0
avc: denied { write } for pid=19792 comm="threaded-ml"
name="pulse-shm-1853902321" dev="tmpfs" ino=183175232
scontext=staff_u:staff_r:mplayer_t:s0-s0:c0.c511
tcontext=staff_u:object_r:pulseaudio_tmpfs_t:s0 tclass=file permissive=0
policy/modules/contrib/pulseaudio.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index 1a25024..4dc75b1 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -277,4 +277,8 @@ ifdef(`distro_gentoo',`
# /tmp/pulse-* gets created by the clients usually as user_tmp_t, bug 556526
userdom_list_user_tmp(pulseaudio_client)
+
+ # pulse 7 uses fd's
+ allow pulseaudio_client pulseaudio_t:fd use;
+ allow pulseaudio_client pulseaudio_tmpfs_t:file rw_file_perms;
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2015-11-22 10:14 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
@ 2015-11-23 13:41 ` Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-11-23 13:41 UTC (permalink / raw
To: gentoo-commits
commit: 9ce39c14756e16c12ef1f09e9e0e063e14fb18d4
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Nov 18 06:10:02 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Nov 18 06:10:02 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9ce39c14
pulseaudio: add fd perms for v7
avc: denied { use } for pid=19660 comm="threaded-ml"
path="anon_inode:[eventfd]" dev="anon_inodefs" ino=7523
scontext=staff_u:staff_r:mplayer_t:s0-s0:c0.c511
tcontext=staff_u:staff_r:pulseaudio_t:s0-s0:c0.c511 tclass=fd
permissive=0
avc: denied { write } for pid=19792 comm="threaded-ml"
name="pulse-shm-1853902321" dev="tmpfs" ino=183175232
scontext=staff_u:staff_r:mplayer_t:s0-s0:c0.c511
tcontext=staff_u:object_r:pulseaudio_tmpfs_t:s0 tclass=file permissive=0
policy/modules/contrib/pulseaudio.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index 1a25024..4dc75b1 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -277,4 +277,8 @@ ifdef(`distro_gentoo',`
# /tmp/pulse-* gets created by the clients usually as user_tmp_t, bug 556526
userdom_list_user_tmp(pulseaudio_client)
+
+ # pulse 7 uses fd's
+ allow pulseaudio_client pulseaudio_t:fd use;
+ allow pulseaudio_client pulseaudio_tmpfs_t:file rw_file_perms;
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-11-22 10:14 Jason Zaman
2015-11-23 13:41 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2015-11-22 10:14 UTC (permalink / raw
To: gentoo-commits
commit: e848a95c2e0d96123aead79676beaf7084ac8d31
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Nov 18 06:05:29 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Nov 18 06:06:06 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e848a95c
ntp: add perms for socket /run/ntpd.sock for openntpd
policy/modules/contrib/ntp.fc | 1 +
policy/modules/contrib/ntp.te | 3 ++-
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/ntp.fc b/policy/modules/contrib/ntp.fc
index c01eb54..b58ce47 100644
--- a/policy/modules/contrib/ntp.fc
+++ b/policy/modules/contrib/ntp.fc
@@ -27,6 +27,7 @@
/var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
/var/run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_var_run_t,s0)
+/var/run/ntpd\.sock -s gen_context(system_u:object_r:ntpd_var_run_t,s0)
ifdef(`distro_gentoo',`
/usr/bin/sntp -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
diff --git a/policy/modules/contrib/ntp.te b/policy/modules/contrib/ntp.te
index 2425edc..7af3a6d 100644
--- a/policy/modules/contrib/ntp.te
+++ b/policy/modules/contrib/ntp.te
@@ -78,7 +78,8 @@ manage_files_pattern(ntpd_t, ntpd_tmpfs_t, ntpd_tmpfs_t)
fs_tmpfs_filetrans(ntpd_t, ntpd_tmpfs_t, { dir file })
manage_files_pattern(ntpd_t, ntpd_var_run_t, ntpd_var_run_t)
-files_pid_filetrans(ntpd_t, ntpd_var_run_t, file)
+manage_sock_files_pattern(ntpd_t, ntpd_var_run_t, ntpd_var_run_t)
+files_pid_filetrans(ntpd_t, ntpd_var_run_t, { file sock_file })
can_exec(ntpd_t, ntpd_exec_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2015-11-22 10:14 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
@ 2015-11-23 13:41 ` Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-11-23 13:41 UTC (permalink / raw
To: gentoo-commits
commit: e848a95c2e0d96123aead79676beaf7084ac8d31
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Nov 18 06:05:29 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Nov 18 06:06:06 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e848a95c
ntp: add perms for socket /run/ntpd.sock for openntpd
policy/modules/contrib/ntp.fc | 1 +
policy/modules/contrib/ntp.te | 3 ++-
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/ntp.fc b/policy/modules/contrib/ntp.fc
index c01eb54..b58ce47 100644
--- a/policy/modules/contrib/ntp.fc
+++ b/policy/modules/contrib/ntp.fc
@@ -27,6 +27,7 @@
/var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
/var/run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_var_run_t,s0)
+/var/run/ntpd\.sock -s gen_context(system_u:object_r:ntpd_var_run_t,s0)
ifdef(`distro_gentoo',`
/usr/bin/sntp -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
diff --git a/policy/modules/contrib/ntp.te b/policy/modules/contrib/ntp.te
index 2425edc..7af3a6d 100644
--- a/policy/modules/contrib/ntp.te
+++ b/policy/modules/contrib/ntp.te
@@ -78,7 +78,8 @@ manage_files_pattern(ntpd_t, ntpd_tmpfs_t, ntpd_tmpfs_t)
fs_tmpfs_filetrans(ntpd_t, ntpd_tmpfs_t, { dir file })
manage_files_pattern(ntpd_t, ntpd_var_run_t, ntpd_var_run_t)
-files_pid_filetrans(ntpd_t, ntpd_var_run_t, file)
+manage_sock_files_pattern(ntpd_t, ntpd_var_run_t, ntpd_var_run_t)
+files_pid_filetrans(ntpd_t, ntpd_var_run_t, { file sock_file })
can_exec(ntpd_t, ntpd_exec_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-10-26 5:48 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-10-26 5:48 UTC (permalink / raw
To: gentoo-commits
commit: 4f1ef29d168da11699a2dd5dcf9d7242bf5d1515
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Fri Oct 23 18:35:45 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct 26 04:10:16 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4f1ef29d
Add systemd socket activations.
policy/modules/contrib/avahi.te | 1 +
policy/modules/contrib/cups.te | 1 +
policy/modules/contrib/dbus.te | 1 +
policy/modules/contrib/iscsi.te | 1 +
policy/modules/contrib/rpcbind.te | 1 +
5 files changed, 5 insertions(+)
diff --git a/policy/modules/contrib/avahi.te b/policy/modules/contrib/avahi.te
index 46d5aba..161763f 100644
--- a/policy/modules/contrib/avahi.te
+++ b/policy/modules/contrib/avahi.te
@@ -8,6 +8,7 @@ policy_module(avahi, 1.15.1)
type avahi_t;
type avahi_exec_t;
init_daemon_domain(avahi_t, avahi_exec_t)
+init_named_socket_activation(avahi_t, avahi_var_run_t)
type avahi_initrc_exec_t;
init_script_file(avahi_initrc_exec_t)
diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te
index 662b991..261dc06 100644
--- a/policy/modules/contrib/cups.te
+++ b/policy/modules/contrib/cups.te
@@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t)
type cupsd_t;
type cupsd_exec_t;
init_daemon_domain(cupsd_t, cupsd_exec_t)
+init_named_socket_activation(cupsd_t, cupsd_var_run_t)
mls_trusted_object(cupsd_t)
type cupsd_etc_t;
diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index e79a81a..e32b70a 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -35,6 +35,7 @@ userdom_user_tmp_file(session_dbusd_tmp_t)
type system_dbusd_t;
init_system_domain(system_dbusd_t, dbusd_exec_t)
+init_named_socket_activation(system_dbusd_t, system_dbusd_var_run_t)
type system_dbusd_tmp_t;
files_tmp_file(system_dbusd_tmp_t)
diff --git a/policy/modules/contrib/iscsi.te b/policy/modules/contrib/iscsi.te
index 070f8e3..43f85f3 100644
--- a/policy/modules/contrib/iscsi.te
+++ b/policy/modules/contrib/iscsi.te
@@ -8,6 +8,7 @@ policy_module(iscsi, 1.9.1)
type iscsid_t;
type iscsid_exec_t;
init_daemon_domain(iscsid_t, iscsid_exec_t)
+init_abstract_socket_activation(iscsid_t)
type iscsi_initrc_exec_t;
init_script_file(iscsi_initrc_exec_t)
diff --git a/policy/modules/contrib/rpcbind.te b/policy/modules/contrib/rpcbind.te
index 9cdb548..fab6184 100644
--- a/policy/modules/contrib/rpcbind.te
+++ b/policy/modules/contrib/rpcbind.te
@@ -8,6 +8,7 @@ policy_module(rpcbind, 1.8.2)
type rpcbind_t;
type rpcbind_exec_t;
init_daemon_domain(rpcbind_t, rpcbind_exec_t)
+init_named_socket_activation(rpcbind_t, rpcbind_var_run_t)
type rpcbind_initrc_exec_t;
init_script_file(rpcbind_initrc_exec_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-10-26 5:48 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-10-26 5:48 UTC (permalink / raw
To: gentoo-commits
commit: 69a218d604593c1a3c459b3935bc03e86b08b765
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Fri Oct 23 18:50:08 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct 26 04:10:16 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=69a218d6
Module version bump for systemd additions.
policy/modules/contrib/alsa.te | 2 +-
policy/modules/contrib/avahi.te | 2 +-
policy/modules/contrib/bluetooth.te | 2 +-
policy/modules/contrib/chronyd.te | 2 +-
policy/modules/contrib/cups.te | 2 +-
policy/modules/contrib/dbus.te | 2 +-
policy/modules/contrib/dnsmasq.te | 2 +-
policy/modules/contrib/iscsi.te | 2 +-
policy/modules/contrib/kdump.te | 2 +-
policy/modules/contrib/lircd.te | 2 +-
policy/modules/contrib/logrotate.te | 2 +-
policy/modules/contrib/mandb.te | 2 +-
policy/modules/contrib/networkmanager.te | 2 +-
policy/modules/contrib/ntp.te | 2 +-
policy/modules/contrib/pcscd.te | 2 +-
policy/modules/contrib/plymouthd.te | 2 +-
policy/modules/contrib/policykit.te | 2 +-
policy/modules/contrib/qemu.te | 2 +-
policy/modules/contrib/raid.te | 2 +-
policy/modules/contrib/rpcbind.te | 2 +-
policy/modules/contrib/rpm.te | 2 +-
policy/modules/contrib/rtkit.te | 2 +-
policy/modules/contrib/shutdown.te | 2 +-
policy/modules/contrib/tcsd.te | 2 +-
24 files changed, 24 insertions(+), 24 deletions(-)
diff --git a/policy/modules/contrib/alsa.te b/policy/modules/contrib/alsa.te
index 24d5287..d325af4 100644
--- a/policy/modules/contrib/alsa.te
+++ b/policy/modules/contrib/alsa.te
@@ -1,4 +1,4 @@
-policy_module(alsa, 1.14.0)
+policy_module(alsa, 1.14.1)
########################################
#
diff --git a/policy/modules/contrib/avahi.te b/policy/modules/contrib/avahi.te
index 161763f..bb06564 100644
--- a/policy/modules/contrib/avahi.te
+++ b/policy/modules/contrib/avahi.te
@@ -1,4 +1,4 @@
-policy_module(avahi, 1.15.1)
+policy_module(avahi, 1.15.2)
########################################
#
diff --git a/policy/modules/contrib/bluetooth.te b/policy/modules/contrib/bluetooth.te
index d69c283..0c99cd9 100644
--- a/policy/modules/contrib/bluetooth.te
+++ b/policy/modules/contrib/bluetooth.te
@@ -1,4 +1,4 @@
-policy_module(bluetooth, 3.5.1)
+policy_module(bluetooth, 3.5.2)
########################################
#
diff --git a/policy/modules/contrib/chronyd.te b/policy/modules/contrib/chronyd.te
index 3167bae..c0d266e 100644
--- a/policy/modules/contrib/chronyd.te
+++ b/policy/modules/contrib/chronyd.te
@@ -1,4 +1,4 @@
-policy_module(chronyd, 1.2.1)
+policy_module(chronyd, 1.2.2)
########################################
#
diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te
index 261dc06..b5ff529 100644
--- a/policy/modules/contrib/cups.te
+++ b/policy/modules/contrib/cups.te
@@ -1,4 +1,4 @@
-policy_module(cups, 1.18.1)
+policy_module(cups, 1.18.2)
########################################
#
diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index e32b70a..bc3999f 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -1,4 +1,4 @@
-policy_module(dbus, 1.20.0)
+policy_module(dbus, 1.20.1)
gen_require(`
class dbus all_dbus_perms;
diff --git a/policy/modules/contrib/dnsmasq.te b/policy/modules/contrib/dnsmasq.te
index c71ace8..601831b 100644
--- a/policy/modules/contrib/dnsmasq.te
+++ b/policy/modules/contrib/dnsmasq.te
@@ -1,4 +1,4 @@
-policy_module(dnsmasq, 1.12.3)
+policy_module(dnsmasq, 1.12.4)
########################################
#
diff --git a/policy/modules/contrib/iscsi.te b/policy/modules/contrib/iscsi.te
index 43f85f3..502a1bb 100644
--- a/policy/modules/contrib/iscsi.te
+++ b/policy/modules/contrib/iscsi.te
@@ -1,4 +1,4 @@
-policy_module(iscsi, 1.9.1)
+policy_module(iscsi, 1.9.2)
########################################
#
diff --git a/policy/modules/contrib/kdump.te b/policy/modules/contrib/kdump.te
index 57e24e6..fb31bbf 100644
--- a/policy/modules/contrib/kdump.te
+++ b/policy/modules/contrib/kdump.te
@@ -1,4 +1,4 @@
-policy_module(kdump, 1.3.1)
+policy_module(kdump, 1.3.2)
#######################################
#
diff --git a/policy/modules/contrib/lircd.te b/policy/modules/contrib/lircd.te
index 26690f2..bfdd92e 100644
--- a/policy/modules/contrib/lircd.te
+++ b/policy/modules/contrib/lircd.te
@@ -1,4 +1,4 @@
-policy_module(lircd, 1.2.1)
+policy_module(lircd, 1.2.2)
########################################
#
diff --git a/policy/modules/contrib/logrotate.te b/policy/modules/contrib/logrotate.te
index 33f534b..a256564 100644
--- a/policy/modules/contrib/logrotate.te
+++ b/policy/modules/contrib/logrotate.te
@@ -1,4 +1,4 @@
-policy_module(logrotate, 1.16.0)
+policy_module(logrotate, 1.16.1)
########################################
#
diff --git a/policy/modules/contrib/mandb.te b/policy/modules/contrib/mandb.te
index 46860dd..8336559 100644
--- a/policy/modules/contrib/mandb.te
+++ b/policy/modules/contrib/mandb.te
@@ -1,4 +1,4 @@
-policy_module(mandb, 1.2.0)
+policy_module(mandb, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index a977b9a..83088ca 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -1,4 +1,4 @@
-policy_module(networkmanager, 1.17.2)
+policy_module(networkmanager, 1.17.3)
########################################
#
diff --git a/policy/modules/contrib/ntp.te b/policy/modules/contrib/ntp.te
index 1f24dab..2425edc 100644
--- a/policy/modules/contrib/ntp.te
+++ b/policy/modules/contrib/ntp.te
@@ -1,4 +1,4 @@
-policy_module(ntp, 1.13.1)
+policy_module(ntp, 1.13.2)
########################################
#
diff --git a/policy/modules/contrib/pcscd.te b/policy/modules/contrib/pcscd.te
index f863ba2..d1cdf9f 100644
--- a/policy/modules/contrib/pcscd.te
+++ b/policy/modules/contrib/pcscd.te
@@ -1,4 +1,4 @@
-policy_module(pcscd, 1.10.1)
+policy_module(pcscd, 1.10.2)
########################################
#
diff --git a/policy/modules/contrib/plymouthd.te b/policy/modules/contrib/plymouthd.te
index 8dadb33..c235706 100644
--- a/policy/modules/contrib/plymouthd.te
+++ b/policy/modules/contrib/plymouthd.te
@@ -1,4 +1,4 @@
-policy_module(plymouthd, 1.2.0)
+policy_module(plymouthd, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/policykit.te b/policy/modules/contrib/policykit.te
index 108007e..6bb283f 100644
--- a/policy/modules/contrib/policykit.te
+++ b/policy/modules/contrib/policykit.te
@@ -1,4 +1,4 @@
-policy_module(policykit, 1.3.0)
+policy_module(policykit, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/qemu.te b/policy/modules/contrib/qemu.te
index a17ed0c..9714860 100644
--- a/policy/modules/contrib/qemu.te
+++ b/policy/modules/contrib/qemu.te
@@ -1,4 +1,4 @@
-policy_module(qemu, 1.8.0)
+policy_module(qemu, 1.8.1)
########################################
#
diff --git a/policy/modules/contrib/raid.te b/policy/modules/contrib/raid.te
index b6aea09..f561fdd 100644
--- a/policy/modules/contrib/raid.te
+++ b/policy/modules/contrib/raid.te
@@ -1,4 +1,4 @@
-policy_module(raid, 1.14.2)
+policy_module(raid, 1.14.3)
########################################
#
diff --git a/policy/modules/contrib/rpcbind.te b/policy/modules/contrib/rpcbind.te
index fab6184..8c3575c 100644
--- a/policy/modules/contrib/rpcbind.te
+++ b/policy/modules/contrib/rpcbind.te
@@ -1,4 +1,4 @@
-policy_module(rpcbind, 1.8.2)
+policy_module(rpcbind, 1.8.3)
########################################
#
diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te
index 5cac092..3da1c61 100644
--- a/policy/modules/contrib/rpm.te
+++ b/policy/modules/contrib/rpm.te
@@ -1,4 +1,4 @@
-policy_module(rpm, 1.17.2)
+policy_module(rpm, 1.17.3)
########################################
#
diff --git a/policy/modules/contrib/rtkit.te b/policy/modules/contrib/rtkit.te
index 1aa52c4..e9baab6 100644
--- a/policy/modules/contrib/rtkit.te
+++ b/policy/modules/contrib/rtkit.te
@@ -1,4 +1,4 @@
-policy_module(rtkit, 1.2.1)
+policy_module(rtkit, 1.2.2)
########################################
#
diff --git a/policy/modules/contrib/shutdown.te b/policy/modules/contrib/shutdown.te
index e2544e1..88a1436 100644
--- a/policy/modules/contrib/shutdown.te
+++ b/policy/modules/contrib/shutdown.te
@@ -1,4 +1,4 @@
-policy_module(shutdown, 1.2.0)
+policy_module(shutdown, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/tcsd.te b/policy/modules/contrib/tcsd.te
index 439cf27..6c56bba 100644
--- a/policy/modules/contrib/tcsd.te
+++ b/policy/modules/contrib/tcsd.te
@@ -1,4 +1,4 @@
-policy_module(tcsd, 1.2.1)
+policy_module(tcsd, 1.2.2)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-10-26 5:36 Jason Zaman
2015-10-26 5:48 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2015-10-26 5:36 UTC (permalink / raw
To: gentoo-commits
commit: cc84af253feefbacb7155575e1126a7abf0227ca
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Fri Oct 23 18:35:33 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct 26 04:10:16 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cc84af25
Add systemd unit types.
Primarily contributed by the Tresys CLIP team.
policy/modules/contrib/alsa.fc | 5 +++++
policy/modules/contrib/alsa.te | 3 +++
policy/modules/contrib/bluetooth.fc | 3 +++
policy/modules/contrib/bluetooth.te | 3 +++
policy/modules/contrib/chronyd.fc | 5 +++++
policy/modules/contrib/chronyd.te | 3 +++
policy/modules/contrib/dbus.fc | 3 +++
policy/modules/contrib/dbus.te | 3 +++
policy/modules/contrib/dnsmasq.fc | 3 +++
policy/modules/contrib/dnsmasq.te | 3 +++
policy/modules/contrib/kdump.te | 3 +++
policy/modules/contrib/lircd.fc | 3 +++
policy/modules/contrib/lircd.te | 3 +++
policy/modules/contrib/logrotate.fc | 3 +++
policy/modules/contrib/logrotate.te | 3 +++
policy/modules/contrib/mandb.fc | 3 +++
policy/modules/contrib/mandb.te | 3 +++
policy/modules/contrib/networkmanager.fc | 4 ++++
policy/modules/contrib/networkmanager.te | 3 +++
policy/modules/contrib/ntp.fc | 3 +++
policy/modules/contrib/ntp.te | 3 +++
policy/modules/contrib/pcscd.fc | 3 +++
policy/modules/contrib/pcscd.te | 3 +++
policy/modules/contrib/plymouthd.fc | 3 +++
policy/modules/contrib/plymouthd.te | 3 +++
policy/modules/contrib/policykit.fc | 3 +++
policy/modules/contrib/policykit.te | 3 +++
policy/modules/contrib/qemu.fc | 2 ++
policy/modules/contrib/qemu.te | 3 +++
policy/modules/contrib/raid.fc | 4 ++++
policy/modules/contrib/raid.te | 3 +++
policy/modules/contrib/rpm.fc | 4 ++++
policy/modules/contrib/rpm.te | 3 +++
policy/modules/contrib/rtkit.fc | 3 +++
policy/modules/contrib/rtkit.te | 3 +++
policy/modules/contrib/shutdown.if | 18 ++++++++++++++++++
policy/modules/contrib/tcsd.fc | 3 +++
policy/modules/contrib/tcsd.te | 3 +++
38 files changed, 135 insertions(+)
diff --git a/policy/modules/contrib/alsa.fc b/policy/modules/contrib/alsa.fc
index 6c3c0ba..a8c8a64 100644
--- a/policy/modules/contrib/alsa.fc
+++ b/policy/modules/contrib/alsa.fc
@@ -14,6 +14,11 @@ ifdef(`distro_debian',`
/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0)
/sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0)
+# Systemd unit files
+/usr/lib/systemd/system/[^/]*alsa-restore.* -- gen_context(system_u:object_r:alsa_unit_t,s0)
+/usr/lib/systemd/system/[^/]*alsa-state.* -- gen_context(system_u:object_r:alsa_unit_t,s0)
+/usr/lib/systemd/system/[^/]*alsa-store.* -- gen_context(system_u:object_r:alsa_unit_t,s0)
+
/usr/bin/ainit -- gen_context(system_u:object_r:alsa_exec_t,s0)
/usr/bin/alsaunmute -- gen_context(system_u:object_r:alsa_exec_t,s0)
diff --git a/policy/modules/contrib/alsa.te b/policy/modules/contrib/alsa.te
index 46d12e8..24d5287 100644
--- a/policy/modules/contrib/alsa.te
+++ b/policy/modules/contrib/alsa.te
@@ -21,6 +21,9 @@ files_tmp_file(alsa_tmp_t)
type alsa_tmpfs_t;
files_tmpfs_file(alsa_tmpfs_t)
+type alsa_unit_t;
+init_unit_file(alsa_unit_t)
+
type alsa_var_lib_t;
files_type(alsa_var_lib_t)
diff --git a/policy/modules/contrib/bluetooth.fc b/policy/modules/contrib/bluetooth.fc
index a28101f..bcce998 100644
--- a/policy/modules/contrib/bluetooth.fc
+++ b/policy/modules/contrib/bluetooth.fc
@@ -10,6 +10,9 @@
/usr/bin/hidd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
/usr/bin/rfcomm -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+# Systemd unit file
+/usr/lib/systemd/system/[^/]*bluetooth.* -- gen_context(system_u:object_r:bluetooth_unit_t,s0)
+
/usr/sbin/bluetoothd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
/usr/sbin/hciattach -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
/usr/sbin/hcid -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
diff --git a/policy/modules/contrib/bluetooth.te b/policy/modules/contrib/bluetooth.te
index 08f3c20..d69c283 100644
--- a/policy/modules/contrib/bluetooth.te
+++ b/policy/modules/contrib/bluetooth.te
@@ -43,6 +43,9 @@ files_lock_file(bluetooth_lock_t)
type bluetooth_tmp_t;
files_tmp_file(bluetooth_tmp_t)
+type bluetooth_unit_t;
+init_unit_file(bluetooth_unit_t)
+
type bluetooth_var_lib_t;
files_type(bluetooth_var_lib_t)
diff --git a/policy/modules/contrib/chronyd.fc b/policy/modules/contrib/chronyd.fc
index fd5fbbb..a4a42ea 100644
--- a/policy/modules/contrib/chronyd.fc
+++ b/policy/modules/contrib/chronyd.fc
@@ -2,6 +2,11 @@
/etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0)
+# Systend unit files
+/usr/lib/systemd/system/[^/]*chrony-wait.* -- gen_context(system_u:object_r:chronyd_unit_t,s0)
+/usr/lib/systemd/system/[^/]*chronyd.* -- gen_context(system_u:object_r:chronyd_unit_t,s0)
+
+
/usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0)
/var/lib/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_lib_t,s0)
diff --git a/policy/modules/contrib/chronyd.te b/policy/modules/contrib/chronyd.te
index 7a16731..3167bae 100644
--- a/policy/modules/contrib/chronyd.te
+++ b/policy/modules/contrib/chronyd.te
@@ -18,6 +18,9 @@ files_type(chronyd_keys_t)
type chronyd_tmpfs_t;
files_tmpfs_file(chronyd_tmpfs_t)
+type chronyd_unit_t;
+init_unit_file(chronyd_unit_t)
+
type chronyd_var_lib_t;
files_type(chronyd_var_lib_t)
diff --git a/policy/modules/contrib/dbus.fc b/policy/modules/contrib/dbus.fc
index dda905b..309a462 100644
--- a/policy/modules/contrib/dbus.fc
+++ b/policy/modules/contrib/dbus.fc
@@ -10,6 +10,9 @@ HOME_DIR/\.dbus(/.*)? gen_context(system_u:object_r:session_dbusd_home_t,s0)
/usr/lib/dbus-.*/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+# Systemd unit file
+/usr/lib/systemd/system/[^/]*dbus.* -- gen_context(system_u:object_r:dbusd_unit_t,s0)
+
/usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
/var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0)
diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index 6f2b890..e79a81a 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -22,6 +22,9 @@ type dbusd_exec_t;
corecmd_executable_file(dbusd_exec_t)
typealias dbusd_exec_t alias system_dbusd_exec_t;
+type dbusd_unit_t;
+init_unit_file(dbusd_unit_t)
+
type session_dbusd_home_t;
userdom_user_home_content(session_dbusd_home_t)
diff --git a/policy/modules/contrib/dnsmasq.fc b/policy/modules/contrib/dnsmasq.fc
index 8ca133c..89edbaa 100644
--- a/policy/modules/contrib/dnsmasq.fc
+++ b/policy/modules/contrib/dnsmasq.fc
@@ -3,6 +3,9 @@
/etc/rc\.d/init\.d/dnsmasq -- gen_context(system_u:object_r:dnsmasq_initrc_exec_t,s0)
+# Systemd unit file
+/usr/lib/systemd/system/[^/]*dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_unit_t,s0)
+
/usr/sbin/dnsmasq -- gen_context(system_u:object_r:dnsmasq_exec_t,s0)
/var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0)
diff --git a/policy/modules/contrib/dnsmasq.te b/policy/modules/contrib/dnsmasq.te
index 15b29cb..c71ace8 100644
--- a/policy/modules/contrib/dnsmasq.te
+++ b/policy/modules/contrib/dnsmasq.te
@@ -18,6 +18,9 @@ files_config_file(dnsmasq_etc_t)
type dnsmasq_lease_t;
files_type(dnsmasq_lease_t)
+type dnsmasq_unit_t;
+init_unit_file(dnsmasq_unit_t)
+
type dnsmasq_var_log_t;
logging_log_file(dnsmasq_var_log_t)
diff --git a/policy/modules/contrib/kdump.te b/policy/modules/contrib/kdump.te
index 7c4e3f1..57e24e6 100644
--- a/policy/modules/contrib/kdump.te
+++ b/policy/modules/contrib/kdump.te
@@ -15,6 +15,9 @@ files_config_file(kdump_etc_t)
type kdump_initrc_exec_t;
init_script_file(kdump_initrc_exec_t)
+type kdump_unit_t;
+init_unit_file(kdump_unit_t)
+
type kdumpctl_t;
type kdumpctl_exec_t;
init_daemon_domain(kdumpctl_t, kdumpctl_exec_t)
diff --git a/policy/modules/contrib/lircd.fc b/policy/modules/contrib/lircd.fc
index c7a726a..76e497e 100644
--- a/policy/modules/contrib/lircd.fc
+++ b/policy/modules/contrib/lircd.fc
@@ -5,6 +5,9 @@
/etc/rc\.d/init\.d/lirc -- gen_context(system_u:object_r:lircd_initrc_exec_t,s0)
+# Systemd unit file
+/usr/lib/systemd/system/[^/]*lircd.* -- gen_context(system_u:object_r:lircd_unit_t,s0)
+
/usr/sbin/lircd -- gen_context(system_u:object_r:lircd_exec_t,s0)
/var/run/lirc(/.*)? gen_context(system_u:object_r:lircd_var_run_t,s0)
diff --git a/policy/modules/contrib/lircd.te b/policy/modules/contrib/lircd.te
index 0064b06..26690f2 100644
--- a/policy/modules/contrib/lircd.te
+++ b/policy/modules/contrib/lircd.te
@@ -15,6 +15,9 @@ init_script_file(lircd_initrc_exec_t)
type lircd_etc_t;
files_type(lircd_etc_t)
+type lircd_unit_t;
+init_unit_file(lircd_unit_t)
+
type lircd_var_run_t alias lircd_sock_t;
files_pid_file(lircd_var_run_t)
diff --git a/policy/modules/contrib/logrotate.fc b/policy/modules/contrib/logrotate.fc
index 207ec10..ad21596 100644
--- a/policy/modules/contrib/logrotate.fc
+++ b/policy/modules/contrib/logrotate.fc
@@ -1,6 +1,9 @@
/etc/cron\.(daily|weekly)/logrotate -- gen_context(system_u:object_r:logrotate_exec_t,s0)
/etc/cron\.(daily|weekly)/sysklogd -- gen_context(system_u:object_r:logrotate_exec_t,s0)
+# Systemd unit file
+/usr/lib/systemd/system/[^/]*logrotate.* -- gen_context(system_u:object_r:logrotate_unit_t,s0)
+
/usr/sbin/logrotate -- gen_context(system_u:object_r:logrotate_exec_t,s0)
/var/lib/logrotate(/.*)? gen_context(system_u:object_r:logrotate_var_lib_t,s0)
diff --git a/policy/modules/contrib/logrotate.te b/policy/modules/contrib/logrotate.te
index 311defd..33f534b 100644
--- a/policy/modules/contrib/logrotate.te
+++ b/policy/modules/contrib/logrotate.te
@@ -25,6 +25,9 @@ files_tmp_file(logrotate_tmp_t)
type logrotate_var_lib_t;
files_type(logrotate_var_lib_t)
+type logrotate_unit_t;
+init_unit_file(logrotate_unit_t)
+
mta_base_mail_template(logrotate)
role system_r types logrotate_mail_t;
diff --git a/policy/modules/contrib/mandb.fc b/policy/modules/contrib/mandb.fc
index 8ae78b5..9f2825e 100644
--- a/policy/modules/contrib/mandb.fc
+++ b/policy/modules/contrib/mandb.fc
@@ -1 +1,4 @@
/etc/cron\.(daily|weekly)/man-db.* -- gen_context(system_u:object_r:mandb_exec_t,s0)
+
+# Systemd unit file
+/usr/lib/systemd/system/[^/]*man-db.* -- gen_context(system_u:object_r:mandb_unit_t,s0)
diff --git a/policy/modules/contrib/mandb.te b/policy/modules/contrib/mandb.te
index e29882f..46860dd 100644
--- a/policy/modules/contrib/mandb.te
+++ b/policy/modules/contrib/mandb.te
@@ -13,6 +13,9 @@ type mandb_exec_t;
application_domain(mandb_t, mandb_exec_t)
role mandb_roles types mandb_t;
+type mandb_unit_t;
+init_unit_file(mandb_unit_t)
+
########################################
#
# Local policy
diff --git a/policy/modules/contrib/networkmanager.fc b/policy/modules/contrib/networkmanager.fc
index 5ffd285..c192c7f 100644
--- a/policy/modules/contrib/networkmanager.fc
+++ b/policy/modules/contrib/networkmanager.fc
@@ -17,6 +17,10 @@
/usr/lib/networkmanager/nm-dispatcher\.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
/usr/libexec/nm-dispatcher.* -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+# Systemd unit files
+/usr/lib/systemd/system/[^/]*NetworkManager.* -- gen_context(system_u:object_r:NetworkManager_unit_t,s0)
+/usr/lib/systemd/system/[^/]*wpa_supplicant.* -- gen_context(system_u:object_r:NetworkManager_unit_t,s0)
+
/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index 427dfe4..a977b9a 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -24,6 +24,9 @@ logging_log_file(NetworkManager_log_t)
type NetworkManager_tmp_t;
files_tmp_file(NetworkManager_tmp_t)
+type NetworkManager_unit_t;
+init_unit_file(NetworkManager_unit_t)
+
type NetworkManager_var_lib_t;
files_type(NetworkManager_var_lib_t)
diff --git a/policy/modules/contrib/ntp.fc b/policy/modules/contrib/ntp.fc
index c74d996..c01eb54 100644
--- a/policy/modules/contrib/ntp.fc
+++ b/policy/modules/contrib/ntp.fc
@@ -11,6 +11,9 @@
/etc/rc\.d/init\.d/ntpd? -- gen_context(system_u:object_r:ntpd_initrc_exec_t,s0)
+# Systemd unit file
+/usr/lib/systemd/ntp-units\.d/.* -- gen_context(system_u:object_r:ntpd_unit_t,s0)
+
/usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
/usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
/usr/sbin/sntp -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
diff --git a/policy/modules/contrib/ntp.te b/policy/modules/contrib/ntp.te
index 7600674..1f24dab 100644
--- a/policy/modules/contrib/ntp.te
+++ b/policy/modules/contrib/ntp.te
@@ -33,6 +33,9 @@ files_tmp_file(ntpd_tmp_t)
type ntpd_tmpfs_t;
files_tmpfs_file(ntpd_tmpfs_t)
+type ntpd_unit_t;
+init_unit_file(ntpd_unit_t)
+
type ntpd_var_run_t;
files_pid_file(ntpd_var_run_t)
diff --git a/policy/modules/contrib/pcscd.fc b/policy/modules/contrib/pcscd.fc
index 58363c7..5d1beba 100644
--- a/policy/modules/contrib/pcscd.fc
+++ b/policy/modules/contrib/pcscd.fc
@@ -2,6 +2,9 @@
/usr/sbin/pcscd -- gen_context(system_u:object_r:pcscd_exec_t,s0)
+# Systemd unit file
+/usr/lib/systemd/system/[^/]*pcscd.* -- gen_context(system_u:object_r:pcscd_unit_t,s0)
+
/var/run/pcscd\.comm -s gen_context(system_u:object_r:pcscd_var_run_t,s0)
/var/run/pcscd(/.*)? gen_context(system_u:object_r:pcscd_var_run_t,s0)
/var/run/pcscd\.pid -- gen_context(system_u:object_r:pcscd_var_run_t,s0)
diff --git a/policy/modules/contrib/pcscd.te b/policy/modules/contrib/pcscd.te
index bf5066f..f863ba2 100644
--- a/policy/modules/contrib/pcscd.te
+++ b/policy/modules/contrib/pcscd.te
@@ -12,6 +12,9 @@ init_daemon_domain(pcscd_t, pcscd_exec_t)
type pcscd_initrc_exec_t;
init_script_file(pcscd_initrc_exec_t)
+type pcscd_unit_t;
+init_unit_file(pcscd_unit_t)
+
type pcscd_var_run_t;
files_pid_file(pcscd_var_run_t)
init_daemon_pid_file(pcscd_var_run_t, dir, "pcscd")
diff --git a/policy/modules/contrib/plymouthd.fc b/policy/modules/contrib/plymouthd.fc
index 735500f..2d9b956 100644
--- a/policy/modules/contrib/plymouthd.fc
+++ b/policy/modules/contrib/plymouthd.fc
@@ -4,6 +4,9 @@
/usr/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t,s0)
+# Systemd unit file
+/usr/lib/systemd/system/[^/]*plymouth-.* -- gen_context(system_u:object_r:plymouthd_unit_t,s0)
+
/usr/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0)
/var/lib/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_lib_t,s0)
diff --git a/policy/modules/contrib/plymouthd.te b/policy/modules/contrib/plymouthd.te
index 3078ce9..8dadb33 100644
--- a/policy/modules/contrib/plymouthd.te
+++ b/policy/modules/contrib/plymouthd.te
@@ -17,6 +17,9 @@ init_daemon_domain(plymouthd_t, plymouthd_exec_t)
type plymouthd_spool_t;
files_type(plymouthd_spool_t)
+type plymouthd_unit_t;
+init_unit_file(plymouthd_unit_t)
+
type plymouthd_var_lib_t;
files_type(plymouthd_var_lib_t)
diff --git a/policy/modules/contrib/policykit.fc b/policy/modules/contrib/policykit.fc
index 1d76c72..774c12b 100644
--- a/policy/modules/contrib/policykit.fc
+++ b/policy/modules/contrib/policykit.fc
@@ -8,6 +8,9 @@
/usr/lib/policykit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
/usr/lib/policykit-1/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
+# Systemd unit file
+/usr/lib/systemd/system/[^/]*polkit.* -- gen_context(system_u:object_r:policykit_unit_t,s0)
+
/usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
/usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0)
/usr/libexec/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
diff --git a/policy/modules/contrib/policykit.te b/policy/modules/contrib/policykit.te
index ee91778..108007e 100644
--- a/policy/modules/contrib/policykit.te
+++ b/policy/modules/contrib/policykit.te
@@ -34,6 +34,9 @@ files_type(policykit_reload_t)
type policykit_tmp_t;
files_tmp_file(policykit_tmp_t)
+type policykit_unit_t;
+init_unit_file(policykit_unit_t)
+
type policykit_var_lib_t alias polkit_var_lib_t;
files_type(policykit_var_lib_t)
diff --git a/policy/modules/contrib/qemu.fc b/policy/modules/contrib/qemu.fc
index f1304fb..cfb18ec 100644
--- a/policy/modules/contrib/qemu.fc
+++ b/policy/modules/contrib/qemu.fc
@@ -3,6 +3,8 @@
/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
/usr/bin/kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/lib/systemd/system/[^/]*qemu-guest-agent.* -- gen_context(system_u:object_r:qemu_unit_t,s0)
+
/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
ifdef(`distro_gentoo',`
diff --git a/policy/modules/contrib/qemu.te b/policy/modules/contrib/qemu.te
index 136f6f3..a17ed0c 100644
--- a/policy/modules/contrib/qemu.te
+++ b/policy/modules/contrib/qemu.te
@@ -22,6 +22,9 @@ application_executable_file(qemu_exec_t)
virt_domain_template(qemu)
role qemu_roles types qemu_t;
+type qemu_unit_t;
+init_unit_file(qemu_unit_t)
+
########################################
#
# Local policy
diff --git a/policy/modules/contrib/raid.fc b/policy/modules/contrib/raid.fc
index 5806046..2ea0889 100644
--- a/policy/modules/contrib/raid.fc
+++ b/policy/modules/contrib/raid.fc
@@ -11,6 +11,10 @@
/sbin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0)
/sbin/raid-check -- gen_context(system_u:object_r:mdadm_exec_t,s0)
+# Systemd unit files
+/usr/lib/systemd/system/[^/]*mdadm-.* -- gen_context(system_u:object_r:mdadm_unit_t,s0)
+/usr/lib/systemd/system/[^/]*mdmon.* -- gen_context(system_u:object_r:mdadm_unit_t,s0)
+
/usr/sbin/iprdump -- gen_context(system_u:object_r:mdadm_exec_t,s0)
/usr/sbin/iprinit -- gen_context(system_u:object_r:mdadm_exec_t,s0)
/usr/sbin/iprupdate -- gen_context(system_u:object_r:mdadm_exec_t,s0)
diff --git a/policy/modules/contrib/raid.te b/policy/modules/contrib/raid.te
index dfe62e3..b6aea09 100644
--- a/policy/modules/contrib/raid.te
+++ b/policy/modules/contrib/raid.te
@@ -15,6 +15,9 @@ role mdadm_roles types mdadm_t;
type mdadm_initrc_exec_t;
init_script_file(mdadm_initrc_exec_t)
+type mdadm_unit_t;
+init_unit_file(mdadm_unit_t)
+
type mdadm_var_run_t alias mdadm_map_t;
files_pid_file(mdadm_var_run_t)
dev_associate(mdadm_var_run_t)
diff --git a/policy/modules/contrib/rpm.fc b/policy/modules/contrib/rpm.fc
index ebe91fc..1ebd4a1 100644
--- a/policy/modules/contrib/rpm.fc
+++ b/policy/modules/contrib/rpm.fc
@@ -13,6 +13,10 @@
/usr/bin/yum -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/bin/zif -- gen_context(system_u:object_r:rpm_exec_t,s0)
+# Systemd unit file
+/usr/lib/systemd/system/[^/]*dnf-makecache.* -- gen_context(system_u:object_r:rpm_unit_t,s0)
+/usr/lib/systemd/system/[^/]*yum-makecache.* -- gen_context(system_u:object_r:rpm_unit_t,s0)
+
/usr/libexec/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/libexec/yumDBUSBackend.py -- gen_context(system_u:object_r:rpm_exec_t,s0)
diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te
index de5c91f..5cac092 100644
--- a/policy/modules/contrib/rpm.te
+++ b/policy/modules/contrib/rpm.te
@@ -37,6 +37,9 @@ files_lock_file(rpm_lock_t)
type rpm_log_t;
logging_log_file(rpm_log_t)
+type rpm_unit_t;
+init_unit_file(rpm_unit_t)
+
type rpm_var_lib_t;
files_type(rpm_var_lib_t)
typealias rpm_var_lib_t alias var_lib_rpm_t;
diff --git a/policy/modules/contrib/rtkit.fc b/policy/modules/contrib/rtkit.fc
index 75bbf38..a3021da 100644
--- a/policy/modules/contrib/rtkit.fc
+++ b/policy/modules/contrib/rtkit.fc
@@ -3,3 +3,6 @@
/usr/libexec/rtkit-daemon -- gen_context(system_u:object_r:rtkit_daemon_exec_t,s0)
/usr/lib/rtkit/rtkit-daemon -- gen_context(system_u:object_r:rtkit_daemon_exec_t,s0)
+
+# Systemd unit file
+/usr/lib/systemd/system/[^/]*rtkit-daemon.* -- gen_context(system_u:object_r:rtkit_daemon_unit_t,s0)
diff --git a/policy/modules/contrib/rtkit.te b/policy/modules/contrib/rtkit.te
index 906ebb5..1aa52c4 100644
--- a/policy/modules/contrib/rtkit.te
+++ b/policy/modules/contrib/rtkit.te
@@ -12,6 +12,9 @@ init_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t)
type rtkit_daemon_initrc_exec_t;
init_script_file(rtkit_daemon_initrc_exec_t)
+type rtkit_daemon_unit_t;
+init_unit_file(rtkit_daemon_unit_t)
+
########################################
#
# Local policy
diff --git a/policy/modules/contrib/shutdown.if b/policy/modules/contrib/shutdown.if
index d1706bf..819d19b 100644
--- a/policy/modules/contrib/shutdown.if
+++ b/policy/modules/contrib/shutdown.if
@@ -91,6 +91,24 @@ interface(`shutdown_signal',`
########################################
## <summary>
+## Send SIGCHLD signals to shutdown.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`shutdown_sigchld',`
+ gen_require(`
+ type shutdown_t;
+ ')
+
+ allow $1 shutdown_t:process sigchld;
+')
+
+########################################
+## <summary>
## Get attributes of shutdown executable files.
## </summary>
## <param name="domain">
diff --git a/policy/modules/contrib/tcsd.fc b/policy/modules/contrib/tcsd.fc
index c2c2636..0e086e7 100644
--- a/policy/modules/contrib/tcsd.fc
+++ b/policy/modules/contrib/tcsd.fc
@@ -1,5 +1,8 @@
/etc/rc\.d/init\.d/(tcsd|trousers) -- gen_context(system_u:object_r:tcsd_initrc_exec_t,s0)
+# Systemd unit file
+/usr/lib/systemd/system/[^/]*tcsd.* -- gen_context(system_u:object_r:tcsd_unit_t,s0)
+
/usr/sbin/tcsd -- gen_context(system_u:object_r:tcsd_exec_t,s0)
/var/lib/tpm(/.*)? gen_context(system_u:object_r:tcsd_var_lib_t,s0)
diff --git a/policy/modules/contrib/tcsd.te b/policy/modules/contrib/tcsd.te
index 272c114..439cf27 100644
--- a/policy/modules/contrib/tcsd.te
+++ b/policy/modules/contrib/tcsd.te
@@ -12,6 +12,9 @@ init_daemon_domain(tcsd_t, tcsd_exec_t)
type tcsd_initrc_exec_t;
init_script_file(tcsd_initrc_exec_t)
+type tcsd_unit_t;
+init_unit_file(tcsd_unit_t)
+
type tcsd_var_lib_t;
files_type(tcsd_var_lib_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2015-10-26 5:36 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
@ 2015-10-26 5:48 ` Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-10-26 5:48 UTC (permalink / raw
To: gentoo-commits
commit: cc84af253feefbacb7155575e1126a7abf0227ca
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Fri Oct 23 18:35:33 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct 26 04:10:16 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cc84af25
Add systemd unit types.
Primarily contributed by the Tresys CLIP team.
policy/modules/contrib/alsa.fc | 5 +++++
policy/modules/contrib/alsa.te | 3 +++
policy/modules/contrib/bluetooth.fc | 3 +++
policy/modules/contrib/bluetooth.te | 3 +++
policy/modules/contrib/chronyd.fc | 5 +++++
policy/modules/contrib/chronyd.te | 3 +++
policy/modules/contrib/dbus.fc | 3 +++
policy/modules/contrib/dbus.te | 3 +++
policy/modules/contrib/dnsmasq.fc | 3 +++
policy/modules/contrib/dnsmasq.te | 3 +++
policy/modules/contrib/kdump.te | 3 +++
policy/modules/contrib/lircd.fc | 3 +++
policy/modules/contrib/lircd.te | 3 +++
policy/modules/contrib/logrotate.fc | 3 +++
policy/modules/contrib/logrotate.te | 3 +++
policy/modules/contrib/mandb.fc | 3 +++
policy/modules/contrib/mandb.te | 3 +++
policy/modules/contrib/networkmanager.fc | 4 ++++
policy/modules/contrib/networkmanager.te | 3 +++
policy/modules/contrib/ntp.fc | 3 +++
policy/modules/contrib/ntp.te | 3 +++
policy/modules/contrib/pcscd.fc | 3 +++
policy/modules/contrib/pcscd.te | 3 +++
policy/modules/contrib/plymouthd.fc | 3 +++
policy/modules/contrib/plymouthd.te | 3 +++
policy/modules/contrib/policykit.fc | 3 +++
policy/modules/contrib/policykit.te | 3 +++
policy/modules/contrib/qemu.fc | 2 ++
policy/modules/contrib/qemu.te | 3 +++
policy/modules/contrib/raid.fc | 4 ++++
policy/modules/contrib/raid.te | 3 +++
policy/modules/contrib/rpm.fc | 4 ++++
policy/modules/contrib/rpm.te | 3 +++
policy/modules/contrib/rtkit.fc | 3 +++
policy/modules/contrib/rtkit.te | 3 +++
policy/modules/contrib/shutdown.if | 18 ++++++++++++++++++
policy/modules/contrib/tcsd.fc | 3 +++
policy/modules/contrib/tcsd.te | 3 +++
38 files changed, 135 insertions(+)
diff --git a/policy/modules/contrib/alsa.fc b/policy/modules/contrib/alsa.fc
index 6c3c0ba..a8c8a64 100644
--- a/policy/modules/contrib/alsa.fc
+++ b/policy/modules/contrib/alsa.fc
@@ -14,6 +14,11 @@ ifdef(`distro_debian',`
/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0)
/sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0)
+# Systemd unit files
+/usr/lib/systemd/system/[^/]*alsa-restore.* -- gen_context(system_u:object_r:alsa_unit_t,s0)
+/usr/lib/systemd/system/[^/]*alsa-state.* -- gen_context(system_u:object_r:alsa_unit_t,s0)
+/usr/lib/systemd/system/[^/]*alsa-store.* -- gen_context(system_u:object_r:alsa_unit_t,s0)
+
/usr/bin/ainit -- gen_context(system_u:object_r:alsa_exec_t,s0)
/usr/bin/alsaunmute -- gen_context(system_u:object_r:alsa_exec_t,s0)
diff --git a/policy/modules/contrib/alsa.te b/policy/modules/contrib/alsa.te
index 46d12e8..24d5287 100644
--- a/policy/modules/contrib/alsa.te
+++ b/policy/modules/contrib/alsa.te
@@ -21,6 +21,9 @@ files_tmp_file(alsa_tmp_t)
type alsa_tmpfs_t;
files_tmpfs_file(alsa_tmpfs_t)
+type alsa_unit_t;
+init_unit_file(alsa_unit_t)
+
type alsa_var_lib_t;
files_type(alsa_var_lib_t)
diff --git a/policy/modules/contrib/bluetooth.fc b/policy/modules/contrib/bluetooth.fc
index a28101f..bcce998 100644
--- a/policy/modules/contrib/bluetooth.fc
+++ b/policy/modules/contrib/bluetooth.fc
@@ -10,6 +10,9 @@
/usr/bin/hidd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
/usr/bin/rfcomm -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+# Systemd unit file
+/usr/lib/systemd/system/[^/]*bluetooth.* -- gen_context(system_u:object_r:bluetooth_unit_t,s0)
+
/usr/sbin/bluetoothd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
/usr/sbin/hciattach -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
/usr/sbin/hcid -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
diff --git a/policy/modules/contrib/bluetooth.te b/policy/modules/contrib/bluetooth.te
index 08f3c20..d69c283 100644
--- a/policy/modules/contrib/bluetooth.te
+++ b/policy/modules/contrib/bluetooth.te
@@ -43,6 +43,9 @@ files_lock_file(bluetooth_lock_t)
type bluetooth_tmp_t;
files_tmp_file(bluetooth_tmp_t)
+type bluetooth_unit_t;
+init_unit_file(bluetooth_unit_t)
+
type bluetooth_var_lib_t;
files_type(bluetooth_var_lib_t)
diff --git a/policy/modules/contrib/chronyd.fc b/policy/modules/contrib/chronyd.fc
index fd5fbbb..a4a42ea 100644
--- a/policy/modules/contrib/chronyd.fc
+++ b/policy/modules/contrib/chronyd.fc
@@ -2,6 +2,11 @@
/etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0)
+# Systend unit files
+/usr/lib/systemd/system/[^/]*chrony-wait.* -- gen_context(system_u:object_r:chronyd_unit_t,s0)
+/usr/lib/systemd/system/[^/]*chronyd.* -- gen_context(system_u:object_r:chronyd_unit_t,s0)
+
+
/usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0)
/var/lib/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_lib_t,s0)
diff --git a/policy/modules/contrib/chronyd.te b/policy/modules/contrib/chronyd.te
index 7a16731..3167bae 100644
--- a/policy/modules/contrib/chronyd.te
+++ b/policy/modules/contrib/chronyd.te
@@ -18,6 +18,9 @@ files_type(chronyd_keys_t)
type chronyd_tmpfs_t;
files_tmpfs_file(chronyd_tmpfs_t)
+type chronyd_unit_t;
+init_unit_file(chronyd_unit_t)
+
type chronyd_var_lib_t;
files_type(chronyd_var_lib_t)
diff --git a/policy/modules/contrib/dbus.fc b/policy/modules/contrib/dbus.fc
index dda905b..309a462 100644
--- a/policy/modules/contrib/dbus.fc
+++ b/policy/modules/contrib/dbus.fc
@@ -10,6 +10,9 @@ HOME_DIR/\.dbus(/.*)? gen_context(system_u:object_r:session_dbusd_home_t,s0)
/usr/lib/dbus-.*/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+# Systemd unit file
+/usr/lib/systemd/system/[^/]*dbus.* -- gen_context(system_u:object_r:dbusd_unit_t,s0)
+
/usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
/var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0)
diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index 6f2b890..e79a81a 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -22,6 +22,9 @@ type dbusd_exec_t;
corecmd_executable_file(dbusd_exec_t)
typealias dbusd_exec_t alias system_dbusd_exec_t;
+type dbusd_unit_t;
+init_unit_file(dbusd_unit_t)
+
type session_dbusd_home_t;
userdom_user_home_content(session_dbusd_home_t)
diff --git a/policy/modules/contrib/dnsmasq.fc b/policy/modules/contrib/dnsmasq.fc
index 8ca133c..89edbaa 100644
--- a/policy/modules/contrib/dnsmasq.fc
+++ b/policy/modules/contrib/dnsmasq.fc
@@ -3,6 +3,9 @@
/etc/rc\.d/init\.d/dnsmasq -- gen_context(system_u:object_r:dnsmasq_initrc_exec_t,s0)
+# Systemd unit file
+/usr/lib/systemd/system/[^/]*dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_unit_t,s0)
+
/usr/sbin/dnsmasq -- gen_context(system_u:object_r:dnsmasq_exec_t,s0)
/var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0)
diff --git a/policy/modules/contrib/dnsmasq.te b/policy/modules/contrib/dnsmasq.te
index 15b29cb..c71ace8 100644
--- a/policy/modules/contrib/dnsmasq.te
+++ b/policy/modules/contrib/dnsmasq.te
@@ -18,6 +18,9 @@ files_config_file(dnsmasq_etc_t)
type dnsmasq_lease_t;
files_type(dnsmasq_lease_t)
+type dnsmasq_unit_t;
+init_unit_file(dnsmasq_unit_t)
+
type dnsmasq_var_log_t;
logging_log_file(dnsmasq_var_log_t)
diff --git a/policy/modules/contrib/kdump.te b/policy/modules/contrib/kdump.te
index 7c4e3f1..57e24e6 100644
--- a/policy/modules/contrib/kdump.te
+++ b/policy/modules/contrib/kdump.te
@@ -15,6 +15,9 @@ files_config_file(kdump_etc_t)
type kdump_initrc_exec_t;
init_script_file(kdump_initrc_exec_t)
+type kdump_unit_t;
+init_unit_file(kdump_unit_t)
+
type kdumpctl_t;
type kdumpctl_exec_t;
init_daemon_domain(kdumpctl_t, kdumpctl_exec_t)
diff --git a/policy/modules/contrib/lircd.fc b/policy/modules/contrib/lircd.fc
index c7a726a..76e497e 100644
--- a/policy/modules/contrib/lircd.fc
+++ b/policy/modules/contrib/lircd.fc
@@ -5,6 +5,9 @@
/etc/rc\.d/init\.d/lirc -- gen_context(system_u:object_r:lircd_initrc_exec_t,s0)
+# Systemd unit file
+/usr/lib/systemd/system/[^/]*lircd.* -- gen_context(system_u:object_r:lircd_unit_t,s0)
+
/usr/sbin/lircd -- gen_context(system_u:object_r:lircd_exec_t,s0)
/var/run/lirc(/.*)? gen_context(system_u:object_r:lircd_var_run_t,s0)
diff --git a/policy/modules/contrib/lircd.te b/policy/modules/contrib/lircd.te
index 0064b06..26690f2 100644
--- a/policy/modules/contrib/lircd.te
+++ b/policy/modules/contrib/lircd.te
@@ -15,6 +15,9 @@ init_script_file(lircd_initrc_exec_t)
type lircd_etc_t;
files_type(lircd_etc_t)
+type lircd_unit_t;
+init_unit_file(lircd_unit_t)
+
type lircd_var_run_t alias lircd_sock_t;
files_pid_file(lircd_var_run_t)
diff --git a/policy/modules/contrib/logrotate.fc b/policy/modules/contrib/logrotate.fc
index 207ec10..ad21596 100644
--- a/policy/modules/contrib/logrotate.fc
+++ b/policy/modules/contrib/logrotate.fc
@@ -1,6 +1,9 @@
/etc/cron\.(daily|weekly)/logrotate -- gen_context(system_u:object_r:logrotate_exec_t,s0)
/etc/cron\.(daily|weekly)/sysklogd -- gen_context(system_u:object_r:logrotate_exec_t,s0)
+# Systemd unit file
+/usr/lib/systemd/system/[^/]*logrotate.* -- gen_context(system_u:object_r:logrotate_unit_t,s0)
+
/usr/sbin/logrotate -- gen_context(system_u:object_r:logrotate_exec_t,s0)
/var/lib/logrotate(/.*)? gen_context(system_u:object_r:logrotate_var_lib_t,s0)
diff --git a/policy/modules/contrib/logrotate.te b/policy/modules/contrib/logrotate.te
index 311defd..33f534b 100644
--- a/policy/modules/contrib/logrotate.te
+++ b/policy/modules/contrib/logrotate.te
@@ -25,6 +25,9 @@ files_tmp_file(logrotate_tmp_t)
type logrotate_var_lib_t;
files_type(logrotate_var_lib_t)
+type logrotate_unit_t;
+init_unit_file(logrotate_unit_t)
+
mta_base_mail_template(logrotate)
role system_r types logrotate_mail_t;
diff --git a/policy/modules/contrib/mandb.fc b/policy/modules/contrib/mandb.fc
index 8ae78b5..9f2825e 100644
--- a/policy/modules/contrib/mandb.fc
+++ b/policy/modules/contrib/mandb.fc
@@ -1 +1,4 @@
/etc/cron\.(daily|weekly)/man-db.* -- gen_context(system_u:object_r:mandb_exec_t,s0)
+
+# Systemd unit file
+/usr/lib/systemd/system/[^/]*man-db.* -- gen_context(system_u:object_r:mandb_unit_t,s0)
diff --git a/policy/modules/contrib/mandb.te b/policy/modules/contrib/mandb.te
index e29882f..46860dd 100644
--- a/policy/modules/contrib/mandb.te
+++ b/policy/modules/contrib/mandb.te
@@ -13,6 +13,9 @@ type mandb_exec_t;
application_domain(mandb_t, mandb_exec_t)
role mandb_roles types mandb_t;
+type mandb_unit_t;
+init_unit_file(mandb_unit_t)
+
########################################
#
# Local policy
diff --git a/policy/modules/contrib/networkmanager.fc b/policy/modules/contrib/networkmanager.fc
index 5ffd285..c192c7f 100644
--- a/policy/modules/contrib/networkmanager.fc
+++ b/policy/modules/contrib/networkmanager.fc
@@ -17,6 +17,10 @@
/usr/lib/networkmanager/nm-dispatcher\.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
/usr/libexec/nm-dispatcher.* -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+# Systemd unit files
+/usr/lib/systemd/system/[^/]*NetworkManager.* -- gen_context(system_u:object_r:NetworkManager_unit_t,s0)
+/usr/lib/systemd/system/[^/]*wpa_supplicant.* -- gen_context(system_u:object_r:NetworkManager_unit_t,s0)
+
/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index 427dfe4..a977b9a 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -24,6 +24,9 @@ logging_log_file(NetworkManager_log_t)
type NetworkManager_tmp_t;
files_tmp_file(NetworkManager_tmp_t)
+type NetworkManager_unit_t;
+init_unit_file(NetworkManager_unit_t)
+
type NetworkManager_var_lib_t;
files_type(NetworkManager_var_lib_t)
diff --git a/policy/modules/contrib/ntp.fc b/policy/modules/contrib/ntp.fc
index c74d996..c01eb54 100644
--- a/policy/modules/contrib/ntp.fc
+++ b/policy/modules/contrib/ntp.fc
@@ -11,6 +11,9 @@
/etc/rc\.d/init\.d/ntpd? -- gen_context(system_u:object_r:ntpd_initrc_exec_t,s0)
+# Systemd unit file
+/usr/lib/systemd/ntp-units\.d/.* -- gen_context(system_u:object_r:ntpd_unit_t,s0)
+
/usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
/usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
/usr/sbin/sntp -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
diff --git a/policy/modules/contrib/ntp.te b/policy/modules/contrib/ntp.te
index 7600674..1f24dab 100644
--- a/policy/modules/contrib/ntp.te
+++ b/policy/modules/contrib/ntp.te
@@ -33,6 +33,9 @@ files_tmp_file(ntpd_tmp_t)
type ntpd_tmpfs_t;
files_tmpfs_file(ntpd_tmpfs_t)
+type ntpd_unit_t;
+init_unit_file(ntpd_unit_t)
+
type ntpd_var_run_t;
files_pid_file(ntpd_var_run_t)
diff --git a/policy/modules/contrib/pcscd.fc b/policy/modules/contrib/pcscd.fc
index 58363c7..5d1beba 100644
--- a/policy/modules/contrib/pcscd.fc
+++ b/policy/modules/contrib/pcscd.fc
@@ -2,6 +2,9 @@
/usr/sbin/pcscd -- gen_context(system_u:object_r:pcscd_exec_t,s0)
+# Systemd unit file
+/usr/lib/systemd/system/[^/]*pcscd.* -- gen_context(system_u:object_r:pcscd_unit_t,s0)
+
/var/run/pcscd\.comm -s gen_context(system_u:object_r:pcscd_var_run_t,s0)
/var/run/pcscd(/.*)? gen_context(system_u:object_r:pcscd_var_run_t,s0)
/var/run/pcscd\.pid -- gen_context(system_u:object_r:pcscd_var_run_t,s0)
diff --git a/policy/modules/contrib/pcscd.te b/policy/modules/contrib/pcscd.te
index bf5066f..f863ba2 100644
--- a/policy/modules/contrib/pcscd.te
+++ b/policy/modules/contrib/pcscd.te
@@ -12,6 +12,9 @@ init_daemon_domain(pcscd_t, pcscd_exec_t)
type pcscd_initrc_exec_t;
init_script_file(pcscd_initrc_exec_t)
+type pcscd_unit_t;
+init_unit_file(pcscd_unit_t)
+
type pcscd_var_run_t;
files_pid_file(pcscd_var_run_t)
init_daemon_pid_file(pcscd_var_run_t, dir, "pcscd")
diff --git a/policy/modules/contrib/plymouthd.fc b/policy/modules/contrib/plymouthd.fc
index 735500f..2d9b956 100644
--- a/policy/modules/contrib/plymouthd.fc
+++ b/policy/modules/contrib/plymouthd.fc
@@ -4,6 +4,9 @@
/usr/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t,s0)
+# Systemd unit file
+/usr/lib/systemd/system/[^/]*plymouth-.* -- gen_context(system_u:object_r:plymouthd_unit_t,s0)
+
/usr/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0)
/var/lib/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_lib_t,s0)
diff --git a/policy/modules/contrib/plymouthd.te b/policy/modules/contrib/plymouthd.te
index 3078ce9..8dadb33 100644
--- a/policy/modules/contrib/plymouthd.te
+++ b/policy/modules/contrib/plymouthd.te
@@ -17,6 +17,9 @@ init_daemon_domain(plymouthd_t, plymouthd_exec_t)
type plymouthd_spool_t;
files_type(plymouthd_spool_t)
+type plymouthd_unit_t;
+init_unit_file(plymouthd_unit_t)
+
type plymouthd_var_lib_t;
files_type(plymouthd_var_lib_t)
diff --git a/policy/modules/contrib/policykit.fc b/policy/modules/contrib/policykit.fc
index 1d76c72..774c12b 100644
--- a/policy/modules/contrib/policykit.fc
+++ b/policy/modules/contrib/policykit.fc
@@ -8,6 +8,9 @@
/usr/lib/policykit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
/usr/lib/policykit-1/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
+# Systemd unit file
+/usr/lib/systemd/system/[^/]*polkit.* -- gen_context(system_u:object_r:policykit_unit_t,s0)
+
/usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
/usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0)
/usr/libexec/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
diff --git a/policy/modules/contrib/policykit.te b/policy/modules/contrib/policykit.te
index ee91778..108007e 100644
--- a/policy/modules/contrib/policykit.te
+++ b/policy/modules/contrib/policykit.te
@@ -34,6 +34,9 @@ files_type(policykit_reload_t)
type policykit_tmp_t;
files_tmp_file(policykit_tmp_t)
+type policykit_unit_t;
+init_unit_file(policykit_unit_t)
+
type policykit_var_lib_t alias polkit_var_lib_t;
files_type(policykit_var_lib_t)
diff --git a/policy/modules/contrib/qemu.fc b/policy/modules/contrib/qemu.fc
index f1304fb..cfb18ec 100644
--- a/policy/modules/contrib/qemu.fc
+++ b/policy/modules/contrib/qemu.fc
@@ -3,6 +3,8 @@
/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
/usr/bin/kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/lib/systemd/system/[^/]*qemu-guest-agent.* -- gen_context(system_u:object_r:qemu_unit_t,s0)
+
/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
ifdef(`distro_gentoo',`
diff --git a/policy/modules/contrib/qemu.te b/policy/modules/contrib/qemu.te
index 136f6f3..a17ed0c 100644
--- a/policy/modules/contrib/qemu.te
+++ b/policy/modules/contrib/qemu.te
@@ -22,6 +22,9 @@ application_executable_file(qemu_exec_t)
virt_domain_template(qemu)
role qemu_roles types qemu_t;
+type qemu_unit_t;
+init_unit_file(qemu_unit_t)
+
########################################
#
# Local policy
diff --git a/policy/modules/contrib/raid.fc b/policy/modules/contrib/raid.fc
index 5806046..2ea0889 100644
--- a/policy/modules/contrib/raid.fc
+++ b/policy/modules/contrib/raid.fc
@@ -11,6 +11,10 @@
/sbin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0)
/sbin/raid-check -- gen_context(system_u:object_r:mdadm_exec_t,s0)
+# Systemd unit files
+/usr/lib/systemd/system/[^/]*mdadm-.* -- gen_context(system_u:object_r:mdadm_unit_t,s0)
+/usr/lib/systemd/system/[^/]*mdmon.* -- gen_context(system_u:object_r:mdadm_unit_t,s0)
+
/usr/sbin/iprdump -- gen_context(system_u:object_r:mdadm_exec_t,s0)
/usr/sbin/iprinit -- gen_context(system_u:object_r:mdadm_exec_t,s0)
/usr/sbin/iprupdate -- gen_context(system_u:object_r:mdadm_exec_t,s0)
diff --git a/policy/modules/contrib/raid.te b/policy/modules/contrib/raid.te
index dfe62e3..b6aea09 100644
--- a/policy/modules/contrib/raid.te
+++ b/policy/modules/contrib/raid.te
@@ -15,6 +15,9 @@ role mdadm_roles types mdadm_t;
type mdadm_initrc_exec_t;
init_script_file(mdadm_initrc_exec_t)
+type mdadm_unit_t;
+init_unit_file(mdadm_unit_t)
+
type mdadm_var_run_t alias mdadm_map_t;
files_pid_file(mdadm_var_run_t)
dev_associate(mdadm_var_run_t)
diff --git a/policy/modules/contrib/rpm.fc b/policy/modules/contrib/rpm.fc
index ebe91fc..1ebd4a1 100644
--- a/policy/modules/contrib/rpm.fc
+++ b/policy/modules/contrib/rpm.fc
@@ -13,6 +13,10 @@
/usr/bin/yum -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/bin/zif -- gen_context(system_u:object_r:rpm_exec_t,s0)
+# Systemd unit file
+/usr/lib/systemd/system/[^/]*dnf-makecache.* -- gen_context(system_u:object_r:rpm_unit_t,s0)
+/usr/lib/systemd/system/[^/]*yum-makecache.* -- gen_context(system_u:object_r:rpm_unit_t,s0)
+
/usr/libexec/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/libexec/yumDBUSBackend.py -- gen_context(system_u:object_r:rpm_exec_t,s0)
diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te
index de5c91f..5cac092 100644
--- a/policy/modules/contrib/rpm.te
+++ b/policy/modules/contrib/rpm.te
@@ -37,6 +37,9 @@ files_lock_file(rpm_lock_t)
type rpm_log_t;
logging_log_file(rpm_log_t)
+type rpm_unit_t;
+init_unit_file(rpm_unit_t)
+
type rpm_var_lib_t;
files_type(rpm_var_lib_t)
typealias rpm_var_lib_t alias var_lib_rpm_t;
diff --git a/policy/modules/contrib/rtkit.fc b/policy/modules/contrib/rtkit.fc
index 75bbf38..a3021da 100644
--- a/policy/modules/contrib/rtkit.fc
+++ b/policy/modules/contrib/rtkit.fc
@@ -3,3 +3,6 @@
/usr/libexec/rtkit-daemon -- gen_context(system_u:object_r:rtkit_daemon_exec_t,s0)
/usr/lib/rtkit/rtkit-daemon -- gen_context(system_u:object_r:rtkit_daemon_exec_t,s0)
+
+# Systemd unit file
+/usr/lib/systemd/system/[^/]*rtkit-daemon.* -- gen_context(system_u:object_r:rtkit_daemon_unit_t,s0)
diff --git a/policy/modules/contrib/rtkit.te b/policy/modules/contrib/rtkit.te
index 906ebb5..1aa52c4 100644
--- a/policy/modules/contrib/rtkit.te
+++ b/policy/modules/contrib/rtkit.te
@@ -12,6 +12,9 @@ init_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t)
type rtkit_daemon_initrc_exec_t;
init_script_file(rtkit_daemon_initrc_exec_t)
+type rtkit_daemon_unit_t;
+init_unit_file(rtkit_daemon_unit_t)
+
########################################
#
# Local policy
diff --git a/policy/modules/contrib/shutdown.if b/policy/modules/contrib/shutdown.if
index d1706bf..819d19b 100644
--- a/policy/modules/contrib/shutdown.if
+++ b/policy/modules/contrib/shutdown.if
@@ -91,6 +91,24 @@ interface(`shutdown_signal',`
########################################
## <summary>
+## Send SIGCHLD signals to shutdown.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`shutdown_sigchld',`
+ gen_require(`
+ type shutdown_t;
+ ')
+
+ allow $1 shutdown_t:process sigchld;
+')
+
+########################################
+## <summary>
## Get attributes of shutdown executable files.
## </summary>
## <param name="domain">
diff --git a/policy/modules/contrib/tcsd.fc b/policy/modules/contrib/tcsd.fc
index c2c2636..0e086e7 100644
--- a/policy/modules/contrib/tcsd.fc
+++ b/policy/modules/contrib/tcsd.fc
@@ -1,5 +1,8 @@
/etc/rc\.d/init\.d/(tcsd|trousers) -- gen_context(system_u:object_r:tcsd_initrc_exec_t,s0)
+# Systemd unit file
+/usr/lib/systemd/system/[^/]*tcsd.* -- gen_context(system_u:object_r:tcsd_unit_t,s0)
+
/usr/sbin/tcsd -- gen_context(system_u:object_r:tcsd_exec_t,s0)
/var/lib/tpm(/.*)? gen_context(system_u:object_r:tcsd_var_lib_t,s0)
diff --git a/policy/modules/contrib/tcsd.te b/policy/modules/contrib/tcsd.te
index 272c114..439cf27 100644
--- a/policy/modules/contrib/tcsd.te
+++ b/policy/modules/contrib/tcsd.te
@@ -12,6 +12,9 @@ init_daemon_domain(tcsd_t, tcsd_exec_t)
type tcsd_initrc_exec_t;
init_script_file(tcsd_initrc_exec_t)
+type tcsd_unit_t;
+init_unit_file(tcsd_unit_t)
+
type tcsd_var_lib_t;
files_type(tcsd_var_lib_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-10-22 13:44 Jason Zaman
2015-10-22 13:44 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2015-10-22 13:44 UTC (permalink / raw
To: gentoo-commits
commit: 56782f09e37e1fbd0868f38084563d9f1aa0f8c7
Author: Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Mon Oct 19 12:04:06 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Oct 22 13:40:59 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=56782f09
contrib/portage: Fix portage_ro_role interface
According to its documentation, portage_ro_role expects a role for $1
and a type for $2, just like other _role interfaces. However, the policy
directives inside the interface don't match its documentation and expect
$1 to be a type.
This interface isn't used anywhere in the policy, so no other fixes are
neccessary.
policy/modules/contrib/portage.if | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/policy/modules/contrib/portage.if b/policy/modules/contrib/portage.if
index e9de28e..14c4fb6 100644
--- a/policy/modules/contrib/portage.if
+++ b/policy/modules/contrib/portage.if
@@ -406,13 +406,13 @@ interface(`portage_eselect_module',`
## </param>
#
interface(`portage_ro_role',`
- portage_read_cache($1)
- portage_read_config($1)
- portage_read_db($1)
- portage_read_ebuild($1)
- portage_read_log($1)
- portage_read_srcrepo($1)
- portage_dontaudit_write_cache($1)
+ portage_read_cache($2)
+ portage_read_config($2)
+ portage_read_db($2)
+ portage_read_ebuild($2)
+ portage_read_log($2)
+ portage_read_srcrepo($2)
+ portage_dontaudit_write_cache($2)
')
########################################
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2015-10-22 13:44 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
@ 2015-10-22 13:44 ` Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-10-22 13:44 UTC (permalink / raw
To: gentoo-commits
commit: 56782f09e37e1fbd0868f38084563d9f1aa0f8c7
Author: Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Mon Oct 19 12:04:06 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Oct 22 13:40:59 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=56782f09
contrib/portage: Fix portage_ro_role interface
According to its documentation, portage_ro_role expects a role for $1
and a type for $2, just like other _role interfaces. However, the policy
directives inside the interface don't match its documentation and expect
$1 to be a type.
This interface isn't used anywhere in the policy, so no other fixes are
neccessary.
policy/modules/contrib/portage.if | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/policy/modules/contrib/portage.if b/policy/modules/contrib/portage.if
index e9de28e..14c4fb6 100644
--- a/policy/modules/contrib/portage.if
+++ b/policy/modules/contrib/portage.if
@@ -406,13 +406,13 @@ interface(`portage_eselect_module',`
## </param>
#
interface(`portage_ro_role',`
- portage_read_cache($1)
- portage_read_config($1)
- portage_read_db($1)
- portage_read_ebuild($1)
- portage_read_log($1)
- portage_read_srcrepo($1)
- portage_dontaudit_write_cache($1)
+ portage_read_cache($2)
+ portage_read_config($2)
+ portage_read_db($2)
+ portage_read_ebuild($2)
+ portage_read_log($2)
+ portage_read_srcrepo($2)
+ portage_dontaudit_write_cache($2)
')
########################################
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-10-17 17:02 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-10-17 17:02 UTC (permalink / raw
To: gentoo-commits
commit: ef3895b29d224ba5c64e12242b5fb85fc1e9405d
Author: Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Thu Oct 15 10:44:41 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Oct 17 16:47:50 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ef3895b2
portage: Fix the gen_require of the portage_compile_domain interface
The portage_compile_domain interface used portage_sandbox_t without
requiring it.
policy/modules/contrib/portage.if | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/portage.if b/policy/modules/contrib/portage.if
index c98a763..4652319 100644
--- a/policy/modules/contrib/portage.if
+++ b/policy/modules/contrib/portage.if
@@ -68,8 +68,8 @@ interface(`portage_run',`
interface(`portage_compile_domain',`
gen_require(`
class dbus send_msg;
- type portage_devpts_t, portage_log_t, portage_srcrepo_t, portage_tmp_t;
- type portage_tmpfs_t;
+ type portage_devpts_t, portage_log_t, portage_sandbox_t, portage_srcrepo_t;
+ type portage_tmp_t, portage_tmpfs_t;
')
allow $1 self:capability { fowner fsetid mknod setgid setuid chown dac_override net_raw };
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-10-17 17:02 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-10-17 17:02 UTC (permalink / raw
To: gentoo-commits
commit: 26930c8978e8ae49829ee8b13e9da9ca05e024ce
Author: Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Thu Oct 15 10:44:42 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Oct 17 16:47:50 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=26930c89
portage: New read-only interfaces for srcrepo and logs
Create portage_read_srcrepo and portage_read_log interfaces.
policy/modules/contrib/portage.if | 40 +++++++++++++++++++++++++++++++++++++++
1 file changed, 40 insertions(+)
diff --git a/policy/modules/contrib/portage.if b/policy/modules/contrib/portage.if
index 4652319..962dcca 100644
--- a/policy/modules/contrib/portage.if
+++ b/policy/modules/contrib/portage.if
@@ -498,6 +498,46 @@ interface(`portage_read_ebuild',`
########################################
## <summary>
+## Read portage log files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`portage_read_log',`
+ gen_require(`
+ type portage_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, portage_log_t, portage_log_t)
+')
+
+########################################
+## <summary>
+## Read portage src repository files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`portage_read_srcrepo',`
+ gen_require(`
+ type portage_ebuild_t, portage_srcrepo_t;
+ ')
+
+ files_search_usr($1)
+ list_dirs_pattern($1, portage_ebuild_t, portage_srcrepo_t)
+ read_files_pattern($1, portage_srcrepo_t, portage_srcrepo_t)
+ read_lnk_files_pattern($1, portage_srcrepo_t, portage_srcrepo_t)
+')
+
+########################################
+## <summary>
## Do not audit writing portage cache files
## </summary>
## <param name="domain">
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-10-17 17:02 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-10-17 17:02 UTC (permalink / raw
To: gentoo-commits
commit: 061bd420d98e138a44a5fc328738b2ea1dd562ff
Author: Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Thu Oct 15 10:44:40 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Oct 17 16:47:50 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=061bd420
portage: Dontaudit setattr in portage_dontaudit_write_cache
policy/modules/contrib/portage.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/portage.if b/policy/modules/contrib/portage.if
index 640a63b..c98a763 100644
--- a/policy/modules/contrib/portage.if
+++ b/policy/modules/contrib/portage.if
@@ -511,6 +511,6 @@ interface(`portage_dontaudit_write_cache',`
type portage_cache_t;
')
- dontaudit $1 portage_cache_t:dir { write };
+ dontaudit $1 portage_cache_t:dir { setattr write };
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-10-17 17:02 Jason Zaman
2015-10-17 17:02 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2015-10-17 17:02 UTC (permalink / raw
To: gentoo-commits
commit: 854f95bf84612c79037dbe83dd06223d4cf3154c
Author: Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Thu Oct 15 10:44:43 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Oct 17 16:47:50 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=854f95bf
portage: Add new interfaces to portage_ro_role
policy/modules/contrib/portage.if | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/contrib/portage.if b/policy/modules/contrib/portage.if
index 962dcca..e9de28e 100644
--- a/policy/modules/contrib/portage.if
+++ b/policy/modules/contrib/portage.if
@@ -410,6 +410,8 @@ interface(`portage_ro_role',`
portage_read_config($1)
portage_read_db($1)
portage_read_ebuild($1)
+ portage_read_log($1)
+ portage_read_srcrepo($1)
portage_dontaudit_write_cache($1)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-10-11 10:48 Jason Zaman
2015-09-20 7:00 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2015-10-11 10:48 UTC (permalink / raw
To: gentoo-commits
commit: 1b899c0409bfc59f0ff4c03259d658578902b9b3
Author: Alexander Wetzel <alexander.wetzel <AT> web <DOT> de>
AuthorDate: Sat Sep 5 07:41:47 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep 20 06:52:58 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1b899c04
add vfio support for libvirt
Signed-off-by: Alexander Wetzel <alexander.wetzel <AT> web.de>
policy/modules/contrib/virt.te | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 2966d29..881560f 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -70,6 +70,14 @@ gen_tunable(virt_use_usb, false)
## </desc>
gen_tunable(virt_use_xserver, false)
+## <desc>
+### <p>
+### Determine whether confined virtual guests
+### can use vfio for pci device pass through (vt-d).
+### </p>
+### </desc>
+gen_tunable(virt_use_vfio, false)
+
attribute virt_ptynode;
attribute virt_domain;
attribute virt_image_type;
@@ -438,6 +446,10 @@ corenet_tcp_bind_all_ports(svirt_t)
corenet_sendrecv_all_client_packets(svirt_t)
corenet_tcp_connect_all_ports(svirt_t)
+tunable_policy(`virt_use_vfio',`
+ dev_rw_vfio_dev(svirt_t)
+')
+
########################################
#
# virtd local policy
@@ -682,6 +694,13 @@ tunable_policy(`virt_use_samba',`
fs_read_cifs_symlinks(virtd_t)
')
+tunable_policy(`virt_use_vfio',`
+ allow virtd_t self:capability sys_resource;
+ allow virtd_t self:process setrlimit;
+ allow virtd_t svirt_t:process rlimitinh;
+ dev_relabelfrom_vfio_dev(virtd_t)
+')
+
optional_policy(`
brctl_domtrans(virtd_t)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2015-10-11 10:48 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
@ 2015-09-20 7:00 ` Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-09-20 7:00 UTC (permalink / raw
To: gentoo-commits
commit: 1b899c0409bfc59f0ff4c03259d658578902b9b3
Author: Alexander Wetzel <alexander.wetzel <AT> web <DOT> de>
AuthorDate: Sat Sep 5 07:41:47 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep 20 06:52:58 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1b899c04
add vfio support for libvirt
Signed-off-by: Alexander Wetzel <alexander.wetzel <AT> web.de>
policy/modules/contrib/virt.te | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 2966d29..881560f 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -70,6 +70,14 @@ gen_tunable(virt_use_usb, false)
## </desc>
gen_tunable(virt_use_xserver, false)
+## <desc>
+### <p>
+### Determine whether confined virtual guests
+### can use vfio for pci device pass through (vt-d).
+### </p>
+### </desc>
+gen_tunable(virt_use_vfio, false)
+
attribute virt_ptynode;
attribute virt_domain;
attribute virt_image_type;
@@ -438,6 +446,10 @@ corenet_tcp_bind_all_ports(svirt_t)
corenet_sendrecv_all_client_packets(svirt_t)
corenet_tcp_connect_all_ports(svirt_t)
+tunable_policy(`virt_use_vfio',`
+ dev_rw_vfio_dev(svirt_t)
+')
+
########################################
#
# virtd local policy
@@ -682,6 +694,13 @@ tunable_policy(`virt_use_samba',`
fs_read_cifs_symlinks(virtd_t)
')
+tunable_policy(`virt_use_vfio',`
+ allow virtd_t self:capability sys_resource;
+ allow virtd_t self:process setrlimit;
+ allow virtd_t svirt_t:process rlimitinh;
+ dev_relabelfrom_vfio_dev(virtd_t)
+')
+
optional_policy(`
brctl_domtrans(virtd_t)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-10-11 10:48 Jason Zaman
2015-09-20 7:00 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2015-10-11 10:48 UTC (permalink / raw
To: gentoo-commits
commit: 27f6d9af783c744d3f420f5cc20abf8eff5c6c38
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue Sep 15 12:38:26 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep 20 06:52:58 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=27f6d9af
Module version bump for vfio support for libvirt from Alexander Wetzel.
policy/modules/contrib/virt.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 8fa2a5b..ec81a76 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1,4 +1,4 @@
-policy_module(virt, 1.8.3)
+policy_module(virt, 1.8.4)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-09-20 7:00 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-09-20 7:00 UTC (permalink / raw
To: gentoo-commits
commit: 1247c3940b065599bf0eaa57005bc3b927acc420
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue Sep 15 12:27:07 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep 20 06:52:58 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1247c394
Comment/whitespace fix in virt.te.
policy/modules/contrib/virt.te | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 881560f..8fa2a5b 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -71,11 +71,11 @@ gen_tunable(virt_use_usb, false)
gen_tunable(virt_use_xserver, false)
## <desc>
-### <p>
-### Determine whether confined virtual guests
-### can use vfio for pci device pass through (vt-d).
-### </p>
-### </desc>
+## <p>
+## Determine whether confined virtual guests
+## can use vfio for pci device pass through (vt-d).
+## </p>
+## </desc>
gen_tunable(virt_use_vfio, false)
attribute virt_ptynode;
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-09-06 11:25 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-09-06 11:25 UTC (permalink / raw
To: gentoo-commits
commit: c4421326f5b50b190ea67e01721ca32a1a175c77
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Sep 5 13:43:49 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep 6 11:10:59 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c4421326
virt: Allow creating qemu guest agent socket
This is needed for the host side guest agent socket for qemu.
type=AVC msg=audit(1441210375.086:110241): avc: denied { create } for
pid=25153 comm="libvirtd"
scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:svirt_t:s0:c110,c185
tclass=unix_stream_socket permissive=0
policy/modules/contrib/virt.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 42cb462..ec84b5b 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -438,7 +438,7 @@ allow virtd_t self:netlink_route_socket nlmsg_write;
allow virtd_t virt_domain:process { getattr getsched setsched transition signal signull sigkill };
dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh };
-allow virtd_t svirt_lxc_domain:unix_stream_socket { create_stream_socket_perms connectto };
+allow virtd_t { virt_domain svirt_lxc_domain }:unix_stream_socket { create_stream_socket_perms connectto };
allow virtd_t svirt_lxc_domain:process signal_perms;
allow virtd_t virtd_lxc_t:process { signal signull sigkill };
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-09-06 11:25 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-09-06 11:25 UTC (permalink / raw
To: gentoo-commits
commit: b99a22fc6960896dcf82a02e92b1b913732bc774
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Sep 5 14:43:34 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep 6 11:10:59 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b99a22fc
virt: Add policy for virtlockd the Virtual machine lock manager
policy/modules/contrib/virt.fc | 4 +++
policy/modules/contrib/virt.te | 56 ++++++++++++++++++++++++++++++++++++++++++
2 files changed, 60 insertions(+)
diff --git a/policy/modules/contrib/virt.fc b/policy/modules/contrib/virt.fc
index b38007b..ea197d0 100644
--- a/policy/modules/contrib/virt.fc
+++ b/policy/modules/contrib/virt.fc
@@ -27,6 +27,7 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
/usr/sbin/fence_virtd -- gen_context(system_u:object_r:virsh_exec_t,s0)
/usr/sbin/libvirt-qmf -- gen_context(system_u:object_r:virt_qmf_exec_t,s0)
/usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0)
+/usr/sbin/virtlockd -- gen_context(system_u:object_r:virtlockd_exec_t,s0)
/var/cache/libvirt(/.*)? gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh)
@@ -35,6 +36,7 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
/var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0)
/var/lib/libvirt/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
/var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0-mls_systemhigh)
+/var/lib/libvirt/lockd(/.*)? gen_context(system_u:object_r:virtlockd_var_lib_t,s0)
/var/log/log(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
/var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
@@ -48,5 +50,7 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
/var/run/libvirt/lxc(/.*)? gen_context(system_u:object_r:virtd_lxc_var_run_t,s0)
/var/run/libvirt-sandbox(/.*)? gen_context(system_u:object_r:virtd_lxc_var_run_t,s0)
/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0-mls_systemhigh)
+/var/run/libvirt/virtlockd-sock -s gen_context(system_u:object_r:virtlockd_run_t,s0)
/var/run/user/[^/]*/libguestfs(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
/var/run/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
+/var/run/virtlockd.pid -- gen_context(system_u:object_r:virtlockd_run_t,s0)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index ec84b5b..5648e9d 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -190,6 +190,24 @@ type virsh_t;
type virsh_exec_t;
init_system_domain(virsh_t, virsh_exec_t)
+type virtlockd_t;
+type virtlockd_exec_t;
+init_daemon_domain(virtlockd_t, virtlockd_exec_t)
+
+type virtlockd_run_t;
+files_pid_file(virtlockd_run_t)
+
+type virtlockd_var_lib_t;
+files_type(virtlockd_var_lib_t)
+
+ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mcs_systemhigh)
+')
+
+ifdef(`enable_mls',`
+ init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mls_systemhigh)
+')
+
########################################
#
# Common virt domain local policy
@@ -221,6 +239,7 @@ manage_lnk_files_pattern(virt_domain, svirt_var_run_t, svirt_var_run_t)
files_pid_filetrans(virt_domain, svirt_var_run_t, { dir file })
stream_connect_pattern(virt_domain, svirt_var_run_t, svirt_var_run_t, virtd_t)
+stream_connect_pattern(virt_domain, virt_var_run_t, virtlockd_run_t, virtlockd_t)
dontaudit virt_domain virt_tmpfs_type:file { read write };
@@ -526,6 +545,7 @@ filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
+stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t)
can_exec(virtd_t, virt_tmp_t)
@@ -1243,3 +1263,39 @@ manage_files_pattern(virt_leaseshelper_t, virt_var_run_t, virt_var_run_t)
files_pid_filetrans(virt_leaseshelper_t, virt_var_run_t, file)
kernel_dontaudit_read_system_state(virt_leaseshelper_t)
+
+########################################
+#
+# Virtlockd local policy
+#
+
+allow virtlockd_t self:capability dac_override;
+allow virtlockd_t self:fifo_file rw_fifo_file_perms;
+
+allow virtlockd_t virt_image_type:dir list_dir_perms;
+allow virtlockd_t virt_image_type:file rw_file_perms;
+
+create_files_pattern(virtlockd_t, virt_log_t, virt_log_t)
+
+list_dirs_pattern(virtlockd_t, virt_var_lib_t, virt_var_lib_t)
+
+manage_dirs_pattern(virtlockd_t, { virt_var_lib_t virtlockd_var_lib_t }, virtlockd_var_lib_t)
+manage_files_pattern(virtlockd_t, virtlockd_var_lib_t, virtlockd_var_lib_t)
+filetrans_pattern(virtlockd_t, virt_var_lib_t, virtlockd_var_lib_t, dir)
+
+manage_files_pattern(virtlockd_t, virt_var_run_t, virtlockd_run_t)
+manage_sock_files_pattern(virtlockd_t, virt_var_run_t, virtlockd_run_t)
+filetrans_pattern(virtlockd_t, virt_var_run_t, virtlockd_run_t, sock_file)
+files_pid_filetrans(virtlockd_t, virtlockd_run_t, file)
+
+can_exec(virtlockd_t, virtlockd_exec_t)
+
+ps_process_pattern(virtlockd_t, virtd_t)
+
+files_read_etc_files(virtlockd_t)
+files_list_var_lib(virtlockd_t)
+
+miscfiles_read_localization(virtlockd_t)
+
+virt_append_log(virtlockd_t)
+virt_read_config(virtlockd_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-09-06 11:23 Jason Zaman
2015-09-06 11:25 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2015-09-06 11:23 UTC (permalink / raw
To: gentoo-commits
commit: 2a26ba597c47fe006e1c18cdd9224e74aba02bf8
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Sep 6 10:58:43 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep 6 10:58:43 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2a26ba59
chromium: v45 needs setcap perms
type=AVC msg=audit(1441536942.937:329): avc: denied { setcap } for
pid=4857 comm="chrome" scontext=staff_u:staff_r:chromium_t:s0-s0:c0.c511
tcontext=staff_u:staff_r:chromium_t:s0-s0:c0.c511 tclass=process
permissive=0
type=SYSCALL msg=audit(1441536942.937:329): arch=c000003e syscall=126
success=no exit=-13 a0=3f40091b950 a1=3f40091b960 a2=3ce87534090
a3=3ce87530010 items=0 ppid=4772 pid=4857 auid=1000 uid=1000 gid=100
euid=1000 suid=1000 fsuid=1000 egid=100 sgid=100 fsgid=100 tty=pts4
ses=3 comm="chrome" exe="/usr/lib64/chromium-browser/chrome"
subj=staff_u:staff_r:chromium_t:s0-s0:c0.c511 key=(null)
type=ANOM_ABEND msg=audit(1441536942.937:330): auid=1000 uid=1000
gid=100 ses=3 subj=staff_u:staff_r:chromium_t:s0-s0:c0.c511 pid=4857
comm="chrome" exe="/usr/lib64/chromium-browser/chrome" sig=6
[4:4:0906/185542:FATAL:credentials.cc(306)] Check failed:
DropAllCapabilitiesOnCurrentThread(). : Permission denied
[4765:4783:0906/185542:ERROR:zygote_host_impl_linux.cc(374)] Did not
receive ping from zygote child
[3:3:0906/185542:ERROR:zygote_linux.cc(573)] Zygote could not fork:
process_type renderer numfds 5 child_pid -1
policy/modules/contrib/chromium.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/chromium.te b/policy/modules/contrib/chromium.te
index b2c9ccc..3185640 100644
--- a/policy/modules/contrib/chromium.te
+++ b/policy/modules/contrib/chromium.te
@@ -88,7 +88,7 @@ xdg_cache_home_content(chromium_xdg_cache_t)
# chromium local policy
#
-allow chromium_t self:process { getsched setrlimit setsched sigkill signal };
+allow chromium_t self:process { getsched setcap setrlimit setsched sigkill signal };
allow chromium_t self:fifo_file rw_fifo_file_perms;;
allow chromium_t self:sem create_sem_perms;
allow chromium_t self:netlink_kobject_uevent_socket client_stream_socket_perms;
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2015-09-06 11:23 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
@ 2015-09-06 11:25 ` Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-09-06 11:25 UTC (permalink / raw
To: gentoo-commits
commit: 2a26ba597c47fe006e1c18cdd9224e74aba02bf8
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Sep 6 10:58:43 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep 6 10:58:43 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2a26ba59
chromium: v45 needs setcap perms
type=AVC msg=audit(1441536942.937:329): avc: denied { setcap } for
pid=4857 comm="chrome" scontext=staff_u:staff_r:chromium_t:s0-s0:c0.c511
tcontext=staff_u:staff_r:chromium_t:s0-s0:c0.c511 tclass=process
permissive=0
type=SYSCALL msg=audit(1441536942.937:329): arch=c000003e syscall=126
success=no exit=-13 a0=3f40091b950 a1=3f40091b960 a2=3ce87534090
a3=3ce87530010 items=0 ppid=4772 pid=4857 auid=1000 uid=1000 gid=100
euid=1000 suid=1000 fsuid=1000 egid=100 sgid=100 fsgid=100 tty=pts4
ses=3 comm="chrome" exe="/usr/lib64/chromium-browser/chrome"
subj=staff_u:staff_r:chromium_t:s0-s0:c0.c511 key=(null)
type=ANOM_ABEND msg=audit(1441536942.937:330): auid=1000 uid=1000
gid=100 ses=3 subj=staff_u:staff_r:chromium_t:s0-s0:c0.c511 pid=4857
comm="chrome" exe="/usr/lib64/chromium-browser/chrome" sig=6
[4:4:0906/185542:FATAL:credentials.cc(306)] Check failed:
DropAllCapabilitiesOnCurrentThread(). : Permission denied
[4765:4783:0906/185542:ERROR:zygote_host_impl_linux.cc(374)] Did not
receive ping from zygote child
[3:3:0906/185542:ERROR:zygote_linux.cc(573)] Zygote could not fork:
process_type renderer numfds 5 child_pid -1
policy/modules/contrib/chromium.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/chromium.te b/policy/modules/contrib/chromium.te
index b2c9ccc..3185640 100644
--- a/policy/modules/contrib/chromium.te
+++ b/policy/modules/contrib/chromium.te
@@ -88,7 +88,7 @@ xdg_cache_home_content(chromium_xdg_cache_t)
# chromium local policy
#
-allow chromium_t self:process { getsched setrlimit setsched sigkill signal };
+allow chromium_t self:process { getsched setcap setrlimit setsched sigkill signal };
allow chromium_t self:fifo_file rw_fifo_file_perms;;
allow chromium_t self:sem create_sem_perms;
allow chromium_t self:netlink_kobject_uevent_socket client_stream_socket_perms;
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-09-06 11:23 Jason Zaman
2015-09-06 11:25 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2015-09-06 11:23 UTC (permalink / raw
To: gentoo-commits
commit: 468b82617272cc7b23364f1d0ce2aa153ebbb3fc
Author: Dominick Grift <dac.override <AT> gmail <DOT> com>
AuthorDate: Sat Sep 5 15:24:35 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep 6 11:10:59 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=468b8261
Module version bump for changes to the virt module by Jason Zaman
policy/modules/contrib/virt.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 5648e9d..2966d29 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1,4 +1,4 @@
-policy_module(virt, 1.8.2)
+policy_module(virt, 1.8.3)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-09-02 14:41 Jason Zaman
2015-09-02 14:41 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2015-09-02 14:41 UTC (permalink / raw
To: gentoo-commits
commit: 9371d4a13dad0af981681a631591f8c0f7d85203
Author: Niklas Haas <git <AT> nand <DOT> wakku <DOT> to>
AuthorDate: Tue Sep 1 07:10:52 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Sep 2 03:47:46 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9371d4a1
vnstat: fix context on /usr/bin/vnstatd
policy/modules/contrib/vnstatd.fc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/vnstatd.fc b/policy/modules/contrib/vnstatd.fc
index 52f8f68..0252ce4 100644
--- a/policy/modules/contrib/vnstatd.fc
+++ b/policy/modules/contrib/vnstatd.fc
@@ -11,5 +11,5 @@
ifdef(`distro_gentoo',`
# Fix bug 528602 - name is vnstatd in Gentoo
/etc/rc\.d/init\.d/vnstatd -- gen_context(system_u:object_r:vnstatd_initrc_exec_t,s0)
-/usr/bin/vnstatd -- gen_context(system_u:object_r:vnstat_exec_t,s0)
+/usr/bin/vnstatd -- gen_context(system_u:object_r:vnstatd_exec_t,s0)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-09-02 14:41 Jason Zaman
2015-09-02 3:46 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2015-09-02 14:41 UTC (permalink / raw
To: gentoo-commits
commit: f52d0d3cdd127ac6a824b4724448aa985c6e102a
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Sep 2 03:44:36 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Sep 2 03:44:36 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f52d0d3c
cgmanager: add fcontexts for /run and cgroupfs sock
policy/modules/contrib/cgmanager.fc | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/policy/modules/contrib/cgmanager.fc b/policy/modules/contrib/cgmanager.fc
index 8ea4a46..17c6f88 100644
--- a/policy/modules/contrib/cgmanager.fc
+++ b/policy/modules/contrib/cgmanager.fc
@@ -1,3 +1,9 @@
-/usr/sbin/cgmanager -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
-/usr/sbin/cgproxy -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
-/usr/sbin/cgm-release-agent -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
+/usr/sbin/cgmanager -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
+/usr/sbin/cgproxy -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
+/usr/sbin/cgm-release-agent -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
+
+/sys/fs/cgroup/cgmanager(/.*)? gen_context(system_u:object_r:cgmanager_cgroup_t,s0)
+
+/var/run/cgmanager(/.*)? gen_context(system_u:object_r:cgmanager_run_t,s0)
+/var/run/cgmanager.pid gen_context(system_u:object_r:cgmanager_run_t,s0)
+/var/run/cgmanager/fs(/.*)? <<none>>
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2015-09-02 14:41 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
@ 2015-09-02 3:46 ` Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-09-02 3:46 UTC (permalink / raw
To: gentoo-commits
commit: f52d0d3cdd127ac6a824b4724448aa985c6e102a
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Sep 2 03:44:36 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Sep 2 03:44:36 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f52d0d3c
cgmanager: add fcontexts for /run and cgroupfs sock
policy/modules/contrib/cgmanager.fc | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/policy/modules/contrib/cgmanager.fc b/policy/modules/contrib/cgmanager.fc
index 8ea4a46..17c6f88 100644
--- a/policy/modules/contrib/cgmanager.fc
+++ b/policy/modules/contrib/cgmanager.fc
@@ -1,3 +1,9 @@
-/usr/sbin/cgmanager -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
-/usr/sbin/cgproxy -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
-/usr/sbin/cgm-release-agent -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
+/usr/sbin/cgmanager -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
+/usr/sbin/cgproxy -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
+/usr/sbin/cgm-release-agent -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
+
+/sys/fs/cgroup/cgmanager(/.*)? gen_context(system_u:object_r:cgmanager_cgroup_t,s0)
+
+/var/run/cgmanager(/.*)? gen_context(system_u:object_r:cgmanager_run_t,s0)
+/var/run/cgmanager.pid gen_context(system_u:object_r:cgmanager_run_t,s0)
+/var/run/cgmanager/fs(/.*)? <<none>>
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-08-27 19:52 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-08-27 19:52 UTC (permalink / raw
To: gentoo-commits
commit: dfdefb495631b52c859d13bc047924743e1b4ef2
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Aug 27 19:51:44 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Aug 27 19:51:44 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=dfdefb49
apache: remove gentoo-specific fcontext
Has been upstreamed in commit
4cdea0f683f332134f3f93d79099f71d79d5f718
policy/modules/contrib/apache.fc | 4 ----
1 file changed, 4 deletions(-)
diff --git a/policy/modules/contrib/apache.fc b/policy/modules/contrib/apache.fc
index 4222f2e..96006a0 100644
--- a/policy/modules/contrib/apache.fc
+++ b/policy/modules/contrib/apache.fc
@@ -172,7 +172,3 @@ ifdef(`distro_suse',`
/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-
-ifdef(`distro_gentoo',`
-/usr/share/build-1/libtool -- gen_context(system_u:object_r:bin_t,s0)
-')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-08-27 19:11 Jason Zaman
2015-08-27 19:11 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2015-08-27 19:11 UTC (permalink / raw
To: gentoo-commits
commit: 7f5ece84232e3a6704b7e781203f4038a45417c3
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Aug 24 15:10:09 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Aug 27 19:08:31 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7f5ece84
hadoop: init_startstop_service() can not take attributes
policy/modules/contrib/hadoop.if | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/hadoop.if b/policy/modules/contrib/hadoop.if
index a0a819f..5908119 100644
--- a/policy/modules/contrib/hadoop.if
+++ b/policy/modules/contrib/hadoop.if
@@ -426,7 +426,6 @@ interface(`hadoop_admin',`
attribute hadoop_domain;
attribute hadoop_initrc_domain;
- attribute hadoop_init_script_file;
attribute hadoop_pid_file;
attribute hadoop_lock_file;
attribute hadoop_log_file;
@@ -436,12 +435,22 @@ interface(`hadoop_admin',`
type hadoop_t, hadoop_etc_t, hadoop_hsperfdata_t;
type zookeeper_t, zookeeper_etc_t, zookeeper_server_t;
type zookeeper_server_var_t;
+
+ type hadoop_datanode_initrc_t, hadoop_datanode_initrc_exec_t;
+ type hadoop_jobtracker_initrc_t, hadoop_jobtracker_initrc_exec_t;
+ type hadoop_namenode_initrc_t, hadoop_namenode_initrc_exec_t;
+ type hadoop_secondarynamenode_initrc_t, hadoop_secondarynamenode_initrc_exec_t;
+ type hadoop_tasktracker_initrc_t, hadoop_tasktracker_initrc_exec_t;
')
allow $1 { hadoop_domain hadoop_initrc_domain hadoop_t zookeeper_t zookeeper_server_t }:process { ptrace signal_perms };
ps_process_pattern($1, { hadoop_domain hadoop_initrc_domain hadoop_t zookeeper_t zookeeper_server_t })
- init_startstop_service($1, $2, hadoop_domain, hadoop_init_script_file)
+ init_startstop_service($1, $2, hadoop_datanode_initrc_t, hadoop_datanode_initrc_exec_t)
+ init_startstop_service($1, $2, hadoop_jobtracker_initrc_t, hadoop_jobtracker_initrc_exec_t)
+ init_startstop_service($1, $2, hadoop_namenode_initrc_t, hadoop_namenode_initrc_exec_t)
+ init_startstop_service($1, $2, hadoop_secondarynamenode_initrc_t, hadoop_secondarynamenode_initrc_exec_t)
+ init_startstop_service($1, $2, hadoop_tasktracker_initrc_t, hadoop_tasktracker_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, { hadoop_etc_t zookeeper_etc_t })
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2015-08-27 19:11 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
@ 2015-08-27 19:11 ` Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-08-27 19:11 UTC (permalink / raw
To: gentoo-commits
commit: 7f5ece84232e3a6704b7e781203f4038a45417c3
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Aug 24 15:10:09 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Aug 27 19:08:31 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7f5ece84
hadoop: init_startstop_service() can not take attributes
policy/modules/contrib/hadoop.if | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/hadoop.if b/policy/modules/contrib/hadoop.if
index a0a819f..5908119 100644
--- a/policy/modules/contrib/hadoop.if
+++ b/policy/modules/contrib/hadoop.if
@@ -426,7 +426,6 @@ interface(`hadoop_admin',`
attribute hadoop_domain;
attribute hadoop_initrc_domain;
- attribute hadoop_init_script_file;
attribute hadoop_pid_file;
attribute hadoop_lock_file;
attribute hadoop_log_file;
@@ -436,12 +435,22 @@ interface(`hadoop_admin',`
type hadoop_t, hadoop_etc_t, hadoop_hsperfdata_t;
type zookeeper_t, zookeeper_etc_t, zookeeper_server_t;
type zookeeper_server_var_t;
+
+ type hadoop_datanode_initrc_t, hadoop_datanode_initrc_exec_t;
+ type hadoop_jobtracker_initrc_t, hadoop_jobtracker_initrc_exec_t;
+ type hadoop_namenode_initrc_t, hadoop_namenode_initrc_exec_t;
+ type hadoop_secondarynamenode_initrc_t, hadoop_secondarynamenode_initrc_exec_t;
+ type hadoop_tasktracker_initrc_t, hadoop_tasktracker_initrc_exec_t;
')
allow $1 { hadoop_domain hadoop_initrc_domain hadoop_t zookeeper_t zookeeper_server_t }:process { ptrace signal_perms };
ps_process_pattern($1, { hadoop_domain hadoop_initrc_domain hadoop_t zookeeper_t zookeeper_server_t })
- init_startstop_service($1, $2, hadoop_domain, hadoop_init_script_file)
+ init_startstop_service($1, $2, hadoop_datanode_initrc_t, hadoop_datanode_initrc_exec_t)
+ init_startstop_service($1, $2, hadoop_jobtracker_initrc_t, hadoop_jobtracker_initrc_exec_t)
+ init_startstop_service($1, $2, hadoop_namenode_initrc_t, hadoop_namenode_initrc_exec_t)
+ init_startstop_service($1, $2, hadoop_secondarynamenode_initrc_t, hadoop_secondarynamenode_initrc_exec_t)
+ init_startstop_service($1, $2, hadoop_tasktracker_initrc_t, hadoop_tasktracker_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, { hadoop_etc_t zookeeper_etc_t })
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-08-27 19:11 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-08-27 19:11 UTC (permalink / raw
To: gentoo-commits
commit: 4896ffe78b0ad5ce485f252084c40853323945dd
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Aug 24 15:10:08 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Aug 27 19:08:31 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4896ffe7
git: allow git_system_t to listen on tcp_sockets
git_session_t already has these permissions but they are missing on
git_system_t. Instead add the perms on the git_daemon attribute which
covers both system and session daemons.
policy/modules/contrib/git.te | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/policy/modules/contrib/git.te b/policy/modules/contrib/git.te
index 1ca8c24..517d513 100644
--- a/policy/modules/contrib/git.te
+++ b/policy/modules/contrib/git.te
@@ -103,8 +103,6 @@ userdom_user_home_content(git_user_content_t)
# Session policy
#
-allow git_session_t self:tcp_socket { accept listen };
-
userdom_search_user_home_dirs(git_session_t)
corenet_all_recvfrom_netlabel(git_session_t)
@@ -266,6 +264,7 @@ tunable_policy(`git_cgi_use_nfs',`
#
allow git_daemon self:fifo_file rw_fifo_file_perms;
+allow git_daemon self:tcp_socket { accept listen };
list_dirs_pattern(git_daemon, git_user_content_t, git_user_content_t)
read_files_pattern(git_daemon, git_user_content_t, git_user_content_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-08-27 19:11 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-08-27 19:11 UTC (permalink / raw
To: gentoo-commits
commit: 1f34097ea332cf9cc6c07a997afa2ab56d772f01
Author: Dominick Grift <dac.override <AT> gmail <DOT> com>
AuthorDate: Mon Aug 24 17:00:05 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Aug 27 19:08:31 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1f34097e
Changes to the git, hadoop and rsync modules by Jason Zaman.
policy/modules/contrib/git.te | 2 +-
policy/modules/contrib/hadoop.te | 2 +-
policy/modules/contrib/rsync.te | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/policy/modules/contrib/git.te b/policy/modules/contrib/git.te
index 517d513..27e68f3 100644
--- a/policy/modules/contrib/git.te
+++ b/policy/modules/contrib/git.te
@@ -1,4 +1,4 @@
-policy_module(git, 1.5.1)
+policy_module(git, 1.5.2)
########################################
#
diff --git a/policy/modules/contrib/hadoop.te b/policy/modules/contrib/hadoop.te
index a40e85b..b9ffe96 100644
--- a/policy/modules/contrib/hadoop.te
+++ b/policy/modules/contrib/hadoop.te
@@ -1,4 +1,4 @@
-policy_module(hadoop, 1.3.2)
+policy_module(hadoop, 1.3.3)
########################################
#
diff --git a/policy/modules/contrib/rsync.te b/policy/modules/contrib/rsync.te
index abeb302..eae1b4c 100644
--- a/policy/modules/contrib/rsync.te
+++ b/policy/modules/contrib/rsync.te
@@ -1,4 +1,4 @@
-policy_module(rsync, 1.13.0)
+policy_module(rsync, 1.13.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-08-27 19:11 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-08-27 19:11 UTC (permalink / raw
To: gentoo-commits
commit: 258ba5c6c223988749d75bd11087b43dc1443462
Author: Dominick Grift <dac.override <AT> gmail <DOT> com>
AuthorDate: Sat Aug 15 14:31:34 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Aug 27 19:08:31 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=258ba5c6
Module version bump for changes to the pulseaudio module by Niklas Haas.
policy/modules/contrib/pulseaudio.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index af4779d..1a25024 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -1,4 +1,4 @@
-policy_module(pulseaudio, 1.7.1)
+policy_module(pulseaudio, 1.7.2)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-08-27 19:11 Jason Zaman
2015-08-27 19:11 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2015-08-27 19:11 UTC (permalink / raw
To: gentoo-commits
commit: 5431a073ad8aa918d7e7e0dbfdb208a033971a8d
Author: Niklas Haas <git <AT> nand <DOT> wakku <DOT> to>
AuthorDate: Sat Aug 15 14:17:58 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Aug 27 19:08:31 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5431a073
pulse: don't give pulseaudio_client full access to user_home_t
This doesn't seem to be necessary at all, and the comment immediately
above it doesn't make things any less mysterious, as pulseaudio clients
don't even need access to ~/.cache. I cannot observe any breakage on my
machine due to this change, and the permission being present was causing
unexpected behavior (eg. Skype could freely read the contents of my home
dir even with the boolean supposedly toggling that permission disabled,
because skype_t was marked as pulseaudio_client and thus had full access
regardless).
The original source seems to be 5851ec54, which doesn't really help
explaining the original purpose of the lines.
policy/modules/contrib/pulseaudio.te | 3 ---
1 file changed, 3 deletions(-)
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index ea5b2a9..af4779d 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -227,9 +227,6 @@ pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, file, ".esd_auth")
pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, file, ".pulse-cookie")
pulseaudio_signull(pulseaudio_client)
-# TODO: ~/.cache
-userdom_manage_user_home_content_files(pulseaudio_client)
-
userdom_read_user_tmpfs_files(pulseaudio_client)
# userdom_delete_user_tmpfs_files(pulseaudio_client)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2015-08-27 19:11 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
@ 2015-08-27 19:11 ` Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-08-27 19:11 UTC (permalink / raw
To: gentoo-commits
commit: 5431a073ad8aa918d7e7e0dbfdb208a033971a8d
Author: Niklas Haas <git <AT> nand <DOT> wakku <DOT> to>
AuthorDate: Sat Aug 15 14:17:58 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Aug 27 19:08:31 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5431a073
pulse: don't give pulseaudio_client full access to user_home_t
This doesn't seem to be necessary at all, and the comment immediately
above it doesn't make things any less mysterious, as pulseaudio clients
don't even need access to ~/.cache. I cannot observe any breakage on my
machine due to this change, and the permission being present was causing
unexpected behavior (eg. Skype could freely read the contents of my home
dir even with the boolean supposedly toggling that permission disabled,
because skype_t was marked as pulseaudio_client and thus had full access
regardless).
The original source seems to be 5851ec54, which doesn't really help
explaining the original purpose of the lines.
policy/modules/contrib/pulseaudio.te | 3 ---
1 file changed, 3 deletions(-)
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index ea5b2a9..af4779d 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -227,9 +227,6 @@ pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, file, ".esd_auth")
pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, file, ".pulse-cookie")
pulseaudio_signull(pulseaudio_client)
-# TODO: ~/.cache
-userdom_manage_user_home_content_files(pulseaudio_client)
-
userdom_read_user_tmpfs_files(pulseaudio_client)
# userdom_delete_user_tmpfs_files(pulseaudio_client)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-08-27 19:11 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-08-27 19:11 UTC (permalink / raw
To: gentoo-commits
commit: 7107daec01a595033aa8d356226b7220d150115b
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Aug 24 15:10:07 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Aug 27 19:08:31 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7107daec
rsync: remove rsync_run from admin interface
Admining rsync does not require running it in the rsync_t domain and
this causes problems for backups and the like which would originally run
in the user's domain now run in rsync_t.
policy/modules/contrib/rsync.if | 2 --
1 file changed, 2 deletions(-)
diff --git a/policy/modules/contrib/rsync.if b/policy/modules/contrib/rsync.if
index e916de8..c7b19aa 100644
--- a/policy/modules/contrib/rsync.if
+++ b/policy/modules/contrib/rsync.if
@@ -276,6 +276,4 @@ interface(`rsync_admin',`
files_search_pids($1)
admin_pattern($1, rsync_var_run_t)
-
- rsync_run($1, $2)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-08-27 18:58 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-08-27 18:58 UTC (permalink / raw
To: gentoo-commits
commit: fa28033a97aca727f711c19a5198a8566f13f627
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Aug 24 17:37:52 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Aug 24 17:37:52 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fa28033a
android: dontaudit the /proc dir accesses
commit dfac21413962d786be190c1cc9063ee00ea76001 dontaudited the process
class but that is not enough to quiet it down. Add in a dontaudit rule
for domain:dir too.
policy/modules/contrib/android.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/android.te b/policy/modules/contrib/android.te
index 6d6c94b..ff1fcac 100644
--- a/policy/modules/contrib/android.te
+++ b/policy/modules/contrib/android.te
@@ -102,6 +102,7 @@ corenet_tcp_connect_http_port(android_java_t)
corenet_udp_bind_generic_node(android_java_t)
domain_dontaudit_getattr_all_domains(android_java_t)
+domain_dontaudit_search_all_domains_state(android_java_t)
miscfiles_read_fonts(android_java_t)
miscfiles_read_localization(android_java_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-08-27 18:00 Jason Zaman
2015-08-27 18:58 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2015-08-27 18:00 UTC (permalink / raw
To: gentoo-commits
commit: 0e45905f66e4db5450838600491521a25fbcb3fb
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Aug 26 06:19:58 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Aug 27 17:59:35 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0e45905f
Add policy for cgmanager
policy/modules/contrib/cgmanager.fc | 3 ++
policy/modules/contrib/cgmanager.if | 22 +++++++++++++
policy/modules/contrib/cgmanager.te | 66 +++++++++++++++++++++++++++++++++++++
3 files changed, 91 insertions(+)
diff --git a/policy/modules/contrib/cgmanager.fc b/policy/modules/contrib/cgmanager.fc
new file mode 100644
index 0000000..8ea4a46
--- /dev/null
+++ b/policy/modules/contrib/cgmanager.fc
@@ -0,0 +1,3 @@
+/usr/sbin/cgmanager -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
+/usr/sbin/cgproxy -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
+/usr/sbin/cgm-release-agent -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
diff --git a/policy/modules/contrib/cgmanager.if b/policy/modules/contrib/cgmanager.if
new file mode 100644
index 0000000..ad459a6
--- /dev/null
+++ b/policy/modules/contrib/cgmanager.if
@@ -0,0 +1,22 @@
+## <summary>Control Group manager daemon.</summary>
+
+########################################
+## <summary>
+## Connect to cgmanager with a unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cgmanager_stream_connect',`
+ gen_require(`
+ type cgmanager_t, cgmanager_cgroup_t;
+ ')
+
+ fs_search_cgroup_dirs($1)
+ list_dirs_pattern($1, cgmanager_cgroup_t, cgmanager_cgroup_t)
+ stream_connect_pattern($1, cgmanager_cgroup_t, cgmanager_cgroup_t, cgmanager_t)
+')
diff --git a/policy/modules/contrib/cgmanager.te b/policy/modules/contrib/cgmanager.te
new file mode 100644
index 0000000..5c32295
--- /dev/null
+++ b/policy/modules/contrib/cgmanager.te
@@ -0,0 +1,66 @@
+policy_module(cgmanager, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type cgmanager_t;
+type cgmanager_exec_t;
+init_daemon_domain(cgmanager_t, cgmanager_exec_t)
+
+type cgmanager_run_t;
+files_pid_file(cgmanager_run_t)
+
+type cgmanager_cgroup_t;
+files_type(cgmanager_cgroup_t)
+
+########################################
+#
+# CGManager local policy
+#
+
+allow cgmanager_t self:capability { sys_admin dac_override };
+allow cgmanager_t self:fifo_file rw_fifo_file_perms;
+
+manage_dirs_pattern(cgmanager_t, cgmanager_run_t, cgmanager_run_t)
+manage_files_pattern(cgmanager_t, cgmanager_run_t, cgmanager_run_t)
+manage_lnk_files_pattern(cgmanager_t, cgmanager_run_t, cgmanager_run_t)
+files_pid_filetrans(cgmanager_t, cgmanager_run_t, { file dir })
+allow cgmanager_t cgmanager_run_t:dir mounton;
+
+manage_dirs_pattern(cgmanager_t, cgmanager_cgroup_t, cgmanager_cgroup_t)
+manage_files_pattern(cgmanager_t, cgmanager_cgroup_t, cgmanager_cgroup_t)
+manage_sock_files_pattern(cgmanager_t, cgmanager_cgroup_t, cgmanager_cgroup_t)
+fs_cgroup_filetrans(cgmanager_t, cgmanager_cgroup_t, dir, "cgmanager")
+
+kernel_domtrans_to(cgmanager_t, cgmanager_exec_t)
+kernel_read_system_state(cgmanager_t)
+
+corecmd_exec_bin(cgmanager_t)
+can_exec(cgmanager_t, cgmanager_exec_t)
+
+domain_read_all_domains_state(cgmanager_t)
+
+files_read_etc_files(cgmanager_t)
+
+# cgmanager unmounts everything in its own mount namespace and mounts tmpfs on some things
+files_mounton_all_mountpoints(cgmanager_t)
+files_unmount_all_file_type_fs(cgmanager_t)
+fs_unmount_xattr_fs(cgmanager_t)
+
+fs_manage_cgroup_dirs(cgmanager_t)
+fs_manage_cgroup_files(cgmanager_t)
+
+fs_getattr_tmpfs(cgmanager_t)
+
+fs_manage_tmpfs_dirs(cgmanager_t)
+fs_manage_tmpfs_files(cgmanager_t)
+
+fs_mount_cgroup(cgmanager_t)
+fs_mount_tmpfs(cgmanager_t)
+fs_mounton_tmpfs(cgmanager_t)
+fs_remount_cgroup(cgmanager_t)
+fs_remount_tmpfs(cgmanager_t)
+fs_unmount_cgroup(cgmanager_t)
+fs_unmount_tmpfs(cgmanager_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2015-08-27 18:00 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
@ 2015-08-27 18:58 ` Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-08-27 18:58 UTC (permalink / raw
To: gentoo-commits
commit: 0e45905f66e4db5450838600491521a25fbcb3fb
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Aug 26 06:19:58 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Aug 27 17:59:35 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0e45905f
Add policy for cgmanager
policy/modules/contrib/cgmanager.fc | 3 ++
policy/modules/contrib/cgmanager.if | 22 +++++++++++++
policy/modules/contrib/cgmanager.te | 66 +++++++++++++++++++++++++++++++++++++
3 files changed, 91 insertions(+)
diff --git a/policy/modules/contrib/cgmanager.fc b/policy/modules/contrib/cgmanager.fc
new file mode 100644
index 0000000..8ea4a46
--- /dev/null
+++ b/policy/modules/contrib/cgmanager.fc
@@ -0,0 +1,3 @@
+/usr/sbin/cgmanager -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
+/usr/sbin/cgproxy -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
+/usr/sbin/cgm-release-agent -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
diff --git a/policy/modules/contrib/cgmanager.if b/policy/modules/contrib/cgmanager.if
new file mode 100644
index 0000000..ad459a6
--- /dev/null
+++ b/policy/modules/contrib/cgmanager.if
@@ -0,0 +1,22 @@
+## <summary>Control Group manager daemon.</summary>
+
+########################################
+## <summary>
+## Connect to cgmanager with a unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cgmanager_stream_connect',`
+ gen_require(`
+ type cgmanager_t, cgmanager_cgroup_t;
+ ')
+
+ fs_search_cgroup_dirs($1)
+ list_dirs_pattern($1, cgmanager_cgroup_t, cgmanager_cgroup_t)
+ stream_connect_pattern($1, cgmanager_cgroup_t, cgmanager_cgroup_t, cgmanager_t)
+')
diff --git a/policy/modules/contrib/cgmanager.te b/policy/modules/contrib/cgmanager.te
new file mode 100644
index 0000000..5c32295
--- /dev/null
+++ b/policy/modules/contrib/cgmanager.te
@@ -0,0 +1,66 @@
+policy_module(cgmanager, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type cgmanager_t;
+type cgmanager_exec_t;
+init_daemon_domain(cgmanager_t, cgmanager_exec_t)
+
+type cgmanager_run_t;
+files_pid_file(cgmanager_run_t)
+
+type cgmanager_cgroup_t;
+files_type(cgmanager_cgroup_t)
+
+########################################
+#
+# CGManager local policy
+#
+
+allow cgmanager_t self:capability { sys_admin dac_override };
+allow cgmanager_t self:fifo_file rw_fifo_file_perms;
+
+manage_dirs_pattern(cgmanager_t, cgmanager_run_t, cgmanager_run_t)
+manage_files_pattern(cgmanager_t, cgmanager_run_t, cgmanager_run_t)
+manage_lnk_files_pattern(cgmanager_t, cgmanager_run_t, cgmanager_run_t)
+files_pid_filetrans(cgmanager_t, cgmanager_run_t, { file dir })
+allow cgmanager_t cgmanager_run_t:dir mounton;
+
+manage_dirs_pattern(cgmanager_t, cgmanager_cgroup_t, cgmanager_cgroup_t)
+manage_files_pattern(cgmanager_t, cgmanager_cgroup_t, cgmanager_cgroup_t)
+manage_sock_files_pattern(cgmanager_t, cgmanager_cgroup_t, cgmanager_cgroup_t)
+fs_cgroup_filetrans(cgmanager_t, cgmanager_cgroup_t, dir, "cgmanager")
+
+kernel_domtrans_to(cgmanager_t, cgmanager_exec_t)
+kernel_read_system_state(cgmanager_t)
+
+corecmd_exec_bin(cgmanager_t)
+can_exec(cgmanager_t, cgmanager_exec_t)
+
+domain_read_all_domains_state(cgmanager_t)
+
+files_read_etc_files(cgmanager_t)
+
+# cgmanager unmounts everything in its own mount namespace and mounts tmpfs on some things
+files_mounton_all_mountpoints(cgmanager_t)
+files_unmount_all_file_type_fs(cgmanager_t)
+fs_unmount_xattr_fs(cgmanager_t)
+
+fs_manage_cgroup_dirs(cgmanager_t)
+fs_manage_cgroup_files(cgmanager_t)
+
+fs_getattr_tmpfs(cgmanager_t)
+
+fs_manage_tmpfs_dirs(cgmanager_t)
+fs_manage_tmpfs_files(cgmanager_t)
+
+fs_mount_cgroup(cgmanager_t)
+fs_mount_tmpfs(cgmanager_t)
+fs_mounton_tmpfs(cgmanager_t)
+fs_remount_cgroup(cgmanager_t)
+fs_remount_tmpfs(cgmanager_t)
+fs_unmount_cgroup(cgmanager_t)
+fs_unmount_tmpfs(cgmanager_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-08-26 6:46 Jason Zaman
2015-08-23 4:13 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2015-08-26 6:46 UTC (permalink / raw
To: gentoo-commits
commit: 74d30592c6783e80a8fab93628563cdba1536773
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Aug 22 16:11:22 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Aug 22 16:11:22 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=74d30592
pulseaudio: allow clients to list user tmp dirs
/tmp/pulse-* gets created by the clients usually as user_tmp_t
bug 556526
policy/modules/contrib/pulseaudio.te | 3 +++
1 file changed, 3 insertions(+)
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index d7f48be..ea5b2a9 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -277,4 +277,7 @@ ifdef(`distro_gentoo',`
manage_lnk_files_pattern(pulseaudio_client, pulseaudio_xdg_config_t, pulseaudio_xdg_config_t)
manage_dirs_pattern(pulseaudio_client, pulseaudio_xdg_config_t, pulseaudio_xdg_config_t)
xdg_config_home_filetrans(pulseaudio_client, pulseaudio_xdg_config_t, dir, "pulse")
+
+ # /tmp/pulse-* gets created by the clients usually as user_tmp_t, bug 556526
+ userdom_list_user_tmp(pulseaudio_client)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2015-08-26 6:46 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
@ 2015-08-23 4:13 ` Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-08-23 4:13 UTC (permalink / raw
To: gentoo-commits
commit: 74d30592c6783e80a8fab93628563cdba1536773
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Aug 22 16:11:22 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Aug 22 16:11:22 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=74d30592
pulseaudio: allow clients to list user tmp dirs
/tmp/pulse-* gets created by the clients usually as user_tmp_t
bug 556526
policy/modules/contrib/pulseaudio.te | 3 +++
1 file changed, 3 insertions(+)
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index d7f48be..ea5b2a9 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -277,4 +277,7 @@ ifdef(`distro_gentoo',`
manage_lnk_files_pattern(pulseaudio_client, pulseaudio_xdg_config_t, pulseaudio_xdg_config_t)
manage_dirs_pattern(pulseaudio_client, pulseaudio_xdg_config_t, pulseaudio_xdg_config_t)
xdg_config_home_filetrans(pulseaudio_client, pulseaudio_xdg_config_t, dir, "pulse")
+
+ # /tmp/pulse-* gets created by the clients usually as user_tmp_t, bug 556526
+ userdom_list_user_tmp(pulseaudio_client)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-08-23 4:13 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-08-23 4:13 UTC (permalink / raw
To: gentoo-commits
commit: dcc726fd493cae4e694163d0fd303b7e36c0ffa6
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Aug 22 16:20:23 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Aug 22 16:20:23 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=dcc726fd
android: android_tools needs to be able to read the sdk
policy/modules/contrib/android.te | 3 +++
1 file changed, 3 insertions(+)
diff --git a/policy/modules/contrib/android.te b/policy/modules/contrib/android.te
index 930c6b3..6d6c94b 100644
--- a/policy/modules/contrib/android.te
+++ b/policy/modules/contrib/android.te
@@ -49,6 +49,9 @@ can_exec(android_tools_t, android_tools_exec_t)
manage_dirs_pattern(android_tools_t, android_home_t, android_home_t)
manage_files_pattern(android_tools_t, android_home_t, android_home_t)
+list_dirs_pattern(android_tools_t, android_sdk_t, android_sdk_t)
+read_files_pattern(android_tools_t, android_sdk_t, android_sdk_t)
+
files_tmp_filetrans(android_tools_t, android_tmp_t, { file dir })
manage_dirs_pattern(android_tools_t, android_tmp_t, android_tmp_t)
manage_files_pattern(android_tools_t, android_tmp_t, android_tmp_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-08-10 20:46 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2015-08-10 20:46 UTC (permalink / raw
To: gentoo-commits
commit: 39053e06affa1f85a487412b2ec6bf6ba2aa12b8
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Aug 2 19:06:19 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Aug 10 20:46:21 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=39053e06
Allow salt minion to read software raid state
policy/modules/contrib/salt.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te
index 0f3dba4..0a3d45a 100644
--- a/policy/modules/contrib/salt.te
+++ b/policy/modules/contrib/salt.te
@@ -277,6 +277,7 @@ files_pid_filetrans(salt_minion_t, salt_var_run_t, dir)
files_pid_filetrans(salt_minion_t, salt_minion_var_run_t, file, "salt-minion.pid")
kernel_read_network_state(salt_minion_t)
+kernel_read_software_raid_state(salt_minion_t)
kernel_read_system_state(salt_minion_t)
kernel_rw_all_sysctls(salt_minion_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-08-10 20:46 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2015-08-10 20:46 UTC (permalink / raw
To: gentoo-commits
commit: 1573307619ff359843b960f808459e2ab51df340
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Aug 2 19:13:04 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Aug 10 20:46:21 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=15733076
Comment on init_exec use case for salt_master_t
policy/modules/contrib/salt.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te
index 0a3d45a..2a4e84d 100644
--- a/policy/modules/contrib/salt.te
+++ b/policy/modules/contrib/salt.te
@@ -190,6 +190,7 @@ fs_getattr_tmpfs(salt_master_t)
getty_use_fds(salt_master_t)
+# Actually seems to require getattr read execute on init_exec_t
init_exec(salt_master_t)
init_read_state(salt_master_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-08-02 19:06 Jason Zaman
2015-07-31 14:18 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2015-08-02 19:06 UTC (permalink / raw
To: gentoo-commits
commit: 0e8ef804e3c6409094334dda3b320bcfd5bf29b8
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Jul 28 14:46:43 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Jul 31 08:09:03 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0e8ef804
android: add sdk in /opt and sysfs
adb needs to be able to read sysfs to find the USB device
policy/modules/contrib/android.fc | 4 ++++
policy/modules/contrib/android.if | 5 +++++
policy/modules/contrib/android.te | 11 +++++++++--
3 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/android.fc b/policy/modules/contrib/android.fc
index a16fc47..af98311 100644
--- a/policy/modules/contrib/android.fc
+++ b/policy/modules/contrib/android.fc
@@ -4,3 +4,7 @@ HOME_DIR/\.gradle(/.*)? gen_context(system_u:object_r:android_home_t,s0)
/opt/android-studio/bin/studio.sh gen_context(system_u:object_r:android_java_exec_t,s0)
+/opt/android-sdk-update-manager/platform-tools/adb -- gen_context(system_u:object_r:android_tools_exec_t,s0)
+/opt/android-sdk-update-manager/platform-tools/fastboot -- gen_context(system_u:object_r:android_tools_exec_t,s0)
+/opt/android-sdk-update-manager/tools/android -- gen_context(system_u:object_r:android_java_exec_t,s0)
+/opt/android-sdk-update-manager(/.*)? gen_context(system_u:object_r:android_sdk_t,s0)
diff --git a/policy/modules/contrib/android.if b/policy/modules/contrib/android.if
index f0173d5..a50093a 100644
--- a/policy/modules/contrib/android.if
+++ b/policy/modules/contrib/android.if
@@ -23,6 +23,7 @@ interface(`android_role',`
type android_tmp_t;
type android_java_t;
type android_java_exec_t;
+ type android_sdk_t;
')
role $1 types android_tools_t;
@@ -38,6 +39,10 @@ interface(`android_role',`
manage_files_pattern($2, android_home_t, android_home_t)
manage_lnk_files_pattern($2, android_home_t, android_home_t)
+ list_dirs_pattern($2, android_sdk_t, android_sdk_t)
+ read_files_pattern($2, android_sdk_t, android_sdk_t)
+ read_lnk_files_pattern($2, android_sdk_t, android_sdk_t)
+
userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android")
userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudioBeta")
userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudio")
diff --git a/policy/modules/contrib/android.te b/policy/modules/contrib/android.te
index a76061f..930c6b3 100644
--- a/policy/modules/contrib/android.te
+++ b/policy/modules/contrib/android.te
@@ -28,6 +28,8 @@ type android_home_t; # customizable
userdom_user_home_content(android_home_t)
userdom_user_home_dir_filetrans(android_tools_t, android_home_t, { dir file })
+type android_sdk_t;
+files_type(android_sdk_t)
############################
#
@@ -55,6 +57,7 @@ corenet_tcp_bind_adb_port(android_tools_t)
corenet_tcp_bind_generic_node(android_tools_t)
corenet_tcp_connect_adb_port(android_tools_t)
+dev_read_sysfs(android_tools_t)
dev_rw_generic_usb_dev(android_tools_t)
userdom_manage_user_home_content_dirs(android_tools_t)
@@ -75,10 +78,14 @@ allow android_java_t self:tcp_socket { accept listen };
can_exec(android_java_t, android_home_t)
can_exec(android_java_t, android_java_exec_t)
+can_exec(android_java_t, android_sdk_t)
manage_dirs_pattern(android_java_t, android_home_t, android_home_t)
manage_files_pattern(android_java_t, android_home_t, android_home_t)
+manage_dirs_pattern(android_java_t, android_sdk_t, android_sdk_t)
+manage_files_pattern(android_java_t, android_sdk_t, android_sdk_t)
+
manage_dirs_pattern(android_java_t, android_tmp_t, android_tmp_t)
manage_files_pattern(android_java_t, android_tmp_t, android_tmp_t)
@@ -87,8 +94,8 @@ corecmd_exec_shell(android_java_t)
corenet_tcp_bind_all_unreserved_ports(android_java_t)
corenet_tcp_bind_generic_node(android_java_t)
-corenet_tcp_connect_adb_port(android_tools_t)
-corenet_tcp_connect_http_port(android_tools_t)
+corenet_tcp_connect_adb_port(android_java_t)
+corenet_tcp_connect_http_port(android_java_t)
corenet_udp_bind_generic_node(android_java_t)
domain_dontaudit_getattr_all_domains(android_java_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2015-08-02 19:06 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
@ 2015-07-31 14:18 ` Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-07-31 14:18 UTC (permalink / raw
To: gentoo-commits
commit: 0e8ef804e3c6409094334dda3b320bcfd5bf29b8
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Jul 28 14:46:43 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Jul 31 08:09:03 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0e8ef804
android: add sdk in /opt and sysfs
adb needs to be able to read sysfs to find the USB device
policy/modules/contrib/android.fc | 4 ++++
policy/modules/contrib/android.if | 5 +++++
policy/modules/contrib/android.te | 11 +++++++++--
3 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/android.fc b/policy/modules/contrib/android.fc
index a16fc47..af98311 100644
--- a/policy/modules/contrib/android.fc
+++ b/policy/modules/contrib/android.fc
@@ -4,3 +4,7 @@ HOME_DIR/\.gradle(/.*)? gen_context(system_u:object_r:android_home_t,s0)
/opt/android-studio/bin/studio.sh gen_context(system_u:object_r:android_java_exec_t,s0)
+/opt/android-sdk-update-manager/platform-tools/adb -- gen_context(system_u:object_r:android_tools_exec_t,s0)
+/opt/android-sdk-update-manager/platform-tools/fastboot -- gen_context(system_u:object_r:android_tools_exec_t,s0)
+/opt/android-sdk-update-manager/tools/android -- gen_context(system_u:object_r:android_java_exec_t,s0)
+/opt/android-sdk-update-manager(/.*)? gen_context(system_u:object_r:android_sdk_t,s0)
diff --git a/policy/modules/contrib/android.if b/policy/modules/contrib/android.if
index f0173d5..a50093a 100644
--- a/policy/modules/contrib/android.if
+++ b/policy/modules/contrib/android.if
@@ -23,6 +23,7 @@ interface(`android_role',`
type android_tmp_t;
type android_java_t;
type android_java_exec_t;
+ type android_sdk_t;
')
role $1 types android_tools_t;
@@ -38,6 +39,10 @@ interface(`android_role',`
manage_files_pattern($2, android_home_t, android_home_t)
manage_lnk_files_pattern($2, android_home_t, android_home_t)
+ list_dirs_pattern($2, android_sdk_t, android_sdk_t)
+ read_files_pattern($2, android_sdk_t, android_sdk_t)
+ read_lnk_files_pattern($2, android_sdk_t, android_sdk_t)
+
userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android")
userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudioBeta")
userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudio")
diff --git a/policy/modules/contrib/android.te b/policy/modules/contrib/android.te
index a76061f..930c6b3 100644
--- a/policy/modules/contrib/android.te
+++ b/policy/modules/contrib/android.te
@@ -28,6 +28,8 @@ type android_home_t; # customizable
userdom_user_home_content(android_home_t)
userdom_user_home_dir_filetrans(android_tools_t, android_home_t, { dir file })
+type android_sdk_t;
+files_type(android_sdk_t)
############################
#
@@ -55,6 +57,7 @@ corenet_tcp_bind_adb_port(android_tools_t)
corenet_tcp_bind_generic_node(android_tools_t)
corenet_tcp_connect_adb_port(android_tools_t)
+dev_read_sysfs(android_tools_t)
dev_rw_generic_usb_dev(android_tools_t)
userdom_manage_user_home_content_dirs(android_tools_t)
@@ -75,10 +78,14 @@ allow android_java_t self:tcp_socket { accept listen };
can_exec(android_java_t, android_home_t)
can_exec(android_java_t, android_java_exec_t)
+can_exec(android_java_t, android_sdk_t)
manage_dirs_pattern(android_java_t, android_home_t, android_home_t)
manage_files_pattern(android_java_t, android_home_t, android_home_t)
+manage_dirs_pattern(android_java_t, android_sdk_t, android_sdk_t)
+manage_files_pattern(android_java_t, android_sdk_t, android_sdk_t)
+
manage_dirs_pattern(android_java_t, android_tmp_t, android_tmp_t)
manage_files_pattern(android_java_t, android_tmp_t, android_tmp_t)
@@ -87,8 +94,8 @@ corecmd_exec_shell(android_java_t)
corenet_tcp_bind_all_unreserved_ports(android_java_t)
corenet_tcp_bind_generic_node(android_java_t)
-corenet_tcp_connect_adb_port(android_tools_t)
-corenet_tcp_connect_http_port(android_tools_t)
+corenet_tcp_connect_adb_port(android_java_t)
+corenet_tcp_connect_http_port(android_java_t)
corenet_udp_bind_generic_node(android_java_t)
domain_dontaudit_getattr_all_domains(android_java_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-08-02 19:06 Jason Zaman
2015-07-31 14:18 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2015-08-02 19:06 UTC (permalink / raw
To: gentoo-commits
commit: 539bbc9b693447bf2dadb0031b318eb4049ada9b
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Jul 2 18:36:39 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Jul 30 16:44:43 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=539bbc9b
qemu: add policy for qemu-guest-agent
policy/modules/contrib/qemu.fc | 9 +++++++++
policy/modules/contrib/qemu.te | 35 +++++++++++++++++++++++++++++++++++
2 files changed, 44 insertions(+)
diff --git a/policy/modules/contrib/qemu.fc b/policy/modules/contrib/qemu.fc
index 86ea53c..f1304fb 100644
--- a/policy/modules/contrib/qemu.fc
+++ b/policy/modules/contrib/qemu.fc
@@ -4,3 +4,12 @@
/usr/bin/kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
+
+ifdef(`distro_gentoo',`
+/usr/bin/qemu-ga -- gen_context(system_u:object_r:qemu_ga_exec_t,s0)
+
+/var/log/qemu-ga.log -- gen_context(system_u:object_r:qemu_ga_log_t,s0)
+/var/log/qemu-ga(/.*)? -- gen_context(system_u:object_r:qemu_ga_log_t,s0)
+
+/var/run/qemu-ga.pid -- gen_context(system_u:object_r:qemu_ga_run_t,s0)
+')
diff --git a/policy/modules/contrib/qemu.te b/policy/modules/contrib/qemu.te
index cf647bb..136f6f3 100644
--- a/policy/modules/contrib/qemu.te
+++ b/policy/modules/contrib/qemu.te
@@ -77,4 +77,39 @@ ifdef(`distro_gentoo',`
optional_policy(`
vde_connect(qemu_t)
')
+
+ #################################
+ #
+ # QEMU Guest Agent policy
+ #
+ type qemu_ga_t;
+ type qemu_ga_exec_t;
+ init_system_domain(qemu_ga_t, qemu_ga_exec_t)
+
+ type qemu_ga_log_t;
+ logging_log_file(qemu_ga_log_t)
+
+ type qemu_ga_run_t;
+ files_pid_file(qemu_ga_run_t)
+
+ allow qemu_ga_t self:capability sys_admin;
+ allow qemu_ga_t self:unix_dgram_socket create_socket_perms;
+
+ manage_dirs_pattern(qemu_ga_t, qemu_ga_log_t, qemu_ga_log_t)
+ append_files_pattern(qemu_ga_t, qemu_ga_log_t, qemu_ga_log_t)
+ create_files_pattern(qemu_ga_t, qemu_ga_log_t, qemu_ga_log_t)
+ setattr_files_pattern(qemu_ga_t, qemu_ga_log_t, qemu_ga_log_t)
+ logging_log_filetrans(qemu_ga_t, qemu_ga_log_t, { dir file })
+
+ allow qemu_ga_t qemu_ga_run_t:file manage_file_perms;
+ files_pid_filetrans(qemu_ga_t, qemu_ga_run_t, file)
+
+ corecmd_exec_bin(qemu_ga_t)
+ corecmd_exec_shell(qemu_ga_t)
+
+ miscfiles_read_localization(qemu_ga_t)
+
+ userdom_use_user_terminals(qemu_ga_t)
+
+ term_use_virtio_console(qemu_ga_t)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2015-08-02 19:06 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
@ 2015-07-31 14:18 ` Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-07-31 14:18 UTC (permalink / raw
To: gentoo-commits
commit: 539bbc9b693447bf2dadb0031b318eb4049ada9b
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Jul 2 18:36:39 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Jul 30 16:44:43 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=539bbc9b
qemu: add policy for qemu-guest-agent
policy/modules/contrib/qemu.fc | 9 +++++++++
policy/modules/contrib/qemu.te | 35 +++++++++++++++++++++++++++++++++++
2 files changed, 44 insertions(+)
diff --git a/policy/modules/contrib/qemu.fc b/policy/modules/contrib/qemu.fc
index 86ea53c..f1304fb 100644
--- a/policy/modules/contrib/qemu.fc
+++ b/policy/modules/contrib/qemu.fc
@@ -4,3 +4,12 @@
/usr/bin/kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
+
+ifdef(`distro_gentoo',`
+/usr/bin/qemu-ga -- gen_context(system_u:object_r:qemu_ga_exec_t,s0)
+
+/var/log/qemu-ga.log -- gen_context(system_u:object_r:qemu_ga_log_t,s0)
+/var/log/qemu-ga(/.*)? -- gen_context(system_u:object_r:qemu_ga_log_t,s0)
+
+/var/run/qemu-ga.pid -- gen_context(system_u:object_r:qemu_ga_run_t,s0)
+')
diff --git a/policy/modules/contrib/qemu.te b/policy/modules/contrib/qemu.te
index cf647bb..136f6f3 100644
--- a/policy/modules/contrib/qemu.te
+++ b/policy/modules/contrib/qemu.te
@@ -77,4 +77,39 @@ ifdef(`distro_gentoo',`
optional_policy(`
vde_connect(qemu_t)
')
+
+ #################################
+ #
+ # QEMU Guest Agent policy
+ #
+ type qemu_ga_t;
+ type qemu_ga_exec_t;
+ init_system_domain(qemu_ga_t, qemu_ga_exec_t)
+
+ type qemu_ga_log_t;
+ logging_log_file(qemu_ga_log_t)
+
+ type qemu_ga_run_t;
+ files_pid_file(qemu_ga_run_t)
+
+ allow qemu_ga_t self:capability sys_admin;
+ allow qemu_ga_t self:unix_dgram_socket create_socket_perms;
+
+ manage_dirs_pattern(qemu_ga_t, qemu_ga_log_t, qemu_ga_log_t)
+ append_files_pattern(qemu_ga_t, qemu_ga_log_t, qemu_ga_log_t)
+ create_files_pattern(qemu_ga_t, qemu_ga_log_t, qemu_ga_log_t)
+ setattr_files_pattern(qemu_ga_t, qemu_ga_log_t, qemu_ga_log_t)
+ logging_log_filetrans(qemu_ga_t, qemu_ga_log_t, { dir file })
+
+ allow qemu_ga_t qemu_ga_run_t:file manage_file_perms;
+ files_pid_filetrans(qemu_ga_t, qemu_ga_run_t, file)
+
+ corecmd_exec_bin(qemu_ga_t)
+ corecmd_exec_shell(qemu_ga_t)
+
+ miscfiles_read_localization(qemu_ga_t)
+
+ userdom_use_user_terminals(qemu_ga_t)
+
+ term_use_virtio_console(qemu_ga_t)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-08-02 19:06 Jason Zaman
2015-08-02 19:05 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2015-08-02 19:06 UTC (permalink / raw
To: gentoo-commits
commit: 017cc90bb5f7acd0d5497b17b24c537d96b5400b
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Aug 2 18:21:15 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Aug 2 19:04:45 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=017cc90b
subsonic: also needs accept perms on the tcp_socket
otherwise it can bind and listen but not accept
policy/modules/contrib/subsonic.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/subsonic.te b/policy/modules/contrib/subsonic.te
index cb0c5ac..a64a814 100644
--- a/policy/modules/contrib/subsonic.te
+++ b/policy/modules/contrib/subsonic.te
@@ -20,7 +20,7 @@ files_pid_file(subsonic_run_t)
# Subsonic local policy
#
-allow subsonic_t self:tcp_socket listen;
+allow subsonic_t self:tcp_socket { listen accept };
java_domain_type(subsonic_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-08-02 19:06 Jason Zaman
2015-07-31 14:15 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2015-08-02 19:06 UTC (permalink / raw
To: gentoo-commits
commit: ff5aa0ddb82327c352fa3b83586dd790b0bca09c
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Fri Jul 17 12:13:28 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Jul 30 16:41:33 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ff5aa0dd
Module version bump for cron_admin interface from Jason Zaman.
policy/modules/contrib/cron.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te
index 45cce5f..d22885f 100644
--- a/policy/modules/contrib/cron.te
+++ b/policy/modules/contrib/cron.te
@@ -1,4 +1,4 @@
-policy_module(cron, 2.8.0)
+policy_module(cron, 2.8.1)
gen_require(`
class passwd rootok;
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-08-02 19:02 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2015-08-02 19:02 UTC (permalink / raw
To: gentoo-commits
commit: e37615c40f756dcaf85c7d5f2d1bd904f898f721
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Aug 2 19:01:11 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Aug 2 19:01:11 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e37615c4
A whole slew before master is started correctly
Without these changes, subprocesses of the salt master keep
crashing/exiting without any sign. Although the denials are extremely
frequent (as the main salt master restarts those processes over and over
again) there is no information in the salt logs that points to anything.
After allowing these operations (which is mainly reading information)
the salt master starts fine.
policy/modules/contrib/salt.te | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te
index c00aa50..0f3dba4 100644
--- a/policy/modules/contrib/salt.te
+++ b/policy/modules/contrib/salt.te
@@ -99,7 +99,7 @@ files_pid_file(salt_var_run_t)
# salt_master_t policy
#
-allow salt_master_t self:capability { net_admin sys_admin sys_tty_config };
+allow salt_master_t self:capability { net_admin sys_admin sys_nice sys_tty_config };
allow salt_master_t self:capability2 block_suspend;
allow salt_master_t self:process { getsched setsched signal };
allow salt_master_t self:tcp_socket create_stream_socket_perms;
@@ -167,6 +167,7 @@ files_pid_filetrans(salt_master_t, salt_var_run_t, dir)
files_pid_filetrans(salt_master_t, salt_master_var_run_t, file, "salt-master.pid")
kernel_read_network_state(salt_master_t)
+kernel_read_software_raid_state(salt_master_t)
kernel_read_system_state(salt_master_t)
corecmd_exec_bin(salt_master_t)
@@ -189,7 +190,16 @@ fs_getattr_tmpfs(salt_master_t)
getty_use_fds(salt_master_t)
+init_exec(salt_master_t)
+init_read_state(salt_master_t)
+
+libs_exec_ldconfig(salt_master_t)
+
miscfiles_read_localization(salt_master_t)
+miscfiles_read_generic_certs(salt_master_t)
+
+selinux_get_enforce_mode(salt_master_t)
+selinux_getattr_fs(salt_master_t)
sysnet_exec_ifconfig(salt_master_t)
sysnet_read_config(salt_master_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-08-02 18:07 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2015-08-02 18:07 UTC (permalink / raw
To: gentoo-commits
commit: bf421d08e93e0e098620587655d9326d826f4a5d
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Aug 2 18:05:49 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Aug 2 18:05:49 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=bf421d08
Salt minion requires execute rights on init to start
Without execute rights, the salt minion continuously restarts with the
following in the log:
2015-08-02 20:02:57,671 [salt.scripts ][INFO ][30383] Sleeping random_reauth_delay of 6 seconds
2015-08-02 20:03:13,558 [salt.cli.daemons ][INFO ][30833] Setting up the Salt Minion "salt.internal.genfic.local"
2015-08-02 20:03:13,913 [salt.utils.process][DEBUG ][30833] Created pidfile: /var/run/salt-minion.pid
2015-08-02 20:03:13,914 [salt.config ][DEBUG ][30833] Reading configuration from /etc/salt/minion
2015-08-02 20:03:13,915 [salt.config ][DEBUG ][30833] Including configuration from '/etc/salt/minion.d/_schedule.conf'
2015-08-02 20:03:13,915 [salt.config ][DEBUG ][30833] Reading configuration from /etc/salt/minion.d/_schedule.conf
2015-08-02 20:03:14,188 [salt.utils ][TRACE ][30833] 'init' could not be found in the following search path: ['/bin', '/sbin', '/bin', '/sbin', '/usr/bin', '/usr/sbin', '/usr/bin', '/usr/sbin', '/usr/local/bin', '/usr/local/sbin', '/opt/bin', '/usr/x86_64-pc-linux-gnu/gcc-bin/4.8.4']
2015-08-02 20:03:14,189 [salt.cli.daemons ][INFO ][30833] The salt minion is shut down
2015-08-02 20:03:14,190 [salt.scripts ][ERROR ][30833] coercing to Unicode: need string or buffer, NoneType found
2015-08-02 20:03:14,190 [salt.scripts ][WARNING ][30833] ** Restarting minion **
The denial:
type=AVC msg=audit(1438538594.186:99014): avc: denied { execute } for pid=30833 comm="salt-minion" name="init" dev="vda3" ino=2900377 scontext=system_u:system_r:salt_minion_t:s0 tcontext=system_u:object_r:init_exec_t:s0 tclass=file permissive=0
policy/modules/contrib/salt.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te
index ab19bf7..c00aa50 100644
--- a/policy/modules/contrib/salt.te
+++ b/policy/modules/contrib/salt.te
@@ -288,6 +288,7 @@ fstools_domtrans(salt_minion_t)
getty_use_fds(salt_minion_t)
+init_exec(salt_minion_t)
init_exec_rc(salt_minion_t)
miscfiles_read_localization(salt_minion_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-07-31 14:15 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-07-31 14:15 UTC (permalink / raw
To: gentoo-commits
commit: 668db9970fcfe4c20ba9619272799c3dd258fce0
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Jul 16 13:09:44 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Jul 30 16:41:33 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=668db997
Introduce cron_admin interface
policy/modules/contrib/cron.if | 53 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 53 insertions(+)
diff --git a/policy/modules/contrib/cron.if b/policy/modules/contrib/cron.if
index 868d89f..3925811 100644
--- a/policy/modules/contrib/cron.if
+++ b/policy/modules/contrib/cron.if
@@ -835,3 +835,56 @@ interface(`cron_dontaudit_write_system_job_tmp_files',`
dontaudit $1 system_cronjob_tmp_t:file write_file_perms;
')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate a cron environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`cron_admin',`
+ gen_require(`
+ type crond_t, cronjob_t, crond_initrc_exec_t;
+ type cron_var_lib_t, system_cronjob_var_lib_t;
+ type crond_tmp_t, admin_crontab_tmp_t;
+ type crontab_tmp_t, system_cronjob_tmp_t;
+ type cron_var_run_t, system_cronjob_var_run_t, crond_var_run_t;
+ type cron_log_t, system_cronjob_lock_t, user_cron_spool_log_t;
+ attribute cron_spool_type;
+ ')
+
+ allow $1 { crond_t cronjob_t }:process { ptrace signal_perms };
+ ps_process_pattern($1, { crond_t cronjob_t })
+
+ init_startstop_service($1, $2, crond_t, crond_initrc_exec_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, { cron_var_lib_t system_cronjob_var_lib_t })
+
+ files_search_tmp($1)
+ admin_pattern($1, { crond_tmp_t admin_crontab_tmp_t })
+ admin_pattern($1, { crontab_tmp_t system_cronjob_tmp_t })
+
+ files_search_pids($1)
+ admin_pattern($1, { cron_var_run_t crond_var_run_t system_cronjob_var_run_t })
+
+ files_search_locks($1)
+ admin_pattern($1, system_cronjob_lock_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, { cron_log_t user_cron_spool_log_t })
+
+ files_search_spool($1)
+ admin_pattern($1, cron_spool_type)
+')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-07-13 21:45 Jason Zaman
2015-07-13 21:45 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2015-07-13 21:45 UTC (permalink / raw
To: gentoo-commits
commit: 0f47d840e764a60842d65f2e641283936946d2c7
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Jul 11 19:44:51 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Jul 13 21:43:34 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0f47d840
vnstatd: allow user terminals and sysfs
needs to read sysfs to enumerate the network interfaces to update
and needs to use user terminals to output.
type=AVC msg=audit(1436643487.611:833572): avc: denied { read } for
pid=13632 comm="vnstat" name="bond0" dev="sysfs" ino=18625
scontext=staff_u:sysadm_r:vnstat_t tcontext=system_u:object_r:sysfs_t
tclass=lnk_file
type=AVC msg=audit(1436643691.358:833596): avc: denied { read write }
for pid=13802 comm="vnstat" path="/dev/pts/5" dev="devpts" ino=8
scontext=staff_u:sysadm_r:vnstat_t
tcontext=staff_u:object_r:user_devpts_t tclass=chr_file
policy/modules/contrib/vnstatd.te | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/policy/modules/contrib/vnstatd.te b/policy/modules/contrib/vnstatd.te
index 79351c4..9630fe9 100644
--- a/policy/modules/contrib/vnstatd.te
+++ b/policy/modules/contrib/vnstatd.te
@@ -84,3 +84,8 @@ miscfiles_read_localization(vnstat_t)
optional_policy(`
cron_system_entry(vnstat_t, vnstat_exec_t)
')
+
+ifdef(`distro_gentoo',`
+ dev_read_sysfs(vnstat_t)
+ userdom_use_user_terminals(vnstat_t)
+')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2015-07-13 21:45 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
@ 2015-07-13 21:45 ` Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-07-13 21:45 UTC (permalink / raw
To: gentoo-commits
commit: 0f47d840e764a60842d65f2e641283936946d2c7
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Jul 11 19:44:51 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Jul 13 21:43:34 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0f47d840
vnstatd: allow user terminals and sysfs
needs to read sysfs to enumerate the network interfaces to update
and needs to use user terminals to output.
type=AVC msg=audit(1436643487.611:833572): avc: denied { read } for
pid=13632 comm="vnstat" name="bond0" dev="sysfs" ino=18625
scontext=staff_u:sysadm_r:vnstat_t tcontext=system_u:object_r:sysfs_t
tclass=lnk_file
type=AVC msg=audit(1436643691.358:833596): avc: denied { read write }
for pid=13802 comm="vnstat" path="/dev/pts/5" dev="devpts" ino=8
scontext=staff_u:sysadm_r:vnstat_t
tcontext=staff_u:object_r:user_devpts_t tclass=chr_file
policy/modules/contrib/vnstatd.te | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/policy/modules/contrib/vnstatd.te b/policy/modules/contrib/vnstatd.te
index 79351c4..9630fe9 100644
--- a/policy/modules/contrib/vnstatd.te
+++ b/policy/modules/contrib/vnstatd.te
@@ -84,3 +84,8 @@ miscfiles_read_localization(vnstat_t)
optional_policy(`
cron_system_entry(vnstat_t, vnstat_exec_t)
')
+
+ifdef(`distro_gentoo',`
+ dev_read_sysfs(vnstat_t)
+ userdom_use_user_terminals(vnstat_t)
+')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-07-13 21:45 Jason Zaman
2015-07-13 13:02 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2015-07-13 21:45 UTC (permalink / raw
To: gentoo-commits
commit: ff13e7e4cbbeddbc298d5d94e16ad8afddc614fa
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Jul 13 13:00:21 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Jul 13 13:00:21 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ff13e7e4
portage: add fcontext for emaint
Thanks to Matthias Dahl for reporting
policy/modules/contrib/portage.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/portage.fc b/policy/modules/contrib/portage.fc
index 5f07098..655f986 100644
--- a/policy/modules/contrib/portage.fc
+++ b/policy/modules/contrib/portage.fc
@@ -42,6 +42,7 @@ ifdef(`distro_gentoo',`
/usr/bin/emerge-webrsync -- gen_context(system_u:object_r:portage_fetch_exec_t,s0)
/usr/lib/python-exec/python[0-9]\.[0-9]*/glsa-check -- gen_context(system_u:object_r:portage_exec_t,s0)
/usr/lib/python-exec/python[0-9]\.[0-9]*/layman -- gen_context(system_u:object_r:portage_fetch_exec_t,s0)
+/usr/lib/python-exec/python[0-9]\.[0-9]*/emaint -- gen_context(system_u:object_r:portage_exec_t,s0)
/usr/lib/python-exec/python[0-9]\.[0-9]*/emerge -- gen_context(system_u:object_r:portage_exec_t,s0)
/var/log/sandbox(/.*)? gen_context(system_u:object_r:portage_log_t,s0)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2015-07-13 21:45 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
@ 2015-07-13 13:02 ` Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-07-13 13:02 UTC (permalink / raw
To: gentoo-commits
commit: ff13e7e4cbbeddbc298d5d94e16ad8afddc614fa
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Jul 13 13:00:21 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Jul 13 13:00:21 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ff13e7e4
portage: add fcontext for emaint
Thanks to Matthias Dahl for reporting
policy/modules/contrib/portage.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/portage.fc b/policy/modules/contrib/portage.fc
index 5f07098..655f986 100644
--- a/policy/modules/contrib/portage.fc
+++ b/policy/modules/contrib/portage.fc
@@ -42,6 +42,7 @@ ifdef(`distro_gentoo',`
/usr/bin/emerge-webrsync -- gen_context(system_u:object_r:portage_fetch_exec_t,s0)
/usr/lib/python-exec/python[0-9]\.[0-9]*/glsa-check -- gen_context(system_u:object_r:portage_exec_t,s0)
/usr/lib/python-exec/python[0-9]\.[0-9]*/layman -- gen_context(system_u:object_r:portage_fetch_exec_t,s0)
+/usr/lib/python-exec/python[0-9]\.[0-9]*/emaint -- gen_context(system_u:object_r:portage_exec_t,s0)
/usr/lib/python-exec/python[0-9]\.[0-9]*/emerge -- gen_context(system_u:object_r:portage_exec_t,s0)
/var/log/sandbox(/.*)? gen_context(system_u:object_r:portage_log_t,s0)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-07-13 21:45 Jason Zaman
2015-07-13 21:45 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2015-07-13 21:45 UTC (permalink / raw
To: gentoo-commits
commit: 8d39472678948b838904f31d1b3467b1fa427668
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Jul 13 19:47:28 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Jul 13 20:59:50 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8d394726
Add portage_enable_test boolean for FEATURES=test
policy/modules/contrib/portage.te | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/portage.te b/policy/modules/contrib/portage.te
index 2e8ab9e..2f62eb6 100644
--- a/policy/modules/contrib/portage.te
+++ b/policy/modules/contrib/portage.te
@@ -375,6 +375,13 @@ ifdef(`distro_gentoo',`
## </desc>
gen_tunable(portage_mount_fs, false)
+## <desc>
+## <p>
+## Extra rules which are sometimes needed when FEATURES=test is enabled
+## </p>
+## </desc>
+gen_tunable(portage_enable_test, false)
+
##########################################
#
@@ -388,7 +395,7 @@ gen_tunable(portage_mount_fs, false)
attribute portage_eselect_domain;
##########################################
- #
+ #
# Portage fetch local policy
#
@@ -476,6 +483,13 @@ gen_tunable(portage_mount_fs, false)
# install-xattr does listxattr() which throws a lot of this
dontaudit portage_sandbox_t self:capability sys_admin;
+ tunable_policy(`portage_enable_test',`
+ # lots of tests connect over loopback
+ corenet_tcp_bind_generic_node(portage_sandbox_t)
+ corenet_tcp_bind_all_unreserved_ports(portage_sandbox_t)
+ corenet_tcp_connect_all_unreserved_ports(portage_sandbox_t)
+ ')
+
##########################################
#
# Portage eselect module domain
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2015-07-13 21:45 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
@ 2015-07-13 21:45 ` Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-07-13 21:45 UTC (permalink / raw
To: gentoo-commits
commit: 8d39472678948b838904f31d1b3467b1fa427668
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Jul 13 19:47:28 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Jul 13 20:59:50 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8d394726
Add portage_enable_test boolean for FEATURES=test
policy/modules/contrib/portage.te | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/portage.te b/policy/modules/contrib/portage.te
index 2e8ab9e..2f62eb6 100644
--- a/policy/modules/contrib/portage.te
+++ b/policy/modules/contrib/portage.te
@@ -375,6 +375,13 @@ ifdef(`distro_gentoo',`
## </desc>
gen_tunable(portage_mount_fs, false)
+## <desc>
+## <p>
+## Extra rules which are sometimes needed when FEATURES=test is enabled
+## </p>
+## </desc>
+gen_tunable(portage_enable_test, false)
+
##########################################
#
@@ -388,7 +395,7 @@ gen_tunable(portage_mount_fs, false)
attribute portage_eselect_domain;
##########################################
- #
+ #
# Portage fetch local policy
#
@@ -476,6 +483,13 @@ gen_tunable(portage_mount_fs, false)
# install-xattr does listxattr() which throws a lot of this
dontaudit portage_sandbox_t self:capability sys_admin;
+ tunable_policy(`portage_enable_test',`
+ # lots of tests connect over loopback
+ corenet_tcp_bind_generic_node(portage_sandbox_t)
+ corenet_tcp_bind_all_unreserved_ports(portage_sandbox_t)
+ corenet_tcp_connect_all_unreserved_ports(portage_sandbox_t)
+ ')
+
##########################################
#
# Portage eselect module domain
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-07-13 21:45 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-07-13 21:45 UTC (permalink / raw
To: gentoo-commits
commit: c4b26faf064b20ca42e230b0192fcf08430a5fe5
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Jul 11 14:56:08 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Jul 13 21:43:34 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c4b26faf
Introduce policy for subsonic music server
policy/modules/contrib/subsonic.fc | 6 +++++
policy/modules/contrib/subsonic.if | 1 +
policy/modules/contrib/subsonic.te | 48 ++++++++++++++++++++++++++++++++++++++
3 files changed, 55 insertions(+)
diff --git a/policy/modules/contrib/subsonic.fc b/policy/modules/contrib/subsonic.fc
new file mode 100644
index 0000000..b1d2550
--- /dev/null
+++ b/policy/modules/contrib/subsonic.fc
@@ -0,0 +1,6 @@
+
+/usr/bin/subsonic -- gen_context(system_u:object_r:subsonic_exec_t,s0)
+
+/var/lib/subsonic(/.*)? gen_context(system_u:object_r:subsonic_var_lib_t,s0)
+
+/var/run/subsonic(/.*)? gen_context(system_u:object_r:subsonic_run_t,s0)
diff --git a/policy/modules/contrib/subsonic.if b/policy/modules/contrib/subsonic.if
new file mode 100644
index 0000000..97e7342
--- /dev/null
+++ b/policy/modules/contrib/subsonic.if
@@ -0,0 +1 @@
+## <summary>Subsonic Music Streaming Server</summary>
diff --git a/policy/modules/contrib/subsonic.te b/policy/modules/contrib/subsonic.te
new file mode 100644
index 0000000..cb0c5ac
--- /dev/null
+++ b/policy/modules/contrib/subsonic.te
@@ -0,0 +1,48 @@
+policy_module(subsonic, 0.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type subsonic_t;
+type subsonic_exec_t;
+init_daemon_domain(subsonic_t, subsonic_exec_t)
+
+type subsonic_var_lib_t;
+files_type(subsonic_var_lib_t)
+
+type subsonic_run_t;
+files_pid_file(subsonic_run_t)
+
+##############################
+#
+# Subsonic local policy
+#
+
+allow subsonic_t self:tcp_socket listen;
+
+java_domain_type(subsonic_t)
+
+kernel_dontaudit_list_all_proc(subsonic_t)
+
+manage_dirs_pattern(subsonic_t, subsonic_run_t, subsonic_run_t)
+manage_files_pattern(subsonic_t, subsonic_run_t, subsonic_run_t)
+files_pid_filetrans(subsonic_t, subsonic_run_t, dir)
+
+manage_dirs_pattern(subsonic_t, subsonic_var_lib_t, subsonic_var_lib_t)
+manage_files_pattern(subsonic_t, subsonic_var_lib_t, subsonic_var_lib_t)
+files_var_lib_filetrans(subsonic_t, subsonic_var_lib_t, dir)
+
+corecmd_exec_bin(subsonic_t)
+corecmd_exec_shell(subsonic_t)
+
+corenet_tcp_bind_all_unreserved_ports(subsonic_t)
+corenet_tcp_bind_generic_node(subsonic_t)
+corenet_tcp_connect_http_port(subsonic_t)
+
+domain_use_interactive_fds(subsonic_t)
+
+optional_policy(`
+ miscfiles_read_public_files(subsonic_t)
+')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-07-13 21:45 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-07-13 21:45 UTC (permalink / raw
To: gentoo-commits
commit: 430ece6c0478072338d29aaff7f9d842c77b35b6
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Jul 11 18:41:39 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Jul 13 21:43:34 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=430ece6c
sysstat: exec shell and read logs
The cron entry runs a shell script and needs to be able to manage its
logs
type=AVC msg=audit(1436639401.545:833311): avc: denied { read } for pid=10340 comm="sa1" path="/bin/bash" dev="md3" ino=14263160 scontext=system_u:system_r:sysstat_t tcontext=system_u:object_r:shell_exec_t tclass=file
type=AVC msg=audit(1436639401.549:833312): avc: denied { read } for pid=10340 comm="sadc" name="sa12" dev="md3" ino=9183233 scontext=system_u:system_r:sysstat_t tcontext=system_u:object_r:sysstat_log_t tclass=file
type=AVC msg=audit(1436716381.830:836456): avc: denied { write } for pid=31504 comm="sa2" path="/var/log/sa/sar12" dev="md3" ino=9183238 scontext=system_u:system_r:sysstat_t tcontext=system_u:object_r:sysstat_log_t tclass=file
type=AVC msg=audit(1436716381.909:836457): avc: denied { unlink } for pid=31506 comm="rm" name="sar20" dev="md3" ino=9183237 scontext=system_u:system_r:sysstat_t tcontext=system_u:object_r:sysstat_log_t tclass=file
policy/modules/contrib/sysstat.te | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/policy/modules/contrib/sysstat.te b/policy/modules/contrib/sysstat.te
index fd167ee..c4af8d9 100644
--- a/policy/modules/contrib/sysstat.te
+++ b/policy/modules/contrib/sysstat.te
@@ -67,3 +67,8 @@ userdom_dontaudit_list_user_home_dirs(sysstat_t)
optional_policy(`
cron_system_entry(sysstat_t, sysstat_exec_t)
')
+
+ifdef(`distro_gentoo',`
+ corecmd_exec_shell(sysstat_t)
+ manage_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
+')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-07-13 20:59 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-07-13 20:59 UTC (permalink / raw
To: gentoo-commits
commit: 503297a9b5e11f5b898dfffc6194f95abe755b65
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Jul 13 20:57:26 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Jul 13 20:57:26 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=503297a9
ceph: fix require in ceph_admin()
policy/modules/contrib/ceph.if | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/policy/modules/contrib/ceph.if b/policy/modules/contrib/ceph.if
index 26db16f..c922531 100644
--- a/policy/modules/contrib/ceph.if
+++ b/policy/modules/contrib/ceph.if
@@ -64,9 +64,9 @@ template(`ceph_domain_template',`
#
interface(`ceph_admin',`
gen_require(`
- attribute cephdomain;
- attribute cephdata;
- type ceph_initrc_exec_t;
+ attribute cephdomain, cephdata;
+ type ceph_initrc_exec_t, ceph_log_t;
+ type ceph_conf_t, ceph_key_t;
')
allow $1 cephdomain:process { ptrace signal_perms };
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-07-13 17:42 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2015-07-13 17:42 UTC (permalink / raw
To: gentoo-commits
commit: e030706d32967b72aca1937437c3d81636f97f08
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon Jul 13 17:40:59 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Jul 13 17:40:59 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e030706d
Introduce Ceph policy
policy/modules/contrib/ceph.fc | 30 ++++++++++++
policy/modules/contrib/ceph.if | 104 +++++++++++++++++++++++++++++++++++++++++
policy/modules/contrib/ceph.te | 92 ++++++++++++++++++++++++++++++++++++
3 files changed, 226 insertions(+)
diff --git a/policy/modules/contrib/ceph.fc b/policy/modules/contrib/ceph.fc
new file mode 100644
index 0000000..1548b1e
--- /dev/null
+++ b/policy/modules/contrib/ceph.fc
@@ -0,0 +1,30 @@
+#
+# /etc
+#
+/etc/ceph(/.*)? gen_context(system_u:object_r:ceph_conf_t,s0)
+/etc/ceph/.*\.secret -- gen_context(system_u:object_r:ceph_key_t,s0)
+/etc/ceph/.*\.keyring -- gen_context(system_u:object_r:ceph_key_t,s0)
+/etc/rc\.d/init\.d/ceph.* gen_context(system_u:object_r:ceph_initrc_exec_t,s0)
+
+#
+# /usr
+#
+/usr/bin/ceph-mds -- gen_context(system_u:object_r:ceph_mds_exec_t,s0)
+/usr/bin/ceph-mon -- gen_context(system_u:object_r:ceph_mon_exec_t,s0)
+/usr/bin/ceph-osd -- gen_context(system_u:object_r:ceph_osd_exec_t,s0)
+
+#
+# /var
+#
+/var/lib/ceph(/.*)? gen_context(system_u:object_r:ceph_var_lib_t,s0)
+/var/lib/ceph/mds(/.*)? gen_context(system_u:object_r:ceph_mds_data_t,s0)
+/var/lib/ceph/mon(/.*)? gen_context(system_u:object_r:ceph_mon_data_t,s0)
+/var/lib/ceph/osd(/.*)? gen_context(system_u:object_r:ceph_osd_data_t,s0)
+
+/var/log/ceph(/.*)? gen_context(system_u:object_r:ceph_log_t,s0)
+
+/var/run/ceph -d gen_context(system_u:object_r:ceph_var_run_t,s0)
+/var/run/ceph/ceph-osd.* gen_context(system_u:object_r:ceph_osd_var_run_t,s0)
+/var/run/ceph/ceph-mon.* gen_context(system_u:object_r:ceph_mon_var_run_t,s0)
+/var/run/ceph/ceph-mds.* gen_context(system_u:object_r:ceph_mds_var_run_t,s0)
+/var/run/ceph/mds.* -- gen_context(system_u:object_r:ceph_mds_var_run_t,s0)
diff --git a/policy/modules/contrib/ceph.if b/policy/modules/contrib/ceph.if
new file mode 100644
index 0000000..26db16f
--- /dev/null
+++ b/policy/modules/contrib/ceph.if
@@ -0,0 +1,104 @@
+## <summary>Ceph distributed object storage</summary>
+
+#########################################
+## <summary>
+## Create the individual Ceph domains
+## </summary>
+## <param name="cephdaemon">
+## <summary>
+## The daemon (osd, mds or mon) for which the rules are created
+## </summary>
+## </param>
+#
+template(`ceph_domain_template',`
+ gen_require(`
+ attribute cephdomain;
+ attribute cephdata;
+ attribute cephpidfile;
+ attribute_role ceph_roles;
+
+ type ceph_var_run_t;
+ ')
+
+ type ceph_$1_t, cephdomain;
+ type ceph_$1_exec_t;
+ init_system_domain(ceph_$1_t, ceph_$1_exec_t)
+ role ceph_roles types ceph_$1_t;
+
+ type ceph_$1_data_t, cephdata;
+ files_type(ceph_$1_data_t)
+
+ type ceph_$1_var_run_t, cephpidfile;
+ files_pid_file(ceph_$1_var_run_t)
+
+ ########################################
+ #
+ # Local policy
+ #
+ # Rules which cannot be made part of the domain
+
+ allow ceph_$1_t ceph_$1_var_run_t:file manage_file_perms;
+ allow ceph_$1_t ceph_$1_var_run_t:sock_file manage_file_perms;
+ allow ceph_$1_t ceph_$1_data_t:dir manage_dir_perms;
+ allow ceph_$1_t ceph_$1_data_t:file manage_file_perms;
+
+ filetrans_pattern(ceph_$1_t, ceph_var_run_t, ceph_$1_var_run_t, { file sock_file })
+
+ files_var_lib_filetrans(ceph_$1_t, ceph_$1_data_t, { file dir })
+')
+
+#########################################
+## <summary>
+## Administrative access for Ceph
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`ceph_admin',`
+ gen_require(`
+ attribute cephdomain;
+ attribute cephdata;
+ type ceph_initrc_exec_t;
+ ')
+
+ allow $1 cephdomain:process { ptrace signal_perms };
+ ps_process_pattern($1, cephdomain)
+
+ init_startstop_service($1, $2, cephdomain, ceph_initrc_exec_t)
+ allow $1 ceph_initrc_exec_t:lnk_file read_lnk_file_perms;
+ allow $1 ceph_initrc_exec_t:file read_file_perms;
+
+ files_list_etc($1)
+ admin_pattern($1, ceph_conf_t)
+ admin_pattern($1, ceph_key_t)
+
+ admin_pattern($1, cephdata)
+
+ admin_pattern($1, ceph_log_t)
+')
+
+#########################################
+## <summary>
+## Read Ceph key files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`ceph_read_key',`
+ gen_require(`
+ type ceph_key_t;
+ ')
+
+ allow $1 ceph_key_t:file read_file_perms;
+')
diff --git a/policy/modules/contrib/ceph.te b/policy/modules/contrib/ceph.te
new file mode 100644
index 0000000..9704dd4
--- /dev/null
+++ b/policy/modules/contrib/ceph.te
@@ -0,0 +1,92 @@
+policy_module(ceph, 1.0)
+
+attribute_role ceph_roles;
+
+# Attribute for all ceph runtime domains (not clients)
+attribute cephdomain;
+
+# Attribute for the ceph runtime daemon data
+attribute cephdata;
+
+# Attribute for the ceph pidfile data
+attribute cephpidfile;
+
+# Init support
+type ceph_initrc_exec_t;
+init_script_file(ceph_initrc_exec_t)
+
+type ceph_conf_t;
+files_config_file(ceph_conf_t)
+
+# Private / shared keys for cephx support
+type ceph_key_t;
+files_type(ceph_key_t)
+
+type ceph_log_t;
+logging_log_file(ceph_log_t)
+
+type ceph_var_lib_t;
+files_type(ceph_var_lib_t)
+
+type ceph_var_run_t;
+files_pid_file(ceph_var_run_t)
+
+#########################################
+#
+# General Ceph domain rules
+#
+
+ceph_domain_template(osd)
+ceph_domain_template(mds)
+ceph_domain_template(mon)
+
+allow cephdomain self:fifo_file rw_file_perms;
+
+read_files_pattern(cephdomain, ceph_conf_t, { ceph_conf_t ceph_key_t })
+allow cephdomain ceph_log_t:dir manage_dir_perms;
+allow cephdomain ceph_log_t:file { create_file_perms rw_file_perms };
+allow cephdomain ceph_var_lib_t:dir search_dir_perms;
+allow cephdomain self:netlink_route_socket { rw_netlink_socket_perms };
+allow cephdomain self:tcp_socket { create_socket_perms listen accept };
+allow cephdomain ceph_var_run_t:file manage_file_perms;
+allow cephdomain ceph_var_run_t:dir manage_dir_perms;
+
+kernel_read_system_state(cephdomain)
+
+corenet_tcp_bind_generic_node(cephdomain)
+corenet_tcp_bind_all_unreserved_ports(cephdomain)
+corenet_tcp_connect_all_unreserved_ports(cephdomain)
+
+files_read_etc_files(cephdomain)
+files_search_pids(cephdomain)
+files_search_var_lib(cephdomain)
+files_pid_filetrans(cephdomain, ceph_var_run_t, dir)
+
+fs_getattr_all_fs(cephdomain)
+
+logging_search_logs(cephdomain)
+
+miscfiles_read_localization(cephdomain)
+
+init_use_script_ptys(cephdomain)
+
+
+#########################################
+#
+# Local OSD policy
+#
+
+corecmd_exec_shell(ceph_osd_t)
+
+
+#########################################
+#
+# Local MDS policy
+#
+
+
+#########################################
+#
+# Local MON policy
+#
+
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2015-07-11 14:09 Sven Vermeulen
2015-07-01 17:11 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
0 siblings, 1 reply; 1958+ messages in thread
From: Sven Vermeulen @ 2015-07-11 14:09 UTC (permalink / raw
To: gentoo-commits
commit: 66e018165d78d4128923e5211b7d63137ac121e6
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Jul 1 17:11:05 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Jul 1 17:11:05 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=66e01816
Recent salt-minion require setsched/getsched and sys_nice, otherwise process just stalls and cannot be connected to by the master
policy/modules/contrib/salt.te | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te
index 554e927..89995ce 100644
--- a/policy/modules/contrib/salt.te
+++ b/policy/modules/contrib/salt.te
@@ -207,9 +207,9 @@ tunable_policy(`salt_master_read_nfs',`
# salt_minion_t policy
#
-allow salt_minion_t self:capability { fsetid chown dac_override dac_read_search net_admin setgid setuid sys_admin sys_tty_config };
+allow salt_minion_t self:capability { fsetid chown dac_override dac_read_search net_admin setgid setuid sys_admin sys_nice sys_tty_config };
allow salt_minion_t self:capability2 block_suspend;
-allow salt_minion_t self:process { signal signull };
+allow salt_minion_t self:process { getsched setsched signal signull };
allow salt_minion_t self:tcp_socket create_stream_socket_perms;
allow salt_minion_t self:udp_socket create_socket_perms;
allow salt_minion_t self:unix_dgram_socket create_socket_perms;
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2015-07-11 14:09 [gentoo-commits] proj/hardened-refpolicy:swift " Sven Vermeulen
@ 2015-07-01 17:11 ` Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2015-07-01 17:11 UTC (permalink / raw
To: gentoo-commits
commit: 66e018165d78d4128923e5211b7d63137ac121e6
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Jul 1 17:11:05 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Jul 1 17:11:05 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=66e01816
Recent salt-minion require setsched/getsched and sys_nice, otherwise process just stalls and cannot be connected to by the master
policy/modules/contrib/salt.te | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te
index 554e927..89995ce 100644
--- a/policy/modules/contrib/salt.te
+++ b/policy/modules/contrib/salt.te
@@ -207,9 +207,9 @@ tunable_policy(`salt_master_read_nfs',`
# salt_minion_t policy
#
-allow salt_minion_t self:capability { fsetid chown dac_override dac_read_search net_admin setgid setuid sys_admin sys_tty_config };
+allow salt_minion_t self:capability { fsetid chown dac_override dac_read_search net_admin setgid setuid sys_admin sys_nice sys_tty_config };
allow salt_minion_t self:capability2 block_suspend;
-allow salt_minion_t self:process { signal signull };
+allow salt_minion_t self:process { getsched setsched signal signull };
allow salt_minion_t self:tcp_socket create_stream_socket_perms;
allow salt_minion_t self:udp_socket create_socket_perms;
allow salt_minion_t self:unix_dgram_socket create_socket_perms;
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2015-07-11 14:09 Sven Vermeulen
2015-07-11 13:43 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
0 siblings, 1 reply; 1958+ messages in thread
From: Sven Vermeulen @ 2015-07-11 14:09 UTC (permalink / raw
To: gentoo-commits
commit: e65a2857d90b4c7be249a89b7571e3a2215d9111
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Jul 11 13:43:52 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Jul 11 13:43:52 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e65a2857
Fix typo
policy/modules/contrib/salt.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te
index 00d1931..ab19bf7 100644
--- a/policy/modules/contrib/salt.te
+++ b/policy/modules/contrib/salt.te
@@ -101,7 +101,7 @@ files_pid_file(salt_var_run_t)
allow salt_master_t self:capability { net_admin sys_admin sys_tty_config };
allow salt_master_t self:capability2 block_suspend;
-allow salt_master_t self:process { getsched setschd signal };
+allow salt_master_t self:process { getsched setsched signal };
allow salt_master_t self:tcp_socket create_stream_socket_perms;
allow salt_master_t self:udp_socket create_socket_perms;
allow salt_master_t self:fifo_file rw_fifo_file_perms;
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2015-07-11 14:09 [gentoo-commits] proj/hardened-refpolicy:swift " Sven Vermeulen
@ 2015-07-11 13:43 ` Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2015-07-11 13:43 UTC (permalink / raw
To: gentoo-commits
commit: e65a2857d90b4c7be249a89b7571e3a2215d9111
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Jul 11 13:43:52 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Jul 11 13:43:52 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e65a2857
Fix typo
policy/modules/contrib/salt.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te
index 00d1931..ab19bf7 100644
--- a/policy/modules/contrib/salt.te
+++ b/policy/modules/contrib/salt.te
@@ -101,7 +101,7 @@ files_pid_file(salt_var_run_t)
allow salt_master_t self:capability { net_admin sys_admin sys_tty_config };
allow salt_master_t self:capability2 block_suspend;
-allow salt_master_t self:process { getsched setschd signal };
+allow salt_master_t self:process { getsched setsched signal };
allow salt_master_t self:tcp_socket create_stream_socket_perms;
allow salt_master_t self:udp_socket create_socket_perms;
allow salt_master_t self:fifo_file rw_fifo_file_perms;
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2015-07-11 14:09 Sven Vermeulen
2015-07-07 14:39 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
0 siblings, 1 reply; 1958+ messages in thread
From: Sven Vermeulen @ 2015-07-11 14:09 UTC (permalink / raw
To: gentoo-commits
commit: 1fe4a68fc6e8a979fb6db744109500bf32f8283b
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Jul 7 14:38:57 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Jul 7 14:38:57 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1fe4a68f
Salt minion uses blkid for mount info
To view the mount state information, salt minion calls the blkid binary.
policy/modules/contrib/salt.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te
index 576d424..00d1931 100644
--- a/policy/modules/contrib/salt.te
+++ b/policy/modules/contrib/salt.te
@@ -284,6 +284,8 @@ files_manage_all_non_security_file_types(salt_minion_t)
fs_getattr_all_fs(salt_minion_t)
+fstools_domtrans(salt_minion_t)
+
getty_use_fds(salt_minion_t)
init_exec_rc(salt_minion_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-07-07 14:12 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2015-07-07 14:12 UTC (permalink / raw
To: gentoo-commits
commit: 68f348699a16ed79e25f29fc78a6e6a14c02b275
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Jul 7 14:11:38 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Jul 7 14:11:38 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=68f34869
Add setsched/getsched to salt_master_t
The salt master daemon also requires the getsched/setsched permissions
(like added for salt_minion_t in the past) as otherwise the master
daemon is defunct and all connections to it are stalled.
policy/modules/contrib/salt.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te
index 89995ce..576d424 100644
--- a/policy/modules/contrib/salt.te
+++ b/policy/modules/contrib/salt.te
@@ -101,7 +101,7 @@ files_pid_file(salt_var_run_t)
allow salt_master_t self:capability { net_admin sys_admin sys_tty_config };
allow salt_master_t self:capability2 block_suspend;
-allow salt_master_t self:process signal;
+allow salt_master_t self:process { getsched setschd signal };
allow salt_master_t self:tcp_socket create_stream_socket_perms;
allow salt_master_t self:udp_socket create_socket_perms;
allow salt_master_t self:fifo_file rw_fifo_file_perms;
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-07-02 18:07 Jason Zaman
2015-07-02 17:07 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2015-07-02 18:07 UTC (permalink / raw
To: gentoo-commits
commit: dfac21413962d786be190c1cc9063ee00ea76001
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Jul 2 17:05:54 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Jul 2 17:07:04 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=dfac2141
android: dontaudit because it is noisy in /proc
policy/modules/contrib/android.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/contrib/android.te b/policy/modules/contrib/android.te
index 08f3c83..a76061f 100644
--- a/policy/modules/contrib/android.te
+++ b/policy/modules/contrib/android.te
@@ -91,6 +91,8 @@ corenet_tcp_connect_adb_port(android_tools_t)
corenet_tcp_connect_http_port(android_tools_t)
corenet_udp_bind_generic_node(android_java_t)
+domain_dontaudit_getattr_all_domains(android_java_t)
+
miscfiles_read_fonts(android_java_t)
miscfiles_read_localization(android_java_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-07-02 18:07 Jason Zaman
2015-07-02 17:07 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2015-07-02 18:07 UTC (permalink / raw
To: gentoo-commits
commit: ebfa09de178fd10f0b853b65548a255aaa3a777f
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Jun 20 12:11:18 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Jul 2 17:07:04 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ebfa09de
consolekit: needs to be able to chown dev nodes
policy/modules/contrib/consolekit.te | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/policy/modules/contrib/consolekit.te b/policy/modules/contrib/consolekit.te
index 050c5c5..a7506c1 100644
--- a/policy/modules/contrib/consolekit.te
+++ b/policy/modules/contrib/consolekit.te
@@ -147,3 +147,12 @@ optional_policy(`
optional_policy(`
unconfined_stream_connect(consolekit_t)
')
+
+ifdef(`distro_gentoo',`
+ # consolekit needs to be able to chown /dev nodes when logging in
+ dev_setattr_all_chr_files(consolekit_t)
+
+ optional_policy(`
+ udev_read_pid_files(consolekit_t)
+ ')
+')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-07-02 17:07 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-07-02 17:07 UTC (permalink / raw
To: gentoo-commits
commit: c9df4e6221b8f12d1683350b6a729837e3f22ddc
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Jun 20 13:01:05 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Jul 2 17:07:04 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c9df4e62
consolekit: add suspend perms for ConsoleKit2
policy/modules/contrib/consolekit.te | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/policy/modules/contrib/consolekit.te b/policy/modules/contrib/consolekit.te
index a7506c1..1adb72e 100644
--- a/policy/modules/contrib/consolekit.te
+++ b/policy/modules/contrib/consolekit.te
@@ -155,4 +155,10 @@ ifdef(`distro_gentoo',`
optional_policy(`
udev_read_pid_files(consolekit_t)
')
+
+ # needs to write to sys for suspend
+ dev_rw_sysfs(consolekit_t)
+ optional_policy(`
+ devicekit_manage_log_files(consolekit_t)
+ ')
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-06-27 15:03 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2015-06-27 15:03 UTC (permalink / raw
To: gentoo-commits
commit: ffab4e60223f7e4c8a8fbb2995a4c468e902a278
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Jun 27 15:02:57 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Jun 27 15:02:57 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ffab4e60
Gentoo has chronyd keyfile by default in /etc/chrony/
policy/modules/contrib/chronyd.fc | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/chronyd.fc b/policy/modules/contrib/chronyd.fc
index 4e4143e..fd5fbbb 100644
--- a/policy/modules/contrib/chronyd.fc
+++ b/policy/modules/contrib/chronyd.fc
@@ -11,3 +11,7 @@
/var/run/chronyd(/.*) gen_context(system_u:object_r:chronyd_var_run_t,s0)
/var/run/chronyd\.pid -- gen_context(system_u:object_r:chronyd_var_run_t,s0)
/var/run/chronyd\.sock -s gen_context(system_u:object_r:chronyd_var_run_t,s0)
+
+ifdef(`distro_gentoo',`
+/etc/chrony/chrony\.keys -- gen_context(system_u:object_r:chronyd_keys_t,s0)
+')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-06-11 16:08 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2015-06-11 16:08 UTC (permalink / raw
To: gentoo-commits
commit: 6315a80f5f47dda2fd6427b68db062b838e954c9
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Jun 11 16:04:06 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Jun 11 16:04:06 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6315a80f
Add manage interfaces for XDG documents, pictures and music
policy/modules/contrib/xdg.if | 57 +++++++++++++++++++++++++++++++++++++++++++
1 file changed, 57 insertions(+)
diff --git a/policy/modules/contrib/xdg.if b/policy/modules/contrib/xdg.if
index 2bf63c9..55747d3 100644
--- a/policy/modules/contrib/xdg.if
+++ b/policy/modules/contrib/xdg.if
@@ -1141,6 +1141,63 @@ interface(`xdg_relabel_all_runtime_home',`
#########################################
## <summary>
+## Manage documents content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`xdg_manage_documents_home',`
+ gen_require(`
+ type xdg_documents_home_t;
+ ')
+
+ manage_dirs_pattern($1, xdg_documents_home_t, xdg_documents_home_t)
+ manage_files_pattern($1, xdg_documents_home_t, xdg_documents_home_t)
+')
+
+#########################################
+## <summary>
+## Manage music content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`xdg_manage_music_home',`
+ gen_require(`
+ type xdg_music_home_t;
+ ')
+
+ manage_dirs_pattern($1, xdg_music_home_t, xdg_music_home_t)
+ manage_files_pattern($1, xdg_music_home_t, xdg_music_home_t)
+')
+
+#########################################
+## <summary>
+## Manage pictures content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`xdg_manage_pictures_home',`
+ gen_require(`
+ type xdg_pictures_home_t;
+ ')
+
+ manage_dirs_pattern($1, xdg_pictures_home_t, xdg_pictures_home_t)
+ manage_files_pattern($1, xdg_pictures_home_t, xdg_pictures_home_t)
+')
+
+#########################################
+## <summary>
## Manage video content
## </summary>
## <param name="domain">
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2015-06-11 16:04 Sven Vermeulen
2015-06-09 14:04 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
0 siblings, 1 reply; 1958+ messages in thread
From: Sven Vermeulen @ 2015-06-11 16:04 UTC (permalink / raw
To: gentoo-commits
commit: 0f123fb70ecdda06fdd36db9471b2f3fb9f0d2e6
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Jun 9 14:03:54 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Jun 9 14:03:54 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0f123fb7
Allow logrotate to call fail2ban-client (as installed by fail2ban package)
policy/modules/contrib/logrotate.te | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/policy/modules/contrib/logrotate.te b/policy/modules/contrib/logrotate.te
index 62b05af..7b302cc 100644
--- a/policy/modules/contrib/logrotate.te
+++ b/policy/modules/contrib/logrotate.te
@@ -251,3 +251,8 @@ allow logrotate_mail_t logrotate_t:process sigchld;
manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t)
logging_read_all_logs(logrotate_mail_t)
+
+ifdef(`distro_gentoo',`
+ # Fix bug 534256 - fail2ban installs a logrotate file that calls fail2ban-client so allow transition
+ fail2ban_domtrans_client(logrotate_t)
+')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-06-09 14:25 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2015-06-09 14:25 UTC (permalink / raw
To: gentoo-commits
commit: 746aaebf667236d83d3c427392b2d97c06fc8c59
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Jun 9 14:25:38 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Jun 9 14:25:38 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=746aaebf
Make fail2ban call an optional one
policy/modules/contrib/logrotate.te | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/logrotate.te b/policy/modules/contrib/logrotate.te
index 7b302cc..311defd 100644
--- a/policy/modules/contrib/logrotate.te
+++ b/policy/modules/contrib/logrotate.te
@@ -254,5 +254,7 @@ logging_read_all_logs(logrotate_mail_t)
ifdef(`distro_gentoo',`
# Fix bug 534256 - fail2ban installs a logrotate file that calls fail2ban-client so allow transition
- fail2ban_domtrans_client(logrotate_t)
+ optional_policy(`
+ fail2ban_domtrans_client(logrotate_t)
+ ')
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-06-09 13:59 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2015-06-09 13:59 UTC (permalink / raw
To: gentoo-commits
commit: 282c67cd689d85ddd0f9f0496a2411b67bb50527
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Jun 9 13:26:55 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Jun 9 13:34:30 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=282c67cd
Fail2ban smoketest fixes
This partially fixes some of the reported issues in bug #534256. More
specifically, fail2ban fails to start because
- fail2ban-client is invoked from the service and checks if it has write
privileges on /run/fail2ban (although it does not by itself use it
further).
- fail2ban init script creates /run/fail2ban so a file transition is
needed
- output should be captured when an init script is used, hence allow
fail2ban_client_t access to the initrc script ptys.
X-Gentoo-Bug: 534256
policy/modules/contrib/fail2ban.te | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/policy/modules/contrib/fail2ban.te b/policy/modules/contrib/fail2ban.te
index 6b9fb7e..bc6bd8e 100644
--- a/policy/modules/contrib/fail2ban.te
+++ b/policy/modules/contrib/fail2ban.te
@@ -159,6 +159,12 @@ ifdef(`distro_gentoo',`
# Python compilation
files_dontaudit_write_usr_dirs(fail2ban_t)
+
+ # Fix bug 534256 - Startup fails without these
+ allow fail2ban_client_t fail2ban_var_run_t:dir write;
+
+ init_daemon_pid_file(fail2ban_var_run_t, dir, "fail2ban")
+ init_use_script_ptys(fail2ban_client_t)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-06-09 13:33 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-06-09 13:33 UTC (permalink / raw
To: gentoo-commits
commit: a5810838a5c032385f8231cd9942f808a0ccf36c
Author: Dominick Grift <dac.override <AT> gmail <DOT> com>
AuthorDate: Mon Jun 8 19:59:07 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Jun 9 13:06:31 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a5810838
Module version bumps for "Remove run interface calls from admin interfaces" changes by Jason Zaman.
policy/modules/contrib/bacula.te | 2 +-
policy/modules/contrib/bind.te | 2 +-
policy/modules/contrib/kudzu.te | 2 +-
policy/modules/contrib/portmap.te | 2 +-
policy/modules/contrib/quota.te | 2 +-
policy/modules/contrib/raid.te | 2 +-
policy/modules/contrib/rpm.te | 2 +-
policy/modules/contrib/samba.te | 2 +-
8 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/policy/modules/contrib/bacula.te b/policy/modules/contrib/bacula.te
index 5c9e2d9..a69da67 100644
--- a/policy/modules/contrib/bacula.te
+++ b/policy/modules/contrib/bacula.te
@@ -1,4 +1,4 @@
-policy_module(bacula, 1.2.1)
+policy_module(bacula, 1.2.2)
########################################
#
diff --git a/policy/modules/contrib/bind.te b/policy/modules/contrib/bind.te
index 45ed04f..dd8f70d 100644
--- a/policy/modules/contrib/bind.te
+++ b/policy/modules/contrib/bind.te
@@ -1,4 +1,4 @@
-policy_module(bind, 1.15.1)
+policy_module(bind, 1.15.2)
########################################
#
diff --git a/policy/modules/contrib/kudzu.te b/policy/modules/contrib/kudzu.te
index 107f652..915a88a 100644
--- a/policy/modules/contrib/kudzu.te
+++ b/policy/modules/contrib/kudzu.te
@@ -1,4 +1,4 @@
-policy_module(kudzu, 1.10.1)
+policy_module(kudzu, 1.10.2)
########################################
#
diff --git a/policy/modules/contrib/portmap.te b/policy/modules/contrib/portmap.te
index 3ba2179..94500e6 100644
--- a/policy/modules/contrib/portmap.te
+++ b/policy/modules/contrib/portmap.te
@@ -1,4 +1,4 @@
-policy_module(portmap, 1.11.1)
+policy_module(portmap, 1.11.2)
########################################
#
diff --git a/policy/modules/contrib/quota.te b/policy/modules/contrib/quota.te
index 5a92a2c..45d9ca7 100644
--- a/policy/modules/contrib/quota.te
+++ b/policy/modules/contrib/quota.te
@@ -1,4 +1,4 @@
-policy_module(quota, 1.7.1)
+policy_module(quota, 1.7.2)
########################################
#
diff --git a/policy/modules/contrib/raid.te b/policy/modules/contrib/raid.te
index 6f96e98..dfe62e3 100644
--- a/policy/modules/contrib/raid.te
+++ b/policy/modules/contrib/raid.te
@@ -1,4 +1,4 @@
-policy_module(raid, 1.14.1)
+policy_module(raid, 1.14.2)
########################################
#
diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te
index e56f892..de5c91f 100644
--- a/policy/modules/contrib/rpm.te
+++ b/policy/modules/contrib/rpm.te
@@ -1,4 +1,4 @@
-policy_module(rpm, 1.17.1)
+policy_module(rpm, 1.17.2)
########################################
#
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
index 2e782c5..45f2b36 100644
--- a/policy/modules/contrib/samba.te
+++ b/policy/modules/contrib/samba.te
@@ -1,4 +1,4 @@
-policy_module(samba, 1.17.1)
+policy_module(samba, 1.17.2)
#################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-06-09 13:33 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-06-09 13:33 UTC (permalink / raw
To: gentoo-commits
commit: 049db179d5652a69cc90ee89fec2a6d6f2899f95
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Jun 8 19:14:24 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Jun 9 13:06:31 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=049db179
Remove _run() interfaces from _admin()
Both cannot be applied to a type so removing _run from _admin
means things are a lot more flexible.
policy/modules/contrib/bacula.if | 2 --
policy/modules/contrib/bind.if | 2 --
policy/modules/contrib/kudzu.if | 2 --
policy/modules/contrib/portmap.if | 2 --
policy/modules/contrib/quota.if | 2 --
policy/modules/contrib/raid.if | 2 --
policy/modules/contrib/rpm.if | 2 --
policy/modules/contrib/samba.if | 5 -----
8 files changed, 19 deletions(-)
diff --git a/policy/modules/contrib/bacula.if b/policy/modules/contrib/bacula.if
index 18ad480..eba3f1c 100644
--- a/policy/modules/contrib/bacula.if
+++ b/policy/modules/contrib/bacula.if
@@ -90,6 +90,4 @@ interface(`bacula_admin',`
files_search_pids($1)
admin_pattern($1, bacula_var_run_t)
-
- bacula_run_admin($1, $2)
')
diff --git a/policy/modules/contrib/bind.if b/policy/modules/contrib/bind.if
index 9654435..1e974ca 100644
--- a/policy/modules/contrib/bind.if
+++ b/policy/modules/contrib/bind.if
@@ -386,6 +386,4 @@ interface(`bind_admin',`
files_list_pids($1)
admin_pattern($1, named_var_run_t)
-
- bind_run_ndc($1, $2)
')
diff --git a/policy/modules/contrib/kudzu.if b/policy/modules/contrib/kudzu.if
index 993e152..85214c5 100644
--- a/policy/modules/contrib/kudzu.if
+++ b/policy/modules/contrib/kudzu.if
@@ -96,6 +96,4 @@ interface(`kudzu_admin',`
files_search_pids($1)
admin_pattern($1, kudzu_var_run_t)
-
- kudzu_run($1, $2)
')
diff --git a/policy/modules/contrib/portmap.if b/policy/modules/contrib/portmap.if
index 61e1a12..f0af3fe 100644
--- a/policy/modules/contrib/portmap.if
+++ b/policy/modules/contrib/portmap.if
@@ -121,6 +121,4 @@ interface(`portmap_admin',`
files_search_tmp($1)
admin_pattern($1, portmap_tmp_t)
-
- portmap_run_helper($1, $2)
')
diff --git a/policy/modules/contrib/quota.if b/policy/modules/contrib/quota.if
index c2a5ef4..6f8a925 100644
--- a/policy/modules/contrib/quota.if
+++ b/policy/modules/contrib/quota.if
@@ -188,6 +188,4 @@ interface(`quota_admin',`
files_list_all($1)
admin_pattern($1, { quota_db_t quota_flag_t quota_nld_var_run_t })
-
- quota_run($1, $2)
')
diff --git a/policy/modules/contrib/raid.if b/policy/modules/contrib/raid.if
index 6d98a94..091c805 100644
--- a/policy/modules/contrib/raid.if
+++ b/policy/modules/contrib/raid.if
@@ -95,6 +95,4 @@ interface(`raid_admin_mdadm',`
files_search_pids($1)
admin_pattern($1, mdadm_var_run_t)
-
- raid_run_mdadm($2, $1)
')
diff --git a/policy/modules/contrib/rpm.if b/policy/modules/contrib/rpm.if
index 3ff41b3..2344edd 100644
--- a/policy/modules/contrib/rpm.if
+++ b/policy/modules/contrib/rpm.if
@@ -658,6 +658,4 @@ interface(`rpm_admin',`
fs_search_tmpfs($1)
admin_pattern($1, { rpm_tmpfs_t rpm_script_tmpfs_t })
-
- rpm_run($1, $2)
')
diff --git a/policy/modules/contrib/samba.if b/policy/modules/contrib/samba.if
index dfc606e..f30e31d 100644
--- a/policy/modules/contrib/samba.if
+++ b/policy/modules/contrib/samba.if
@@ -714,9 +714,4 @@ interface(`samba_admin',`
files_list_tmp($1)
admin_pattern($1, { swat_tmp_t smbd_tmp_t winbind_tmp_t })
-
- samba_run_smbcontrol($1, $2)
- samba_run_winbind_helper($1, $2)
- samba_run_smbmount($1, $2)
- samba_run_net($1, $2)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-05-30 16:15 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-05-30 16:15 UTC (permalink / raw
To: gentoo-commits
commit: d4afeed432628ed87eb86e305d80b982751edcab
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat May 30 15:52:25 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat May 30 16:00:29 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d4afeed4
Add KDEConnect policy
Thanks to Dan O. and a few minor fixups.
Gentoo bug 536672
policy/modules/contrib/kdeconnect.fc | 1 +
policy/modules/contrib/kdeconnect.if | 97 +++++++++++++++++++++++++++++
policy/modules/contrib/kdeconnect.te | 114 +++++++++++++++++++++++++++++++++++
3 files changed, 212 insertions(+)
diff --git a/policy/modules/contrib/kdeconnect.fc b/policy/modules/contrib/kdeconnect.fc
new file mode 100644
index 0000000..797a7a0
--- /dev/null
+++ b/policy/modules/contrib/kdeconnect.fc
@@ -0,0 +1 @@
+/usr/lib/libexec/kdeconnectd -- gen_context(system_u:object_r:kdeconnect_exec_t,s0)
diff --git a/policy/modules/contrib/kdeconnect.if b/policy/modules/contrib/kdeconnect.if
new file mode 100644
index 0000000..f07be14
--- /dev/null
+++ b/policy/modules/contrib/kdeconnect.if
@@ -0,0 +1,97 @@
+## <summary>policy for kdeconnect</summary>
+
+########################################
+## <summary>
+## Execute kdeconnect in the kdeconnect domin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`kdeconnect_domtrans',`
+ gen_require(`
+ type kdeconnect_t, kdeconnect_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, kdeconnect_exec_t, kdeconnect_t)
+')
+
+########################################
+## <summary>
+## Execute kdeconnect in the kdeconnect domain, and
+## allow the specified role the kdeconnect domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the kdeconnect domain.
+## </summary>
+## </param>
+#
+interface(`kdeconnect_run',`
+ gen_require(`
+ type kdeconnect_t;
+ ')
+
+ kdeconnect_domtrans($1)
+ role $2 types kdeconnect_t;
+')
+
+########################################
+## <summary>
+## Role access for kdeconnect
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`kdeconnect_role',`
+ gen_require(`
+ type kdeconnect_t;
+ ')
+
+ role $1 types kdeconnect_t;
+
+ kdeconnect_domtrans($2)
+
+ allow $2 kdeconnect_t:unix_stream_socket connectto;
+ allow kdeconnect_t $2:unix_stream_socket { read write connectto };
+
+ ps_process_pattern($2, kdeconnect_t)
+ allow $2 kdeconnect_t:process { signull signal sigkill };
+')
+
+#########################################
+## <summary>
+## Send and receive messages from the kdeconnect daemon
+## over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kdeconnect_dbus_chat',`
+ gen_require(`
+ type kdeconnect_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 kdeconnect_t:dbus send_msg;
+ allow kdeconnect_t $1:dbus send_msg;
+')
diff --git a/policy/modules/contrib/kdeconnect.te b/policy/modules/contrib/kdeconnect.te
new file mode 100644
index 0000000..92be330
--- /dev/null
+++ b/policy/modules/contrib/kdeconnect.te
@@ -0,0 +1,114 @@
+policy_module(kdeconnect, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow KDEConnect to read user home files
+## </p>
+## </desc>
+gen_tunable(kdeconnect_read_user_files, true)
+
+type kdeconnect_t;
+type kdeconnect_exec_t;
+application_domain(kdeconnect_t, kdeconnect_exec_t)
+
+type kdeconnect_xdg_cache_home_t;
+xdg_cache_home_content(kdeconnect_xdg_cache_home_t)
+
+type kdeconnect_tmp_t;
+userdom_user_tmp_file(kdeconnect_tmp_t)
+
+type kdeconnect_xdg_config_home_t;
+xdg_config_home_content(kdeconnect_xdg_config_home_t)
+
+type kdeconnect_xdg_data_home_t;
+xdg_data_home_content(kdeconnect_xdg_data_home_t)
+
+type kdeconnect_tmpfs_t;
+userdom_user_tmpfs_file(kdeconnect_tmpfs_t)
+
+########################################
+#
+# kdeconnect local policy
+#
+
+allow kdeconnect_t self:fifo_file manage_fifo_file_perms;
+allow kdeconnect_t self:unix_stream_socket create_stream_socket_perms;
+allow kdeconnect_t self:unix_dgram_socket { write getopt create setopt };
+allow kdeconnect_t self:netlink_route_socket create_netlink_socket_perms;
+allow kdeconnect_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow kdeconnect_t self:tcp_socket create_stream_socket_perms;
+allow kdeconnect_t self:udp_socket create_stream_socket_perms;
+allow kdeconnect_t self:process { execmem signal };
+
+kernel_read_system_state(kdeconnect_t)
+
+manage_dirs_pattern(kdeconnect_t, kdeconnect_tmp_t, kdeconnect_tmp_t)
+manage_files_pattern(kdeconnect_t, kdeconnect_tmp_t, kdeconnect_tmp_t)
+files_tmp_filetrans(kdeconnect_t, kdeconnect_tmp_t, { dir file })
+
+manage_files_pattern(kdeconnect_t, kdeconnect_xdg_cache_home_t, kdeconnect_xdg_cache_home_t)
+manage_dirs_pattern(kdeconnect_t, kdeconnect_xdg_cache_home_t, kdeconnect_xdg_cache_home_t)
+xdg_cache_home_filetrans(kdeconnect_t, kdeconnect_xdg_cache_home_t, dir)
+
+manage_files_pattern(kdeconnect_t, kdeconnect_xdg_config_home_t, kdeconnect_xdg_config_home_t)
+manage_dirs_pattern(kdeconnect_t, kdeconnect_xdg_config_home_t, kdeconnect_xdg_config_home_t)
+xdg_config_home_filetrans(kdeconnect_t, kdeconnect_xdg_config_home_t, { dir file })
+
+manage_files_pattern(kdeconnect_t, kdeconnect_xdg_data_home_t, kdeconnect_xdg_data_home_t)
+manage_dirs_pattern(kdeconnect_t, kdeconnect_xdg_data_home_t, kdeconnect_xdg_data_home_t)
+xdg_data_home_filetrans(kdeconnect_t, kdeconnect_xdg_data_home_t, { dir file })
+
+manage_dirs_pattern(kdeconnect_t, kdeconnect_tmpfs_t, kdeconnect_tmpfs_t)
+manage_files_pattern(kdeconnect_t, kdeconnect_tmpfs_t, kdeconnect_tmpfs_t)
+fs_tmpfs_filetrans(kdeconnect_t, kdeconnect_tmpfs_t, { dir file })
+
+corenet_sendrecv_kdeconnect_client_packets(kdeconnect_t)
+corenet_sendrecv_kdeconnect_server_packets(kdeconnect_t)
+corenet_tcp_bind_kdeconnect_port(kdeconnect_t)
+corenet_tcp_bind_generic_node(kdeconnect_t)
+corenet_tcp_connect_kdeconnect_port(kdeconnect_t)
+corenet_tcp_sendrecv_kdeconnect_port(kdeconnect_t)
+corenet_udp_bind_kdeconnect_port(kdeconnect_t)
+corenet_udp_sendrecv_kdeconnect_port(kdeconnect_t)
+corenet_udp_bind_generic_node(kdeconnect_t)
+
+dev_read_sysfs(kdeconnect_t)
+domain_use_interactive_fds(kdeconnect_t)
+
+files_manage_generic_tmp_files(kdeconnect_t)
+files_read_etc_files(kdeconnect_t)
+files_read_usr_files(kdeconnect_t)
+fs_getattr_xattr_fs(kdeconnect_t)
+
+miscfiles_read_localization(kdeconnect_t)
+udev_read_db(kdeconnect_t)
+
+userdom_manage_user_tmp_files(kdeconnect_t)
+userdom_manage_user_tmp_sockets(kdeconnect_t)
+userdom_use_user_ptys(kdeconnect_t)
+# KDEConnect needs access to some global config/cache/data files
+xdg_manage_cache_home(kdeconnect_t)
+xdg_manage_config_home(kdeconnect_t)
+xdg_manage_data_home(kdeconnect_t)
+
+xserver_stream_connect(kdeconnect_t)
+xserver_user_x_domain_template(kdeconnect, kdeconnect_t, kdeconnect_tmpfs_t)
+
+tunable_policy(`kdeconnect_read_user_files',`
+ userdom_read_user_home_content_files(kdeconnect_t)
+')
+
+#######################################
+#
+# Allow KDEConnect to talk to DBUS
+#
+
+dbus_all_session_bus_client(kdeconnect_t)
+dbus_connect_all_session_bus(kdeconnect_t)
+dbus_connect_system_bus(kdeconnect_t)
+dbus_system_bus_client(kdeconnect_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-05-30 13:07 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-05-30 13:07 UTC (permalink / raw
To: gentoo-commits
commit: 23a0cb85e78deca55835b7e4964a8c19d6aa508e
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat May 30 12:42:54 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat May 30 12:42:54 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=23a0cb85
portage: connect all unreserved for FTP PASV mode.
FTP PASV mode does not use specific ports, so the only way is to allow
all unreserved.
avc: denied { name_connect } for pid=5274 comm="wget" dest=26213
scontext=root:sysadm_r:portage_fetch_t
tcontext=system_u:object_r:unreserved_port_t tclass=tcp_socket
permissive=0
Gentoo bug 540056
policy/modules/contrib/portage.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/contrib/portage.te b/policy/modules/contrib/portage.te
index 83d6ab4..2e8ab9e 100644
--- a/policy/modules/contrib/portage.te
+++ b/policy/modules/contrib/portage.te
@@ -295,6 +295,8 @@ corenet_sendrecv_rsync_client_packets(portage_fetch_t)
# it occasionally comes up
corenet_tcp_connect_all_reserved_ports(portage_fetch_t)
corenet_tcp_connect_generic_port(portage_fetch_t)
+# bug 540056
+corenet_tcp_connect_all_unreserved_ports(portage_fetch_t)
dev_dontaudit_read_rand(portage_fetch_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-05-27 20:00 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-05-27 20:00 UTC (permalink / raw
To: gentoo-commits
commit: 1943815a94454b541f37128cec20da4ed015970b
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun May 24 12:04:00 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed May 27 19:01:18 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1943815a
bitcoin: use init_startstop_service interface in _admin
The bitcoin_admin interfaces had rules for RedHat sysvinit. This
replaces them with the interface init_startstop_service which can
easily be changed for other init systems.
policy/modules/contrib/bitcoin.if | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/policy/modules/contrib/bitcoin.if b/policy/modules/contrib/bitcoin.if
index 922bc7c..9c7ca8d 100644
--- a/policy/modules/contrib/bitcoin.if
+++ b/policy/modules/contrib/bitcoin.if
@@ -26,10 +26,7 @@ interface(`bitcoin_admin',`
allow $1 bitcoin_t:process { ptrace signal_perms };
ps_process_pattern($1, bitcoin_t)
- init_labeled_script_domtrans($1, bitcoin_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 bitcoin_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, bitcoin_t, bitcoin_initrc_exec_t)
files_list_tmp($1)
admin_pattern($1, bitcoin_tmp_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-05-27 20:00 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-05-27 20:00 UTC (permalink / raw
To: gentoo-commits
commit: 62f241df91ddddeee30ef0d5c18d498f8641f9f0
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun May 24 12:05:48 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed May 27 19:01:31 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=62f241df
salt: use init_startstop_service interface in _admin
The salt_admin interfaces had rules for RedHat sysvinit. This
replaces them with the interface init_startstop_service which can
easily be changed for other init systems.
policy/modules/contrib/salt.if | 8 ++------
1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/policy/modules/contrib/salt.if b/policy/modules/contrib/salt.if
index 7ab9e6b..27fefae 100644
--- a/policy/modules/contrib/salt.if
+++ b/policy/modules/contrib/salt.if
@@ -29,9 +29,7 @@ interface(`salt_admin_master',`
allow $1 salt_master_t:process { ptrace signal_perms };
ps_process_pattern($1, salt_master_t)
- init_labeled_script_domtrans($1, salt_master_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 salt_master_initrc_exec_t system_r;
+ init_startstop_service($1, $2, salt_master_t, salt_master_initrc_exec_t)
# for debugging?
role_transition $2 salt_master_exec_t system_r;
@@ -73,9 +71,7 @@ interface(`salt_admin_minion',`
allow $1 salt_minion_t:process { ptrace signal_perms };
ps_process_pattern($1, salt_minion_t)
- init_labeled_script_domtrans($1, salt_minion_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 salt_minion_initrc_exec_t system_r;
+ init_startstop_service($1, $2, salt_minion_t, salt_minion_initrc_exec_t)
# for debugging
role_transition $2 salt_minion_exec_t system_r;
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-05-25 16:15 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2015-05-25 16:15 UTC (permalink / raw
To: gentoo-commits
commit: ad02fc9b27a7e4510b5c66a4910c5ad97e7da11c
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon May 25 16:14:54 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon May 25 16:14:54 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ad02fc9b
Maven (mvn) needs read access to m2.conf
policy/modules/contrib/java.fc | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/policy/modules/contrib/java.fc b/policy/modules/contrib/java.fc
index cc4f515..7958f81 100644
--- a/policy/modules/contrib/java.fc
+++ b/policy/modules/contrib/java.fc
@@ -30,3 +30,8 @@ HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:java_home_t,s0)
/usr/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
+
+ifdef(`distro_gentoo',`
+# Running maven (mvn) command needs read access to this, yet the file is marked as bin_t otherwise
+/usr/share/maven-bin-[^/]*/bin/m2.conf -- gen_context(system_u:object_r:usr_t,s0)
+')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-05-22 19:32 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-05-22 19:32 UTC (permalink / raw
To: gentoo-commits
commit: 0e289ab8f74c478433de2a755082464a740d537b
Author: Stephen Smalley <sds <AT> tycho <DOT> nsa <DOT> gov>
AuthorDate: Fri May 22 12:49:50 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri May 22 19:19:23 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0e289ab8
contrib: networkmanager: allow netlink_generic_socket access
refpolicy commit 58b302957652322288618ceda0771d39e74a9e46
defined the new netlink socket security classes introduced by
kernel commit 223ae516404a7a65f09e79a1c0291521c233336e.
NetworkManager requires netlink_generic_socket access when
running on a kernel with this change. Add an allow rule for it,
while retaining the existing :netlink_socket rule for compatibility
on older kernels.
Signed-off-by: Stephen Smalley <sds <AT> tycho.nsa.gov>
policy/modules/contrib/networkmanager.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index c29e773..820cc5b 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -52,6 +52,7 @@ allow NetworkManager_t self:unix_dgram_socket sendto;
allow NetworkManager_t self:unix_stream_socket { accept listen };
allow NetworkManager_t self:netlink_route_socket create_netlink_socket_perms;
allow NetworkManager_t self:netlink_socket create_socket_perms;
+allow NetworkManager_t self:netlink_generic_socket create_socket_perms;
allow NetworkManager_t self:netlink_kobject_uevent_socket create_socket_perms;
allow NetworkManager_t self:tcp_socket { accept listen };
allow NetworkManager_t self:tun_socket { create_socket_perms relabelfrom relabelto };
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-05-22 19:32 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-05-22 19:32 UTC (permalink / raw
To: gentoo-commits
commit: 0b86dd6784975e36e51eec9b37a18c731adb0bd3
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Fri May 22 14:08:43 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri May 22 19:19:23 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0b86dd67
Use init_startstop_service in admin interfaces N-Z
Most foo_admin interfaces have transitions on the
foo_initrc_exec_t to system_r. These are only applicable
for RedHat <6. This replaces them with the interface
init_startstop_service which can easily be changed for
other init systems.
make validate passes for all combinations of distros,
standard/mcs/mls, monolithic y/n and direct_initrc y/n
This patch is for files starting with N-Z.
policy/modules/contrib/nagios.if | 5 +----
policy/modules/contrib/nessus.if | 5 +----
policy/modules/contrib/networkmanager.if | 5 +----
policy/modules/contrib/nis.if | 7 ++-----
policy/modules/contrib/nscd.if | 5 +----
policy/modules/contrib/nsd.if | 5 +----
policy/modules/contrib/nslcd.if | 5 +----
policy/modules/contrib/ntop.if | 5 +----
policy/modules/contrib/ntp.if | 5 +----
policy/modules/contrib/numad.if | 5 +----
policy/modules/contrib/nut.if | 5 +----
policy/modules/contrib/oident.if | 5 +----
policy/modules/contrib/openct.if | 5 +----
policy/modules/contrib/openhpi.if | 5 +----
policy/modules/contrib/openvpn.if | 5 +----
policy/modules/contrib/openvswitch.if | 5 +----
policy/modules/contrib/pacemaker.if | 5 +----
policy/modules/contrib/pads.if | 5 +----
policy/modules/contrib/pcscd.if | 5 +----
policy/modules/contrib/pegasus.if | 5 +----
policy/modules/contrib/perdition.if | 5 +----
policy/modules/contrib/pingd.if | 5 +----
policy/modules/contrib/pkcs.if | 5 +----
policy/modules/contrib/polipo.if | 5 +----
policy/modules/contrib/portmap.if | 5 +----
policy/modules/contrib/portreserve.if | 5 +----
policy/modules/contrib/postfix.if | 5 +----
policy/modules/contrib/postfixpolicyd.if | 5 +----
policy/modules/contrib/postgrey.if | 5 +----
policy/modules/contrib/ppp.if | 5 +----
policy/modules/contrib/prelude.if | 5 +----
policy/modules/contrib/privoxy.if | 5 +----
policy/modules/contrib/psad.if | 5 +----
policy/modules/contrib/puppet.if | 6 ++----
policy/modules/contrib/pxe.if | 5 +----
policy/modules/contrib/pyicqt.if | 5 +----
policy/modules/contrib/pyzor.if | 5 +----
policy/modules/contrib/qpid.if | 5 +----
policy/modules/contrib/quantum.if | 5 +----
policy/modules/contrib/quota.if | 5 +----
policy/modules/contrib/rabbitmq.if | 5 +----
policy/modules/contrib/radius.if | 5 +----
policy/modules/contrib/radvd.if | 5 +----
policy/modules/contrib/raid.if | 5 +----
policy/modules/contrib/redis.if | 5 +----
policy/modules/contrib/resmgr.if | 5 +----
policy/modules/contrib/rgmanager.if | 5 +----
policy/modules/contrib/rhcs.if | 7 +++----
policy/modules/contrib/rhsmcertd.if | 5 +----
policy/modules/contrib/ricci.if | 5 +----
policy/modules/contrib/rngd.if | 5 +----
policy/modules/contrib/roundup.if | 5 +----
policy/modules/contrib/rpc.if | 7 +++----
policy/modules/contrib/rpcbind.if | 5 +----
policy/modules/contrib/rpm.if | 5 +----
policy/modules/contrib/rtkit.if | 5 +----
policy/modules/contrib/rwho.if | 5 +----
policy/modules/contrib/samba.if | 5 +----
policy/modules/contrib/samhain.if | 5 +----
policy/modules/contrib/sanlock.if | 5 +----
policy/modules/contrib/sasl.if | 5 +----
policy/modules/contrib/sblim.if | 5 +----
policy/modules/contrib/sendmail.if | 4 +---
policy/modules/contrib/sensord.if | 5 +----
policy/modules/contrib/shorewall.if | 5 +----
policy/modules/contrib/slpd.if | 5 +----
policy/modules/contrib/smartmon.if | 5 +----
policy/modules/contrib/smokeping.if | 5 +----
policy/modules/contrib/smstools.if | 5 +----
policy/modules/contrib/snmp.if | 5 +----
policy/modules/contrib/snort.if | 5 +----
policy/modules/contrib/soundserver.if | 5 +----
policy/modules/contrib/spamassassin.if | 5 +----
policy/modules/contrib/squid.if | 5 +----
policy/modules/contrib/sssd.if | 5 +----
policy/modules/contrib/svnserve.if | 5 +----
policy/modules/contrib/sysstat.if | 5 +----
policy/modules/contrib/systemtap.if | 5 +----
policy/modules/contrib/tcsd.if | 5 +----
policy/modules/contrib/tgtd.if | 5 +----
policy/modules/contrib/tor.if | 5 +----
policy/modules/contrib/transproxy.if | 5 +----
policy/modules/contrib/tuned.if | 5 +----
policy/modules/contrib/ulogd.if | 5 +----
policy/modules/contrib/uptime.if | 5 +----
policy/modules/contrib/uucp.if | 5 +----
policy/modules/contrib/uuidd.if | 5 +----
policy/modules/contrib/varnishd.if | 10 ++--------
policy/modules/contrib/vdagent.if | 5 +----
policy/modules/contrib/vhostmd.if | 5 +----
policy/modules/contrib/virt.if | 5 +----
policy/modules/contrib/vnstatd.if | 5 +----
policy/modules/contrib/watchdog.if | 5 +----
policy/modules/contrib/wdmd.if | 5 +----
policy/modules/contrib/xfs.if | 5 +----
policy/modules/contrib/zabbix.if | 6 ++----
policy/modules/contrib/zarafa.if | 5 +----
policy/modules/contrib/zebra.if | 5 +----
98 files changed, 106 insertions(+), 396 deletions(-)
diff --git a/policy/modules/contrib/nagios.if b/policy/modules/contrib/nagios.if
index 0641e97..b73a47b 100644
--- a/policy/modules/contrib/nagios.if
+++ b/policy/modules/contrib/nagios.if
@@ -204,10 +204,7 @@ interface(`nagios_admin',`
allow $1 { nagios_t nrpe_t nagios_plugin_domain }:process { ptrace signal_perms };
ps_process_pattern($1, { nagios_t nrpe_t nagios_plugin_domain })
- init_labeled_script_domtrans($1, nagios_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 nagios_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, nagios_t, nagios_initrc_exec_t)
files_search_tmp($1)
admin_pattern($1, { nagios_eventhandler_plugin_tmp_t nagios_tmp_t nagios_system_plugin_tmp_t })
diff --git a/policy/modules/contrib/nessus.if b/policy/modules/contrib/nessus.if
index 42e9ed4..f41ec5f 100644
--- a/policy/modules/contrib/nessus.if
+++ b/policy/modules/contrib/nessus.if
@@ -40,10 +40,7 @@ interface(`nessus_admin',`
allow $1 nessusd_t:process { ptrace signal_perms };
ps_process_pattern($1, nessusd_t)
- init_labeled_script_domtrans($1, nessusd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 nessusd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, nessusd_t, nessusd_initrc_exec_t)
logging_search_logs($1)
admin_pattern($1, nessusd_log_t)
diff --git a/policy/modules/contrib/networkmanager.if b/policy/modules/contrib/networkmanager.if
index b512ce0..152dc57 100644
--- a/policy/modules/contrib/networkmanager.if
+++ b/policy/modules/contrib/networkmanager.if
@@ -297,10 +297,7 @@ interface(`networkmanager_admin',`
allow $1 { wpa_cli_t NetworkManager_t }:process { ptrace signal_perms };
ps_process_pattern($1, { wpa_cli_t NetworkManager_t })
- init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 NetworkManager_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, NetworkManager_t, NetworkManager_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, { NetworkManager_etc_t NetworkManager_etc_rw_t })
diff --git a/policy/modules/contrib/nis.if b/policy/modules/contrib/nis.if
index 46e55c3..5acf395 100644
--- a/policy/modules/contrib/nis.if
+++ b/policy/modules/contrib/nis.if
@@ -381,11 +381,8 @@ interface(`nis_admin',`
allow $1 { ypbind_t yppasswdd_t ypserv_t ypxfr_t }:process { ptrace signal_perms };
ps_process_pattern($1, { ypbind_t yppasswdd_t ypserv_t ypxfr_t })
- nis_initrc_domtrans($1)
- nis_initrc_domtrans_ypbind($1)
- domain_system_change_exemption($1)
- role_transition $2 { nis_initrc_exec_t ypbind_initrc_exec_t } system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, ypbind_t, ypbind_initrc_exec_t)
+ init_startstop_service($1, $2, ypserv_t, nis_initrc_exec_t)
files_list_tmp($1)
admin_pattern($1, { ypserv_tmp_t ypbind_tmp_t })
diff --git a/policy/modules/contrib/nscd.if b/policy/modules/contrib/nscd.if
index 8f2ab09..c83635f 100644
--- a/policy/modules/contrib/nscd.if
+++ b/policy/modules/contrib/nscd.if
@@ -299,10 +299,7 @@ interface(`nscd_admin',`
allow $1 nscd_t:process { ptrace signal_perms };
ps_process_pattern($1, nscd_t)
- init_labeled_script_domtrans($1, nscd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 nscd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, nscd_t, nscd_initrc_exec_t)
logging_list_logs($1)
admin_pattern($1, nscd_log_t)
diff --git a/policy/modules/contrib/nsd.if b/policy/modules/contrib/nsd.if
index a9c60ff..8ec6ec4 100644
--- a/policy/modules/contrib/nsd.if
+++ b/policy/modules/contrib/nsd.if
@@ -54,10 +54,7 @@ interface(`nsd_admin',`
allow $1 nsd_t:process { ptrace signal_perms };
ps_process_pattern($1, nsd_t)
- init_labeled_script_domtrans($1, nsd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 nsd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, nsd_t, nsd_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, { nsd_conf_t nsd_db_t })
diff --git a/policy/modules/contrib/nslcd.if b/policy/modules/contrib/nslcd.if
index bbd7cac..b3747da 100644
--- a/policy/modules/contrib/nslcd.if
+++ b/policy/modules/contrib/nslcd.if
@@ -102,10 +102,7 @@ interface(`nslcd_admin',`
allow $1 nslcd_t:process { ptrace signal_perms };
ps_process_pattern($1, nslcd_t)
- nslcd_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 nslcd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, nslcd_t, nslcd_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, nslcd_conf_t)
diff --git a/policy/modules/contrib/ntop.if b/policy/modules/contrib/ntop.if
index beaee73..60c7793 100644
--- a/policy/modules/contrib/ntop.if
+++ b/policy/modules/contrib/ntop.if
@@ -26,10 +26,7 @@ interface(`ntop_admin',`
allow $1 ntop_t:process { ptrace signal_perms };
ps_process_pattern($1, ntop_t)
- init_labeled_script_domtrans($1, ntop_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 ntop_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, ntop_t, ntop_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, ntop_etc_t)
diff --git a/policy/modules/contrib/ntp.if b/policy/modules/contrib/ntp.if
index 6a83626..251f669 100644
--- a/policy/modules/contrib/ntp.if
+++ b/policy/modules/contrib/ntp.if
@@ -166,10 +166,7 @@ interface(`ntp_admin',`
allow $1 ntpd_t:process { ptrace signal_perms };
ps_process_pattern($1, ntpd_t)
- init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 ntpd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, ntpd_t, ntpd_initrc_exec_t)
files_list_etc($1)
admin_pattern($1, { ntpd_key_t ntp_conf_t })
diff --git a/policy/modules/contrib/numad.if b/policy/modules/contrib/numad.if
index 0d3c270..d1c6b8f 100644
--- a/policy/modules/contrib/numad.if
+++ b/policy/modules/contrib/numad.if
@@ -26,10 +26,7 @@ interface(`numad_admin',`
allow $1 numad_t:process { ptrace signal_perms };
ps_process_pattern($1, numad_t)
- init_labeled_script_domtrans($1, numad_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 numad_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, numad_t, numad_initrc_exec_t)
logging_search_logs($1)
admin_pattern($1, numad_log_t)
diff --git a/policy/modules/contrib/nut.if b/policy/modules/contrib/nut.if
index c606ae6..462c079 100644
--- a/policy/modules/contrib/nut.if
+++ b/policy/modules/contrib/nut.if
@@ -26,10 +26,7 @@ interface(`nut_admin',`
allow $1 nut_domain:process { ptrace signal_perms };
ps_process_pattern($1, nut_domain)
- init_labeled_script_domtrans($1, nut_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 nut_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, nut_domain, nut_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, nut_conf_t)
diff --git a/policy/modules/contrib/oident.if b/policy/modules/contrib/oident.if
index 513f452..c317a3a 100644
--- a/policy/modules/contrib/oident.if
+++ b/policy/modules/contrib/oident.if
@@ -131,10 +131,7 @@ interface(`oident_admin',`
allow $1 oidentd_t:process { ptrace signal_perms };
ps_process_pattern($1, oidentd_t)
- init_labeled_script_domtrans($1, oidentd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 oidentd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, oidentd_t, oidentd_initrc_exec_t)
files_list_etc($1)
admin_pattern($1, oidentd_config_t)
diff --git a/policy/modules/contrib/openct.if b/policy/modules/contrib/openct.if
index a55238b..61c3eb8 100644
--- a/policy/modules/contrib/openct.if
+++ b/policy/modules/contrib/openct.if
@@ -120,10 +120,7 @@ interface(`openct_admin',`
allow $1 openct_t:process { ptrace signal_perms };
ps_process_pattern($1, openct_t)
- init_labeled_script_domtrans($1, openct_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 openct_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, openct_t, openct_initrc_exec_t)
files_search_pids($1)
admin_pattern($1, openct_var_run_t)
diff --git a/policy/modules/contrib/openhpi.if b/policy/modules/contrib/openhpi.if
index 3c86958..ca1e226 100644
--- a/policy/modules/contrib/openhpi.if
+++ b/policy/modules/contrib/openhpi.if
@@ -26,10 +26,7 @@ interface(`openhpi_admin',`
allow $1 openhpid_t:process { ptrace signal_perms };
ps_process_pattern($1, openhpid_t)
- init_labeled_script_domtrans($1, openhpid_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 openhpid_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, openhpid_t, openhpid_initrc_exec_t)
files_search_var_lib($1)
admin_pattern($1, openhpid_var_lib_t)
diff --git a/policy/modules/contrib/openvpn.if b/policy/modules/contrib/openvpn.if
index 6837e9a..a03c258 100644
--- a/policy/modules/contrib/openvpn.if
+++ b/policy/modules/contrib/openvpn.if
@@ -150,10 +150,7 @@ interface(`openvpn_admin',`
allow $1 openvpn_t:process { ptrace signal_perms };
ps_process_pattern($1, openvpn_t)
- init_labeled_script_domtrans($1, openvpn_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 openvpn_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, openvpn_t, openvpn_initrc_exec_t)
files_list_etc($1)
admin_pattern($1, { openvpn_etc_t openvpn_etc_rw_t })
diff --git a/policy/modules/contrib/openvswitch.if b/policy/modules/contrib/openvswitch.if
index 9b15730..f0133ed 100644
--- a/policy/modules/contrib/openvswitch.if
+++ b/policy/modules/contrib/openvswitch.if
@@ -64,10 +64,7 @@ interface(`openvswitch_admin',`
allow $1 openvswitch_t:process { ptrace signal_perms };
ps_process_pattern($1, openvswitch_t)
- init_labeled_script_domtrans($1, openvswitch_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 openvswitch_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, openvswitch_t, openvswitch_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, openvswitch_conf_t)
diff --git a/policy/modules/contrib/pacemaker.if b/policy/modules/contrib/pacemaker.if
index 9682d9a..44d1cf6 100644
--- a/policy/modules/contrib/pacemaker.if
+++ b/policy/modules/contrib/pacemaker.if
@@ -26,10 +26,7 @@ interface(`pacemaker_admin',`
allow $1 pacemaker_t:process { ptrace signal_perms };
ps_process_pattern($1, pacemaker_t)
- init_labeled_script_domtrans($1, pacemaker_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 pacemaker_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, pacemaker_t, pacemaker_initrc_exec_t)
files_search_var_lib($1)
admin_pattern($1, pacemaker_var_lib_t)
diff --git a/policy/modules/contrib/pads.if b/policy/modules/contrib/pads.if
index 6e097c9..4dd3574 100644
--- a/policy/modules/contrib/pads.if
+++ b/policy/modules/contrib/pads.if
@@ -26,10 +26,7 @@ interface(`pads_admin', `
allow $1 pads_t:process { ptrace signal_perms };
ps_process_pattern($1, pads_t)
- init_labeled_script_domtrans($1, pads_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 pads_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, pads_t, pads_initrc_exec_t)
files_search_pids($1)
admin_pattern($1, pads_var_run_t)
diff --git a/policy/modules/contrib/pcscd.if b/policy/modules/contrib/pcscd.if
index 7f77d32..ac7e60c 100644
--- a/policy/modules/contrib/pcscd.if
+++ b/policy/modules/contrib/pcscd.if
@@ -128,10 +128,7 @@ interface(`pcscd_admin',`
allow $1 pcscd_t:process { ptrace signal_perms };
ps_process_pattern($1, pcscd_t)
- init_labeled_script_domtrans($1, pcscd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 pcscd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, pcscd_t, pcscd_initrc_exec_t)
files_search_pids($1)
admin_pattern($1, pcscd_var_run_t)
diff --git a/policy/modules/contrib/pegasus.if b/policy/modules/contrib/pegasus.if
index d2fc677..eadb012 100644
--- a/policy/modules/contrib/pegasus.if
+++ b/policy/modules/contrib/pegasus.if
@@ -27,10 +27,7 @@ interface(`pegasus_admin',`
allow $1 pegasus_t:process { ptrace signal_perms };
ps_process_pattern($1, pegasus_t)
- init_labeled_script_domtrans($1, pegasus_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 pegasus_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, pegasus_t, pegasus_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, pegasus_conf_t)
diff --git a/policy/modules/contrib/perdition.if b/policy/modules/contrib/perdition.if
index 47e09e1..092ac61 100644
--- a/policy/modules/contrib/perdition.if
+++ b/policy/modules/contrib/perdition.if
@@ -40,10 +40,7 @@ interface(`perdition_admin',`
allow $1 perdition_t:process { ptrace signal_perms };
ps_process_pattern($1, perdition_t)
- init_labeled_script_domtrans($1, perdition_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 perdition_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, perdition_t, perdition_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, perdition_etc_t)
diff --git a/policy/modules/contrib/pingd.if b/policy/modules/contrib/pingd.if
index 21a6ecb..fe9acb0 100644
--- a/policy/modules/contrib/pingd.if
+++ b/policy/modules/contrib/pingd.if
@@ -84,10 +84,7 @@ interface(`pingd_admin',`
allow $1 pingd_t:process { ptrace signal_perms };
ps_process_pattern($1, pingd_t)
- init_labeled_script_domtrans($1, pingd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 pingd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, pingd_t, pingd_initrc_exec_t)
files_list_etc($1)
admin_pattern($1, pingd_etc_t)
diff --git a/policy/modules/contrib/pkcs.if b/policy/modules/contrib/pkcs.if
index 69be2aa..9d1af4e 100644
--- a/policy/modules/contrib/pkcs.if
+++ b/policy/modules/contrib/pkcs.if
@@ -26,10 +26,7 @@ interface(`pkcs_admin_slotd',`
allow $1 pkcs_slotd_t:process { ptrace signal_perms };
ps_process_pattern($1, pkcs_slotd_t)
- init_labeled_script_domtrans($1, pkcs_slotd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 pkcs_slotd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, pkcs_slotd_t, pkcs_slotd_initrc_exec_t)
files_search_var_lib($1)
admin_pattern($1, pkcs_slotd_var_lib_t)
diff --git a/policy/modules/contrib/polipo.if b/policy/modules/contrib/polipo.if
index ae27bb7..4b1988d 100644
--- a/policy/modules/contrib/polipo.if
+++ b/policy/modules/contrib/polipo.if
@@ -125,10 +125,7 @@ interface(`polipo_admin',`
allow $1 polipo_system_t:process { ptrace signal_perms };
ps_process_pattern($1, polipo_system_t)
- polipo_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 polipo_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, polipo_t, polipo_initrc_exec_t)
files_search_var($1)
admin_pattern($1, polipo_cache_t)
diff --git a/policy/modules/contrib/portmap.if b/policy/modules/contrib/portmap.if
index 9f982b5..61e1a12 100644
--- a/policy/modules/contrib/portmap.if
+++ b/policy/modules/contrib/portmap.if
@@ -114,10 +114,7 @@ interface(`portmap_admin',`
allow $1 { portmap_t portmap_helper_t }:process { ptrace signal_perms };
ps_process_pattern($1, { portmap_t portmap_helper_t })
- init_labeled_script_domtrans($1, portmap_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 portmap_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, portmap_t, portmap_initrc_exec_t)
files_search_pids($1)
admin_pattern($1, portmap_var_run_t)
diff --git a/policy/modules/contrib/portreserve.if b/policy/modules/contrib/portreserve.if
index 5ad5291..0a90afd 100644
--- a/policy/modules/contrib/portreserve.if
+++ b/policy/modules/contrib/portreserve.if
@@ -108,10 +108,7 @@ interface(`portreserve_admin',`
allow $1 portreserve_t:process { ptrace signal_perms };
ps_process_pattern($1, portreserve_t)
- portreserve_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 portreserve_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, portreserve_t, portreserve_initrc_exec_t)
files_list_etc($1)
admin_pattern($1, portreserve_etc_t)
diff --git a/policy/modules/contrib/postfix.if b/policy/modules/contrib/postfix.if
index 8bc856e..19fe613 100644
--- a/policy/modules/contrib/postfix.if
+++ b/policy/modules/contrib/postfix.if
@@ -720,10 +720,7 @@ interface(`postfix_admin',`
allow $1 postfix_domain:process { ptrace signal_perms };
ps_process_pattern($1, postfix_domain)
- init_labeled_script_domtrans($1, postfix_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 postfix_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, postfix_t, postfix_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, { postfix_prng_t postfix_etc_t postfix_exec_t postfix_keytab_t })
diff --git a/policy/modules/contrib/postfixpolicyd.if b/policy/modules/contrib/postfixpolicyd.if
index 5de8173..e462ac0 100644
--- a/policy/modules/contrib/postfixpolicyd.if
+++ b/policy/modules/contrib/postfixpolicyd.if
@@ -26,10 +26,7 @@ interface(`postfixpolicyd_admin',`
allow $1 postfix_policyd_t:process { ptrace signal_perms };
ps_process_pattern($1, postfix_policyd_t)
- init_labeled_script_domtrans($1, postfix_policyd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 postfix_policyd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, postfix_policyd_t, postfix_policyd_initrc_exec_t)
files_list_etc($1)
admin_pattern($1, postfix_policyd_conf_t)
diff --git a/policy/modules/contrib/postgrey.if b/policy/modules/contrib/postgrey.if
index b9e71b5..d63198e 100644
--- a/policy/modules/contrib/postgrey.if
+++ b/policy/modules/contrib/postgrey.if
@@ -67,10 +67,7 @@ interface(`postgrey_admin',`
allow $1 postgrey_t:process { ptrace signal_perms };
ps_process_pattern($1, postgrey_t)
- init_labeled_script_domtrans($1, postgrey_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 postgrey_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, postgrey_t, postgrey_initrc_exec_t)
files_list_etc($1)
admin_pattern($1, postgrey_etc_t)
diff --git a/policy/modules/contrib/ppp.if b/policy/modules/contrib/ppp.if
index cd8b8b9..0376e92 100644
--- a/policy/modules/contrib/ppp.if
+++ b/policy/modules/contrib/ppp.if
@@ -487,10 +487,7 @@ interface(`ppp_admin',`
allow $1 { pptp_t pppd_t }:process { ptrace signal_perms };
ps_process_pattern($1, { pptp_t pppd_t })
- ppp_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 pppd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, pppd_t, pppd_initrc_exec_t)
files_list_tmp($1)
admin_pattern($1, pppd_tmp_t)
diff --git a/policy/modules/contrib/prelude.if b/policy/modules/contrib/prelude.if
index db8f510..ceef90f 100644
--- a/policy/modules/contrib/prelude.if
+++ b/policy/modules/contrib/prelude.if
@@ -126,10 +126,7 @@ interface(`prelude_admin',`
allow $1 { prelude_t prelude_audisp_t prelude_lml_t prelude_correlator_t }:process { ptrace signal_perms };
ps_process_pattern($1, { prelude_t prelude_audisp_t prelude_lml_t prelude_correlator_t })
- init_labeled_script_domtrans($1, prelude_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 prelude_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, prelude_t, prelude_initrc_exec_t)
files_search_spool($1)
admin_pattern($1, prelude_spool_t)
diff --git a/policy/modules/contrib/privoxy.if b/policy/modules/contrib/privoxy.if
index bdcee30..a35e6ea 100644
--- a/policy/modules/contrib/privoxy.if
+++ b/policy/modules/contrib/privoxy.if
@@ -26,10 +26,7 @@ interface(`privoxy_admin',`
allow $1 privoxy_t:process { ptrace signal_perms };
ps_process_pattern($1, privoxy_t)
- init_labeled_script_domtrans($1, privoxy_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 privoxy_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, privoxy_t, privoxy_initrc_exec_t)
logging_list_logs($1)
admin_pattern($1, privoxy_log_t)
diff --git a/policy/modules/contrib/psad.if b/policy/modules/contrib/psad.if
index cdc83d2..6ad8703 100644
--- a/policy/modules/contrib/psad.if
+++ b/policy/modules/contrib/psad.if
@@ -242,10 +242,7 @@ interface(`psad_admin',`
allow $1 psad_t:process { ptrace signal_perms };
ps_process_pattern($1, psad_t)
- init_labeled_script_domtrans($1, psad_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 psad_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, psad_t, psad_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, psad_etc_t)
diff --git a/policy/modules/contrib/puppet.if b/policy/modules/contrib/puppet.if
index 7cb8b1f..135dafb 100644
--- a/policy/modules/contrib/puppet.if
+++ b/policy/modules/contrib/puppet.if
@@ -211,10 +211,8 @@ interface(`puppet_admin',`
allow $1 { puppet_t puppetca_t puppetmaster_t }:process { ptrace signal_perms };
ps_process_pattern($1, { puppet_t puppetca_t puppetmaster_t })
- init_labeled_script_domtrans($1, { puppet_initrc_exec_t puppetmaster_initrc_exec_t })
- domain_system_change_exemption($1)
- role_transition $2 { puppet_initrc_exec_t puppetmaster_initrc_exec_t } system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, puppet_t, puppet_initrc_exec_t)
+ init_startstop_service($1, $2, puppetmaster_t, puppetmaster_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, puppet_etc_t)
diff --git a/policy/modules/contrib/pxe.if b/policy/modules/contrib/pxe.if
index 7da286f..e0068b7 100644
--- a/policy/modules/contrib/pxe.if
+++ b/policy/modules/contrib/pxe.if
@@ -26,10 +26,7 @@ interface(`pxe_admin',`
allow $1 pxe_t:process { ptrace signal_perms };
ps_process_pattern($1, pxe_t)
- init_labeled_script_domtrans($1, pxe_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 pxe_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, pxe_t, pxe_initrc_exec_t)
logging_search_logs($1)
admin_pattern($1, pxe_log_t)
diff --git a/policy/modules/contrib/pyicqt.if b/policy/modules/contrib/pyicqt.if
index 0ccea82..1742d8c 100644
--- a/policy/modules/contrib/pyicqt.if
+++ b/policy/modules/contrib/pyicqt.if
@@ -26,10 +26,7 @@ interface(`pyicqt_admin',`
allow $1 pyicqt_t:process { ptrace signal_perms };
ps_process_pattern($1, pyicqt_t)
- init_labeled_script_domtrans($1, pyicqt_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 pyicqt_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, pyicqt_t, pyicqt_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, pyicqt_conf_t)
diff --git a/policy/modules/contrib/pyzor.if b/policy/modules/contrib/pyzor.if
index c05a504..7bc14f9 100644
--- a/policy/modules/contrib/pyzor.if
+++ b/policy/modules/contrib/pyzor.if
@@ -118,10 +118,7 @@ interface(`pyzor_admin',`
allow $1 pyzord_t:process { ptrace signal_perms };
ps_process_pattern($1, pyzord_t)
- init_labeled_script_domtrans($1, pyzord_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 pyzord_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, pyzord_t, pyzord_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, pyzor_etc_t)
diff --git a/policy/modules/contrib/qpid.if b/policy/modules/contrib/qpid.if
index fe2adf8..531bdc3 100644
--- a/policy/modules/contrib/qpid.if
+++ b/policy/modules/contrib/qpid.if
@@ -177,10 +177,7 @@ interface(`qpidd_admin',`
allow $1 qpidd_t:process { ptrace signal_perms };
ps_process_pattern($1, qpidd_t)
- qpidd_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 qpidd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, qpidd_t, qpidd_initrc_exec_t)
files_search_var_lib($1)
admin_pattern($1, qpidd_var_lib_t)
diff --git a/policy/modules/contrib/quantum.if b/policy/modules/contrib/quantum.if
index afc0068..31aa2d9 100644
--- a/policy/modules/contrib/quantum.if
+++ b/policy/modules/contrib/quantum.if
@@ -26,10 +26,7 @@ interface(`quantum_admin',`
allow $1 quantum_t:process { ptrace signal_perms };
ps_process_pattern($1, quantum_t)
- init_labeled_script_domtrans($1, quantum_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 quantum_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, quantum_t, quantum_initrc_exec_t)
logging_search_logs($1)
admin_pattern($1, quantum_log_t)
diff --git a/policy/modules/contrib/quota.if b/policy/modules/contrib/quota.if
index 68611e3..c2a5ef4 100644
--- a/policy/modules/contrib/quota.if
+++ b/policy/modules/contrib/quota.if
@@ -184,10 +184,7 @@ interface(`quota_admin',`
allow $1 { quota_nld_t quota_t }:process { ptrace signal_perms };
ps_process_pattern($1, { quota_nld_t quota_t })
- init_labeled_script_domtrans($1, quota_nld_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 quota_nld_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, quota_nld_t, quota_nld_initrc_exec_t)
files_list_all($1)
admin_pattern($1, { quota_db_t quota_flag_t quota_nld_var_run_t })
diff --git a/policy/modules/contrib/rabbitmq.if b/policy/modules/contrib/rabbitmq.if
index 2c3d338..53efd0d 100644
--- a/policy/modules/contrib/rabbitmq.if
+++ b/policy/modules/contrib/rabbitmq.if
@@ -45,10 +45,7 @@ interface(`rabbitmq_admin',`
allow $1 { rabbitmq_epmd_t rabbitmq_beam_t }:process { ptrace signal_perms };
ps_process_pattern($1, { rabbitmq_epmd_t rabbitmq_beam_t })
- init_labeled_script_domtrans($1, rabbitmq_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 rabbitmq_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, { rabbitmq_epmd_t rabbitmq_beam_t }, rabbitmq_initrc_exec_t)
logging_search_logs($1)
admin_pattern($1, rabbitmq_var_log_t)
diff --git a/policy/modules/contrib/radius.if b/policy/modules/contrib/radius.if
index 4460582..7703bc7 100644
--- a/policy/modules/contrib/radius.if
+++ b/policy/modules/contrib/radius.if
@@ -41,10 +41,7 @@ interface(`radius_admin',`
allow $1 radiusd_t:process { ptrace signal_perms };
ps_process_pattern($1, radiusd_t)
- init_labeled_script_domtrans($1, radiusd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 radiusd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, radiusd_t, radiusd_initrc_exec_t)
files_list_etc($1)
admin_pattern($1, { radiusd_etc_t radiusd_etc_rw_t })
diff --git a/policy/modules/contrib/radvd.if b/policy/modules/contrib/radvd.if
index ac7058d..38e35fe 100644
--- a/policy/modules/contrib/radvd.if
+++ b/policy/modules/contrib/radvd.if
@@ -26,10 +26,7 @@ interface(`radvd_admin',`
allow $1 radvd_t:process { ptrace signal_perms };
ps_process_pattern($1, radvd_t)
- init_labeled_script_domtrans($1, radvd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 radvd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, radvd_t, radvd_initrc_exec_t)
files_list_etc($1)
admin_pattern($1, radvd_etc_t)
diff --git a/policy/modules/contrib/raid.if b/policy/modules/contrib/raid.if
index 951db7f..6d98a94 100644
--- a/policy/modules/contrib/raid.if
+++ b/policy/modules/contrib/raid.if
@@ -91,10 +91,7 @@ interface(`raid_admin_mdadm',`
allow $1 mdadm_t:process { ptrace signal_perms };
ps_process_pattern($1, mdadm_t)
- init_labeled_script_domtrans($1, mdadm_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 mdadm_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, mdadm_t, mdadm_initrc_exec_t)
files_search_pids($1)
admin_pattern($1, mdadm_var_run_t)
diff --git a/policy/modules/contrib/redis.if b/policy/modules/contrib/redis.if
index 3969450..6d86dbf 100644
--- a/policy/modules/contrib/redis.if
+++ b/policy/modules/contrib/redis.if
@@ -26,10 +26,7 @@ interface(`redis_admin',`
allow $1 redis_t:process { ptrace signal_perms };
ps_process_pattern($1, redis_t)
- init_labeled_script_domtrans($1, redis_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 redis_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, redis_t, redis_initrc_exec_t)
logging_search_logs($1)
admin_pattern($1, redis_log_t)
diff --git a/policy/modules/contrib/resmgr.if b/policy/modules/contrib/resmgr.if
index 0d93db6..a406934 100644
--- a/policy/modules/contrib/resmgr.if
+++ b/policy/modules/contrib/resmgr.if
@@ -46,10 +46,7 @@ interface(`resmgr_admin',`
allow $1 resmgrd_t:process { ptrace signal_perms };
ps_process_pattern($1, resmgrd_t)
- init_labeled_script_domtrans($1, resmgrd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 resmgrd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, resmgrd_t, resmgrd_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, resmgrd_etc_t)
diff --git a/policy/modules/contrib/rgmanager.if b/policy/modules/contrib/rgmanager.if
index 1c2f9aa..1e0ed7a 100644
--- a/policy/modules/contrib/rgmanager.if
+++ b/policy/modules/contrib/rgmanager.if
@@ -105,10 +105,7 @@ interface(`rgmanager_admin',`
allow $1 rgmanager_t:process { ptrace signal_perms };
ps_process_pattern($1, rgmanager_t)
- init_labeled_script_domtrans($1, rgmanager_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 rgmanager_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, rgmanager_t, rgmanager_initrc_exec_t)
files_list_tmp($1)
admin_pattern($1, rgmanager_tmp_t)
diff --git a/policy/modules/contrib/rhcs.if b/policy/modules/contrib/rhcs.if
index c8bdea2..776c570 100644
--- a/policy/modules/contrib/rhcs.if
+++ b/policy/modules/contrib/rhcs.if
@@ -467,15 +467,14 @@ interface(`rhcs_admin',`
attribute cluster_log;
type dlm_controld_initrc_exec_t, foghorn_initrc_exec_t, fenced_lock_t;
type fenced_tmp_t, qdiskd_var_lib_t;
+ type dlm_controld_t, foghorn_t;
')
allow $1 cluster_domain:process { ptrace signal_perms };
ps_process_pattern($1, cluster_domain)
- init_labeled_script_domtrans($1, { dlm_controld_initrc_exec_t foghorn_initrc_exec_t })
- domain_system_change_exemption($1)
- role_transition $2 { dlm_controld_initrc_exec_t foghorn_initrc_exec_t } system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, dlm_controld_t, dlm_controld_initrc_exec_t)
+ init_startstop_service($1, $2, foghorn_t, foghorn_initrc_exec_t)
files_search_pids($1)
admin_pattern($1, cluster_pid)
diff --git a/policy/modules/contrib/rhsmcertd.if b/policy/modules/contrib/rhsmcertd.if
index 6dbc905..7bdee3c 100644
--- a/policy/modules/contrib/rhsmcertd.if
+++ b/policy/modules/contrib/rhsmcertd.if
@@ -285,10 +285,7 @@ interface(`rhsmcertd_admin',`
allow $1 rhsmcertd_t:process { ptrace signal_perms };
ps_process_pattern($1, rhsmcertd_t)
- rhsmcertd_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 rhsmcertd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, rhsmcertd_t, rhsmcertd_initrc_exec_t)
logging_search_logs($1)
admin_pattern($1, rhsmcertd_log_t)
diff --git a/policy/modules/contrib/ricci.if b/policy/modules/contrib/ricci.if
index 2ab3ed1..086f434 100644
--- a/policy/modules/contrib/ricci.if
+++ b/policy/modules/contrib/ricci.if
@@ -203,10 +203,7 @@ interface(`ricci_admin',`
allow $1 ricci_t:process { ptrace signal_perms };
ps_process_pattern($1, ricci_t)
- init_labeled_script_domtrans($1, ricci_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 ricci_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, ricci_t, ricci_initrc_exec_t)
files_list_tmp($1)
admin_pattern($1, ricci_tmp_t)
diff --git a/policy/modules/contrib/rngd.if b/policy/modules/contrib/rngd.if
index 13f788f..7b26dc3 100644
--- a/policy/modules/contrib/rngd.if
+++ b/policy/modules/contrib/rngd.if
@@ -25,10 +25,7 @@ interface(`rngd_admin',`
allow $1 rngd_t:process { ptrace signal_perms };
ps_process_pattern($1, rngd_t)
- init_labeled_script_domtrans($1, rngd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 rngd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, rngd_t, rngd_initrc_exec_t)
files_search_pids($1)
admin_pattern($1, rngd_var_run_t)
diff --git a/policy/modules/contrib/roundup.if b/policy/modules/contrib/roundup.if
index 975bb6a..c874017 100644
--- a/policy/modules/contrib/roundup.if
+++ b/policy/modules/contrib/roundup.if
@@ -26,10 +26,7 @@ interface(`roundup_admin',`
allow $1 roundup_t:process { ptrace signal_perms };
ps_process_pattern($1, roundup_t)
- init_labeled_script_domtrans($1, roundup_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 roundup_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, roundup_t, roundup_initrc_exec_t)
files_list_var_lib($1)
admin_pattern($1, roundup_var_lib_t)
diff --git a/policy/modules/contrib/rpc.if b/policy/modules/contrib/rpc.if
index 157afd9..fbf5995 100644
--- a/policy/modules/contrib/rpc.if
+++ b/policy/modules/contrib/rpc.if
@@ -395,15 +395,14 @@ interface(`rpc_admin',`
type nfsd_initrc_exec_t, rpcd_initrc_exec_t, exports_t;
type var_lib_nfs_t, rpcd_var_run_t, gssd_tmp_t;
type nfsd_ro_t, nfsd_rw_t, gssd_keytab_t;
+ type nfsd_t, rpcd_t;
')
allow $1 rpc_domain:process { ptrace signal_perms };
ps_process_pattern($1, rpc_domain)
- init_labeled_script_domtrans($1, { nfsd_initrc_exec_t rpcd_initrc_exec_t })
- domain_system_change_exemption($1)
- role_transition $2 { nfsd_initrc_exec_t rpcd_initrc_exec_t } system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, nfsd_t, nfsd_initrc_exec_t)
+ init_startstop_service($1, $2, rpcd_t, rpcd_initrc_exec_t)
files_list_etc($1)
admin_pattern($1, { gssd_keytab_t exports_t })
diff --git a/policy/modules/contrib/rpcbind.if b/policy/modules/contrib/rpcbind.if
index f78fef0..78ca83a 100644
--- a/policy/modules/contrib/rpcbind.if
+++ b/policy/modules/contrib/rpcbind.if
@@ -160,10 +160,7 @@ interface(`rpcbind_admin',`
allow $1 rpcbind_t:process { ptrace signal_perms };
ps_process_pattern($1, rpcbind_t)
- init_labeled_script_domtrans($1, rpcbind_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 rpcbind_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, rpcbind_t, rpcbind_initrc_exec_t)
files_search_pids($1)
admin_pattern($1, rpcbind_var_run_t)
diff --git a/policy/modules/contrib/rpm.if b/policy/modules/contrib/rpm.if
index fc9c8d8..3ff41b3 100644
--- a/policy/modules/contrib/rpm.if
+++ b/policy/modules/contrib/rpm.if
@@ -634,10 +634,7 @@ interface(`rpm_admin',`
allow $1 { rpm_t rpm_script_t }:process { ptrace signal_perms };
ps_process_pattern($1, { rpm_t rpm_script_t })
- init_labeled_script_domtrans($1, rpm_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 rpm_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, rpm_t, rpm_initrc_exec_t)
admin_pattern($1, rpm_file_t)
diff --git a/policy/modules/contrib/rtkit.if b/policy/modules/contrib/rtkit.if
index e904ec4..ed6d0cd 100644
--- a/policy/modules/contrib/rtkit.if
+++ b/policy/modules/contrib/rtkit.if
@@ -90,8 +90,5 @@ interface(`rtkit_admin',`
allow $1 rtkit_daemon_t:process { ptrace signal_perms };
ps_process_pattern($1, rtkit_daemon_t)
- init_labeled_script_domtrans($1, rtkit_daemon_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 rtkit_daemon_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, rtkit_daemon_t, rtkit_daemon_initrc_exec_t)
')
diff --git a/policy/modules/contrib/rwho.if b/policy/modules/contrib/rwho.if
index 0360ff0..05aa3f1 100644
--- a/policy/modules/contrib/rwho.if
+++ b/policy/modules/contrib/rwho.if
@@ -142,10 +142,7 @@ interface(`rwho_admin',`
allow $1 rwho_t:process { ptrace signal_perms };
ps_process_pattern($1, rwho_t)
- init_labeled_script_domtrans($1, rwho_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 rwho_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, rwho_t, rwho_initrc_exec_t)
logging_list_logs($1)
admin_pattern($1, rwho_log_t)
diff --git a/policy/modules/contrib/samba.if b/policy/modules/contrib/samba.if
index 50d07fb..dfc606e 100644
--- a/policy/modules/contrib/samba.if
+++ b/policy/modules/contrib/samba.if
@@ -695,10 +695,7 @@ interface(`samba_admin',`
allow $1 { nmbd_t smbd_t }:process { ptrace signal_perms };
ps_process_pattern($1, { nmbd_t smbd_t })
- init_labeled_script_domtrans($1, samba_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 samba_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, samba_t, samba_initrc_exec_t)
files_list_etc($1)
admin_pattern($1, { samba_etc_t smbd_keytab_t })
diff --git a/policy/modules/contrib/samhain.if b/policy/modules/contrib/samhain.if
index b1ebcee..983fee5 100644
--- a/policy/modules/contrib/samhain.if
+++ b/policy/modules/contrib/samhain.if
@@ -221,10 +221,7 @@ interface(`samhain_admin',`
ps_process_pattern($1, samhain_domain)
# duplicate role transition: remove samhain_admin(sysadm_t, sysadm_r) first
- # init_labeled_script_domtrans($1, samhain_initrc_exec_t)
- # domain_system_change_exemption($1)
- # role_transition $2 samhain_initrc_exec_t system_r;
- # allow $2 system_r;
+ # init_startstop_service($1, $2, samhain_domain, samhain_initrc_exec_t)
files_list_var_lib($1)
admin_pattern($1, samhain_db_t)
diff --git a/policy/modules/contrib/sanlock.if b/policy/modules/contrib/sanlock.if
index cd6c213..dbca6c8 100644
--- a/policy/modules/contrib/sanlock.if
+++ b/policy/modules/contrib/sanlock.if
@@ -104,10 +104,7 @@ interface(`sanlock_admin',`
allow $1 sanlock_t:process { ptrace signal_perms };
ps_process_pattern($1, sanlock_t)
- sanlock_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 sanlock_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, sanlock_t, sanlock_initrc_exec_t)
files_search_pids($1)
admin_pattern($1, sanlock_var_run_t)
diff --git a/policy/modules/contrib/sasl.if b/policy/modules/contrib/sasl.if
index 8c3c151..edb4de2 100644
--- a/policy/modules/contrib/sasl.if
+++ b/policy/modules/contrib/sasl.if
@@ -45,10 +45,7 @@ interface(`sasl_admin',`
allow $1 saslauthd_t:process { ptrace signal_perms };
ps_process_pattern($1, saslauthd_t)
- init_labeled_script_domtrans($1, saslauthd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 saslauthd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, saslauthd_t, saslauthd_initrc_exec_t)
files_list_etc($1)
admin_pattern($1, saslauthd_keytab_t)
diff --git a/policy/modules/contrib/sblim.if b/policy/modules/contrib/sblim.if
index 98c9e0a..00e2e69 100644
--- a/policy/modules/contrib/sblim.if
+++ b/policy/modules/contrib/sblim.if
@@ -64,10 +64,7 @@ interface(`sblim_admin',`
allow $1 sblim_domain:process { ptrace signal_perms };
ps_process_pattern($1, sblim_domain)
- init_labeled_script_domtrans($1, sblim_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 sblim_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, sblim_domain, sblim_initrc_exec_t)
files_search_pids($1)
admin_pattern($1, sblim_var_run_t)
diff --git a/policy/modules/contrib/sendmail.if b/policy/modules/contrib/sendmail.if
index 35ad2a7..d60de84 100644
--- a/policy/modules/contrib/sendmail.if
+++ b/policy/modules/contrib/sendmail.if
@@ -360,9 +360,7 @@ interface(`sendmail_admin',`
allow $1 { unconfined_sendmail_t sendmail_t }:process { ptrace signal_perms };
ps_process_pattern($1, { unconfined_sendmail_t sendmail_t })
- init_labeled_script_domtrans($1, sendmail_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 sendmail_initrc_exec_t system_r;
+ init_startstop_service($1, $2, sendmail_t, sendmail_initrc_exec_t)
files_list_etc($1)
admin_pattern($1, sendmail_keytab_t)
diff --git a/policy/modules/contrib/sensord.if b/policy/modules/contrib/sensord.if
index d204752..e58af36 100644
--- a/policy/modules/contrib/sensord.if
+++ b/policy/modules/contrib/sensord.if
@@ -25,10 +25,7 @@ interface(`sensord_admin',`
allow $1 sensord_t:process { ptrace signal_perms };
ps_process_pattern($1, sensord_t)
- init_labeled_script_domtrans($1, sensord_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 sensord_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, sensord_t, sensord_initrc_exec_t)
files_search_pids($1)
admin_pattern($1, sensord_var_run_t)
diff --git a/policy/modules/contrib/shorewall.if b/policy/modules/contrib/shorewall.if
index 1aeef8a..7bd4593 100644
--- a/policy/modules/contrib/shorewall.if
+++ b/policy/modules/contrib/shorewall.if
@@ -179,10 +179,7 @@ interface(`shorewall_admin',`
allow $1 shorewall_t:process { ptrace signal_perms };
ps_process_pattern($1, shorewall_t)
- init_labeled_script_domtrans($1, shorewall_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 shorewall_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, shorewall_t, shorewall_initrc_exec_t)
can_exec($1, shorewall_exec_t)
diff --git a/policy/modules/contrib/slpd.if b/policy/modules/contrib/slpd.if
index ca32e89..ffacc36 100644
--- a/policy/modules/contrib/slpd.if
+++ b/policy/modules/contrib/slpd.if
@@ -26,10 +26,7 @@ interface(`slpd_admin',`
allow $1 slpd_t:process { ptrace signal_perms };
ps_process_pattern($1, slpd_t)
- init_labeled_script_domtrans($1, slpd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 slpd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, slpd_t, slpd_initrc_exec_t)
logging_search_logs($1)
admin_pattern($1, slpd_log_t)
diff --git a/policy/modules/contrib/smartmon.if b/policy/modules/contrib/smartmon.if
index e0644b5..08f4ee2 100644
--- a/policy/modules/contrib/smartmon.if
+++ b/policy/modules/contrib/smartmon.if
@@ -45,10 +45,7 @@ interface(`smartmon_admin',`
allow $1 fsdaemon_t:process { ptrace signal_perms };
ps_process_pattern($1, fsdaemon_t)
- init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 fsdaemon_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, fsdaemon_t, fsdaemon_initrc_exec_t)
files_list_tmp($1)
admin_pattern($1, fsdaemon_tmp_t)
diff --git a/policy/modules/contrib/smokeping.if b/policy/modules/contrib/smokeping.if
index 1fa51c1..4f49c99 100644
--- a/policy/modules/contrib/smokeping.if
+++ b/policy/modules/contrib/smokeping.if
@@ -161,10 +161,7 @@ interface(`smokeping_admin',`
allow $1 smokeping_t:process { ptrace signal_perms };
ps_process_pattern($1, smokeping_t)
- smokeping_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 smokeping_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, smokeping_t, smokeping_initrc_exec_t)
files_search_var_lib($1)
admin_pattern($1, smokeping_var_lib_t)
diff --git a/policy/modules/contrib/smstools.if b/policy/modules/contrib/smstools.if
index 81136f0..fc420a5 100644
--- a/policy/modules/contrib/smstools.if
+++ b/policy/modules/contrib/smstools.if
@@ -27,10 +27,7 @@ interface(`smstools_admin',`
allow $1 smsd_t:process { ptrace signal_perms };
ps_process_pattern($1, smsd_t)
- init_labeled_script_domtrans($1, smsd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 smsd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, smsd_t, smsd_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, smsd_conf_t)
diff --git a/policy/modules/contrib/snmp.if b/policy/modules/contrib/snmp.if
index bf78fa9..9677503 100644
--- a/policy/modules/contrib/snmp.if
+++ b/policy/modules/contrib/snmp.if
@@ -182,10 +182,7 @@ interface(`snmp_admin',`
allow $1 snmpd_t:process { ptrace signal_perms };
ps_process_pattern($1, snmpd_t)
- init_labeled_script_domtrans($1, snmpd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 snmpd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, snmpd_t, snmpd_initrc_exec_t)
logging_list_logs($1)
admin_pattern($1, snmpd_log_t)
diff --git a/policy/modules/contrib/snort.if b/policy/modules/contrib/snort.if
index 7d86b34..e6ae26e 100644
--- a/policy/modules/contrib/snort.if
+++ b/policy/modules/contrib/snort.if
@@ -45,10 +45,7 @@ interface(`snort_admin',`
allow $1 snort_t:process { ptrace signal_perms };
ps_process_pattern($1, snort_t)
- init_labeled_script_domtrans($1, snort_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 snort_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, snort_t, snort_initrc_exec_t)
admin_pattern($1, snort_etc_t)
files_search_etc($1)
diff --git a/policy/modules/contrib/soundserver.if b/policy/modules/contrib/soundserver.if
index a5abc5a..8dc1c0f 100644
--- a/policy/modules/contrib/soundserver.if
+++ b/policy/modules/contrib/soundserver.if
@@ -41,10 +41,7 @@ interface(`soundserver_admin',`
allow $1 soundd_t:process { ptrace signal_perms };
ps_process_pattern($1, soundd_t)
- init_labeled_script_domtrans($1, soundd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 soundd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, soundd_t, soundd_initrc_exec_t)
files_list_etc($1)
admin_pattern($1, soundd_etc_t)
diff --git a/policy/modules/contrib/spamassassin.if b/policy/modules/contrib/spamassassin.if
index 7f5a1cc..e915b5f 100644
--- a/policy/modules/contrib/spamassassin.if
+++ b/policy/modules/contrib/spamassassin.if
@@ -384,10 +384,7 @@ interface(`spamassassin_admin',`
allow $1 spamd_t:process { ptrace signal_perms };
ps_process_pattern($1, spamd_t)
- init_labeled_script_domtrans($1, spamd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 spamd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, spamd_t, spamd_initrc_exec_t)
files_list_tmp($1)
admin_pattern($1, spamd_tmp_t)
diff --git a/policy/modules/contrib/squid.if b/policy/modules/contrib/squid.if
index 5e1f053..941cedf 100644
--- a/policy/modules/contrib/squid.if
+++ b/policy/modules/contrib/squid.if
@@ -216,10 +216,7 @@ interface(`squid_admin',`
allow $1 squid_t:process { ptrace signal_perms };
ps_process_pattern($1, squid_t)
- init_labeled_script_domtrans($1, squid_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 squid_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, squid_t, squid_initrc_exec_t)
files_list_var($1)
admin_pattern($1, squid_cache_t)
diff --git a/policy/modules/contrib/sssd.if b/policy/modules/contrib/sssd.if
index a240455..e1b4cb0 100644
--- a/policy/modules/contrib/sssd.if
+++ b/policy/modules/contrib/sssd.if
@@ -342,10 +342,7 @@ interface(`sssd_admin',`
allow $1 sssd_t:process { ptrace signal_perms };
ps_process_pattern($1, sssd_t)
- sssd_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 sssd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, sssd_t, sssd_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, sssd_conf_t)
diff --git a/policy/modules/contrib/svnserve.if b/policy/modules/contrib/svnserve.if
index 5cd46e9..618dccb 100644
--- a/policy/modules/contrib/svnserve.if
+++ b/policy/modules/contrib/svnserve.if
@@ -25,10 +25,7 @@ interface(`svnserve_admin',`
allow $1 svnserve_t:process { ptrace signal_perms };
ps_process_pattern($1, svnserve_t)
- init_labeled_script_domtrans($1, svnserve_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 svnserve_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, svnserve_t, svnserve_initrc_exec_t)
files_search_pids($1)
admin_pattern($1, svnserve_var_run_t)
diff --git a/policy/modules/contrib/sysstat.if b/policy/modules/contrib/sysstat.if
index 14ae3f2..a00a0dd 100644
--- a/policy/modules/contrib/sysstat.if
+++ b/policy/modules/contrib/sysstat.if
@@ -46,10 +46,7 @@ interface(`sysstat_admin',`
allow $1 sysstat_t:process { ptrace signal_perms };
ps_process_pattern($1, sysstat_t)
- init_labeled_script_domtrans($1, sysstat_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 sysstat_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, sysstat_t, sysstat_initrc_exec_t)
logging_search_logs($1)
admin_pattern($1, sysstat_log_t)
diff --git a/policy/modules/contrib/systemtap.if b/policy/modules/contrib/systemtap.if
index d60a21e..62520b3 100644
--- a/policy/modules/contrib/systemtap.if
+++ b/policy/modules/contrib/systemtap.if
@@ -26,10 +26,7 @@ interface(`stapserver_admin',`
allow $1 stapserver_t:process { ptrace signal_perms };
ps_process_pattern($1, stapserver_t)
- init_labeled_script_domtrans($1, stapserver_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 stapserver_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, stapserver_t, stapserver_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, stapserver_conf_t)
diff --git a/policy/modules/contrib/tcsd.if b/policy/modules/contrib/tcsd.if
index b42ec1d..5140a7d 100644
--- a/policy/modules/contrib/tcsd.if
+++ b/policy/modules/contrib/tcsd.if
@@ -141,10 +141,7 @@ interface(`tcsd_admin',`
allow $1 tcsd_t:process { ptrace signal_perms };
ps_process_pattern($1, tcsd_t)
- tcsd_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 tcsd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, tcsd_t, tcsd_initrc_exec_t)
files_search_var_lib($1)
admin_pattern($1, tcsd_var_lib_t)
diff --git a/policy/modules/contrib/tgtd.if b/policy/modules/contrib/tgtd.if
index dc5b46e..3056b2e 100644
--- a/policy/modules/contrib/tgtd.if
+++ b/policy/modules/contrib/tgtd.if
@@ -83,10 +83,7 @@ interface(`tgtd_admin',`
allow $1 tgtd_t:process { ptrace signal_perms };
ps_process_pattern($1, tgtd_t)
- init_labeled_script_domtrans($1, tgtd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 tgtd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, tgtd_t, tgtd_initrc_exec_t)
files_search_var_lib($1)
admin_pattern($1, tgtd_var_lib_t)
diff --git a/policy/modules/contrib/tor.if b/policy/modules/contrib/tor.if
index 61c2e07..f2fc7a7 100644
--- a/policy/modules/contrib/tor.if
+++ b/policy/modules/contrib/tor.if
@@ -45,10 +45,7 @@ interface(`tor_admin',`
allow $1 tor_t:process { ptrace signal_perms };
ps_process_pattern($1, tor_t)
- init_labeled_script_domtrans($1, tor_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 tor_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, tor_t, tor_initrc_exec_t)
files_list_etc($1)
admin_pattern($1, tor_etc_t)
diff --git a/policy/modules/contrib/transproxy.if b/policy/modules/contrib/transproxy.if
index 81a8351..946881b 100644
--- a/policy/modules/contrib/transproxy.if
+++ b/policy/modules/contrib/transproxy.if
@@ -25,10 +25,7 @@ interface(`transproxy_admin',`
allow $1 transproxy_t:process { ptrace signal_perms };
ps_process_pattern($1, transproxy_t)
- init_labeled_script_domtrans($1, transproxy_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 transproxy_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, transproxy_t, transproxy_initrc_exec_t)
files_search_pids($1)
admin_pattern($1, transproxy_var_run_t)
diff --git a/policy/modules/contrib/tuned.if b/policy/modules/contrib/tuned.if
index e29db63..5ca6fa5 100644
--- a/policy/modules/contrib/tuned.if
+++ b/policy/modules/contrib/tuned.if
@@ -122,10 +122,7 @@ interface(`tuned_admin',`
allow $1 tuned_t:process { ptrace signal_perms };
ps_process_pattern($1, tuned_t)
- tuned_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 tuned_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, tuned_t, tuned_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, { tuned_etc_t tuned_rw_etc_t })
diff --git a/policy/modules/contrib/ulogd.if b/policy/modules/contrib/ulogd.if
index 9b95c3e..290eb1b 100644
--- a/policy/modules/contrib/ulogd.if
+++ b/policy/modules/contrib/ulogd.if
@@ -126,10 +126,7 @@ interface(`ulogd_admin',`
allow $1 ulogd_t:process { ptrace signal_perms };
ps_process_pattern($1, ulogd_t)
- init_labeled_script_domtrans($1, ulogd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 ulogd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, ulogd_t, ulogd_initrc_exec_t)
files_list_etc($1)
admin_pattern($1, ulogd_etc_t)
diff --git a/policy/modules/contrib/uptime.if b/policy/modules/contrib/uptime.if
index 19f4724..ce3bc3b 100644
--- a/policy/modules/contrib/uptime.if
+++ b/policy/modules/contrib/uptime.if
@@ -26,10 +26,7 @@ interface(`uptime_admin',`
allow $1 uptimed_t:process { ptrace signal_perms };
ps_process_pattern($1, uptimed_t)
- init_labeled_script_domtrans($1, uptimed_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 uptimed_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, uptimed_t, uptimed_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, uptimed_etc_t)
diff --git a/policy/modules/contrib/uucp.if b/policy/modules/contrib/uucp.if
index af9acc0..a06faaf 100644
--- a/policy/modules/contrib/uucp.if
+++ b/policy/modules/contrib/uucp.if
@@ -104,10 +104,7 @@ interface(`uucp_admin',`
type uucpd_var_run_t, uucpd_initrc_exec_t;
')
- init_labeled_script_domtrans($1, uucpd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 uucpd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, uucpd_t, uucpd_initrc_exec_t)
allow $1 uucpd_t:process { ptrace signal_perms };
ps_process_pattern($1, uucpd_t)
diff --git a/policy/modules/contrib/uuidd.if b/policy/modules/contrib/uuidd.if
index 6e48653..30f45eb 100644
--- a/policy/modules/contrib/uuidd.if
+++ b/policy/modules/contrib/uuidd.if
@@ -181,10 +181,7 @@ interface(`uuidd_admin',`
allow $1 uuidd_t:process signal_perms;
ps_process_pattern($1, uuidd_t)
- uuidd_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 uuidd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, uuidd_t, uuidd_initrc_exec_t)
files_search_var_lib($1)
admin_pattern($1, uuidd_var_lib_t)
diff --git a/policy/modules/contrib/varnishd.if b/policy/modules/contrib/varnishd.if
index 1c35171..e2dc5ea 100644
--- a/policy/modules/contrib/varnishd.if
+++ b/policy/modules/contrib/varnishd.if
@@ -160,10 +160,7 @@ interface(`varnishd_admin_varnishlog',`
allow $1 varnishlog_t:process { ptrace signal_perms };
ps_process_pattern($1, varnishlog_t)
- init_labeled_script_domtrans($1, varnishlog_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 varnishlog_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, varnishlog_t, varnishlog_initrc_exec_t)
files_list_pids($1)
admin_pattern($1, varnishlog_var_run_t)
@@ -199,10 +196,7 @@ interface(`varnishd_admin',`
allow $1 varnishd_t:process { ptrace signal_perms };
ps_process_pattern($1, varnishd_t)
- init_labeled_script_domtrans($1, varnishd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 varnishd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, varnishd_t, varnishd_initrc_exec_t)
files_list_var_lib($1)
admin_pattern($1, varnishd_var_lib_t)
diff --git a/policy/modules/contrib/vdagent.if b/policy/modules/contrib/vdagent.if
index 31c752e..c4a5ed7 100644
--- a/policy/modules/contrib/vdagent.if
+++ b/policy/modules/contrib/vdagent.if
@@ -121,10 +121,7 @@ interface(`vdagent_admin',`
allow $1 vdagent_t:process signal_perms;
ps_process_pattern($1, vdagent_t)
- init_labeled_script_domtrans($1, vdagentd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 vdagentd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, vdagentd_t, vdagentd_initrc_exec_t)
logging_search_logs($1)
admin_pattern($1, vdagent_log_t)
diff --git a/policy/modules/contrib/vhostmd.if b/policy/modules/contrib/vhostmd.if
index 22edd58..3c66a92 100644
--- a/policy/modules/contrib/vhostmd.if
+++ b/policy/modules/contrib/vhostmd.if
@@ -219,10 +219,7 @@ interface(`vhostmd_admin',`
allow $1 vhostmd_t:process { ptrace signal_perms };
ps_process_pattern($1, vhostmd_t)
- vhostmd_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 vhostmd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, vhostmd_t, vhostmd_initrc_exec_t)
fs_search_tmpfs($1)
admin_pattern($1, vhostmd_tmpfs_t)
diff --git a/policy/modules/contrib/virt.if b/policy/modules/contrib/virt.if
index 7c97c87..5b57d50 100644
--- a/policy/modules/contrib/virt.if
+++ b/policy/modules/contrib/virt.if
@@ -1176,10 +1176,7 @@ interface(`virt_admin',`
ps_process_pattern($1, { virt_domain svirt_lxc_domain virtd_t })
ps_process_pattern($1, { virtd_lxc_t virsh_t virt_bridgehelper_t virt_qmf_t })
- init_labeled_script_domtrans($1, virtd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 virtd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, virtd_t, virtd_initrc_exec_t)
fs_search_tmpfs($1)
admin_pattern($1, virt_tmpfs_type)
diff --git a/policy/modules/contrib/vnstatd.if b/policy/modules/contrib/vnstatd.if
index 137ac44..7ec9bd0 100644
--- a/policy/modules/contrib/vnstatd.if
+++ b/policy/modules/contrib/vnstatd.if
@@ -168,10 +168,7 @@ interface(`vnstatd_admin',`
allow $1 vnstatd_t:process { ptrace signal_perms };
ps_process_pattern($1, vnstatd_t)
- init_labeled_script_domtrans($1, vnstatd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 vnstatd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, vnstatd_t, vnstatd_initrc_exec_t)
files_search_pids($1)
admin_pattern($1, vnstatd_var_run_t)
diff --git a/policy/modules/contrib/watchdog.if b/policy/modules/contrib/watchdog.if
index 6461a77..b0fe922 100644
--- a/policy/modules/contrib/watchdog.if
+++ b/policy/modules/contrib/watchdog.if
@@ -26,10 +26,7 @@ interface(`watchdog_admin',`
allow $1 watchdog_t:process { ptrace signal_perms };
ps_process_pattern($1, watchdog_t)
- init_labeled_script_domtrans($1, watchdog_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 watchdog_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, watchdog_t, watchdog_initrc_exec_t)
logging_search_logs($1)
admin_pattern($1, watchdog_log_t)
diff --git a/policy/modules/contrib/wdmd.if b/policy/modules/contrib/wdmd.if
index 1e3aec0..53de648 100644
--- a/policy/modules/contrib/wdmd.if
+++ b/policy/modules/contrib/wdmd.if
@@ -45,10 +45,7 @@ interface(`wdmd_admin',`
allow $1 wdmd_t:process { ptrace signal_perms };
ps_process_pattern($1, wdmd_t)
- init_labeled_script_domtrans($1, wdmd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 wdmd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, wdmd_t, wdmd_initrc_exec_t)
files_search_pids($1)
admin_pattern($1, wdmd_var_run_t)
diff --git a/policy/modules/contrib/xfs.if b/policy/modules/contrib/xfs.if
index 4570b86..1993406 100644
--- a/policy/modules/contrib/xfs.if
+++ b/policy/modules/contrib/xfs.if
@@ -84,10 +84,7 @@ interface(`xfs_admin',`
allow $1 xfs_t:process { ptrace signal_perms };
ps_process_pattern($1, xfs_t)
- init_labeled_script_domtrans($1, xfs_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 xfs_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, xfs_t, xfs_initrc_exec_t)
files_search_pids($1)
admin_pattern($1, xfs_var_run_t)
diff --git a/policy/modules/contrib/zabbix.if b/policy/modules/contrib/zabbix.if
index 29d87d7..d71bce0 100644
--- a/policy/modules/contrib/zabbix.if
+++ b/policy/modules/contrib/zabbix.if
@@ -146,10 +146,8 @@ interface(`zabbix_admin',`
allow $1 { zabbix_t zabbix_agent_t }:process { ptrace signal_perms };
ps_process_pattern($1, { zabbix_t zabbix_agent_t })
- init_labeled_script_domtrans($1, { zabbix_agent_initrc_exec_t zabbix_initrc_exec_t })
- domain_system_change_exemption($1)
- role_transition $2 { zabbix_agent_initrc_exec_t zabbix_initrc_exec_t } system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, zabbix_t, zabbix_initrc_exec_t)
+ init_startstop_service($1, $2, zabbix_agent_t, zabbix_agent_initrc_exec_t)
logging_list_logs($1)
admin_pattern($1, zabbix_log_t)
diff --git a/policy/modules/contrib/zarafa.if b/policy/modules/contrib/zarafa.if
index 83b4ca5..37a7434 100644
--- a/policy/modules/contrib/zarafa.if
+++ b/policy/modules/contrib/zarafa.if
@@ -152,10 +152,7 @@ interface(`zarafa_admin',`
allow $1 zarafa_domain:process { ptrace signal_perms };
ps_process_pattern($1, zarafa_domain)
- init_labeled_script_domtrans($1, zarafa_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 zarafa_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, zarafa_t, zarafa_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, zarafa_etc_t)
diff --git a/policy/modules/contrib/zebra.if b/policy/modules/contrib/zebra.if
index 3416401..21da77a 100644
--- a/policy/modules/contrib/zebra.if
+++ b/policy/modules/contrib/zebra.if
@@ -69,10 +69,7 @@ interface(`zebra_admin',`
allow $1 zebra_t:process { ptrace signal_perms };
ps_process_pattern($1, zebra_t)
- init_labeled_script_domtrans($1, zebra_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 zebra_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, zebra_t, zebra_initrc_exec_t)
files_list_etc($1)
admin_pattern($1, zebra_conf_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-05-22 19:32 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-05-22 19:32 UTC (permalink / raw
To: gentoo-commits
commit: d6a80852487e87428cb97f9d9f776bd2f7ac4348
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Fri May 22 14:08:42 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri May 22 19:19:23 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d6a80852
Use init_startstop_service in admin interfaces A-M
Most foo_admin interfaces have transitions on the
foo_initrc_exec_t to system_r. These are only applicable
for RedHat <6. This replaces them with the interface
init_startstop_service which can easily be changed for
other init systems.
make validate passes for all combinations of distros,
standard/mcs/mls, monolithic y/n and direct_initrc y/n
This patch is for files starting with A-M.
policy/modules/contrib/abrt.if | 5 +----
policy/modules/contrib/acct.if | 5 +----
policy/modules/contrib/afs.if | 5 +----
policy/modules/contrib/aiccu.if | 5 +----
policy/modules/contrib/aisexec.if | 5 +----
policy/modules/contrib/amavis.if | 5 +----
policy/modules/contrib/amtu.if | 5 +----
policy/modules/contrib/apache.if | 5 +----
policy/modules/contrib/apcupsd.if | 5 +----
policy/modules/contrib/apm.if | 5 +----
policy/modules/contrib/arpwatch.if | 5 +----
policy/modules/contrib/asterisk.if | 5 +----
policy/modules/contrib/automount.if | 5 +----
policy/modules/contrib/avahi.if | 5 +----
policy/modules/contrib/bacula.if | 5 +----
policy/modules/contrib/bcfg2.if | 5 +----
policy/modules/contrib/bind.if | 5 +----
policy/modules/contrib/bird.if | 5 +----
policy/modules/contrib/bitlbee.if | 5 +----
policy/modules/contrib/bluetooth.if | 5 +----
policy/modules/contrib/boinc.if | 5 +----
policy/modules/contrib/cachefilesd.if | 5 +----
policy/modules/contrib/callweaver.if | 5 +----
policy/modules/contrib/canna.if | 5 +----
policy/modules/contrib/ccs.if | 5 +----
policy/modules/contrib/certmaster.if | 5 +----
policy/modules/contrib/certmonger.if | 5 +----
policy/modules/contrib/cfengine.if | 5 +----
policy/modules/contrib/cgroup.if | 7 ++-----
policy/modules/contrib/chronyd.if | 5 +----
policy/modules/contrib/cipe.if | 5 +----
policy/modules/contrib/clamav.if | 5 +----
policy/modules/contrib/cmirrord.if | 5 +----
policy/modules/contrib/cobbler.if | 5 +----
policy/modules/contrib/collectd.if | 5 +----
policy/modules/contrib/condor.if | 5 +----
policy/modules/contrib/corosync.if | 5 +----
policy/modules/contrib/couchdb.if | 5 +----
policy/modules/contrib/ctdb.if | 5 +----
policy/modules/contrib/cups.if | 5 +----
policy/modules/contrib/cvs.if | 5 +----
policy/modules/contrib/cyphesis.if | 5 +----
policy/modules/contrib/cyrus.if | 5 +----
policy/modules/contrib/dante.if | 5 +----
policy/modules/contrib/ddclient.if | 5 +----
policy/modules/contrib/denyhosts.if | 5 +----
policy/modules/contrib/dhcp.if | 5 +----
policy/modules/contrib/dictd.if | 5 +----
policy/modules/contrib/dirmngr.if | 5 +----
policy/modules/contrib/distcc.if | 5 +----
policy/modules/contrib/dkim.if | 5 +----
policy/modules/contrib/dnsmasq.if | 5 +----
policy/modules/contrib/dnssectrigger.if | 5 +----
policy/modules/contrib/dovecot.if | 5 +----
policy/modules/contrib/drbd.if | 5 +----
policy/modules/contrib/dspam.if | 5 +----
policy/modules/contrib/entropyd.if | 5 +----
policy/modules/contrib/exim.if | 5 +----
policy/modules/contrib/fail2ban.if | 5 +----
policy/modules/contrib/fcoe.if | 5 +----
policy/modules/contrib/fetchmail.if | 5 +----
policy/modules/contrib/firewalld.if | 5 +----
policy/modules/contrib/ftp.if | 5 +----
policy/modules/contrib/gatekeeper.if | 5 +----
policy/modules/contrib/gdomap.if | 5 +----
policy/modules/contrib/glance.if | 6 ++----
policy/modules/contrib/glusterfs.if | 5 +----
policy/modules/contrib/gpm.if | 5 +----
policy/modules/contrib/gpsd.if | 5 +----
policy/modules/contrib/hadoop.if | 5 +----
policy/modules/contrib/hddtemp.if | 5 +----
policy/modules/contrib/howl.if | 5 +----
policy/modules/contrib/hypervkvp.if | 5 +----
policy/modules/contrib/i18n_input.if | 5 +----
policy/modules/contrib/icecast.if | 5 +----
policy/modules/contrib/ifplugd.if | 5 +----
policy/modules/contrib/inn.if | 5 +----
policy/modules/contrib/iodine.if | 5 +----
policy/modules/contrib/ircd.if | 5 +----
policy/modules/contrib/irqbalance.if | 5 +----
policy/modules/contrib/iscsi.if | 5 +----
policy/modules/contrib/isns.if | 5 +----
policy/modules/contrib/jabber.if | 5 +----
policy/modules/contrib/kdump.if | 5 +----
policy/modules/contrib/kerberos.if | 5 +----
policy/modules/contrib/kerneloops.if | 5 +----
policy/modules/contrib/keystone.if | 5 +----
policy/modules/contrib/kismet.if | 5 +----
policy/modules/contrib/ksmtuned.if | 5 +----
policy/modules/contrib/kudzu.if | 5 +----
policy/modules/contrib/l2tp.if | 5 +----
policy/modules/contrib/ldap.if | 5 +----
policy/modules/contrib/likewise.if | 5 +----
policy/modules/contrib/lircd.if | 5 +----
policy/modules/contrib/lldpad.if | 5 +----
policy/modules/contrib/mailscanner.if | 5 +----
policy/modules/contrib/mcelog.if | 5 +----
policy/modules/contrib/memcached.if | 5 +----
policy/modules/contrib/minidlna.if | 5 +----
policy/modules/contrib/minissdpd.if | 5 +----
policy/modules/contrib/mongodb.if | 5 +----
policy/modules/contrib/monop.if | 5 +----
policy/modules/contrib/mpd.if | 5 +----
policy/modules/contrib/mrtg.if | 5 +----
policy/modules/contrib/munin.if | 5 +----
policy/modules/contrib/mysql.if | 6 ++----
106 files changed, 109 insertions(+), 425 deletions(-)
diff --git a/policy/modules/contrib/abrt.if b/policy/modules/contrib/abrt.if
index 058d908..39b6d29 100644
--- a/policy/modules/contrib/abrt.if
+++ b/policy/modules/contrib/abrt.if
@@ -304,10 +304,7 @@ interface(`abrt_admin',`
allow $1 abrt_domain:process { ptrace signal_perms };
ps_process_pattern($1, abrt_domain)
- init_labeled_script_domtrans($1, abrt_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 abrt_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, abrt_t, abrt_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, abrt_etc_t)
diff --git a/policy/modules/contrib/acct.if b/policy/modules/contrib/acct.if
index 81280d0..59d95d0 100644
--- a/policy/modules/contrib/acct.if
+++ b/policy/modules/contrib/acct.if
@@ -106,10 +106,7 @@ interface(`acct_admin',`
allow $1 acct_t:process { ptrace signal_perms };
ps_process_pattern($1, acct_t)
- init_labeled_script_domtrans($1, acct_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 acct_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, acct_t, acct_initrc_exec_t)
logging_search_logs($1)
admin_pattern($1, acct_data_t)
diff --git a/policy/modules/contrib/afs.if b/policy/modules/contrib/afs.if
index 3b41be6..d934f45 100644
--- a/policy/modules/contrib/afs.if
+++ b/policy/modules/contrib/afs.if
@@ -103,10 +103,7 @@ interface(`afs_admin',`
allow $1 afs_domain:process { ptrace signal_perms };
ps_process_pattern($1, afs_domain)
- afs_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 afs_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, afs_domain, afs_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, afs_config_t)
diff --git a/policy/modules/contrib/aiccu.if b/policy/modules/contrib/aiccu.if
index 3b5dcb9..cd22faa 100644
--- a/policy/modules/contrib/aiccu.if
+++ b/policy/modules/contrib/aiccu.if
@@ -82,10 +82,7 @@ interface(`aiccu_admin',`
allow $1 aiccu_t:process { ptrace signal_perms };
ps_process_pattern($1, aiccu_t)
- aiccu_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 aiccu_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, aiccu_t, aiccu_initrc_exec_t)
admin_pattern($1, aiccu_etc_t)
files_list_etc($1)
diff --git a/policy/modules/contrib/aisexec.if b/policy/modules/contrib/aisexec.if
index a2997fa..9e1a105 100644
--- a/policy/modules/contrib/aisexec.if
+++ b/policy/modules/contrib/aisexec.if
@@ -86,10 +86,7 @@ interface(`aisexecd_admin',`
allow $1 aisexec_t:process { ptrace signal_perms };
ps_process_pattern($1, aisexec_t)
- init_labeled_script_domtrans($1, aisexec_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 aisexec_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, aisexec_t, aisexec_initrc_exec_t)
files_list_var_lib($1)
admin_pattern($1, aisexec_var_lib_t)
diff --git a/policy/modules/contrib/amavis.if b/policy/modules/contrib/amavis.if
index 60d4f8c..f8a810c 100644
--- a/policy/modules/contrib/amavis.if
+++ b/policy/modules/contrib/amavis.if
@@ -237,10 +237,7 @@ interface(`amavis_admin',`
allow $1 amavis_t:process { ptrace signal_perms };
ps_process_pattern($1, amavis_t)
- amavis_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 amavis_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, amavis_t, amavis_initrc_exec_t)
files_list_etc($1)
admin_pattern($1, amavis_etc_t)
diff --git a/policy/modules/contrib/amtu.if b/policy/modules/contrib/amtu.if
index 884b23b..6942560 100644
--- a/policy/modules/contrib/amtu.if
+++ b/policy/modules/contrib/amtu.if
@@ -70,8 +70,5 @@ interface(`amtu_admin',`
allow $1 amtu_t:process { ptrace signal_perms };
ps_process_pattern($1, amtu_t)
- init_labeled_script_domtrans($1, amtu_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 amtu_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, amtu_t, amtu_initrc_exec_t)
')
diff --git a/policy/modules/contrib/apache.if b/policy/modules/contrib/apache.if
index 717c6f7..16539db 100644
--- a/policy/modules/contrib/apache.if
+++ b/policy/modules/contrib/apache.if
@@ -1318,10 +1318,7 @@ interface(`apache_admin',`
ps_process_pattern($1, { httpd_script_domains httpd_t httpd_helper_t })
ps_process_pattern($1, { httpd_rotatelogs_t httpd_suexec_t httpd_passwd_t })
- init_labeled_script_domtrans($1, httpd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 httpd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, httpd_t, httpd_initrc_exec_t)
apache_manage_all_content($1)
miscfiles_manage_public_files($1)
diff --git a/policy/modules/contrib/apcupsd.if b/policy/modules/contrib/apcupsd.if
index f3c0aba..3dda634 100644
--- a/policy/modules/contrib/apcupsd.if
+++ b/policy/modules/contrib/apcupsd.if
@@ -149,10 +149,7 @@ interface(`apcupsd_admin',`
allow $1 apcupsd_t:process { ptrace signal_perms };
ps_process_pattern($1, apcupsd_t)
- apcupsd_initrc_domtrans($1, apcupsd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 apcupsd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, apcupsd_t, apcupsd_initrc_exec_t)
files_list_var($1)
admin_pattern($1, apcupsd_lock_t)
diff --git a/policy/modules/contrib/apm.if b/policy/modules/contrib/apm.if
index 1a7a97e..32a59e1 100644
--- a/policy/modules/contrib/apm.if
+++ b/policy/modules/contrib/apm.if
@@ -166,10 +166,7 @@ interface(`apm_admin',`
allow $1 apmd_t:process { ptrace signal_perms };
ps_process_pattern($1, apmd_t)
- init_labeled_script_domtrans($1, apmd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 apmd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, apmd_t, apmd_initrc_exec_t)
logging_search_logs($1)
admin_pattern($1, apmd_log_t)
diff --git a/policy/modules/contrib/arpwatch.if b/policy/modules/contrib/arpwatch.if
index 50c9b9c..76389b7 100644
--- a/policy/modules/contrib/arpwatch.if
+++ b/policy/modules/contrib/arpwatch.if
@@ -143,10 +143,7 @@ interface(`arpwatch_admin',`
allow $1 arpwatch_t:process { ptrace signal_perms };
ps_process_pattern($1, arpwatch_t)
- arpwatch_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 arpwatch_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, arpwatch_t, arpwatch_initrc_exec_t)
files_list_tmp($1)
admin_pattern($1, arpwatch_tmp_t)
diff --git a/policy/modules/contrib/asterisk.if b/policy/modules/contrib/asterisk.if
index 2077053..2e3f5a4 100644
--- a/policy/modules/contrib/asterisk.if
+++ b/policy/modules/contrib/asterisk.if
@@ -127,10 +127,7 @@ interface(`asterisk_admin',`
allow $1 asterisk_t:process { ptrace signal_perms };
ps_process_pattern($1, asterisk_t)
- init_labeled_script_domtrans($1, asterisk_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 asterisk_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, asterisk_t, asterisk_initrc_exec_t)
asterisk_exec($1)
diff --git a/policy/modules/contrib/automount.if b/policy/modules/contrib/automount.if
index f24e369..37847d9 100644
--- a/policy/modules/contrib/automount.if
+++ b/policy/modules/contrib/automount.if
@@ -159,10 +159,7 @@ interface(`automount_admin',`
allow $1 automount_t:process { ptrace signal_perms };
ps_process_pattern($1, automount_t)
- init_labeled_script_domtrans($1, automount_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 automount_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, automount_t, automount_initrc_exec_t)
files_list_etc($1)
admin_pattern($1, automount_keytab_t)
diff --git a/policy/modules/contrib/avahi.if b/policy/modules/contrib/avahi.if
index 9078c3d..4652358 100644
--- a/policy/modules/contrib/avahi.if
+++ b/policy/modules/contrib/avahi.if
@@ -264,10 +264,7 @@ interface(`avahi_admin',`
allow $1 avahi_t:process { ptrace signal_perms };
ps_process_pattern($1, avahi_t)
- avahi_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 avahi_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, avahi_t, avahi_initrc_exec_t)
files_search_pids($1)
admin_pattern($1, avahi_var_run_t)
diff --git a/policy/modules/contrib/bacula.if b/policy/modules/contrib/bacula.if
index dcd774e..18ad480 100644
--- a/policy/modules/contrib/bacula.if
+++ b/policy/modules/contrib/bacula.if
@@ -74,10 +74,7 @@ interface(`bacula_admin',`
allow $1 bacula_t:process { ptrace signal_perms };
ps_process_pattern($1, bacula_t)
- init_labeled_script_domtrans($1, bacula_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 bacula_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, bacula_t, bacula_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, bacula_etc_t)
diff --git a/policy/modules/contrib/bcfg2.if b/policy/modules/contrib/bcfg2.if
index ec95d36..0cd2d35 100644
--- a/policy/modules/contrib/bcfg2.if
+++ b/policy/modules/contrib/bcfg2.if
@@ -141,10 +141,7 @@ interface(`bcfg2_admin',`
allow $1 bcfg2_t:process { ptrace signal_perms };
ps_process_pattern($1, bcfg2_t)
- bcfg2_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 bcfg2_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, bcfg2_t, bcfg2_initrc_exec_t)
files_search_pids($1)
admin_pattern($1, bcfg2_var_run_t)
diff --git a/policy/modules/contrib/bind.if b/policy/modules/contrib/bind.if
index 531a8f2..9654435 100644
--- a/policy/modules/contrib/bind.if
+++ b/policy/modules/contrib/bind.if
@@ -370,10 +370,7 @@ interface(`bind_admin',`
allow $1 { named_t ndc_t }:process { ptrace signal_perms };
ps_process_pattern($1, { named_t ndc_t })
- init_labeled_script_domtrans($1, named_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 named_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, named_t, named_initrc_exec_t)
files_list_tmp($1)
admin_pattern($1, named_tmp_t)
diff --git a/policy/modules/contrib/bird.if b/policy/modules/contrib/bird.if
index 85c035f..d744d6b 100644
--- a/policy/modules/contrib/bird.if
+++ b/policy/modules/contrib/bird.if
@@ -26,10 +26,7 @@ interface(`bird_admin',`
allow $1 bird_t:process { ptrace signal_perms };
ps_process_pattern($1, bird_t)
- init_labeled_script_domtrans($1, bird_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 bird_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, bird_t, bird_initrc_exec_t)
files_list_etc($1)
admin_pattern($1, bird_etc_t)
diff --git a/policy/modules/contrib/bitlbee.if b/policy/modules/contrib/bitlbee.if
index e73fb79..3409d80 100644
--- a/policy/modules/contrib/bitlbee.if
+++ b/policy/modules/contrib/bitlbee.if
@@ -47,10 +47,7 @@ interface(`bitlbee_admin',`
allow $1 bitlbee_t:process { ptrace signal_perms };
ps_process_pattern($1, bitlbee_t)
- init_labeled_script_domtrans($1, bitlbee_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 bitlbee_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, bitlbee_t, bitlbee_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, bitlbee_conf_t)
diff --git a/policy/modules/contrib/bluetooth.if b/policy/modules/contrib/bluetooth.if
index c723a0a..09d6248 100644
--- a/policy/modules/contrib/bluetooth.if
+++ b/policy/modules/contrib/bluetooth.if
@@ -216,10 +216,7 @@ interface(`bluetooth_admin',`
allow $1 bluetooth_t:process { ptrace signal_perms };
ps_process_pattern($1, bluetooth_t)
- init_labeled_script_domtrans($1, bluetooth_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 bluetooth_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, bluetooth_t, bluetooth_initrc_exec_t)
files_list_tmp($1)
admin_pattern($1, bluetooth_tmp_t)
diff --git a/policy/modules/contrib/boinc.if b/policy/modules/contrib/boinc.if
index 02fefaa..464a896 100644
--- a/policy/modules/contrib/boinc.if
+++ b/policy/modules/contrib/boinc.if
@@ -28,10 +28,7 @@ interface(`boinc_admin',`
allow $1 { boinc_t boinc_project_t }:process { ptrace signal_perms };
ps_process_pattern($1, { boinc_t boinc_project_t })
- init_labeled_script_domtrans($1, boinc_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 boinc_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, boinc_t, boinc_initrc_exec_t)
logging_search_logs($1)
admin_pattern($1, boinc_log_t)
diff --git a/policy/modules/contrib/cachefilesd.if b/policy/modules/contrib/cachefilesd.if
index 8de2ab9..c4084b9 100644
--- a/policy/modules/contrib/cachefilesd.if
+++ b/policy/modules/contrib/cachefilesd.if
@@ -26,10 +26,7 @@ interface(`cachefilesd_admin',`
allow $1 cachefilesd_t:process { ptrace signal_perms };
ps_process_pattern($1, cachefilesd_t)
- init_labeled_script_domtrans($1, cachefilesd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 cachefilesd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, cachefilesd_t, cachefilesd_initrc_exec_t)
files_search_var($1)
admin_pattern($1, cachefilesd_cache_t)
diff --git a/policy/modules/contrib/callweaver.if b/policy/modules/contrib/callweaver.if
index 16f1855..f89bf39 100644
--- a/policy/modules/contrib/callweaver.if
+++ b/policy/modules/contrib/callweaver.if
@@ -65,10 +65,7 @@ interface(`callweaver_admin',`
allow $1 callweaver_t:process { ptrace signal_perms };
ps_process_pattern($1, callweaver_t)
- init_labeled_script_domtrans($1, callweaver_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 callweaver_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, callweaver_t, callweaver_initrc_exec_t)
logging_search_logs($1)
admin_pattern($1, callweaver_log_t)
diff --git a/policy/modules/contrib/canna.if b/policy/modules/contrib/canna.if
index 400db07..e3fd199 100644
--- a/policy/modules/contrib/canna.if
+++ b/policy/modules/contrib/canna.if
@@ -46,10 +46,7 @@ interface(`canna_admin',`
allow $1 canna_t:process { ptrace signal_perms };
ps_process_pattern($1, canna_t)
- init_labeled_script_domtrans($1, canna_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 canna_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, canna_t, canna_initrc_exec_t)
logging_list_logs($1)
admin_pattern($1, canna_log_t)
diff --git a/policy/modules/contrib/ccs.if b/policy/modules/contrib/ccs.if
index bb17e0f..92f67fa 100644
--- a/policy/modules/contrib/ccs.if
+++ b/policy/modules/contrib/ccs.if
@@ -105,10 +105,7 @@ interface(`ccs_admin',`
allow $1 ccs_t:process { ptrace signal_perms };
ps_process_pattern($1, ccs_t)
- init_labeled_script_domtrans($1, ccs_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 ccs_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, ccs_t, ccs_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, ccs_conf_t)
diff --git a/policy/modules/contrib/certmaster.if b/policy/modules/contrib/certmaster.if
index 0c53b18..741fdd3 100644
--- a/policy/modules/contrib/certmaster.if
+++ b/policy/modules/contrib/certmaster.if
@@ -124,10 +124,7 @@ interface(`certmaster_admin',`
allow $1 certmaster_t:process { ptrace signal_perms };
ps_process_pattern($1, certmaster_t)
- init_labeled_script_domtrans($1, certmaster_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 certmaster_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, certmaster_t, certmaster_initrc_exec_t)
files_list_etc($1)
miscfiles_manage_generic_cert_dirs($1)
diff --git a/policy/modules/contrib/certmonger.if b/policy/modules/contrib/certmonger.if
index 008f8ef..3a456b7 100644
--- a/policy/modules/contrib/certmonger.if
+++ b/policy/modules/contrib/certmonger.if
@@ -162,10 +162,7 @@ interface(`certmonger_admin',`
ps_process_pattern($1, certmonger_t)
allow $1 certmonger_t:process { ptrace signal_perms };
- certmonger_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 certmonger_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, certmonger_t, certmonger_initrc_exec_t)
files_search_var_lib($1)
admin_pattern($1, certmonger_var_lib_t)
diff --git a/policy/modules/contrib/cfengine.if b/policy/modules/contrib/cfengine.if
index a731122..fdef5f3 100644
--- a/policy/modules/contrib/cfengine.if
+++ b/policy/modules/contrib/cfengine.if
@@ -97,10 +97,7 @@ interface(`cfengine_admin',`
allow $1 cfengine_domain:process { ptrace signal_perms };
ps_process_pattern($1, cfengine_domain)
- init_labeled_script_domtrans($1, cfengine_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 cfengine_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, cfengine_domain, cfengine_initrc_exec_t)
files_search_var_lib($1)
admin_pattern($1, { cfengine_log_t cfengine_var_lib_t })
diff --git a/policy/modules/contrib/cgroup.if b/policy/modules/contrib/cgroup.if
index 85ca63f..2f8fa6f 100644
--- a/policy/modules/contrib/cgroup.if
+++ b/policy/modules/contrib/cgroup.if
@@ -180,11 +180,8 @@ interface(`cgroup_admin',`
admin_pattern($1, cgred_var_run_t)
files_list_pids($1)
- cgroup_initrc_domtrans_cgconfig($1)
- cgroup_initrc_domtrans_cgred($1)
- domain_system_change_exemption($1)
- role_transition $2 { cgconfig_initrc_exec_t cgred_initrc_exec_t } system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, cgred_t, cgred_initrc_exec_t)
+ init_startstop_service($1, $2, cgconfig_t, cgconfig_initrc_exec_t)
cgroup_run_cgclear($1, $2)
')
diff --git a/policy/modules/contrib/chronyd.if b/policy/modules/contrib/chronyd.if
index 32e8265..3d45be4 100644
--- a/policy/modules/contrib/chronyd.if
+++ b/policy/modules/contrib/chronyd.if
@@ -184,10 +184,7 @@ interface(`chronyd_admin',`
allow $1 chronyd_t:process { ptrace signal_perms };
ps_process_pattern($1, chronyd_t)
- chronyd_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 chronyd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, chronyd_t, chronyd_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, chronyd_keys_t)
diff --git a/policy/modules/contrib/cipe.if b/policy/modules/contrib/cipe.if
index 5fb51b2..11ec9dc 100644
--- a/policy/modules/contrib/cipe.if
+++ b/policy/modules/contrib/cipe.if
@@ -25,8 +25,5 @@ interface(`cipe_admin',`
allow $1 ciped_t:process { ptrace signal_perms };
ps_process_pattern($1, ciped_t)
- init_labeled_script_domtrans($1, ciped_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 ciped_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, ciped_t, ciped_initrc_exec_t)
')
diff --git a/policy/modules/contrib/clamav.if b/policy/modules/contrib/clamav.if
index 4cc4a5c..7ad8e80 100644
--- a/policy/modules/contrib/clamav.if
+++ b/policy/modules/contrib/clamav.if
@@ -205,10 +205,7 @@ interface(`clamav_admin',`
allow $1 { clamd_t clamscan_t freshclam_t }:process { ptrace signal_perms };
ps_process_pattern($1, { clamd_t clamscan_t freshclam_t })
- init_labeled_script_domtrans($1, clamd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 clamd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, clamd_t, clamd_initrc_exec_t)
files_list_etc($1)
admin_pattern($1, clamd_etc_t)
diff --git a/policy/modules/contrib/cmirrord.if b/policy/modules/contrib/cmirrord.if
index cc4e7cb..0785068 100644
--- a/policy/modules/contrib/cmirrord.if
+++ b/policy/modules/contrib/cmirrord.if
@@ -106,10 +106,7 @@ interface(`cmirrord_admin',`
allow $1 cmirrord_t:process { ptrace signal_perms };
ps_process_pattern($1, cmirrord_t)
- cmirrord_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 cmirrord_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, cmirrord_t, cmirrord_initrc_exec_t)
files_list_pids($1)
admin_pattern($1, cmirrord_var_run_t)
diff --git a/policy/modules/contrib/cobbler.if b/policy/modules/contrib/cobbler.if
index c223f81..376fa84 100644
--- a/policy/modules/contrib/cobbler.if
+++ b/policy/modules/contrib/cobbler.if
@@ -183,10 +183,7 @@ interface(`cobbler_admin',`
allow $1 cobblerd_t:process { ptrace signal_perms };
ps_process_pattern($1, cobblerd_t)
- cobblerd_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 cobblerd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, cobblerd_t, cobblerd_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, cobbler_etc_t)
diff --git a/policy/modules/contrib/collectd.if b/policy/modules/contrib/collectd.if
index 954309e..a55db07 100644
--- a/policy/modules/contrib/collectd.if
+++ b/policy/modules/contrib/collectd.if
@@ -26,10 +26,7 @@ interface(`collectd_admin',`
allow $1 collectd_t:process { ptrace signal_perms };
ps_process_pattern($1, collectd_t)
- init_labeled_script_domtrans($1, collectd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 collectd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, collectd_t, collectd_initrc_exec_t)
files_search_pids($1)
admin_pattern($1, collectd_var_run_t)
diff --git a/policy/modules/contrib/condor.if b/policy/modules/contrib/condor.if
index c80aaf5..b2af357 100644
--- a/policy/modules/contrib/condor.if
+++ b/policy/modules/contrib/condor.if
@@ -66,10 +66,7 @@ interface(`condor_admin',`
allow $1 condor_domain:process { ptrace signal_perms };
ps_process_pattern($1, condor_domain)
- init_labeled_script_domtrans($1, condor_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 condor_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, condor_domain, condor_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, condor_conf_t)
diff --git a/policy/modules/contrib/corosync.if b/policy/modules/contrib/corosync.if
index 694a037..57736aa 100644
--- a/policy/modules/contrib/corosync.if
+++ b/policy/modules/contrib/corosync.if
@@ -165,10 +165,7 @@ interface(`corosync_admin',`
allow $1 corosync_t:process { ptrace signal_perms };
ps_process_pattern($1, corosync_t)
- corosync_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 corosync_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, corosync_t, corosync_initrc_exec_t)
files_list_tmp($1)
admin_pattern($1, corosync_tmp_t)
diff --git a/policy/modules/contrib/couchdb.if b/policy/modules/contrib/couchdb.if
index 715a826..830c271 100644
--- a/policy/modules/contrib/couchdb.if
+++ b/policy/modules/contrib/couchdb.if
@@ -103,10 +103,7 @@ interface(`couchdb_admin',`
allow $1 couchdb_t:process { ptrace signal_perms };
ps_process_pattern($1, couchdb_t)
- init_labeled_script_domtrans($1, couchdb_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 couchdb_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, couchdb_t, couchdb_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, couchdb_conf_t)
diff --git a/policy/modules/contrib/ctdb.if b/policy/modules/contrib/ctdb.if
index b25b01d..79b0c9a 100644
--- a/policy/modules/contrib/ctdb.if
+++ b/policy/modules/contrib/ctdb.if
@@ -66,10 +66,7 @@ interface(`ctdb_admin',`
allow $1 ctdbd_t:process { ptrace signal_perms };
ps_process_pattern($1, ctdbd_t)
- init_labeled_script_domtrans($1, ctdbd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 ctdbd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, ctdbd_t, ctdbd_initrc_exec_t)
logging_search_logs($1)
admin_pattern($1, ctdbd_log_t)
diff --git a/policy/modules/contrib/cups.if b/policy/modules/contrib/cups.if
index 3023be7..cad7df2 100644
--- a/policy/modules/contrib/cups.if
+++ b/policy/modules/contrib/cups.if
@@ -357,10 +357,7 @@ interface(`cups_admin',`
ps_process_pattern($1, { cupsd_t cupsd_config_t cupsd_lpd_t })
ps_process_pattern($1, { cups_pdf_t hplip_t ptal_t })
- init_labeled_script_domtrans($1, cupsd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 cupsd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, cupsd_t, cupsd_initrc_exec_t)
files_list_etc($1)
admin_pattern($1, { cupsd_etc_t cupsd_rw_etc_t ptal_etc_t })
diff --git a/policy/modules/contrib/cvs.if b/policy/modules/contrib/cvs.if
index 64775fd..49f6c1c 100644
--- a/policy/modules/contrib/cvs.if
+++ b/policy/modules/contrib/cvs.if
@@ -65,10 +65,7 @@ interface(`cvs_admin',`
allow $1 cvs_t:process { ptrace signal_perms };
ps_process_pattern($1, cvs_t)
- init_labeled_script_domtrans($1, cvs_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 cvs_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, cvs_t, cvs_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, cvs_keytab_t)
diff --git a/policy/modules/contrib/cyphesis.if b/policy/modules/contrib/cyphesis.if
index df8aa4a..da37d4e 100644
--- a/policy/modules/contrib/cyphesis.if
+++ b/policy/modules/contrib/cyphesis.if
@@ -45,10 +45,7 @@ interface(`cyphesis_admin',`
allow $1 cyphesis_t:process { ptrace signal_perms };
ps_process_pattern($1, cyphesis_t)
- init_labeled_script_domtrans($1, cyphesis_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 cyphesis_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, cyphesis_t, cyphesis_initrc_exec_t)
logging_search_logs($1)
admin_pattern($1, cyphesis_log_t)
diff --git a/policy/modules/contrib/cyrus.if b/policy/modules/contrib/cyrus.if
index 83bfda6..759e074 100644
--- a/policy/modules/contrib/cyrus.if
+++ b/policy/modules/contrib/cyrus.if
@@ -67,10 +67,7 @@ interface(`cyrus_admin',`
allow $1 cyrus_t:process { ptrace signal_perms };
ps_process_pattern($1, cyrus_t)
- init_labeled_script_domtrans($1, cyrus_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 cyrus_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, cyrus_t, cyrus_initrc_exec_t)
files_list_etc($1)
admin_pattern($1, cyrus_keytab_t)
diff --git a/policy/modules/contrib/dante.if b/policy/modules/contrib/dante.if
index e709177..8d02f8c 100644
--- a/policy/modules/contrib/dante.if
+++ b/policy/modules/contrib/dante.if
@@ -26,10 +26,7 @@ interface(`dante_admin',`
allow $1 dante_t:process { ptrace signal_perms };
ps_process_pattern($1, dante_t)
- init_labeled_script_domtrans($1, dante_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 dante_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, dante_t, dante_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, dante_conf_t)
diff --git a/policy/modules/contrib/ddclient.if b/policy/modules/contrib/ddclient.if
index 5606b40..96ddeea 100644
--- a/policy/modules/contrib/ddclient.if
+++ b/policy/modules/contrib/ddclient.if
@@ -73,10 +73,7 @@ interface(`ddclient_admin',`
allow $1 ddclient_t:process { ptrace signal_perms };
ps_process_pattern($1, ddclient_t)
- init_labeled_script_domtrans($1, ddclient_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 ddclient_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, ddclient_t, ddclient_initrc_exec_t)
files_list_etc($1)
admin_pattern($1, ddclient_etc_t)
diff --git a/policy/modules/contrib/denyhosts.if b/policy/modules/contrib/denyhosts.if
index a7326da..0fb8ec7 100644
--- a/policy/modules/contrib/denyhosts.if
+++ b/policy/modules/contrib/denyhosts.if
@@ -63,10 +63,7 @@ interface(`denyhosts_admin',`
allow $1 denyhosts_t:process { ptrace signal_perms };
ps_process_pattern($1, denyhosts_t)
- denyhosts_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 denyhosts_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, denyhosts_t, denyhosts_initrc_exec_t)
files_search_var_lib($1)
admin_pattern($1, denyhosts_var_lib_t)
diff --git a/policy/modules/contrib/dhcp.if b/policy/modules/contrib/dhcp.if
index c697edb..b7a0337 100644
--- a/policy/modules/contrib/dhcp.if
+++ b/policy/modules/contrib/dhcp.if
@@ -84,10 +84,7 @@ interface(`dhcpd_admin',`
allow $1 dhcpd_t:process { ptrace signal_perms };
ps_process_pattern($1, dhcpd_t)
- init_labeled_script_domtrans($1, dhcpd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 dhcpd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, dhcpd_t, dhcpd_initrc_exec_t)
files_list_tmp($1)
admin_pattern($1, dhcpd_tmp_t)
diff --git a/policy/modules/contrib/dictd.if b/policy/modules/contrib/dictd.if
index 3cc3494..3878acc 100644
--- a/policy/modules/contrib/dictd.if
+++ b/policy/modules/contrib/dictd.if
@@ -41,10 +41,7 @@ interface(`dictd_admin',`
allow $1 dictd_t:process { ptrace signal_perms };
ps_process_pattern($1, dictd_t)
- init_labeled_script_domtrans($1, dictd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 dictd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, dictd_t, dictd_initrc_exec_t)
files_list_etc($1)
admin_pattern($1, dictd_etc_t)
diff --git a/policy/modules/contrib/dirmngr.if b/policy/modules/contrib/dirmngr.if
index e5f6733..4cd2810 100644
--- a/policy/modules/contrib/dirmngr.if
+++ b/policy/modules/contrib/dirmngr.if
@@ -26,10 +26,7 @@ interface(`dirmngr_admin',`
allow $1 dirmngr_t:process { ptrace signal_perms };
ps_process_pattern($1, dirmngr_t)
- init_labeled_script_domtrans($1, dirmngr_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 dirmngr_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, dirmngr_t, dirmngr_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, dirmngr_conf_t)
diff --git a/policy/modules/contrib/distcc.if b/policy/modules/contrib/distcc.if
index 473823d..6b43286 100644
--- a/policy/modules/contrib/distcc.if
+++ b/policy/modules/contrib/distcc.if
@@ -26,10 +26,7 @@ interface(`distcc_admin',`
allow $1 distccd_t:process { ptrace signal_perms };
ps_process_pattern($1, distccd_t)
- init_labeled_script_domtrans($1, distccd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 distccd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, distccd_t, distccd_initrc_exec_t)
logging_search_logs($1)
admin_pattern($1, distccd_log_t)
diff --git a/policy/modules/contrib/dkim.if b/policy/modules/contrib/dkim.if
index 386e494..61e1f19 100644
--- a/policy/modules/contrib/dkim.if
+++ b/policy/modules/contrib/dkim.if
@@ -26,10 +26,7 @@ interface(`dkim_admin',`
allow $1 dkim_milter_t:process { ptrace signal_perms };
ps_process_pattern($1, dkim_milter_t)
- init_labeled_script_domtrans($1, dkim_milter_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 dkim_milter_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, dkim_milter_t, dkim_milter_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, dkim_milter_private_key_t)
diff --git a/policy/modules/contrib/dnsmasq.if b/policy/modules/contrib/dnsmasq.if
index 62e4948..f81566a 100644
--- a/policy/modules/contrib/dnsmasq.if
+++ b/policy/modules/contrib/dnsmasq.if
@@ -273,10 +273,7 @@ interface(`dnsmasq_admin',`
allow $1 dnsmasq_t:process { ptrace signal_perms };
ps_process_pattern($1, dnsmasq_t)
- init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 dnsmasq_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, dnsmasq_t, dnsmasq_initrc_exec_t)
files_list_var_lib($1)
admin_pattern($1, dnsmasq_lease_t)
diff --git a/policy/modules/contrib/dnssectrigger.if b/policy/modules/contrib/dnssectrigger.if
index 456da5c..eea250e 100644
--- a/policy/modules/contrib/dnssectrigger.if
+++ b/policy/modules/contrib/dnssectrigger.if
@@ -26,10 +26,7 @@ interface(`dnssectrigger_admin',`
allow $1 dnssec_triggerd_t:process { ptrace signal_perms };
ps_process_pattern($1, dnssec_triggerd_t)
- init_labeled_script_domtrans($1, dnssec_triggerd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 dnssec_triggerd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, dnssec_triggerd_t, dnssec_triggerd_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, dnssec_trigger_conf_t)
diff --git a/policy/modules/contrib/dovecot.if b/policy/modules/contrib/dovecot.if
index d5badb7..3608ba2 100644
--- a/policy/modules/contrib/dovecot.if
+++ b/policy/modules/contrib/dovecot.if
@@ -149,10 +149,7 @@ interface(`dovecot_admin',`
allow $1 dovecot_t:process { ptrace signal_perms };
ps_process_pattern($1, dovecot_t)
- init_labeled_script_domtrans($1, dovecot_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 dovecot_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, dovecot_t, dovecot_initrc_exec_t)
files_list_etc($1)
admin_pattern($1, { dovecot_keytab_t dovecot_etc_t })
diff --git a/policy/modules/contrib/drbd.if b/policy/modules/contrib/drbd.if
index 9a21639..f147c10 100644
--- a/policy/modules/contrib/drbd.if
+++ b/policy/modules/contrib/drbd.if
@@ -46,10 +46,7 @@ interface(`drbd_admin',`
allow $1 drbd_t:process { ptrace signal_perms };
ps_process_pattern($1, drbd_t)
- init_labeled_script_domtrans($1, drbd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 drbd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, drbd_t, drbd_initrc_exec_t)
files_search_locks($1)
admin_pattern($1, drbd_lock_t)
diff --git a/policy/modules/contrib/dspam.if b/policy/modules/contrib/dspam.if
index 18f2452..a8cd028 100644
--- a/policy/modules/contrib/dspam.if
+++ b/policy/modules/contrib/dspam.if
@@ -66,10 +66,7 @@ interface(`dspam_admin',`
allow $1 dspam_t:process { ptrace signal_perms };
ps_process_pattern($1, dspam_t)
- init_labeled_script_domtrans($1, dspam_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 dspam_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, dspam_t, dspam_initrc_exec_t)
logging_search_logs($1)
admin_pattern($1, dspam_log_t)
diff --git a/policy/modules/contrib/entropyd.if b/policy/modules/contrib/entropyd.if
index 1161fbf..eedfae6 100644
--- a/policy/modules/contrib/entropyd.if
+++ b/policy/modules/contrib/entropyd.if
@@ -25,10 +25,7 @@ interface(`entropyd_admin',`
allow $1 entropyd_t:process { ptrace signal_perms };
ps_process_pattern($1, entropyd_t)
- init_labeled_script_domtrans($1, entropyd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 entropyd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, entropyd_t, entropyd_initrc_exec_t)
files_search_pids($1)
admin_pattern($1, entropyd_var_run_t)
diff --git a/policy/modules/contrib/exim.if b/policy/modules/contrib/exim.if
index 9bbc690..51655bb 100644
--- a/policy/modules/contrib/exim.if
+++ b/policy/modules/contrib/exim.if
@@ -288,10 +288,7 @@ interface(`exim_admin',`
allow $1 exim_t:process { ptrace signal_perms };
ps_process_pattern($1, exim_t)
- init_labeled_script_domtrans($1, exim_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 exim_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, exim_t, exim_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, exim_keytab_t)
diff --git a/policy/modules/contrib/fail2ban.if b/policy/modules/contrib/fail2ban.if
index 50d0084..5b8e08b 100644
--- a/policy/modules/contrib/fail2ban.if
+++ b/policy/modules/contrib/fail2ban.if
@@ -266,10 +266,7 @@ interface(`fail2ban_admin',`
allow $1 { fail2ban_t fail2ban_client_t }:process { ptrace signal_perms };
ps_process_pattern($1, { fail2ban_t fail2ban_client_t })
- init_labeled_script_domtrans($1, fail2ban_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 fail2ban_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, fail2ban_t, fail2ban_initrc_exec_t)
logging_list_logs($1)
admin_pattern($1, fail2ban_log_t)
diff --git a/policy/modules/contrib/fcoe.if b/policy/modules/contrib/fcoe.if
index c3484a9..78d1147 100644
--- a/policy/modules/contrib/fcoe.if
+++ b/policy/modules/contrib/fcoe.if
@@ -44,10 +44,7 @@ interface(`fcoe_admin',`
allow $1 fcoemon_t:process { ptrace signal_perms };
ps_process_pattern($1, fcoemon_t)
- init_labeled_script_domtrans($1, fcoemon_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 fcoemon_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, fcoemon_t, fcoemon_initrc_exec_t)
files_search_pids($1)
admin_pattern($1, fcoemon_var_run_t)
diff --git a/policy/modules/contrib/fetchmail.if b/policy/modules/contrib/fetchmail.if
index c3f7916..5115aff 100644
--- a/policy/modules/contrib/fetchmail.if
+++ b/policy/modules/contrib/fetchmail.if
@@ -23,10 +23,7 @@ interface(`fetchmail_admin',`
type fetchmail_var_run_t, fetchmail_initrc_exec_t, fetchmail_log_t;
')
- init_labeled_script_domtrans($1, fetchmail_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 fetchmail_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, fetchmail_t, fetchmail_initrc_exec_t)
allow $1 fetchmail_t:process { ptrace signal_perms };
ps_process_pattern($1, fetchmail_t)
diff --git a/policy/modules/contrib/firewalld.if b/policy/modules/contrib/firewalld.if
index c62c567..a16179b 100644
--- a/policy/modules/contrib/firewalld.if
+++ b/policy/modules/contrib/firewalld.if
@@ -86,10 +86,7 @@ interface(`firewalld_admin',`
allow $1 firewalld_t:process { ptrace signal_perms };
ps_process_pattern($1, firewalld_t)
- init_labeled_script_domtrans($1, firewalld_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 firewalld_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, firewalld_t, firewalld_initrc_exec_t)
files_search_pids($1)
admin_pattern($1, firewalld_var_run_t)
diff --git a/policy/modules/contrib/ftp.if b/policy/modules/contrib/ftp.if
index 65adda9..93fd4be 100644
--- a/policy/modules/contrib/ftp.if
+++ b/policy/modules/contrib/ftp.if
@@ -182,10 +182,7 @@ interface(`ftp_admin',`
allow $1 { ftpd_t ftpdctl_t sftpd_t anon_sftpd_t }:process { ptrace signal_perms };
ps_process_pattern($1, { ftpd_t ftpdctl_t sftpd_t anon_sftpd_t })
- init_labeled_script_domtrans($1, ftpd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 ftpd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, ftpd_t, ftpd_initrc_exec_t)
miscfiles_manage_public_files($1)
diff --git a/policy/modules/contrib/gatekeeper.if b/policy/modules/contrib/gatekeeper.if
index 30926d7..83681df 100644
--- a/policy/modules/contrib/gatekeeper.if
+++ b/policy/modules/contrib/gatekeeper.if
@@ -26,10 +26,7 @@ interface(`gatekeeper_admin',`
allow $1 gatekeeper_t:process { ptrace signal_perms };
ps_process_pattern($1, gatekeeper_t)
- init_labeled_script_domtrans($1, gatekeeper_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 gatekeeper_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, gatekeeper_t, gatekeeper_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, gatekeeper_etc_t)
diff --git a/policy/modules/contrib/gdomap.if b/policy/modules/contrib/gdomap.if
index 7d6b6b7..58e5c44 100644
--- a/policy/modules/contrib/gdomap.if
+++ b/policy/modules/contrib/gdomap.if
@@ -45,10 +45,7 @@ interface(`gdomap_admin',`
allow $1 gdomap_t:process { ptrace signal_perms };
ps_process_pattern($1, gdomap_t)
- init_labeled_script_domtrans($1, gdomap_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 gdomap_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, gdomap_t, gdomap_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, gdomap_conf_t)
diff --git a/policy/modules/contrib/glance.if b/policy/modules/contrib/glance.if
index 9eacb2c..6d9f3da 100644
--- a/policy/modules/contrib/glance.if
+++ b/policy/modules/contrib/glance.if
@@ -245,10 +245,8 @@ interface(`glance_admin',`
allow $1 { glance_api_t glance_registry_t }:process signal_perms;
ps_process_pattern($1, { glance_api_t glance_registry_t })
- init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t })
- domain_system_change_exemption($1)
- role_transition $2 { glance_api_initrc_exec_t glance_registry_initrc_exec_t } system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, glance_api_t, glance_api_initrc_exec_t)
+ init_startstop_service($1, $2, glance_registry_t, glance_registry_initrc_exec_t)
logging_search_logs($1)
admin_pattern($1, glance_log_t)
diff --git a/policy/modules/contrib/glusterfs.if b/policy/modules/contrib/glusterfs.if
index 05233c8..0945d87 100644
--- a/policy/modules/contrib/glusterfs.if
+++ b/policy/modules/contrib/glusterfs.if
@@ -46,10 +46,7 @@ interface(`glusterfs_admin',`
type glusterd_var_run_t;
')
- init_labeled_script_domtrans($1, glusterd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 glusterd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, glusterd_t, glusterd_initrc_exec_t)
allow $1 glusterd_t:process { ptrace signal_perms };
ps_process_pattern($1, glusterd_t)
diff --git a/policy/modules/contrib/gpm.if b/policy/modules/contrib/gpm.if
index f1528c9..b9a4743 100644
--- a/policy/modules/contrib/gpm.if
+++ b/policy/modules/contrib/gpm.if
@@ -106,10 +106,7 @@ interface(`gpm_admin',`
allow $1 gpm_t:process { ptrace signal_perms };
ps_process_pattern($1, gpm_t)
- init_labeled_script_domtrans($1, gpm_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 gpm_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, gpm_t, gpm_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, gpm_conf_t)
diff --git a/policy/modules/contrib/gpsd.if b/policy/modules/contrib/gpsd.if
index 92eb564..1d10f63 100644
--- a/policy/modules/contrib/gpsd.if
+++ b/policy/modules/contrib/gpsd.if
@@ -91,10 +91,7 @@ interface(`gpsd_admin',`
allow $1 gpsd_t:process { ptrace signal_perms };
ps_process_pattern($1, gpsd_t)
- init_labeled_script_domtrans($1, gpsd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 gpsd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, gpsd_t, gpsd_initrc_exec_t)
files_search_pids($1)
admin_pattern($1, gpsd_var_run_t)
diff --git a/policy/modules/contrib/hadoop.if b/policy/modules/contrib/hadoop.if
index 2b0d488..a0a819f 100644
--- a/policy/modules/contrib/hadoop.if
+++ b/policy/modules/contrib/hadoop.if
@@ -441,10 +441,7 @@ interface(`hadoop_admin',`
allow $1 { hadoop_domain hadoop_initrc_domain hadoop_t zookeeper_t zookeeper_server_t }:process { ptrace signal_perms };
ps_process_pattern($1, { hadoop_domain hadoop_initrc_domain hadoop_t zookeeper_t zookeeper_server_t })
- init_labeled_script_domtrans($1, hadoop_init_script_file)
- domain_system_change_exemption($1)
- role_transition $2 hadoop_init_script_file system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, hadoop_domain, hadoop_init_script_file)
files_search_etc($1)
admin_pattern($1, { hadoop_etc_t zookeeper_etc_t })
diff --git a/policy/modules/contrib/hddtemp.if b/policy/modules/contrib/hddtemp.if
index 1728071..269bafd 100644
--- a/policy/modules/contrib/hddtemp.if
+++ b/policy/modules/contrib/hddtemp.if
@@ -63,10 +63,7 @@ interface(`hddtemp_admin',`
allow $1 hddtemp_t:process { ptrace signal_perms };
ps_process_pattern($1, hddtemp_t)
- init_labeled_script_domtrans($1, hddtemp_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 hddtemp_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, hddtemp_t, hddtemp_initrc_exec_t)
admin_pattern($1, hddtemp_etc_t)
files_search_etc($1)
diff --git a/policy/modules/contrib/howl.if b/policy/modules/contrib/howl.if
index dc609f0..afea184 100644
--- a/policy/modules/contrib/howl.if
+++ b/policy/modules/contrib/howl.if
@@ -43,10 +43,7 @@ interface(`howl_admin',`
allow $1 howl_t:process { ptrace signal_perms };
ps_process_pattern($1, howl_t)
- init_labeled_script_domtrans($1, howl_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 howl_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, howl_t, howl_initrc_exec_t)
files_search_pids($1)
admin_pattern($1, howl_var_run_t)
diff --git a/policy/modules/contrib/hypervkvp.if b/policy/modules/contrib/hypervkvp.if
index 6517fad..f9a3b8e 100644
--- a/policy/modules/contrib/hypervkvp.if
+++ b/policy/modules/contrib/hypervkvp.if
@@ -25,8 +25,5 @@ interface(`hypervkvp_admin',`
allow $1 hypervkvpd_t:process { ptrace signal_perms };
ps_process_pattern($1, hypervkvpd_t)
- init_labeled_script_domtrans($1, hypervkvpd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 hypervkvpd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, hypervkvpd_t, hypervkvpd_initrc_exec_t)
')
diff --git a/policy/modules/contrib/i18n_input.if b/policy/modules/contrib/i18n_input.if
index 5eab254..b908264 100644
--- a/policy/modules/contrib/i18n_input.if
+++ b/policy/modules/contrib/i18n_input.if
@@ -40,10 +40,7 @@ interface(`i18n_input_admin',`
allow $1 i18n_input_t:process { ptrace signal_perms };
ps_process_pattern($1, i18n_input_t)
- init_labeled_script_domtrans($1, i18n_input_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 i18n_input_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, i18n_input_t, i18n_input_initrc_exec_t)
files_search_pids($1)
admin_pattern($1, i18n_input_var_run_t)
diff --git a/policy/modules/contrib/icecast.if b/policy/modules/contrib/icecast.if
index 580b533..38ce1b7 100644
--- a/policy/modules/contrib/icecast.if
+++ b/policy/modules/contrib/icecast.if
@@ -176,10 +176,7 @@ interface(`icecast_admin',`
type icecast_var_run_t;
')
- icecast_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 icecast_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, icecast_t, icecast_initrc_exec_t)
allow $1 icecast_t:process { ptrace signal_perms };
ps_process_pattern($1, icecast_t)
diff --git a/policy/modules/contrib/ifplugd.if b/policy/modules/contrib/ifplugd.if
index 8999899..3cd19b3 100644
--- a/policy/modules/contrib/ifplugd.if
+++ b/policy/modules/contrib/ifplugd.if
@@ -122,10 +122,7 @@ interface(`ifplugd_admin',`
allow $1 ifplugd_t:process { ptrace signal_perms };
ps_process_pattern($1, ifplugd_t)
- init_labeled_script_domtrans($1, ifplugd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 ifplugd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, ifplugd_t, ifplugd_initrc_exec_t)
files_list_etc($1)
admin_pattern($1, ifplugd_etc_t)
diff --git a/policy/modules/contrib/inn.if b/policy/modules/contrib/inn.if
index eb87f23..8e24feb 100644
--- a/policy/modules/contrib/inn.if
+++ b/policy/modules/contrib/inn.if
@@ -230,10 +230,7 @@ interface(`inn_admin',`
type innd_var_run_t, innd_initrc_exec_t;
')
- init_labeled_script_domtrans($1, innd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 innd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, innd_t, innd_initrc_exec_t)
allow $1 innd_t:process { ptrace signal_perms };
ps_process_pattern($1, innd_t)
diff --git a/policy/modules/contrib/iodine.if b/policy/modules/contrib/iodine.if
index a0bfbd0..87e47eb 100644
--- a/policy/modules/contrib/iodine.if
+++ b/policy/modules/contrib/iodine.if
@@ -47,8 +47,5 @@ interface(`iodine_admin',`
allow $1 iodined_t:process { ptrace signal_perms };
ps_process_pattern($1, iodined_t)
- init_labeled_script_domtrans($1, iodined_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 iodined_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, iodined_t, iodined_initrc_exec_t)
')
diff --git a/policy/modules/contrib/ircd.if b/policy/modules/contrib/ircd.if
index 1a88664..3dbe87d 100644
--- a/policy/modules/contrib/ircd.if
+++ b/policy/modules/contrib/ircd.if
@@ -23,10 +23,7 @@ interface(`ircd_admin',`
type ircd_log_t, ircd_var_lib_t, ircd_var_run_t;
')
- init_labeled_script_domtrans($1, ircd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 ircd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, ircd_t, ircd_initrc_exec_t)
allow $1 ircd_t:process { ptrace signal_perms };
ps_process_pattern($1, ircd_t)
diff --git a/policy/modules/contrib/irqbalance.if b/policy/modules/contrib/irqbalance.if
index d7113e7..9e943d3 100644
--- a/policy/modules/contrib/irqbalance.if
+++ b/policy/modules/contrib/irqbalance.if
@@ -25,10 +25,7 @@ interface(`irqbalance_admin',`
allow $1 irqbalance_t:process { ptrace signal_perms };
ps_process_pattern($1, irqbalance_t)
- init_labeled_script_domtrans($1, irqbalance_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 irqbalance_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, irqbalance_t, irqbalance_initrc_exec_t)
files_search_pids($1)
admin_pattern($1, irqbalance_var_run_t)
diff --git a/policy/modules/contrib/iscsi.if b/policy/modules/contrib/iscsi.if
index 1a35420..44a891d 100644
--- a/policy/modules/contrib/iscsi.if
+++ b/policy/modules/contrib/iscsi.if
@@ -105,10 +105,7 @@ interface(`iscsi_admin',`
allow $1 iscsid_t:process { ptrace signal_perms };
ps_process_pattern($1, iscsid_t)
- init_labeled_script_domtrans($1, iscsi_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 iscsi_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, iscsi_t, iscsi_initrc_exec_t)
logging_search_logs($1)
admin_pattern($1, iscsi_log_t)
diff --git a/policy/modules/contrib/isns.if b/policy/modules/contrib/isns.if
index da7e970..4d847e9 100644
--- a/policy/modules/contrib/isns.if
+++ b/policy/modules/contrib/isns.if
@@ -26,10 +26,7 @@ interface(`isnsd_admin',`
allow $1 isnsd_t:process { ptrace signal_perms };
ps_process_pattern($1, isnsd_t)
- init_labeled_script_domtrans($1, isnsd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 isnsd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, isnsd_t, isnsd_initrc_exec_t)
files_search_var_lib($1)
admin_pattern($1, isnsd_var_lib_t)
diff --git a/policy/modules/contrib/jabber.if b/policy/modules/contrib/jabber.if
index 7eb3811..549dac1 100644
--- a/policy/modules/contrib/jabber.if
+++ b/policy/modules/contrib/jabber.if
@@ -81,10 +81,7 @@ interface(`jabber_admin',`
allow $1 jabberd_domain:process { ptrace signal_perms };
ps_process_pattern($1, jabberd_domain)
- init_labeled_script_domtrans($1, jabberd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 jabberd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, jabberd_domain, jabberd_initrc_exec_t)
files_search_locks($1)
admin_pattern($1, jabberd_lock_t)
diff --git a/policy/modules/contrib/kdump.if b/policy/modules/contrib/kdump.if
index 3a00b3a..f90bfb4 100644
--- a/policy/modules/contrib/kdump.if
+++ b/policy/modules/contrib/kdump.if
@@ -102,10 +102,7 @@ interface(`kdump_admin',`
allow $1 { kdump_t kdumpctl_t }:process { ptrace signal_perms };
ps_process_pattern($1, { kdump_t kdumpctl_t })
- init_labeled_script_domtrans($1, kdump_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 kdump_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, kdump_t, kdump_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, kdump_etc_t)
diff --git a/policy/modules/contrib/kerberos.if b/policy/modules/contrib/kerberos.if
index 77a5c49..01caeea 100644
--- a/policy/modules/contrib/kerberos.if
+++ b/policy/modules/contrib/kerberos.if
@@ -493,10 +493,7 @@ interface(`kerberos_admin',`
allow $1 { kadmind_t krb5kdc_t kpropd_t }:process { ptrace signal_perms };
ps_process_pattern($1, { kadmind_t krb5kdc_t kpropd_t })
- init_labeled_script_domtrans($1, kerberos_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 kerberos_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, { kadmind_t krb5kdc_t }, kerberos_initrc_exec_t)
logging_list_logs($1)
admin_pattern($1, kadmind_log_t)
diff --git a/policy/modules/contrib/kerneloops.if b/policy/modules/contrib/kerneloops.if
index 714448f..d6f5fd8 100644
--- a/policy/modules/contrib/kerneloops.if
+++ b/policy/modules/contrib/kerneloops.if
@@ -108,10 +108,7 @@ interface(`kerneloops_admin',`
allow $1 kerneloops_t:process { ptrace signal_perms };
ps_process_pattern($1, kerneloops_t)
- init_labeled_script_domtrans($1, kerneloops_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 kerneloops_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, kerneloops_t, kerneloops_initrc_exec_t)
files_search_tmp($1)
admin_pattern($1, kerneloops_tmp_t)
diff --git a/policy/modules/contrib/keystone.if b/policy/modules/contrib/keystone.if
index e88fb16..ec9adb0 100644
--- a/policy/modules/contrib/keystone.if
+++ b/policy/modules/contrib/keystone.if
@@ -26,10 +26,7 @@ interface(`keystone_admin',`
allow $1 keystone_t:process { ptrace signal_perms };
ps_process_pattern($1, keystone_t)
- init_labeled_script_domtrans($1, keystone_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 keystone_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, keystone_t, keystone_initrc_exec_t)
logging_search_logs($1)
admin_pattern($1, keystone_log_t)
diff --git a/policy/modules/contrib/kismet.if b/policy/modules/contrib/kismet.if
index f20de6e..24d623b 100644
--- a/policy/modules/contrib/kismet.if
+++ b/policy/modules/contrib/kismet.if
@@ -286,10 +286,7 @@ interface(`kismet_admin',`
type kismet_log_t, kismet_tmp_t, kismet_initrc_exec_t;
')
- init_labeled_script_domtrans($1, kismet_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 kismet_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, kismet_t, kismet_initrc_exec_t)
ps_process_pattern($1, kismet_t)
allow $1 kismet_t:process { ptrace signal_perms };
diff --git a/policy/modules/contrib/ksmtuned.if b/policy/modules/contrib/ksmtuned.if
index 93a64bc..59f401b 100644
--- a/policy/modules/contrib/ksmtuned.if
+++ b/policy/modules/contrib/ksmtuned.if
@@ -61,10 +61,7 @@ interface(`ksmtuned_admin',`
type ksmtuned_initrc_exec_t, ksmtuned_log_t;
')
- ksmtuned_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 ksmtuned_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, ksmtuned_t, ksmtuned_initrc_exec_t)
allow $1 ksmtuned_t:process { ptrace signal_perms };
ps_process_pattern($1, ksmtuned_t)
diff --git a/policy/modules/contrib/kudzu.if b/policy/modules/contrib/kudzu.if
index 5297064..993e152 100644
--- a/policy/modules/contrib/kudzu.if
+++ b/policy/modules/contrib/kudzu.if
@@ -89,10 +89,7 @@ interface(`kudzu_admin',`
allow $1 kudzu_t:process { ptrace signal_perms };
ps_process_pattern($1, kudzu_t)
- init_labeled_script_domtrans($1, kudzu_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 kudzu_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, kudzu_t, kudzu_initrc_exec_t)
files_search_tmp($1)
admin_pattern($1, kudzu_tmp_t)
diff --git a/policy/modules/contrib/l2tp.if b/policy/modules/contrib/l2tp.if
index 73e2803..24d3c44 100644
--- a/policy/modules/contrib/l2tp.if
+++ b/policy/modules/contrib/l2tp.if
@@ -86,10 +86,7 @@ interface(`l2tp_admin',`
allow $1 l2tpd_t:process { ptrace signal_perms };
ps_process_pattern($1, l2tpd_t)
- init_labeled_script_domtrans($1, l2tpd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 l2tpd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, l2tpd_t, l2tpd_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, l2tp_conf_t)
diff --git a/policy/modules/contrib/ldap.if b/policy/modules/contrib/ldap.if
index 7f09b4a..b4eabc9 100644
--- a/policy/modules/contrib/ldap.if
+++ b/policy/modules/contrib/ldap.if
@@ -122,10 +122,7 @@ interface(`ldap_admin',`
allow $1 slapd_t:process { ptrace signal_perms };
ps_process_pattern($1, slapd_t)
- init_labeled_script_domtrans($1, slapd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 slapd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, slapd_t, slapd_initrc_exec_t)
files_list_etc($1)
admin_pattern($1, { slapd_etc_t slapd_db_t slapd_cert_t slapd_keytab_t })
diff --git a/policy/modules/contrib/likewise.if b/policy/modules/contrib/likewise.if
index bd20e8c..2b884e6 100644
--- a/policy/modules/contrib/likewise.if
+++ b/policy/modules/contrib/likewise.if
@@ -110,10 +110,7 @@ interface(`likewise_admin',`
allow $1 likewise_domains:process { ptrace signal_perms };
ps_process_pattern($1, likewise_domains)
- init_labeled_script_domtrans($1, likewise_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 likewise_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, likewise_domains, likewise_initrc_exec_t)
files_list_etc($1)
admin_pattern($1, { likewise_etc_t likewise_pstore_lock_t likewise_krb5_ad_t })
diff --git a/policy/modules/contrib/lircd.if b/policy/modules/contrib/lircd.if
index dff21a7..f54240e 100644
--- a/policy/modules/contrib/lircd.if
+++ b/policy/modules/contrib/lircd.if
@@ -84,10 +84,7 @@ interface(`lircd_admin',`
allow $1 lircd_t:process { ptrace signal_perms };
ps_process_pattern($1, lircd_t)
- init_labeled_script_domtrans($1, lircd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 lircd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, lircd_t, lircd_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, lircd_etc_t)
diff --git a/policy/modules/contrib/lldpad.if b/policy/modules/contrib/lldpad.if
index d18c960..8d7692a 100644
--- a/policy/modules/contrib/lldpad.if
+++ b/policy/modules/contrib/lldpad.if
@@ -45,10 +45,7 @@ interface(`lldpad_admin',`
allow $1 lldpad_t:process { ptrace signal_perms };
ps_process_pattern($1, lldpad_t)
- init_labeled_script_domtrans($1, lldpad_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 lldpad_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, lldpad_t, lldpad_initrc_exec_t)
files_search_var_lib($1)
admin_pattern($1, lldpad_var_lib_t)
diff --git a/policy/modules/contrib/mailscanner.if b/policy/modules/contrib/mailscanner.if
index 214cb44..a684cfd 100644
--- a/policy/modules/contrib/mailscanner.if
+++ b/policy/modules/contrib/mailscanner.if
@@ -47,10 +47,7 @@ interface(`mscan_admin',`
allow $1 mscan_t:process { ptrace signal_perms };
ps_process_pattern($1, mscan_t)
- init_labeled_script_domtrans($1, mscan_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 mscan_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, mscan_t, mscan_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, mscan_etc_t)
diff --git a/policy/modules/contrib/mcelog.if b/policy/modules/contrib/mcelog.if
index f89651e..9b731b8 100644
--- a/policy/modules/contrib/mcelog.if
+++ b/policy/modules/contrib/mcelog.if
@@ -45,10 +45,7 @@ interface(`mcelog_admin',`
allow $1 mcelog_t:process { ptrace signal_perms };
ps_process_pattern($1, mcelog_t)
- init_labeled_script_domtrans($1, mcelog_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 mcelog_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, mcelog_t, mcelog_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, mcelog_etc_t)
diff --git a/policy/modules/contrib/memcached.if b/policy/modules/contrib/memcached.if
index 1d4eb19..5c12b31 100644
--- a/policy/modules/contrib/memcached.if
+++ b/policy/modules/contrib/memcached.if
@@ -124,10 +124,7 @@ interface(`memcached_admin',`
allow $1 memcached_t:process { ptrace signal_perms };
ps_process_pattern($1, memcached_t)
- init_labeled_script_domtrans($1, memcached_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 memcached_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, memcached_t, memcached_initrc_exec_t)
files_search_pids($1)
admin_pattern($1, memcached_var_run_t)
diff --git a/policy/modules/contrib/minidlna.if b/policy/modules/contrib/minidlna.if
index 358917a..7aa4fc9 100644
--- a/policy/modules/contrib/minidlna.if
+++ b/policy/modules/contrib/minidlna.if
@@ -26,10 +26,7 @@ interface(`minidlna_admin',`
allow $1 minidlna_t:process { ptrace signal_perms };
ps_process_pattern($1, minidlna_t)
- minidlna_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 minidlna_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, minidlna_t, minidlna_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, minidlna_conf_t)
diff --git a/policy/modules/contrib/minissdpd.if b/policy/modules/contrib/minissdpd.if
index f37a116..d4bdf6c 100644
--- a/policy/modules/contrib/minissdpd.if
+++ b/policy/modules/contrib/minissdpd.if
@@ -45,10 +45,7 @@ interface(`minissdpd_admin',`
allow $1 minissdpd_t:process { ptrace signal_perms };
ps_process_pattern($1, minissdpd_t)
- init_labeled_script_domtrans($1, minissdpd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 minissdpd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, minissdpd_t, minissdpd_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, minissdpd_conf_t)
diff --git a/policy/modules/contrib/mongodb.if b/policy/modules/contrib/mongodb.if
index b247d25..9a184f2 100644
--- a/policy/modules/contrib/mongodb.if
+++ b/policy/modules/contrib/mongodb.if
@@ -26,10 +26,7 @@ interface(`mongodb_admin',`
allow $1 mongod_t:process { ptrace signal_perms };
ps_process_pattern($1, mongod_t)
- init_labeled_script_domtrans($1, mongod_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 mongod_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, mongod_t, mongod_initrc_exec_t)
logging_search_logs($1)
admin_pattern($1, mongod_log_t)
diff --git a/policy/modules/contrib/monop.if b/policy/modules/contrib/monop.if
index a6ec137..0106004 100644
--- a/policy/modules/contrib/monop.if
+++ b/policy/modules/contrib/monop.if
@@ -26,10 +26,7 @@ interface(`monop_admin',`
allow $1 monopd_t:process { ptrace signal_perms };
ps_process_pattern($1, monopd_t)
- init_labeled_script_domtrans($1, monopd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 monopd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, monopd_t, monopd_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, monopd_etc_t)
diff --git a/policy/modules/contrib/mpd.if b/policy/modules/contrib/mpd.if
index 5fa77c7..384599f 100644
--- a/policy/modules/contrib/mpd.if
+++ b/policy/modules/contrib/mpd.if
@@ -347,10 +347,7 @@ interface(`mpd_admin',`
allow $1 mpd_t:process { ptrace signal_perms };
ps_process_pattern($1, mpd_t)
- mpd_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 mpd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, mpd_t, mpd_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, mpd_etc_t)
diff --git a/policy/modules/contrib/mrtg.if b/policy/modules/contrib/mrtg.if
index c595094..0a71bd8 100644
--- a/policy/modules/contrib/mrtg.if
+++ b/policy/modules/contrib/mrtg.if
@@ -47,10 +47,7 @@ interface(`mrtg_admin',`
allow $1 mrtg_t:process { ptrace signal_perms };
ps_process_pattern($1, mrtg_t)
- init_labeled_script_domtrans($1, mrtg_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 mrtg_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, mrtg_t, mrtg_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, mrtg_etc_t)
diff --git a/policy/modules/contrib/munin.if b/policy/modules/contrib/munin.if
index b744fe3..cd67499 100644
--- a/policy/modules/contrib/munin.if
+++ b/policy/modules/contrib/munin.if
@@ -173,10 +173,7 @@ interface(`munin_admin',`
allow $1 { munin_plugin_domain munin_t }:process { ptrace signal_perms };
ps_process_pattern($1, { munin_plugin_domain munin_t })
- init_labeled_script_domtrans($1, munin_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 munin_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, munin_t, munin_initrc_exec_t)
files_list_tmp($1)
admin_pattern($1, { munin_tmp_t munin_plugin_tmp_content })
diff --git a/policy/modules/contrib/mysql.if b/policy/modules/contrib/mysql.if
index 590748a..e7250f7 100644
--- a/policy/modules/contrib/mysql.if
+++ b/policy/modules/contrib/mysql.if
@@ -450,10 +450,8 @@ interface(`mysql_admin',`
allow $1 { mysqld_safe_t mysqld_t mysqlmanagerd_t }:process { ptrace signal_perms };
ps_process_pattern($1, { mysqld_safe_t mysqld_t mysqlmanagerd_t })
- init_labeled_script_domtrans($1, { mysqlmanagerd_initrc_exec_t mysqld_initrc_exec_t })
- domain_system_change_exemption($1)
- role_transition $2 { mysqlmanagerd_initrc_exec_t mysqld_initrc_exec_t } system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, mysqld_t, mysqld_initrc_exec_t)
+ init_startstop_service($1, $2, mysqlmanagerd_t, mysqlmanagerd_initrc_exec_t)
files_search_pids($1)
admin_pattern($1, { mysqlmanagerd_var_run_t mysqld_var_run_t })
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-05-22 19:32 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-05-22 19:32 UTC (permalink / raw
To: gentoo-commits
commit: 9dbeafd6f528951c4d47edc6a2b2a6482d0c9eaf
Author: Dominick Grift <dac.override <AT> gmail <DOT> com>
AuthorDate: Fri May 22 13:04:59 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri May 22 19:19:23 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9dbeafd6
Module version bump for update to the networkmanager policy module by Stephen Smalley.
policy/modules/contrib/networkmanager.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index 820cc5b..a4e179f 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -1,4 +1,4 @@
-policy_module(networkmanager, 1.17.0)
+policy_module(networkmanager, 1.17.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-05-22 19:32 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-05-22 19:32 UTC (permalink / raw
To: gentoo-commits
commit: 4569b61a85d70f5a686dc629fe98b4784a68467a
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Fri May 22 18:26:17 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri May 22 19:19:24 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4569b61a
Module version bump for init_startstop_service from Jason Zaman.
policy/modules/contrib/abrt.te | 2 +-
policy/modules/contrib/acct.te | 2 +-
policy/modules/contrib/afs.te | 2 +-
policy/modules/contrib/aiccu.te | 2 +-
policy/modules/contrib/aisexec.te | 2 +-
policy/modules/contrib/amavis.te | 2 +-
policy/modules/contrib/amtu.te | 2 +-
policy/modules/contrib/apache.te | 2 +-
policy/modules/contrib/apcupsd.te | 2 +-
policy/modules/contrib/apm.te | 2 +-
policy/modules/contrib/arpwatch.te | 2 +-
policy/modules/contrib/asterisk.te | 2 +-
policy/modules/contrib/automount.te | 2 +-
policy/modules/contrib/avahi.te | 2 +-
policy/modules/contrib/bacula.te | 2 +-
policy/modules/contrib/bcfg2.te | 2 +-
policy/modules/contrib/bind.te | 2 +-
policy/modules/contrib/bird.te | 2 +-
policy/modules/contrib/bitlbee.te | 2 +-
policy/modules/contrib/bluetooth.te | 2 +-
policy/modules/contrib/boinc.te | 2 +-
policy/modules/contrib/cachefilesd.te | 2 +-
policy/modules/contrib/callweaver.te | 2 +-
policy/modules/contrib/canna.te | 2 +-
policy/modules/contrib/ccs.te | 2 +-
policy/modules/contrib/certmaster.te | 2 +-
policy/modules/contrib/certmonger.te | 2 +-
policy/modules/contrib/cfengine.te | 2 +-
policy/modules/contrib/cgroup.te | 2 +-
policy/modules/contrib/chronyd.te | 2 +-
policy/modules/contrib/cipe.te | 2 +-
policy/modules/contrib/clamav.te | 2 +-
policy/modules/contrib/cmirrord.te | 2 +-
policy/modules/contrib/cobbler.te | 2 +-
policy/modules/contrib/collectd.te | 2 +-
policy/modules/contrib/condor.te | 2 +-
policy/modules/contrib/corosync.te | 2 +-
policy/modules/contrib/couchdb.te | 2 +-
policy/modules/contrib/ctdb.te | 2 +-
policy/modules/contrib/cups.te | 2 +-
policy/modules/contrib/cvs.te | 2 +-
policy/modules/contrib/cyphesis.te | 2 +-
policy/modules/contrib/cyrus.te | 2 +-
policy/modules/contrib/dante.te | 2 +-
policy/modules/contrib/ddclient.te | 2 +-
policy/modules/contrib/denyhosts.te | 2 +-
policy/modules/contrib/dhcp.te | 2 +-
policy/modules/contrib/dictd.te | 2 +-
policy/modules/contrib/dirmngr.te | 2 +-
policy/modules/contrib/distcc.te | 2 +-
policy/modules/contrib/dkim.te | 2 +-
policy/modules/contrib/dnsmasq.te | 2 +-
policy/modules/contrib/dnssectrigger.te | 2 +-
policy/modules/contrib/dovecot.te | 2 +-
policy/modules/contrib/drbd.te | 2 +-
policy/modules/contrib/dspam.te | 2 +-
policy/modules/contrib/entropyd.te | 2 +-
policy/modules/contrib/exim.te | 2 +-
policy/modules/contrib/fail2ban.te | 2 +-
policy/modules/contrib/fcoe.te | 2 +-
policy/modules/contrib/fetchmail.te | 2 +-
policy/modules/contrib/firewalld.te | 2 +-
policy/modules/contrib/ftp.te | 2 +-
policy/modules/contrib/gatekeeper.te | 2 +-
policy/modules/contrib/gdomap.te | 2 +-
policy/modules/contrib/glance.te | 2 +-
policy/modules/contrib/glusterfs.te | 2 +-
policy/modules/contrib/gpm.te | 2 +-
policy/modules/contrib/gpsd.te | 2 +-
policy/modules/contrib/hadoop.te | 2 +-
policy/modules/contrib/hddtemp.te | 2 +-
policy/modules/contrib/howl.te | 2 +-
policy/modules/contrib/hypervkvp.te | 2 +-
policy/modules/contrib/i18n_input.te | 2 +-
policy/modules/contrib/icecast.te | 2 +-
policy/modules/contrib/ifplugd.te | 2 +-
policy/modules/contrib/inn.te | 2 +-
policy/modules/contrib/iodine.te | 2 +-
policy/modules/contrib/ircd.te | 2 +-
policy/modules/contrib/irqbalance.te | 2 +-
policy/modules/contrib/iscsi.te | 2 +-
policy/modules/contrib/isns.te | 2 +-
policy/modules/contrib/jabber.te | 2 +-
policy/modules/contrib/kdump.te | 2 +-
policy/modules/contrib/kerberos.te | 2 +-
policy/modules/contrib/kerneloops.te | 2 +-
policy/modules/contrib/keystone.te | 2 +-
policy/modules/contrib/kismet.te | 2 +-
policy/modules/contrib/ksmtuned.te | 2 +-
policy/modules/contrib/kudzu.te | 2 +-
policy/modules/contrib/l2tp.te | 2 +-
policy/modules/contrib/ldap.te | 2 +-
policy/modules/contrib/likewise.te | 2 +-
policy/modules/contrib/lircd.te | 2 +-
policy/modules/contrib/lldpad.te | 2 +-
policy/modules/contrib/mailscanner.te | 2 +-
policy/modules/contrib/mcelog.te | 2 +-
policy/modules/contrib/memcached.te | 2 +-
policy/modules/contrib/minissdpd.te | 2 +-
policy/modules/contrib/mongodb.te | 2 +-
policy/modules/contrib/monop.te | 2 +-
policy/modules/contrib/mpd.te | 2 +-
policy/modules/contrib/mrtg.te | 2 +-
policy/modules/contrib/munin.te | 2 +-
policy/modules/contrib/mysql.te | 2 +-
policy/modules/contrib/nagios.te | 2 +-
policy/modules/contrib/nessus.te | 2 +-
policy/modules/contrib/networkmanager.te | 2 +-
policy/modules/contrib/nis.te | 2 +-
policy/modules/contrib/nscd.te | 2 +-
policy/modules/contrib/nsd.te | 2 +-
policy/modules/contrib/nslcd.te | 2 +-
policy/modules/contrib/ntop.te | 2 +-
policy/modules/contrib/ntp.te | 2 +-
policy/modules/contrib/numad.te | 2 +-
policy/modules/contrib/nut.te | 2 +-
policy/modules/contrib/oident.te | 2 +-
policy/modules/contrib/openct.te | 2 +-
policy/modules/contrib/openhpi.te | 2 +-
policy/modules/contrib/openvpn.te | 2 +-
policy/modules/contrib/openvswitch.te | 2 +-
policy/modules/contrib/pacemaker.te | 2 +-
policy/modules/contrib/pads.te | 2 +-
policy/modules/contrib/pcscd.te | 2 +-
policy/modules/contrib/pegasus.te | 2 +-
policy/modules/contrib/perdition.te | 2 +-
policy/modules/contrib/pingd.te | 2 +-
policy/modules/contrib/pkcs.te | 2 +-
policy/modules/contrib/polipo.te | 2 +-
policy/modules/contrib/portmap.te | 2 +-
policy/modules/contrib/portreserve.te | 2 +-
policy/modules/contrib/postfix.te | 2 +-
policy/modules/contrib/postfixpolicyd.te | 2 +-
policy/modules/contrib/postgrey.te | 2 +-
policy/modules/contrib/ppp.te | 2 +-
policy/modules/contrib/prelude.te | 2 +-
policy/modules/contrib/privoxy.te | 2 +-
policy/modules/contrib/psad.te | 2 +-
policy/modules/contrib/puppet.te | 2 +-
policy/modules/contrib/pxe.te | 2 +-
policy/modules/contrib/pyicqt.te | 2 +-
policy/modules/contrib/pyzor.te | 2 +-
policy/modules/contrib/qpid.te | 2 +-
policy/modules/contrib/quantum.te | 2 +-
policy/modules/contrib/quota.te | 2 +-
policy/modules/contrib/rabbitmq.te | 2 +-
policy/modules/contrib/radius.te | 2 +-
policy/modules/contrib/radvd.te | 2 +-
policy/modules/contrib/raid.te | 2 +-
policy/modules/contrib/redis.te | 2 +-
policy/modules/contrib/resmgr.te | 2 +-
policy/modules/contrib/rgmanager.te | 2 +-
policy/modules/contrib/rhcs.te | 2 +-
policy/modules/contrib/rhsmcertd.te | 2 +-
policy/modules/contrib/ricci.te | 2 +-
policy/modules/contrib/rngd.te | 2 +-
policy/modules/contrib/roundup.te | 2 +-
policy/modules/contrib/rpc.te | 2 +-
policy/modules/contrib/rpcbind.te | 2 +-
policy/modules/contrib/rpm.te | 2 +-
policy/modules/contrib/rtkit.te | 2 +-
policy/modules/contrib/rwho.te | 2 +-
policy/modules/contrib/samba.te | 2 +-
policy/modules/contrib/samhain.te | 2 +-
policy/modules/contrib/sanlock.te | 2 +-
policy/modules/contrib/sasl.te | 2 +-
policy/modules/contrib/sblim.te | 2 +-
policy/modules/contrib/sendmail.te | 2 +-
policy/modules/contrib/sensord.te | 2 +-
policy/modules/contrib/shorewall.te | 2 +-
policy/modules/contrib/slpd.te | 2 +-
policy/modules/contrib/smartmon.te | 2 +-
policy/modules/contrib/smokeping.te | 2 +-
policy/modules/contrib/smstools.te | 2 +-
policy/modules/contrib/snmp.te | 2 +-
policy/modules/contrib/snort.te | 2 +-
policy/modules/contrib/soundserver.te | 2 +-
policy/modules/contrib/spamassassin.te | 2 +-
policy/modules/contrib/squid.te | 2 +-
policy/modules/contrib/sssd.te | 2 +-
policy/modules/contrib/svnserve.te | 2 +-
policy/modules/contrib/sysstat.te | 2 +-
policy/modules/contrib/systemtap.te | 2 +-
policy/modules/contrib/tcsd.te | 2 +-
policy/modules/contrib/tgtd.te | 2 +-
policy/modules/contrib/tor.te | 2 +-
policy/modules/contrib/transproxy.te | 2 +-
policy/modules/contrib/tuned.te | 2 +-
policy/modules/contrib/ulogd.te | 2 +-
policy/modules/contrib/uptime.te | 2 +-
policy/modules/contrib/uucp.te | 2 +-
policy/modules/contrib/uuidd.te | 2 +-
policy/modules/contrib/varnishd.te | 2 +-
policy/modules/contrib/vdagent.te | 2 +-
policy/modules/contrib/vhostmd.te | 2 +-
policy/modules/contrib/virt.te | 2 +-
policy/modules/contrib/vnstatd.te | 2 +-
policy/modules/contrib/watchdog.te | 2 +-
policy/modules/contrib/wdmd.te | 2 +-
policy/modules/contrib/xfs.te | 2 +-
policy/modules/contrib/zabbix.te | 2 +-
policy/modules/contrib/zarafa.te | 2 +-
policy/modules/contrib/zebra.te | 2 +-
203 files changed, 203 insertions(+), 203 deletions(-)
diff --git a/policy/modules/contrib/abrt.te b/policy/modules/contrib/abrt.te
index f60f9c1..dedf055 100644
--- a/policy/modules/contrib/abrt.te
+++ b/policy/modules/contrib/abrt.te
@@ -1,4 +1,4 @@
-policy_module(abrt, 1.5.0)
+policy_module(abrt, 1.5.1)
########################################
#
diff --git a/policy/modules/contrib/acct.te b/policy/modules/contrib/acct.te
index 8b9ad83..7d6e06d 100644
--- a/policy/modules/contrib/acct.te
+++ b/policy/modules/contrib/acct.te
@@ -1,4 +1,4 @@
-policy_module(acct, 1.6.0)
+policy_module(acct, 1.6.1)
########################################
#
diff --git a/policy/modules/contrib/afs.te b/policy/modules/contrib/afs.te
index 2fb6932..c2840ba 100644
--- a/policy/modules/contrib/afs.te
+++ b/policy/modules/contrib/afs.te
@@ -1,4 +1,4 @@
-policy_module(afs, 1.9.2)
+policy_module(afs, 1.9.3)
########################################
#
diff --git a/policy/modules/contrib/aiccu.te b/policy/modules/contrib/aiccu.te
index 5d2b90e..44a23e6 100644
--- a/policy/modules/contrib/aiccu.te
+++ b/policy/modules/contrib/aiccu.te
@@ -1,4 +1,4 @@
-policy_module(aiccu, 1.1.0)
+policy_module(aiccu, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/aisexec.te b/policy/modules/contrib/aisexec.te
index 4e4f063..73e7382 100644
--- a/policy/modules/contrib/aisexec.te
+++ b/policy/modules/contrib/aisexec.te
@@ -1,4 +1,4 @@
-policy_module(aisexec, 1.2.0)
+policy_module(aisexec, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/amavis.te b/policy/modules/contrib/amavis.te
index 91fa72a..1214ac1 100644
--- a/policy/modules/contrib/amavis.te
+++ b/policy/modules/contrib/amavis.te
@@ -1,4 +1,4 @@
-policy_module(amavis, 1.15.0)
+policy_module(amavis, 1.15.1)
########################################
#
diff --git a/policy/modules/contrib/amtu.te b/policy/modules/contrib/amtu.te
index 16d0d66..918580d 100644
--- a/policy/modules/contrib/amtu.te
+++ b/policy/modules/contrib/amtu.te
@@ -1,4 +1,4 @@
-policy_module(amtu, 1.3.0)
+policy_module(amtu, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index acdf41a..a7fd097 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -1,4 +1,4 @@
-policy_module(apache, 2.9.0)
+policy_module(apache, 2.9.1)
########################################
#
diff --git a/policy/modules/contrib/apcupsd.te b/policy/modules/contrib/apcupsd.te
index 080bc4d..407ca94 100644
--- a/policy/modules/contrib/apcupsd.te
+++ b/policy/modules/contrib/apcupsd.te
@@ -1,4 +1,4 @@
-policy_module(apcupsd, 1.9.0)
+policy_module(apcupsd, 1.9.1)
########################################
#
diff --git a/policy/modules/contrib/apm.te b/policy/modules/contrib/apm.te
index b9919b5..b6e5447 100644
--- a/policy/modules/contrib/apm.te
+++ b/policy/modules/contrib/apm.te
@@ -1,4 +1,4 @@
-policy_module(apm, 1.13.0)
+policy_module(apm, 1.13.1)
########################################
#
diff --git a/policy/modules/contrib/arpwatch.te b/policy/modules/contrib/arpwatch.te
index 2d7bf34..f52071c 100644
--- a/policy/modules/contrib/arpwatch.te
+++ b/policy/modules/contrib/arpwatch.te
@@ -1,4 +1,4 @@
-policy_module(arpwatch, 1.11.0)
+policy_module(arpwatch, 1.11.1)
########################################
#
diff --git a/policy/modules/contrib/asterisk.te b/policy/modules/contrib/asterisk.te
index 0dd46ad..f51e183 100644
--- a/policy/modules/contrib/asterisk.te
+++ b/policy/modules/contrib/asterisk.te
@@ -1,4 +1,4 @@
-policy_module(asterisk, 1.14.0)
+policy_module(asterisk, 1.14.1)
########################################
#
diff --git a/policy/modules/contrib/automount.te b/policy/modules/contrib/automount.te
index 969be75..6c5e7ed 100644
--- a/policy/modules/contrib/automount.te
+++ b/policy/modules/contrib/automount.te
@@ -1,4 +1,4 @@
-policy_module(automount, 1.15.0)
+policy_module(automount, 1.15.1)
########################################
#
diff --git a/policy/modules/contrib/avahi.te b/policy/modules/contrib/avahi.te
index 02b2b78..46d5aba 100644
--- a/policy/modules/contrib/avahi.te
+++ b/policy/modules/contrib/avahi.te
@@ -1,4 +1,4 @@
-policy_module(avahi, 1.15.0)
+policy_module(avahi, 1.15.1)
########################################
#
diff --git a/policy/modules/contrib/bacula.te b/policy/modules/contrib/bacula.te
index f16b000..5c9e2d9 100644
--- a/policy/modules/contrib/bacula.te
+++ b/policy/modules/contrib/bacula.te
@@ -1,4 +1,4 @@
-policy_module(bacula, 1.2.0)
+policy_module(bacula, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/bcfg2.te b/policy/modules/contrib/bcfg2.te
index c3fd7b1..8709020 100644
--- a/policy/modules/contrib/bcfg2.te
+++ b/policy/modules/contrib/bcfg2.te
@@ -1,4 +1,4 @@
-policy_module(bcfg2, 1.1.0)
+policy_module(bcfg2, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/bind.te b/policy/modules/contrib/bind.te
index 90138a2..45ed04f 100644
--- a/policy/modules/contrib/bind.te
+++ b/policy/modules/contrib/bind.te
@@ -1,4 +1,4 @@
-policy_module(bind, 1.15.0)
+policy_module(bind, 1.15.1)
########################################
#
diff --git a/policy/modules/contrib/bird.te b/policy/modules/contrib/bird.te
index 1d60c27..2f6c545 100644
--- a/policy/modules/contrib/bird.te
+++ b/policy/modules/contrib/bird.te
@@ -1,4 +1,4 @@
-policy_module(bird, 1.1.0)
+policy_module(bird, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/bitlbee.te b/policy/modules/contrib/bitlbee.te
index f5c1a48..45d8a4b 100644
--- a/policy/modules/contrib/bitlbee.te
+++ b/policy/modules/contrib/bitlbee.te
@@ -1,4 +1,4 @@
-policy_module(bitlbee, 1.5.0)
+policy_module(bitlbee, 1.5.1)
########################################
#
diff --git a/policy/modules/contrib/bluetooth.te b/policy/modules/contrib/bluetooth.te
index 851769e..08f3c20 100644
--- a/policy/modules/contrib/bluetooth.te
+++ b/policy/modules/contrib/bluetooth.te
@@ -1,4 +1,4 @@
-policy_module(bluetooth, 3.5.0)
+policy_module(bluetooth, 3.5.1)
########################################
#
diff --git a/policy/modules/contrib/boinc.te b/policy/modules/contrib/boinc.te
index 8402248..4ada99d 100644
--- a/policy/modules/contrib/boinc.te
+++ b/policy/modules/contrib/boinc.te
@@ -1,4 +1,4 @@
-policy_module(boinc, 1.2.0)
+policy_module(boinc, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/cachefilesd.te b/policy/modules/contrib/cachefilesd.te
index 79807ef..4e5a1a1 100644
--- a/policy/modules/contrib/cachefilesd.te
+++ b/policy/modules/contrib/cachefilesd.te
@@ -1,4 +1,4 @@
-policy_module(cachefilesd, 1.1.2)
+policy_module(cachefilesd, 1.1.3)
########################################
#
diff --git a/policy/modules/contrib/callweaver.te b/policy/modules/contrib/callweaver.te
index 0e5be4c..9218e45 100644
--- a/policy/modules/contrib/callweaver.te
+++ b/policy/modules/contrib/callweaver.te
@@ -1,4 +1,4 @@
-policy_module(callweaver, 1.1.0)
+policy_module(callweaver, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/canna.te b/policy/modules/contrib/canna.te
index 9fe6162..9ee10b6 100644
--- a/policy/modules/contrib/canna.te
+++ b/policy/modules/contrib/canna.te
@@ -1,4 +1,4 @@
-policy_module(canna, 1.12.0)
+policy_module(canna, 1.12.1)
########################################
#
diff --git a/policy/modules/contrib/ccs.te b/policy/modules/contrib/ccs.te
index c4664c7..88cc4ad 100644
--- a/policy/modules/contrib/ccs.te
+++ b/policy/modules/contrib/ccs.te
@@ -1,4 +1,4 @@
-policy_module(ccs, 1.8.0)
+policy_module(ccs, 1.8.1)
########################################
#
diff --git a/policy/modules/contrib/certmaster.te b/policy/modules/contrib/certmaster.te
index 4a87873..5ab985b 100644
--- a/policy/modules/contrib/certmaster.te
+++ b/policy/modules/contrib/certmaster.te
@@ -1,4 +1,4 @@
-policy_module(certmaster, 1.3.0)
+policy_module(certmaster, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/certmonger.te b/policy/modules/contrib/certmonger.te
index 550b287..2d5ecbc 100644
--- a/policy/modules/contrib/certmonger.te
+++ b/policy/modules/contrib/certmonger.te
@@ -1,4 +1,4 @@
-policy_module(certmonger, 1.2.0)
+policy_module(certmonger, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/cfengine.te b/policy/modules/contrib/cfengine.te
index fbe3ad9..2fff324 100644
--- a/policy/modules/contrib/cfengine.te
+++ b/policy/modules/contrib/cfengine.te
@@ -1,4 +1,4 @@
-policy_module(cfengine, 1.1.0)
+policy_module(cfengine, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/cgroup.te b/policy/modules/contrib/cgroup.te
index 80a88a2..82c0c0c 100644
--- a/policy/modules/contrib/cgroup.te
+++ b/policy/modules/contrib/cgroup.te
@@ -1,4 +1,4 @@
-policy_module(cgroup, 1.2.0)
+policy_module(cgroup, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/chronyd.te b/policy/modules/contrib/chronyd.te
index e5b621c..7a16731 100644
--- a/policy/modules/contrib/chronyd.te
+++ b/policy/modules/contrib/chronyd.te
@@ -1,4 +1,4 @@
-policy_module(chronyd, 1.2.0)
+policy_module(chronyd, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/cipe.te b/policy/modules/contrib/cipe.te
index a0aa693..76c1954 100644
--- a/policy/modules/contrib/cipe.te
+++ b/policy/modules/contrib/cipe.te
@@ -1,4 +1,4 @@
-policy_module(cipe, 1.6.0)
+policy_module(cipe, 1.6.1)
########################################
#
diff --git a/policy/modules/contrib/clamav.te b/policy/modules/contrib/clamav.te
index 5e74354..cdb3492 100644
--- a/policy/modules/contrib/clamav.te
+++ b/policy/modules/contrib/clamav.te
@@ -1,4 +1,4 @@
-policy_module(clamav, 1.11.0)
+policy_module(clamav, 1.11.1)
## <desc>
## <p>
diff --git a/policy/modules/contrib/cmirrord.te b/policy/modules/contrib/cmirrord.te
index bbdd396..45bdca7 100644
--- a/policy/modules/contrib/cmirrord.te
+++ b/policy/modules/contrib/cmirrord.te
@@ -1,4 +1,4 @@
-policy_module(cmirrord, 1.1.0)
+policy_module(cmirrord, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/cobbler.te b/policy/modules/contrib/cobbler.te
index 5f306dd..e81dcc4 100644
--- a/policy/modules/contrib/cobbler.te
+++ b/policy/modules/contrib/cobbler.te
@@ -1,4 +1,4 @@
-policy_module(cobbler, 1.2.0)
+policy_module(cobbler, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/collectd.te b/policy/modules/contrib/collectd.te
index 6471fa8..07fb350 100644
--- a/policy/modules/contrib/collectd.te
+++ b/policy/modules/contrib/collectd.te
@@ -1,4 +1,4 @@
-policy_module(collectd, 1.0.0)
+policy_module(collectd, 1.0.1)
########################################
#
diff --git a/policy/modules/contrib/condor.te b/policy/modules/contrib/condor.te
index 38ca68b..7b0092e 100644
--- a/policy/modules/contrib/condor.te
+++ b/policy/modules/contrib/condor.te
@@ -1,4 +1,4 @@
-policy_module(condor, 1.2.0)
+policy_module(condor, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/corosync.te b/policy/modules/contrib/corosync.te
index d5aa1e4..fa18d76 100644
--- a/policy/modules/contrib/corosync.te
+++ b/policy/modules/contrib/corosync.te
@@ -1,4 +1,4 @@
-policy_module(corosync, 1.1.0)
+policy_module(corosync, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/couchdb.te b/policy/modules/contrib/couchdb.te
index 5dd39b8..cd5f079 100644
--- a/policy/modules/contrib/couchdb.te
+++ b/policy/modules/contrib/couchdb.te
@@ -1,4 +1,4 @@
-policy_module(couchdb, 1.3.0)
+policy_module(couchdb, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/ctdb.te b/policy/modules/contrib/ctdb.te
index 7be0106..d1fad83 100644
--- a/policy/modules/contrib/ctdb.te
+++ b/policy/modules/contrib/ctdb.te
@@ -1,4 +1,4 @@
-policy_module(ctdb, 1.2.0)
+policy_module(ctdb, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te
index d2a7255..662b991 100644
--- a/policy/modules/contrib/cups.te
+++ b/policy/modules/contrib/cups.te
@@ -1,4 +1,4 @@
-policy_module(cups, 1.18.0)
+policy_module(cups, 1.18.1)
########################################
#
diff --git a/policy/modules/contrib/cvs.te b/policy/modules/contrib/cvs.te
index 3d27f73..47a4822 100644
--- a/policy/modules/contrib/cvs.te
+++ b/policy/modules/contrib/cvs.te
@@ -1,4 +1,4 @@
-policy_module(cvs, 1.11.0)
+policy_module(cvs, 1.11.1)
########################################
#
diff --git a/policy/modules/contrib/cyphesis.te b/policy/modules/contrib/cyphesis.te
index 77ffc73..956a7ab 100644
--- a/policy/modules/contrib/cyphesis.te
+++ b/policy/modules/contrib/cyphesis.te
@@ -1,4 +1,4 @@
-policy_module(cyphesis, 1.3.0)
+policy_module(cyphesis, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/cyrus.te b/policy/modules/contrib/cyrus.te
index d451d1f..c43ee11 100644
--- a/policy/modules/contrib/cyrus.te
+++ b/policy/modules/contrib/cyrus.te
@@ -1,4 +1,4 @@
-policy_module(cyrus, 1.14.0)
+policy_module(cyrus, 1.14.1)
########################################
#
diff --git a/policy/modules/contrib/dante.te b/policy/modules/contrib/dante.te
index 5a5e290..4c86835 100644
--- a/policy/modules/contrib/dante.te
+++ b/policy/modules/contrib/dante.te
@@ -1,4 +1,4 @@
-policy_module(dante, 1.9.0)
+policy_module(dante, 1.9.1)
########################################
#
diff --git a/policy/modules/contrib/ddclient.te b/policy/modules/contrib/ddclient.te
index a4caa1b..b4fc53f 100644
--- a/policy/modules/contrib/ddclient.te
+++ b/policy/modules/contrib/ddclient.te
@@ -1,4 +1,4 @@
-policy_module(ddclient, 1.10.0)
+policy_module(ddclient, 1.10.1)
########################################
#
diff --git a/policy/modules/contrib/denyhosts.te b/policy/modules/contrib/denyhosts.te
index 583a527..9d3ca70 100644
--- a/policy/modules/contrib/denyhosts.te
+++ b/policy/modules/contrib/denyhosts.te
@@ -1,4 +1,4 @@
-policy_module(denyhosts, 1.1.0)
+policy_module(denyhosts, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/dhcp.te b/policy/modules/contrib/dhcp.te
index 98a24b9..c7d00ed 100644
--- a/policy/modules/contrib/dhcp.te
+++ b/policy/modules/contrib/dhcp.te
@@ -1,4 +1,4 @@
-policy_module(dhcp, 1.11.0)
+policy_module(dhcp, 1.11.1)
########################################
#
diff --git a/policy/modules/contrib/dictd.te b/policy/modules/contrib/dictd.te
index 433d3c5..15582e2 100644
--- a/policy/modules/contrib/dictd.te
+++ b/policy/modules/contrib/dictd.te
@@ -1,4 +1,4 @@
-policy_module(dictd, 1.8.0)
+policy_module(dictd, 1.8.1)
########################################
#
diff --git a/policy/modules/contrib/dirmngr.te b/policy/modules/contrib/dirmngr.te
index b3b2188..d0d9241 100644
--- a/policy/modules/contrib/dirmngr.te
+++ b/policy/modules/contrib/dirmngr.te
@@ -1,4 +1,4 @@
-policy_module(dirmngr, 1.0.0)
+policy_module(dirmngr, 1.0.1)
########################################
#
diff --git a/policy/modules/contrib/distcc.te b/policy/modules/contrib/distcc.te
index 7ea741c..2378d0c 100644
--- a/policy/modules/contrib/distcc.te
+++ b/policy/modules/contrib/distcc.te
@@ -1,4 +1,4 @@
-policy_module(distcc, 1.10.0)
+policy_module(distcc, 1.10.1)
########################################
#
diff --git a/policy/modules/contrib/dkim.te b/policy/modules/contrib/dkim.te
index 19daa68..925ca6f 100644
--- a/policy/modules/contrib/dkim.te
+++ b/policy/modules/contrib/dkim.te
@@ -1,4 +1,4 @@
-policy_module(dkim, 1.3.0)
+policy_module(dkim, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/dnsmasq.te b/policy/modules/contrib/dnsmasq.te
index 149b8f7..15b29cb 100644
--- a/policy/modules/contrib/dnsmasq.te
+++ b/policy/modules/contrib/dnsmasq.te
@@ -1,4 +1,4 @@
-policy_module(dnsmasq, 1.12.2)
+policy_module(dnsmasq, 1.12.3)
########################################
#
diff --git a/policy/modules/contrib/dnssectrigger.te b/policy/modules/contrib/dnssectrigger.te
index c7bb4e7..181540f 100644
--- a/policy/modules/contrib/dnssectrigger.te
+++ b/policy/modules/contrib/dnssectrigger.te
@@ -1,4 +1,4 @@
-policy_module(dnssectrigger, 1.1.0)
+policy_module(dnssectrigger, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/dovecot.te b/policy/modules/contrib/dovecot.te
index f43d9e8..8e6b35e 100644
--- a/policy/modules/contrib/dovecot.te
+++ b/policy/modules/contrib/dovecot.te
@@ -1,4 +1,4 @@
-policy_module(dovecot, 1.17.0)
+policy_module(dovecot, 1.17.1)
########################################
#
diff --git a/policy/modules/contrib/drbd.te b/policy/modules/contrib/drbd.te
index f2516cc..d89520c 100644
--- a/policy/modules/contrib/drbd.te
+++ b/policy/modules/contrib/drbd.te
@@ -1,4 +1,4 @@
-policy_module(drbd, 1.1.0)
+policy_module(drbd, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/dspam.te b/policy/modules/contrib/dspam.te
index ef62363..0a36018 100644
--- a/policy/modules/contrib/dspam.te
+++ b/policy/modules/contrib/dspam.te
@@ -1,4 +1,4 @@
-policy_module(dspam, 1.1.0)
+policy_module(dspam, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/entropyd.te b/policy/modules/contrib/entropyd.te
index b8b8328..2f71ed6 100644
--- a/policy/modules/contrib/entropyd.te
+++ b/policy/modules/contrib/entropyd.te
@@ -1,4 +1,4 @@
-policy_module(entropyd, 1.8.0)
+policy_module(entropyd, 1.8.1)
########################################
#
diff --git a/policy/modules/contrib/exim.te b/policy/modules/contrib/exim.te
index 5ab6d77..b3c7066 100644
--- a/policy/modules/contrib/exim.te
+++ b/policy/modules/contrib/exim.te
@@ -1,4 +1,4 @@
-policy_module(exim, 1.8.0)
+policy_module(exim, 1.8.1)
########################################
#
diff --git a/policy/modules/contrib/fail2ban.te b/policy/modules/contrib/fail2ban.te
index 49d0370..6b9fb7e 100644
--- a/policy/modules/contrib/fail2ban.te
+++ b/policy/modules/contrib/fail2ban.te
@@ -1,4 +1,4 @@
-policy_module(fail2ban, 1.5.0)
+policy_module(fail2ban, 1.5.1)
########################################
#
diff --git a/policy/modules/contrib/fcoe.te b/policy/modules/contrib/fcoe.te
index ce358fb..9719a51 100644
--- a/policy/modules/contrib/fcoe.te
+++ b/policy/modules/contrib/fcoe.te
@@ -1,4 +1,4 @@
-policy_module(fcoe, 1.1.0)
+policy_module(fcoe, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/fetchmail.te b/policy/modules/contrib/fetchmail.te
index 7a3ea93..0c1c51a 100644
--- a/policy/modules/contrib/fetchmail.te
+++ b/policy/modules/contrib/fetchmail.te
@@ -1,4 +1,4 @@
-policy_module(fetchmail, 1.14.0)
+policy_module(fetchmail, 1.14.1)
########################################
#
diff --git a/policy/modules/contrib/firewalld.te b/policy/modules/contrib/firewalld.te
index 8897cfd..781295c 100644
--- a/policy/modules/contrib/firewalld.te
+++ b/policy/modules/contrib/firewalld.te
@@ -1,4 +1,4 @@
-policy_module(firewalld, 1.2.0)
+policy_module(firewalld, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/ftp.te b/policy/modules/contrib/ftp.te
index b8ee588..7a1ec37 100644
--- a/policy/modules/contrib/ftp.te
+++ b/policy/modules/contrib/ftp.te
@@ -1,4 +1,4 @@
-policy_module(ftp, 1.17.0)
+policy_module(ftp, 1.17.1)
########################################
#
diff --git a/policy/modules/contrib/gatekeeper.te b/policy/modules/contrib/gatekeeper.te
index 2820368..25093fd 100644
--- a/policy/modules/contrib/gatekeeper.te
+++ b/policy/modules/contrib/gatekeeper.te
@@ -1,4 +1,4 @@
-policy_module(gatekeeper, 1.8.0)
+policy_module(gatekeeper, 1.8.1)
########################################
#
diff --git a/policy/modules/contrib/gdomap.te b/policy/modules/contrib/gdomap.te
index f3d070c..2f2df8c 100644
--- a/policy/modules/contrib/gdomap.te
+++ b/policy/modules/contrib/gdomap.te
@@ -1,4 +1,4 @@
-policy_module(gdomap, 1.1.0)
+policy_module(gdomap, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/glance.te b/policy/modules/contrib/glance.te
index 5cd0909..7bfd3a8 100644
--- a/policy/modules/contrib/glance.te
+++ b/policy/modules/contrib/glance.te
@@ -1,4 +1,4 @@
-policy_module(glance, 1.1.0)
+policy_module(glance, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/glusterfs.te b/policy/modules/contrib/glusterfs.te
index f336604..49e52ce 100644
--- a/policy/modules/contrib/glusterfs.te
+++ b/policy/modules/contrib/glusterfs.te
@@ -1,4 +1,4 @@
-policy_module(glusterfs, 1.2.0)
+policy_module(glusterfs, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/gpm.te b/policy/modules/contrib/gpm.te
index 69734fd..ef16279 100644
--- a/policy/modules/contrib/gpm.te
+++ b/policy/modules/contrib/gpm.te
@@ -1,4 +1,4 @@
-policy_module(gpm, 1.9.0)
+policy_module(gpm, 1.9.1)
########################################
#
diff --git a/policy/modules/contrib/gpsd.te b/policy/modules/contrib/gpsd.te
index fe3895e..d57a144 100644
--- a/policy/modules/contrib/gpsd.te
+++ b/policy/modules/contrib/gpsd.te
@@ -1,4 +1,4 @@
-policy_module(gpsd, 1.2.0)
+policy_module(gpsd, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/hadoop.te b/policy/modules/contrib/hadoop.te
index d99a8b6..a40e85b 100644
--- a/policy/modules/contrib/hadoop.te
+++ b/policy/modules/contrib/hadoop.te
@@ -1,4 +1,4 @@
-policy_module(hadoop, 1.3.1)
+policy_module(hadoop, 1.3.2)
########################################
#
diff --git a/policy/modules/contrib/hddtemp.te b/policy/modules/contrib/hddtemp.te
index 9e11b98..23f5a54 100644
--- a/policy/modules/contrib/hddtemp.te
+++ b/policy/modules/contrib/hddtemp.te
@@ -1,4 +1,4 @@
-policy_module(hddtemp, 1.2.0)
+policy_module(hddtemp, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/howl.te b/policy/modules/contrib/howl.te
index b9e60ec..626a92c 100644
--- a/policy/modules/contrib/howl.te
+++ b/policy/modules/contrib/howl.te
@@ -1,4 +1,4 @@
-policy_module(howl, 1.10.0)
+policy_module(howl, 1.10.1)
########################################
#
diff --git a/policy/modules/contrib/hypervkvp.te b/policy/modules/contrib/hypervkvp.te
index 4eb7041..1359b2a 100644
--- a/policy/modules/contrib/hypervkvp.te
+++ b/policy/modules/contrib/hypervkvp.te
@@ -1,4 +1,4 @@
-policy_module(hypervkvp, 1.0.0)
+policy_module(hypervkvp, 1.0.1)
########################################
#
diff --git a/policy/modules/contrib/i18n_input.te b/policy/modules/contrib/i18n_input.te
index 369a056..069305c 100644
--- a/policy/modules/contrib/i18n_input.te
+++ b/policy/modules/contrib/i18n_input.te
@@ -1,4 +1,4 @@
-policy_module(i18n_input, 1.9.0)
+policy_module(i18n_input, 1.9.1)
########################################
#
diff --git a/policy/modules/contrib/icecast.te b/policy/modules/contrib/icecast.te
index a9e573a..b44b952 100644
--- a/policy/modules/contrib/icecast.te
+++ b/policy/modules/contrib/icecast.te
@@ -1,4 +1,4 @@
-policy_module(icecast, 1.2.0)
+policy_module(icecast, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/ifplugd.te b/policy/modules/contrib/ifplugd.te
index b0546b4..8154360 100644
--- a/policy/modules/contrib/ifplugd.te
+++ b/policy/modules/contrib/ifplugd.te
@@ -1,4 +1,4 @@
-policy_module(ifplugd, 1.1.0)
+policy_module(ifplugd, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/inn.te b/policy/modules/contrib/inn.te
index ae64957..bf33eb4 100644
--- a/policy/modules/contrib/inn.te
+++ b/policy/modules/contrib/inn.te
@@ -1,4 +1,4 @@
-policy_module(inn, 1.11.0)
+policy_module(inn, 1.11.1)
########################################
#
diff --git a/policy/modules/contrib/iodine.te b/policy/modules/contrib/iodine.te
index d443fee..61572da 100644
--- a/policy/modules/contrib/iodine.te
+++ b/policy/modules/contrib/iodine.te
@@ -1,4 +1,4 @@
-policy_module(iodine, 1.1.0)
+policy_module(iodine, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/ircd.te b/policy/modules/contrib/ircd.te
index efaf4b1..1682d5c 100644
--- a/policy/modules/contrib/ircd.te
+++ b/policy/modules/contrib/ircd.te
@@ -1,4 +1,4 @@
-policy_module(ircd, 1.8.0)
+policy_module(ircd, 1.8.1)
########################################
#
diff --git a/policy/modules/contrib/irqbalance.te b/policy/modules/contrib/irqbalance.te
index 22ef537..089e6d7 100644
--- a/policy/modules/contrib/irqbalance.te
+++ b/policy/modules/contrib/irqbalance.te
@@ -1,4 +1,4 @@
-policy_module(irqbalance, 1.7.0)
+policy_module(irqbalance, 1.7.1)
########################################
#
diff --git a/policy/modules/contrib/iscsi.te b/policy/modules/contrib/iscsi.te
index ca020fa..070f8e3 100644
--- a/policy/modules/contrib/iscsi.te
+++ b/policy/modules/contrib/iscsi.te
@@ -1,4 +1,4 @@
-policy_module(iscsi, 1.9.0)
+policy_module(iscsi, 1.9.1)
########################################
#
diff --git a/policy/modules/contrib/isns.te b/policy/modules/contrib/isns.te
index bc11034..5b82de7 100644
--- a/policy/modules/contrib/isns.te
+++ b/policy/modules/contrib/isns.te
@@ -1,4 +1,4 @@
-policy_module(isns, 1.0.0)
+policy_module(isns, 1.0.1)
########################################
#
diff --git a/policy/modules/contrib/jabber.te b/policy/modules/contrib/jabber.te
index af67c36..8f71642 100644
--- a/policy/modules/contrib/jabber.te
+++ b/policy/modules/contrib/jabber.te
@@ -1,4 +1,4 @@
-policy_module(jabber, 1.10.0)
+policy_module(jabber, 1.10.1)
########################################
#
diff --git a/policy/modules/contrib/kdump.te b/policy/modules/contrib/kdump.te
index 715fc21..7c4e3f1 100644
--- a/policy/modules/contrib/kdump.te
+++ b/policy/modules/contrib/kdump.te
@@ -1,4 +1,4 @@
-policy_module(kdump, 1.3.0)
+policy_module(kdump, 1.3.1)
#######################################
#
diff --git a/policy/modules/contrib/kerberos.te b/policy/modules/contrib/kerberos.te
index 1a115e8..43df956 100644
--- a/policy/modules/contrib/kerberos.te
+++ b/policy/modules/contrib/kerberos.te
@@ -1,4 +1,4 @@
-policy_module(kerberos, 1.13.0)
+policy_module(kerberos, 1.13.1)
########################################
#
diff --git a/policy/modules/contrib/kerneloops.te b/policy/modules/contrib/kerneloops.te
index bcdb295..9360bde 100644
--- a/policy/modules/contrib/kerneloops.te
+++ b/policy/modules/contrib/kerneloops.te
@@ -1,4 +1,4 @@
-policy_module(kerneloops, 1.5.0)
+policy_module(kerneloops, 1.5.1)
########################################
#
diff --git a/policy/modules/contrib/keystone.te b/policy/modules/contrib/keystone.te
index 9929647..b832ee1 100644
--- a/policy/modules/contrib/keystone.te
+++ b/policy/modules/contrib/keystone.te
@@ -1,4 +1,4 @@
-policy_module(keystone, 1.1.0)
+policy_module(keystone, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/kismet.te b/policy/modules/contrib/kismet.te
index e6d89c3..9b8fedf 100644
--- a/policy/modules/contrib/kismet.te
+++ b/policy/modules/contrib/kismet.te
@@ -1,4 +1,4 @@
-policy_module(kismet, 1.8.0)
+policy_module(kismet, 1.8.1)
########################################
#
diff --git a/policy/modules/contrib/ksmtuned.te b/policy/modules/contrib/ksmtuned.te
index 2e93115..a799535 100644
--- a/policy/modules/contrib/ksmtuned.te
+++ b/policy/modules/contrib/ksmtuned.te
@@ -1,4 +1,4 @@
-policy_module(ksmtuned, 1.2.0)
+policy_module(ksmtuned, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/kudzu.te b/policy/modules/contrib/kudzu.te
index b1628ad..107f652 100644
--- a/policy/modules/contrib/kudzu.te
+++ b/policy/modules/contrib/kudzu.te
@@ -1,4 +1,4 @@
-policy_module(kudzu, 1.10.0)
+policy_module(kudzu, 1.10.1)
########################################
#
diff --git a/policy/modules/contrib/l2tp.te b/policy/modules/contrib/l2tp.te
index bb06a7f..f1de38f 100644
--- a/policy/modules/contrib/l2tp.te
+++ b/policy/modules/contrib/l2tp.te
@@ -1,4 +1,4 @@
-policy_module(l2tp, 1.1.0)
+policy_module(l2tp, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/ldap.te b/policy/modules/contrib/ldap.te
index 2a2dfd0..1adbf03 100644
--- a/policy/modules/contrib/ldap.te
+++ b/policy/modules/contrib/ldap.te
@@ -1,4 +1,4 @@
-policy_module(ldap, 1.12.0)
+policy_module(ldap, 1.12.1)
########################################
#
diff --git a/policy/modules/contrib/likewise.te b/policy/modules/contrib/likewise.te
index d8c2442..e33495b 100644
--- a/policy/modules/contrib/likewise.te
+++ b/policy/modules/contrib/likewise.te
@@ -1,4 +1,4 @@
-policy_module(likewise, 1.3.0)
+policy_module(likewise, 1.3.1)
#################################
#
diff --git a/policy/modules/contrib/lircd.te b/policy/modules/contrib/lircd.te
index 483c87b..0064b06 100644
--- a/policy/modules/contrib/lircd.te
+++ b/policy/modules/contrib/lircd.te
@@ -1,4 +1,4 @@
-policy_module(lircd, 1.2.0)
+policy_module(lircd, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/lldpad.te b/policy/modules/contrib/lldpad.te
index 2a491d9..7d580f2 100644
--- a/policy/modules/contrib/lldpad.te
+++ b/policy/modules/contrib/lldpad.te
@@ -1,4 +1,4 @@
-policy_module(lldpad, 1.1.0)
+policy_module(lldpad, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/mailscanner.te b/policy/modules/contrib/mailscanner.te
index 6b6e2e1..509de59 100644
--- a/policy/modules/contrib/mailscanner.te
+++ b/policy/modules/contrib/mailscanner.te
@@ -1,4 +1,4 @@
-policy_module(mailscanner, 1.1.0)
+policy_module(mailscanner, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/mcelog.te b/policy/modules/contrib/mcelog.te
index a9265c8..3fd0dc5 100644
--- a/policy/modules/contrib/mcelog.te
+++ b/policy/modules/contrib/mcelog.te
@@ -1,4 +1,4 @@
-policy_module(mcelog, 1.3.0)
+policy_module(mcelog, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/memcached.te b/policy/modules/contrib/memcached.te
index cf01235..54738e9 100644
--- a/policy/modules/contrib/memcached.te
+++ b/policy/modules/contrib/memcached.te
@@ -1,4 +1,4 @@
-policy_module(memcached, 1.4.0)
+policy_module(memcached, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/minissdpd.te b/policy/modules/contrib/minissdpd.te
index c80d861..fdfa9a0 100644
--- a/policy/modules/contrib/minissdpd.te
+++ b/policy/modules/contrib/minissdpd.te
@@ -1,4 +1,4 @@
-policy_module(minissdpd, 1.1.0)
+policy_module(minissdpd, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/mongodb.te b/policy/modules/contrib/mongodb.te
index 169f236..29b0ab5 100644
--- a/policy/modules/contrib/mongodb.te
+++ b/policy/modules/contrib/mongodb.te
@@ -1,4 +1,4 @@
-policy_module(mongodb, 1.1.0)
+policy_module(mongodb, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/monop.te b/policy/modules/contrib/monop.te
index 5f93763..fe78c10 100644
--- a/policy/modules/contrib/monop.te
+++ b/policy/modules/contrib/monop.te
@@ -1,4 +1,4 @@
-policy_module(monop, 1.8.0)
+policy_module(monop, 1.8.1)
########################################
#
diff --git a/policy/modules/contrib/mpd.te b/policy/modules/contrib/mpd.te
index 9029996..e37c363 100644
--- a/policy/modules/contrib/mpd.te
+++ b/policy/modules/contrib/mpd.te
@@ -1,4 +1,4 @@
-policy_module(mpd, 1.2.0)
+policy_module(mpd, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/mrtg.te b/policy/modules/contrib/mrtg.te
index 65a246a..1730669 100644
--- a/policy/modules/contrib/mrtg.te
+++ b/policy/modules/contrib/mrtg.te
@@ -1,4 +1,4 @@
-policy_module(mrtg, 1.9.0)
+policy_module(mrtg, 1.9.1)
########################################
#
diff --git a/policy/modules/contrib/munin.te b/policy/modules/contrib/munin.te
index c48f60c..2a8152f 100644
--- a/policy/modules/contrib/munin.te
+++ b/policy/modules/contrib/munin.te
@@ -1,4 +1,4 @@
-policy_module(munin, 1.10.0)
+policy_module(munin, 1.10.1)
########################################
#
diff --git a/policy/modules/contrib/mysql.te b/policy/modules/contrib/mysql.te
index 76d1e84..60a7763 100644
--- a/policy/modules/contrib/mysql.te
+++ b/policy/modules/contrib/mysql.te
@@ -1,4 +1,4 @@
-policy_module(mysql, 1.16.0)
+policy_module(mysql, 1.16.1)
########################################
#
diff --git a/policy/modules/contrib/nagios.te b/policy/modules/contrib/nagios.te
index 7b3e682..dbdfbeb 100644
--- a/policy/modules/contrib/nagios.te
+++ b/policy/modules/contrib/nagios.te
@@ -1,4 +1,4 @@
-policy_module(nagios, 1.13.0)
+policy_module(nagios, 1.13.1)
########################################
#
diff --git a/policy/modules/contrib/nessus.te b/policy/modules/contrib/nessus.te
index fe1068b..13f24c1 100644
--- a/policy/modules/contrib/nessus.te
+++ b/policy/modules/contrib/nessus.te
@@ -1,4 +1,4 @@
-policy_module(nessus, 1.9.0)
+policy_module(nessus, 1.9.1)
########################################
#
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index a4e179f..427dfe4 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -1,4 +1,4 @@
-policy_module(networkmanager, 1.17.1)
+policy_module(networkmanager, 1.17.2)
########################################
#
diff --git a/policy/modules/contrib/nis.te b/policy/modules/contrib/nis.te
index 3a6b035..6e13b92 100644
--- a/policy/modules/contrib/nis.te
+++ b/policy/modules/contrib/nis.te
@@ -1,4 +1,4 @@
-policy_module(nis, 1.12.0)
+policy_module(nis, 1.12.1)
########################################
#
diff --git a/policy/modules/contrib/nscd.te b/policy/modules/contrib/nscd.te
index ad2a10e..aee77dc 100644
--- a/policy/modules/contrib/nscd.te
+++ b/policy/modules/contrib/nscd.te
@@ -1,4 +1,4 @@
-policy_module(nscd, 1.12.0)
+policy_module(nscd, 1.12.1)
gen_require(`
class nscd all_nscd_perms;
diff --git a/policy/modules/contrib/nsd.te b/policy/modules/contrib/nsd.te
index 47bb1d2..28ed38f 100644
--- a/policy/modules/contrib/nsd.te
+++ b/policy/modules/contrib/nsd.te
@@ -1,4 +1,4 @@
-policy_module(nsd, 1.8.0)
+policy_module(nsd, 1.8.1)
########################################
#
diff --git a/policy/modules/contrib/nslcd.te b/policy/modules/contrib/nslcd.te
index 985823c..ad09d51 100644
--- a/policy/modules/contrib/nslcd.te
+++ b/policy/modules/contrib/nslcd.te
@@ -1,4 +1,4 @@
-policy_module(nslcd, 1.5.0)
+policy_module(nslcd, 1.5.1)
########################################
#
diff --git a/policy/modules/contrib/ntop.te b/policy/modules/contrib/ntop.te
index 8ec7859..43171f4 100644
--- a/policy/modules/contrib/ntop.te
+++ b/policy/modules/contrib/ntop.te
@@ -1,4 +1,4 @@
-policy_module(ntop, 1.10.0)
+policy_module(ntop, 1.10.1)
########################################
#
diff --git a/policy/modules/contrib/ntp.te b/policy/modules/contrib/ntp.te
index 56bb390..7600674 100644
--- a/policy/modules/contrib/ntp.te
+++ b/policy/modules/contrib/ntp.te
@@ -1,4 +1,4 @@
-policy_module(ntp, 1.13.0)
+policy_module(ntp, 1.13.1)
########################################
#
diff --git a/policy/modules/contrib/numad.te b/policy/modules/contrib/numad.te
index b0a1be4..cecc64a 100644
--- a/policy/modules/contrib/numad.te
+++ b/policy/modules/contrib/numad.te
@@ -1,4 +1,4 @@
-policy_module(numad, 1.1.0)
+policy_module(numad, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/nut.te b/policy/modules/contrib/nut.te
index 64cd06f..1a4907d 100644
--- a/policy/modules/contrib/nut.te
+++ b/policy/modules/contrib/nut.te
@@ -1,4 +1,4 @@
-policy_module(nut, 1.4.0)
+policy_module(nut, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/oident.te b/policy/modules/contrib/oident.te
index edfad9d..e72ffea 100644
--- a/policy/modules/contrib/oident.te
+++ b/policy/modules/contrib/oident.te
@@ -1,4 +1,4 @@
-policy_module(oident, 2.3.0)
+policy_module(oident, 2.3.1)
########################################
#
diff --git a/policy/modules/contrib/openct.te b/policy/modules/contrib/openct.te
index 2ecffe3..a001328 100644
--- a/policy/modules/contrib/openct.te
+++ b/policy/modules/contrib/openct.te
@@ -1,4 +1,4 @@
-policy_module(openct, 1.7.0)
+policy_module(openct, 1.7.1)
########################################
#
diff --git a/policy/modules/contrib/openhpi.te b/policy/modules/contrib/openhpi.te
index 8de6191..d0c61ba 100644
--- a/policy/modules/contrib/openhpi.te
+++ b/policy/modules/contrib/openhpi.te
@@ -1,4 +1,4 @@
-policy_module(openhpi, 1.1.0)
+policy_module(openhpi, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/openvpn.te b/policy/modules/contrib/openvpn.te
index f9d58cc..bdb689e 100644
--- a/policy/modules/contrib/openvpn.te
+++ b/policy/modules/contrib/openvpn.te
@@ -1,4 +1,4 @@
-policy_module(openvpn, 1.13.0)
+policy_module(openvpn, 1.13.1)
########################################
#
diff --git a/policy/modules/contrib/openvswitch.te b/policy/modules/contrib/openvswitch.te
index 5885f67..84d7e60 100644
--- a/policy/modules/contrib/openvswitch.te
+++ b/policy/modules/contrib/openvswitch.te
@@ -1,4 +1,4 @@
-policy_module(openvswitch, 1.2.0)
+policy_module(openvswitch, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/pacemaker.te b/policy/modules/contrib/pacemaker.te
index 6e6efb6..8db2c1f 100644
--- a/policy/modules/contrib/pacemaker.te
+++ b/policy/modules/contrib/pacemaker.te
@@ -1,4 +1,4 @@
-policy_module(pacemaker, 1.1.0)
+policy_module(pacemaker, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/pads.te b/policy/modules/contrib/pads.te
index 078adc4..4992358 100644
--- a/policy/modules/contrib/pads.te
+++ b/policy/modules/contrib/pads.te
@@ -1,4 +1,4 @@
-policy_module(pads, 1.1.0)
+policy_module(pads, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/pcscd.te b/policy/modules/contrib/pcscd.te
index 511d08d..bf5066f 100644
--- a/policy/modules/contrib/pcscd.te
+++ b/policy/modules/contrib/pcscd.te
@@ -1,4 +1,4 @@
-policy_module(pcscd, 1.10.0)
+policy_module(pcscd, 1.10.1)
########################################
#
diff --git a/policy/modules/contrib/pegasus.te b/policy/modules/contrib/pegasus.te
index 742fe1d..3e66bb7 100644
--- a/policy/modules/contrib/pegasus.te
+++ b/policy/modules/contrib/pegasus.te
@@ -1,4 +1,4 @@
-policy_module(pegasus, 1.10.0)
+policy_module(pegasus, 1.10.1)
########################################
#
diff --git a/policy/modules/contrib/perdition.te b/policy/modules/contrib/perdition.te
index 9feb1ef..1887d96 100644
--- a/policy/modules/contrib/perdition.te
+++ b/policy/modules/contrib/perdition.te
@@ -1,4 +1,4 @@
-policy_module(perdition, 1.8.0)
+policy_module(perdition, 1.8.1)
########################################
#
diff --git a/policy/modules/contrib/pingd.te b/policy/modules/contrib/pingd.te
index ab01060..5a91a3c 100644
--- a/policy/modules/contrib/pingd.te
+++ b/policy/modules/contrib/pingd.te
@@ -1,4 +1,4 @@
-policy_module(pingd, 1.1.0)
+policy_module(pingd, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/pkcs.te b/policy/modules/contrib/pkcs.te
index 1e1a490..0e583e1 100644
--- a/policy/modules/contrib/pkcs.te
+++ b/policy/modules/contrib/pkcs.te
@@ -1,4 +1,4 @@
-policy_module(pkcs, 1.1.0)
+policy_module(pkcs, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/polipo.te b/policy/modules/contrib/polipo.te
index baa9b4b..5189e55 100644
--- a/policy/modules/contrib/polipo.te
+++ b/policy/modules/contrib/polipo.te
@@ -1,4 +1,4 @@
-policy_module(polipo, 1.2.0)
+policy_module(polipo, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/portmap.te b/policy/modules/contrib/portmap.te
index 18b255e..3ba2179 100644
--- a/policy/modules/contrib/portmap.te
+++ b/policy/modules/contrib/portmap.te
@@ -1,4 +1,4 @@
-policy_module(portmap, 1.11.0)
+policy_module(portmap, 1.11.1)
########################################
#
diff --git a/policy/modules/contrib/portreserve.te b/policy/modules/contrib/portreserve.te
index 00b01e2..162fe08 100644
--- a/policy/modules/contrib/portreserve.te
+++ b/policy/modules/contrib/portreserve.te
@@ -1,4 +1,4 @@
-policy_module(portreserve, 1.4.0)
+policy_module(portreserve, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te
index 738ce6f..1c0e8a6 100644
--- a/policy/modules/contrib/postfix.te
+++ b/policy/modules/contrib/postfix.te
@@ -1,4 +1,4 @@
-policy_module(postfix, 1.16.0)
+policy_module(postfix, 1.16.1)
########################################
#
diff --git a/policy/modules/contrib/postfixpolicyd.te b/policy/modules/contrib/postfixpolicyd.te
index ea1582a..20e9b79 100644
--- a/policy/modules/contrib/postfixpolicyd.te
+++ b/policy/modules/contrib/postfixpolicyd.te
@@ -1,4 +1,4 @@
-policy_module(postfixpolicyd, 1.3.0)
+policy_module(postfixpolicyd, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/postgrey.te b/policy/modules/contrib/postgrey.te
index fd58805..705a5b6 100644
--- a/policy/modules/contrib/postgrey.te
+++ b/policy/modules/contrib/postgrey.te
@@ -1,4 +1,4 @@
-policy_module(postgrey, 1.9.0)
+policy_module(postgrey, 1.9.1)
########################################
#
diff --git a/policy/modules/contrib/ppp.te b/policy/modules/contrib/ppp.te
index d616ca3..dc115b1 100644
--- a/policy/modules/contrib/ppp.te
+++ b/policy/modules/contrib/ppp.te
@@ -1,4 +1,4 @@
-policy_module(ppp, 1.14.0)
+policy_module(ppp, 1.14.1)
########################################
#
diff --git a/policy/modules/contrib/prelude.te b/policy/modules/contrib/prelude.te
index 6cebd0c..6effe7f 100644
--- a/policy/modules/contrib/prelude.te
+++ b/policy/modules/contrib/prelude.te
@@ -1,4 +1,4 @@
-policy_module(prelude, 1.5.0)
+policy_module(prelude, 1.5.1)
########################################
#
diff --git a/policy/modules/contrib/privoxy.te b/policy/modules/contrib/privoxy.te
index ec21f80..b2873f6 100644
--- a/policy/modules/contrib/privoxy.te
+++ b/policy/modules/contrib/privoxy.te
@@ -1,4 +1,4 @@
-policy_module(privoxy, 1.12.0)
+policy_module(privoxy, 1.12.1)
########################################
#
diff --git a/policy/modules/contrib/psad.te b/policy/modules/contrib/psad.te
index ad12e3a..ee61046 100644
--- a/policy/modules/contrib/psad.te
+++ b/policy/modules/contrib/psad.te
@@ -1,4 +1,4 @@
-policy_module(psad, 1.2.0)
+policy_module(psad, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/puppet.te b/policy/modules/contrib/puppet.te
index 1fa318e..f7f95b0 100644
--- a/policy/modules/contrib/puppet.te
+++ b/policy/modules/contrib/puppet.te
@@ -1,4 +1,4 @@
-policy_module(puppet, 1.5.0)
+policy_module(puppet, 1.5.1)
########################################
#
diff --git a/policy/modules/contrib/pxe.te b/policy/modules/contrib/pxe.te
index 06bec9b..d3b0e6d 100644
--- a/policy/modules/contrib/pxe.te
+++ b/policy/modules/contrib/pxe.te
@@ -1,4 +1,4 @@
-policy_module(pxe, 1.5.0)
+policy_module(pxe, 1.5.1)
########################################
#
diff --git a/policy/modules/contrib/pyicqt.te b/policy/modules/contrib/pyicqt.te
index f2863de..45cccaf 100644
--- a/policy/modules/contrib/pyicqt.te
+++ b/policy/modules/contrib/pyicqt.te
@@ -1,4 +1,4 @@
-policy_module(pyicqt, 1.1.0)
+policy_module(pyicqt, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/pyzor.te b/policy/modules/contrib/pyzor.te
index 232d2d4..8462ee0 100644
--- a/policy/modules/contrib/pyzor.te
+++ b/policy/modules/contrib/pyzor.te
@@ -1,4 +1,4 @@
-policy_module(pyzor, 2.4.0)
+policy_module(pyzor, 2.4.1)
########################################
#
diff --git a/policy/modules/contrib/qpid.te b/policy/modules/contrib/qpid.te
index 83eb09e..0ecfe15 100644
--- a/policy/modules/contrib/qpid.te
+++ b/policy/modules/contrib/qpid.te
@@ -1,4 +1,4 @@
-policy_module(qpid, 1.1.0)
+policy_module(qpid, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/quantum.te b/policy/modules/contrib/quantum.te
index 8644d8b..32c1379 100644
--- a/policy/modules/contrib/quantum.te
+++ b/policy/modules/contrib/quantum.te
@@ -1,4 +1,4 @@
-policy_module(quantum, 1.1.0)
+policy_module(quantum, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/quota.te b/policy/modules/contrib/quota.te
index 4ec203d..5a92a2c 100644
--- a/policy/modules/contrib/quota.te
+++ b/policy/modules/contrib/quota.te
@@ -1,4 +1,4 @@
-policy_module(quota, 1.7.0)
+policy_module(quota, 1.7.1)
########################################
#
diff --git a/policy/modules/contrib/rabbitmq.te b/policy/modules/contrib/rabbitmq.te
index cced9c3..5bdde4c 100644
--- a/policy/modules/contrib/rabbitmq.te
+++ b/policy/modules/contrib/rabbitmq.te
@@ -1,4 +1,4 @@
-policy_module(rabbitmq, 1.1.0)
+policy_module(rabbitmq, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/radius.te b/policy/modules/contrib/radius.te
index d85eecc..52c05da 100644
--- a/policy/modules/contrib/radius.te
+++ b/policy/modules/contrib/radius.te
@@ -1,4 +1,4 @@
-policy_module(radius, 1.13.1)
+policy_module(radius, 1.13.2)
########################################
#
diff --git a/policy/modules/contrib/radvd.te b/policy/modules/contrib/radvd.te
index 6d162e4..76bba12 100644
--- a/policy/modules/contrib/radvd.te
+++ b/policy/modules/contrib/radvd.te
@@ -1,4 +1,4 @@
-policy_module(radvd, 1.14.0)
+policy_module(radvd, 1.14.1)
########################################
#
diff --git a/policy/modules/contrib/raid.te b/policy/modules/contrib/raid.te
index a9ebb52..6f96e98 100644
--- a/policy/modules/contrib/raid.te
+++ b/policy/modules/contrib/raid.te
@@ -1,4 +1,4 @@
-policy_module(raid, 1.14.0)
+policy_module(raid, 1.14.1)
########################################
#
diff --git a/policy/modules/contrib/redis.te b/policy/modules/contrib/redis.te
index d2eecfe..bf6e4e9 100644
--- a/policy/modules/contrib/redis.te
+++ b/policy/modules/contrib/redis.te
@@ -1,4 +1,4 @@
-policy_module(redis, 1.1.0)
+policy_module(redis, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/resmgr.te b/policy/modules/contrib/resmgr.te
index f6eb358..a5b9878 100644
--- a/policy/modules/contrib/resmgr.te
+++ b/policy/modules/contrib/resmgr.te
@@ -1,4 +1,4 @@
-policy_module(resmgr, 1.3.0)
+policy_module(resmgr, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/rgmanager.te b/policy/modules/contrib/rgmanager.te
index 147ce0c..4ef5d59 100644
--- a/policy/modules/contrib/rgmanager.te
+++ b/policy/modules/contrib/rgmanager.te
@@ -1,4 +1,4 @@
-policy_module(rgmanager, 1.4.0)
+policy_module(rgmanager, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/rhcs.te b/policy/modules/contrib/rhcs.te
index 3ac5646..ef7c72b 100644
--- a/policy/modules/contrib/rhcs.te
+++ b/policy/modules/contrib/rhcs.te
@@ -1,4 +1,4 @@
-policy_module(rhcs, 1.4.0)
+policy_module(rhcs, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/rhsmcertd.te b/policy/modules/contrib/rhsmcertd.te
index 8de4907..3fb1e18 100644
--- a/policy/modules/contrib/rhsmcertd.te
+++ b/policy/modules/contrib/rhsmcertd.te
@@ -1,4 +1,4 @@
-policy_module(rhsmcertd, 1.2.0)
+policy_module(rhsmcertd, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/ricci.te b/policy/modules/contrib/ricci.te
index 0ba2569..dd763c4 100644
--- a/policy/modules/contrib/ricci.te
+++ b/policy/modules/contrib/ricci.te
@@ -1,4 +1,4 @@
-policy_module(ricci, 1.8.0)
+policy_module(ricci, 1.8.1)
########################################
#
diff --git a/policy/modules/contrib/rngd.te b/policy/modules/contrib/rngd.te
index a4e8a5e..17b9504 100644
--- a/policy/modules/contrib/rngd.te
+++ b/policy/modules/contrib/rngd.te
@@ -1,4 +1,4 @@
-policy_module(rngd, 1.2.0)
+policy_module(rngd, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/roundup.te b/policy/modules/contrib/roundup.te
index ccb5991..11a013f 100644
--- a/policy/modules/contrib/roundup.te
+++ b/policy/modules/contrib/roundup.te
@@ -1,4 +1,4 @@
-policy_module(roundup, 1.8.0)
+policy_module(roundup, 1.8.1)
########################################
#
diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
index f0fa041..a150dc2 100644
--- a/policy/modules/contrib/rpc.te
+++ b/policy/modules/contrib/rpc.te
@@ -1,4 +1,4 @@
-policy_module(rpc, 1.16.1)
+policy_module(rpc, 1.16.2)
########################################
#
diff --git a/policy/modules/contrib/rpcbind.te b/policy/modules/contrib/rpcbind.te
index 9604d59..9cdb548 100644
--- a/policy/modules/contrib/rpcbind.te
+++ b/policy/modules/contrib/rpcbind.te
@@ -1,4 +1,4 @@
-policy_module(rpcbind, 1.8.1)
+policy_module(rpcbind, 1.8.2)
########################################
#
diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te
index 672fade..e56f892 100644
--- a/policy/modules/contrib/rpm.te
+++ b/policy/modules/contrib/rpm.te
@@ -1,4 +1,4 @@
-policy_module(rpm, 1.17.0)
+policy_module(rpm, 1.17.1)
########################################
#
diff --git a/policy/modules/contrib/rtkit.te b/policy/modules/contrib/rtkit.te
index 7eea21f..906ebb5 100644
--- a/policy/modules/contrib/rtkit.te
+++ b/policy/modules/contrib/rtkit.te
@@ -1,4 +1,4 @@
-policy_module(rtkit, 1.2.0)
+policy_module(rtkit, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/rwho.te b/policy/modules/contrib/rwho.te
index 7fb75f4..24a685a 100644
--- a/policy/modules/contrib/rwho.te
+++ b/policy/modules/contrib/rwho.te
@@ -1,4 +1,4 @@
-policy_module(rwho, 1.7.0)
+policy_module(rwho, 1.7.1)
########################################
#
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
index de3adf2..2e782c5 100644
--- a/policy/modules/contrib/samba.te
+++ b/policy/modules/contrib/samba.te
@@ -1,4 +1,4 @@
-policy_module(samba, 1.17.0)
+policy_module(samba, 1.17.1)
#################################
#
diff --git a/policy/modules/contrib/samhain.te b/policy/modules/contrib/samhain.te
index 3ed8e45..f2e4eaf 100644
--- a/policy/modules/contrib/samhain.te
+++ b/policy/modules/contrib/samhain.te
@@ -1,4 +1,4 @@
-policy_module(samhain, 1.2.1)
+policy_module(samhain, 1.2.2)
########################################
#
diff --git a/policy/modules/contrib/sanlock.te b/policy/modules/contrib/sanlock.te
index 0045465..af72f44 100644
--- a/policy/modules/contrib/sanlock.te
+++ b/policy/modules/contrib/sanlock.te
@@ -1,4 +1,4 @@
-policy_module(sanlock, 1.1.0)
+policy_module(sanlock, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/sasl.te b/policy/modules/contrib/sasl.te
index 9f91f8b..d1028b7 100644
--- a/policy/modules/contrib/sasl.te
+++ b/policy/modules/contrib/sasl.te
@@ -1,4 +1,4 @@
-policy_module(sasl, 1.16.0)
+policy_module(sasl, 1.16.1)
########################################
#
diff --git a/policy/modules/contrib/sblim.te b/policy/modules/contrib/sblim.te
index 299756b..0834784 100644
--- a/policy/modules/contrib/sblim.te
+++ b/policy/modules/contrib/sblim.te
@@ -1,4 +1,4 @@
-policy_module(sblim, 1.1.0)
+policy_module(sblim, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/sendmail.te b/policy/modules/contrib/sendmail.te
index 6b30f39..52a6efa 100644
--- a/policy/modules/contrib/sendmail.te
+++ b/policy/modules/contrib/sendmail.te
@@ -1,4 +1,4 @@
-policy_module(sendmail, 1.13.0)
+policy_module(sendmail, 1.13.1)
########################################
#
diff --git a/policy/modules/contrib/sensord.te b/policy/modules/contrib/sensord.te
index 5e82fd6..f9bed73 100644
--- a/policy/modules/contrib/sensord.te
+++ b/policy/modules/contrib/sensord.te
@@ -1,4 +1,4 @@
-policy_module(sensord, 1.0.0)
+policy_module(sensord, 1.0.1)
########################################
#
diff --git a/policy/modules/contrib/shorewall.te b/policy/modules/contrib/shorewall.te
index 7710b9f..107bd15 100644
--- a/policy/modules/contrib/shorewall.te
+++ b/policy/modules/contrib/shorewall.te
@@ -1,4 +1,4 @@
-policy_module(shorewall, 1.4.0)
+policy_module(shorewall, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/slpd.te b/policy/modules/contrib/slpd.te
index 731512a..65a999d 100644
--- a/policy/modules/contrib/slpd.te
+++ b/policy/modules/contrib/slpd.te
@@ -1,4 +1,4 @@
-policy_module(slpd, 1.1.0)
+policy_module(slpd, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/smartmon.te b/policy/modules/contrib/smartmon.te
index 9cf6582..e29affa 100644
--- a/policy/modules/contrib/smartmon.te
+++ b/policy/modules/contrib/smartmon.te
@@ -1,4 +1,4 @@
-policy_module(smartmon, 1.12.0)
+policy_module(smartmon, 1.12.1)
########################################
#
diff --git a/policy/modules/contrib/smokeping.te b/policy/modules/contrib/smokeping.te
index ec031a0..b2dafb4 100644
--- a/policy/modules/contrib/smokeping.te
+++ b/policy/modules/contrib/smokeping.te
@@ -1,4 +1,4 @@
-policy_module(smokeping, 1.2.0)
+policy_module(smokeping, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/smstools.te b/policy/modules/contrib/smstools.te
index 5ccf83c..1edf97d 100644
--- a/policy/modules/contrib/smstools.te
+++ b/policy/modules/contrib/smstools.te
@@ -1,4 +1,4 @@
-policy_module(smstools, 1.0.0)
+policy_module(smstools, 1.0.1)
########################################
#
diff --git a/policy/modules/contrib/snmp.te b/policy/modules/contrib/snmp.te
index 068a706..afa86ff 100644
--- a/policy/modules/contrib/snmp.te
+++ b/policy/modules/contrib/snmp.te
@@ -1,4 +1,4 @@
-policy_module(snmp, 1.14.1)
+policy_module(snmp, 1.14.2)
########################################
#
diff --git a/policy/modules/contrib/snort.te b/policy/modules/contrib/snort.te
index d5d9766..2cc5761 100644
--- a/policy/modules/contrib/snort.te
+++ b/policy/modules/contrib/snort.te
@@ -1,4 +1,4 @@
-policy_module(snort, 1.12.0)
+policy_module(snort, 1.12.1)
########################################
#
diff --git a/policy/modules/contrib/soundserver.te b/policy/modules/contrib/soundserver.te
index 0919e0c..b9d3104 100644
--- a/policy/modules/contrib/soundserver.te
+++ b/policy/modules/contrib/soundserver.te
@@ -1,4 +1,4 @@
-policy_module(soundserver, 1.9.0)
+policy_module(soundserver, 1.9.1)
########################################
#
diff --git a/policy/modules/contrib/spamassassin.te b/policy/modules/contrib/spamassassin.te
index b208631..22c3fd4 100644
--- a/policy/modules/contrib/spamassassin.te
+++ b/policy/modules/contrib/spamassassin.te
@@ -1,4 +1,4 @@
-policy_module(spamassassin, 2.8.0)
+policy_module(spamassassin, 2.8.1)
########################################
#
diff --git a/policy/modules/contrib/squid.te b/policy/modules/contrib/squid.te
index 42b6ccf..deb497a 100644
--- a/policy/modules/contrib/squid.te
+++ b/policy/modules/contrib/squid.te
@@ -1,4 +1,4 @@
-policy_module(squid, 1.13.0)
+policy_module(squid, 1.13.1)
########################################
#
diff --git a/policy/modules/contrib/sssd.te b/policy/modules/contrib/sssd.te
index 2d8db1f..17218c2 100644
--- a/policy/modules/contrib/sssd.te
+++ b/policy/modules/contrib/sssd.te
@@ -1,4 +1,4 @@
-policy_module(sssd, 1.2.0)
+policy_module(sssd, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/svnserve.te b/policy/modules/contrib/svnserve.te
index 03cd1f7..48e5704 100644
--- a/policy/modules/contrib/svnserve.te
+++ b/policy/modules/contrib/svnserve.te
@@ -1,4 +1,4 @@
-policy_module(svnserve, 1.2.0)
+policy_module(svnserve, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/sysstat.te b/policy/modules/contrib/sysstat.te
index b92f677..fd167ee 100644
--- a/policy/modules/contrib/sysstat.te
+++ b/policy/modules/contrib/sysstat.te
@@ -1,4 +1,4 @@
-policy_module(sysstat, 1.8.0)
+policy_module(sysstat, 1.8.1)
########################################
#
diff --git a/policy/modules/contrib/systemtap.te b/policy/modules/contrib/systemtap.te
index 61f53ea..b368f33 100644
--- a/policy/modules/contrib/systemtap.te
+++ b/policy/modules/contrib/systemtap.te
@@ -1,4 +1,4 @@
-policy_module(systemtap, 1.2.0)
+policy_module(systemtap, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/tcsd.te b/policy/modules/contrib/tcsd.te
index 3fc5fda..272c114 100644
--- a/policy/modules/contrib/tcsd.te
+++ b/policy/modules/contrib/tcsd.te
@@ -1,4 +1,4 @@
-policy_module(tcsd, 1.2.0)
+policy_module(tcsd, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/tgtd.te b/policy/modules/contrib/tgtd.te
index 931c709..ecd3bfb 100644
--- a/policy/modules/contrib/tgtd.te
+++ b/policy/modules/contrib/tgtd.te
@@ -1,4 +1,4 @@
-policy_module(tgtd, 1.4.0)
+policy_module(tgtd, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/tor.te b/policy/modules/contrib/tor.te
index a9441af..519f9bf 100644
--- a/policy/modules/contrib/tor.te
+++ b/policy/modules/contrib/tor.te
@@ -1,4 +1,4 @@
-policy_module(tor, 1.10.0)
+policy_module(tor, 1.10.1)
########################################
#
diff --git a/policy/modules/contrib/transproxy.te b/policy/modules/contrib/transproxy.te
index 34973ee..44dc6c0 100644
--- a/policy/modules/contrib/transproxy.te
+++ b/policy/modules/contrib/transproxy.te
@@ -1,4 +1,4 @@
-policy_module(transproxy, 1.8.0)
+policy_module(transproxy, 1.8.1)
########################################
#
diff --git a/policy/modules/contrib/tuned.te b/policy/modules/contrib/tuned.te
index 393a330..5b16bda 100644
--- a/policy/modules/contrib/tuned.te
+++ b/policy/modules/contrib/tuned.te
@@ -1,4 +1,4 @@
-policy_module(tuned, 1.2.0)
+policy_module(tuned, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/ulogd.te b/policy/modules/contrib/ulogd.te
index de35e5f..e244c11 100644
--- a/policy/modules/contrib/ulogd.te
+++ b/policy/modules/contrib/ulogd.te
@@ -1,4 +1,4 @@
-policy_module(ulogd, 1.3.0)
+policy_module(ulogd, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/uptime.te b/policy/modules/contrib/uptime.te
index 263d5fb..c0fe79b 100644
--- a/policy/modules/contrib/uptime.te
+++ b/policy/modules/contrib/uptime.te
@@ -1,4 +1,4 @@
-policy_module(uptime, 1.6.0)
+policy_module(uptime, 1.6.1)
########################################
#
diff --git a/policy/modules/contrib/uucp.te b/policy/modules/contrib/uucp.te
index 849f607..b6666a5 100644
--- a/policy/modules/contrib/uucp.te
+++ b/policy/modules/contrib/uucp.te
@@ -1,4 +1,4 @@
-policy_module(uucp, 1.13.0)
+policy_module(uucp, 1.13.1)
########################################
#
diff --git a/policy/modules/contrib/uuidd.te b/policy/modules/contrib/uuidd.te
index f8e52fc..52f8a7a 100644
--- a/policy/modules/contrib/uuidd.te
+++ b/policy/modules/contrib/uuidd.te
@@ -1,4 +1,4 @@
-policy_module(uuidd, 1.1.0)
+policy_module(uuidd, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/varnishd.te b/policy/modules/contrib/varnishd.te
index 9d4d8cb..77fb5b6 100644
--- a/policy/modules/contrib/varnishd.te
+++ b/policy/modules/contrib/varnishd.te
@@ -1,4 +1,4 @@
-policy_module(varnishd, 1.2.0)
+policy_module(varnishd, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/vdagent.te b/policy/modules/contrib/vdagent.te
index 045124a..01403ab 100644
--- a/policy/modules/contrib/vdagent.te
+++ b/policy/modules/contrib/vdagent.te
@@ -1,4 +1,4 @@
-policy_module(vdagent, 1.2.0)
+policy_module(vdagent, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/vhostmd.te b/policy/modules/contrib/vhostmd.te
index 3d11c6a..dabfe40 100644
--- a/policy/modules/contrib/vhostmd.te
+++ b/policy/modules/contrib/vhostmd.te
@@ -1,4 +1,4 @@
-policy_module(vhostmd, 1.1.0)
+policy_module(vhostmd, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 27a28df..42cb462 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1,4 +1,4 @@
-policy_module(virt, 1.8.1)
+policy_module(virt, 1.8.2)
########################################
#
diff --git a/policy/modules/contrib/vnstatd.te b/policy/modules/contrib/vnstatd.te
index e2220ae..79351c4 100644
--- a/policy/modules/contrib/vnstatd.te
+++ b/policy/modules/contrib/vnstatd.te
@@ -1,4 +1,4 @@
-policy_module(vnstatd, 1.1.0)
+policy_module(vnstatd, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/watchdog.te b/policy/modules/contrib/watchdog.te
index 1a7ad18..25b17a0 100644
--- a/policy/modules/contrib/watchdog.te
+++ b/policy/modules/contrib/watchdog.te
@@ -1,4 +1,4 @@
-policy_module(watchdog, 1.9.0)
+policy_module(watchdog, 1.9.1)
#################################
#
diff --git a/policy/modules/contrib/wdmd.te b/policy/modules/contrib/wdmd.te
index 4815a93..823f289 100644
--- a/policy/modules/contrib/wdmd.te
+++ b/policy/modules/contrib/wdmd.te
@@ -1,4 +1,4 @@
-policy_module(wdmd, 1.1.0)
+policy_module(wdmd, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/xfs.te b/policy/modules/contrib/xfs.te
index 0928c5d..46ab354 100644
--- a/policy/modules/contrib/xfs.te
+++ b/policy/modules/contrib/xfs.te
@@ -1,4 +1,4 @@
-policy_module(xfs, 1.7.0)
+policy_module(xfs, 1.7.1)
########################################
#
diff --git a/policy/modules/contrib/zabbix.te b/policy/modules/contrib/zabbix.te
index bd967ab..f297da0 100644
--- a/policy/modules/contrib/zabbix.te
+++ b/policy/modules/contrib/zabbix.te
@@ -1,4 +1,4 @@
-policy_module(zabbix, 1.8.0)
+policy_module(zabbix, 1.8.1)
########################################
#
diff --git a/policy/modules/contrib/zarafa.te b/policy/modules/contrib/zarafa.te
index 3fded1c..f03331e 100644
--- a/policy/modules/contrib/zarafa.te
+++ b/policy/modules/contrib/zarafa.te
@@ -1,4 +1,4 @@
-policy_module(zarafa, 1.2.0)
+policy_module(zarafa, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/zebra.te b/policy/modules/contrib/zebra.te
index 2e80d04..0f726fc 100644
--- a/policy/modules/contrib/zebra.te
+++ b/policy/modules/contrib/zebra.te
@@ -1,4 +1,4 @@
-policy_module(zebra, 1.13.0)
+policy_module(zebra, 1.13.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-05-16 11:31 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2015-05-16 11:31 UTC (permalink / raw
To: gentoo-commits
commit: 39073b3161feea2f4e2cbe3c36579127fc235ed6
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat May 16 11:28:57 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat May 16 11:28:57 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=39073b31
Additional rights for postfix admin
policy/modules/contrib/postfix.if | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/policy/modules/contrib/postfix.if b/policy/modules/contrib/postfix.if
index a7ec448..8bc856e 100644
--- a/policy/modules/contrib/postfix.if
+++ b/policy/modules/contrib/postfix.if
@@ -761,5 +761,13 @@ interface(`postfix_admin',`
# Allow postfix admin to send message to log files, needed during operations like "postfix reload"
logging_send_syslog_msg($1)
+
+ # Reloading the system through postfix reload needs a few permissions
+ # "postfix: fatal: socket: Permission denied"
+ allow $1 self:tcp_socket create_stream_socket_perms;
+ # "postfix: fatal: inet_addr_local[getifaddrs]: getifaddrs: Permission denied"
+ allow $1 self:netlink_route_socket r_netlink_socket_perms;
+ # "postsuper: fatal: setuid(207): Operation not permitted"
+ allow $1 self:capability { setuid setgid };
')
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
@ 2015-05-16 11:13 Sven Vermeulen
2015-05-16 11:31 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
0 siblings, 1 reply; 1958+ messages in thread
From: Sven Vermeulen @ 2015-05-16 11:13 UTC (permalink / raw
To: gentoo-commits
commit: 94b22b5403841d31a3eeb61bab332e81c3afb69d
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat May 16 11:11:10 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat May 16 11:11:10 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=94b22b54
Add postfix operations to postfix_admin
Allow postfix administrator to execute postfix:
~# /usr/sbin/postfix reload
This also requires the administrative domain to have the ability to send
log messages.
policy/modules/contrib/postfix.if | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/policy/modules/contrib/postfix.if b/policy/modules/contrib/postfix.if
index 8e7d1e7..a7ec448 100644
--- a/policy/modules/contrib/postfix.if
+++ b/policy/modules/contrib/postfix.if
@@ -748,11 +748,18 @@ interface(`postfix_admin',`
ifdef(`distro_gentoo',`
gen_require(`
type postfix_showq_exec_t;
+ type postfix_master_exec_t;
type postfix_postqueue_t;
')
allow postfix_postqueue_t $1:process sigchld;
can_exec($1, postfix_showq_exec_t)
+
+ # Postfix admin must be able to execute postfix main (for instance for "postfix reload")
+ can_exec($1, postfix_master_exec_t)
+
+ # Allow postfix admin to send message to log files, needed during operations like "postfix reload"
+ logging_send_syslog_msg($1)
')
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2015-05-16 11:13 [gentoo-commits] proj/hardened-refpolicy:swift " Sven Vermeulen
@ 2015-05-16 11:31 ` Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2015-05-16 11:31 UTC (permalink / raw
To: gentoo-commits
commit: 94b22b5403841d31a3eeb61bab332e81c3afb69d
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat May 16 11:11:10 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat May 16 11:11:10 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=94b22b54
Add postfix operations to postfix_admin
Allow postfix administrator to execute postfix:
~# /usr/sbin/postfix reload
This also requires the administrative domain to have the ability to send
log messages.
policy/modules/contrib/postfix.if | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/policy/modules/contrib/postfix.if b/policy/modules/contrib/postfix.if
index 8e7d1e7..a7ec448 100644
--- a/policy/modules/contrib/postfix.if
+++ b/policy/modules/contrib/postfix.if
@@ -748,11 +748,18 @@ interface(`postfix_admin',`
ifdef(`distro_gentoo',`
gen_require(`
type postfix_showq_exec_t;
+ type postfix_master_exec_t;
type postfix_postqueue_t;
')
allow postfix_postqueue_t $1:process sigchld;
can_exec($1, postfix_showq_exec_t)
+
+ # Postfix admin must be able to execute postfix main (for instance for "postfix reload")
+ can_exec($1, postfix_master_exec_t)
+
+ # Allow postfix admin to send message to log files, needed during operations like "postfix reload"
+ logging_send_syslog_msg($1)
')
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-05-15 13:47 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2015-05-15 13:47 UTC (permalink / raw
To: gentoo-commits
commit: 4181d381fa9d12a6c7836c6acbc06ccc8b26e6b6
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri May 15 13:21:49 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri May 15 13:21:49 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4181d381
Remove catch-all for postfix libraries
The postfix libraries in /usr/lib/postfix were by default marked as
postfix_exec_t. This however is a design mistake. Libraries should be
of a library type (of which lib_t is a default) so that applications
that use it have the proper read/execute rights without needing those on
the *real* executable types of an application.
policy/modules/contrib/postfix.fc | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/postfix.fc b/policy/modules/contrib/postfix.fc
index da1791b..b71d844 100644
--- a/policy/modules/contrib/postfix.fc
+++ b/policy/modules/contrib/postfix.fc
@@ -4,7 +4,8 @@
/etc/rc\.d/init\.d/postfix -- gen_context(system_u:object_r:postfix_initrc_exec_t,s0)
-/usr/lib/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
+# Remove catch-all so that .so files remain lib_t
+#/usr/lib/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
/usr/lib/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
/usr/lib/postfix/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0)
/usr/lib/postfix/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-05-15 13:47 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2015-05-15 13:47 UTC (permalink / raw
To: gentoo-commits
commit: 7f4df16703908b51f8a290532f1902a5981134ce
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri May 15 13:28:36 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri May 15 13:28:36 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7f4df167
Move specifics to ifdef distro_gentoo
policy/modules/contrib/postfix.te | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te
index 1c0a34c..47cfeb0 100644
--- a/policy/modules/contrib/postfix.te
+++ b/policy/modules/contrib/postfix.te
@@ -500,8 +500,6 @@ corecmd_read_bin_files(postfix_map_t)
corecmd_read_bin_pipes(postfix_map_t)
corecmd_read_bin_sockets(postfix_map_t)
-domain_use_interactive_fds(postfix_map_t)
-
files_list_home(postfix_map_t)
files_read_usr_files(postfix_map_t)
files_read_etc_runtime_files(postfix_map_t)
@@ -513,8 +511,6 @@ logging_send_syslog_msg(postfix_map_t)
miscfiles_read_localization(postfix_map_t)
-userdom_use_user_terminals(postfix_map_t)
-
optional_policy(`
locallogin_dontaudit_use_fds(postfix_map_t)
')
@@ -815,4 +811,12 @@ ifdef(`distro_gentoo',`
#
rw_sock_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t)
+
+ #####################################
+ #
+ # Local postmap policy
+ #
+
+ domain_use_interactive_fds(postfix_map_t)
+ userdom_use_user_terminals(postfix_map_t)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-05-15 13:47 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2015-05-15 13:47 UTC (permalink / raw
To: gentoo-commits
commit: 105c5c80ee234d6bed09a47fa36746382e3830f7
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri May 15 13:25:06 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri May 15 13:25:06 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=105c5c80
postmap is a user command
When a postfix admin updates a postfix database, he has to call
"postmap hash:/etc/postfix/databasename" in order to regenerate the
database (in case of a hash database in the example).
To allow postmap to give feedback on errors, grant it access to the user
terminals and private file descriptors of the admin.
policy/modules/contrib/postfix.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te
index afc1fde..1c0a34c 100644
--- a/policy/modules/contrib/postfix.te
+++ b/policy/modules/contrib/postfix.te
@@ -500,6 +500,8 @@ corecmd_read_bin_files(postfix_map_t)
corecmd_read_bin_pipes(postfix_map_t)
corecmd_read_bin_sockets(postfix_map_t)
+domain_use_interactive_fds(postfix_map_t)
+
files_list_home(postfix_map_t)
files_read_usr_files(postfix_map_t)
files_read_etc_runtime_files(postfix_map_t)
@@ -511,6 +513,8 @@ logging_send_syslog_msg(postfix_map_t)
miscfiles_read_localization(postfix_map_t)
+userdom_use_user_terminals(postfix_map_t)
+
optional_policy(`
locallogin_dontaudit_use_fds(postfix_map_t)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-05-15 13:47 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2015-05-15 13:47 UTC (permalink / raw
To: gentoo-commits
commit: 115949be334ab475bf97fa29ad8dc2bc88b71c4c
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri May 15 13:46:27 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri May 15 13:46:27 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=115949be
Add bugfix number to policy change for tracking
policy/modules/contrib/postfix.te | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te
index 47cfeb0..738ce6f 100644
--- a/policy/modules/contrib/postfix.te
+++ b/policy/modules/contrib/postfix.te
@@ -816,7 +816,8 @@ ifdef(`distro_gentoo',`
#
# Local postmap policy
#
-
+
+ # Bug #549566
domain_use_interactive_fds(postfix_map_t)
userdom_use_user_terminals(postfix_map_t)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-05-09 12:24 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2015-05-09 12:24 UTC (permalink / raw
To: gentoo-commits
commit: da19f4dbdc54c44a30ecc218dc1dd01169efe08e
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat May 9 12:22:19 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat May 9 12:22:19 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=da19f4db
Fix bug #549004 - Add /dev/shm support to salt master
The salt master daemon now uses /dev/shm for its semaphore definitions.
Add in the right salt_master_tmpfs_t type and grant salt_master_t the
right set of privileges (manage salt_master_tmpfs_t files as well as
interact with tmpfs_t).
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=549004
policy/modules/contrib/salt.te | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te
index 4c76ecc..554e927 100644
--- a/policy/modules/contrib/salt.te
+++ b/policy/modules/contrib/salt.te
@@ -45,6 +45,9 @@ files_type(salt_master_pki_t)
type salt_master_tmp_t;
files_tmp_file(salt_master_tmp_t)
+type salt_master_tmpfs_t;
+files_tmpfs_file(salt_master_tmpfs_t)
+
type salt_master_var_run_t;
init_daemon_pid_file(salt_master_var_run_t, file, "salt-master.pid")
files_pid_file(salt_master_var_run_t)
@@ -140,6 +143,10 @@ files_tmp_filetrans(salt_master_t, salt_master_tmp_t, { file dir })
# libffi, screw you
can_exec(salt_master_t, salt_master_tmp_t)
+# salt_master_tmpfs_t
+allow salt_master_t salt_master_tmpfs_t:file manage_file_perms;
+fs_tmpfs_filetrans(salt_master_t, salt_master_tmpfs_t, file)
+
# salt_master_var_run_t
allow salt_master_t salt_master_var_run_t:file manage_file_perms;
allow salt_master_t salt_master_var_run_t:sock_file manage_sock_file_perms;
@@ -178,6 +185,8 @@ files_dontaudit_search_all_dirs(salt_master_t)
files_read_etc_files(salt_master_t)
files_read_usr_files(salt_master_t)
+fs_getattr_tmpfs(salt_master_t)
+
getty_use_fds(salt_master_t)
miscfiles_read_localization(salt_master_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-04-15 15:04 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-04-15 15:04 UTC (permalink / raw
To: gentoo-commits
commit: 2272507d0f9b9c85ded3fdf2abed5868bc60bbb4
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Apr 15 15:04:12 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Apr 15 15:04:12 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2272507d
uwsgi: missing param in domain_entry_file
policy/modules/contrib/uwsgi.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/uwsgi.te b/policy/modules/contrib/uwsgi.te
index a5477ac..02b29e8 100644
--- a/policy/modules/contrib/uwsgi.te
+++ b/policy/modules/contrib/uwsgi.te
@@ -25,7 +25,7 @@ type uwsgi_content_t;
files_type(uwsgi_content_t)
type uwsgi_content_exec_t;
-domain_entry_file(uwsgi_content_exec_t)
+domain_entry_file(uwsgi_t, uwsgi_content_exec_t)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-04-14 14:55 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-04-14 14:55 UTC (permalink / raw
To: gentoo-commits
commit: 83d930031ee29fc0a59440ba420a08680b5ffc01
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Apr 14 14:53:56 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Apr 14 14:53:56 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=83d93003
uwsgi: uwsgi_content_exec_t should be an entrypoint
policy/modules/contrib/uwsgi.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/uwsgi.te b/policy/modules/contrib/uwsgi.te
index e177865..a5477ac 100644
--- a/policy/modules/contrib/uwsgi.te
+++ b/policy/modules/contrib/uwsgi.te
@@ -25,7 +25,7 @@ type uwsgi_content_t;
files_type(uwsgi_content_t)
type uwsgi_content_exec_t;
-files_type(uwsgi_content_exec_t)
+domain_entry_file(uwsgi_content_exec_t)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-04-13 20:27 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-04-13 20:27 UTC (permalink / raw
To: gentoo-commits
commit: bb630cc773cb919761a39687ca050a64403cd185
Author: Dominick Grift <dac.override <AT> gmail <DOT> com>
AuthorDate: Mon Apr 13 18:33:49 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Apr 13 20:01:45 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=bb630cc7
Module version bump for changes to the dnsmasq policy module by Jason Zaman
policy/modules/contrib/dnsmasq.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/dnsmasq.te b/policy/modules/contrib/dnsmasq.te
index b3caf80..149b8f7 100644
--- a/policy/modules/contrib/dnsmasq.te
+++ b/policy/modules/contrib/dnsmasq.te
@@ -1,4 +1,4 @@
-policy_module(dnsmasq, 1.12.1)
+policy_module(dnsmasq, 1.12.2)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-04-13 20:27 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-04-13 20:27 UTC (permalink / raw
To: gentoo-commits
commit: 819ddf8ede2e2f7b4f2f437cf0eb18e65bd92cab
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Apr 13 15:36:12 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Apr 13 20:01:45 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=819ddf8e
snmp: missing fcontext for snmpd
policy/modules/contrib/snmp.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/snmp.fc b/policy/modules/contrib/snmp.fc
index 2f0a2f2..d3db67a 100644
--- a/policy/modules/contrib/snmp.fc
+++ b/policy/modules/contrib/snmp.fc
@@ -1,5 +1,6 @@
/etc/rc\.d/init\.d/(snmpd|snmptrapd) -- gen_context(system_u:object_r:snmpd_initrc_exec_t,s0)
+/usr/sbin/snmpd -- gen_context(system_u:object_r:snmpd_exec_t,s0)
/usr/sbin/snmptrap -- gen_context(system_u:object_r:snmpd_exec_t,s0)
/usr/sbin/snmptrapd -- gen_context(system_u:object_r:snmpd_exec_t,s0)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-04-13 20:27 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-04-13 20:27 UTC (permalink / raw
To: gentoo-commits
commit: a98daba3644f9e84e81c784fa1b8773dbbba9681
Author: Dominick Grift <dac.override <AT> gmail <DOT> com>
AuthorDate: Tue Mar 31 16:17:46 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Apr 13 20:01:45 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a98daba3
Cachefilesd module updates
The module was incomplete because I was not confident about various rules implemented in the Fedora policy.
The files_create_all_files_as_is(cachefilesd_t) interface call was a bad idea. Instead it just needs to
maintain files in the cache with the cachefiles_cache_t type.
The process associated with cachefiles_kernel_t is a kernel thread (kworker)
policy/modules/contrib/cachefilesd.te | 30 +++++++++++++++++++++++++++---
1 file changed, 27 insertions(+), 3 deletions(-)
diff --git a/policy/modules/contrib/cachefilesd.te b/policy/modules/contrib/cachefilesd.te
index a3760bc..1d78e00 100644
--- a/policy/modules/contrib/cachefilesd.te
+++ b/policy/modules/contrib/cachefilesd.te
@@ -1,4 +1,4 @@
-policy_module(cachefilesd, 1.1.0)
+policy_module(cachefilesd, 1.1.1)
########################################
#
@@ -18,22 +18,28 @@ files_type(cachefilesd_cache_t)
type cachefilesd_var_run_t;
files_pid_file(cachefilesd_var_run_t)
+type cachefiles_kernel_t;
+domain_type(cachefiles_kernel_t)
+role system_r types cachefiles_kernel_t;
+
########################################
#
-# Local policy
+# Cachefilesd local policy
#
allow cachefilesd_t self:capability { setuid setgid sys_admin dac_override };
+allow cachefilesd_t cachefiles_kernel_t:kernel_service use_as_override;
+
manage_files_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t)
files_pid_filetrans(cachefilesd_t, cachefilesd_var_run_t, file)
+allow cachefilesd_t cachefiles_cache_t:kernel_service create_files_as;
manage_dirs_pattern(cachefilesd_t, cachefilesd_cache_t, cachefilesd_cache_t)
manage_files_pattern(cachefilesd_t, cachefilesd_cache_t, cachefilesd_cache_t)
dev_rw_cachefiles(cachefilesd_t)
-files_create_all_files_as(cachefilesd_t)
files_read_etc_files(cachefilesd_t)
fs_getattr_xattr_fs(cachefilesd_t)
@@ -50,3 +56,21 @@ init_dontaudit_use_script_ptys(cachefilesd_t)
optional_policy(`
rpm_use_script_fds(cachefilesd_t)
')
+
+########################################
+#
+# Cachefiles_kernel local policy
+#
+
+allow cachefiles_kernel_t self:capability { dac_override dac_read_search };
+
+manage_dirs_pattern(cachefiles_kernel_t, cachefiles_cache_t, cachefiles_cache_t)
+manage_files_pattern(cachefiles_kernel_t, cachefiles_cache_t, cachefiles_cache_t)
+
+dev_search_sysfs(cachefiles_kernel_t)
+
+domain_obj_id_change_exemption(cachefiles_kernel_t)
+
+fs_getattr_xattr_fs(cachefiles_kernel_t)
+
+init_sigchld_script(cachefiles_kernel_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-04-13 20:27 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-04-13 20:27 UTC (permalink / raw
To: gentoo-commits
commit: af49e16c46c3828ad4d6bbe75f5b587fe466857b
Author: Dominick Grift <dac.override <AT> gmail <DOT> com>
AuthorDate: Mon Apr 13 18:36:03 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Apr 13 20:01:45 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=af49e16c
Module version bump for changes to the pulseaudio policy module by Jason Zaman
policy/modules/contrib/pulseaudio.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index 06d17ea..d7f48be 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -1,4 +1,4 @@
-policy_module(pulseaudio, 1.7.0)
+policy_module(pulseaudio, 1.7.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-04-13 20:27 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-04-13 20:27 UTC (permalink / raw
To: gentoo-commits
commit: f1a75b0ff007e9236a53d50b2cfdbfc0669d293c
Author: Dominick Grift <dac.override <AT> gmail <DOT> com>
AuthorDate: Mon Apr 13 18:35:15 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Apr 13 20:01:45 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f1a75b0f
Module version bump for changes to the snmp policy module by Jason Zaman
policy/modules/contrib/snmp.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/snmp.te b/policy/modules/contrib/snmp.te
index 9dcaeb8..068a706 100644
--- a/policy/modules/contrib/snmp.te
+++ b/policy/modules/contrib/snmp.te
@@ -1,4 +1,4 @@
-policy_module(snmp, 1.14.0)
+policy_module(snmp, 1.14.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-04-13 20:27 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-04-13 20:27 UTC (permalink / raw
To: gentoo-commits
commit: 58fe42e834b0d4c37c7c3ed246fc30f85bf191e8
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Apr 13 15:36:13 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Apr 13 20:01:45 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=58fe42e8
dnsmasq: allow exec shell for scripts
dnsmasq has the --dhcp-script= option to execute scripts when leases are
given. dnsmasq needs to have shell access to run these.
policy/modules/contrib/dnsmasq.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/contrib/dnsmasq.te b/policy/modules/contrib/dnsmasq.te
index e2f8300..b3caf80 100644
--- a/policy/modules/contrib/dnsmasq.te
+++ b/policy/modules/contrib/dnsmasq.te
@@ -57,6 +57,8 @@ kernel_read_network_state(dnsmasq_t)
kernel_read_system_state(dnsmasq_t)
kernel_request_load_module(dnsmasq_t)
+corecmd_exec_shell(dnsmasq_t)
+
corenet_all_recvfrom_unlabeled(dnsmasq_t)
corenet_all_recvfrom_netlabel(dnsmasq_t)
corenet_tcp_sendrecv_generic_if(dnsmasq_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-04-13 20:27 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-04-13 20:27 UTC (permalink / raw
To: gentoo-commits
commit: bba4efc6a96c91653917632569a2dae4fc1ad6d6
Author: Dominick Grift <dac.override <AT> gmail <DOT> com>
AuthorDate: Mon Apr 13 18:48:12 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Apr 13 20:01:45 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=bba4efc6
cachefiles: It is cachefilesd_cache_t
policy/modules/contrib/cachefilesd.te | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/policy/modules/contrib/cachefilesd.te b/policy/modules/contrib/cachefilesd.te
index 1d78e00..79807ef 100644
--- a/policy/modules/contrib/cachefilesd.te
+++ b/policy/modules/contrib/cachefilesd.te
@@ -1,4 +1,4 @@
-policy_module(cachefilesd, 1.1.1)
+policy_module(cachefilesd, 1.1.2)
########################################
#
@@ -34,7 +34,7 @@ allow cachefilesd_t cachefiles_kernel_t:kernel_service use_as_override;
manage_files_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t)
files_pid_filetrans(cachefilesd_t, cachefilesd_var_run_t, file)
-allow cachefilesd_t cachefiles_cache_t:kernel_service create_files_as;
+allow cachefilesd_t cachefilesd_cache_t:kernel_service create_files_as;
manage_dirs_pattern(cachefilesd_t, cachefilesd_cache_t, cachefilesd_cache_t)
manage_files_pattern(cachefilesd_t, cachefilesd_cache_t, cachefilesd_cache_t)
@@ -64,8 +64,8 @@ optional_policy(`
allow cachefiles_kernel_t self:capability { dac_override dac_read_search };
-manage_dirs_pattern(cachefiles_kernel_t, cachefiles_cache_t, cachefiles_cache_t)
-manage_files_pattern(cachefiles_kernel_t, cachefiles_cache_t, cachefiles_cache_t)
+manage_dirs_pattern(cachefiles_kernel_t, cachefilesd_cache_t, cachefilesd_cache_t)
+manage_files_pattern(cachefiles_kernel_t, cachefilesd_cache_t, cachefilesd_cache_t)
dev_search_sysfs(cachefiles_kernel_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-04-13 20:27 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-04-13 20:27 UTC (permalink / raw
To: gentoo-commits
commit: 57263bbfc0524a8307e829eb2ff3cacb49b8fd81
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Apr 13 15:36:11 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Apr 13 20:01:45 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=57263bbf
pulseaudio: filetrans for autospawn.lock
Pulseaudio tries to acquire /tmp/pulse-*/autospawn.lock, this adds the
filetrans rule.
$ start-pulseaudio-x11
W: [autospawn] core-util.c: Failed to create lock file '/tmp/pulse-PKdhtXMmr18n/autospawn.lock': Permission denied
E: [pulseaudio] main.c: Failed to acquire autospawn lock
policy/modules/contrib/pulseaudio.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index dfb06a9..06d17ea 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -56,6 +56,7 @@ manage_dirs_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
manage_files_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
manage_sock_files_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
files_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, dir)
+userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file, "autospawn.lock")
userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file, "pid")
userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, sock_file, "dbus-socket")
userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, sock_file, "native")
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-04-13 20:27 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-04-13 20:27 UTC (permalink / raw
To: gentoo-commits
commit: 285060ccdef454dcd0b410386c7ca9d7433e5d90
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Apr 13 20:01:25 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Apr 13 20:01:25 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=285060cc
remove gentoo specific rules so upstream patch applies
policy/modules/contrib/cachefilesd.te | 33 ---------------------------------
1 file changed, 33 deletions(-)
diff --git a/policy/modules/contrib/cachefilesd.te b/policy/modules/contrib/cachefilesd.te
index 0490841..a3760bc 100644
--- a/policy/modules/contrib/cachefilesd.te
+++ b/policy/modules/contrib/cachefilesd.te
@@ -50,36 +50,3 @@ init_dontaudit_use_script_ptys(cachefilesd_t)
optional_policy(`
rpm_use_script_fds(cachefilesd_t)
')
-
-ifdef(`distro_gentoo',`
- type cachefilesd_kernel_t;
- # Compatible with fedora, for package defaults and so on
- typealias cachefilesd_kernel_t alias cachefiles_kernel_t;
- domain_type(cachefilesd_kernel_t)
- domain_obj_id_change_exemption(cachefilesd_kernel_t)
- role system_r types cachefilesd_kernel_t;
-
- # CacheFiles tells the Linux kernel for which security context
- # it should act to begin caching.
-
- # Allow cachefilesd_t to tell the kernel to use cachefilesd_kernel_t)
- allow cachefilesd_t cachefilesd_kernel_t:kernel_service { use_as_override };
-
- # Allow cachefilesd_t to tell the kernel to write files as cachefilesd_cache_t
- allow cachefilesd_t cachefilesd_cache_t:kernel_service { create_files_as };
-
- ##########################################
- #
- # cachefilesd_kernel_t policy
- #
- allow cachefilesd_kernel_t self:capability { dac_override dac_read_search };
-
- manage_dirs_pattern(cachefilesd_kernel_t, cachefilesd_cache_t, cachefilesd_cache_t)
- manage_files_pattern(cachefilesd_kernel_t, cachefilesd_cache_t, cachefilesd_cache_t)
-
- fs_getattr_xattr_fs(cachefilesd_kernel_t)
-
- dev_search_sysfs(cachefilesd_kernel_t)
-
- init_sigchld_script(cachefilesd_kernel_t)
-')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-04-11 11:08 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-04-11 11:08 UTC (permalink / raw
To: gentoo-commits
commit: 782389b715adc350dc0f447bfd28895b8930a6bd
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Feb 3 13:48:40 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Apr 11 11:07:36 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=782389b7
add fcontext for openntpd drift file
policy/modules/contrib/ntp.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/ntp.fc b/policy/modules/contrib/ntp.fc
index 6105583..c74d996 100644
--- a/policy/modules/contrib/ntp.fc
+++ b/policy/modules/contrib/ntp.fc
@@ -27,4 +27,5 @@
ifdef(`distro_gentoo',`
/usr/bin/sntp -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
+/var/lib/openntpd/ntpd.drift -- gen_context(system_u:object_r:ntp_drift_t,s0)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-04-11 10:10 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-04-11 10:10 UTC (permalink / raw
To: gentoo-commits
commit: 0a6928fa71555cc766096220d66e802f95269443
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Apr 9 09:45:41 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Apr 11 10:06:36 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0a6928fa
Introduce policy for uWSGI, written by me
policy/modules/contrib/uwsgi.fc | 9 +++
policy/modules/contrib/uwsgi.if | 140 ++++++++++++++++++++++++++++++++++++++++
policy/modules/contrib/uwsgi.te | 88 +++++++++++++++++++++++++
3 files changed, 237 insertions(+)
diff --git a/policy/modules/contrib/uwsgi.fc b/policy/modules/contrib/uwsgi.fc
new file mode 100644
index 0000000..7d2210b
--- /dev/null
+++ b/policy/modules/contrib/uwsgi.fc
@@ -0,0 +1,9 @@
+/etc/uwsgi.d(/.*)? gen_context(system_u:object_r:uwsgi_conf_t,s0)
+
+/usr/bin/uwsgi.* -- gen_context(system_u:object_r:uwsgi_exec_t,s0)
+
+/var/log/uwsgi(/.*)? gen_context(system_u:object_r:uwsgi_var_log_t,s0)
+/var/run/uwsgi(/.*)? gen_context(system_u:object_r:uwsgi_run_t,s0)
+/var/www/wsgi/.*\.so -- gen_context(system_u:object_r:uwsgi_content_exec_t,s0)
+/var/www/wsgi/.*/bin/.* gen_context(system_u:object_r:uwsgi_content_exec_t,s0)
+/var/www/wsgi(/.*)? gen_context(system_u:object_r:uwsgi_content_t,s0)
diff --git a/policy/modules/contrib/uwsgi.if b/policy/modules/contrib/uwsgi.if
new file mode 100644
index 0000000..761f8cd
--- /dev/null
+++ b/policy/modules/contrib/uwsgi.if
@@ -0,0 +1,140 @@
+## <summary>uWSGI server for Python web applications</summary>
+
+########################################
+## <summary>
+## Connect to uwsgi using a unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`uwsgi_stream_connect',`
+ gen_require(`
+ type uwsgi_t, uwsgi_run_t;
+ ')
+
+ files_search_pids($1)
+ list_dirs_pattern($1, uwsgi_run_t, uwsgi_run_t)
+ stream_connect_pattern($1, uwsgi_run_t, uwsgi_run_t, uwsgi_t)
+')
+
+########################################
+## <summary>
+## Manage uwsgi content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`uwsgi_manage_content',`
+ gen_require(`
+ type uwsgi_content_t;
+ ')
+
+ files_search_pids($1)
+ manage_dirs_pattern($1, uwsgi_content_t, uwsgi_content_t)
+ manage_files_pattern($1, uwsgi_content_t, uwsgi_content_t)
+ manage_lnk_files_pattern($1, uwsgi_content_t, uwsgi_content_t)
+
+ manage_files_pattern($1, uwsgi_content_exec_t, uwsgi_content_exec_t)
+ manage_lnk_files_pattern($1, uwsgi_content_exec_t, uwsgi_content_exec_t)
+
+ optional_policy(`
+ apache_manage_sys_content($1)
+ ')
+')
+
+########################################
+## <summary>
+## Execute uwsgi in the uwsgi domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`uwsgi_domtrans',`
+ gen_require(`
+ type uwsgi_t, uwsgi_exec_t, uwsgi_content_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, uwsgi_exec_t, uwsgi_t)
+ domtrans_pattern($1, uwsgi_content_exec_t, uwsgi_t)
+')
+
+########################################
+## <summary>
+## Execute uwsgi in the callers domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`uwsgi_content_exec',`
+ gen_require(`
+ type uwsgi_t, uwsgi_exec_t, uwsgi_content_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, uwsgi_content_exec_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate a uWSGI environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`uwsgi_admin',`
+ gen_require(`
+ type uwsgi_t, uwsgi_exec_t, uwsgi_conf_t;
+ type uwsgi_run_t, uwsgi_var_log_t, uwsgi_tmp_t;
+ type uwsgi_content_t, uwsgi_content_exec_t;
+ ')
+
+ allow $1 uwsgi_t:process { ptrace signal_perms };
+ ps_process_pattern($1, uwsgi_t)
+
+ files_search_etc($1)
+ admin_pattern($1, { uwsgi_conf_t uwsgi_exec_t })
+
+ files_search_var($1)
+ admin_pattern($1, { uwsgi_content_t uwsgi_content_exec_t })
+
+ logging_search_logs($1)
+ admin_pattern($1, { uwsgi_var_log_t })
+
+ files_search_pids($1)
+ admin_pattern($1, uwsgi_run_t)
+
+ files_search_tmp($1)
+ admin_pattern($1, uwsgi_tmp_t)
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, uwsgi_exec_t, uwsgi_t)
+ can_exec($1, uwsgi_content_exec_t)
+
+ optional_policy(`
+ apache_manage_sys_content($1)
+ ')
+')
diff --git a/policy/modules/contrib/uwsgi.te b/policy/modules/contrib/uwsgi.te
new file mode 100644
index 0000000..e177865
--- /dev/null
+++ b/policy/modules/contrib/uwsgi.te
@@ -0,0 +1,88 @@
+policy_module(uwsgi, 1.0)
+
+########################################
+#
+# Declarations
+#
+
+type uwsgi_t;
+type uwsgi_exec_t;
+init_daemon_domain(uwsgi_t, uwsgi_exec_t)
+
+type uwsgi_conf_t;
+files_config_file(uwsgi_conf_t)
+
+type uwsgi_run_t;
+init_daemon_pid_file(uwsgi_run_t, dir, "uwsgi")
+
+type uwsgi_var_log_t;
+logging_log_file(uwsgi_var_log_t)
+
+type uwsgi_tmp_t;
+files_tmp_file(uwsgi_tmp_t)
+
+type uwsgi_content_t;
+files_type(uwsgi_content_t)
+
+type uwsgi_content_exec_t;
+files_type(uwsgi_content_exec_t)
+
+########################################
+#
+# uwsgi local policy
+#
+
+allow uwsgi_t self:fifo_file rw_fifo_file_perms;
+allow uwsgi_t self:process { signal sigchld };
+
+can_exec(uwsgi_t, uwsgi_exec_t)
+can_exec(uwsgi_t, uwsgi_tmp_t)
+can_exec(uwsgi_t, uwsgi_content_exec_t)
+
+list_dirs_pattern(uwsgi_t, uwsgi_conf_t, uwsgi_conf_t)
+read_files_pattern(uwsgi_t, uwsgi_conf_t, uwsgi_conf_t)
+
+list_dirs_pattern(uwsgi_t, uwsgi_content_t, uwsgi_content_t)
+read_files_pattern(uwsgi_t, uwsgi_content_t, uwsgi_content_t)
+read_lnk_files_pattern(uwsgi_t, uwsgi_content_t, uwsgi_content_t)
+
+list_dirs_pattern(uwsgi_t, uwsgi_content_exec_t, uwsgi_content_exec_t)
+read_files_pattern(uwsgi_t, uwsgi_content_exec_t, uwsgi_content_exec_t)
+read_lnk_files_pattern(uwsgi_t, uwsgi_content_exec_t, uwsgi_content_exec_t)
+
+read_files_pattern(uwsgi_t, uwsgi_var_log_t, uwsgi_var_log_t)
+append_files_pattern(uwsgi_t, uwsgi_var_log_t, uwsgi_var_log_t)
+logging_log_filetrans(uwsgi_t, uwsgi_var_log_t, { file dir })
+logging_search_logs(uwsgi_t)
+
+manage_dirs_pattern(uwsgi_t, uwsgi_run_t, uwsgi_run_t)
+manage_files_pattern(uwsgi_t, uwsgi_run_t, uwsgi_run_t)
+manage_sock_files_pattern(uwsgi_t, uwsgi_run_t, uwsgi_run_t)
+
+manage_dirs_pattern(uwsgi_t, uwsgi_tmp_t, uwsgi_tmp_t)
+manage_files_pattern(uwsgi_t, uwsgi_tmp_t, uwsgi_tmp_t)
+files_tmp_filetrans(uwsgi_t, uwsgi_tmp_t, { file dir })
+
+files_read_usr_files(uwsgi_t)
+
+auth_use_nsswitch(uwsgi_t)
+
+corecmd_exec_bin(uwsgi_t)
+corecmd_exec_shell(uwsgi_t)
+
+kernel_read_system_state(uwsgi_t)
+
+miscfiles_read_localization(uwsgi_t)
+
+optional_policy(`
+ apache_search_sys_content(uwsgi_t)
+ apache_manage_all_rw_content(uwsgi_t)
+')
+
+optional_policy(`
+ cron_system_entry(uwsgi_t, uwsgi_content_exec_t)
+')
+
+optional_policy(`
+ mysql_stream_connect(uwsgi_t)
+')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:nginx commit in: policy/modules/contrib/
@ 2015-04-11 10:07 Jason Zaman
2015-04-11 10:10 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2015-04-11 10:07 UTC (permalink / raw
To: gentoo-commits
commit: 2943dc689d38767103194b6913308a08c3fd84b3
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Apr 11 08:05:19 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Apr 11 10:06:37 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2943dc68
allow nginx to connect to uwsgi
policy/modules/contrib/nginx.te | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/policy/modules/contrib/nginx.te b/policy/modules/contrib/nginx.te
index 3a30d69..be59bab 100644
--- a/policy/modules/contrib/nginx.te
+++ b/policy/modules/contrib/nginx.te
@@ -157,3 +157,13 @@ tunable_policy(`nginx_can_network_connect',`
optional_policy(`
phpfpm_stream_connect(nginx_t)
')
+
+ifdef(`distro_gentoo',`
+
+ # needs to be able to signal its children
+ allow nginx_t self:process { signal sigchld };
+
+ optional_policy(`
+ uwsgi_stream_connect(nginx_t)
+ ')
+')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-03-29 10:01 Jason Zaman
2015-03-29 9:59 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2015-03-29 10:01 UTC (permalink / raw
To: gentoo-commits
commit: 57264aa48955ae0f3b62257b0bb6bf0fd6a312bb
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Mar 23 14:55:32 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Mar 29 09:54:10 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=57264aa4
alsa: gentoo saves state files in /var/lib/alsa/oss/CardName
alsa_read/write_lib have permission on files, add in permission
for dirs too since gentoo's init script saves things in subdirs
policy/modules/contrib/alsa.if | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/policy/modules/contrib/alsa.if b/policy/modules/contrib/alsa.if
index 8f25112..38bbf80 100644
--- a/policy/modules/contrib/alsa.if
+++ b/policy/modules/contrib/alsa.if
@@ -255,6 +255,11 @@ interface(`alsa_read_lib',`
files_search_var_lib($1)
read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
+
+ ifdef(`distro_gentoo',`
+ # gentoo saves the files in /var/lib/alsa/oss/CardName
+ list_dirs_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
+ ')
')
#########################################
@@ -274,6 +279,11 @@ interface(`alsa_write_lib',`
files_search_var_lib($1)
write_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
+
+ ifdef(`distro_gentoo',`
+ # gentoo saves the files in /var/lib/alsa/oss/CardName
+ rw_dirs_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
+ ')
')
# Gentoo specific for now, but cannot use ifdef distro_gentoo in an interface
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2015-03-29 10:01 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
@ 2015-03-29 9:59 ` Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-03-29 9:59 UTC (permalink / raw
To: gentoo-commits
commit: 57264aa48955ae0f3b62257b0bb6bf0fd6a312bb
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Mar 23 14:55:32 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Mar 29 09:54:10 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=57264aa4
alsa: gentoo saves state files in /var/lib/alsa/oss/CardName
alsa_read/write_lib have permission on files, add in permission
for dirs too since gentoo's init script saves things in subdirs
policy/modules/contrib/alsa.if | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/policy/modules/contrib/alsa.if b/policy/modules/contrib/alsa.if
index 8f25112..38bbf80 100644
--- a/policy/modules/contrib/alsa.if
+++ b/policy/modules/contrib/alsa.if
@@ -255,6 +255,11 @@ interface(`alsa_read_lib',`
files_search_var_lib($1)
read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
+
+ ifdef(`distro_gentoo',`
+ # gentoo saves the files in /var/lib/alsa/oss/CardName
+ list_dirs_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
+ ')
')
#########################################
@@ -274,6 +279,11 @@ interface(`alsa_write_lib',`
files_search_var_lib($1)
write_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
+
+ ifdef(`distro_gentoo',`
+ # gentoo saves the files in /var/lib/alsa/oss/CardName
+ rw_dirs_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
+ ')
')
# Gentoo specific for now, but cannot use ifdef distro_gentoo in an interface
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-03-29 10:01 Jason Zaman
2015-03-29 9:59 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2015-03-29 10:01 UTC (permalink / raw
To: gentoo-commits
commit: ecd0604b018b735a5f47a3fa43a7141f5ab66ab9
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Feb 9 17:17:40 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Mar 29 09:53:51 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ecd0604b
salt: allow salt to ps all processes
Salt needs to be able to list all processes to check if services
are running
policy/modules/contrib/salt.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te
index 970b183..4c76ecc 100644
--- a/policy/modules/contrib/salt.te
+++ b/policy/modules/contrib/salt.te
@@ -269,7 +269,7 @@ corenet_tcp_connect_salt_port(salt_minion_t)
dev_read_sysfs(salt_minion_t)
domain_dontaudit_exec_all_entry_files(salt_minion_t)
-domain_dontaudit_search_all_domains_state(salt_minion_t)
+domain_read_all_domains_state(salt_minion_t)
files_manage_all_non_security_file_types(salt_minion_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-03-29 10:01 Jason Zaman
2015-03-29 9:59 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2015-03-29 10:01 UTC (permalink / raw
To: gentoo-commits
commit: 394b856733a6953b28aa53ee305aea7d5de03ccb
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Mar 24 12:27:05 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Mar 29 09:54:32 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=394b8567
skype: policy rules for v4.3
It now uses pulseaudio and also needs dir permissions in /tmp
policy/modules/contrib/skype.te | 16 +++++++++++++---
1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/policy/modules/contrib/skype.te b/policy/modules/contrib/skype.te
index 4c71730..be0684f 100644
--- a/policy/modules/contrib/skype.te
+++ b/policy/modules/contrib/skype.te
@@ -55,9 +55,10 @@ manage_fifo_files_pattern(skype_t, skype_tmpfs_t, skype_tmpfs_t)
manage_sock_files_pattern(skype_t, skype_tmpfs_t, skype_tmpfs_t)
fs_tmpfs_filetrans(skype_t, skype_tmpfs_t, { file lnk_file sock_file fifo_file })
+manage_dirs_pattern(skype_t, skype_tmp_t, skype_tmp_t)
manage_files_pattern(skype_t, skype_tmp_t, skype_tmp_t)
manage_sock_files_pattern(skype_t, skype_tmp_t, skype_tmp_t)
-files_tmp_filetrans(skype_t, skype_tmp_t, { file sock_file })
+files_tmp_filetrans(skype_t, skype_tmp_t, { dir file sock_file })
kernel_dontaudit_search_sysctl(skype_t)
kernel_dontaudit_read_kernel_sysctls(skype_t)
@@ -73,15 +74,16 @@ corenet_all_recvfrom_netlabel(skype_t)
corenet_all_recvfrom_unlabeled(skype_t)
corenet_sendrecv_http_client_packets(skype_t)
corenet_tcp_bind_generic_node(skype_t)
-corenet_tcp_bind_generic_port(skype_t)
+corenet_tcp_bind_generic_port(skype_t)
corenet_tcp_connect_all_unreserved_ports(skype_t)
corenet_tcp_connect_generic_port(skype_t)
corenet_tcp_connect_http_port(skype_t)
corenet_tcp_sendrecv_http_port(skype_t)
corenet_udp_bind_generic_node(skype_t)
-corenet_udp_bind_generic_port(skype_t)
+corenet_udp_bind_generic_port(skype_t)
dev_dontaudit_search_sysfs(skype_t)
+dev_dontaudit_read_sysfs(skype_t)
dev_read_sound(skype_t)
dev_read_video_dev(skype_t)
dev_write_sound(skype_t)
@@ -112,6 +114,10 @@ tunable_policy(`skype_manage_user_content',`
')
optional_policy(`
+ pulseaudio_client_domain(skype_t, skype_tmpfs_t)
+')
+
+optional_policy(`
dbus_system_bus_client(skype_t)
dbus_all_session_bus_client(skype_t)
')
@@ -120,6 +126,10 @@ optional_policy(`
xdg_manage_config_home(skype_t)
')
+optional_policy(`
+ mozilla_dontaudit_manage_user_home_files(skype_t)
+')
+
ifdef(`use_alsa',`
optional_policy(`
alsa_domain(skype_t, skype_tmpfs_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2015-03-29 10:01 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
@ 2015-03-29 9:59 ` Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-03-29 9:59 UTC (permalink / raw
To: gentoo-commits
commit: 394b856733a6953b28aa53ee305aea7d5de03ccb
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Mar 24 12:27:05 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Mar 29 09:54:32 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=394b8567
skype: policy rules for v4.3
It now uses pulseaudio and also needs dir permissions in /tmp
policy/modules/contrib/skype.te | 16 +++++++++++++---
1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/policy/modules/contrib/skype.te b/policy/modules/contrib/skype.te
index 4c71730..be0684f 100644
--- a/policy/modules/contrib/skype.te
+++ b/policy/modules/contrib/skype.te
@@ -55,9 +55,10 @@ manage_fifo_files_pattern(skype_t, skype_tmpfs_t, skype_tmpfs_t)
manage_sock_files_pattern(skype_t, skype_tmpfs_t, skype_tmpfs_t)
fs_tmpfs_filetrans(skype_t, skype_tmpfs_t, { file lnk_file sock_file fifo_file })
+manage_dirs_pattern(skype_t, skype_tmp_t, skype_tmp_t)
manage_files_pattern(skype_t, skype_tmp_t, skype_tmp_t)
manage_sock_files_pattern(skype_t, skype_tmp_t, skype_tmp_t)
-files_tmp_filetrans(skype_t, skype_tmp_t, { file sock_file })
+files_tmp_filetrans(skype_t, skype_tmp_t, { dir file sock_file })
kernel_dontaudit_search_sysctl(skype_t)
kernel_dontaudit_read_kernel_sysctls(skype_t)
@@ -73,15 +74,16 @@ corenet_all_recvfrom_netlabel(skype_t)
corenet_all_recvfrom_unlabeled(skype_t)
corenet_sendrecv_http_client_packets(skype_t)
corenet_tcp_bind_generic_node(skype_t)
-corenet_tcp_bind_generic_port(skype_t)
+corenet_tcp_bind_generic_port(skype_t)
corenet_tcp_connect_all_unreserved_ports(skype_t)
corenet_tcp_connect_generic_port(skype_t)
corenet_tcp_connect_http_port(skype_t)
corenet_tcp_sendrecv_http_port(skype_t)
corenet_udp_bind_generic_node(skype_t)
-corenet_udp_bind_generic_port(skype_t)
+corenet_udp_bind_generic_port(skype_t)
dev_dontaudit_search_sysfs(skype_t)
+dev_dontaudit_read_sysfs(skype_t)
dev_read_sound(skype_t)
dev_read_video_dev(skype_t)
dev_write_sound(skype_t)
@@ -112,6 +114,10 @@ tunable_policy(`skype_manage_user_content',`
')
optional_policy(`
+ pulseaudio_client_domain(skype_t, skype_tmpfs_t)
+')
+
+optional_policy(`
dbus_system_bus_client(skype_t)
dbus_all_session_bus_client(skype_t)
')
@@ -120,6 +126,10 @@ optional_policy(`
xdg_manage_config_home(skype_t)
')
+optional_policy(`
+ mozilla_dontaudit_manage_user_home_files(skype_t)
+')
+
ifdef(`use_alsa',`
optional_policy(`
alsa_domain(skype_t, skype_tmpfs_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-03-29 9:59 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-03-29 9:59 UTC (permalink / raw
To: gentoo-commits
commit: cc6a8328ab18f5447fbdba85531c9b521dc2eb0b
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Mar 24 15:53:44 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Mar 29 09:54:32 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cc6a8328
introduce chromium_rw_usb_dev
allows chromium to use USB devices for android debugging or to use
a FIDO U2F token.
policy/modules/contrib/chromium.te | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/policy/modules/contrib/chromium.te b/policy/modules/contrib/chromium.te
index e5aa5aa..b2c9ccc 100644
--- a/policy/modules/contrib/chromium.te
+++ b/policy/modules/contrib/chromium.te
@@ -41,6 +41,17 @@ gen_tunable(chromium_read_system_info, false)
## </desc>
gen_tunable(chromium_bind_tcp_unreserved_ports, false)
+## <desc>
+## <p>
+## Allow chromium to read/write USB devices
+## </p>
+## <p>
+## Although not needed for regular browsing, used for debugging over usb
+## or using FIDO U2F tokens.
+## </p>
+## </desc>
+gen_tunable(chromium_rw_usb_dev, false)
+
type chromium_t;
domain_dyntrans_type(chromium_t)
@@ -181,6 +192,10 @@ tunable_policy(`chromium_bind_tcp_unreserved_ports',`
allow chromium_t self:tcp_socket { listen accept };
')
+tunable_policy(`chromium_rw_usb_dev',`
+ dev_rw_generic_usb_dev(chromium_t)
+')
+
tunable_policy(`chromium_read_system_info',`
kernel_read_kernel_sysctls(chromium_t)
# Memory optimizations & optimizations based on OS/version
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-03-25 16:01 Jason Zaman
2015-03-25 15:55 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2015-03-25 16:01 UTC (permalink / raw
To: gentoo-commits
commit: df65cfff17b72258446578aafe99edac7ea237bd
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Mar 25 02:24:44 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Mar 25 15:52:05 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=df65cfff
rpc: allow setgid capability
rpc.gssd needs to be able to setgid, otherwise using a kerberized nfs
mount fails with permission denied.
errors:
rpc.gssd[22887]: WARNING: unable to drop supplimentary groups!
rpc.gssd[22887]: WARNING: failed to change identity: Operation not permitted
denials:
type=AVC msg=audit(1427206637.030:9956): avc: denied { setgid } for
pid=22887 comm="rpc.gssd" capability=6
scontext=system_u:system_r:gssd_t tcontext=system_u:system_r:gssd_t
tclass=capability permissive=0
type=SYSCALL msg=audit(1427206637.030:9956): arch=c000003e syscall=116
success=no exit=-1 a0=0 a1=0 a2=5111a30e20 a3=31fc5672090 items=0
ppid=22763 pid=22887 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=2 comm="rpc.gssd" exe="/usr/sbin/rpc.gssd"
subj=system_u:system_r:gssd_t key=(null)
policy/modules/contrib/rpc.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
index 66f77ab..cf4d1fc 100644
--- a/policy/modules/contrib/rpc.te
+++ b/policy/modules/contrib/rpc.te
@@ -282,7 +282,7 @@ optional_policy(`
# GSSD local policy
#
-allow gssd_t self:capability { dac_override dac_read_search setuid sys_nice };
+allow gssd_t self:capability { dac_override dac_read_search setuid setgid sys_nice };
allow gssd_t self:process { getsched setsched };
allow gssd_t self:fifo_file rw_fifo_file_perms;
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2015-03-25 16:01 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
@ 2015-03-25 15:55 ` Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-03-25 15:55 UTC (permalink / raw
To: gentoo-commits
commit: df65cfff17b72258446578aafe99edac7ea237bd
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Mar 25 02:24:44 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Mar 25 15:52:05 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=df65cfff
rpc: allow setgid capability
rpc.gssd needs to be able to setgid, otherwise using a kerberized nfs
mount fails with permission denied.
errors:
rpc.gssd[22887]: WARNING: unable to drop supplimentary groups!
rpc.gssd[22887]: WARNING: failed to change identity: Operation not permitted
denials:
type=AVC msg=audit(1427206637.030:9956): avc: denied { setgid } for
pid=22887 comm="rpc.gssd" capability=6
scontext=system_u:system_r:gssd_t tcontext=system_u:system_r:gssd_t
tclass=capability permissive=0
type=SYSCALL msg=audit(1427206637.030:9956): arch=c000003e syscall=116
success=no exit=-1 a0=0 a1=0 a2=5111a30e20 a3=31fc5672090 items=0
ppid=22763 pid=22887 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=2 comm="rpc.gssd" exe="/usr/sbin/rpc.gssd"
subj=system_u:system_r:gssd_t key=(null)
policy/modules/contrib/rpc.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
index 66f77ab..cf4d1fc 100644
--- a/policy/modules/contrib/rpc.te
+++ b/policy/modules/contrib/rpc.te
@@ -282,7 +282,7 @@ optional_policy(`
# GSSD local policy
#
-allow gssd_t self:capability { dac_override dac_read_search setuid sys_nice };
+allow gssd_t self:capability { dac_override dac_read_search setuid setgid sys_nice };
allow gssd_t self:process { getsched setsched };
allow gssd_t self:fifo_file rw_fifo_file_perms;
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-03-25 16:01 Jason Zaman
2015-03-25 15:55 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2015-03-25 16:01 UTC (permalink / raw
To: gentoo-commits
commit: d4ff30bdc377f3dea934af1b478cdf86d33a7589
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Mar 25 02:24:46 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Mar 25 15:52:05 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d4ff30bd
introduce virt_leaseshelper_t
policy/modules/contrib/dnsmasq.te | 1 +
policy/modules/contrib/virt.fc | 1 +
policy/modules/contrib/virt.if | 20 ++++++++++++++++++++
policy/modules/contrib/virt.te | 23 +++++++++++++++++++++++
4 files changed, 45 insertions(+)
diff --git a/policy/modules/contrib/dnsmasq.te b/policy/modules/contrib/dnsmasq.te
index fbfe09f..eb3c7f8 100644
--- a/policy/modules/contrib/dnsmasq.te
+++ b/policy/modules/contrib/dnsmasq.te
@@ -127,4 +127,5 @@ optional_policy(`
virt_manage_lib_files(dnsmasq_t)
virt_read_pid_files(dnsmasq_t)
virt_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file })
+ virt_domtrans_leaseshelper(dnsmasq_t)
')
diff --git a/policy/modules/contrib/virt.fc b/policy/modules/contrib/virt.fc
index a4f20bc..b38007b 100644
--- a/policy/modules/contrib/virt.fc
+++ b/policy/modules/contrib/virt.fc
@@ -18,6 +18,7 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
/usr/libexec/libvirt_lxc -- gen_context(system_u:object_r:virtd_lxc_exec_t,s0)
/usr/libexec/qemu-bridge-helper gen_context(system_u:object_r:virt_bridgehelper_exec_t,s0)
+/usr/libexec/libvirt_leaseshelper -- gen_context(system_u:object_r:virt_leaseshelper_exec_t,s0)
/usr/bin/virsh -- gen_context(system_u:object_r:virsh_exec_t,s0)
/usr/bin/virt-sandbox-service.* -- gen_context(system_u:object_r:virsh_exec_t,s0)
diff --git a/policy/modules/contrib/virt.if b/policy/modules/contrib/virt.if
index c8bc302..7c97c87 100644
--- a/policy/modules/contrib/virt.if
+++ b/policy/modules/contrib/virt.if
@@ -193,6 +193,26 @@ interface(`virt_domtrans_bridgehelper',`
########################################
## <summary>
+## Execute a domain transition to
+## run virt bridgehelper.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`virt_domtrans_leaseshelper',`
+ gen_require(`
+ type virt_leaseshelper_t, virt_leaseshelper_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, virt_leaseshelper_exec_t, virt_leaseshelper_t)
+')
+
+########################################
+## <summary>
## Execute bridgehelper in the bridgehelper
## domain, and allow the specified role
## the bridgehelper domain.
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 6332b0f..0d50107 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -166,6 +166,12 @@ domain_type(virt_bridgehelper_t)
domain_entry_file(virt_bridgehelper_t, virt_bridgehelper_exec_t)
role virt_bridgehelper_roles types virt_bridgehelper_t;
+type virt_leaseshelper_t;
+type virt_leaseshelper_exec_t;
+domain_type(virt_leaseshelper_t)
+domain_entry_file(virt_leaseshelper_t, virt_leaseshelper_exec_t)
+role system_r types virt_leaseshelper_t;
+
type virtd_lxc_t;
type virtd_lxc_exec_t;
init_system_domain(virtd_lxc_t, virtd_lxc_exec_t)
@@ -1220,3 +1226,20 @@ corenet_rw_tun_tap_dev(virt_bridgehelper_t)
userdom_search_user_home_dirs(virt_bridgehelper_t)
userdom_use_user_ptys(virt_bridgehelper_t)
+
+########################################
+#
+# Leaseshelper local policy
+#
+
+allow virt_leaseshelper_t virtd_t:fd use;
+allow virt_leaseshelper_t virtd_t:fifo_file write_fifo_file_perms;
+
+manage_dirs_pattern(virt_leaseshelper_t, virt_var_lib_t, virt_var_lib_t)
+manage_files_pattern(virt_leaseshelper_t, virt_var_lib_t, virt_var_lib_t)
+files_var_lib_filetrans(virt_leaseshelper_t, virt_var_lib_t, { file dir })
+
+manage_files_pattern(virt_leaseshelper_t, virt_var_run_t, virt_var_run_t)
+files_pid_filetrans(virt_leaseshelper_t, virt_var_run_t, file)
+
+kernel_dontaudit_read_system_state(virt_leaseshelper_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2015-03-25 16:01 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
@ 2015-03-25 15:55 ` Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-03-25 15:55 UTC (permalink / raw
To: gentoo-commits
commit: d4ff30bdc377f3dea934af1b478cdf86d33a7589
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Mar 25 02:24:46 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Mar 25 15:52:05 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d4ff30bd
introduce virt_leaseshelper_t
policy/modules/contrib/dnsmasq.te | 1 +
policy/modules/contrib/virt.fc | 1 +
policy/modules/contrib/virt.if | 20 ++++++++++++++++++++
policy/modules/contrib/virt.te | 23 +++++++++++++++++++++++
4 files changed, 45 insertions(+)
diff --git a/policy/modules/contrib/dnsmasq.te b/policy/modules/contrib/dnsmasq.te
index fbfe09f..eb3c7f8 100644
--- a/policy/modules/contrib/dnsmasq.te
+++ b/policy/modules/contrib/dnsmasq.te
@@ -127,4 +127,5 @@ optional_policy(`
virt_manage_lib_files(dnsmasq_t)
virt_read_pid_files(dnsmasq_t)
virt_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file })
+ virt_domtrans_leaseshelper(dnsmasq_t)
')
diff --git a/policy/modules/contrib/virt.fc b/policy/modules/contrib/virt.fc
index a4f20bc..b38007b 100644
--- a/policy/modules/contrib/virt.fc
+++ b/policy/modules/contrib/virt.fc
@@ -18,6 +18,7 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
/usr/libexec/libvirt_lxc -- gen_context(system_u:object_r:virtd_lxc_exec_t,s0)
/usr/libexec/qemu-bridge-helper gen_context(system_u:object_r:virt_bridgehelper_exec_t,s0)
+/usr/libexec/libvirt_leaseshelper -- gen_context(system_u:object_r:virt_leaseshelper_exec_t,s0)
/usr/bin/virsh -- gen_context(system_u:object_r:virsh_exec_t,s0)
/usr/bin/virt-sandbox-service.* -- gen_context(system_u:object_r:virsh_exec_t,s0)
diff --git a/policy/modules/contrib/virt.if b/policy/modules/contrib/virt.if
index c8bc302..7c97c87 100644
--- a/policy/modules/contrib/virt.if
+++ b/policy/modules/contrib/virt.if
@@ -193,6 +193,26 @@ interface(`virt_domtrans_bridgehelper',`
########################################
## <summary>
+## Execute a domain transition to
+## run virt bridgehelper.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`virt_domtrans_leaseshelper',`
+ gen_require(`
+ type virt_leaseshelper_t, virt_leaseshelper_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, virt_leaseshelper_exec_t, virt_leaseshelper_t)
+')
+
+########################################
+## <summary>
## Execute bridgehelper in the bridgehelper
## domain, and allow the specified role
## the bridgehelper domain.
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 6332b0f..0d50107 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -166,6 +166,12 @@ domain_type(virt_bridgehelper_t)
domain_entry_file(virt_bridgehelper_t, virt_bridgehelper_exec_t)
role virt_bridgehelper_roles types virt_bridgehelper_t;
+type virt_leaseshelper_t;
+type virt_leaseshelper_exec_t;
+domain_type(virt_leaseshelper_t)
+domain_entry_file(virt_leaseshelper_t, virt_leaseshelper_exec_t)
+role system_r types virt_leaseshelper_t;
+
type virtd_lxc_t;
type virtd_lxc_exec_t;
init_system_domain(virtd_lxc_t, virtd_lxc_exec_t)
@@ -1220,3 +1226,20 @@ corenet_rw_tun_tap_dev(virt_bridgehelper_t)
userdom_search_user_home_dirs(virt_bridgehelper_t)
userdom_use_user_ptys(virt_bridgehelper_t)
+
+########################################
+#
+# Leaseshelper local policy
+#
+
+allow virt_leaseshelper_t virtd_t:fd use;
+allow virt_leaseshelper_t virtd_t:fifo_file write_fifo_file_perms;
+
+manage_dirs_pattern(virt_leaseshelper_t, virt_var_lib_t, virt_var_lib_t)
+manage_files_pattern(virt_leaseshelper_t, virt_var_lib_t, virt_var_lib_t)
+files_var_lib_filetrans(virt_leaseshelper_t, virt_var_lib_t, { file dir })
+
+manage_files_pattern(virt_leaseshelper_t, virt_var_run_t, virt_var_run_t)
+files_pid_filetrans(virt_leaseshelper_t, virt_var_run_t, file)
+
+kernel_dontaudit_read_system_state(virt_leaseshelper_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-03-25 16:01 Jason Zaman
2015-03-25 15:55 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2015-03-25 16:01 UTC (permalink / raw
To: gentoo-commits
commit: f78e2773a5ccfa735d536aa373d95219a47a3f78
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Wed Mar 25 12:27:04 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Mar 25 15:52:05 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f78e2773
Module version bump for patches from Jason Zaman.
policy/modules/contrib/dnsmasq.te | 2 +-
policy/modules/contrib/git.te | 2 +-
policy/modules/contrib/rpc.te | 2 +-
policy/modules/contrib/rpcbind.te | 2 +-
policy/modules/contrib/virt.te | 2 +-
5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/policy/modules/contrib/dnsmasq.te b/policy/modules/contrib/dnsmasq.te
index eb3c7f8..e2f8300 100644
--- a/policy/modules/contrib/dnsmasq.te
+++ b/policy/modules/contrib/dnsmasq.te
@@ -1,4 +1,4 @@
-policy_module(dnsmasq, 1.12.0)
+policy_module(dnsmasq, 1.12.1)
########################################
#
diff --git a/policy/modules/contrib/git.te b/policy/modules/contrib/git.te
index a93c976..1ca8c24 100644
--- a/policy/modules/contrib/git.te
+++ b/policy/modules/contrib/git.te
@@ -1,4 +1,4 @@
-policy_module(git, 1.5.0)
+policy_module(git, 1.5.1)
########################################
#
diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
index cf4d1fc..f0fa041 100644
--- a/policy/modules/contrib/rpc.te
+++ b/policy/modules/contrib/rpc.te
@@ -1,4 +1,4 @@
-policy_module(rpc, 1.16.0)
+policy_module(rpc, 1.16.1)
########################################
#
diff --git a/policy/modules/contrib/rpcbind.te b/policy/modules/contrib/rpcbind.te
index 78022b6..9604d59 100644
--- a/policy/modules/contrib/rpcbind.te
+++ b/policy/modules/contrib/rpcbind.te
@@ -1,4 +1,4 @@
-policy_module(rpcbind, 1.8.0)
+policy_module(rpcbind, 1.8.1)
########################################
#
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 0d50107..27a28df 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1,4 +1,4 @@
-policy_module(virt, 1.8.0)
+policy_module(virt, 1.8.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2015-03-25 16:01 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
@ 2015-03-25 15:55 ` Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-03-25 15:55 UTC (permalink / raw
To: gentoo-commits
commit: f78e2773a5ccfa735d536aa373d95219a47a3f78
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Wed Mar 25 12:27:04 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Mar 25 15:52:05 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f78e2773
Module version bump for patches from Jason Zaman.
policy/modules/contrib/dnsmasq.te | 2 +-
policy/modules/contrib/git.te | 2 +-
policy/modules/contrib/rpc.te | 2 +-
policy/modules/contrib/rpcbind.te | 2 +-
policy/modules/contrib/virt.te | 2 +-
5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/policy/modules/contrib/dnsmasq.te b/policy/modules/contrib/dnsmasq.te
index eb3c7f8..e2f8300 100644
--- a/policy/modules/contrib/dnsmasq.te
+++ b/policy/modules/contrib/dnsmasq.te
@@ -1,4 +1,4 @@
-policy_module(dnsmasq, 1.12.0)
+policy_module(dnsmasq, 1.12.1)
########################################
#
diff --git a/policy/modules/contrib/git.te b/policy/modules/contrib/git.te
index a93c976..1ca8c24 100644
--- a/policy/modules/contrib/git.te
+++ b/policy/modules/contrib/git.te
@@ -1,4 +1,4 @@
-policy_module(git, 1.5.0)
+policy_module(git, 1.5.1)
########################################
#
diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
index cf4d1fc..f0fa041 100644
--- a/policy/modules/contrib/rpc.te
+++ b/policy/modules/contrib/rpc.te
@@ -1,4 +1,4 @@
-policy_module(rpc, 1.16.0)
+policy_module(rpc, 1.16.1)
########################################
#
diff --git a/policy/modules/contrib/rpcbind.te b/policy/modules/contrib/rpcbind.te
index 78022b6..9604d59 100644
--- a/policy/modules/contrib/rpcbind.te
+++ b/policy/modules/contrib/rpcbind.te
@@ -1,4 +1,4 @@
-policy_module(rpcbind, 1.8.0)
+policy_module(rpcbind, 1.8.1)
########################################
#
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 0d50107..27a28df 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1,4 +1,4 @@
-policy_module(virt, 1.8.0)
+policy_module(virt, 1.8.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-03-25 16:01 Jason Zaman
2015-03-25 15:55 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2015-03-25 16:01 UTC (permalink / raw
To: gentoo-commits
commit: c00545ccf571b026bd76524b6efec2d766ef7f12
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Mar 25 02:24:45 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Mar 25 15:52:05 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c00545cc
virt: add virt_tmpfs_t type and permissions
virtd_t writes the spice shm file in tmpfs so this allows access.
type=AVC msg=audit(1427209364.960:10357): avc: granted { add_name }
for pid=24933 comm="qemu-system-x86" name="spice.24933"
scontext=system_u:system_r:virtd_t tcontext=system_u:object_r:tmpfs_t
tclass=dir
type=AVC msg=audit(1427209364.960:10357): avc: granted { write } for
pid=24933 comm="qemu-system-x86" path="/dev/shm/spice.24933" dev="tmpfs"
ino=638614 scontext=system_u:system_r:virtd_t
tcontext=system_u:object_r:tmpfs_t tclass=file
policy/modules/contrib/virt.te | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 59c0f07..6332b0f 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -127,6 +127,9 @@ mls_trusted_object(virt_log_t)
type virt_tmp_t;
files_tmp_file(virt_tmp_t)
+type virt_tmpfs_t;
+files_tmpfs_file(virt_tmpfs_t)
+
type virt_var_run_t;
files_pid_file(virt_var_run_t)
@@ -484,6 +487,10 @@ manage_dirs_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
manage_files_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
files_tmp_filetrans(virtd_t, virt_tmp_t, { file dir })
+manage_dirs_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t)
+manage_files_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t)
+fs_tmpfs_filetrans(virtd_t, virt_tmpfs_t, { file dir })
+
# This needs a file context specification
manage_dirs_pattern(virtd_t, virt_lock_t, virt_lock_t)
manage_files_pattern(virtd_t, virt_lock_t, virt_lock_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2015-03-25 16:01 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
@ 2015-03-25 15:55 ` Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-03-25 15:55 UTC (permalink / raw
To: gentoo-commits
commit: c00545ccf571b026bd76524b6efec2d766ef7f12
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Mar 25 02:24:45 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Mar 25 15:52:05 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c00545cc
virt: add virt_tmpfs_t type and permissions
virtd_t writes the spice shm file in tmpfs so this allows access.
type=AVC msg=audit(1427209364.960:10357): avc: granted { add_name }
for pid=24933 comm="qemu-system-x86" name="spice.24933"
scontext=system_u:system_r:virtd_t tcontext=system_u:object_r:tmpfs_t
tclass=dir
type=AVC msg=audit(1427209364.960:10357): avc: granted { write } for
pid=24933 comm="qemu-system-x86" path="/dev/shm/spice.24933" dev="tmpfs"
ino=638614 scontext=system_u:system_r:virtd_t
tcontext=system_u:object_r:tmpfs_t tclass=file
policy/modules/contrib/virt.te | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 59c0f07..6332b0f 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -127,6 +127,9 @@ mls_trusted_object(virt_log_t)
type virt_tmp_t;
files_tmp_file(virt_tmp_t)
+type virt_tmpfs_t;
+files_tmpfs_file(virt_tmpfs_t)
+
type virt_var_run_t;
files_pid_file(virt_var_run_t)
@@ -484,6 +487,10 @@ manage_dirs_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
manage_files_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
files_tmp_filetrans(virtd_t, virt_tmp_t, { file dir })
+manage_dirs_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t)
+manage_files_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t)
+fs_tmpfs_filetrans(virtd_t, virt_tmpfs_t, { file dir })
+
# This needs a file context specification
manage_dirs_pattern(virtd_t, virt_lock_t, virt_lock_t)
manage_files_pattern(virtd_t, virt_lock_t, virt_lock_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-03-25 16:01 Jason Zaman
2015-03-25 15:55 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2015-03-25 16:01 UTC (permalink / raw
To: gentoo-commits
commit: 7b3c908130c376a0c5d312057979dbfa4281d2ea
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Mar 25 02:24:42 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Mar 25 15:52:04 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7b3c9081
git: make inetd interface optional
git-daemon can be run without inetd, this patch makes the
interface optional so that git.pp can be loaded without inetd
policy/modules/contrib/git.te | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/git.te b/policy/modules/contrib/git.te
index 084ac9d..a93c976 100644
--- a/policy/modules/contrib/git.te
+++ b/policy/modules/contrib/git.te
@@ -86,7 +86,6 @@ apache_content_template(git)
type git_system_t, git_daemon;
type gitd_exec_t;
-inetd_service_domain(git_system_t, gitd_exec_t)
init_daemon_domain(git_system_t, gitd_exec_t)
type git_session_t, git_daemon;
@@ -122,6 +121,10 @@ auth_use_nsswitch(git_session_t)
userdom_use_user_terminals(git_session_t)
+optional_policy(`
+ inetd_service_domain(git_system_t, gitd_exec_t)
+')
+
tunable_policy(`git_session_bind_all_unreserved_ports',`
corenet_sendrecv_all_server_packets(git_session_t)
corenet_tcp_bind_all_unreserved_ports(git_session_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2015-03-25 16:01 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
@ 2015-03-25 15:55 ` Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-03-25 15:55 UTC (permalink / raw
To: gentoo-commits
commit: 7b3c908130c376a0c5d312057979dbfa4281d2ea
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Mar 25 02:24:42 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Mar 25 15:52:04 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7b3c9081
git: make inetd interface optional
git-daemon can be run without inetd, this patch makes the
interface optional so that git.pp can be loaded without inetd
policy/modules/contrib/git.te | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/git.te b/policy/modules/contrib/git.te
index 084ac9d..a93c976 100644
--- a/policy/modules/contrib/git.te
+++ b/policy/modules/contrib/git.te
@@ -86,7 +86,6 @@ apache_content_template(git)
type git_system_t, git_daemon;
type gitd_exec_t;
-inetd_service_domain(git_system_t, gitd_exec_t)
init_daemon_domain(git_system_t, gitd_exec_t)
type git_session_t, git_daemon;
@@ -122,6 +121,10 @@ auth_use_nsswitch(git_session_t)
userdom_use_user_terminals(git_session_t)
+optional_policy(`
+ inetd_service_domain(git_system_t, gitd_exec_t)
+')
+
tunable_policy(`git_session_bind_all_unreserved_ports',`
corenet_sendrecv_all_server_packets(git_session_t)
corenet_tcp_bind_all_unreserved_ports(git_session_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-03-25 16:01 Jason Zaman
2015-03-25 15:55 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2015-03-25 16:01 UTC (permalink / raw
To: gentoo-commits
commit: 5661e0858e00e7f331d66a334d7c374842f1180a
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Mar 25 02:24:41 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Mar 25 15:52:04 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5661e085
rpcbind: typo fix
policy/modules/contrib/rpcbind.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/rpcbind.if b/policy/modules/contrib/rpcbind.if
index 1a1cb99..f78fef0 100644
--- a/policy/modules/contrib/rpcbind.if
+++ b/policy/modules/contrib/rpcbind.if
@@ -21,7 +21,7 @@ interface(`rpcbind_domtrans',`
########################################
## <summary>
-## Connect to rpcbindd with a
+## Connect to rpcbind with a
## unix domain stream socket.
## </summary>
## <param name="domain">
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-03-25 15:55 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-03-25 15:55 UTC (permalink / raw
To: gentoo-commits
commit: 05a1bdce8efe1b2c689f55e1f3018ff7df6de43d
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Mar 25 02:24:43 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Mar 25 15:52:05 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=05a1bdce
rpc: introduce allow_gssd_write_tmp boolean
gssd needs to be able to write the user's kerberos token
into the ticket cache which is stored in /tmp
type=AVC msg=audit(1427206305.314:9914): avc: granted { read write
open } for pid=22562 comm="rpc.gssd" path="/tmp/krb5cc_1000"
dev="tmpfs" ino=327516 scontext=system_u:system_r:gssd_t
tcontext=staff_u:object_r:user_tmp_t tclass=file
policy/modules/contrib/rpc.te | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
index d48a946..66f77ab 100644
--- a/policy/modules/contrib/rpc.te
+++ b/policy/modules/contrib/rpc.te
@@ -15,6 +15,14 @@ gen_tunable(allow_gssd_read_tmp, false)
## <desc>
## <p>
+## Determine whether gssd can write
+## generic user temporary content.
+## </p>
+## </desc>
+gen_tunable(allow_gssd_write_tmp, false)
+
+## <desc>
+## <p>
## Determine whether nfs can modify
## public files used for public file
## transfer services. Directories/Files must
@@ -313,6 +321,11 @@ tunable_policy(`allow_gssd_read_tmp',`
userdom_read_user_tmp_symlinks(gssd_t)
')
+tunable_policy(`allow_gssd_write_tmp',`
+ userdom_list_user_tmp(gssd_t)
+ userdom_rw_user_tmp_files(gssd_t)
+')
+
optional_policy(`
automount_signal(gssd_t)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-02-19 10:46 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2015-02-19 10:46 UTC (permalink / raw
To: gentoo-commits
commit: 2520e92b0d4d6dd062477a74731bf2dcb668350b
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue Feb 17 13:33:44 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Feb 19 10:43:27 2015 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=2520e92b
Module version bump for fc typo in radius from Sven Vermeulen.
---
policy/modules/contrib/radius.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/radius.te b/policy/modules/contrib/radius.te
index 403a4fe..d85eecc 100644
--- a/policy/modules/contrib/radius.te
+++ b/policy/modules/contrib/radius.te
@@ -1,4 +1,4 @@
-policy_module(radius, 1.13.0)
+policy_module(radius, 1.13.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-02-19 10:46 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2015-02-19 10:46 UTC (permalink / raw
To: gentoo-commits
commit: 748a5e04609445337bbc5dbbfe5554263fae7720
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Feb 15 17:40:49 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Feb 19 10:43:25 2015 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=748a5e04
Fix typo for radiusd /var/lib location
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
---
policy/modules/contrib/radius.fc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/radius.fc b/policy/modules/contrib/radius.fc
index d447e85..021438b 100644
--- a/policy/modules/contrib/radius.fc
+++ b/policy/modules/contrib/radius.fc
@@ -9,7 +9,7 @@
/usr/sbin/radiusd -- gen_context(system_u:object_r:radiusd_exec_t,s0)
/usr/sbin/freeradius -- gen_context(system_u:object_r:radiusd_exec_t,s0)
-/var/lib/radiousd(/.*)? gen_context(system_u:object_r:radiusd_var_lib_t,s0)
+/var/lib/radiusd(/.*)? gen_context(system_u:object_r:radiusd_var_lib_t,s0)
/var/log/freeradius(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0)
/var/log/radacct(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-02-15 18:06 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2015-02-15 18:06 UTC (permalink / raw
To: gentoo-commits
commit: de0425cfcaf108a4e726e7ff42d23573bfae4e8d
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Feb 15 18:04:57 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Feb 15 18:04:57 2015 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=de0425cf
Remove duplicate mailman etc declaration
---
policy/modules/contrib/mailman.fc | 2 --
1 file changed, 2 deletions(-)
diff --git a/policy/modules/contrib/mailman.fc b/policy/modules/contrib/mailman.fc
index 337f7d1..79c9f80 100644
--- a/policy/modules/contrib/mailman.fc
+++ b/policy/modules/contrib/mailman.fc
@@ -48,6 +48,4 @@ ifdef(`distro_gentoo',`
/var/lib/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0)
/var/lib/mailman/archives(/.*)? gen_context(system_u:object_r:mailman_archive_t,s0)
-
-/etc/mailman(/.*)?
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-02-15 18:03 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2015-02-15 18:03 UTC (permalink / raw
To: gentoo-commits
commit: 9bbc62384c84e9ca59adae9e6b2c68bdb5c6102a
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Feb 15 18:01:37 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Feb 15 18:01:37 2015 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=9bbc6238
Fix typo
---
policy/modules/contrib/mailman.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/mailman.if b/policy/modules/contrib/mailman.if
index dcede3a..c3c6837 100644
--- a/policy/modules/contrib/mailman.if
+++ b/policy/modules/contrib/mailman.if
@@ -42,7 +42,7 @@ template(`mailman_domain_template',`
ifdef(`distro_gentoo',`
# Bug #536666 - Assign mailman_domain to all mailman domains
- typeattribute mailmain_$1_t mailman_domain;
+ typeattribute mailman_$1_t mailman_domain;
')
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-02-15 18:00 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2015-02-15 18:00 UTC (permalink / raw
To: gentoo-commits
commit: 8a9db2c7ce1d9ffc2b0e2f789d3eb8fec86eeb53
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Feb 15 17:58:38 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Feb 15 17:58:38 2015 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=8a9db2c7
Fix bug #536666 - Assign mailman_domain to all mailman domains
---
policy/modules/contrib/mailman.if | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/policy/modules/contrib/mailman.if b/policy/modules/contrib/mailman.if
index 108c0f1..dcede3a 100644
--- a/policy/modules/contrib/mailman.if
+++ b/policy/modules/contrib/mailman.if
@@ -39,6 +39,11 @@ template(`mailman_domain_template',`
files_tmp_filetrans(mailman_$1_t, mailman_$1_tmp_t, { file dir })
auth_use_nsswitch(mailman_$1_t)
+
+ ifdef(`distro_gentoo',`
+ # Bug #536666 - Assign mailman_domain to all mailman domains
+ typeattribute mailmain_$1_t mailman_domain;
+ ')
')
#######################################
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-02-15 18:00 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2015-02-15 18:00 UTC (permalink / raw
To: gentoo-commits
commit: dc06f7836a3223cd02516a937e9cbe858c07084a
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Feb 15 17:56:13 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Feb 15 17:56:13 2015 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=dc06f783
Fix bug #536666 - Fix mailman contexts
---
policy/modules/contrib/mailman.fc | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
diff --git a/policy/modules/contrib/mailman.fc b/policy/modules/contrib/mailman.fc
index 995d0a5..337f7d1 100644
--- a/policy/modules/contrib/mailman.fc
+++ b/policy/modules/contrib/mailman.fc
@@ -27,3 +27,27 @@
/usr/mailman.*/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
/usr/share/doc/mailman.*/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+
+ifdef(`distro_gentoo',`
+# Bug 536666
+# Seems like Fedora changes trickled in refpolicy and break due to /usr/lib/mailman/bin declaration in corecommands.fc
+/etc/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0)
+
+/usr/lib/cgi-bin/mailman(/.*)? gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
+/usr/lib/mailman/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/lib/mailman/bin/mm-handler -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/lib/mailman/bin/qrunner -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
+/usr/lib/mailman/cgi-bin(/.*)? gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
+/usr/lib/mailman/cron(/.*)? gen_context(system_u:object_r:mailman_queue_exec_t,s0)
+/usr/lib/mailman/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/lib/mailman/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/lib/mailman/scripts/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+
+/usr/mailman/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/share/doc/mailman/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+
+/var/lib/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0)
+/var/lib/mailman/archives(/.*)? gen_context(system_u:object_r:mailman_archive_t,s0)
+
+/etc/mailman(/.*)?
+')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-01-31 11:22 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2015-01-31 11:22 UTC (permalink / raw
To: gentoo-commits
commit: bb37c689dfa61fc5300dd7b7d2c38fb5609d5165
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Jan 31 11:17:24 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Jan 31 11:17:24 2015 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=bb37c689
Enable salt-minion to switch uid/gid to portage
The salt-minion daemon needs to switch its userid/groupid to the portage
ones before calling the emerge command to start installing software.
By allowing setuid/setgid capabilities, the installation succeeds.
---
policy/modules/contrib/salt.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te
index 024a165..970b183 100644
--- a/policy/modules/contrib/salt.te
+++ b/policy/modules/contrib/salt.te
@@ -198,7 +198,7 @@ tunable_policy(`salt_master_read_nfs',`
# salt_minion_t policy
#
-allow salt_minion_t self:capability { fsetid chown dac_override dac_read_search net_admin sys_admin sys_tty_config };
+allow salt_minion_t self:capability { fsetid chown dac_override dac_read_search net_admin setgid setuid sys_admin sys_tty_config };
allow salt_minion_t self:capability2 block_suspend;
allow salt_minion_t self:process { signal signull };
allow salt_minion_t self:tcp_socket create_stream_socket_perms;
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-01-29 20:53 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2015-01-29 20:53 UTC (permalink / raw
To: gentoo-commits
commit: b2003e0609bea6e44ac8da4c0f2c5580246012e4
Author: Dominick Grift <dac.override <AT> gmail <DOT> com>
AuthorDate: Mon Jan 5 17:50:03 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Jan 29 20:51:06 2015 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b2003e06
Redundant rules and afs_files_t is not a filesystem type
---
policy/modules/contrib/afs.te | 8 ++------
1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/policy/modules/contrib/afs.te b/policy/modules/contrib/afs.te
index 69067e3..2fb6932 100644
--- a/policy/modules/contrib/afs.te
+++ b/policy/modules/contrib/afs.te
@@ -1,4 +1,4 @@
-policy_module(afs, 1.9.1)
+policy_module(afs, 1.9.2)
########################################
#
@@ -74,7 +74,7 @@ role system_r types afs_vlserver_t;
allow afs_t self:capability { dac_override sys_admin sys_nice sys_tty_config };
allow afs_t self:process { setsched signal };
-allow afs_t self:fifo_file rw_file_perms;
+allow afs_t self:fifo_file rw_fifo_file_perms;
allow afs_t self:unix_stream_socket { accept listen };
manage_files_pattern(afs_t, afs_cache_t, afs_cache_t)
@@ -153,13 +153,9 @@ allow afs_fsserver_t self:process { setsched signal_perms };
allow afs_fsserver_t self:fifo_file rw_fifo_file_perms;
allow afs_fsserver_t self:tcp_socket create_stream_socket_perms;
-read_files_pattern(afs_fsserver_t, afs_config_t, afs_config_t)
-allow afs_fsserver_t afs_config_t:dir list_dir_perms;
-
manage_dirs_pattern(afs_fsserver_t, afs_config_t, afs_config_t)
manage_files_pattern(afs_fsserver_t, afs_config_t, afs_config_t)
-allow afs_fsserver_t afs_files_t:filesystem getattr;
manage_dirs_pattern(afs_fsserver_t, afs_files_t, afs_files_t)
manage_files_pattern(afs_fsserver_t, afs_files_t, afs_files_t)
manage_lnk_files_pattern(afs_fsserver_t, afs_files_t, afs_files_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-01-29 20:53 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2015-01-29 20:53 UTC (permalink / raw
To: gentoo-commits
commit: cba6dc0028608f027f7e02ab1d4df155632a7a46
Author: Dominick Grift <dac.override <AT> gmail <DOT> com>
AuthorDate: Tue Jan 27 20:17:58 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Jan 29 20:51:08 2015 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=cba6dc00
Various samhain fixes
connects to smtp port
resolves smtp dns name
missing samhain_domain attribute
reads random device
samhain_domains use unnamed pipes for internal comms
clarify why some rules are commented out for now in samhain_admin()
remove samhain_run() from samhain_admin()
samhain needs to be able to maintain directories in /var/lib
Signed-off-by: Dominick Grift <dac.override <AT> gmail.com>
---
policy/modules/contrib/samhain.if | 8 +++-----
policy/modules/contrib/samhain.te | 12 ++++++++++--
2 files changed, 13 insertions(+), 7 deletions(-)
diff --git a/policy/modules/contrib/samhain.if b/policy/modules/contrib/samhain.if
index f0236d6..b1ebcee 100644
--- a/policy/modules/contrib/samhain.if
+++ b/policy/modules/contrib/samhain.if
@@ -16,7 +16,7 @@ template(`samhain_service_template',`
type samhain_exec_t;
')
- type $1_t;
+ type $1_t, samhain_domain;
domain_type($1_t)
domain_entry_file($1_t, samhain_exec_t)
@@ -213,14 +213,14 @@ interface(`samhain_manage_pid_files',`
interface(`samhain_admin',`
gen_require(`
attribute samhain_domain;
- type samhain_t, samhaind_t, samhain_db_t, samhain_etc_t;
+ type samhain_db_t, samhain_etc_t;
type samhain_initrc_exec_t, samhain_log_t, samhain_var_run_t;
')
allow $1 samhain_domain:process { ptrace signal_perms };
ps_process_pattern($1, samhain_domain)
- # pending
+ # duplicate role transition: remove samhain_admin(sysadm_t, sysadm_r) first
# init_labeled_script_domtrans($1, samhain_initrc_exec_t)
# domain_system_change_exemption($1)
# role_transition $2 samhain_initrc_exec_t system_r;
@@ -237,6 +237,4 @@ interface(`samhain_admin',`
files_list_pids($1)
admin_pattern($1, samhain_var_run_t)
-
- # samhain_run($1, $2)
')
diff --git a/policy/modules/contrib/samhain.te b/policy/modules/contrib/samhain.te
index c41ce4b..3ed8e45 100644
--- a/policy/modules/contrib/samhain.te
+++ b/policy/modules/contrib/samhain.te
@@ -1,4 +1,4 @@
-policy_module(samhain, 1.2.0)
+policy_module(samhain, 1.2.1)
########################################
#
@@ -50,8 +50,9 @@ ifdef(`enable_mls',`
allow samhain_domain self:capability { dac_override dac_read_search fowner ipc_lock };
dontaudit samhain_domain self:capability { sys_resource sys_ptrace };
-allow samhain_domain self:fd use;
allow samhain_domain self:process { setsched setrlimit signull };
+allow samhain_domain self:fd use;
+allow samhain_domain self:fifo_file rw_fifo_file_perms;
allow samhain_domain samhain_etc_t:file read_file_perms;
@@ -96,6 +97,7 @@ logging_send_syslog_msg(samhain_domain)
#
manage_files_pattern(samhain_t, samhain_db_t, samhain_db_t)
+manage_dirs_pattern(samhain_t, samhain_db_t, samhain_db_t)
files_var_lib_filetrans(samhain_t, samhain_db_t, { file dir })
domain_use_interactive_fds(samhain_t)
@@ -115,4 +117,10 @@ can_exec(samhaind_t, samhain_exec_t)
read_files_pattern(samhaind_t, samhain_db_t, samhain_db_t)
+corenet_tcp_connect_smtp_port(samhaind_t)
+
+dev_read_rand(samhaind_t)
+
init_use_script_ptys(samhaind_t)
+
+sysnet_dns_name_resolve(samhaind_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-01-29 20:53 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2015-01-29 20:53 UTC (permalink / raw
To: gentoo-commits
commit: 9858e2074793ca61aed6d17f785dfe60ac9a6d0c
Author: Dominick Grift <dac.override <AT> gmail <DOT> com>
AuthorDate: Mon Jan 5 17:05:06 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Jan 29 20:51:03 2015 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=9858e207
Module version bump for afs fixes from Chas Williams.
---
policy/modules/contrib/afs.fc | 1 -
policy/modules/contrib/afs.te | 18 +++++++++---------
2 files changed, 9 insertions(+), 10 deletions(-)
diff --git a/policy/modules/contrib/afs.fc b/policy/modules/contrib/afs.fc
index 279b787..c40fe9a 100644
--- a/policy/modules/contrib/afs.fc
+++ b/policy/modules/contrib/afs.fc
@@ -47,4 +47,3 @@
/var/cache/(open)?afs(/.*)? gen_context(system_u:object_r:afs_cache_t,s0)
/vicep[a-z][a-z]?(/.*)? gen_context(system_u:object_r:afs_files_t,s0)
-
diff --git a/policy/modules/contrib/afs.te b/policy/modules/contrib/afs.te
index 6ba667d..69067e3 100644
--- a/policy/modules/contrib/afs.te
+++ b/policy/modules/contrib/afs.te
@@ -1,4 +1,4 @@
-policy_module(afs, 1.9.0)
+policy_module(afs, 1.9.1)
########################################
#
@@ -135,13 +135,13 @@ corenet_udp_bind_afs_bos_port(afs_bosserver_t)
corenet_sendrecv_afs_bos_server_packets(afs_bosserver_t)
corenet_udp_sendrecv_afs_bos_port(afs_bosserver_t)
+dev_read_urand(afs_bosserver_t)
+
files_list_home(afs_bosserver_t)
files_read_usr_files(afs_bosserver_t)
seutil_read_config(afs_bosserver_t)
-dev_read_urand(afs_bosserver_t)
-
########################################
#
# fileserver local policy
@@ -190,6 +190,8 @@ corenet_udp_bind_afs_fs_port(afs_fsserver_t)
corenet_tcp_sendrecv_afs_fs_port(afs_fsserver_t)
corenet_udp_sendrecv_afs_fs_port(afs_fsserver_t)
+dev_read_urand(afs_fsserver_t)
+
files_read_etc_runtime_files(afs_fsserver_t)
files_list_home(afs_fsserver_t)
files_read_usr_files(afs_fsserver_t)
@@ -208,8 +210,6 @@ seutil_read_config(afs_fsserver_t)
userdom_dontaudit_use_user_terminals(afs_fsserver_t)
-dev_read_urand(afs_fsserver_t)
-
########################################
#
# kaserver local policy
@@ -278,10 +278,10 @@ corenet_udp_bind_generic_node(afs_ptserver_t)
corenet_udp_bind_afs_pt_port(afs_ptserver_t)
corenet_sendrecv_afs_pt_server_packets(afs_ptserver_t)
-userdom_dontaudit_use_user_terminals(afs_ptserver_t)
-
dev_read_urand(afs_ptserver_t)
+userdom_dontaudit_use_user_terminals(afs_ptserver_t)
+
########################################
#
# vlserver local policy
@@ -311,10 +311,10 @@ corenet_udp_bind_generic_node(afs_vlserver_t)
corenet_udp_bind_afs_vl_port(afs_vlserver_t)
corenet_sendrecv_afs_vl_server_packets(afs_vlserver_t)
-userdom_dontaudit_use_user_terminals(afs_vlserver_t)
-
dev_read_urand(afs_vlserver_t)
+userdom_dontaudit_use_user_terminals(afs_vlserver_t)
+
########################################
#
# Global local policy
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-01-29 20:53 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2015-01-29 20:53 UTC (permalink / raw
To: gentoo-commits
commit: 554634acd986adb72fd1a7fb8a616b044387c0b8
Author: Chas Williams - CONTRACTOR <chas <AT> cmf <DOT> nrl <DOT> navy <DOT> mil>
AuthorDate: Mon Jan 5 00:19:15 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Jan 29 20:51:01 2015 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=554634ac
afs: update labels, file contexts and allow access to urandom
Label the DAFS (demand attached) fileserver binaries afs_fsserver_exec_t.
Set the fcontext for the fileserver /vicep parititions and their contents.
Also set fcontext on the openafs-server init script.
Allow OpenAFS server binaries to access urandom.
---
policy/modules/contrib/afs.fc | 14 +++++++++++---
policy/modules/contrib/afs.te | 8 ++++++++
2 files changed, 19 insertions(+), 3 deletions(-)
diff --git a/policy/modules/contrib/afs.fc b/policy/modules/contrib/afs.fc
index 8926c16..279b787 100644
--- a/policy/modules/contrib/afs.fc
+++ b/policy/modules/contrib/afs.fc
@@ -1,13 +1,18 @@
/etc/(open)?afs(/.*)? gen_context(system_u:object_r:afs_config_t,s0)
/etc/rc\.d/init\.d/openafs-client -- gen_context(system_u:object_r:afs_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/openafs-server -- gen_context(system_u:object_r:afs_initrc_exec_t,s0)
/etc/rc\.d/init\.d/(open)?afs -- gen_context(system_u:object_r:afs_initrc_exec_t,s0)
/usr/afs/bin/bosserver -- gen_context(system_u:object_r:afs_bosserver_exec_t,s0)
+/usr/afs/bin/dafileserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
+/usr/afs/bin/dasalvager -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
+/usr/afs/bin/davolserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
/usr/afs/bin/fileserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
/usr/afs/bin/kaserver -- gen_context(system_u:object_r:afs_kaserver_exec_t,s0)
/usr/afs/bin/ptserver -- gen_context(system_u:object_r:afs_ptserver_exec_t,s0)
/usr/afs/bin/salvager -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
+/usr/afs/bin/salvageserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
/usr/afs/bin/volserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
/usr/afs/bin/vlserver -- gen_context(system_u:object_r:afs_vlserver_exec_t,s0)
@@ -22,10 +27,14 @@
/usr/afs/logs(/.*)? gen_context(system_u:object_r:afs_logfile_t,s0)
+/usr/libexec/openafs/dafileserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
+/usr/libexec/openafs/dasalvager -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
+/usr/libexec/openafs/davolserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
/usr/libexec/openafs/fileserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
/usr/libexec/openafs/kaserver -- gen_context(system_u:object_r:afs_kaserver_exec_t,s0)
/usr/libexec/openafs/ptserver -- gen_context(system_u:object_r:afs_ptserver_exec_t,s0)
/usr/libexec/openafs/salvager -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
+/usr/libexec/openafs/salvagerserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
/usr/libexec/openafs/volserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
/usr/libexec/openafs/vlserver -- gen_context(system_u:object_r:afs_vlserver_exec_t,s0)
@@ -37,6 +46,5 @@
/var/cache/(open)?afs(/.*)? gen_context(system_u:object_r:afs_cache_t,s0)
-/vicepa gen_context(system_u:object_r:afs_files_t,s0)
-/vicepb gen_context(system_u:object_r:afs_files_t,s0)
-/vicepc gen_context(system_u:object_r:afs_files_t,s0)
+/vicep[a-z][a-z]?(/.*)? gen_context(system_u:object_r:afs_files_t,s0)
+
diff --git a/policy/modules/contrib/afs.te b/policy/modules/contrib/afs.te
index 90ce637..6ba667d 100644
--- a/policy/modules/contrib/afs.te
+++ b/policy/modules/contrib/afs.te
@@ -140,6 +140,8 @@ files_read_usr_files(afs_bosserver_t)
seutil_read_config(afs_bosserver_t)
+dev_read_urand(afs_bosserver_t)
+
########################################
#
# fileserver local policy
@@ -206,6 +208,8 @@ seutil_read_config(afs_fsserver_t)
userdom_dontaudit_use_user_terminals(afs_fsserver_t)
+dev_read_urand(afs_fsserver_t)
+
########################################
#
# kaserver local policy
@@ -276,6 +280,8 @@ corenet_sendrecv_afs_pt_server_packets(afs_ptserver_t)
userdom_dontaudit_use_user_terminals(afs_ptserver_t)
+dev_read_urand(afs_ptserver_t)
+
########################################
#
# vlserver local policy
@@ -307,6 +313,8 @@ corenet_sendrecv_afs_vl_server_packets(afs_vlserver_t)
userdom_dontaudit_use_user_terminals(afs_vlserver_t)
+dev_read_urand(afs_vlserver_t)
+
########################################
#
# Global local policy
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-01-29 9:12 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-01-29 9:12 UTC (permalink / raw
To: gentoo-commits
commit: 65e9be2b0d0dc77520bde9590a8d9d5c04b68602
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Jan 20 14:23:22 2015 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Thu Jan 29 08:32:53 2015 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=65e9be2b
Introduce networkmanager_rw_rawip_sockets
---
policy/modules/contrib/networkmanager.if | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/policy/modules/contrib/networkmanager.if b/policy/modules/contrib/networkmanager.if
index 5aced8c..b512ce0 100644
--- a/policy/modules/contrib/networkmanager.if
+++ b/policy/modules/contrib/networkmanager.if
@@ -381,3 +381,23 @@ interface(`networkmanager_run_wpa_cli',`
networkmanager_domtrans_wpa_cli($1)
role $2 types wpa_cli_t;
')
+
+# Gentoo specific interfaces follow but not allowed ifdef
+
+########################################
+## <summary>
+## Read and write networkmanager rawip sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`networkmanager_rw_rawip_sockets',`
+ gen_require(`
+ type NetworkManager_t;
+ ')
+
+ allow $1 NetworkManager_t:rawip_socket { read write };
+')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-01-29 9:12 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-01-29 9:12 UTC (permalink / raw
To: gentoo-commits
commit: 437a3cfff57c983594212bfb8ba2ce0fd5367cb9
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Jan 20 14:25:58 2015 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Thu Jan 29 08:26:09 2015 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=437a3cff
networkmanager: nm-dispatcher has changed name
gentoo bug: 538110
---
policy/modules/contrib/networkmanager.fc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/networkmanager.fc b/policy/modules/contrib/networkmanager.fc
index bbf3bba..5ffd285 100644
--- a/policy/modules/contrib/networkmanager.fc
+++ b/policy/modules/contrib/networkmanager.fc
@@ -15,7 +15,7 @@
/usr/lib/NetworkManager/nm-dispatcher\.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
/usr/lib/networkmanager/nm-dispatcher\.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
-/usr/libexec/nm-dispatcher\.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
+/usr/libexec/nm-dispatcher.* -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-01-29 8:38 Jason Zaman
2015-01-29 9:12 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2015-01-29 8:38 UTC (permalink / raw
To: gentoo-commits
commit: ec270d7eca495e088850d5397e3a9f64fcd63844
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Jan 20 14:30:45 2015 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Thu Jan 29 08:32:53 2015 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ec270d7e
resolvconf: needs access to networkmanager rawip sockets
---
policy/modules/contrib/resolvconf.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/resolvconf.te b/policy/modules/contrib/resolvconf.te
index 32cba23..b8c8e7e 100644
--- a/policy/modules/contrib/resolvconf.te
+++ b/policy/modules/contrib/resolvconf.te
@@ -49,6 +49,10 @@ optional_policy(`
dnsmasq_write_config(resolvconf_t)
')
+optional_policy(`
+ networkmanager_rw_rawip_sockets(resolvconf_t)
+')
+
#########################################
#
# Resolvconf client policy
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-01-29 8:38 Jason Zaman
2015-01-29 9:12 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2015-01-29 8:38 UTC (permalink / raw
To: gentoo-commits
commit: d9bf60684a0ccb33aa64d3710734d21e702188b0
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Jan 20 14:30:07 2015 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Thu Jan 29 08:32:49 2015 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=d9bf6068
networkmanager: v1.0.0 needs new socket permissions
---
policy/modules/contrib/networkmanager.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index 3abaf53..c29e773 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -372,6 +372,10 @@ ifdef(`distro_gentoo',`
# NetworkManager_t policy
#
+ # bug #538110
+ allow NetworkManager_t self:rawip_socket create_socket_perms;
+ allow NetworkManager_t self:unix_stream_socket connectto;
+
# listing /etc/NetworkManager/dispatch.d/
list_dirs_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t)
read_files_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-01-29 8:38 Jason Zaman
2015-01-29 9:12 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2015-01-29 8:38 UTC (permalink / raw
To: gentoo-commits
commit: 0e94bb1e493e057bf771f5a9d82d096c37a59f1d
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Jan 20 14:57:05 2015 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Thu Jan 29 08:28:55 2015 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=0e94bb1e
networkmanager: run dispatch scripts in initrc_t domain
---
policy/modules/contrib/networkmanager.te | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index a0dc708..3abaf53 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -372,6 +372,11 @@ ifdef(`distro_gentoo',`
# NetworkManager_t policy
#
+ # listing /etc/NetworkManager/dispatch.d/
+ list_dirs_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t)
+ read_files_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t)
+ init_labeled_script_domtrans(NetworkManager_t, NetworkManager_initrc_exec_t)
+
optional_policy(`
resolvconf_client_domain(NetworkManager_t)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2015-01-29 8:38 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
@ 2015-01-29 9:12 ` Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-01-29 9:12 UTC (permalink / raw
To: gentoo-commits
commit: 0e94bb1e493e057bf771f5a9d82d096c37a59f1d
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Jan 20 14:57:05 2015 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Thu Jan 29 08:28:55 2015 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=0e94bb1e
networkmanager: run dispatch scripts in initrc_t domain
---
policy/modules/contrib/networkmanager.te | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index a0dc708..3abaf53 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -372,6 +372,11 @@ ifdef(`distro_gentoo',`
# NetworkManager_t policy
#
+ # listing /etc/NetworkManager/dispatch.d/
+ list_dirs_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t)
+ read_files_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t)
+ init_labeled_script_domtrans(NetworkManager_t, NetworkManager_initrc_exec_t)
+
optional_policy(`
resolvconf_client_domain(NetworkManager_t)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-01-26 5:59 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2015-01-26 5:59 UTC (permalink / raw
To: gentoo-commits
commit: 55f243889b8296ed4f0ba967d2289faa797fa09b
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Jan 26 05:57:27 2015 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Mon Jan 26 05:57:27 2015 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=55f24388
salt: fcontext for the default directory for pillars
---
policy/modules/contrib/salt.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/salt.fc b/policy/modules/contrib/salt.fc
index 399f5ad..22c2d13 100644
--- a/policy/modules/contrib/salt.fc
+++ b/policy/modules/contrib/salt.fc
@@ -27,3 +27,4 @@
/var/cache/salt/minion(/.*)? gen_context(system_u:object_r:salt_minion_cache_t,s0)
/srv/salt(/.*)? gen_context(system_u:object_r:salt_sls_t,s0)
+/srv/pillar(/.*)? gen_context(system_u:object_r:salt_sls_t,s0)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-01-25 13:45 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2015-01-25 13:45 UTC (permalink / raw
To: gentoo-commits
commit: edb37123da20d293546a4d8fb5e2fbf522530586
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Jan 18 11:59:17 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Jan 18 11:59:17 2015 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=edb37123
mysql: mysql_install_db fcontext
---
policy/modules/contrib/mysql.fc | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/policy/modules/contrib/mysql.fc b/policy/modules/contrib/mysql.fc
index 06f8666..1d258c1 100644
--- a/policy/modules/contrib/mysql.fc
+++ b/policy/modules/contrib/mysql.fc
@@ -25,3 +25,8 @@ HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0)
/var/run/mysqld.* gen_context(system_u:object_r:mysqld_var_run_t,s0)
/var/run/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0)
/var/run/mysqld/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0)
+
+
+ifdef(`distro_gentoo',`
+/usr/share/mysql/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
+')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-01-03 12:21 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2015-01-03 12:21 UTC (permalink / raw
To: gentoo-commits
commit: 91bd6c86deef7614809b3d43d9df34f253b998fe
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Jan 3 12:18:20 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Jan 3 12:20:54 2015 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=91bd6c86
Enable support for DNSSEC
The dnsmasq application reads in the trust anchors that are by default
in /usr/share/dnsmasq. Considering that these are sort-of configuration
files, I'd wager that a dnsmasq administrator might want to have manage
rights on this. The dnsmasq application at least needs read access at
this location.
We could either grant read privileges on usr_t, but that would increase
the read privs of dnsmasq unnecessarily, and does not allow the dnsmasq
administrator to edit the file.
We could create a separate type for this, but then both the
dnsmasq_dnssec_t (or whatever it is called) and dnsmasq_etc_t would have
the same access privileges associated with it. Hence, we reuse
dnsmasq_etc_t.
See also bug #531836 at https://bugs.gentoo.org/show_bug.cgi?id=531836
---
policy/modules/contrib/dnsmasq.fc | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/policy/modules/contrib/dnsmasq.fc b/policy/modules/contrib/dnsmasq.fc
index 6bc891a..8ca133c 100644
--- a/policy/modules/contrib/dnsmasq.fc
+++ b/policy/modules/contrib/dnsmasq.fc
@@ -12,3 +12,8 @@
/var/run/dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
/var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
+
+ifdef(`distro_gentoo',`
+# Fix bug 531836 - Needed to support dnssec in dnsmasq
+/usr/share/dnsmasq(/.*)? gen_context(system_u:object_r:dnsmasq_etc_t,s0)
+')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-01-02 17:22 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2015-01-02 17:22 UTC (permalink / raw
To: gentoo-commits
commit: 19677a6d7b12b0568254bbfa6451ea50e58efce6
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Dec 31 16:09:57 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Jan 2 17:18:12 2015 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=19677a6d
Execute courier helper script after authentication
After succesful authentication, the IMAP daemon will attempt to execute
a helper script called /usr/lib64/courier-imap/courier-imapd.indirect.
This helper script is to initiate the user session.
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
---
policy/modules/contrib/courier.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/contrib/courier.te b/policy/modules/contrib/courier.te
index 29057a7..e3a3b84 100644
--- a/policy/modules/contrib/courier.te
+++ b/policy/modules/contrib/courier.te
@@ -144,6 +144,8 @@ stream_connect_pattern(courier_pop_t, courier_var_lib_t, courier_var_lib_t, cour
domtrans_pattern(courier_pop_t, courier_authdaemon_exec_t, courier_authdaemon_t)
+corecmd_exec_shell(courier_pop_t)
+
miscfiles_read_localization(courier_pop_t)
userdom_manage_user_home_content_files(courier_pop_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-01-02 17:22 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2015-01-02 17:22 UTC (permalink / raw
To: gentoo-commits
commit: 75128b920489e378bc417e10db1af7ed7edb0742
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Dec 31 16:09:54 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Jan 2 17:18:02 2015 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=75128b92
Locate authdaemon socket and communicate with authdaemon
Without this, authentication fails. The following is shown in the logs:
Dec 30 19:36:54 localhost imapd: Connection, ip=[::ffff:192.168.100.152]
Dec 30 19:36:54 localhost imapd: authdaemon: s_connect() failed: Permission denied
Dec 30 19:36:54 localhost imapd: LOGIN FAILED, user=root, ip=[::ffff:192.168.100.152]
Dec 30 19:36:54 localhost imapd: authentication error: Permission denied
Through logon, the daemon (courier_pop_t) wants to locate the socket in
/var/lib/courier to initiate communication with the authdaemon.
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
---
policy/modules/contrib/courier.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/contrib/courier.te b/policy/modules/contrib/courier.te
index d59f878..e2b0c0d 100644
--- a/policy/modules/contrib/courier.te
+++ b/policy/modules/contrib/courier.te
@@ -137,6 +137,8 @@ allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_s
allow courier_pop_t courier_var_lib_t:file { read write };
+stream_connect_pattern(courier_pop_t, courier_var_lib_t, courier_var_lib_t, courier_authdaemon_t)
+
domtrans_pattern(courier_pop_t, courier_authdaemon_exec_t, courier_authdaemon_t)
miscfiles_read_localization(courier_pop_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-01-02 17:22 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2015-01-02 17:22 UTC (permalink / raw
To: gentoo-commits
commit: 9afb261dcdc120ce6467c25d435310ffea31b64b
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Dec 31 16:09:58 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Jan 2 17:18:14 2015 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=9afb261d
Courier IMAP needs to manage the users' maildir
Without these permissions, the logon immediately terminates and the
following shows up in the logs:
Dec 30 19:45:33 localhost imapd: Connection, ip=[::ffff:192.168.100.152]
Dec 30 19:45:33 localhost imapd: chdir .maildir: Permission denied
Dec 30 19:45:33 localhost imapd: root: Permission denied
The first denial (and many similar ones follow when granted):
type=AVC msg=audit(1419968733.163:197): avc: denied { search } for
pid=4292 comm="courier-imapd" name=".maildir" dev="vda3" ino=393221
scontext=system_u:system_r:courier_pop_t:s0
tcontext=root:object_r:mail_home_rw_t:s0 tclass=dir
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
---
policy/modules/contrib/courier.te | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/policy/modules/contrib/courier.te b/policy/modules/contrib/courier.te
index e3a3b84..4746644 100644
--- a/policy/modules/contrib/courier.te
+++ b/policy/modules/contrib/courier.te
@@ -148,8 +148,7 @@ corecmd_exec_shell(courier_pop_t)
miscfiles_read_localization(courier_pop_t)
-userdom_manage_user_home_content_files(courier_pop_t)
-userdom_manage_user_home_content_dirs(courier_pop_t)
+mta_manage_mail_home_rw_content(courier_pop_t)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-01-02 17:22 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2015-01-02 17:22 UTC (permalink / raw
To: gentoo-commits
commit: 11d349c98a082d2bdfa0bd189c4805ba8b1844ef
Author: Dominick Grift <dac.override <AT> gmail <DOT> com>
AuthorDate: Thu Jan 1 17:48:47 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Jan 2 17:18:16 2015 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=11d349c9
Module version bump for courier fixes from Sven Vermeulen.
---
policy/modules/contrib/courier.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/courier.te b/policy/modules/contrib/courier.te
index 4746644..2171e04 100644
--- a/policy/modules/contrib/courier.te
+++ b/policy/modules/contrib/courier.te
@@ -1,4 +1,4 @@
-policy_module(courier, 1.14.0)
+policy_module(courier, 1.14.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-01-02 17:22 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2015-01-02 17:22 UTC (permalink / raw
To: gentoo-commits
commit: acbf0504f0645f997f16b3e70164f3c6acc2be86
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Dec 31 16:09:56 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Jan 2 17:18:09 2015 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=acbf0504
Grant setuid/setgid to courier_pop_t
When trying to log on to the IMAP service, the authentication fails and
the following shows up in the courier logs:
Dec 30 19:40:56 localhost imapd: Connection, ip=[::ffff:192.168.100.152]
Dec 30 19:40:56 localhost imapd: initgroups: Operation not permitted
In the audit logs, the following shows up:
type=AVC msg=audit(1419968456.850:190): avc: denied { setgid } for
pid=4028 comm="imaplogin" capability=6
scontext=system_u:system_r:courier_pop_t:s0
tcontext=system_u:system_r:courier_pop_t:s0 tclass=capability
type=AVC msg=audit(1419968532.622:192): avc: denied { setuid } for
pid=4118 comm="imaplogin" capability=7
scontext=system_u:system_r:courier_pop_t:s0
tcontext=system_u:system_r:courier_pop_t:s0 tclass=capability
The daemon wants to switch user to access the necessary maildir's.
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
---
policy/modules/contrib/courier.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/courier.te b/policy/modules/contrib/courier.te
index bcfb4b2..29057a7 100644
--- a/policy/modules/contrib/courier.te
+++ b/policy/modules/contrib/courier.te
@@ -132,6 +132,7 @@ dev_read_rand(courier_pcp_t)
# POP3/IMAP local policy
#
+allow courier_pop_t self:capability { setgid setuid };
allow courier_pop_t courier_authdaemon_t:tcp_socket rw_stream_socket_perms;
allow courier_pop_t courier_authdaemon_t:process sigchld;
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-01-02 17:22 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2015-01-02 17:22 UTC (permalink / raw
To: gentoo-commits
commit: 3f0e0524d443adce4e2c4ce3d460e2d35dc12ec5
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Jan 2 17:21:24 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Jan 2 17:21:24 2015 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=3f0e0524
Merge with upstream done, remove gentoo specifics
---
policy/modules/contrib/courier.fc | 5 -----
policy/modules/contrib/courier.if | 38 --------------------------------------
policy/modules/contrib/courier.te | 19 +------------------
3 files changed, 1 insertion(+), 61 deletions(-)
diff --git a/policy/modules/contrib/courier.fc b/policy/modules/contrib/courier.fc
index c0f288b..2f017a0 100644
--- a/policy/modules/contrib/courier.fc
+++ b/policy/modules/contrib/courier.fc
@@ -30,8 +30,3 @@
/var/spool/authdaemon(/.*)? gen_context(system_u:object_r:courier_spool_t,s0)
/var/spool/courier(/.*)? gen_context(system_u:object_r:courier_spool_t,s0)
-
-ifdef(`distro_gentoo',`
-# Default location for authdaemon socket, should be /var/run imo but meh
-/var/lib/courier/authdaemon(/.*)? gen_context(system_u:object_r:courier_var_run_t,s0)
-')
diff --git a/policy/modules/contrib/courier.if b/policy/modules/contrib/courier.if
index 0705659..10f820f 100644
--- a/policy/modules/contrib/courier.if
+++ b/policy/modules/contrib/courier.if
@@ -188,41 +188,3 @@ interface(`courier_rw_spool_pipes',`
files_search_var($1)
allow $1 courier_spool_t:fifo_file rw_fifo_file_perms;
')
-
-########################################
-## <summary>
-## Allow read/write operations on an inherited stream socket
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`courier_authdaemon_rw_inherited_stream_sockets',`
- gen_require(`
- type courier_authdaemon_t;
- ')
- allow $1 courier_authdaemon_t:unix_stream_socket { read write };
-')
-
-
-########################################
-## <summary>
-## Connect to Authdaemon using a unix domain stream socket.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`courier_authdaemon_stream_connect',`
- gen_require(`
- type courier_authdaemon_t, courier_var_run_t;
- ')
-
- stream_connect_pattern($1, courier_var_run_t, courier_var_run_t, courier_authdaemon_t)
-')
diff --git a/policy/modules/contrib/courier.te b/policy/modules/contrib/courier.te
index 2171e04..dd23992 100644
--- a/policy/modules/contrib/courier.te
+++ b/policy/modules/contrib/courier.te
@@ -194,23 +194,6 @@ optional_policy(`
ifdef(`distro_gentoo',`
########################################
#
- # Courier imap/pop daemon policy
- #
-
- # Switch after succesfull authentication (bug 534030)
- allow courier_pop_t self:capability { setuid setgid };
-
- # Executes script /usr/lib64/courier-imap/courier-imapd.indirect after authentication and to start user session (bug 534030)
- corecmd_exec_shell(courier_pop_t)
-
- # Locate authdaemon socket and communicate with authdaemon (bug 534030)
- stream_connect_pattern(courier_pop_t, courier_var_lib_t, courier_var_run_t, courier_authdaemon_t)
-
- # Manage maildir of users (bug 534030)
- mta_manage_mail_home_rw_content(courier_pop_t)
-
- ########################################
- #
# Courier tcpd daemon policy
#
@@ -223,6 +206,6 @@ ifdef(`distro_gentoo',`
#
# Grant authdaemon getattr rights on security_t so that it can check if SELinux is enabled (needed through pam support) (bug 534030)
- # selinux_getattr_fs(courier_authdaemon_t)
+ # Handled through pam use
auth_use_pam(courier_authdaemon_t)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2015-01-02 17:22 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2015-01-02 17:22 UTC (permalink / raw
To: gentoo-commits
commit: 476ebba0a98c5dddd8e22ce418e9e42017909dff
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Dec 31 16:09:55 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Jan 2 17:18:08 2015 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=476ebba0
Allow authdaemon to access selinux fs to check SELinux state
When attempting to authenticate, the PAM module checks if SELinux is
enabled (pam_unix, in order to verify if the chkpwd helper utility needs
to be called). If it fails to check the SELinux state, then authdaemon
will try to access shadow directly (again, through pam_unix).
This only occurs when a user tries to log on as root (on IMAP server) as
non-root users automatically have chkpwd executed.
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
---
policy/modules/contrib/courier.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/contrib/courier.te b/policy/modules/contrib/courier.te
index e2b0c0d..bcfb4b2 100644
--- a/policy/modules/contrib/courier.te
+++ b/policy/modules/contrib/courier.te
@@ -114,6 +114,8 @@ libs_read_lib_files(courier_authdaemon_t)
miscfiles_read_localization(courier_authdaemon_t)
+selinux_getattr_fs(courier_authdaemon_t)
+
userdom_dontaudit_search_user_home_dirs(courier_authdaemon_t)
########################################
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-12-30 20:46 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-12-30 20:46 UTC (permalink / raw
To: gentoo-commits
commit: a112724e4000453bd4b71d357b7eab790a44ac07
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Dec 30 20:45:32 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Dec 30 20:45:32 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=a112724e
Use auth_use_pam in courier
The auth_use_pam() method now includes the proper privileges to check
the SELinux state. As courier is using PAM, this makes the policy easier
to update (manageability) and the reason for the rules are then better
documented.
---
policy/modules/contrib/courier.te | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/courier.te b/policy/modules/contrib/courier.te
index ba0545c..d59f878 100644
--- a/policy/modules/contrib/courier.te
+++ b/policy/modules/contrib/courier.te
@@ -217,5 +217,6 @@ ifdef(`distro_gentoo',`
#
# Grant authdaemon getattr rights on security_t so that it can check if SELinux is enabled (needed through pam support) (bug 534030)
- selinux_getattr_fs(courier_authdaemon_t)
+ # selinux_getattr_fs(courier_authdaemon_t)
+ auth_use_pam(courier_authdaemon_t)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-12-30 19:57 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-12-30 19:57 UTC (permalink / raw
To: gentoo-commits
commit: 1546335dcf467c2a4d85eb4a956e229e6ff09692
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Dec 30 19:57:17 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Dec 30 19:57:17 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=1546335d
Fix bug 534030 - Update on courier policy with documentation in comments
---
policy/modules/contrib/courier.te | 36 +++++++++++++++---------------------
1 file changed, 15 insertions(+), 21 deletions(-)
diff --git a/policy/modules/contrib/courier.te b/policy/modules/contrib/courier.te
index 213a094..ba0545c 100644
--- a/policy/modules/contrib/courier.te
+++ b/policy/modules/contrib/courier.te
@@ -186,42 +186,36 @@ optional_policy(`
')
ifdef(`distro_gentoo',`
-
- ########################################
- #
- # Courier authdaemon policy
- #
- read_lnk_files_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t)
-
- optional_policy(`
- mysql_stream_connect(courier_authdaemon_t)
- ')
-
########################################
#
# Courier imap/pop daemon policy
#
- # Switch after succesfull authentication
+ # Switch after succesfull authentication (bug 534030)
allow courier_pop_t self:capability { setuid setgid };
- files_search_var_lib(courier_pop_t)
- search_dirs_pattern(courier_pop_t, courier_var_lib_t, courier_var_lib_t)
- read_lnk_files_pattern(courier_pop_t, courier_var_lib_t, courier_var_lib_t)
-
- # Executes script /usr/lib64/courier-imap/courier-imapd.indirect after authentication and to start user session
+ # Executes script /usr/lib64/courier-imap/courier-imapd.indirect after authentication and to start user session (bug 534030)
corecmd_exec_shell(courier_pop_t)
- courier_authdaemon_rw_inherited_stream_sockets(courier_pop_t)
+ # Locate authdaemon socket and communicate with authdaemon (bug 534030)
+ stream_connect_pattern(courier_pop_t, courier_var_lib_t, courier_var_run_t, courier_authdaemon_t)
+
+ # Manage maildir of users (bug 534030)
+ mta_manage_mail_home_rw_content(courier_pop_t)
########################################
#
# Courier tcpd daemon policy
#
- # Startup of courier-imapd creates /var/run/imapd.pid.lock and imapd.lock
+ # Startup of courier-imapd creates /var/run/imapd.pid.lock and imapd.lock (bug 534030)
files_pid_filetrans(courier_tcpd_t, courier_var_run_t, file)
- courier_authdaemon_stream_connect(courier_tcpd_t)
- courier_domtrans_authdaemon(courier_tcpd_t)
+ ########################################
+ #
+ # Courier authdaemon policy
+ #
+
+ # Grant authdaemon getattr rights on security_t so that it can check if SELinux is enabled (needed through pam support) (bug 534030)
+ selinux_getattr_fs(courier_authdaemon_t)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-12-21 12:49 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2014-12-21 12:49 UTC (permalink / raw
To: gentoo-commits
commit: 99b40156a93dcd1147049daca610b53d20eaa4b7
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Dec 20 13:46:45 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Sat Dec 20 13:46:45 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=99b40156
salt: allow salt minion to ssh_manage_home_files
also dac_override and dac_read_search since some home dirs are not
world readable.
---
policy/modules/contrib/salt.te | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te
index 279edfb..024a165 100644
--- a/policy/modules/contrib/salt.te
+++ b/policy/modules/contrib/salt.te
@@ -198,7 +198,7 @@ tunable_policy(`salt_master_read_nfs',`
# salt_minion_t policy
#
-allow salt_minion_t self:capability { fsetid chown net_admin sys_admin sys_tty_config };
+allow salt_minion_t self:capability { fsetid chown dac_override dac_read_search net_admin sys_admin sys_tty_config };
allow salt_minion_t self:capability2 block_suspend;
allow salt_minion_t self:process { signal signull };
allow salt_minion_t self:tcp_socket create_stream_socket_perms;
@@ -294,6 +294,10 @@ optional_policy(`
')
optional_policy(`
+ ssh_manage_home_files(salt_minion_t)
+')
+
+optional_policy(`
mount_domtrans(salt_minion_t)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-12-20 12:46 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2014-12-20 12:46 UTC (permalink / raw
To: gentoo-commits
commit: 2e785432171dbe3d277641b67f95081d7fe5d84e
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Dec 20 12:35:22 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Sat Dec 20 12:35:22 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=2e785432
fcontext for emerge-webrsync, bug 531994
---
policy/modules/contrib/portage.fc | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/portage.fc b/policy/modules/contrib/portage.fc
index 119043b..5f07098 100644
--- a/policy/modules/contrib/portage.fc
+++ b/policy/modules/contrib/portage.fc
@@ -39,8 +39,9 @@
/var/tmp/portage-pkg(/.*)? gen_context(system_u:object_r:portage_tmp_t,s0)
ifdef(`distro_gentoo',`
+/usr/bin/emerge-webrsync -- gen_context(system_u:object_r:portage_fetch_exec_t,s0)
/usr/lib/python-exec/python[0-9]\.[0-9]*/glsa-check -- gen_context(system_u:object_r:portage_exec_t,s0)
/usr/lib/python-exec/python[0-9]\.[0-9]*/layman -- gen_context(system_u:object_r:portage_fetch_exec_t,s0)
/usr/lib/python-exec/python[0-9]\.[0-9]*/emerge -- gen_context(system_u:object_r:portage_exec_t,s0)
-/var/log/sandbox(/.*)? gen_context(system_u:object_r:portage_log_t,s0)
+/var/log/sandbox(/.*)? gen_context(system_u:object_r:portage_log_t,s0)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-12-20 12:11 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-12-20 12:11 UTC (permalink / raw
To: gentoo-commits
commit: 12f3a156824c73d5a01096a1cd3972992220d098
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Thu Dec 11 15:59:51 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Dec 20 12:08:36 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=12f3a156
Module version bump for hadoop_admin() fix from Jazon Zaman.
---
policy/modules/contrib/hadoop.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/hadoop.te b/policy/modules/contrib/hadoop.te
index e151378..d99a8b6 100644
--- a/policy/modules/contrib/hadoop.te
+++ b/policy/modules/contrib/hadoop.te
@@ -1,4 +1,4 @@
-policy_module(hadoop, 1.3.0)
+policy_module(hadoop, 1.3.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-12-20 12:11 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-12-20 12:11 UTC (permalink / raw
To: gentoo-commits
commit: 75b6e5ea803750f577434bfff7b5892df6577d83
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Dec 3 19:07:19 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Dec 20 12:08:32 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=75b6e5ea
hadoop: remove _role from _admin interface
---
policy/modules/contrib/hadoop.if | 2 --
1 file changed, 2 deletions(-)
diff --git a/policy/modules/contrib/hadoop.if b/policy/modules/contrib/hadoop.if
index d17a75f..2b0d488 100644
--- a/policy/modules/contrib/hadoop.if
+++ b/policy/modules/contrib/hadoop.if
@@ -463,6 +463,4 @@ interface(`hadoop_admin',`
files_search_var_lib($1)
admin_pattern($1, { hadoop_var_lib_file zookeeper_server_var_t })
-
- hadoop_role($2, $1)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-12-15 19:41 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-12-15 19:41 UTC (permalink / raw
To: gentoo-commits
commit: 6999541f9917c0f3da53c2792cf72952fe12e4fb
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Nov 28 10:41:28 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Dec 15 18:56:22 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=6999541f
Introduce ntp_manage_config interface
---
policy/modules/contrib/ntp.if | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/policy/modules/contrib/ntp.if b/policy/modules/contrib/ntp.if
index e96a309..6a83626 100644
--- a/policy/modules/contrib/ntp.if
+++ b/policy/modules/contrib/ntp.if
@@ -188,3 +188,23 @@ interface(`ntp_admin',`
ntp_run($1, $2)
')
+
+# This should be in an ifdef distro_gentoo but that is not allowed in if files
+
+########################################
+## <summary>
+## Manage ntp(d) configuration.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ntp_manage_config',`
+ gen_require(`
+ type ntp_conf_t;
+ ')
+
+ manage_files_pattern($1, ntp_conf_t, ntp_conf_t)
+')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-12-15 18:40 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-12-15 18:40 UTC (permalink / raw
To: gentoo-commits
commit: 70c4420916c7da775aac6f6b383e7f17f85bcb79
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Nov 11 14:23:16 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Dec 15 18:37:59 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=70c44209
Bitcoin policy
---
policy/modules/contrib/bitcoin.fc | 16 +++++++
policy/modules/contrib/bitcoin.if | 48 +++++++++++++++++++
policy/modules/contrib/bitcoin.te | 98 +++++++++++++++++++++++++++++++++++++++
3 files changed, 162 insertions(+)
diff --git a/policy/modules/contrib/bitcoin.fc b/policy/modules/contrib/bitcoin.fc
new file mode 100644
index 0000000..d2198e4
--- /dev/null
+++ b/policy/modules/contrib/bitcoin.fc
@@ -0,0 +1,16 @@
+#
+# /etc
+#
+/etc/bitcoin(/.*)? gen_context(system_u:object_r:bitcoin_etc_t,s0)
+/etc/rc\.d/init\.d/bitcoind -- gen_context(system_u:object_r:bitcoin_initrc_exec_t,s0)
+
+#
+# /usr
+#
+/usr/bin/bitcoind -- gen_context(system_u:object_r:bitcoin_exec_t,s0)
+
+#
+# /var
+#
+/var/lib/bitcoin(/.*)? gen_context(system_u:object_r:bitcoin_var_lib_t,s0)
+
diff --git a/policy/modules/contrib/bitcoin.if b/policy/modules/contrib/bitcoin.if
new file mode 100644
index 0000000..922bc7c
--- /dev/null
+++ b/policy/modules/contrib/bitcoin.if
@@ -0,0 +1,48 @@
+## <summary>Bitcoin software-based online payment system</summary>
+
+#########################################
+## <summary>
+## Administer a bitcoin environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+#
+interface(`bitcoin_admin',`
+ gen_require(`
+ type bitcoin_t;
+ type bitcoin_etc_t, bitcoin_tmp_t, bitcoin_log_t;
+ type bitcoin_var_lib_t, bitcoin_var_run_t;
+ type bitcoin_initrc_exec_t;
+ ')
+
+ allow $1 bitcoin_t:process { ptrace signal_perms };
+ ps_process_pattern($1, bitcoin_t)
+
+ init_labeled_script_domtrans($1, bitcoin_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 bitcoin_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_tmp($1)
+ admin_pattern($1, bitcoin_tmp_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, bitcoin_log_t)
+
+ files_list_etc($1)
+ admin_pattern($1, bitcoin_etc_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, bitcoin_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, bitcoin_var_run_t)
+')
diff --git a/policy/modules/contrib/bitcoin.te b/policy/modules/contrib/bitcoin.te
new file mode 100644
index 0000000..672516e
--- /dev/null
+++ b/policy/modules/contrib/bitcoin.te
@@ -0,0 +1,98 @@
+policy_module(bitcoin, 0.1)
+
+#########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether the bitcoin daemon can bind
+## to all unreserved ports or not.
+## </p>
+## </desc>
+gen_tunable(bitcoin_bind_all_unreserved_ports, false)
+
+type bitcoin_t;
+type bitcoin_exec_t;
+init_daemon_domain(bitcoin_t, bitcoin_exec_t)
+
+type bitcoin_initrc_exec_t;
+init_script_file(bitcoin_initrc_exec_t)
+
+type bitcoin_etc_t;
+files_config_file(bitcoin_etc_t)
+init_script_readable_type(bitcoin_etc_t)
+
+type bitcoin_log_t;
+logging_log_file(bitcoin_log_t)
+
+type bitcoin_var_lib_t;
+files_type(bitcoin_var_lib_t)
+init_script_readable_type(bitcoin_var_lib_t)
+
+type bitcoin_var_run_t;
+files_pid_file(bitcoin_var_run_t)
+
+type bitcoin_tmp_t;
+files_tmp_file(bitcoin_tmp_t)
+
+#########################################
+#
+# Local policy
+#
+
+allow bitcoin_t self:process signal_perms;
+allow bitcoin_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
+allow bitcoin_t self:tcp_socket create_stream_socket_perms;
+
+read_files_pattern(bitcoin_t, bitcoin_etc_t, bitcoin_etc_t)
+read_lnk_files_pattern(bitcoin_t, bitcoin_etc_t, bitcoin_etc_t)
+#list_dirs_pattern(bitcoin_t, bitcoin_etc_t, bitcoin_etc_t)
+
+allow bitcoin_t bitcoin_tmp_t:file { create_file_perms write_file_perms };
+files_tmp_filetrans(bitcoin_t, bitcoin_tmp_t, file)
+
+allow bitcoin_t bitcoin_var_lib_t:lnk_file read_lnk_file_perms;
+manage_files_pattern(bitcoin_t, bitcoin_var_lib_t, bitcoin_var_lib_t)
+manage_dirs_pattern(bitcoin_t, bitcoin_var_lib_t, bitcoin_var_lib_t)
+
+kernel_read_system_state(bitcoin_t)
+kernel_read_vm_sysctls(bitcoin_t)
+
+corenet_all_recvfrom_netlabel(bitcoin_t)
+corenet_all_recvfrom_unlabeled(bitcoin_t)
+
+corenet_sendrecv_bitcoin_server_packets(bitcoin_t)
+# TODO why bind and connect simultaneously? If needed, perhaps also bitcoin_client_packets
+corenet_tcp_bind_bitcoin_port(bitcoin_t)
+corenet_tcp_connect_bitcoin_port(bitcoin_t)
+corenet_tcp_connect_http_port(bitcoin_t)
+corenet_tcp_bind_generic_node(bitcoin_t)
+corenet_tcp_sendrecv_bitcoin_port(bitcoin_t)
+corenet_tcp_sendrecv_generic_if(bitcoin_t)
+corenet_tcp_sendrecv_generic_node(bitcoin_t)
+#corenet_sendrecv_dns_server_packets(bitcoin_t)
+#corenet_udp_bind_dns_port(bitcoin_t)
+#corenet_udp_sendrecv_dns_port(bitcoin_t)
+
+dev_read_sysfs(bitcoin_t)
+dev_read_urand(bitcoin_t)
+
+domain_use_interactive_fds(bitcoin_t)
+
+files_read_etc_runtime_files(bitcoin_t)
+files_read_usr_files(bitcoin_t)
+
+fs_getattr_xattr_fs(bitcoin_t)
+#fs_associate(bitcoin_var_lib_t)
+
+auth_use_nsswitch(bitcoin_t)
+
+miscfiles_read_localization(bitcoin_t)
+
+userdom_use_user_terminals(bitcoin_t)
+
+tunable_policy(`bitcoin_bind_all_unreserved_ports',`
+ corenet_tcp_bind_all_unreserved_ports(bitcoin_t)
+')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-12-04 1:46 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2014-12-04 1:46 UTC (permalink / raw
To: gentoo-commits
commit: 7573f100596f7b45113cb18cbe8a6287d13783c6
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Wed Dec 3 18:37:38 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Wed Dec 3 20:40:45 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=7573f100
Update Changelog for release.
---
policy/modules/contrib/Changelog | 108 +++++++++++++++++++++++++++++++++++++++
1 file changed, 108 insertions(+)
diff --git a/policy/modules/contrib/Changelog b/policy/modules/contrib/Changelog
index bff3eda..66e7d7c 100644
--- a/policy/modules/contrib/Changelog
+++ b/policy/modules/contrib/Changelog
@@ -1,3 +1,111 @@
+* Wed Dec 03 2014 Chris PeBenito <selinux@tresys.com> - 2.20141203
+Chris PeBenito (26):
+ Whitespace fix in ntp.fc.
+ Module version bump for ntp fc entries from Laurent Bigonville.
+ Whitespace fix in shibboleth.te.
+ Module version bump for new shibboleth module from Martin Lang.
+ Module version bump for apt fix from Nicolas Iooss.
+ Module version bump for dnsmasq MTU fix from Sven Vermeulen.
+ Module version bump for apache content interfaces from Sven Vermeulen.
+ Module version bump for gitweb fc entry on Debian and ArchLinux from
+ Nicolas Iooss.
+ Module version bump for fc regex fixes from Nicolas Iooss.
+ Module version bump for various fixes from Laurent Bigonville.
+ Module version bump for ModemManager fc entry from Laurent Bigonville.
+ Add missing cron_admin_role() dependency.
+ Move sock_file filetrans to fcron_crond conditional.
+ Module version bump for cron and snort updates from Sven Vermeulen.
+ Module version bump for java icedtea fc entries from Sven Vermeulen.
+ Module version bump for apache/mlogc patch from Elia Pinto.
+ Remove name from ntp-kod ntp_drift_t filetrans.
+ Module version bump for ntp-kod file support from Jason Zaman.
+ Module version bump for init_daemon_pid_file use from Sven Vermeulen.
+ Module version bump for alsa and hiawatha fixes from Sven Vermeulen.
+ Module version bump for ftp and tftp fixes from Nicolas Iooss.
+ Move irc exec lines.
+ Module version bump for irc re-exec itself patch from Luis Ressel.
+ Module version bump for NetworkManager fc fix for ArchLinux from Nicolas
+ Iooss.
+ Module version bump for _admin fixes from Jason Zaman.
+ Bump module versions for release.
+
+Dominick Grift (3):
+ Module version bump for changes to the loadkeys module by Nicolas Iooss
+ cron: that boolean identifier does not exist also require it
+ Module version bump for changes to the networkmanager modules by Lubomir
+ Rintel
+
+Elia Pinto (1):
+ apache.te: Add labelling support for /var/log/mlogc
+
+Jason Zaman (20):
+ Add filetrans for ntp-kod file
+ ccs: syntax errors in ccs_admin interface
+ condor: syntax error in condor_admin
+ distcc: syntax error in distcc_admin
+ ftp: syntax error in ftp_admin
+ kerberos: syntax error in kerberos_admin
+ kismet: syntax error in kismet_admin
+ nut: syntax error in nut_admin
+ prelude: syntax error in prelude_admin
+ psad: syntax error in psad_admin
+ quota: syntax error in quota_admin
+ rpcbind: syntax error in rpcbind_admin
+ rpm: syntax error in rpm_admin
+ systemtap: syntax error in stapserver_admin
+ svnserve: syntax error in svnserve_admin
+ uptime: syntax error in uptime_admin
+ zabbix: syntax error in zabbix_admin
+ remove pyzor_role() from pyzor_admin()
+ remove spamassassin_role() from spamassassin_admin()
+ rsync: syntax error in rsync_admin
+
+Laurent Bigonville (7):
+ Add several fcontext for debian specific paths for ntp
+ Fix dbus_all_session_domain(), session_bus_type is an attribute
+ Allow gconfd to be started by the session bus
+ Fix the usage of dbus_spec_session_domain() interface
+ Properly label exim4 initscript under Debian
+ Add new gnome_spec_domtrans_all_gkeyringd() interface
+ Label /usr/sbin/ModemManager as modemmanager_exec_t
+
+Lubomir Rintel (1):
+ Allow NetworkManager to create Bluetooth SDP sockets
+
+Luis Ressel (1):
+ irc.te: Allow irssi to re-execute itself
+
+Martin Lang (1):
+ Add a policy module for shibboleth authentication
+
+Nicolas Iooss (7):
+ apt: remove non-existing permission set write_dir_perms
+ Label /usr/share/gitweb/static as httpd_git_content_t
+ Fix strange file patterns
+ ftp: fix labels in /var/lock/subsys/
+ Label /usr/bin/tftpd as tftpd_exec_t
+ Label /usr/lib/networkmanager/ like /usr/lib/NetworkManager/
+ Allow loadkeys to read usr_t files
+
+Sven Vermeulen (17):
+ dnsmasq reads MTU sysctl
+ Support read/append/manage functions for various httpd content
+ Snort policy updates
+ fcron socket support
+ Fix typo in dnsmasq.if
+ Mark icedtea binaries as java_exec_t
+ Use init_daemon_pid_file for contrib modules
+ Enable asound.state.lock support
+ Add support for Hiawatha web server
+ Use logging_search_logs, not logging_search_log
+ Use logging_search_logs, not logging_search_log
+ Use files_search_etc, not logging_search_etc
+ Use files_search_etc, not logging_search_etc
+ Use files_search_etc, not files_search_config
+ Use corecmd_search_bin, not corecmd_searh_bin
+ Use fs_search_tmpfs, not files_search_tmpfs
+ Use domain_auto_trans, not auto_trans
+
* Tue Mar 11 2014 Chris PeBenito <selinux@tresys.com> - 2.20140311
Chris PeBenito (17):
Minor rearrangement of minidlna lines.
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-12-04 1:46 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2014-12-04 1:46 UTC (permalink / raw
To: gentoo-commits
commit: 26ed294b55fa7ae0cde92fe9b8da9c346c6427bf
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Wed Dec 3 18:37:38 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Wed Dec 3 20:40:45 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=26ed294b
Bump module versions for release.
---
policy/modules/contrib/alsa.te | 2 +-
policy/modules/contrib/apache.te | 2 +-
policy/modules/contrib/apt.te | 2 +-
policy/modules/contrib/asterisk.te | 2 +-
policy/modules/contrib/bind.te | 2 +-
policy/modules/contrib/ccs.te | 2 +-
policy/modules/contrib/condor.te | 2 +-
policy/modules/contrib/consolekit.te | 2 +-
policy/modules/contrib/couchdb.te | 2 +-
policy/modules/contrib/cron.te | 2 +-
policy/modules/contrib/cups.te | 2 +-
policy/modules/contrib/dbus.te | 2 +-
policy/modules/contrib/distcc.te | 2 +-
policy/modules/contrib/dkim.te | 2 +-
policy/modules/contrib/dnsmasq.te | 2 +-
policy/modules/contrib/exim.te | 2 +-
policy/modules/contrib/finger.te | 2 +-
policy/modules/contrib/ftp.te | 2 +-
policy/modules/contrib/git.te | 2 +-
policy/modules/contrib/gnome.te | 2 +-
policy/modules/contrib/irc.te | 2 +-
policy/modules/contrib/java.te | 2 +-
policy/modules/contrib/kerberos.te | 2 +-
policy/modules/contrib/kismet.te | 2 +-
policy/modules/contrib/loadkeys.te | 2 +-
policy/modules/contrib/modemmanager.te | 2 +-
policy/modules/contrib/mysql.te | 2 +-
policy/modules/contrib/networkmanager.te | 2 +-
policy/modules/contrib/nscd.te | 2 +-
policy/modules/contrib/ntp.te | 2 +-
policy/modules/contrib/nut.te | 2 +-
policy/modules/contrib/obex.te | 2 +-
policy/modules/contrib/pcscd.te | 2 +-
policy/modules/contrib/prelude.te | 2 +-
policy/modules/contrib/psad.te | 2 +-
policy/modules/contrib/puppet.te | 2 +-
policy/modules/contrib/pyzor.te | 2 +-
policy/modules/contrib/quota.te | 2 +-
policy/modules/contrib/readahead.te | 2 +-
policy/modules/contrib/rhcs.te | 2 +-
policy/modules/contrib/rpcbind.te | 2 +-
policy/modules/contrib/rpm.te | 2 +-
policy/modules/contrib/setroubleshoot.te | 2 +-
policy/modules/contrib/shibboleth.te | 2 +-
policy/modules/contrib/snort.te | 2 +-
policy/modules/contrib/spamassassin.te | 2 +-
policy/modules/contrib/svnserve.te | 2 +-
policy/modules/contrib/systemtap.te | 2 +-
policy/modules/contrib/telepathy.te | 2 +-
policy/modules/contrib/tor.te | 2 +-
policy/modules/contrib/uptime.te | 2 +-
policy/modules/contrib/xen.te | 2 +-
policy/modules/contrib/zabbix.te | 2 +-
53 files changed, 53 insertions(+), 53 deletions(-)
diff --git a/policy/modules/contrib/alsa.te b/policy/modules/contrib/alsa.te
index 642a587..46d12e8 100644
--- a/policy/modules/contrib/alsa.te
+++ b/policy/modules/contrib/alsa.te
@@ -1,4 +1,4 @@
-policy_module(alsa, 1.13.1)
+policy_module(alsa, 1.14.0)
########################################
#
diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index 2e187d2..acdf41a 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -1,4 +1,4 @@
-policy_module(apache, 2.8.4)
+policy_module(apache, 2.9.0)
########################################
#
diff --git a/policy/modules/contrib/apt.te b/policy/modules/contrib/apt.te
index c2b7ad1..3c7d9b2 100644
--- a/policy/modules/contrib/apt.te
+++ b/policy/modules/contrib/apt.te
@@ -1,4 +1,4 @@
-policy_module(apt, 1.9.1)
+policy_module(apt, 1.10.0)
########################################
#
diff --git a/policy/modules/contrib/asterisk.te b/policy/modules/contrib/asterisk.te
index 5b4036a..0dd46ad 100644
--- a/policy/modules/contrib/asterisk.te
+++ b/policy/modules/contrib/asterisk.te
@@ -1,4 +1,4 @@
-policy_module(asterisk, 1.13.1)
+policy_module(asterisk, 1.14.0)
########################################
#
diff --git a/policy/modules/contrib/bind.te b/policy/modules/contrib/bind.te
index bfb927f..90138a2 100644
--- a/policy/modules/contrib/bind.te
+++ b/policy/modules/contrib/bind.te
@@ -1,4 +1,4 @@
-policy_module(bind, 1.14.1)
+policy_module(bind, 1.15.0)
########################################
#
diff --git a/policy/modules/contrib/ccs.te b/policy/modules/contrib/ccs.te
index b6f7ae6..c4664c7 100644
--- a/policy/modules/contrib/ccs.te
+++ b/policy/modules/contrib/ccs.te
@@ -1,4 +1,4 @@
-policy_module(ccs, 1.7.1)
+policy_module(ccs, 1.8.0)
########################################
#
diff --git a/policy/modules/contrib/condor.te b/policy/modules/contrib/condor.te
index 81fb9ae..38ca68b 100644
--- a/policy/modules/contrib/condor.te
+++ b/policy/modules/contrib/condor.te
@@ -1,4 +1,4 @@
-policy_module(condor, 1.1.1)
+policy_module(condor, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/consolekit.te b/policy/modules/contrib/consolekit.te
index c9aaea7..050c5c5 100644
--- a/policy/modules/contrib/consolekit.te
+++ b/policy/modules/contrib/consolekit.te
@@ -1,4 +1,4 @@
-policy_module(consolekit, 1.9.1)
+policy_module(consolekit, 1.10.0)
########################################
#
diff --git a/policy/modules/contrib/couchdb.te b/policy/modules/contrib/couchdb.te
index 4f61fae..5dd39b8 100644
--- a/policy/modules/contrib/couchdb.te
+++ b/policy/modules/contrib/couchdb.te
@@ -1,4 +1,4 @@
-policy_module(couchdb, 1.2.1)
+policy_module(couchdb, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te
index 0555125..45cce5f 100644
--- a/policy/modules/contrib/cron.te
+++ b/policy/modules/contrib/cron.te
@@ -1,4 +1,4 @@
-policy_module(cron, 2.7.2)
+policy_module(cron, 2.8.0)
gen_require(`
class passwd rootok;
diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te
index 779caf8..d2a7255 100644
--- a/policy/modules/contrib/cups.te
+++ b/policy/modules/contrib/cups.te
@@ -1,4 +1,4 @@
-policy_module(cups, 1.17.1)
+policy_module(cups, 1.18.0)
########################################
#
diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index 45b9d32..6f2b890 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -1,4 +1,4 @@
-policy_module(dbus, 1.19.2)
+policy_module(dbus, 1.20.0)
gen_require(`
class dbus all_dbus_perms;
diff --git a/policy/modules/contrib/distcc.te b/policy/modules/contrib/distcc.te
index 284b070..7ea741c 100644
--- a/policy/modules/contrib/distcc.te
+++ b/policy/modules/contrib/distcc.te
@@ -1,4 +1,4 @@
-policy_module(distcc, 1.9.1)
+policy_module(distcc, 1.10.0)
########################################
#
diff --git a/policy/modules/contrib/dkim.te b/policy/modules/contrib/dkim.te
index 959b29c..19daa68 100644
--- a/policy/modules/contrib/dkim.te
+++ b/policy/modules/contrib/dkim.te
@@ -1,4 +1,4 @@
-policy_module(dkim, 1.2.1)
+policy_module(dkim, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/dnsmasq.te b/policy/modules/contrib/dnsmasq.te
index e286965..fbfe09f 100644
--- a/policy/modules/contrib/dnsmasq.te
+++ b/policy/modules/contrib/dnsmasq.te
@@ -1,4 +1,4 @@
-policy_module(dnsmasq, 1.11.1)
+policy_module(dnsmasq, 1.12.0)
########################################
#
diff --git a/policy/modules/contrib/exim.te b/policy/modules/contrib/exim.te
index 1924072..5ab6d77 100644
--- a/policy/modules/contrib/exim.te
+++ b/policy/modules/contrib/exim.te
@@ -1,4 +1,4 @@
-policy_module(exim, 1.7.2)
+policy_module(exim, 1.8.0)
########################################
#
diff --git a/policy/modules/contrib/finger.te b/policy/modules/contrib/finger.te
index 5bcd50b..8abb905 100644
--- a/policy/modules/contrib/finger.te
+++ b/policy/modules/contrib/finger.te
@@ -1,4 +1,4 @@
-policy_module(finger, 1.10.1)
+policy_module(finger, 1.11.0)
########################################
#
diff --git a/policy/modules/contrib/ftp.te b/policy/modules/contrib/ftp.te
index 7681fec..b8ee588 100644
--- a/policy/modules/contrib/ftp.te
+++ b/policy/modules/contrib/ftp.te
@@ -1,4 +1,4 @@
-policy_module(ftp, 1.16.2)
+policy_module(ftp, 1.17.0)
########################################
#
diff --git a/policy/modules/contrib/git.te b/policy/modules/contrib/git.te
index 42551f9..084ac9d 100644
--- a/policy/modules/contrib/git.te
+++ b/policy/modules/contrib/git.te
@@ -1,4 +1,4 @@
-policy_module(git, 1.4.1)
+policy_module(git, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te
index 99b426d..cd9fcd7 100644
--- a/policy/modules/contrib/gnome.te
+++ b/policy/modules/contrib/gnome.te
@@ -1,4 +1,4 @@
-policy_module(gnome, 2.4.1)
+policy_module(gnome, 2.5.0)
##############################
#
diff --git a/policy/modules/contrib/irc.te b/policy/modules/contrib/irc.te
index de93459..d07bfb8 100644
--- a/policy/modules/contrib/irc.te
+++ b/policy/modules/contrib/irc.te
@@ -1,4 +1,4 @@
-policy_module(irc, 2.4.1)
+policy_module(irc, 2.5.0)
########################################
#
diff --git a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te
index 67af775..f0ff93b 100644
--- a/policy/modules/contrib/java.te
+++ b/policy/modules/contrib/java.te
@@ -1,4 +1,4 @@
-policy_module(java, 2.7.1)
+policy_module(java, 2.8.0)
########################################
#
diff --git a/policy/modules/contrib/kerberos.te b/policy/modules/contrib/kerberos.te
index 976a98d..1a115e8 100644
--- a/policy/modules/contrib/kerberos.te
+++ b/policy/modules/contrib/kerberos.te
@@ -1,4 +1,4 @@
-policy_module(kerberos, 1.12.1)
+policy_module(kerberos, 1.13.0)
########################################
#
diff --git a/policy/modules/contrib/kismet.te b/policy/modules/contrib/kismet.te
index d4f318b..e6d89c3 100644
--- a/policy/modules/contrib/kismet.te
+++ b/policy/modules/contrib/kismet.te
@@ -1,4 +1,4 @@
-policy_module(kismet, 1.7.1)
+policy_module(kismet, 1.8.0)
########################################
#
diff --git a/policy/modules/contrib/loadkeys.te b/policy/modules/contrib/loadkeys.te
index f987c9e..07b72a7 100644
--- a/policy/modules/contrib/loadkeys.te
+++ b/policy/modules/contrib/loadkeys.te
@@ -1,4 +1,4 @@
-policy_module(loadkeys, 1.9.1)
+policy_module(loadkeys, 1.10.0)
########################################
#
diff --git a/policy/modules/contrib/modemmanager.te b/policy/modules/contrib/modemmanager.te
index 56b3b73..20c99b6 100644
--- a/policy/modules/contrib/modemmanager.te
+++ b/policy/modules/contrib/modemmanager.te
@@ -1,4 +1,4 @@
-policy_module(modemmanager, 1.3.1)
+policy_module(modemmanager, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/mysql.te b/policy/modules/contrib/mysql.te
index 6f2a4f5..76d1e84 100644
--- a/policy/modules/contrib/mysql.te
+++ b/policy/modules/contrib/mysql.te
@@ -1,4 +1,4 @@
-policy_module(mysql, 1.15.1)
+policy_module(mysql, 1.16.0)
########################################
#
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index 07701fd..a0dc708 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -1,4 +1,4 @@
-policy_module(networkmanager, 1.16.2)
+policy_module(networkmanager, 1.17.0)
########################################
#
diff --git a/policy/modules/contrib/nscd.te b/policy/modules/contrib/nscd.te
index a1ba3af..ad2a10e 100644
--- a/policy/modules/contrib/nscd.te
+++ b/policy/modules/contrib/nscd.te
@@ -1,4 +1,4 @@
-policy_module(nscd, 1.11.1)
+policy_module(nscd, 1.12.0)
gen_require(`
class nscd all_nscd_perms;
diff --git a/policy/modules/contrib/ntp.te b/policy/modules/contrib/ntp.te
index 053097b..56bb390 100644
--- a/policy/modules/contrib/ntp.te
+++ b/policy/modules/contrib/ntp.te
@@ -1,4 +1,4 @@
-policy_module(ntp, 1.12.2)
+policy_module(ntp, 1.13.0)
########################################
#
diff --git a/policy/modules/contrib/nut.te b/policy/modules/contrib/nut.te
index 78b7eda..64cd06f 100644
--- a/policy/modules/contrib/nut.te
+++ b/policy/modules/contrib/nut.te
@@ -1,4 +1,4 @@
-policy_module(nut, 1.3.2)
+policy_module(nut, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/obex.te b/policy/modules/contrib/obex.te
index dfb181c..724df1a 100644
--- a/policy/modules/contrib/obex.te
+++ b/policy/modules/contrib/obex.te
@@ -1,4 +1,4 @@
-policy_module(obex, 1.0.1)
+policy_module(obex, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/pcscd.te b/policy/modules/contrib/pcscd.te
index 162cd3e..511d08d 100644
--- a/policy/modules/contrib/pcscd.te
+++ b/policy/modules/contrib/pcscd.te
@@ -1,4 +1,4 @@
-policy_module(pcscd, 1.9.1)
+policy_module(pcscd, 1.10.0)
########################################
#
diff --git a/policy/modules/contrib/prelude.te b/policy/modules/contrib/prelude.te
index e21e13c..6cebd0c 100644
--- a/policy/modules/contrib/prelude.te
+++ b/policy/modules/contrib/prelude.te
@@ -1,4 +1,4 @@
-policy_module(prelude, 1.4.1)
+policy_module(prelude, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/psad.te b/policy/modules/contrib/psad.te
index 4124deb..ad12e3a 100644
--- a/policy/modules/contrib/psad.te
+++ b/policy/modules/contrib/psad.te
@@ -1,4 +1,4 @@
-policy_module(psad, 1.1.1)
+policy_module(psad, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/puppet.te b/policy/modules/contrib/puppet.te
index 8b8a51c..1fa318e 100644
--- a/policy/modules/contrib/puppet.te
+++ b/policy/modules/contrib/puppet.te
@@ -1,4 +1,4 @@
-policy_module(puppet, 1.4.1)
+policy_module(puppet, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/pyzor.te b/policy/modules/contrib/pyzor.te
index 464007e..232d2d4 100644
--- a/policy/modules/contrib/pyzor.te
+++ b/policy/modules/contrib/pyzor.te
@@ -1,4 +1,4 @@
-policy_module(pyzor, 2.3.1)
+policy_module(pyzor, 2.4.0)
########################################
#
diff --git a/policy/modules/contrib/quota.te b/policy/modules/contrib/quota.te
index 69c08f8..4ec203d 100644
--- a/policy/modules/contrib/quota.te
+++ b/policy/modules/contrib/quota.te
@@ -1,4 +1,4 @@
-policy_module(quota, 1.6.1)
+policy_module(quota, 1.7.0)
########################################
#
diff --git a/policy/modules/contrib/readahead.te b/policy/modules/contrib/readahead.te
index 92ad7d1..50ebeb6 100644
--- a/policy/modules/contrib/readahead.te
+++ b/policy/modules/contrib/readahead.te
@@ -1,4 +1,4 @@
-policy_module(readahead, 1.13.1)
+policy_module(readahead, 1.14.0)
########################################
#
diff --git a/policy/modules/contrib/rhcs.te b/policy/modules/contrib/rhcs.te
index f5afb7c..3ac5646 100644
--- a/policy/modules/contrib/rhcs.te
+++ b/policy/modules/contrib/rhcs.te
@@ -1,4 +1,4 @@
-policy_module(rhcs, 1.3.1)
+policy_module(rhcs, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/rpcbind.te b/policy/modules/contrib/rpcbind.te
index 86ddde4..78022b6 100644
--- a/policy/modules/contrib/rpcbind.te
+++ b/policy/modules/contrib/rpcbind.te
@@ -1,4 +1,4 @@
-policy_module(rpcbind, 1.7.2)
+policy_module(rpcbind, 1.8.0)
########################################
#
diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te
index 3354cd1..672fade 100644
--- a/policy/modules/contrib/rpm.te
+++ b/policy/modules/contrib/rpm.te
@@ -1,4 +1,4 @@
-policy_module(rpm, 1.16.1)
+policy_module(rpm, 1.17.0)
########################################
#
diff --git a/policy/modules/contrib/setroubleshoot.te b/policy/modules/contrib/setroubleshoot.te
index 62b935a..4ce8f6d 100644
--- a/policy/modules/contrib/setroubleshoot.te
+++ b/policy/modules/contrib/setroubleshoot.te
@@ -1,4 +1,4 @@
-policy_module(setroubleshoot, 1.13.1)
+policy_module(setroubleshoot, 1.14.0)
########################################
#
diff --git a/policy/modules/contrib/shibboleth.te b/policy/modules/contrib/shibboleth.te
index 9314b5e..ba64413 100644
--- a/policy/modules/contrib/shibboleth.te
+++ b/policy/modules/contrib/shibboleth.te
@@ -1,4 +1,4 @@
-policy_module(shibboleth, 1.0.1)
+policy_module(shibboleth, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/snort.te b/policy/modules/contrib/snort.te
index 60d92b9..d5d9766 100644
--- a/policy/modules/contrib/snort.te
+++ b/policy/modules/contrib/snort.te
@@ -1,4 +1,4 @@
-policy_module(snort, 1.11.2)
+policy_module(snort, 1.12.0)
########################################
#
diff --git a/policy/modules/contrib/spamassassin.te b/policy/modules/contrib/spamassassin.te
index e8e2174..b208631 100644
--- a/policy/modules/contrib/spamassassin.te
+++ b/policy/modules/contrib/spamassassin.te
@@ -1,4 +1,4 @@
-policy_module(spamassassin, 2.7.1)
+policy_module(spamassassin, 2.8.0)
########################################
#
diff --git a/policy/modules/contrib/svnserve.te b/policy/modules/contrib/svnserve.te
index 57c9df5..03cd1f7 100644
--- a/policy/modules/contrib/svnserve.te
+++ b/policy/modules/contrib/svnserve.te
@@ -1,4 +1,4 @@
-policy_module(svnserve, 1.1.1)
+policy_module(svnserve, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/systemtap.te b/policy/modules/contrib/systemtap.te
index cdc4e70..61f53ea 100644
--- a/policy/modules/contrib/systemtap.te
+++ b/policy/modules/contrib/systemtap.te
@@ -1,4 +1,4 @@
-policy_module(systemtap, 1.1.1)
+policy_module(systemtap, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/telepathy.te b/policy/modules/contrib/telepathy.te
index e7fe4da..db2a27b 100644
--- a/policy/modules/contrib/telepathy.te
+++ b/policy/modules/contrib/telepathy.te
@@ -1,4 +1,4 @@
-policy_module(telepathy, 1.5.1)
+policy_module(telepathy, 1.6.0)
########################################
#
diff --git a/policy/modules/contrib/tor.te b/policy/modules/contrib/tor.te
index 373760a..a9441af 100644
--- a/policy/modules/contrib/tor.te
+++ b/policy/modules/contrib/tor.te
@@ -1,4 +1,4 @@
-policy_module(tor, 1.9.1)
+policy_module(tor, 1.10.0)
########################################
#
diff --git a/policy/modules/contrib/uptime.te b/policy/modules/contrib/uptime.te
index 8d5e69a..263d5fb 100644
--- a/policy/modules/contrib/uptime.te
+++ b/policy/modules/contrib/uptime.te
@@ -1,4 +1,4 @@
-policy_module(uptime, 1.5.1)
+policy_module(uptime, 1.6.0)
########################################
#
diff --git a/policy/modules/contrib/xen.te b/policy/modules/contrib/xen.te
index ddb8fa2..3e52fed 100644
--- a/policy/modules/contrib/xen.te
+++ b/policy/modules/contrib/xen.te
@@ -1,4 +1,4 @@
-policy_module(xen, 1.13.1)
+policy_module(xen, 1.14.0)
########################################
#
diff --git a/policy/modules/contrib/zabbix.te b/policy/modules/contrib/zabbix.te
index d61d657..bd967ab 100644
--- a/policy/modules/contrib/zabbix.te
+++ b/policy/modules/contrib/zabbix.te
@@ -1,4 +1,4 @@
-policy_module(zabbix, 1.7.1)
+policy_module(zabbix, 1.8.0)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-12-04 1:46 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2014-12-04 1:46 UTC (permalink / raw
To: gentoo-commits
commit: 662543a6c6d371779ecf5324455c22a4f8e61238
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Dec 3 12:26:41 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Wed Dec 3 20:40:45 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=662543a6
rsync: syntax error in rsync_admin
---
policy/modules/contrib/rsync.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/rsync.if b/policy/modules/contrib/rsync.if
index 431471b..e916de8 100644
--- a/policy/modules/contrib/rsync.if
+++ b/policy/modules/contrib/rsync.if
@@ -257,7 +257,7 @@ interface(`rsync_etc_filetrans_config',`
interface(`rsync_admin',`
gen_require(`
type rsync_t, rsync_etc_t, rsync_data_t;
- type rsync_log_t, rsync_tmp_t. rsync_var_run_t;
+ type rsync_log_t, rsync_tmp_t, rsync_var_run_t;
')
allow $1 rsync_t:process { ptrace signal_perms };
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:adminroles commit in: policy/modules/contrib/
@ 2014-12-03 12:56 Jason Zaman
2014-12-03 12:54 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2014-12-03 12:56 UTC (permalink / raw
To: gentoo-commits
commit: 60135df3a91152af95bdab0fb136da7d5a3523e1
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Nov 26 06:39:16 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Wed Dec 3 08:43:33 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=60135df3
remove spamassassin_role() from spamassassin_admin()
spamassassin_role contains some named filetrans's which can not be
applied twice. The roles already contain spamassassin_role which makes
adding spamassassin_admin impossible. This removes the role so they can
both be applied.
---
policy/modules/contrib/spamassassin.if | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/spamassassin.if b/policy/modules/contrib/spamassassin.if
index 1499b0b..7f5a1cc 100644
--- a/policy/modules/contrib/spamassassin.if
+++ b/policy/modules/contrib/spamassassin.if
@@ -404,5 +404,6 @@ interface(`spamassassin_admin',`
files_list_pids($1)
admin_pattern($1, spamd_var_run_t)
- spamassassin_role($2, $1)
+ # This makes it impossible to apply _admin if _role has already been applied
+ #spamassassin_role($2, $1)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:adminroles commit in: policy/modules/contrib/
@ 2014-12-03 12:56 Jason Zaman
2014-12-03 12:54 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2014-12-03 12:56 UTC (permalink / raw
To: gentoo-commits
commit: c178e55dd18e808d161bf03084c768a3fe069427
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Nov 26 06:39:10 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Wed Dec 3 08:43:32 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=c178e55d
rpm: syntax error in rpm_admin
---
policy/modules/contrib/rpm.if | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/rpm.if b/policy/modules/contrib/rpm.if
index ef3b225..fc9c8d8 100644
--- a/policy/modules/contrib/rpm.if
+++ b/policy/modules/contrib/rpm.if
@@ -626,8 +626,8 @@ interface(`rpm_pid_filetrans_rpm_pid',`
interface(`rpm_admin',`
gen_require(`
type rpm_t, rpm_script_t, rpm_initrc_exec_t;
- type rpm_var_cache_t, rpm_var_lib_t, rpm_lock_t;
- type rpm_log_t, rpm_tmpfs_t, rpm_tmp_t;
+ type rpm_cache_t, rpm_var_lib_t, rpm_lock_t;
+ type rpm_log_t, rpm_tmpfs_t, rpm_tmp_t, rpm_var_run_t;
type rpm_script_tmp_t, rpm_script_tmpfs_t, rpm_file_t;
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2014-12-03 12:56 [gentoo-commits] proj/hardened-refpolicy:adminroles " Jason Zaman
@ 2014-12-03 12:54 ` Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2014-12-03 12:54 UTC (permalink / raw
To: gentoo-commits
commit: c178e55dd18e808d161bf03084c768a3fe069427
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Nov 26 06:39:10 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Wed Dec 3 08:43:32 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=c178e55d
rpm: syntax error in rpm_admin
---
policy/modules/contrib/rpm.if | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/rpm.if b/policy/modules/contrib/rpm.if
index ef3b225..fc9c8d8 100644
--- a/policy/modules/contrib/rpm.if
+++ b/policy/modules/contrib/rpm.if
@@ -626,8 +626,8 @@ interface(`rpm_pid_filetrans_rpm_pid',`
interface(`rpm_admin',`
gen_require(`
type rpm_t, rpm_script_t, rpm_initrc_exec_t;
- type rpm_var_cache_t, rpm_var_lib_t, rpm_lock_t;
- type rpm_log_t, rpm_tmpfs_t, rpm_tmp_t;
+ type rpm_cache_t, rpm_var_lib_t, rpm_lock_t;
+ type rpm_log_t, rpm_tmpfs_t, rpm_tmp_t, rpm_var_run_t;
type rpm_script_tmp_t, rpm_script_tmpfs_t, rpm_file_t;
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:adminroles commit in: policy/modules/contrib/
@ 2014-12-03 12:56 Jason Zaman
2014-12-03 12:54 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2014-12-03 12:56 UTC (permalink / raw
To: gentoo-commits
commit: 830ec3e6758f5d6887a9f681a871caf0b293eabc
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Nov 26 06:39:12 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Wed Dec 3 08:43:32 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=830ec3e6
svnserve: syntax error in svnserve_admin
---
policy/modules/contrib/svnserve.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/svnserve.if b/policy/modules/contrib/svnserve.if
index 2ac91b6..5cd46e9 100644
--- a/policy/modules/contrib/svnserve.if
+++ b/policy/modules/contrib/svnserve.if
@@ -31,5 +31,5 @@ interface(`svnserve_admin',`
allow $2 system_r;
files_search_pids($1)
- admin_pattern($1, httpd_var_run_t)
+ admin_pattern($1, svnserve_var_run_t)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:adminroles commit in: policy/modules/contrib/
@ 2014-12-03 12:56 Jason Zaman
2014-12-03 12:54 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2014-12-03 12:56 UTC (permalink / raw
To: gentoo-commits
commit: c4c6cf58cad3174b2cd02b7a2734a06901f45007
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Nov 26 06:39:07 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Wed Dec 3 08:43:19 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=c4c6cf58
psad: syntax error in psad_admin
---
policy/modules/contrib/psad.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/psad.if b/policy/modules/contrib/psad.if
index d4dcf78..cdc83d2 100644
--- a/policy/modules/contrib/psad.if
+++ b/policy/modules/contrib/psad.if
@@ -236,7 +236,7 @@ interface(`psad_admin',`
gen_require(`
type psad_t, psad_var_run_t, psad_var_log_t;
type psad_initrc_exec_t, psad_var_lib_t;
- type psad_tmp_t;
+ type psad_tmp_t, psad_etc_t;
')
allow $1 psad_t:process { ptrace signal_perms };
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2014-12-03 12:56 [gentoo-commits] proj/hardened-refpolicy:adminroles " Jason Zaman
@ 2014-12-03 12:54 ` Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2014-12-03 12:54 UTC (permalink / raw
To: gentoo-commits
commit: c4c6cf58cad3174b2cd02b7a2734a06901f45007
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Nov 26 06:39:07 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Wed Dec 3 08:43:19 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=c4c6cf58
psad: syntax error in psad_admin
---
policy/modules/contrib/psad.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/psad.if b/policy/modules/contrib/psad.if
index d4dcf78..cdc83d2 100644
--- a/policy/modules/contrib/psad.if
+++ b/policy/modules/contrib/psad.if
@@ -236,7 +236,7 @@ interface(`psad_admin',`
gen_require(`
type psad_t, psad_var_run_t, psad_var_log_t;
type psad_initrc_exec_t, psad_var_lib_t;
- type psad_tmp_t;
+ type psad_tmp_t, psad_etc_t;
')
allow $1 psad_t:process { ptrace signal_perms };
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:adminroles commit in: policy/modules/contrib/
@ 2014-12-03 12:56 Jason Zaman
2014-12-03 12:54 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2014-12-03 12:56 UTC (permalink / raw
To: gentoo-commits
commit: 30451cc4ca123da3b5066e7387717e9163b319ad
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Nov 26 06:39:13 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Wed Dec 3 08:43:33 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=30451cc4
uptime: syntax error in uptime_admin
---
policy/modules/contrib/uptime.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/uptime.if b/policy/modules/contrib/uptime.if
index 01a3234..19f4724 100644
--- a/policy/modules/contrib/uptime.if
+++ b/policy/modules/contrib/uptime.if
@@ -19,7 +19,7 @@
#
interface(`uptime_admin',`
gen_require(`
- type uptimed_t, uptimed_initrc_exec_t. uptimed_etc_t;
+ type uptimed_t, uptimed_initrc_exec_t, uptimed_etc_t;
type uptimed_spool_t, uptimed_var_run_t;
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2014-12-03 12:56 [gentoo-commits] proj/hardened-refpolicy:adminroles " Jason Zaman
@ 2014-12-03 12:54 ` Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2014-12-03 12:54 UTC (permalink / raw
To: gentoo-commits
commit: 30451cc4ca123da3b5066e7387717e9163b319ad
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Nov 26 06:39:13 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Wed Dec 3 08:43:33 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=30451cc4
uptime: syntax error in uptime_admin
---
policy/modules/contrib/uptime.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/uptime.if b/policy/modules/contrib/uptime.if
index 01a3234..19f4724 100644
--- a/policy/modules/contrib/uptime.if
+++ b/policy/modules/contrib/uptime.if
@@ -19,7 +19,7 @@
#
interface(`uptime_admin',`
gen_require(`
- type uptimed_t, uptimed_initrc_exec_t. uptimed_etc_t;
+ type uptimed_t, uptimed_initrc_exec_t, uptimed_etc_t;
type uptimed_spool_t, uptimed_var_run_t;
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:adminroles commit in: policy/modules/contrib/
@ 2014-12-03 12:56 Jason Zaman
2014-12-03 12:54 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2014-12-03 12:56 UTC (permalink / raw
To: gentoo-commits
commit: cf39871364351cf39081d785e73b26131b8221db
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Nov 26 06:38:59 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Wed Dec 3 08:43:00 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=cf398713
ccs: syntax errors in ccs_admin interface
---
policy/modules/contrib/ccs.if | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/ccs.if b/policy/modules/contrib/ccs.if
index 5ded72d..bb17e0f 100644
--- a/policy/modules/contrib/ccs.if
+++ b/policy/modules/contrib/ccs.if
@@ -98,8 +98,8 @@ interface(`ccs_manage_config',`
interface(`ccs_admin',`
gen_require(`
type ccs_t, ccs_initrc_exec_t, cluster_conf_t;
- type ccs_var_lib_t_t, ccs_var_log_t;
- type ccs_var_run_t, ccs_tmp_t;
+ type ccs_var_lib_t, ccs_var_log_t;
+ type ccs_var_run_t, ccs_tmp_t, ccs_conf_t;
')
allow $1 ccs_t:process { ptrace signal_perms };
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2014-12-03 12:56 [gentoo-commits] proj/hardened-refpolicy:adminroles " Jason Zaman
@ 2014-12-03 12:54 ` Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2014-12-03 12:54 UTC (permalink / raw
To: gentoo-commits
commit: cf39871364351cf39081d785e73b26131b8221db
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Nov 26 06:38:59 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Wed Dec 3 08:43:00 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=cf398713
ccs: syntax errors in ccs_admin interface
---
policy/modules/contrib/ccs.if | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/ccs.if b/policy/modules/contrib/ccs.if
index 5ded72d..bb17e0f 100644
--- a/policy/modules/contrib/ccs.if
+++ b/policy/modules/contrib/ccs.if
@@ -98,8 +98,8 @@ interface(`ccs_manage_config',`
interface(`ccs_admin',`
gen_require(`
type ccs_t, ccs_initrc_exec_t, cluster_conf_t;
- type ccs_var_lib_t_t, ccs_var_log_t;
- type ccs_var_run_t, ccs_tmp_t;
+ type ccs_var_lib_t, ccs_var_log_t;
+ type ccs_var_run_t, ccs_tmp_t, ccs_conf_t;
')
allow $1 ccs_t:process { ptrace signal_perms };
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:adminroles commit in: policy/modules/contrib/
@ 2014-12-03 12:56 Jason Zaman
2014-12-03 12:54 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2014-12-03 12:56 UTC (permalink / raw
To: gentoo-commits
commit: 73ef58b0056f5406b4a8911385b2b8beb35c7f92
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Nov 26 06:39:00 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Wed Dec 3 08:43:19 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=73ef58b0
condor: syntax error in condor_admin
---
policy/modules/contrib/condor.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/condor.if b/policy/modules/contrib/condor.if
index 881d92f..c80aaf5 100644
--- a/policy/modules/contrib/condor.if
+++ b/policy/modules/contrib/condor.if
@@ -58,7 +58,7 @@ template(`condor_domain_template',`
interface(`condor_admin',`
gen_require(`
attribute condor_domain;
- type condor_initrc_exec_config_t, condor_log_t;
+ type condor_initrc_exec_t, condor_log_t;
type condor_var_lib_t, condor_var_lock_t, condor_schedd_tmp_t;
type condor_var_run_t, condor_startd_tmp_t, condor_conf_t;
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2014-12-03 12:56 [gentoo-commits] proj/hardened-refpolicy:adminroles " Jason Zaman
@ 2014-12-03 12:54 ` Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2014-12-03 12:54 UTC (permalink / raw
To: gentoo-commits
commit: 73ef58b0056f5406b4a8911385b2b8beb35c7f92
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Nov 26 06:39:00 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Wed Dec 3 08:43:19 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=73ef58b0
condor: syntax error in condor_admin
---
policy/modules/contrib/condor.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/condor.if b/policy/modules/contrib/condor.if
index 881d92f..c80aaf5 100644
--- a/policy/modules/contrib/condor.if
+++ b/policy/modules/contrib/condor.if
@@ -58,7 +58,7 @@ template(`condor_domain_template',`
interface(`condor_admin',`
gen_require(`
attribute condor_domain;
- type condor_initrc_exec_config_t, condor_log_t;
+ type condor_initrc_exec_t, condor_log_t;
type condor_var_lib_t, condor_var_lock_t, condor_schedd_tmp_t;
type condor_var_run_t, condor_startd_tmp_t, condor_conf_t;
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:adminroles commit in: policy/modules/contrib/
@ 2014-12-03 12:56 Jason Zaman
2014-12-03 12:54 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2014-12-03 12:56 UTC (permalink / raw
To: gentoo-commits
commit: 817c2b06a9056545eb11ff3d6f247c4d52913fdc
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Nov 26 06:39:04 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Wed Dec 3 08:43:19 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=817c2b06
kismet: syntax error in kismet_admin
---
policy/modules/contrib/kismet.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/kismet.if b/policy/modules/contrib/kismet.if
index aa2a337..f20de6e 100644
--- a/policy/modules/contrib/kismet.if
+++ b/policy/modules/contrib/kismet.if
@@ -283,7 +283,7 @@ interface(`kismet_manage_log',`
interface(`kismet_admin',`
gen_require(`
type kismet_t, kismet_var_lib_t, kismet_var_run_t;
- type kismet_log_t, kismet_tmp_t;
+ type kismet_log_t, kismet_tmp_t, kismet_initrc_exec_t;
')
init_labeled_script_domtrans($1, kismet_initrc_exec_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2014-12-03 12:56 [gentoo-commits] proj/hardened-refpolicy:adminroles " Jason Zaman
@ 2014-12-03 12:54 ` Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2014-12-03 12:54 UTC (permalink / raw
To: gentoo-commits
commit: 817c2b06a9056545eb11ff3d6f247c4d52913fdc
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Nov 26 06:39:04 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Wed Dec 3 08:43:19 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=817c2b06
kismet: syntax error in kismet_admin
---
policy/modules/contrib/kismet.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/kismet.if b/policy/modules/contrib/kismet.if
index aa2a337..f20de6e 100644
--- a/policy/modules/contrib/kismet.if
+++ b/policy/modules/contrib/kismet.if
@@ -283,7 +283,7 @@ interface(`kismet_manage_log',`
interface(`kismet_admin',`
gen_require(`
type kismet_t, kismet_var_lib_t, kismet_var_run_t;
- type kismet_log_t, kismet_tmp_t;
+ type kismet_log_t, kismet_tmp_t, kismet_initrc_exec_t;
')
init_labeled_script_domtrans($1, kismet_initrc_exec_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:userroles commit in: policy/modules/contrib/
@ 2014-12-03 12:56 Jason Zaman
2014-12-03 12:54 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2014-12-03 12:56 UTC (permalink / raw
To: gentoo-commits
commit: b6fc3fcdd166ae3851c52e32a1f8f50c4b4d047e
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Nov 26 06:39:15 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Wed Dec 3 08:43:33 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b6fc3fcd
remove pyzor_role() from pyzor_admin()
pyzor_role contains some named filetrans's which can not be applied
twice. The roles already contain pyzor_role which makes adding
pyzor_admin impossible. This removes the role so they can both be
applied.
---
policy/modules/contrib/pyzor.if | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/pyzor.if b/policy/modules/contrib/pyzor.if
index 593c03d..c05a504 100644
--- a/policy/modules/contrib/pyzor.if
+++ b/policy/modules/contrib/pyzor.if
@@ -132,5 +132,6 @@ interface(`pyzor_admin',`
files_search_var_lib($1)
admin_pattern($1, pyzor_var_lib_t)
- pyzor_role($2, $1)
+ # This makes it impossible to apply _admin if _role has already been applied
+ #pyzor_role($2, $1)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:userroles commit in: policy/modules/contrib/
@ 2014-12-03 12:56 Jason Zaman
2014-12-03 12:54 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2014-12-03 12:56 UTC (permalink / raw
To: gentoo-commits
commit: 70d7fd9925e72bb51c0fa62de900238385e28781
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Nov 26 06:39:11 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Wed Dec 3 08:43:32 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=70d7fd99
systemtap: syntax error in stapserver_admin
---
policy/modules/contrib/systemtap.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/systemtap.if b/policy/modules/contrib/systemtap.if
index c755e2d..d60a21e 100644
--- a/policy/modules/contrib/systemtap.if
+++ b/policy/modules/contrib/systemtap.if
@@ -20,7 +20,7 @@
interface(`stapserver_admin',`
gen_require(`
type stapserver_t, stapserver_conf_t, stapserver_log_t;
- type stap_server_var_run_t, stapserver_initrc_exec_t, stapserver_var_lib_t;
+ type stapserver_var_run_t, stapserver_initrc_exec_t, stapserver_var_lib_t;
')
allow $1 stapserver_t:process { ptrace signal_perms };
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2014-12-03 12:56 [gentoo-commits] proj/hardened-refpolicy:userroles " Jason Zaman
@ 2014-12-03 12:54 ` Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2014-12-03 12:54 UTC (permalink / raw
To: gentoo-commits
commit: 70d7fd9925e72bb51c0fa62de900238385e28781
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Nov 26 06:39:11 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Wed Dec 3 08:43:32 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=70d7fd99
systemtap: syntax error in stapserver_admin
---
policy/modules/contrib/systemtap.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/systemtap.if b/policy/modules/contrib/systemtap.if
index c755e2d..d60a21e 100644
--- a/policy/modules/contrib/systemtap.if
+++ b/policy/modules/contrib/systemtap.if
@@ -20,7 +20,7 @@
interface(`stapserver_admin',`
gen_require(`
type stapserver_t, stapserver_conf_t, stapserver_log_t;
- type stap_server_var_run_t, stapserver_initrc_exec_t, stapserver_var_lib_t;
+ type stapserver_var_run_t, stapserver_initrc_exec_t, stapserver_var_lib_t;
')
allow $1 stapserver_t:process { ptrace signal_perms };
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:userroles commit in: policy/modules/contrib/
@ 2014-12-03 12:56 Jason Zaman
2014-12-03 12:54 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2014-12-03 12:56 UTC (permalink / raw
To: gentoo-commits
commit: ba2ce29976d91e58d6cf6912552ca6ec0f563f9b
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Nov 26 06:39:06 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Wed Dec 3 08:43:19 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ba2ce299
prelude: syntax error in prelude_admin
---
policy/modules/contrib/prelude.if | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/prelude.if b/policy/modules/contrib/prelude.if
index c83a838..db8f510 100644
--- a/policy/modules/contrib/prelude.if
+++ b/policy/modules/contrib/prelude.if
@@ -120,6 +120,7 @@ interface(`prelude_admin',`
type prelude_var_run_t, prelude_var_lib_t, prelude_log_t;
type prelude_audisp_t, prelude_audisp_var_run_t;
type prelude_initrc_exec_t, prelude_lml_t, prelude_lml_tmp_t;
+ type prelude_correlator_t;
')
allow $1 { prelude_t prelude_audisp_t prelude_lml_t prelude_correlator_t }:process { ptrace signal_perms };
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2014-12-03 12:56 [gentoo-commits] proj/hardened-refpolicy:userroles " Jason Zaman
@ 2014-12-03 12:54 ` Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2014-12-03 12:54 UTC (permalink / raw
To: gentoo-commits
commit: ba2ce29976d91e58d6cf6912552ca6ec0f563f9b
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Nov 26 06:39:06 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Wed Dec 3 08:43:19 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ba2ce299
prelude: syntax error in prelude_admin
---
policy/modules/contrib/prelude.if | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/prelude.if b/policy/modules/contrib/prelude.if
index c83a838..db8f510 100644
--- a/policy/modules/contrib/prelude.if
+++ b/policy/modules/contrib/prelude.if
@@ -120,6 +120,7 @@ interface(`prelude_admin',`
type prelude_var_run_t, prelude_var_lib_t, prelude_log_t;
type prelude_audisp_t, prelude_audisp_var_run_t;
type prelude_initrc_exec_t, prelude_lml_t, prelude_lml_tmp_t;
+ type prelude_correlator_t;
')
allow $1 { prelude_t prelude_audisp_t prelude_lml_t prelude_correlator_t }:process { ptrace signal_perms };
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:userroles commit in: policy/modules/contrib/
@ 2014-12-03 12:56 Jason Zaman
2014-12-03 12:54 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2014-12-03 12:56 UTC (permalink / raw
To: gentoo-commits
commit: 5bbf23fc711e26d7c7073567e105313fadcd6c3c
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Nov 26 06:39:02 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Wed Dec 3 08:43:19 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=5bbf23fc
ftp: syntax error in ftp_admin
---
policy/modules/contrib/ftp.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/ftp.if b/policy/modules/contrib/ftp.if
index 4498143..65adda9 100644
--- a/policy/modules/contrib/ftp.if
+++ b/policy/modules/contrib/ftp.if
@@ -179,7 +179,7 @@ interface(`ftp_admin',`
type ftpd_keytab_t;
')
- allow $1 { ftpd_t ftpdctl_t sftpd_t anon_sftpd }:process { ptrace signal_perms };
+ allow $1 { ftpd_t ftpdctl_t sftpd_t anon_sftpd_t }:process { ptrace signal_perms };
ps_process_pattern($1, { ftpd_t ftpdctl_t sftpd_t anon_sftpd_t })
init_labeled_script_domtrans($1, ftpd_initrc_exec_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-12-03 12:54 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2014-12-03 12:54 UTC (permalink / raw
To: gentoo-commits
commit: 023ffc02b383f6e2a7c1c7a4fb0ecf032bde1014
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Nov 26 06:39:14 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Wed Dec 3 08:43:33 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=023ffc02
zabbix: syntax error in zabbix_admin
---
policy/modules/contrib/zabbix.if | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/policy/modules/contrib/zabbix.if b/policy/modules/contrib/zabbix.if
index dd63de0..29d87d7 100644
--- a/policy/modules/contrib/zabbix.if
+++ b/policy/modules/contrib/zabbix.if
@@ -138,9 +138,9 @@ interface(`zabbix_agent_tcp_connect',`
#
interface(`zabbix_admin',`
gen_require(`
- type zabbix_t, zabbix_log_t, zabbix_var_run_t;
- type zabbix_initrc_exec_t, zabbit_agent_initrc_exec_t, zabbix_tmp_t;
- type zabbit_tmpfs_t;
+ type zabbix_t, zabbix_agent_t, zabbix_log_t, zabbix_var_run_t;
+ type zabbix_initrc_exec_t, zabbix_agent_initrc_exec_t, zabbix_tmp_t;
+ type zabbix_tmpfs_t;
')
allow $1 { zabbix_t zabbix_agent_t }:process { ptrace signal_perms };
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-12-03 12:54 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2014-12-03 12:54 UTC (permalink / raw
To: gentoo-commits
commit: 46d4ce5719f6e53d1aa290d714581f80753b5a20
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue Dec 2 15:30:48 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Wed Dec 3 08:43:33 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=46d4ce57
Module version bump for _admin fixes from Jason Zaman.
---
policy/modules/contrib/ccs.te | 2 +-
policy/modules/contrib/condor.te | 2 +-
policy/modules/contrib/distcc.te | 2 +-
policy/modules/contrib/ftp.te | 2 +-
policy/modules/contrib/kerberos.te | 2 +-
policy/modules/contrib/kismet.te | 2 +-
policy/modules/contrib/nut.te | 2 +-
policy/modules/contrib/prelude.te | 2 +-
policy/modules/contrib/psad.te | 2 +-
policy/modules/contrib/pyzor.te | 2 +-
policy/modules/contrib/quota.te | 2 +-
policy/modules/contrib/rpcbind.te | 2 +-
policy/modules/contrib/rpm.te | 2 +-
policy/modules/contrib/spamassassin.te | 2 +-
policy/modules/contrib/svnserve.te | 2 +-
policy/modules/contrib/systemtap.te | 2 +-
policy/modules/contrib/uptime.te | 2 +-
policy/modules/contrib/zabbix.te | 2 +-
18 files changed, 18 insertions(+), 18 deletions(-)
diff --git a/policy/modules/contrib/ccs.te b/policy/modules/contrib/ccs.te
index 849873d..b6f7ae6 100644
--- a/policy/modules/contrib/ccs.te
+++ b/policy/modules/contrib/ccs.te
@@ -1,4 +1,4 @@
-policy_module(ccs, 1.7.0)
+policy_module(ccs, 1.7.1)
########################################
#
diff --git a/policy/modules/contrib/condor.te b/policy/modules/contrib/condor.te
index 3787034..81fb9ae 100644
--- a/policy/modules/contrib/condor.te
+++ b/policy/modules/contrib/condor.te
@@ -1,4 +1,4 @@
-policy_module(condor, 1.1.0)
+policy_module(condor, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/distcc.te b/policy/modules/contrib/distcc.te
index 898b2f4..284b070 100644
--- a/policy/modules/contrib/distcc.te
+++ b/policy/modules/contrib/distcc.te
@@ -1,4 +1,4 @@
-policy_module(distcc, 1.9.0)
+policy_module(distcc, 1.9.1)
########################################
#
diff --git a/policy/modules/contrib/ftp.te b/policy/modules/contrib/ftp.te
index b59e761..7681fec 100644
--- a/policy/modules/contrib/ftp.te
+++ b/policy/modules/contrib/ftp.te
@@ -1,4 +1,4 @@
-policy_module(ftp, 1.16.1)
+policy_module(ftp, 1.16.2)
########################################
#
diff --git a/policy/modules/contrib/kerberos.te b/policy/modules/contrib/kerberos.te
index 8833d59..976a98d 100644
--- a/policy/modules/contrib/kerberos.te
+++ b/policy/modules/contrib/kerberos.te
@@ -1,4 +1,4 @@
-policy_module(kerberos, 1.12.0)
+policy_module(kerberos, 1.12.1)
########################################
#
diff --git a/policy/modules/contrib/kismet.te b/policy/modules/contrib/kismet.te
index 8ad0d4d..d4f318b 100644
--- a/policy/modules/contrib/kismet.te
+++ b/policy/modules/contrib/kismet.te
@@ -1,4 +1,4 @@
-policy_module(kismet, 1.7.0)
+policy_module(kismet, 1.7.1)
########################################
#
diff --git a/policy/modules/contrib/nut.te b/policy/modules/contrib/nut.te
index ab8b8da..78b7eda 100644
--- a/policy/modules/contrib/nut.te
+++ b/policy/modules/contrib/nut.te
@@ -1,4 +1,4 @@
-policy_module(nut, 1.3.1)
+policy_module(nut, 1.3.2)
########################################
#
diff --git a/policy/modules/contrib/prelude.te b/policy/modules/contrib/prelude.te
index 8f44609..e21e13c 100644
--- a/policy/modules/contrib/prelude.te
+++ b/policy/modules/contrib/prelude.te
@@ -1,4 +1,4 @@
-policy_module(prelude, 1.4.0)
+policy_module(prelude, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/psad.te b/policy/modules/contrib/psad.te
index b5d717b..4124deb 100644
--- a/policy/modules/contrib/psad.te
+++ b/policy/modules/contrib/psad.te
@@ -1,4 +1,4 @@
-policy_module(psad, 1.1.0)
+policy_module(psad, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/pyzor.te b/policy/modules/contrib/pyzor.te
index 2439d13..464007e 100644
--- a/policy/modules/contrib/pyzor.te
+++ b/policy/modules/contrib/pyzor.te
@@ -1,4 +1,4 @@
-policy_module(pyzor, 2.3.0)
+policy_module(pyzor, 2.3.1)
########################################
#
diff --git a/policy/modules/contrib/quota.te b/policy/modules/contrib/quota.te
index f47c8e8..69c08f8 100644
--- a/policy/modules/contrib/quota.te
+++ b/policy/modules/contrib/quota.te
@@ -1,4 +1,4 @@
-policy_module(quota, 1.6.0)
+policy_module(quota, 1.6.1)
########################################
#
diff --git a/policy/modules/contrib/rpcbind.te b/policy/modules/contrib/rpcbind.te
index eefc5df..86ddde4 100644
--- a/policy/modules/contrib/rpcbind.te
+++ b/policy/modules/contrib/rpcbind.te
@@ -1,4 +1,4 @@
-policy_module(rpcbind, 1.7.1)
+policy_module(rpcbind, 1.7.2)
########################################
#
diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te
index 8d44a78..3354cd1 100644
--- a/policy/modules/contrib/rpm.te
+++ b/policy/modules/contrib/rpm.te
@@ -1,4 +1,4 @@
-policy_module(rpm, 1.16.0)
+policy_module(rpm, 1.16.1)
########################################
#
diff --git a/policy/modules/contrib/spamassassin.te b/policy/modules/contrib/spamassassin.te
index 35053ab..e8e2174 100644
--- a/policy/modules/contrib/spamassassin.te
+++ b/policy/modules/contrib/spamassassin.te
@@ -1,4 +1,4 @@
-policy_module(spamassassin, 2.7.0)
+policy_module(spamassassin, 2.7.1)
########################################
#
diff --git a/policy/modules/contrib/svnserve.te b/policy/modules/contrib/svnserve.te
index 49d688d..57c9df5 100644
--- a/policy/modules/contrib/svnserve.te
+++ b/policy/modules/contrib/svnserve.te
@@ -1,4 +1,4 @@
-policy_module(svnserve, 1.1.0)
+policy_module(svnserve, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/systemtap.te b/policy/modules/contrib/systemtap.te
index ffde368..cdc4e70 100644
--- a/policy/modules/contrib/systemtap.te
+++ b/policy/modules/contrib/systemtap.te
@@ -1,4 +1,4 @@
-policy_module(systemtap, 1.1.0)
+policy_module(systemtap, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/uptime.te b/policy/modules/contrib/uptime.te
index 58397dc..8d5e69a 100644
--- a/policy/modules/contrib/uptime.te
+++ b/policy/modules/contrib/uptime.te
@@ -1,4 +1,4 @@
-policy_module(uptime, 1.5.0)
+policy_module(uptime, 1.5.1)
########################################
#
diff --git a/policy/modules/contrib/zabbix.te b/policy/modules/contrib/zabbix.te
index 6ea314a..d61d657 100644
--- a/policy/modules/contrib/zabbix.te
+++ b/policy/modules/contrib/zabbix.te
@@ -1,4 +1,4 @@
-policy_module(zabbix, 1.7.0)
+policy_module(zabbix, 1.7.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-12-03 12:54 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2014-12-03 12:54 UTC (permalink / raw
To: gentoo-commits
commit: 7e0d04ce8a6717c305f2811ac84d6f1e0f25fc53
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Nov 26 06:39:03 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Wed Dec 3 08:43:19 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=7e0d04ce
kerberos: syntax error in kerberos_admin
---
policy/modules/contrib/kerberos.if | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/kerberos.if b/policy/modules/contrib/kerberos.if
index f6c00d8..77a5c49 100644
--- a/policy/modules/contrib/kerberos.if
+++ b/policy/modules/contrib/kerberos.if
@@ -490,8 +490,8 @@ interface(`kerberos_admin',`
type krb5kdc_var_run_t, krb5_host_rcache_t;
')
- allow $1 { kadmind_t krb5kdc_t kpropd }:process { ptrace signal_perms };
- ps_process_pattern($1, { kadmind_t krb5kdc_t kpropd })
+ allow $1 { kadmind_t krb5kdc_t kpropd_t }:process { ptrace signal_perms };
+ ps_process_pattern($1, { kadmind_t krb5kdc_t kpropd_t })
init_labeled_script_domtrans($1, kerberos_initrc_exec_t)
domain_system_change_exemption($1)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-12-03 12:54 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2014-12-03 12:54 UTC (permalink / raw
To: gentoo-commits
commit: 89e9586e05e56f7e16e58f39e2b8f62dbeae4772
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Nov 26 06:39:08 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Wed Dec 3 08:43:32 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=89e9586e
quota: syntax error in quota_admin
---
policy/modules/contrib/quota.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/quota.if b/policy/modules/contrib/quota.if
index da64218..68611e3 100644
--- a/policy/modules/contrib/quota.if
+++ b/policy/modules/contrib/quota.if
@@ -190,7 +190,7 @@ interface(`quota_admin',`
allow $2 system_r;
files_list_all($1)
- admin_pattern($1, { quota_db_t quota_flag quota_nld_var_run_t })
+ admin_pattern($1, { quota_db_t quota_flag_t quota_nld_var_run_t })
quota_run($1, $2)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-12-03 12:54 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2014-12-03 12:54 UTC (permalink / raw
To: gentoo-commits
commit: c0443c2bf50696969c5534eab62caf5c3fd2d4cd
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Nov 26 06:39:01 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Wed Dec 3 08:43:19 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=c0443c2b
distcc: syntax error in distcc_admin
---
policy/modules/contrib/distcc.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/distcc.if b/policy/modules/contrib/distcc.if
index 24d8c74..473823d 100644
--- a/policy/modules/contrib/distcc.if
+++ b/policy/modules/contrib/distcc.if
@@ -20,7 +20,7 @@
interface(`distcc_admin',`
gen_require(`
type distccd_t, distccd_t, distccd_log_t;
- type disccd_var_run_t, distccd_tmp_t, distccd_initrc_exec_t;
+ type distccd_var_run_t, distccd_tmp_t, distccd_initrc_exec_t;
')
allow $1 distccd_t:process { ptrace signal_perms };
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-12-03 12:54 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2014-12-03 12:54 UTC (permalink / raw
To: gentoo-commits
commit: 1a6ba9f4ab6c255289c3a43d6ba130101b1aed4b
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Nov 26 06:39:09 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Wed Dec 3 08:43:32 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=1a6ba9f4
rpcbind: syntax error in rpcbind_admin
---
policy/modules/contrib/rpcbind.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/rpcbind.if b/policy/modules/contrib/rpcbind.if
index 3b5e9ee..1a1cb99 100644
--- a/policy/modules/contrib/rpcbind.if
+++ b/policy/modules/contrib/rpcbind.if
@@ -160,7 +160,7 @@ interface(`rpcbind_admin',`
allow $1 rpcbind_t:process { ptrace signal_perms };
ps_process_pattern($1, rpcbind_t)
- init_labeled_script_domtrans($1, rbcbind_initrc_exec_t)
+ init_labeled_script_domtrans($1, rpcbind_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 rpcbind_initrc_exec_t system_r;
allow $2 system_r;
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-12-03 12:54 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2014-12-03 12:54 UTC (permalink / raw
To: gentoo-commits
commit: 3dc49e7336ef420697a7fa36661518c47e4f4356
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Nov 26 06:39:05 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Wed Dec 3 08:43:19 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=3dc49e73
nut: syntax error in nut_admin
---
policy/modules/contrib/nut.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/nut.if b/policy/modules/contrib/nut.if
index 57c0161..c606ae6 100644
--- a/policy/modules/contrib/nut.if
+++ b/policy/modules/contrib/nut.if
@@ -24,7 +24,7 @@ interface(`nut_admin',`
')
allow $1 nut_domain:process { ptrace signal_perms };
- ps_process_pattern($1, nut_domain_t)
+ ps_process_pattern($1, nut_domain)
init_labeled_script_domtrans($1, nut_initrc_exec_t)
domain_system_change_exemption($1)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-11-28 9:40 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-11-28 9:40 UTC (permalink / raw
To: gentoo-commits
commit: 7a74e7ba38497d870a3d3c51c8ffd6ffb876d00e
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Nov 28 09:28:46 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Nov 28 09:28:46 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=7a74e7ba
Allow cgroup handler to access /sys/fs/cgroup as tmpfs_t
Currently, the /sys/fs/cgroup location is mounted as a tmpfs_t. As the
mount options cannot be easily modified as of yet, we grant the cgroup
handler search privileges over tmpfs_t.
Additional cgroup mounts within /sys/fs/cgroup do hold the right context
(cgroup_t).
---
policy/modules/contrib/openrc.te | 3 +++
1 file changed, 3 insertions(+)
diff --git a/policy/modules/contrib/openrc.te b/policy/modules/contrib/openrc.te
index 91afb6e..6a0d7cb 100644
--- a/policy/modules/contrib/openrc.te
+++ b/policy/modules/contrib/openrc.te
@@ -28,5 +28,8 @@ files_search_pids(openrc_cgroup_release_t)
fs_manage_cgroup_dirs(openrc_cgroup_release_t)
fs_manage_cgroup_files(openrc_cgroup_release_t)
+# /sys/fs/cgroup is by default mounted as tmpfs_t
+# Allow search until we can have it mounted correctly (TODO)
+fs_search_tmpfs(openrc_cgroup_release_t)
auth_use_nsswitch(openrc_cgroup_release_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-11-23 13:22 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-11-23 13:22 UTC (permalink / raw
To: gentoo-commits
commit: 74986b6148745779596c8604e6f6e489a2c89c13
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Nov 23 12:46:08 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Nov 23 12:46:08 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=74986b61
OpenRC cgroup helper requires dac_override privilege
Managing and updating cgroups through the kernel-invoked openrc cgroup
helper has the helper run under root privileges, but accessing files
(reading mostly) that are owned by a different user.
---
policy/modules/contrib/openrc.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/openrc.te b/policy/modules/contrib/openrc.te
index bf5a336..91afb6e 100644
--- a/policy/modules/contrib/openrc.te
+++ b/policy/modules/contrib/openrc.te
@@ -13,6 +13,7 @@ role system_r types openrc_cgroup_release_t;
# OpenRC cgroup release policy
#
+allow openrc_cgroup_release_t self:capability dac_override;
allow openrc_cgroup_release_t self:unix_stream_socket create_socket_perms;
kernel_domtrans_to(openrc_cgroup_release_t, openrc_cgroup_release_exec_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-11-11 13:38 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-11-11 13:38 UTC (permalink / raw
To: gentoo-commits
commit: 5930912adf0ca652cdcc7c0708086e21788fc022
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Nov 11 13:37:38 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Nov 11 13:37:38 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=5930912a
Add info on why munin crontab is explicitly mentioned
---
policy/modules/contrib/cron.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/cron.fc b/policy/modules/contrib/cron.fc
index 590908c..cbb19b7 100644
--- a/policy/modules/contrib/cron.fc
+++ b/policy/modules/contrib/cron.fc
@@ -62,5 +62,6 @@ ifdef(`distro_suse',`
')
ifdef(`distro_gentoo',`
+# Fix bug 526532 - Workaround so that munin crontab gets a system_u label assigned
/var/spool/cron/crontabs/munin -- gen_context(system_u:object_r:system_cron_spool_t,s0)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-11-11 13:36 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-11-11 13:36 UTC (permalink / raw
To: gentoo-commits
commit: f849d7e0c29175d717cb3addf4285ce09a20c2bb
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Nov 11 13:33:21 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Nov 11 13:33:21 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f849d7e0
Force munin crontab to be system_u (define context), fix bug #526532
---
policy/modules/contrib/cron.fc | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/cron.fc b/policy/modules/contrib/cron.fc
index 266a439..590908c 100644
--- a/policy/modules/contrib/cron.fc
+++ b/policy/modules/contrib/cron.fc
@@ -60,3 +60,7 @@ ifdef(`distro_suse',`
/var/spool/cron/lastrun/[^/]* -- <<none>>
/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0)
')
+
+ifdef(`distro_gentoo',`
+/var/spool/cron/crontabs/munin -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-11-11 10:38 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-11-11 10:38 UTC (permalink / raw
To: gentoo-commits
commit: 28f48ea9662d40ad2692559fbc97fb2e3cb6ae44
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Nov 11 10:37:46 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Nov 11 10:37:46 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=28f48ea9
Fix bug #528602 - Update context for vnstatd binary
---
policy/modules/contrib/vnstatd.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/vnstatd.fc b/policy/modules/contrib/vnstatd.fc
index 5f125a2..52f8f68 100644
--- a/policy/modules/contrib/vnstatd.fc
+++ b/policy/modules/contrib/vnstatd.fc
@@ -11,4 +11,5 @@
ifdef(`distro_gentoo',`
# Fix bug 528602 - name is vnstatd in Gentoo
/etc/rc\.d/init\.d/vnstatd -- gen_context(system_u:object_r:vnstatd_initrc_exec_t,s0)
+/usr/bin/vnstatd -- gen_context(system_u:object_r:vnstat_exec_t,s0)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-11-08 16:36 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-11-08 16:36 UTC (permalink / raw
To: gentoo-commits
commit: 3a8ac7c8f7f648a826b5c2c668bf75856ac931bf
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Nov 8 16:35:45 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Nov 8 16:35:45 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=3a8ac7c8
Fix bug #528602 - vnstatd init script naming fix in fc file thanks to Eric Glisse
---
policy/modules/contrib/vnstatd.fc | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/policy/modules/contrib/vnstatd.fc b/policy/modules/contrib/vnstatd.fc
index 24228b6..5f125a2 100644
--- a/policy/modules/contrib/vnstatd.fc
+++ b/policy/modules/contrib/vnstatd.fc
@@ -7,3 +7,8 @@
/var/lib/vnstat(/.*)? gen_context(system_u:object_r:vnstatd_var_lib_t,s0)
/var/run/vnstat.* gen_context(system_u:object_r:vnstatd_var_run_t,s0)
+
+ifdef(`distro_gentoo',`
+# Fix bug 528602 - name is vnstatd in Gentoo
+/etc/rc\.d/init\.d/vnstatd -- gen_context(system_u:object_r:vnstatd_initrc_exec_t,s0)
+')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-11-01 18:00 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-11-01 18:00 UTC (permalink / raw
To: gentoo-commits
commit: 717d10b31cce2a5c92950c480444205a3c9ab839
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Nov 1 17:58:15 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Nov 1 17:58:15 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=717d10b3
Emerge is also handled by python-exec
---
policy/modules/contrib/portage.fc | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/portage.fc b/policy/modules/contrib/portage.fc
index cc65c01..2eaa62c 100644
--- a/policy/modules/contrib/portage.fc
+++ b/policy/modules/contrib/portage.fc
@@ -18,6 +18,7 @@
/usr/lib/portage/bin/regenworld -- gen_context(system_u:object_r:portage_exec_t,s0)
/usr/lib/portage/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0)
+
/usr/portage(/.*)? gen_context(system_u:object_r:portage_ebuild_t,s0)
/usr/portage/distfiles/cvs-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
/usr/portage/distfiles/egit-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
@@ -37,7 +38,8 @@
/var/tmp/portage-pkg(/.*)? gen_context(system_u:object_r:portage_tmp_t,s0)
ifdef(`distro_gentoo',`
-/usr/lib/python-exec/python[0-9]?\.[0-9]?/glsa-check -- gen_context(system_u:object_r:portage_exec_t,s0)
-/usr/lib/python-exec/python[0-9].\.[0-9]?/layman -- gen_context(system_u:object_r:portage_fetch_exec_t,s0)
+/usr/lib/python-exec/python[0-9]\.[0-9]*/glsa-check -- gen_context(system_u:object_r:portage_exec_t,s0)
+/usr/lib/python-exec/python[0-9]\.[0-9]*/layman -- gen_context(system_u:object_r:portage_fetch_exec_t,s0)
+/usr/lib/python-exec/python[0-9]\.[0-9]*/emerge -- gen_context(system_u:object_r:portage_exec_t,s0)
/var/log/sandbox(/.*)? gen_context(system_u:object_r:portage_log_t,s0)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
@ 2014-10-19 17:38 Jason Zaman
2014-10-25 19:21 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2014-10-19 17:38 UTC (permalink / raw
To: gentoo-commits
commit: 170ab2bf6b82c6110ee26d9f2915c7cf52caae15
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Aug 18 09:54:23 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Sun Oct 19 17:37:47 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=170ab2bf
Add policy for Android tools and SDK
---
policy/modules/contrib/android.fc | 6 +++
policy/modules/contrib/android.if | 98 ++++++++++++++++++++++++++++++++++
policy/modules/contrib/android.te | 108 ++++++++++++++++++++++++++++++++++++++
3 files changed, 212 insertions(+)
diff --git a/policy/modules/contrib/android.fc b/policy/modules/contrib/android.fc
new file mode 100644
index 0000000..a16fc47
--- /dev/null
+++ b/policy/modules/contrib/android.fc
@@ -0,0 +1,6 @@
+HOME_DIR/\.AndroidStudio.*(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.android(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.gradle(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+
+/opt/android-studio/bin/studio.sh gen_context(system_u:object_r:android_java_exec_t,s0)
+
diff --git a/policy/modules/contrib/android.if b/policy/modules/contrib/android.if
new file mode 100644
index 0000000..f0173d5
--- /dev/null
+++ b/policy/modules/contrib/android.if
@@ -0,0 +1,98 @@
+## <summary>Android development tools - adb, fastboot, android studio</summary>
+
+#######################################
+## <summary>
+## The role for using the android tools.
+## </summary>
+## <param name="role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## The user domain.
+## </summary>
+## </param>
+#
+interface(`android_role',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ type android_home_t;
+ type android_tmp_t;
+ type android_java_t;
+ type android_java_exec_t;
+ ')
+
+ role $1 types android_tools_t;
+ role $1 types android_java_t;
+
+ domtrans_pattern($2, android_tools_exec_t, android_tools_t)
+ domtrans_pattern($2, android_java_exec_t, android_java_t)
+
+ allow $2 android_tools_t:process { ptrace signal_perms };
+ allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh rlimitinh };
+
+ manage_dirs_pattern($2, android_home_t, android_home_t)
+ manage_files_pattern($2, android_home_t, android_home_t)
+ manage_lnk_files_pattern($2, android_home_t, android_home_t)
+
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudioBeta")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudio")
+
+ manage_dirs_pattern($2, android_tmp_t, android_tmp_t)
+ manage_files_pattern($2, android_tmp_t, android_tmp_t)
+
+ allow $2 android_home_t:dir relabel_dir_perms;
+ allow $2 android_home_t:file relabel_file_perms;
+ allow $2 android_tools_exec_t:file relabel_file_perms;
+
+ ps_process_pattern($2, android_tools_t)
+ ps_process_pattern($2, android_java_t)
+
+ android_dbus_chat($2)
+')
+
+#########################################
+## <summary>
+## Execute the android tools commands in the
+## android tools domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+
+interface(`android_tools_domtrans',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, android_tools_exec_t, android_tools_t)
+')
+
+#########################################
+## <summary>
+## Send and receive messages from the android java
+## domain over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`android_dbus_chat',`
+ gen_require(`
+ type android_java_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 android_java_t:dbus send_msg;
+ allow android_java_t $1:dbus send_msg;
+')
diff --git a/policy/modules/contrib/android.te b/policy/modules/contrib/android.te
new file mode 100644
index 0000000..08f3c83
--- /dev/null
+++ b/policy/modules/contrib/android.te
@@ -0,0 +1,108 @@
+policy_module(android, 1.0.0)
+
+############################
+#
+# Declarations
+#
+
+# adb needs to be labelled with android_tools_exec_t
+type android_tools_t;
+type android_tools_exec_t; # customizable
+userdom_user_application_domain(android_tools_t, android_tools_exec_t)
+
+type android_tmp_t;
+userdom_user_tmp_file(android_tmp_t)
+
+# for X server SHM
+type android_tmpfs_t;
+userdom_user_tmpfs_file(android_tmpfs_t)
+
+type android_java_t;
+type android_java_exec_t;
+userdom_user_application_domain(android_java_t, android_java_exec_t)
+java_domain_type(android_java_t)
+
+# the android dir ~/.android/, ~/.AndroidStudio/
+# this is customizable since the sdk needs to be labelled
+type android_home_t; # customizable
+userdom_user_home_content(android_home_t)
+userdom_user_home_dir_filetrans(android_tools_t, android_home_t, { dir file })
+
+
+############################
+#
+# Android Tools Policy Rules
+#
+
+# this domain has access to usb and is intended for adb and fastboot
+# the java domain can run these tools
+
+allow android_tools_t self:process { execmem signal_perms };
+
+allow android_tools_t self:fifo_file rw_fifo_file_perms;
+allow android_tools_t self:tcp_socket create_stream_socket_perms;
+
+can_exec(android_tools_t, android_tools_exec_t)
+
+manage_dirs_pattern(android_tools_t, android_home_t, android_home_t)
+manage_files_pattern(android_tools_t, android_home_t, android_home_t)
+
+files_tmp_filetrans(android_tools_t, android_tmp_t, { file dir })
+manage_dirs_pattern(android_tools_t, android_tmp_t, android_tmp_t)
+manage_files_pattern(android_tools_t, android_tmp_t, android_tmp_t)
+
+corenet_tcp_bind_adb_port(android_tools_t)
+corenet_tcp_bind_generic_node(android_tools_t)
+corenet_tcp_connect_adb_port(android_tools_t)
+
+dev_rw_generic_usb_dev(android_tools_t)
+
+userdom_manage_user_home_content_dirs(android_tools_t)
+userdom_manage_user_home_content_files(android_tools_t)
+userdom_search_user_home_content(android_tools_t)
+userdom_use_user_terminals(android_tools_t)
+
+
+############################
+#
+# Android Java Policy Rules
+#
+
+# this domain is for java and android studio and
+# all the (java-based) build tools
+
+allow android_java_t self:tcp_socket { accept listen };
+
+can_exec(android_java_t, android_home_t)
+can_exec(android_java_t, android_java_exec_t)
+
+manage_dirs_pattern(android_java_t, android_home_t, android_home_t)
+manage_files_pattern(android_java_t, android_home_t, android_home_t)
+
+manage_dirs_pattern(android_java_t, android_tmp_t, android_tmp_t)
+manage_files_pattern(android_java_t, android_tmp_t, android_tmp_t)
+
+corecmd_exec_bin(android_java_t)
+corecmd_exec_shell(android_java_t)
+
+corenet_tcp_bind_all_unreserved_ports(android_java_t)
+corenet_tcp_bind_generic_node(android_java_t)
+corenet_tcp_connect_adb_port(android_tools_t)
+corenet_tcp_connect_http_port(android_tools_t)
+corenet_udp_bind_generic_node(android_java_t)
+
+miscfiles_read_fonts(android_java_t)
+miscfiles_read_localization(android_java_t)
+
+userdom_use_user_terminals(android_java_t)
+userdom_user_home_dir_filetrans(android_java_t, android_home_t, dir, ".android")
+userdom_user_home_dir_filetrans(android_java_t, android_home_t, dir, ".AndroidStudioBeta")
+userdom_user_home_dir_filetrans(android_java_t, android_home_t, dir, ".AndroidStudio")
+
+android_tools_domtrans(android_java_t)
+
+dbus_all_session_bus_client(android_java_t)
+
+xdg_read_config_home_files(android_java_t)
+
+xserver_user_x_domain_template(android_java, android_java_t, android_tmpfs_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2014-10-19 17:38 [gentoo-commits] proj/hardened-refpolicy:perfinion " Jason Zaman
@ 2014-10-25 19:21 ` Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2014-10-25 19:21 UTC (permalink / raw
To: gentoo-commits
commit: 170ab2bf6b82c6110ee26d9f2915c7cf52caae15
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Aug 18 09:54:23 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Sun Oct 19 17:37:47 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=170ab2bf
Add policy for Android tools and SDK
---
policy/modules/contrib/android.fc | 6 +++
policy/modules/contrib/android.if | 98 ++++++++++++++++++++++++++++++++++
policy/modules/contrib/android.te | 108 ++++++++++++++++++++++++++++++++++++++
3 files changed, 212 insertions(+)
diff --git a/policy/modules/contrib/android.fc b/policy/modules/contrib/android.fc
new file mode 100644
index 0000000..a16fc47
--- /dev/null
+++ b/policy/modules/contrib/android.fc
@@ -0,0 +1,6 @@
+HOME_DIR/\.AndroidStudio.*(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.android(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.gradle(/.*)? gen_context(system_u:object_r:android_home_t,s0)
+
+/opt/android-studio/bin/studio.sh gen_context(system_u:object_r:android_java_exec_t,s0)
+
diff --git a/policy/modules/contrib/android.if b/policy/modules/contrib/android.if
new file mode 100644
index 0000000..f0173d5
--- /dev/null
+++ b/policy/modules/contrib/android.if
@@ -0,0 +1,98 @@
+## <summary>Android development tools - adb, fastboot, android studio</summary>
+
+#######################################
+## <summary>
+## The role for using the android tools.
+## </summary>
+## <param name="role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## The user domain.
+## </summary>
+## </param>
+#
+interface(`android_role',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ type android_home_t;
+ type android_tmp_t;
+ type android_java_t;
+ type android_java_exec_t;
+ ')
+
+ role $1 types android_tools_t;
+ role $1 types android_java_t;
+
+ domtrans_pattern($2, android_tools_exec_t, android_tools_t)
+ domtrans_pattern($2, android_java_exec_t, android_java_t)
+
+ allow $2 android_tools_t:process { ptrace signal_perms };
+ allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh rlimitinh };
+
+ manage_dirs_pattern($2, android_home_t, android_home_t)
+ manage_files_pattern($2, android_home_t, android_home_t)
+ manage_lnk_files_pattern($2, android_home_t, android_home_t)
+
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudioBeta")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudio")
+
+ manage_dirs_pattern($2, android_tmp_t, android_tmp_t)
+ manage_files_pattern($2, android_tmp_t, android_tmp_t)
+
+ allow $2 android_home_t:dir relabel_dir_perms;
+ allow $2 android_home_t:file relabel_file_perms;
+ allow $2 android_tools_exec_t:file relabel_file_perms;
+
+ ps_process_pattern($2, android_tools_t)
+ ps_process_pattern($2, android_java_t)
+
+ android_dbus_chat($2)
+')
+
+#########################################
+## <summary>
+## Execute the android tools commands in the
+## android tools domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+
+interface(`android_tools_domtrans',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, android_tools_exec_t, android_tools_t)
+')
+
+#########################################
+## <summary>
+## Send and receive messages from the android java
+## domain over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`android_dbus_chat',`
+ gen_require(`
+ type android_java_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 android_java_t:dbus send_msg;
+ allow android_java_t $1:dbus send_msg;
+')
diff --git a/policy/modules/contrib/android.te b/policy/modules/contrib/android.te
new file mode 100644
index 0000000..08f3c83
--- /dev/null
+++ b/policy/modules/contrib/android.te
@@ -0,0 +1,108 @@
+policy_module(android, 1.0.0)
+
+############################
+#
+# Declarations
+#
+
+# adb needs to be labelled with android_tools_exec_t
+type android_tools_t;
+type android_tools_exec_t; # customizable
+userdom_user_application_domain(android_tools_t, android_tools_exec_t)
+
+type android_tmp_t;
+userdom_user_tmp_file(android_tmp_t)
+
+# for X server SHM
+type android_tmpfs_t;
+userdom_user_tmpfs_file(android_tmpfs_t)
+
+type android_java_t;
+type android_java_exec_t;
+userdom_user_application_domain(android_java_t, android_java_exec_t)
+java_domain_type(android_java_t)
+
+# the android dir ~/.android/, ~/.AndroidStudio/
+# this is customizable since the sdk needs to be labelled
+type android_home_t; # customizable
+userdom_user_home_content(android_home_t)
+userdom_user_home_dir_filetrans(android_tools_t, android_home_t, { dir file })
+
+
+############################
+#
+# Android Tools Policy Rules
+#
+
+# this domain has access to usb and is intended for adb and fastboot
+# the java domain can run these tools
+
+allow android_tools_t self:process { execmem signal_perms };
+
+allow android_tools_t self:fifo_file rw_fifo_file_perms;
+allow android_tools_t self:tcp_socket create_stream_socket_perms;
+
+can_exec(android_tools_t, android_tools_exec_t)
+
+manage_dirs_pattern(android_tools_t, android_home_t, android_home_t)
+manage_files_pattern(android_tools_t, android_home_t, android_home_t)
+
+files_tmp_filetrans(android_tools_t, android_tmp_t, { file dir })
+manage_dirs_pattern(android_tools_t, android_tmp_t, android_tmp_t)
+manage_files_pattern(android_tools_t, android_tmp_t, android_tmp_t)
+
+corenet_tcp_bind_adb_port(android_tools_t)
+corenet_tcp_bind_generic_node(android_tools_t)
+corenet_tcp_connect_adb_port(android_tools_t)
+
+dev_rw_generic_usb_dev(android_tools_t)
+
+userdom_manage_user_home_content_dirs(android_tools_t)
+userdom_manage_user_home_content_files(android_tools_t)
+userdom_search_user_home_content(android_tools_t)
+userdom_use_user_terminals(android_tools_t)
+
+
+############################
+#
+# Android Java Policy Rules
+#
+
+# this domain is for java and android studio and
+# all the (java-based) build tools
+
+allow android_java_t self:tcp_socket { accept listen };
+
+can_exec(android_java_t, android_home_t)
+can_exec(android_java_t, android_java_exec_t)
+
+manage_dirs_pattern(android_java_t, android_home_t, android_home_t)
+manage_files_pattern(android_java_t, android_home_t, android_home_t)
+
+manage_dirs_pattern(android_java_t, android_tmp_t, android_tmp_t)
+manage_files_pattern(android_java_t, android_tmp_t, android_tmp_t)
+
+corecmd_exec_bin(android_java_t)
+corecmd_exec_shell(android_java_t)
+
+corenet_tcp_bind_all_unreserved_ports(android_java_t)
+corenet_tcp_bind_generic_node(android_java_t)
+corenet_tcp_connect_adb_port(android_tools_t)
+corenet_tcp_connect_http_port(android_tools_t)
+corenet_udp_bind_generic_node(android_java_t)
+
+miscfiles_read_fonts(android_java_t)
+miscfiles_read_localization(android_java_t)
+
+userdom_use_user_terminals(android_java_t)
+userdom_user_home_dir_filetrans(android_java_t, android_home_t, dir, ".android")
+userdom_user_home_dir_filetrans(android_java_t, android_home_t, dir, ".AndroidStudioBeta")
+userdom_user_home_dir_filetrans(android_java_t, android_home_t, dir, ".AndroidStudio")
+
+android_tools_domtrans(android_java_t)
+
+dbus_all_session_bus_client(android_java_t)
+
+xdg_read_config_home_files(android_java_t)
+
+xserver_user_x_domain_template(android_java, android_java_t, android_tmpfs_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
@ 2014-10-12 9:51 Jason Zaman
2014-10-25 19:21 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2014-10-12 9:51 UTC (permalink / raw
To: gentoo-commits
commit: b00d95d26533a2ee7ac99c90e26d7d4240ad9209
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Aug 18 09:51:22 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Sun Oct 12 09:51:25 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b00d95d2
Add java_domain_type interface
This interface will enable another domain to use Java without
having to domtrans to java_t
---
policy/modules/contrib/java.if | 34 ++++++++++++++++++++++++++++++++++
policy/modules/contrib/java.te | 3 +++
2 files changed, 37 insertions(+)
diff --git a/policy/modules/contrib/java.if b/policy/modules/contrib/java.if
index acf6a63..4b5e7a7 100644
--- a/policy/modules/contrib/java.if
+++ b/policy/modules/contrib/java.if
@@ -327,3 +327,37 @@ template(`java_noatsecure_domtrans',`
java_domtrans($1)
')
+
+# everything after here is gentoo-specific. ifdef's are not allowed for this unfortunately
+
+#######################################
+## <summary>
+## The template for using java in a domain.
+## </summary>
+## <desc>
+## <p>
+## This template creates a derived domains which are used
+## for java applications.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## The type of the domain to be given java privs.
+## </summary>
+## </param>
+#
+template(`java_domain_type',`
+ gen_require(`
+ attribute java_domain;
+ ')
+
+ ########################################
+ #
+ # Policy
+ #
+
+ typeattribute $1 java_domain;
+
+ # cannot be called on the attribute, so do it now
+ auth_use_nsswitch($1)
+')
diff --git a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te
index 11e996d..67af775 100644
--- a/policy/modules/contrib/java.te
+++ b/policy/modules/contrib/java.te
@@ -120,6 +120,9 @@ ifdef(`distro_gentoo',`
manage_dirs_pattern(java_domain, java_home_t, java_home_t)
manage_files_pattern(java_domain, java_home_t, java_home_t)
userdom_user_home_dir_filetrans(java_domain, java_home_t, dir, ".icedtea")
+
+ manage_lnk_files_pattern(java_domain, java_tmp_t, java_tmp_t)
+ files_tmp_filetrans(java_domain, java_tmp_t, lnk_file)
')
tunable_policy(`allow_java_execstack',`
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2014-10-12 9:51 [gentoo-commits] proj/hardened-refpolicy:perfinion " Jason Zaman
@ 2014-10-25 19:21 ` Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2014-10-25 19:21 UTC (permalink / raw
To: gentoo-commits
commit: b00d95d26533a2ee7ac99c90e26d7d4240ad9209
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Aug 18 09:51:22 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Sun Oct 12 09:51:25 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b00d95d2
Add java_domain_type interface
This interface will enable another domain to use Java without
having to domtrans to java_t
---
policy/modules/contrib/java.if | 34 ++++++++++++++++++++++++++++++++++
policy/modules/contrib/java.te | 3 +++
2 files changed, 37 insertions(+)
diff --git a/policy/modules/contrib/java.if b/policy/modules/contrib/java.if
index acf6a63..4b5e7a7 100644
--- a/policy/modules/contrib/java.if
+++ b/policy/modules/contrib/java.if
@@ -327,3 +327,37 @@ template(`java_noatsecure_domtrans',`
java_domtrans($1)
')
+
+# everything after here is gentoo-specific. ifdef's are not allowed for this unfortunately
+
+#######################################
+## <summary>
+## The template for using java in a domain.
+## </summary>
+## <desc>
+## <p>
+## This template creates a derived domains which are used
+## for java applications.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## The type of the domain to be given java privs.
+## </summary>
+## </param>
+#
+template(`java_domain_type',`
+ gen_require(`
+ attribute java_domain;
+ ')
+
+ ########################################
+ #
+ # Policy
+ #
+
+ typeattribute $1 java_domain;
+
+ # cannot be called on the attribute, so do it now
+ auth_use_nsswitch($1)
+')
diff --git a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te
index 11e996d..67af775 100644
--- a/policy/modules/contrib/java.te
+++ b/policy/modules/contrib/java.te
@@ -120,6 +120,9 @@ ifdef(`distro_gentoo',`
manage_dirs_pattern(java_domain, java_home_t, java_home_t)
manage_files_pattern(java_domain, java_home_t, java_home_t)
userdom_user_home_dir_filetrans(java_domain, java_home_t, dir, ".icedtea")
+
+ manage_lnk_files_pattern(java_domain, java_tmp_t, java_tmp_t)
+ files_tmp_filetrans(java_domain, java_tmp_t, lnk_file)
')
tunable_policy(`allow_java_execstack',`
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-10-12 8:27 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-10-12 8:27 UTC (permalink / raw
To: gentoo-commits
commit: 34865b2af29b5f3d6ef837ed6d5d3f97ab1d337d
Author: Lubomir Rintel <lkundrak <AT> v3 <DOT> sk>
AuthorDate: Wed Oct 1 09:39:17 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Oct 12 08:23:13 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=34865b2a
Allow NetworkManager to create Bluetooth SDP sockets
It's going to do the the discovery for DUN service for modems with Bluez 5.
---
policy/modules/contrib/networkmanager.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index 3f69757..b3deb5b 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -56,6 +56,7 @@ allow NetworkManager_t self:netlink_kobject_uevent_socket create_socket_perms;
allow NetworkManager_t self:tcp_socket { accept listen };
allow NetworkManager_t self:tun_socket { create_socket_perms relabelfrom relabelto };
allow NetworkManager_t self:packet_socket create_socket_perms;
+allow NetworkManager_t self:socket create_socket_perms;
allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto;
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-10-12 8:27 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-10-12 8:27 UTC (permalink / raw
To: gentoo-commits
commit: 63c4bbae315e8277a8323e88606853ad24feaa7f
Author: Dominick Grift <dac.override <AT> gmail <DOT> com>
AuthorDate: Wed Oct 1 10:35:50 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Oct 12 08:23:16 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=63c4bbae
Module version bump for changes to the networkmanager modules by Lubomir Rintel
---
policy/modules/contrib/networkmanager.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index b3deb5b..07701fd 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -1,4 +1,4 @@
-policy_module(networkmanager, 1.16.1)
+policy_module(networkmanager, 1.16.2)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-09-13 9:38 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-09-13 9:38 UTC (permalink / raw
To: gentoo-commits
commit: 146e952a40fd58ae69176dfdde31d389cc516c2d
Author: Dominick Grift <dac.override <AT> gmail <DOT> com>
AuthorDate: Tue Sep 9 16:12:02 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Sep 13 09:16:55 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=146e952a
cron: that boolean identifier does not exist also require it
---
policy/modules/contrib/cron.if | 4 ++--
policy/modules/contrib/cron.te | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/policy/modules/contrib/cron.if b/policy/modules/contrib/cron.if
index 893ff91..868d89f 100644
--- a/policy/modules/contrib/cron.if
+++ b/policy/modules/contrib/cron.if
@@ -223,7 +223,7 @@ interface(`cron_admin_role',`
type cronjob_t, crontab_exec_t, admin_crontab_t;
class passwd crontab;
type crond_t, crond_var_run_t, user_cron_spool_t;
- bool cron_userdomain_transition;
+ bool cron_userdomain_transition, fcron_crond;
')
##############################
@@ -277,7 +277,7 @@ interface(`cron_admin_role',`
dontaudit $2 cronjob_t:process { ptrace signal_perms };
')
- tunable_policy(`crond_fcron',`
+ tunable_policy(`fcron_crond',`
# Support for fcrondyn
stream_connect_pattern($2, crond_var_run_t, crond_var_run_t, crond_t)
')
diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te
index 237c2a6..0555125 100644
--- a/policy/modules/contrib/cron.te
+++ b/policy/modules/contrib/cron.te
@@ -1,4 +1,4 @@
-policy_module(cron, 2.7.1)
+policy_module(cron, 2.7.2)
gen_require(`
class passwd rootok;
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-09-13 9:38 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-09-13 9:38 UTC (permalink / raw
To: gentoo-commits
commit: d46331160bf316a8b836c7730177b046599f6dd2
Author: Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org>
AuthorDate: Sun Sep 7 21:32:21 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Sep 13 09:16:50 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=d4633116
Allow loadkeys to read usr_t files
loadeys loads a keymap from files in /usr.
Debian console-data package installs keymaps in /usr/share/keymaps [1].
Arch Linux kbd package installs keymaps in /usr/share/kbd/keymaps [2].
[1] https://packages.debian.org/sid/all/console-data/filelist
[2] https://www.archlinux.org/packages/core/x86_64/kbd/files/
---
policy/modules/contrib/loadkeys.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/contrib/loadkeys.te b/policy/modules/contrib/loadkeys.te
index d2f4643..72ba702 100644
--- a/policy/modules/contrib/loadkeys.te
+++ b/policy/modules/contrib/loadkeys.te
@@ -27,6 +27,8 @@ corecmd_exec_shell(loadkeys_t)
files_read_etc_files(loadkeys_t)
files_read_etc_runtime_files(loadkeys_t)
+# keymap files are in /usr/share/keymaps or /usr/share/kbd/keymaps
+files_read_usr_files(loadkeys_t)
term_dontaudit_use_console(loadkeys_t)
term_use_unallocated_ttys(loadkeys_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-09-13 9:38 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-09-13 9:38 UTC (permalink / raw
To: gentoo-commits
commit: 412bf80ea01c436b6f0afc2338fd3fc3951d527a
Author: Dominick Grift <dac.override <AT> gmail <DOT> com>
AuthorDate: Mon Sep 8 16:05:53 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Sep 13 09:16:53 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=412bf80e
Module version bump for changes to the loadkeys module by Nicolas Iooss
---
policy/modules/contrib/loadkeys.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/loadkeys.te b/policy/modules/contrib/loadkeys.te
index 72ba702..f987c9e 100644
--- a/policy/modules/contrib/loadkeys.te
+++ b/policy/modules/contrib/loadkeys.te
@@ -1,4 +1,4 @@
-policy_module(loadkeys, 1.9.0)
+policy_module(loadkeys, 1.9.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
@ 2014-09-03 19:37 Jason Zaman
2014-09-03 19:36 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
0 siblings, 1 reply; 1958+ messages in thread
From: Jason Zaman @ 2014-09-03 19:37 UTC (permalink / raw
To: gentoo-commits
commit: 2836736274aabe6830e1dc7b93932bc3a7500408
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Sep 3 19:35:46 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Wed Sep 3 19:35:46 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=28367362
fcontext for bluetoothd on gentoo
---
policy/modules/contrib/bluetooth.fc | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/policy/modules/contrib/bluetooth.fc b/policy/modules/contrib/bluetooth.fc
index 2b9c7f3..a28101f 100644
--- a/policy/modules/contrib/bluetooth.fc
+++ b/policy/modules/contrib/bluetooth.fc
@@ -22,3 +22,8 @@
/var/run/bluetoothd_address -- gen_context(system_u:object_r:bluetooth_var_run_t,s0)
/var/run/sdp -s gen_context(system_u:object_r:bluetooth_var_run_t,s0)
+
+
+ifdef(`distro_gentoo',`
+/usr/libexec/bluetooth/bluetoothd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-09-01 20:42 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2014-09-01 20:42 UTC (permalink / raw
To: gentoo-commits
commit: 621ad99c174a0b00b178fdb06bdec20a653cdefb
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Aug 31 20:00:17 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Mon Sep 1 20:39:27 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=621ad99c
add xdg_config support to pulseaudio
---
policy/modules/contrib/pulseaudio.fc | 5 +++++
policy/modules/contrib/pulseaudio.te | 20 ++++++++++++++++++++
2 files changed, 25 insertions(+)
diff --git a/policy/modules/contrib/pulseaudio.fc b/policy/modules/contrib/pulseaudio.fc
index 6864479..9cc63f6 100644
--- a/policy/modules/contrib/pulseaudio.fc
+++ b/policy/modules/contrib/pulseaudio.fc
@@ -7,3 +7,8 @@ HOME_DIR/\.pulse-cookie -- gen_context(system_u:object_r:pulseaudio_home_t,s0)
/var/lib/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0)
/var/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0)
+
+
+ifdef(`distro_gentoo',`
+HOME_DIR/\.config/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_xdg_config_t,s0)
+')
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index 4665af2..dfb06a9 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -257,3 +257,23 @@ optional_policy(`
optional_policy(`
unconfined_signull(pulseaudio_client)
')
+
+ifdef(`distro_gentoo',`
+ type pulseaudio_xdg_config_t;
+ xdg_config_home_content(pulseaudio_xdg_config_t)
+
+ # create ~/.config/pulse/
+ manage_files_pattern(pulseaudio_t, pulseaudio_xdg_config_t, pulseaudio_xdg_config_t)
+ manage_lnk_files_pattern(pulseaudio_t, pulseaudio_xdg_config_t, pulseaudio_xdg_config_t)
+ manage_dirs_pattern(pulseaudio_t, pulseaudio_xdg_config_t, pulseaudio_xdg_config_t)
+ xdg_config_home_filetrans(pulseaudio_t, pulseaudio_xdg_config_t, dir, "pulse")
+
+ # pulseaudio cannot manage the files from its clients
+ allow pulseaudio_t pulseaudio_tmpfsfile:file manage_file_perms;
+
+ # pulseaudio client perms on ~/.config/pulse/
+ manage_files_pattern(pulseaudio_client, pulseaudio_xdg_config_t, pulseaudio_xdg_config_t)
+ manage_lnk_files_pattern(pulseaudio_client, pulseaudio_xdg_config_t, pulseaudio_xdg_config_t)
+ manage_dirs_pattern(pulseaudio_client, pulseaudio_xdg_config_t, pulseaudio_xdg_config_t)
+ xdg_config_home_filetrans(pulseaudio_client, pulseaudio_xdg_config_t, dir, "pulse")
+')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-09-01 20:42 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2014-09-01 20:42 UTC (permalink / raw
To: gentoo-commits
commit: 6d5e567b05cc42a77d19ada93bdc723239efc1ec
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Aug 31 20:48:12 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Mon Sep 1 20:40:57 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=6d5e567b
allow chromium to use pulseaudio
---
policy/modules/contrib/chromium.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/chromium.te b/policy/modules/contrib/chromium.te
index 48a0abd..e5aa5aa 100644
--- a/policy/modules/contrib/chromium.te
+++ b/policy/modules/contrib/chromium.te
@@ -240,6 +240,10 @@ ifdef(`use_alsa',`
optional_policy(`
alsa_domain(chromium_t, chromium_tmpfs_t)
')
+
+ optional_policy(`
+ pulseaudio_client_domain(chromium_t, chromium_tmpfs_t)
+ ')
')
########################################
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-09-01 20:11 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-09-01 20:11 UTC (permalink / raw
To: gentoo-commits
commit: 46d6e0a6f3eeadd6a61d468f7eff459c94fd6802
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon Sep 1 20:04:43 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Sep 1 20:04:43 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=46d6e0a6
Courier has imap managed through courier_pop_t as well, so remove gentoo comment block for IMAP
---
policy/modules/contrib/courier.te | 8 +-------
1 file changed, 1 insertion(+), 7 deletions(-)
diff --git a/policy/modules/contrib/courier.te b/policy/modules/contrib/courier.te
index 11aad5a..4fdfade 100644
--- a/policy/modules/contrib/courier.te
+++ b/policy/modules/contrib/courier.te
@@ -199,13 +199,7 @@ ifdef(`distro_gentoo',`
########################################
#
- # Courier imap daemon policy
- #
-
-
- ########################################
- #
- # Courier pop daemon policy
+ # Courier imap/pop daemon policy
#
files_search_var_lib(courier_pop_t)
search_dirs_pattern(courier_pop_t, courier_var_lib_t, courier_var_lib_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-09-01 20:11 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-09-01 20:11 UTC (permalink / raw
To: gentoo-commits
commit: c1a2275dd401ad5c2fc58916c3e33dcdaa00deba
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon Sep 1 20:02:48 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Sep 1 20:02:48 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=c1a2275d
Courier authdaemon default socket location is in /var/lib
---
policy/modules/contrib/courier.fc | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/policy/modules/contrib/courier.fc b/policy/modules/contrib/courier.fc
index 2f017a0..c0f288b 100644
--- a/policy/modules/contrib/courier.fc
+++ b/policy/modules/contrib/courier.fc
@@ -30,3 +30,8 @@
/var/spool/authdaemon(/.*)? gen_context(system_u:object_r:courier_spool_t,s0)
/var/spool/courier(/.*)? gen_context(system_u:object_r:courier_spool_t,s0)
+
+ifdef(`distro_gentoo',`
+# Default location for authdaemon socket, should be /var/run imo but meh
+/var/lib/courier/authdaemon(/.*)? gen_context(system_u:object_r:courier_var_run_t,s0)
+')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-09-01 20:11 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-09-01 20:11 UTC (permalink / raw
To: gentoo-commits
commit: e729b10da16a724809e099b2f10f2fca51b8222d
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon Sep 1 20:09:19 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Sep 1 20:09:19 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e729b10d
courier_pop_t executes script to start user session
---
policy/modules/contrib/courier.te | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/courier.te b/policy/modules/contrib/courier.te
index 58faaf7..213a094 100644
--- a/policy/modules/contrib/courier.te
+++ b/policy/modules/contrib/courier.te
@@ -208,7 +208,10 @@ ifdef(`distro_gentoo',`
files_search_var_lib(courier_pop_t)
search_dirs_pattern(courier_pop_t, courier_var_lib_t, courier_var_lib_t)
read_lnk_files_pattern(courier_pop_t, courier_var_lib_t, courier_var_lib_t)
-
+
+ # Executes script /usr/lib64/courier-imap/courier-imapd.indirect after authentication and to start user session
+ corecmd_exec_shell(courier_pop_t)
+
courier_authdaemon_rw_inherited_stream_sockets(courier_pop_t)
########################################
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-09-01 20:11 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-09-01 20:11 UTC (permalink / raw
To: gentoo-commits
commit: c604f614aeae6674059c83c4e1d574a1c115e7df
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon Sep 1 20:07:38 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Sep 1 20:07:38 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=c604f614
After succesful authentication, the courier_pop_t session uses setuid/setgid to switch to the proper user credentials to access the user mailbox
---
policy/modules/contrib/courier.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/courier.te b/policy/modules/contrib/courier.te
index 4fdfade..58faaf7 100644
--- a/policy/modules/contrib/courier.te
+++ b/policy/modules/contrib/courier.te
@@ -201,6 +201,10 @@ ifdef(`distro_gentoo',`
#
# Courier imap/pop daemon policy
#
+
+ # Switch after succesfull authentication
+ allow courier_pop_t self:capability { setuid setgid };
+
files_search_var_lib(courier_pop_t)
search_dirs_pattern(courier_pop_t, courier_var_lib_t, courier_var_lib_t)
read_lnk_files_pattern(courier_pop_t, courier_var_lib_t, courier_var_lib_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-08-31 16:07 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-08-31 16:07 UTC (permalink / raw
To: gentoo-commits
commit: b1e0a75ca9dd68264191b04214a4e18d4312b8fc
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Aug 31 16:04:34 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Aug 31 16:04:34 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b1e0a75c
Move gentoo specifics downward
---
policy/modules/contrib/courier.te | 53 ++++++++++++++++++++++++---------------
1 file changed, 33 insertions(+), 20 deletions(-)
diff --git a/policy/modules/contrib/courier.te b/policy/modules/contrib/courier.te
index 9bd64f5..5660ef5 100644
--- a/policy/modules/contrib/courier.te
+++ b/policy/modules/contrib/courier.te
@@ -116,10 +116,6 @@ miscfiles_read_localization(courier_authdaemon_t)
userdom_dontaudit_search_user_home_dirs(courier_authdaemon_t)
-ifdef(`distro_gentoo',`
- read_lnk_files_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t)
-')
-
########################################
#
# Calendar (PCP) local policy
@@ -148,14 +144,6 @@ miscfiles_read_localization(courier_pop_t)
userdom_manage_user_home_content_files(courier_pop_t)
userdom_manage_user_home_content_dirs(courier_pop_t)
-ifdef(`distro_gentoo',`
- files_search_var_lib(courier_pop_t)
- search_dirs_pattern(courier_pop_t, courier_var_lib_t, courier_var_lib_t)
- read_lnk_files_pattern(courier_pop_t, courier_var_lib_t, courier_var_lib_t)
-
- courier_authdaemon_rw_inherited_stream_sockets(courier_pop_t)
-')
-
########################################
#
# TCPd local policy
@@ -186,11 +174,6 @@ dev_read_urand(courier_tcpd_t)
miscfiles_read_localization(courier_tcpd_t)
-ifdef(`distro_gentoo',`
- courier_authdaemon_stream_connect(courier_tcpd_t)
- courier_domtrans_authdaemon(courier_tcpd_t)
-')
-
########################################
#
# Webmail local policy
@@ -198,12 +181,42 @@ ifdef(`distro_gentoo',`
kernel_read_kernel_sysctls(courier_sqwebmail_t)
+optional_policy(`
+ cron_system_entry(courier_sqwebmail_t, courier_sqwebmail_exec_t)
+')
+
ifdef(`distro_gentoo',`
+
+ ########################################
+ #
+ # Courier authdaemon policy
+ #
+ read_lnk_files_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t)
+
optional_policy(`
mysql_stream_connect(courier_authdaemon_t)
')
-')
-optional_policy(`
- cron_system_entry(courier_sqwebmail_t, courier_sqwebmail_exec_t)
+ ########################################
+ #
+ # Courier imap daemon policy
+ #
+
+
+ ########################################
+ #
+ # Courier pop daemon policy
+ #
+ files_search_var_lib(courier_pop_t)
+ search_dirs_pattern(courier_pop_t, courier_var_lib_t, courier_var_lib_t)
+ read_lnk_files_pattern(courier_pop_t, courier_var_lib_t, courier_var_lib_t)
+
+ courier_authdaemon_rw_inherited_stream_sockets(courier_pop_t)
+
+ ########################################
+ #
+ # Courier tcpd daemon policy
+ #
+ courier_authdaemon_stream_connect(courier_tcpd_t)
+ courier_domtrans_authdaemon(courier_tcpd_t)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-08-31 16:07 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-08-31 16:07 UTC (permalink / raw
To: gentoo-commits
commit: 32884aa76d0438d43b8dc42acfe4c17443690d69
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Aug 31 16:06:57 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Aug 31 16:06:57 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=32884aa7
Courier imapd creates pid in /var/run by default
---
policy/modules/contrib/courier.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/courier.te b/policy/modules/contrib/courier.te
index 5660ef5..11aad5a 100644
--- a/policy/modules/contrib/courier.te
+++ b/policy/modules/contrib/courier.te
@@ -217,6 +217,10 @@ ifdef(`distro_gentoo',`
#
# Courier tcpd daemon policy
#
+
+ # Startup of courier-imapd creates /var/run/imapd.pid.lock and imapd.lock
+ files_pid_filetrans(courier_tcpd_t, courier_var_run_t, file)
+
courier_authdaemon_stream_connect(courier_tcpd_t)
courier_domtrans_authdaemon(courier_tcpd_t)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-08-30 20:16 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-08-30 20:16 UTC (permalink / raw
To: gentoo-commits
commit: 02fa620d3ded0f4b2eeca78cb7c6bb13542c19af
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Aug 30 20:15:48 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Aug 30 20:15:48 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=02fa620d
Updates on salt policy - interaction with postfix
---
policy/modules/contrib/salt.te | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te
index 180305f..279edfb 100644
--- a/policy/modules/contrib/salt.te
+++ b/policy/modules/contrib/salt.te
@@ -200,7 +200,7 @@ tunable_policy(`salt_master_read_nfs',`
allow salt_minion_t self:capability { fsetid chown net_admin sys_admin sys_tty_config };
allow salt_minion_t self:capability2 block_suspend;
-allow salt_minion_t self:process { signull };
+allow salt_minion_t self:process { signal signull };
allow salt_minion_t self:tcp_socket create_stream_socket_perms;
allow salt_minion_t self:udp_socket create_socket_perms;
allow salt_minion_t self:unix_dgram_socket create_socket_perms;
@@ -277,8 +277,12 @@ fs_getattr_all_fs(salt_minion_t)
getty_use_fds(salt_minion_t)
+init_exec_rc(salt_minion_t)
+
miscfiles_read_localization(salt_minion_t)
+seutil_domtrans_setfiles(salt_minion_t)
+
sysnet_exec_ifconfig(salt_minion_t)
sysnet_read_config(salt_minion_t)
@@ -298,6 +302,11 @@ optional_policy(`
')
optional_policy(`
+ postfix_domtrans_master(salt_minion_t)
+ postfix_run_map(salt_minion_t, salt_minion_roles)
+')
+
+optional_policy(`
shutdown_domtrans(salt_minion_t)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-08-29 19:03 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-08-29 19:03 UTC (permalink / raw
To: gentoo-commits
commit: 681df9189b527624d63cda4e49dc8b9359f2fa87
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Aug 29 19:03:29 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Aug 29 19:03:29 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=681df918
Allow salt minions to shut down the system
---
policy/modules/contrib/salt.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te
index b8cc1a4..180305f 100644
--- a/policy/modules/contrib/salt.te
+++ b/policy/modules/contrib/salt.te
@@ -298,6 +298,10 @@ optional_policy(`
')
optional_policy(`
+ shutdown_domtrans(salt_minion_t)
+')
+
+optional_policy(`
usermanage_run_groupadd(salt_minion_t, salt_minion_roles)
usermanage_run_passwd(salt_minion_t, salt_minion_roles)
usermanage_run_useradd(salt_minion_t, salt_minion_roles)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-08-26 15:26 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-08-26 15:26 UTC (permalink / raw
To: gentoo-commits
commit: aa318c0ec7e586ed427bb60e1ce5eb9d59b33717
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Aug 26 15:26:24 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Aug 26 15:26:24 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=aa318c0e
Add read privs to system_dbusd_var_lib_t files for system dbus clients
---
policy/modules/contrib/dbus.if | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/policy/modules/contrib/dbus.if b/policy/modules/contrib/dbus.if
index 21e8b5c..077dabc 100644
--- a/policy/modules/contrib/dbus.if
+++ b/policy/modules/contrib/dbus.if
@@ -126,6 +126,11 @@ interface(`dbus_system_bus_client',`
stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t)
dbus_read_config($1)
+
+ ifdef(`distro_gentoo',`
+ # The /var/lib/dbus/machine-id file is a link to /etc/machine-id
+ read_lnk_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+ ')
')
#######################################
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-08-26 14:55 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-08-26 14:55 UTC (permalink / raw
To: gentoo-commits
commit: 88f3dbf5838fe740099039c3dd29428442d14d43
Author: Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org>
AuthorDate: Sat Aug 23 11:41:10 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Aug 26 14:54:24 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=88f3dbf5
Label /usr/lib/networkmanager/ like /usr/lib/NetworkManager/
On ArchLinux the directory name of Network Manager in /usr/lib is
written in lowercase but not the files in /usr/bin, /var/lib, etc.
---
policy/modules/contrib/networkmanager.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/networkmanager.fc b/policy/modules/contrib/networkmanager.fc
index 7b80c1e..bbf3bba 100644
--- a/policy/modules/contrib/networkmanager.fc
+++ b/policy/modules/contrib/networkmanager.fc
@@ -14,6 +14,7 @@
/etc/wicd/wired-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
/usr/lib/NetworkManager/nm-dispatcher\.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
+/usr/lib/networkmanager/nm-dispatcher\.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
/usr/libexec/nm-dispatcher\.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-08-26 14:55 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-08-26 14:55 UTC (permalink / raw
To: gentoo-commits
commit: 3d46c99b1f404344a6f5c3bdc7419389a650f6d0
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue Aug 26 13:35:26 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Aug 26 14:54:27 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=3d46c99b
Module version bump for NetworkManager fc fix for ArchLinux from Nicolas Iooss.
---
policy/modules/contrib/networkmanager.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index f70479a..3f69757 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -1,4 +1,4 @@
-policy_module(networkmanager, 1.16.0)
+policy_module(networkmanager, 1.16.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-08-22 17:55 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-08-22 17:55 UTC (permalink / raw
To: gentoo-commits
commit: 8872be65d073445f6bf62fe2ac1715049f851170
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Aug 22 17:54:41 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Aug 22 17:54:41 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=8872be65
Allow admins to interact with vde through vdeterm application (using vde socket)
---
policy/modules/contrib/vde.if | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/vde.if b/policy/modules/contrib/vde.if
index af85ea3..4a9c208 100644
--- a/policy/modules/contrib/vde.if
+++ b/policy/modules/contrib/vde.if
@@ -26,6 +26,7 @@ interface(`vde_role',`
role $1 types vde_t;
allow $2 vde_t:process { ptrace signal_perms };
+ allow $2 vde_t:unix_stream_socket connectto;
allow vde_t $2:process { sigchld signull };
allow vde_t $2:fd use;
allow vde_t $2:tun_socket { relabelfrom };
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-08-19 20:16 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-08-19 20:16 UTC (permalink / raw
To: gentoo-commits
commit: 8536b0d09cab98d71c8efac29e5c0bed93563807
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Aug 19 20:16:33 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Aug 19 20:16:33 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=8536b0d0
Add filetrans for ~/.pki
---
policy/modules/contrib/chromium.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/chromium.te b/policy/modules/contrib/chromium.te
index 0f72dd7..48a0abd 100644
--- a/policy/modules/contrib/chromium.te
+++ b/policy/modules/contrib/chromium.te
@@ -157,6 +157,7 @@ miscfiles_manage_user_certs(chromium_t)
miscfiles_read_all_certs(chromium_t)
miscfiles_read_localization(chromium_t)
miscfiles_user_home_dir_filetrans_cert_home(chromium_t, dir, ".nss")
+miscfiles_user_home_dir_filetrans_cert_home(chromium_t, dir, ".pki")
sysnet_dns_name_resolve(chromium_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-08-19 20:05 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-08-19 20:05 UTC (permalink / raw
To: gentoo-commits
commit: cf031f5133b0603f71a8690db53a7afa4a25a1c9
Author: Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Tue Aug 12 12:08:44 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Aug 19 20:05:33 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=cf031f51
irc.te: Allow irssi to re-execute itself
---
policy/modules/contrib/irc.te | 3 +++
1 file changed, 3 insertions(+)
diff --git a/policy/modules/contrib/irc.te b/policy/modules/contrib/irc.te
index 070c5c6..4899a0d 100644
--- a/policy/modules/contrib/irc.te
+++ b/policy/modules/contrib/irc.te
@@ -70,6 +70,9 @@ files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file })
kernel_read_system_state(irc_t)
+can_exec(irc_t, irc_exec_t)
+corecmd_search_bin(irc_t)
+
corenet_all_recvfrom_unlabeled(irc_t)
corenet_all_recvfrom_netlabel(irc_t)
corenet_tcp_sendrecv_generic_if(irc_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-08-19 20:05 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-08-19 20:05 UTC (permalink / raw
To: gentoo-commits
commit: 1b60b7fbeb93d351f8ee41b4666266c52d91b73c
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue Aug 19 12:51:43 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Aug 19 20:05:36 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=1b60b7fb
Module version bump for irc re-exec itself patch from Luis Ressel.
---
policy/modules/contrib/irc.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/irc.te b/policy/modules/contrib/irc.te
index 024c4fd..de93459 100644
--- a/policy/modules/contrib/irc.te
+++ b/policy/modules/contrib/irc.te
@@ -1,4 +1,4 @@
-policy_module(irc, 2.4.0)
+policy_module(irc, 2.4.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-08-19 20:05 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-08-19 20:05 UTC (permalink / raw
To: gentoo-commits
commit: e80dbd9f643e80a8cd406919a4a3c83ace838f1c
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue Aug 19 12:51:23 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Aug 19 20:05:35 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e80dbd9f
Move irc exec lines.
---
policy/modules/contrib/irc.te | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/policy/modules/contrib/irc.te b/policy/modules/contrib/irc.te
index 4899a0d..024c4fd 100644
--- a/policy/modules/contrib/irc.te
+++ b/policy/modules/contrib/irc.te
@@ -50,6 +50,9 @@ allow irc_t self:unix_stream_socket { accept listen };
allow irc_t irc_conf_t:file read_file_perms;
+can_exec(irc_t, irc_exec_t)
+corecmd_search_bin(irc_t)
+
manage_dirs_pattern(irc_t, irc_home_t, irc_home_t)
manage_files_pattern(irc_t, irc_home_t, irc_home_t)
manage_lnk_files_pattern(irc_t, irc_home_t, irc_home_t)
@@ -70,9 +73,6 @@ files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file })
kernel_read_system_state(irc_t)
-can_exec(irc_t, irc_exec_t)
-corecmd_search_bin(irc_t)
-
corenet_all_recvfrom_unlabeled(irc_t)
corenet_all_recvfrom_netlabel(irc_t)
corenet_tcp_sendrecv_generic_if(irc_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-08-19 9:19 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2014-08-19 9:19 UTC (permalink / raw
To: gentoo-commits
commit: ab68207e7d256eb40416d707b31c8cec87e3ca19
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Aug 10 18:03:34 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Fri Aug 15 13:36:52 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ab68207e
Introducing Salt policy
Salt (or Staltstack) is a system and configuration management solution,
build on Python. This policy introduces support for the salt master (the
system managing the configuration repository) and salt minion (the
agents on the target systems that pull configuration information from
the master).
---
policy/modules/contrib/salt.fc | 29 ++++
policy/modules/contrib/salt.if | 88 ++++++++++++
policy/modules/contrib/salt.te | 308 +++++++++++++++++++++++++++++++++++++++++
3 files changed, 425 insertions(+)
diff --git a/policy/modules/contrib/salt.fc b/policy/modules/contrib/salt.fc
new file mode 100644
index 0000000..399f5ad
--- /dev/null
+++ b/policy/modules/contrib/salt.fc
@@ -0,0 +1,29 @@
+/etc/salt(/.*)? gen_context(system_u:object_r:salt_etc_t,s0)
+/etc/salt/pki(/.*)? gen_context(system_u:object_r:salt_pki_t,s0)
+/etc/salt/pki/master(/.*)? gen_context(system_u:object_r:salt_master_pki_t,s0)
+/etc/salt/pki/minion(/.*)? gen_context(system_u:object_r:salt_minion_pki_t,s0)
+
+/etc/rc\.d/init\.d/salt-master -- gen_context(system_u:object_r:salt_master_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/salt-minion -- gen_context(system_u:object_r:salt_minion_initrc_exec_t,s0)
+
+/usr/lib/python-exec/python[0-9]?\.[0-9]?/salt-master -- gen_context(system_u:object_r:salt_master_exec_t,s0)
+/usr/lib/python-exec/python[0-9]?\.[0-9]?/salt-minion -- gen_context(system_u:object_r:salt_minion_exec_t,s0)
+
+/usr/bin/salt-master -- gen_context(system_u:object_r:salt_master_exec_t,s0)
+/usr/bin/salt-minion -- gen_context(system_u:object_r:salt_minion_exec_t,s0)
+
+/var/log/salt -d gen_context(system_u:object_r:salt_log_t,s0)
+/var/log/salt/master -- gen_context(system_u:object_r:salt_master_log_t,s0)
+/var/log/salt/minion -- gen_context(system_u:object_r:salt_minion_log_t,s0)
+
+/var/run/salt -d gen_context(system_u:object_r:salt_var_run_t,s0)
+/var/run/salt/master(/.*)? gen_context(system_u:object_r:salt_master_var_run_t,s0)
+/var/run/salt/minion(/.*)? gen_context(system_u:object_r:salt_minion_var_run_t,s0)
+/var/run/salt-master\.pid -- gen_context(system_u:object_r:salt_master_var_run_t,s0)
+/var/run/salt-minion\.pid -- gen_context(system_u:object_r:salt_minion_var_run_t,s0)
+
+/var/cache/salt -d gen_context(system_u:object_r:salt_cache_t,s0)
+/var/cache/salt/master(/.*)? gen_context(system_u:object_r:salt_master_cache_t,s0)
+/var/cache/salt/minion(/.*)? gen_context(system_u:object_r:salt_minion_cache_t,s0)
+
+/srv/salt(/.*)? gen_context(system_u:object_r:salt_sls_t,s0)
diff --git a/policy/modules/contrib/salt.if b/policy/modules/contrib/salt.if
new file mode 100644
index 0000000..7ab9e6b
--- /dev/null
+++ b/policy/modules/contrib/salt.if
@@ -0,0 +1,88 @@
+## <summary>Infrastructure management toolset</summary>
+
+#########################################
+## <summary>
+## All the rules required to administer a salt master environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+#
+interface(`salt_admin_master',`
+ gen_require(`
+ type salt_master_t;
+ type salt_master_initrc_exec_t;
+ type salt_master_exec_t;
+ type salt_etc_t;
+ type salt_var_run_t;
+ type salt_master_var_run_t;
+ attribute_role salt_master_roles;
+ ')
+
+ allow $1 salt_master_t:process { ptrace signal_perms };
+ ps_process_pattern($1, salt_master_t)
+
+ init_labeled_script_domtrans($1, salt_master_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 salt_master_initrc_exec_t system_r;
+
+ # for debugging?
+ role_transition $2 salt_master_exec_t system_r;
+ domtrans_pattern($1, salt_master_exec_t, salt_master_t)
+
+ roleattribute $2 salt_master_roles;
+
+ files_list_etc($1)
+ admin_pattern($1, salt_etc_t, salt_etc_t)
+
+ allow $1 salt_var_run_t:dir search_dir_perms;
+ stream_connect_pattern($1, salt_master_var_run_t, salt_master_var_run_t, salt_master_t)
+')
+
+#########################################
+## <summary>
+## All the rules required to administer a salt minion environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+#
+interface(`salt_admin_minion',`
+ gen_require(`
+ type salt_minion_t;
+ type salt_minion_initrc_exec_t;
+ type salt_minion_exec_t;
+ type salt_etc_t;
+ attribute_role salt_minion_roles;
+ ')
+
+ allow $1 salt_minion_t:process { ptrace signal_perms };
+ ps_process_pattern($1, salt_minion_t)
+
+ init_labeled_script_domtrans($1, salt_minion_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 salt_minion_initrc_exec_t system_r;
+
+ # for debugging
+ role_transition $2 salt_minion_exec_t system_r;
+ domtrans_pattern($1, salt_minion_exec_t, salt_minion_t)
+
+ roleattribute $2 salt_minion_roles;
+
+ files_list_etc($1)
+ admin_pattern($1, salt_etc_t, salt_etc_t)
+')
diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te
new file mode 100644
index 0000000..b8cc1a4
--- /dev/null
+++ b/policy/modules/contrib/salt.te
@@ -0,0 +1,308 @@
+policy_module(salt, 1.0)
+
+#########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine wether the salt master can read NFS files
+## </p>
+## </desc>
+gen_tunable(salt_master_read_nfs, false)
+
+## <desc>
+## <p>
+## Determine wether the salt minion can manage NFS files
+## </p>
+## </desc>
+gen_tunable(salt_minion_manage_nfs, false)
+
+attribute_role salt_master_roles;
+roleattribute system_r salt_master_roles;
+
+attribute_role salt_minion_roles;
+roleattribute system_r salt_minion_roles;
+
+type salt_master_t;
+type salt_master_exec_t;
+init_daemon_domain(salt_master_t, salt_master_exec_t)
+role salt_master_roles types salt_master_t;
+
+type salt_master_cache_t;
+files_type(salt_master_cache_t)
+
+type salt_master_initrc_exec_t;
+init_script_file(salt_master_initrc_exec_t)
+
+type salt_master_log_t;
+logging_log_file(salt_master_log_t)
+
+type salt_master_pki_t;
+files_type(salt_master_pki_t)
+
+type salt_master_tmp_t;
+files_tmp_file(salt_master_tmp_t)
+
+type salt_master_var_run_t;
+init_daemon_pid_file(salt_master_var_run_t, file, "salt-master.pid")
+files_pid_file(salt_master_var_run_t)
+
+type salt_minion_t;
+type salt_minion_exec_t;
+init_daemon_domain(salt_minion_t, salt_minion_exec_t)
+role salt_minion_roles types salt_minion_t;
+
+type salt_minion_cache_t;
+files_type(salt_minion_cache_t)
+
+type salt_minion_initrc_exec_t;
+init_script_file(salt_minion_initrc_exec_t)
+
+type salt_minion_log_t;
+logging_log_file(salt_minion_log_t)
+
+type salt_minion_pki_t;
+files_type(salt_minion_pki_t)
+
+type salt_minion_tmp_t;
+files_tmp_file(salt_minion_tmp_t)
+
+type salt_minion_var_run_t;
+init_daemon_pid_file(salt_minion_var_run_t, file, "salt-minion.pid")
+files_pid_file(salt_minion_var_run_t)
+
+type salt_cache_t;
+files_type(salt_cache_t)
+
+type salt_etc_t;
+files_config_file(salt_etc_t)
+
+type salt_log_t;
+logging_log_file(salt_log_t)
+
+type salt_sls_t;
+files_type(salt_sls_t)
+
+type salt_pki_t;
+files_type(salt_pki_t)
+
+type salt_var_run_t;
+files_pid_file(salt_var_run_t)
+
+#########################################
+#
+# salt_master_t policy
+#
+
+allow salt_master_t self:capability { net_admin sys_admin sys_tty_config };
+allow salt_master_t self:capability2 block_suspend;
+allow salt_master_t self:process signal;
+allow salt_master_t self:tcp_socket create_stream_socket_perms;
+allow salt_master_t self:udp_socket create_socket_perms;
+allow salt_master_t self:fifo_file rw_fifo_file_perms;
+allow salt_master_t self:netlink_route_socket rw_netlink_socket_perms;
+allow salt_master_t self:unix_stream_socket connectto;
+allow salt_master_t self:unix_dgram_socket create_socket_perms;
+
+# salt_cache_t
+allow salt_master_t salt_cache_t:dir create_dir_perms;
+files_var_filetrans(salt_master_t, salt_cache_t, dir, "salt")
+
+# salt_etc_t
+read_files_pattern(salt_master_t, salt_etc_t, salt_etc_t)
+list_dirs_pattern(salt_master_t, salt_etc_t, salt_etc_t)
+
+# salt_log_t
+allow salt_master_t salt_log_t:dir create_dir_perms;
+logging_log_filetrans(salt_master_t, salt_log_t, dir, "salt")
+
+# salt_master_cache_t
+manage_dirs_pattern(salt_master_t, salt_cache_t, salt_master_cache_t)
+allow salt_master_t salt_master_cache_t:file manage_file_perms;
+filetrans_pattern(salt_master_t, salt_cache_t, salt_master_cache_t, dir, "master")
+
+# salt_master_log_t
+manage_files_pattern(salt_master_t, salt_log_t, salt_master_log_t)
+manage_dirs_pattern(salt_master_t, salt_log_t, salt_master_log_t)
+filetrans_pattern(salt_master_t, salt_log_t, salt_master_log_t, { file dir })
+
+# salt_master_pki_t
+manage_dirs_pattern(salt_master_t, salt_pki_t, salt_master_pki_t)
+allow salt_master_t salt_master_pki_t:file manage_file_perms;
+filetrans_pattern(salt_master_t, salt_pki_t, salt_master_pki_t, dir, "master")
+
+# salt_master_tmp_t
+manage_files_pattern(salt_master_t, salt_master_tmp_t, salt_master_tmp_t)
+manage_dirs_pattern(salt_master_t, salt_master_tmp_t, salt_master_tmp_t)
+files_tmp_filetrans(salt_master_t, salt_master_tmp_t, { file dir })
+# libffi, screw you
+can_exec(salt_master_t, salt_master_tmp_t)
+
+# salt_master_var_run_t
+allow salt_master_t salt_master_var_run_t:file manage_file_perms;
+allow salt_master_t salt_master_var_run_t:sock_file manage_sock_file_perms;
+manage_dirs_pattern(salt_master_t, salt_var_run_t, salt_master_var_run_t)
+filetrans_pattern(salt_master_t, salt_var_run_t, salt_master_var_run_t, dir)
+
+# salt_pki_t
+create_dirs_pattern(salt_master_t, salt_etc_t, salt_pki_t)
+filetrans_pattern(salt_master_t, salt_etc_t, salt_pki_t, dir, "pki")
+
+# salt_sls_t
+read_files_pattern(salt_master_t, salt_sls_t, salt_sls_t)
+allow salt_master_t salt_sls_t:dir list_dir_perms;
+
+# salt_var_run_t
+allow salt_master_t salt_var_run_t:dir create_dir_perms;
+files_pid_filetrans(salt_master_t, salt_var_run_t, dir)
+files_pid_filetrans(salt_master_t, salt_master_var_run_t, file, "salt-master.pid")
+
+kernel_read_network_state(salt_master_t)
+kernel_read_system_state(salt_master_t)
+
+corecmd_exec_bin(salt_master_t)
+corecmd_exec_shell(salt_master_t)
+
+corenet_tcp_bind_generic_node(salt_master_t)
+corenet_tcp_bind_salt_port(salt_master_t)
+
+dev_read_sysfs(salt_master_t)
+
+domain_dontaudit_exec_all_entry_files(salt_master_t)
+domain_dontaudit_search_all_domains_state(salt_master_t)
+domain_use_interactive_fds(salt_master_t)
+
+files_dontaudit_search_all_dirs(salt_master_t)
+files_read_etc_files(salt_master_t)
+files_read_usr_files(salt_master_t)
+
+getty_use_fds(salt_master_t)
+
+miscfiles_read_localization(salt_master_t)
+
+sysnet_exec_ifconfig(salt_master_t)
+sysnet_read_config(salt_master_t)
+
+userdom_dontaudit_list_user_home_dirs(salt_master_t)
+userdom_use_user_terminals(salt_master_t)
+
+tunable_policy(`salt_master_read_nfs',`
+ fs_read_nfs_files(salt_master_t)
+')
+
+
+#########################################
+#
+# salt_minion_t policy
+#
+
+allow salt_minion_t self:capability { fsetid chown net_admin sys_admin sys_tty_config };
+allow salt_minion_t self:capability2 block_suspend;
+allow salt_minion_t self:process { signull };
+allow salt_minion_t self:tcp_socket create_stream_socket_perms;
+allow salt_minion_t self:udp_socket create_socket_perms;
+allow salt_minion_t self:unix_dgram_socket create_socket_perms;
+allow salt_minion_t self:fifo_file rw_fifo_file_perms;
+allow salt_minion_t self:netlink_route_socket rw_netlink_socket_perms;
+allow salt_minion_t self:unix_stream_socket connectto;
+
+# salt_cache_t
+allow salt_minion_t salt_cache_t:dir create_dir_perms;
+files_var_filetrans(salt_minion_t, salt_cache_t, dir, "salt")
+
+# salt_etc_t
+read_files_pattern(salt_minion_t, salt_etc_t, salt_etc_t)
+list_dirs_pattern(salt_minion_t, salt_etc_t, salt_etc_t)
+
+# salt_log_t
+allow salt_minion_t salt_log_t:dir create_dir_perms;
+logging_log_filetrans(salt_minion_t, salt_log_t, dir, "salt")
+
+# salt_minion_cache_t
+manage_dirs_pattern(salt_minion_t, salt_cache_t, salt_minion_cache_t)
+allow salt_minion_t salt_minion_cache_t:file manage_file_perms;
+filetrans_pattern(salt_minion_t, salt_cache_t, salt_minion_cache_t, dir, "minion")
+
+# salt_minion_log_t
+manage_files_pattern(salt_minion_t, salt_log_t, salt_minion_log_t)
+manage_dirs_pattern(salt_minion_t, salt_log_t, salt_minion_log_t)
+filetrans_pattern(salt_minion_t, salt_log_t, salt_minion_log_t, { file dir })
+
+# salt_minion_pki_t
+manage_dirs_pattern(salt_minion_t, salt_pki_t, salt_minion_pki_t)
+allow salt_minion_t salt_minion_pki_t:file manage_file_perms;
+filetrans_pattern(salt_minion_t, salt_pki_t, salt_minion_pki_t, dir, "minion")
+
+# salt_minion_tmp_t
+manage_files_pattern(salt_minion_t, salt_minion_tmp_t, salt_minion_tmp_t)
+manage_dirs_pattern(salt_minion_t, salt_minion_tmp_t, salt_minion_tmp_t)
+files_tmp_filetrans(salt_minion_t, salt_minion_tmp_t, { file dir })
+# libffi, screw you
+can_exec(salt_minion_t, salt_minion_tmp_t)
+
+# salt_minion_var_run_t
+allow salt_minion_t salt_minion_var_run_t:file manage_file_perms;
+allow salt_minion_t salt_minion_var_run_t:sock_file manage_sock_file_perms;
+manage_dirs_pattern(salt_minion_t, salt_var_run_t, salt_minion_var_run_t)
+filetrans_pattern(salt_minion_t, salt_var_run_t, salt_minion_var_run_t, dir)
+
+# salt_pki_t
+create_dirs_pattern(salt_minion_t, salt_etc_t, salt_pki_t)
+filetrans_pattern(salt_minion_t, salt_etc_t, salt_pki_t, dir, "pki")
+
+# salt_var_run_t
+allow salt_minion_t salt_var_run_t:dir create_dir_perms;
+files_pid_filetrans(salt_minion_t, salt_var_run_t, dir)
+files_pid_filetrans(salt_minion_t, salt_minion_var_run_t, file, "salt-minion.pid")
+
+kernel_read_network_state(salt_minion_t)
+kernel_read_system_state(salt_minion_t)
+kernel_rw_all_sysctls(salt_minion_t)
+
+corecmd_exec_bin(salt_minion_t)
+corecmd_exec_shell(salt_minion_t)
+
+corenet_tcp_connect_salt_port(salt_minion_t)
+
+dev_read_sysfs(salt_minion_t)
+
+domain_dontaudit_exec_all_entry_files(salt_minion_t)
+domain_dontaudit_search_all_domains_state(salt_minion_t)
+
+files_manage_all_non_security_file_types(salt_minion_t)
+
+fs_getattr_all_fs(salt_minion_t)
+
+getty_use_fds(salt_minion_t)
+
+miscfiles_read_localization(salt_minion_t)
+
+sysnet_exec_ifconfig(salt_minion_t)
+sysnet_read_config(salt_minion_t)
+
+userdom_dontaudit_list_user_home_dirs(salt_minion_t)
+userdom_use_user_terminals(salt_minion_t)
+
+optional_policy(`
+ auth_read_shadow(salt_minion_t)
+')
+
+optional_policy(`
+ mount_domtrans(salt_minion_t)
+')
+
+optional_policy(`
+ portage_run(salt_minion_t, salt_minion_roles)
+')
+
+optional_policy(`
+ usermanage_run_groupadd(salt_minion_t, salt_minion_roles)
+ usermanage_run_passwd(salt_minion_t, salt_minion_roles)
+ usermanage_run_useradd(salt_minion_t, salt_minion_roles)
+')
+
+tunable_policy(`salt_minion_manage_nfs',`
+ fs_manage_nfs_files(salt_master_t)
+')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-08-19 9:19 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2014-08-19 9:19 UTC (permalink / raw
To: gentoo-commits
commit: 42eba632f2912d915fe769b02b464d8c3f04fcfb
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Aug 15 16:10:37 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Fri Aug 15 16:10:37 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=42eba632
Add salt policy manual page
---
policy/modules/contrib/salt.rst | 166 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 166 insertions(+)
diff --git a/policy/modules/contrib/salt.rst b/policy/modules/contrib/salt.rst
new file mode 100644
index 0000000..5039edf
--- /dev/null
+++ b/policy/modules/contrib/salt.rst
@@ -0,0 +1,166 @@
+============
+salt_selinux
+============
+
+------------------------------
+SELinux policy module for Salt
+------------------------------
+
+:Author: Sven Vermeulen <swift@gentoo.org>
+:Date: 2013-04-11
+:Manual section: 8
+:Manual group: SELinux
+
+DESCRIPTION
+===========
+
+The **salt** SELinux module supports the Salt configuration management (as
+offered by Saltstack) tools and resources.
+
+BOOLEANS
+========
+
+The following booleans are defined through the **salt** SELinux policy module.
+They can be toggled using ``setsebool``, like so::
+
+ setsebool -P salt_master_read_nfs on
+
+salt_master_read_nfs
+ Should be enabled if the Salt state files (SLS) are stored on an NFS mount
+
+salt_minion_manage_nfs
+ Should be enabled if the Salt minion needs manage privileges on NFS mounts
+
+DOMAINS
+=======
+
+salt_master_t
+-------------
+
+The **salt_master_t** domain is used by the Salt master. It is usually launched
+by the init script ``salt-master`` although it can also be launched through the
+command line command **salt-master -d**.
+
+This domain is responsible for servicing the Salt minions. Unlike the Salt
+minion domain (**salt_minion_t**) the master domain is not very privileged as it
+only provides access to the Salt state files.
+
+salt_minion_t
+-------------
+
+The **salt_minion_t** domain is used by the Salt minion. It is usually launched
+by the init script ``salt-minion`` although it can also be launched through the
+command line command **salt-minion -d**.
+
+This domain is responsible for enforcing the state as provided by the Salt
+master on the system. This makes the **salt_minion_t** domain a *very
+privileged* domain.
+
+LOCATIONS
+=========
+
+FUNCTIONAL
+----------
+
+The following list of locations identify file resources that are used by the
+Salt domains. They are by default allocated towards the default locations for
+Salt, so if you use a different location, you will need to properly address
+this. You can do so through ``semanage``, like so::
+
+ semanage fcontext -a -t salt_sls_t "/var/lib/salt/state(/.*)?"
+
+The above example marks the */var/lib/salt/state* location as the location where
+the Salt state files (``*.sls``) are stored (identified through the
+**salt_sls_t** type).
+
+salt_sls_t
+ is used for the Salt state files (*/srv/salt*)
+
+salt_pki_t
+ is used as the parent directory in which the master and minion keys are stored
+ (*/etc/salt/pki*)
+
+salt_master_pki_t
+ is used for the private and public keys managed by the Salt master
+ (*/etc/salt/pki/master*)
+
+salt_minion_pki_t
+ is used for the private and public keys managed by the Salt minion
+ (*/etc/salt/pki/minion*)
+
+EXEUTABLES
+----------
+
+salt_master_exec_t
+ is used as entry point for the Salt master (**salt_master_t**)
+
+salt_minion_exec_t
+ is used as entry point for the Salt minion (**salt_minion_t**)
+
+salt_master_initrc_exec_t
+ is used for the init script to launch the salt master
+
+salt_minion_initrc_exec_t
+ is used for the init script to launch the salt minion
+
+DAEMON FILES
+------------
+
+salt_cache_t
+ is used for the parent directory for Salt caches (*/var/cache/salt*)
+
+salt_master_cache_t
+ is used to store the Salt master cache (*/var/cache/salt/master*)
+
+salt_minion_cache_t
+ is used to store the Salt minion cache (*/var/cache/salt/minion*)
+
+salt_log_t
+ is used for the parent directory for Salt log files (*/var/log/salt*)
+
+salt_master_log_t
+ is used for the Salt master log file (*/var/log/salt/master*)
+
+salt_minion_log_t
+ is used for the Salt minion log file (*/var/log/salt/minion*)
+
+salt_var_run_t
+ is used for the parent directory for Salt run-time files (*/var/run/salt*)
+
+salt_master_var_run_t
+ is used for the Salt master variable run-time files (*/var/run/salt/master*)
+
+salt_minion_var_run_t
+ is used for the Salt minion variable run-time files (*/var/run/salt/minion*)
+
+CONFIGURATION FILES
+-------------------
+
+salt_etc_t
+ is used for the Salt configuration (*/etc/salt*)
+
+POLICY
+======
+
+The following interfaces can be used to enhance the default policy with
+Salt-related provileges. More details on these interfaces can be found in the
+interface HTML documentation, we will not list all available interfaces here.
+
+Role interfaces
+---------------
+
+The following role interfaces allow users and roles access to the specified
+domains. Only to be used for user domains and roles.
+
+salt_admin_master
+ is used for user domains to allow administration of a Salt master environment
+
+salt_minion_master
+ is used for user domains to allow administration of a Salt minion environment
+
+SEE ALSO
+========
+
+* Gentoo and SELinux at https://wiki.gentoo.org/wiki/SELinux
+* Gentoo Hardened SELinux Project at
+ https://wiki.gentoo.org/wiki/Project:Hardened
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-08-19 9:19 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2014-08-19 9:19 UTC (permalink / raw
To: gentoo-commits
commit: a8a604e6b7c53c08233875c2c2163f794a62cb6c
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Aug 8 12:16:35 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Fri Aug 15 09:57:24 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=a8a604e6
Use fs_search_tmpfs, not files_search_tmpfs
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
---
policy/modules/contrib/tgtd.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/tgtd.if b/policy/modules/contrib/tgtd.if
index 5406b6e..dc5b46e 100644
--- a/policy/modules/contrib/tgtd.if
+++ b/policy/modules/contrib/tgtd.if
@@ -97,6 +97,6 @@ interface(`tgtd_admin',`
files_search_tmp($1)
admin_pattern($1, tgtd_tmp_t)
- files_search_tmpfs($1)
+ fs_search_tmpfs($1)
admin_pattern($1, tgtd_tmpfs_t)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-08-19 9:19 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2014-08-19 9:19 UTC (permalink / raw
To: gentoo-commits
commit: 66fc9340b109959940eadb002d999692fd015f0b
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Aug 8 12:16:34 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Fri Aug 15 09:57:22 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=66fc9340
Use corecmd_search_bin, not corecmd_searh_bin
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
---
policy/modules/contrib/nslcd.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/nslcd.if b/policy/modules/contrib/nslcd.if
index 97df768..bbd7cac 100644
--- a/policy/modules/contrib/nslcd.if
+++ b/policy/modules/contrib/nslcd.if
@@ -15,7 +15,7 @@ interface(`nslcd_domtrans',`
type nslcd_t, nslcd_exec_t;
')
- corecmd_searh_bin($1)
+ corecmd_search_bin($1)
domtrans_pattern($1, nslcd_exec_t, nslcd_t)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-08-19 9:19 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2014-08-19 9:19 UTC (permalink / raw
To: gentoo-commits
commit: ab2ca5bcad85bbba8d53b4edf4d459f52a5ca512
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Aug 8 12:16:33 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Fri Aug 15 09:57:19 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ab2ca5bc
Use files_search_etc, not files_search_config
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
---
policy/modules/contrib/smstools.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/smstools.if b/policy/modules/contrib/smstools.if
index cbfe369..81136f0 100644
--- a/policy/modules/contrib/smstools.if
+++ b/policy/modules/contrib/smstools.if
@@ -32,7 +32,7 @@ interface(`smstools_admin',`
role_transition $2 smsd_initrc_exec_t system_r;
allow $2 system_r;
- files_search_config($1)
+ files_search_etc($1)
admin_pattern($1, smsd_conf_t)
files_search_var_lib($1)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-08-19 9:19 Jason Zaman
0 siblings, 0 replies; 1958+ messages in thread
From: Jason Zaman @ 2014-08-19 9:19 UTC (permalink / raw
To: gentoo-commits
commit: e5681b29db2df81a124b2a985a5a5e2eb816a03e
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Aug 8 12:16:36 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Fri Aug 15 09:57:27 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e5681b29
Use domain_auto_trans, not auto_trans
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
---
policy/modules/contrib/rsync.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/rsync.if b/policy/modules/contrib/rsync.if
index f1140ef..431471b 100644
--- a/policy/modules/contrib/rsync.if
+++ b/policy/modules/contrib/rsync.if
@@ -50,7 +50,7 @@ interface(`rsync_entry_spec_domtrans',`
')
corecmd_search_bin($1)
- auto_trans($1, rsync_exec_t, $2)
+ domain_auto_trans($1, rsync_exec_t, $2)
')
########################################
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-08-15 16:14 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-08-15 16:14 UTC (permalink / raw
To: gentoo-commits
commit: 42eba632f2912d915fe769b02b464d8c3f04fcfb
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Aug 15 16:10:37 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Aug 15 16:10:37 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=42eba632
Add salt policy manual page
---
policy/modules/contrib/salt.rst | 166 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 166 insertions(+)
diff --git a/policy/modules/contrib/salt.rst b/policy/modules/contrib/salt.rst
new file mode 100644
index 0000000..5039edf
--- /dev/null
+++ b/policy/modules/contrib/salt.rst
@@ -0,0 +1,166 @@
+============
+salt_selinux
+============
+
+------------------------------
+SELinux policy module for Salt
+------------------------------
+
+:Author: Sven Vermeulen <swift@gentoo.org>
+:Date: 2013-04-11
+:Manual section: 8
+:Manual group: SELinux
+
+DESCRIPTION
+===========
+
+The **salt** SELinux module supports the Salt configuration management (as
+offered by Saltstack) tools and resources.
+
+BOOLEANS
+========
+
+The following booleans are defined through the **salt** SELinux policy module.
+They can be toggled using ``setsebool``, like so::
+
+ setsebool -P salt_master_read_nfs on
+
+salt_master_read_nfs
+ Should be enabled if the Salt state files (SLS) are stored on an NFS mount
+
+salt_minion_manage_nfs
+ Should be enabled if the Salt minion needs manage privileges on NFS mounts
+
+DOMAINS
+=======
+
+salt_master_t
+-------------
+
+The **salt_master_t** domain is used by the Salt master. It is usually launched
+by the init script ``salt-master`` although it can also be launched through the
+command line command **salt-master -d**.
+
+This domain is responsible for servicing the Salt minions. Unlike the Salt
+minion domain (**salt_minion_t**) the master domain is not very privileged as it
+only provides access to the Salt state files.
+
+salt_minion_t
+-------------
+
+The **salt_minion_t** domain is used by the Salt minion. It is usually launched
+by the init script ``salt-minion`` although it can also be launched through the
+command line command **salt-minion -d**.
+
+This domain is responsible for enforcing the state as provided by the Salt
+master on the system. This makes the **salt_minion_t** domain a *very
+privileged* domain.
+
+LOCATIONS
+=========
+
+FUNCTIONAL
+----------
+
+The following list of locations identify file resources that are used by the
+Salt domains. They are by default allocated towards the default locations for
+Salt, so if you use a different location, you will need to properly address
+this. You can do so through ``semanage``, like so::
+
+ semanage fcontext -a -t salt_sls_t "/var/lib/salt/state(/.*)?"
+
+The above example marks the */var/lib/salt/state* location as the location where
+the Salt state files (``*.sls``) are stored (identified through the
+**salt_sls_t** type).
+
+salt_sls_t
+ is used for the Salt state files (*/srv/salt*)
+
+salt_pki_t
+ is used as the parent directory in which the master and minion keys are stored
+ (*/etc/salt/pki*)
+
+salt_master_pki_t
+ is used for the private and public keys managed by the Salt master
+ (*/etc/salt/pki/master*)
+
+salt_minion_pki_t
+ is used for the private and public keys managed by the Salt minion
+ (*/etc/salt/pki/minion*)
+
+EXEUTABLES
+----------
+
+salt_master_exec_t
+ is used as entry point for the Salt master (**salt_master_t**)
+
+salt_minion_exec_t
+ is used as entry point for the Salt minion (**salt_minion_t**)
+
+salt_master_initrc_exec_t
+ is used for the init script to launch the salt master
+
+salt_minion_initrc_exec_t
+ is used for the init script to launch the salt minion
+
+DAEMON FILES
+------------
+
+salt_cache_t
+ is used for the parent directory for Salt caches (*/var/cache/salt*)
+
+salt_master_cache_t
+ is used to store the Salt master cache (*/var/cache/salt/master*)
+
+salt_minion_cache_t
+ is used to store the Salt minion cache (*/var/cache/salt/minion*)
+
+salt_log_t
+ is used for the parent directory for Salt log files (*/var/log/salt*)
+
+salt_master_log_t
+ is used for the Salt master log file (*/var/log/salt/master*)
+
+salt_minion_log_t
+ is used for the Salt minion log file (*/var/log/salt/minion*)
+
+salt_var_run_t
+ is used for the parent directory for Salt run-time files (*/var/run/salt*)
+
+salt_master_var_run_t
+ is used for the Salt master variable run-time files (*/var/run/salt/master*)
+
+salt_minion_var_run_t
+ is used for the Salt minion variable run-time files (*/var/run/salt/minion*)
+
+CONFIGURATION FILES
+-------------------
+
+salt_etc_t
+ is used for the Salt configuration (*/etc/salt*)
+
+POLICY
+======
+
+The following interfaces can be used to enhance the default policy with
+Salt-related provileges. More details on these interfaces can be found in the
+interface HTML documentation, we will not list all available interfaces here.
+
+Role interfaces
+---------------
+
+The following role interfaces allow users and roles access to the specified
+domains. Only to be used for user domains and roles.
+
+salt_admin_master
+ is used for user domains to allow administration of a Salt master environment
+
+salt_minion_master
+ is used for user domains to allow administration of a Salt minion environment
+
+SEE ALSO
+========
+
+* Gentoo and SELinux at https://wiki.gentoo.org/wiki/SELinux
+* Gentoo Hardened SELinux Project at
+ https://wiki.gentoo.org/wiki/Project:Hardened
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-08-15 14:51 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-08-15 14:51 UTC (permalink / raw
To: gentoo-commits
commit: ab68207e7d256eb40416d707b31c8cec87e3ca19
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Aug 10 18:03:34 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Aug 15 13:36:52 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ab68207e
Introducing Salt policy
Salt (or Staltstack) is a system and configuration management solution,
build on Python. This policy introduces support for the salt master (the
system managing the configuration repository) and salt minion (the
agents on the target systems that pull configuration information from
the master).
---
policy/modules/contrib/salt.fc | 29 ++++
policy/modules/contrib/salt.if | 88 ++++++++++++
policy/modules/contrib/salt.te | 308 +++++++++++++++++++++++++++++++++++++++++
3 files changed, 425 insertions(+)
diff --git a/policy/modules/contrib/salt.fc b/policy/modules/contrib/salt.fc
new file mode 100644
index 0000000..399f5ad
--- /dev/null
+++ b/policy/modules/contrib/salt.fc
@@ -0,0 +1,29 @@
+/etc/salt(/.*)? gen_context(system_u:object_r:salt_etc_t,s0)
+/etc/salt/pki(/.*)? gen_context(system_u:object_r:salt_pki_t,s0)
+/etc/salt/pki/master(/.*)? gen_context(system_u:object_r:salt_master_pki_t,s0)
+/etc/salt/pki/minion(/.*)? gen_context(system_u:object_r:salt_minion_pki_t,s0)
+
+/etc/rc\.d/init\.d/salt-master -- gen_context(system_u:object_r:salt_master_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/salt-minion -- gen_context(system_u:object_r:salt_minion_initrc_exec_t,s0)
+
+/usr/lib/python-exec/python[0-9]?\.[0-9]?/salt-master -- gen_context(system_u:object_r:salt_master_exec_t,s0)
+/usr/lib/python-exec/python[0-9]?\.[0-9]?/salt-minion -- gen_context(system_u:object_r:salt_minion_exec_t,s0)
+
+/usr/bin/salt-master -- gen_context(system_u:object_r:salt_master_exec_t,s0)
+/usr/bin/salt-minion -- gen_context(system_u:object_r:salt_minion_exec_t,s0)
+
+/var/log/salt -d gen_context(system_u:object_r:salt_log_t,s0)
+/var/log/salt/master -- gen_context(system_u:object_r:salt_master_log_t,s0)
+/var/log/salt/minion -- gen_context(system_u:object_r:salt_minion_log_t,s0)
+
+/var/run/salt -d gen_context(system_u:object_r:salt_var_run_t,s0)
+/var/run/salt/master(/.*)? gen_context(system_u:object_r:salt_master_var_run_t,s0)
+/var/run/salt/minion(/.*)? gen_context(system_u:object_r:salt_minion_var_run_t,s0)
+/var/run/salt-master\.pid -- gen_context(system_u:object_r:salt_master_var_run_t,s0)
+/var/run/salt-minion\.pid -- gen_context(system_u:object_r:salt_minion_var_run_t,s0)
+
+/var/cache/salt -d gen_context(system_u:object_r:salt_cache_t,s0)
+/var/cache/salt/master(/.*)? gen_context(system_u:object_r:salt_master_cache_t,s0)
+/var/cache/salt/minion(/.*)? gen_context(system_u:object_r:salt_minion_cache_t,s0)
+
+/srv/salt(/.*)? gen_context(system_u:object_r:salt_sls_t,s0)
diff --git a/policy/modules/contrib/salt.if b/policy/modules/contrib/salt.if
new file mode 100644
index 0000000..7ab9e6b
--- /dev/null
+++ b/policy/modules/contrib/salt.if
@@ -0,0 +1,88 @@
+## <summary>Infrastructure management toolset</summary>
+
+#########################################
+## <summary>
+## All the rules required to administer a salt master environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+#
+interface(`salt_admin_master',`
+ gen_require(`
+ type salt_master_t;
+ type salt_master_initrc_exec_t;
+ type salt_master_exec_t;
+ type salt_etc_t;
+ type salt_var_run_t;
+ type salt_master_var_run_t;
+ attribute_role salt_master_roles;
+ ')
+
+ allow $1 salt_master_t:process { ptrace signal_perms };
+ ps_process_pattern($1, salt_master_t)
+
+ init_labeled_script_domtrans($1, salt_master_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 salt_master_initrc_exec_t system_r;
+
+ # for debugging?
+ role_transition $2 salt_master_exec_t system_r;
+ domtrans_pattern($1, salt_master_exec_t, salt_master_t)
+
+ roleattribute $2 salt_master_roles;
+
+ files_list_etc($1)
+ admin_pattern($1, salt_etc_t, salt_etc_t)
+
+ allow $1 salt_var_run_t:dir search_dir_perms;
+ stream_connect_pattern($1, salt_master_var_run_t, salt_master_var_run_t, salt_master_t)
+')
+
+#########################################
+## <summary>
+## All the rules required to administer a salt minion environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+#
+interface(`salt_admin_minion',`
+ gen_require(`
+ type salt_minion_t;
+ type salt_minion_initrc_exec_t;
+ type salt_minion_exec_t;
+ type salt_etc_t;
+ attribute_role salt_minion_roles;
+ ')
+
+ allow $1 salt_minion_t:process { ptrace signal_perms };
+ ps_process_pattern($1, salt_minion_t)
+
+ init_labeled_script_domtrans($1, salt_minion_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 salt_minion_initrc_exec_t system_r;
+
+ # for debugging
+ role_transition $2 salt_minion_exec_t system_r;
+ domtrans_pattern($1, salt_minion_exec_t, salt_minion_t)
+
+ roleattribute $2 salt_minion_roles;
+
+ files_list_etc($1)
+ admin_pattern($1, salt_etc_t, salt_etc_t)
+')
diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te
new file mode 100644
index 0000000..b8cc1a4
--- /dev/null
+++ b/policy/modules/contrib/salt.te
@@ -0,0 +1,308 @@
+policy_module(salt, 1.0)
+
+#########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine wether the salt master can read NFS files
+## </p>
+## </desc>
+gen_tunable(salt_master_read_nfs, false)
+
+## <desc>
+## <p>
+## Determine wether the salt minion can manage NFS files
+## </p>
+## </desc>
+gen_tunable(salt_minion_manage_nfs, false)
+
+attribute_role salt_master_roles;
+roleattribute system_r salt_master_roles;
+
+attribute_role salt_minion_roles;
+roleattribute system_r salt_minion_roles;
+
+type salt_master_t;
+type salt_master_exec_t;
+init_daemon_domain(salt_master_t, salt_master_exec_t)
+role salt_master_roles types salt_master_t;
+
+type salt_master_cache_t;
+files_type(salt_master_cache_t)
+
+type salt_master_initrc_exec_t;
+init_script_file(salt_master_initrc_exec_t)
+
+type salt_master_log_t;
+logging_log_file(salt_master_log_t)
+
+type salt_master_pki_t;
+files_type(salt_master_pki_t)
+
+type salt_master_tmp_t;
+files_tmp_file(salt_master_tmp_t)
+
+type salt_master_var_run_t;
+init_daemon_pid_file(salt_master_var_run_t, file, "salt-master.pid")
+files_pid_file(salt_master_var_run_t)
+
+type salt_minion_t;
+type salt_minion_exec_t;
+init_daemon_domain(salt_minion_t, salt_minion_exec_t)
+role salt_minion_roles types salt_minion_t;
+
+type salt_minion_cache_t;
+files_type(salt_minion_cache_t)
+
+type salt_minion_initrc_exec_t;
+init_script_file(salt_minion_initrc_exec_t)
+
+type salt_minion_log_t;
+logging_log_file(salt_minion_log_t)
+
+type salt_minion_pki_t;
+files_type(salt_minion_pki_t)
+
+type salt_minion_tmp_t;
+files_tmp_file(salt_minion_tmp_t)
+
+type salt_minion_var_run_t;
+init_daemon_pid_file(salt_minion_var_run_t, file, "salt-minion.pid")
+files_pid_file(salt_minion_var_run_t)
+
+type salt_cache_t;
+files_type(salt_cache_t)
+
+type salt_etc_t;
+files_config_file(salt_etc_t)
+
+type salt_log_t;
+logging_log_file(salt_log_t)
+
+type salt_sls_t;
+files_type(salt_sls_t)
+
+type salt_pki_t;
+files_type(salt_pki_t)
+
+type salt_var_run_t;
+files_pid_file(salt_var_run_t)
+
+#########################################
+#
+# salt_master_t policy
+#
+
+allow salt_master_t self:capability { net_admin sys_admin sys_tty_config };
+allow salt_master_t self:capability2 block_suspend;
+allow salt_master_t self:process signal;
+allow salt_master_t self:tcp_socket create_stream_socket_perms;
+allow salt_master_t self:udp_socket create_socket_perms;
+allow salt_master_t self:fifo_file rw_fifo_file_perms;
+allow salt_master_t self:netlink_route_socket rw_netlink_socket_perms;
+allow salt_master_t self:unix_stream_socket connectto;
+allow salt_master_t self:unix_dgram_socket create_socket_perms;
+
+# salt_cache_t
+allow salt_master_t salt_cache_t:dir create_dir_perms;
+files_var_filetrans(salt_master_t, salt_cache_t, dir, "salt")
+
+# salt_etc_t
+read_files_pattern(salt_master_t, salt_etc_t, salt_etc_t)
+list_dirs_pattern(salt_master_t, salt_etc_t, salt_etc_t)
+
+# salt_log_t
+allow salt_master_t salt_log_t:dir create_dir_perms;
+logging_log_filetrans(salt_master_t, salt_log_t, dir, "salt")
+
+# salt_master_cache_t
+manage_dirs_pattern(salt_master_t, salt_cache_t, salt_master_cache_t)
+allow salt_master_t salt_master_cache_t:file manage_file_perms;
+filetrans_pattern(salt_master_t, salt_cache_t, salt_master_cache_t, dir, "master")
+
+# salt_master_log_t
+manage_files_pattern(salt_master_t, salt_log_t, salt_master_log_t)
+manage_dirs_pattern(salt_master_t, salt_log_t, salt_master_log_t)
+filetrans_pattern(salt_master_t, salt_log_t, salt_master_log_t, { file dir })
+
+# salt_master_pki_t
+manage_dirs_pattern(salt_master_t, salt_pki_t, salt_master_pki_t)
+allow salt_master_t salt_master_pki_t:file manage_file_perms;
+filetrans_pattern(salt_master_t, salt_pki_t, salt_master_pki_t, dir, "master")
+
+# salt_master_tmp_t
+manage_files_pattern(salt_master_t, salt_master_tmp_t, salt_master_tmp_t)
+manage_dirs_pattern(salt_master_t, salt_master_tmp_t, salt_master_tmp_t)
+files_tmp_filetrans(salt_master_t, salt_master_tmp_t, { file dir })
+# libffi, screw you
+can_exec(salt_master_t, salt_master_tmp_t)
+
+# salt_master_var_run_t
+allow salt_master_t salt_master_var_run_t:file manage_file_perms;
+allow salt_master_t salt_master_var_run_t:sock_file manage_sock_file_perms;
+manage_dirs_pattern(salt_master_t, salt_var_run_t, salt_master_var_run_t)
+filetrans_pattern(salt_master_t, salt_var_run_t, salt_master_var_run_t, dir)
+
+# salt_pki_t
+create_dirs_pattern(salt_master_t, salt_etc_t, salt_pki_t)
+filetrans_pattern(salt_master_t, salt_etc_t, salt_pki_t, dir, "pki")
+
+# salt_sls_t
+read_files_pattern(salt_master_t, salt_sls_t, salt_sls_t)
+allow salt_master_t salt_sls_t:dir list_dir_perms;
+
+# salt_var_run_t
+allow salt_master_t salt_var_run_t:dir create_dir_perms;
+files_pid_filetrans(salt_master_t, salt_var_run_t, dir)
+files_pid_filetrans(salt_master_t, salt_master_var_run_t, file, "salt-master.pid")
+
+kernel_read_network_state(salt_master_t)
+kernel_read_system_state(salt_master_t)
+
+corecmd_exec_bin(salt_master_t)
+corecmd_exec_shell(salt_master_t)
+
+corenet_tcp_bind_generic_node(salt_master_t)
+corenet_tcp_bind_salt_port(salt_master_t)
+
+dev_read_sysfs(salt_master_t)
+
+domain_dontaudit_exec_all_entry_files(salt_master_t)
+domain_dontaudit_search_all_domains_state(salt_master_t)
+domain_use_interactive_fds(salt_master_t)
+
+files_dontaudit_search_all_dirs(salt_master_t)
+files_read_etc_files(salt_master_t)
+files_read_usr_files(salt_master_t)
+
+getty_use_fds(salt_master_t)
+
+miscfiles_read_localization(salt_master_t)
+
+sysnet_exec_ifconfig(salt_master_t)
+sysnet_read_config(salt_master_t)
+
+userdom_dontaudit_list_user_home_dirs(salt_master_t)
+userdom_use_user_terminals(salt_master_t)
+
+tunable_policy(`salt_master_read_nfs',`
+ fs_read_nfs_files(salt_master_t)
+')
+
+
+#########################################
+#
+# salt_minion_t policy
+#
+
+allow salt_minion_t self:capability { fsetid chown net_admin sys_admin sys_tty_config };
+allow salt_minion_t self:capability2 block_suspend;
+allow salt_minion_t self:process { signull };
+allow salt_minion_t self:tcp_socket create_stream_socket_perms;
+allow salt_minion_t self:udp_socket create_socket_perms;
+allow salt_minion_t self:unix_dgram_socket create_socket_perms;
+allow salt_minion_t self:fifo_file rw_fifo_file_perms;
+allow salt_minion_t self:netlink_route_socket rw_netlink_socket_perms;
+allow salt_minion_t self:unix_stream_socket connectto;
+
+# salt_cache_t
+allow salt_minion_t salt_cache_t:dir create_dir_perms;
+files_var_filetrans(salt_minion_t, salt_cache_t, dir, "salt")
+
+# salt_etc_t
+read_files_pattern(salt_minion_t, salt_etc_t, salt_etc_t)
+list_dirs_pattern(salt_minion_t, salt_etc_t, salt_etc_t)
+
+# salt_log_t
+allow salt_minion_t salt_log_t:dir create_dir_perms;
+logging_log_filetrans(salt_minion_t, salt_log_t, dir, "salt")
+
+# salt_minion_cache_t
+manage_dirs_pattern(salt_minion_t, salt_cache_t, salt_minion_cache_t)
+allow salt_minion_t salt_minion_cache_t:file manage_file_perms;
+filetrans_pattern(salt_minion_t, salt_cache_t, salt_minion_cache_t, dir, "minion")
+
+# salt_minion_log_t
+manage_files_pattern(salt_minion_t, salt_log_t, salt_minion_log_t)
+manage_dirs_pattern(salt_minion_t, salt_log_t, salt_minion_log_t)
+filetrans_pattern(salt_minion_t, salt_log_t, salt_minion_log_t, { file dir })
+
+# salt_minion_pki_t
+manage_dirs_pattern(salt_minion_t, salt_pki_t, salt_minion_pki_t)
+allow salt_minion_t salt_minion_pki_t:file manage_file_perms;
+filetrans_pattern(salt_minion_t, salt_pki_t, salt_minion_pki_t, dir, "minion")
+
+# salt_minion_tmp_t
+manage_files_pattern(salt_minion_t, salt_minion_tmp_t, salt_minion_tmp_t)
+manage_dirs_pattern(salt_minion_t, salt_minion_tmp_t, salt_minion_tmp_t)
+files_tmp_filetrans(salt_minion_t, salt_minion_tmp_t, { file dir })
+# libffi, screw you
+can_exec(salt_minion_t, salt_minion_tmp_t)
+
+# salt_minion_var_run_t
+allow salt_minion_t salt_minion_var_run_t:file manage_file_perms;
+allow salt_minion_t salt_minion_var_run_t:sock_file manage_sock_file_perms;
+manage_dirs_pattern(salt_minion_t, salt_var_run_t, salt_minion_var_run_t)
+filetrans_pattern(salt_minion_t, salt_var_run_t, salt_minion_var_run_t, dir)
+
+# salt_pki_t
+create_dirs_pattern(salt_minion_t, salt_etc_t, salt_pki_t)
+filetrans_pattern(salt_minion_t, salt_etc_t, salt_pki_t, dir, "pki")
+
+# salt_var_run_t
+allow salt_minion_t salt_var_run_t:dir create_dir_perms;
+files_pid_filetrans(salt_minion_t, salt_var_run_t, dir)
+files_pid_filetrans(salt_minion_t, salt_minion_var_run_t, file, "salt-minion.pid")
+
+kernel_read_network_state(salt_minion_t)
+kernel_read_system_state(salt_minion_t)
+kernel_rw_all_sysctls(salt_minion_t)
+
+corecmd_exec_bin(salt_minion_t)
+corecmd_exec_shell(salt_minion_t)
+
+corenet_tcp_connect_salt_port(salt_minion_t)
+
+dev_read_sysfs(salt_minion_t)
+
+domain_dontaudit_exec_all_entry_files(salt_minion_t)
+domain_dontaudit_search_all_domains_state(salt_minion_t)
+
+files_manage_all_non_security_file_types(salt_minion_t)
+
+fs_getattr_all_fs(salt_minion_t)
+
+getty_use_fds(salt_minion_t)
+
+miscfiles_read_localization(salt_minion_t)
+
+sysnet_exec_ifconfig(salt_minion_t)
+sysnet_read_config(salt_minion_t)
+
+userdom_dontaudit_list_user_home_dirs(salt_minion_t)
+userdom_use_user_terminals(salt_minion_t)
+
+optional_policy(`
+ auth_read_shadow(salt_minion_t)
+')
+
+optional_policy(`
+ mount_domtrans(salt_minion_t)
+')
+
+optional_policy(`
+ portage_run(salt_minion_t, salt_minion_roles)
+')
+
+optional_policy(`
+ usermanage_run_groupadd(salt_minion_t, salt_minion_roles)
+ usermanage_run_passwd(salt_minion_t, salt_minion_roles)
+ usermanage_run_useradd(salt_minion_t, salt_minion_roles)
+')
+
+tunable_policy(`salt_minion_manage_nfs',`
+ fs_manage_nfs_files(salt_master_t)
+')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:salt commit in: policy/modules/contrib/
@ 2014-08-15 10:04 Sven Vermeulen
2014-08-15 10:04 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
0 siblings, 1 reply; 1958+ messages in thread
From: Sven Vermeulen @ 2014-08-15 10:04 UTC (permalink / raw
To: gentoo-commits
commit: e5681b29db2df81a124b2a985a5a5e2eb816a03e
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Aug 8 12:16:36 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Aug 15 09:57:27 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e5681b29
Use domain_auto_trans, not auto_trans
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
---
policy/modules/contrib/rsync.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/rsync.if b/policy/modules/contrib/rsync.if
index f1140ef..431471b 100644
--- a/policy/modules/contrib/rsync.if
+++ b/policy/modules/contrib/rsync.if
@@ -50,7 +50,7 @@ interface(`rsync_entry_spec_domtrans',`
')
corecmd_search_bin($1)
- auto_trans($1, rsync_exec_t, $2)
+ domain_auto_trans($1, rsync_exec_t, $2)
')
########################################
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2014-08-15 10:04 [gentoo-commits] proj/hardened-refpolicy:salt " Sven Vermeulen
@ 2014-08-15 10:04 ` Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-08-15 10:04 UTC (permalink / raw
To: gentoo-commits
commit: e5681b29db2df81a124b2a985a5a5e2eb816a03e
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Aug 8 12:16:36 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Aug 15 09:57:27 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e5681b29
Use domain_auto_trans, not auto_trans
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
---
policy/modules/contrib/rsync.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/rsync.if b/policy/modules/contrib/rsync.if
index f1140ef..431471b 100644
--- a/policy/modules/contrib/rsync.if
+++ b/policy/modules/contrib/rsync.if
@@ -50,7 +50,7 @@ interface(`rsync_entry_spec_domtrans',`
')
corecmd_search_bin($1)
- auto_trans($1, rsync_exec_t, $2)
+ domain_auto_trans($1, rsync_exec_t, $2)
')
########################################
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:salt commit in: policy/modules/contrib/
@ 2014-08-15 10:04 Sven Vermeulen
2014-08-15 10:04 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
0 siblings, 1 reply; 1958+ messages in thread
From: Sven Vermeulen @ 2014-08-15 10:04 UTC (permalink / raw
To: gentoo-commits
commit: e6b8fdd44731878c345840a48e22b327d3448ad5
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Aug 8 12:16:30 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Aug 15 09:57:14 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e6b8fdd4
Use logging_search_logs, not logging_search_log
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
---
policy/modules/contrib/zarafa.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/zarafa.if b/policy/modules/contrib/zarafa.if
index 36e32df..83b4ca5 100644
--- a/policy/modules/contrib/zarafa.if
+++ b/policy/modules/contrib/zarafa.if
@@ -163,7 +163,7 @@ interface(`zarafa_admin',`
files_search_tmp($1)
admin_pattern($1, { zarafa_deliver_tmp_t zarafa_indexer_tmp_t zarafa_server_tmp_t })
- logging_search_log($1)
+ logging_search_logs($1)
admin_pattern($1, zarafa_logfile)
files_search_var_lib($1)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:salt commit in: policy/modules/contrib/
@ 2014-08-15 10:04 Sven Vermeulen
2014-08-15 10:04 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
0 siblings, 1 reply; 1958+ messages in thread
From: Sven Vermeulen @ 2014-08-15 10:04 UTC (permalink / raw
To: gentoo-commits
commit: 66fc9340b109959940eadb002d999692fd015f0b
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Aug 8 12:16:34 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Aug 15 09:57:22 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=66fc9340
Use corecmd_search_bin, not corecmd_searh_bin
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
---
policy/modules/contrib/nslcd.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/nslcd.if b/policy/modules/contrib/nslcd.if
index 97df768..bbd7cac 100644
--- a/policy/modules/contrib/nslcd.if
+++ b/policy/modules/contrib/nslcd.if
@@ -15,7 +15,7 @@ interface(`nslcd_domtrans',`
type nslcd_t, nslcd_exec_t;
')
- corecmd_searh_bin($1)
+ corecmd_search_bin($1)
domtrans_pattern($1, nslcd_exec_t, nslcd_t)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2014-08-15 10:04 [gentoo-commits] proj/hardened-refpolicy:salt " Sven Vermeulen
@ 2014-08-15 10:04 ` Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-08-15 10:04 UTC (permalink / raw
To: gentoo-commits
commit: 66fc9340b109959940eadb002d999692fd015f0b
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Aug 8 12:16:34 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Aug 15 09:57:22 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=66fc9340
Use corecmd_search_bin, not corecmd_searh_bin
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
---
policy/modules/contrib/nslcd.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/nslcd.if b/policy/modules/contrib/nslcd.if
index 97df768..bbd7cac 100644
--- a/policy/modules/contrib/nslcd.if
+++ b/policy/modules/contrib/nslcd.if
@@ -15,7 +15,7 @@ interface(`nslcd_domtrans',`
type nslcd_t, nslcd_exec_t;
')
- corecmd_searh_bin($1)
+ corecmd_search_bin($1)
domtrans_pattern($1, nslcd_exec_t, nslcd_t)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:salt commit in: policy/modules/contrib/
@ 2014-08-15 10:04 Sven Vermeulen
2014-08-15 10:04 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
0 siblings, 1 reply; 1958+ messages in thread
From: Sven Vermeulen @ 2014-08-15 10:04 UTC (permalink / raw
To: gentoo-commits
commit: d6c241709eb5baee3636d37cee336a20b53c2e34
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Aug 8 12:16:31 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Aug 15 09:57:16 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=d6c24170
Use files_search_etc, not logging_search_etc
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
---
policy/modules/contrib/monop.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/monop.if b/policy/modules/contrib/monop.if
index 8fdaece..a6ec137 100644
--- a/policy/modules/contrib/monop.if
+++ b/policy/modules/contrib/monop.if
@@ -31,7 +31,7 @@ interface(`monop_admin',`
role_transition $2 monopd_initrc_exec_t system_r;
allow $2 system_r;
- logging_search_etc($1)
+ files_search_etc($1)
admin_pattern($1, monopd_etc_t)
files_search_pids($1)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-08-15 10:04 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-08-15 10:04 UTC (permalink / raw
To: gentoo-commits
commit: ab2ca5bcad85bbba8d53b4edf4d459f52a5ca512
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Aug 8 12:16:33 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Aug 15 09:57:19 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ab2ca5bc
Use files_search_etc, not files_search_config
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
---
policy/modules/contrib/smstools.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/smstools.if b/policy/modules/contrib/smstools.if
index cbfe369..81136f0 100644
--- a/policy/modules/contrib/smstools.if
+++ b/policy/modules/contrib/smstools.if
@@ -32,7 +32,7 @@ interface(`smstools_admin',`
role_transition $2 smsd_initrc_exec_t system_r;
allow $2 system_r;
- files_search_config($1)
+ files_search_etc($1)
admin_pattern($1, smsd_conf_t)
files_search_var_lib($1)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-08-15 10:04 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-08-15 10:04 UTC (permalink / raw
To: gentoo-commits
commit: b80b32ff3c17ebae80a24c934c6a3a4b31327b5b
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Aug 8 12:16:32 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Aug 15 09:57:18 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b80b32ff
Use files_search_etc, not logging_search_etc
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
---
policy/modules/contrib/networkmanager.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/networkmanager.if b/policy/modules/contrib/networkmanager.if
index 5bf874a..5aced8c 100644
--- a/policy/modules/contrib/networkmanager.if
+++ b/policy/modules/contrib/networkmanager.if
@@ -302,7 +302,7 @@ interface(`networkmanager_admin',`
role_transition $2 NetworkManager_initrc_exec_t system_r;
allow $2 system_r;
- logging_search_etc($1)
+ files_search_etc($1)
admin_pattern($1, { NetworkManager_etc_t NetworkManager_etc_rw_t })
logging_search_logs($1)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-08-15 10:04 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-08-15 10:04 UTC (permalink / raw
To: gentoo-commits
commit: a8a604e6b7c53c08233875c2c2163f794a62cb6c
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Aug 8 12:16:35 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Aug 15 09:57:24 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=a8a604e6
Use fs_search_tmpfs, not files_search_tmpfs
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
---
policy/modules/contrib/tgtd.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/tgtd.if b/policy/modules/contrib/tgtd.if
index 5406b6e..dc5b46e 100644
--- a/policy/modules/contrib/tgtd.if
+++ b/policy/modules/contrib/tgtd.if
@@ -97,6 +97,6 @@ interface(`tgtd_admin',`
files_search_tmp($1)
admin_pattern($1, tgtd_tmp_t)
- files_search_tmpfs($1)
+ fs_search_tmpfs($1)
admin_pattern($1, tgtd_tmpfs_t)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-08-15 10:04 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-08-15 10:04 UTC (permalink / raw
To: gentoo-commits
commit: 15349d3803e89122716e327fb230f1e0f0711b9a
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Aug 8 12:16:29 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Aug 15 09:57:13 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=15349d38
Use logging_search_logs, not logging_search_log
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
---
policy/modules/contrib/ircd.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/ircd.if b/policy/modules/contrib/ircd.if
index ade9803..1a88664 100644
--- a/policy/modules/contrib/ircd.if
+++ b/policy/modules/contrib/ircd.if
@@ -34,7 +34,7 @@ interface(`ircd_admin',`
files_search_etc($1)
admin_pattern($1, ircd_etc_t)
- logging_search_log($1)
+ logging_search_logs($1)
admin_pattern($1, ircd_log_t)
files_search_var_lib($1)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-08-11 15:09 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-08-11 15:09 UTC (permalink / raw
To: gentoo-commits
commit: b8a1516b2f901333579d7b96324259210cf5c736
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon Aug 11 15:09:41 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Aug 11 15:09:41 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b8a1516b
Revert last change, not needed
---
policy/modules/contrib/shutdown.if | 20 --------------------
1 file changed, 20 deletions(-)
diff --git a/policy/modules/contrib/shutdown.if b/policy/modules/contrib/shutdown.if
index bf9cfbe..d1706bf 100644
--- a/policy/modules/contrib/shutdown.if
+++ b/policy/modules/contrib/shutdown.if
@@ -107,23 +107,3 @@ interface(`shutdown_getattr_exec_files',`
corecmd_search_bin($1)
allow $1 shutdown_exec_t:file getattr_file_perms;
')
-
-# This is for Gentoo and should be in a if def distro_gentoo
-
-#########################################
-## <summary>
-## Do not audit execute attempts of the shutdown binary
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain not to audit
-## </summary>
-## </param>
-#
-interface(`shutdown_dontaudit_exec',`
- gen_require(`
- type shutdown_exec_t;
- ')
-
- dontaudit $1 shutdown_exec_t:file exec_file_perms;
-')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-08-11 15:04 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-08-11 15:04 UTC (permalink / raw
To: gentoo-commits
commit: ed3b82dac4a89ce8b9da50986d88b2000b95db33
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon Aug 11 15:04:34 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Aug 11 15:04:34 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ed3b82da
Introduce shutdown_dontaudit_exec
---
policy/modules/contrib/shutdown.if | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/policy/modules/contrib/shutdown.if b/policy/modules/contrib/shutdown.if
index d1706bf..bf9cfbe 100644
--- a/policy/modules/contrib/shutdown.if
+++ b/policy/modules/contrib/shutdown.if
@@ -107,3 +107,23 @@ interface(`shutdown_getattr_exec_files',`
corecmd_search_bin($1)
allow $1 shutdown_exec_t:file getattr_file_perms;
')
+
+# This is for Gentoo and should be in a if def distro_gentoo
+
+#########################################
+## <summary>
+## Do not audit execute attempts of the shutdown binary
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain not to audit
+## </summary>
+## </param>
+#
+interface(`shutdown_dontaudit_exec',`
+ gen_require(`
+ type shutdown_exec_t;
+ ')
+
+ dontaudit $1 shutdown_exec_t:file exec_file_perms;
+')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-08-10 16:59 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-08-10 16:59 UTC (permalink / raw
To: gentoo-commits
commit: 5e606ee00a9f96391f63fad8c2b127b41f1d8713
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Aug 10 16:58:59 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Aug 10 16:58:59 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=5e606ee0
Layman needs manage rights on portage cache (write to /var/cache/edb) as well as ebuild symlinks
---
policy/modules/contrib/portage.te | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/portage.te b/policy/modules/contrib/portage.te
index 14a7b04..83d6ab4 100644
--- a/policy/modules/contrib/portage.te
+++ b/policy/modules/contrib/portage.te
@@ -390,8 +390,10 @@ gen_tunable(portage_mount_fs, false)
# Portage fetch local policy
#
+ manage_files_pattern(portage_fetch_t, portage_cache_t, portage_cache_t)
+ manage_dirs_pattern(portage_fetch_t, portage_cache_t, portage_cache_t)
read_lnk_files_pattern(portage_fetch_t, portage_conf_t, portage_conf_t)
- read_lnk_files_pattern(portage_fetch_t, portage_ebuild_t, portage_ebuild_t)
+ manage_lnk_files_pattern(portage_fetch_t, portage_ebuild_t, portage_ebuild_t)
dev_rw_autofs(portage_fetch_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-08-10 16:49 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-08-10 16:49 UTC (permalink / raw
To: gentoo-commits
commit: 79fedf6d43030d7b52d04e564c076fe3a5be3df0
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Aug 10 16:48:54 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Aug 10 16:48:54 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=79fedf6d
Mark python-exec/layman as portage_fetch_exec_t
---
policy/modules/contrib/portage.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/portage.fc b/policy/modules/contrib/portage.fc
index 6599573..cc65c01 100644
--- a/policy/modules/contrib/portage.fc
+++ b/policy/modules/contrib/portage.fc
@@ -38,5 +38,6 @@
ifdef(`distro_gentoo',`
/usr/lib/python-exec/python[0-9]?\.[0-9]?/glsa-check -- gen_context(system_u:object_r:portage_exec_t,s0)
+/usr/lib/python-exec/python[0-9].\.[0-9]?/layman -- gen_context(system_u:object_r:portage_fetch_exec_t,s0)
/var/log/sandbox(/.*)? gen_context(system_u:object_r:portage_log_t,s0)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-08-10 16:42 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-08-10 16:42 UTC (permalink / raw
To: gentoo-commits
commit: b99a4b641907dcefd72246c7f389bcc77c18c1c7
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Aug 10 16:42:06 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Aug 10 16:42:06 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b99a4b64
Update file context definition for glsa-check
---
policy/modules/contrib/portage.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/portage.fc b/policy/modules/contrib/portage.fc
index 73326f2..6599573 100644
--- a/policy/modules/contrib/portage.fc
+++ b/policy/modules/contrib/portage.fc
@@ -37,5 +37,6 @@
/var/tmp/portage-pkg(/.*)? gen_context(system_u:object_r:portage_tmp_t,s0)
ifdef(`distro_gentoo',`
+/usr/lib/python-exec/python[0-9]?\.[0-9]?/glsa-check -- gen_context(system_u:object_r:portage_exec_t,s0)
/var/log/sandbox(/.*)? gen_context(system_u:object_r:portage_log_t,s0)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-08-10 14:02 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-08-10 14:02 UTC (permalink / raw
To: gentoo-commits
commit: ac63ef72892a2cc20406cf1951998e2c15361f6a
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Aug 10 14:02:16 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Aug 10 14:02:16 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ac63ef72
Add context for thunderbird (non-bin distro) as per bug #505406
---
policy/modules/contrib/thunderbird.fc | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/contrib/thunderbird.fc b/policy/modules/contrib/thunderbird.fc
index 4a579fe..eacb7a1 100644
--- a/policy/modules/contrib/thunderbird.fc
+++ b/policy/modules/contrib/thunderbird.fc
@@ -3,6 +3,8 @@ HOME_DIR/\.thunderbird(/.*)? gen_context(system_u:object_r:thunderbird_home_t,s0
/usr/bin/thunderbird.* -- gen_context(system_u:object_r:thunderbird_exec_t,s0)
ifdef(`distro_gentoo',`
+/usr/lib/thunderbird/thunderbird -- gen_context(system_u:object_r:thunderbird_exec_t,s0)
+
/opt/thunderbird/plugin-container -- gen_context(system_u:object_r:thunderbird_exec_t,s0)
/opt/thunderbird/run-mozilla\.sh -- gen_context(system_u:object_r:thunderbird_exec_t,s0)
/opt/thunderbird/thunderbird -- gen_context(system_u:object_r:thunderbird_exec_t,s0)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-08-10 13:54 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-08-10 13:54 UTC (permalink / raw
To: gentoo-commits
commit: 15f4cb7c1387e72719c9948281f4818842baea96
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Aug 10 13:53:00 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Aug 10 13:53:00 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=15f4cb7c
Fix bug #505406 - Make thunderbird work on Gentoo again
Changes made:
- Support thunderbird_tmp_t for /tmp created files and directories
- Support XDG types
- Make user content management optional (through access template)
---
policy/modules/contrib/thunderbird.fc | 8 ++++++++
policy/modules/contrib/thunderbird.te | 36 ++++++++++++++++++++++++++++++++---
2 files changed, 41 insertions(+), 3 deletions(-)
diff --git a/policy/modules/contrib/thunderbird.fc b/policy/modules/contrib/thunderbird.fc
index c01805a..4a579fe 100644
--- a/policy/modules/contrib/thunderbird.fc
+++ b/policy/modules/contrib/thunderbird.fc
@@ -1,3 +1,11 @@
HOME_DIR/\.thunderbird(/.*)? gen_context(system_u:object_r:thunderbird_home_t,s0)
/usr/bin/thunderbird.* -- gen_context(system_u:object_r:thunderbird_exec_t,s0)
+
+ifdef(`distro_gentoo',`
+/opt/thunderbird/plugin-container -- gen_context(system_u:object_r:thunderbird_exec_t,s0)
+/opt/thunderbird/run-mozilla\.sh -- gen_context(system_u:object_r:thunderbird_exec_t,s0)
+/opt/thunderbird/thunderbird -- gen_context(system_u:object_r:thunderbird_exec_t,s0)
+/opt/thunderbird/thunderbird-bin -- gen_context(system_u:object_r:thunderbird_exec_t,s0)
+/opt/thunderbird/updater -- gen_context(system_u:object_r:thunderbird_exec_t,s0)
+')
diff --git a/policy/modules/contrib/thunderbird.te b/policy/modules/contrib/thunderbird.te
index 04a56d2..cbf9e39 100644
--- a/policy/modules/contrib/thunderbird.te
+++ b/policy/modules/contrib/thunderbird.te
@@ -105,9 +105,10 @@ userdom_write_user_tmp_sockets(thunderbird_t)
userdom_manage_user_tmp_dirs(thunderbird_t)
userdom_manage_user_tmp_files(thunderbird_t)
-userdom_manage_user_home_content_dirs(thunderbird_t)
-userdom_manage_user_home_content_files(thunderbird_t)
-userdom_user_home_dir_filetrans_user_home_content(thunderbird_t, { dir file })
+# Gentoo: managed through booleans defined thruogh userdom_user_content_access_template
+#userdom_manage_user_home_content_dirs(thunderbird_t)
+#userdom_manage_user_home_content_files(thunderbird_t)
+#userdom_user_home_dir_filetrans_user_home_content(thunderbird_t, { dir file })
xserver_user_x_domain_template(thunderbird, thunderbird_t, thunderbird_tmpfs_t)
xserver_read_xdm_tmp_files(thunderbird_t)
@@ -168,11 +169,40 @@ optional_policy(`
')
ifdef(`distro_gentoo',`
+ type thunderbird_xdg_cache_home_t;
+ xdg_cache_home_content(thunderbird_xdg_cache_home_t)
+
+ type thunderbird_tmp_t;
+ userdom_user_tmp_file(thunderbird_tmp_t)
+
################################
#
# Thunderbird local policy
#
+ # thunderbird-bin to execute stuff in /opt/thunderbird/
+ can_exec(thunderbird_t, thunderbird_exec_t)
+
+ manage_dirs_pattern(thunderbird_t, thunderbird_tmp_t, thunderbird_tmp_t)
+ manage_files_pattern(thunderbird_t, thunderbird_tmp_t, thunderbird_tmp_t)
+ files_tmp_filetrans(thunderbird_t, thunderbird_tmp_t, { dir file })
+
+ manage_files_pattern(thunderbird_t, thunderbird_xdg_cache_home_t, thunderbird_xdg_cache_home_t)
+ manage_dirs_pattern(thunderbird_t, thunderbird_xdg_cache_home_t, thunderbird_xdg_cache_home_t)
+ xdg_cache_home_filetrans(thunderbird_t, thunderbird_xdg_cache_home_t, dir)
+
+ # File preview apps for instance
+ corecmd_exec_bin(thunderbird_t)
+
+ dev_read_sysfs(thunderbird_t)
+ dev_rw_dri(thunderbird_t)
+
+ userdom_use_user_ptys(thunderbird_t)
+ # User content access
+ userdom_user_content_access_template(thunderbird, thunderbird_t)
+
+ xdg_read_data_home_files(thunderbird_t)
+
optional_policy(`
pulseaudio_client_domain(thunderbird_t, thunderbird_tmpfs_t)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:testing commit in: policy/modules/contrib/
@ 2014-08-08 12:36 Sven Vermeulen
2014-08-08 12:36 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
0 siblings, 1 reply; 1958+ messages in thread
From: Sven Vermeulen @ 2014-08-08 12:36 UTC (permalink / raw
To: gentoo-commits
commit: 6ebb5fbf42a00295958c71b7f3281c728f3ce7a8
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Fri Aug 8 11:27:03 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Aug 8 11:27:03 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=6ebb5fbf
Allow resolvconf to configure dnsmasq
Resolvconf needs to be able to set which dns servers dnsmasq uses.
Bug #519240
---
policy/modules/contrib/resolvconf.te | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/policy/modules/contrib/resolvconf.te b/policy/modules/contrib/resolvconf.te
index 7fbd00d..32cba23 100644
--- a/policy/modules/contrib/resolvconf.te
+++ b/policy/modules/contrib/resolvconf.te
@@ -44,6 +44,11 @@ optional_policy(`
term_dontaudit_use_console(resolvconf_t)
')
+optional_policy(`
+ dnsmasq_read_config(resolvconf_t)
+ dnsmasq_write_config(resolvconf_t)
+')
+
#########################################
#
# Resolvconf client policy
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-08-06 18:09 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-08-06 18:09 UTC (permalink / raw
To: gentoo-commits
commit: 651e8313fa132e001f07edc4cafdcf50b1b0a031
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Aug 6 18:07:32 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Aug 6 18:07:32 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=651e8313
Merged upstream, so can be removed from the ifdef distro_gentoo
---
policy/modules/contrib/apache.fc | 15 ---------------
1 file changed, 15 deletions(-)
diff --git a/policy/modules/contrib/apache.fc b/policy/modules/contrib/apache.fc
index 0a2dbfd..4222f2e 100644
--- a/policy/modules/contrib/apache.fc
+++ b/policy/modules/contrib/apache.fc
@@ -175,19 +175,4 @@ ifdef(`distro_suse',`
ifdef(`distro_gentoo',`
/usr/share/build-1/libtool -- gen_context(system_u:object_r:bin_t,s0)
-
-# Support for Hiawatha bug 513362
-/etc/hiawatha(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
-
-/etc/rc\.d/init\.d/hiawatha -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
-
-/usr/bin/ssi-cgi -- gen_context(system_u:object_r:httpd_exec_t,s0)
-
-/usr/sbin/cgi-wrapper -- gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/sbin/hiawatha -- gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/sbin/wigwam -- gen_context(system_u:object_r:httpd_exec_t,s0)
-
-/var/lib/hiawatha(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
-
-/var/log/hiawatha(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-08-01 11:49 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-08-01 11:49 UTC (permalink / raw
To: gentoo-commits
commit: eb973f14b8e146b7384d55101935473d16707bbc
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Aug 1 11:47:35 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Aug 1 11:47:35 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=eb973f14
Workaround for bug #514440 - sntp is in bin, not sbin
---
policy/modules/contrib/ntp.fc | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/ntp.fc b/policy/modules/contrib/ntp.fc
index 89b9cb1..6105583 100644
--- a/policy/modules/contrib/ntp.fc
+++ b/policy/modules/contrib/ntp.fc
@@ -24,3 +24,7 @@
/var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
/var/run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_var_run_t,s0)
+
+ifdef(`distro_gentoo',`
+/usr/bin/sntp -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
+')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-07-31 15:28 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-07-31 15:28 UTC (permalink / raw
To: gentoo-commits
commit: 4e8cfae734742c80fa9e3a79994f301046afd1ae
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Jul 29 14:14:12 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Jul 31 15:26:32 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=4e8cfae7
fcontext for /run/resolvconf/
---
policy/modules/contrib/resolvconf.fc | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/contrib/resolvconf.fc b/policy/modules/contrib/resolvconf.fc
index a7c9eed..e6a410f 100644
--- a/policy/modules/contrib/resolvconf.fc
+++ b/policy/modules/contrib/resolvconf.fc
@@ -4,3 +4,5 @@
/lib/resolvconf(/.*)? gen_context(system_u:object_r:bin_t,s0)
/sbin/resolvconf -- gen_context(system_u:object_r:resolvconf_exec_t,s0)
+
+/var/run/resolvconf(/.*)? gen_context(system_u:object_r:resolvconf_var_run_t,s0)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-07-31 15:26 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-07-31 15:26 UTC (permalink / raw
To: gentoo-commits
commit: fa80a229d122a166c8185af0ff5c1feaeee08655
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Jul 29 14:14:10 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Jul 31 15:24:47 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=fa80a229
silence portage sandbox a little
---
policy/modules/contrib/portage.te | 3 +++
1 file changed, 3 insertions(+)
diff --git a/policy/modules/contrib/portage.te b/policy/modules/contrib/portage.te
index 579447c..14a7b04 100644
--- a/policy/modules/contrib/portage.te
+++ b/policy/modules/contrib/portage.te
@@ -469,6 +469,9 @@ gen_tunable(portage_mount_fs, false)
filetrans_pattern(portage_sandbox_t, portage_ebuild_t, portage_srcrepo_t, dir, "git3-src") # git-r3.eclass
filetrans_pattern(portage_sandbox_t, portage_ebuild_t, portage_srcrepo_t, dir, "svn-src")
+ # install-xattr does listxattr() which throws a lot of this
+ dontaudit portage_sandbox_t self:capability sys_admin;
+
##########################################
#
# Portage eselect module domain
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-07-29 14:07 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-07-29 14:07 UTC (permalink / raw
To: gentoo-commits
commit: 58a3b14c6019fd006044050c1d01eee619276007
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue Jul 8 12:50:44 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Jul 29 14:05:31 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=58a3b14c
Module version bump for ftp and tftp fixes from Nicolas Iooss.
---
policy/modules/contrib/ftp.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/ftp.te b/policy/modules/contrib/ftp.te
index 33cda5e..b59e761 100644
--- a/policy/modules/contrib/ftp.te
+++ b/policy/modules/contrib/ftp.te
@@ -1,4 +1,4 @@
-policy_module(ftp, 1.16.0)
+policy_module(ftp, 1.16.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-07-29 14:07 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-07-29 14:07 UTC (permalink / raw
To: gentoo-commits
commit: 4accddc2a2ee81d9ab501b96d866731969af79fa
Author: Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org>
AuthorDate: Sat Jul 5 16:40:44 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Jul 29 14:05:28 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=4accddc2
Label /usr/bin/tftpd as tftpd_exec_t
This TFTP daemon executable is provided by iputils package in Arch Linux
(https://www.archlinux.org/packages/core/x86_64/iputils/files/).
---
policy/modules/contrib/tftp.fc | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/contrib/tftp.fc b/policy/modules/contrib/tftp.fc
index 3dd87da..fb0b982 100644
--- a/policy/modules/contrib/tftp.fc
+++ b/policy/modules/contrib/tftp.fc
@@ -1,5 +1,7 @@
/etc/(x)?inetd\.d/tftp -- gen_context(system_u:object_r:tftpd_conf_t,s0)
+/usr/bin/tftpd -- gen_context(system_u:object_r:tftpd_exec_t,s0)
+
/usr/sbin/atftpd -- gen_context(system_u:object_r:tftpd_exec_t,s0)
/usr/sbin/in\.tftpd -- gen_context(system_u:object_r:tftpd_exec_t,s0)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-07-29 14:07 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-07-29 14:07 UTC (permalink / raw
To: gentoo-commits
commit: 4d42e1b7f3cb8de8d5073cde603986bf82189485
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue Jul 8 12:45:00 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Jul 29 14:05:23 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=4d42e1b7
Module version bump for alsa and hiawatha fixes from Sven Vermeulen.
---
policy/modules/contrib/alsa.te | 2 +-
policy/modules/contrib/apache.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/alsa.te b/policy/modules/contrib/alsa.te
index 4b818a0..642a587 100644
--- a/policy/modules/contrib/alsa.te
+++ b/policy/modules/contrib/alsa.te
@@ -1,4 +1,4 @@
-policy_module(alsa, 1.13.0)
+policy_module(alsa, 1.13.1)
########################################
#
diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index 5570175..2e187d2 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -1,4 +1,4 @@
-policy_module(apache, 2.8.3)
+policy_module(apache, 2.8.4)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-07-29 14:07 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-07-29 14:07 UTC (permalink / raw
To: gentoo-commits
commit: ad9cc622fb5bef6e37054150efd55ecead438889
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Jul 5 16:19:14 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Jul 29 14:05:20 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ad9cc622
Enable asound.state.lock support
asound.state.lock file when managing alsa state operations.
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
---
policy/modules/contrib/alsa.fc | 2 ++
policy/modules/contrib/alsa.te | 6 ++++++
2 files changed, 8 insertions(+)
diff --git a/policy/modules/contrib/alsa.fc b/policy/modules/contrib/alsa.fc
index 33d9d31..6c3c0ba 100644
--- a/policy/modules/contrib/alsa.fc
+++ b/policy/modules/contrib/alsa.fc
@@ -24,3 +24,5 @@ ifdef(`distro_debian',`
/usr/share/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0)
+
+/var/lock/asound\.state\.lock -- gen_context(system_u:object_r:alsa_var_lock_t,s0)
diff --git a/policy/modules/contrib/alsa.te b/policy/modules/contrib/alsa.te
index 5b04663..4b818a0 100644
--- a/policy/modules/contrib/alsa.te
+++ b/policy/modules/contrib/alsa.te
@@ -24,6 +24,9 @@ files_tmpfs_file(alsa_tmpfs_t)
type alsa_var_lib_t;
files_type(alsa_var_lib_t)
+type alsa_var_lock_t;
+files_lock_file(alsa_var_lock_t)
+
type alsa_home_t;
userdom_user_home_content(alsa_home_t)
@@ -57,6 +60,9 @@ fs_tmpfs_filetrans(alsa_t, alsa_tmpfs_t, file)
manage_dirs_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
manage_files_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
+allow alsa_t alsa_var_lock_t:file manage_file_perms;
+files_lock_filetrans(alsa_t, alsa_var_lock_t, file);
+
kernel_read_system_state(alsa_t)
corecmd_exec_bin(alsa_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-07-29 14:07 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-07-29 14:07 UTC (permalink / raw
To: gentoo-commits
commit: 11cb1c719459a62bbb5a62f1ed7e54a602040ae9
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Jul 5 16:53:00 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Jul 29 14:05:22 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=11cb1c71
Add support for Hiawatha web server
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
---
policy/modules/contrib/apache.fc | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/policy/modules/contrib/apache.fc b/policy/modules/contrib/apache.fc
index 818e177..0a2dbfd 100644
--- a/policy/modules/contrib/apache.fc
+++ b/policy/modules/contrib/apache.fc
@@ -8,6 +8,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)? gen_context(system_u:objec
/etc/cherokee(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
/etc/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/etc/glpi(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/hiawatha(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
/etc/horde(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/etc/httpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
@@ -19,6 +20,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)? gen_context(system_u:objec
/etc/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/etc/rc\.d/init\.d/cherokee -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/hiawatha -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
/etc/rc\.d/init\.d/lighttpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
@@ -36,6 +38,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)? gen_context(system_u:objec
/usr/bin/htsslpass -- gen_context(system_u:object_r:httpd_helper_exec_t,s0)
/usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/ssi-cgi -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/lib/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
@@ -52,12 +55,15 @@ HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)? gen_context(system_u:objec
/usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/cgi-wrapper -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/cherokee -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/hiawatha -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/httpd\.event -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
/usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
+/usr/sbin/wigwam -- gen_context(system_u:object_r:httpd_exec_t,s0)
ifdef(`distro_suse',`
/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
@@ -105,6 +111,7 @@ ifdef(`distro_suse',`
/var/lib/dokuwiki(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/var/lib/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/var/lib/glpi(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/hiawatha(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
/var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
/var/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
@@ -124,6 +131,7 @@ ifdef(`distro_suse',`
/var/log/cherokee(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/dirsrv/admin-serv(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/glpi(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/hiawatha(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/mlogc(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-07-29 14:07 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-07-29 14:07 UTC (permalink / raw
To: gentoo-commits
commit: d98d2b28806a778ca2edfab26a5d81a2e79e8e9a
Author: Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org>
AuthorDate: Sat Jul 5 16:42:29 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Jul 29 14:05:26 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=d98d2b28
ftp: fix labels in /var/lock/subsys/
In the pattern "/var/lock/subsys/*.ftpd", the star is applied to the
slash instead to the dot. This means that the pattern matches these
files:
* "Xftpd" in "/var/lock/subsys/" (where X is whatever character)
* "subsysXftpd" in "/var/lock/" (where X is whatever character)
"/var/lock/subsys/vsftpd", which has been used by vsftpd, is therefore
not matched by the pattern.
As "*." looks like a typo, this patch replaces it with ".*".
---
policy/modules/contrib/ftp.fc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/ftp.fc b/policy/modules/contrib/ftp.fc
index ddb75c1..fa132af 100644
--- a/policy/modules/contrib/ftp.fc
+++ b/policy/modules/contrib/ftp.fc
@@ -19,7 +19,7 @@
/usr/libexec/webmin/vsftpd/webalizer/xfer_log -- gen_context(system_u:object_r:xferlog_t,s0)
-/var/lock/subsys/*.ftpd -- gen_context(system_u:object_r:ftpd_lock_t,s0)
+/var/lock/subsys/.*ftpd -- gen_context(system_u:object_r:ftpd_lock_t,s0)
/var/log/muddleftpd\.log.* -- gen_context(system_u:object_r:xferlog_t,s0)
/var/log/proftpd(/.*)? gen_context(system_u:object_r:xferlog_t,s0)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-07-15 16:16 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-07-15 16:16 UTC (permalink / raw
To: gentoo-commits
commit: 672aebd0c55d3c3f4f51143a95e3a65d4649c937
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Jul 15 16:10:34 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Jul 15 16:12:42 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=672aebd0
dropbox exec path change
Dropbox has apparently decided that it will now use the following:
~/.dropbox-dist/dropbox-lnx.x86_64-2.10.1/dropbox
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>
---
policy/modules/contrib/dropbox.fc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/dropbox.fc b/policy/modules/contrib/dropbox.fc
index ddc22f0..a83a1bf 100644
--- a/policy/modules/contrib/dropbox.fc
+++ b/policy/modules/contrib/dropbox.fc
@@ -4,7 +4,7 @@ HOME_DIR/\.dropbox(/.*)? gen_context(system_u:object_r:dropbo
HOME_DIR/\.dropbox-dist(/.*)? gen_context(system_u:object_r:dropbox_home_t,s0)
HOME_DIR/\.dropbox-master(/.*)? gen_context(system_u:object_r:dropbox_home_t,s0)
-HOME_DIR/\.dropbox-dist/dropboxd? -- gen_context(system_u:object_r:dropbox_exec_t,s0)
+HOME_DIR/\.dropbox-dist(/.*)?/dropboxd? -- gen_context(system_u:object_r:dropbox_exec_t,s0)
/opt/bin/dropbox -l gen_context(system_u:object_r:dropbox_exec_t,s0)
/opt/dropbox/.*py?\.?.*egg(/.*)? gen_context(system_u:object_r:lib_t,s0)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-07-06 9:49 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-07-06 9:49 UTC (permalink / raw
To: gentoo-commits
commit: 9668ef191f10834fd4d5904c8a5a9f62eb04dfb4
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Jul 5 16:19:09 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Jul 6 09:48:20 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=9668ef19
dontaudits for chromium
When chromium_read_system_info is enabled, chromium tries to getattr
on a lot of files in /dev. They are not required and this quiets
chromium a bit more.
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>
---
policy/modules/contrib/chromium.te | 3 +++
1 file changed, 3 insertions(+)
diff --git a/policy/modules/contrib/chromium.te b/policy/modules/contrib/chromium.te
index 878d8c9..0f72dd7 100644
--- a/policy/modules/contrib/chromium.te
+++ b/policy/modules/contrib/chromium.te
@@ -191,6 +191,9 @@ tunable_policy(`chromium_read_system_info',`
storage_getattr_fixed_disk_dev(chromium_t)
files_read_etc_runtime_files(chromium_t)
+
+ dev_dontaudit_getattr_all_chr_files(chromium_t)
+ init_dontaudit_getattr_initctl(chromium_t)
',`
kernel_dontaudit_read_kernel_sysctls(chromium_t)
kernel_dontaudit_read_system_state(chromium_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-07-06 9:49 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-07-06 9:49 UTC (permalink / raw
To: gentoo-commits
commit: e272f69ec718dcd0f6e0df8ade02e722df918440
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Jul 5 16:19:08 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Jul 6 09:48:19 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e272f69e
Create chromium_bind_tcp_unreserved_ports boolean
Some extensions for chromium need to be able to listen on tcp ports.
This adds a boolean (default off) to allow binding to unreserved tcp
ports.
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>
---
policy/modules/contrib/chromium.te | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/policy/modules/contrib/chromium.te b/policy/modules/contrib/chromium.te
index b460904..878d8c9 100644
--- a/policy/modules/contrib/chromium.te
+++ b/policy/modules/contrib/chromium.te
@@ -30,6 +30,17 @@ gen_tunable(chromium_use_java, false)
## </desc>
gen_tunable(chromium_read_system_info, false)
+## <desc>
+## <p>
+## Allow chromium to bind to tcp ports
+## </p>
+## <p>
+## Although not needed for regular browsing, some chrome extensions need to
+## bind to tcp ports and accept connections.
+## </p>
+## </desc>
+gen_tunable(chromium_bind_tcp_unreserved_ports, false)
+
type chromium_t;
domain_dyntrans_type(chromium_t)
@@ -163,6 +174,12 @@ xdg_read_data_home_files(chromium_t)
xserver_user_x_domain_template(chromium, chromium_t, chromium_tmpfs_t)
+tunable_policy(`chromium_bind_tcp_unreserved_ports',`
+ corenet_tcp_bind_generic_node(chromium_t)
+ corenet_tcp_bind_all_unreserved_ports(chromium_t)
+ allow chromium_t self:tcp_socket { listen accept };
+')
+
tunable_policy(`chromium_read_system_info',`
kernel_read_kernel_sysctls(chromium_t)
# Memory optimizations & optimizations based on OS/version
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-07-05 17:17 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-07-05 17:17 UTC (permalink / raw
To: gentoo-commits
commit: 0f31533b6763859bc8c27a82530671130633dadc
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Jul 5 16:46:00 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Jul 5 16:46:00 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=0f31533b
Move gentoo specifics downwards
---
policy/modules/contrib/alsa.if | 36 +++++++++++++++++++-----------------
1 file changed, 19 insertions(+), 17 deletions(-)
diff --git a/policy/modules/contrib/alsa.if b/policy/modules/contrib/alsa.if
index 29806ad..8f25112 100644
--- a/policy/modules/contrib/alsa.if
+++ b/policy/modules/contrib/alsa.if
@@ -257,6 +257,25 @@ interface(`alsa_read_lib',`
read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
')
+#########################################
+## <summary>
+## Write Alsa lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`alsa_write_lib',`
+ gen_require(`
+ type alsa_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ write_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
+')
+
# Gentoo specific for now, but cannot use ifdef distro_gentoo in an interface
# alsa_domain - see http://oss.tresys.com/pipermail/refpolicy/2014-March/007029.html
@@ -287,21 +306,4 @@ interface(`alsa_domain',`
typeattribute $2 alsatmpfsfile;
')
-########################################
-## <summary>
-## Write Alsa lib files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`alsa_write_lib',`
- gen_require(`
- type alsa_var_lib_t;
- ')
- files_search_var_lib($1)
- write_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
-')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-07-05 17:17 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-07-05 17:17 UTC (permalink / raw
To: gentoo-commits
commit: 8a0f2621599af239512c2a063a1fe746803f4826
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Jul 5 16:44:38 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Jul 5 16:44:38 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=8a0f2621
Add upstream links for tracking
---
policy/modules/contrib/alsa.if | 3 +++
policy/modules/contrib/alsa.te | 4 ++++
2 files changed, 7 insertions(+)
diff --git a/policy/modules/contrib/alsa.if b/policy/modules/contrib/alsa.if
index 0de51d3..29806ad 100644
--- a/policy/modules/contrib/alsa.if
+++ b/policy/modules/contrib/alsa.if
@@ -259,6 +259,9 @@ interface(`alsa_read_lib',`
# Gentoo specific for now, but cannot use ifdef distro_gentoo in an interface
+# alsa_domain - see http://oss.tresys.com/pipermail/refpolicy/2014-March/007029.html
+# http://oss.tresys.com/pipermail/refpolicy/2014-April/007044.html
+
########################################
## <summary>
## Mark the selected domain as an alsa-capable domain
diff --git a/policy/modules/contrib/alsa.te b/policy/modules/contrib/alsa.te
index 93cd23b..5b04663 100644
--- a/policy/modules/contrib/alsa.te
+++ b/policy/modules/contrib/alsa.te
@@ -115,6 +115,10 @@ optional_policy(`
')
ifdef(`distro_gentoo',`
+
+# alsa_domain - see http://oss.tresys.com/pipermail/refpolicy/2014-March/007029.html
+# http://oss.tresys.com/pipermail/refpolicy/2014-April/007044.html
+
attribute alsadomain;
attribute alsatmpfsfile;
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-07-05 16:26 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-07-05 16:26 UTC (permalink / raw
To: gentoo-commits
commit: d26c82938d92e243bd011c1e21d8444035ac8f89
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Jul 5 16:25:41 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Jul 5 16:25:41 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=d26c8293
Fix bug #516238 - /usr/sbin/upsdrvctl is symlink to /lib64/nut/upsdrvctl
---
policy/modules/contrib/nut.fc | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/nut.fc b/policy/modules/contrib/nut.fc
index 379af96..40338b3 100644
--- a/policy/modules/contrib/nut.fc
+++ b/policy/modules/contrib/nut.fc
@@ -21,3 +21,7 @@
/var/www/nut-cgi-bin/upsimage\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
/var/www/nut-cgi-bin/upsset\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
/var/www/nut-cgi-bin/upsstats\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
+
+ifdef(`distro_gentoo',`
+/lib/nut/upsdrvctl -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
+')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-06-30 19:03 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-06-30 19:03 UTC (permalink / raw
To: gentoo-commits
commit: af754468a7fde0d8e230e2eb923489735112a5a1
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Jun 28 11:09:33 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Jun 30 18:59:49 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=af754468
Use init_daemon_pid_file for contrib modules
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
---
policy/modules/contrib/asterisk.te | 2 +-
policy/modules/contrib/bind.te | 2 +-
policy/modules/contrib/consolekit.te | 2 +-
policy/modules/contrib/couchdb.te | 2 +-
policy/modules/contrib/cups.te | 2 +-
policy/modules/contrib/dbus.te | 2 +-
policy/modules/contrib/dkim.te | 2 +-
policy/modules/contrib/exim.te | 2 +-
policy/modules/contrib/mysql.te | 2 +-
policy/modules/contrib/nscd.te | 2 +-
policy/modules/contrib/nut.te | 2 +-
policy/modules/contrib/pcscd.te | 2 +-
policy/modules/contrib/puppet.te | 2 +-
policy/modules/contrib/readahead.te | 2 +-
policy/modules/contrib/rpcbind.te | 2 +-
policy/modules/contrib/shibboleth.te | 2 +-
policy/modules/contrib/snort.te | 2 +-
policy/modules/contrib/tor.te | 2 +-
policy/modules/contrib/xen.te | 2 +-
19 files changed, 19 insertions(+), 19 deletions(-)
diff --git a/policy/modules/contrib/asterisk.te b/policy/modules/contrib/asterisk.te
index e1ec6bb..2975acd 100644
--- a/policy/modules/contrib/asterisk.te
+++ b/policy/modules/contrib/asterisk.te
@@ -32,7 +32,7 @@ files_type(asterisk_var_lib_t)
type asterisk_var_run_t;
files_pid_file(asterisk_var_run_t)
-init_daemon_run_dir(asterisk_var_run_t, "asterisk")
+init_daemon_pid_file(asterisk_var_run_t, dir, "asterisk")
########################################
#
diff --git a/policy/modules/contrib/bind.te b/policy/modules/contrib/bind.te
index 796c270..9ba5f03 100644
--- a/policy/modules/contrib/bind.te
+++ b/policy/modules/contrib/bind.te
@@ -55,7 +55,7 @@ files_tmp_file(named_tmp_t)
type named_var_run_t;
files_pid_file(named_var_run_t)
-init_daemon_run_dir(named_var_run_t, "named")
+init_daemon_pid_file(named_var_run_t, dir, "named")
# for primary zone files
type named_zone_t;
diff --git a/policy/modules/contrib/consolekit.te b/policy/modules/contrib/consolekit.te
index bd18063..25f444e 100644
--- a/policy/modules/contrib/consolekit.te
+++ b/policy/modules/contrib/consolekit.te
@@ -17,7 +17,7 @@ files_tmpfs_file(consolekit_tmpfs_t)
type consolekit_var_run_t;
files_pid_file(consolekit_var_run_t)
-init_daemon_run_dir(consolekit_var_run_t, "ConsoleKit")
+init_daemon_pid_file(consolekit_var_run_t, dir, "ConsoleKit")
########################################
#
diff --git a/policy/modules/contrib/couchdb.te b/policy/modules/contrib/couchdb.te
index 9469b57..2248ede 100644
--- a/policy/modules/contrib/couchdb.te
+++ b/policy/modules/contrib/couchdb.te
@@ -30,7 +30,7 @@ files_type(couchdb_var_lib_t)
type couchdb_var_run_t;
files_pid_file(couchdb_var_run_t)
-init_daemon_run_dir(couchdb_var_run_t, "couchdb")
+init_daemon_pid_file(couchdb_var_run_t, dir, "couchdb")
########################################
#
diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te
index 5b06ce2..7ed33ac 100644
--- a/policy/modules/contrib/cups.te
+++ b/policy/modules/contrib/cups.te
@@ -59,7 +59,7 @@ files_tmp_file(cupsd_tmp_t)
type cupsd_var_run_t;
files_pid_file(cupsd_var_run_t)
-init_daemon_run_dir(cupsd_var_run_t, "cups")
+init_daemon_pid_file(cupsd_var_run_t, dir, "cups")
mls_trusted_object(cupsd_var_run_t)
type hplip_t;
diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index 8075f85..6557312 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -41,7 +41,7 @@ files_type(system_dbusd_var_lib_t)
type system_dbusd_var_run_t;
files_pid_file(system_dbusd_var_run_t)
-init_daemon_run_dir(system_dbusd_var_run_t, "dbus")
+init_daemon_pid_file(system_dbusd_var_run_t, dir, "dbus")
ifdef(`enable_mcs',`
init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh)
diff --git a/policy/modules/contrib/dkim.te b/policy/modules/contrib/dkim.te
index 6a73d60..021a7ae 100644
--- a/policy/modules/contrib/dkim.te
+++ b/policy/modules/contrib/dkim.te
@@ -13,7 +13,7 @@ init_script_file(dkim_milter_initrc_exec_t)
type dkim_milter_private_key_t;
files_type(dkim_milter_private_key_t)
-init_daemon_run_dir(dkim_milter_data_t, "opendkim")
+init_daemon_pid_file(dkim_milter_data_t, dir, "opendkim")
########################################
#
diff --git a/policy/modules/contrib/exim.te b/policy/modules/contrib/exim.te
index 768a69f..508504a 100644
--- a/policy/modules/contrib/exim.te
+++ b/policy/modules/contrib/exim.te
@@ -64,7 +64,7 @@ type exim_var_run_t;
files_pid_file(exim_var_run_t)
ifdef(`distro_debian',`
- init_daemon_run_dir(exim_var_run_t, "exim4")
+ init_daemon_pid_file(exim_var_run_t, dir, "exim4")
')
########################################
diff --git a/policy/modules/contrib/mysql.te b/policy/modules/contrib/mysql.te
index 80d2c6f..f023642 100644
--- a/policy/modules/contrib/mysql.te
+++ b/policy/modules/contrib/mysql.te
@@ -27,7 +27,7 @@ init_daemon_domain(mysqld_safe_t, mysqld_safe_exec_t)
type mysqld_var_run_t;
files_pid_file(mysqld_var_run_t)
-init_daemon_run_dir(mysqld_var_run_t, "mysqld")
+init_daemon_pid_file(mysqld_var_run_t, dir, "mysqld")
type mysqld_db_t;
files_type(mysqld_db_t)
diff --git a/policy/modules/contrib/nscd.te b/policy/modules/contrib/nscd.te
index bcd7d0a..eaf1a56 100644
--- a/policy/modules/contrib/nscd.te
+++ b/policy/modules/contrib/nscd.te
@@ -21,7 +21,7 @@ attribute_role nscd_roles;
type nscd_var_run_t;
files_pid_file(nscd_var_run_t)
-init_daemon_run_dir(nscd_var_run_t, "nscd")
+init_daemon_pid_file(nscd_var_run_t, dir, "nscd")
type nscd_t;
type nscd_exec_t;
diff --git a/policy/modules/contrib/nut.te b/policy/modules/contrib/nut.te
index 5b2cb0d..4816f03 100644
--- a/policy/modules/contrib/nut.te
+++ b/policy/modules/contrib/nut.te
@@ -27,7 +27,7 @@ init_script_file(nut_initrc_exec_t)
type nut_var_run_t;
files_pid_file(nut_var_run_t)
-init_daemon_run_dir(nut_var_run_t, "nut")
+init_daemon_pid_file(nut_var_run_t, dir, "nut")
########################################
#
diff --git a/policy/modules/contrib/pcscd.te b/policy/modules/contrib/pcscd.te
index 1af594e..16ceba4 100644
--- a/policy/modules/contrib/pcscd.te
+++ b/policy/modules/contrib/pcscd.te
@@ -14,7 +14,7 @@ init_script_file(pcscd_initrc_exec_t)
type pcscd_var_run_t;
files_pid_file(pcscd_var_run_t)
-init_daemon_run_dir(pcscd_var_run_t, "pcscd")
+init_daemon_pid_file(pcscd_var_run_t, dir, "pcscd")
########################################
#
diff --git a/policy/modules/contrib/puppet.te b/policy/modules/contrib/puppet.te
index 86e3512..6fa9b91 100644
--- a/policy/modules/contrib/puppet.te
+++ b/policy/modules/contrib/puppet.te
@@ -37,7 +37,7 @@ files_type(puppet_var_lib_t)
type puppet_var_run_t;
files_pid_file(puppet_var_run_t)
-init_daemon_run_dir(puppet_var_run_t, "puppet")
+init_daemon_pid_file(puppet_var_run_t, dir, "puppet")
type puppetca_t;
type puppetca_exec_t;
diff --git a/policy/modules/contrib/readahead.te b/policy/modules/contrib/readahead.te
index c0b02c9..27e3bc5 100644
--- a/policy/modules/contrib/readahead.te
+++ b/policy/modules/contrib/readahead.te
@@ -15,7 +15,7 @@ typealias readahead_var_lib_t alias readahead_etc_rw_t;
type readahead_var_run_t;
files_pid_file(readahead_var_run_t)
-init_daemon_run_dir(readahead_var_run_t, "readahead")
+init_daemon_pid_file(readahead_var_run_t, dir, "readahead")
########################################
#
diff --git a/policy/modules/contrib/rpcbind.te b/policy/modules/contrib/rpcbind.te
index 75f7e70..1f36970 100644
--- a/policy/modules/contrib/rpcbind.te
+++ b/policy/modules/contrib/rpcbind.te
@@ -14,7 +14,7 @@ init_script_file(rpcbind_initrc_exec_t)
type rpcbind_var_run_t;
files_pid_file(rpcbind_var_run_t)
-init_daemon_run_dir(rpcbind_var_run_t, "rpcbind")
+init_daemon_pid_file(rpcbind_var_run_t, dir, "rpcbind")
type rpcbind_var_lib_t;
files_type(rpcbind_var_lib_t)
diff --git a/policy/modules/contrib/shibboleth.te b/policy/modules/contrib/shibboleth.te
index 63950ea..23730ee 100644
--- a/policy/modules/contrib/shibboleth.te
+++ b/policy/modules/contrib/shibboleth.te
@@ -17,7 +17,7 @@ logging_log_file(shibboleth_log_t)
type shibboleth_var_run_t;
files_pid_file(shibboleth_var_run_t)
-init_daemon_run_dir(shibboleth_var_run_t, "shibboleth")
+init_daemon_pid_file(shibboleth_var_run_t, dir, "shibboleth")
########################################
#
diff --git a/policy/modules/contrib/snort.te b/policy/modules/contrib/snort.te
index 42e685f..80d9713 100644
--- a/policy/modules/contrib/snort.te
+++ b/policy/modules/contrib/snort.te
@@ -23,7 +23,7 @@ files_tmp_file(snort_tmp_t)
type snort_var_run_t;
files_pid_file(snort_var_run_t)
-init_daemon_run_dir(snort_var_run_t, "snort")
+init_daemon_pid_file(snort_var_run_t, dir, "snort")
########################################
#
diff --git a/policy/modules/contrib/tor.te b/policy/modules/contrib/tor.te
index 5ceacde..8db861b 100644
--- a/policy/modules/contrib/tor.te
+++ b/policy/modules/contrib/tor.te
@@ -31,7 +31,7 @@ logging_log_file(tor_var_log_t)
type tor_var_run_t;
files_pid_file(tor_var_run_t)
-init_daemon_run_dir(tor_var_run_t, "tor")
+init_daemon_pid_file(tor_var_run_t, dir, "tor")
########################################
#
diff --git a/policy/modules/contrib/xen.te b/policy/modules/contrib/xen.te
index 6f736a9..3d95d69 100644
--- a/policy/modules/contrib/xen.te
+++ b/policy/modules/contrib/xen.te
@@ -105,7 +105,7 @@ logging_log_file(xenstored_var_log_t)
type xenstored_var_run_t;
files_pid_file(xenstored_var_run_t)
-init_daemon_run_dir(xenstored_var_run_t, "xenstored")
+init_daemon_pid_file(xenstored_var_run_t, dir, "xenstored")
type xenconsoled_t;
type xenconsoled_exec_t;
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-06-30 19:03 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-06-30 19:03 UTC (permalink / raw
To: gentoo-commits
commit: cf2c3e45df5395456c6a7074446df47ce4f34550
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Mon Jun 30 18:33:52 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Jun 30 19:00:11 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=cf2c3e45
Module version bump for init_daemon_pid_file use from Sven Vermeulen.
---
policy/modules/contrib/asterisk.te | 2 +-
policy/modules/contrib/bind.te | 2 +-
policy/modules/contrib/consolekit.te | 2 +-
policy/modules/contrib/couchdb.te | 2 +-
policy/modules/contrib/cups.te | 2 +-
policy/modules/contrib/dbus.te | 2 +-
policy/modules/contrib/dkim.te | 2 +-
policy/modules/contrib/exim.te | 2 +-
policy/modules/contrib/mysql.te | 2 +-
policy/modules/contrib/nscd.te | 2 +-
policy/modules/contrib/nut.te | 2 +-
policy/modules/contrib/pcscd.te | 2 +-
policy/modules/contrib/puppet.te | 2 +-
policy/modules/contrib/readahead.te | 2 +-
policy/modules/contrib/rpcbind.te | 2 +-
policy/modules/contrib/shibboleth.te | 2 +-
policy/modules/contrib/snort.te | 2 +-
policy/modules/contrib/tor.te | 2 +-
policy/modules/contrib/xen.te | 2 +-
19 files changed, 19 insertions(+), 19 deletions(-)
diff --git a/policy/modules/contrib/asterisk.te b/policy/modules/contrib/asterisk.te
index 2975acd..5b4036a 100644
--- a/policy/modules/contrib/asterisk.te
+++ b/policy/modules/contrib/asterisk.te
@@ -1,4 +1,4 @@
-policy_module(asterisk, 1.13.0)
+policy_module(asterisk, 1.13.1)
########################################
#
diff --git a/policy/modules/contrib/bind.te b/policy/modules/contrib/bind.te
index 9ba5f03..bfb927f 100644
--- a/policy/modules/contrib/bind.te
+++ b/policy/modules/contrib/bind.te
@@ -1,4 +1,4 @@
-policy_module(bind, 1.14.0)
+policy_module(bind, 1.14.1)
########################################
#
diff --git a/policy/modules/contrib/consolekit.te b/policy/modules/contrib/consolekit.te
index 25f444e..c9aaea7 100644
--- a/policy/modules/contrib/consolekit.te
+++ b/policy/modules/contrib/consolekit.te
@@ -1,4 +1,4 @@
-policy_module(consolekit, 1.9.0)
+policy_module(consolekit, 1.9.1)
########################################
#
diff --git a/policy/modules/contrib/couchdb.te b/policy/modules/contrib/couchdb.te
index 2248ede..4f61fae 100644
--- a/policy/modules/contrib/couchdb.te
+++ b/policy/modules/contrib/couchdb.te
@@ -1,4 +1,4 @@
-policy_module(couchdb, 1.2.0)
+policy_module(couchdb, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te
index 7ed33ac..779caf8 100644
--- a/policy/modules/contrib/cups.te
+++ b/policy/modules/contrib/cups.te
@@ -1,4 +1,4 @@
-policy_module(cups, 1.17.0)
+policy_module(cups, 1.17.1)
########################################
#
diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index 6557312..45b9d32 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -1,4 +1,4 @@
-policy_module(dbus, 1.19.1)
+policy_module(dbus, 1.19.2)
gen_require(`
class dbus all_dbus_perms;
diff --git a/policy/modules/contrib/dkim.te b/policy/modules/contrib/dkim.te
index 021a7ae..959b29c 100644
--- a/policy/modules/contrib/dkim.te
+++ b/policy/modules/contrib/dkim.te
@@ -1,4 +1,4 @@
-policy_module(dkim, 1.2.0)
+policy_module(dkim, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/exim.te b/policy/modules/contrib/exim.te
index 508504a..1924072 100644
--- a/policy/modules/contrib/exim.te
+++ b/policy/modules/contrib/exim.te
@@ -1,4 +1,4 @@
-policy_module(exim, 1.7.1)
+policy_module(exim, 1.7.2)
########################################
#
diff --git a/policy/modules/contrib/mysql.te b/policy/modules/contrib/mysql.te
index f023642..6f2a4f5 100644
--- a/policy/modules/contrib/mysql.te
+++ b/policy/modules/contrib/mysql.te
@@ -1,4 +1,4 @@
-policy_module(mysql, 1.15.0)
+policy_module(mysql, 1.15.1)
########################################
#
diff --git a/policy/modules/contrib/nscd.te b/policy/modules/contrib/nscd.te
index eaf1a56..a1ba3af 100644
--- a/policy/modules/contrib/nscd.te
+++ b/policy/modules/contrib/nscd.te
@@ -1,4 +1,4 @@
-policy_module(nscd, 1.11.0)
+policy_module(nscd, 1.11.1)
gen_require(`
class nscd all_nscd_perms;
diff --git a/policy/modules/contrib/nut.te b/policy/modules/contrib/nut.te
index 4816f03..ab8b8da 100644
--- a/policy/modules/contrib/nut.te
+++ b/policy/modules/contrib/nut.te
@@ -1,4 +1,4 @@
-policy_module(nut, 1.3.0)
+policy_module(nut, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/pcscd.te b/policy/modules/contrib/pcscd.te
index 16ceba4..162cd3e 100644
--- a/policy/modules/contrib/pcscd.te
+++ b/policy/modules/contrib/pcscd.te
@@ -1,4 +1,4 @@
-policy_module(pcscd, 1.9.0)
+policy_module(pcscd, 1.9.1)
########################################
#
diff --git a/policy/modules/contrib/puppet.te b/policy/modules/contrib/puppet.te
index 6fa9b91..8b8a51c 100644
--- a/policy/modules/contrib/puppet.te
+++ b/policy/modules/contrib/puppet.te
@@ -1,4 +1,4 @@
-policy_module(puppet, 1.4.0)
+policy_module(puppet, 1.4.1)
########################################
#
diff --git a/policy/modules/contrib/readahead.te b/policy/modules/contrib/readahead.te
index 27e3bc5..92ad7d1 100644
--- a/policy/modules/contrib/readahead.te
+++ b/policy/modules/contrib/readahead.te
@@ -1,4 +1,4 @@
-policy_module(readahead, 1.13.0)
+policy_module(readahead, 1.13.1)
########################################
#
diff --git a/policy/modules/contrib/rpcbind.te b/policy/modules/contrib/rpcbind.te
index 1f36970..eefc5df 100644
--- a/policy/modules/contrib/rpcbind.te
+++ b/policy/modules/contrib/rpcbind.te
@@ -1,4 +1,4 @@
-policy_module(rpcbind, 1.7.0)
+policy_module(rpcbind, 1.7.1)
########################################
#
diff --git a/policy/modules/contrib/shibboleth.te b/policy/modules/contrib/shibboleth.te
index 23730ee..9314b5e 100644
--- a/policy/modules/contrib/shibboleth.te
+++ b/policy/modules/contrib/shibboleth.te
@@ -1,4 +1,4 @@
-policy_module(shibboleth, 1.0.0)
+policy_module(shibboleth, 1.0.1)
########################################
#
diff --git a/policy/modules/contrib/snort.te b/policy/modules/contrib/snort.te
index 80d9713..60d92b9 100644
--- a/policy/modules/contrib/snort.te
+++ b/policy/modules/contrib/snort.te
@@ -1,4 +1,4 @@
-policy_module(snort, 1.11.1)
+policy_module(snort, 1.11.2)
########################################
#
diff --git a/policy/modules/contrib/tor.te b/policy/modules/contrib/tor.te
index 8db861b..373760a 100644
--- a/policy/modules/contrib/tor.te
+++ b/policy/modules/contrib/tor.te
@@ -1,4 +1,4 @@
-policy_module(tor, 1.9.0)
+policy_module(tor, 1.9.1)
########################################
#
diff --git a/policy/modules/contrib/xen.te b/policy/modules/contrib/xen.te
index 3d95d69..ddb8fa2 100644
--- a/policy/modules/contrib/xen.te
+++ b/policy/modules/contrib/xen.te
@@ -1,4 +1,4 @@
-policy_module(xen, 1.13.0)
+policy_module(xen, 1.13.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-06-25 20:05 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-06-25 20:05 UTC (permalink / raw
To: gentoo-commits
commit: c2fb096af41c18f6e8d7f891fe86c8206aa886e9
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Jun 24 18:44:00 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Jun 25 20:04:14 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=c2fb096a
Filetrans for git-r3.eclass
the filetrans was for the old git.eclass
which is not used anymore
---
policy/modules/contrib/portage.te | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/portage.te b/policy/modules/contrib/portage.te
index 149586e..579447c 100644
--- a/policy/modules/contrib/portage.te
+++ b/policy/modules/contrib/portage.te
@@ -465,8 +465,8 @@ gen_tunable(portage_mount_fs, false)
# When using live ebuilds, manipulation is done in sandbox domain
filetrans_pattern(portage_sandbox_t, portage_ebuild_t, portage_srcrepo_t, dir, "cvs-src")
- filetrans_pattern(portage_sandbox_t, portage_ebuild_t, portage_srcrepo_t, dir, "egit-src")
- filetrans_pattern(portage_sandbox_t, portage_ebuild_t, portage_srcrepo_t, dir, "git-src")
+ filetrans_pattern(portage_sandbox_t, portage_ebuild_t, portage_srcrepo_t, dir, "egit-src") # git-2.eclass
+ filetrans_pattern(portage_sandbox_t, portage_ebuild_t, portage_srcrepo_t, dir, "git3-src") # git-r3.eclass
filetrans_pattern(portage_sandbox_t, portage_ebuild_t, portage_srcrepo_t, dir, "svn-src")
##########################################
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-06-25 19:56 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-06-25 19:56 UTC (permalink / raw
To: gentoo-commits
commit: f4284ca3c2aa40c9c5296be9a157e45250f497c5
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Jun 25 19:53:48 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Jun 25 19:53:48 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f4284ca3
Fix bug #509728 - Add openresolv support
The openresolv application implements the resolvconf interface that many
network services have. This policy should support those network services
*if* they are enabled further through the resolvconf_client_domain()
attribute.
For instance:
resolvconf_client_domain(dhcpc_t)
---
policy/modules/contrib/resolvconf.fc | 6 +++
policy/modules/contrib/resolvconf.if | 102 +++++++++++++++++++++++++++++++++++
policy/modules/contrib/resolvconf.te | 52 ++++++++++++++++++
3 files changed, 160 insertions(+)
diff --git a/policy/modules/contrib/resolvconf.fc b/policy/modules/contrib/resolvconf.fc
new file mode 100644
index 0000000..a7c9eed
--- /dev/null
+++ b/policy/modules/contrib/resolvconf.fc
@@ -0,0 +1,6 @@
+
+/etc/resolvconf.conf -- gen_context(system_u:object_r:resolvconf_conf_t,s0)
+
+/lib/resolvconf(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+/sbin/resolvconf -- gen_context(system_u:object_r:resolvconf_exec_t,s0)
diff --git a/policy/modules/contrib/resolvconf.if b/policy/modules/contrib/resolvconf.if
new file mode 100644
index 0000000..7a93eb6
--- /dev/null
+++ b/policy/modules/contrib/resolvconf.if
@@ -0,0 +1,102 @@
+## <summary>OpenResolv network configuration management</summary>
+
+#########################################
+## <summary>
+## Mark the domain as a resolvconf client, automatically granting
+## the necessary privileges (execute resolvconf and type access).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to mark as a resolvconf client
+## </summary>
+## </param>
+#
+interface(`resolvconf_client_domain',`
+ gen_require(`
+ attribute resolvconf_client;
+ ')
+
+ typeattribute $1 resolvconf_client;
+')
+
+#########################################
+## <summary>
+## Assign the proper permissions to the domain, such as
+## executing resolvconf and accessing its types.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to assign proper permissions to
+## </summary>
+## </param>
+#
+interface(`resolvconf_client_domain_privs',`
+ resolvconf_domtrans($1)
+ resolvconf_generic_run_filetrans_run($1, dir, "resolvconf")
+')
+
+#########################################
+## <summary>
+## Execute resolvconf and transition to the resolvconf_t domain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition
+## </summary>
+## </param>
+#
+interface(`resolvconf_domtrans',`
+ gen_require(`
+ type resolvconf_t;
+ type resolvconf_exec_t;
+ ')
+
+ domtrans_pattern($1, resolvconf_exec_t, resolvconf_t)
+')
+
+#########################################
+## <summary>
+## Execute resolvconf in the calling domain (no transition)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to execute
+## </summary>
+## </param>
+#
+interface(`resolvconf_exec',`
+ gen_require(`
+ type resolvconf_exec_t;
+ ')
+
+ can_exec($1, resolvconf_exec_t)
+')
+
+#########################################
+## <summary>
+## Transition to resolvconf_run_t when creating resources
+## inside the generic run directory
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="class">
+## <summary>
+## Class on which a file transition has to occur
+## </summary>
+## </param>
+## <param name="filename" optional="true">
+## <summary>
+## Name of the resource on which a file transition has to occur
+## </summary>
+## </param>
+#
+interface(`resolvconf_generic_run_filetrans_run',`
+ gen_require(`
+ type resolvconf_var_run_t;
+ ')
+
+ files_pid_filetrans($1, resolvconf_var_run_t, $2, $3)
+')
diff --git a/policy/modules/contrib/resolvconf.te b/policy/modules/contrib/resolvconf.te
new file mode 100644
index 0000000..7fbd00d
--- /dev/null
+++ b/policy/modules/contrib/resolvconf.te
@@ -0,0 +1,52 @@
+policy_module(resolvconf, 0.1)
+
+type resolvconf_t;
+type resolvconf_exec_t;
+domain_type(resolvconf_t)
+domain_entry_file(resolvconf_t, resolvconf_exec_t)
+role system_r types resolvconf_t;
+
+attribute resolvconf_client;
+
+type resolvconf_conf_t;
+files_config_file(resolvconf_conf_t)
+
+type resolvconf_var_run_t;
+files_pid_file(resolvconf_var_run_t)
+
+#########################################
+#
+# OpenResolv policy
+#
+
+allow resolvconf_t self:fifo_file manage_fifo_file_perms;
+allow resolvconf_t resolvconf_conf_t:file read_file_perms;
+
+manage_dirs_pattern(resolvconf_t, resolvconf_var_run_t, resolvconf_var_run_t)
+manage_files_pattern(resolvconf_t, resolvconf_var_run_t, resolvconf_var_run_t)
+
+corecmd_exec_bin(resolvconf_t)
+corecmd_exec_shell(resolvconf_t)
+
+files_pid_filetrans(resolvconf_t, resolvconf_var_run_t, { dir file })
+files_read_etc_files(resolvconf_t)
+
+sysnet_manage_config(resolvconf_t)
+
+optional_policy(`
+ init_domtrans_script(resolvconf_t)
+ init_read_script_status_files(resolvconf_t)
+ init_use_script_fds(resolvconf_t)
+ init_use_script_ptys(resolvconf_t)
+')
+
+optional_policy(`
+ term_dontaudit_use_console(resolvconf_t)
+')
+
+#########################################
+#
+# Resolvconf client policy
+#
+
+resolvconf_client_domain_privs(resolvconf_client)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-06-25 19:06 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-06-25 19:06 UTC (permalink / raw
To: gentoo-commits
commit: a62050c31b26767018a3c7585b2905d9b7a40b0f
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Jun 23 18:41:01 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Jun 25 19:04:46 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=a62050c3
Add filetrans for ntp-kod file
sntp has a file used to persist the history of KoD responses
received from servers. The default is /var/db/ntp-kod.
This patch adds the fcontext and a filetrans so it can be created.
Changes from v1:
* use files_var_filetrans instead of filetrans_pattern
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>
---
policy/modules/contrib/ntp.fc | 1 +
policy/modules/contrib/ntp.te | 1 +
2 files changed, 2 insertions(+)
diff --git a/policy/modules/contrib/ntp.fc b/policy/modules/contrib/ntp.fc
index 147e480..89b9cb1 100644
--- a/policy/modules/contrib/ntp.fc
+++ b/policy/modules/contrib/ntp.fc
@@ -17,6 +17,7 @@
/var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
/var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
+/var/db/ntp-kod -- gen_context(system_u:object_r:ntp_drift_t,s0)
/var/log/ntp.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
/var/log/ntpstats(/.*)? gen_context(system_u:object_r:ntpd_log_t,s0)
diff --git a/policy/modules/contrib/ntp.te b/policy/modules/contrib/ntp.te
index c37385e..37d974a 100644
--- a/policy/modules/contrib/ntp.te
+++ b/policy/modules/contrib/ntp.te
@@ -53,6 +53,7 @@ allow ntpd_t self:tcp_socket { accept listen };
manage_dirs_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
manage_files_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
+files_var_filetrans(ntpd_t, ntp_drift_t, file, "ntp-kod")
allow ntpd_t ntp_conf_t:file read_file_perms;
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-06-25 19:06 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-06-25 19:06 UTC (permalink / raw
To: gentoo-commits
commit: 41ec36430d71733407a568f4c579ec16ef7e51a0
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Wed Jun 25 15:53:56 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Jun 25 19:04:48 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=41ec3643
Remove name from ntp-kod ntp_drift_t filetrans.
---
policy/modules/contrib/ntp.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/ntp.te b/policy/modules/contrib/ntp.te
index 37d974a..1c89ff6 100644
--- a/policy/modules/contrib/ntp.te
+++ b/policy/modules/contrib/ntp.te
@@ -53,7 +53,7 @@ allow ntpd_t self:tcp_socket { accept listen };
manage_dirs_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
manage_files_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
-files_var_filetrans(ntpd_t, ntp_drift_t, file, "ntp-kod")
+files_var_filetrans(ntpd_t, ntp_drift_t, file)
allow ntpd_t ntp_conf_t:file read_file_perms;
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-06-25 19:06 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-06-25 19:06 UTC (permalink / raw
To: gentoo-commits
commit: d3ad3fd3b22e7728874b475230d164f08e33c817
Author: Elia Pinto <andronicus.spiros <AT> gmail <DOT> com>
AuthorDate: Tue Jun 10 15:22:47 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Jun 25 19:04:41 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=d3ad3fd3
apache.te: Add labelling support for /var/log/mlogc
Add the right labelling support for the
ModSecurity Audit Log Collector(mlogc).
mlogc is started by apache and run with the
same selinux security context.
Signed-off-by: Elia Pinto <andronicus.spiros <AT> gmail.com>
---
policy/modules/contrib/apache.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/apache.fc b/policy/modules/contrib/apache.fc
index ab4a625..818e177 100644
--- a/policy/modules/contrib/apache.fc
+++ b/policy/modules/contrib/apache.fc
@@ -124,6 +124,7 @@ ifdef(`distro_suse',`
/var/log/cherokee(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/dirsrv/admin-serv(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/glpi(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/mlogc(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-06-25 19:06 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-06-25 19:06 UTC (permalink / raw
To: gentoo-commits
commit: 5c79f87fee48bc65ac41833c763af9b0fa6b98aa
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Wed Jun 25 15:56:06 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Jun 25 19:04:49 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=5c79f87f
Module version bump for ntp-kod file support from Jason Zaman.
---
policy/modules/contrib/ntp.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/ntp.te b/policy/modules/contrib/ntp.te
index 1c89ff6..053097b 100644
--- a/policy/modules/contrib/ntp.te
+++ b/policy/modules/contrib/ntp.te
@@ -1,4 +1,4 @@
-policy_module(ntp, 1.12.1)
+policy_module(ntp, 1.12.2)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-06-25 19:06 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-06-25 19:06 UTC (permalink / raw
To: gentoo-commits
commit: 24724727e695f23133880829fab6ce68c73e079b
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue Jun 17 12:22:43 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Jun 25 19:04:45 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=24724727
Module version bump for apache/mlogc patch from Elia Pinto.
---
policy/modules/contrib/apache.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index c4264c4..f39b6ca 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -1,4 +1,4 @@
-policy_module(apache, 2.8.2)
+policy_module(apache, 2.8.3)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-06-21 18:36 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-06-21 18:36 UTC (permalink / raw
To: gentoo-commits
commit: 0a38de932f0c01b5d7850f72437215fa50dc97d7
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Jun 21 18:35:44 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Jun 21 18:35:44 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=0a38de93
Fix bug #513362 - Support hiawatha within httpd_t domain
---
policy/modules/contrib/apache.fc | 15 +++++++++++++++
policy/modules/contrib/apache.te | 17 +++++++++++++++--
2 files changed, 30 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/apache.fc b/policy/modules/contrib/apache.fc
index ff4abce..ab4a625 100644
--- a/policy/modules/contrib/apache.fc
+++ b/policy/modules/contrib/apache.fc
@@ -166,4 +166,19 @@ ifdef(`distro_suse',`
ifdef(`distro_gentoo',`
/usr/share/build-1/libtool -- gen_context(system_u:object_r:bin_t,s0)
+
+# Support for Hiawatha bug 513362
+/etc/hiawatha(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+
+/etc/rc\.d/init\.d/hiawatha -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
+
+/usr/bin/ssi-cgi -- gen_context(system_u:object_r:httpd_exec_t,s0)
+
+/usr/sbin/cgi-wrapper -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/hiawatha -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/wigwam -- gen_context(system_u:object_r:httpd_exec_t,s0)
+
+/var/lib/hiawatha(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+
+/var/log/hiawatha(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
')
diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index 4faa22c..c4264c4 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -1427,6 +1427,19 @@ optional_policy(`
')
ifdef(`distro_gentoo',`
- init_daemon_run_dir(httpd_var_run_t, "apache_ssl_mutex")
- init_daemon_run_dir(httpd_var_run_t, "apache2")
+## <desc>
+## <p>
+## Enable specific permissions for the Hiawatha web server
+## </p>
+## </desc>
+gen_tunable(hiawatha_httpd, false)
+
+init_daemon_run_dir(httpd_var_run_t, "apache_ssl_mutex")
+init_daemon_run_dir(httpd_var_run_t, "apache2")
+
+tunable_policy(`hiawatha_httpd',`
+ # bug 513362
+ allow httpd_t self:capability fowner;
+')
+
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-06-08 18:08 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-06-08 18:08 UTC (permalink / raw
To: gentoo-commits
commit: 32eb57d914d8ae17c92eba384fec40f7ce2c3aad
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Jun 8 18:07:15 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Jun 8 18:07:15 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=32eb57d9
Fix bug #511966 - clamav fails to start due to wrong label on /var/run/clamav (thanks to Alexander Wetzel)
---
policy/modules/contrib/clamav.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/clamav.te b/policy/modules/contrib/clamav.te
index ce3836a..34e3f61 100644
--- a/policy/modules/contrib/clamav.te
+++ b/policy/modules/contrib/clamav.te
@@ -321,3 +321,7 @@ optional_policy(`
mta_send_mail(clamscan_t)
mta_read_queue(clamscan_t)
')
+
+ifdef(`distro_gentoo',`
+ init_daemon_run_dir(clamd_var_run_t, "clamav")
+')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-06-08 13:29 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-06-08 13:29 UTC (permalink / raw
To: gentoo-commits
commit: 595885f86a72eea113e88fb6696e5251253ebdfa
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Jun 8 13:28:40 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Jun 8 13:28:40 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=595885f8
Fix bug #512146 - buildtool must be bin_t or apache-tools build fails
---
policy/modules/contrib/apache.fc | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/apache.fc b/policy/modules/contrib/apache.fc
index 69d89db..ff4abce 100644
--- a/policy/modules/contrib/apache.fc
+++ b/policy/modules/contrib/apache.fc
@@ -163,3 +163,7 @@ ifdef(`distro_suse',`
/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+
+ifdef(`distro_gentoo',`
+/usr/share/build-1/libtool -- gen_context(system_u:object_r:bin_t,s0)
+')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-06-07 19:18 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-06-07 19:18 UTC (permalink / raw
To: gentoo-commits
commit: 16ff7b295abda770a89717da10f312fc235c9050
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Jun 7 19:09:59 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Jun 7 19:12:07 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=16ff7b29
Gentoo additions for the Dropbox module
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>
---
policy/modules/contrib/dropbox.fc | 3 +++
policy/modules/contrib/dropbox.te | 8 ++++++++
2 files changed, 11 insertions(+)
diff --git a/policy/modules/contrib/dropbox.fc b/policy/modules/contrib/dropbox.fc
index 8f35880..ddc22f0 100644
--- a/policy/modules/contrib/dropbox.fc
+++ b/policy/modules/contrib/dropbox.fc
@@ -7,5 +7,8 @@ HOME_DIR/\.dropbox-master(/.*)? gen_context(system_u:object_r:dropbo
HOME_DIR/\.dropbox-dist/dropboxd? -- gen_context(system_u:object_r:dropbox_exec_t,s0)
/opt/bin/dropbox -l gen_context(system_u:object_r:dropbox_exec_t,s0)
+/opt/dropbox/.*py?\.?.*egg(/.*)? gen_context(system_u:object_r:lib_t,s0)
+/opt/dropbox/lib.*\.so\.. -- gen_context(system_u:object_r:lib_t,s0)
/opt/dropbox/dropboxd? -- gen_context(system_u:object_r:dropbox_exec_t,s0)
+/opt/dropbox/library\.zip -l gen_context(system_u:object_r:lib_t,s0)
diff --git a/policy/modules/contrib/dropbox.te b/policy/modules/contrib/dropbox.te
index 1348ff0..0921a59 100644
--- a/policy/modules/contrib/dropbox.te
+++ b/policy/modules/contrib/dropbox.te
@@ -108,3 +108,11 @@ tunable_policy(`dropbox_bind_port',`
allow dropbox_t self:udp_socket { send_msg recv_msg };
')
+ifdef(`distro_gentoo',`
+ optional_policy(`
+ xdg_read_config_home_files(dropbox_t)
+ xdg_read_data_home_files(dropbox_t)
+ userdom_user_content_access_template(dropbox, dropbox_t)
+ ')
+')
+
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-06-07 19:18 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-06-07 19:18 UTC (permalink / raw
To: gentoo-commits
commit: f405a39417d6a763f0193cd03c8b122a1fc93ab1
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Jun 7 19:09:58 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Jun 7 19:12:07 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f405a394
New policy module for Dropbox
https://www.dropbox.com/
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>
---
policy/modules/contrib/dropbox.fc | 11 ++++
policy/modules/contrib/dropbox.if | 113 ++++++++++++++++++++++++++++++++++++++
policy/modules/contrib/dropbox.te | 110 +++++++++++++++++++++++++++++++++++++
3 files changed, 234 insertions(+)
diff --git a/policy/modules/contrib/dropbox.fc b/policy/modules/contrib/dropbox.fc
new file mode 100644
index 0000000..8f35880
--- /dev/null
+++ b/policy/modules/contrib/dropbox.fc
@@ -0,0 +1,11 @@
+HOME_DIR/Dropbox(/.*)? gen_context(system_u:object_r:dropbox_content_t,s0)
+
+HOME_DIR/\.dropbox(/.*)? gen_context(system_u:object_r:dropbox_home_t,s0)
+HOME_DIR/\.dropbox-dist(/.*)? gen_context(system_u:object_r:dropbox_home_t,s0)
+HOME_DIR/\.dropbox-master(/.*)? gen_context(system_u:object_r:dropbox_home_t,s0)
+
+HOME_DIR/\.dropbox-dist/dropboxd? -- gen_context(system_u:object_r:dropbox_exec_t,s0)
+
+/opt/bin/dropbox -l gen_context(system_u:object_r:dropbox_exec_t,s0)
+/opt/dropbox/dropboxd? -- gen_context(system_u:object_r:dropbox_exec_t,s0)
+
diff --git a/policy/modules/contrib/dropbox.if b/policy/modules/contrib/dropbox.if
new file mode 100644
index 0000000..51e9f88
--- /dev/null
+++ b/policy/modules/contrib/dropbox.if
@@ -0,0 +1,113 @@
+## <summary>Dropbox client - Store, Sync and Share Files Online</summary>
+
+#######################################
+## <summary>
+## The role for using the dropbox client.
+## </summary>
+## <param name="role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## The user domain.
+## </summary>
+## </param>
+#
+interface(`dropbox_role',`
+ gen_require(`
+ type dropbox_t;
+ type dropbox_exec_t;
+ type dropbox_home_t;
+ type dropbox_tmp_t;
+ ')
+
+ role $1 types dropbox_t;
+
+ domtrans_pattern($2, dropbox_exec_t, dropbox_t)
+
+ allow $2 dropbox_t:process { ptrace signal_perms };
+
+ manage_dirs_pattern($2, dropbox_home_t, dropbox_home_t)
+ manage_files_pattern($2, dropbox_home_t, dropbox_home_t)
+ manage_sock_files_pattern($2, dropbox_home_t, dropbox_home_t)
+
+ manage_files_pattern($2, dropbox_home_t, dropbox_exec_t)
+ manage_lnk_files_pattern($2, dropbox_home_t, dropbox_exec_t)
+
+ userdom_user_home_dir_filetrans($2, dropbox_home_t, dir, ".dropbox-dist")
+ filetrans_pattern($2, dropbox_home_t, dropbox_exec_t, file, "dropbox")
+ filetrans_pattern($2, dropbox_home_t, dropbox_exec_t, file, "dropboxd")
+
+ manage_dirs_pattern($2, dropbox_tmp_t, dropbox_tmp_t)
+ manage_files_pattern($2, dropbox_tmp_t, dropbox_tmp_t)
+
+ allow $2 dropbox_content_t:dir relabel_dir_perms;
+ allow $2 dropbox_content_t:file relabel_file_perms;
+
+ dropbox_manage_content($2)
+ dropbox_dbus_chat($2)
+
+ ps_process_pattern($2, dropbox_t)
+')
+
+#########################################
+## <summary>
+## Send and receive messages from the dropbox daemon
+## over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dropbox_dbus_chat',`
+ gen_require(`
+ type dropbox_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 dropbox_t:dbus send_msg;
+ allow dropbox_t $1:dbus send_msg;
+')
+
+#######################################
+## <summary>
+## Allow other domains to read dropbox's content files
+## </summary>
+## <param name="domain">
+## <summary>
+## The domain that is allowed read access to the dropbox_content_t files
+## </summary>
+## </param>
+#
+interface(`dropbox_read_content',`
+ gen_require(`
+ type dropbox_content_t;
+ ')
+
+ list_dirs_pattern($1, dropbox_content_t, dropbox_content_t)
+ read_files_pattern($1, dropbox_content_t, dropbox_content_t)
+')
+
+#######################################
+## <summary>
+## Allow other domains to manage dropbox's content files
+## </summary>
+## <param name="domain">
+## <summary>
+## The domain that is allowed to manage the dropbox_content_t files and directories
+## </summary>
+## </param>
+#
+interface(`dropbox_manage_content',`
+ gen_require(`
+ type dropbox_content_t;
+ ')
+
+ manage_dirs_pattern($1, dropbox_content_t, dropbox_content_t)
+ manage_files_pattern($1, dropbox_content_t, dropbox_content_t)
+')
+
diff --git a/policy/modules/contrib/dropbox.te b/policy/modules/contrib/dropbox.te
new file mode 100644
index 0000000..1348ff0
--- /dev/null
+++ b/policy/modules/contrib/dropbox.te
@@ -0,0 +1,110 @@
+policy_module(dropbox, 0.0.1)
+
+############################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether dropbox can bind to
+## local tcp and udp ports.
+## Required for Dropbox' LAN Sync feature
+## </p>
+## </desc>
+gen_tunable(dropbox_bind_port, false)
+
+type dropbox_t;
+type dropbox_exec_t;
+userdom_user_application_domain(dropbox_t, dropbox_exec_t)
+
+# the dropbox dirs eg. ~/.dropbox/
+type dropbox_home_t;
+userdom_user_home_content(dropbox_home_t)
+
+# the type for the main ~/Dropbox folder
+type dropbox_content_t; # customizable
+userdom_user_home_content(dropbox_content_t)
+
+type dropbox_tmp_t;
+userdom_user_tmp_file(dropbox_tmp_t)
+
+# for X server SHM
+type dropbox_tmpfs_t;
+userdom_user_tmpfs_file(dropbox_tmpfs_t)
+
+############################
+#
+# Local Policy Rules
+#
+
+allow dropbox_t self:process signal_perms;
+allow dropbox_t self:fifo_file rw_fifo_file_perms;
+allow dropbox_t dropbox_home_t:file mmap_file_perms;
+
+# dropbox updates itself in /tmp then in ~/.dropbox-dist/
+can_exec(dropbox_t, dropbox_exec_t)
+can_exec(dropbox_t, dropbox_tmp_t)
+
+manage_dirs_pattern(dropbox_t, dropbox_home_t, dropbox_home_t)
+manage_files_pattern(dropbox_t, dropbox_home_t, dropbox_home_t)
+manage_lnk_files_pattern(dropbox_t, dropbox_home_t, dropbox_home_t)
+manage_sock_files_pattern(dropbox_t, dropbox_home_t, dropbox_home_t)
+userdom_user_home_dir_filetrans(dropbox_t, dropbox_home_t, { dir file })
+
+manage_files_pattern(dropbox_t, dropbox_home_t, dropbox_exec_t)
+manage_lnk_files_pattern(dropbox_t, dropbox_home_t, dropbox_exec_t)
+filetrans_pattern(dropbox_t, dropbox_home_t, dropbox_exec_t, file, "dropbox")
+filetrans_pattern(dropbox_t, dropbox_home_t, dropbox_exec_t, file, "dropboxd")
+
+manage_dirs_pattern(dropbox_t, dropbox_content_t, dropbox_content_t)
+manage_files_pattern(dropbox_t, dropbox_content_t, dropbox_content_t)
+userdom_user_home_dir_filetrans(dropbox_t, dropbox_content_t, dir, "Dropbox")
+
+manage_dirs_pattern(dropbox_t, dropbox_tmp_t, dropbox_tmp_t)
+manage_files_pattern(dropbox_t, dropbox_tmp_t, dropbox_tmp_t)
+files_tmp_filetrans(dropbox_t, dropbox_tmp_t, { file dir })
+
+manage_dirs_pattern(dropbox_t, dropbox_tmpfs_t, dropbox_tmpfs_t)
+manage_files_pattern(dropbox_t, dropbox_tmpfs_t, dropbox_tmpfs_t)
+fs_tmpfs_filetrans(dropbox_t, dropbox_tmpfs_t, { file dir })
+
+fs_getattr_xattr_fs(dropbox_t)
+fs_getattr_tmpfs(dropbox_t)
+kernel_read_vm_sysctls(dropbox_t)
+
+kernel_dontaudit_read_system_state(dropbox_t)
+kernel_dontaudit_list_proc(dropbox_t)
+
+corecmd_exec_bin(dropbox_t)
+corecmd_exec_shell(dropbox_t)
+
+dev_read_rand(dropbox_t)
+dev_read_urand(dropbox_t)
+
+files_read_usr_files(dropbox_t)
+auth_use_nsswitch(dropbox_t)
+miscfiles_read_localization(dropbox_t)
+
+userdom_search_user_home_content(dropbox_t)
+userdom_use_user_terminals(dropbox_t)
+
+xserver_user_x_domain_template(dropbox, dropbox_t, dropbox_tmpfs_t)
+
+dbus_all_session_bus_client(dropbox_t)
+
+corenet_all_recvfrom_netlabel(dropbox_t)
+corenet_all_recvfrom_unlabeled(dropbox_t)
+corenet_tcp_connect_http_port(dropbox_t)
+corenet_tcp_sendrecv_generic_if(dropbox_t)
+corenet_tcp_sendrecv_generic_node(dropbox_t)
+
+tunable_policy(`dropbox_bind_port',`
+ corenet_tcp_bind_dropbox_port(dropbox_t)
+ corenet_udp_bind_dropbox_port(dropbox_t)
+ corenet_tcp_bind_generic_node(dropbox_t)
+ corenet_udp_bind_generic_node(dropbox_t)
+ allow dropbox_t self:tcp_socket { accept listen };
+ allow dropbox_t self:udp_socket { send_msg recv_msg };
+')
+
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-06-07 19:18 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-06-07 19:18 UTC (permalink / raw
To: gentoo-commits
commit: 3d6ceaf09456045483ebfdab649c7b0458083630
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Jun 7 19:15:49 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Jun 7 19:15:49 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=3d6ceaf0
Some restructuring
---
policy/modules/contrib/dropbox.te | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/policy/modules/contrib/dropbox.te b/policy/modules/contrib/dropbox.te
index 0921a59..f3d01e9 100644
--- a/policy/modules/contrib/dropbox.te
+++ b/policy/modules/contrib/dropbox.te
@@ -100,19 +100,22 @@ corenet_tcp_sendrecv_generic_if(dropbox_t)
corenet_tcp_sendrecv_generic_node(dropbox_t)
tunable_policy(`dropbox_bind_port',`
+ allow dropbox_t self:tcp_socket { accept listen };
+ allow dropbox_t self:udp_socket { send_msg recv_msg };
+
corenet_tcp_bind_dropbox_port(dropbox_t)
corenet_udp_bind_dropbox_port(dropbox_t)
corenet_tcp_bind_generic_node(dropbox_t)
corenet_udp_bind_generic_node(dropbox_t)
- allow dropbox_t self:tcp_socket { accept listen };
- allow dropbox_t self:udp_socket { send_msg recv_msg };
')
ifdef(`distro_gentoo',`
optional_policy(`
xdg_read_config_home_files(dropbox_t)
xdg_read_data_home_files(dropbox_t)
+ ')
+
+ optional_policy(`
userdom_user_content_access_template(dropbox, dropbox_t)
')
')
-
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-05-29 17:29 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-05-29 17:29 UTC (permalink / raw
To: gentoo-commits
commit: 2d41348bbc572a365a257976002d9f5e145eefc8
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu May 29 14:53:07 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu May 29 17:28:29 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=2d41348b
Allow mozilla to send dbus messages to gconfd
Firefox throws the following error when it starts if it cannot talk to gconfd
Configuration server couldn't be contacted: D-BUS error: An SELinux
policy prevents this sender from sending this message to this recipient,
0 matched rules; type="method_call", sender=":1.120" (uid=1000 pid=26773
comm="/opt/firefox/firefox ") interface="org.gnome.GConf.Server"
member="GetDefaultDatabase" error name="(unset)" requested_reply="0"
destination="org.gnome.GConf" (uid=1000 pid=20128
comm="/usr/libexec/gconfd-2 ")
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>
---
policy/modules/contrib/mozilla.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
index 87728ae..6d7bac7 100644
--- a/policy/modules/contrib/mozilla.te
+++ b/policy/modules/contrib/mozilla.te
@@ -761,4 +761,8 @@ gen_tunable(mozilla_plugin_connect_all_unreserved, false)
alsa_domain(mozilla_plugin_t, mozilla_plugin_tmpfs_t)
')
')
+
+ optional_policy(`
+ gnome_dbus_chat_gconfd(mozilla_t)
+ ')
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-05-29 16:37 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-05-29 16:37 UTC (permalink / raw
To: gentoo-commits
commit: 3d04e6e43e2cf2dc82633dccbb3fcc3025c5e6a0
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu May 29 16:36:24 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu May 29 16:36:24 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=3d04e6e4
Add support for git3-src repo
---
policy/modules/contrib/portage.fc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/portage.fc b/policy/modules/contrib/portage.fc
index a2738ea..73326f2 100644
--- a/policy/modules/contrib/portage.fc
+++ b/policy/modules/contrib/portage.fc
@@ -21,7 +21,7 @@
/usr/portage(/.*)? gen_context(system_u:object_r:portage_ebuild_t,s0)
/usr/portage/distfiles/cvs-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
/usr/portage/distfiles/egit-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
-/usr/portage/distfiles/git-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
+/usr/portage/distfiles/git.?-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
/usr/portage/distfiles/svn-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
/var/db/pkg(/.*)? gen_context(system_u:object_r:portage_db_t,s0)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-05-28 17:54 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-05-28 17:54 UTC (permalink / raw
To: gentoo-commits
commit: 89b14c472ffd3b15552f4dbc5b39e0081ec72f7e
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed May 28 17:52:02 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed May 28 17:52:02 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=89b14c47
Add gnome_dbus_chat_gconfd interface (bug #510572)
---
policy/modules/contrib/gnome.if | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)
diff --git a/policy/modules/contrib/gnome.if b/policy/modules/contrib/gnome.if
index 118ee01..5e05e12 100644
--- a/policy/modules/contrib/gnome.if
+++ b/policy/modules/contrib/gnome.if
@@ -735,3 +735,26 @@ interface(`gnome_stream_connect_all_gkeyringd',`
files_search_tmp($1)
stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain)
')
+
+# From here Gentoo specific but cannot use ifdef distro_gentoo here
+
+#########################################
+## <summary>
+## Send and receive messages from the gconf daemon
+## over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_dbus_chat_gconfd',`
+ gen_require(`
+ type gconfd_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 gconfd_t:dbus send_msg;
+ allow gconfd_t $1:dbus send_msg;
+')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-05-28 17:54 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-05-28 17:54 UTC (permalink / raw
To: gentoo-commits
commit: ce8cd6e1a0c4bd7b15c26763603c34beb4f88df2
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed May 28 17:54:01 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed May 28 17:54:01 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ce8cd6e1
Allow GNOME enabled user domains to send dbus messages to gconfd
---
policy/modules/contrib/gnome.if | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/policy/modules/contrib/gnome.if b/policy/modules/contrib/gnome.if
index 5e05e12..cad0e95 100644
--- a/policy/modules/contrib/gnome.if
+++ b/policy/modules/contrib/gnome.if
@@ -115,6 +115,12 @@ template(`gnome_role_template',`
gnome_dbus_chat_gkeyringd($1, $3)
')
')
+
+ ifdef(`distro_gentoo',`
+ optional_policy(`
+ gnome_dbus_chat_gconfd($3)
+ ')
+ ')
')
########################################
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-05-22 16:53 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-05-22 16:53 UTC (permalink / raw
To: gentoo-commits
commit: 8f3ac480c34bff1c605ba8f4a71bc484dccd8b9d
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon May 19 20:44:44 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu May 22 16:52:42 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=8f3ac480
Gnome Keyring policies
Gnome keyring communicates with other programs via a socket in
~/.cache/. This patch creates gnome_xdg_*_home_t labels and lets
gnome keyring manage them
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>
---
policy/modules/contrib/gnome.fc | 5 +++++
policy/modules/contrib/gnome.te | 24 ++++++++++++++++++++++++
2 files changed, 29 insertions(+)
diff --git a/policy/modules/contrib/gnome.fc b/policy/modules/contrib/gnome.fc
index 209314b..9bc2c50 100644
--- a/policy/modules/contrib/gnome.fc
+++ b/policy/modules/contrib/gnome.fc
@@ -15,3 +15,8 @@ HOME_DIR/\.gnome2_private(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
/usr/bin/mate-keyring-daemon -- gen_context(system_u:object_r:gkeyringd_exec_t,s0)
/usr/lib/[^/]*/gconf/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
+
+
+ifdef(`distro_gentoo',`
+HOME_DIR/\.cache/keyring-.* gen_context(system_u:object_r:gnome_xdg_cache_home_t,s0)
+')
diff --git a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te
index 5dd3498..98cd996 100644
--- a/policy/modules/contrib/gnome.te
+++ b/policy/modules/contrib/gnome.te
@@ -141,9 +141,33 @@ optional_policy(`
')
ifdef(`distro_gentoo',`
+ type gnome_xdg_cache_home_t;
type gnome_xdg_config_t; # Fase out
type gnome_xdg_config_home_t;
+ type gnome_xdg_data_home_t;
+ xdg_cache_home_content(gnome_xdg_cache_home_t)
xdg_config_home_content(gnome_xdg_config_t)
xdg_config_home_content(gnome_xdg_config_home_t)
+ xdg_data_home_content(gnome_xdg_data_home_t)
+
+ ##
+ ## Keyring
+ ##
+
+ # When gnome-keyring creates a .cache/keyring-.... make sure it is gnome_xdg_cache_home_t
+ xdg_cache_home_filetrans(gkeyringd_domain, gnome_xdg_cache_home_t, dir)
+ # Same for ~/.config and ~/.local stuff
+ xdg_config_home_filetrans(gkeyringd_domain, gnome_xdg_config_home_t, dir)
+ xdg_data_home_filetrans(gkeyringd_domain, gnome_xdg_data_home_t, dir)
+
+ allow gkeyringd_domain gnome_xdg_cache_home_t:file manage_file_perms;
+ allow gkeyringd_domain gnome_xdg_cache_home_t:sock_file manage_sock_file_perms;
+ manage_dirs_pattern(gkeyringd_domain, gnome_xdg_cache_home_t, gnome_xdg_cache_home_t)
+
+ allow gkeyringd_domain gnome_xdg_config_home_t:file manage_file_perms;
+ manage_dirs_pattern(gkeyringd_domain, gnome_xdg_config_home_t, gnome_xdg_config_home_t)
+
+ allow gkeyringd_domain gnome_xdg_data_home_t:file manage_file_perms;
+ manage_dirs_pattern(gkeyringd_domain, gnome_xdg_data_home_t, gnome_xdg_data_home_t)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-05-22 16:53 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-05-22 16:53 UTC (permalink / raw
To: gentoo-commits
commit: f0c9d69ef883747dd922d9bdcf3b24e534aa4469
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon May 19 20:44:45 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu May 22 16:52:42 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f0c9d69e
gconfd keeps its database in the xdg directories
gconfd stores settings for applications in the gnome desktop.
it needs to be able to manage gnome directories inside
~/.{cache,config,local}/
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>
---
policy/modules/contrib/gnome.fc | 2 ++
policy/modules/contrib/gnome.te | 18 ++++++++++++++++++
2 files changed, 20 insertions(+)
diff --git a/policy/modules/contrib/gnome.fc b/policy/modules/contrib/gnome.fc
index 9bc2c50..31d8c6c 100644
--- a/policy/modules/contrib/gnome.fc
+++ b/policy/modules/contrib/gnome.fc
@@ -18,5 +18,7 @@ HOME_DIR/\.gnome2_private(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
ifdef(`distro_gentoo',`
+HOME_DIR/\.config/dconf(/.*)? gen_context(system_u:object_r:gnome_xdg_config_home_t,s0)
+HOME_DIR/\.cache/dconf(/.*)? gen_context(system_u:object_r:gnome_xdg_cache_home_t,s0)
HOME_DIR/\.cache/keyring-.* gen_context(system_u:object_r:gnome_xdg_cache_home_t,s0)
')
diff --git a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te
index 98cd996..99b426d 100644
--- a/policy/modules/contrib/gnome.te
+++ b/policy/modules/contrib/gnome.te
@@ -170,4 +170,22 @@ ifdef(`distro_gentoo',`
allow gkeyringd_domain gnome_xdg_data_home_t:file manage_file_perms;
manage_dirs_pattern(gkeyringd_domain, gnome_xdg_data_home_t, gnome_xdg_data_home_t)
+
+ ##
+ ## gconfd
+ ##
+
+ xdg_cache_home_filetrans(gconfd_t, gnome_xdg_cache_home_t, dir)
+ xdg_config_home_filetrans(gconfd_t, gnome_xdg_config_home_t, dir)
+ xdg_data_home_filetrans(gconfd_t, gnome_xdg_data_home_t, dir)
+
+ # gconf stores settings for gnome, it needs access
+ allow gconfd_t gnome_xdg_cache_home_t:file manage_file_perms;
+ manage_dirs_pattern(gconfd_t, gnome_xdg_cache_home_t, gnome_xdg_cache_home_t)
+
+ allow gconfd_t gnome_xdg_config_home_t:file manage_file_perms;
+ manage_dirs_pattern(gconfd_t, gnome_xdg_config_home_t, gnome_xdg_config_home_t)
+
+ allow gconfd_t gnome_xdg_data_home_t:file manage_file_perms;
+ manage_dirs_pattern(gconfd_t, gnome_xdg_data_home_t, gnome_xdg_data_home_t)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-05-22 16:33 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-05-22 16:33 UTC (permalink / raw
To: gentoo-commits
commit: e5e9e3b1d23814120d95b4bc247056b72a38c3ea
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri May 16 18:34:37 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu May 22 16:32:05 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e5e9e3b1
Fix typo in dnsmasq.if
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
---
policy/modules/contrib/dnsmasq.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/dnsmasq.if b/policy/modules/contrib/dnsmasq.if
index 19aa0b8..62e4948 100644
--- a/policy/modules/contrib/dnsmasq.if
+++ b/policy/modules/contrib/dnsmasq.if
@@ -281,7 +281,7 @@ interface(`dnsmasq_admin',`
files_list_var_lib($1)
admin_pattern($1, dnsmasq_lease_t)
- logging_seearch_logs($1)
+ logging_search_logs($1)
admin_pattern($1, dnsmasq_var_log_t)
files_list_pids($1)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-05-22 16:33 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-05-22 16:33 UTC (permalink / raw
To: gentoo-commits
commit: 08e4725f1152c1c4671090440d6461dbc89b3f22
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue May 20 13:16:55 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu May 22 16:32:08 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=08e4725f
Module version bump for java icedtea fc entries from Sven Vermeulen.
---
policy/modules/contrib/java.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te
index 8503180..11e996d 100644
--- a/policy/modules/contrib/java.te
+++ b/policy/modules/contrib/java.te
@@ -1,4 +1,4 @@
-policy_module(java, 2.7.0)
+policy_module(java, 2.7.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-05-22 16:33 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-05-22 16:33 UTC (permalink / raw
To: gentoo-commits
commit: 48be2f701bc828ed49544836c4963b9d9eab0489
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat May 17 15:26:50 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu May 22 16:32:07 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=48be2f70
Mark icedtea binaries as java_exec_t
Add the icedtea location to the java file contexts so that the icedtea
java binaries are marked as java_exec_t.
See also https://bugs.gentoo.org/show_bug.cgi?id=510364
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
---
policy/modules/contrib/java.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/java.fc b/policy/modules/contrib/java.fc
index e3be797..cc4f515 100644
--- a/policy/modules/contrib/java.fc
+++ b/policy/modules/contrib/java.fc
@@ -22,6 +22,7 @@ HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:java_home_t,s0)
/usr/lib/bin/java[^/]* -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/lib/eclipse/eclipse -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/lib/icedtea[67]/bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/lib/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/lib/opera(/.*)?/opera -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/lib/opera(/.*)?/works -- gen_context(system_u:object_r:java_exec_t,s0)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-05-18 12:00 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-05-18 12:00 UTC (permalink / raw
To: gentoo-commits
commit: f798c56c670f48f3e06b16188b4cd1ddab08508e
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun May 18 12:00:13 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun May 18 12:00:13 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f798c56c
Make cachefiles_kernel_t an alias to cachefilesd_kernel_t so that default package settings can be retained
---
policy/modules/contrib/cachefilesd.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/contrib/cachefilesd.te b/policy/modules/contrib/cachefilesd.te
index 353aa85..0490841 100644
--- a/policy/modules/contrib/cachefilesd.te
+++ b/policy/modules/contrib/cachefilesd.te
@@ -53,6 +53,8 @@ optional_policy(`
ifdef(`distro_gentoo',`
type cachefilesd_kernel_t;
+ # Compatible with fedora, for package defaults and so on
+ typealias cachefilesd_kernel_t alias cachefiles_kernel_t;
domain_type(cachefilesd_kernel_t)
domain_obj_id_change_exemption(cachefilesd_kernel_t)
role system_r types cachefilesd_kernel_t;
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-05-18 11:03 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-05-18 11:03 UTC (permalink / raw
To: gentoo-commits
commit: e272b12c0e2345b698444b24675566a014e0ae75
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun May 18 11:01:54 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun May 18 11:01:54 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e272b12c
Introduce cachefilesd_kernel_t for cachefiles
When the Linux kernel is acting for cachefilesd, it does so through the
defined context. As the module is called cachefilesd, we call it
cachefilesd_kernel_t (unlike fedora, which uses cachefiles_kernel_t).
Port changes from fedora to use the kernel_service class into this
module as well.
---
policy/modules/contrib/cachefilesd.te | 31 +++++++++++++++++++++++++++++++
1 file changed, 31 insertions(+)
diff --git a/policy/modules/contrib/cachefilesd.te b/policy/modules/contrib/cachefilesd.te
index a3760bc..353aa85 100644
--- a/policy/modules/contrib/cachefilesd.te
+++ b/policy/modules/contrib/cachefilesd.te
@@ -50,3 +50,34 @@ init_dontaudit_use_script_ptys(cachefilesd_t)
optional_policy(`
rpm_use_script_fds(cachefilesd_t)
')
+
+ifdef(`distro_gentoo',`
+ type cachefilesd_kernel_t;
+ domain_type(cachefilesd_kernel_t)
+ domain_obj_id_change_exemption(cachefilesd_kernel_t)
+ role system_r types cachefilesd_kernel_t;
+
+ # CacheFiles tells the Linux kernel for which security context
+ # it should act to begin caching.
+
+ # Allow cachefilesd_t to tell the kernel to use cachefilesd_kernel_t)
+ allow cachefilesd_t cachefilesd_kernel_t:kernel_service { use_as_override };
+
+ # Allow cachefilesd_t to tell the kernel to write files as cachefilesd_cache_t
+ allow cachefilesd_t cachefilesd_cache_t:kernel_service { create_files_as };
+
+ ##########################################
+ #
+ # cachefilesd_kernel_t policy
+ #
+ allow cachefilesd_kernel_t self:capability { dac_override dac_read_search };
+
+ manage_dirs_pattern(cachefilesd_kernel_t, cachefilesd_cache_t, cachefilesd_cache_t)
+ manage_files_pattern(cachefilesd_kernel_t, cachefilesd_cache_t, cachefilesd_cache_t)
+
+ fs_getattr_xattr_fs(cachefilesd_kernel_t)
+
+ dev_search_sysfs(cachefilesd_kernel_t)
+
+ init_sigchld_script(cachefilesd_kernel_t)
+')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-05-15 18:10 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-05-15 18:10 UTC (permalink / raw
To: gentoo-commits
commit: e9a93b0d4db7a376a9eb4b5e2fe84885124be4e6
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu May 15 18:02:15 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu May 15 18:02:15 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e9a93b0d
Move distro_gentoo to bottom, fade-oout wrong type name
---
policy/modules/contrib/gnome.te | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te
index b4a361a..5dd3498 100644
--- a/policy/modules/contrib/gnome.te
+++ b/policy/modules/contrib/gnome.te
@@ -46,12 +46,6 @@ userdom_user_home_content(gnome_keyring_home_t)
type gnome_keyring_tmp_t;
userdom_user_tmp_file(gnome_keyring_tmp_t)
-ifdef(`distro_gentoo',`
- type gnome_xdg_config_t;
-
- xdg_config_home_content(gnome_xdg_config_t)
-')
-
##############################
#
# Common local Policy
@@ -145,3 +139,11 @@ optional_policy(`
optional_policy(`
telepathy_mission_control_read_state(gkeyringd_domain)
')
+
+ifdef(`distro_gentoo',`
+ type gnome_xdg_config_t; # Fase out
+ type gnome_xdg_config_home_t;
+
+ xdg_config_home_content(gnome_xdg_config_t)
+ xdg_config_home_content(gnome_xdg_config_home_t)
+')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-05-04 10:51 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-05-04 10:51 UTC (permalink / raw
To: gentoo-commits
commit: 8ed40c400e05797f6abd6c372bd583d6e175c182
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun May 4 10:51:07 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun May 4 10:51:07 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=8ed40c40
gcc-config uses libffi (execute tmp) and accesses non-root directory info (portage or user for overlays)
---
policy/modules/contrib/portage.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/contrib/portage.te b/policy/modules/contrib/portage.te
index 443460b..149586e 100644
--- a/policy/modules/contrib/portage.te
+++ b/policy/modules/contrib/portage.te
@@ -405,7 +405,9 @@ gen_tunable(portage_mount_fs, false)
# GCC config local policy
#
+ allow gcc_config_t self:capability dac_override;
allow gcc_config_t gcc_config_tmp_t:file manage_file_perms;
+ can_exec(gcc_config_t, gcc_config_tmp_t) # libffi support
files_tmp_filetrans(gcc_config_t, gcc_config_tmp_t, file)
files_manage_etc_runtime_files(gcc_config_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-05-01 20:22 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-05-01 20:22 UTC (permalink / raw
To: gentoo-commits
commit: 3622f0211f17555747da2bf7acb6d8aba7785d1e
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu May 1 20:19:15 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu May 1 20:19:35 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=3622f021
emerge-webrsync updates
Two small changes for emerge-webrsync.
The first one is that portage_fetch_t must be able to execute
portage_fetch_tmp_t. This is because portage_fetch_t calls portageq,
which (as a Python app) creates a temporary executable file to parse.
The second change allows portage_fetch_t to read user content (when an
overlay is in /home) optionally through the portage_read_user_content
boolean.
---
policy/modules/contrib/portage.te | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/portage.te b/policy/modules/contrib/portage.te
index d5b29d6..443460b 100644
--- a/policy/modules/contrib/portage.te
+++ b/policy/modules/contrib/portage.te
@@ -13,6 +13,14 @@ policy_module(portage, 1.14.0)
## </desc>
gen_tunable(portage_use_nfs, false)
+## <desc>
+## <p>
+## Determine whether portage domains can read user content.
+## This is for non-portage_t domains as portage_t can manage the entire file system.
+## </p>
+## </desc>
+gen_tunable(portage_read_user_content, false)
+
attribute_role gcc_config_roles;
attribute_role portage_roles;
attribute_role portage_fetch_roles;
@@ -262,6 +270,8 @@ manage_files_pattern(portage_fetch_t, portage_ebuild_t, portage_ebuild_t)
manage_dirs_pattern(portage_fetch_t, portage_fetch_tmp_t, portage_fetch_tmp_t)
manage_files_pattern(portage_fetch_t, portage_fetch_tmp_t, portage_fetch_tmp_t)
files_tmp_filetrans(portage_fetch_t, portage_fetch_tmp_t, { file dir })
+# Needed as otherwise we get large Python tracebacks when using emerge-webrsync (portageq failure)
+can_exec(portage_fetch_t, portage_fetch_tmp_t)
kernel_read_system_state(portage_fetch_t)
kernel_read_kernel_sysctls(portage_fetch_t)
@@ -307,7 +317,6 @@ miscfiles_read_generic_certs(portage_fetch_t)
miscfiles_read_localization(portage_fetch_t)
userdom_use_user_terminals(portage_fetch_t)
-userdom_dontaudit_read_user_home_content_files(portage_fetch_t)
rsync_exec(portage_fetch_t)
@@ -322,6 +331,13 @@ tunable_policy(`portage_use_nfs',`
fs_manage_nfs_symlinks(portage_fetch_t)
')
+tunable_policy(`portage_read_user_content',`
+ userdom_read_user_home_content_files(portage_fetch_t)
+ userdom_list_user_home_content(portage_fetch_t)
+',`
+ userdom_dontaudit_read_user_home_content_files(portage_fetch_t)
+')
+
optional_policy(`
gpg_exec(portage_fetch_t)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-05-01 8:46 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-05-01 8:46 UTC (permalink / raw
To: gentoo-commits
commit: be9577afa2ce0f880abb272b8f1fe0a556ca6552
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu May 1 08:46:21 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu May 1 08:46:21 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=be9577af
ALSA domains need usr read access to access /usr/share/alsa/*
---
policy/modules/contrib/alsa.te | 3 +++
1 file changed, 3 insertions(+)
diff --git a/policy/modules/contrib/alsa.te b/policy/modules/contrib/alsa.te
index ee37692..93cd23b 100644
--- a/policy/modules/contrib/alsa.te
+++ b/policy/modules/contrib/alsa.te
@@ -128,6 +128,9 @@ ifdef(`distro_gentoo',`
allow alsadomain alsadomain:shm rw_shm_perms;
allow alsadomain alsatmpfsfile:file rw_file_perms;
+ # ALSA applications need access to /usr/share/alsa/*
+ files_read_usr_files(alsadomain)
+
alsa_read_rw_config(alsadomain)
alsa_read_home_files(alsadomain)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-04-27 15:34 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-04-27 15:34 UTC (permalink / raw
To: gentoo-commits
commit: 3e011c458788c08fb6f0ecbb5759f0018c2e4c1d
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Apr 27 15:29:50 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Apr 27 15:29:50 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=3e011c45
Supported upstream
---
policy/modules/contrib/snort.te | 12 ------------
1 file changed, 12 deletions(-)
diff --git a/policy/modules/contrib/snort.te b/policy/modules/contrib/snort.te
index 88819c7..42e685f 100644
--- a/policy/modules/contrib/snort.te
+++ b/policy/modules/contrib/snort.te
@@ -115,15 +115,3 @@ optional_policy(`
optional_policy(`
udev_read_db(snort_t)
')
-
-ifdef(`distro_gentoo',`
- ##########################################
- #
- # Local policy
- #
- # Reported through IRC - needs write, append is not enough
- allow snort_t snort_log_t:file write_file_perms;
-
- # Init creates /var/run/snort if it does not exist yet
- init_daemon_run_dir(snort_var_run_t, "snort")
-')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-04-27 15:34 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-04-27 15:34 UTC (permalink / raw
To: gentoo-commits
commit: 3ef4d35e0f7e1f801c7c0f5b4aedd0041e780411
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Thu Apr 24 16:56:06 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Apr 27 15:28:37 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=3ef4d35e
Module version bump for cron and snort updates from Sven Vermeulen.
---
policy/modules/contrib/cron.te | 2 +-
policy/modules/contrib/snort.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te
index 8cf6dc8..237c2a6 100644
--- a/policy/modules/contrib/cron.te
+++ b/policy/modules/contrib/cron.te
@@ -1,4 +1,4 @@
-policy_module(cron, 2.7.0)
+policy_module(cron, 2.7.1)
gen_require(`
class passwd rootok;
diff --git a/policy/modules/contrib/snort.te b/policy/modules/contrib/snort.te
index 4568977..88819c7 100644
--- a/policy/modules/contrib/snort.te
+++ b/policy/modules/contrib/snort.te
@@ -1,4 +1,4 @@
-policy_module(snort, 1.11.0)
+policy_module(snort, 1.11.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-04-27 15:34 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-04-27 15:34 UTC (permalink / raw
To: gentoo-commits
commit: 0dcd9b4afc2135463c0d6884a6011f8274450b41
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon Apr 21 15:08:23 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Apr 27 15:28:31 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=0dcd9b4a
fcron socket support
The fcron daemon creates a socket file in /var/run (called fcron.fifo)
which is used by the fcrondyn application to interact with the fcron
daemon. This application allows admins to list the defined jobs, run
jobs immediately, remove jobs, etc.
Without this, fcrondyn cannot connect to the cron daemon; fcron also
logs this at start-up:
fcron[23724]: Cannot bind socket to '/var/run/fcron.fifo': Permission
denied
Through this patch, we allow the crond daemon to create this socket and
update the admin role to allow the admin domain to stream_connect
through this socket to the crond_t domain.
Changes since v1:
- Moved named file transition outside tunable_policy
- Use user domain instead of role in cron_admin's stream_connect_pattern
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
---
policy/modules/contrib/cron.if | 5 +++++
policy/modules/contrib/cron.te | 2 ++
2 files changed, 7 insertions(+)
diff --git a/policy/modules/contrib/cron.if b/policy/modules/contrib/cron.if
index a58ce50..2ad65f8 100644
--- a/policy/modules/contrib/cron.if
+++ b/policy/modules/contrib/cron.if
@@ -277,6 +277,11 @@ interface(`cron_admin_role',`
dontaudit $2 cronjob_t:process { ptrace signal_perms };
')
+ tunable_policy(`crond_fcron',`
+ # Support for fcrondyn
+ stream_connect_pattern($2, crond_var_run_t, crond_var_run_t, crond_t)
+ ')
+
optional_policy(`
gen_require(`
class dbus send_msg;
diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te
index 4ab10d8..da85d9b 100644
--- a/policy/modules/contrib/cron.te
+++ b/policy/modules/contrib/cron.te
@@ -234,6 +234,7 @@ logging_log_filetrans(crond_t, cron_log_t, file)
manage_files_pattern(crond_t, crond_var_run_t, crond_var_run_t)
files_pid_filetrans(crond_t, crond_var_run_t, file)
+files_pid_filetrans(crond_t, crond_var_run_t, sock_file, "fcron.fifo")
manage_files_pattern(crond_t, cron_spool_t, cron_spool_t)
@@ -347,6 +348,7 @@ tunable_policy(`allow_polyinstantiation',`
tunable_policy(`fcron_crond',`
allow crond_t { system_cron_spool_t user_cron_spool_t }:file manage_file_perms;
+ allow crond_t crond_var_run_t:sock_file manage_sock_file_perms;
')
optional_policy(`
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-04-27 15:34 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-04-27 15:34 UTC (permalink / raw
To: gentoo-commits
commit: cd2913c0447477ade591f93034f1c01c15136117
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon Apr 21 15:08:22 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Apr 27 15:28:22 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=cd2913c0
Snort policy updates
When snort starts up, its init script creates the /var/run/snort directory.
However, the policy did not have a file transition for this, which results
in the /var/run/snort directory to be initrc_var_run_t.
By supporting a file transition to snort_var_run_t the PID file can be
hosted inside its own directory as intended.
Error logs from Snort:
Apr 9 14:42:45 server snort[1916]: WARNING: /var/run/snort is invalid,
trying /var/run...
Apr 9 14:42:45 server snort[1916]: Previous Error, errno=13,
(Permission denied)
Apr 9 14:42:45 server snort[1916]: PID path stat checked out ok, PID
path set to /var/run/
Second, snort is not able to write to its own log file. It needs the
write privilege for this (append no longer cuts it) as found through the
AVC denial.
Error logs from Snort:
Apr 9 14:42:45 server snort[1916]: FATAL ERROR: spo_unified2.c(320)
Could not open /var/log/snort//merged.log: Permission denied
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
---
policy/modules/contrib/snort.fc | 3 ---
policy/modules/contrib/snort.te | 3 ++-
2 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/policy/modules/contrib/snort.fc b/policy/modules/contrib/snort.fc
index ad73ece..2b1ea6b 100644
--- a/policy/modules/contrib/snort.fc
+++ b/policy/modules/contrib/snort.fc
@@ -10,7 +10,4 @@
/var/log/snort(/.*)? gen_context(system_u:object_r:snort_log_t,s0)
/var/run/snort.* -- gen_context(system_u:object_r:snort_var_run_t,s0)
-
-ifdef(`distro_gentoo',`
/var/run/snort(/.*)? gen_context(system_u:object_r:snort_var_run_t,s0)
-')
diff --git a/policy/modules/contrib/snort.te b/policy/modules/contrib/snort.te
index 44fcaf9..4568977 100644
--- a/policy/modules/contrib/snort.te
+++ b/policy/modules/contrib/snort.te
@@ -23,6 +23,7 @@ files_tmp_file(snort_tmp_t)
type snort_var_run_t;
files_pid_file(snort_var_run_t)
+init_daemon_run_dir(snort_var_run_t, "snort")
########################################
#
@@ -43,9 +44,9 @@ allow snort_t snort_etc_t:file read_file_perms;
allow snort_t snort_etc_t:lnk_file read_lnk_file_perms;
manage_dirs_pattern(snort_t, snort_log_t, snort_log_t)
-append_files_pattern(snort_t, snort_log_t, snort_log_t)
create_files_pattern(snort_t, snort_log_t, snort_log_t)
setattr_files_pattern(snort_t, snort_log_t, snort_log_t)
+write_files_pattern(snort_t, snort_log_t, snort_log_t)
logging_log_filetrans(snort_t, snort_log_t, { file dir })
manage_dirs_pattern(snort_t, snort_tmp_t, snort_tmp_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-04-27 15:34 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-04-27 15:34 UTC (permalink / raw
To: gentoo-commits
commit: 9b8a447824f56c4c8cb7427b8d791287f4a4b03a
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Thu Apr 24 16:53:11 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Apr 27 15:28:35 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=9b8a4478
Move sock_file filetrans to fcron_crond conditional.
Also drop the name in the filetrans.
---
policy/modules/contrib/cron.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te
index da85d9b..8cf6dc8 100644
--- a/policy/modules/contrib/cron.te
+++ b/policy/modules/contrib/cron.te
@@ -234,7 +234,6 @@ logging_log_filetrans(crond_t, cron_log_t, file)
manage_files_pattern(crond_t, crond_var_run_t, crond_var_run_t)
files_pid_filetrans(crond_t, crond_var_run_t, file)
-files_pid_filetrans(crond_t, crond_var_run_t, sock_file, "fcron.fifo")
manage_files_pattern(crond_t, cron_spool_t, cron_spool_t)
@@ -349,6 +348,7 @@ tunable_policy(`allow_polyinstantiation',`
tunable_policy(`fcron_crond',`
allow crond_t { system_cron_spool_t user_cron_spool_t }:file manage_file_perms;
allow crond_t crond_var_run_t:sock_file manage_sock_file_perms;
+ files_pid_filetrans(crond_t, crond_var_run_t, sock_file)
')
optional_policy(`
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-04-27 15:34 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-04-27 15:34 UTC (permalink / raw
To: gentoo-commits
commit: 3c4177f900ccfde8a5731099afbc98fee3131e31
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Thu Apr 24 16:51:50 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Apr 27 15:28:33 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=3c4177f9
Add missing cron_admin_role() dependency.
---
policy/modules/contrib/cron.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/cron.if b/policy/modules/contrib/cron.if
index 2ad65f8..893ff91 100644
--- a/policy/modules/contrib/cron.if
+++ b/policy/modules/contrib/cron.if
@@ -222,7 +222,7 @@ interface(`cron_admin_role',`
gen_require(`
type cronjob_t, crontab_exec_t, admin_crontab_t;
class passwd crontab;
- type crond_t, user_cron_spool_t;
+ type crond_t, crond_var_run_t, user_cron_spool_t;
bool cron_userdomain_transition;
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-04-21 15:25 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-04-21 15:25 UTC (permalink / raw
To: gentoo-commits
commit: 8332561b46b40b9cfd6f82bb5a4fe7f1c401c80d
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Mon Apr 21 13:23:24 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Apr 21 15:24:07 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=8332561b
Module version bump for ModemManager fc entry from Laurent Bigonville.
---
policy/modules/contrib/modemmanager.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/modemmanager.te b/policy/modules/contrib/modemmanager.te
index 67c67f2..56b3b73 100644
--- a/policy/modules/contrib/modemmanager.te
+++ b/policy/modules/contrib/modemmanager.te
@@ -1,4 +1,4 @@
-policy_module(modemmanager, 1.3.0)
+policy_module(modemmanager, 1.3.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-04-21 15:25 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-04-21 15:25 UTC (permalink / raw
To: gentoo-commits
commit: 7e0e4551f80335ed60ecabf988bdb22b603cd03f
Author: Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Sat Apr 12 20:53:30 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Apr 21 15:22:53 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=7e0e4551
Label /usr/sbin/ModemManager as modemmanager_exec_t
modem-manager executable has been renamed in recent versions (>= 0.7.990)
---
policy/modules/contrib/modemmanager.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/modemmanager.fc b/policy/modules/contrib/modemmanager.fc
index a83894c..c43901e 100644
--- a/policy/modules/contrib/modemmanager.fc
+++ b/policy/modules/contrib/modemmanager.fc
@@ -1 +1,2 @@
+/usr/sbin/ModemManager -- gen_context(system_u:object_r:modemmanager_exec_t,s0)
/usr/sbin/modem-manager -- gen_context(system_u:object_r:modemmanager_exec_t,s0)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-04-17 19:04 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-04-17 19:04 UTC (permalink / raw
To: gentoo-commits
commit: 5709cab00aaa691d78dfd6c3bcc1a14db5384de8
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue Apr 15 18:50:46 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Apr 17 19:02:16 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=5709cab0
Module version bump for various fixes from Laurent Bigonville.
---
policy/modules/contrib/dbus.te | 2 +-
policy/modules/contrib/exim.te | 2 +-
policy/modules/contrib/gnome.te | 2 +-
policy/modules/contrib/obex.te | 2 +-
policy/modules/contrib/telepathy.te | 2 +-
5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index b9838d1..8075f85 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -1,4 +1,4 @@
-policy_module(dbus, 1.19.0)
+policy_module(dbus, 1.19.1)
gen_require(`
class dbus all_dbus_perms;
diff --git a/policy/modules/contrib/exim.te b/policy/modules/contrib/exim.te
index b6a7fb3..768a69f 100644
--- a/policy/modules/contrib/exim.te
+++ b/policy/modules/contrib/exim.te
@@ -1,4 +1,4 @@
-policy_module(exim, 1.7.0)
+policy_module(exim, 1.7.1)
########################################
#
diff --git a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te
index e6fe219..b4a361a 100644
--- a/policy/modules/contrib/gnome.te
+++ b/policy/modules/contrib/gnome.te
@@ -1,4 +1,4 @@
-policy_module(gnome, 2.4.0)
+policy_module(gnome, 2.4.1)
##############################
#
diff --git a/policy/modules/contrib/obex.te b/policy/modules/contrib/obex.te
index cd29ea8..dfb181c 100644
--- a/policy/modules/contrib/obex.te
+++ b/policy/modules/contrib/obex.te
@@ -1,4 +1,4 @@
-policy_module(obex, 1.0.0)
+policy_module(obex, 1.0.1)
########################################
#
diff --git a/policy/modules/contrib/telepathy.te b/policy/modules/contrib/telepathy.te
index 5383971..e7fe4da 100644
--- a/policy/modules/contrib/telepathy.te
+++ b/policy/modules/contrib/telepathy.te
@@ -1,4 +1,4 @@
-policy_module(telepathy, 1.5.0)
+policy_module(telepathy, 1.5.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-04-17 19:04 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-04-17 19:04 UTC (permalink / raw
To: gentoo-commits
commit: 8f976037a6642f6725d76d3b4b8395fca3bc1e53
Author: Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Fri Apr 11 17:27:14 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Apr 17 19:02:05 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=8f976037
Fix dbus_all_session_domain(), session_bus_type is an attribute
Fix dbus_all_session_domain(), session_bus_type is an attribute not a
type
---
policy/modules/contrib/dbus.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/dbus.if b/policy/modules/contrib/dbus.if
index 733f027..fa6d806 100644
--- a/policy/modules/contrib/dbus.if
+++ b/policy/modules/contrib/dbus.if
@@ -432,7 +432,7 @@ interface(`dbus_session_domain',`
#
interface(`dbus_all_session_domain',`
gen_require(`
- type session_bus_type;
+ attribute session_bus_type;
')
domtrans_pattern(session_bus_type, $2, $1)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-04-17 19:04 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-04-17 19:04 UTC (permalink / raw
To: gentoo-commits
commit: 1b3f7528b59220920ac2b66e3e5fd2aa960c4c5e
Author: Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Fri Apr 11 17:27:15 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Apr 17 19:02:08 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=1b3f7528
Allow gconfd to be started by the session bus
Allow gconfd to be started by the session bus and make it transition to
its own domain.
It also connects to the system bus to listen to signals from
org.gnome.GConf.Defaults interface
---
policy/modules/contrib/gnome.te | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te
index 0b45360..e6fe219 100644
--- a/policy/modules/contrib/gnome.te
+++ b/policy/modules/contrib/gnome.te
@@ -97,6 +97,12 @@ userdom_manage_user_tmp_dirs(gconfd_t)
userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
optional_policy(`
+ dbus_all_session_domain(gconfd_t, gconfd_exec_t)
+
+ dbus_system_bus_client(gconfd_t)
+')
+
+optional_policy(`
nscd_dontaudit_search_pid(gconfd_t)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-04-17 19:04 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-04-17 19:04 UTC (permalink / raw
To: gentoo-commits
commit: 8ae4a42143f20541f9a43506ffb3e94fe19c42e1
Author: Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Fri Apr 11 17:27:16 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Apr 17 19:02:10 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=8ae4a421
Fix the usage of dbus_spec_session_domain() interface
Change the order of the parameters for the calls to
dbus_spec_session_domain() interface.
For consistancy with the other dbus interfaces and the backward
compatibility, we consider that the description was correct and we
change the callers instead.
The order of the parameter for this interface is the following:
dbus_spec_session_domain(role_prefix, domain, entry_point)
---
policy/modules/contrib/dbus.if | 2 +-
policy/modules/contrib/gnome.if | 2 +-
policy/modules/contrib/obex.if | 2 +-
policy/modules/contrib/telepathy.if | 18 +++++++++---------
4 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/policy/modules/contrib/dbus.if b/policy/modules/contrib/dbus.if
index fa6d806..21e8b5c 100644
--- a/policy/modules/contrib/dbus.if
+++ b/policy/modules/contrib/dbus.if
@@ -469,7 +469,7 @@ interface(`dbus_spec_session_domain',`
type $1_dbusd_t;
')
- domtrans_pattern($1_dbusd_t, $2, $3)
+ domtrans_pattern($1_dbusd_t, $3, $2)
dbus_spec_session_bus_client($1, $2)
dbus_connect_spec_session_bus($1, $2)
diff --git a/policy/modules/contrib/gnome.if b/policy/modules/contrib/gnome.if
index ab09d61..112d33b 100644
--- a/policy/modules/contrib/gnome.if
+++ b/policy/modules/contrib/gnome.if
@@ -109,7 +109,7 @@ template(`gnome_role_template',`
gnome_stream_connect_gkeyringd($1, $3)
optional_policy(`
- dbus_spec_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t)
+ dbus_spec_session_domain($1, $1_gkeyringd_t, gkeyringd_exec_t)
optional_policy(`
gnome_dbus_chat_gkeyringd($1, $3)
diff --git a/policy/modules/contrib/obex.if b/policy/modules/contrib/obex.if
index 8635ea2..410c0e8 100644
--- a/policy/modules/contrib/obex.if
+++ b/policy/modules/contrib/obex.if
@@ -42,7 +42,7 @@ template(`obex_role_template',`
allow $3 obex_t:process { ptrace signal_perms };
ps_process_pattern($3, obex_t)
- dbus_spec_session_domain($1, obex_exec_t, obex_t)
+ dbus_spec_session_domain($1, obex_t, obex_exec_t)
obex_dbus_chat($3)
')
diff --git a/policy/modules/contrib/telepathy.if b/policy/modules/contrib/telepathy.if
index 42946bc..0d58469 100644
--- a/policy/modules/contrib/telepathy.if
+++ b/policy/modules/contrib/telepathy.if
@@ -78,15 +78,15 @@ template(`telepathy_role_template',`
telepathy_msn_stream_connect($3)
telepathy_salut_stream_connect($3)
- dbus_spec_session_domain($1, telepathy_gabble_exec_t, telepathy_gabble_t)
- dbus_spec_session_domain($1, telepathy_sofiasip_exec_t, telepathy_sofiasip_t)
- dbus_spec_session_domain($1, telepathy_idle_exec_t, telepathy_idle_t)
- dbus_spec_session_domain($1, telepathy_logger_exec_t, telepathy_logger_t)
- dbus_spec_session_domain($1, telepathy_mission_control_exec_t, telepathy_mission_control_t)
- dbus_spec_session_domain($1, telepathy_salut_exec_t, telepathy_salut_t)
- dbus_spec_session_domain($1, telepathy_sunshine_exec_t, telepathy_sunshine_t)
- dbus_spec_session_domain($1, telepathy_stream_engine_exec_t, telepathy_stream_engine_t)
- dbus_spec_session_domain($1, telepathy_msn_exec_t, telepathy_msn_t)
+ dbus_spec_session_domain($1, telepathy_gabble_t, telepathy_gabble_exec_t)
+ dbus_spec_session_domain($1, telepathy_sofiasip_t, telepathy_sofiasip_exec_t)
+ dbus_spec_session_domain($1, telepathy_idle_t, telepathy_idle_exec_t)
+ dbus_spec_session_domain($1, telepathy_logger_t, telepathy_logger_exec_t)
+ dbus_spec_session_domain($1, telepathy_mission_control_t, telepathy_mission_control_exec_t)
+ dbus_spec_session_domain($1, telepathy_salut_t, telepathy_salut_exec_t)
+ dbus_spec_session_domain($1, telepathy_sunshine_t, telepathy_sunshine_exec_t)
+ dbus_spec_session_domain($1, telepathy_stream_engine_t, telepathy_stream_engine_exec_t)
+ dbus_spec_session_domain($1, telepathy_msn_t, telepathy_msn_exec_t)
allow $3 { telepathy_mission_control_cache_home_t telepathy_cache_home_t telepathy_logger_cache_home_t }:dir { manage_dir_perms relabel_dir_perms };
allow $3 { telepathy_gabble_cache_home_t telepathy_mission_control_home_t telepathy_data_home_t }:dir { manage_dir_perms relabel_dir_perms };
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-04-17 19:04 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-04-17 19:04 UTC (permalink / raw
To: gentoo-commits
commit: 0af22df335db344407c0254eae8f278fb0dfc8a4
Author: Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Fri Apr 11 17:27:18 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Apr 17 19:02:14 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=0af22df3
Add new gnome_spec_domtrans_all_gkeyringd() interface
Allow the caller to transition to all the gkeyringd domains
---
policy/modules/contrib/gnome.if | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/policy/modules/contrib/gnome.if b/policy/modules/contrib/gnome.if
index 112d33b..118ee01 100644
--- a/policy/modules/contrib/gnome.if
+++ b/policy/modules/contrib/gnome.if
@@ -671,6 +671,26 @@ interface(`gnome_dbus_chat_all_gkeyringd',`
########################################
## <summary>
+## Run all gkeyringd in gkeyringd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`gnome_spec_domtrans_all_gkeyringd',`
+ gen_require(`
+ attribute gkeyringd_domain;
+ type gkeyringd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ spec_domtrans_pattern($1, gkeyringd_exec_t, gkeyringd_domain)
+')
+
+########################################
+## <summary>
## Connect to gnome keyring daemon
## with a unix stream socket.
## </summary>
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-04-17 19:04 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-04-17 19:04 UTC (permalink / raw
To: gentoo-commits
commit: b092bd58fa1a153909737c9c8a16b0354a45e08d
Author: Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Fri Apr 11 17:27:17 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Apr 17 19:02:11 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b092bd58
Properly label exim4 initscript under Debian
Keep the same regex expression as for the other filecontexts
---
policy/modules/contrib/exim.fc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/exim.fc b/policy/modules/contrib/exim.fc
index 9df498d..48abe95 100644
--- a/policy/modules/contrib/exim.fc
+++ b/policy/modules/contrib/exim.fc
@@ -1,4 +1,4 @@
-/etc/rc\.d/init\.d/exim -- gen_context(system_u:object_r:exim_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/exim[0-9]? -- gen_context(system_u:object_r:exim_initrc_exec_t,s0)
/usr/sbin/exim[0-9]? -- gen_context(system_u:object_r:exim_exec_t,s0)
/usr/sbin/exim_tidydb -- gen_context(system_u:object_r:exim_exec_t,s0)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-04-12 19:03 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-04-12 19:03 UTC (permalink / raw
To: gentoo-commits
commit: f545f061fccaddd18620fe5b50bc179db9c2de6f
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Apr 12 19:03:32 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Apr 12 19:03:32 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f545f061
Allow chromium to kill its own processes if it detects issues
---
policy/modules/contrib/chromium.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/chromium.te b/policy/modules/contrib/chromium.te
index 9e06778..b460904 100644
--- a/policy/modules/contrib/chromium.te
+++ b/policy/modules/contrib/chromium.te
@@ -66,7 +66,7 @@ xdg_cache_home_content(chromium_xdg_cache_t)
# chromium local policy
#
-allow chromium_t self:process { getsched setrlimit setsched signal };
+allow chromium_t self:process { getsched setrlimit setsched sigkill signal };
allow chromium_t self:fifo_file rw_fifo_file_perms;;
allow chromium_t self:sem create_sem_perms;
allow chromium_t self:netlink_kobject_uevent_socket client_stream_socket_perms;
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-04-12 13:38 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-04-12 13:38 UTC (permalink / raw
To: gentoo-commits
commit: 17ffc8e920a4dab85c5626bdc9844ee79f0555b2
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Apr 11 18:31:04 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Apr 11 18:31:04 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=17ffc8e9
Allow mutt to read/write attachments in XDG downloads dir
---
policy/modules/contrib/mutt.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/contrib/mutt.te b/policy/modules/contrib/mutt.te
index f6d3489..393b943 100644
--- a/policy/modules/contrib/mutt.te
+++ b/policy/modules/contrib/mutt.te
@@ -91,5 +91,7 @@ optional_policy(`
optional_policy(`
xdg_manage_cache_home(mutt_t)
+ # Save and send attachments
+ xdg_manage_downloads_home(mutt_t)
xdg_read_config_home_files(mutt_t)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-04-12 13:38 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-04-12 13:38 UTC (permalink / raw
To: gentoo-commits
commit: eb72a1a6cf9947aebd0d5df523c180ef0cfa6446
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Apr 12 13:37:06 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Apr 12 13:37:06 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=eb72a1a6
Snort policy updates
When snort starts up, its init script creates the /var/run/snort directory.
However, the policy did not have a file transition for this, which results
in the /var/run/snort directory to be initrc_var_run_t.
By supporting a file transition to snort_var_run_t the PID file can be
hosted inside its own directory as intended.
Error logs from Snort:
Apr 9 14:42:45 server snort[1916]: WARNING: /var/run/snort is invalid,
trying /var/run...
Apr 9 14:42:45 server snort[1916]: Previous Error, errno=13,
(Permission denied)
Apr 9 14:42:45 server snort[1916]: PID path stat checked out ok, PID
path set to /var/run/
Second, snort is not able to write to its own log file. It needs the
write privilege for this (append no longer cuts it) as found through the
AVC denial.
Error logs from Snort:
Apr 9 14:42:45 server snort[1916]: FATAL ERROR: spo_unified2.c(320)
Could not open /var/log/snort//merged.log: Permission denied
Reported-by: sgnut <sgnut@freenode>
---
policy/modules/contrib/snort.fc | 4 ++++
policy/modules/contrib/snort.te | 12 ++++++++++++
2 files changed, 16 insertions(+)
diff --git a/policy/modules/contrib/snort.fc b/policy/modules/contrib/snort.fc
index 591b9a1..ad73ece 100644
--- a/policy/modules/contrib/snort.fc
+++ b/policy/modules/contrib/snort.fc
@@ -10,3 +10,7 @@
/var/log/snort(/.*)? gen_context(system_u:object_r:snort_log_t,s0)
/var/run/snort.* -- gen_context(system_u:object_r:snort_var_run_t,s0)
+
+ifdef(`distro_gentoo',`
+/var/run/snort(/.*)? gen_context(system_u:object_r:snort_var_run_t,s0)
+')
diff --git a/policy/modules/contrib/snort.te b/policy/modules/contrib/snort.te
index 1af72df..44fcaf9 100644
--- a/policy/modules/contrib/snort.te
+++ b/policy/modules/contrib/snort.te
@@ -114,3 +114,15 @@ optional_policy(`
optional_policy(`
udev_read_db(snort_t)
')
+
+ifdef(`distro_gentoo',`
+ ##########################################
+ #
+ # Local policy
+ #
+ # Reported through IRC - needs write, append is not enough
+ allow snort_t snort_log_t:file write_file_perms;
+
+ # Init creates /var/run/snort if it does not exist yet
+ init_daemon_run_dir(snort_var_run_t, "snort")
+')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-04-11 17:48 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-04-11 17:48 UTC (permalink / raw
To: gentoo-commits
commit: ae1067f21dc8dc41b8a42ef0edd777fe4805b1cf
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Fri Apr 11 15:43:13 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Apr 11 17:46:48 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ae1067f2
Module version bump for fc regex fixes from Nicolas Iooss.
---
policy/modules/contrib/finger.te | 2 +-
policy/modules/contrib/rhcs.te | 2 +-
policy/modules/contrib/setroubleshoot.te | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/policy/modules/contrib/finger.te b/policy/modules/contrib/finger.te
index 35da09d..5bcd50b 100644
--- a/policy/modules/contrib/finger.te
+++ b/policy/modules/contrib/finger.te
@@ -1,4 +1,4 @@
-policy_module(finger, 1.10.0)
+policy_module(finger, 1.10.1)
########################################
#
diff --git a/policy/modules/contrib/rhcs.te b/policy/modules/contrib/rhcs.te
index 16f1a23..f5afb7c 100644
--- a/policy/modules/contrib/rhcs.te
+++ b/policy/modules/contrib/rhcs.te
@@ -1,4 +1,4 @@
-policy_module(rhcs, 1.3.0)
+policy_module(rhcs, 1.3.1)
########################################
#
diff --git a/policy/modules/contrib/setroubleshoot.te b/policy/modules/contrib/setroubleshoot.te
index 6f6d668..62b935a 100644
--- a/policy/modules/contrib/setroubleshoot.te
+++ b/policy/modules/contrib/setroubleshoot.te
@@ -1,4 +1,4 @@
-policy_module(setroubleshoot, 1.13.0)
+policy_module(setroubleshoot, 1.13.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-04-11 17:48 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-04-11 17:48 UTC (permalink / raw
To: gentoo-commits
commit: 86a756e52673f5ef0eb6169b7b445ad7de765961
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Fri Apr 11 13:17:06 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Apr 11 17:46:45 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=86a756e5
Module version bump for gitweb fc entry on Debian and ArchLinux from Nicolas Iooss.
---
policy/modules/contrib/git.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/git.te b/policy/modules/contrib/git.te
index 653392c..42551f9 100644
--- a/policy/modules/contrib/git.te
+++ b/policy/modules/contrib/git.te
@@ -1,4 +1,4 @@
-policy_module(git, 1.4.0)
+policy_module(git, 1.4.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-04-11 17:48 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-04-11 17:48 UTC (permalink / raw
To: gentoo-commits
commit: f04beadc745baa12d14310a2e12757d945d67101
Author: Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org>
AuthorDate: Sat Apr 5 20:37:45 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Apr 11 17:46:46 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f04beadc
Fix strange file patterns
Some file patterns look very strange, like:
/var/log/cluster/.*\.*log
I've found such patterns while writing a script that parses the file patterns.
Hence I haven't tested if the new file contexts apply to the existing files.
For example, this patch changes
/var/run/*.fingerd\.pid
to
/var/run/fingerd\.pid
because "/*" seems weird to me, but this also changes the semantic of the
pattern. Another possibility which doesn't change the meaning is:
/var/run/?.fingerd\.pid
I send this patch as an RFC because what I consider abnormal may in fact be
something expected or a workaround to fix some bugs I'm not aware of.
---
policy/modules/contrib/finger.fc | 2 +-
policy/modules/contrib/rhcs.fc | 2 +-
policy/modules/contrib/setroubleshoot.fc | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/policy/modules/contrib/finger.fc b/policy/modules/contrib/finger.fc
index 843940b..623421d 100644
--- a/policy/modules/contrib/finger.fc
+++ b/policy/modules/contrib/finger.fc
@@ -7,4 +7,4 @@
/var/log/cfingerd\.log.* -- gen_context(system_u:object_r:fingerd_log_t,s0)
-/var/run/*.fingerd\.pid -- gen_context(system_u:object_r:fingerd_var_run_t,s0)
+/var/run/fingerd\.pid -- gen_context(system_u:object_r:fingerd_var_run_t,s0)
diff --git a/policy/modules/contrib/rhcs.fc b/policy/modules/contrib/rhcs.fc
index 47de2d6..c619502 100644
--- a/policy/modules/contrib/rhcs.fc
+++ b/policy/modules/contrib/rhcs.fc
@@ -14,7 +14,7 @@
/var/lib/qdiskd(/.*)? gen_context(system_u:object_r:qdiskd_var_lib_t,s0)
-/var/log/cluster/.*\.*log <<none>>
+/var/log/cluster/.*\.log <<none>>
/var/log/cluster/dlm_controld\.log.* -- gen_context(system_u:object_r:dlm_controld_var_log_t,s0)
/var/log/cluster/fenced\.log.* -- gen_context(system_u:object_r:fenced_var_log_t,s0)
/var/log/cluster/gfs_controld\.log.* -- gen_context(system_u:object_r:gfs_controld_var_log_t,s0)
diff --git a/policy/modules/contrib/setroubleshoot.fc b/policy/modules/contrib/setroubleshoot.fc
index 0b3a971..e89c06f 100644
--- a/policy/modules/contrib/setroubleshoot.fc
+++ b/policy/modules/contrib/setroubleshoot.fc
@@ -1,6 +1,6 @@
/usr/sbin/setroubleshootd -- gen_context(system_u:object_r:setroubleshootd_exec_t,s0)
-/usr/share/setroubleshoot/SetroubleshootFixit\.py* -- gen_context(system_u:object_r:setroubleshoot_fixit_exec_t,s0)
+/usr/share/setroubleshoot/SetroubleshootFixit\.py -- gen_context(system_u:object_r:setroubleshoot_fixit_exec_t,s0)
/var/run/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_run_t,s0)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-04-11 17:48 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-04-11 17:48 UTC (permalink / raw
To: gentoo-commits
commit: db9bbe71ff53be3cac3ec53063728a21b6f02f58
Author: Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org>
AuthorDate: Sat Apr 5 17:10:53 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Apr 11 17:46:44 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=db9bbe71
Label /usr/share/gitweb/static as httpd_git_content_t
This directory contains gitweb static files at least on Debian and ArchLinux.
---
policy/modules/contrib/git.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/git.fc b/policy/modules/contrib/git.fc
index d8a3f8e..c26586d 100644
--- a/policy/modules/contrib/git.fc
+++ b/policy/modules/contrib/git.fc
@@ -5,6 +5,7 @@ HOME_DIR/public_git(/.*)? gen_context(system_u:object_r:git_user_content_t,s0)
/usr/libexec/git-core/git-daemon -- gen_context(system_u:object_r:gitd_exec_t,s0)
/usr/share/gitweb/gitweb\.cgi -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
+/usr/share/gitweb/static(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0)
/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
/var/cache/gitweb-caching(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-04-08 17:02 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-04-08 17:02 UTC (permalink / raw
To: gentoo-commits
commit: db642f6a500038cd36fd65f4268eb35448805269
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Apr 8 17:01:57 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Apr 8 17:01:57 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=db642f6a
Remove duplicate declarations
---
policy/modules/contrib/apache.te | 3 ---
1 file changed, 3 deletions(-)
diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index 69fa4b7..4faa22c 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -1427,9 +1427,6 @@ optional_policy(`
')
ifdef(`distro_gentoo',`
- attribute httpd_ra_content;
- attribute httpd_rw_content;
-
init_daemon_run_dir(httpd_var_run_t, "apache_ssl_mutex")
init_daemon_run_dir(httpd_var_run_t, "apache2")
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-04-08 16:02 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-04-08 16:02 UTC (permalink / raw
To: gentoo-commits
commit: 433013d235557841904f9217fc2705b50013191a
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Fri Apr 4 20:25:02 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Apr 8 15:55:10 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=433013d2
Module version bump for apache content interfaces from Sven Vermeulen.
---
policy/modules/contrib/apache.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index ba6b285..69fa4b7 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -1,4 +1,4 @@
-policy_module(apache, 2.8.1)
+policy_module(apache, 2.8.2)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-04-08 16:02 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-04-08 16:02 UTC (permalink / raw
To: gentoo-commits
commit: 74463625f2bf9c3ecb3904207fccb0a6140f7bda
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Apr 8 16:00:54 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Apr 8 16:00:54 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=74463625
Remove merged code
---
policy/modules/contrib/apache.if | 133 --------------------------------------
policy/modules/contrib/dnsmasq.te | 10 ---
2 files changed, 143 deletions(-)
diff --git a/policy/modules/contrib/apache.if b/policy/modules/contrib/apache.if
index 1a07241..717c6f7 100644
--- a/policy/modules/contrib/apache.if
+++ b/policy/modules/contrib/apache.if
@@ -83,17 +83,6 @@ template(`apache_content_template',`
allow { httpd_t httpd_suexec_t } { httpd_$1_content_t httpd_$1_htaccess_t }:file read_file_perms;
allow { httpd_t httpd_suexec_t } httpd_$1_content_t:lnk_file read_lnk_file_perms;
- ifdef(`distro_gentoo',`
- gen_require(`
- attribute httpd_rw_content;
- attribute httpd_ra_content;
- type httpd_log_t;
- ')
-
- typeattribute httpd_$1_rw_content_t httpd_rw_content;
- typeattribute httpd_$1_ra_content_t httpd_ra_content;
- ')
-
tunable_policy(`allow_httpd_$1_script_anon_write',`
miscfiles_manage_public_files(httpd_$1_script_t)
')
@@ -1357,125 +1346,3 @@ interface(`apache_admin',`
apache_run_all_scripts($1, $2)
apache_run_helper($1, $2)
')
-
-########################################
-## <summary>
-## Read all appendable content.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`apache_read_all_ra_content',`
- gen_require(`
- attribute httpd_ra_content;
- ')
-
- read_files_pattern($1, httpd_ra_content, httpd_ra_content)
- read_lnk_files_pattern($1, httpd_ra_content, httpd_ra_content)
-')
-
-########################################
-## <summary>
-## Append to all appendable web content files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`apache_append_all_ra_content',`
- gen_require(`
- attribute httpd_ra_content;
- ')
-
- apache_search_all_content($1)
- append_files_pattern($1, httpd_ra_content, httpd_ra_content)
-')
-
-########################################
-## <summary>
-## Read all read/write content.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`apache_read_all_rw_content',`
- gen_require(`
- attribute httpd_rw_content;
- ')
-
- read_files_pattern($1, httpd_rw_content, httpd_rw_content)
- read_lnk_files_pattern($1, httpd_rw_content, httpd_rw_content)
-')
-
-########################################
-## <summary>
-## Manage all read/write content.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`apache_manage_all_rw_content',`
- gen_require(`
- attribute httpd_rw_content;
- ')
-
- manage_dirs_pattern($1, httpd_rw_content, httpd_rw_content)
- manage_files_pattern($1, httpd_rw_content, httpd_rw_content)
- manage_lnk_files_pattern($1, httpd_rw_content, httpd_rw_content)
-')
-
-########################################
-## <summary>
-## Read all web content.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`apache_read_all_content',`
- gen_require(`
- attribute httpdcontent, httpd_script_exec_type;
- ')
-
- read_files_pattern($1, httpdcontent, httpdcontent)
- read_lnk_files_pattern($1, httpdcontent, httpdcontent)
-
- read_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
- read_lnk_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
-')
-
-########################################
-## <summary>
-## Search all apache content.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`apache_search_all_content',`
- gen_require(`
- attribute httpdcontent;
- ')
-
- allow $1 httpdcontent:dir search_dir_perms;
-')
diff --git a/policy/modules/contrib/dnsmasq.te b/policy/modules/contrib/dnsmasq.te
index 4abe6bf..e286965 100644
--- a/policy/modules/contrib/dnsmasq.te
+++ b/policy/modules/contrib/dnsmasq.te
@@ -128,13 +128,3 @@ optional_policy(`
virt_read_pid_files(dnsmasq_t)
virt_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file })
')
-
-ifdef(`distro_gentoo',`
- ####################################
- #
- # dnsmasq_t policy
- #
-
-
- kernel_read_net_sysctls(dnsmasq_t)
-')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-04-08 16:02 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-04-08 16:02 UTC (permalink / raw
To: gentoo-commits
commit: 14231a7ebe8835d31adfb73f97d3b168fb30e567
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Fri Apr 4 19:12:48 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Apr 8 15:54:54 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=14231a7e
Module version bump for new shibboleth module from Martin Lang.
Reduces shibboleth to 1.0.0, as it is the initial refpolicy version.
---
policy/modules/contrib/apache.te | 2 +-
policy/modules/contrib/shibboleth.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index 32f9251..de61615 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -1,4 +1,4 @@
-policy_module(apache, 2.8.0)
+policy_module(apache, 2.8.1)
########################################
#
diff --git a/policy/modules/contrib/shibboleth.te b/policy/modules/contrib/shibboleth.te
index e59de3e..63950ea 100644
--- a/policy/modules/contrib/shibboleth.te
+++ b/policy/modules/contrib/shibboleth.te
@@ -1,4 +1,4 @@
-policy_module(shibboleth, 2.0.0)
+policy_module(shibboleth, 1.0.0)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-04-08 16:02 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-04-08 16:02 UTC (permalink / raw
To: gentoo-commits
commit: 39cc094a67628edbc6539c8d0b9734de80a6c4a0
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Mar 30 14:09:11 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Apr 8 15:55:05 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=39cc094a
Support read/append/manage functions for various httpd content
We make the web content types as defined by the apache module more
generic in use so that other domains, who need to interact with these
types, can do so without getting too many privileges assigned (like with
apache_manage_all_content).
Within the apache module, the apache_content_template() allows creation
of additional derived types for "apache web content". But this is
actually being used to label generic web content, and it creates
additional types based on the prefix.
When we want to support additional web servers (or parsers used by web
servers, such as php-fpm) that do not run within the apache-provided
domains, they have a hard time accessing the data. There is currently
one interface available (apache_manage_all_content) but that is a lot of
privileges for a parser that possibly just needs to read content.
In this patch, we create additional attributes (httpd_ra_content for
read/append data, and httpd_rw_content for read/write content) and
define interfaces to manage the types that have these attributes
assigned.
This is the result of the discussion of June 2012, which was version 3
of the patchset (I never came to finish up the commit), see also
http://oss.tresys.com/pipermail/refpolicy/2012-June/005175.html
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
---
policy/modules/contrib/apache.if | 120 ++++++++++++++++++++++++++++++++++++++-
policy/modules/contrib/apache.te | 3 +
2 files changed, 121 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/apache.if b/policy/modules/contrib/apache.if
index 655cbe1..1a07241 100644
--- a/policy/modules/contrib/apache.if
+++ b/policy/modules/contrib/apache.if
@@ -15,6 +15,7 @@ template(`apache_content_template',`
gen_require(`
attribute httpdcontent, httpd_exec_scripts, httpd_script_exec_type;
attribute httpd_script_domains, httpd_htaccess_type;
+ attribute httpd_rw_content, httpd_ra_content;
type httpd_t, httpd_suexec_t;
')
@@ -48,11 +49,11 @@ template(`apache_content_template',`
corecmd_shell_entry_type(httpd_$1_script_t)
domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t)
- type httpd_$1_rw_content_t, httpdcontent; # customizable
+ type httpd_$1_rw_content_t, httpdcontent, httpd_rw_content; # customizable
typealias httpd_$1_rw_content_t alias { httpd_$1_script_rw_t httpd_$1_content_rw_t };
files_type(httpd_$1_rw_content_t)
- type httpd_$1_ra_content_t, httpdcontent; # customizable
+ type httpd_$1_ra_content_t, httpdcontent, httpd_ra_content; # customizable
typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t };
files_type(httpd_$1_ra_content_t)
@@ -402,6 +403,121 @@ interface(`apache_dontaudit_rw_tcp_sockets',`
########################################
## <summary>
+## Read all appendable content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_read_all_ra_content',`
+ gen_require(`
+ attribute httpd_ra_content;
+ ')
+
+ read_files_pattern($1, httpd_ra_content, httpd_ra_content)
+ read_lnk_files_pattern($1, httpd_ra_content, httpd_ra_content)
+')
+
+########################################
+## <summary>
+## Append to all appendable web content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_append_all_ra_content',`
+ gen_require(`
+ attribute httpd_ra_content;
+ ')
+
+ append_files_pattern($1, httpd_ra_content, httpd_ra_content)
+')
+
+########################################
+## <summary>
+## Read all read/write content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_read_all_rw_content',`
+ gen_require(`
+ attribute httpd_rw_content;
+ ')
+
+ read_files_pattern($1, httpd_rw_content, httpd_rw_content)
+ read_lnk_files_pattern($1, httpd_rw_content, httpd_rw_content)
+')
+
+########################################
+## <summary>
+## Manage all read/write content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_manage_all_rw_content',`
+ gen_require(`
+ attribute httpd_rw_content;
+ ')
+
+ manage_dirs_pattern($1, httpd_rw_content, httpd_rw_content)
+ manage_files_pattern($1, httpd_rw_content, httpd_rw_content)
+ manage_lnk_files_pattern($1, httpd_rw_content, httpd_rw_content)
+')
+########################################
+## <summary>
+## Read all web content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_read_all_content',`
+ gen_require(`
+ attribute httpdcontent, httpd_script_exec_type;
+ ')
+
+ read_files_pattern($1, httpdcontent, httpdcontent)
+ read_lnk_files_pattern($1, httpdcontent, httpdcontent)
+
+ read_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
+ read_lnk_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
+')
+
+#######################################
+## <summary>
+## Search all apache content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_search_all_content',`
+ gen_require(`
+ attribute httpdcontent;
+ ')
+
+ allow $1 httpdcontent:dir search_dir_perms;
+')
+
+########################################
+## <summary>
## Create, read, write, and delete
## all httpd content.
## </summary>
diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index de61615..ba6b285 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -257,6 +257,9 @@ attribute httpd_htaccess_type;
# domains that can exec all scripts
attribute httpd_exec_scripts;
+attribute httpd_ra_content;
+attribute httpd_rw_content;
+
attribute httpd_script_exec_type;
# all script domains
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-04-08 16:02 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-04-08 16:02 UTC (permalink / raw
To: gentoo-commits
commit: a613b96aa77e7fb576408a71335844d6005ad4b0
Author: Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org>
AuthorDate: Sat Mar 15 17:13:11 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Apr 8 15:54:57 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=a613b96a
apt: remove non-existing permission set write_dir_perms
write_dir_perms doesn't exist in policy/support/obj_perm_sets.spt so this
patch removes the buggy dontaudit statement from apt_read_cache.
---
policy/modules/contrib/apt.if | 1 -
1 file changed, 1 deletion(-)
diff --git a/policy/modules/contrib/apt.if b/policy/modules/contrib/apt.if
index cde81d2..0a1bc49 100644
--- a/policy/modules/contrib/apt.if
+++ b/policy/modules/contrib/apt.if
@@ -171,7 +171,6 @@ interface(`apt_read_cache',`
files_search_var($1)
allow $1 apt_var_cache_t:dir list_dir_perms;
- dontaudit $1 apt_var_cache_t:dir write_dir_perms;
allow $1 apt_var_cache_t:file read_file_perms;
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-04-08 16:02 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-04-08 16:02 UTC (permalink / raw
To: gentoo-commits
commit: d534fb609483e7e649c328a80e9cc1ff64f7844d
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Fri Apr 4 19:11:51 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Apr 8 15:54:52 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=d534fb60
Whitespace fix in shibboleth.te.
---
policy/modules/contrib/shibboleth.te | 3 ---
1 file changed, 3 deletions(-)
diff --git a/policy/modules/contrib/shibboleth.te b/policy/modules/contrib/shibboleth.te
index d1f4212..e59de3e 100644
--- a/policy/modules/contrib/shibboleth.te
+++ b/policy/modules/contrib/shibboleth.te
@@ -41,7 +41,6 @@ manage_files_pattern(shibboleth_t, shibboleth_log_t, shibboleth_log_t)
manage_files_pattern(shibboleth_t, shibboleth_var_run_t, shibboleth_var_run_t)
manage_sock_files_pattern(shibboleth_t, shibboleth_var_run_t, shibboleth_var_run_t)
-
corenet_all_recvfrom_netlabel(shibboleth_t)
corenet_all_recvfrom_unlabeled(shibboleth_t)
corenet_tcp_connect_http_port(shibboleth_t)
@@ -61,7 +60,6 @@ term_dontaudit_search_ptys(shibboleth_t)
term_dontaudit_use_all_ptys(shibboleth_t)
term_dontaudit_use_all_ttys(shibboleth_t)
-
logging_log_filetrans(shibboleth_t, shibboleth_log_t, { file dir })
logging_send_syslog_msg(shibboleth_t)
@@ -69,7 +67,6 @@ miscfiles_read_localization(shibboleth_t)
sysnet_dns_name_resolve(shibboleth_t)
-
# permissions for the configuration files
# there is shared information between apache and shibboleth, e.g., certificates
apache_read_config(shibboleth_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-04-08 16:02 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-04-08 16:02 UTC (permalink / raw
To: gentoo-commits
commit: b3140630d8a0db7bbb7faa0cc074f1ac6034bd7b
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Fri Apr 4 20:18:45 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Apr 8 15:55:03 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b3140630
Module version bump for dnsmasq MTU fix from Sven Vermeulen.
---
policy/modules/contrib/dnsmasq.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/dnsmasq.te b/policy/modules/contrib/dnsmasq.te
index 7027424..4abe6bf 100644
--- a/policy/modules/contrib/dnsmasq.te
+++ b/policy/modules/contrib/dnsmasq.te
@@ -1,4 +1,4 @@
-policy_module(dnsmasq, 1.11.0)
+policy_module(dnsmasq, 1.11.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-04-08 16:02 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-04-08 16:02 UTC (permalink / raw
To: gentoo-commits
commit: cf6444b17f433683e92dc5f94814896bf0c6a34b
Author: Martin Lang <lang <AT> automata <DOT> rwth-aachen <DOT> de>
AuthorDate: Sat Mar 15 13:29:46 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Apr 8 15:54:46 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=cf6444b1
Add a policy module for shibboleth authentication
Signed-off-by: Martin Lang <lang <AT> automata.rwth-aachen.de>
---
policy/modules/contrib/apache.te | 5 +++
policy/modules/contrib/shibboleth.fc | 6 +++
policy/modules/contrib/shibboleth.if | 40 +++++++++++++++++++
policy/modules/contrib/shibboleth.te | 75 ++++++++++++++++++++++++++++++++++++
4 files changed, 126 insertions(+)
diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index 102d5a8..32f9251 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -867,6 +867,11 @@ optional_policy(`
')
optional_policy(`
+ shibboleth_read_config(httpd_t)
+ shibboleth_stream_connect(httpd_t)
+')
+
+optional_policy(`
smokeping_read_lib_files(httpd_t)
')
diff --git a/policy/modules/contrib/shibboleth.fc b/policy/modules/contrib/shibboleth.fc
new file mode 100644
index 0000000..a0b9626
--- /dev/null
+++ b/policy/modules/contrib/shibboleth.fc
@@ -0,0 +1,6 @@
+/etc/shibboleth(/.*)? gen_context(system_u:object_r:shibboleth_etc_t,s0)
+
+/usr/sbin/shibd -- gen_context(system_u:object_r:shibboleth_exec_t,s0)
+
+/var/log/shibboleth(/.*)? gen_context(system_u:object_r:shibboleth_log_t,s0)
+/var/run/shibboleth(/.*)? gen_context(system_u:object_r:shibboleth_var_run_t,s0)
diff --git a/policy/modules/contrib/shibboleth.if b/policy/modules/contrib/shibboleth.if
new file mode 100644
index 0000000..4a3ba02
--- /dev/null
+++ b/policy/modules/contrib/shibboleth.if
@@ -0,0 +1,40 @@
+## <summary>Shibboleth authentication deamon</summary>
+
+########################################
+## <summary>
+## Allow your application domain to access
+## config files from shibboleth
+## </summary>
+## <param name="domain">
+## <summary>
+## The domain which should be enabled.
+## </summary>
+## </param>
+#
+interface(`shibboleth_read_config',`
+ gen_require(`
+ type shibboleth_etc_t;
+ ')
+
+ read_files_pattern($1, shibboleth_etc_t, shibboleth_etc_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to connect to shibboleth with a unix socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`shibboleth_stream_connect',`
+ gen_require(`
+ type shibboleth_t;
+ type shibboleth_var_run_t;
+ ')
+
+ stream_connect_pattern($1, shibboleth_var_run_t, shibboleth_var_run_t, shibboleth_t)
+ files_search_pids($1)
+')
diff --git a/policy/modules/contrib/shibboleth.te b/policy/modules/contrib/shibboleth.te
new file mode 100644
index 0000000..d1f4212
--- /dev/null
+++ b/policy/modules/contrib/shibboleth.te
@@ -0,0 +1,75 @@
+policy_module(shibboleth, 2.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type shibboleth_t;
+type shibboleth_exec_t;
+init_daemon_domain(shibboleth_t, shibboleth_exec_t)
+
+type shibboleth_etc_t;
+files_config_file(shibboleth_etc_t)
+
+type shibboleth_log_t;
+logging_log_file(shibboleth_log_t)
+
+type shibboleth_var_run_t;
+files_pid_file(shibboleth_var_run_t)
+init_daemon_run_dir(shibboleth_var_run_t, "shibboleth")
+
+########################################
+#
+# Local policy
+#
+
+allow shibboleth_t self:process { signal_perms };
+
+# networking:
+# shibboleth uses tcp sockets for connecting to central
+# authentication server and unix stream sockets
+# to exchange information with the apache module
+allow shibboleth_t self:unix_stream_socket create_stream_socket_perms;
+allow shibboleth_t self:tcp_socket create_stream_socket_perms;
+
+read_files_pattern(shibboleth_t, shibboleth_etc_t, shibboleth_etc_t)
+read_lnk_files_pattern(shibboleth_t, shibboleth_etc_t, shibboleth_etc_t)
+
+manage_files_pattern(shibboleth_t, shibboleth_log_t, shibboleth_log_t)
+
+manage_files_pattern(shibboleth_t, shibboleth_var_run_t, shibboleth_var_run_t)
+manage_sock_files_pattern(shibboleth_t, shibboleth_var_run_t, shibboleth_var_run_t)
+
+
+corenet_all_recvfrom_netlabel(shibboleth_t)
+corenet_all_recvfrom_unlabeled(shibboleth_t)
+corenet_tcp_connect_http_port(shibboleth_t)
+corenet_tcp_sendrecv_all_ports(shibboleth_t)
+corenet_tcp_sendrecv_generic_if(shibboleth_t)
+corenet_tcp_sendrecv_generic_node(shibboleth_t)
+
+dev_read_urand(shibboleth_t)
+
+domain_dontaudit_use_interactive_fds(shibboleth_t)
+
+files_read_etc_files(shibboleth_t)
+files_read_usr_files(shibboleth_t)
+files_search_etc(shibboleth_t)
+
+term_dontaudit_search_ptys(shibboleth_t)
+term_dontaudit_use_all_ptys(shibboleth_t)
+term_dontaudit_use_all_ttys(shibboleth_t)
+
+
+logging_log_filetrans(shibboleth_t, shibboleth_log_t, { file dir })
+logging_send_syslog_msg(shibboleth_t)
+
+miscfiles_read_localization(shibboleth_t)
+
+sysnet_dns_name_resolve(shibboleth_t)
+
+
+# permissions for the configuration files
+# there is shared information between apache and shibboleth, e.g., certificates
+apache_read_config(shibboleth_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-04-08 16:02 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-04-08 16:02 UTC (permalink / raw
To: gentoo-commits
commit: 9fea8be50eaffaab464c2138945673f5a0117207
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Fri Apr 4 19:15:56 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Apr 8 15:54:59 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=9fea8be5
Module version bump for apt fix from Nicolas Iooss.
---
policy/modules/contrib/apt.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/apt.te b/policy/modules/contrib/apt.te
index 6b2f022..c2b7ad1 100644
--- a/policy/modules/contrib/apt.te
+++ b/policy/modules/contrib/apt.te
@@ -1,4 +1,4 @@
-policy_module(apt, 1.9.0)
+policy_module(apt, 1.9.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-04-08 16:02 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-04-08 16:02 UTC (permalink / raw
To: gentoo-commits
commit: 1e38c79a38749e559fd12eeddd14eda3ae6ebb8c
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Mar 30 14:09:12 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Apr 8 15:55:01 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=1e38c79a
dnsmasq reads MTU sysctl
The dnsmasq application reads in the value of the
/proc/sys/net/ipv6/conf/*/mtu values.
This is confirmed through looking at the source code of dnsmasq, in
src/radv.c.
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
---
policy/modules/contrib/dnsmasq.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/dnsmasq.te b/policy/modules/contrib/dnsmasq.te
index f1fdee0..7027424 100644
--- a/policy/modules/contrib/dnsmasq.te
+++ b/policy/modules/contrib/dnsmasq.te
@@ -52,6 +52,7 @@ manage_files_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t)
files_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file })
kernel_read_kernel_sysctls(dnsmasq_t)
+kernel_read_net_sysctls(dnsmasq_t)
kernel_read_network_state(dnsmasq_t)
kernel_read_system_state(dnsmasq_t)
kernel_request_load_module(dnsmasq_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-03-31 18:49 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-03-31 18:49 UTC (permalink / raw
To: gentoo-commits
commit: 447936782bfb89286beb2373ca41ae460e862750
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon Mar 31 17:24:43 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Mar 31 17:41:03 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=44793678
Qemu socket support
The VDE switch implementation in Qemu, depending on how it is called
command-line, requires Qemu to create a socket through which network
communication is to be handled.
Without this, qemu fails to start.
---
policy/modules/contrib/qemu.if | 20 ++++++++++++++++++++
policy/modules/contrib/qemu.te | 9 +++++++++
policy/modules/contrib/vde.te | 4 ++++
3 files changed, 33 insertions(+)
diff --git a/policy/modules/contrib/qemu.if b/policy/modules/contrib/qemu.if
index eaf56b8..ea947bc 100644
--- a/policy/modules/contrib/qemu.if
+++ b/policy/modules/contrib/qemu.if
@@ -374,3 +374,23 @@ interface(`qemu_entry_type',`
domain_entry_file($1, qemu_exec_t)
')
+
+# Gentoo specific but cannot use ifdef distro_gentoo here
+
+#######################################
+## <summary>
+## Read/write to qemu socket files in /var/run
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`qemu_rw_pid_sock_files',`
+ gen_require(`
+ type qemu_var_run_t;
+ ')
+
+ allow $1 qemu_var_run_t:sock_file rw_sock_file_perms;
+')
diff --git a/policy/modules/contrib/qemu.te b/policy/modules/contrib/qemu.te
index 9a6a082..cf647bb 100644
--- a/policy/modules/contrib/qemu.te
+++ b/policy/modules/contrib/qemu.te
@@ -62,9 +62,18 @@ ifdef(`distro_gentoo',`
#
# Local policy
#
+ type qemu_var_run_t;
+ files_pid_file(qemu_var_run_t)
+
+ # VNC/GDB support
allow qemu_t self:tcp_socket create_stream_socket_perms;
allow qemu_t self:udp_socket create_socket_perms;
+ # Network related socket
+ allow qemu_t qemu_var_run_t:sock_file manage_sock_file_perms;
+
+ files_pid_filetrans(qemu_t, qemu_var_run_t, sock_file)
+
optional_policy(`
vde_connect(qemu_t)
')
diff --git a/policy/modules/contrib/vde.te b/policy/modules/contrib/vde.te
index 3b89491..56f668d 100644
--- a/policy/modules/contrib/vde.te
+++ b/policy/modules/contrib/vde.te
@@ -47,3 +47,7 @@ miscfiles_read_localization(vde_t)
corenet_rw_tun_tap_dev(vde_t)
logging_send_syslog_msg(vde_t)
+
+optional_policy(`
+ qemu_rw_pid_sock_files(vde_t)
+')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-03-31 18:49 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-03-31 18:49 UTC (permalink / raw
To: gentoo-commits
commit: d8e9a16c97f40ba83c7a55f9a543149006f24da1
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Mar 30 12:16:30 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Mar 30 12:42:57 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=d8e9a16c
Explicitly mention attribute, otherwise self becomes the domain
---
policy/modules/contrib/alsa.te | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/alsa.te b/policy/modules/contrib/alsa.te
index 054cbe9..ee37692 100644
--- a/policy/modules/contrib/alsa.te
+++ b/policy/modules/contrib/alsa.te
@@ -124,8 +124,8 @@ ifdef(`distro_gentoo',`
#
# alsadomain policy
#
- allow alsadomain self:sem create_sem_perms;
- allow alsadomain self:shm rw_shm_perms;
+ allow alsadomain alsadomain:sem create_sem_perms;
+ allow alsadomain alsadomain:shm rw_shm_perms;
allow alsadomain alsatmpfsfile:file rw_file_perms;
alsa_read_rw_config(alsadomain)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-03-31 18:49 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-03-31 18:49 UTC (permalink / raw
To: gentoo-commits
commit: 75ce5057c2fb4afcafb110d6aadd2d80c1aec174
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Mar 30 11:02:04 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Mar 30 11:02:04 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=75ce5057
Move alsa_domain calls into USE triggered definition
---
policy/modules/contrib/chromium.te | 10 ++++++----
policy/modules/contrib/googletalk.te | 10 ++++++----
policy/modules/contrib/java.te | 11 ++++++-----
policy/modules/contrib/mozilla.te | 26 +++++++++++++-------------
policy/modules/contrib/mplayer.te | 8 +++++---
policy/modules/contrib/skype.te | 10 ++++++----
6 files changed, 42 insertions(+), 33 deletions(-)
diff --git a/policy/modules/contrib/chromium.te b/policy/modules/contrib/chromium.te
index 3585ae8..9e06778 100644
--- a/policy/modules/contrib/chromium.te
+++ b/policy/modules/contrib/chromium.te
@@ -184,10 +184,6 @@ tunable_policy(`chromium_read_system_info',`
')
optional_policy(`
- alsa_domain(chromium_t, chromium_tmpfs_t)
-')
-
-optional_policy(`
cups_read_config(chromium_t)
cups_stream_connect(chromium_t)
')
@@ -219,6 +215,12 @@ optional_policy(`
mozilla_read_user_home(chromium_t)
')
+ifdef(`use_alsa',`
+ optional_policy(`
+ alsa_domain(chromium_t, chromium_tmpfs_t)
+ ')
+')
+
########################################
#
# chromium_renderer local policy
diff --git a/policy/modules/contrib/googletalk.te b/policy/modules/contrib/googletalk.te
index 5a71f60..0736a7a 100644
--- a/policy/modules/contrib/googletalk.te
+++ b/policy/modules/contrib/googletalk.te
@@ -80,10 +80,6 @@ userdom_use_user_terminals(googletalk_plugin_t)
googletalk_generic_xdg_config_home_filetrans_plugin_xdg_config(googletalk_plugin_t, dir, "google-googletalkplugin")
optional_policy(`
- alsa_domain(googletalk_plugin_t, googletalk_plugin_tmpfs_t)
-')
-
-optional_policy(`
dbus_system_bus_client(googletalk_plugin_t)
')
@@ -99,3 +95,9 @@ optional_policy(`
optional_policy(`
xserver_user_x_domain_template(googletalk_plugin, googletalk_plugin_t, googletalk_plugin_tmpfs_t)
')
+
+ifdef(`use_alsa',`
+ optional_policy(`
+ alsa_domain(googletalk_plugin_t, googletalk_plugin_tmpfs_t)
+ ')
+')
diff --git a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te
index d131c8b..8503180 100644
--- a/policy/modules/contrib/java.te
+++ b/policy/modules/contrib/java.te
@@ -142,11 +142,6 @@ ifdef(`distro_gentoo',`
userdom_use_user_terminals(java_t)
optional_policy(`
- alsa_domain(java_t, java_tmpfs_t)
- alsa_read_rw_config(java_t)
- ')
-
- optional_policy(`
# Plugin communication
chromium_rw_tmp_pipes(java_t)
')
@@ -155,6 +150,12 @@ ifdef(`distro_gentoo',`
# Plugin communication
mozilla_rw_tmp_pipes(java_t)
')
+
+ ifdef(`use_alsa',`
+ optional_policy(`
+ alsa_domain(java_t, java_tmpfs_t)
+ ')
+ ')
')
optional_policy(`
diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
index b8d8c30..87728ae 100644
--- a/policy/modules/contrib/mozilla.te
+++ b/policy/modules/contrib/mozilla.te
@@ -690,13 +690,6 @@ gen_tunable(mozilla_plugin_connect_all_unreserved, false)
')
')
- ifdef(`use_alsa',`
- optional_policy(`
- # HTML5 support is built-in (no plugin) - bug 464398
- alsa_domain(mozilla_t, mozilla_tmpfs_t)
- ')
- ')
-
optional_policy(`
nscd_socket_use(mozilla_t)
')
@@ -705,6 +698,13 @@ gen_tunable(mozilla_plugin_connect_all_unreserved, false)
pulseaudio_client_domain(mozilla_t, mozilla_tmpfs_t)
')
+ ifdef(`use_alsa',`
+ optional_policy(`
+ # HTML5 support is built-in (no plugin) - bug 464398
+ alsa_domain(mozilla_t, mozilla_tmpfs_t)
+ ')
+ ')
+
###########################
#
# Mozilla plugin policy
@@ -740,12 +740,6 @@ gen_tunable(mozilla_plugin_connect_all_unreserved, false)
corenet_dontaudit_tcp_connect_all_unreserved_ports(mozilla_plugin_t)
')
- ifdef(`use_alsa',`
- optional_policy(`
- alsa_domain(mozilla_plugin_t, mozilla_plugin_tmpfs_t)
- ')
- ')
-
optional_policy(`
flash_manage_home(mozilla_plugin_t)
')
@@ -761,4 +755,10 @@ gen_tunable(mozilla_plugin_connect_all_unreserved, false)
optional_policy(`
pulseaudio_client_domain(mozilla_plugin_t, mozilla_plugin_tmpfs_t)
')
+
+ ifdef(`use_alsa',`
+ optional_policy(`
+ alsa_domain(mozilla_plugin_t, mozilla_plugin_tmpfs_t)
+ ')
+ ')
')
diff --git a/policy/modules/contrib/mplayer.te b/policy/modules/contrib/mplayer.te
index 5378660..5ebba47 100644
--- a/policy/modules/contrib/mplayer.te
+++ b/policy/modules/contrib/mplayer.te
@@ -288,10 +288,12 @@ ifdef(`distro_gentoo',`
')
optional_policy(`
- alsa_domain(mplayer_t, mplayer_tmpfs_t)
+ pulseaudio_client_domain(mplayer_t, mplayer_tmpfs_t)
')
- optional_policy(`
- pulseaudio_client_domain(mplayer_t, mplayer_tmpfs_t)
+ ifdef(`use_alsa',`
+ optional_policy(`
+ alsa_domain(mplayer_t, mplayer_tmpfs_t)
+ ')
')
')
diff --git a/policy/modules/contrib/skype.te b/policy/modules/contrib/skype.te
index 6b4ca34..4c71730 100644
--- a/policy/modules/contrib/skype.te
+++ b/policy/modules/contrib/skype.te
@@ -112,10 +112,6 @@ tunable_policy(`skype_manage_user_content',`
')
optional_policy(`
- alsa_domain(skype_t, skype_tmpfs_t)
-')
-
-optional_policy(`
dbus_system_bus_client(skype_t)
dbus_all_session_bus_client(skype_t)
')
@@ -123,3 +119,9 @@ optional_policy(`
optional_policy(`
xdg_manage_config_home(skype_t)
')
+
+ifdef(`use_alsa',`
+ optional_policy(`
+ alsa_domain(skype_t, skype_tmpfs_t)
+ ')
+')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-03-30 8:56 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-03-30 8:56 UTC (permalink / raw
To: gentoo-commits
commit: f8b0c787a9141006afde81ea2b37df96abd12863
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Mar 30 08:56:35 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Mar 30 08:56:35 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f8b0c787
Moving to USE flag triggered alsa support
---
policy/modules/contrib/mozilla.te | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
index f08179d..b8d8c30 100644
--- a/policy/modules/contrib/mozilla.te
+++ b/policy/modules/contrib/mozilla.te
@@ -690,9 +690,11 @@ gen_tunable(mozilla_plugin_connect_all_unreserved, false)
')
')
- optional_policy(`
- # HTML5 support is built-in (no plugin) - bug 464398
- alsa_domain(mozilla_t, mozilla_tmpfs_t)
+ ifdef(`use_alsa',`
+ optional_policy(`
+ # HTML5 support is built-in (no plugin) - bug 464398
+ alsa_domain(mozilla_t, mozilla_tmpfs_t)
+ ')
')
optional_policy(`
@@ -738,8 +740,10 @@ gen_tunable(mozilla_plugin_connect_all_unreserved, false)
corenet_dontaudit_tcp_connect_all_unreserved_ports(mozilla_plugin_t)
')
- optional_policy(`
- alsa_domain(mozilla_plugin_t, mozilla_plugin_tmpfs_t)
+ ifdef(`use_alsa',`
+ optional_policy(`
+ alsa_domain(mozilla_plugin_t, mozilla_plugin_tmpfs_t)
+ ')
')
optional_policy(`
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-03-19 18:32 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-03-19 18:32 UTC (permalink / raw
To: gentoo-commits
commit: 3441c5ec064547ac1a06fe8ae5bf2b20bdb6d56b
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Mar 19 18:30:26 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Mar 19 18:30:26 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=3441c5ec
Need to manage downloads as Chromium does renames and such
---
policy/modules/contrib/chromium.te | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/policy/modules/contrib/chromium.te b/policy/modules/contrib/chromium.te
index 23d799d..3585ae8 100644
--- a/policy/modules/contrib/chromium.te
+++ b/policy/modules/contrib/chromium.te
@@ -157,8 +157,7 @@ userdom_use_user_terminals(chromium_t)
xdg_create_cache_home_dirs(chromium_t)
xdg_create_config_home_dirs(chromium_t)
xdg_create_data_home_dirs(chromium_t)
-xdg_create_downloads_home(chromium_t)
-xdg_write_downloads_home(chromium_t)
+xdg_manage_downloads_home(chromium_t)
xdg_read_config_home_files(chromium_t)
xdg_read_data_home_files(chromium_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-03-17 8:24 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-03-17 8:24 UTC (permalink / raw
To: gentoo-commits
commit: 08d9e0c76aab780e86b792787e450898218fa773
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Fri Mar 14 15:12:10 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Mar 17 08:17:22 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=08d9e0c7
Module version bump for ntp fc entries from Laurent Bigonville.
---
policy/modules/contrib/ntp.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/ntp.te b/policy/modules/contrib/ntp.te
index 79dc252..c37385e 100644
--- a/policy/modules/contrib/ntp.te
+++ b/policy/modules/contrib/ntp.te
@@ -1,4 +1,4 @@
-policy_module(ntp, 1.12.0)
+policy_module(ntp, 1.12.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-03-17 8:24 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-03-17 8:24 UTC (permalink / raw
To: gentoo-commits
commit: dd21f805d627381c801497ffe1f48004bf20511a
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue Mar 11 12:16:57 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Mar 17 08:17:15 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=dd21f805
Bump module versions for release.
---
policy/modules/contrib/abrt.te | 2 +-
policy/modules/contrib/aide.te | 2 +-
policy/modules/contrib/alsa.te | 2 +-
policy/modules/contrib/apache.te | 2 +-
policy/modules/contrib/apm.te | 2 +-
policy/modules/contrib/apt.te | 2 +-
policy/modules/contrib/asterisk.te | 2 +-
policy/modules/contrib/automount.te | 2 +-
policy/modules/contrib/avahi.te | 2 +-
policy/modules/contrib/backup.te | 2 +-
policy/modules/contrib/bind.te | 2 +-
policy/modules/contrib/boinc.te | 2 +-
policy/modules/contrib/ccs.te | 2 +-
policy/modules/contrib/colord.te | 2 +-
policy/modules/contrib/condor.te | 2 +-
policy/modules/contrib/couchdb.te | 2 +-
policy/modules/contrib/cron.te | 2 +-
policy/modules/contrib/ctdb.te | 2 +-
policy/modules/contrib/cups.te | 2 +-
policy/modules/contrib/cvs.te | 2 +-
policy/modules/contrib/cyrus.te | 2 +-
policy/modules/contrib/devicekit.te | 2 +-
policy/modules/contrib/dmidecode.te | 2 +-
policy/modules/contrib/dnsmasq.te | 2 +-
policy/modules/contrib/dovecot.te | 2 +-
policy/modules/contrib/dpkg.te | 2 +-
policy/modules/contrib/exim.te | 2 +-
policy/modules/contrib/fetchmail.te | 2 +-
policy/modules/contrib/firewalld.te | 2 +-
policy/modules/contrib/ftp.te | 2 +-
policy/modules/contrib/gdomap.te | 2 +-
policy/modules/contrib/git.te | 2 +-
policy/modules/contrib/glusterfs.te | 2 +-
policy/modules/contrib/gnome.te | 2 +-
policy/modules/contrib/gpg.te | 2 +-
policy/modules/contrib/irc.te | 2 +-
policy/modules/contrib/irqbalance.te | 2 +-
policy/modules/contrib/ksmtuned.te | 2 +-
policy/modules/contrib/ktalk.te | 2 +-
policy/modules/contrib/kudzu.te | 2 +-
policy/modules/contrib/ldap.te | 2 +-
policy/modules/contrib/logrotate.te | 2 +-
policy/modules/contrib/logwatch.te | 2 +-
policy/modules/contrib/mandb.te | 2 +-
policy/modules/contrib/mcelog.te | 2 +-
policy/modules/contrib/memcached.te | 2 +-
policy/modules/contrib/minissdpd.te | 2 +-
policy/modules/contrib/modemmanager.te | 2 +-
policy/modules/contrib/mpd.te | 2 +-
policy/modules/contrib/mta.te | 2 +-
policy/modules/contrib/munin.te | 2 +-
policy/modules/contrib/mysql.te | 2 +-
policy/modules/contrib/networkmanager.te | 2 +-
policy/modules/contrib/nslcd.te | 2 +-
policy/modules/contrib/ntp.te | 2 +-
policy/modules/contrib/openct.te | 2 +-
policy/modules/contrib/openvpn.te | 2 +-
policy/modules/contrib/openvswitch.te | 2 +-
policy/modules/contrib/passenger.te | 2 +-
policy/modules/contrib/pcscd.te | 2 +-
policy/modules/contrib/pegasus.te | 2 +-
policy/modules/contrib/pkcs.te | 2 +-
policy/modules/contrib/polipo.te | 2 +-
policy/modules/contrib/postfix.te | 2 +-
policy/modules/contrib/procmail.te | 2 +-
policy/modules/contrib/pulseaudio.te | 2 +-
policy/modules/contrib/qmail.te | 2 +-
policy/modules/contrib/rabbitmq.te | 2 +-
policy/modules/contrib/raid.te | 2 +-
policy/modules/contrib/redis.te | 2 +-
policy/modules/contrib/rgmanager.te | 2 +-
policy/modules/contrib/rhcs.te | 2 +-
policy/modules/contrib/rhsmcertd.te | 2 +-
policy/modules/contrib/rlogin.te | 2 +-
policy/modules/contrib/rngd.te | 2 +-
policy/modules/contrib/rpc.te | 2 +-
policy/modules/contrib/rpcbind.te | 2 +-
policy/modules/contrib/rshd.te | 2 +-
policy/modules/contrib/samba.te | 2 +-
policy/modules/contrib/sasl.te | 2 +-
policy/modules/contrib/screen.te | 2 +-
policy/modules/contrib/sendmail.te | 2 +-
policy/modules/contrib/setroubleshoot.te | 2 +-
policy/modules/contrib/slocate.te | 2 +-
policy/modules/contrib/smoltclient.te | 2 +-
policy/modules/contrib/sosreport.te | 2 +-
policy/modules/contrib/spamassassin.te | 2 +-
policy/modules/contrib/squid.te | 2 +-
policy/modules/contrib/tcsd.te | 2 +-
policy/modules/contrib/telepathy.te | 2 +-
policy/modules/contrib/telnet.te | 2 +-
policy/modules/contrib/tgtd.te | 2 +-
policy/modules/contrib/tmpreaper.te | 2 +-
policy/modules/contrib/userhelper.te | 2 +-
policy/modules/contrib/vdagent.te | 2 +-
policy/modules/contrib/virt.te | 2 +-
policy/modules/contrib/watchdog.te | 2 +-
policy/modules/contrib/wm.te | 2 +-
policy/modules/contrib/zabbix.te | 2 +-
99 files changed, 99 insertions(+), 99 deletions(-)
diff --git a/policy/modules/contrib/abrt.te b/policy/modules/contrib/abrt.te
index eb50f07..f60f9c1 100644
--- a/policy/modules/contrib/abrt.te
+++ b/policy/modules/contrib/abrt.te
@@ -1,4 +1,4 @@
-policy_module(abrt, 1.4.1)
+policy_module(abrt, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/aide.te b/policy/modules/contrib/aide.te
index 03831e6..9d3c19c 100644
--- a/policy/modules/contrib/aide.te
+++ b/policy/modules/contrib/aide.te
@@ -1,4 +1,4 @@
-policy_module(aide, 1.7.1)
+policy_module(aide, 1.8.0)
########################################
#
diff --git a/policy/modules/contrib/alsa.te b/policy/modules/contrib/alsa.te
index ee2c99b..054cbe9 100644
--- a/policy/modules/contrib/alsa.te
+++ b/policy/modules/contrib/alsa.te
@@ -1,4 +1,4 @@
-policy_module(alsa, 1.12.3)
+policy_module(alsa, 1.13.0)
########################################
#
diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index 5608148..102d5a8 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -1,4 +1,4 @@
-policy_module(apache, 2.7.3)
+policy_module(apache, 2.8.0)
########################################
#
diff --git a/policy/modules/contrib/apm.te b/policy/modules/contrib/apm.te
index 287f00f..b9919b5 100644
--- a/policy/modules/contrib/apm.te
+++ b/policy/modules/contrib/apm.te
@@ -1,4 +1,4 @@
-policy_module(apm, 1.12.1)
+policy_module(apm, 1.13.0)
########################################
#
diff --git a/policy/modules/contrib/apt.te b/policy/modules/contrib/apt.te
index d9265ae..6b2f022 100644
--- a/policy/modules/contrib/apt.te
+++ b/policy/modules/contrib/apt.te
@@ -1,4 +1,4 @@
-policy_module(apt, 1.8.2)
+policy_module(apt, 1.9.0)
########################################
#
diff --git a/policy/modules/contrib/asterisk.te b/policy/modules/contrib/asterisk.te
index 7e41350..e1ec6bb 100644
--- a/policy/modules/contrib/asterisk.te
+++ b/policy/modules/contrib/asterisk.te
@@ -1,4 +1,4 @@
-policy_module(asterisk, 1.12.1)
+policy_module(asterisk, 1.13.0)
########################################
#
diff --git a/policy/modules/contrib/automount.te b/policy/modules/contrib/automount.te
index 140e876..969be75 100644
--- a/policy/modules/contrib/automount.te
+++ b/policy/modules/contrib/automount.te
@@ -1,4 +1,4 @@
-policy_module(automount, 1.14.2)
+policy_module(automount, 1.15.0)
########################################
#
diff --git a/policy/modules/contrib/avahi.te b/policy/modules/contrib/avahi.te
index 0b1e5f6..02b2b78 100644
--- a/policy/modules/contrib/avahi.te
+++ b/policy/modules/contrib/avahi.te
@@ -1,4 +1,4 @@
-policy_module(avahi, 1.14.2)
+policy_module(avahi, 1.15.0)
########################################
#
diff --git a/policy/modules/contrib/backup.te b/policy/modules/contrib/backup.te
index 7811450..c207d5a 100644
--- a/policy/modules/contrib/backup.te
+++ b/policy/modules/contrib/backup.te
@@ -1,4 +1,4 @@
-policy_module(backup, 1.6.2)
+policy_module(backup, 1.7.0)
########################################
#
diff --git a/policy/modules/contrib/bind.te b/policy/modules/contrib/bind.te
index 1241123..796c270 100644
--- a/policy/modules/contrib/bind.te
+++ b/policy/modules/contrib/bind.te
@@ -1,4 +1,4 @@
-policy_module(bind, 1.13.1)
+policy_module(bind, 1.14.0)
########################################
#
diff --git a/policy/modules/contrib/boinc.te b/policy/modules/contrib/boinc.te
index 687d4c4..8402248 100644
--- a/policy/modules/contrib/boinc.te
+++ b/policy/modules/contrib/boinc.te
@@ -1,4 +1,4 @@
-policy_module(boinc, 1.1.1)
+policy_module(boinc, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/ccs.te b/policy/modules/contrib/ccs.te
index 53e86f6..849873d 100644
--- a/policy/modules/contrib/ccs.te
+++ b/policy/modules/contrib/ccs.te
@@ -1,4 +1,4 @@
-policy_module(ccs, 1.6.1)
+policy_module(ccs, 1.7.0)
########################################
#
diff --git a/policy/modules/contrib/colord.te b/policy/modules/contrib/colord.te
index 7d0bd8e..f3eca54 100644
--- a/policy/modules/contrib/colord.te
+++ b/policy/modules/contrib/colord.te
@@ -1,4 +1,4 @@
-policy_module(colord, 1.1.1)
+policy_module(colord, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/condor.te b/policy/modules/contrib/condor.te
index ce9f040..3787034 100644
--- a/policy/modules/contrib/condor.te
+++ b/policy/modules/contrib/condor.te
@@ -1,4 +1,4 @@
-policy_module(condor, 1.0.1)
+policy_module(condor, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/couchdb.te b/policy/modules/contrib/couchdb.te
index 04e0bbb..9469b57 100644
--- a/policy/modules/contrib/couchdb.te
+++ b/policy/modules/contrib/couchdb.te
@@ -1,4 +1,4 @@
-policy_module(couchdb, 1.1.2)
+policy_module(couchdb, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te
index 6cd8495..4ab10d8 100644
--- a/policy/modules/contrib/cron.te
+++ b/policy/modules/contrib/cron.te
@@ -1,4 +1,4 @@
-policy_module(cron, 2.6.3)
+policy_module(cron, 2.7.0)
gen_require(`
class passwd rootok;
diff --git a/policy/modules/contrib/ctdb.te b/policy/modules/contrib/ctdb.te
index e5f8c77..7be0106 100644
--- a/policy/modules/contrib/ctdb.te
+++ b/policy/modules/contrib/ctdb.te
@@ -1,4 +1,4 @@
-policy_module(ctdb, 1.1.1)
+policy_module(ctdb, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te
index 57ea587..5b06ce2 100644
--- a/policy/modules/contrib/cups.te
+++ b/policy/modules/contrib/cups.te
@@ -1,4 +1,4 @@
-policy_module(cups, 1.16.3)
+policy_module(cups, 1.17.0)
########################################
#
diff --git a/policy/modules/contrib/cvs.te b/policy/modules/contrib/cvs.te
index 0f77550..3d27f73 100644
--- a/policy/modules/contrib/cvs.te
+++ b/policy/modules/contrib/cvs.te
@@ -1,4 +1,4 @@
-policy_module(cvs, 1.10.2)
+policy_module(cvs, 1.11.0)
########################################
#
diff --git a/policy/modules/contrib/cyrus.te b/policy/modules/contrib/cyrus.te
index 4283f2d..d451d1f 100644
--- a/policy/modules/contrib/cyrus.te
+++ b/policy/modules/contrib/cyrus.te
@@ -1,4 +1,4 @@
-policy_module(cyrus, 1.13.1)
+policy_module(cyrus, 1.14.0)
########################################
#
diff --git a/policy/modules/contrib/devicekit.te b/policy/modules/contrib/devicekit.te
index 5320321..910c0fe 100644
--- a/policy/modules/contrib/devicekit.te
+++ b/policy/modules/contrib/devicekit.te
@@ -1,4 +1,4 @@
-policy_module(devicekit, 1.3.3)
+policy_module(devicekit, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/dmidecode.te b/policy/modules/contrib/dmidecode.te
index aa0ef6e..aa8e3e6 100644
--- a/policy/modules/contrib/dmidecode.te
+++ b/policy/modules/contrib/dmidecode.te
@@ -1,4 +1,4 @@
-policy_module(dmidecode, 1.5.1)
+policy_module(dmidecode, 1.6.0)
########################################
#
diff --git a/policy/modules/contrib/dnsmasq.te b/policy/modules/contrib/dnsmasq.te
index 0c058c1..f1fdee0 100644
--- a/policy/modules/contrib/dnsmasq.te
+++ b/policy/modules/contrib/dnsmasq.te
@@ -1,4 +1,4 @@
-policy_module(dnsmasq, 1.10.1)
+policy_module(dnsmasq, 1.11.0)
########################################
#
diff --git a/policy/modules/contrib/dovecot.te b/policy/modules/contrib/dovecot.te
index 0aabc7e..f43d9e8 100644
--- a/policy/modules/contrib/dovecot.te
+++ b/policy/modules/contrib/dovecot.te
@@ -1,4 +1,4 @@
-policy_module(dovecot, 1.16.1)
+policy_module(dovecot, 1.17.0)
########################################
#
diff --git a/policy/modules/contrib/dpkg.te b/policy/modules/contrib/dpkg.te
index 2d8434d..31c8884 100644
--- a/policy/modules/contrib/dpkg.te
+++ b/policy/modules/contrib/dpkg.te
@@ -1,4 +1,4 @@
-policy_module(dpkg, 1.10.2)
+policy_module(dpkg, 1.11.0)
########################################
#
diff --git a/policy/modules/contrib/exim.te b/policy/modules/contrib/exim.te
index 7641c93..b6a7fb3 100644
--- a/policy/modules/contrib/exim.te
+++ b/policy/modules/contrib/exim.te
@@ -1,4 +1,4 @@
-policy_module(exim, 1.6.2)
+policy_module(exim, 1.7.0)
########################################
#
diff --git a/policy/modules/contrib/fetchmail.te b/policy/modules/contrib/fetchmail.te
index 742559a..7a3ea93 100644
--- a/policy/modules/contrib/fetchmail.te
+++ b/policy/modules/contrib/fetchmail.te
@@ -1,4 +1,4 @@
-policy_module(fetchmail, 1.13.2)
+policy_module(fetchmail, 1.14.0)
########################################
#
diff --git a/policy/modules/contrib/firewalld.te b/policy/modules/contrib/firewalld.te
index c54025f..8897cfd 100644
--- a/policy/modules/contrib/firewalld.te
+++ b/policy/modules/contrib/firewalld.te
@@ -1,4 +1,4 @@
-policy_module(firewalld, 1.1.2)
+policy_module(firewalld, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/ftp.te b/policy/modules/contrib/ftp.te
index 36838c2..33cda5e 100644
--- a/policy/modules/contrib/ftp.te
+++ b/policy/modules/contrib/ftp.te
@@ -1,4 +1,4 @@
-policy_module(ftp, 1.15.1)
+policy_module(ftp, 1.16.0)
########################################
#
diff --git a/policy/modules/contrib/gdomap.te b/policy/modules/contrib/gdomap.te
index 9004ce7..f3d070c 100644
--- a/policy/modules/contrib/gdomap.te
+++ b/policy/modules/contrib/gdomap.te
@@ -1,4 +1,4 @@
-policy_module(gdomap, 1.0.2)
+policy_module(gdomap, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/git.te b/policy/modules/contrib/git.te
index 111d200..653392c 100644
--- a/policy/modules/contrib/git.te
+++ b/policy/modules/contrib/git.te
@@ -1,4 +1,4 @@
-policy_module(git, 1.3.5)
+policy_module(git, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/glusterfs.te b/policy/modules/contrib/glusterfs.te
index 4e95c7e..f336604 100644
--- a/policy/modules/contrib/glusterfs.te
+++ b/policy/modules/contrib/glusterfs.te
@@ -1,4 +1,4 @@
-policy_module(glusterfs, 1.1.2)
+policy_module(glusterfs, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te
index e2510d3..0b45360 100644
--- a/policy/modules/contrib/gnome.te
+++ b/policy/modules/contrib/gnome.te
@@ -1,4 +1,4 @@
-policy_module(gnome, 2.3.1)
+policy_module(gnome, 2.4.0)
##############################
#
diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index 11e8b20..748f143 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -1,4 +1,4 @@
-policy_module(gpg, 2.8.3)
+policy_module(gpg, 2.9.0)
########################################
#
diff --git a/policy/modules/contrib/irc.te b/policy/modules/contrib/irc.te
index 2636503..070c5c6 100644
--- a/policy/modules/contrib/irc.te
+++ b/policy/modules/contrib/irc.te
@@ -1,4 +1,4 @@
-policy_module(irc, 2.3.1)
+policy_module(irc, 2.4.0)
########################################
#
diff --git a/policy/modules/contrib/irqbalance.te b/policy/modules/contrib/irqbalance.te
index 80984f3..22ef537 100644
--- a/policy/modules/contrib/irqbalance.te
+++ b/policy/modules/contrib/irqbalance.te
@@ -1,4 +1,4 @@
-policy_module(irqbalance, 1.6.1)
+policy_module(irqbalance, 1.7.0)
########################################
#
diff --git a/policy/modules/contrib/ksmtuned.te b/policy/modules/contrib/ksmtuned.te
index 8eef134..2e93115 100644
--- a/policy/modules/contrib/ksmtuned.te
+++ b/policy/modules/contrib/ksmtuned.te
@@ -1,4 +1,4 @@
-policy_module(ksmtuned, 1.1.1)
+policy_module(ksmtuned, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/ktalk.te b/policy/modules/contrib/ktalk.te
index c5548c5..52f3be7 100644
--- a/policy/modules/contrib/ktalk.te
+++ b/policy/modules/contrib/ktalk.te
@@ -1,4 +1,4 @@
-policy_module(ktalk, 1.9.2)
+policy_module(ktalk, 1.10.0)
########################################
#
diff --git a/policy/modules/contrib/kudzu.te b/policy/modules/contrib/kudzu.te
index bcd398c..b1628ad 100644
--- a/policy/modules/contrib/kudzu.te
+++ b/policy/modules/contrib/kudzu.te
@@ -1,4 +1,4 @@
-policy_module(kudzu, 1.9.1)
+policy_module(kudzu, 1.10.0)
########################################
#
diff --git a/policy/modules/contrib/ldap.te b/policy/modules/contrib/ldap.te
index 768093d..0f65384 100644
--- a/policy/modules/contrib/ldap.te
+++ b/policy/modules/contrib/ldap.te
@@ -1,4 +1,4 @@
-policy_module(ldap, 1.11.1)
+policy_module(ldap, 1.12.0)
########################################
#
diff --git a/policy/modules/contrib/logrotate.te b/policy/modules/contrib/logrotate.te
index 3968c77..62b05af 100644
--- a/policy/modules/contrib/logrotate.te
+++ b/policy/modules/contrib/logrotate.te
@@ -1,4 +1,4 @@
-policy_module(logrotate, 1.15.1)
+policy_module(logrotate, 1.16.0)
########################################
#
diff --git a/policy/modules/contrib/logwatch.te b/policy/modules/contrib/logwatch.te
index ab65034..42cd294 100644
--- a/policy/modules/contrib/logwatch.te
+++ b/policy/modules/contrib/logwatch.te
@@ -1,4 +1,4 @@
-policy_module(logwatch, 1.12.2)
+policy_module(logwatch, 1.13.0)
#################################
#
diff --git a/policy/modules/contrib/mandb.te b/policy/modules/contrib/mandb.te
index cdb19c5..e29882f 100644
--- a/policy/modules/contrib/mandb.te
+++ b/policy/modules/contrib/mandb.te
@@ -1,4 +1,4 @@
-policy_module(mandb, 1.1.2)
+policy_module(mandb, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/mcelog.te b/policy/modules/contrib/mcelog.te
index 0e893ee..a9265c8 100644
--- a/policy/modules/contrib/mcelog.te
+++ b/policy/modules/contrib/mcelog.te
@@ -1,4 +1,4 @@
-policy_module(mcelog, 1.2.1)
+policy_module(mcelog, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/memcached.te b/policy/modules/contrib/memcached.te
index 29b7521..cf01235 100644
--- a/policy/modules/contrib/memcached.te
+++ b/policy/modules/contrib/memcached.te
@@ -1,4 +1,4 @@
-policy_module(memcached, 1.3.1)
+policy_module(memcached, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/minissdpd.te b/policy/modules/contrib/minissdpd.te
index 6b58d5d..c80d861 100644
--- a/policy/modules/contrib/minissdpd.te
+++ b/policy/modules/contrib/minissdpd.te
@@ -1,4 +1,4 @@
-policy_module(minissdpd, 1.0.1)
+policy_module(minissdpd, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/modemmanager.te b/policy/modules/contrib/modemmanager.te
index d15eb5b..67c67f2 100644
--- a/policy/modules/contrib/modemmanager.te
+++ b/policy/modules/contrib/modemmanager.te
@@ -1,4 +1,4 @@
-policy_module(modemmanager, 1.2.1)
+policy_module(modemmanager, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/mpd.te b/policy/modules/contrib/mpd.te
index fe72523..9029996 100644
--- a/policy/modules/contrib/mpd.te
+++ b/policy/modules/contrib/mpd.te
@@ -1,4 +1,4 @@
-policy_module(mpd, 1.1.1)
+policy_module(mpd, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/mta.te b/policy/modules/contrib/mta.te
index f46fcde..51b3bbb 100644
--- a/policy/modules/contrib/mta.te
+++ b/policy/modules/contrib/mta.te
@@ -1,4 +1,4 @@
-policy_module(mta, 2.7.3)
+policy_module(mta, 2.8.0)
########################################
#
diff --git a/policy/modules/contrib/munin.te b/policy/modules/contrib/munin.te
index b708708..c48f60c 100644
--- a/policy/modules/contrib/munin.te
+++ b/policy/modules/contrib/munin.te
@@ -1,4 +1,4 @@
-policy_module(munin, 1.9.1)
+policy_module(munin, 1.10.0)
########################################
#
diff --git a/policy/modules/contrib/mysql.te b/policy/modules/contrib/mysql.te
index 7584bbe..80d2c6f 100644
--- a/policy/modules/contrib/mysql.te
+++ b/policy/modules/contrib/mysql.te
@@ -1,4 +1,4 @@
-policy_module(mysql, 1.14.1)
+policy_module(mysql, 1.15.0)
########################################
#
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index 7173fa4..a4a45c0 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -1,4 +1,4 @@
-policy_module(networkmanager, 1.15.3)
+policy_module(networkmanager, 1.16.0)
########################################
#
diff --git a/policy/modules/contrib/nslcd.te b/policy/modules/contrib/nslcd.te
index 421bf1a..985823c 100644
--- a/policy/modules/contrib/nslcd.te
+++ b/policy/modules/contrib/nslcd.te
@@ -1,4 +1,4 @@
-policy_module(nslcd, 1.4.1)
+policy_module(nslcd, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/ntp.te b/policy/modules/contrib/ntp.te
index b2b20ba..79dc252 100644
--- a/policy/modules/contrib/ntp.te
+++ b/policy/modules/contrib/ntp.te
@@ -1,4 +1,4 @@
-policy_module(ntp, 1.11.1)
+policy_module(ntp, 1.12.0)
########################################
#
diff --git a/policy/modules/contrib/openct.te b/policy/modules/contrib/openct.te
index 3b6920e..2ecffe3 100644
--- a/policy/modules/contrib/openct.te
+++ b/policy/modules/contrib/openct.te
@@ -1,4 +1,4 @@
-policy_module(openct, 1.6.1)
+policy_module(openct, 1.7.0)
########################################
#
diff --git a/policy/modules/contrib/openvpn.te b/policy/modules/contrib/openvpn.te
index 63957a3..f9d58cc 100644
--- a/policy/modules/contrib/openvpn.te
+++ b/policy/modules/contrib/openvpn.te
@@ -1,4 +1,4 @@
-policy_module(openvpn, 1.12.2)
+policy_module(openvpn, 1.13.0)
########################################
#
diff --git a/policy/modules/contrib/openvswitch.te b/policy/modules/contrib/openvswitch.te
index 44dbc99..5885f67 100644
--- a/policy/modules/contrib/openvswitch.te
+++ b/policy/modules/contrib/openvswitch.te
@@ -1,4 +1,4 @@
-policy_module(openvswitch, 1.1.1)
+policy_module(openvswitch, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/passenger.te b/policy/modules/contrib/passenger.te
index ca3de26..c80cb2a 100644
--- a/policy/modules/contrib/passenger.te
+++ b/policy/modules/contrib/passenger.te
@@ -1,4 +1,4 @@
-policy_module(passenger, 1.1.1)
+policy_module(passenger, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/pcscd.te b/policy/modules/contrib/pcscd.te
index 8deec64..1af594e 100644
--- a/policy/modules/contrib/pcscd.te
+++ b/policy/modules/contrib/pcscd.te
@@ -1,4 +1,4 @@
-policy_module(pcscd, 1.8.1)
+policy_module(pcscd, 1.9.0)
########################################
#
diff --git a/policy/modules/contrib/pegasus.te b/policy/modules/contrib/pegasus.te
index fd70362..742fe1d 100644
--- a/policy/modules/contrib/pegasus.te
+++ b/policy/modules/contrib/pegasus.te
@@ -1,4 +1,4 @@
-policy_module(pegasus, 1.9.1)
+policy_module(pegasus, 1.10.0)
########################################
#
diff --git a/policy/modules/contrib/pkcs.te b/policy/modules/contrib/pkcs.te
index 8eb3f7b..1e1a490 100644
--- a/policy/modules/contrib/pkcs.te
+++ b/policy/modules/contrib/pkcs.te
@@ -1,4 +1,4 @@
-policy_module(pkcs, 1.0.1)
+policy_module(pkcs, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/polipo.te b/policy/modules/contrib/polipo.te
index 9764bfe..baa9b4b 100644
--- a/policy/modules/contrib/polipo.te
+++ b/policy/modules/contrib/polipo.te
@@ -1,4 +1,4 @@
-policy_module(polipo, 1.1.1)
+policy_module(polipo, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te
index 4ffca8f..afc1fde 100644
--- a/policy/modules/contrib/postfix.te
+++ b/policy/modules/contrib/postfix.te
@@ -1,4 +1,4 @@
-policy_module(postfix, 1.15.3)
+policy_module(postfix, 1.16.0)
########################################
#
diff --git a/policy/modules/contrib/procmail.te b/policy/modules/contrib/procmail.te
index cc426e6..a4fa22b 100644
--- a/policy/modules/contrib/procmail.te
+++ b/policy/modules/contrib/procmail.te
@@ -1,4 +1,4 @@
-policy_module(procmail, 1.13.1)
+policy_module(procmail, 1.14.0)
########################################
#
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index 4b1bbc1..4665af2 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -1,4 +1,4 @@
-policy_module(pulseaudio, 1.6.1)
+policy_module(pulseaudio, 1.7.0)
########################################
#
diff --git a/policy/modules/contrib/qmail.te b/policy/modules/contrib/qmail.te
index 8742944..a40ba2a 100644
--- a/policy/modules/contrib/qmail.te
+++ b/policy/modules/contrib/qmail.te
@@ -1,4 +1,4 @@
-policy_module(qmail, 1.6.1)
+policy_module(qmail, 1.7.0)
########################################
#
diff --git a/policy/modules/contrib/rabbitmq.te b/policy/modules/contrib/rabbitmq.te
index dc3b0ed..cced9c3 100644
--- a/policy/modules/contrib/rabbitmq.te
+++ b/policy/modules/contrib/rabbitmq.te
@@ -1,4 +1,4 @@
-policy_module(rabbitmq, 1.0.2)
+policy_module(rabbitmq, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/raid.te b/policy/modules/contrib/raid.te
index c99753f..a9ebb52 100644
--- a/policy/modules/contrib/raid.te
+++ b/policy/modules/contrib/raid.te
@@ -1,4 +1,4 @@
-policy_module(raid, 1.13.1)
+policy_module(raid, 1.14.0)
########################################
#
diff --git a/policy/modules/contrib/redis.te b/policy/modules/contrib/redis.te
index 25cd417..d2eecfe 100644
--- a/policy/modules/contrib/redis.te
+++ b/policy/modules/contrib/redis.te
@@ -1,4 +1,4 @@
-policy_module(redis, 1.0.1)
+policy_module(redis, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/rgmanager.te b/policy/modules/contrib/rgmanager.te
index 44500cf..147ce0c 100644
--- a/policy/modules/contrib/rgmanager.te
+++ b/policy/modules/contrib/rgmanager.te
@@ -1,4 +1,4 @@
-policy_module(rgmanager, 1.3.1)
+policy_module(rgmanager, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/rhcs.te b/policy/modules/contrib/rhcs.te
index 6cf79c4..16f1a23 100644
--- a/policy/modules/contrib/rhcs.te
+++ b/policy/modules/contrib/rhcs.te
@@ -1,4 +1,4 @@
-policy_module(rhcs, 1.2.1)
+policy_module(rhcs, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/rhsmcertd.te b/policy/modules/contrib/rhsmcertd.te
index d32e1a2..8de4907 100644
--- a/policy/modules/contrib/rhsmcertd.te
+++ b/policy/modules/contrib/rhsmcertd.te
@@ -1,4 +1,4 @@
-policy_module(rhsmcertd, 1.1.1)
+policy_module(rhsmcertd, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/rlogin.te b/policy/modules/contrib/rlogin.te
index ee27948..0714e38 100644
--- a/policy/modules/contrib/rlogin.te
+++ b/policy/modules/contrib/rlogin.te
@@ -1,4 +1,4 @@
-policy_module(rlogin, 1.11.3)
+policy_module(rlogin, 1.12.0)
########################################
#
diff --git a/policy/modules/contrib/rngd.te b/policy/modules/contrib/rngd.te
index dcd1d5a..a4e8a5e 100644
--- a/policy/modules/contrib/rngd.te
+++ b/policy/modules/contrib/rngd.te
@@ -1,4 +1,4 @@
-policy_module(rngd, 1.1.1)
+policy_module(rngd, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
index ce051c2..d48a946 100644
--- a/policy/modules/contrib/rpc.te
+++ b/policy/modules/contrib/rpc.te
@@ -1,4 +1,4 @@
-policy_module(rpc, 1.15.2)
+policy_module(rpc, 1.16.0)
########################################
#
diff --git a/policy/modules/contrib/rpcbind.te b/policy/modules/contrib/rpcbind.te
index 814cb46..75f7e70 100644
--- a/policy/modules/contrib/rpcbind.te
+++ b/policy/modules/contrib/rpcbind.te
@@ -1,4 +1,4 @@
-policy_module(rpcbind, 1.6.2)
+policy_module(rpcbind, 1.7.0)
########################################
#
diff --git a/policy/modules/contrib/rshd.te b/policy/modules/contrib/rshd.te
index 864e089..5a5f6f7 100644
--- a/policy/modules/contrib/rshd.te
+++ b/policy/modules/contrib/rshd.te
@@ -1,4 +1,4 @@
-policy_module(rshd, 1.8.1)
+policy_module(rshd, 1.9.0)
########################################
#
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
index 2b7c441..de3adf2 100644
--- a/policy/modules/contrib/samba.te
+++ b/policy/modules/contrib/samba.te
@@ -1,4 +1,4 @@
-policy_module(samba, 1.16.3)
+policy_module(samba, 1.17.0)
#################################
#
diff --git a/policy/modules/contrib/sasl.te b/policy/modules/contrib/sasl.te
index 6c3bc20..9f91f8b 100644
--- a/policy/modules/contrib/sasl.te
+++ b/policy/modules/contrib/sasl.te
@@ -1,4 +1,4 @@
-policy_module(sasl, 1.15.1)
+policy_module(sasl, 1.16.0)
########################################
#
diff --git a/policy/modules/contrib/screen.te b/policy/modules/contrib/screen.te
index fd341cf..7ff572c 100644
--- a/policy/modules/contrib/screen.te
+++ b/policy/modules/contrib/screen.te
@@ -1,4 +1,4 @@
-policy_module(screen, 2.6.1)
+policy_module(screen, 2.7.0)
########################################
#
diff --git a/policy/modules/contrib/sendmail.te b/policy/modules/contrib/sendmail.te
index 12700b4..6b30f39 100644
--- a/policy/modules/contrib/sendmail.te
+++ b/policy/modules/contrib/sendmail.te
@@ -1,4 +1,4 @@
-policy_module(sendmail, 1.12.1)
+policy_module(sendmail, 1.13.0)
########################################
#
diff --git a/policy/modules/contrib/setroubleshoot.te b/policy/modules/contrib/setroubleshoot.te
index 944c8b6..6f6d668 100644
--- a/policy/modules/contrib/setroubleshoot.te
+++ b/policy/modules/contrib/setroubleshoot.te
@@ -1,4 +1,4 @@
-policy_module(setroubleshoot, 1.12.2)
+policy_module(setroubleshoot, 1.13.0)
########################################
#
diff --git a/policy/modules/contrib/slocate.te b/policy/modules/contrib/slocate.te
index 7292dc0..ca595d8 100644
--- a/policy/modules/contrib/slocate.te
+++ b/policy/modules/contrib/slocate.te
@@ -1,4 +1,4 @@
-policy_module(slocate, 1.12.2)
+policy_module(slocate, 1.13.0)
#################################
#
diff --git a/policy/modules/contrib/smoltclient.te b/policy/modules/contrib/smoltclient.te
index d5f64d9..cc9aae0 100644
--- a/policy/modules/contrib/smoltclient.te
+++ b/policy/modules/contrib/smoltclient.te
@@ -1,4 +1,4 @@
-policy_module(smoltclient, 1.2.1)
+policy_module(smoltclient, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/sosreport.te b/policy/modules/contrib/sosreport.te
index 90cf49e..18dca44 100644
--- a/policy/modules/contrib/sosreport.te
+++ b/policy/modules/contrib/sosreport.te
@@ -1,4 +1,4 @@
-policy_module(sosreport, 1.3.2)
+policy_module(sosreport, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/spamassassin.te b/policy/modules/contrib/spamassassin.te
index cc58e35..35053ab 100644
--- a/policy/modules/contrib/spamassassin.te
+++ b/policy/modules/contrib/spamassassin.te
@@ -1,4 +1,4 @@
-policy_module(spamassassin, 2.6.1)
+policy_module(spamassassin, 2.7.0)
########################################
#
diff --git a/policy/modules/contrib/squid.te b/policy/modules/contrib/squid.te
index 03472ed..42b6ccf 100644
--- a/policy/modules/contrib/squid.te
+++ b/policy/modules/contrib/squid.te
@@ -1,4 +1,4 @@
-policy_module(squid, 1.12.1)
+policy_module(squid, 1.13.0)
########################################
#
diff --git a/policy/modules/contrib/tcsd.te b/policy/modules/contrib/tcsd.te
index b26d44a..3fc5fda 100644
--- a/policy/modules/contrib/tcsd.te
+++ b/policy/modules/contrib/tcsd.te
@@ -1,4 +1,4 @@
-policy_module(tcsd, 1.1.1)
+policy_module(tcsd, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/telepathy.te b/policy/modules/contrib/telepathy.te
index 9afcbc9..5383971 100644
--- a/policy/modules/contrib/telepathy.te
+++ b/policy/modules/contrib/telepathy.te
@@ -1,4 +1,4 @@
-policy_module(telepathy, 1.4.2)
+policy_module(telepathy, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/telnet.te b/policy/modules/contrib/telnet.te
index d7c8633..0e70d1f 100644
--- a/policy/modules/contrib/telnet.te
+++ b/policy/modules/contrib/telnet.te
@@ -1,4 +1,4 @@
-policy_module(telnet, 1.11.3)
+policy_module(telnet, 1.12.0)
########################################
#
diff --git a/policy/modules/contrib/tgtd.te b/policy/modules/contrib/tgtd.te
index d010963..931c709 100644
--- a/policy/modules/contrib/tgtd.te
+++ b/policy/modules/contrib/tgtd.te
@@ -1,4 +1,4 @@
-policy_module(tgtd, 1.3.1)
+policy_module(tgtd, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/tmpreaper.te b/policy/modules/contrib/tmpreaper.te
index efdb2ab..f96e624 100644
--- a/policy/modules/contrib/tmpreaper.te
+++ b/policy/modules/contrib/tmpreaper.te
@@ -1,4 +1,4 @@
-policy_module(tmpreaper, 1.7.2)
+policy_module(tmpreaper, 1.8.0)
########################################
#
diff --git a/policy/modules/contrib/userhelper.te b/policy/modules/contrib/userhelper.te
index 42cfce0..8dadb4b 100644
--- a/policy/modules/contrib/userhelper.te
+++ b/policy/modules/contrib/userhelper.te
@@ -1,4 +1,4 @@
-policy_module(userhelper, 1.8.1)
+policy_module(userhelper, 1.9.0)
########################################
#
diff --git a/policy/modules/contrib/vdagent.te b/policy/modules/contrib/vdagent.te
index 974729e..045124a 100644
--- a/policy/modules/contrib/vdagent.te
+++ b/policy/modules/contrib/vdagent.te
@@ -1,4 +1,4 @@
-policy_module(vdagent, 1.1.2)
+policy_module(vdagent, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index d13ce07..59c0f07 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1,4 +1,4 @@
-policy_module(virt, 1.7.6)
+policy_module(virt, 1.8.0)
########################################
#
diff --git a/policy/modules/contrib/watchdog.te b/policy/modules/contrib/watchdog.te
index 25c70df..1a7ad18 100644
--- a/policy/modules/contrib/watchdog.te
+++ b/policy/modules/contrib/watchdog.te
@@ -1,4 +1,4 @@
-policy_module(watchdog, 1.8.1)
+policy_module(watchdog, 1.9.0)
#################################
#
diff --git a/policy/modules/contrib/wm.te b/policy/modules/contrib/wm.te
index 638d10f..a3861e9 100644
--- a/policy/modules/contrib/wm.te
+++ b/policy/modules/contrib/wm.te
@@ -1,4 +1,4 @@
-policy_module(wm, 1.3.3)
+policy_module(wm, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/zabbix.te b/policy/modules/contrib/zabbix.te
index eec1dcb..6ea314a 100644
--- a/policy/modules/contrib/zabbix.te
+++ b/policy/modules/contrib/zabbix.te
@@ -1,4 +1,4 @@
-policy_module(zabbix, 1.6.1)
+policy_module(zabbix, 1.7.0)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-03-17 8:24 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-03-17 8:24 UTC (permalink / raw
To: gentoo-commits
commit: 6128590ef4c9b7924c09aa2d959419f058a51f14
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Fri Mar 14 15:09:26 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Mar 17 08:17:20 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=6128590e
Whitespace fix in ntp.fc.
---
policy/modules/contrib/ntp.fc | 26 +++++++++++++-------------
1 file changed, 13 insertions(+), 13 deletions(-)
diff --git a/policy/modules/contrib/ntp.fc b/policy/modules/contrib/ntp.fc
index 6682163..147e480 100644
--- a/policy/modules/contrib/ntp.fc
+++ b/policy/modules/contrib/ntp.fc
@@ -1,25 +1,25 @@
/etc/cron\.daily/ntp -- gen_context(system_u:object_r:ntpd_exec_t,s0)
-/etc/cron\.(daily|weekly)/ntp-simple -- gen_context(system_u:object_r:ntpd_exec_t,s0)
-/etc/cron\.(daily|weekly)/ntp-server -- gen_context(system_u:object_r:ntpd_exec_t,s0)
+/etc/cron\.(daily|weekly)/ntp-simple -- gen_context(system_u:object_r:ntpd_exec_t,s0)
+/etc/cron\.(daily|weekly)/ntp-server -- gen_context(system_u:object_r:ntpd_exec_t,s0)
-/etc/ntp\.conf -- gen_context(system_u:object_r:ntp_conf_t,s0)
+/etc/ntp\.conf -- gen_context(system_u:object_r:ntp_conf_t,s0)
/etc/ntpd.*\.conf.* -- gen_context(system_u:object_r:ntp_conf_t,s0)
-/etc/ntp/crypto(/.*)? gen_context(system_u:object_r:ntpd_key_t,s0)
-/etc/ntp/data(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
-/etc/ntp/keys -- gen_context(system_u:object_r:ntpd_key_t,s0)
+/etc/ntp/crypto(/.*)? gen_context(system_u:object_r:ntpd_key_t,s0)
+/etc/ntp/data(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
+/etc/ntp/keys -- gen_context(system_u:object_r:ntpd_key_t,s0)
/etc/ntp/step-tickers.* -- gen_context(system_u:object_r:ntp_conf_t,s0)
-/etc/rc\.d/init\.d/ntpd? -- gen_context(system_u:object_r:ntpd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/ntpd? -- gen_context(system_u:object_r:ntpd_initrc_exec_t,s0)
-/usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
+/usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
/usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
-/usr/sbin/sntp -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
+/usr/sbin/sntp -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
-/var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
-/var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
+/var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
+/var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
-/var/log/ntp.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
-/var/log/ntpstats(/.*)? gen_context(system_u:object_r:ntpd_log_t,s0)
+/var/log/ntp.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
+/var/log/ntpstats(/.*)? gen_context(system_u:object_r:ntpd_log_t,s0)
/var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
/var/run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_var_run_t,s0)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-03-17 8:24 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-03-17 8:24 UTC (permalink / raw
To: gentoo-commits
commit: 8c78a84f3c4c0e2f05458d57e24dcd0335083af3
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue Mar 11 12:16:57 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Mar 17 08:17:17 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=8c78a84f
Update Changelog for release.
---
policy/modules/contrib/Changelog | 337 +++++++++++++++++++++++++++++++++++++++
1 file changed, 337 insertions(+)
diff --git a/policy/modules/contrib/Changelog b/policy/modules/contrib/Changelog
index 8b9356a..bff3eda 100644
--- a/policy/modules/contrib/Changelog
+++ b/policy/modules/contrib/Changelog
@@ -1,3 +1,340 @@
+* Tue Mar 11 2014 Chris PeBenito <selinux@tresys.com> - 2.20140311
+Chris PeBenito (17):
+ Minor rearrangement of minidlna lines.
+ Module version bump for openvpn tmp files from Sven Vermeulen.
+ Update modules for file_t merge into unlabeled_t.
+ Module version bump for postfix showq fc from Laurent Bigonville.
+ Rename gpg_agent_connect to gpg_stream_connect_agent.
+ Module version bump for gpg agent interface from Luis Ressel.
+ Whitespace fixes in git.fc.
+ Module version bump for debian git fc entries from Laurent Bigonville.
+ Move bin_t fc to corecommands.
+ Move exec/transition lines in couchdb.
+ Add comment about couchdb_js policy.
+ Module version bump for couchdb updates from Luis Ressel.
+ Module version bump for pcscd fix from Luis Ressel.
+ Move screen dontaudit rule.
+ Module version bump for screen fix from Luis Ressel.
+ Module version bump for git fc fix from Nicolas Iooss.
+ Bump module versions for release.
+
+Dan Walsh (28):
+ Allow irc_t to use tcp sockets
+ Add labels for apache logs under miq package
+ Allow smbcontrol to create content in /var/lib/samba
+ Allow ktalkd to bind to the ktalkd_port
+ Allow memcache to read sysfs data
+ Allow mdadm to getattr any file system
+ Allow cupsd_lpd_t to bind to the printer port
+ Allow rlogind to bind to the rlogin_port
+ Allow cvs to bind to the cvs_port
+ svirt domains neeed to create kobject_uevint_sockets
+ Lots of new access required for sosreport
+ Allow tgtd_t to connect to isns ports
+ openct needs to be able to create netlink_object_uevent_sockets
+ Allow glusterd to create sock_file in /run
+ Add support for tmp directories to openvswitch
+ Allow virt_domain with USB devices to look at dos file systems
+ Additional access for MLS
+ Additional access for MLS window manager
+ Additional access for MLS window manager
+ Additional access for MLS window manager
+ Allow rpcbind to use nsswitch
+ Allow gpg_agent to use ssh-add
+ Add apache labeling for glpi
+ Allow pegasus to transition to dmidecode
+ Allow mcelog to use the /dev/cpu device
+ Allow apmd to request the kernel load modules
+ Allow postfix programs to getattr on all executables
+ label mate-keyring-daemon with gkeyringd_exec_t
+
+Dominick Grift (126):
+ Typo fix in ksmtuned_admin() by Shintaro Fujiwara
+ Fix monolithic built
+ Change file context spec for aide log files to catch suffixes
+ Module version bumps for changes in various policy modules by Sven
+ Vermeulen
+ Squid: Use a single pattern for brevity
+ Irc was already allowed to create tcp sockets, it only needed an
+ additional accept, and listen to be able to act as a proxy
+ Its probably a better idea to use the httpd_sys_ra_content_t type sid
+ for logs in these locations
+ Module version bump for changes to the tcsd policy module by Lukas
+ Vrabec
+ Module version bump for changes to various policy modules by Miroslav
+ Grepl
+ Module version bump for changes to the samba policy module by Dan Walsh
+ Module version bump for changes to the telepathy policy module by
+ Miroslav Grepl
+ We do not have a boinc domain type attribute Change boolean
+ description a bit
+ Additional rabbitmq couchdb support
+ Module version bumps for changes to various policy modules by Miroslav
+ Grepl
+ Additional git tcp networking rules
+ Additional ktalkd udp networking rules
+ Module version bump for changes to various policy modules by Dan Walsh
+ Addtional cups ldp tcp networking rules
+ Should be server packets because it is binding, and not connecting
+ Clean up telnet, and rlogin networking rules
+ Additional cvs tcp networking rules
+ Module version bump for changes to various policy modules by Dan Walsh
+ Addtional tgtd tcp networking rules
+ Additional polipo tcp networking rules
+ Fix asterisk files_spool_filetrans()
+ Module version bump for changes to the networkmanager policy module by
+ Lukas Vrabec
+ Additional fs_tmpfs_filetrans() for munin service plugin content on
+ tmpfs
+ Module version bump for changes to various policy modules by Miroslav
+ Grepl
+ Support rlogind, and telnetd as init daemon domains ( i think fedora is
+ campaigning to get rid of (x)?inetd )
+ Support mariadb logging, file context specification for mariadb specific
+ config location
+ Change logwatch boolean identifier to something more self-documenting.
+ Additional tcp networking rules
+ Module version bump for changes to various policy modules by Miroslav
+ Grepl
+ Fix inconsistencies in the pkcs policy module
+ Fix fetchmail inconsistencies
+ Module version bump for changes in various policy modules by Dan Walsh
+ Support for window managers to stream socket connect to pulseaudio
+ Logwatch does not need to be able to bind tcp sockets to generic nodes
+ since its only connecting
+ Adds userhelper_exec_consolehelper for window managers
+ Remove duplicate rules due to addition of auth_use_nsswitch()
+ We dont use the arbt domain types template. Use a more uniform boolean
+ discription
+ Clean up libstoragemngmt policy module We do not yet support systemd
+ Change type from etc_rw to conf for readability admin access to
+ condor_conf_t
+ Hit by a nasty optional policy nesting issue
+ We will find another way to run pa as a system server
+ Module version bump for changes to various policy modules by Miroslav
+ Grepl
+ Clean up hypervkvp policy module (seems incomplete)
+ Clean up initial redis policy module
+ Additional openvpn tcp networking rules
+ redis: allow redis to bind tcp sockets to redis_port_t type ports
+ bluetooth: bluetooth_t acquires org.bluez service on dbus system bus
+ wm: associate wm_exec_t to core command executable files so that initrc_t
+ (/sbin/start-stop-daemon) can access it (metacity)
+ logrotate restarts syslogd via init script in Debian
+ This file is called just man-db in Debian.
+ exim: exim owns directory /var/lib/exim4
+ accountsd: accounts-daemon lists /var/log
+ alsa: alsactl listing /dev/shm alsa: alsactl reading /dev/urandom alsa:
+ alsactl getting attributes of devtmpfs / (/dev) alsa: alsactl maintains
+ a pulseaudio tmpfs file
+ Cron: /sbin/runlevel reads /run/utmp cron: anacron (system_cronjob_t)
+ reading, writing inherited random crond tmp files (/tmp/tmpfk1VT2O)
+ dbus: allow system, and session bus clients to answer to dbus unconfined
+ domains
+ apt: Run apt system cronjobs in the apt_t domain apt: apt system cronjob
+ creates dpkg.status.* files in /var/backup
+ devicekit: upowerd reads own unix stream socket devicekit:
+ devicekit_power_t (runlevel) read /run/utmp
+ mandb: Make the man-db cronjob work on Debian
+ rtkit: traverse /proc to get to process state files
+ networkmanager: NetworkManager reads /run/udev/data/n2 file
+ avahi: create a avahi_initrc_domtrans for udev_t: udev runs a avahi dns
+ check script which does, i guess, a dns check. If needed it starts, or
+ stops avahi via its init script. I also created a
+ avahi_manage_pid_files() for udev_t because the script manages a file
+ called "checked_nameservers.*" in /run/avahi-daemon
+ Cleanups of various modules with regard to regular expressions and white
+ space
+ apt: As it turns out the /var/backups directory is labeled in the backup
+ module (which i incidentally did not have installed earlier). Instead
+ of creating this file with a file type transition to
+ apt_var_cache_t, allow apt_t to manage backup_store files
+ mta: this needs to be verified again, it should just have been running
+ in exim_t. I might have taken this from old logs
+ mandb: /etc/cron.daily/man-db executes dpkg, reads dpkg db on Debian
+ slocate: catch /usr/bin/updatedb.mlocate, and /etc/cron.daily/mlocate on
+ Debian
+ dpkg: catch /etc/cron.daily/dpkg on Debian dpkg: allow
+ /etc/cron.daily/dpkg to manage backup store files on Debian
+ cron: consistent usage of regular expressions cron: prelink no longer
+ runs in the system cronjob domain
+ alsa: alsactl wants to associate pulse-shm-.* to device_t type
+ filesystems. This happens early on but i do not understand how that
+ (/dev) relates to /dev/shm in this regard
+ devicekit: reads udev pid files modemmanager: reads udev pid files
+ vdagent: spice-vdagentd uses /dev/vport1p1 virtio console
+ tmpreaper: mountall-bootcl in the tmpreaper_t domain reads, writes
+ /dev/pts/0 inherited from init script
+ revert regular expressions
+ wm: allow $1_wm_t to stream connect to $1_gkeyringd_t
+ mta: allow system_mail_t (user_mail_domains) to read kernel sysctls and
+ to read exim var lib files.
+ mta: These are duplicates because system_mail_t is a user_mail_domain,
+ as it is based off of the mta_base_mail_template() which assigns that
+ type attribute
+ locate: extra rules needed by debian /etc/cron.daily/locate script
+ backup: in Debian /etc/cron.daily/passwd backs-up shadow, passwd etc to
+ /var/backups
+ avahi: create interfaces that will allow calles to create avahi pid dirs
+ and create specifc avahi pid objects with a type transition (for
+ udev, which runs: /usr/lib/avahi/avahi-daemon-check-dns.sh in
+ Debian
+ Initial gdomap policy module
+ Initial minissdpd policy module
+ alsa: due to a bug in gnome 3.4, in debian, alsactl does all kinds of
+ weird things related to pulseaudio
+ various: revert regex fixes: fcsort does not want this now
+ gdomap: gdomap_port_t is now available, gdomap binds tcp, and udp socket
+ to it
+ alsa: make alsa_t and pulseaudio_client so that pulseaudio_client rules
+ apply to it. alsactl does not actually run pulseaudio it seems though.
+ pulseaudio: allow all pulseaudio_client to send null signals to
+ unconfined_t, since unconfined_t is not actually a pulseaudio_client (
+ unconfined_t runs pulseaudio without a domain transition)
+ avahi: create avahi_setattr_pid_dirs() for udev (avahi dns check script
+ run by udev in Debian)
+ These { read write } tty_device_t chr files on boot up in Debian
+ colord: colord executable file locations in Debian
+ colord: reads /proc/1, reads /run/udev files
+ vdagent: read/write mtrr file
+ mandb: dpkg running in the mandb_t domain in Debian (mandb cronjob)
+ traverses /root
+ exim: traverses sysfs, uses system cronjob file descriptors (/dev/null) in
+ Debian (/etc/cron.daily/exim)
+ minissdpd fixes
+ devicekit: disk reads /proc/sys/vm/overcommit_memory
+ devicekit: edit devicekit_append_inherited_log_files to include get
+ attribute permission so that it can be also used for fsadm
+ devicekit: 95hdparm-apm (devicekit_power_t) gets attributes of /dev/sda
+ (fixed_disk_device_t)
+ networkmanager: added interfaces that fedora calls for dhcpc. In Debian it
+ was confirmed that at least dhclient manages
+ /var/lib/NetworkManager/dhclient-eth0.conf
+ firewalld: various fixes that i borrowed from Fedora but that also apply
+ to Debian (confirmed)
+ firewalld: interfaces created for iptables
+ irqbalance: getsched from Debian
+ colord: colord reads /proc/3412/cmdline (cupsd state files)
+ virt: libvirtd reads /run/udev/data/+input:input3
+ firewalld: traverses / on sysfs
+ rngd: needs ipc_lock capability, maintains /run/rngd.pid
+ tmpreaper: mountall-bootcl executes /bin/plymouth on Debian
+ minissdpd: deal with assertion violation (sys_module)
+ gdomap: missing networking rules, it traverses /tmp for some reason
+ ntp: create ntp_read_drift_files() for dhclient
+ dpkg: allow dpkg, and dpkg script to domain transition to initrc_t on any
+ init script file type rather than only the generic initrc_exec_t init
+ script file type
+ exim: exim4 reads online
+ apt: apt runs /usr/bin/apt-get apt: on_ac_power (apt_t) lists
+ /sys/class/power_supply
+ exim: exim_manage_var_lib_files created for init: init script runs helper
+ apps that create/manage /var/lib/exim4/config.autogenerated.tmp
+ gdomap/minissdpd: create read_config interfaces for initrc_t
+ exim: make exim init script create /var/run/exim4 with a proper context
+ pulseaudio: pulsaudio_t needs to be able to read user_tmpfs_files
+ (/run/shm/pulse-shm-.*)
+ dnsmasq: add support for /etc/dnsmasq.d/
+ Module version bumps for various policy modules
+ Module version bump for changes to the logrotate module by Luis Ressel
+ Git: git daemons can list and read git personal repositories
+ Module version bumps for changes to various policy modules by Fedora
+ redis, lsm: typo fixes
+ userhelper: append newline
+
+James Carter (8):
+ - Fixed typo in contrib/avahi.if
+ - Fixed typo in contrib/glusterfs.te
+ - Fixed typo in contrib/jabber.if
+ - Fixed typo in contrib/keystone.if
+ - Fixed typo in contrib/mailscanner.if
+ - Fixed typo in contrib/qpid.if
+ - Fixed typo in contrib/readahead.fc.
+ - Fixed typo in contrib/rpm.if.
+
+Laurent Bigonville (2):
+ Label /usr/lib/postfix/showq as postfix_showq_exec_t
+ Properly label git-daemon and gitweb.cgi on Debian
+
+Luis Ressel (10):
+ Allow initrc_t to create /var/run/opendkim
+ Label /etc/cron.daily/logrotate correctly.
+ gpg: Create gpg_agent_connect interface
+ Minor updates to couchdb policy
+ couchdb: Add separate domain for couchjs
+ couchdb: Dontaudit denials caused by Erlang's disksup
+ Reformat couchdb.fc
+ pcscd.if: Permit access to pid files inside /var/run/pcscd/.
+ Allow gpg-agent's scdaemon to connect to pcscd.
+ Dontaudit screen asking for the sys_tty_config capability
+
+Lukas Vrabec (8):
+ Allow tcsd to read utmp file
+ fix boinc policy
+ Add support for couchdb in rabbitmq policy
+ Fix transition rules in asterisk policy
+ Add fowner capability to networkmanager policy
+ Add policy for lsmd
+ Add policy for hypervkvpd
+ Add policy for redis-server
+
+Mika Pflüger (1):
+ Correct typo in passenger module name
+
+Miroslav Grepl (40):
+ Allow passenger to execute ifconfig
+ Allow mpd setcap which is needed by pulseaudio
+ Allow block_suspend cap for samba-net
+ Allow t-mission-control to manage gabble cache files
+ Allow nslcd to read /sys/devices/system/cpu
+ Add labeling for ~/.cache/telepathy/avatars/gabble
+ Allow firewalld to read NM state
+ Allow systemd running as git_systemd to bind git port
+ Fix labeling for fetchmail pid files/dirs
+ Fix polipo.te
+ Fix cupsd.te
+ Allow munin service plugins to manage own tmpfs files/dirs
+ Make ktalk as init domain
+ Allow mysqld_safe_t to handle also symlinks in /var/log/mariadb
+ Add logwatch_can_sendmail boolean
+ Allow rhsmcertd to read init state
+ Allow fsetid for pkcsslotd
+ Allow fetchmail to create own pid with correct labeling
+ Fix rhcs_domain_template()
+ Add support for abrt-upload-watch
+ Allow virtd to relabel unix stream socket
+ Fix lsm.fc for pid files
+ Also sock_file trans rule is needed in lsm
+ Update condor_master rules to allow read system state info and allow
+ logging
+ Add labeling for /etc/condor and allow condor domain to write it (bug)
+ Allow condor domains to manage own logs
+ Allow glusterd to read domains state
+ Add openvpn_can_network_connect() boolean
+ Fix minissdpd_admin()
+ Allow ctdb to getattr on al filesystems
+ Watchdog opens the raw socket
+ Allow watchdog to read network state info
+ Add setroubleshoot_signull() interface
+ Allow sosreport to send signull to setroubleshootd
+ Allow sosreport all signal perms
+ Allow sosreport to dbus chat with rpm
+ Allow zabbix_agentd to read all domain state
+ Allow smoltclient to execute ldconfig
+ Allow sosreport to request the kernel to load a module
+ Allow setpgid for sosreport
+
+Nicolas Iooss (1):
+ git: fix file pattern after whitespace fixes
+
+Sven Vermeulen (6):
+ Add minidlna policy
+ Allow openvpn temporary files
+ Add aide bin /usr/bin and mark /var/lib/aide
+ Provide alsa_write_lib interface
+ Run dmidecode after newrole or on terminals
+ Grant write privileges to squid on its log files
+
* Wed Apr 24 2013 Chris PeBenito <selinux@tresys.com> - 2.20130424
Chris PeBenito (18):
Rewrite of mcelog module from Guido Trentalancia
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-03-17 8:24 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-03-17 8:24 UTC (permalink / raw
To: gentoo-commits
commit: 1e65313c840ddcb30577cc8bc51859e0a0717378
Author: Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Mon Mar 3 22:59:40 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Mar 17 08:17:19 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=1e65313c
Add several fcontext for debian specific paths for ntp
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=740656
---
policy/modules/contrib/ntp.fc | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/ntp.fc b/policy/modules/contrib/ntp.fc
index af3c91e..6682163 100644
--- a/policy/modules/contrib/ntp.fc
+++ b/policy/modules/contrib/ntp.fc
@@ -1,13 +1,15 @@
+/etc/cron\.daily/ntp -- gen_context(system_u:object_r:ntpd_exec_t,s0)
/etc/cron\.(daily|weekly)/ntp-simple -- gen_context(system_u:object_r:ntpd_exec_t,s0)
/etc/cron\.(daily|weekly)/ntp-server -- gen_context(system_u:object_r:ntpd_exec_t,s0)
+/etc/ntp\.conf -- gen_context(system_u:object_r:ntp_conf_t,s0)
/etc/ntpd.*\.conf.* -- gen_context(system_u:object_r:ntp_conf_t,s0)
/etc/ntp/crypto(/.*)? gen_context(system_u:object_r:ntpd_key_t,s0)
/etc/ntp/data(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
/etc/ntp/keys -- gen_context(system_u:object_r:ntpd_key_t,s0)
/etc/ntp/step-tickers.* -- gen_context(system_u:object_r:ntp_conf_t,s0)
-/etc/rc\.d/init\.d/ntpd -- gen_context(system_u:object_r:ntpd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/ntpd? -- gen_context(system_u:object_r:ntpd_initrc_exec_t,s0)
/usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
/usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-03-10 18:19 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-03-10 18:19 UTC (permalink / raw
To: gentoo-commits
commit: 654653698a35d23f51d490a83f61b4a57af8b22c
Author: Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org>
AuthorDate: Fri Feb 28 18:19:11 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Mar 10 18:17:15 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=65465369
git: fix file pattern after whitespace fixes
Commit bb7d721c "Whitespace fixes in git.fc." removed the last letter of a
file pattern in git.fc. This patch adds the letter back.
---
policy/modules/contrib/git.fc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/git.fc b/policy/modules/contrib/git.fc
index c583ce1..d8a3f8e 100644
--- a/policy/modules/contrib/git.fc
+++ b/policy/modules/contrib/git.fc
@@ -14,4 +14,4 @@ HOME_DIR/public_git(/.*)? gen_context(system_u:object_r:git_user_content_t,s0)
/var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
/var/www/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0)
/var/www/git/gitweb\.cgi -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
-/var/www/gitweb-caching/gitweb\.cg -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
+/var/www/gitweb-caching/gitweb\.cgi -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-03-10 18:19 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-03-10 18:19 UTC (permalink / raw
To: gentoo-commits
commit: 7e346191bd6b17e8320d2d47f6da442696512737
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Mon Mar 10 14:24:43 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Mar 10 18:17:17 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=7e346191
Module version bump for git fc fix from Nicolas Iooss.
---
policy/modules/contrib/git.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/git.te b/policy/modules/contrib/git.te
index 814d441..111d200 100644
--- a/policy/modules/contrib/git.te
+++ b/policy/modules/contrib/git.te
@@ -1,4 +1,4 @@
-policy_module(git, 1.3.4)
+policy_module(git, 1.3.5)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-03-04 15:30 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-03-04 15:30 UTC (permalink / raw
To: gentoo-commits
commit: 78d4bf98ca3ffc9ec4447a9bace3c8683f3174f4
Author: Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Sun Feb 16 14:18:14 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Mar 4 15:28:48 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=78d4bf98
Dontaudit screen asking for the sys_tty_config capability
This avc shows up when using screen as root, however screen seems to
work fine without that permission.
---
policy/modules/contrib/screen.if | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/contrib/screen.if b/policy/modules/contrib/screen.if
index be5cce2..08c8978 100644
--- a/policy/modules/contrib/screen.if
+++ b/policy/modules/contrib/screen.if
@@ -54,6 +54,8 @@ template(`screen_role_template',`
dontaudit $3 $1_screen_t:unix_stream_socket { read write };
allow $1_screen_t $3:process signal;
+ dontaudit $1_screen_t self:capability sys_tty_config;
+
allow $3 screen_tmp_t:dir { manage_dir_perms relabel_dir_perms };
allow $3 screen_tmp_t:file { manage_file_perms relabel_file_perms };
allow $3 screen_tmp_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-03-04 15:30 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-03-04 15:30 UTC (permalink / raw
To: gentoo-commits
commit: d2f246c5272f0a7df178b119e0f72e04ce483be7
Author: Chris PeBenito <pebenito <AT> gentoo <DOT> org>
AuthorDate: Mon Mar 3 14:05:40 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Mar 4 15:28:51 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=d2f246c5
Module version bump for screen fix from Luis Ressel.
---
policy/modules/contrib/screen.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/screen.te b/policy/modules/contrib/screen.te
index 7da9b3d..fd341cf 100644
--- a/policy/modules/contrib/screen.te
+++ b/policy/modules/contrib/screen.te
@@ -1,4 +1,4 @@
-policy_module(screen, 2.6.0)
+policy_module(screen, 2.6.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-03-04 15:30 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-03-04 15:30 UTC (permalink / raw
To: gentoo-commits
commit: 4607df07ecea8c109ef784297f568b5a564f582b
Author: Chris PeBenito <pebenito <AT> gentoo <DOT> org>
AuthorDate: Mon Mar 3 13:48:20 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Mar 4 15:28:50 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=4607df07
Move screen dontaudit rule.
---
policy/modules/contrib/screen.if | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/screen.if b/policy/modules/contrib/screen.if
index 08c8978..2795f69 100644
--- a/policy/modules/contrib/screen.if
+++ b/policy/modules/contrib/screen.if
@@ -46,6 +46,8 @@ template(`screen_role_template',`
# Local policy
#
+ dontaudit $1_screen_t self:capability sys_tty_config;
+
domtrans_pattern($3, screen_exec_t, $1_screen_t)
ps_process_pattern($3, $1_screen_t)
@@ -54,8 +56,6 @@ template(`screen_role_template',`
dontaudit $3 $1_screen_t:unix_stream_socket { read write };
allow $1_screen_t $3:process signal;
- dontaudit $1_screen_t self:capability sys_tty_config;
-
allow $3 screen_tmp_t:dir { manage_dir_perms relabel_dir_perms };
allow $3 screen_tmp_t:file { manage_file_perms relabel_file_perms };
allow $3 screen_tmp_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-02-17 20:54 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-02-17 20:54 UTC (permalink / raw
To: gentoo-commits
commit: c861070d8bc839eba9e45a5240fa2eb1b2870eca
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon Feb 17 20:53:26 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Feb 17 20:53:26 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=c861070d
Update comment and remove whitespace (thanks to Luis Ressel)
---
policy/modules/contrib/portage.if | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/portage.if b/policy/modules/contrib/portage.if
index 64ed670..640a63b 100644
--- a/policy/modules/contrib/portage.if
+++ b/policy/modules/contrib/portage.if
@@ -163,8 +163,8 @@ interface(`portage_compile_domain',`
files_exec_etc_files($1)
files_exec_usr_src_files($1)
- # Fix bug #496328
- fs_getattr_tmpfs($1)
+ # Came up with bug #496328
+ fs_getattr_tmpfs($1)
fs_getattr_xattr_fs($1)
fs_list_noxattr_fs($1)
fs_read_noxattr_fs_files($1)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-02-17 19:55 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-02-17 19:55 UTC (permalink / raw
To: gentoo-commits
commit: 2fb604ffe3ff4adde1b11c450e638c310ec7741a
Author: Chris PeBenito <pebenito <AT> gentoo <DOT> org>
AuthorDate: Sat Feb 15 20:03:19 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Feb 17 19:46:22 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=2fb604ff
Module version bump for pcscd fix from Luis Ressel.
---
policy/modules/contrib/pcscd.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/pcscd.te b/policy/modules/contrib/pcscd.te
index 1fb1964..8deec64 100644
--- a/policy/modules/contrib/pcscd.te
+++ b/policy/modules/contrib/pcscd.te
@@ -1,4 +1,4 @@
-policy_module(pcscd, 1.8.0)
+policy_module(pcscd, 1.8.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-02-17 19:55 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-02-17 19:55 UTC (permalink / raw
To: gentoo-commits
commit: 55ada8c7213d784e90f9e9aed48e7379cbdd8eee
Author: Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Fri Feb 14 19:35:49 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Feb 17 19:46:21 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=55ada8c7
Allow gpg-agent's scdaemon to connect to pcscd.
---
policy/modules/contrib/gpg.te | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index 6405e2e..11e8b20 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -1,4 +1,4 @@
-policy_module(gpg, 2.8.2)
+policy_module(gpg, 2.8.3)
########################################
#
@@ -273,6 +273,10 @@ optional_policy(`
mozilla_dontaudit_rw_user_home_files(gpg_agent_t)
')
+optional_policy(`
+ pcscd_stream_connect(gpg_agent_t)
+')
+
##############################
#
# Pinentry local policy
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-02-17 19:55 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-02-17 19:55 UTC (permalink / raw
To: gentoo-commits
commit: 69c810d8042573cb1a1771d7191a5e7685a8e388
Author: Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Fri Feb 14 19:35:48 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Feb 17 19:45:18 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=69c810d8
pcscd.if: Permit access to pid files inside /var/run/pcscd/.
Gentoo places pcscd's pid file in /var/run/pcscd/ instead of /var/run/,
but pcscd_read_pid_files() doesn't grant enough permissions for this.
---
policy/modules/contrib/pcscd.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/pcscd.if b/policy/modules/contrib/pcscd.if
index 43d50f9..7f77d32 100644
--- a/policy/modules/contrib/pcscd.if
+++ b/policy/modules/contrib/pcscd.if
@@ -50,7 +50,7 @@ interface(`pcscd_read_pid_files',`
')
files_search_pids($1)
- allow $1 pcscd_var_run_t:file read_file_perms;
+ read_files_pattern($1, pcscd_var_run_t, pcscd_var_run_t)
')
########################################
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-02-15 9:45 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-02-15 9:45 UTC (permalink / raw
To: gentoo-commits
commit: 78f390bf6e83e1b24be5c2cc19693afba138ec0a
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Feb 15 09:43:59 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Feb 15 09:44:12 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=78f390bf
Fix bug #496328 - Allow conftest in portage sandbox to check for sem_open
Patch provided by Luis Ressel
---
policy/modules/contrib/portage.if | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/contrib/portage.if b/policy/modules/contrib/portage.if
index d58af63..64ed670 100644
--- a/policy/modules/contrib/portage.if
+++ b/policy/modules/contrib/portage.if
@@ -163,6 +163,8 @@ interface(`portage_compile_domain',`
files_exec_etc_files($1)
files_exec_usr_src_files($1)
+ # Fix bug #496328
+ fs_getattr_tmpfs($1)
fs_getattr_xattr_fs($1)
fs_list_noxattr_fs($1)
fs_read_noxattr_fs_files($1)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-02-09 10:54 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-02-09 10:54 UTC (permalink / raw
To: gentoo-commits
commit: eefedf42792afe7062c103cb8df70816296b14ed
Author: Chris PeBenito <pebenito <AT> gentoo <DOT> org>
AuthorDate: Sat Feb 8 14:24:02 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Feb 9 10:48:38 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=eefedf42
Add comment about couchdb_js policy.
---
policy/modules/contrib/couchdb.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/contrib/couchdb.te b/policy/modules/contrib/couchdb.te
index 390c8cb..0688856 100644
--- a/policy/modules/contrib/couchdb.te
+++ b/policy/modules/contrib/couchdb.te
@@ -105,6 +105,8 @@ miscfiles_read_localization(couchdb_t)
# couchdb_js policy
#
+# this is a complete policy. It processes the javascript
+# ouside the main process, passing data via FIFO.
allow couchdb_js_t self:process { execmem getsched setsched };
files_read_usr_files(couchdb_js_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-02-09 10:54 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-02-09 10:54 UTC (permalink / raw
To: gentoo-commits
commit: 87deab528f341daa6e0c1e70c1351cc5e72a924f
Author: Chris PeBenito <pebenito <AT> gentoo <DOT> org>
AuthorDate: Sat Feb 8 14:24:59 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Feb 9 10:48:39 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=87deab52
Module version bump for couchdb updates from Luis Ressel.
---
policy/modules/contrib/couchdb.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/couchdb.te b/policy/modules/contrib/couchdb.te
index 0688856..04e0bbb 100644
--- a/policy/modules/contrib/couchdb.te
+++ b/policy/modules/contrib/couchdb.te
@@ -1,4 +1,4 @@
-policy_module(couchdb, 1.1.1)
+policy_module(couchdb, 1.1.2)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-02-09 10:54 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-02-09 10:54 UTC (permalink / raw
To: gentoo-commits
commit: 73cf057f886490de96018eef40a4b2362e0946f2
Author: Chris PeBenito <pebenito <AT> gentoo <DOT> org>
AuthorDate: Sat Feb 8 14:22:34 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Feb 9 10:48:35 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=73cf057f
Move exec/transition lines in couchdb.
---
policy/modules/contrib/couchdb.te | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/policy/modules/contrib/couchdb.te b/policy/modules/contrib/couchdb.te
index 62f5db1..390c8cb 100644
--- a/policy/modules/contrib/couchdb.te
+++ b/policy/modules/contrib/couchdb.te
@@ -45,6 +45,10 @@ allow couchdb_t self:tcp_socket { accept listen };
allow couchdb_t couchdb_conf_t:dir list_dir_perms;
allow couchdb_t couchdb_conf_t:file read_file_perms;
+can_exec(couchdb_t, couchdb_exec_t)
+
+domtrans_pattern(couchdb_t, couchdb_js_exec_t, couchdb_js_t)
+
manage_dirs_pattern(couchdb_t, couchdb_log_t, couchdb_log_t)
append_files_pattern(couchdb_t, couchdb_log_t, couchdb_log_t)
create_files_pattern(couchdb_t, couchdb_log_t, couchdb_log_t)
@@ -63,8 +67,6 @@ manage_dirs_pattern(couchdb_t, couchdb_var_run_t, couchdb_var_run_t)
manage_files_pattern(couchdb_t, couchdb_var_run_t, couchdb_var_run_t)
files_pid_filetrans(couchdb_t, couchdb_var_run_t, dir)
-can_exec(couchdb_t, couchdb_exec_t)
-
kernel_read_system_state(couchdb_t)
corecmd_exec_bin(couchdb_t)
@@ -98,8 +100,6 @@ auth_use_nsswitch(couchdb_t)
miscfiles_read_localization(couchdb_t)
-domtrans_pattern(couchdb_t, couchdb_js_exec_t, couchdb_js_t)
-
########################################
#
# couchdb_js policy
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-02-01 11:37 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-02-01 11:37 UTC (permalink / raw
To: gentoo-commits
commit: dde05ceb3056e00a2bff6e089fc0caa5d784d700
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Feb 1 11:35:03 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Feb 1 11:35:34 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=dde05ceb
Fix bug 496328 - Properly handle chroots
Thanks to Luis Ressel for the patch.
---
policy/modules/contrib/portage.if | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/policy/modules/contrib/portage.if b/policy/modules/contrib/portage.if
index fe656fa..d58af63 100644
--- a/policy/modules/contrib/portage.if
+++ b/policy/modules/contrib/portage.if
@@ -203,6 +203,11 @@ interface(`portage_compile_domain',`
allow $1 xdm_xserver_tmp_t:sock_file { create_file_perms delete_file_perms write_file_perms };
')
') dnl end TODO
+
+ ifdef(`distro_gentoo',`
+ # Fix bug 496328
+ fs_getattr_tmpfs($1)
+ ')
')
########################################
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-02-01 10:00 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-02-01 10:00 UTC (permalink / raw
To: gentoo-commits
commit: 5aa3b64013455ae513d1a9d92701ab6546a795d3
Author: Chris PeBenito <pebenito <AT> gentoo <DOT> org>
AuthorDate: Sat Feb 1 03:53:53 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Feb 1 09:57:26 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=5aa3b640
Module version bump for postfix showq fc from Laurent Bigonville.
---
policy/modules/contrib/postfix.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te
index 03a0092..4ffca8f 100644
--- a/policy/modules/contrib/postfix.te
+++ b/policy/modules/contrib/postfix.te
@@ -1,4 +1,4 @@
-policy_module(postfix, 1.15.2)
+policy_module(postfix, 1.15.3)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-02-01 10:00 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-02-01 10:00 UTC (permalink / raw
To: gentoo-commits
commit: 63fcf01dc21cd1d091cec1892a6ec4697e7dd550
Author: Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Thu Jan 30 19:26:01 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Feb 1 09:57:23 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=63fcf01d
Label /usr/lib/postfix/showq as postfix_showq_exec_t
---
policy/modules/contrib/postfix.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/postfix.fc b/policy/modules/contrib/postfix.fc
index c0e8785..da1791b 100644
--- a/policy/modules/contrib/postfix.fc
+++ b/policy/modules/contrib/postfix.fc
@@ -10,6 +10,7 @@
/usr/lib/postfix/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
/usr/lib/postfix/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
/usr/lib/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
+/usr/lib/postfix/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0)
/usr/lib/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
/usr/lib/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
/usr/lib/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-01-23 19:54 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-01-23 19:54 UTC (permalink / raw
To: gentoo-commits
commit: 94da5be65c23b53ef62d05e4c9f1efe773e7b8c6
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Jan 23 19:53:57 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Jan 23 19:53:57 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=94da5be6
Fix bug #498578 - Support mplayer2 and mpv
---
policy/modules/contrib/mplayer.fc | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/policy/modules/contrib/mplayer.fc b/policy/modules/contrib/mplayer.fc
index 755ebe2..03ace71 100644
--- a/policy/modules/contrib/mplayer.fc
+++ b/policy/modules/contrib/mplayer.fc
@@ -6,3 +6,12 @@ HOME_DIR/\.mplayer(/.*)? gen_context(system_u:object_r:mplayer_home_t,s0)
/usr/bin/mencoder -- gen_context(system_u:object_r:mencoder_exec_t,s0)
/usr/bin/vlc -- gen_context(system_u:object_r:mplayer_exec_t,s0)
/usr/bin/xine -- gen_context(system_u:object_r:mplayer_exec_t,s0)
+
+ifdef(`distro_gentoo',`
+HOME_DIR/\.mpv(/.*)? gen_context(system_u:object_r:mplayer_home_t,s0)
+
+/etc/mpv(/.*)? gen_context(system_u:object_r:mplayer_etc_t,s0)
+
+/usr/bin/mplayer2 -- gen_context(system_u:object_r:mplayer_exec_t,s0)
+/usr/bin/mpv -- gen_context(system_u:object_r:mplayer_exec_t,s0)
+')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-01-20 20:33 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-01-20 20:33 UTC (permalink / raw
To: gentoo-commits
commit: 966f8dfaae29ab6192222828a396ca3f38458f6b
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon Jan 20 20:32:27 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Jan 20 20:32:27 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=966f8dfa
Fix bug #497986 - Scripts provided by consolekit should be bin_t
---
policy/modules/contrib/consolekit.fc | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/policy/modules/contrib/consolekit.fc b/policy/modules/contrib/consolekit.fc
index 23c9558..0ce1e53 100644
--- a/policy/modules/contrib/consolekit.fc
+++ b/policy/modules/contrib/consolekit.fc
@@ -5,3 +5,8 @@
/var/run/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_var_run_t,s0)
/var/run/consolekit\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0)
/var/run/console-kit-daemon\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0)
+
+ifdef(`distro_gentoo',`
+# Bug 497986
+/usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0)
+')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-01-19 19:08 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2014-01-19 19:08 UTC (permalink / raw
To: gentoo-commits
commit: ee0f927388a2046653008fea0bf2ccbd5580243c
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Thu Jan 16 14:05:59 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Jan 19 19:07:31 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ee0f9273
Update modules for file_t merge into unlabeled_t.
---
policy/modules/contrib/automount.te | 4 ++--
policy/modules/contrib/ccs.te | 4 ++--
policy/modules/contrib/devicekit.te | 4 ++--
policy/modules/contrib/kudzu.te | 4 ++--
policy/modules/contrib/rgmanager.te | 4 ++--
policy/modules/contrib/virt.te | 4 ++--
6 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/policy/modules/contrib/automount.te b/policy/modules/contrib/automount.te
index 27d2f40..140e876 100644
--- a/policy/modules/contrib/automount.te
+++ b/policy/modules/contrib/automount.te
@@ -1,4 +1,4 @@
-policy_module(automount, 1.14.1)
+policy_module(automount, 1.14.2)
########################################
#
@@ -62,6 +62,7 @@ kernel_read_proc_symlinks(automount_t)
kernel_read_system_state(automount_t)
kernel_read_network_state(automount_t)
kernel_list_proc(automount_t)
+kernel_getattr_unlabeled_dirs(automount_t)
kernel_dontaudit_search_xen_state(automount_t)
corecmd_exec_bin(automount_t)
@@ -93,7 +94,6 @@ files_dontaudit_write_var_dirs(automount_t)
files_getattr_all_dirs(automount_t)
files_getattr_default_dirs(automount_t)
files_getattr_home_dir(automount_t)
-files_getattr_isid_type_dirs(automount_t)
files_exec_etc_files(automount_t)
files_list_mnt(automount_t)
files_manage_non_security_dirs(automount_t)
diff --git a/policy/modules/contrib/ccs.te b/policy/modules/contrib/ccs.te
index 658134d..53e86f6 100644
--- a/policy/modules/contrib/ccs.te
+++ b/policy/modules/contrib/ccs.te
@@ -1,4 +1,4 @@
-policy_module(ccs, 1.6.0)
+policy_module(ccs, 1.6.1)
########################################
#
@@ -110,8 +110,8 @@ userdom_manage_unpriv_user_shared_mem(ccs_t)
userdom_manage_unpriv_user_semaphores(ccs_t)
ifdef(`hide_broken_symptoms',`
+ kernel_manage_unlabeled_files(ccs_t)
corecmd_dontaudit_write_bin_dirs(ccs_t)
- files_manage_isid_type_files(ccs_t)
')
optional_policy(`
diff --git a/policy/modules/contrib/devicekit.te b/policy/modules/contrib/devicekit.te
index 010f7fb..5320321 100644
--- a/policy/modules/contrib/devicekit.te
+++ b/policy/modules/contrib/devicekit.te
@@ -1,4 +1,4 @@
-policy_module(devicekit, 1.3.2)
+policy_module(devicekit, 1.3.3)
########################################
#
@@ -92,6 +92,7 @@ kernel_read_system_state(devicekit_disk_t)
kernel_read_vm_sysctls(devicekit_disk_t)
kernel_request_load_module(devicekit_disk_t)
kernel_setsched(devicekit_disk_t)
+kernel_manage_unlabeled_dirs(devicekit_disk_t)
corecmd_exec_bin(devicekit_disk_t)
corecmd_exec_shell(devicekit_disk_t)
@@ -115,7 +116,6 @@ files_getattr_all_dirs(devicekit_disk_t)
files_getattr_all_files(devicekit_disk_t)
files_getattr_all_pipes(devicekit_disk_t)
files_manage_boot_dirs(devicekit_disk_t)
-files_manage_isid_type_dirs(devicekit_disk_t)
files_manage_mnt_dirs(devicekit_disk_t)
files_read_etc_runtime_files(devicekit_disk_t)
files_read_usr_files(devicekit_disk_t)
diff --git a/policy/modules/contrib/kudzu.te b/policy/modules/contrib/kudzu.te
index 1664036..bcd398c 100644
--- a/policy/modules/contrib/kudzu.te
+++ b/policy/modules/contrib/kudzu.te
@@ -1,4 +1,4 @@
-policy_module(kudzu, 1.9.0)
+policy_module(kudzu, 1.9.1)
########################################
#
@@ -49,6 +49,7 @@ kernel_read_network_state(kudzu_t)
kernel_read_system_state(kudzu_t)
kernel_rw_hotplug_sysctls(kudzu_t)
kernel_rw_kernel_sysctl(kudzu_t)
+kernel_dontaudit_search_unlabeled(kudzu_t)
corecmd_exec_all_executables(kudzu_t)
@@ -71,7 +72,6 @@ files_etc_filetrans_etc_runtime(kudzu_t, file)
files_manage_mnt_files(kudzu_t)
files_manage_mnt_symlinks(kudzu_t)
files_dontaudit_search_src(kudzu_t)
-files_dontaudit_search_isid_type_dirs(kudzu_t)
fs_search_auto_mountpoints(kudzu_t)
fs_write_ramfs_sockets(kudzu_t)
diff --git a/policy/modules/contrib/rgmanager.te b/policy/modules/contrib/rgmanager.te
index c8a1e16..44500cf 100644
--- a/policy/modules/contrib/rgmanager.te
+++ b/policy/modules/contrib/rgmanager.te
@@ -1,4 +1,4 @@
-policy_module(rgmanager, 1.3.0)
+policy_module(rgmanager, 1.3.1)
########################################
#
@@ -63,6 +63,7 @@ kernel_read_system_state(rgmanager_t)
kernel_rw_rpc_sysctls(rgmanager_t)
kernel_search_debugfs(rgmanager_t)
kernel_search_network_state(rgmanager_t)
+kernel_manage_unlabeled_dirs(rgmanager_t)
corenet_all_recvfrom_unlabeled(rgmanager_t)
corenet_all_recvfrom_netlabel(rgmanager_t)
@@ -83,7 +84,6 @@ domain_dontaudit_ptrace_all_domains(rgmanager_t)
files_list_all(rgmanager_t)
files_getattr_all_symlinks(rgmanager_t)
files_manage_mnt_dirs(rgmanager_t)
-files_manage_isid_type_dirs(rgmanager_t)
files_read_non_security_files(rgmanager_t)
fs_getattr_all_fs(rgmanager_t)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 590ad2a..d13ce07 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1,4 +1,4 @@
-policy_module(virt, 1.7.5)
+policy_module(virt, 1.7.6)
########################################
#
@@ -935,6 +935,7 @@ storage_manage_fixed_disk(virtd_lxc_t)
kernel_read_all_sysctls(virtd_lxc_t)
kernel_read_network_state(virtd_lxc_t)
kernel_read_system_state(virtd_lxc_t)
+kernel_list_unlabeled(virtd_lxc_t)
corecmd_exec_bin(virtd_lxc_t)
corecmd_exec_shell(virtd_lxc_t)
@@ -954,7 +955,6 @@ files_relabel_rootfs(virtd_lxc_t)
files_mounton_non_security(virtd_lxc_t)
files_mount_all_file_type_fs(virtd_lxc_t)
files_unmount_all_file_type_fs(virtd_lxc_t)
-files_list_isid_type_dirs(virtd_lxc_t)
files_root_filetrans(virtd_lxc_t, svirt_lxc_file_t, dir_file_class_set)
fs_getattr_all_fs(virtd_lxc_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-12-20 21:00 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-12-20 21:00 UTC (permalink / raw
To: gentoo-commits
commit: 335d18800165139ef3cd2ec012f43f6239fe775d
Author: Mika Pflüger <mika <AT> mikapflueger <DOT> de>
AuthorDate: Mon Dec 16 00:51:32 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Dec 20 20:58:05 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=335d1880
Correct typo in passenger module name
---
policy/modules/contrib/passenger.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/passenger.te b/policy/modules/contrib/passenger.te
index 08ec33b..ca3de26 100644
--- a/policy/modules/contrib/passenger.te
+++ b/policy/modules/contrib/passenger.te
@@ -1,4 +1,4 @@
-policy_module(passanger, 1.1.1)
+policy_module(passenger, 1.1.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-12-18 8:16 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-12-18 8:16 UTC (permalink / raw
To: gentoo-commits
commit: 910dc9c588c6a0af4b2abc7b009b72c6393a29d6
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Dec 18 08:15:07 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Dec 18 08:15:07 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=910dc9c5
Remove duplicate file transition
---
policy/modules/contrib/mysql.te | 4 ----
1 file changed, 4 deletions(-)
diff --git a/policy/modules/contrib/mysql.te b/policy/modules/contrib/mysql.te
index d425838..7584bbe 100644
--- a/policy/modules/contrib/mysql.te
+++ b/policy/modules/contrib/mysql.te
@@ -258,7 +258,3 @@ files_search_var_lib(mysqlmanagerd_t)
miscfiles_read_localization(mysqlmanagerd_t)
userdom_search_user_home_dirs(mysqlmanagerd_t)
-
-ifdef(`distro_gentoo',`
- init_daemon_run_dir(mysqld_var_run_t, "mysqld")
-')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-12-18 8:06 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-12-18 8:06 UTC (permalink / raw
To: gentoo-commits
commit: ef8b075dd66d969312a54f2cc36dbf91d0017cb1
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Dec 18 08:04:39 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Dec 18 08:04:39 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ef8b075d
Typo in init_daemon_run(_)dir call
---
policy/modules/contrib/ldap.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/ldap.te b/policy/modules/contrib/ldap.te
index d2d5e94..768093d 100644
--- a/policy/modules/contrib/ldap.te
+++ b/policy/modules/contrib/ldap.te
@@ -150,7 +150,7 @@ optional_policy(`
')
ifdef(`distro_gentoo',`
- init_daemon_rundir(slapd_var_run_t, "openldap")
+ init_daemon_run_dir(slapd_var_run_t, "openldap")
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-12-17 8:52 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-12-17 8:52 UTC (permalink / raw
To: gentoo-commits
commit: d9c93e2772405ded03cb478b07bec4cfdbe9c23d
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Dec 17 08:48:06 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Dec 17 08:48:06 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=d9c93e27
Move gentoo stuff below
---
policy/modules/contrib/ldap.te | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/policy/modules/contrib/ldap.te b/policy/modules/contrib/ldap.te
index 131dc88..7629d1e 100644
--- a/policy/modules/contrib/ldap.te
+++ b/policy/modules/contrib/ldap.te
@@ -128,13 +128,6 @@ miscfiles_read_localization(slapd_t)
userdom_dontaudit_use_unpriv_user_fds(slapd_t)
userdom_dontaudit_search_user_home_dirs(slapd_t)
-ifdef(`distro_gentoo',`
- allow slapd_t self:process signal;
- allow slapd_t self:unix_stream_socket listen;
-
- userdom_use_user_terminals(slapd_t)
-')
-
optional_policy(`
kerberos_manage_host_rcache(slapd_t)
kerberos_read_keytab(slapd_t)
@@ -155,3 +148,10 @@ optional_policy(`
optional_policy(`
udev_read_db(slapd_t)
')
+
+ifdef(`distro_gentoo',`
+ allow slapd_t self:process signal;
+ allow slapd_t self:unix_stream_socket listen;
+
+ userdom_use_user_terminals(slapd_t)
+')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-12-17 8:12 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-12-17 8:12 UTC (permalink / raw
To: gentoo-commits
commit: 09f37279cf3542096882231e571f2286b1b883ab
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Sun Dec 15 19:09:33 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Dec 17 08:10:20 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=09f37279
userhelper: append newline
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/userhelper.fc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/userhelper.fc b/policy/modules/contrib/userhelper.fc
index c416a83..9fe1258 100644
--- a/policy/modules/contrib/userhelper.fc
+++ b/policy/modules/contrib/userhelper.fc
@@ -2,4 +2,4 @@
/usr/bin/consolehelper -- gen_context(system_u:object_r:consolehelper_exec_t,s0)
-/usr/sbin/userhelper -- gen_context(system_u:object_r:userhelper_exec_t,s0)
\ No newline at end of file
+/usr/sbin/userhelper -- gen_context(system_u:object_r:userhelper_exec_t,s0)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-12-16 14:14 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-12-16 14:14 UTC (permalink / raw
To: gentoo-commits
commit: f7816680a18cda6052a7f0077623bf1daf68928a
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon Dec 16 14:10:14 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Dec 16 14:10:14 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f7816680
Fix bug #488692 - Support portage_mount_fs
Portage might want to mount /boot in order to install new kernel
information. This is optional and users can disable this behavior by
setting DONT_MOUNT_BOOT.
For those users that do want Portage to mount /boot, they can now toggle
portage_mount_fs to allow this SELinux-wise.
https://bugs.gentoo.org/show_bug.cgi?id=488692
---
policy/modules/contrib/portage.te | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/policy/modules/contrib/portage.te b/policy/modules/contrib/portage.te
index 5a161e5..d5b29d6 100644
--- a/policy/modules/contrib/portage.te
+++ b/policy/modules/contrib/portage.te
@@ -350,6 +350,14 @@ ifdef(`hide_broken_symptoms',`
ifdef(`distro_gentoo',`
+## <desc>
+## <p>
+## Determine whether portage can mount file systems (used to mount /boot for instance).
+## </p>
+## </desc>
+gen_tunable(portage_mount_fs, false)
+
+
##########################################
#
# Type declarations
@@ -423,6 +431,12 @@ ifdef(`distro_gentoo',`
libs_relabel_lib_dirs(portage_t)
libs_relabel_lib_files(portage_t)
+ optional_policy(`
+ tunable_policy(`portage_mount_fs',`
+ mount_domtrans(portage_t)
+ ')
+ ')
+
##########################################
#
# Portage sandbox local policy
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-12-08 13:16 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-12-08 13:16 UTC (permalink / raw
To: gentoo-commits
commit: 324328767d6cd1cfbe6df9122c3131a3f1707f7f
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Sat Dec 7 17:17:30 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Dec 8 13:14:31 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=32432876
redis, lsm: typo fixes
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/lsm.if | 2 +-
policy/modules/contrib/redis.if | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/lsm.if b/policy/modules/contrib/lsm.if
index d314333..365ab6f 100644
--- a/policy/modules/contrib/lsm.if
+++ b/policy/modules/contrib/lsm.if
@@ -19,7 +19,7 @@
#
interface(`lsmd_admin',`
gen_require(`
- type lsmd_t, type lsmd_var_run_t;
+ type lsmd_t, lsmd_var_run_t;
')
allow $1 lsmd_t:process { ptrace signal_perms };
diff --git a/policy/modules/contrib/redis.if b/policy/modules/contrib/redis.if
index 16c8ecb..3969450 100644
--- a/policy/modules/contrib/redis.if
+++ b/policy/modules/contrib/redis.if
@@ -32,7 +32,7 @@ interface(`redis_admin',`
allow $2 system_r;
logging_search_logs($1)
- admin_pattern($!, redis_log_t)
+ admin_pattern($1, redis_log_t)
files_search_var_lib($1)
admin_pattern($1, redis_var_lib_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-11-30 15:05 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-11-30 15:05 UTC (permalink / raw
To: gentoo-commits
commit: b224ad2401c34b81a9d3b00dc96c7c704c9b2b90
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Tue Nov 26 13:53:50 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Nov 30 15:03:15 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b224ad24
Module version bumps for changes to various policy modules by Fedora
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/apache.te | 2 +-
policy/modules/contrib/apm.te | 2 +-
policy/modules/contrib/ctdb.te | 2 +-
policy/modules/contrib/gnome.te | 2 +-
policy/modules/contrib/gpg.te | 2 +-
policy/modules/contrib/mcelog.te | 2 +-
policy/modules/contrib/pegasus.te | 2 +-
policy/modules/contrib/postfix.te | 2 +-
policy/modules/contrib/setroubleshoot.te | 2 +-
policy/modules/contrib/smoltclient.te | 2 +-
policy/modules/contrib/sosreport.te | 2 +-
policy/modules/contrib/watchdog.te | 2 +-
policy/modules/contrib/zabbix.te | 2 +-
13 files changed, 13 insertions(+), 13 deletions(-)
diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index b911cb9..4960a8b 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -1,4 +1,4 @@
-policy_module(apache, 2.7.2)
+policy_module(apache, 2.7.3)
########################################
#
diff --git a/policy/modules/contrib/apm.te b/policy/modules/contrib/apm.te
index f8b0221..287f00f 100644
--- a/policy/modules/contrib/apm.te
+++ b/policy/modules/contrib/apm.te
@@ -1,4 +1,4 @@
-policy_module(apm, 1.12.0)
+policy_module(apm, 1.12.1)
########################################
#
diff --git a/policy/modules/contrib/ctdb.te b/policy/modules/contrib/ctdb.te
index 50e9960..e5f8c77 100644
--- a/policy/modules/contrib/ctdb.te
+++ b/policy/modules/contrib/ctdb.te
@@ -1,4 +1,4 @@
-policy_module(ctdb, 1.1.0)
+policy_module(ctdb, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te
index 37970df..e2510d3 100644
--- a/policy/modules/contrib/gnome.te
+++ b/policy/modules/contrib/gnome.te
@@ -1,4 +1,4 @@
-policy_module(gnome, 2.3.0)
+policy_module(gnome, 2.3.1)
##############################
#
diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index 36c63b3..140e889 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -1,4 +1,4 @@
-policy_module(gpg, 2.8.0)
+policy_module(gpg, 2.8.1)
########################################
#
diff --git a/policy/modules/contrib/mcelog.te b/policy/modules/contrib/mcelog.te
index d205da8..0e893ee 100644
--- a/policy/modules/contrib/mcelog.te
+++ b/policy/modules/contrib/mcelog.te
@@ -1,4 +1,4 @@
-policy_module(mcelog, 1.2.0)
+policy_module(mcelog, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/pegasus.te b/policy/modules/contrib/pegasus.te
index 266c176..fd70362 100644
--- a/policy/modules/contrib/pegasus.te
+++ b/policy/modules/contrib/pegasus.te
@@ -1,4 +1,4 @@
-policy_module(pegasus, 1.9.0)
+policy_module(pegasus, 1.9.1)
########################################
#
diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te
index 7f6687b..03a0092 100644
--- a/policy/modules/contrib/postfix.te
+++ b/policy/modules/contrib/postfix.te
@@ -1,4 +1,4 @@
-policy_module(postfix, 1.15.1)
+policy_module(postfix, 1.15.2)
########################################
#
diff --git a/policy/modules/contrib/setroubleshoot.te b/policy/modules/contrib/setroubleshoot.te
index ce67935..944c8b6 100644
--- a/policy/modules/contrib/setroubleshoot.te
+++ b/policy/modules/contrib/setroubleshoot.te
@@ -1,4 +1,4 @@
-policy_module(setroubleshoot, 1.12.1)
+policy_module(setroubleshoot, 1.12.2)
########################################
#
diff --git a/policy/modules/contrib/smoltclient.te b/policy/modules/contrib/smoltclient.te
index ab6009f..d5f64d9 100644
--- a/policy/modules/contrib/smoltclient.te
+++ b/policy/modules/contrib/smoltclient.te
@@ -1,4 +1,4 @@
-policy_module(smoltclient, 1.2.0)
+policy_module(smoltclient, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/sosreport.te b/policy/modules/contrib/sosreport.te
index de9ce16..90cf49e 100644
--- a/policy/modules/contrib/sosreport.te
+++ b/policy/modules/contrib/sosreport.te
@@ -1,4 +1,4 @@
-policy_module(sosreport, 1.3.1)
+policy_module(sosreport, 1.3.2)
########################################
#
diff --git a/policy/modules/contrib/watchdog.te b/policy/modules/contrib/watchdog.te
index 3a65089..25c70df 100644
--- a/policy/modules/contrib/watchdog.te
+++ b/policy/modules/contrib/watchdog.te
@@ -1,4 +1,4 @@
-policy_module(watchdog, 1.8.0)
+policy_module(watchdog, 1.8.1)
#################################
#
diff --git a/policy/modules/contrib/zabbix.te b/policy/modules/contrib/zabbix.te
index 159b5cf..eec1dcb 100644
--- a/policy/modules/contrib/zabbix.te
+++ b/policy/modules/contrib/zabbix.te
@@ -1,4 +1,4 @@
-policy_module(zabbix, 1.6.0)
+policy_module(zabbix, 1.6.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-11-30 15:05 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-11-30 15:05 UTC (permalink / raw
To: gentoo-commits
commit: 517ad665066571c4a9c27ea3466897818dc4f93d
Author: Dan Walsh <dwalsh <AT> redhat <DOT> com>
AuthorDate: Thu Nov 21 15:29:31 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Nov 30 15:01:50 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=517ad665
Add apache labeling for glpi
---
policy/modules/contrib/apache.fc | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/apache.fc b/policy/modules/contrib/apache.fc
index 70cf26b..69d89db 100644
--- a/policy/modules/contrib/apache.fc
+++ b/policy/modules/contrib/apache.fc
@@ -7,6 +7,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)? gen_context(system_u:objec
/etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
/etc/cherokee(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
/etc/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/glpi(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/etc/horde(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/etc/httpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
@@ -64,6 +65,7 @@ ifdef(`distro_suse',`
/usr/share/doc/ghc/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/drupal.* gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/glpi(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/jetty/bin/jetty\.sh -- gen_context(system_u:object_r:httpd_exec_t,s0)
@@ -102,6 +104,7 @@ ifdef(`distro_suse',`
/var/lib/php(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
/var/lib/dokuwiki(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/var/lib/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/glpi(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
/var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
/var/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
@@ -120,6 +123,7 @@ ifdef(`distro_suse',`
/var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/cherokee(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/dirsrv/admin-serv(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/glpi(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-11-30 15:05 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-11-30 15:05 UTC (permalink / raw
To: gentoo-commits
commit: 468f0734235b38414fc8be4750cf95eac324d406
Author: Miroslav Grepl <mgrepl <AT> redhat <DOT> com>
AuthorDate: Wed Nov 20 13:28:46 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Nov 30 15:01:55 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=468f0734
Allow setpgid for sosreport
---
policy/modules/contrib/sosreport.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/sosreport.te b/policy/modules/contrib/sosreport.te
index 1e5be0c..de9ce16 100644
--- a/policy/modules/contrib/sosreport.te
+++ b/policy/modules/contrib/sosreport.te
@@ -33,7 +33,7 @@ optional_policy(`
allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice dac_override };
dontaudit sosreport_t self:capability sys_ptrace;
-allow sosreport_t self:process { setsched signal_perms };
+allow sosreport_t self:process { setsched setpgid signal_perms };
allow sosreport_t self:fifo_file rw_fifo_file_perms;
allow sosreport_t self:tcp_socket { accept listen };
allow sosreport_t self:unix_stream_socket { accept listen };
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-11-30 15:05 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-11-30 15:05 UTC (permalink / raw
To: gentoo-commits
commit: 5b228de5b99214bd7d3fced3c681a6def296d2ca
Author: Dan Walsh <dwalsh <AT> redhat <DOT> com>
AuthorDate: Mon Nov 18 16:44:40 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Nov 30 15:03:09 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=5b228de5
label mate-keyring-daemon with gkeyringd_exec_t
---
policy/modules/contrib/gnome.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/gnome.fc b/policy/modules/contrib/gnome.fc
index c922144..209314b 100644
--- a/policy/modules/contrib/gnome.fc
+++ b/policy/modules/contrib/gnome.fc
@@ -12,5 +12,6 @@ HOME_DIR/\.gnome2_private(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
/tmp/gconfd-USER/.* -- gen_context(system_u:object_r:gconf_tmp_t,s0)
/usr/bin/gnome-keyring-daemon -- gen_context(system_u:object_r:gkeyringd_exec_t,s0)
+/usr/bin/mate-keyring-daemon -- gen_context(system_u:object_r:gkeyringd_exec_t,s0)
/usr/lib/[^/]*/gconf/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-11-30 15:05 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-11-30 15:05 UTC (permalink / raw
To: gentoo-commits
commit: 22977b4e2ffaa47081454bd94351cc6cd19daad6
Author: Dan Walsh <dwalsh <AT> redhat <DOT> com>
AuthorDate: Mon Nov 18 16:49:41 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Nov 30 15:02:01 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=22977b4e
Allow postfix programs to getattr on all executables
---
policy/modules/contrib/postfix.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te
index dd7259f..7f6687b 100644
--- a/policy/modules/contrib/postfix.te
+++ b/policy/modules/contrib/postfix.te
@@ -144,6 +144,7 @@ fs_rw_anon_inodefs_files(postfix_domain)
term_dontaudit_use_console(postfix_domain)
corecmd_exec_shell(postfix_domain)
+corecmd_getattr_all_executables(postfix_domain)
files_read_etc_runtime_files(postfix_domain)
files_read_usr_files(postfix_domain)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-11-30 15:05 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-11-30 15:05 UTC (permalink / raw
To: gentoo-commits
commit: c9f1f3206c9026fa56ba928f6c567b1232a4776e
Author: Dan Walsh <dwalsh <AT> redhat <DOT> com>
AuthorDate: Thu Nov 21 15:17:21 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Nov 30 15:01:53 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=c9f1f320
Allow pegasus to transition to dmidecode
---
policy/modules/contrib/pegasus.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/pegasus.te b/policy/modules/contrib/pegasus.te
index 608f454..266c176 100644
--- a/policy/modules/contrib/pegasus.te
+++ b/policy/modules/contrib/pegasus.te
@@ -143,6 +143,10 @@ optional_policy(`
')
optional_policy(`
+ dmidecode_domtrans(pegasus_t)
+')
+
+optional_policy(`
hostname_exec(pegasus_t)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-11-30 15:05 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-11-30 15:05 UTC (permalink / raw
To: gentoo-commits
commit: 2711da8e5cee2c1e5de1b7aa1fb4628762e5f2c1
Author: Dan Walsh <dwalsh <AT> redhat <DOT> com>
AuthorDate: Wed Nov 20 14:23:41 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Nov 30 15:01:57 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=2711da8e
Allow mcelog to use the /dev/cpu device
---
policy/modules/contrib/mcelog.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/mcelog.te b/policy/modules/contrib/mcelog.te
index 59b3b3d..d205da8 100644
--- a/policy/modules/contrib/mcelog.te
+++ b/policy/modules/contrib/mcelog.te
@@ -86,6 +86,7 @@ kernel_read_system_state(mcelog_t)
dev_read_raw_memory(mcelog_t)
dev_read_kmsg(mcelog_t)
+dev_rw_cpu_microcode(mcelog_t)
dev_rw_sysfs(mcelog_t)
files_read_etc_files(mcelog_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-11-30 15:05 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-11-30 15:05 UTC (permalink / raw
To: gentoo-commits
commit: 258963e67e1e0c59ea28d8f852ceb2bcf67a517b
Author: Dan Walsh <dwalsh <AT> redhat <DOT> com>
AuthorDate: Mon Nov 18 17:29:57 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Nov 30 15:01:59 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=258963e6
Allow apmd to request the kernel load modules
---
policy/modules/contrib/apm.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/apm.te b/policy/modules/contrib/apm.te
index 7fd431b..f8b0221 100644
--- a/policy/modules/contrib/apm.te
+++ b/policy/modules/contrib/apm.te
@@ -90,6 +90,7 @@ kernel_read_kernel_sysctls(apmd_t)
kernel_rw_all_sysctls(apmd_t)
kernel_read_system_state(apmd_t)
kernel_write_proc_files(apmd_t)
+kernel_request_load_module(apmd_t)
dev_read_input(apmd_t)
dev_read_mouse(apmd_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-11-30 15:05 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-11-30 15:05 UTC (permalink / raw
To: gentoo-commits
commit: 996cb21a3c261e9d5617709b05f495284ad5cb66
Author: Dan Walsh <dwalsh <AT> redhat <DOT> com>
AuthorDate: Mon Nov 25 15:09:29 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Nov 30 15:01:49 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=996cb21a
Allow gpg_agent to use ssh-add
---
policy/modules/contrib/gpg.te | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index a8bad37..36c63b3 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -210,7 +210,7 @@ tunable_policy(`use_samba_home_dirs',`
# Agent local policy
#
-allow gpg_agent_t self:process setrlimit;
+allow gpg_agent_t self:process { setrlimit signal_perms };
allow gpg_agent_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow gpg_agent_t self:fifo_file rw_fifo_file_perms;
@@ -229,7 +229,10 @@ filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "log-so
domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t)
kernel_dontaudit_search_sysctl(gpg_agent_t)
+kernel_read_core_if(gpg_agent_t)
+kernel_read_system_state(gpg_agent_t)
+corecmd_exec_bin(gpg_agent_t)
corecmd_exec_shell(gpg_agent_t)
dev_read_rand(gpg_agent_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-11-30 15:05 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-11-30 15:05 UTC (permalink / raw
To: gentoo-commits
commit: 05ce8bd48d6021e62a1164d8cf677ef808aa9541
Author: Miroslav Grepl <mgrepl <AT> redhat <DOT> com>
AuthorDate: Mon Nov 25 10:09:57 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Nov 30 15:01:39 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=05ce8bd4
Allow sosreport all signal perms
---
policy/modules/contrib/sosreport.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/sosreport.te b/policy/modules/contrib/sosreport.te
index 21972f1..8521083 100644
--- a/policy/modules/contrib/sosreport.te
+++ b/policy/modules/contrib/sosreport.te
@@ -33,7 +33,7 @@ optional_policy(`
allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice dac_override };
dontaudit sosreport_t self:capability sys_ptrace;
-allow sosreport_t self:process { setsched signull };
+allow sosreport_t self:process { setsched signal_perms };
allow sosreport_t self:fifo_file rw_fifo_file_perms;
allow sosreport_t self:tcp_socket { accept listen };
allow sosreport_t self:unix_stream_socket { accept listen };
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-11-30 15:05 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-11-30 15:05 UTC (permalink / raw
To: gentoo-commits
commit: 5955e8de89ae9baaee6fd3a952a2d38f7cb7f398
Author: Miroslav Grepl <mgrepl <AT> redhat <DOT> com>
AuthorDate: Fri Nov 22 11:05:57 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Nov 30 15:01:45 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=5955e8de
Allow smoltclient to execute ldconfig
---
policy/modules/contrib/smoltclient.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/smoltclient.te b/policy/modules/contrib/smoltclient.te
index b3f2c6f..ab6009f 100644
--- a/policy/modules/contrib/smoltclient.te
+++ b/policy/modules/contrib/smoltclient.te
@@ -77,6 +77,10 @@ optional_policy(`
')
optional_policy(`
+ libs_exec_ldconfig(smoltclient_t)
+')
+
+optional_policy(`
rpm_exec(smoltclient_t)
rpm_read_db(smoltclient_t)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-11-30 15:05 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-11-30 15:05 UTC (permalink / raw
To: gentoo-commits
commit: 57fe113391ac54fc8e2c03b38a6bf35a87b8aae2
Author: Miroslav Grepl <mgrepl <AT> redhat <DOT> com>
AuthorDate: Mon Nov 25 08:39:11 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Nov 30 15:01:43 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=57fe1133
Allow zabbix_agentd to read all domain state
---
policy/modules/contrib/zabbix.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/zabbix.te b/policy/modules/contrib/zabbix.te
index 7f496c6..159b5cf 100644
--- a/policy/modules/contrib/zabbix.te
+++ b/policy/modules/contrib/zabbix.te
@@ -177,7 +177,7 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t)
dev_getattr_all_blk_files(zabbix_agent_t)
dev_getattr_all_chr_files(zabbix_agent_t)
-domain_search_all_domains_state(zabbix_agent_t)
+domain_read_all_domains_state(zabbix_agent_t)
files_getattr_all_dirs(zabbix_agent_t)
files_getattr_all_files(zabbix_agent_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-11-30 15:05 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-11-30 15:05 UTC (permalink / raw
To: gentoo-commits
commit: e14af72bda55082f4228717f1ef45d456bf625b6
Author: Miroslav Grepl <mgrepl <AT> redhat <DOT> com>
AuthorDate: Fri Nov 22 10:08:46 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Nov 30 15:01:47 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e14af72b
Allow sosreport to request the kernel to load a module
---
policy/modules/contrib/sosreport.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/sosreport.te b/policy/modules/contrib/sosreport.te
index 577908a..1e5be0c 100644
--- a/policy/modules/contrib/sosreport.te
+++ b/policy/modules/contrib/sosreport.te
@@ -58,6 +58,7 @@ kernel_read_all_sysctls(sosreport_t)
kernel_read_software_raid_state(sosreport_t)
kernel_search_debugfs(sosreport_t)
kernel_read_messages(sosreport_t)
+kernel_request_load_module(sosreport_t)
corecmd_exec_all_executables(sosreport_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-11-30 15:05 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-11-30 15:05 UTC (permalink / raw
To: gentoo-commits
commit: f75ae3be0b9303f294ab1adbfaeb3178b9d5fddd
Author: Miroslav Grepl <mgrepl <AT> redhat <DOT> com>
AuthorDate: Mon Nov 25 10:18:34 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Nov 30 15:01:37 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f75ae3be
Allow sosreport to send signull to setroubleshootd
---
policy/modules/contrib/sosreport.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/sosreport.te b/policy/modules/contrib/sosreport.te
index f2f507d..21972f1 100644
--- a/policy/modules/contrib/sosreport.te
+++ b/policy/modules/contrib/sosreport.te
@@ -157,5 +157,9 @@ optional_policy(`
')
optional_policy(`
+ setroubleshoot_signull(sosreport_t)
+')
+
+optional_policy(`
xserver_stream_connect(sosreport_t)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-11-30 15:05 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-11-30 15:05 UTC (permalink / raw
To: gentoo-commits
commit: 89835ea3aa0be924bf572477761d1320ca20377e
Author: Miroslav Grepl <mgrepl <AT> redhat <DOT> com>
AuthorDate: Mon Nov 25 10:06:56 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Nov 30 15:01:41 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=89835ea3
Allow sosreport to dbus chat with rpm
---
policy/modules/contrib/sosreport.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/sosreport.te b/policy/modules/contrib/sosreport.te
index 8521083..577908a 100644
--- a/policy/modules/contrib/sosreport.te
+++ b/policy/modules/contrib/sosreport.te
@@ -136,6 +136,10 @@ optional_policy(`
optional_policy(`
hal_dbus_chat(sosreport_t)
')
+
+ optional_policy(`
+ rpm_dbus_chat(sosreport_t)
+ ')
')
optional_policy(`
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-11-30 15:05 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-11-30 15:05 UTC (permalink / raw
To: gentoo-commits
commit: 4fb568ad47d81809ce9b3820fbfa8489d7a2f47c
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Nov 30 14:59:35 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Nov 30 14:59:35 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=4fb568ad
Add permissions for new portage features
Portage 2.2 introduces the new features "cgroup", "ipc-sandbox" and
"network-sandbox" for better sandboxing of the build phase.
Signed-off-by: Luis Ressel <aranea <AT> aixah.de>
---
policy/modules/contrib/portage.te | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/policy/modules/contrib/portage.te b/policy/modules/contrib/portage.te
index 5230679..5a161e5 100644
--- a/policy/modules/contrib/portage.te
+++ b/policy/modules/contrib/portage.te
@@ -393,6 +393,10 @@ ifdef(`distro_gentoo',`
#
# Portage local policy
#
+
+ # Support ipc-sandbox and network-sandbox FEATURES
+ allow portage_t self:capability { net_admin sys_admin };
+
allow portage_t self:capability2 block_suspend;
# Support self-update of Portage
@@ -410,6 +414,10 @@ ifdef(`distro_gentoo',`
auth_use_nsswitch(portage_t)
+ # Support cgroup FEATURES
+ fs_mount_cgroup(portage_t)
+ fs_mounton_cgroup(portage_t)
+
libs_generic_etc_filetrans_ld_so_cache(portage_t, file, "ld.so.cache~")
# Support self-update of Portage
libs_relabel_lib_dirs(portage_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-11-30 15:05 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-11-30 15:05 UTC (permalink / raw
To: gentoo-commits
commit: 504ddb3df9bc759ece6a4ce53de413a210af2999
Author: Miroslav Grepl <mgrepl <AT> redhat <DOT> com>
AuthorDate: Mon Nov 25 10:18:05 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Nov 30 15:01:35 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=504ddb3d
Add setroubleshoot_signull() interface
---
policy/modules/contrib/setroubleshoot.if | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/policy/modules/contrib/setroubleshoot.if b/policy/modules/contrib/setroubleshoot.if
index 3a9a70b..800b545 100644
--- a/policy/modules/contrib/setroubleshoot.if
+++ b/policy/modules/contrib/setroubleshoot.if
@@ -42,6 +42,24 @@ interface(`setroubleshoot_dontaudit_stream_connect',`
dontaudit $1 setroubleshootd_t:unix_stream_socket connectto;
')
+#######################################
+## <summary>
+## Send null signals to setroubleshoot.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`setroubleshoot_signull',`
+ gen_require(`
+ type setroubleshootd_t;
+ ')
+
+ allow $1 setroubleshootd_t:process signull;
+')
+
########################################
## <summary>
## Send and receive messages from
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-11-30 15:05 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-11-30 15:05 UTC (permalink / raw
To: gentoo-commits
commit: 50a8968a965d48faff55154136dc10c1d4dd2cdc
Author: Miroslav Grepl <mgrepl <AT> redhat <DOT> com>
AuthorDate: Mon Nov 25 13:09:03 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Nov 30 15:01:32 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=50a8968a
Watchdog opens the raw socket
---
policy/modules/contrib/watchdog.te | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/watchdog.te b/policy/modules/contrib/watchdog.te
index 3548317..b32e643 100644
--- a/policy/modules/contrib/watchdog.te
+++ b/policy/modules/contrib/watchdog.te
@@ -23,10 +23,11 @@ files_pid_file(watchdog_var_run_t)
# Local policy
#
-allow watchdog_t self:capability { sys_admin net_admin sys_boot ipc_lock sys_pacct sys_nice sys_resource };
+allow watchdog_t self:capability { sys_admin net_admin sys_boot ipc_lock sys_pacct sys_nice sys_resource net_raw };
dontaudit watchdog_t self:capability sys_tty_config;
allow watchdog_t self:process { setsched signal_perms };
allow watchdog_t self:fifo_file rw_fifo_file_perms;
+allow watchdog_t self:rawip_socket create_socket_perms;
allow watchdog_t self:tcp_socket { accept listen };
allow watchdog_t watchdog_log_t:file { append_file_perms create_file_perms setattr_file_perms };
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-11-30 15:05 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-11-30 15:05 UTC (permalink / raw
To: gentoo-commits
commit: 72706d9d9f1c9984e032746b526f2eecb3799f65
Author: Miroslav Grepl <mgrepl <AT> redhat <DOT> com>
AuthorDate: Mon Nov 25 14:09:56 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Nov 30 15:01:27 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=72706d9d
Allow ctdb to getattr on al filesystems
---
policy/modules/contrib/ctdb.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/contrib/ctdb.te b/policy/modules/contrib/ctdb.te
index 001b502..50e9960 100644
--- a/policy/modules/contrib/ctdb.te
+++ b/policy/modules/contrib/ctdb.te
@@ -88,6 +88,8 @@ domain_dontaudit_read_all_domains_state(ctdbd_t)
files_read_etc_files(ctdbd_t)
files_search_all_mountpoints(ctdbd_t)
+fs_getattr_all_fs(ctdbd_t)
+
logging_send_syslog_msg(ctdbd_t)
miscfiles_read_localization(ctdbd_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-11-30 15:05 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-11-30 15:05 UTC (permalink / raw
To: gentoo-commits
commit: f900225645648b8e375758837d484f1ff900186d
Author: Miroslav Grepl <mgrepl <AT> redhat <DOT> com>
AuthorDate: Mon Nov 25 13:07:20 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Nov 30 15:01:33 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f9002256
Allow watchdog to read network state info
---
policy/modules/contrib/watchdog.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/watchdog.te b/policy/modules/contrib/watchdog.te
index b32e643..3a65089 100644
--- a/policy/modules/contrib/watchdog.te
+++ b/policy/modules/contrib/watchdog.te
@@ -36,6 +36,7 @@ logging_log_filetrans(watchdog_t, watchdog_log_t, file)
manage_files_pattern(watchdog_t, watchdog_var_run_t, watchdog_var_run_t)
files_pid_filetrans(watchdog_t, watchdog_var_run_t, file)
+kernel_read_network_state(watchdog_t)
kernel_read_system_state(watchdog_t)
kernel_read_kernel_sysctls(watchdog_t)
kernel_unmount_proc(watchdog_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-11-30 15:05 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-11-30 15:05 UTC (permalink / raw
To: gentoo-commits
commit: 93bbe230db810b0d76f93de2e0e668425ee9741b
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Tue Nov 26 12:42:58 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Nov 30 15:01:26 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=93bbe230
Git: git daemons can list and read git personal repositories
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/git.te | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/policy/modules/contrib/git.te b/policy/modules/contrib/git.te
index dc49c71..8fdbfef 100644
--- a/policy/modules/contrib/git.te
+++ b/policy/modules/contrib/git.te
@@ -1,4 +1,4 @@
-policy_module(git, 1.3.2)
+policy_module(git, 1.3.3)
########################################
#
@@ -106,8 +106,6 @@ userdom_user_home_content(git_user_content_t)
allow git_session_t self:tcp_socket { accept listen };
-list_dirs_pattern(git_session_t, git_user_content_t, git_user_content_t)
-read_files_pattern(git_session_t, git_user_content_t, git_user_content_t)
userdom_search_user_home_dirs(git_session_t)
corenet_all_recvfrom_netlabel(git_session_t)
@@ -266,6 +264,9 @@ tunable_policy(`git_cgi_use_nfs',`
allow git_daemon self:fifo_file rw_fifo_file_perms;
+list_dirs_pattern(git_daemon, git_user_content_t, git_user_content_t)
+read_files_pattern(git_daemon, git_user_content_t, git_user_content_t)
+
kernel_read_system_state(git_daemon)
corecmd_exec_bin(git_daemon)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-11-25 19:16 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-11-25 19:16 UTC (permalink / raw
To: gentoo-commits
commit: bfa6b5d9134d2d9b721a94d9ef74f3698eab0fa4
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Thu Nov 14 13:36:07 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Nov 25 19:14:38 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=bfa6b5d9
Module version bumps for various policy modules
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/alsa.te | 2 +-
policy/modules/contrib/apt.te | 2 +-
policy/modules/contrib/avahi.te | 2 +-
policy/modules/contrib/colord.te | 2 +-
policy/modules/contrib/cups.te | 2 +-
policy/modules/contrib/devicekit.te | 2 +-
policy/modules/contrib/dpkg.te | 2 +-
policy/modules/contrib/exim.te | 2 +-
policy/modules/contrib/firewalld.te | 2 +-
policy/modules/contrib/gdomap.te | 2 +-
policy/modules/contrib/irqbalance.te | 2 +-
policy/modules/contrib/mandb.te | 2 +-
policy/modules/contrib/minissdpd.te | 2 +-
policy/modules/contrib/networkmanager.te | 2 +-
policy/modules/contrib/ntp.te | 2 +-
policy/modules/contrib/pulseaudio.te | 2 +-
policy/modules/contrib/rngd.te | 2 +-
policy/modules/contrib/rpc.te | 2 +-
policy/modules/contrib/rpcbind.te | 2 +-
policy/modules/contrib/tmpreaper.te | 2 +-
policy/modules/contrib/vdagent.te | 2 +-
policy/modules/contrib/virt.te | 2 +-
22 files changed, 22 insertions(+), 22 deletions(-)
diff --git a/policy/modules/contrib/alsa.te b/policy/modules/contrib/alsa.te
index 75817d2..ee2c99b 100644
--- a/policy/modules/contrib/alsa.te
+++ b/policy/modules/contrib/alsa.te
@@ -1,4 +1,4 @@
-policy_module(alsa, 1.12.2)
+policy_module(alsa, 1.12.3)
########################################
#
diff --git a/policy/modules/contrib/apt.te b/policy/modules/contrib/apt.te
index efa8530..d9265ae 100644
--- a/policy/modules/contrib/apt.te
+++ b/policy/modules/contrib/apt.te
@@ -1,4 +1,4 @@
-policy_module(apt, 1.8.1)
+policy_module(apt, 1.8.2)
########################################
#
diff --git a/policy/modules/contrib/avahi.te b/policy/modules/contrib/avahi.te
index b8355b3..0b1e5f6 100644
--- a/policy/modules/contrib/avahi.te
+++ b/policy/modules/contrib/avahi.te
@@ -1,4 +1,4 @@
-policy_module(avahi, 1.14.1)
+policy_module(avahi, 1.14.2)
########################################
#
diff --git a/policy/modules/contrib/colord.te b/policy/modules/contrib/colord.te
index 9f2dfb2..7d0bd8e 100644
--- a/policy/modules/contrib/colord.te
+++ b/policy/modules/contrib/colord.te
@@ -1,4 +1,4 @@
-policy_module(colord, 1.1.0)
+policy_module(colord, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te
index c91813c..57ea587 100644
--- a/policy/modules/contrib/cups.te
+++ b/policy/modules/contrib/cups.te
@@ -1,4 +1,4 @@
-policy_module(cups, 1.16.2)
+policy_module(cups, 1.16.3)
########################################
#
diff --git a/policy/modules/contrib/devicekit.te b/policy/modules/contrib/devicekit.te
index 77a5003..010f7fb 100644
--- a/policy/modules/contrib/devicekit.te
+++ b/policy/modules/contrib/devicekit.te
@@ -1,4 +1,4 @@
-policy_module(devicekit, 1.3.1)
+policy_module(devicekit, 1.3.2)
########################################
#
diff --git a/policy/modules/contrib/dpkg.te b/policy/modules/contrib/dpkg.te
index 50af48c..2d8434d 100644
--- a/policy/modules/contrib/dpkg.te
+++ b/policy/modules/contrib/dpkg.te
@@ -1,4 +1,4 @@
-policy_module(dpkg, 1.10.1)
+policy_module(dpkg, 1.10.2)
########################################
#
diff --git a/policy/modules/contrib/exim.te b/policy/modules/contrib/exim.te
index 4086c51..7641c93 100644
--- a/policy/modules/contrib/exim.te
+++ b/policy/modules/contrib/exim.te
@@ -1,4 +1,4 @@
-policy_module(exim, 1.6.1)
+policy_module(exim, 1.6.2)
########################################
#
diff --git a/policy/modules/contrib/firewalld.te b/policy/modules/contrib/firewalld.te
index 98072a3..c54025f 100644
--- a/policy/modules/contrib/firewalld.te
+++ b/policy/modules/contrib/firewalld.te
@@ -1,4 +1,4 @@
-policy_module(firewalld, 1.1.1)
+policy_module(firewalld, 1.1.2)
########################################
#
diff --git a/policy/modules/contrib/gdomap.te b/policy/modules/contrib/gdomap.te
index db7b56c..9004ce7 100644
--- a/policy/modules/contrib/gdomap.te
+++ b/policy/modules/contrib/gdomap.te
@@ -1,4 +1,4 @@
-policy_module(gdomap, 1.0.1)
+policy_module(gdomap, 1.0.2)
########################################
#
diff --git a/policy/modules/contrib/irqbalance.te b/policy/modules/contrib/irqbalance.te
index e1f302d..80984f3 100644
--- a/policy/modules/contrib/irqbalance.te
+++ b/policy/modules/contrib/irqbalance.te
@@ -1,4 +1,4 @@
-policy_module(irqbalance, 1.6.0)
+policy_module(irqbalance, 1.6.1)
########################################
#
diff --git a/policy/modules/contrib/mandb.te b/policy/modules/contrib/mandb.te
index e6136fd..cdb19c5 100644
--- a/policy/modules/contrib/mandb.te
+++ b/policy/modules/contrib/mandb.te
@@ -1,4 +1,4 @@
-policy_module(mandb, 1.1.1)
+policy_module(mandb, 1.1.2)
########################################
#
diff --git a/policy/modules/contrib/minissdpd.te b/policy/modules/contrib/minissdpd.te
index 34d75a7..6b58d5d 100644
--- a/policy/modules/contrib/minissdpd.te
+++ b/policy/modules/contrib/minissdpd.te
@@ -1,4 +1,4 @@
-policy_module(minissdpd, 1.0.0)
+policy_module(minissdpd, 1.0.1)
########################################
#
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index c27e24b..7173fa4 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -1,4 +1,4 @@
-policy_module(networkmanager, 1.15.2)
+policy_module(networkmanager, 1.15.3)
########################################
#
diff --git a/policy/modules/contrib/ntp.te b/policy/modules/contrib/ntp.te
index f81b113..b2b20ba 100644
--- a/policy/modules/contrib/ntp.te
+++ b/policy/modules/contrib/ntp.te
@@ -1,4 +1,4 @@
-policy_module(ntp, 1.11.0)
+policy_module(ntp, 1.11.1)
########################################
#
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index 6643b49..4b1bbc1 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -1,4 +1,4 @@
-policy_module(pulseaudio, 1.6.0)
+policy_module(pulseaudio, 1.6.1)
########################################
#
diff --git a/policy/modules/contrib/rngd.te b/policy/modules/contrib/rngd.te
index a7b7717..dcd1d5a 100644
--- a/policy/modules/contrib/rngd.te
+++ b/policy/modules/contrib/rngd.te
@@ -1,4 +1,4 @@
-policy_module(rngd, 1.1.0)
+policy_module(rngd, 1.1.1)
########################################
#
diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
index 37001dc..ce051c2 100644
--- a/policy/modules/contrib/rpc.te
+++ b/policy/modules/contrib/rpc.te
@@ -1,4 +1,4 @@
-policy_module(rpc, 1.15.1)
+policy_module(rpc, 1.15.2)
########################################
#
diff --git a/policy/modules/contrib/rpcbind.te b/policy/modules/contrib/rpcbind.te
index 54de77c..814cb46 100644
--- a/policy/modules/contrib/rpcbind.te
+++ b/policy/modules/contrib/rpcbind.te
@@ -1,4 +1,4 @@
-policy_module(rpcbind, 1.6.1)
+policy_module(rpcbind, 1.6.2)
########################################
#
diff --git a/policy/modules/contrib/tmpreaper.te b/policy/modules/contrib/tmpreaper.te
index 585a77f..efdb2ab 100644
--- a/policy/modules/contrib/tmpreaper.te
+++ b/policy/modules/contrib/tmpreaper.te
@@ -1,4 +1,4 @@
-policy_module(tmpreaper, 1.7.1)
+policy_module(tmpreaper, 1.7.2)
########################################
#
diff --git a/policy/modules/contrib/vdagent.te b/policy/modules/contrib/vdagent.te
index 87da8a2..974729e 100644
--- a/policy/modules/contrib/vdagent.te
+++ b/policy/modules/contrib/vdagent.te
@@ -1,4 +1,4 @@
-policy_module(vdagent, 1.1.1)
+policy_module(vdagent, 1.1.2)
########################################
#
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 08c818d..590ad2a 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1,4 +1,4 @@
-policy_module(virt, 1.7.4)
+policy_module(virt, 1.7.5)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-11-25 19:16 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-11-25 19:16 UTC (permalink / raw
To: gentoo-commits
commit: 81ba44cd97e9e66522f60c883d94c190dc4ed16e
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Thu Nov 14 13:25:19 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Nov 25 19:14:35 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=81ba44cd
dnsmasq: add support for /etc/dnsmasq.d/
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/dnsmasq.fc | 1 +
policy/modules/contrib/dnsmasq.te | 2 +-
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/dnsmasq.fc b/policy/modules/contrib/dnsmasq.fc
index 23ab808..6bc891a 100644
--- a/policy/modules/contrib/dnsmasq.fc
+++ b/policy/modules/contrib/dnsmasq.fc
@@ -1,4 +1,5 @@
/etc/dnsmasq\.conf -- gen_context(system_u:object_r:dnsmasq_etc_t,s0)
+/etc/dnsmasq\.d(/.*)? gen_context(system_u:object_r:dnsmasq_etc_t,s0)
/etc/rc\.d/init\.d/dnsmasq -- gen_context(system_u:object_r:dnsmasq_initrc_exec_t,s0)
diff --git a/policy/modules/contrib/dnsmasq.te b/policy/modules/contrib/dnsmasq.te
index 66aa6d7..0c058c1 100644
--- a/policy/modules/contrib/dnsmasq.te
+++ b/policy/modules/contrib/dnsmasq.te
@@ -1,4 +1,4 @@
-policy_module(dnsmasq, 1.10.0)
+policy_module(dnsmasq, 1.10.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-11-25 19:16 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-11-25 19:16 UTC (permalink / raw
To: gentoo-commits
commit: c0bf911c7cde2a7746f3ee475626d3e078789c36
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Tue Nov 19 08:36:22 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Nov 25 19:14:40 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=c0bf911c
Module version bump for changes to the logrotate module by Luis Ressel
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/logrotate.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/logrotate.te b/policy/modules/contrib/logrotate.te
index 8e871fe..3968c77 100644
--- a/policy/modules/contrib/logrotate.te
+++ b/policy/modules/contrib/logrotate.te
@@ -1,4 +1,4 @@
-policy_module(logrotate, 1.15.0)
+policy_module(logrotate, 1.15.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-11-25 19:16 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-11-25 19:16 UTC (permalink / raw
To: gentoo-commits
commit: 4da95bcbc783096eee848f78e13e673d33c4e785
Author: Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Sun Nov 17 12:53:07 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Nov 25 19:14:39 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=4da95bcb
Label /etc/cron.daily/logrotate correctly.
This is used at least on Gentoo, but I could imagine this also exists on
other distros.
---
policy/modules/contrib/logrotate.fc | 1 +
policy/modules/contrib/logrotate.te | 2 +-
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/logrotate.fc b/policy/modules/contrib/logrotate.fc
index a11d5be..207ec10 100644
--- a/policy/modules/contrib/logrotate.fc
+++ b/policy/modules/contrib/logrotate.fc
@@ -1,3 +1,4 @@
+/etc/cron\.(daily|weekly)/logrotate -- gen_context(system_u:object_r:logrotate_exec_t,s0)
/etc/cron\.(daily|weekly)/sysklogd -- gen_context(system_u:object_r:logrotate_exec_t,s0)
/usr/sbin/logrotate -- gen_context(system_u:object_r:logrotate_exec_t,s0)
diff --git a/policy/modules/contrib/logrotate.te b/policy/modules/contrib/logrotate.te
index be0ab84..8e871fe 100644
--- a/policy/modules/contrib/logrotate.te
+++ b/policy/modules/contrib/logrotate.te
@@ -57,7 +57,7 @@ manage_files_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t)
read_lnk_files_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t)
files_var_lib_filetrans(logrotate_t, logrotate_var_lib_t, file)
-can_exec(logrotate_t, logrotate_tmp_t)
+can_exec(logrotate_t, { logrotate_exec_t logrotate_tmp_t })
kernel_read_system_state(logrotate_t)
kernel_read_kernel_sysctls(logrotate_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-11-25 17:25 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-11-25 17:25 UTC (permalink / raw
To: gentoo-commits
commit: 1b3c2a4cd3001474e3068bb3dc9a91181e7db187
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon Nov 25 17:24:23 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Nov 25 17:24:23 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=1b3c2a4c
Allow webcam detection
Without getattr rights on /dev/initctl, the Google Talk plugin does not
detect any webcams. Once enabled, the detection works again.
---
policy/modules/contrib/googletalk.te | 3 +++
1 file changed, 3 insertions(+)
diff --git a/policy/modules/contrib/googletalk.te b/policy/modules/contrib/googletalk.te
index fdc24fc..5a71f60 100644
--- a/policy/modules/contrib/googletalk.te
+++ b/policy/modules/contrib/googletalk.te
@@ -65,6 +65,9 @@ fs_getattr_tmpfs(googletalk_plugin_t)
term_dontaudit_getattr_unallocated_ttys(googletalk_plugin_t)
+# Needed to find video device?
+init_getattr_initctl(googletalk_plugin_t)
+
logging_send_syslog_msg(googletalk_plugin_t)
miscfiles_read_localization(googletalk_plugin_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-11-17 17:26 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-11-17 17:26 UTC (permalink / raw
To: gentoo-commits
commit: fe13dade470726433df03df4ffa9f5429a253b25
Author: Miroslav Grepl <mgrepl <AT> redhat <DOT> com>
AuthorDate: Wed Nov 13 15:14:44 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Nov 17 17:21:17 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=fe13dade
Fix minissdpd_admin()
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/minissdpd.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/minissdpd.if b/policy/modules/contrib/minissdpd.if
index b330161..f37a116 100644
--- a/policy/modules/contrib/minissdpd.if
+++ b/policy/modules/contrib/minissdpd.if
@@ -39,7 +39,7 @@ interface(`minissdpd_read_config',`
interface(`minissdpd_admin',`
gen_require(`
type minissdpd_t, minissdpd_initrc_exec_t, minissdpd_conf_t;
- type minissdpd_var_run_t
+ type minissdpd_var_run_t;
')
allow $1 minissdpd_t:process { ptrace signal_perms };
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-11-11 13:45 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-11-11 13:45 UTC (permalink / raw
To: gentoo-commits
commit: 19a625eecb2bb54d48adad40c6d53c996fce5101
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Mon Oct 7 10:44:31 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Nov 11 13:44:09 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=19a625ee
pulseaudio: pulsaudio_t needs to be able to read user_tmpfs_files (/run/shm/pulse-shm-.*)
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/pulseaudio.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index 14ce04c..6643b49 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -126,6 +126,8 @@ logging_send_syslog_msg(pulseaudio_t)
miscfiles_read_localization(pulseaudio_t)
+userdom_read_user_tmpfs_files(pulseaudio_t)
+
userdom_search_user_home_dirs(pulseaudio_t)
userdom_write_user_tmp_sockets(pulseaudio_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-11-11 13:45 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-11-11 13:45 UTC (permalink / raw
To: gentoo-commits
commit: 6608c64f3fad38df1e005f1f42b0b5d5d983b47c
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Fri Oct 4 17:16:28 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Nov 11 13:44:00 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=6608c64f
dpkg: allow dpkg, and dpkg script to domain transition to initrc_t on any init script file type rather than only the generic initrc_exec_t init script file type
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/dpkg.te | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/dpkg.te b/policy/modules/contrib/dpkg.te
index 62d99a9..50af48c 100644
--- a/policy/modules/contrib/dpkg.te
+++ b/policy/modules/contrib/dpkg.te
@@ -137,7 +137,7 @@ storage_raw_read_fixed_disk(dpkg_t)
auth_dontaudit_read_shadow(dpkg_t)
-init_domtrans_script(dpkg_t)
+init_all_labeled_script_domtrans(dpkg_t)
init_use_script_ptys(dpkg_t)
libs_exec_ld_so(dpkg_t)
@@ -276,7 +276,7 @@ term_use_all_terms(dpkg_script_t)
auth_dontaudit_getattr_shadow(dpkg_script_t)
files_manage_non_auth_files(dpkg_script_t)
-init_domtrans_script(dpkg_script_t)
+init_all_labeled_script_domtrans(dpkg_script_t)
init_use_script_fds(dpkg_script_t)
libs_exec_ld_so(dpkg_script_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-11-11 13:45 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-11-11 13:45 UTC (permalink / raw
To: gentoo-commits
commit: 2b202c3b27e579927438597246ed13401226d2fc
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Mon Oct 7 08:15:20 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Nov 11 13:44:04 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=2b202c3b
apt: apt runs /usr/bin/apt-get apt: on_ac_power (apt_t) lists /sys/class/power_supply
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/apt.te | 3 +++
1 file changed, 3 insertions(+)
diff --git a/policy/modules/contrib/apt.te b/policy/modules/contrib/apt.te
index e423967..efa8530 100644
--- a/policy/modules/contrib/apt.te
+++ b/policy/modules/contrib/apt.te
@@ -77,6 +77,8 @@ files_var_lib_filetrans(apt_t, apt_var_lib_t, dir)
allow apt_t apt_var_log_t:file manage_file_perms;
logging_log_filetrans(apt_t, apt_var_log_t, file)
+can_exec(apt_t, apt_exec_t)
+
kernel_read_system_state(apt_t)
kernel_read_kernel_sysctls(apt_t)
@@ -92,6 +94,7 @@ corenet_tcp_sendrecv_all_ports(apt_t)
corenet_sendrecv_all_client_packets(apt_t)
corenet_tcp_connect_all_ports(apt_t)
+dev_list_sysfs(apt_t)
dev_read_urand(apt_t)
domain_getattr_all_domains(apt_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-11-11 13:45 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-11-11 13:45 UTC (permalink / raw
To: gentoo-commits
commit: 1548a6c7fe0ba3eac47b0b063986d0ec4140314c
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Mon Oct 7 08:31:25 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Nov 11 13:44:06 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=1548a6c7
exim: exim_manage_var_lib_files created for init: init script runs helper apps that create/manage /var/lib/exim4/config.autogenerated.tmp
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/exim.if | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/policy/modules/contrib/exim.if b/policy/modules/contrib/exim.if
index 7e78b7b..9bbc690 100644
--- a/policy/modules/contrib/exim.if
+++ b/policy/modules/contrib/exim.if
@@ -244,6 +244,25 @@ interface(`exim_read_var_lib_files',`
########################################
## <summary>
+## Create, read, and write exim var lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`exim_manage_var_lib_files',`
+ gen_require(`
+ type exim_var_lib_t;
+ ')
+
+ manage_files_pattern($1, exim_var_lib_t, exim_var_lib_t)
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
## All of the rules required to
## administrate an exim environment.
## </summary>
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-11-11 13:45 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-11-11 13:45 UTC (permalink / raw
To: gentoo-commits
commit: c1241fb7d4e4642b9f638d59183997b39edede26
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Mon Oct 7 09:11:33 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Nov 11 13:44:08 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=c1241fb7
exim: make exim init script create /var/run/exim4 with a proper context
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/exim.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/exim.te b/policy/modules/contrib/exim.te
index 8123377..4086c51 100644
--- a/policy/modules/contrib/exim.te
+++ b/policy/modules/contrib/exim.te
@@ -63,6 +63,10 @@ files_tmp_file(exim_tmp_t)
type exim_var_run_t;
files_pid_file(exim_var_run_t)
+ifdef(`distro_debian',`
+ init_daemon_run_dir(exim_var_run_t, "exim4")
+')
+
########################################
#
# Local policy
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-11-11 13:45 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-11-11 13:45 UTC (permalink / raw
To: gentoo-commits
commit: dd44390965241248a3ff3e5caaba451b6925e789
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Sun Oct 6 19:20:02 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Nov 11 13:44:02 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=dd443909
exim: exim4 reads online
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/exim.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/exim.te b/policy/modules/contrib/exim.te
index c2d95f4..8123377 100644
--- a/policy/modules/contrib/exim.te
+++ b/policy/modules/contrib/exim.te
@@ -134,7 +134,7 @@ corenet_tcp_connect_spamd_port(exim_t)
dev_read_rand(exim_t)
dev_read_urand(exim_t)
-dev_search_sysfs(exim_t)
+dev_read_sysfs(exim_t)
domain_use_interactive_fds(exim_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-11-11 13:45 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-11-11 13:45 UTC (permalink / raw
To: gentoo-commits
commit: 153cbe093296b68012a5195b14013e3f5d3cb409
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Mon Oct 7 08:44:51 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Nov 11 13:44:07 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=153cbe09
gdomap/minissdpd: create read_config interfaces for initrc_t
these are really environment files in /etc/default, however we need to
label the with a private type for confined administration ( we dont want
confined admins to be able to manage generic etc_t files )
However creating private environ_t files for this seems overengineering
since init script usually only need to read environ files, so by
allowing this we also allow initrc_t to read other gdomap/minissdpd
confgi files (which in this case arent any)
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/gdomap.if | 19 +++++++++++++++++++
policy/modules/contrib/minissdpd.if | 19 +++++++++++++++++++
2 files changed, 38 insertions(+)
diff --git a/policy/modules/contrib/gdomap.if b/policy/modules/contrib/gdomap.if
index f2cf3ad..7d6b6b7 100644
--- a/policy/modules/contrib/gdomap.if
+++ b/policy/modules/contrib/gdomap.if
@@ -2,6 +2,25 @@
########################################
## <summary>
+## Read gdomap configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gdomap_read_config',`
+ gen_require(`
+ type gdomap_conf_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 gdomap_conf_t:file read_file_perms;
+')
+
+########################################
+## <summary>
## All of the rules required to
## administrate an gdomap environment.
## </summary>
diff --git a/policy/modules/contrib/minissdpd.if b/policy/modules/contrib/minissdpd.if
index 20de8ef..b330161 100644
--- a/policy/modules/contrib/minissdpd.if
+++ b/policy/modules/contrib/minissdpd.if
@@ -2,6 +2,25 @@
########################################
## <summary>
+## Read minissdpd configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`minissdpd_read_config',`
+ gen_require(`
+ type minissdpd_conf_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 minissdpd_conf_t:file read_file_perms;
+')
+
+########################################
+## <summary>
## All of the rules required to
## administrate an minissdpd environment.
## </summary>
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-11-11 13:45 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-11-11 13:45 UTC (permalink / raw
To: gentoo-commits
commit: 4ed0f5b3992d47fb6e1906224cce8d1cae478e80
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Sun Sep 29 17:10:41 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Nov 11 13:43:51 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=4ed0f5b3
firewalld: traverses / on sysfs
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/firewalld.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/firewalld.te b/policy/modules/contrib/firewalld.te
index 7ac9b31..98072a3 100644
--- a/policy/modules/contrib/firewalld.te
+++ b/policy/modules/contrib/firewalld.te
@@ -59,6 +59,7 @@ corecmd_exec_bin(firewalld_t)
corecmd_exec_shell(firewalld_t)
dev_read_urand(firewalld_t)
+dev_search_sysfs(firewalld_t)
domain_use_interactive_fds(firewalld_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-11-11 13:45 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-11-11 13:45 UTC (permalink / raw
To: gentoo-commits
commit: 3aef2c36314c2db8370c67fcb00916ae1d5e45d0
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Mon Sep 30 11:04:46 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Nov 11 13:43:55 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=3aef2c36
minissdpd: deal with assertion violation (sys_module)
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/minissdpd.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/minissdpd.te b/policy/modules/contrib/minissdpd.te
index f8c84f0..34d75a7 100644
--- a/policy/modules/contrib/minissdpd.te
+++ b/policy/modules/contrib/minissdpd.te
@@ -32,6 +32,7 @@ allow minissdpd_t minissdpd_var_run_t:file manage_file_perms;
allow minissdpd_t minissdpd_var_run_t:sock_file manage_sock_file_perms;
files_pid_filetrans(minissdpd_t, minissdpd_var_run_t, { file sock_file })
+kernel_load_module(minissdpd_t)
kernel_read_network_state(minissdpd_t)
kernel_request_load_module(minissdpd_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-11-11 13:45 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-11-11 13:45 UTC (permalink / raw
To: gentoo-commits
commit: 5944d174884857e6373738cf376fb54f26a50e89
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Mon Sep 30 11:12:34 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Nov 11 13:43:57 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=5944d174
gdomap: missing networking rules, it traverses /tmp for some reason
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/gdomap.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/gdomap.te b/policy/modules/contrib/gdomap.te
index 8abc63d..db7b56c 100644
--- a/policy/modules/contrib/gdomap.te
+++ b/policy/modules/contrib/gdomap.te
@@ -30,13 +30,17 @@ allow gdomap_t gdomap_var_run_t:file manage_file_perms;
files_pid_filetrans(gdomap_t, gdomap_var_run_t, file, "gdomap.pid")
corenet_sendrecv_gdomap_server_packets(gdomap_t)
+corenet_tcp_bind_generic_node(gdomap_t)
corenet_tcp_bind_gdomap_port(gdomap_t)
corenet_tcp_sendrecv_gdomap_port(gdomap_t)
+corenet_udp_bind_generic_node(gdomap_t)
corenet_udp_bind_gdomap_port(gdomap_t)
corenet_udp_sendrecv_gdomap_port(gdomap_t)
domain_use_interactive_fds(gdomap_t)
+files_search_tmp(gdomap_t)
+
auth_use_nsswitch(gdomap_t)
logging_send_syslog_msg(gdomap_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-11-11 13:45 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-11-11 13:45 UTC (permalink / raw
To: gentoo-commits
commit: 7af65e2b2fb6ee5ec18a7d355c2c977f8054602d
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Sun Sep 29 17:20:13 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Nov 11 13:43:54 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=7af65e2b
tmpreaper: mountall-bootcl executes /bin/plymouth on Debian
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/tmpreaper.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/tmpreaper.te b/policy/modules/contrib/tmpreaper.te
index 45654cb..585a77f 100644
--- a/policy/modules/contrib/tmpreaper.te
+++ b/policy/modules/contrib/tmpreaper.te
@@ -83,5 +83,9 @@ optional_policy(`
')
optional_policy(`
+ plymouthd_exec_plymouth(tmpreaper_t)
+')
+
+optional_policy(`
rpm_manage_cache(tmpreaper_t)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-11-11 13:45 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-11-11 13:45 UTC (permalink / raw
To: gentoo-commits
commit: 89fb790db2c8061dd1c5855245feed2f5e38af29
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Sun Sep 29 17:08:43 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Nov 11 13:43:50 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=89fb790d
virt: libvirtd reads /run/udev/data/+input:input3
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/virt.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 7afd03d..08c818d 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -747,6 +747,7 @@ optional_policy(`
optional_policy(`
udev_domtrans(virtd_t)
udev_read_db(virtd_t)
+ udev_read_pid_files(virtd_t)
')
########################################
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-11-11 13:45 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-11-11 13:45 UTC (permalink / raw
To: gentoo-commits
commit: 529ba597e915733eda496321125caa01dec3a934
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Sun Sep 29 17:15:47 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Nov 11 13:43:53 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=529ba597
rngd: needs ipc_lock capability, maintains /run/rngd.pid
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/rngd.fc | 2 ++
policy/modules/contrib/rngd.if | 5 ++++-
policy/modules/contrib/rngd.te | 8 +++++++-
3 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/rngd.fc b/policy/modules/contrib/rngd.fc
index 5dd779e..fa19aa8 100644
--- a/policy/modules/contrib/rngd.fc
+++ b/policy/modules/contrib/rngd.fc
@@ -1,3 +1,5 @@
/etc/rc\.d/init\.d/rngd -- gen_context(system_u:object_r:rngd_initrc_exec_t,s0)
/usr/sbin/rngd -- gen_context(system_u:object_r:rngd_exec_t,s0)
+
+/var/run/rngd\.pid -- gen_context(system_u:object_r:rngd_var_run_t,s0)
diff --git a/policy/modules/contrib/rngd.if b/policy/modules/contrib/rngd.if
index 0e759a2..13f788f 100644
--- a/policy/modules/contrib/rngd.if
+++ b/policy/modules/contrib/rngd.if
@@ -19,7 +19,7 @@
#
interface(`rngd_admin',`
gen_require(`
- type rngd_t, rngd_initrc_exec_t;
+ type rngd_t, rngd_initrc_exec_t, rngd_var_run_t;
')
allow $1 rngd_t:process { ptrace signal_perms };
@@ -29,4 +29,7 @@ interface(`rngd_admin',`
domain_system_change_exemption($1)
role_transition $2 rngd_initrc_exec_t system_r;
allow $2 system_r;
+
+ files_search_pids($1)
+ admin_pattern($1, rngd_var_run_t)
')
diff --git a/policy/modules/contrib/rngd.te b/policy/modules/contrib/rngd.te
index 4ab4eb5..a7b7717 100644
--- a/policy/modules/contrib/rngd.te
+++ b/policy/modules/contrib/rngd.te
@@ -12,16 +12,22 @@ init_daemon_domain(rngd_t, rngd_exec_t)
type rngd_initrc_exec_t;
init_script_file(rngd_initrc_exec_t)
+type rngd_var_run_t;
+files_pid_file(rngd_var_run_t)
+
########################################
#
# Local policy
#
-allow rngd_t self:capability sys_admin;
+allow rngd_t self:capability { ipc_lock sys_admin };
allow rngd_t self:process signal;
allow rngd_t self:fifo_file rw_fifo_file_perms;
allow rngd_t self:unix_stream_socket { accept listen };
+allow rngd_t rngd_var_run_t:file manage_file_perms;
+files_pid_filetrans(rngd_t, rngd_var_run_t, file, "rngd.pid")
+
kernel_rw_kernel_sysctl(rngd_t)
dev_read_rand(rngd_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-11-11 13:45 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-11-11 13:45 UTC (permalink / raw
To: gentoo-commits
commit: 0c56b588f99a890de5117d0af762a70a0289bc07
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Fri Oct 4 17:06:10 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Nov 11 13:43:58 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=0c56b588
ntp: create ntp_read_drift_files() for dhclient
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/ntp.if | 24 +++++++++++++++++++++++-
1 file changed, 23 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/ntp.if b/policy/modules/contrib/ntp.if
index b59196f..e96a309 100644
--- a/policy/modules/contrib/ntp.if
+++ b/policy/modules/contrib/ntp.if
@@ -100,6 +100,25 @@ interface(`ntp_initrc_domtrans',`
########################################
## <summary>
+## Read ntp drift files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ntp_read_drift_files',`
+ gen_require(`
+ type ntp_drift_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, ntp_drift_t, ntp_drift_t)
+')
+
+########################################
+## <summary>
## Read and write ntpd shared memory.
## </summary>
## <param name="domain">
@@ -153,7 +172,7 @@ interface(`ntp_admin',`
allow $2 system_r;
files_list_etc($1)
- admin_pattern($1, { ntpd_key_t ntp_conf_t ntp_drift_t })
+ admin_pattern($1, { ntpd_key_t ntp_conf_t })
logging_list_logs($1)
admin_pattern($1, ntpd_log_t)
@@ -161,6 +180,9 @@ interface(`ntp_admin',`
files_list_tmp($1)
admin_pattern($1, ntpd_tmp_t)
+ files_list_var_lib($1)
+ admin_pattern($1, ntp_drift_t)
+
files_list_pids($1)
admin_pattern($1, ntpd_var_run_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-11-11 13:45 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-11-11 13:45 UTC (permalink / raw
To: gentoo-commits
commit: b7f2cb1528eb9c41bfc7c7f17a6a75fbbc86876b
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Sun Sep 29 16:42:52 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Nov 11 13:43:39 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b7f2cb15
networkmanager: added interfaces that fedora calls for dhcpc. In Debian it was confirmed that at least dhclient manages /var/lib/NetworkManager/dhclient-eth0.conf
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/networkmanager.if | 40 ++++++++++++++++++++++++++++++++
1 file changed, 40 insertions(+)
diff --git a/policy/modules/contrib/networkmanager.if b/policy/modules/contrib/networkmanager.if
index d1785e5..5bf874a 100644
--- a/policy/modules/contrib/networkmanager.if
+++ b/policy/modules/contrib/networkmanager.if
@@ -173,6 +173,26 @@ interface(`networkmanager_signal',`
########################################
## <summary>
+## Create, read, and write
+## networkmanager library files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`networkmanager_manage_lib_files',`
+ gen_require(`
+ type NetworkManager_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
+')
+
+########################################
+## <summary>
## Read networkmanager lib files.
## </summary>
## <param name="domain">
@@ -230,6 +250,26 @@ interface(`networkmanager_read_pid_files',`
allow $1 NetworkManager_var_run_t:file read_file_perms;
')
+####################################
+## <summary>
+## Connect to networkmanager over
+## a unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`networkmanager_stream_connect',`
+ gen_require(`
+ type NetworkManager_t, NetworkManager_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t, NetworkManager_t)
+')
+
########################################
## <summary>
## All of the rules required to
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-11-11 13:45 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-11-11 13:45 UTC (permalink / raw
To: gentoo-commits
commit: 5554c42c7ea509fb7b329a9692d0a5c67239b0f6
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Sun Sep 29 17:01:33 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Nov 11 13:43:47 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=5554c42c
irqbalance: getsched from Debian
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/irqbalance.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/irqbalance.te b/policy/modules/contrib/irqbalance.te
index c09b2c1..e1f302d 100644
--- a/policy/modules/contrib/irqbalance.te
+++ b/policy/modules/contrib/irqbalance.te
@@ -22,7 +22,7 @@ files_pid_file(irqbalance_var_run_t)
allow irqbalance_t self:capability { setpcap net_admin };
dontaudit irqbalance_t self:capability sys_tty_config;
-allow irqbalance_t self:process { getcap setcap signal_perms };
+allow irqbalance_t self:process { getcap getsched setcap signal_perms };
allow irqbalance_t self:udp_socket create_socket_perms;
manage_files_pattern(irqbalance_t, irqbalance_var_run_t, irqbalance_var_run_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-11-11 13:45 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-11-11 13:45 UTC (permalink / raw
To: gentoo-commits
commit: 4bba66cf7c223e568bed0e4b5703e223bcaf4d5b
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Sun Sep 29 16:31:25 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Nov 11 13:43:37 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=4bba66cf
devicekit: 95hdparm-apm (devicekit_power_t) gets attributes of /dev/sda (fixed_disk_device_t)
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/devicekit.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/devicekit.te b/policy/modules/contrib/devicekit.te
index 18c2f8b..77a5003 100644
--- a/policy/modules/contrib/devicekit.te
+++ b/policy/modules/contrib/devicekit.te
@@ -241,6 +241,7 @@ dev_rw_generic_chr_files(devicekit_power_t)
dev_rw_netcontrol(devicekit_power_t)
dev_rw_sysfs(devicekit_power_t)
dev_read_rand(devicekit_power_t)
+dev_getattr_all_blk_files(devicekit_power_t)
dev_getattr_all_chr_files(devicekit_power_t)
domain_read_all_domains_state(devicekit_power_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-11-11 13:45 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-11-11 13:45 UTC (permalink / raw
To: gentoo-commits
commit: 88bdb45627be10d49a73fc5bf56faf7a89352852
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Sun Sep 29 17:06:26 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Nov 11 13:43:48 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=88bdb456
colord: colord reads /proc/3412/cmdline (cupsd state files)
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/colord.te | 1 +
policy/modules/contrib/cups.if | 20 ++++++++++++++++++++
2 files changed, 21 insertions(+)
diff --git a/policy/modules/contrib/colord.te b/policy/modules/contrib/colord.te
index 56e88b9..9f2dfb2 100644
--- a/policy/modules/contrib/colord.te
+++ b/policy/modules/contrib/colord.te
@@ -117,6 +117,7 @@ tunable_policy(`use_samba_home_dirs',`
optional_policy(`
cups_read_config(colord_t)
cups_read_rw_config(colord_t)
+ cups_read_state(colord_t)
cups_stream_connect(colord_t)
cups_dbus_chat(colord_t)
')
diff --git a/policy/modules/contrib/cups.if b/policy/modules/contrib/cups.if
index 06da9a0..3023be7 100644
--- a/policy/modules/contrib/cups.if
+++ b/policy/modules/contrib/cups.if
@@ -306,6 +306,26 @@ interface(`cups_stream_connect_ptal',`
########################################
## <summary>
+## Read the process state (/proc/pid) of cupsd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cups_read_state',`
+ gen_require(`
+ type cupsd_t;
+ ')
+
+ allow $1 cupsd_t:dir search_dir_perms;
+ allow $1 cupsd_t:file read_file_perms;
+ allow $1 cupsd_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
## All of the rules required to
## administrate an cups environment.
## </summary>
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-11-11 13:45 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-11-11 13:45 UTC (permalink / raw
To: gentoo-commits
commit: cb4a0a66bde58802004df513668571c834c0f015
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Sun Sep 29 16:24:11 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Nov 11 13:43:35 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=cb4a0a66
devicekit: edit devicekit_append_inherited_log_files to include get attribute permission so that it can be also used for fsadm
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/devicekit.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/devicekit.if b/policy/modules/contrib/devicekit.if
index b1c7ef3..8ce99ff 100644
--- a/policy/modules/contrib/devicekit.if
+++ b/policy/modules/contrib/devicekit.if
@@ -155,7 +155,7 @@ interface(`devicekit_append_inherited_log_files',`
')
logging_search_logs($1)
- allow $1 devicekit_var_log_t:file append;
+ allow $1 devicekit_var_log_t:file { getattr_file_perms append };
devicekit_use_fds_power($1)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-11-11 13:45 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-11-11 13:45 UTC (permalink / raw
To: gentoo-commits
commit: f105c2dfe80ce51bc995708a270068308dbaedfb
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Sun Sep 29 16:14:09 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Nov 11 13:43:34 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f105c2df
devicekit: disk reads /proc/sys/vm/overcommit_memory
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/devicekit.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/devicekit.te b/policy/modules/contrib/devicekit.te
index de5e2fa..18c2f8b 100644
--- a/policy/modules/contrib/devicekit.te
+++ b/policy/modules/contrib/devicekit.te
@@ -89,6 +89,7 @@ kernel_read_fs_sysctls(devicekit_disk_t)
kernel_read_network_state(devicekit_disk_t)
kernel_read_software_raid_state(devicekit_disk_t)
kernel_read_system_state(devicekit_disk_t)
+kernel_read_vm_sysctls(devicekit_disk_t)
kernel_request_load_module(devicekit_disk_t)
kernel_setsched(devicekit_disk_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-11-11 13:45 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-11-11 13:45 UTC (permalink / raw
To: gentoo-commits
commit: 0fd8e6e812723212e1af6fb5f893e85d35f2cb31
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Sun Sep 29 16:50:30 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Nov 11 13:43:43 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=0fd8e6e8
firewalld: various fixes that i borrowed from Fedora but that also apply to Debian (confirmed)
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/firewalld.te | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/policy/modules/contrib/firewalld.te b/policy/modules/contrib/firewalld.te
index 1628a6d..7ac9b31 100644
--- a/policy/modules/contrib/firewalld.te
+++ b/policy/modules/contrib/firewalld.te
@@ -18,6 +18,9 @@ files_config_file(firewalld_etc_rw_t)
type firewalld_var_log_t;
logging_log_file(firewalld_var_log_t)
+type firewalld_tmp_t;
+files_tmp_file(firewalld_tmp_t)
+
type firewalld_var_run_t;
files_pid_file(firewalld_var_run_t)
@@ -26,6 +29,7 @@ files_pid_file(firewalld_var_run_t)
# Local policy
#
+allow firewalld_t self:capability { dac_override net_admin };
dontaudit firewalld_t self:capability sys_tty_config;
allow firewalld_t self:fifo_file rw_fifo_file_perms;
allow firewalld_t self:unix_stream_socket { accept listen };
@@ -40,11 +44,16 @@ allow firewalld_t firewalld_var_log_t:file read_file_perms;
allow firewalld_t firewalld_var_log_t:file setattr_file_perms;
logging_log_filetrans(firewalld_t, firewalld_var_log_t, file)
+manage_files_pattern(firewalld_t, firewalld_tmp_t, firewalld_tmp_t)
+files_tmp_filetrans(firewalld_t, firewalld_tmp_t, file)
+allow firewalld_t firewalld_tmp_t:file mmap_file_perms;
+
manage_files_pattern(firewalld_t, firewalld_var_run_t, firewalld_var_run_t)
files_pid_filetrans(firewalld_t, firewalld_var_run_t, file)
kernel_read_network_state(firewalld_t)
kernel_read_system_state(firewalld_t)
+kernel_rw_net_sysctls(firewalld_t)
corecmd_exec_bin(firewalld_t)
corecmd_exec_shell(firewalld_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-11-11 13:45 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-11-11 13:45 UTC (permalink / raw
To: gentoo-commits
commit: 72dc48a79ab4fc6c06813c142fec78891228e1e1
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Sun Sep 29 16:56:32 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Nov 11 13:43:45 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=72dc48a7
firewalld: interfaces created for iptables
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/firewalld.if | 38 +++++++++++++++++++++++++++++++++++++
1 file changed, 38 insertions(+)
diff --git a/policy/modules/contrib/firewalld.if b/policy/modules/contrib/firewalld.if
index 5cf6ac6..c62c567 100644
--- a/policy/modules/contrib/firewalld.if
+++ b/policy/modules/contrib/firewalld.if
@@ -2,6 +2,25 @@
########################################
## <summary>
+## Read firewalld configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`firewalld_read_config_files',`
+ gen_require(`
+ type firewalld_etc_rw_t;
+ ')
+
+ files_search_etc($1)
+ read_files_pattern($1, firewalld_etc_rw_t, firewalld_etc_rw_t)
+')
+
+########################################
+## <summary>
## Send and receive messages from
## firewalld over dbus.
## </summary>
@@ -23,6 +42,25 @@ interface(`firewalld_dbus_chat',`
########################################
## <summary>
+## Do not audit attempts to read, snd
+## write firewalld temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`firewalld_dontaudit_rw_tmp_files',`
+ gen_require(`
+ type firewalld_tmp_t;
+ ')
+
+ dontaudit $1 firewalld_tmp_t:file { read write };
+')
+
+########################################
+## <summary>
## All of the rules required to
## administrate an firewalld environment.
## </summary>
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-11-11 13:45 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-11-11 13:45 UTC (permalink / raw
To: gentoo-commits
commit: e4da644c95b8e70c1461c60e964261b6daa482de
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Sun Sep 29 15:53:56 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Nov 11 13:43:32 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e4da644c
exim: traverses sysfs, uses system cronjob file descriptors (/dev/null) in Debian (/etc/cron.daily/exim)
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/exim.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/contrib/exim.te b/policy/modules/contrib/exim.te
index 88896fd..c2d95f4 100644
--- a/policy/modules/contrib/exim.te
+++ b/policy/modules/contrib/exim.te
@@ -134,6 +134,7 @@ corenet_tcp_connect_spamd_port(exim_t)
dev_read_rand(exim_t)
dev_read_urand(exim_t)
+dev_search_sysfs(exim_t)
domain_use_interactive_fds(exim_t)
@@ -188,6 +189,7 @@ optional_policy(`
optional_policy(`
cron_read_pipes(exim_t)
cron_rw_system_job_pipes(exim_t)
+ cron_use_system_job_fds(exim_t)
')
optional_policy(`
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-11-11 13:45 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-11-11 13:45 UTC (permalink / raw
To: gentoo-commits
commit: e5df1b7b150717ce66017ca50e715ca1733bbdea
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Sun Sep 29 16:10:01 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Nov 11 13:43:33 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e5df1b7b
minissdpd fixes
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/minissdpd.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/minissdpd.te b/policy/modules/contrib/minissdpd.te
index ae9004b..f8c84f0 100644
--- a/policy/modules/contrib/minissdpd.te
+++ b/policy/modules/contrib/minissdpd.te
@@ -44,3 +44,7 @@ corenet_udp_bind_generic_node(minissdpd_t)
corenet_sendrecv_ssdp_server_packets(minissdpd_t)
corenet_udp_bind_ssdp_port(minissdpd_t)
corenet_udp_sendrecv_ssdp_port(minissdpd_t)
+
+logging_send_syslog_msg(minissdpd_t)
+
+miscfiles_read_localization(minissdpd_t)
\ No newline at end of file
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-11-03 11:19 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-11-03 11:19 UTC (permalink / raw
To: gentoo-commits
commit: ee154a5d02d8ee55ec048796017ec187ad888b43
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Nov 3 11:16:14 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Nov 3 11:16:14 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ee154a5d
Support self-update of Portage
When Portage is asked to update itself, it triggers a specific procedure
(in portage/pym/portage/package/ebuild/doebuild.py, a method called
_prepare_self_update).
In this method, it will create a temporary copy of PORTAGE_BIN_PATH and
PORTAGE_PYM_PATH (which are bin_t, lib_t and some specific Portage
types).
During this copy, it needs to set the proper labels on the files, which
is why we now allow the various relabel operations.
---
policy/modules/contrib/portage.te | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/policy/modules/contrib/portage.te b/policy/modules/contrib/portage.te
index 533919c..5230679 100644
--- a/policy/modules/contrib/portage.te
+++ b/policy/modules/contrib/portage.te
@@ -395,12 +395,25 @@ ifdef(`distro_gentoo',`
#
allow portage_t self:capability2 block_suspend;
+ # Support self-update of Portage
+ allow portage_t portage_tmp_t:dir relabel_dir_perms;
+ allow portage_t portage_tmp_t:lnk_file relabel_lnk_file_perms;
+ allow portage_t portage_exec_t:file relabel_file_perms;
+ allow portage_t portage_fetch_exec_t:file relabel_file_perms;
+
# Portage is selinuxaware, transitions on calling ebuild, now marked as bin_t
corecmd_bin_entry_type(portage_t)
+ # Support self-update of Portage
+ corecmd_relabel_bin_dirs(portage_t)
+ corecmd_relabel_bin_files(portage_t)
+ corecmd_relabel_bin_lnk_files(portage_t)
auth_use_nsswitch(portage_t)
libs_generic_etc_filetrans_ld_so_cache(portage_t, file, "ld.so.cache~")
+ # Support self-update of Portage
+ libs_relabel_lib_dirs(portage_t)
+ libs_relabel_lib_files(portage_t)
##########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-09-30 19:03 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-09-30 19:03 UTC (permalink / raw
To: gentoo-commits
commit: 36e2216f82192660d063012e69281f27ba20864b
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Fri Sep 27 21:33:49 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Sep 30 19:03:08 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=36e2216f
various: revert regex fixes: fcsort does not want this now
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/aide.fc | 3 ++-
policy/modules/contrib/amtu.fc | 3 ++-
policy/modules/contrib/ircd.fc | 4 +++-
policy/modules/contrib/nagios.fc | 7 +++++--
policy/modules/contrib/networkmanager.fc | 14 +++++++++-----
policy/modules/contrib/puppet.fc | 10 +++++++---
policy/modules/contrib/snort.fc | 4 +++-
policy/modules/contrib/tor.fc | 3 ++-
policy/modules/contrib/zabbix.fc | 13 ++++++++-----
9 files changed, 41 insertions(+), 20 deletions(-)
diff --git a/policy/modules/contrib/aide.fc b/policy/modules/contrib/aide.fc
index 06f050f..b2f47de 100644
--- a/policy/modules/contrib/aide.fc
+++ b/policy/modules/contrib/aide.fc
@@ -1,4 +1,5 @@
-/usr/(s)?bin/aide -- gen_context(system_u:object_r:aide_exec_t,mls_systemhigh)
+/usr/bin/aide -- gen_context(system_u:object_r:aide_exec_t,mls_systemhigh)
+/usr/sbin/aide -- gen_context(system_u:object_r:aide_exec_t,mls_systemhigh)
/var/lib/aide(/.*)? gen_context(system_u:object_r:aide_db_t,mls_systemhigh)
diff --git a/policy/modules/contrib/amtu.fc b/policy/modules/contrib/amtu.fc
index 305a1a0..b21a14a 100644
--- a/policy/modules/contrib/amtu.fc
+++ b/policy/modules/contrib/amtu.fc
@@ -1,3 +1,4 @@
/etc/rc\.d/init\.d/amtu -- gen_context(system_u:object_r:amtu_initrc_exec_t,s0)
-/usr/(s)?bin/amtu -- gen_context(system_u:object_r:amtu_exec_t,s0)
+/usr/bin/amtu -- gen_context(system_u:object_r:amtu_exec_t,s0)
+/usr/sbin/amtu -- gen_context(system_u:object_r:amtu_exec_t,s0)
diff --git a/policy/modules/contrib/ircd.fc b/policy/modules/contrib/ircd.fc
index 8060f08..f37eed8 100644
--- a/policy/modules/contrib/ircd.fc
+++ b/policy/modules/contrib/ircd.fc
@@ -5,8 +5,10 @@
/etc/rc\.d/init\.d/((ircd)|(ngircd)|(dancer-ircd)) -- gen_context(system_u:object_r:ircd_initrc_exec_t,s0)
+/usr/bin/ircd -- gen_context(system_u:object_r:ircd_exec_t,s0)
+
/usr/sbin/dancer-ircd -- gen_context(system_u:object_r:ircd_exec_t,s0)
-/usr/(s)?bin/ircd -- gen_context(system_u:object_r:ircd_exec_t,s0)
+/usr/sbin/ircd -- gen_context(system_u:object_r:ircd_exec_t,s0)
/usr/sbin/ngircd -- gen_context(system_u:object_r:ircd_exec_t,s0)
/var/lib/dancer-ircd(/.*)? gen_context(system_u:object_r:ircd_var_lib_t,s0)
diff --git a/policy/modules/contrib/nagios.fc b/policy/modules/contrib/nagios.fc
index 5e47e3f..d78dfc3 100644
--- a/policy/modules/contrib/nagios.fc
+++ b/policy/modules/contrib/nagios.fc
@@ -4,8 +4,11 @@
/etc/rc\.d/init\.d/nagios -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0)
/etc/rc\.d/init\.d/nrpe -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0)
-/usr/(s)?bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
-/usr/(s)?bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0)
+/usr/bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
+/usr/bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0)
+
+/usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
+/usr/sbin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0)
/usr/lib/cgi-bin/nagios(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
/usr/lib/cgi-bin/netsaint(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
diff --git a/policy/modules/contrib/networkmanager.fc b/policy/modules/contrib/networkmanager.fc
index a697d60..7b80c1e 100644
--- a/policy/modules/contrib/networkmanager.fc
+++ b/policy/modules/contrib/networkmanager.fc
@@ -16,15 +16,19 @@
/usr/lib/NetworkManager/nm-dispatcher\.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
/usr/libexec/nm-dispatcher\.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
-/(s)?bin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
-/(s)?bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
+/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
-/usr/(s)?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/bin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
+/usr/bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+
+/usr/sbin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
/usr/sbin/NetworkManagerDispatcher -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
/usr/sbin/nm-system-settings -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
/usr/sbin/wicd -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
-/usr/(s)?bin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
-/usr/(s)?bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
+/usr/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
/var/lib/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)
/var/lib/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)
diff --git a/policy/modules/contrib/puppet.fc b/policy/modules/contrib/puppet.fc
index 5a6da67..d68e26d 100644
--- a/policy/modules/contrib/puppet.fc
+++ b/policy/modules/contrib/puppet.fc
@@ -3,9 +3,13 @@
/etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppet_initrc_exec_t,s0)
/etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0)
-/usr/(s)?bin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0)
-/usr/(s)?bin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
-/usr/(s)?bin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
+/usr/bin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0)
+/usr/bin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
+/usr/bin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
+
+/usr/sbin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0)
+/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
+/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
/var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0)
diff --git a/policy/modules/contrib/snort.fc b/policy/modules/contrib/snort.fc
index aae25d9..591b9a1 100644
--- a/policy/modules/contrib/snort.fc
+++ b/policy/modules/contrib/snort.fc
@@ -2,7 +2,9 @@
/etc/snort(/.*)? gen_context(system_u:object_r:snort_etc_t,s0)
-/usr/(s)?bin/snort -- gen_context(system_u:object_r:snort_exec_t,s0)
+/usr/bin/snort -- gen_context(system_u:object_r:snort_exec_t,s0)
+/usr/sbin/snort -- gen_context(system_u:object_r:snort_exec_t,s0)
+
/usr/sbin/snort-plain -- gen_context(system_u:object_r:snort_exec_t,s0)
/var/log/snort(/.*)? gen_context(system_u:object_r:snort_log_t,s0)
diff --git a/policy/modules/contrib/tor.fc b/policy/modules/contrib/tor.fc
index 14a355a..dce42ec 100644
--- a/policy/modules/contrib/tor.fc
+++ b/policy/modules/contrib/tor.fc
@@ -2,7 +2,8 @@
/etc/rc\.d/init\.d/tor -- gen_context(system_u:object_r:tor_initrc_exec_t,s0)
-/usr/(s)?bin/tor -- gen_context(system_u:object_r:tor_exec_t,s0)
+/usr/bin/tor -- gen_context(system_u:object_r:tor_exec_t,s0)
+/usr/sbin/tor -- gen_context(system_u:object_r:tor_exec_t,s0)
/var/lib/tor(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0)
/var/lib/tor-data(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0)
diff --git a/policy/modules/contrib/zabbix.fc b/policy/modules/contrib/zabbix.fc
index f83008c..c3b5a81 100644
--- a/policy/modules/contrib/zabbix.fc
+++ b/policy/modules/contrib/zabbix.fc
@@ -1,11 +1,14 @@
/etc/rc\.d/init\.d/(zabbix|zabbix-server) -- gen_context(system_u:object_r:zabbix_initrc_exec_t,s0)
/etc/rc\.d/init\.d/zabbix-agentd -- gen_context(system_u:object_r:zabbix_agent_initrc_exec_t,s0)
-/usr/s?bin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0)
-/usr/s?bin/zabbix_agentd -- gen_context(system_u:object_r:zabbix_agent_exec_t,s0)
-/usr/s?bin/zabbix_server_mysql -- gen_context(system_u:object_r:zabbix_exec_t,s0)
-/usr/s?bin/zabbix_server_pgsql -- gen_context(system_u:object_r:zabbix_exec_t,s0)
-/usr/s?bin/zabbix_server_sqlite3 -- gen_context(system_u:object_r:zabbix_exec_t,s0)
+/usr/bin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0)
+/usr/bin/zabbix_agentd -- gen_context(system_u:object_r:zabbix_agent_exec_t,s0)
+
+/usr/sbin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0)
+/usr/sbin/zabbix_agentd -- gen_context(system_u:object_r:zabbix_agent_exec_t,s0)
+/usr/sbin/zabbix_server_mysql -- gen_context(system_u:object_r:zabbix_exec_t,s0)
+/usr/sbin/zabbix_server_pgsql -- gen_context(system_u:object_r:zabbix_exec_t,s0)
+/usr/sbin/zabbix_server_sqlite3 -- gen_context(system_u:object_r:zabbix_exec_t,s0)
/var/log/zabbix(/.*)? gen_context(system_u:object_r:zabbix_log_t,s0)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-09-30 19:03 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-09-30 19:03 UTC (permalink / raw
To: gentoo-commits
commit: 9816ecb58b14813d55811e0fa9f54d50324216c3
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Fri Sep 27 16:28:52 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Sep 30 19:03:06 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=9816ecb5
alsa: due to a bug in gnome 3.4, in debian, alsactl does all kinds of weird things related to pulseaudio
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/alsa.fc | 4 ++++
policy/modules/contrib/alsa.te | 25 +++++++++++++++++++------
2 files changed, 23 insertions(+), 6 deletions(-)
diff --git a/policy/modules/contrib/alsa.fc b/policy/modules/contrib/alsa.fc
index 5de1e01..33d9d31 100644
--- a/policy/modules/contrib/alsa.fc
+++ b/policy/modules/contrib/alsa.fc
@@ -1,5 +1,9 @@
HOME_DIR/\.asoundrc -- gen_context(system_u:object_r:alsa_home_t,s0)
+ifdef(`distro_debian',`
+/\.config(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0)
+')
+
/bin/alsaunmute -- gen_context(system_u:object_r:alsa_exec_t,s0)
/etc/alsa/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0)
diff --git a/policy/modules/contrib/alsa.te b/policy/modules/contrib/alsa.te
index 595a217..78d134a 100644
--- a/policy/modules/contrib/alsa.te
+++ b/policy/modules/contrib/alsa.te
@@ -20,8 +20,6 @@ files_tmp_file(alsa_tmp_t)
type alsa_tmpfs_t;
files_tmpfs_file(alsa_tmpfs_t)
-pulseaudio_tmpfs_content(alsa_tmpfs_t)
-dev_associate(alsa_tmpfs_t)
type alsa_var_lib_t;
files_type(alsa_var_lib_t)
@@ -72,8 +70,6 @@ dev_write_sound(alsa_t)
files_read_usr_files(alsa_t)
files_search_var_lib(alsa_t)
-fs_list_tmpfs(alsa_t)
-
term_dontaudit_use_console(alsa_t)
term_dontaudit_use_generic_ptys(alsa_t)
term_dontaudit_use_all_ptys(alsa_t)
@@ -90,8 +86,25 @@ userdom_manage_unpriv_user_semaphores(alsa_t)
userdom_manage_unpriv_user_shared_mem(alsa_t)
userdom_search_user_home_dirs(alsa_t)
-optional_policy(`
- dbus_read_lib_files(alsa_t)
+ifdef(`distro_debian',`
+ # Gnome 3.4 bug
+ dev_associate(alsa_tmpfs_t)
+
+ allow alsa_t self:capability kill;
+
+ manage_lnk_files_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
+ files_root_filetrans(alsa_t, alsa_var_lib_t, dir, ".config")
+
+ fs_getattr_tmpfs(alsa_t)
+ fs_list_tmpfs(alsa_t)
+
+ optional_policy(`
+ dbus_read_lib_files(alsa_t)
+ ')
+
+ optional_policy(`
+ pulseaudio_tmpfs_content(alsa_tmpfs_t)
+ ')
')
optional_policy(`
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-09-30 19:03 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-09-30 19:03 UTC (permalink / raw
To: gentoo-commits
commit: ec0e6b22204db40b529d177c927979f43be4f934
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Fri Sep 27 08:16:02 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Sep 30 19:02:59 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ec0e6b22
backup: in Debian /etc/cron.daily/passwd backs-up shadow, passwd etc to /var/backups
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/backup.fc | 1 +
policy/modules/contrib/backup.te | 2 +-
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/backup.fc b/policy/modules/contrib/backup.fc
index 075621d..349c26f 100644
--- a/policy/modules/contrib/backup.fc
+++ b/policy/modules/contrib/backup.fc
@@ -1,4 +1,5 @@
/etc/cron\.daily/aptitude -- gen_context(system_u:object_r:backup_exec_t,s0)
+/etc/cron\.daily/passwd -- gen_context(system_u:object_r:backup_exec_t,s0)
/etc/cron\.daily/standard -- gen_context(system_u:object_r:backup_exec_t,s0)
/var/backups(/.*)? gen_context(system_u:object_r:backup_store_t,s0)
diff --git a/policy/modules/contrib/backup.te b/policy/modules/contrib/backup.te
index 1bb1e7f..7811450 100644
--- a/policy/modules/contrib/backup.te
+++ b/policy/modules/contrib/backup.te
@@ -1,4 +1,4 @@
-policy_module(backup, 1.6.1)
+policy_module(backup, 1.6.2)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-09-30 19:03 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-09-30 19:03 UTC (permalink / raw
To: gentoo-commits
commit: 6331107c32431e0b3872e255a7f494314206c1d1
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Fri Sep 27 07:33:10 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Sep 30 19:02:55 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=6331107c
mta: allow system_mail_t (user_mail_domains) to read kernel sysctls and to read exim var lib files.
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/mta.te | 9 +++------
1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/policy/modules/contrib/mta.te b/policy/modules/contrib/mta.te
index a36599f..ab24c49 100644
--- a/policy/modules/contrib/mta.te
+++ b/policy/modules/contrib/mta.te
@@ -1,4 +1,4 @@
-policy_module(mta, 2.7.2)
+policy_module(mta, 2.7.3)
########################################
#
@@ -78,6 +78,7 @@ allow user_mail_domain sendmail_exec_t:lnk_file read_lnk_file_perms;
can_exec(user_mail_domain, { mta_exec_type sendmail_exec_t })
+kernel_read_crypto_sysctls(user_mail_domain)
kernel_read_system_state(user_mail_domain)
kernel_read_kernel_sysctls(user_mail_domain)
kernel_read_network_state(user_mail_domain)
@@ -132,6 +133,7 @@ optional_policy(`
exim_domtrans(user_mail_domain)
exim_manage_log(user_mail_domain)
exim_manage_spool_files(user_mail_domain)
+ exim_read_var_lib_files(user_mail_domain)
')
optional_policy(`
@@ -245,11 +247,6 @@ optional_policy(`
')
optional_policy(`
- exim_domtrans(system_mail_t)
- exim_manage_log(system_mail_t)
-')
-
-optional_policy(`
fail2ban_dontaudit_rw_stream_sockets(system_mail_t)
fail2ban_append_log(system_mail_t)
fail2ban_rw_inherited_tmp_files(system_mail_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-09-30 19:03 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-09-30 19:03 UTC (permalink / raw
To: gentoo-commits
commit: 3f2fdd88b576d2fe658d89a2d972dc928147c73e
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Fri Sep 27 07:47:37 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Sep 30 19:02:58 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=3f2fdd88
locate: extra rules needed by debian /etc/cron.daily/locate script
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/slocate.fc | 2 ++
policy/modules/contrib/slocate.te | 13 +++++++++++--
2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/slocate.fc b/policy/modules/contrib/slocate.fc
index 19dbf4f..5844628 100644
--- a/policy/modules/contrib/slocate.fc
+++ b/policy/modules/contrib/slocate.fc
@@ -3,3 +3,5 @@
/usr/bin/updatedb.* -- gen_context(system_u:object_r:locate_exec_t,s0)
/var/lib/[sm]locate(/.*)? gen_context(system_u:object_r:locate_var_lib_t,s0)
+
+/var/run/mlocate\.daily\.lock -- gen_context(system_u:object_r:locate_var_run_t,s0)
diff --git a/policy/modules/contrib/slocate.te b/policy/modules/contrib/slocate.te
index b362a61..7292dc0 100644
--- a/policy/modules/contrib/slocate.te
+++ b/policy/modules/contrib/slocate.te
@@ -1,4 +1,4 @@
-policy_module(slocate, 1.12.1)
+policy_module(slocate, 1.12.2)
#################################
#
@@ -12,24 +12,33 @@ init_system_domain(locate_t, locate_exec_t)
type locate_var_lib_t;
files_type(locate_var_lib_t)
+type locate_var_run_t;
+files_pid_file(locate_var_run_t)
+
########################################
#
# Local policy
#
allow locate_t self:capability { chown dac_read_search dac_override fowner fsetid };
-allow locate_t self:process { execmem execheap execstack signal };
+allow locate_t self:process { execmem execheap execstack signal setsched };
allow locate_t self:fifo_file rw_fifo_file_perms;
allow locate_t self:unix_stream_socket create_socket_perms;
manage_dirs_pattern(locate_t, locate_var_lib_t, locate_var_lib_t)
manage_files_pattern(locate_t, locate_var_lib_t, locate_var_lib_t)
+allow locate_t locate_var_run_t:file manage_file_perms;
+files_pid_filetrans(locate_t, locate_var_run_t, file, "mlocate.daily.lock")
+
+can_exec(locate_t, locate_exec_t)
+
kernel_read_system_state(locate_t)
kernel_dontaudit_search_network_state(locate_t)
kernel_dontaudit_search_sysctl(locate_t)
corecmd_exec_bin(locate_t)
+corecmd_exec_shell(locate_t)
dev_getattr_all_blk_files(locate_t)
dev_getattr_all_chr_files(locate_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-09-30 19:03 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-09-30 19:03 UTC (permalink / raw
To: gentoo-commits
commit: 81f9ac7f2f2dfcbfed6cbb1840afe9779cfcba22
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Fri Sep 27 07:37:22 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Sep 30 19:02:57 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=81f9ac7f
mta: These are duplicates because system_mail_t is a user_mail_domain, as it is based off of the mta_base_mail_template() which assigns that type attribute
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/mta.te | 3 ---
1 file changed, 3 deletions(-)
diff --git a/policy/modules/contrib/mta.te b/policy/modules/contrib/mta.te
index ab24c49..f46fcde 100644
--- a/policy/modules/contrib/mta.te
+++ b/policy/modules/contrib/mta.te
@@ -237,9 +237,6 @@ optional_policy(`
optional_policy(`
courier_stream_connect_authdaemon(system_mail_t)
- courier_manage_spool_dirs(system_mail_t)
- courier_manage_spool_files(system_mail_t)
- courier_rw_spool_pipes(system_mail_t)
')
optional_policy(`
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-09-30 19:03 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-09-30 19:03 UTC (permalink / raw
To: gentoo-commits
commit: 011a837a11fe04fbf66f9c7f473f24b03e652a47
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Fri Sep 27 09:53:55 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Sep 30 19:03:01 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=011a837a
avahi: create interfaces that will allow calles to create avahi pid dirs and create specifc avahi pid objects with a type transition (for udev, which runs: /usr/lib/avahi/avahi-daemon-check-dns.sh in Debian
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/avahi.if | 48 +++++++++++++++++++++++++++++++++++++++++
policy/modules/contrib/avahi.te | 2 +-
2 files changed, 49 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/avahi.if b/policy/modules/contrib/avahi.if
index ce712af..769c51f 100644
--- a/policy/modules/contrib/avahi.if
+++ b/policy/modules/contrib/avahi.if
@@ -135,6 +135,25 @@ interface(`avahi_stream_connect',`
########################################
## <summary>
+## Create avahi pid directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`avahi_create_pid_dirs',`
+ gen_require(`
+ type avahi_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 avahi_var_run_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
## Create, read, and write avahi pid files.
## </summary>
## <param name="domain">
@@ -173,6 +192,35 @@ interface(`avahi_dontaudit_search_pid',`
########################################
## <summary>
+## Create specified objects in generic
+## pid directories with the avahi pid file type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`avahi_filetrans_pid',`
+ gen_require(`
+ type avahi_var_run_t;
+ ')
+
+ files_pid_filetrans($1, avahi_var_run_t, $2, $3)
+')
+
+########################################
+## <summary>
## All of the rules required to
## administrate an avahi environment.
## </summary>
diff --git a/policy/modules/contrib/avahi.te b/policy/modules/contrib/avahi.te
index 95ae264..b8355b3 100644
--- a/policy/modules/contrib/avahi.te
+++ b/policy/modules/contrib/avahi.te
@@ -1,4 +1,4 @@
-policy_module(avahi, 1.14.0)
+policy_module(avahi, 1.14.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-09-30 19:03 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-09-30 19:03 UTC (permalink / raw
To: gentoo-commits
commit: bd27cdedb28bc2557e402b02fcd00abcb85543cd
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Thu Sep 26 21:51:03 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Sep 30 19:02:54 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=bd27cded
wm: allow $1_wm_t to stream connect to $1_gkeyringd_t
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/wm.if | 6 +++---
policy/modules/contrib/wm.te | 2 +-
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/policy/modules/contrib/wm.if b/policy/modules/contrib/wm.if
index fbd84ba..95f888d 100644
--- a/policy/modules/contrib/wm.if
+++ b/policy/modules/contrib/wm.if
@@ -80,9 +80,9 @@ template(`wm_role_template',`
')
')
- # optional_policy(`
- # gnome_stream_connect_gkeyringd($1, $1_wm_t)
- # ')
+ optional_policy(`
+ gnome_stream_connect_gkeyringd($1, $1_wm_t)
+ ')
optional_policy(`
pulseaudio_run($1_wm_t, $2)
diff --git a/policy/modules/contrib/wm.te b/policy/modules/contrib/wm.te
index 9d2e935..638d10f 100644
--- a/policy/modules/contrib/wm.te
+++ b/policy/modules/contrib/wm.te
@@ -1,4 +1,4 @@
-policy_module(wm, 1.3.2)
+policy_module(wm, 1.3.3)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-09-30 19:03 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-09-30 19:03 UTC (permalink / raw
To: gentoo-commits
commit: 4b108396078378833c8aff9fc860bf35576b7923
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Thu Sep 26 06:42:55 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Sep 30 19:00:59 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=4b108396
dpkg: catch /etc/cron.daily/dpkg on Debian dpkg: allow /etc/cron.daily/dpkg to manage backup store files on Debian
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/dpkg.fc | 2 ++
policy/modules/contrib/dpkg.te | 6 +++++-
2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/dpkg.fc b/policy/modules/contrib/dpkg.fc
index 751c251..eec3c48 100644
--- a/policy/modules/contrib/dpkg.fc
+++ b/policy/modules/contrib/dpkg.fc
@@ -1,3 +1,5 @@
+/etc/cron\.daily/dpkg -- gen_context(system_u:object_r:dpkg_exec_t,s0)
+
/usr/bin/debsums -- gen_context(system_u:object_r:dpkg_exec_t,s0)
/usr/bin/dpkg -- gen_context(system_u:object_r:dpkg_exec_t,s0)
/usr/bin/dselect -- gen_context(system_u:object_r:dpkg_exec_t,s0)
diff --git a/policy/modules/contrib/dpkg.te b/policy/modules/contrib/dpkg.te
index 998d765..62d99a9 100644
--- a/policy/modules/contrib/dpkg.te
+++ b/policy/modules/contrib/dpkg.te
@@ -1,4 +1,4 @@
-policy_module(dpkg, 1.10.0)
+policy_module(dpkg, 1.10.1)
########################################
#
@@ -161,6 +161,10 @@ optional_policy(`
')
optional_policy(`
+ backup_manage_store_files(dpkg_t)
+')
+
+optional_policy(`
cron_system_entry(dpkg_t, dpkg_exec_t)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-09-30 19:03 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-09-30 19:03 UTC (permalink / raw
To: gentoo-commits
commit: f70791c2ada8040fc3788a8da002435193ce015a
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Thu Sep 26 07:02:23 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Sep 30 19:02:07 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f70791c2
alsa: alsactl wants to associate pulse-shm-.* to device_t type filesystems. This happens early on but i do not understand how that (/dev) relates to /dev/shm in this regard
alsa: alsactl reads /var/lib/dbus/machine-id
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/alsa.te | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/alsa.te b/policy/modules/contrib/alsa.te
index db4a986..595a217 100644
--- a/policy/modules/contrib/alsa.te
+++ b/policy/modules/contrib/alsa.te
@@ -1,4 +1,4 @@
-policy_module(alsa, 1.12.1)
+policy_module(alsa, 1.12.2)
########################################
#
@@ -21,6 +21,7 @@ files_tmp_file(alsa_tmp_t)
type alsa_tmpfs_t;
files_tmpfs_file(alsa_tmpfs_t)
pulseaudio_tmpfs_content(alsa_tmpfs_t)
+dev_associate(alsa_tmpfs_t)
type alsa_var_lib_t;
files_type(alsa_var_lib_t)
@@ -90,6 +91,10 @@ userdom_manage_unpriv_user_shared_mem(alsa_t)
userdom_search_user_home_dirs(alsa_t)
optional_policy(`
+ dbus_read_lib_files(alsa_t)
+')
+
+optional_policy(`
hal_use_fds(alsa_t)
hal_write_log(alsa_t)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-09-30 19:03 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-09-30 19:03 UTC (permalink / raw
To: gentoo-commits
commit: b49d468c7748f31d90a1227b23516589e45c4bcf
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Tue Sep 24 07:09:19 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Sep 30 19:02:12 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b49d468c
vdagent: spice-vdagentd uses /dev/vport1p1 virtio console
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/vdagent.te | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/vdagent.te b/policy/modules/contrib/vdagent.te
index 947c70a..d4124f5 100644
--- a/policy/modules/contrib/vdagent.te
+++ b/policy/modules/contrib/vdagent.te
@@ -1,4 +1,4 @@
-policy_module(vdagent, 1.1.0)
+policy_module(vdagent, 1.1.1)
########################################
#
@@ -45,6 +45,8 @@ dev_dontaudit_write_mtrr(vdagent_t)
files_read_etc_files(vdagent_t)
+term_use_virtio_console(vdagent_t)
+
init_read_state(vdagent_t)
logging_send_syslog_msg(vdagent_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-09-30 19:03 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-09-30 19:03 UTC (permalink / raw
To: gentoo-commits
commit: 427a4405fcf5c368d286ae4be7ab87aca9464903
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Wed Sep 25 15:07:18 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Sep 30 19:01:59 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=427a4405
cron: consistent usage of regular expressions cron: prelink no longer runs in the system cronjob domain
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/cron.fc | 4 ++--
policy/modules/contrib/cron.te | 10 +---------
2 files changed, 3 insertions(+), 11 deletions(-)
diff --git a/policy/modules/contrib/cron.fc b/policy/modules/contrib/cron.fc
index d41ecce..3d06fed 100644
--- a/policy/modules/contrib/cron.fc
+++ b/policy/modules/contrib/cron.fc
@@ -20,8 +20,8 @@
/var/log/rpmpkgs.* -- gen_context(system_u:object_r:cron_log_t,s0)
/var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
-/var/run/crond?\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
-/var/run/crond?\.reboot -- gen_context(system_u:object_r:crond_var_run_t,s0)
+/var/run/cron(d)?\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+/var/run/cron(d)?\.reboot -- gen_context(system_u:object_r:crond_var_run_t,s0)
/var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0)
/var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
/var/run/.*cron.* -- gen_context(system_u:object_r:crond_var_run_t,s0)
diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te
index 3776173..6cd8495 100644
--- a/policy/modules/contrib/cron.te
+++ b/policy/modules/contrib/cron.te
@@ -1,4 +1,4 @@
-policy_module(cron, 2.6.2)
+policy_module(cron, 2.6.3)
gen_require(`
class passwd rootok;
@@ -602,14 +602,6 @@ optional_policy(`
')
optional_policy(`
- prelink_delete_cache(system_cronjob_t)
- prelink_manage_lib(system_cronjob_t)
- prelink_manage_log(system_cronjob_t)
- prelink_read_cache(system_cronjob_t)
- prelink_relabelfrom_lib(system_cronjob_t)
-')
-
-optional_policy(`
samba_read_config(system_cronjob_t)
samba_read_log(system_cronjob_t)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-09-30 19:03 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-09-30 19:03 UTC (permalink / raw
To: gentoo-commits
commit: 3f61533949b93aa16fe98837bd3aa6c86cb40abd
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Tue Sep 24 10:02:43 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Sep 30 19:02:14 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=3f615339
tmpreaper: mountall-bootcl in the tmpreaper_t domain reads, writes /dev/pts/0 inherited from init script
tmpreaper: mountall-bootcl reads pipe:[5519] on pipefs
tmpreaper: mountall-bootcl executes /bin/cat
tmpreaper: mountall-bootcl executes /bin/dash
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/tmpreaper.te | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/tmpreaper.te b/policy/modules/contrib/tmpreaper.te
index 00bd63c..539a616 100644
--- a/policy/modules/contrib/tmpreaper.te
+++ b/policy/modules/contrib/tmpreaper.te
@@ -1,4 +1,4 @@
-policy_module(tmpreaper, 1.7.0)
+policy_module(tmpreaper, 1.7.1)
########################################
#
@@ -15,12 +15,16 @@ init_system_domain(tmpreaper_t, tmpreaper_exec_t)
#
allow tmpreaper_t self:capability { dac_override dac_read_search fowner };
+allow tmpreaper_t self:fifo_file rw_fifo_file_perms;
kernel_list_unlabeled(tmpreaper_t)
kernel_read_system_state(tmpreaper_t)
dev_read_urand(tmpreaper_t)
+corecmd_exec_bin(tmpreaper_t)
+corecmd_exec_shell(tmpreaper_t)
+
fs_getattr_xattr_fs(tmpreaper_t)
fs_list_all(tmpreaper_t)
@@ -37,6 +41,8 @@ mls_file_write_all_levels(tmpreaper_t)
auth_use_nsswitch(tmpreaper_t)
+init_use_inherited_script_ptys(tmpreaper_t)
+
logging_send_syslog_msg(tmpreaper_t)
miscfiles_read_localization(tmpreaper_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-09-30 19:03 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-09-30 19:03 UTC (permalink / raw
To: gentoo-commits
commit: 3e31d710ac06f96cb6fb59c86feab351f8268f09
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Thu Sep 26 08:08:35 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Sep 30 19:02:10 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=3e31d710
devicekit: reads udev pid files modemmanager: reads udev pid files
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/devicekit.te | 3 ++-
policy/modules/contrib/modemmanager.te | 3 ++-
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/devicekit.te b/policy/modules/contrib/devicekit.te
index 215c724..de5e2fa 100644
--- a/policy/modules/contrib/devicekit.te
+++ b/policy/modules/contrib/devicekit.te
@@ -1,4 +1,4 @@
-policy_module(devicekit, 1.3.0)
+policy_module(devicekit, 1.3.1)
########################################
#
@@ -335,6 +335,7 @@ optional_policy(`
optional_policy(`
udev_read_db(devicekit_power_t)
+ udev_manage_pid_files(devicekit_power_t)
')
optional_policy(`
diff --git a/policy/modules/contrib/modemmanager.te b/policy/modules/contrib/modemmanager.te
index 4b30bf3..d15eb5b 100644
--- a/policy/modules/contrib/modemmanager.te
+++ b/policy/modules/contrib/modemmanager.te
@@ -1,4 +1,4 @@
-policy_module(modemmanager, 1.2.0)
+policy_module(modemmanager, 1.2.1)
########################################
#
@@ -54,4 +54,5 @@ optional_policy(`
optional_policy(`
udev_read_db(modemmanager_t)
+ udev_manage_pid_files(modemmanager_t)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-09-30 19:03 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-09-30 19:03 UTC (permalink / raw
To: gentoo-commits
commit: dbba0b6ab4505e103c539802dab362c9e695d9dd
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Thu Sep 26 21:36:48 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Sep 30 19:02:50 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=dbba0b6a
revert regular expressions
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/aide.fc | 2 +-
policy/modules/contrib/amtu.fc | 2 +-
policy/modules/contrib/cron.fc | 2 +-
policy/modules/contrib/finger.fc | 4 ++--
policy/modules/contrib/inetd.fc | 6 +++---
policy/modules/contrib/ircd.fc | 2 +-
policy/modules/contrib/nagios.fc | 4 ++--
policy/modules/contrib/networkmanager.fc | 10 +++++-----
policy/modules/contrib/puppet.fc | 6 +++---
policy/modules/contrib/snort.fc | 2 +-
policy/modules/contrib/tftp.fc | 2 +-
policy/modules/contrib/tor.fc | 2 +-
12 files changed, 22 insertions(+), 22 deletions(-)
diff --git a/policy/modules/contrib/aide.fc b/policy/modules/contrib/aide.fc
index 15eb282..06f050f 100644
--- a/policy/modules/contrib/aide.fc
+++ b/policy/modules/contrib/aide.fc
@@ -1,4 +1,4 @@
-/usr/s?bin/aide -- gen_context(system_u:object_r:aide_exec_t,mls_systemhigh)
+/usr/(s)?bin/aide -- gen_context(system_u:object_r:aide_exec_t,mls_systemhigh)
/var/lib/aide(/.*)? gen_context(system_u:object_r:aide_db_t,mls_systemhigh)
diff --git a/policy/modules/contrib/amtu.fc b/policy/modules/contrib/amtu.fc
index 6392306..305a1a0 100644
--- a/policy/modules/contrib/amtu.fc
+++ b/policy/modules/contrib/amtu.fc
@@ -1,3 +1,3 @@
/etc/rc\.d/init\.d/amtu -- gen_context(system_u:object_r:amtu_initrc_exec_t,s0)
-/usr/s?bin/amtu -- gen_context(system_u:object_r:amtu_exec_t,s0)
+/usr/(s)?bin/amtu -- gen_context(system_u:object_r:amtu_exec_t,s0)
diff --git a/policy/modules/contrib/cron.fc b/policy/modules/contrib/cron.fc
index 3d06fed..266a439 100644
--- a/policy/modules/contrib/cron.fc
+++ b/policy/modules/contrib/cron.fc
@@ -4,7 +4,7 @@
/etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
-/usr/bin/f?crontab -- gen_context(system_u:object_r:crontab_exec_t,s0)
+/usr/bin/(f)?crontab -- gen_context(system_u:object_r:crontab_exec_t,s0)
/usr/libexec/fcron -- gen_context(system_u:object_r:crond_exec_t,s0)
/usr/libexec/fcronsighup -- gen_context(system_u:object_r:crontab_exec_t,s0)
diff --git a/policy/modules/contrib/finger.fc b/policy/modules/contrib/finger.fc
index 5df3720..843940b 100644
--- a/policy/modules/contrib/finger.fc
+++ b/policy/modules/contrib/finger.fc
@@ -1,8 +1,8 @@
/etc/cfingerd(/.*)? gen_context(system_u:object_r:fingerd_etc_t,s0)
-/etc/cron\.weekly/c?fingerd -- gen_context(system_u:object_r:fingerd_exec_t,s0)
+/etc/cron\.weekly/(c)?fingerd -- gen_context(system_u:object_r:fingerd_exec_t,s0)
-/usr/sbin/in\.x?fingerd -- gen_context(system_u:object_r:fingerd_exec_t,s0)
+/usr/sbin/in\.(x)?fingerd -- gen_context(system_u:object_r:fingerd_exec_t,s0)
/usr/sbin/[cef]fingerd -- gen_context(system_u:object_r:fingerd_exec_t,s0)
/var/log/cfingerd\.log.* -- gen_context(system_u:object_r:fingerd_log_t,s0)
diff --git a/policy/modules/contrib/inetd.fc b/policy/modules/contrib/inetd.fc
index d00440b..0374509 100644
--- a/policy/modules/contrib/inetd.fc
+++ b/policy/modules/contrib/inetd.fc
@@ -6,8 +6,8 @@
/usr/sbin/in\..*d -- gen_context(system_u:object_r:inetd_child_exec_t,s0)
/usr/sbin/rlinetd -- gen_context(system_u:object_r:inetd_exec_t,s0)
-/usr/sbin/x?inetd -- gen_context(system_u:object_r:inetd_exec_t,s0)
+/usr/sbin/(x)?inetd -- gen_context(system_u:object_r:inetd_exec_t,s0)
-/var/log/x?inetd\.log.* -- gen_context(system_u:object_r:inetd_log_t,s0)
+/var/log/(x)?inetd\.log.* -- gen_context(system_u:object_r:inetd_log_t,s0)
-/var/run/x?inetd\.pid -- gen_context(system_u:object_r:inetd_var_run_t,s0)
+/var/run/(x)?inetd\.pid -- gen_context(system_u:object_r:inetd_var_run_t,s0)
diff --git a/policy/modules/contrib/ircd.fc b/policy/modules/contrib/ircd.fc
index 0f0e648..8060f08 100644
--- a/policy/modules/contrib/ircd.fc
+++ b/policy/modules/contrib/ircd.fc
@@ -6,7 +6,7 @@
/etc/rc\.d/init\.d/((ircd)|(ngircd)|(dancer-ircd)) -- gen_context(system_u:object_r:ircd_initrc_exec_t,s0)
/usr/sbin/dancer-ircd -- gen_context(system_u:object_r:ircd_exec_t,s0)
-/usr/s?bin/ircd -- gen_context(system_u:object_r:ircd_exec_t,s0)
+/usr/(s)?bin/ircd -- gen_context(system_u:object_r:ircd_exec_t,s0)
/usr/sbin/ngircd -- gen_context(system_u:object_r:ircd_exec_t,s0)
/var/lib/dancer-ircd(/.*)? gen_context(system_u:object_r:ircd_var_lib_t,s0)
diff --git a/policy/modules/contrib/nagios.fc b/policy/modules/contrib/nagios.fc
index 431ce38..5e47e3f 100644
--- a/policy/modules/contrib/nagios.fc
+++ b/policy/modules/contrib/nagios.fc
@@ -4,8 +4,8 @@
/etc/rc\.d/init\.d/nagios -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0)
/etc/rc\.d/init\.d/nrpe -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0)
-/usr/s?bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
-/usr/s?bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0)
+/usr/(s)?bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
+/usr/(s)?bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0)
/usr/lib/cgi-bin/nagios(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
/usr/lib/cgi-bin/netsaint(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
diff --git a/policy/modules/contrib/networkmanager.fc b/policy/modules/contrib/networkmanager.fc
index 4751a7b..a697d60 100644
--- a/policy/modules/contrib/networkmanager.fc
+++ b/policy/modules/contrib/networkmanager.fc
@@ -16,15 +16,15 @@
/usr/lib/NetworkManager/nm-dispatcher\.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
/usr/libexec/nm-dispatcher\.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
-/s?bin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
-/s?bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/(s)?bin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
+/(s)?bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
-/usr/s?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/(s)?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
/usr/sbin/NetworkManagerDispatcher -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
/usr/sbin/nm-system-settings -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
/usr/sbin/wicd -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
-/usr/s?bin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
-/usr/s?bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/(s)?bin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
+/usr/(s)?bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
/var/lib/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)
/var/lib/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)
diff --git a/policy/modules/contrib/puppet.fc b/policy/modules/contrib/puppet.fc
index 9468048..5a6da67 100644
--- a/policy/modules/contrib/puppet.fc
+++ b/policy/modules/contrib/puppet.fc
@@ -3,9 +3,9 @@
/etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppet_initrc_exec_t,s0)
/etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0)
-/usr/s?bin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0)
-/usr/s?bin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
-/usr/s?bin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
+/usr/(s)?bin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0)
+/usr/(s)?bin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
+/usr/(s)?bin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
/var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0)
diff --git a/policy/modules/contrib/snort.fc b/policy/modules/contrib/snort.fc
index f85247b..aae25d9 100644
--- a/policy/modules/contrib/snort.fc
+++ b/policy/modules/contrib/snort.fc
@@ -2,7 +2,7 @@
/etc/snort(/.*)? gen_context(system_u:object_r:snort_etc_t,s0)
-/usr/s?bin/snort -- gen_context(system_u:object_r:snort_exec_t,s0)
+/usr/(s)?bin/snort -- gen_context(system_u:object_r:snort_exec_t,s0)
/usr/sbin/snort-plain -- gen_context(system_u:object_r:snort_exec_t,s0)
/var/log/snort(/.*)? gen_context(system_u:object_r:snort_log_t,s0)
diff --git a/policy/modules/contrib/tftp.fc b/policy/modules/contrib/tftp.fc
index cd569af..3dd87da 100644
--- a/policy/modules/contrib/tftp.fc
+++ b/policy/modules/contrib/tftp.fc
@@ -1,4 +1,4 @@
-/etc/x?inetd\.d/tftp -- gen_context(system_u:object_r:tftpd_conf_t,s0)
+/etc/(x)?inetd\.d/tftp -- gen_context(system_u:object_r:tftpd_conf_t,s0)
/usr/sbin/atftpd -- gen_context(system_u:object_r:tftpd_exec_t,s0)
/usr/sbin/in\.tftpd -- gen_context(system_u:object_r:tftpd_exec_t,s0)
diff --git a/policy/modules/contrib/tor.fc b/policy/modules/contrib/tor.fc
index 420a5ee..14a355a 100644
--- a/policy/modules/contrib/tor.fc
+++ b/policy/modules/contrib/tor.fc
@@ -2,7 +2,7 @@
/etc/rc\.d/init\.d/tor -- gen_context(system_u:object_r:tor_initrc_exec_t,s0)
-/usr/s?bin/tor -- gen_context(system_u:object_r:tor_exec_t,s0)
+/usr/(s)?bin/tor -- gen_context(system_u:object_r:tor_exec_t,s0)
/var/lib/tor(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0)
/var/lib/tor-data(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-09-30 19:03 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-09-30 19:03 UTC (permalink / raw
To: gentoo-commits
commit: ddd5723692850dcd882d3466d65b2be7a65908d0
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Thu Sep 26 06:37:45 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Sep 30 19:00:57 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ddd57236
slocate: catch /usr/bin/updatedb.mlocate, and /etc/cron.daily/mlocate on Debian
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/slocate.fc | 4 +++-
policy/modules/contrib/slocate.te | 2 +-
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/slocate.fc b/policy/modules/contrib/slocate.fc
index 6eede98..19dbf4f 100644
--- a/policy/modules/contrib/slocate.fc
+++ b/policy/modules/contrib/slocate.fc
@@ -1,3 +1,5 @@
-/usr/bin/updatedb -- gen_context(system_u:object_r:locate_exec_t, s0)
+/etc/cron\.daily/[sm]locate -- gen_context(system_u:object_r:locate_exec_t,s0)
+
+/usr/bin/updatedb.* -- gen_context(system_u:object_r:locate_exec_t,s0)
/var/lib/[sm]locate(/.*)? gen_context(system_u:object_r:locate_var_lib_t,s0)
diff --git a/policy/modules/contrib/slocate.te b/policy/modules/contrib/slocate.te
index 4df4417..b362a61 100644
--- a/policy/modules/contrib/slocate.te
+++ b/policy/modules/contrib/slocate.te
@@ -1,4 +1,4 @@
-policy_module(slocate, 1.12.0)
+policy_module(slocate, 1.12.1)
#################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-09-30 19:03 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-09-30 19:03 UTC (permalink / raw
To: gentoo-commits
commit: 4f4a207906eee4cf7ac4c0d538750c64e1f10cc3
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Wed Sep 25 22:15:18 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Sep 30 19:00:54 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=4f4a2079
mta: this needs to be verified again, it should just have been running in exim_t. I might have taken this from old logs
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/mta.te | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/policy/modules/contrib/mta.te b/policy/modules/contrib/mta.te
index 2ac5012..a36599f 100644
--- a/policy/modules/contrib/mta.te
+++ b/policy/modules/contrib/mta.te
@@ -1,4 +1,4 @@
-policy_module(mta, 2.7.0)
+policy_module(mta, 2.7.2)
########################################
#
@@ -245,10 +245,8 @@ optional_policy(`
')
optional_policy(`
- kernel_read_crypto_sysctls(system_mail_t)
exim_domtrans(system_mail_t)
exim_manage_log(system_mail_t)
- exim_read_var_lib_files(system_mail_t)
')
optional_policy(`
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-09-30 19:03 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-09-30 19:03 UTC (permalink / raw
To: gentoo-commits
commit: f4fe0ad50474a788016bffa6dfc9afee4a080c8c
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Thu Sep 26 06:34:23 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Sep 30 19:00:56 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f4fe0ad5
mandb: /etc/cron.daily/man-db executes dpkg, reads dpkg db on Debian
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/dpkg.if | 19 +++++++++++++++++++
policy/modules/contrib/mandb.te | 7 ++++++-
2 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/dpkg.if b/policy/modules/contrib/dpkg.if
index 9aa68a6..fdc06d6 100644
--- a/policy/modules/contrib/dpkg.if
+++ b/policy/modules/contrib/dpkg.if
@@ -21,6 +21,25 @@ interface(`dpkg_domtrans',`
########################################
## <summary>
+## Execute the dkpg in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dpkg_exec',`
+ gen_require(`
+ type dpkg_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, dpkg_exec_t)
+')
+
+########################################
+## <summary>
## Execute dpkg_script programs in
## the dpkg_script domain.
## </summary>
diff --git a/policy/modules/contrib/mandb.te b/policy/modules/contrib/mandb.te
index 0fb1897..1465f27 100644
--- a/policy/modules/contrib/mandb.te
+++ b/policy/modules/contrib/mandb.te
@@ -1,4 +1,4 @@
-policy_module(mandb, 1.1.0)
+policy_module(mandb, 1.1.1)
########################################
#
@@ -47,3 +47,8 @@ optional_policy(`
optional_policy(`
cron_system_entry(mandb_t, mandb_exec_t)
')
+
+optional_policy(`
+ dpkg_exec(mandb_t)
+ dpkg_read_db(mandb_t)
+')
\ No newline at end of file
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-09-30 19:03 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-09-30 19:03 UTC (permalink / raw
To: gentoo-commits
commit: 35a8e7e6fe55cadb8bb8d163e9beb2c69e4e534b
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Wed Sep 25 15:44:30 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Sep 30 19:00:52 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=35a8e7e6
apt: As it turns out the /var/backups directory is labeled in the backup module (which i incidentally did not have installed earlier). Instead of creating this file with a file type transition to apt_var_cache_t, allow apt_t to manage backup_store files
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/apt.fc | 2 --
policy/modules/contrib/apt.te | 6 +++++-
policy/modules/contrib/backup.if | 20 ++++++++++++++++++++
policy/modules/contrib/backup.te | 2 +-
4 files changed, 26 insertions(+), 4 deletions(-)
diff --git a/policy/modules/contrib/apt.fc b/policy/modules/contrib/apt.fc
index edb4fd4..7b20801 100644
--- a/policy/modules/contrib/apt.fc
+++ b/policy/modules/contrib/apt.fc
@@ -10,8 +10,6 @@ ifndef(`distro_redhat',`
/var/lib/PackageKit(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
')
-/var/backups/dpkg.* -- gen_context(system_u:object_r:apt_var_cache_t,s0)
-
/var/cache/apt(/.*)? gen_context(system_u:object_r:apt_var_cache_t,s0)
/var/lib/apt(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
diff --git a/policy/modules/contrib/apt.te b/policy/modules/contrib/apt.te
index 90c630d..e423967 100644
--- a/policy/modules/contrib/apt.te
+++ b/policy/modules/contrib/apt.te
@@ -1,4 +1,4 @@
-policy_module(apt, 1.8.0)
+policy_module(apt, 1.8.1)
########################################
#
@@ -121,6 +121,10 @@ sysnet_read_config(apt_t)
userdom_use_user_terminals(apt_t)
optional_policy(`
+ backup_manage_store_files(apt_t)
+')
+
+optional_policy(`
cron_system_entry(apt_t, apt_exec_t)
')
diff --git a/policy/modules/contrib/backup.if b/policy/modules/contrib/backup.if
index 894810e..fe3f740 100644
--- a/policy/modules/contrib/backup.if
+++ b/policy/modules/contrib/backup.if
@@ -45,3 +45,23 @@ interface(`backup_run',`
backup_domtrans($1)
roleattribute $2 backup_roles;
')
+
+########################################
+## <summary>
+## Create, read, and write backup
+## store files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`backup_manage_store_files',`
+ gen_require(`
+ type backup_store_t;
+ ')
+
+ files_search_var($1)
+ manage_files_pattern($1, backup_store_t, backup_store_t)
+')
diff --git a/policy/modules/contrib/backup.te b/policy/modules/contrib/backup.te
index b9f8b55..1bb1e7f 100644
--- a/policy/modules/contrib/backup.te
+++ b/policy/modules/contrib/backup.te
@@ -1,4 +1,4 @@
-policy_module(backup, 1.6.0)
+policy_module(backup, 1.6.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-09-27 6:50 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-09-27 6:50 UTC (permalink / raw
To: gentoo-commits
commit: 4e710235ceb2d01aa852456a7be29e8be727947a
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Sep 27 06:50:07 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Sep 27 06:50:07 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=4e710235
Do not audit connects to unreserved ports if boolean is off
---
policy/modules/contrib/mozilla.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
index 5e89868..f08179d 100644
--- a/policy/modules/contrib/mozilla.te
+++ b/policy/modules/contrib/mozilla.te
@@ -734,6 +734,8 @@ gen_tunable(mozilla_plugin_connect_all_unreserved, false)
tunable_policy(`mozilla_plugin_connect_all_unreserved', `
corenet_sendrecv_all_client_packets(mozilla_plugin_t)
corenet_tcp_connect_all_unreserved_ports(mozilla_plugin_t)
+ ',`
+ corenet_dontaudit_tcp_connect_all_unreserved_ports(mozilla_plugin_t)
')
optional_policy(`
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-09-26 18:47 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-09-26 18:47 UTC (permalink / raw
To: gentoo-commits
commit: 7d060f2880ed17e2ab15ae44eed7028fc96fa07f
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Sep 26 18:47:33 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Sep 26 18:47:33 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=7d060f28
Fix bug #486088 - Correct file context for sandbox binary
---
policy/modules/contrib/chromium.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/chromium.fc b/policy/modules/contrib/chromium.fc
index defd4f1..86bac46 100644
--- a/policy/modules/contrib/chromium.fc
+++ b/policy/modules/contrib/chromium.fc
@@ -1,5 +1,6 @@
/usr/lib/chromium-browser/chrome -- gen_context(system_u:object_r:chromium_exec_t,s0)
/usr/lib/chromium-browser/chrome_sandbox -- gen_context(system_u:object_r:chromium_sandbox_exec_t,s0)
+/usr/lib/chromium-browser/chrome-sandbox -- gen_context(system_u:object_r:chromium_sandbox_exec_t,s0)
/usr/lib/chromium-browser/chromium-launcher\.sh -- gen_context(system_u:object_r:chromium_exec_t,s0)
/usr/lib/chromium-browser/nacl_helper_bootstrap -- gen_context(system_u:object_r:chromium_naclhelper_exec_t,s0)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-09-25 18:05 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-09-25 18:05 UTC (permalink / raw
To: gentoo-commits
commit: c2d10ed6ad80c4c442bc939a97996159b8eec3c3
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Sep 25 18:04:33 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Sep 25 18:04:33 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=c2d10ed6
Add portage_ro_role to allow read-only access to Portage files
The portage_ro_role() can be assigned to users who are allowed to view
Portage related files but not touch them or switch to the portage
domains.
Patch initially brought forward by Luis Ressel, adapted to match coding
style & separate dontaudit into its own interface.
---
policy/modules/contrib/portage.if | 61 +++++++++++++++++++++++++++++++++++++++
1 file changed, 61 insertions(+)
diff --git a/policy/modules/contrib/portage.if b/policy/modules/contrib/portage.if
index fd1ae2a..fe656fa 100644
--- a/policy/modules/contrib/portage.if
+++ b/policy/modules/contrib/portage.if
@@ -385,6 +385,49 @@ interface(`portage_eselect_module',`
########################################
## <summary>
+## Read all portage files
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`portage_ro_role',`
+ portage_read_cache($1)
+ portage_read_config($1)
+ portage_read_db($1)
+ portage_read_ebuild($1)
+ portage_dontaudit_write_cache($1)
+')
+
+########################################
+## <summary>
+## Read portage db files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`portage_read_db',`
+ gen_require(`
+ type portage_db_t;
+ ')
+
+ files_search_var($1)
+ list_dirs_pattern($1, portage_db_t, portage_db_t)
+ read_files_pattern($1, portage_db_t, portage_db_t)
+')
+
+########################################
+## <summary>
## Read portage cache files
## </summary>
## <param name="domain">
@@ -446,3 +489,21 @@ interface(`portage_read_ebuild',`
read_lnk_files_pattern($1, portage_ebuild_t, portage_ebuild_t)
')
+########################################
+## <summary>
+## Do not audit writing portage cache files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`portage_dontaudit_write_cache',`
+ gen_require(`
+ type portage_cache_t;
+ ')
+
+ dontaudit $1 portage_cache_t:dir { write };
+')
+
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-09-25 17:50 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-09-25 17:50 UTC (permalink / raw
To: gentoo-commits
commit: e26d881593866de2d16eebdb7b5330dc90912492
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Wed Sep 25 11:49:18 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Sep 25 17:49:46 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e26d8815
Cleanups of various modules with regard to regular expressions and white space
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/aide.fc | 3 +-
policy/modules/contrib/amtu.fc | 4 +--
policy/modules/contrib/apt.fc | 4 +--
policy/modules/contrib/cron.fc | 61 ++++++++++++++++----------------
policy/modules/contrib/dbskk.fc | 1 -
policy/modules/contrib/dhcp.fc | 8 ++---
policy/modules/contrib/entropyd.fc | 2 +-
policy/modules/contrib/finger.fc | 4 +--
policy/modules/contrib/firewallgui.fc | 2 +-
policy/modules/contrib/hal.fc | 6 ++--
policy/modules/contrib/inetd.fc | 7 ++--
policy/modules/contrib/ircd.fc | 4 +--
policy/modules/contrib/mailman.fc | 3 +-
policy/modules/contrib/mandb.fc | 3 +-
policy/modules/contrib/minidlna.fc | 6 ++--
policy/modules/contrib/nagios.fc | 7 ++--
policy/modules/contrib/networkmanager.fc | 14 +++-----
policy/modules/contrib/puppet.fc | 10 ++----
policy/modules/contrib/radius.fc | 2 +-
policy/modules/contrib/smoltclient.fc | 2 +-
policy/modules/contrib/smstools.fc | 2 +-
policy/modules/contrib/snmp.fc | 2 +-
policy/modules/contrib/snort.fc | 4 +--
policy/modules/contrib/tcsd.fc | 3 +-
policy/modules/contrib/tftp.fc | 2 +-
policy/modules/contrib/tmpreaper.fc | 4 +--
policy/modules/contrib/tor.fc | 4 +--
policy/modules/contrib/tuned.fc | 2 +-
policy/modules/contrib/uwimap.fc | 2 +-
policy/modules/contrib/virt.fc | 5 ++-
policy/modules/contrib/w3c.fc | 2 +-
policy/modules/contrib/zabbix.fc | 15 ++++----
32 files changed, 85 insertions(+), 115 deletions(-)
diff --git a/policy/modules/contrib/aide.fc b/policy/modules/contrib/aide.fc
index b2f47de..15eb282 100644
--- a/policy/modules/contrib/aide.fc
+++ b/policy/modules/contrib/aide.fc
@@ -1,5 +1,4 @@
-/usr/bin/aide -- gen_context(system_u:object_r:aide_exec_t,mls_systemhigh)
-/usr/sbin/aide -- gen_context(system_u:object_r:aide_exec_t,mls_systemhigh)
+/usr/s?bin/aide -- gen_context(system_u:object_r:aide_exec_t,mls_systemhigh)
/var/lib/aide(/.*)? gen_context(system_u:object_r:aide_db_t,mls_systemhigh)
diff --git a/policy/modules/contrib/amtu.fc b/policy/modules/contrib/amtu.fc
index 67e5f70..6392306 100644
--- a/policy/modules/contrib/amtu.fc
+++ b/policy/modules/contrib/amtu.fc
@@ -1,5 +1,3 @@
/etc/rc\.d/init\.d/amtu -- gen_context(system_u:object_r:amtu_initrc_exec_t,s0)
-/usr/bin/amtu -- gen_context(system_u:object_r:amtu_exec_t,s0)
-
-/usr/sbin/amtu -- gen_context(system_u:object_r:amtu_exec_t,s0)
+/usr/s?bin/amtu -- gen_context(system_u:object_r:amtu_exec_t,s0)
diff --git a/policy/modules/contrib/apt.fc b/policy/modules/contrib/apt.fc
index 19418b5..edb4fd4 100644
--- a/policy/modules/contrib/apt.fc
+++ b/policy/modules/contrib/apt.fc
@@ -1,12 +1,10 @@
/etc/cron\.daily/apt -- gen_context(system_u:object_r:apt_exec_t,s0)
+ifndef(`distro_redhat',`
/usr/bin/apt-get -- gen_context(system_u:object_r:apt_exec_t,s0)
/usr/bin/apt-shell -- gen_context(system_u:object_r:apt_exec_t,s0)
/usr/bin/aptitude -- gen_context(system_u:object_r:apt_exec_t,s0)
-
/usr/sbin/synaptic -- gen_context(system_u:object_r:apt_exec_t,s0)
-
-ifndef(`distro_redhat',`
/usr/lib/packagekit/packagekitd -- gen_context(system_u:object_r:apt_exec_t,s0)
/var/cache/PackageKit(/.*)? gen_context(system_u:object_r:apt_var_cache_t,s0)
/var/lib/PackageKit(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
diff --git a/policy/modules/contrib/cron.fc b/policy/modules/contrib/cron.fc
index 0e0c1f4..d41ecce 100644
--- a/policy/modules/contrib/cron.fc
+++ b/policy/modules/contrib/cron.fc
@@ -1,61 +1,62 @@
-/etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
-/etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
-
/etc/rc\.d/init\.d/anacron -- gen_context(system_u:object_r:crond_initrc_exec_t,s0)
-/usr/bin/(f)?crontab -- gen_context(system_u:object_r:crontab_exec_t,s0)
+/etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
+/etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+
+
+/usr/bin/f?crontab -- gen_context(system_u:object_r:crontab_exec_t,s0)
-/usr/libexec/fcron -- gen_context(system_u:object_r:crond_exec_t,s0)
+/usr/libexec/fcron -- gen_context(system_u:object_r:crond_exec_t,s0)
/usr/libexec/fcronsighup -- gen_context(system_u:object_r:crontab_exec_t,s0)
-/usr/sbin/anacron -- gen_context(system_u:object_r:anacron_exec_t,s0)
-/usr/sbin/cron(d)? -- gen_context(system_u:object_r:crond_exec_t,s0)
-/usr/sbin/fcron -- gen_context(system_u:object_r:crond_exec_t,s0)
-/usr/sbin/fcronsighup -- gen_context(system_u:object_r:crontab_exec_t,s0)
+/usr/sbin/anacron -- gen_context(system_u:object_r:anacron_exec_t,s0)
+/usr/sbin/cron(d)? -- gen_context(system_u:object_r:crond_exec_t,s0)
+/usr/sbin/fcron -- gen_context(system_u:object_r:crond_exec_t,s0)
+/usr/sbin/fcronsighup -- gen_context(system_u:object_r:crontab_exec_t,s0)
-/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0)
+/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0)
-/var/log/cron.* gen_context(system_u:object_r:cron_log_t,s0)
-/var/log/rpmpkgs.* -- gen_context(system_u:object_r:cron_log_t,s0)
+/var/log/cron.* gen_context(system_u:object_r:cron_log_t,s0)
+/var/log/rpmpkgs.* -- gen_context(system_u:object_r:cron_log_t,s0)
-/var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
-/var/run/crond?\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
-/var/run/crond?\.reboot -- gen_context(system_u:object_r:crond_var_run_t,s0)
-/var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0)
-/var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
-/var/run/.*cron.* -- gen_context(system_u:object_r:crond_var_run_t,s0)
+/var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+/var/run/crond?\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+/var/run/crond?\.reboot -- gen_context(system_u:object_r:crond_var_run_t,s0)
+/var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0)
+/var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+/var/run/.*cron.* -- gen_context(system_u:object_r:crond_var_run_t,s0)
-/var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
+/var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
-/var/spool/cron -d gen_context(system_u:object_r:cron_spool_t,s0)
-#/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
-/var/spool/cron/[^/]* -- <<none>>
+/var/spool/cron -d gen_context(system_u:object_r:cron_spool_t,s0)
+#/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
+/var/spool/cron/[^/]* -- <<none>>
/var/spool/cron/crontabs -d gen_context(system_u:object_r:cron_spool_t,s0)
/var/spool/cron/crontabs/.* -- <<none>>
#/var/spool/cron/crontabs/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
-/var/spool/fcron -d gen_context(system_u:object_r:cron_spool_t,s0)
-/var/spool/fcron/.* <<none>>
+/var/spool/fcron -d gen_context(system_u:object_r:cron_spool_t,s0)
+/var/spool/fcron/.* <<none>>
/var/spool/fcron/systab\.orig -- gen_context(system_u:object_r:system_cron_spool_t,s0)
-/var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+/var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/fcron/systab\.tmp -- gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/fcron/rm\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
ifdef(`distro_debian',`
-/var/spool/cron/atjobs -d gen_context(system_u:object_r:cron_spool_t,s0)
+/var/spool/cron/atjobs -d gen_context(system_u:object_r:cron_spool_t,s0)
/var/spool/cron/atjobs/[^/]* -- <<none>>
-/var/spool/cron/atspool -d gen_context(system_u:object_r:cron_spool_t,s0)
+/var/spool/cron/atspool -d gen_context(system_u:object_r:cron_spool_t,s0)
')
ifdef(`distro_gentoo',`
-/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
+/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
/var/spool/cron/lastrun/[^/]* -- <<none>>
')
ifdef(`distro_suse',`
-/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
+/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
/var/spool/cron/lastrun/[^/]* -- <<none>>
-/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0)
+/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0)
')
diff --git a/policy/modules/contrib/dbskk.fc b/policy/modules/contrib/dbskk.fc
index 7af2590..6fb8fea 100644
--- a/policy/modules/contrib/dbskk.fc
+++ b/policy/modules/contrib/dbskk.fc
@@ -1,2 +1 @@
-
/usr/sbin/dbskkd-cdb -- gen_context(system_u:object_r:dbskkd_exec_t,s0)
diff --git a/policy/modules/contrib/dhcp.fc b/policy/modules/contrib/dhcp.fc
index 7956248..8182c48 100644
--- a/policy/modules/contrib/dhcp.fc
+++ b/policy/modules/contrib/dhcp.fc
@@ -1,8 +1,8 @@
/etc/rc\.d/init\.d/dhcpd(6)? -- gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0)
-/usr/sbin/dhcpd.* -- gen_context(system_u:object_r:dhcpd_exec_t,s0)
+/usr/sbin/dhcpd.* -- gen_context(system_u:object_r:dhcpd_exec_t,s0)
-/var/lib/dhcpd(/.*)? gen_context(system_u:object_r:dhcpd_state_t,s0)
-/var/lib/dhcp(3)?/dhcpd\.leases.* -- gen_context(system_u:object_r:dhcpd_state_t,s0)
+/var/lib/dhcpd(/.*)? gen_context(system_u:object_r:dhcpd_state_t,s0)
+/var/lib/dhcp(3)?/dhcpd\.leases.* -- gen_context(system_u:object_r:dhcpd_state_t,s0)
-/var/run/dhcpd(6)?\.pid -- gen_context(system_u:object_r:dhcpd_var_run_t,s0)
+/var/run/dhcpd(6)?\.pid -- gen_context(system_u:object_r:dhcpd_var_run_t,s0)
diff --git a/policy/modules/contrib/entropyd.fc b/policy/modules/contrib/entropyd.fc
index c698711..ee38542 100644
--- a/policy/modules/contrib/entropyd.fc
+++ b/policy/modules/contrib/entropyd.fc
@@ -4,4 +4,4 @@
/usr/sbin/haveged -- gen_context(system_u:object_r:entropyd_exec_t,s0)
/var/run/audio-entropyd\.pid -- gen_context(system_u:object_r:entropyd_var_run_t,s0)
-/var/run/haveged\.pid -- gen_context(system_u:object_r:entropyd_var_run_t,s0)
+/var/run/haveged\.pid -- gen_context(system_u:object_r:entropyd_var_run_t,s0)
diff --git a/policy/modules/contrib/finger.fc b/policy/modules/contrib/finger.fc
index 843940b..5df3720 100644
--- a/policy/modules/contrib/finger.fc
+++ b/policy/modules/contrib/finger.fc
@@ -1,8 +1,8 @@
/etc/cfingerd(/.*)? gen_context(system_u:object_r:fingerd_etc_t,s0)
-/etc/cron\.weekly/(c)?fingerd -- gen_context(system_u:object_r:fingerd_exec_t,s0)
+/etc/cron\.weekly/c?fingerd -- gen_context(system_u:object_r:fingerd_exec_t,s0)
-/usr/sbin/in\.(x)?fingerd -- gen_context(system_u:object_r:fingerd_exec_t,s0)
+/usr/sbin/in\.x?fingerd -- gen_context(system_u:object_r:fingerd_exec_t,s0)
/usr/sbin/[cef]fingerd -- gen_context(system_u:object_r:fingerd_exec_t,s0)
/var/log/cfingerd\.log.* -- gen_context(system_u:object_r:fingerd_log_t,s0)
diff --git a/policy/modules/contrib/firewallgui.fc b/policy/modules/contrib/firewallgui.fc
index ef1f43d..94ab048 100644
--- a/policy/modules/contrib/firewallgui.fc
+++ b/policy/modules/contrib/firewallgui.fc
@@ -1 +1 @@
-/usr/share/system-config-firewall/system-config-firewall-mechanism.py -- gen_context(system_u:object_r:firewallgui_exec_t,s0)
+/usr/share/system-config-firewall/system-config-firewall-mechanism\.py -- gen_context(system_u:object_r:firewallgui_exec_t,s0)
diff --git a/policy/modules/contrib/hal.fc b/policy/modules/contrib/hal.fc
index 2899bad..c9f4520 100644
--- a/policy/modules/contrib/hal.fc
+++ b/policy/modules/contrib/hal.fc
@@ -1,5 +1,5 @@
-/etc/hal/device\.d/printer_remove\.hal -- gen_context(system_u:object_r:hald_exec_t,s0)
/etc/hal/capability\.d/printer_update\.hal -- gen_context(system_u:object_r:hald_exec_t,s0)
+/etc/hal/device\.d/printer_remove\.hal -- gen_context(system_u:object_r:hald_exec_t,s0)
/usr/bin/hal-setup-keymap -- gen_context(system_u:object_r:hald_keymap_exec_t,s0)
@@ -9,14 +9,14 @@
/usr/libexec/hal-system-sonypic -- gen_context(system_u:object_r:hald_sonypic_exec_t,s0)
/usr/libexec/hald-addon-macbookpro-backlight -- gen_context(system_u:object_r:hald_mac_exec_t,s0)
/usr/libexec/hald-addon-macbook-backlight -- gen_context(system_u:object_r:hald_mac_exec_t,s0)
-/usr/sbin/radeontool -- gen_context(system_u:object_r:hald_mac_exec_t,s0)
/usr/sbin/hald -- gen_context(system_u:object_r:hald_exec_t,s0)
+/usr/sbin/radeontool -- gen_context(system_u:object_r:hald_mac_exec_t,s0)
/var/cache/hald(/.*)? gen_context(system_u:object_r:hald_cache_t,s0)
-/var/lib/hal(/.*)? gen_context(system_u:object_r:hald_var_lib_t,s0)
/var/lib/cache/hald(/.*)? gen_context(system_u:object_r:hald_cache_t,s0)
+/var/lib/hal(/.*)? gen_context(system_u:object_r:hald_var_lib_t,s0)
/var/log/pm(/.*)? gen_context(system_u:object_r:hald_log_t,s0)
diff --git a/policy/modules/contrib/inetd.fc b/policy/modules/contrib/inetd.fc
index 2a5a686..d00440b 100644
--- a/policy/modules/contrib/inetd.fc
+++ b/policy/modules/contrib/inetd.fc
@@ -5,10 +5,9 @@
/usr/sbin/identd -- gen_context(system_u:object_r:inetd_child_exec_t,s0)
/usr/sbin/in\..*d -- gen_context(system_u:object_r:inetd_child_exec_t,s0)
-/usr/sbin/inetd -- gen_context(system_u:object_r:inetd_exec_t,s0)
/usr/sbin/rlinetd -- gen_context(system_u:object_r:inetd_exec_t,s0)
-/usr/sbin/xinetd -- gen_context(system_u:object_r:inetd_exec_t,s0)
+/usr/sbin/x?inetd -- gen_context(system_u:object_r:inetd_exec_t,s0)
-/var/log/(x)?inetd\.log.* -- gen_context(system_u:object_r:inetd_log_t,s0)
+/var/log/x?inetd\.log.* -- gen_context(system_u:object_r:inetd_log_t,s0)
-/var/run/(x)?inetd\.pid -- gen_context(system_u:object_r:inetd_var_run_t,s0)
+/var/run/x?inetd\.pid -- gen_context(system_u:object_r:inetd_var_run_t,s0)
diff --git a/policy/modules/contrib/ircd.fc b/policy/modules/contrib/ircd.fc
index f37eed8..0f0e648 100644
--- a/policy/modules/contrib/ircd.fc
+++ b/policy/modules/contrib/ircd.fc
@@ -5,10 +5,8 @@
/etc/rc\.d/init\.d/((ircd)|(ngircd)|(dancer-ircd)) -- gen_context(system_u:object_r:ircd_initrc_exec_t,s0)
-/usr/bin/ircd -- gen_context(system_u:object_r:ircd_exec_t,s0)
-
/usr/sbin/dancer-ircd -- gen_context(system_u:object_r:ircd_exec_t,s0)
-/usr/sbin/ircd -- gen_context(system_u:object_r:ircd_exec_t,s0)
+/usr/s?bin/ircd -- gen_context(system_u:object_r:ircd_exec_t,s0)
/usr/sbin/ngircd -- gen_context(system_u:object_r:ircd_exec_t,s0)
/var/lib/dancer-ircd(/.*)? gen_context(system_u:object_r:ircd_var_lib_t,s0)
diff --git a/policy/modules/contrib/mailman.fc b/policy/modules/contrib/mailman.fc
index 7fa381b..995d0a5 100644
--- a/policy/modules/contrib/mailman.fc
+++ b/policy/modules/contrib/mailman.fc
@@ -1,5 +1,4 @@
-/etc/cron\.daily/mailman -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
-/etc/cron\.monthly/mailman -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
+/etc/cron\.(daily|monthly)/mailman -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
/etc/mailman.* gen_context(system_u:object_r:mailman_data_t,s0)
diff --git a/policy/modules/contrib/mandb.fc b/policy/modules/contrib/mandb.fc
index 7f47aca..8ae78b5 100644
--- a/policy/modules/contrib/mandb.fc
+++ b/policy/modules/contrib/mandb.fc
@@ -1,2 +1 @@
-/etc/cron\.daily/man-db.* -- gen_context(system_u:object_r:mandb_exec_t,s0)
-/etc/cron\.weekly/man-db.* -- gen_context(system_u:object_r:mandb_exec_t,s0)
+/etc/cron\.(daily|weekly)/man-db.* -- gen_context(system_u:object_r:mandb_exec_t,s0)
diff --git a/policy/modules/contrib/minidlna.fc b/policy/modules/contrib/minidlna.fc
index 9d4cd52..02c1b50 100644
--- a/policy/modules/contrib/minidlna.fc
+++ b/policy/modules/contrib/minidlna.fc
@@ -6,9 +6,9 @@
/var/cache/minidlna(/.*)? gen_context(system_u:object_r:minidlna_db_t,s0)
-/var/lib/minidlna(/.*)? gen_context(system_u:object_r:minidlna_db_t,s0)
+/var/lib/minidlna(/.*)? gen_context(system_u:object_r:minidlna_db_t,s0)
-/var/log/minidlna(/.*)? gen_context(system_u:object_r:minidlna_log_t,s0)
+/var/log/minidlna(/.*)? gen_context(system_u:object_r:minidlna_log_t,s0)
/var/log/minidlna\.log.* -- gen_context(system_u:object_r:minidlna_log_t,s0)
-/var/run/minidlna(/.*)? gen_context(system_u:object_r:minidlna_var_run_t,s0)
+/var/run/minidlna(/.*)? gen_context(system_u:object_r:minidlna_var_run_t,s0)
diff --git a/policy/modules/contrib/nagios.fc b/policy/modules/contrib/nagios.fc
index d78dfc3..431ce38 100644
--- a/policy/modules/contrib/nagios.fc
+++ b/policy/modules/contrib/nagios.fc
@@ -4,11 +4,8 @@
/etc/rc\.d/init\.d/nagios -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0)
/etc/rc\.d/init\.d/nrpe -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0)
-/usr/bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
-/usr/bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0)
-
-/usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
-/usr/sbin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0)
+/usr/s?bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
+/usr/s?bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0)
/usr/lib/cgi-bin/nagios(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
/usr/lib/cgi-bin/netsaint(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
diff --git a/policy/modules/contrib/networkmanager.fc b/policy/modules/contrib/networkmanager.fc
index 7b80c1e..4751a7b 100644
--- a/policy/modules/contrib/networkmanager.fc
+++ b/policy/modules/contrib/networkmanager.fc
@@ -16,19 +16,15 @@
/usr/lib/NetworkManager/nm-dispatcher\.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
/usr/libexec/nm-dispatcher\.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
-/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
-/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/s?bin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
+/s?bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
-/usr/bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
-/usr/bin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
-/usr/bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
-
-/usr/sbin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/s?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
/usr/sbin/NetworkManagerDispatcher -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
/usr/sbin/nm-system-settings -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
/usr/sbin/wicd -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
-/usr/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
-/usr/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/s?bin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
+/usr/s?bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
/var/lib/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)
/var/lib/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)
diff --git a/policy/modules/contrib/puppet.fc b/policy/modules/contrib/puppet.fc
index d68e26d..9468048 100644
--- a/policy/modules/contrib/puppet.fc
+++ b/policy/modules/contrib/puppet.fc
@@ -3,13 +3,9 @@
/etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppet_initrc_exec_t,s0)
/etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0)
-/usr/bin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0)
-/usr/bin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
-/usr/bin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
-
-/usr/sbin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0)
-/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
-/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
+/usr/s?bin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0)
+/usr/s?bin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
+/usr/s?bin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
/var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0)
diff --git a/policy/modules/contrib/radius.fc b/policy/modules/contrib/radius.fc
index c84b7ae..d447e85 100644
--- a/policy/modules/contrib/radius.fc
+++ b/policy/modules/contrib/radius.fc
@@ -1,5 +1,5 @@
/etc/cron\.(daily|monthly)/radiusd -- gen_context(system_u:object_r:radiusd_exec_t,s0)
-/etc/cron\.(daily|weekly|monthly)/freeradius -- gen_context(system_u:object_r:radiusd_exec_t,s0)
+/etc/cron\.((daily)|(weekly)|(monthly))/freeradius -- gen_context(system_u:object_r:radiusd_exec_t,s0)
/etc/rc\.d/init\.d/radiusd -- gen_context(system_u:object_r:radiusd_initrc_exec_t,s0)
diff --git a/policy/modules/contrib/smoltclient.fc b/policy/modules/contrib/smoltclient.fc
index 27ddf8d..1ff2958 100644
--- a/policy/modules/contrib/smoltclient.fc
+++ b/policy/modules/contrib/smoltclient.fc
@@ -1 +1 @@
-/usr/share/smolt/client/sendProfile.py -- gen_context(system_u:object_r:smoltclient_exec_t,s0)
+/usr/share/smolt/client/sendProfile\.py -- gen_context(system_u:object_r:smoltclient_exec_t,s0)
diff --git a/policy/modules/contrib/smstools.fc b/policy/modules/contrib/smstools.fc
index 8e7d825..4afc690 100644
--- a/policy/modules/contrib/smstools.fc
+++ b/policy/modules/contrib/smstools.fc
@@ -1,6 +1,6 @@
/etc/smsd\.conf -- gen_context(system_u:object_r:smsd_conf_t,s0)
-/etc/rc\.d/init\.d/((smsd)|(smstools)) -- gen_context(system_u:object_r:smsd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/(smsd|smstools) -- gen_context(system_u:object_r:smsd_initrc_exec_t,s0)
/usr/sbin/smsd -- gen_context(system_u:object_r:smsd_exec_t,s0)
diff --git a/policy/modules/contrib/snmp.fc b/policy/modules/contrib/snmp.fc
index c73fa24..2f0a2f2 100644
--- a/policy/modules/contrib/snmp.fc
+++ b/policy/modules/contrib/snmp.fc
@@ -1,4 +1,4 @@
-/etc/rc\.d/init\.d/((snmpd)|(snmptrapd)) -- gen_context(system_u:object_r:snmpd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/(snmpd|snmptrapd) -- gen_context(system_u:object_r:snmpd_initrc_exec_t,s0)
/usr/sbin/snmptrap -- gen_context(system_u:object_r:snmpd_exec_t,s0)
/usr/sbin/snmptrapd -- gen_context(system_u:object_r:snmpd_exec_t,s0)
diff --git a/policy/modules/contrib/snort.fc b/policy/modules/contrib/snort.fc
index 24a8e1b..f85247b 100644
--- a/policy/modules/contrib/snort.fc
+++ b/policy/modules/contrib/snort.fc
@@ -2,9 +2,7 @@
/etc/snort(/.*)? gen_context(system_u:object_r:snort_etc_t,s0)
-/usr/bin/snort -- gen_context(system_u:object_r:snort_exec_t,s0)
-
-/usr/sbin/snort -- gen_context(system_u:object_r:snort_exec_t,s0)
+/usr/s?bin/snort -- gen_context(system_u:object_r:snort_exec_t,s0)
/usr/sbin/snort-plain -- gen_context(system_u:object_r:snort_exec_t,s0)
/var/log/snort(/.*)? gen_context(system_u:object_r:snort_log_t,s0)
diff --git a/policy/modules/contrib/tcsd.fc b/policy/modules/contrib/tcsd.fc
index a38b954..c2c2636 100644
--- a/policy/modules/contrib/tcsd.fc
+++ b/policy/modules/contrib/tcsd.fc
@@ -1,5 +1,4 @@
-/etc/rc\.d/init\.d/tcsd -- gen_context(system_u:object_r:tcsd_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/trousers -- gen_context(system_u:object_r:tcsd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/(tcsd|trousers) -- gen_context(system_u:object_r:tcsd_initrc_exec_t,s0)
/usr/sbin/tcsd -- gen_context(system_u:object_r:tcsd_exec_t,s0)
diff --git a/policy/modules/contrib/tftp.fc b/policy/modules/contrib/tftp.fc
index 93a5bf4..cd569af 100644
--- a/policy/modules/contrib/tftp.fc
+++ b/policy/modules/contrib/tftp.fc
@@ -1,4 +1,4 @@
-/etc/xinetd\.d/tftp -- gen_context(system_u:object_r:tftpd_conf_t,s0)
+/etc/x?inetd\.d/tftp -- gen_context(system_u:object_r:tftpd_conf_t,s0)
/usr/sbin/atftpd -- gen_context(system_u:object_r:tftpd_exec_t,s0)
/usr/sbin/in\.tftpd -- gen_context(system_u:object_r:tftpd_exec_t,s0)
diff --git a/policy/modules/contrib/tmpreaper.fc b/policy/modules/contrib/tmpreaper.fc
index ed08c94..d19a6cf 100644
--- a/policy/modules/contrib/tmpreaper.fc
+++ b/policy/modules/contrib/tmpreaper.fc
@@ -1,5 +1,5 @@
-/etc/rc\.d/init\.d/mountall-bootclean.sh -- gen_context(system_u:object_r:tmpreaper_exec_t,s0)
-/etc/rc\.d/init\.d/mountnfs-bootclean.sh -- gen_context(system_u:object_r:tmpreaper_exec_t,s0)
+/etc/rc\.d/init\.d/mountall-bootclean\.sh -- gen_context(system_u:object_r:tmpreaper_exec_t,s0)
+/etc/rc\.d/init\.d/mountnfs-bootclean\.sh -- gen_context(system_u:object_r:tmpreaper_exec_t,s0)
/usr/sbin/tmpreaper -- gen_context(system_u:object_r:tmpreaper_exec_t,s0)
/usr/sbin/tmpwatch -- gen_context(system_u:object_r:tmpreaper_exec_t,s0)
diff --git a/policy/modules/contrib/tor.fc b/policy/modules/contrib/tor.fc
index 6b9d449..420a5ee 100644
--- a/policy/modules/contrib/tor.fc
+++ b/policy/modules/contrib/tor.fc
@@ -2,9 +2,7 @@
/etc/rc\.d/init\.d/tor -- gen_context(system_u:object_r:tor_initrc_exec_t,s0)
-/usr/bin/tor -- gen_context(system_u:object_r:tor_exec_t,s0)
-
-/usr/sbin/tor -- gen_context(system_u:object_r:tor_exec_t,s0)
+/usr/s?bin/tor -- gen_context(system_u:object_r:tor_exec_t,s0)
/var/lib/tor(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0)
/var/lib/tor-data(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0)
diff --git a/policy/modules/contrib/tuned.fc b/policy/modules/contrib/tuned.fc
index 23ba272..956587a 100644
--- a/policy/modules/contrib/tuned.fc
+++ b/policy/modules/contrib/tuned.fc
@@ -1,6 +1,6 @@
/etc/rc\.d/init\.d/tuned -- gen_context(system_u:object_r:tuned_initrc_exec_t,s0)
-/etc/tuned(/.)? gen_context(system_u:object_r:tuned_etc_t,s0)
+/etc/tuned(/.*)? gen_context(system_u:object_r:tuned_etc_t,s0)
/etc/tuned/active_profile -- gen_context(system_u:object_r:tuned_rw_etc_t,s0)
/usr/sbin/tuned -- gen_context(system_u:object_r:tuned_exec_t,s0)
diff --git a/policy/modules/contrib/uwimap.fc b/policy/modules/contrib/uwimap.fc
index 3c504c6..e85c4ae 100644
--- a/policy/modules/contrib/uwimap.fc
+++ b/policy/modules/contrib/uwimap.fc
@@ -1,3 +1,3 @@
-/usr/sbin/imapd -- gen_context(system_u:object_r:imapd_exec_t,s0)
+/usr/sbin/imapd -- gen_context(system_u:object_r:imapd_exec_t,s0)
/var/run/imapd\.pid -- gen_context(system_u:object_r:imapd_var_run_t,s0)
diff --git a/policy/modules/contrib/virt.fc b/policy/modules/contrib/virt.fc
index c30da4c..a4f20bc 100644
--- a/policy/modules/contrib/virt.fc
+++ b/policy/modules/contrib/virt.fc
@@ -9,8 +9,7 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
/etc/libvirt/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0)
/etc/libvirt/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0)
-/etc/rc\.d/init\.d/libvirt-bin -- gen_context(system_u:object_r:virtd_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/libvirtd -- gen_context(system_u:object_r:virtd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/(libvirt-bin|libvirtd) -- gen_context(system_u:object_r:virtd_initrc_exec_t,s0)
/etc/xen -d gen_context(system_u:object_r:virt_etc_t,s0)
/etc/xen/[^/]* -- gen_context(system_u:object_r:virt_etc_t,s0)
@@ -44,7 +43,7 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
/var/run/libguestfs(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
/var/run/libvirtd\.pid -- gen_context(system_u:object_r:virt_var_run_t,s0)
-/var/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
+/var/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
/var/run/libvirt/lxc(/.*)? gen_context(system_u:object_r:virtd_lxc_var_run_t,s0)
/var/run/libvirt-sandbox(/.*)? gen_context(system_u:object_r:virtd_lxc_var_run_t,s0)
/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0-mls_systemhigh)
diff --git a/policy/modules/contrib/w3c.fc b/policy/modules/contrib/w3c.fc
index 4834796..463c799 100644
--- a/policy/modules/contrib/w3c.fc
+++ b/policy/modules/contrib/w3c.fc
@@ -1,4 +1,4 @@
-/usr/lib/cgi-bin/check gen_context(system_u:object_r:httpd_w3c_validator_script_exec_t,s0)
+/usr/lib/cgi-bin/check -- gen_context(system_u:object_r:httpd_w3c_validator_script_exec_t,s0)
/usr/share/w3c-markup-validator(/.*)? gen_context(system_u:object_r:httpd_w3c_validator_content_t,s0)
/usr/share/w3c-markup-validator/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_w3c_validator_script_exec_t,s0)
diff --git a/policy/modules/contrib/zabbix.fc b/policy/modules/contrib/zabbix.fc
index ce10cb1..f83008c 100644
--- a/policy/modules/contrib/zabbix.fc
+++ b/policy/modules/contrib/zabbix.fc
@@ -1,14 +1,11 @@
-/etc/rc\.d/init\.d/((zabbix)|(zabbix-server)) -- gen_context(system_u:object_r:zabbix_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/(zabbix|zabbix-server) -- gen_context(system_u:object_r:zabbix_initrc_exec_t,s0)
/etc/rc\.d/init\.d/zabbix-agentd -- gen_context(system_u:object_r:zabbix_agent_initrc_exec_t,s0)
-/usr/bin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0)
-/usr/bin/zabbix_agentd -- gen_context(system_u:object_r:zabbix_agent_exec_t,s0)
-
-/usr/sbin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0)
-/usr/sbin/zabbix_agentd -- gen_context(system_u:object_r:zabbix_agent_exec_t,s0)
-/usr/sbin/zabbix_server_mysql -- gen_context(system_u:object_r:zabbix_exec_t,s0)
-/usr/sbin/zabbix_server_pgsql -- gen_context(system_u:object_r:zabbix_exec_t,s0)
-/usr/sbin/zabbix_server_sqlite3 -- gen_context(system_u:object_r:zabbix_exec_t,s0)
+/usr/s?bin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0)
+/usr/s?bin/zabbix_agentd -- gen_context(system_u:object_r:zabbix_agent_exec_t,s0)
+/usr/s?bin/zabbix_server_mysql -- gen_context(system_u:object_r:zabbix_exec_t,s0)
+/usr/s?bin/zabbix_server_pgsql -- gen_context(system_u:object_r:zabbix_exec_t,s0)
+/usr/s?bin/zabbix_server_sqlite3 -- gen_context(system_u:object_r:zabbix_exec_t,s0)
/var/log/zabbix(/.*)? gen_context(system_u:object_r:zabbix_log_t,s0)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-09-25 9:49 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-09-25 9:49 UTC (permalink / raw
To: gentoo-commits
commit: 27872daba81b0e4b1075dfa01c83175b424a3141
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Mon Sep 23 07:37:26 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Sep 25 09:48:44 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=27872dab
devicekit: upowerd reads own unix stream socket devicekit: devicekit_power_t (runlevel) read /run/utmp
devicekit: udisksd reads /run/udev/data/b253:0
devicekit: udisksd sends messages to syslogd
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/devicekit.if | 2 +-
policy/modules/contrib/devicekit.te | 5 +++++
2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/devicekit.if b/policy/modules/contrib/devicekit.if
index f1271ae..b1c7ef3 100644
--- a/policy/modules/contrib/devicekit.if
+++ b/policy/modules/contrib/devicekit.if
@@ -155,7 +155,7 @@ interface(`devicekit_append_inherited_log_files',`
')
logging_search_logs($1)
- allow $1 devicekit_log_t:file append;
+ allow $1 devicekit_var_log_t:file append;
devicekit_use_fds_power($1)
')
diff --git a/policy/modules/contrib/devicekit.te b/policy/modules/contrib/devicekit.te
index 7b1ca51..215c724 100644
--- a/policy/modules/contrib/devicekit.te
+++ b/policy/modules/contrib/devicekit.te
@@ -138,6 +138,8 @@ term_use_all_terms(devicekit_disk_t)
auth_use_nsswitch(devicekit_disk_t)
+logging_send_syslog_msg(devicekit_disk_t)
+
miscfiles_read_localization(devicekit_disk_t)
userdom_read_all_users_state(devicekit_disk_t)
@@ -182,6 +184,7 @@ optional_policy(`
optional_policy(`
udev_domtrans(devicekit_disk_t)
udev_read_db(devicekit_disk_t)
+ udev_read_pid_files(devicekit_disk_t)
')
optional_policy(`
@@ -197,6 +200,7 @@ allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_t
allow devicekit_power_t self:process { getsched signal_perms };
allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
+allow devicekit_power_t self:unix_stream_socket create_socket_perms;
allow devicekit_power_t self:netlink_kobject_uevent_socket create_socket_perms;
manage_dirs_pattern(devicekit_power_t, devicekit_tmp_t, devicekit_tmp_t)
@@ -253,6 +257,7 @@ term_use_all_terms(devicekit_power_t)
auth_use_nsswitch(devicekit_power_t)
init_all_labeled_script_domtrans(devicekit_power_t)
+init_read_utmp(devicekit_power_t)
miscfiles_read_localization(devicekit_power_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-09-25 9:49 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-09-25 9:49 UTC (permalink / raw
To: gentoo-commits
commit: e6bd7d69262d7f78547f4949e5a7b017b67e7a67
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Tue Sep 24 10:46:08 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Sep 25 09:43:55 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e6bd7d69
avahi: create a avahi_initrc_domtrans for udev_t: udev runs a avahi dns check script which does, i guess, a dns check. If needed it starts, or stops avahi via its init script. I also created a avahi_manage_pid_files() for udev_t because the script manages a file called "checked_nameservers.*" in /run/avahi-daemon
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/avahi.if | 40 +++++++++++++++++++++++++++++++++++++++-
1 file changed, 39 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/avahi.if b/policy/modules/contrib/avahi.if
index b834cd0..ce712af 100644
--- a/policy/modules/contrib/avahi.if
+++ b/policy/modules/contrib/avahi.if
@@ -21,6 +21,25 @@ interface(`avahi_domtrans',`
########################################
## <summary>
+## Execute avahi init scripts in the
+## init script domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`avahi_initrc_domtrans',`
+ gen_require(`
+ type avahi_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, avahi_initrc_exec_t)
+')
+
+########################################
+## <summary>
## Send generic signals to avahi.
## </summary>
## <param name="domain">
@@ -116,6 +135,25 @@ interface(`avahi_stream_connect',`
########################################
## <summary>
+## Create, read, and write avahi pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`avahi_manage_pid_files',`
+ gen_require(`
+ type avahi_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_files_pattern($1, avahi_var_run_t, avahi_var_run_t)
+')
+
+########################################
+## <summary>
## Do not audit attempts to search
## avahi pid directories.
## </summary>
@@ -159,7 +197,7 @@ interface(`avahi_admin',`
allow $1 avahi_t:process { ptrace signal_perms };
ps_process_pattern($1, avahi_t)
- init_labeled_script_domtrans($1, avahi_initrc_exec_t)
+ avahi_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 avahi_initrc_exec_t system_r;
allow $2 system_r;
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-09-25 9:49 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-09-25 9:49 UTC (permalink / raw
To: gentoo-commits
commit: 0fdabf2b4d8de0a4cbfaa1a6a59611e222a822a2
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Mon Sep 23 08:21:34 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Sep 25 09:48:24 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=0fdabf2b
Cron: /sbin/runlevel reads /run/utmp cron: anacron (system_cronjob_t) reading, writing inherited random crond tmp files (/tmp/tmpfk1VT2O)
Cron: anacron inheriting/using /dev/null
cron: label anacron init script with cron init script file type
devicekit: allow devicekit power to run all init scripts in the initrc_t
domain
These are pre/post suspend/resume scriptlets running in the devicekit
power domain starting, and stopping all kinds of services on suspect,
and resume respectively
cron: anacron reads /run/pm-utils/locks/pm-powersave.lock
basically devicekit_power runs anacron init script with a domain
transition to initrc_t, and then anacron does its thing related to
suspend/resume, or other power management
cron: anacrom appends to /var/log/pm-powersave.log fd that it inherited
from devicekit_power_t
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/cron.fc | 2 ++
policy/modules/contrib/cron.te | 11 +++++++++-
policy/modules/contrib/devicekit.if | 40 +++++++++++++++++++++++++++++++++++++
policy/modules/contrib/devicekit.te | 6 ++----
4 files changed, 54 insertions(+), 5 deletions(-)
diff --git a/policy/modules/contrib/cron.fc b/policy/modules/contrib/cron.fc
index 62764aa..0e0c1f4 100644
--- a/policy/modules/contrib/cron.fc
+++ b/policy/modules/contrib/cron.fc
@@ -1,6 +1,8 @@
/etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
/etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+/etc/rc\.d/init\.d/anacron -- gen_context(system_u:object_r:crond_initrc_exec_t,s0)
+
/usr/bin/(f)?crontab -- gen_context(system_u:object_r:crontab_exec_t,s0)
/usr/libexec/fcron -- gen_context(system_u:object_r:crond_exec_t,s0)
diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te
index 7c58f47..3776173 100644
--- a/policy/modules/contrib/cron.te
+++ b/policy/modules/contrib/cron.te
@@ -422,6 +422,7 @@ optional_policy(`
allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice };
allow system_cronjob_t self:process { signal_perms getsched setsched };
+allow system_cronjob_t self:fd use;
allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
allow system_cronjob_t self:passwd rootok;
@@ -453,6 +454,8 @@ allow system_cronjob_t crond_t:process sigchld;
allow system_cronjob_t cron_spool_t:dir list_dir_perms;
allow system_cronjob_t cron_spool_t:file rw_file_perms;
+allow system_cronjob_t crond_tmp_t:file { read write };
+
kernel_read_kernel_sysctls(system_cronjob_t)
kernel_read_network_state(system_cronjob_t)
kernel_read_system_state(system_cronjob_t)
@@ -500,8 +503,9 @@ files_create_boot_flag(system_cronjob_t)
mls_file_read_to_clearance(system_cronjob_t)
-init_use_script_fds(system_cronjob_t)
init_domtrans_script(system_cronjob_t)
+init_read_utmp(system_cronjob_t)
+init_use_script_fds(system_cronjob_t)
auth_use_nsswitch(system_cronjob_t)
@@ -554,6 +558,11 @@ optional_policy(`
')
optional_policy(`
+ devicekit_read_pid_files(system_cronjob_t)
+ devicekit_append_inherited_log_files(system_cronjob_t)
+')
+
+optional_policy(`
exim_read_spool_files(system_cronjob_t)
')
diff --git a/policy/modules/contrib/devicekit.if b/policy/modules/contrib/devicekit.if
index d294865..f1271ae 100644
--- a/policy/modules/contrib/devicekit.if
+++ b/policy/modules/contrib/devicekit.if
@@ -122,6 +122,46 @@ interface(`devicekit_dbus_chat_power',`
########################################
## <summary>
+## Use and inherit devicekit power
+## file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`devicekit_use_fds_power',`
+ gen_require(`
+ type devicekit_power_t;
+ ')
+
+ allow $1 devicekit_power_t:fd use;
+')
+
+########################################
+## <summary>
+## Append inherited devicekit log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`devicekit_append_inherited_log_files',`
+ gen_require(`
+ type devicekit_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 devicekit_log_t:file append;
+
+ devicekit_use_fds_power($1)
+')
+
+########################################
+## <summary>
## Create, read, write, and delete
## devicekit log files.
## </summary>
diff --git a/policy/modules/contrib/devicekit.te b/policy/modules/contrib/devicekit.te
index 0e6fbcd..7b1ca51 100644
--- a/policy/modules/contrib/devicekit.te
+++ b/policy/modules/contrib/devicekit.te
@@ -252,6 +252,8 @@ term_use_all_terms(devicekit_power_t)
auth_use_nsswitch(devicekit_power_t)
+init_all_labeled_script_domtrans(devicekit_power_t)
+
miscfiles_read_localization(devicekit_power_t)
sysnet_domtrans_ifconfig(devicekit_power_t)
@@ -268,10 +270,6 @@ optional_policy(`
')
optional_policy(`
- cron_initrc_domtrans(devicekit_power_t)
-')
-
-optional_policy(`
dbus_system_bus_client(devicekit_power_t)
allow devicekit_power_t devicekit_t:dbus send_msg;
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-09-25 9:49 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-09-25 9:49 UTC (permalink / raw
To: gentoo-commits
commit: e123a6a37b8a136e36d96b8e09ff75f01502d46b
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Mon Sep 23 11:15:37 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Sep 25 09:42:31 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e123a6a3
accountsd: accounts-daemon lists /var/log
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/accountsd.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/accountsd.te b/policy/modules/contrib/accountsd.te
index 352c36e..3593510 100644
--- a/policy/modules/contrib/accountsd.te
+++ b/policy/modules/contrib/accountsd.te
@@ -50,6 +50,7 @@ auth_read_shadow(accountsd_t)
miscfiles_read_localization(accountsd_t)
+logging_list_logs(accountsd_t)
logging_send_syslog_msg(accountsd_t)
logging_set_loginuid(accountsd_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-09-25 9:49 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-09-25 9:49 UTC (permalink / raw
To: gentoo-commits
commit: 007126b0264ce8c8c55522d41e5440dc5431326f
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Tue Sep 24 10:14:15 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Sep 25 09:43:47 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=007126b0
networkmanager: NetworkManager reads /run/udev/data/n2 file
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/networkmanager.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index 8ad1da6..c27e24b 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -327,6 +327,7 @@ optional_policy(`
optional_policy(`
udev_exec(NetworkManager_t)
udev_read_db(NetworkManager_t)
+ udev_read_pid_files(NetworkManager_t)
')
optional_policy(`
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-09-25 9:49 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-09-25 9:49 UTC (permalink / raw
To: gentoo-commits
commit: 794cd62d84988f4bffb0f25d1634cd98105df03d
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Mon Sep 23 09:02:44 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Sep 25 09:43:19 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=794cd62d
apt: Run apt system cronjobs in the apt_t domain apt: apt system cronjob creates dpkg.status.* files in /var/backup
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/apt.fc | 10 ++++++++--
policy/modules/contrib/apt.te | 2 +-
2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/policy/modules/contrib/apt.fc b/policy/modules/contrib/apt.fc
index 1fd6888..19418b5 100644
--- a/policy/modules/contrib/apt.fc
+++ b/policy/modules/contrib/apt.fc
@@ -1,13 +1,19 @@
-ifndef(`distro_redhat',`
+/etc/cron\.daily/apt -- gen_context(system_u:object_r:apt_exec_t,s0)
+
/usr/bin/apt-get -- gen_context(system_u:object_r:apt_exec_t,s0)
/usr/bin/apt-shell -- gen_context(system_u:object_r:apt_exec_t,s0)
/usr/bin/aptitude -- gen_context(system_u:object_r:apt_exec_t,s0)
-/usr/lib/packagekit/packagekitd -- gen_context(system_u:object_r:apt_exec_t,s0)
+
/usr/sbin/synaptic -- gen_context(system_u:object_r:apt_exec_t,s0)
+
+ifndef(`distro_redhat',`
+/usr/lib/packagekit/packagekitd -- gen_context(system_u:object_r:apt_exec_t,s0)
/var/cache/PackageKit(/.*)? gen_context(system_u:object_r:apt_var_cache_t,s0)
/var/lib/PackageKit(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
')
+/var/backups/dpkg.* -- gen_context(system_u:object_r:apt_var_cache_t,s0)
+
/var/cache/apt(/.*)? gen_context(system_u:object_r:apt_var_cache_t,s0)
/var/lib/apt(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
diff --git a/policy/modules/contrib/apt.te b/policy/modules/contrib/apt.te
index 60a475d..90c630d 100644
--- a/policy/modules/contrib/apt.te
+++ b/policy/modules/contrib/apt.te
@@ -125,7 +125,7 @@ optional_policy(`
')
optional_policy(`
- dbus_system_domain(apt_t, apt_exec_t)
+ dbus_system_domain(apt_t, apt_exec_t)
')
optional_policy(`
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-09-25 9:49 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-09-25 9:49 UTC (permalink / raw
To: gentoo-commits
commit: 8450705117277a6d9f7d9f5d99ae7c54f59440a7
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Tue Sep 24 07:43:32 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Sep 25 09:43:45 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=84507051
rtkit: traverse /proc to get to process state files
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/rtkit.if | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/rtkit.if b/policy/modules/contrib/rtkit.if
index bd35afe..e904ec4 100644
--- a/policy/modules/contrib/rtkit.if
+++ b/policy/modules/contrib/rtkit.if
@@ -57,6 +57,7 @@ interface(`rtkit_scheduled',`
allow rtkit_daemon_t $1:process { getsched setsched };
+ kernel_search_proc($1)
ps_process_pattern(rtkit_daemon_t, $1)
optional_policy(`
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-09-25 9:49 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-09-25 9:49 UTC (permalink / raw
To: gentoo-commits
commit: 776cae9bb9dd4d03be66d4108cab99c030937e48
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Mon Sep 23 14:37:00 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Sep 25 09:43:17 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=776cae9b
dbus: allow system, and session bus clients to answer to dbus unconfined domains
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/dbus.te | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index dda231b..b9838d1 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -256,5 +256,5 @@ optional_policy(`
# Unconfined access to this module
#
-allow dbusd_unconfined { dbusd_session_bus_client dbusd_system_bus_client }:dbus send_msg;
-allow dbusd_unconfined { system_dbusd_t session_bus_type }:dbus all_dbus_perms;
+allow dbusd_unconfined { system_dbusd_t session_bus_type dbusd_session_bus_client dbusd_system_bus_client }:dbus all_dbus_perms;
+allow { dbusd_session_bus_client dbusd_system_bus_client } dbusd_unconfined:dbus send_msg;
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-09-25 9:49 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-09-25 9:49 UTC (permalink / raw
To: gentoo-commits
commit: b814864e552994f1145780b333ff8eee4dc53098
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Tue Sep 24 07:40:07 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Sep 25 09:43:43 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b814864e
mandb: Make the man-db cronjob work on Debian
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/apt.if | 19 +++++++++++++++++++
policy/modules/contrib/mandb.te | 14 +++++++++++++-
2 files changed, 32 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/apt.if b/policy/modules/contrib/apt.if
index e2414c4..cde81d2 100644
--- a/policy/modules/contrib/apt.if
+++ b/policy/modules/contrib/apt.if
@@ -21,6 +21,25 @@ interface(`apt_domtrans',`
########################################
## <summary>
+## Execute the apt in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apt_exec',`
+ gen_require(`
+ type apt_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, apt_exec_t)
+')
+
+########################################
+## <summary>
## Execute apt programs in the apt domain.
## </summary>
## <param name="domain">
diff --git a/policy/modules/contrib/mandb.te b/policy/modules/contrib/mandb.te
index 9e6239c..0fb1897 100644
--- a/policy/modules/contrib/mandb.te
+++ b/policy/modules/contrib/mandb.te
@@ -18,19 +18,31 @@ role mandb_roles types mandb_t;
# Local policy
#
-allow mandb_t self:process signal;
+allow mandb_t self:capability { setuid setgid };
+allow mandb_t self:process { setsched signal };
allow mandb_t self:fifo_file rw_fifo_file_perms;
allow mandb_t self:unix_stream_socket create_stream_socket_perms;
+kernel_read_kernel_sysctls(mandb_t)
kernel_read_system_state(mandb_t)
corecmd_exec_bin(mandb_t)
+corecmd_exec_shell(mandb_t)
+
+dev_search_sysfs(mandb_t)
domain_use_interactive_fds(mandb_t)
files_read_etc_files(mandb_t)
miscfiles_manage_man_cache(mandb_t)
+miscfiles_read_man_pages(mandb_t)
+miscfiles_read_localization(mandb_t)
+
+optional_policy(`
+ apt_exec(mandb_t)
+ apt_read_db(mandb_t)
+')
optional_policy(`
cron_system_entry(mandb_t, mandb_exec_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-09-25 9:49 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-09-25 9:49 UTC (permalink / raw
To: gentoo-commits
commit: 7e400cb31a04dd642b0387c2b6976f60873d7f4f
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Mon Sep 23 13:31:36 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Sep 25 09:42:35 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=7e400cb3
alsa: alsactl listing /dev/shm alsa: alsactl reading /dev/urandom alsa: alsactl getting attributes of devtmpfs / (/dev) alsa: alsactl maintains a pulseaudio tmpfs file
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/alsa.te | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/policy/modules/contrib/alsa.te b/policy/modules/contrib/alsa.te
index 4056063..db4a986 100644
--- a/policy/modules/contrib/alsa.te
+++ b/policy/modules/contrib/alsa.te
@@ -18,6 +18,10 @@ files_config_file(alsa_etc_rw_t)
type alsa_tmp_t;
files_tmp_file(alsa_tmp_t)
+type alsa_tmpfs_t;
+files_tmpfs_file(alsa_tmpfs_t)
+pulseaudio_tmpfs_content(alsa_tmpfs_t)
+
type alsa_var_lib_t;
files_type(alsa_var_lib_t)
@@ -48,6 +52,9 @@ manage_files_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t)
files_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file })
userdom_user_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file })
+allow alsa_t alsa_tmpfs_t:file manage_file_perms;
+fs_tmpfs_filetrans(alsa_t, alsa_tmpfs_t, file)
+
manage_dirs_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
manage_files_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
@@ -55,13 +62,17 @@ kernel_read_system_state(alsa_t)
corecmd_exec_bin(alsa_t)
+dev_getattr_fs(alsa_t)
dev_read_sound(alsa_t)
dev_read_sysfs(alsa_t)
+dev_read_urand(alsa_t)
dev_write_sound(alsa_t)
files_read_usr_files(alsa_t)
files_search_var_lib(alsa_t)
+fs_list_tmpfs(alsa_t)
+
term_dontaudit_use_console(alsa_t)
term_dontaudit_use_generic_ptys(alsa_t)
term_dontaudit_use_all_ptys(alsa_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-09-25 9:49 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-09-25 9:49 UTC (permalink / raw
To: gentoo-commits
commit: 71aa5510fa86ccf931d681201a070de5124d55f4
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Tue Sep 24 11:31:19 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Sep 25 09:42:15 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=71aa5510
redis: allow redis to bind tcp sockets to redis_port_t type ports
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/redis.te | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/policy/modules/contrib/redis.te b/policy/modules/contrib/redis.te
index f98e40e..25cd417 100644
--- a/policy/modules/contrib/redis.te
+++ b/policy/modules/contrib/redis.te
@@ -1,4 +1,4 @@
-policy_module(redis, 1.0.0)
+policy_module(redis, 1.0.1)
########################################
#
@@ -51,9 +51,9 @@ corenet_tcp_sendrecv_generic_if(redis_t)
corenet_tcp_sendrecv_generic_node(redis_t)
corenet_tcp_bind_generic_node(redis_t)
-# corenet_sendrecv_redis_server_packets(redis_t)
-# corenet_tcp_bind_redis_port(redis_t)
-# corenet_tcp_sendrecv_redis_port(redis_t)
+corenet_sendrecv_redis_server_packets(redis_t)
+corenet_tcp_bind_redis_port(redis_t)
+corenet_tcp_sendrecv_redis_port(redis_t)
dev_read_sysfs(redis_t)
dev_read_urand(redis_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-09-25 9:49 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-09-25 9:49 UTC (permalink / raw
To: gentoo-commits
commit: dcc4d7193a9af4feb3502c5c8c49abccb880e20a
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Mon Sep 23 09:33:10 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Sep 25 09:42:29 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=dcc4d719
exim: exim owns directory /var/lib/exim4
mta: this is strange, although there is a domtrans from system_mail_t to
exim_t, at some point exim running in the system_mail_t domain wants to
read /var/lib/exim4/config.autogenerated.tmp, a second later exim in the
exim_t domain does the same
mta: the kernel_read_crypto_sysctls is also exim running in the
system_mail_t domain
exim: exim_t (exim4) reads kernel crypto sysctls
(/proc/sys/crypto/fips_enabled) in Debian
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/exim.fc | 2 ++
policy/modules/contrib/exim.if | 19 +++++++++++++++++++
policy/modules/contrib/exim.te | 6 ++++++
policy/modules/contrib/mta.te | 2 ++
4 files changed, 29 insertions(+)
diff --git a/policy/modules/contrib/exim.fc b/policy/modules/contrib/exim.fc
index dc0254b..9df498d 100644
--- a/policy/modules/contrib/exim.fc
+++ b/policy/modules/contrib/exim.fc
@@ -3,6 +3,8 @@
/usr/sbin/exim[0-9]? -- gen_context(system_u:object_r:exim_exec_t,s0)
/usr/sbin/exim_tidydb -- gen_context(system_u:object_r:exim_exec_t,s0)
+/var/lib/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_var_lib_t,s0)
+
/var/log/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_log_t,s0)
/var/run/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_var_run_t,s0)
diff --git a/policy/modules/contrib/exim.if b/policy/modules/contrib/exim.if
index 94a8269..7e78b7b 100644
--- a/policy/modules/contrib/exim.if
+++ b/policy/modules/contrib/exim.if
@@ -225,6 +225,25 @@ interface(`exim_manage_spool_files',`
########################################
## <summary>
+## Read exim var lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`exim_read_var_lib_files',`
+ gen_require(`
+ type exim_var_lib_t;
+ ')
+
+ read_files_pattern($1, exim_var_lib_t, exim_var_lib_t)
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
## All of the rules required to
## administrate an exim environment.
## </summary>
diff --git a/policy/modules/contrib/exim.te b/policy/modules/contrib/exim.te
index 7e8cf42..88896fd 100644
--- a/policy/modules/contrib/exim.te
+++ b/policy/modules/contrib/exim.te
@@ -48,6 +48,9 @@ init_script_file(exim_initrc_exec_t)
type exim_keytab_t;
files_type(exim_keytab_t)
+type exim_var_lib_t;
+files_type(exim_var_lib_t)
+
type exim_log_t;
logging_log_file(exim_log_t)
@@ -73,6 +76,8 @@ allow exim_t self:tcp_socket { accept listen };
allow exim_t exim_keytab_t:file read_file_perms;
+manage_files_pattern(exim_t, exim_var_lib_t, exim_var_lib_t)
+
append_files_pattern(exim_t, exim_log_t, exim_log_t)
create_files_pattern(exim_t, exim_log_t, exim_log_t)
setattr_files_pattern(exim_t, exim_log_t, exim_log_t)
@@ -93,6 +98,7 @@ files_pid_filetrans(exim_t, exim_var_run_t, { dir file })
can_exec(exim_t, exim_exec_t)
+kernel_read_crypto_sysctls(exim_t)
kernel_read_kernel_sysctls(exim_t)
kernel_read_network_state(exim_t)
kernel_dontaudit_read_system_state(exim_t)
diff --git a/policy/modules/contrib/mta.te b/policy/modules/contrib/mta.te
index 75635b3..2ac5012 100644
--- a/policy/modules/contrib/mta.te
+++ b/policy/modules/contrib/mta.te
@@ -245,8 +245,10 @@ optional_policy(`
')
optional_policy(`
+ kernel_read_crypto_sysctls(system_mail_t)
exim_domtrans(system_mail_t)
exim_manage_log(system_mail_t)
+ exim_read_var_lib_files(system_mail_t)
')
optional_policy(`
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-09-25 9:49 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-09-25 9:49 UTC (permalink / raw
To: gentoo-commits
commit: e69756835f938299389a3f86132bbc76918a444a
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Mon Sep 23 10:11:43 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Sep 25 09:42:25 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e6975683
logrotate restarts syslogd via init script in Debian
Probably want logrotate to be able to run any labeled init script in the
initrc_t domain rather than only generic init scripts since it is pretty
common for logrotate to restart a service after its log file is rotated
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/logrotate.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/logrotate.te b/policy/modules/contrib/logrotate.te
index 739fb6d..be0ab84 100644
--- a/policy/modules/contrib/logrotate.te
+++ b/policy/modules/contrib/logrotate.te
@@ -98,7 +98,7 @@ selinux_get_enforce_mode(logrotate_t)
auth_manage_login_records(logrotate_t)
auth_use_nsswitch(logrotate_t)
-init_domtrans_script(logrotate_t)
+init_all_labeled_script_domtrans(logrotate_t)
logging_manage_all_logs(logrotate_t)
logging_send_syslog_msg(logrotate_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-09-25 9:49 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-09-25 9:49 UTC (permalink / raw
To: gentoo-commits
commit: cd4594f418e9034b79d2f778b3308fd942085818
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Mon Sep 23 08:29:52 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Sep 25 09:42:18 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=cd4594f4
wm: associate wm_exec_t to core command executable files so that initrc_t (/sbin/start-stop-daemon) can access it (metacity)
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/wm.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/wm.te b/policy/modules/contrib/wm.te
index ffe166f..9d2e935 100644
--- a/policy/modules/contrib/wm.te
+++ b/policy/modules/contrib/wm.te
@@ -8,6 +8,7 @@ policy_module(wm, 1.3.2)
attribute wm_domain;
type wm_exec_t;
+corecmd_executable_file(wm_exec_t)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-09-25 9:49 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-09-25 9:49 UTC (permalink / raw
To: gentoo-commits
commit: 1d12ddc899e9cd641c8b002a5dc50469bf60b6e5
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Mon Sep 23 08:04:31 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Sep 25 09:42:16 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=1d12ddc8
bluetooth: bluetooth_t acquires org.bluez service on dbus system bus
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/bluetooth.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/bluetooth.te b/policy/modules/contrib/bluetooth.te
index 15f5a95..851769e 100644
--- a/policy/modules/contrib/bluetooth.te
+++ b/policy/modules/contrib/bluetooth.te
@@ -132,6 +132,7 @@ userdom_dontaudit_search_user_home_dirs(bluetooth_t)
optional_policy(`
dbus_system_bus_client(bluetooth_t)
+ dbus_connect_system_bus(bluetooth_t)
optional_policy(`
cups_dbus_chat(bluetooth_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-09-25 9:49 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-09-25 9:49 UTC (permalink / raw
To: gentoo-commits
commit: b1eed098b560b17b5825236bd1d1f29b74245f16
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Mon Sep 23 10:21:20 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Sep 25 09:42:27 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b1eed098
This file is called just man-db in Debian.
Catch all scripts in /etc/cron.daily, and cron.weekly with man-db prefix
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/mandb.fc | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/mandb.fc b/policy/modules/contrib/mandb.fc
index 2de0f64..7f47aca 100644
--- a/policy/modules/contrib/mandb.fc
+++ b/policy/modules/contrib/mandb.fc
@@ -1 +1,2 @@
-/etc/cron.daily/man-db\.cron -- gen_context(system_u:object_r:mandb_exec_t,s0)
+/etc/cron\.daily/man-db.* -- gen_context(system_u:object_r:mandb_exec_t,s0)
+/etc/cron\.weekly/man-db.* -- gen_context(system_u:object_r:mandb_exec_t,s0)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-09-23 13:31 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-09-23 13:31 UTC (permalink / raw
To: gentoo-commits
commit: 8313772124285241a40d56a7030ba9c4dc5431b3
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Fri Sep 20 07:41:07 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Sep 23 06:28:43 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=83137721
Additional openvpn tcp networking rules
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/openvpn.te | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/policy/modules/contrib/openvpn.te b/policy/modules/contrib/openvpn.te
index 5816817..63957a3 100644
--- a/policy/modules/contrib/openvpn.te
+++ b/policy/modules/contrib/openvpn.te
@@ -1,4 +1,4 @@
-policy_module(openvpn, 1.12.1)
+policy_module(openvpn, 1.12.2)
########################################
#
@@ -14,10 +14,10 @@ policy_module(openvpn, 1.12.1)
gen_tunable(openvpn_enable_homedirs, false)
## <desc>
-## <p>
-## Determine whether openvpn can
-## connect to the TCP network.
-## </p>
+## <p>
+## Determine whether openvpn can
+## connect to the TCP network.
+## </p>
## </desc>
gen_tunable(openvpn_can_network_connect, false)
@@ -158,7 +158,9 @@ tunable_policy(`openvpn_enable_homedirs && use_samba_home_dirs',`
')
tunable_policy(`openvpn_can_network_connect',`
- corenet_tcp_connect_all_ports(openvpn_t)
+ corenet_sendrecv_all_client_packets(openvpn_t)
+ corenet_tcp_connect_all_ports(openvpn_t)
+ corenet_tcp_sendrecv_all_ports(openvpn_t)
')
optional_policy(`
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-09-23 13:31 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-09-23 13:31 UTC (permalink / raw
To: gentoo-commits
commit: 1885a6b8dbea8123e438d8b17ceb6aaf80bca8f8
Author: Miroslav Grepl <mgrepl <AT> redhat <DOT> com>
AuthorDate: Tue Aug 20 09:09:06 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Sep 23 06:28:41 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=1885a6b8
Add openvpn_can_network_connect() boolean
---
policy/modules/contrib/openvpn.te | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/policy/modules/contrib/openvpn.te b/policy/modules/contrib/openvpn.te
index 1c3599a..5816817 100644
--- a/policy/modules/contrib/openvpn.te
+++ b/policy/modules/contrib/openvpn.te
@@ -13,6 +13,14 @@ policy_module(openvpn, 1.12.1)
## </desc>
gen_tunable(openvpn_enable_homedirs, false)
+## <desc>
+## <p>
+## Determine whether openvpn can
+## connect to the TCP network.
+## </p>
+## </desc>
+gen_tunable(openvpn_can_network_connect, false)
+
attribute_role openvpn_roles;
type openvpn_t;
@@ -149,6 +157,10 @@ tunable_policy(`openvpn_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(openvpn_t)
')
+tunable_policy(`openvpn_can_network_connect',`
+ corenet_tcp_connect_all_ports(openvpn_t)
+')
+
optional_policy(`
daemontools_service_domain(openvpn_t, openvpn_exec_t)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-09-23 13:31 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-09-23 13:31 UTC (permalink / raw
To: gentoo-commits
commit: 0a54a711c81b74e91cc633b005b28cb71170d960
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Thu Sep 19 12:45:01 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Sep 23 06:27:38 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=0a54a711
Module version bump for changes to various policy modules by Miroslav Grepl
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/condor.te | 2 +-
policy/modules/contrib/glusterfs.te | 2 +-
policy/modules/contrib/rhcs.te | 2 +-
policy/modules/contrib/virt.te | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/policy/modules/contrib/condor.te b/policy/modules/contrib/condor.te
index 32b299a..ce9f040 100644
--- a/policy/modules/contrib/condor.te
+++ b/policy/modules/contrib/condor.te
@@ -1,4 +1,4 @@
-policy_module(condor, 1.0.0)
+policy_module(condor, 1.0.1)
########################################
#
diff --git a/policy/modules/contrib/glusterfs.te b/policy/modules/contrib/glusterfs.te
index 0a8e91e..4e95c7e 100644
--- a/policy/modules/contrib/glusterfs.te
+++ b/policy/modules/contrib/glusterfs.te
@@ -1,4 +1,4 @@
-policy_module(glusterfs, 1.1.1)
+policy_module(glusterfs, 1.1.2)
########################################
#
diff --git a/policy/modules/contrib/rhcs.te b/policy/modules/contrib/rhcs.te
index 7f87224..6cf79c4 100644
--- a/policy/modules/contrib/rhcs.te
+++ b/policy/modules/contrib/rhcs.te
@@ -1,4 +1,4 @@
-policy_module(rhcs, 1.2.0)
+policy_module(rhcs, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 3f48d7f..7afd03d 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1,4 +1,4 @@
-policy_module(virt, 1.7.3)
+policy_module(virt, 1.7.4)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-09-23 13:31 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-09-23 13:31 UTC (permalink / raw
To: gentoo-commits
commit: 5562e1cd22a89358906eb674325fb40a10cf9ae2
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Thu Sep 19 17:54:51 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Sep 23 06:27:28 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=5562e1cd
Change type from etc_rw to conf for readability admin access to condor_conf_t
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/condor.fc | 2 +-
policy/modules/contrib/condor.if | 5 ++++-
policy/modules/contrib/condor.te | 6 +++---
3 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/policy/modules/contrib/condor.fc b/policy/modules/contrib/condor.fc
index 543321b..ad2b696 100644
--- a/policy/modules/contrib/condor.fc
+++ b/policy/modules/contrib/condor.fc
@@ -1,4 +1,4 @@
-/etc/condor(/.*)? gen_context(system_u:object_r:condor_etc_rw_t,s0)
+/etc/condor(/.*)? gen_context(system_u:object_r:condor_conf_t,s0)
/etc/rc\.d/init\.d/condor -- gen_context(system_u:object_r:condor_initrc_exec_t,s0)
diff --git a/policy/modules/contrib/condor.if b/policy/modules/contrib/condor.if
index 3fe3cb8..881d92f 100644
--- a/policy/modules/contrib/condor.if
+++ b/policy/modules/contrib/condor.if
@@ -60,7 +60,7 @@ interface(`condor_admin',`
attribute condor_domain;
type condor_initrc_exec_config_t, condor_log_t;
type condor_var_lib_t, condor_var_lock_t, condor_schedd_tmp_t;
- type condor_var_run_t, condor_startd_tmp_t;
+ type condor_var_run_t, condor_startd_tmp_t, condor_conf_t;
')
allow $1 condor_domain:process { ptrace signal_perms };
@@ -71,6 +71,9 @@ interface(`condor_admin',`
role_transition $2 condor_initrc_exec_t system_r;
allow $2 system_r;
+ files_search_etc($1)
+ admin_pattern($1, condor_conf_t)
+
logging_search_logs($1)
admin_pattern($1, condor_log_t)
diff --git a/policy/modules/contrib/condor.te b/policy/modules/contrib/condor.te
index 7666be4..5fd1388 100644
--- a/policy/modules/contrib/condor.te
+++ b/policy/modules/contrib/condor.te
@@ -34,8 +34,8 @@ files_tmp_file(condor_startd_tmp_t)
type condor_startd_tmpfs_t;
files_tmpfs_file(condor_startd_tmpfs_t)
-type condor_etc_rw_t;
-files_config_file(condor_etc_rw_t)
+type condor_conf_t;
+files_config_file(condor_conf_t)
type condor_log_t;
logging_log_file(condor_log_t)
@@ -65,7 +65,7 @@ allow condor_domain self:fifo_file rw_fifo_file_perms;
allow condor_domain self:tcp_socket { accept listen };
allow condor_domain self:unix_stream_socket { accept listen };
-rw_files_pattern(condor_domain, condor_etc_rw_t, condor_etc_rw_t)
+rw_files_pattern(condor_domain, condor_conf_t, condor_conf_t)
manage_dirs_pattern(condor_domain, condor_log_t, condor_log_t)
append_files_pattern(condor_domain, condor_log_t, condor_log_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-09-23 13:31 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-09-23 13:31 UTC (permalink / raw
To: gentoo-commits
commit: 2aab42920d3153bffa3f3b618c622c709bb762f3
Author: Miroslav Grepl <mgrepl <AT> redhat <DOT> com>
AuthorDate: Wed Sep 4 10:28:28 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Sep 23 06:27:20 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=2aab4292
Fix lsm.fc for pid files
---
policy/modules/contrib/lsm.fc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/lsm.fc b/policy/modules/contrib/lsm.fc
index 51777c1..c455730 100644
--- a/policy/modules/contrib/lsm.fc
+++ b/policy/modules/contrib/lsm.fc
@@ -1,3 +1,3 @@
/usr/bin/lsmd -- gen_context(system_u:object_r:lsmd_exec_t,s0)
-/var/run/lsm(/.*)? -- gen_context(system_u:object_r:lsmd_var_run_t,s0)
+/var/run/lsm(/.*)? gen_context(system_u:object_r:lsmd_var_run_t,s0)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-09-23 13:31 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-09-23 13:31 UTC (permalink / raw
To: gentoo-commits
commit: 6e23089d1f62f91276576f9038553bba5dd232bd
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Thu Sep 19 17:59:43 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Sep 23 06:27:30 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=6e23089d
Hit by a nasty optional policy nesting issue
Basically gnome keyring daemon depends on a window manager, and window
managers depend on dbus
Thus for restricted xwindows users, the gnome_per_role_template optional
policy needs to be nested in the wm_per_role_template optional policy,
which needs to be nested in the dbus_per_role_template optional policy
I tried to get dbus out of the equation but was not able to
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/gnome.if | 4 +++-
policy/modules/contrib/wm.if | 12 +++++++-----
policy/modules/contrib/wm.te | 4 ----
3 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/policy/modules/contrib/gnome.if b/policy/modules/contrib/gnome.if
index d03fd43..ab09d61 100644
--- a/policy/modules/contrib/gnome.if
+++ b/policy/modules/contrib/gnome.if
@@ -111,7 +111,9 @@ template(`gnome_role_template',`
optional_policy(`
dbus_spec_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t)
- gnome_dbus_chat_gkeyringd($1, $3)
+ optional_policy(`
+ gnome_dbus_chat_gkeyringd($1, $3)
+ ')
')
')
diff --git a/policy/modules/contrib/wm.if b/policy/modules/contrib/wm.if
index 25b702d..fbd84ba 100644
--- a/policy/modules/contrib/wm.if
+++ b/policy/modules/contrib/wm.if
@@ -68,6 +68,9 @@ template(`wm_role_template',`
auth_use_nsswitch($1_wm_t)
+ xserver_role($2, $1_wm_t)
+ xserver_manage_core_devices($1_wm_t)
+
optional_policy(`
dbus_spec_session_bus_client($1, $1_wm_t)
dbus_system_bus_client($1_wm_t)
@@ -77,13 +80,12 @@ template(`wm_role_template',`
')
')
- optional_policy(`
- pulseaudio_run($1_wm_t, $2)
- ')
+ # optional_policy(`
+ # gnome_stream_connect_gkeyringd($1, $1_wm_t)
+ # ')
optional_policy(`
- xserver_role($2, $1_wm_t)
- xserver_manage_core_devices($1_wm_t)
+ pulseaudio_run($1_wm_t, $2)
')
')
diff --git a/policy/modules/contrib/wm.te b/policy/modules/contrib/wm.te
index 0f5148e..ffe166f 100644
--- a/policy/modules/contrib/wm.te
+++ b/policy/modules/contrib/wm.te
@@ -57,10 +57,6 @@ optional_policy(`
')
optional_policy(`
- gnome_stream_connect_gkeyringd(wm_domain)
-')
-
-optional_policy(`
networkmanager_dbus_chat(wm_domain)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-09-23 13:31 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-09-23 13:31 UTC (permalink / raw
To: gentoo-commits
commit: c285f2ef655360833348a3d57ec2962c0a818194
Author: Miroslav Grepl <mgrepl <AT> redhat <DOT> com>
AuthorDate: Tue Sep 3 14:44:31 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Sep 23 06:27:24 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=c285f2ef
Also sock_file trans rule is needed in lsm
Conflicts:
lsm.te
---
policy/modules/contrib/lsm.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/lsm.te b/policy/modules/contrib/lsm.te
index 7f0ca47..4ec0eea 100644
--- a/policy/modules/contrib/lsm.te
+++ b/policy/modules/contrib/lsm.te
@@ -24,5 +24,6 @@ manage_dirs_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
manage_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
manage_sock_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
+files_pid_filetrans(lsmd_t, lsmd_var_run_t, { dir file sock_file })
logging_send_syslog_msg(lsmd_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-09-23 13:31 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-09-23 13:31 UTC (permalink / raw
To: gentoo-commits
commit: 9c2fcb4cc9c84006d9cb99e67d2ecf56570ea440
Author: Miroslav Grepl <mgrepl <AT> redhat <DOT> com>
AuthorDate: Fri Aug 23 08:14:08 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Sep 23 06:26:45 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=9c2fcb4c
Allow virtd to relabel unix stream socket
---
policy/modules/contrib/virt.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 65ede42..3f48d7f 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -418,7 +418,7 @@ corenet_tcp_connect_all_ports(svirt_t)
allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice };
allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched };
allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
-allow virtd_t self:unix_stream_socket { accept connectto listen };
+allow virtd_t self:unix_stream_socket { accept connectto listen relabelfrom relabelto };
allow virtd_t self:tcp_socket { accept listen };
allow virtd_t self:tun_socket { create_socket_perms relabelfrom relabelto };
allow virtd_t self:rawip_socket create_socket_perms;
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-09-23 13:31 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-09-23 13:31 UTC (permalink / raw
To: gentoo-commits
commit: 1306dae79c45f570f9c5ecec1fbf2788a2f96ea6
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Thu Sep 19 17:11:58 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Sep 23 06:26:37 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=1306dae7
Remove duplicate rules due to addition of auth_use_nsswitch()
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/rpcbind.te | 9 +--------
1 file changed, 1 insertion(+), 8 deletions(-)
diff --git a/policy/modules/contrib/rpcbind.te b/policy/modules/contrib/rpcbind.te
index 31d9287..bad1939 100644
--- a/policy/modules/contrib/rpcbind.te
+++ b/policy/modules/contrib/rpcbind.te
@@ -1,4 +1,4 @@
-policy_module(rpcbind, 1.6.0)
+policy_module(rpcbind, 1.6.1)
########################################
#
@@ -62,7 +62,6 @@ corecmd_exec_shell(rpcbind_t)
domain_use_interactive_fds(rpcbind_t)
-files_read_etc_files(rpcbind_t)
files_read_etc_runtime_files(rpcbind_t)
auth_use_nsswitch(rpcbind_t)
@@ -70,9 +69,3 @@ auth_use_nsswitch(rpcbind_t)
logging_send_syslog_msg(rpcbind_t)
miscfiles_read_localization(rpcbind_t)
-
-sysnet_dns_name_resolve(rpcbind_t)
-
-optional_policy(`
- nis_use_ypbind(rpcbind_t)
-')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:merge commit in: policy/modules/contrib/
@ 2013-09-23 6:29 Sven Vermeulen
2013-09-23 13:31 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
0 siblings, 1 reply; 1958+ messages in thread
From: Sven Vermeulen @ 2013-09-23 6:29 UTC (permalink / raw
To: gentoo-commits
commit: f32d2da8b2f3a4cbaf11f9eb0a1c27d1678ce4d5
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Fri Sep 20 07:12:29 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Sep 23 06:28:03 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f32d2da8
Clean up hypervkvp policy module (seems incomplete)
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/hypervkvp.fc | 4 ++--
policy/modules/contrib/hypervkvp.if | 31 +++++++++++++++++++++----------
policy/modules/contrib/hypervkvp.te | 24 +++++++++++-------------
3 files changed, 34 insertions(+), 25 deletions(-)
diff --git a/policy/modules/contrib/hypervkvp.fc b/policy/modules/contrib/hypervkvp.fc
index 2a69ee4..b46130e 100644
--- a/policy/modules/contrib/hypervkvp.fc
+++ b/policy/modules/contrib/hypervkvp.fc
@@ -1,3 +1,3 @@
-/etc/rc\.d/init\.d/hypervkvpd -- gen_context(system_u:object_r:hypervkvp_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/hypervkvpd -- gen_context(system_u:object_r:hypervkvpd_initrc_exec_t,s0)
-/usr/sbin/hv_kvp_daemon -- gen_context(system_u:object_r:hypervkvp_exec_t,s0)
+/usr/sbin/hv_kvp_daemon -- gen_context(system_u:object_r:hypervkvpd_exec_t,s0)
diff --git a/policy/modules/contrib/hypervkvp.if b/policy/modules/contrib/hypervkvp.if
index 7743be5..6517fad 100644
--- a/policy/modules/contrib/hypervkvp.if
+++ b/policy/modules/contrib/hypervkvp.if
@@ -1,21 +1,32 @@
-
-## <summary>policy for hypervkvp</summary>
+## <summary>HyperV key value pair (KVP).</summary>
########################################
## <summary>
-## Execute TEMPLATE in the hypervkvp domin.
+## All of the rules required to
+## administrate an hypervkvp environment.
## </summary>
## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
+## <summary>
+## Domain allowed access.
+## </summary>
## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
#
-interface(`hypervkvp_domtrans',`
+interface(`hypervkvp_admin',`
gen_require(`
- type hypervkvp_t, hypervkvp_exec_t;
+ type hypervkvpd_t, hypervkvpd_initrc_exec_t;
')
- corecmd_search_bin($1)
- domtrans_pattern($1, hypervkvp_exec_t, hypervkvp_t)
+ allow $1 hypervkvpd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, hypervkvpd_t)
+
+ init_labeled_script_domtrans($1, hypervkvpd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 hypervkvpd_initrc_exec_t system_r;
+ allow $2 system_r;
')
diff --git a/policy/modules/contrib/hypervkvp.te b/policy/modules/contrib/hypervkvp.te
index 631ed79..4eb7041 100644
--- a/policy/modules/contrib/hypervkvp.te
+++ b/policy/modules/contrib/hypervkvp.te
@@ -5,26 +5,24 @@ policy_module(hypervkvp, 1.0.0)
# Declarations
#
-type hypervkvp_t;
-type hypervkvp_exec_t;
-init_daemon_domain(hypervkvp_t, hypervkvp_exec_t)
-
-type hypervkvp_initrc_exec_t;
-init_script_file(hypervkvp_initrc_exec_t)
+type hypervkvpd_t;
+type hypervkvpd_exec_t;
+init_daemon_domain(hypervkvpd_t, hypervkvpd_exec_t)
+type hypervkvpd_initrc_exec_t;
+init_script_file(hypervkvpd_initrc_exec_t)
########################################
#
-# hypervkvp local policy
+# Local policy
#
#
-allow hypervkvp_t self:fifo_file rw_fifo_file_perms;
-allow hypervkvp_t self:unix_stream_socket create_stream_socket_perms;
-domain_use_interactive_fds(hypervkvp_t)
+allow hypervkvpd_t self:fifo_file rw_fifo_file_perms;
+allow hypervkvpd_t self:unix_stream_socket create_stream_socket_perms;
-logging_send_syslog_msg(hypervkvp_t)
+logging_send_syslog_msg(hypervkvpd_t)
-miscfiles_read_localization(hypervkvp_t)
+miscfiles_read_localization(hypervkvpd_t)
-sysnet_dns_name_resolve(hypervkvp_t)
+sysnet_dns_name_resolve(hypervkvpd_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2013-09-23 6:29 [gentoo-commits] proj/hardened-refpolicy:merge " Sven Vermeulen
@ 2013-09-23 13:31 ` Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-09-23 13:31 UTC (permalink / raw
To: gentoo-commits
commit: f32d2da8b2f3a4cbaf11f9eb0a1c27d1678ce4d5
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Fri Sep 20 07:12:29 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Sep 23 06:28:03 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f32d2da8
Clean up hypervkvp policy module (seems incomplete)
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/hypervkvp.fc | 4 ++--
policy/modules/contrib/hypervkvp.if | 31 +++++++++++++++++++++----------
policy/modules/contrib/hypervkvp.te | 24 +++++++++++-------------
3 files changed, 34 insertions(+), 25 deletions(-)
diff --git a/policy/modules/contrib/hypervkvp.fc b/policy/modules/contrib/hypervkvp.fc
index 2a69ee4..b46130e 100644
--- a/policy/modules/contrib/hypervkvp.fc
+++ b/policy/modules/contrib/hypervkvp.fc
@@ -1,3 +1,3 @@
-/etc/rc\.d/init\.d/hypervkvpd -- gen_context(system_u:object_r:hypervkvp_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/hypervkvpd -- gen_context(system_u:object_r:hypervkvpd_initrc_exec_t,s0)
-/usr/sbin/hv_kvp_daemon -- gen_context(system_u:object_r:hypervkvp_exec_t,s0)
+/usr/sbin/hv_kvp_daemon -- gen_context(system_u:object_r:hypervkvpd_exec_t,s0)
diff --git a/policy/modules/contrib/hypervkvp.if b/policy/modules/contrib/hypervkvp.if
index 7743be5..6517fad 100644
--- a/policy/modules/contrib/hypervkvp.if
+++ b/policy/modules/contrib/hypervkvp.if
@@ -1,21 +1,32 @@
-
-## <summary>policy for hypervkvp</summary>
+## <summary>HyperV key value pair (KVP).</summary>
########################################
## <summary>
-## Execute TEMPLATE in the hypervkvp domin.
+## All of the rules required to
+## administrate an hypervkvp environment.
## </summary>
## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
+## <summary>
+## Domain allowed access.
+## </summary>
## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
#
-interface(`hypervkvp_domtrans',`
+interface(`hypervkvp_admin',`
gen_require(`
- type hypervkvp_t, hypervkvp_exec_t;
+ type hypervkvpd_t, hypervkvpd_initrc_exec_t;
')
- corecmd_search_bin($1)
- domtrans_pattern($1, hypervkvp_exec_t, hypervkvp_t)
+ allow $1 hypervkvpd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, hypervkvpd_t)
+
+ init_labeled_script_domtrans($1, hypervkvpd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 hypervkvpd_initrc_exec_t system_r;
+ allow $2 system_r;
')
diff --git a/policy/modules/contrib/hypervkvp.te b/policy/modules/contrib/hypervkvp.te
index 631ed79..4eb7041 100644
--- a/policy/modules/contrib/hypervkvp.te
+++ b/policy/modules/contrib/hypervkvp.te
@@ -5,26 +5,24 @@ policy_module(hypervkvp, 1.0.0)
# Declarations
#
-type hypervkvp_t;
-type hypervkvp_exec_t;
-init_daemon_domain(hypervkvp_t, hypervkvp_exec_t)
-
-type hypervkvp_initrc_exec_t;
-init_script_file(hypervkvp_initrc_exec_t)
+type hypervkvpd_t;
+type hypervkvpd_exec_t;
+init_daemon_domain(hypervkvpd_t, hypervkvpd_exec_t)
+type hypervkvpd_initrc_exec_t;
+init_script_file(hypervkvpd_initrc_exec_t)
########################################
#
-# hypervkvp local policy
+# Local policy
#
#
-allow hypervkvp_t self:fifo_file rw_fifo_file_perms;
-allow hypervkvp_t self:unix_stream_socket create_stream_socket_perms;
-domain_use_interactive_fds(hypervkvp_t)
+allow hypervkvpd_t self:fifo_file rw_fifo_file_perms;
+allow hypervkvpd_t self:unix_stream_socket create_stream_socket_perms;
-logging_send_syslog_msg(hypervkvp_t)
+logging_send_syslog_msg(hypervkvpd_t)
-miscfiles_read_localization(hypervkvp_t)
+miscfiles_read_localization(hypervkvpd_t)
-sysnet_dns_name_resolve(hypervkvp_t)
+sysnet_dns_name_resolve(hypervkvpd_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:merge commit in: policy/modules/contrib/
@ 2013-09-23 6:29 Sven Vermeulen
2013-09-23 13:31 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
0 siblings, 1 reply; 1958+ messages in thread
From: Sven Vermeulen @ 2013-09-23 6:29 UTC (permalink / raw
To: gentoo-commits
commit: 1e570633210d20c462a98fdfa0c3a23e9a2652ec
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Fri Sep 20 07:28:45 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Sep 23 06:28:39 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=1e570633
Clean up initial redis policy module
Need a redis port type
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/redis.fc | 10 +-
policy/modules/contrib/redis.if | 243 ++--------------------------------------
policy/modules/contrib/redis.te | 15 ++-
3 files changed, 20 insertions(+), 248 deletions(-)
diff --git a/policy/modules/contrib/redis.fc b/policy/modules/contrib/redis.fc
index 638d6b4..e240ac9 100644
--- a/policy/modules/contrib/redis.fc
+++ b/policy/modules/contrib/redis.fc
@@ -1,11 +1,9 @@
/etc/rc\.d/init\.d/redis -- gen_context(system_u:object_r:redis_initrc_exec_t,s0)
-/usr/lib/systemd/system/redis.* -- gen_context(system_u:object_r:redis_unit_file_t,s0)
+/usr/sbin/redis-server -- gen_context(system_u:object_r:redis_exec_t,s0)
-/usr/sbin/redis-server -- gen_context(system_u:object_r:redis_exec_t,s0)
+/var/lib/redis(/.*)? gen_context(system_u:object_r:redis_var_lib_t,s0)
-/var/lib/redis(/.*)? gen_context(system_u:object_r:redis_var_lib_t,s0)
+/var/log/redis(/.*)? gen_context(system_u:object_r:redis_log_t,s0)
-/var/log/redis(/.*)? gen_context(system_u:object_r:redis_log_t,s0)
-
-/var/run/redis(/.*)? gen_context(system_u:object_r:redis_var_run_t,s0)
+/var/run/redis(/.*)? gen_context(system_u:object_r:redis_var_run_t,s0)
diff --git a/policy/modules/contrib/redis.if b/policy/modules/contrib/redis.if
index e3efff0..16c8ecb 100644
--- a/policy/modules/contrib/redis.if
+++ b/policy/modules/contrib/redis.if
@@ -1,226 +1,9 @@
-
-## <summary>policy for redis</summary>
-
-########################################
-## <summary>
-## Execute TEMPLATE in the redis domin.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`redis_domtrans',`
- gen_require(`
- type redis_t, redis_exec_t;
- ')
-
- corecmd_search_bin($1)
- domtrans_pattern($1, redis_exec_t, redis_t)
-')
-
-########################################
-## <summary>
-## Execute redis server in the redis domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`redis_initrc_domtrans',`
- gen_require(`
- type redis_initrc_exec_t;
- ')
-
- init_labeled_script_domtrans($1, redis_initrc_exec_t)
-')
-########################################
-## <summary>
-## Read redis's log files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`redis_read_log',`
- gen_require(`
- type redis_log_t;
- ')
-
- logging_search_logs($1)
- read_files_pattern($1, redis_log_t, redis_log_t)
-')
-
-########################################
-## <summary>
-## Append to redis log files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`redis_append_log',`
- gen_require(`
- type redis_log_t;
- ')
-
- logging_search_logs($1)
- append_files_pattern($1, redis_log_t, redis_log_t)
-')
-
-########################################
-## <summary>
-## Manage redis log files
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`redis_manage_log',`
- gen_require(`
- type redis_log_t;
- ')
-
- logging_search_logs($1)
- manage_dirs_pattern($1, redis_log_t, redis_log_t)
- manage_files_pattern($1, redis_log_t, redis_log_t)
- manage_lnk_files_pattern($1, redis_log_t, redis_log_t)
-')
-
-########################################
-## <summary>
-## Search redis lib directories.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`redis_search_lib',`
- gen_require(`
- type redis_var_lib_t;
- ')
-
- allow $1 redis_var_lib_t:dir search_dir_perms;
- files_search_var_lib($1)
-')
-
-########################################
-## <summary>
-## Read redis lib files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`redis_read_lib_files',`
- gen_require(`
- type redis_var_lib_t;
- ')
-
- files_search_var_lib($1)
- read_files_pattern($1, redis_var_lib_t, redis_var_lib_t)
-')
-
-########################################
-## <summary>
-## Manage redis lib files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`redis_manage_lib_files',`
- gen_require(`
- type redis_var_lib_t;
- ')
-
- files_search_var_lib($1)
- manage_files_pattern($1, redis_var_lib_t, redis_var_lib_t)
-')
-
-########################################
-## <summary>
-## Manage redis lib directories.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`redis_manage_lib_dirs',`
- gen_require(`
- type redis_var_lib_t;
- ')
-
- files_search_var_lib($1)
- manage_dirs_pattern($1, redis_var_lib_t, redis_var_lib_t)
-')
-
-########################################
-## <summary>
-## Read redis PID files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`redis_read_pid_files',`
- gen_require(`
- type redis_var_run_t;
- ')
-
- files_search_pids($1)
- read_files_pattern($1, redis_var_run_t, redis_var_run_t)
-')
+## <summary>Advanced key-value store.</summary>
########################################
## <summary>
-## Execute redis server in the redis domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`redis_systemctl',`
- gen_require(`
- type redis_t;
- type redis_unit_file_t;
- ')
-
- systemd_exec_systemctl($1)
- systemd_read_fifo_file_password_run($1)
- allow $1 redis_unit_file_t:file read_file_perms;
- allow $1 redis_unit_file_t:service manage_service_perms;
-
- ps_process_pattern($1, redis_t)
-')
-
-
-########################################
-## <summary>
-## All of the rules required to administrate
-## an redis environment
+## All of the rules required to
+## administrate an redis environment.
## </summary>
## <param name="domain">
## <summary>
@@ -236,36 +19,24 @@ interface(`redis_systemctl',`
#
interface(`redis_admin',`
gen_require(`
- type redis_t;
- type redis_initrc_exec_t;
- type redis_log_t;
- type redis_var_lib_t;
- type redis_var_run_t;
- type redis_unit_file_t;
+ type redis_t, redis_initrc_exec_t, redis_var_lib_t;
+ type redis_log_t, redis_var_run_t;
')
allow $1 redis_t:process { ptrace signal_perms };
ps_process_pattern($1, redis_t)
- redis_initrc_domtrans($1)
+ init_labeled_script_domtrans($1, redis_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 redis_initrc_exec_t system_r;
allow $2 system_r;
logging_search_logs($1)
- admin_pattern($1, redis_log_t)
+ admin_pattern($!, redis_log_t)
files_search_var_lib($1)
admin_pattern($1, redis_var_lib_t)
files_search_pids($1)
admin_pattern($1, redis_var_run_t)
-
- redis_systemctl($1)
- admin_pattern($1, redis_unit_file_t)
- allow $1 redis_unit_file_t:service all_service_perms;
- optional_policy(`
- systemd_passwd_agent_exec($1)
- systemd_read_fifo_file_passwd_run($1)
- ')
')
diff --git a/policy/modules/contrib/redis.te b/policy/modules/contrib/redis.te
index e5e9cf7..f98e40e 100644
--- a/policy/modules/contrib/redis.te
+++ b/policy/modules/contrib/redis.te
@@ -21,12 +21,9 @@ files_type(redis_var_lib_t)
type redis_var_run_t;
files_pid_file(redis_var_run_t)
-type redis_unit_file_t;
-systemd_unit_file(redis_unit_file_t)
-
########################################
#
-# redis local policy
+# Local policy
#
allow redis_t self:process { setrlimit signal_perms };
@@ -48,8 +45,15 @@ manage_lnk_files_pattern(redis_t, redis_var_run_t, redis_var_run_t)
kernel_read_system_state(redis_t)
+corenet_all_recvfrom_unlabeled(redis_t)
+corenet_all_recvfrom_netlabel(redis_t)
+corenet_tcp_sendrecv_generic_if(redis_t)
+corenet_tcp_sendrecv_generic_node(redis_t)
corenet_tcp_bind_generic_node(redis_t)
-corenet_tcp_bind_redis_port(redis_t)
+
+# corenet_sendrecv_redis_server_packets(redis_t)
+# corenet_tcp_bind_redis_port(redis_t)
+# corenet_tcp_sendrecv_redis_port(redis_t)
dev_read_sysfs(redis_t)
dev_read_urand(redis_t)
@@ -59,4 +63,3 @@ logging_send_syslog_msg(redis_t)
miscfiles_read_localization(redis_t)
sysnet_dns_name_resolve(redis_t)
-
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2013-09-23 6:29 [gentoo-commits] proj/hardened-refpolicy:merge " Sven Vermeulen
@ 2013-09-23 13:31 ` Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-09-23 13:31 UTC (permalink / raw
To: gentoo-commits
commit: 1e570633210d20c462a98fdfa0c3a23e9a2652ec
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Fri Sep 20 07:28:45 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Sep 23 06:28:39 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=1e570633
Clean up initial redis policy module
Need a redis port type
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/redis.fc | 10 +-
policy/modules/contrib/redis.if | 243 ++--------------------------------------
policy/modules/contrib/redis.te | 15 ++-
3 files changed, 20 insertions(+), 248 deletions(-)
diff --git a/policy/modules/contrib/redis.fc b/policy/modules/contrib/redis.fc
index 638d6b4..e240ac9 100644
--- a/policy/modules/contrib/redis.fc
+++ b/policy/modules/contrib/redis.fc
@@ -1,11 +1,9 @@
/etc/rc\.d/init\.d/redis -- gen_context(system_u:object_r:redis_initrc_exec_t,s0)
-/usr/lib/systemd/system/redis.* -- gen_context(system_u:object_r:redis_unit_file_t,s0)
+/usr/sbin/redis-server -- gen_context(system_u:object_r:redis_exec_t,s0)
-/usr/sbin/redis-server -- gen_context(system_u:object_r:redis_exec_t,s0)
+/var/lib/redis(/.*)? gen_context(system_u:object_r:redis_var_lib_t,s0)
-/var/lib/redis(/.*)? gen_context(system_u:object_r:redis_var_lib_t,s0)
+/var/log/redis(/.*)? gen_context(system_u:object_r:redis_log_t,s0)
-/var/log/redis(/.*)? gen_context(system_u:object_r:redis_log_t,s0)
-
-/var/run/redis(/.*)? gen_context(system_u:object_r:redis_var_run_t,s0)
+/var/run/redis(/.*)? gen_context(system_u:object_r:redis_var_run_t,s0)
diff --git a/policy/modules/contrib/redis.if b/policy/modules/contrib/redis.if
index e3efff0..16c8ecb 100644
--- a/policy/modules/contrib/redis.if
+++ b/policy/modules/contrib/redis.if
@@ -1,226 +1,9 @@
-
-## <summary>policy for redis</summary>
-
-########################################
-## <summary>
-## Execute TEMPLATE in the redis domin.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`redis_domtrans',`
- gen_require(`
- type redis_t, redis_exec_t;
- ')
-
- corecmd_search_bin($1)
- domtrans_pattern($1, redis_exec_t, redis_t)
-')
-
-########################################
-## <summary>
-## Execute redis server in the redis domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`redis_initrc_domtrans',`
- gen_require(`
- type redis_initrc_exec_t;
- ')
-
- init_labeled_script_domtrans($1, redis_initrc_exec_t)
-')
-########################################
-## <summary>
-## Read redis's log files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`redis_read_log',`
- gen_require(`
- type redis_log_t;
- ')
-
- logging_search_logs($1)
- read_files_pattern($1, redis_log_t, redis_log_t)
-')
-
-########################################
-## <summary>
-## Append to redis log files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`redis_append_log',`
- gen_require(`
- type redis_log_t;
- ')
-
- logging_search_logs($1)
- append_files_pattern($1, redis_log_t, redis_log_t)
-')
-
-########################################
-## <summary>
-## Manage redis log files
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`redis_manage_log',`
- gen_require(`
- type redis_log_t;
- ')
-
- logging_search_logs($1)
- manage_dirs_pattern($1, redis_log_t, redis_log_t)
- manage_files_pattern($1, redis_log_t, redis_log_t)
- manage_lnk_files_pattern($1, redis_log_t, redis_log_t)
-')
-
-########################################
-## <summary>
-## Search redis lib directories.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`redis_search_lib',`
- gen_require(`
- type redis_var_lib_t;
- ')
-
- allow $1 redis_var_lib_t:dir search_dir_perms;
- files_search_var_lib($1)
-')
-
-########################################
-## <summary>
-## Read redis lib files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`redis_read_lib_files',`
- gen_require(`
- type redis_var_lib_t;
- ')
-
- files_search_var_lib($1)
- read_files_pattern($1, redis_var_lib_t, redis_var_lib_t)
-')
-
-########################################
-## <summary>
-## Manage redis lib files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`redis_manage_lib_files',`
- gen_require(`
- type redis_var_lib_t;
- ')
-
- files_search_var_lib($1)
- manage_files_pattern($1, redis_var_lib_t, redis_var_lib_t)
-')
-
-########################################
-## <summary>
-## Manage redis lib directories.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`redis_manage_lib_dirs',`
- gen_require(`
- type redis_var_lib_t;
- ')
-
- files_search_var_lib($1)
- manage_dirs_pattern($1, redis_var_lib_t, redis_var_lib_t)
-')
-
-########################################
-## <summary>
-## Read redis PID files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`redis_read_pid_files',`
- gen_require(`
- type redis_var_run_t;
- ')
-
- files_search_pids($1)
- read_files_pattern($1, redis_var_run_t, redis_var_run_t)
-')
+## <summary>Advanced key-value store.</summary>
########################################
## <summary>
-## Execute redis server in the redis domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`redis_systemctl',`
- gen_require(`
- type redis_t;
- type redis_unit_file_t;
- ')
-
- systemd_exec_systemctl($1)
- systemd_read_fifo_file_password_run($1)
- allow $1 redis_unit_file_t:file read_file_perms;
- allow $1 redis_unit_file_t:service manage_service_perms;
-
- ps_process_pattern($1, redis_t)
-')
-
-
-########################################
-## <summary>
-## All of the rules required to administrate
-## an redis environment
+## All of the rules required to
+## administrate an redis environment.
## </summary>
## <param name="domain">
## <summary>
@@ -236,36 +19,24 @@ interface(`redis_systemctl',`
#
interface(`redis_admin',`
gen_require(`
- type redis_t;
- type redis_initrc_exec_t;
- type redis_log_t;
- type redis_var_lib_t;
- type redis_var_run_t;
- type redis_unit_file_t;
+ type redis_t, redis_initrc_exec_t, redis_var_lib_t;
+ type redis_log_t, redis_var_run_t;
')
allow $1 redis_t:process { ptrace signal_perms };
ps_process_pattern($1, redis_t)
- redis_initrc_domtrans($1)
+ init_labeled_script_domtrans($1, redis_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 redis_initrc_exec_t system_r;
allow $2 system_r;
logging_search_logs($1)
- admin_pattern($1, redis_log_t)
+ admin_pattern($!, redis_log_t)
files_search_var_lib($1)
admin_pattern($1, redis_var_lib_t)
files_search_pids($1)
admin_pattern($1, redis_var_run_t)
-
- redis_systemctl($1)
- admin_pattern($1, redis_unit_file_t)
- allow $1 redis_unit_file_t:service all_service_perms;
- optional_policy(`
- systemd_passwd_agent_exec($1)
- systemd_read_fifo_file_passwd_run($1)
- ')
')
diff --git a/policy/modules/contrib/redis.te b/policy/modules/contrib/redis.te
index e5e9cf7..f98e40e 100644
--- a/policy/modules/contrib/redis.te
+++ b/policy/modules/contrib/redis.te
@@ -21,12 +21,9 @@ files_type(redis_var_lib_t)
type redis_var_run_t;
files_pid_file(redis_var_run_t)
-type redis_unit_file_t;
-systemd_unit_file(redis_unit_file_t)
-
########################################
#
-# redis local policy
+# Local policy
#
allow redis_t self:process { setrlimit signal_perms };
@@ -48,8 +45,15 @@ manage_lnk_files_pattern(redis_t, redis_var_run_t, redis_var_run_t)
kernel_read_system_state(redis_t)
+corenet_all_recvfrom_unlabeled(redis_t)
+corenet_all_recvfrom_netlabel(redis_t)
+corenet_tcp_sendrecv_generic_if(redis_t)
+corenet_tcp_sendrecv_generic_node(redis_t)
corenet_tcp_bind_generic_node(redis_t)
-corenet_tcp_bind_redis_port(redis_t)
+
+# corenet_sendrecv_redis_server_packets(redis_t)
+# corenet_tcp_bind_redis_port(redis_t)
+# corenet_tcp_sendrecv_redis_port(redis_t)
dev_read_sysfs(redis_t)
dev_read_urand(redis_t)
@@ -59,4 +63,3 @@ logging_send_syslog_msg(redis_t)
miscfiles_read_localization(redis_t)
sysnet_dns_name_resolve(redis_t)
-
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:merge commit in: policy/modules/contrib/
@ 2013-09-23 6:29 Sven Vermeulen
2013-09-23 13:31 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
0 siblings, 1 reply; 1958+ messages in thread
From: Sven Vermeulen @ 2013-09-23 6:29 UTC (permalink / raw
To: gentoo-commits
commit: ece5508dd2c59b8100fdcea7032a0b927069b222
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Fri Sep 20 06:51:35 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Sep 23 06:27:32 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ece5508d
We will find another way to run pa as a system server
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/pulseaudio.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index 643d58e..fca8b1d 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -12,7 +12,7 @@ attribute_role pulseaudio_roles;
type pulseaudio_t;
type pulseaudio_exec_t;
-init_daemon_domain(pulseaudio_t, pulseaudio_exec_t)
+# init_daemon_domain(pulseaudio_t, pulseaudio_exec_t)
userdom_user_application_domain(pulseaudio_t, pulseaudio_exec_t)
role pulseaudio_roles types pulseaudio_t;
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:merge commit in: policy/modules/contrib/
@ 2013-09-23 6:29 Sven Vermeulen
2013-09-23 13:31 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
0 siblings, 1 reply; 1958+ messages in thread
From: Sven Vermeulen @ 2013-09-23 6:29 UTC (permalink / raw
To: gentoo-commits
commit: 0afa74b4db3fc54e1d1e5937667246cb6621df3e
Author: Miroslav Grepl <mgrepl <AT> redhat <DOT> com>
AuthorDate: Thu Aug 22 11:10:10 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Sep 23 06:27:27 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=0afa74b4
Add labeling for /etc/condor and allow condor domain to write it (bug)
---
policy/modules/contrib/condor.fc | 2 ++
policy/modules/contrib/condor.te | 7 +++++++
2 files changed, 9 insertions(+)
diff --git a/policy/modules/contrib/condor.fc b/policy/modules/contrib/condor.fc
index 23dc348..543321b 100644
--- a/policy/modules/contrib/condor.fc
+++ b/policy/modules/contrib/condor.fc
@@ -1,3 +1,5 @@
+/etc/condor(/.*)? gen_context(system_u:object_r:condor_etc_rw_t,s0)
+
/etc/rc\.d/init\.d/condor -- gen_context(system_u:object_r:condor_initrc_exec_t,s0)
/usr/sbin/condor_collector -- gen_context(system_u:object_r:condor_collector_exec_t,s0)
diff --git a/policy/modules/contrib/condor.te b/policy/modules/contrib/condor.te
index 4ca829b..7666be4 100644
--- a/policy/modules/contrib/condor.te
+++ b/policy/modules/contrib/condor.te
@@ -34,6 +34,9 @@ files_tmp_file(condor_startd_tmp_t)
type condor_startd_tmpfs_t;
files_tmpfs_file(condor_startd_tmpfs_t)
+type condor_etc_rw_t;
+files_config_file(condor_etc_rw_t)
+
type condor_log_t;
logging_log_file(condor_log_t)
@@ -62,6 +65,8 @@ allow condor_domain self:fifo_file rw_fifo_file_perms;
allow condor_domain self:tcp_socket { accept listen };
allow condor_domain self:unix_stream_socket { accept listen };
+rw_files_pattern(condor_domain, condor_etc_rw_t, condor_etc_rw_t)
+
manage_dirs_pattern(condor_domain, condor_log_t, condor_log_t)
append_files_pattern(condor_domain, condor_log_t, condor_log_t)
create_files_pattern(condor_domain, condor_log_t, condor_log_t)
@@ -110,6 +115,8 @@ logging_send_syslog_msg(condor_domain)
miscfiles_read_localization(condor_domain)
+sysnet_dns_name_resolve(condor_domain)
+
tunable_policy(`condor_tcp_network_connect',`
corenet_sendrecv_all_client_packets(condor_domain)
corenet_tcp_connect_all_ports(condor_domain)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2013-09-23 6:29 [gentoo-commits] proj/hardened-refpolicy:merge " Sven Vermeulen
@ 2013-09-23 13:31 ` Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-09-23 13:31 UTC (permalink / raw
To: gentoo-commits
commit: 0afa74b4db3fc54e1d1e5937667246cb6621df3e
Author: Miroslav Grepl <mgrepl <AT> redhat <DOT> com>
AuthorDate: Thu Aug 22 11:10:10 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Sep 23 06:27:27 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=0afa74b4
Add labeling for /etc/condor and allow condor domain to write it (bug)
---
policy/modules/contrib/condor.fc | 2 ++
policy/modules/contrib/condor.te | 7 +++++++
2 files changed, 9 insertions(+)
diff --git a/policy/modules/contrib/condor.fc b/policy/modules/contrib/condor.fc
index 23dc348..543321b 100644
--- a/policy/modules/contrib/condor.fc
+++ b/policy/modules/contrib/condor.fc
@@ -1,3 +1,5 @@
+/etc/condor(/.*)? gen_context(system_u:object_r:condor_etc_rw_t,s0)
+
/etc/rc\.d/init\.d/condor -- gen_context(system_u:object_r:condor_initrc_exec_t,s0)
/usr/sbin/condor_collector -- gen_context(system_u:object_r:condor_collector_exec_t,s0)
diff --git a/policy/modules/contrib/condor.te b/policy/modules/contrib/condor.te
index 4ca829b..7666be4 100644
--- a/policy/modules/contrib/condor.te
+++ b/policy/modules/contrib/condor.te
@@ -34,6 +34,9 @@ files_tmp_file(condor_startd_tmp_t)
type condor_startd_tmpfs_t;
files_tmpfs_file(condor_startd_tmpfs_t)
+type condor_etc_rw_t;
+files_config_file(condor_etc_rw_t)
+
type condor_log_t;
logging_log_file(condor_log_t)
@@ -62,6 +65,8 @@ allow condor_domain self:fifo_file rw_fifo_file_perms;
allow condor_domain self:tcp_socket { accept listen };
allow condor_domain self:unix_stream_socket { accept listen };
+rw_files_pattern(condor_domain, condor_etc_rw_t, condor_etc_rw_t)
+
manage_dirs_pattern(condor_domain, condor_log_t, condor_log_t)
append_files_pattern(condor_domain, condor_log_t, condor_log_t)
create_files_pattern(condor_domain, condor_log_t, condor_log_t)
@@ -110,6 +115,8 @@ logging_send_syslog_msg(condor_domain)
miscfiles_read_localization(condor_domain)
+sysnet_dns_name_resolve(condor_domain)
+
tunable_policy(`condor_tcp_network_connect',`
corenet_sendrecv_all_client_packets(condor_domain)
corenet_tcp_connect_all_ports(condor_domain)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:merge commit in: policy/modules/contrib/
@ 2013-09-23 6:29 Sven Vermeulen
2013-09-23 13:31 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
0 siblings, 1 reply; 1958+ messages in thread
From: Sven Vermeulen @ 2013-09-23 6:29 UTC (permalink / raw
To: gentoo-commits
commit: 71888201c517f31907207e0060d1809dd5c8b6ed
Author: Miroslav Grepl <mgrepl <AT> redhat <DOT> com>
AuthorDate: Thu Aug 22 09:13:26 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Sep 23 06:27:36 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=71888201
Allow glusterd to read domains state
---
policy/modules/contrib/glusterfs.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/contrib/glusterfs.te b/policy/modules/contrib/glusterfs.te
index d9f8ec1..0a8e91e 100644
--- a/policy/modules/contrib/glusterfs.te
+++ b/policy/modules/contrib/glusterfs.te
@@ -92,6 +92,8 @@ corenet_tcp_connect_all_unreserved_ports(glusterd_t)
dev_read_sysfs(glusterd_t)
dev_read_urand(glusterd_t)
+domain_read_all_domains_state(glusterd_t)
+
domain_use_interactive_fds(glusterd_t)
files_read_usr_files(glusterd_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:merge commit in: policy/modules/contrib/
@ 2013-09-23 6:29 Sven Vermeulen
2013-09-23 13:31 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
0 siblings, 1 reply; 1958+ messages in thread
From: Sven Vermeulen @ 2013-09-23 6:29 UTC (permalink / raw
To: gentoo-commits
commit: 433ae56729bc46e1888bace2d296927d2b4bcffd
Author: Miroslav Grepl <mgrepl <AT> redhat <DOT> com>
AuthorDate: Thu Aug 22 11:03:42 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Sep 23 06:27:34 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=433ae567
Allow condor domains to manage own logs
---
policy/modules/contrib/condor.te | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/policy/modules/contrib/condor.te b/policy/modules/contrib/condor.te
index 5fd1388..32b299a 100644
--- a/policy/modules/contrib/condor.te
+++ b/policy/modules/contrib/condor.te
@@ -68,9 +68,7 @@ allow condor_domain self:unix_stream_socket { accept listen };
rw_files_pattern(condor_domain, condor_conf_t, condor_conf_t)
manage_dirs_pattern(condor_domain, condor_log_t, condor_log_t)
-append_files_pattern(condor_domain, condor_log_t, condor_log_t)
-create_files_pattern(condor_domain, condor_log_t, condor_log_t)
-getattr_files_pattern(condor_domain, condor_log_t, condor_log_t)
+manage_files_pattern(condor_domain, condor_log_t, condor_log_t)
logging_log_filetrans(condor_domain, condor_log_t, { dir file })
manage_dirs_pattern(condor_domain, condor_var_lib_t, condor_var_lib_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2013-09-23 6:29 [gentoo-commits] proj/hardened-refpolicy:merge " Sven Vermeulen
@ 2013-09-23 13:31 ` Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-09-23 13:31 UTC (permalink / raw
To: gentoo-commits
commit: 433ae56729bc46e1888bace2d296927d2b4bcffd
Author: Miroslav Grepl <mgrepl <AT> redhat <DOT> com>
AuthorDate: Thu Aug 22 11:03:42 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Sep 23 06:27:34 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=433ae567
Allow condor domains to manage own logs
---
policy/modules/contrib/condor.te | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/policy/modules/contrib/condor.te b/policy/modules/contrib/condor.te
index 5fd1388..32b299a 100644
--- a/policy/modules/contrib/condor.te
+++ b/policy/modules/contrib/condor.te
@@ -68,9 +68,7 @@ allow condor_domain self:unix_stream_socket { accept listen };
rw_files_pattern(condor_domain, condor_conf_t, condor_conf_t)
manage_dirs_pattern(condor_domain, condor_log_t, condor_log_t)
-append_files_pattern(condor_domain, condor_log_t, condor_log_t)
-create_files_pattern(condor_domain, condor_log_t, condor_log_t)
-getattr_files_pattern(condor_domain, condor_log_t, condor_log_t)
+manage_files_pattern(condor_domain, condor_log_t, condor_log_t)
logging_log_filetrans(condor_domain, condor_log_t, { dir file })
manage_dirs_pattern(condor_domain, condor_var_lib_t, condor_var_lib_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:merge commit in: policy/modules/contrib/
@ 2013-09-23 6:29 Sven Vermeulen
2013-09-23 13:31 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
0 siblings, 1 reply; 1958+ messages in thread
From: Sven Vermeulen @ 2013-09-23 6:29 UTC (permalink / raw
To: gentoo-commits
commit: 259ffaed9af0165011cc36ed38c140d9f007cd94
Author: Miroslav Grepl <mgrepl <AT> redhat <DOT> com>
AuthorDate: Thu Aug 22 11:25:49 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Sep 23 06:27:26 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=259ffaed
Update condor_master rules to allow read system state info and allow logging
---
policy/modules/contrib/condor.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/condor.te b/policy/modules/contrib/condor.te
index 3f2b672..4ca829b 100644
--- a/policy/modules/contrib/condor.te
+++ b/policy/modules/contrib/condor.te
@@ -185,7 +185,7 @@ allow condor_negotiator_t condor_master_t:udp_socket getattr;
allow condor_procd_t self:capability { fowner chown kill dac_override sys_ptrace };
-allow condor_procd_t condor_startd_t:process sigkill;
+allow condor_procd_t condor_domain:process sigkill;
domain_read_all_domains_state(condor_procd_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:merge commit in: policy/modules/contrib/
@ 2013-09-23 6:29 Sven Vermeulen
2013-09-23 13:31 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
0 siblings, 1 reply; 1958+ messages in thread
From: Sven Vermeulen @ 2013-09-23 6:29 UTC (permalink / raw
To: gentoo-commits
commit: d8ad674f9b897235cd243b9a37543bcfedb71d6e
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Thu Sep 19 17:39:39 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Sep 23 06:27:19 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=d8ad674f
Clean up libstoragemngmt policy module We do not yet support systemd
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/lsm.fc | 4 +--
policy/modules/contrib/lsm.if | 79 ++-----------------------------------------
policy/modules/contrib/lsm.te | 9 ++---
3 files changed, 7 insertions(+), 85 deletions(-)
diff --git a/policy/modules/contrib/lsm.fc b/policy/modules/contrib/lsm.fc
index 711c04b..51777c1 100644
--- a/policy/modules/contrib/lsm.fc
+++ b/policy/modules/contrib/lsm.fc
@@ -1,5 +1,3 @@
-/usr/bin/lsmd -- gen_context(system_u:object_r:lsmd_exec_t,s0)
-
-/usr/lib/systemd/system/libstoragemgmt.* -- gen_context(system_u:object_r:lsmd_unit_file_t,s0)
+/usr/bin/lsmd -- gen_context(system_u:object_r:lsmd_exec_t,s0)
/var/run/lsm(/.*)? -- gen_context(system_u:object_r:lsmd_var_run_t,s0)
diff --git a/policy/modules/contrib/lsm.if b/policy/modules/contrib/lsm.if
index f3e94d7..d314333 100644
--- a/policy/modules/contrib/lsm.if
+++ b/policy/modules/contrib/lsm.if
@@ -1,72 +1,9 @@
-
-## <summary>lsmd SELINUX policy </summary>
-
-########################################
-## <summary>
-## Execute TEMPLATE in the lsmd domin.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`lsmd_domtrans',`
- gen_require(`
- type lsmd_t, lsmd_exec_t;
- ')
-
- corecmd_search_bin($1)
- domtrans_pattern($1, lsmd_exec_t, lsmd_t)
-')
-########################################
-## <summary>
-## Read lsmd PID files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`lsmd_read_pid_files',`
- gen_require(`
- type lsmd_var_run_t;
- ')
-
- files_search_pids($1)
- read_files_pattern($1, lsmd_var_run_t, lsmd_var_run_t)
-')
-
-########################################
-## <summary>
-## Execute lsmd server in the lsmd domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`lsmd_systemctl',`
- gen_require(`
- type lsmd_t;
- type lsmd_unit_file_t;
- ')
-
- systemd_exec_systemctl($1)
- systemd_read_fifo_file_password_run($1)
- allow $1 lsmd_unit_file_t:file read_file_perms;
- allow $1 lsmd_unit_file_t:service manage_service_perms;
-
- ps_process_pattern($1, lsmd_t)
-')
-
+## <summary>Storage array management library.</summary>
########################################
## <summary>
## All of the rules required to administrate
-## an lsmd environment
+## an lsmd environment.
## </summary>
## <param name="domain">
## <summary>
@@ -82,9 +19,7 @@ interface(`lsmd_systemctl',`
#
interface(`lsmd_admin',`
gen_require(`
- type lsmd_t;
- type lsmd_var_run_t;
- type lsmd_unit_file_t;
+ type lsmd_t, type lsmd_var_run_t;
')
allow $1 lsmd_t:process { ptrace signal_perms };
@@ -92,12 +27,4 @@ interface(`lsmd_admin',`
files_search_pids($1)
admin_pattern($1, lsmd_var_run_t)
-
- lsmd_systemctl($1)
- admin_pattern($1, lsmd_unit_file_t)
- allow $1 lsmd_unit_file_t:service all_service_perms;
- optional_policy(`
- systemd_passwd_agent_exec($1)
- systemd_read_fifo_file_passwd_run($1)
- ')
')
diff --git a/policy/modules/contrib/lsm.te b/policy/modules/contrib/lsm.te
index 14fe4d7..7f0ca47 100644
--- a/policy/modules/contrib/lsm.te
+++ b/policy/modules/contrib/lsm.te
@@ -12,15 +12,12 @@ init_daemon_domain(lsmd_t, lsmd_exec_t)
type lsmd_var_run_t;
files_pid_file(lsmd_var_run_t)
-type lsmd_unit_file_t;
-systemd_unit_file(lsmd_unit_file_t)
-
########################################
#
-# lsmd local policy
+# Local policy
#
-allow lsmd_t self:capability { setgid };
-allow lsmd_t self:process { fork };
+
+allow lsmd_t self:capability setgid;
allow lsmd_t self:unix_stream_socket create_stream_socket_perms;
manage_dirs_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2013-09-23 6:29 [gentoo-commits] proj/hardened-refpolicy:merge " Sven Vermeulen
@ 2013-09-23 13:31 ` Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-09-23 13:31 UTC (permalink / raw
To: gentoo-commits
commit: d8ad674f9b897235cd243b9a37543bcfedb71d6e
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Thu Sep 19 17:39:39 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Sep 23 06:27:19 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=d8ad674f
Clean up libstoragemngmt policy module We do not yet support systemd
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/lsm.fc | 4 +--
policy/modules/contrib/lsm.if | 79 ++-----------------------------------------
policy/modules/contrib/lsm.te | 9 ++---
3 files changed, 7 insertions(+), 85 deletions(-)
diff --git a/policy/modules/contrib/lsm.fc b/policy/modules/contrib/lsm.fc
index 711c04b..51777c1 100644
--- a/policy/modules/contrib/lsm.fc
+++ b/policy/modules/contrib/lsm.fc
@@ -1,5 +1,3 @@
-/usr/bin/lsmd -- gen_context(system_u:object_r:lsmd_exec_t,s0)
-
-/usr/lib/systemd/system/libstoragemgmt.* -- gen_context(system_u:object_r:lsmd_unit_file_t,s0)
+/usr/bin/lsmd -- gen_context(system_u:object_r:lsmd_exec_t,s0)
/var/run/lsm(/.*)? -- gen_context(system_u:object_r:lsmd_var_run_t,s0)
diff --git a/policy/modules/contrib/lsm.if b/policy/modules/contrib/lsm.if
index f3e94d7..d314333 100644
--- a/policy/modules/contrib/lsm.if
+++ b/policy/modules/contrib/lsm.if
@@ -1,72 +1,9 @@
-
-## <summary>lsmd SELINUX policy </summary>
-
-########################################
-## <summary>
-## Execute TEMPLATE in the lsmd domin.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`lsmd_domtrans',`
- gen_require(`
- type lsmd_t, lsmd_exec_t;
- ')
-
- corecmd_search_bin($1)
- domtrans_pattern($1, lsmd_exec_t, lsmd_t)
-')
-########################################
-## <summary>
-## Read lsmd PID files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`lsmd_read_pid_files',`
- gen_require(`
- type lsmd_var_run_t;
- ')
-
- files_search_pids($1)
- read_files_pattern($1, lsmd_var_run_t, lsmd_var_run_t)
-')
-
-########################################
-## <summary>
-## Execute lsmd server in the lsmd domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`lsmd_systemctl',`
- gen_require(`
- type lsmd_t;
- type lsmd_unit_file_t;
- ')
-
- systemd_exec_systemctl($1)
- systemd_read_fifo_file_password_run($1)
- allow $1 lsmd_unit_file_t:file read_file_perms;
- allow $1 lsmd_unit_file_t:service manage_service_perms;
-
- ps_process_pattern($1, lsmd_t)
-')
-
+## <summary>Storage array management library.</summary>
########################################
## <summary>
## All of the rules required to administrate
-## an lsmd environment
+## an lsmd environment.
## </summary>
## <param name="domain">
## <summary>
@@ -82,9 +19,7 @@ interface(`lsmd_systemctl',`
#
interface(`lsmd_admin',`
gen_require(`
- type lsmd_t;
- type lsmd_var_run_t;
- type lsmd_unit_file_t;
+ type lsmd_t, type lsmd_var_run_t;
')
allow $1 lsmd_t:process { ptrace signal_perms };
@@ -92,12 +27,4 @@ interface(`lsmd_admin',`
files_search_pids($1)
admin_pattern($1, lsmd_var_run_t)
-
- lsmd_systemctl($1)
- admin_pattern($1, lsmd_unit_file_t)
- allow $1 lsmd_unit_file_t:service all_service_perms;
- optional_policy(`
- systemd_passwd_agent_exec($1)
- systemd_read_fifo_file_passwd_run($1)
- ')
')
diff --git a/policy/modules/contrib/lsm.te b/policy/modules/contrib/lsm.te
index 14fe4d7..7f0ca47 100644
--- a/policy/modules/contrib/lsm.te
+++ b/policy/modules/contrib/lsm.te
@@ -12,15 +12,12 @@ init_daemon_domain(lsmd_t, lsmd_exec_t)
type lsmd_var_run_t;
files_pid_file(lsmd_var_run_t)
-type lsmd_unit_file_t;
-systemd_unit_file(lsmd_unit_file_t)
-
########################################
#
-# lsmd local policy
+# Local policy
#
-allow lsmd_t self:capability { setgid };
-allow lsmd_t self:process { fork };
+
+allow lsmd_t self:capability setgid;
allow lsmd_t self:unix_stream_socket create_stream_socket_perms;
manage_dirs_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:merge commit in: policy/modules/contrib/
@ 2013-09-23 6:29 Sven Vermeulen
2013-09-23 13:31 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
0 siblings, 1 reply; 1958+ messages in thread
From: Sven Vermeulen @ 2013-09-23 6:29 UTC (permalink / raw
To: gentoo-commits
commit: da10fcbc0b173d636603c46203a47ef2ca51f74c
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Thu Sep 19 17:25:11 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Sep 23 06:26:40 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=da10fcbc
We dont use the arbt domain types template. Use a more uniform boolean discription
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/abrt.te | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/policy/modules/contrib/abrt.te b/policy/modules/contrib/abrt.te
index de3f140..eb50f07 100644
--- a/policy/modules/contrib/abrt.te
+++ b/policy/modules/contrib/abrt.te
@@ -1,4 +1,4 @@
-policy_module(abrt, 1.4.0)
+policy_module(abrt, 1.4.1)
########################################
#
@@ -15,10 +15,11 @@ policy_module(abrt, 1.4.0)
gen_tunable(abrt_anon_write, false)
## <desc>
-## <p>
-## Allow abrt-handle-upload to modify public files
-## used for public file transfer services in /var/spool/abrt-upload/.
-## </p>
+## <p>
+## Determine whether abrt-handle-upload
+## can modify public files used for public file
+## transfer services in /var/spool/abrt-upload/.
+## </p>
## </desc>
gen_tunable(abrt_upload_watch_anon_write, true)
@@ -95,8 +96,8 @@ type abrt_watch_log_t, abrt_domain;
type abrt_watch_log_exec_t;
init_daemon_domain(abrt_watch_log_t, abrt_watch_log_exec_t)
-# Support for abrt-upload-watch
-abrt_basic_types_template(abrt_upload_watch)
+type abrt_upload_watch_t, abrt_domain;
+type abrt_upload_watch_exec_t;
init_daemon_domain(abrt_upload_watch_t, abrt_upload_watch_exec_t)
ifdef(`enable_mcs',`
@@ -415,7 +416,7 @@ logging_read_all_logs(abrt_watch_log_t)
#######################################
#
-# abrt-upload-watch local policy
+# Upload watch local policy
#
corecmd_exec_bin(abrt_upload_watch_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2013-09-23 6:29 [gentoo-commits] proj/hardened-refpolicy:merge " Sven Vermeulen
@ 2013-09-23 13:31 ` Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-09-23 13:31 UTC (permalink / raw
To: gentoo-commits
commit: da10fcbc0b173d636603c46203a47ef2ca51f74c
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Thu Sep 19 17:25:11 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Sep 23 06:26:40 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=da10fcbc
We dont use the arbt domain types template. Use a more uniform boolean discription
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/abrt.te | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/policy/modules/contrib/abrt.te b/policy/modules/contrib/abrt.te
index de3f140..eb50f07 100644
--- a/policy/modules/contrib/abrt.te
+++ b/policy/modules/contrib/abrt.te
@@ -1,4 +1,4 @@
-policy_module(abrt, 1.4.0)
+policy_module(abrt, 1.4.1)
########################################
#
@@ -15,10 +15,11 @@ policy_module(abrt, 1.4.0)
gen_tunable(abrt_anon_write, false)
## <desc>
-## <p>
-## Allow abrt-handle-upload to modify public files
-## used for public file transfer services in /var/spool/abrt-upload/.
-## </p>
+## <p>
+## Determine whether abrt-handle-upload
+## can modify public files used for public file
+## transfer services in /var/spool/abrt-upload/.
+## </p>
## </desc>
gen_tunable(abrt_upload_watch_anon_write, true)
@@ -95,8 +96,8 @@ type abrt_watch_log_t, abrt_domain;
type abrt_watch_log_exec_t;
init_daemon_domain(abrt_watch_log_t, abrt_watch_log_exec_t)
-# Support for abrt-upload-watch
-abrt_basic_types_template(abrt_upload_watch)
+type abrt_upload_watch_t, abrt_domain;
+type abrt_upload_watch_exec_t;
init_daemon_domain(abrt_upload_watch_t, abrt_upload_watch_exec_t)
ifdef(`enable_mcs',`
@@ -415,7 +416,7 @@ logging_read_all_logs(abrt_watch_log_t)
#######################################
#
-# abrt-upload-watch local policy
+# Upload watch local policy
#
corecmd_exec_bin(abrt_upload_watch_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:merge commit in: policy/modules/contrib/
@ 2013-09-23 6:29 Sven Vermeulen
2013-09-23 13:31 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
0 siblings, 1 reply; 1958+ messages in thread
From: Sven Vermeulen @ 2013-09-23 6:29 UTC (permalink / raw
To: gentoo-commits
commit: ca18cb22cf84906139910c600d5bb2afd4bae1a1
Author: Miroslav Grepl <mgrepl <AT> redhat <DOT> com>
AuthorDate: Fri Aug 23 08:27:18 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Sep 23 06:26:38 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ca18cb22
Add support for abrt-upload-watch
---
policy/modules/contrib/abrt.fc | 1 +
policy/modules/contrib/abrt.te | 23 +++++++++++++++++++++++
2 files changed, 24 insertions(+)
diff --git a/policy/modules/contrib/abrt.fc b/policy/modules/contrib/abrt.fc
index e4f84de..1a93dc5 100644
--- a/policy/modules/contrib/abrt.fc
+++ b/policy/modules/contrib/abrt.fc
@@ -12,6 +12,7 @@
/usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0)
/usr/sbin/abrt-dbus -- gen_context(system_u:object_r:abrt_exec_t,s0)
+/usr/sbin/abrt-upload-watch -- gen_context(system_u:object_r:abrt_upload_watch_exec_t,s0)
/var/cache/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
/var/cache/abrt-di(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
diff --git a/policy/modules/contrib/abrt.te b/policy/modules/contrib/abrt.te
index 09a02b2..de3f140 100644
--- a/policy/modules/contrib/abrt.te
+++ b/policy/modules/contrib/abrt.te
@@ -15,6 +15,14 @@ policy_module(abrt, 1.4.0)
gen_tunable(abrt_anon_write, false)
## <desc>
+## <p>
+## Allow abrt-handle-upload to modify public files
+## used for public file transfer services in /var/spool/abrt-upload/.
+## </p>
+## </desc>
+gen_tunable(abrt_upload_watch_anon_write, true)
+
+## <desc>
## <p>
## Determine whether ABRT can run in
## the abrt_handle_event_t domain to
@@ -87,6 +95,10 @@ type abrt_watch_log_t, abrt_domain;
type abrt_watch_log_exec_t;
init_daemon_domain(abrt_watch_log_t, abrt_watch_log_exec_t)
+# Support for abrt-upload-watch
+abrt_basic_types_template(abrt_upload_watch)
+init_daemon_domain(abrt_upload_watch_t, abrt_upload_watch_exec_t)
+
ifdef(`enable_mcs',`
init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh)
')
@@ -403,6 +415,17 @@ logging_read_all_logs(abrt_watch_log_t)
#######################################
#
+# abrt-upload-watch local policy
+#
+
+corecmd_exec_bin(abrt_upload_watch_t)
+
+tunable_policy(`abrt_upload_watch_anon_write',`
+ miscfiles_manage_public_files(abrt_upload_watch_t)
+')
+
+#######################################
+#
# Global local policy
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
2013-09-23 6:29 [gentoo-commits] proj/hardened-refpolicy:merge " Sven Vermeulen
@ 2013-09-23 13:31 ` Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-09-23 13:31 UTC (permalink / raw
To: gentoo-commits
commit: ca18cb22cf84906139910c600d5bb2afd4bae1a1
Author: Miroslav Grepl <mgrepl <AT> redhat <DOT> com>
AuthorDate: Fri Aug 23 08:27:18 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Sep 23 06:26:38 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ca18cb22
Add support for abrt-upload-watch
---
policy/modules/contrib/abrt.fc | 1 +
policy/modules/contrib/abrt.te | 23 +++++++++++++++++++++++
2 files changed, 24 insertions(+)
diff --git a/policy/modules/contrib/abrt.fc b/policy/modules/contrib/abrt.fc
index e4f84de..1a93dc5 100644
--- a/policy/modules/contrib/abrt.fc
+++ b/policy/modules/contrib/abrt.fc
@@ -12,6 +12,7 @@
/usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0)
/usr/sbin/abrt-dbus -- gen_context(system_u:object_r:abrt_exec_t,s0)
+/usr/sbin/abrt-upload-watch -- gen_context(system_u:object_r:abrt_upload_watch_exec_t,s0)
/var/cache/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
/var/cache/abrt-di(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
diff --git a/policy/modules/contrib/abrt.te b/policy/modules/contrib/abrt.te
index 09a02b2..de3f140 100644
--- a/policy/modules/contrib/abrt.te
+++ b/policy/modules/contrib/abrt.te
@@ -15,6 +15,14 @@ policy_module(abrt, 1.4.0)
gen_tunable(abrt_anon_write, false)
## <desc>
+## <p>
+## Allow abrt-handle-upload to modify public files
+## used for public file transfer services in /var/spool/abrt-upload/.
+## </p>
+## </desc>
+gen_tunable(abrt_upload_watch_anon_write, true)
+
+## <desc>
## <p>
## Determine whether ABRT can run in
## the abrt_handle_event_t domain to
@@ -87,6 +95,10 @@ type abrt_watch_log_t, abrt_domain;
type abrt_watch_log_exec_t;
init_daemon_domain(abrt_watch_log_t, abrt_watch_log_exec_t)
+# Support for abrt-upload-watch
+abrt_basic_types_template(abrt_upload_watch)
+init_daemon_domain(abrt_upload_watch_t, abrt_upload_watch_exec_t)
+
ifdef(`enable_mcs',`
init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh)
')
@@ -403,6 +415,17 @@ logging_read_all_logs(abrt_watch_log_t)
#######################################
#
+# abrt-upload-watch local policy
+#
+
+corecmd_exec_bin(abrt_upload_watch_t)
+
+tunable_policy(`abrt_upload_watch_anon_write',`
+ miscfiles_manage_public_files(abrt_upload_watch_t)
+')
+
+#######################################
+#
# Global local policy
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-09-18 8:58 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-09-18 8:58 UTC (permalink / raw
To: gentoo-commits
commit: f17ac6042cb379306950cb2ea6d21492e82ec00b
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Sep 18 08:58:20 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Sep 18 08:58:20 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f17ac604
GPG agent looks for files in ~/.local, grant it read rights
---
policy/modules/contrib/gpg.te | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index cc6522b..a8bad37 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -345,3 +345,12 @@ optional_policy(`
optional_policy(`
xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t)
')
+
+ifdef(`distro_gentoo',`
+ #########################################
+ #
+ # gpg_pinentry_t policy
+ #
+
+ xdg_read_data_home_files(gpg_pinentry_t)
+')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-09-18 8:58 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-09-18 8:58 UTC (permalink / raw
To: gentoo-commits
commit: c8dac85b28937570df596a1dbc3c5e34fa87cfb9
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon Sep 16 13:39:19 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Sep 16 13:39:19 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=c8dac85b
Fix bug 482196 - Support emerge --config
Currently, running "emerge --config" transitions the command to portage_t, which
does not have the necessary permissions SELinux-wise to do its usual things
(--config is meant to configure the system outside Portage sandboxing).
With these changes, we can have users run "emerge --config" using runcon:
~# runcon -t sysadm_t emerge --config ...
We mark ebuild and ebuild.sh as bin_t so no automatic transitions occur anymore.
Also, portage_t now has bin_t as a valid entrypoint as Portage is SELinux-aware
and calls setexeccon() upon calling ebuild and ebuild.sh to transition to
portage_t.
---
policy/modules/contrib/portage.fc | 5 +++--
policy/modules/contrib/portage.if | 3 +++
policy/modules/contrib/portage.te | 3 +++
3 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/portage.fc b/policy/modules/contrib/portage.fc
index 8584af4..a2738ea 100644
--- a/policy/modules/contrib/portage.fc
+++ b/policy/modules/contrib/portage.fc
@@ -8,12 +8,13 @@
/usr/bin/glsa-check -- gen_context(system_u:object_r:portage_exec_t,s0)
/usr/bin/layman -- gen_context(system_u:object_r:portage_fetch_exec_t,s0)
/usr/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0)
+/usr/bin/emerge -- gen_context(system_u:object_r:portage_exec_t,s0)
-/usr/lib/portage/bin/ebuild -- gen_context(system_u:object_r:portage_exec_t,s0)
+/usr/lib/portage/bin/ebuild -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/portage/bin/emerge -- gen_context(system_u:object_r:portage_exec_t,s0)
/usr/lib/portage/bin/emerge-webrsync -- gen_context(system_u:object_r:portage_fetch_exec_t,s0)
/usr/lib/portage/bin/quickpkg -- gen_context(system_u:object_r:portage_exec_t,s0)
-/usr/lib/portage/bin/ebuild\.sh -- gen_context(system_u:object_r:portage_exec_t,s0)
+/usr/lib/portage/bin/ebuild\.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/portage/bin/regenworld -- gen_context(system_u:object_r:portage_exec_t,s0)
/usr/lib/portage/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0)
diff --git a/policy/modules/contrib/portage.if b/policy/modules/contrib/portage.if
index 06655e1..fd1ae2a 100644
--- a/policy/modules/contrib/portage.if
+++ b/policy/modules/contrib/portage.if
@@ -13,10 +13,13 @@
interface(`portage_domtrans',`
gen_require(`
type portage_t, portage_exec_t;
+ type portage_tmp_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, portage_exec_t, portage_t)
+
+ can_exec($1, portage_tmp_t) # Portage does exectest
')
########################################
diff --git a/policy/modules/contrib/portage.te b/policy/modules/contrib/portage.te
index 20da39d..533919c 100644
--- a/policy/modules/contrib/portage.te
+++ b/policy/modules/contrib/portage.te
@@ -395,6 +395,9 @@ ifdef(`distro_gentoo',`
#
allow portage_t self:capability2 block_suspend;
+ # Portage is selinuxaware, transitions on calling ebuild, now marked as bin_t
+ corecmd_bin_entry_type(portage_t)
+
auth_use_nsswitch(portage_t)
libs_generic_etc_filetrans_ld_so_cache(portage_t, file, "ld.so.cache~")
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-09-16 9:26 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-09-16 9:26 UTC (permalink / raw
To: gentoo-commits
commit: 8baddf136477d1744838b8b76f6c326f746edcdc
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Aug 27 10:47:17 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue Aug 27 10:47:17 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=8baddf13
Allow qemu to launch VNC
When running qemu/kvm with the -vnc option, no VNC server seems to be running. A
denial is shown that mentions qemu_t is trying to create a udp_socket.
Allowing create_socket_perms on the udp_socket is sufficient to get VNC to work
properly again.
---
policy/modules/contrib/qemu.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/qemu.te b/policy/modules/contrib/qemu.te
index 2995e8a..9a6a082 100644
--- a/policy/modules/contrib/qemu.te
+++ b/policy/modules/contrib/qemu.te
@@ -63,6 +63,7 @@ ifdef(`distro_gentoo',`
# Local policy
#
allow qemu_t self:tcp_socket create_stream_socket_perms;
+ allow qemu_t self:udp_socket create_socket_perms;
optional_policy(`
vde_connect(qemu_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-08-27 10:33 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-08-27 10:33 UTC (permalink / raw
To: gentoo-commits
commit: f5c8676f3ab615cc127e962d9f45fad1dfddd595
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Aug 27 10:22:24 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue Aug 27 10:22:24 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f5c8676f
Recent firefox requires execmem (again)
---
policy/modules/contrib/mozilla.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
index aedcc00..5e89868 100644
--- a/policy/modules/contrib/mozilla.te
+++ b/policy/modules/contrib/mozilla.te
@@ -634,6 +634,7 @@ gen_tunable(mozilla_plugin_connect_all_unreserved, false)
allow mozilla_t mozilla_exec_t:file { execute_no_trans };
allow mozilla_t mozilla_plugin_t:process { rlimitinh siginh noatsecure };
+ allow mozilla_t self:process execmem; # Startup of firefox (otherwise immediately killed)
manage_fifo_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
@@ -709,6 +710,7 @@ gen_tunable(mozilla_plugin_connect_all_unreserved, false)
allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms;
allow mozilla_plugin_t self:udp_socket create_socket_perms;
+ allow mozilla_plugin_t self:process execmem; # Needed for flash plugin
read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-08-24 15:36 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-08-24 15:36 UTC (permalink / raw
To: gentoo-commits
commit: 1913081c1b985586a2c80362d59d65abdcd22d6d
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Aug 24 15:35:20 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Aug 24 15:35:20 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=1913081c
Creation of .config is implied in xdg_config_home_filetrans call
---
policy/modules/contrib/chromium.te | 1 -
1 file changed, 1 deletion(-)
diff --git a/policy/modules/contrib/chromium.te b/policy/modules/contrib/chromium.te
index 666a899..23d799d 100644
--- a/policy/modules/contrib/chromium.te
+++ b/policy/modules/contrib/chromium.te
@@ -157,7 +157,6 @@ userdom_use_user_terminals(chromium_t)
xdg_create_cache_home_dirs(chromium_t)
xdg_create_config_home_dirs(chromium_t)
xdg_create_data_home_dirs(chromium_t)
-xdg_generic_user_home_dir_filetrans_config_home(chromium_t, dir, ".config")
xdg_create_downloads_home(chromium_t)
xdg_write_downloads_home(chromium_t)
xdg_read_config_home_files(chromium_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-08-17 8:26 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-08-17 8:26 UTC (permalink / raw
To: gentoo-commits
commit: 6cf06e8d90f350c570413b8caf6ddefe63c53b12
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Aug 17 08:24:47 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Aug 17 08:24:47 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=6cf06e8d
Revert change - is handled through nscd_use_shm boolean
---
policy/modules/contrib/webalizer.te | 6 ------
1 file changed, 6 deletions(-)
diff --git a/policy/modules/contrib/webalizer.te b/policy/modules/contrib/webalizer.te
index b6f0641..ae919b9 100644
--- a/policy/modules/contrib/webalizer.te
+++ b/policy/modules/contrib/webalizer.te
@@ -73,12 +73,6 @@ userdom_use_user_terminals(webalizer_t)
userdom_use_unpriv_users_fds(webalizer_t)
userdom_dontaudit_search_user_home_content(webalizer_t)
-ifdef(`distro_gentoo',`
- optional_policy(`
- nscd_socket_use(webalizer_t)
- ')
-')
-
optional_policy(`
apache_read_log(webalizer_t)
apache_content_template(webalizer)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-08-16 14:01 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-08-16 14:01 UTC (permalink / raw
To: gentoo-commits
commit: a3c2f6fdbcfb1aa3338e1c9be143baa2417f31bd
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Aug 16 13:59:53 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Aug 16 13:59:53 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=a3c2f6fd
Fix typo in type dependency
---
policy/modules/contrib/googletalk.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/googletalk.if b/policy/modules/contrib/googletalk.if
index 872ae31..a88dccc 100644
--- a/policy/modules/contrib/googletalk.if
+++ b/policy/modules/contrib/googletalk.if
@@ -17,7 +17,7 @@
interface(`googletalk_plugin_domain',`
gen_require(`
type googletalk_plugin_t;
- type googetalk_plugin_xdg_config_t;
+ type googletalk_plugin_xdg_config_t;
')
allow $1 googletalk_plugin_t:fd use;
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-08-16 13:59 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-08-16 13:59 UTC (permalink / raw
To: gentoo-commits
commit: 38a6ee195e3bb0ab515f23dd2173fea25b082d2b
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Aug 16 13:58:22 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Aug 16 13:58:22 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=38a6ee19
Merged with main
---
policy/modules/contrib/aide.fc | 2 +-
policy/modules/contrib/dmidecode.te | 9 ---------
policy/modules/contrib/squid.te | 10 ----------
3 files changed, 1 insertion(+), 20 deletions(-)
diff --git a/policy/modules/contrib/aide.fc b/policy/modules/contrib/aide.fc
index 6037ccc..b2f47de 100644
--- a/policy/modules/contrib/aide.fc
+++ b/policy/modules/contrib/aide.fc
@@ -4,4 +4,4 @@
/var/lib/aide(/.*)? gen_context(system_u:object_r:aide_db_t,mls_systemhigh)
/var/log/aide(/.*)? gen_context(system_u:object_r:aide_log_t,mls_systemhigh)
-/var/log/aide\.log -- gen_context(system_u:object_r:aide_log_t,mls_systemhigh)
+/var/log/aide\.log.* -- gen_context(system_u:object_r:aide_log_t,mls_systemhigh)
diff --git a/policy/modules/contrib/dmidecode.te b/policy/modules/contrib/dmidecode.te
index ace469c..aa0ef6e 100644
--- a/policy/modules/contrib/dmidecode.te
+++ b/policy/modules/contrib/dmidecode.te
@@ -32,12 +32,3 @@ mls_file_read_all_levels(dmidecode_t)
locallogin_use_fds(dmidecode_t)
userdom_use_user_terminals(dmidecode_t)
-
-ifdef(`distro_gentoo',`
- ###########################
- #
- # Local policy
- #
-
- domain_use_interactive_fds(dmidecode_t)
-')
diff --git a/policy/modules/contrib/squid.te b/policy/modules/contrib/squid.te
index 2251e28..03472ed 100644
--- a/policy/modules/contrib/squid.te
+++ b/policy/modules/contrib/squid.te
@@ -236,13 +236,3 @@ optional_policy(`
optional_policy(`
udev_read_db(squid_t)
')
-
-ifdef(`distro_gentoo',`
- ###################################
- #
- # Local policy
- #
-
- # Instead of append, see bug #466156
- write_files_pattern(squid_t, squid_log_t, squid_log_t)
-')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-08-16 13:59 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-08-16 13:59 UTC (permalink / raw
To: gentoo-commits
commit: 7cd2c37e2b13713dbc4708ff9285cb1c9b863873
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Aug 16 13:56:17 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Aug 16 13:56:17 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=7cd2c37e
Merge collision fixup
---
policy/modules/contrib/aide.fc | 6 ------
policy/modules/contrib/alsa.if | 19 -------------------
2 files changed, 25 deletions(-)
diff --git a/policy/modules/contrib/aide.fc b/policy/modules/contrib/aide.fc
index 4dbd2b7..6037ccc 100644
--- a/policy/modules/contrib/aide.fc
+++ b/policy/modules/contrib/aide.fc
@@ -5,9 +5,3 @@
/var/log/aide(/.*)? gen_context(system_u:object_r:aide_log_t,mls_systemhigh)
/var/log/aide\.log -- gen_context(system_u:object_r:aide_log_t,mls_systemhigh)
-
-ifdef(`distro_gentoo',`
-/usr/bin/aide -- gen_context(system_u:object_r:aide_exec_t,mls_systemhigh)
-
-/var/lib/aide(/.*)? gen_context(system_u:object_r:aide_db_t,mls_systemhigh)
-')
diff --git a/policy/modules/contrib/alsa.if b/policy/modules/contrib/alsa.if
index 14204f1..0de51d3 100644
--- a/policy/modules/contrib/alsa.if
+++ b/policy/modules/contrib/alsa.if
@@ -302,22 +302,3 @@ interface(`alsa_write_lib',`
files_search_var_lib($1)
write_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
')
-
-#########################################
-## <summary>
-## Write Alsa lib files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`alsa_write_lib',`
- gen_require(`
- type alsa_var_lib_t;
- ')
-
- files_search_var_lib($1)
- write_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
-')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-08-16 13:59 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-08-16 13:59 UTC (permalink / raw
To: gentoo-commits
commit: 7f630247624bdbf3ca4dd3995d3d8f4eb9c90594
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Aug 16 06:21:45 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Aug 16 13:54:24 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=7f630247
Grant write privileges to squid on its log files
The squid daemon currently seems to require write privileges on the files
(squid_log_t) - append no longer cuts it. This is confirmed for both the
cache.log file as well as the netdb.state file.
Switching append_files_pattern to write_files_pattern.
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
---
policy/modules/contrib/squid.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/squid.te b/policy/modules/contrib/squid.te
index a68b5c4..eadd503 100644
--- a/policy/modules/contrib/squid.te
+++ b/policy/modules/contrib/squid.te
@@ -74,7 +74,7 @@ allow squid_t squid_conf_t:file read_file_perms;
allow squid_t squid_conf_t:lnk_file read_lnk_file_perms;
manage_dirs_pattern(squid_t, squid_log_t, squid_log_t)
-append_files_pattern(squid_t, squid_log_t, squid_log_t)
+write_files_pattern(squid_t, squid_log_t, squid_log_t)
create_files_pattern(squid_t, squid_log_t, squid_log_t)
setattr_files_pattern(squid_t, squid_log_t, squid_log_t)
manage_lnk_files_pattern(squid_t, squid_log_t, squid_log_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-08-16 13:59 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-08-16 13:59 UTC (permalink / raw
To: gentoo-commits
commit: 0a3d17a9f57eaa55d141fb9884556e80d605711d
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Fri Aug 16 11:26:09 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Aug 16 13:54:27 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=0a3d17a9
Squid: Use a single pattern for brevity
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/squid.te | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/policy/modules/contrib/squid.te b/policy/modules/contrib/squid.te
index eadd503..2251e28 100644
--- a/policy/modules/contrib/squid.te
+++ b/policy/modules/contrib/squid.te
@@ -1,4 +1,4 @@
-policy_module(squid, 1.12.0)
+policy_module(squid, 1.12.1)
########################################
#
@@ -74,9 +74,7 @@ allow squid_t squid_conf_t:file read_file_perms;
allow squid_t squid_conf_t:lnk_file read_lnk_file_perms;
manage_dirs_pattern(squid_t, squid_log_t, squid_log_t)
-write_files_pattern(squid_t, squid_log_t, squid_log_t)
-create_files_pattern(squid_t, squid_log_t, squid_log_t)
-setattr_files_pattern(squid_t, squid_log_t, squid_log_t)
+manage_files_pattern(squid_t, squid_log_t, squid_log_t)
manage_lnk_files_pattern(squid_t, squid_log_t, squid_log_t)
logging_log_filetrans(squid_t, squid_log_t, { file dir })
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-08-16 13:59 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-08-16 13:59 UTC (permalink / raw
To: gentoo-commits
commit: a3622e144c4cb30c4a4d5c20c17f92b4648e5452
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Fri Aug 16 11:24:38 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Aug 16 13:54:25 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=a3622e14
Module version bumps for changes in various policy modules by Sven Vermeulen
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/alsa.te | 2 +-
policy/modules/contrib/dmidecode.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/alsa.te b/policy/modules/contrib/alsa.te
index 2ac9f38..4056063 100644
--- a/policy/modules/contrib/alsa.te
+++ b/policy/modules/contrib/alsa.te
@@ -1,4 +1,4 @@
-policy_module(alsa, 1.12.0)
+policy_module(alsa, 1.12.1)
########################################
#
diff --git a/policy/modules/contrib/dmidecode.te b/policy/modules/contrib/dmidecode.te
index bb43004..ace469c 100644
--- a/policy/modules/contrib/dmidecode.te
+++ b/policy/modules/contrib/dmidecode.te
@@ -1,4 +1,4 @@
-policy_module(dmidecode, 1.5.0)
+policy_module(dmidecode, 1.5.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-08-16 13:59 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-08-16 13:59 UTC (permalink / raw
To: gentoo-commits
commit: 29b02737ce4b41ef9cdd6e144eb9b57c3dc6d4df
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Aug 15 18:15:09 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Aug 16 13:53:38 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=29b02737
Add aide bin /usr/bin and mark /var/lib/aide
In Gentoo, the aide binary is at /usr/bin/aide.
Also, the /var/lib/aide directory itself is best labeled as aide_db_t as well to
allow aide to handle its contents.
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
---
policy/modules/contrib/aide.fc | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/aide.fc b/policy/modules/contrib/aide.fc
index d16a605..4dbd2b7 100644
--- a/policy/modules/contrib/aide.fc
+++ b/policy/modules/contrib/aide.fc
@@ -1,6 +1,7 @@
+/usr/bin/aide -- gen_context(system_u:object_r:aide_exec_t,mls_systemhigh)
/usr/sbin/aide -- gen_context(system_u:object_r:aide_exec_t,mls_systemhigh)
-/var/lib/aide(/.*) gen_context(system_u:object_r:aide_db_t,mls_systemhigh)
+/var/lib/aide(/.*)? gen_context(system_u:object_r:aide_db_t,mls_systemhigh)
/var/log/aide(/.*)? gen_context(system_u:object_r:aide_log_t,mls_systemhigh)
/var/log/aide\.log -- gen_context(system_u:object_r:aide_log_t,mls_systemhigh)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-08-16 13:59 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-08-16 13:59 UTC (permalink / raw
To: gentoo-commits
commit: 259b3a3832f93ae2e52fd42084faadf6801a4a57
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Aug 15 18:15:11 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Aug 16 13:54:21 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=259b3a38
Run dmidecode after newrole or on terminals
The dmidecode application needs to use the file descriptors often owned by the
switching process (like newrole_t after switching roles with newrole), commonly
done by administrators.
Grant this through domain_use_interactive_fds(), allowing output for dmidecode
to be displayed on such terminals.
Also update style a bit to be confirm the coding style for refpolicy.
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
---
policy/modules/contrib/aide.te | 2 +-
policy/modules/contrib/alsa.if | 19 +++++++++++++++++++
policy/modules/contrib/dmidecode.te | 6 ++++--
3 files changed, 24 insertions(+), 3 deletions(-)
diff --git a/policy/modules/contrib/aide.te b/policy/modules/contrib/aide.te
index b41a1b1..03831e6 100644
--- a/policy/modules/contrib/aide.te
+++ b/policy/modules/contrib/aide.te
@@ -1,4 +1,4 @@
-policy_module(aide, 1.7.0)
+policy_module(aide, 1.7.1)
########################################
#
diff --git a/policy/modules/contrib/alsa.if b/policy/modules/contrib/alsa.if
index 0de51d3..14204f1 100644
--- a/policy/modules/contrib/alsa.if
+++ b/policy/modules/contrib/alsa.if
@@ -302,3 +302,22 @@ interface(`alsa_write_lib',`
files_search_var_lib($1)
write_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
')
+
+#########################################
+## <summary>
+## Write Alsa lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`alsa_write_lib',`
+ gen_require(`
+ type alsa_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ write_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
+')
diff --git a/policy/modules/contrib/dmidecode.te b/policy/modules/contrib/dmidecode.te
index 3e34d4f..bb43004 100644
--- a/policy/modules/contrib/dmidecode.te
+++ b/policy/modules/contrib/dmidecode.te
@@ -20,13 +20,15 @@ role dmidecode_roles types dmidecode_t;
allow dmidecode_t self:capability sys_rawio;
-dev_read_sysfs(dmidecode_t)
dev_read_raw_memory(dmidecode_t)
+dev_read_sysfs(dmidecode_t)
-mls_file_read_all_levels(dmidecode_t)
+domain_use_interactive_fds(dmidecode_t)
files_list_usr(dmidecode_t)
+mls_file_read_all_levels(dmidecode_t)
+
locallogin_use_fds(dmidecode_t)
userdom_use_user_terminals(dmidecode_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-08-16 13:53 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-08-16 13:53 UTC (permalink / raw
To: gentoo-commits
commit: b6e8219543a765d1ecf4130c81b17d829f928902
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Aug 16 13:47:46 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Aug 16 13:47:46 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b6e82195
Create googletalk_plugin_domain interface
The googletalk_plugin_domain interface is meant to assign the right set of
privileges to web server domains that invoke and interact with the GoogleTalk
plugin.
---
policy/modules/contrib/googletalk.if | 30 ++++++++++++++++++++++++++++++
1 file changed, 30 insertions(+)
diff --git a/policy/modules/contrib/googletalk.if b/policy/modules/contrib/googletalk.if
index 356f592..5035980 100644
--- a/policy/modules/contrib/googletalk.if
+++ b/policy/modules/contrib/googletalk.if
@@ -2,6 +2,36 @@
## Google Talk
## </summary>
+##########################################
+## <summary>
+## Grant the plugin domain the needed privileges to launch and
+## interact with the GoogleTalk application. Used for web browser
+## plugin domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`googletalk_plugin_domain',`
+ gen_require(`
+ type googletalk_plugin_t;
+ type googetalk_plugin_xdg_config_t;
+ ')
+
+ allow $1 googletalk_plugin_t:fd use;
+ allow $1 googletalk_plugin_t:unix_stream_socket { read write };
+
+ googletalk_domtrans_plugin($1)
+
+ # Create .config/google-googletalkplugin with correct type
+ manage_dirs_pattern($1, googletalk_plugin_xdg_config_t, googletalk_plugin_xdg_config_t)
+ manage_files_pattern($1, googletalk_plugin_xdg_config_t, googletalk_plugin_xdg_config_t)
+ xdg_config_home_filetrans($1, googletalk_plugin_xdg_config_t, dir, "google-googletalkplugin")
+ xdg_search_config_home_dirs($1)
+')
+
#######################################
## <summary>
## Execute Google talk plugin in the Google talk plugin domain
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-08-16 13:53 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-08-16 13:53 UTC (permalink / raw
To: gentoo-commits
commit: 119b2210a07f26df46e80d5aa1734b01f7813904
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Aug 16 13:52:20 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Aug 16 13:52:20 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=119b2210
Put dgram sendto also in googletalk_plugin_domain interface
---
policy/modules/contrib/googletalk.if | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/policy/modules/contrib/googletalk.if b/policy/modules/contrib/googletalk.if
index 5035980..872ae31 100644
--- a/policy/modules/contrib/googletalk.if
+++ b/policy/modules/contrib/googletalk.if
@@ -23,6 +23,12 @@ interface(`googletalk_plugin_domain',`
allow $1 googletalk_plugin_t:fd use;
allow $1 googletalk_plugin_t:unix_stream_socket { read write };
+ allow googletalk_plugin_t $1:unix_dgram_socket sendto;
+
+ # GoogleTalk process binds on an unreserved port, the client (plugin)
+ # then connects to this port
+ corenet_tcp_connect_all_unreserved_ports($1)
+
googletalk_domtrans_plugin($1)
# Create .config/google-googletalkplugin with correct type
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-08-16 13:24 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-08-16 13:24 UTC (permalink / raw
To: gentoo-commits
commit: 5f387de3fcf4b582ce317fd3e9c491aa2865dd60
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Aug 16 13:23:28 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Aug 16 13:23:28 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=5f387de3
Allow googletalk to display info on terminal in case of errors
---
policy/modules/contrib/googletalk.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/googletalk.te b/policy/modules/contrib/googletalk.te
index c61f13b..fdc24fc 100644
--- a/policy/modules/contrib/googletalk.te
+++ b/policy/modules/contrib/googletalk.te
@@ -72,6 +72,7 @@ miscfiles_read_localization(googletalk_plugin_t)
sysnet_read_config(googletalk_plugin_t)
userdom_search_user_home_content(googletalk_plugin_t)
+userdom_use_user_terminals(googletalk_plugin_t)
googletalk_generic_xdg_config_home_filetrans_plugin_xdg_config(googletalk_plugin_t, dir, "google-googletalkplugin")
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-08-16 11:26 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-08-16 11:26 UTC (permalink / raw
To: gentoo-commits
commit: 19d02e1f859cde73e6118fda6f458699e8cc79eb
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Aug 16 11:24:52 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Aug 16 11:24:52 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=19d02e1f
Filetrans is now in xdg_cache_home_filetrans
---
policy/modules/contrib/chromium.te | 1 -
1 file changed, 1 deletion(-)
diff --git a/policy/modules/contrib/chromium.te b/policy/modules/contrib/chromium.te
index ec816e4..666a899 100644
--- a/policy/modules/contrib/chromium.te
+++ b/policy/modules/contrib/chromium.te
@@ -157,7 +157,6 @@ userdom_use_user_terminals(chromium_t)
xdg_create_cache_home_dirs(chromium_t)
xdg_create_config_home_dirs(chromium_t)
xdg_create_data_home_dirs(chromium_t)
-xdg_generic_user_home_dir_filetrans_cache_home(chromium_t, dir, ".cache")
xdg_generic_user_home_dir_filetrans_config_home(chromium_t, dir, ".config")
xdg_create_downloads_home(chromium_t)
xdg_write_downloads_home(chromium_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-08-16 11:12 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-08-16 11:12 UTC (permalink / raw
To: gentoo-commits
commit: 86500de7af2c9aa53db816dfcd507333b9faa6f4
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Fri Aug 16 07:07:37 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Aug 16 11:10:04 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=86500de7
Fix monolithic built
Make unconfined_cronjob_t declaration mandatory, because else monolithic
built fails due to duplicate declaration
Deprecate kerberos_keytab_template:
Keytab type declarations have to be mandatory, because else monolithic
built fails due to out-of-scope
This keytab solution does not make sense in its current implementation,
as many corresponding file context specs are missing, and there are no
type transtion rules
Replaced two deprecated interface calls
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/apache.if | 6 +++---
policy/modules/contrib/apache.te | 10 ++++++++--
policy/modules/contrib/automount.if | 4 ++++
policy/modules/contrib/automount.te | 14 ++++++++++----
policy/modules/contrib/bind.if | 3 ++-
policy/modules/contrib/bind.te | 12 +++++++++---
policy/modules/contrib/cron.te | 32 ++++++++++++++++----------------
policy/modules/contrib/cvs.if | 5 ++++-
policy/modules/contrib/cvs.te | 10 ++++++++--
policy/modules/contrib/cyrus.if | 4 ++++
policy/modules/contrib/cyrus.te | 10 ++++++++--
policy/modules/contrib/dovecot.if | 3 ++-
policy/modules/contrib/dovecot.te | 10 ++++++++--
policy/modules/contrib/exim.if | 4 ++++
policy/modules/contrib/exim.te | 10 ++++++++--
policy/modules/contrib/ftp.if | 3 ++-
policy/modules/contrib/ftp.te | 10 ++++++++--
policy/modules/contrib/kerberos.if | 17 +----------------
policy/modules/contrib/ldap.if | 4 ++--
policy/modules/contrib/ldap.te | 10 ++++++++--
policy/modules/contrib/postfix.if | 3 ++-
policy/modules/contrib/postfix.te | 10 ++++++++--
policy/modules/contrib/procmail.te | 4 ++--
policy/modules/contrib/qmail.te | 10 ++++++++--
policy/modules/contrib/rlogin.te | 10 ++++++++--
policy/modules/contrib/rpc.if | 4 ++--
policy/modules/contrib/rpc.te | 10 ++++++++--
policy/modules/contrib/rshd.te | 10 ++++++++--
policy/modules/contrib/samba.if | 3 ++-
policy/modules/contrib/samba.te | 9 +++++++--
policy/modules/contrib/sasl.if | 4 ++++
policy/modules/contrib/sasl.te | 10 ++++++++--
policy/modules/contrib/sendmail.if | 4 ++++
policy/modules/contrib/sendmail.te | 10 ++++++++--
policy/modules/contrib/spamassassin.te | 4 ++--
policy/modules/contrib/telnet.te | 10 ++++++++--
policy/modules/contrib/virt.if | 4 ++--
policy/modules/contrib/virt.te | 10 ++++++++--
38 files changed, 218 insertions(+), 92 deletions(-)
diff --git a/policy/modules/contrib/apache.if b/policy/modules/contrib/apache.if
index a1d1131..655cbe1 100644
--- a/policy/modules/contrib/apache.if
+++ b/policy/modules/contrib/apache.if
@@ -1203,9 +1203,9 @@ interface(`apache_admin',`
attribute httpd_script_domains, httpd_htaccess_type;
type httpd_t, httpd_config_t, httpd_log_t;
type httpd_modules_t, httpd_lock_t, httpd_helper_t;
- type httpd_var_run_t, httpd_keytab_t, httpd_passwd_t;
+ type httpd_var_run_t, httpd_passwd_t, httpd_suexec_t;
type httpd_suexec_tmp_t, httpd_tmp_t, httpd_rotatelogs_t;
- type httpd_initrc_exec_t, httpd_suexec_t;
+ type httpd_initrc_exec_t, httpd_keytab_t;
')
allow $1 { httpd_script_domains httpd_t httpd_helper_t }:process { ptrace signal_perms };
@@ -1222,7 +1222,7 @@ interface(`apache_admin',`
miscfiles_manage_public_files($1)
files_search_etc($1)
- admin_pattern($1, { httpd_config_t httpd_keytab_t })
+ admin_pattern($1, { httpd_keytab_t httpd_config_t })
logging_search_logs($1)
admin_pattern($1, httpd_log_t)
diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index 0da7cc3..99bb9b5 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -1,4 +1,4 @@
-policy_module(apache, 2.7.0)
+policy_module(apache, 2.7.1)
########################################
#
@@ -283,6 +283,9 @@ role httpd_helper_roles types httpd_helper_t;
type httpd_initrc_exec_t;
init_script_file(httpd_initrc_exec_t)
+type httpd_keytab_t;
+files_type(httpd_keytab_t)
+
type httpd_lock_t;
files_lock_file(httpd_lock_t)
@@ -391,6 +394,8 @@ allow httpd_t httpd_config_t:dir list_dir_perms;
read_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
read_lnk_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
+allow httpd_t httpd_keytab_t:file read_file_perms;
+
allow httpd_t httpd_lock_t:file manage_file_perms;
files_lock_filetrans(httpd_t, httpd_lock_t, file)
@@ -781,10 +786,11 @@ optional_policy(`
')
optional_policy(`
- kerberos_keytab_template(httpd, httpd_t)
kerberos_manage_host_rcache(httpd_t)
+ kerberos_read_keytab(httpd_t)
kerberos_tmp_filetrans_host_rcache(httpd_t, file, "HTTP_23")
kerberos_tmp_filetrans_host_rcache(httpd_t, file, "HTTP_48")
+ kerberos_use(httpd_t)
')
optional_policy(`
diff --git a/policy/modules/contrib/automount.if b/policy/modules/contrib/automount.if
index 089430a..f24e369 100644
--- a/policy/modules/contrib/automount.if
+++ b/policy/modules/contrib/automount.if
@@ -153,6 +153,7 @@ interface(`automount_admin',`
gen_require(`
type automount_t, automount_lock_t, automount_tmp_t;
type automount_var_run_t, automount_initrc_exec_t;
+ type automount_keytab_t;
')
allow $1 automount_t:process { ptrace signal_perms };
@@ -163,6 +164,9 @@ interface(`automount_admin',`
role_transition $2 automount_initrc_exec_t system_r;
allow $2 system_r;
+ files_list_etc($1)
+ admin_pattern($1, automount_keytab_t)
+
files_list_var($1)
admin_pattern($1, automount_lock_t)
diff --git a/policy/modules/contrib/automount.te b/policy/modules/contrib/automount.te
index d4e58ea..27d2f40 100644
--- a/policy/modules/contrib/automount.te
+++ b/policy/modules/contrib/automount.te
@@ -1,4 +1,4 @@
-policy_module(automount, 1.14.0)
+policy_module(automount, 1.14.1)
########################################
#
@@ -12,8 +12,8 @@ init_daemon_domain(automount_t, automount_exec_t)
type automount_initrc_exec_t;
init_script_file(automount_initrc_exec_t)
-type automount_var_run_t;
-files_pid_file(automount_var_run_t)
+type automount_keytab_t;
+files_type(automount_keytab_t)
type automount_lock_t;
files_lock_file(automount_lock_t)
@@ -22,6 +22,9 @@ type automount_tmp_t;
files_tmp_file(automount_tmp_t)
files_mountpoint(automount_tmp_t)
+type automount_var_run_t;
+files_pid_file(automount_var_run_t)
+
########################################
#
# Local policy
@@ -36,6 +39,8 @@ allow automount_t self:rawip_socket create_socket_perms;
can_exec(automount_t, automount_exec_t)
+allow automount_t automount_keytab_t:file read_file_perms;
+
allow automount_t automount_lock_t:file manage_file_perms;
files_lock_filetrans(automount_t, automount_lock_t, file)
@@ -143,8 +148,9 @@ optional_policy(`
')
optional_policy(`
- kerberos_keytab_template(automount, automount_t)
kerberos_read_config(automount_t)
+ kerberos_read_keytab(automount_t)
+ kerberos_use(automount_t)
kerberos_dontaudit_write_config(automount_t)
')
diff --git a/policy/modules/contrib/bind.if b/policy/modules/contrib/bind.if
index 866a1e2..531a8f2 100644
--- a/policy/modules/contrib/bind.if
+++ b/policy/modules/contrib/bind.if
@@ -364,6 +364,7 @@ interface(`bind_admin',`
type named_t, named_tmp_t, named_log_t;
type named_cache_t, named_zone_t, named_initrc_exec_t;
type dnssec_t, ndc_t, named_conf_t, named_var_run_t;
+ type named_keytab_t;
')
allow $1 { named_t ndc_t }:process { ptrace signal_perms };
@@ -381,7 +382,7 @@ interface(`bind_admin',`
admin_pattern($1, named_log_t)
files_list_etc($1)
- admin_pattern($1, named_conf_t)
+ admin_pattern($1, { named_keytab_t named_conf_t })
files_list_var($1)
admin_pattern($1, { dnssec_t named_cache_t named_zone_t })
diff --git a/policy/modules/contrib/bind.te b/policy/modules/contrib/bind.te
index b01e493..1241123 100644
--- a/policy/modules/contrib/bind.te
+++ b/policy/modules/contrib/bind.te
@@ -1,4 +1,4 @@
-policy_module(bind, 1.13.0)
+policy_module(bind, 1.13.1)
########################################
#
@@ -44,6 +44,9 @@ files_type(named_cache_t)
type named_initrc_exec_t;
init_script_file(named_initrc_exec_t)
+type named_keytab_t;
+files_type(named_keytab_t)
+
type named_log_t;
logging_log_file(named_log_t)
@@ -84,7 +87,7 @@ read_lnk_files_pattern(named_t, named_conf_t, named_conf_t)
manage_files_pattern(named_t, named_cache_t, named_cache_t)
manage_lnk_files_pattern(named_t, named_cache_t, named_cache_t)
-can_exec(named_t, named_exec_t)
+allow named_t named_keytab_t:file read_file_perms;
append_files_pattern(named_t, named_log_t, named_log_t)
create_files_pattern(named_t, named_log_t, named_log_t)
@@ -100,6 +103,8 @@ manage_files_pattern(named_t, named_var_run_t, named_var_run_t)
manage_sock_files_pattern(named_t, named_var_run_t, named_var_run_t)
files_pid_filetrans(named_t, named_var_run_t, { dir file sock_file })
+can_exec(named_t, named_exec_t)
+
allow named_t named_zone_t:dir list_dir_perms;
read_files_pattern(named_t, named_zone_t, named_zone_t)
read_lnk_files_pattern(named_t, named_zone_t, named_zone_t)
@@ -182,7 +187,8 @@ optional_policy(`
')
optional_policy(`
- kerberos_keytab_template(named, named_t)
+ kerberos_read_keytab(named_t)
+ kerberos_use(named_t)
')
optional_policy(`
diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te
index d865049..41bb279 100644
--- a/policy/modules/contrib/cron.te
+++ b/policy/modules/contrib/cron.te
@@ -1,4 +1,4 @@
-policy_module(cron, 2.6.0)
+policy_module(cron, 2.6.1)
gen_require(`
class passwd rootok;
@@ -701,22 +701,22 @@ optional_policy(`
# Unconfined local policy
#
-optional_policy(`
- type unconfined_cronjob_t;
- domain_type(unconfined_cronjob_t)
- domain_cron_exemption_target(unconfined_cronjob_t)
+type unconfined_cronjob_t;
+domain_type(unconfined_cronjob_t)
+domain_cron_exemption_target(unconfined_cronjob_t)
- dontaudit crond_t unconfined_cronjob_t:process { noatsecure siginh rlimitinh };
+dontaudit crond_t unconfined_cronjob_t:process { noatsecure siginh rlimitinh };
- unconfined_domain(unconfined_cronjob_t)
+tunable_policy(`cron_userdomain_transition',`
+ dontaudit crond_t unconfined_cronjob_t:process transition;
+ dontaudit crond_t unconfined_cronjob_t:fd use;
+ dontaudit crond_t unconfined_cronjob_t:key manage_key_perms;
+',`
+ allow crond_t unconfined_cronjob_t:process transition;
+ allow crond_t unconfined_cronjob_t:fd use;
+ allow crond_t unconfined_cronjob_t:key manage_key_perms;
+')
- tunable_policy(`cron_userdomain_transition',`
- dontaudit crond_t unconfined_cronjob_t:process transition;
- dontaudit crond_t unconfined_cronjob_t:fd use;
- dontaudit crond_t unconfined_cronjob_t:key manage_key_perms;
- ',`
- allow crond_t unconfined_cronjob_t:process transition;
- allow crond_t unconfined_cronjob_t:fd use;
- allow crond_t unconfined_cronjob_t:key manage_key_perms;
- ')
+optional_policy(`
+ unconfined_domain(unconfined_cronjob_t)
')
diff --git a/policy/modules/contrib/cvs.if b/policy/modules/contrib/cvs.if
index 9fa7ffb..64775fd 100644
--- a/policy/modules/contrib/cvs.if
+++ b/policy/modules/contrib/cvs.if
@@ -59,7 +59,7 @@ interface(`cvs_exec',`
interface(`cvs_admin',`
gen_require(`
type cvs_t, cvs_tmp_t, cvs_initrc_exec_t;
- type cvs_data_t, cvs_var_run_t;
+ type cvs_data_t, cvs_var_run_t, cvs_keytab_t;
')
allow $1 cvs_t:process { ptrace signal_perms };
@@ -70,6 +70,9 @@ interface(`cvs_admin',`
role_transition $2 cvs_initrc_exec_t system_r;
allow $2 system_r;
+ files_search_etc($1)
+ admin_pattern($1, cvs_keytab_t)
+
files_list_tmp($1)
admin_pattern($1, cvs_tmp_t)
diff --git a/policy/modules/contrib/cvs.te b/policy/modules/contrib/cvs.te
index 6c544e5..17df324 100644
--- a/policy/modules/contrib/cvs.te
+++ b/policy/modules/contrib/cvs.te
@@ -1,4 +1,4 @@
-policy_module(cvs, 1.10.0)
+policy_module(cvs, 1.10.1)
########################################
#
@@ -24,6 +24,9 @@ files_type(cvs_data_t)
type cvs_initrc_exec_t;
init_script_file(cvs_initrc_exec_t)
+type cvs_keytab_t;
+files_type(cvs_keytab_t)
+
type cvs_tmp_t;
files_tmp_file(cvs_tmp_t)
@@ -44,6 +47,8 @@ manage_dirs_pattern(cvs_t, cvs_data_t, cvs_data_t)
manage_files_pattern(cvs_t, cvs_data_t, cvs_data_t)
manage_lnk_files_pattern(cvs_t, cvs_data_t, cvs_data_t)
+allow cvs_t cvs_keytab_t:file read_file_perms;
+
manage_dirs_pattern(cvs_t, cvs_tmp_t, cvs_tmp_t)
manage_files_pattern(cvs_t, cvs_tmp_t, cvs_tmp_t)
files_tmp_filetrans(cvs_t, cvs_tmp_t, { dir file })
@@ -87,8 +92,9 @@ tunable_policy(`allow_cvs_read_shadow',`
')
optional_policy(`
- kerberos_keytab_template(cvs, cvs_t)
kerberos_read_config(cvs_t)
+ kerberos_read_keytab(cvs_t)
+ kerberos_use(cvs_t)
kerberos_dontaudit_write_config(cvs_t)
')
diff --git a/policy/modules/contrib/cyrus.if b/policy/modules/contrib/cyrus.if
index 6508280..83bfda6 100644
--- a/policy/modules/contrib/cyrus.if
+++ b/policy/modules/contrib/cyrus.if
@@ -61,6 +61,7 @@ interface(`cyrus_admin',`
gen_require(`
type cyrus_t, cyrus_tmp_t, cyrus_var_lib_t;
type cyrus_var_run_t, cyrus_initrc_exec_t;
+ type cyrus_keytab_t;
')
allow $1 cyrus_t:process { ptrace signal_perms };
@@ -71,6 +72,9 @@ interface(`cyrus_admin',`
role_transition $2 cyrus_initrc_exec_t system_r;
allow $2 system_r;
+ files_list_etc($1)
+ admin_pattern($1, cyrus_keytab_t)
+
files_list_tmp($1)
admin_pattern($1, cyrus_tmp_t)
diff --git a/policy/modules/contrib/cyrus.te b/policy/modules/contrib/cyrus.te
index 0cef3ef..4283f2d 100644
--- a/policy/modules/contrib/cyrus.te
+++ b/policy/modules/contrib/cyrus.te
@@ -1,4 +1,4 @@
-policy_module(cyrus, 1.13.0)
+policy_module(cyrus, 1.13.1)
########################################
#
@@ -12,6 +12,9 @@ init_daemon_domain(cyrus_t, cyrus_exec_t)
type cyrus_initrc_exec_t;
init_script_file(cyrus_initrc_exec_t)
+type cyrus_keytab_t;
+files_type(cyrus_keytab_t)
+
type cyrus_tmp_t;
files_tmp_file(cyrus_tmp_t)
@@ -41,6 +44,8 @@ allow cyrus_t self:unix_dgram_socket sendto;
allow cyrus_t self:unix_stream_socket { accept connectto listen };
allow cyrus_t self:tcp_socket { accept listen };
+allow cyrus_t cyrus_keytab_t:file read_file_perms;
+
manage_dirs_pattern(cyrus_t, cyrus_tmp_t, cyrus_tmp_t)
manage_files_pattern(cyrus_t, cyrus_tmp_t, cyrus_tmp_t)
files_tmp_filetrans(cyrus_t, cyrus_tmp_t, { dir file })
@@ -116,7 +121,8 @@ optional_policy(`
')
optional_policy(`
- kerberos_keytab_template(cyrus, cyrus_t)
+ kerberos_read_keytab(cyrus_t)
+ kerberos_use(cyrus_t)
')
optional_policy(`
diff --git a/policy/modules/contrib/dovecot.if b/policy/modules/contrib/dovecot.if
index dbcac59..d5badb7 100644
--- a/policy/modules/contrib/dovecot.if
+++ b/policy/modules/contrib/dovecot.if
@@ -143,6 +143,7 @@ interface(`dovecot_admin',`
type dovecot_spool_t, dovecot_var_lib_t, dovecot_initrc_exec_t;
type dovecot_var_run_t, dovecot_cert_t, dovecot_passwd_t;
type dovecot_tmp_t, dovecot_auth_tmp_t, dovecot_deliver_tmp_t;
+ type dovecot_keytab_t;
')
allow $1 dovecot_t:process { ptrace signal_perms };
@@ -154,7 +155,7 @@ interface(`dovecot_admin',`
allow $2 system_r;
files_list_etc($1)
- admin_pattern($1, dovecot_etc_t)
+ admin_pattern($1, { dovecot_keytab_t dovecot_etc_t })
logging_list_logs($1)
admin_pattern($1, dovecot_var_log_t)
diff --git a/policy/modules/contrib/dovecot.te b/policy/modules/contrib/dovecot.te
index 3a6e733..0aabc7e 100644
--- a/policy/modules/contrib/dovecot.te
+++ b/policy/modules/contrib/dovecot.te
@@ -1,4 +1,4 @@
-policy_module(dovecot, 1.16.0)
+policy_module(dovecot, 1.16.1)
########################################
#
@@ -38,6 +38,9 @@ files_config_file(dovecot_etc_t)
type dovecot_initrc_exec_t;
init_script_file(dovecot_initrc_exec_t)
+type dovecot_keytab_t;
+files_type(dovecot_keytab_t)
+
type dovecot_passwd_t;
files_type(dovecot_passwd_t)
@@ -99,6 +102,8 @@ allow dovecot_t dovecot_cert_t:dir list_dir_perms;
allow dovecot_t dovecot_cert_t:file read_file_perms;
allow dovecot_t dovecot_cert_t:lnk_file read_lnk_file_perms;
+allow dovecot_t dovecot_keytab_t:file read_file_perms;
+
manage_dirs_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
manage_files_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
files_tmp_filetrans(dovecot_t, dovecot_tmp_t, { file dir })
@@ -182,9 +187,10 @@ tunable_policy(`use_samba_home_dirs',`
')
optional_policy(`
- kerberos_keytab_template(dovecot, dovecot_t)
kerberos_manage_host_rcache(dovecot_t)
+ kerberos_read_keytab(dovecot_t)
kerberos_tmp_filetrans_host_rcache(dovecot_t, file, "imap_0")
+ kerberos_use(dovecot_t)
')
optional_policy(`
diff --git a/policy/modules/contrib/exim.if b/policy/modules/contrib/exim.if
index 6041113..94a8269 100644
--- a/policy/modules/contrib/exim.if
+++ b/policy/modules/contrib/exim.if
@@ -244,6 +244,7 @@ interface(`exim_admin',`
gen_require(`
type exim_t, exim_spool_t, exim_log_t;
type exim_var_run_t, exim_initrc_exec_t, exim_tmp_t;
+ type exim_keytab_t;
')
allow $1 exim_t:process { ptrace signal_perms };
@@ -254,6 +255,9 @@ interface(`exim_admin',`
role_transition $2 exim_initrc_exec_t system_r;
allow $2 system_r;
+ files_search_etc($1)
+ admin_pattern($1, exim_keytab_t)
+
files_search_spool($1)
admin_pattern($1, exim_spool_t)
diff --git a/policy/modules/contrib/exim.te b/policy/modules/contrib/exim.te
index c9c04ee..7e8cf42 100644
--- a/policy/modules/contrib/exim.te
+++ b/policy/modules/contrib/exim.te
@@ -1,4 +1,4 @@
-policy_module(exim, 1.6.0)
+policy_module(exim, 1.6.1)
########################################
#
@@ -45,6 +45,9 @@ mta_agent_executable(exim_exec_t)
type exim_initrc_exec_t;
init_script_file(exim_initrc_exec_t)
+type exim_keytab_t;
+files_type(exim_keytab_t)
+
type exim_log_t;
logging_log_file(exim_log_t)
@@ -68,6 +71,8 @@ allow exim_t self:fifo_file rw_fifo_file_perms;
allow exim_t self:unix_stream_socket { accept listen };
allow exim_t self:tcp_socket { accept listen };
+allow exim_t exim_keytab_t:file read_file_perms;
+
append_files_pattern(exim_t, exim_log_t, exim_log_t)
create_files_pattern(exim_t, exim_log_t, exim_log_t)
setattr_files_pattern(exim_t, exim_log_t, exim_log_t)
@@ -188,7 +193,8 @@ optional_policy(`
')
optional_policy(`
- kerberos_keytab_template(exim, exim_t)
+ kerberos_read_keytab(exim_t)
+ kerberos_use(exim_t)
')
optional_policy(`
diff --git a/policy/modules/contrib/ftp.if b/policy/modules/contrib/ftp.if
index d062080..4498143 100644
--- a/policy/modules/contrib/ftp.if
+++ b/policy/modules/contrib/ftp.if
@@ -176,6 +176,7 @@ interface(`ftp_admin',`
type ftpd_etc_t, ftpd_lock_t, sftpd_t;
type ftpd_var_run_t, xferlog_t, anon_sftpd_t;
type ftpd_initrc_exec_t, ftpdctl_tmp_t;
+ type ftpd_keytab_t;
')
allow $1 { ftpd_t ftpdctl_t sftpd_t anon_sftpd }:process { ptrace signal_perms };
@@ -192,7 +193,7 @@ interface(`ftp_admin',`
admin_pattern($1, { ftpd_tmp_t ftpdctl_tmp_t })
files_list_etc($1)
- admin_pattern($1, ftpd_etc_t)
+ admin_pattern($1, { ftpd_etc_t ftpd_keytab_t })
files_list_var($1)
admin_pattern($1, ftpd_lock_t)
diff --git a/policy/modules/contrib/ftp.te b/policy/modules/contrib/ftp.te
index 544c512..36838c2 100644
--- a/policy/modules/contrib/ftp.te
+++ b/policy/modules/contrib/ftp.te
@@ -1,4 +1,4 @@
-policy_module(ftp, 1.15.0)
+policy_module(ftp, 1.15.1)
########################################
#
@@ -124,6 +124,9 @@ files_config_file(ftpd_etc_t)
type ftpd_initrc_exec_t;
init_script_file(ftpd_initrc_exec_t)
+type ftpd_keytab_t;
+files_type(ftpd_keytab_t)
+
type ftpd_lock_t;
files_lock_file(ftpd_lock_t)
@@ -176,6 +179,8 @@ allow ftpd_t self:key manage_key_perms;
allow ftpd_t ftpd_etc_t:file read_file_perms;
+allow ftpd_t ftpd_keytab_t:file read_file_perms;
+
allow ftpd_t ftpd_lock_t:file manage_file_perms;
files_lock_filetrans(ftpd_t, ftpd_lock_t, file)
@@ -359,8 +364,9 @@ optional_policy(`
optional_policy(`
selinux_validate_context(ftpd_t)
- kerberos_keytab_template(ftpd, ftpd_t)
+ kerberos_read_keytab(ftpd_t)
kerberos_tmp_filetrans_host_rcache(ftpd_t, file, "host_0")
+ kerberos_use(ftpd_t)
')
optional_policy(`
diff --git a/policy/modules/contrib/kerberos.if b/policy/modules/contrib/kerberos.if
index f9de9fc..f6c00d8 100644
--- a/policy/modules/contrib/kerberos.if
+++ b/policy/modules/contrib/kerberos.if
@@ -354,22 +354,7 @@ interface(`kerberos_etc_filetrans_keytab',`
## </param>
#
template(`kerberos_keytab_template',`
-
- ########################################
- #
- # Declarations
- #
-
- type $1_keytab_t;
- files_type($1_keytab_t)
-
- ########################################
- #
- # Policy
- #
-
- allow $2 $1_keytab_t:file read_file_perms;
-
+ refpolicywarn(`$0($*) has been deprecated.')
kerberos_read_keytab($2)
kerberos_use($2)
')
diff --git a/policy/modules/contrib/ldap.if b/policy/modules/contrib/ldap.if
index de2508e..7f09b4a 100644
--- a/policy/modules/contrib/ldap.if
+++ b/policy/modules/contrib/ldap.if
@@ -116,7 +116,7 @@ interface(`ldap_admin',`
type slapd_t, slapd_tmp_t, slapd_replog_t;
type slapd_lock_t, slapd_etc_t, slapd_var_run_t;
type slapd_initrc_exec_t, slapd_log_t, slapd_cert_t;
- type slapd_db_t;
+ type slapd_db_t, slapd_keytab_t;
')
allow $1 slapd_t:process { ptrace signal_perms };
@@ -128,7 +128,7 @@ interface(`ldap_admin',`
allow $2 system_r;
files_list_etc($1)
- admin_pattern($1, { slapd_etc_t slapd_db_t slapd_cert_t })
+ admin_pattern($1, { slapd_etc_t slapd_db_t slapd_cert_t slapd_keytab_t })
files_list_locks($1)
admin_pattern($1, slapd_lock_t)
diff --git a/policy/modules/contrib/ldap.te b/policy/modules/contrib/ldap.te
index 71b00f8..131dc88 100644
--- a/policy/modules/contrib/ldap.te
+++ b/policy/modules/contrib/ldap.te
@@ -1,4 +1,4 @@
-policy_module(ldap, 1.11.0)
+policy_module(ldap, 1.11.1)
########################################
#
@@ -21,6 +21,9 @@ files_config_file(slapd_etc_t)
type slapd_initrc_exec_t;
init_script_file(slapd_initrc_exec_t)
+type slapd_keytab_t;
+files_type(slapd_keytab_t)
+
type slapd_lock_t;
files_lock_file(slapd_lock_t)
@@ -60,6 +63,8 @@ manage_lnk_files_pattern(slapd_t, slapd_db_t, slapd_db_t)
allow slapd_t slapd_etc_t:file read_file_perms;
+allow slapd_t slapd_keytab_t:file read_file_perms;
+
allow slapd_t slapd_lock_t:file manage_file_perms;
files_lock_filetrans(slapd_t, slapd_lock_t, file)
@@ -131,11 +136,12 @@ ifdef(`distro_gentoo',`
')
optional_policy(`
- kerberos_keytab_template(slapd, slapd_t)
kerberos_manage_host_rcache(slapd_t)
+ kerberos_read_keytab(slapd_t)
kerberos_tmp_filetrans_host_rcache(slapd_t, file, "ldapmap1_0")
kerberos_tmp_filetrans_host_rcache(slapd_t, file, "ldap_487")
kerberos_tmp_filetrans_host_rcache(slapd_t, file, "ldap_55")
+ kerberos_use(slapd_t)
')
optional_policy(`
diff --git a/policy/modules/contrib/postfix.if b/policy/modules/contrib/postfix.if
index 6e26d71..8e7d1e7 100644
--- a/policy/modules/contrib/postfix.if
+++ b/policy/modules/contrib/postfix.if
@@ -714,6 +714,7 @@ interface(`postfix_admin',`
type postfix_initrc_exec_t, postfix_prng_t, postfix_etc_t;
type postfix_data_t, postfix_var_run_t, postfix_public_t;
type postfix_private_t, postfix_map_tmp_t, postfix_exec_t;
+ type postfix_keytab_t;
')
allow $1 postfix_domain:process { ptrace signal_perms };
@@ -725,7 +726,7 @@ interface(`postfix_admin',`
allow $2 system_r;
files_search_etc($1)
- admin_pattern($1, { postfix_prng_t postfix_etc_t postfix_exec_t })
+ admin_pattern($1, { postfix_prng_t postfix_etc_t postfix_exec_t postfix_keytab_t })
files_search_spool($1)
admin_pattern($1, { postfix_public_t postfix_private_t postfix_spool_type })
diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te
index 0cb7938..dd7259f 100644
--- a/policy/modules/contrib/postfix.te
+++ b/policy/modules/contrib/postfix.te
@@ -1,4 +1,4 @@
-policy_module(postfix, 1.15.0)
+policy_module(postfix, 1.15.1)
########################################
#
@@ -36,6 +36,9 @@ files_config_file(postfix_etc_t)
type postfix_exec_t;
application_executable_file(postfix_exec_t)
+type postfix_keytab_t;
+files_type(postfix_keytab_t)
+
postfix_server_domain_template(local)
mta_mailserver_delivery(postfix_local_t)
@@ -209,6 +212,8 @@ allow postfix_master_t postfix_etc_t:file rw_file_perms;
allow postfix_master_t postfix_data_t:dir manage_dir_perms;
allow postfix_master_t postfix_data_t:file manage_file_perms;
+allow postfix_master_t postfix_keytab_t:file read_file_perms;
+
allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms ioctl lock };
allow postfix_master_t { postfix_postdrop_exec_t postfix_postqueue_exec_t }:file getattr_file_perms;
@@ -314,7 +319,8 @@ optional_policy(`
')
optional_policy(`
- kerberos_keytab_template(postfix, postfix_t)
+ kerberos_read_keytab(postfix_master_t)
+ kerberos_use(postfix_master_t)
')
optional_policy(`
diff --git a/policy/modules/contrib/procmail.te b/policy/modules/contrib/procmail.te
index fbbc398..cc426e6 100644
--- a/policy/modules/contrib/procmail.te
+++ b/policy/modules/contrib/procmail.te
@@ -1,4 +1,4 @@
-policy_module(procmail, 1.13.0)
+policy_module(procmail, 1.13.1)
########################################
#
@@ -122,7 +122,7 @@ optional_policy(`
postfix_read_spool_files(procmail_t)
postfix_read_local_state(procmail_t)
postfix_read_master_state(procmail_t)
- postfix_rw_master_pipes(procmail_t)
+ postfix_rw_inherited_master_pipes(procmail_t)
')
optional_policy(`
diff --git a/policy/modules/contrib/qmail.te b/policy/modules/contrib/qmail.te
index 83cccf9..8742944 100644
--- a/policy/modules/contrib/qmail.te
+++ b/policy/modules/contrib/qmail.te
@@ -1,4 +1,4 @@
-policy_module(qmail, 1.6.0)
+policy_module(qmail, 1.6.1)
########################################
#
@@ -42,6 +42,9 @@ qmail_child_domain_template(qmail_send, qmail_start_t)
qmail_child_domain_template(qmail_smtpd, qmail_tcp_env_t)
qmail_child_domain_template(qmail_splogger, qmail_start_t)
+type qmail_keytab_t;
+files_type(qmail_keytab_t)
+
type qmail_spool_t;
files_type(qmail_spool_t)
@@ -241,6 +244,8 @@ allow qmail_smtpd_t self:process signal_perms;
allow qmail_smtpd_t self:fifo_file write_fifo_file_perms;
allow qmail_smtpd_t self:tcp_socket create_socket_perms;
+allow qmail_smtpd_t qmail_keytab_t:file read_file_perms;
+
allow qmail_smtpd_t qmail_queue_exec_t:file read_file_perms;
dev_read_rand(qmail_smtpd_t)
@@ -253,7 +258,8 @@ optional_policy(`
')
optional_policy(`
- kerberos_keytab_template(qmail, qmail_smtpd_t)
+ kerberos_read_keytab(qmail_smtpd_t)
+ kerberos_use(qmail_smtpd_t)
')
optional_policy(`
diff --git a/policy/modules/contrib/rlogin.te b/policy/modules/contrib/rlogin.te
index 20696cc..5916f81 100644
--- a/policy/modules/contrib/rlogin.te
+++ b/policy/modules/contrib/rlogin.te
@@ -1,4 +1,4 @@
-policy_module(rlogin, 1.11.0)
+policy_module(rlogin, 1.11.1)
########################################
#
@@ -16,6 +16,9 @@ term_login_pty(rlogind_devpts_t)
type rlogind_home_t;
userdom_user_home_content(rlogind_home_t)
+type rlogind_keytab_t;
+files_type(rlogind_keytab_t)
+
type rlogind_tmp_t;
files_tmp_file(rlogind_tmp_t)
@@ -37,6 +40,8 @@ term_create_pty(rlogind_t, rlogind_devpts_t)
allow rlogind_t rlogind_home_t:file read_file_perms;
+allow rlogind_t rlogind_keytab_t:file read_file_perms;
+
manage_dirs_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t)
manage_files_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t)
files_tmp_filetrans(rlogind_t, rlogind_tmp_t, { dir file })
@@ -98,9 +103,10 @@ tunable_policy(`use_samba_home_dirs',`
')
optional_policy(`
- kerberos_keytab_template(rlogind, rlogind_t)
+ kerberos_read_keytab(rlogind_t)
kerberos_tmp_filetrans_host_rcache(rlogind_t, file, "host_0")
kerberos_manage_host_rcache(rlogind_t)
+ kerberos_use(rlogind_t)
')
optional_policy(`
diff --git a/policy/modules/contrib/rpc.if b/policy/modules/contrib/rpc.if
index 07f5eb0..157afd9 100644
--- a/policy/modules/contrib/rpc.if
+++ b/policy/modules/contrib/rpc.if
@@ -394,7 +394,7 @@ interface(`rpc_admin',`
attribute rpc_domain;
type nfsd_initrc_exec_t, rpcd_initrc_exec_t, exports_t;
type var_lib_nfs_t, rpcd_var_run_t, gssd_tmp_t;
- type nfsd_ro_t, nfsd_rw_t;
+ type nfsd_ro_t, nfsd_rw_t, gssd_keytab_t;
')
allow $1 rpc_domain:process { ptrace signal_perms };
@@ -406,7 +406,7 @@ interface(`rpc_admin',`
allow $2 system_r;
files_list_etc($1)
- admin_pattern($1, exports_t)
+ admin_pattern($1, { gssd_keytab_t exports_t })
files_list_var_lib($1)
admin_pattern($1, var_lib_nfs_t)
diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
index 1e6b44d..a8de8bd 100644
--- a/policy/modules/contrib/rpc.te
+++ b/policy/modules/contrib/rpc.te
@@ -1,4 +1,4 @@
-policy_module(rpc, 1.15.0)
+policy_module(rpc, 1.15.1)
########################################
#
@@ -30,6 +30,9 @@ files_config_file(exports_t)
rpc_domain_template(gssd)
+type gssd_keytab_t;
+files_type(gssd_keytab_t)
+
type gssd_tmp_t;
files_tmp_file(gssd_tmp_t)
@@ -271,6 +274,8 @@ allow gssd_t self:capability { dac_override dac_read_search setuid sys_nice };
allow gssd_t self:process { getsched setsched };
allow gssd_t self:fifo_file rw_fifo_file_perms;
+allow gssd_t gssd_keytab_t:file read_file_perms;
+
manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
@@ -309,9 +314,10 @@ optional_policy(`
')
optional_policy(`
- kerberos_keytab_template(gssd, gssd_t)
kerberos_manage_host_rcache(gssd_t)
+ kerberos_read_keytab(gssd_t)
kerberos_tmp_filetrans_host_rcache(gssd_t, file, "nfs_0")
+ kerberos_use(gssd_t)
')
optional_policy(`
diff --git a/policy/modules/contrib/rshd.te b/policy/modules/contrib/rshd.te
index 575e3e3..864e089 100644
--- a/policy/modules/contrib/rshd.te
+++ b/policy/modules/contrib/rshd.te
@@ -1,4 +1,4 @@
-policy_module(rshd, 1.8.0)
+policy_module(rshd, 1.8.1)
########################################
#
@@ -10,6 +10,9 @@ type rshd_exec_t;
auth_login_pgm_domain(rshd_t)
inetd_tcp_service_domain(rshd_t, rshd_exec_t)
+type rshd_keytab_t;
+files_type(rshd_keytab_t)
+
########################################
#
# Local policy
@@ -20,6 +23,8 @@ allow rshd_t self:process { signal_perms setsched setpgid setexec };
allow rshd_t self:fifo_file rw_fifo_file_perms;
allow rshd_t self:tcp_socket create_stream_socket_perms;
+allow rshd_t rshd_keytab_t:file read_file_perms;
+
kernel_read_kernel_sysctls(rshd_t)
corenet_all_recvfrom_unlabeled(rshd_t)
@@ -54,9 +59,10 @@ tunable_policy(`use_samba_home_dirs',`
')
optional_policy(`
- kerberos_keytab_template(rshd, rshd_t)
kerberos_manage_host_rcache(rshd_t)
+ kerberos_read_keytab(rshd_t)
kerberos_tmp_filetrans_host_rcache(rshd_t, file, "host_0")
+ kerberos_use(rshd_t)
')
optional_policy(`
diff --git a/policy/modules/contrib/samba.if b/policy/modules/contrib/samba.if
index aee75af..50d07fb 100644
--- a/policy/modules/contrib/samba.if
+++ b/policy/modules/contrib/samba.if
@@ -689,6 +689,7 @@ interface(`samba_admin',`
type samba_etc_t, samba_share_t, samba_initrc_exec_t;
type swat_var_run_t, swat_tmp_t, winbind_log_t;
type winbind_var_run_t, winbind_tmp_t;
+ type smbd_keytab_t;
')
allow $1 { nmbd_t smbd_t }:process { ptrace signal_perms };
@@ -700,7 +701,7 @@ interface(`samba_admin',`
allow $2 system_r;
files_list_etc($1)
- admin_pattern($1, samba_etc_t)
+ admin_pattern($1, { samba_etc_t smbd_keytab_t })
logging_list_logs($1)
admin_pattern($1, { samba_log_t winbind_log_t })
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
index 54b89a6..98daaef 100644
--- a/policy/modules/contrib/samba.te
+++ b/policy/modules/contrib/samba.te
@@ -1,4 +1,4 @@
-policy_module(samba, 1.16.0)
+policy_module(samba, 1.16.1)
#################################
#
@@ -142,6 +142,9 @@ type smbd_t;
type smbd_exec_t;
init_daemon_domain(smbd_t, smbd_exec_t)
+type smbd_keytab_t;
+files_type(smbd_keytab_t)
+
type smbd_tmp_t;
files_tmp_file(smbd_tmp_t)
@@ -271,6 +274,8 @@ allow smbd_t { swat_t winbind_t smbcontrol_t nmbd_t }:process { signal signull }
allow smbd_t samba_etc_t:file { rw_file_perms setattr_file_perms };
+allow smbd_t smbd_keytab_t:file read_file_perms;
+
manage_dirs_pattern(smbd_t, samba_log_t, samba_log_t)
append_files_pattern(smbd_t, samba_log_t, samba_log_t)
create_files_pattern(smbd_t, samba_log_t, samba_log_t)
@@ -468,8 +473,8 @@ optional_policy(`
')
optional_policy(`
+ kerberos_read_keytab(smbd_t)
kerberos_use(smbd_t)
- kerberos_keytab_template(smbd, smbd_t)
')
optional_policy(`
diff --git a/policy/modules/contrib/sasl.if b/policy/modules/contrib/sasl.if
index b2f388a..8c3c151 100644
--- a/policy/modules/contrib/sasl.if
+++ b/policy/modules/contrib/sasl.if
@@ -39,6 +39,7 @@ interface(`sasl_connect',`
interface(`sasl_admin',`
gen_require(`
type saslauthd_t, saslauthd_var_run_t, saslauthd_initrc_exec_t;
+ type saslauthd_keytab_t;
')
allow $1 saslauthd_t:process { ptrace signal_perms };
@@ -49,6 +50,9 @@ interface(`sasl_admin',`
role_transition $2 saslauthd_initrc_exec_t system_r;
allow $2 system_r;
+ files_list_etc($1)
+ admin_pattern($1, saslauthd_keytab_t)
+
files_list_pids($1)
admin_pattern($1, saslauthd_var_run_t)
')
diff --git a/policy/modules/contrib/sasl.te b/policy/modules/contrib/sasl.te
index 20ebffb..6c3bc20 100644
--- a/policy/modules/contrib/sasl.te
+++ b/policy/modules/contrib/sasl.te
@@ -1,4 +1,4 @@
-policy_module(sasl, 1.15.0)
+policy_module(sasl, 1.15.1)
########################################
#
@@ -20,6 +20,9 @@ init_daemon_domain(saslauthd_t, saslauthd_exec_t)
type saslauthd_initrc_exec_t;
init_script_file(saslauthd_initrc_exec_t)
+type saslauthd_keytab_t;
+files_type(saslauthd_keytab_t)
+
type saslauthd_var_run_t;
files_pid_file(saslauthd_var_run_t)
@@ -34,6 +37,8 @@ allow saslauthd_t self:process { setsched signal_perms };
allow saslauthd_t self:fifo_file rw_fifo_file_perms;
allow saslauthd_t self:unix_stream_socket { accept listen };
+allow saslauthd_t saslauthd_keytab_t:file read_file_perms;
+
manage_dirs_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)
manage_files_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)
manage_sock_files_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)
@@ -92,9 +97,10 @@ tunable_policy(`allow_saslauthd_read_shadow',`
')
optional_policy(`
- kerberos_keytab_template(saslauthd, saslauthd_t)
+ kerberos_read_keytab(saslauthd_t)
kerberos_manage_host_rcache(saslauthd_t)
kerberos_tmp_filetrans_host_rcache(saslauthd_t, file, "host_0")
+ kerberos_use(saslauthd_t)
')
optional_policy(`
diff --git a/policy/modules/contrib/sendmail.if b/policy/modules/contrib/sendmail.if
index 88e753f..35ad2a7 100644
--- a/policy/modules/contrib/sendmail.if
+++ b/policy/modules/contrib/sendmail.if
@@ -354,6 +354,7 @@ interface(`sendmail_admin',`
gen_require(`
type sendmail_t, sendmail_initrc_exec_t, sendmail_log_t;
type sendmail_tmp_t, sendmail_var_run_t, unconfined_sendmail_t;
+ type sendmail_keytab_t;
')
allow $1 { unconfined_sendmail_t sendmail_t }:process { ptrace signal_perms };
@@ -363,6 +364,9 @@ interface(`sendmail_admin',`
domain_system_change_exemption($1)
role_transition $2 sendmail_initrc_exec_t system_r;
+ files_list_etc($1)
+ admin_pattern($1, sendmail_keytab_t)
+
logging_list_logs($1)
admin_pattern($1, sendmail_log_t)
diff --git a/policy/modules/contrib/sendmail.te b/policy/modules/contrib/sendmail.te
index 320db21..12700b4 100644
--- a/policy/modules/contrib/sendmail.te
+++ b/policy/modules/contrib/sendmail.te
@@ -1,4 +1,4 @@
-policy_module(sendmail, 1.12.0)
+policy_module(sendmail, 1.12.1)
########################################
#
@@ -13,6 +13,9 @@ roleattribute system_r sendmail_unconfined_roles;
type sendmail_initrc_exec_t;
init_script_file(sendmail_initrc_exec_t)
+type sendmail_keytab_t;
+files_type(sendmail_keytab_t)
+
type sendmail_log_t;
logging_log_file(sendmail_log_t)
@@ -43,6 +46,8 @@ allow sendmail_t self:fifo_file rw_fifo_file_perms;
allow sendmail_t self:unix_stream_socket { accept listen };
allow sendmail_t self:tcp_socket { accept listen };
+allow sendmail_t sendmail_keytab_t:file read_file_perms;
+
allow sendmail_t sendmail_log_t:dir setattr_dir_perms;
append_files_pattern(sendmail_t, sendmail_log_t, sendmail_log_t)
create_files_pattern(sendmail_t, sendmail_log_t, sendmail_log_t)
@@ -154,7 +159,8 @@ optional_policy(`
')
optional_policy(`
- kerberos_keytab_template(sendmail, sendmail_t)
+ kerberos_read_keytab(sendmail_t)
+ kerberos_use(sendmail_t)
')
optional_policy(`
diff --git a/policy/modules/contrib/spamassassin.te b/policy/modules/contrib/spamassassin.te
index 02fba54..cc58e35 100644
--- a/policy/modules/contrib/spamassassin.te
+++ b/policy/modules/contrib/spamassassin.te
@@ -1,4 +1,4 @@
-policy_module(spamassassin, 2.6.0)
+policy_module(spamassassin, 2.6.1)
########################################
#
@@ -262,7 +262,7 @@ optional_policy(`
postfix_domtrans_postdrop(spamc_t)
postfix_search_spool(spamc_t)
postfix_rw_local_pipes(spamc_t)
- postfix_rw_master_pipes(spamc_t)
+ postfix_rw_inherited_master_pipes(spamc_t)
')
########################################
diff --git a/policy/modules/contrib/telnet.te b/policy/modules/contrib/telnet.te
index b9e2061..bcef8b5 100644
--- a/policy/modules/contrib/telnet.te
+++ b/policy/modules/contrib/telnet.te
@@ -1,4 +1,4 @@
-policy_module(telnet, 1.11.0)
+policy_module(telnet, 1.11.1)
########################################
#
@@ -12,6 +12,9 @@ inetd_service_domain(telnetd_t, telnetd_exec_t)
type telnetd_devpts_t;
term_login_pty(telnetd_devpts_t)
+type telnetd_keytab_t;
+files_type(telnetd_keytab_t)
+
type telnetd_tmp_t;
files_tmp_file(telnetd_tmp_t)
@@ -30,6 +33,8 @@ allow telnetd_t self:fifo_file rw_fifo_file_perms;
allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
term_create_pty(telnetd_t, telnetd_devpts_t)
+allow telnetd_t telnetd_keytab_t:file read_file_perms;
+
manage_dirs_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t)
manage_files_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t)
files_tmp_filetrans(telnetd_t, telnetd_tmp_t, { file dir })
@@ -85,9 +90,10 @@ tunable_policy(`use_samba_home_dirs',`
')
optional_policy(`
- kerberos_keytab_template(telnetd, telnetd_t)
+ kerberos_read_keytab(telnetd_t)
kerberos_tmp_filetrans_host_rcache(telnetd_t, file, "host_0")
kerberos_manage_host_rcache(telnetd_t)
+ kerberos_use(telnetd_t)
')
optional_policy(`
diff --git a/policy/modules/contrib/virt.if b/policy/modules/contrib/virt.if
index e30a42e..c8bc302 100644
--- a/policy/modules/contrib/virt.if
+++ b/policy/modules/contrib/virt.if
@@ -1148,7 +1148,7 @@ interface(`virt_admin',`
type virt_bridgehelper_t, virt_qmf_t, virt_var_lib_t;
type virt_var_run_t, virt_tmp_t, virt_log_t;
type virt_lock_t, svirt_var_run_t, virt_etc_rw_t;
- type virt_etc_t, svirt_cache_t;
+ type virt_etc_t, svirt_cache_t, virtd_keytab_t;
')
allow $1 { virt_domain svirt_lxc_domain virtd_t }:process { ptrace signal_perms };
@@ -1168,7 +1168,7 @@ interface(`virt_admin',`
admin_pattern($1, { virt_tmp_type virt_tmp_t })
files_search_etc($1)
- admin_pattern($1, { virt_etc_t virt_etc_rw_t })
+ admin_pattern($1, { virt_etc_t virt_etc_rw_t virtd_keytab_t })
logging_search_logs($1)
admin_pattern($1, virt_log_t)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 9230f0d..f2916f7 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1,4 +1,4 @@
-policy_module(virt, 1.7.0)
+policy_module(virt, 1.7.1)
########################################
#
@@ -142,6 +142,9 @@ domain_subj_id_change_exemption(virtd_t)
type virtd_initrc_exec_t;
init_script_file(virtd_initrc_exec_t)
+type virtd_keytab_t;
+files_type(virtd_keytab_t)
+
ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
')
@@ -438,6 +441,8 @@ manage_dirs_pattern(virtd_t, virt_content_t, virt_content_t)
manage_files_pattern(virtd_t, virt_content_t, virt_content_t)
filetrans_pattern(virtd_t, virt_home_t, virt_content_t, dir, "isos")
+allow virtd_t virtd_keytab_t:file read_file_perms;
+
allow virtd_t svirt_var_run_t:file relabel_file_perms;
manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
@@ -700,7 +705,8 @@ optional_policy(`
')
optional_policy(`
- kerberos_keytab_template(virtd, virtd_t)
+ kerberos_read_keytab(virtd_t)
+ kerberos_use(virtd_t)
')
optional_policy(`
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-08-16 10:45 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-08-16 10:45 UTC (permalink / raw
To: gentoo-commits
commit: 35760a038313754248d3049d7f187cf9a4f400db
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Aug 16 10:44:36 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Aug 16 10:44:36 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=35760a03
Creating XDG directories also implies creating the master XDG directories
---
policy/modules/contrib/xdg.if | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/policy/modules/contrib/xdg.if b/policy/modules/contrib/xdg.if
index 8d508bd..2bf63c9 100644
--- a/policy/modules/contrib/xdg.if
+++ b/policy/modules/contrib/xdg.if
@@ -159,6 +159,9 @@ interface(`xdg_cache_home_filetrans',`
userdom_search_user_home_dirs($1)
filetrans_pattern($1, xdg_cache_home_t, $2, $3, $4)
+
+ xdg_create_cache_home_dirs($1)
+ xdg_generic_user_home_dir_filetrans_cache_home($1, dir, ".cache")
')
########################################
@@ -400,6 +403,10 @@ interface(`xdg_config_home_filetrans',`
userdom_search_user_home_dirs($1)
filetrans_pattern($1, xdg_config_home_t, $2, $3, $4)
+
+ xdg_create_config_home_dirs($1)
+ xdg_generic_user_home_dir_filetrans_config_home($1, dir, ".config")
+
')
########################################
@@ -621,6 +628,9 @@ interface(`xdg_data_home_filetrans',`
userdom_search_user_home_dirs($1)
filetrans_pattern($1, xdg_data_home_t, $2, $3, $4)
+
+ xdg_create_data_home_dirs($1)
+ xdg_generic_user_home_dir_filetrans_data_home($1, dir, ".local")
')
########################################
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-08-16 10:45 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-08-16 10:45 UTC (permalink / raw
To: gentoo-commits
commit: 2c19e825150dda902062723f45bb74fee6e32544
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Aug 16 07:59:27 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Aug 16 07:59:27 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=2c19e825
Whitespace fixes
---
policy/modules/contrib/mutt.if | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/policy/modules/contrib/mutt.if b/policy/modules/contrib/mutt.if
index 5327f86..eabe82e 100644
--- a/policy/modules/contrib/mutt.if
+++ b/policy/modules/contrib/mutt.if
@@ -24,18 +24,18 @@ interface(`mutt_role',`
role $1 types mutt_t;
domtrans_pattern($2, mutt_exec_t, mutt_t)
-
+
allow $2 mutt_t:process { ptrace signal_perms };
manage_dirs_pattern($2, mutt_home_t, mutt_home_t)
manage_files_pattern($2, mutt_home_t, mutt_home_t)
-
+
manage_dirs_pattern($2, mutt_conf_t, mutt_conf_t)
manage_files_pattern($2, mutt_conf_t, mutt_conf_t)
relabel_dirs_pattern($2, mutt_home_t, mutt_home_t)
relabel_files_pattern($2, mutt_home_t, mutt_home_t)
-
+
relabel_dirs_pattern($2, mutt_conf_t, mutt_conf_t)
relabel_files_pattern($2, mutt_conf_t, mutt_conf_t)
@@ -47,7 +47,7 @@ interface(`mutt_role',`
#######################################
## <summary>
-## Allow other domains to read mutt's home files
+## Allow other domains to read mutt's home files
## </summary>
## <param name="domain">
## <summary>
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-08-16 10:45 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-08-16 10:45 UTC (permalink / raw
To: gentoo-commits
commit: 239dd07650ca1a23a6adffd815c716a8e5fbe73f
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Aug 16 07:43:19 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Aug 16 07:43:19 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=239dd076
Move to distro_gentoo (man always forget this)
---
policy/modules/contrib/dnsmasq.te | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/dnsmasq.te b/policy/modules/contrib/dnsmasq.te
index f88f752..66aa6d7 100644
--- a/policy/modules/contrib/dnsmasq.te
+++ b/policy/modules/contrib/dnsmasq.te
@@ -53,7 +53,6 @@ files_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file })
kernel_read_kernel_sysctls(dnsmasq_t)
kernel_read_network_state(dnsmasq_t)
-kernel_read_net_sysctls(dnsmasq_t)
kernel_read_system_state(dnsmasq_t)
kernel_request_load_module(dnsmasq_t)
@@ -128,3 +127,13 @@ optional_policy(`
virt_read_pid_files(dnsmasq_t)
virt_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file })
')
+
+ifdef(`distro_gentoo',`
+ ####################################
+ #
+ # dnsmasq_t policy
+ #
+
+
+ kernel_read_net_sysctls(dnsmasq_t)
+')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-08-16 10:45 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-08-16 10:45 UTC (permalink / raw
To: gentoo-commits
commit: a2c39466f3785a931b319605f076e22acd2a3f6d
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Aug 16 07:59:02 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Aug 16 07:59:02 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=a2c39466
Logging of mutt through sasl2
When build with sasl2 support, mutt will send logging to the system log.
---
policy/modules/contrib/mutt.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/contrib/mutt.te b/policy/modules/contrib/mutt.te
index ea4aecc..f6d3489 100644
--- a/policy/modules/contrib/mutt.te
+++ b/policy/modules/contrib/mutt.te
@@ -72,6 +72,8 @@ files_read_usr_files(mutt_t)
auth_use_nsswitch(mutt_t)
+logging_send_syslog_msg(mutt_t)
+
miscfiles_read_localization(mutt_t)
userdom_search_user_home_content(mutt_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-08-16 7:38 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-08-16 7:38 UTC (permalink / raw
To: gentoo-commits
commit: 444a58e7c37def0425c75a8a75e02cfd017fc730
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Aug 16 07:32:43 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Aug 16 07:32:43 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=444a58e7
dnsmasq reads mtu sysctl
In src/radv.c, dnsmasq reads in the value of /proc/sys/net/ipv6/conf/*/mtu.
---
policy/modules/contrib/dnsmasq.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/dnsmasq.te b/policy/modules/contrib/dnsmasq.te
index 37a3b7b..f88f752 100644
--- a/policy/modules/contrib/dnsmasq.te
+++ b/policy/modules/contrib/dnsmasq.te
@@ -53,6 +53,7 @@ files_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file })
kernel_read_kernel_sysctls(dnsmasq_t)
kernel_read_network_state(dnsmasq_t)
+kernel_read_net_sysctls(dnsmasq_t)
kernel_read_system_state(dnsmasq_t)
kernel_request_load_module(dnsmasq_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-08-16 6:35 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-08-16 6:35 UTC (permalink / raw
To: gentoo-commits
commit: 7011814d436c2aa95de7fa62d699f921067be5b8
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Aug 16 06:31:48 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Aug 16 06:31:48 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=7011814d
Merge main
---
policy/modules/contrib/screen.fc | 4 ----
1 file changed, 4 deletions(-)
diff --git a/policy/modules/contrib/screen.fc b/policy/modules/contrib/screen.fc
index d5fb7d5..e7c2cf7 100644
--- a/policy/modules/contrib/screen.fc
+++ b/policy/modules/contrib/screen.fc
@@ -7,7 +7,3 @@ HOME_DIR/\.tmux\.conf -- gen_context(system_u:object_r:screen_home_t,s0)
/var/run/screen(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0)
/var/run/tmux(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0)
-
-ifdef(`distro_gentoo',`
-HOME_DIR/\.tmux\.conf -- gen_context(system_u:object_r:screen_home_t,s0)
-')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-08-15 18:33 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-08-15 18:33 UTC (permalink / raw
To: gentoo-commits
commit: eadc40007ed25c93eb07a3036f4ae67deeaa279d
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Aug 15 18:07:21 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Aug 15 18:07:21 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=eadc4000
Merged with main
---
policy/modules/contrib/asterisk.if | 4 ----
1 file changed, 4 deletions(-)
diff --git a/policy/modules/contrib/asterisk.if b/policy/modules/contrib/asterisk.if
index 57e3b8e..2077053 100644
--- a/policy/modules/contrib/asterisk.if
+++ b/policy/modules/contrib/asterisk.if
@@ -151,8 +151,4 @@ interface(`asterisk_admin',`
files_list_pids($1)
admin_pattern($1, asterisk_var_run_t)
-
- ifdef(`distro_gentoo',`
- asterisk_exec($1)
- ')
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-08-15 7:35 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-08-15 7:35 UTC (permalink / raw
To: gentoo-commits
commit: a80540439b1794446089ce3da86f257cdfb9f8d8
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Aug 15 07:33:53 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Aug 15 07:33:53 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=a8054043
Improve style
---
policy/modules/contrib/googletalk.te | 24 ++++++++++++------------
1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/policy/modules/contrib/googletalk.te b/policy/modules/contrib/googletalk.te
index 78074ff..c61f13b 100644
--- a/policy/modules/contrib/googletalk.te
+++ b/policy/modules/contrib/googletalk.te
@@ -38,18 +38,6 @@ manage_files_pattern(googletalk_plugin_t, googletalk_plugin_xdg_config_t, google
kernel_read_system_state(googletalk_plugin_t)
-dev_getattr_all_blk_files(googletalk_plugin_t)
-dev_getattr_all_chr_files(googletalk_plugin_t)
-dev_read_sound(googletalk_plugin_t)
-dev_read_video_dev(googletalk_plugin_t)
-dev_search_sysfs(googletalk_plugin_t)
-dev_write_sound(googletalk_plugin_t)
-dev_write_video_dev(googletalk_plugin_t)
-
-sysnet_read_config(googletalk_plugin_t)
-
-term_dontaudit_getattr_unallocated_ttys(googletalk_plugin_t)
-
corecmd_exec_bin(googletalk_plugin_t)
corecmd_exec_shell(googletalk_plugin_t)
@@ -59,6 +47,14 @@ corenet_tcp_sendrecv_generic_node(googletalk_plugin_t)
corenet_udp_bind_generic_node(googletalk_plugin_t)
+dev_getattr_all_blk_files(googletalk_plugin_t)
+dev_getattr_all_chr_files(googletalk_plugin_t)
+dev_read_sound(googletalk_plugin_t)
+dev_read_video_dev(googletalk_plugin_t)
+dev_search_sysfs(googletalk_plugin_t)
+dev_write_sound(googletalk_plugin_t)
+dev_write_video_dev(googletalk_plugin_t)
+
# It runs find in /etc to find any release file for knowing the distribution it
# runs on. Yes, great isnt it...
files_dontaudit_getattr_all_dirs(googletalk_plugin_t)
@@ -67,10 +63,14 @@ files_read_usr_files(googletalk_plugin_t)
fs_getattr_tmpfs(googletalk_plugin_t)
+term_dontaudit_getattr_unallocated_ttys(googletalk_plugin_t)
+
logging_send_syslog_msg(googletalk_plugin_t)
miscfiles_read_localization(googletalk_plugin_t)
+sysnet_read_config(googletalk_plugin_t)
+
userdom_search_user_home_content(googletalk_plugin_t)
googletalk_generic_xdg_config_home_filetrans_plugin_xdg_config(googletalk_plugin_t, dir, "google-googletalkplugin")
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-08-15 7:32 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-08-15 7:32 UTC (permalink / raw
To: gentoo-commits
commit: 85a8a053c652b0b8e5d3e684d18d43c0f43b447b
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Aug 15 07:31:19 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Aug 15 07:31:19 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=85a8a053
GoogleTalk reads in resolv.conf and hosts file
---
policy/modules/contrib/googletalk.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/contrib/googletalk.te b/policy/modules/contrib/googletalk.te
index 6f0910b..78074ff 100644
--- a/policy/modules/contrib/googletalk.te
+++ b/policy/modules/contrib/googletalk.te
@@ -46,6 +46,8 @@ dev_search_sysfs(googletalk_plugin_t)
dev_write_sound(googletalk_plugin_t)
dev_write_video_dev(googletalk_plugin_t)
+sysnet_read_config(googletalk_plugin_t)
+
term_dontaudit_getattr_unallocated_ttys(googletalk_plugin_t)
corecmd_exec_bin(googletalk_plugin_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-07-23 12:02 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-07-23 12:02 UTC (permalink / raw
To: gentoo-commits
commit: 046f5c097799a259c26be52392e57341755badcf
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Jul 10 18:14:00 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Jul 10 18:14:00 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=046f5c09
Fix immediate disconnect
When trying to setup a hangout (video conference), hangout immediately
disconnects with the message that something has occurred that prevented it from
continuing. In the audit logs, we notice that two related processes (same
googletalk_plugin_t context) want to signal each other.
After allowing this, the hangout succeeded.
---
policy/modules/contrib/googletalk.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/googletalk.te b/policy/modules/contrib/googletalk.te
index 1cf8597..6f0910b 100644
--- a/policy/modules/contrib/googletalk.te
+++ b/policy/modules/contrib/googletalk.te
@@ -18,6 +18,7 @@ xdg_config_home_content(googletalk_plugin_xdg_config_t)
# Google talk plugin policy
#
+allow googletalk_plugin_t self:process signal;
allow googletalk_plugin_t self:fifo_file rw_fifo_file_perms;
allow googletalk_plugin_t self:netlink_kobject_uevent_socket create_socket_perms;
allow googletalk_plugin_t self:netlink_route_socket create_netlink_socket_perms;
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-06-24 20:46 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-06-24 20:46 UTC (permalink / raw
To: gentoo-commits
commit: d9ca2e3eaae36da96fb97aa9873c96b8c7530453
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon Jun 24 20:44:37 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Jun 24 20:44:37 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=d9ca2e3e
New hangouts use UDP for video
---
policy/modules/contrib/googletalk.te | 3 +++
1 file changed, 3 insertions(+)
diff --git a/policy/modules/contrib/googletalk.te b/policy/modules/contrib/googletalk.te
index 8e0ee6a..1cf8597 100644
--- a/policy/modules/contrib/googletalk.te
+++ b/policy/modules/contrib/googletalk.te
@@ -22,6 +22,7 @@ allow googletalk_plugin_t self:fifo_file rw_fifo_file_perms;
allow googletalk_plugin_t self:netlink_kobject_uevent_socket create_socket_perms;
allow googletalk_plugin_t self:netlink_route_socket create_netlink_socket_perms;
allow googletalk_plugin_t self:tcp_socket create_stream_socket_perms;
+allow googletalk_plugin_t self:udp_socket create_socket_perms;
allow googletalk_plugin_t self:unix_stream_socket create_stream_socket_perms;
manage_files_pattern(googletalk_plugin_t, googletalk_plugin_tmp_t, googletalk_plugin_tmp_t)
@@ -53,6 +54,8 @@ corenet_tcp_bind_generic_node(googletalk_plugin_t)
corenet_tcp_sendrecv_generic_if(googletalk_plugin_t)
corenet_tcp_sendrecv_generic_node(googletalk_plugin_t)
+corenet_udp_bind_generic_node(googletalk_plugin_t)
+
# It runs find in /etc to find any release file for knowing the distribution it
# runs on. Yes, great isnt it...
files_dontaudit_getattr_all_dirs(googletalk_plugin_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-06-22 19:35 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-06-22 19:35 UTC (permalink / raw
To: gentoo-commits
commit: 599135d648102117fc5756f900c855b69b61d2ec
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Jun 22 19:33:10 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Jun 22 19:33:10 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=599135d6
Fix bug 471908 - Add support for xdg cache in mozilla
The firefox browser seems to use/support ~/.cache/mozilla now, so we add in a
mozilla_xdg_cache_t type with the proper permissions surrounding it for this
purpose.
---
policy/modules/contrib/mozilla.fc | 1 +
policy/modules/contrib/mozilla.te | 7 +++++++
2 files changed, 8 insertions(+)
diff --git a/policy/modules/contrib/mozilla.fc b/policy/modules/contrib/mozilla.fc
index 9e74bfa..54e1ba4 100644
--- a/policy/modules/contrib/mozilla.fc
+++ b/policy/modules/contrib/mozilla.fc
@@ -1,3 +1,4 @@
+HOME_DIR/\.cache/mozilla(/.*)? gen_context(system_u:object_r:mozilla_xdg_cache_t,s0)
HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
HOME_DIR/\.mozilla/plugins(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
index 3255a31..aedcc00 100644
--- a/policy/modules/contrib/mozilla.te
+++ b/policy/modules/contrib/mozilla.te
@@ -624,6 +624,9 @@ gen_tunable(mozilla_bind_all_unreserved_ports, false)
## </desc>
gen_tunable(mozilla_plugin_connect_all_unreserved, false)
+ type mozilla_xdg_cache_t;
+ xdg_cache_home_content(mozilla_xdg_cache_t)
+
#####################
#
# Mozilla policy
@@ -634,6 +637,10 @@ gen_tunable(mozilla_plugin_connect_all_unreserved, false)
manage_fifo_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
+ manage_files_pattern(mozilla_t, mozilla_xdg_cache_t, mozilla_xdg_cache_t)
+ manage_dirs_pattern(mozilla_t, mozilla_xdg_cache_t, mozilla_xdg_cache_t)
+ xdg_cache_home_filetrans(mozilla_t, mozilla_xdg_cache_t, dir, "mozilla")
+
corenet_dontaudit_tcp_bind_generic_port(mozilla_t)
corenet_dontaudit_tcp_sendrecv_generic_port(mozilla_t)
corenet_sendrecv_tor_client_packets(mozilla_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-06-22 19:00 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-06-22 19:00 UTC (permalink / raw
To: gentoo-commits
commit: fd371b8defdc62ebe7d0bfd71c8ef5fd6747b37a
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Jun 22 18:57:06 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Jun 22 18:57:06 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=fd371b8d
Fix bug 469894 - Update nginx tmp location
The temporary files location for nginx has been moved towards
/var/lib/nginx/tmp, so update the contexts accordingly.
Kept old one in for backwards compatibility.
---
policy/modules/contrib/nginx.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/nginx.fc b/policy/modules/contrib/nginx.fc
index 8a1cc51..62f1262 100644
--- a/policy/modules/contrib/nginx.fc
+++ b/policy/modules/contrib/nginx.fc
@@ -59,5 +59,6 @@
#
# /var
#
+/var/lib/nginx/tmp(/.*)? gen_context(system_u:object_r:nginx_tmp_t,s0)
/var/log/nginx(/.*)? gen_context(system_u:object_r:nginx_log_t,s0)
/var/tmp/nginx(/.*)? gen_context(system_u:object_r:nginx_tmp_t,s0)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-06-10 18:32 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-06-10 18:32 UTC (permalink / raw
To: gentoo-commits
commit: 053920e766254ae4a6bce6de061204726d4f8824
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon Jun 10 18:30:23 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Jun 10 18:30:23 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=053920e7
Fix bug #472902 - Skype startup failures fixed
Skype requires execmod rights on its executable. Also, the application seems to
be going through the installed certificates, so grant it read rights on the
generic certificate stores.
---
policy/modules/contrib/skype.te | 3 +++
1 file changed, 3 insertions(+)
diff --git a/policy/modules/contrib/skype.te b/policy/modules/contrib/skype.te
index 9d2e9db..6b4ca34 100644
--- a/policy/modules/contrib/skype.te
+++ b/policy/modules/contrib/skype.te
@@ -41,6 +41,8 @@ allow skype_t self:unix_stream_socket create_socket_perms;
allow skype_t self:sem create_sem_perms;
allow skype_t self:tcp_socket create_stream_socket_perms;
+allow skype_t skype_exec_t:file execmod;
+
# Allow skype to work with its ~/.skype location
manage_dirs_pattern(skype_t, skype_home_t, skype_home_t)
manage_files_pattern(skype_t, skype_home_t, skype_home_t)
@@ -96,6 +98,7 @@ fs_dontaudit_getattr_xattr_fs(skype_t)
auth_use_nsswitch(skype_t)
miscfiles_dontaudit_setattr_fonts_dirs(skype_t)
+miscfiles_read_generic_certs(skype_t)
miscfiles_read_localization(skype_t)
userdom_dontaudit_use_user_ttys(skype_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-05-31 13:48 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-05-31 13:48 UTC (permalink / raw
To: gentoo-commits
commit: 6d774b8027272fe731e2f2ebc892b9ab6b4ab5c4
Author: James Carter <jwcart2 <AT> tycho <DOT> nsa <DOT> gov>
AuthorDate: Fri May 17 14:44:58 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri May 31 13:46:54 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=6d774b80
- Fixed typo in contrib/mailscanner.if
Added missing ")" for macro call in mailscanner.if.
Signed-off-by: James Carter <jwcart2 <AT> tycho.nsa.gov>
---
policy/modules/contrib/mailscanner.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/mailscanner.if b/policy/modules/contrib/mailscanner.if
index 0293f34..214cb44 100644
--- a/policy/modules/contrib/mailscanner.if
+++ b/policy/modules/contrib/mailscanner.if
@@ -55,7 +55,7 @@ interface(`mscan_admin',`
files_search_etc($1)
admin_pattern($1, mscan_etc_t)
- files_search_pids($1
+ files_search_pids($1)
admin_pattern($1, mscan_var_run_t)
files_search_spool($1)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-05-31 13:48 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-05-31 13:48 UTC (permalink / raw
To: gentoo-commits
commit: ec5b3f15161bd3cd8b9972217b0ad004650a09dc
Author: James Carter <jwcart2 <AT> tycho <DOT> nsa <DOT> gov>
AuthorDate: Fri May 17 14:45:12 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri May 31 13:47:01 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ec5b3f15
- Fixed typo in contrib/rpm.if.
Added missing ")" for macro call in rpm.if.
Signed-off-by: James Carter <jwcart2 <AT> tycho.nsa.gov>
---
policy/modules/contrib/rpm.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/rpm.if b/policy/modules/contrib/rpm.if
index 0628d50..ef3b225 100644
--- a/policy/modules/contrib/rpm.if
+++ b/policy/modules/contrib/rpm.if
@@ -660,7 +660,7 @@ interface(`rpm_admin',`
admin_pattern($1, rpm_var_run_t)
fs_search_tmpfs($1)
- admin_pattern($1, { rpm_tmpfs_t rpm_script_tmpfs_t }
+ admin_pattern($1, { rpm_tmpfs_t rpm_script_tmpfs_t })
rpm_run($1, $2)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-05-31 13:48 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-05-31 13:48 UTC (permalink / raw
To: gentoo-commits
commit: 3f420e7639e5d86061eac611c2fcbfd0d535d632
Author: James Carter <jwcart2 <AT> tycho <DOT> nsa <DOT> gov>
AuthorDate: Fri May 17 14:45:08 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri May 31 13:46:58 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=3f420e76
- Fixed typo in contrib/readahead.fc.
Fixed typo in readahead.fc.
Signed-off-by: James Carter <jwcart2 <AT> tycho.nsa.gov>
---
policy/modules/contrib/readahead.fc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/readahead.fc b/policy/modules/contrib/readahead.fc
index f307db4..f01b32f 100644
--- a/policy/modules/contrib/readahead.fc
+++ b/policy/modules/contrib/readahead.fc
@@ -4,4 +4,4 @@
/var/lib/readahead(/.*)? gen_context(system_u:object_r:readahead_var_lib_t,s0)
-/var/run/readahead,* gen_context(system_u:object_r:readahead_var_run_t,s0)
+/var/run/readahead.* gen_context(system_u:object_r:readahead_var_run_t,s0)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-05-31 13:48 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-05-31 13:48 UTC (permalink / raw
To: gentoo-commits
commit: aa195150337005aa3a0ef930cea116dc0235fe83
Author: James Carter <jwcart2 <AT> tycho <DOT> nsa <DOT> gov>
AuthorDate: Fri May 17 14:45:03 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri May 31 13:46:56 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=aa195150
- Fixed typo in contrib/qpid.if
Fixed typo in qpid.if.
Signed-off-by: James Carter <jwcart2 <AT> tycho.nsa.gov>
---
policy/modules/contrib/qpid.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/qpid.if b/policy/modules/contrib/qpid.if
index cd51b96..fe2adf8 100644
--- a/policy/modules/contrib/qpid.if
+++ b/policy/modules/contrib/qpid.if
@@ -182,7 +182,7 @@ interface(`qpidd_admin',`
role_transition $2 qpidd_initrc_exec_t system_r;
allow $2 system_r;
- files_search_var_lib($1(
+ files_search_var_lib($1)
admin_pattern($1, qpidd_var_lib_t)
files_search_pids($1)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-05-31 13:48 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-05-31 13:48 UTC (permalink / raw
To: gentoo-commits
commit: 8cd7ba4690e06187877dc11cc9cdee52024811cd
Author: James Carter <jwcart2 <AT> tycho <DOT> nsa <DOT> gov>
AuthorDate: Fri May 17 14:44:26 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri May 31 13:46:48 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=8cd7ba46
- Fixed typo in contrib/avahi.if
Fixed typo in avahi.if
Signed-off-by: James Carter <jwcart2 <AT> tycho.nsa.gov>
---
policy/modules/contrib/avahi.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/avahi.if b/policy/modules/contrib/avahi.if
index aebe7cb..b834cd0 100644
--- a/policy/modules/contrib/avahi.if
+++ b/policy/modules/contrib/avahi.if
@@ -97,7 +97,7 @@ interface(`avahi_dbus_chat',`
########################################
## <summary>
## Connect to avahi using a unix
-$$ stream socket.
+## stream socket.
## </summary>
## <param name="domain">
## <summary>
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-05-31 13:48 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-05-31 13:48 UTC (permalink / raw
To: gentoo-commits
commit: 1f15318f4af32f1a5ff1b84cde6f67a9e13086b4
Author: James Carter <jwcart2 <AT> tycho <DOT> nsa <DOT> gov>
AuthorDate: Fri May 17 14:44:37 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri May 31 13:46:50 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=1f15318f
- Fixed typo in contrib/glusterfs.te
Removed uneeded ";" after macro call in glusterfs.te.
Signed-off-by: James Carter <jwcart2 <AT> tycho.nsa.gov>
---
policy/modules/contrib/glusterfs.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/glusterfs.te b/policy/modules/contrib/glusterfs.te
index 868895a..c4deb52 100644
--- a/policy/modules/contrib/glusterfs.te
+++ b/policy/modules/contrib/glusterfs.te
@@ -25,7 +25,7 @@ type glusterd_var_run_t;
files_pid_file(glusterd_var_run_t)
type glusterd_var_lib_t;
-files_type(glusterd_var_lib_t);
+files_type(glusterd_var_lib_t)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-05-31 13:48 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-05-31 13:48 UTC (permalink / raw
To: gentoo-commits
commit: cdc5dbb1195ac5ce27b7ad686b5c605111743ae2
Author: James Carter <jwcart2 <AT> tycho <DOT> nsa <DOT> gov>
AuthorDate: Fri May 17 14:44:43 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri May 31 13:46:52 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=cdc5dbb1
- Fixed typo in contrib/jabber.if
Removed extra ")" from macro call in jabber.if.
Signed-off-by: James Carter <jwcart2 <AT> tycho.nsa.gov>
---
policy/modules/contrib/jabber.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/jabber.if b/policy/modules/contrib/jabber.if
index 16b1666..7eb3811 100644
--- a/policy/modules/contrib/jabber.if
+++ b/policy/modules/contrib/jabber.if
@@ -86,7 +86,7 @@ interface(`jabber_admin',`
role_transition $2 jabberd_initrc_exec_t system_r;
allow $2 system_r;
- files_search_locks($1))
+ files_search_locks($1)
admin_pattern($1, jabberd_lock_t)
logging_search_logs($1)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-05-31 13:48 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-05-31 13:48 UTC (permalink / raw
To: gentoo-commits
commit: b61b18a86ad7dffe2d241d5f85957adfcd2dae47
Author: James Carter <jwcart2 <AT> tycho <DOT> nsa <DOT> gov>
AuthorDate: Fri May 17 14:44:52 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri May 31 13:46:53 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b61b18a8
- Fixed typo in contrib/keystone.if
Added missing ")" for macro call in keystone.if.
Signed-off-by: James Carter <jwcart2 <AT> tycho.nsa.gov>
---
policy/modules/contrib/keystone.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/keystone.if b/policy/modules/contrib/keystone.if
index d3e7fc9..e88fb16 100644
--- a/policy/modules/contrib/keystone.if
+++ b/policy/modules/contrib/keystone.if
@@ -34,7 +34,7 @@ interface(`keystone_admin',`
logging_search_logs($1)
admin_pattern($1, keystone_log_t)
- files_search_var_lib($1
+ files_search_var_lib($1)
admin_pattern($1, keystone_var_lib_t)
files_search_tmp($1)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-05-16 9:06 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-05-16 9:06 UTC (permalink / raw
To: gentoo-commits
commit: d359c43226bd25173279e0bcd784af066510d569
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue May 14 13:58:31 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu May 16 09:05:06 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=d359c432
Module version bump for openvpn tmp files from Sven Vermeulen.
---
policy/modules/contrib/openvpn.te | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/policy/modules/contrib/openvpn.te b/policy/modules/contrib/openvpn.te
index ac11789..1c3599a 100644
--- a/policy/modules/contrib/openvpn.te
+++ b/policy/modules/contrib/openvpn.te
@@ -1,4 +1,4 @@
-policy_module(openvpn, 1.12.0)
+policy_module(openvpn, 1.12.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-05-16 9:06 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-05-16 9:06 UTC (permalink / raw
To: gentoo-commits
commit: fde2d2cf7d021d1e3e0d53a2a68ee91a3b08f365
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu May 9 19:58:43 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu May 16 09:04:58 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=fde2d2cf
Allow openvpn temporary files
When launching OpenVPN, it fails to start and the following error
is displayed in the openvpn.log file:
Options error: Temporary directory (--tmp-dir) fails with '/tmp': Permission
denied
The AVC denial shows an attempt to read/write/search in tmp_t directory. A quick
check through the code does not show any attempts to create directories, only
temporary file, so create an openvpn_tmp_t with the proper file transition
towards it.
See also https://bugs.gentoo.org/show_bug.cgi?id=468636
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
---
policy/modules/contrib/openvpn.te | 6 ++++++
1 files changed, 6 insertions(+), 0 deletions(-)
diff --git a/policy/modules/contrib/openvpn.te b/policy/modules/contrib/openvpn.te
index ad85917..ac11789 100644
--- a/policy/modules/contrib/openvpn.te
+++ b/policy/modules/contrib/openvpn.te
@@ -32,6 +32,9 @@ init_script_file(openvpn_initrc_exec_t)
type openvpn_status_t;
logging_log_file(openvpn_status_t)
+type openvpn_tmp_t;
+files_tmp_file(openvpn_tmp_t)
+
type openvpn_var_log_t;
logging_log_file(openvpn_var_log_t)
@@ -62,6 +65,9 @@ filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file)
allow openvpn_t openvpn_status_t:file manage_file_perms;
logging_log_filetrans(openvpn_t, openvpn_status_t, file, "openvpn-status.log")
+allow openvpn_t openvpn_tmp_t:file manage_file_perms;
+files_tmp_filetrans(openvpn_t, openvpn_tmp_t, file)
+
manage_dirs_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
append_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
create_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-05-09 17:14 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-05-09 17:14 UTC (permalink / raw
To: gentoo-commits
commit: 6d4c69c10e548a5551e0f9e8db4a20de16d32e08
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu May 9 16:17:26 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu May 9 16:18:13 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=6d4c69c1
Typo fix in ksmtuned_admin() by Shintaro Fujiwara
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/ksmtuned.if | 2 +-
policy/modules/contrib/ksmtuned.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/ksmtuned.if b/policy/modules/contrib/ksmtuned.if
index c530214..93a64bc 100644
--- a/policy/modules/contrib/ksmtuned.if
+++ b/policy/modules/contrib/ksmtuned.if
@@ -67,7 +67,7 @@ interface(`ksmtuned_admin',`
allow $2 system_r;
allow $1 ksmtuned_t:process { ptrace signal_perms };
- ps_process_pattern(ksmtumed_t)
+ ps_process_pattern($1, ksmtuned_t)
files_list_pids($1)
admin_pattern($1, ksmtuned_var_run_t)
diff --git a/policy/modules/contrib/ksmtuned.te b/policy/modules/contrib/ksmtuned.te
index f01e13e..8eef134 100644
--- a/policy/modules/contrib/ksmtuned.te
+++ b/policy/modules/contrib/ksmtuned.te
@@ -1,4 +1,4 @@
-policy_module(ksmtuned, 1.1.0)
+policy_module(ksmtuned, 1.1.1)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-05-09 17:14 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-05-09 17:14 UTC (permalink / raw
To: gentoo-commits
commit: 94a4ba10dd8424756a70495df306589d7d94a462
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu May 9 17:13:20 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu May 9 17:13:20 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=94a4ba10
Move gentoo specifics downwards
---
policy/modules/contrib/minidlna.te | 66 +++++++++++++++++-------------------
1 files changed, 31 insertions(+), 35 deletions(-)
diff --git a/policy/modules/contrib/minidlna.te b/policy/modules/contrib/minidlna.te
index 81a8d4a..541129c 100644
--- a/policy/modules/contrib/minidlna.te
+++ b/policy/modules/contrib/minidlna.te
@@ -12,36 +12,22 @@ policy_module(minidlna, 0.1)
## </desc>
gen_tunable(minidlna_read_generic_user_content, false)
-## <desc>
-## <p>
-## Determine whether minidlna can read all user content.
-## </p>
-## </desc>
-gen_tunable(minidlna_read_all_user_content, false)
-
-## <desc>
-## <p>
-## Determine whether minidlna can read users xdg videos, pictures and music labeled files
-## </p>
-## </desc>
-gen_tunable(minidlna_read_xdg_media_content, false)
-
type minidlna_t;
type minidlna_exec_t;
init_daemon_domain(minidlna_t, minidlna_exec_t)
-type minidlna_initrc_exec_t;
-init_script_file(minidlna_initrc_exec_t)
-
type minidlna_conf_t;
files_config_file(minidlna_conf_t)
-type minidlna_log_t;
-logging_log_file(minidlna_log_t)
-
type minidlna_db_t;
files_type(minidlna_db_t)
+type minidlna_initrc_exec_t;
+init_script_file(minidlna_initrc_exec_t)
+
+type minidlna_log_t;
+logging_log_file(minidlna_log_t)
+
type minidlna_var_run_t;
files_pid_file(minidlna_var_run_t)
@@ -58,19 +44,12 @@ allow minidlna_t minidlna_conf_t:file read_file_perms;
allow minidlna_t minidlna_db_t:dir { create_dir_perms rw_dir_perms };
allow minidlna_t minidlna_db_t:file manage_file_perms;
-#manage_files_pattern(minidlna_t, minidlna_db_t, minidlna_db_t)
-#create_dirs_pattern(minidlna_t, minidlna_db_t, minidlna_db_t)
-#rw_dirs_pattern(minidlna_t, minidlna_db_t, minidlna_db_t)
-#files_var_lib_filetrans(minidlna_t, minidlna_db_t, dir)
allow minidlna_t minidlna_log_t:file append_file_perms;
create_files_pattern(minidlna_t, minidlna_log_t, minidlna_log_t)
-#append_files_pattern(minidlna_t, minidlna_log_t, minidlna_log_t)
allow minidlna_t minidlna_var_run_t:file manage_file_perms;
allow minidlna_t minidlna_var_run_t:dir rw_dir_perms;
-#manage_files_pattern(minidlna_t, minidlna_var_run_t, minidlna_var_run_t)
-#rw_dirs_pattern(minidlna_t, minidlna_var_run_t, minidlna_var_run_t)
files_pid_filetrans(minidlna_t, minidlna_var_run_t, file)
kernel_read_fs_sysctls(minidlna_t)
@@ -122,13 +101,30 @@ tunable_policy(`minidlna_read_generic_user_content',`
userdom_dontaudit_read_user_tmp_files(minidlna_t)
')
-tunable_policy(`minidlna_read_all_user_content',`
- userdom_list_user_tmp(minidlna_t)
- userdom_read_all_user_home_content(minidlna_t)
-')
+ifdef(`distro_gentoo',`
+
+## <desc>
+## <p>
+## Determine whether minidlna can read all user content.
+## </p>
+## </desc>
+gen_tunable(minidlna_read_all_user_content, false)
+
+## <desc>
+## <p>
+## Determine whether minidlna can read users xdg videos, pictures and music labeled files
+## </p>
+## </desc>
+gen_tunable(minidlna_read_xdg_media_content, false)
-tunable_policy(`minidlna_read_xdg_media_content',`
- xdg_read_music_home(minidlna_t)
- xdg_read_pictures_home(minidlna_t)
- xdg_read_videos_home(minidlna_t)
+ tunable_policy(`minidlna_read_all_user_content',`
+ userdom_list_user_tmp(minidlna_t)
+ userdom_read_all_user_home_content(minidlna_t)
+ ')
+
+ tunable_policy(`minidlna_read_xdg_media_content',`
+ xdg_read_music_home(minidlna_t)
+ xdg_read_pictures_home(minidlna_t)
+ xdg_read_videos_home(minidlna_t)
+ ')
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-05-07 9:46 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-05-07 9:46 UTC (permalink / raw
To: gentoo-commits
commit: 22cafea7c3487fdb2b35a2499987ead1f9734ed2
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue May 7 09:45:28 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue May 7 09:45:28 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=22cafea7
Fix double file contexts
---
policy/modules/contrib/puppet.fc | 5 +----
1 files changed, 1 insertions(+), 4 deletions(-)
diff --git a/policy/modules/contrib/puppet.fc b/policy/modules/contrib/puppet.fc
index c97ac6b..d68e26d 100644
--- a/policy/modules/contrib/puppet.fc
+++ b/policy/modules/contrib/puppet.fc
@@ -1,17 +1,14 @@
/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0)
/etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppet_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0)
/usr/bin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0)
/usr/bin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
/usr/bin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
/usr/sbin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0)
-/usr/bin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0)
-/usr/bin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
-/usr/bin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
/var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-05-02 19:28 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-05-02 19:28 UTC (permalink / raw
To: gentoo-commits
commit: 8d56426524db24b73db28d14a7415e821c8090e9
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu May 2 19:27:27 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu May 2 19:27:27 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=8d564265
Updates on networking as suggested by dgrift
---
policy/modules/contrib/minidlna.te | 14 ++++++++------
1 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/policy/modules/contrib/minidlna.te b/policy/modules/contrib/minidlna.te
index e99e5f9..81a8d4a 100644
--- a/policy/modules/contrib/minidlna.te
+++ b/policy/modules/contrib/minidlna.te
@@ -66,7 +66,6 @@ allow minidlna_t minidlna_db_t:file manage_file_perms;
allow minidlna_t minidlna_log_t:file append_file_perms;
create_files_pattern(minidlna_t, minidlna_log_t, minidlna_log_t)
#append_files_pattern(minidlna_t, minidlna_log_t, minidlna_log_t)
-logging_log_filetrans(minidlna_t, minidlna_log_t, file)
allow minidlna_t minidlna_var_run_t:file manage_file_perms;
allow minidlna_t minidlna_var_run_t:dir rw_dir_perms;
@@ -83,24 +82,27 @@ corecmd_exec_shell(minidlna_t)
corenet_all_recvfrom_netlabel(minidlna_t)
corenet_all_recvfrom_unlabeled(minidlna_t)
-corenet_sendrecv_ssdp_client_packets(minidlna_t)
corenet_sendrecv_ssdp_server_packets(minidlna_t)
+corenet_sendrecv_trivnet1_server_packets(minidlna_t)
corenet_tcp_bind_generic_node(minidlna_t)
+corenet_tcp_bind_trivnet1_port(minidlna_t)
corenet_tcp_sendrecv_generic_if(minidlna_t)
corenet_tcp_sendrecv_generic_node(minidlna_t)
+corenet_tcp_sendrecv_trivnet1_port(minidlna_t)
corenet_udp_bind_generic_node(minidlna_t)
corenet_udp_bind_ssdp_port(minidlna_t)
-
-corenet_sendrecv_trivnet1_client_packets(minidlna_t)
-corenet_sendrecv_trivnet1_server_packets(minidlna_t)
-corenet_tcp_bind_trivnet1_port(minidlna_t)
+corenet_udp_sendrecv_generic_if(minidlna_t)
+corenet_udp_sendrecv_generic_node(minidlna_t)
+corenet_udp_sendrecv_ssdp_port(minidlna_t)
files_search_var_lib(minidlna_t)
auth_use_nsswitch(minidlna_t)
+logging_search_logs(minidlna_t)
+
miscfiles_read_localization(minidlna_t)
miscfiles_read_public_files(minidlna_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-05-01 20:17 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-05-01 20:17 UTC (permalink / raw
To: gentoo-commits
commit: cbb10f8faf5d4cb08763d03742f14e4e71372a3b
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed May 1 20:16:07 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed May 1 20:16:07 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=cbb10f8f
Use auth_use_nsswitch instead of files_read_etc_files
Since the need for reading etc files was for the nsswitch.conf file, we need to
use auth_use_nsswitch as nsswitch might result (depending on the users'
configuration) in more privilege access needs (such as LDAP connectivity).
---
policy/modules/contrib/minidlna.te | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/policy/modules/contrib/minidlna.te b/policy/modules/contrib/minidlna.te
index d3a5978..e99e5f9 100644
--- a/policy/modules/contrib/minidlna.te
+++ b/policy/modules/contrib/minidlna.te
@@ -97,9 +97,10 @@ corenet_sendrecv_trivnet1_client_packets(minidlna_t)
corenet_sendrecv_trivnet1_server_packets(minidlna_t)
corenet_tcp_bind_trivnet1_port(minidlna_t)
-files_read_etc_files(minidlna_t)
files_search_var_lib(minidlna_t)
+auth_use_nsswitch(minidlna_t)
+
miscfiles_read_localization(minidlna_t)
miscfiles_read_public_files(minidlna_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-05-01 20:11 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-05-01 20:11 UTC (permalink / raw
To: gentoo-commits
commit: fd7ac272a9fa36d2c0f7b690d022d119488430e8
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed May 1 20:10:25 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed May 1 20:10:25 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=fd7ac272
Update policy with suggestions by dgrift
---
policy/modules/contrib/minidlna.fc | 7 ++++-
policy/modules/contrib/minidlna.if | 6 ++--
policy/modules/contrib/minidlna.te | 47 ++++++++++++++++++++---------------
3 files changed, 35 insertions(+), 25 deletions(-)
diff --git a/policy/modules/contrib/minidlna.fc b/policy/modules/contrib/minidlna.fc
index 05ad732..9d4cd52 100644
--- a/policy/modules/contrib/minidlna.fc
+++ b/policy/modules/contrib/minidlna.fc
@@ -1,11 +1,14 @@
/etc/rc\.d/init\.d/minidlna -- gen_context(system_u:object_r:minidlna_initrc_exec_t,s0)
-/etc/minidlna\.conf -- gen_context(system_u:object_r:minidlna_etc_t,s0)
+/etc/minidlna\.conf -- gen_context(system_u:object_r:minidlna_conf_t,s0)
/usr/sbin/minidlna -- gen_context(system_u:object_r:minidlna_exec_t,s0)
+/var/cache/minidlna(/.*)? gen_context(system_u:object_r:minidlna_db_t,s0)
+
/var/lib/minidlna(/.*)? gen_context(system_u:object_r:minidlna_db_t,s0)
-/var/log/minidlna\.log -- gen_context(system_u:object_r:minidlna_log_t,s0)
+/var/log/minidlna(/.*)? gen_context(system_u:object_r:minidlna_log_t,s0)
+/var/log/minidlna\.log.* -- gen_context(system_u:object_r:minidlna_log_t,s0)
/var/run/minidlna(/.*)? gen_context(system_u:object_r:minidlna_var_run_t,s0)
diff --git a/policy/modules/contrib/minidlna.if b/policy/modules/contrib/minidlna.if
index d27f634..358917a 100644
--- a/policy/modules/contrib/minidlna.if
+++ b/policy/modules/contrib/minidlna.if
@@ -1,4 +1,4 @@
-## <summary>MiniDLNA server</summary>
+## <summary>MiniDLNA lightweight DLNA/UPnP media server</summary>
########################################
## <summary>
@@ -20,7 +20,7 @@
interface(`minidlna_admin',`
gen_require(`
type minidlna_t, minidlna_var_run_t, minidlna_initrc_exec_t;
- type minidlna_etc_t, minidlna_log_t, minidlna_db_t;
+ type minidlna_conf_t, minidlna_log_t, minidlna_db_t;
')
allow $1 minidlna_t:process { ptrace signal_perms };
@@ -32,7 +32,7 @@ interface(`minidlna_admin',`
allow $2 system_r;
files_search_etc($1)
- admin_pattern($1, minidlna_etc_t)
+ admin_pattern($1, minidlna_conf_t)
logging_search_logs($1)
admin_pattern($1, minidlna_log_t)
diff --git a/policy/modules/contrib/minidlna.te b/policy/modules/contrib/minidlna.te
index 3becc3f..d3a5978 100644
--- a/policy/modules/contrib/minidlna.te
+++ b/policy/modules/contrib/minidlna.te
@@ -7,21 +7,21 @@ policy_module(minidlna, 0.1)
## <desc>
## <p>
-## Allow minidlna to read generic user content
+## Determine whether minidlna can read generic user content.
## </p>
## </desc>
gen_tunable(minidlna_read_generic_user_content, false)
## <desc>
## <p>
-## Allow minidlna to read all user content
+## Determine whether minidlna can read all user content.
## </p>
## </desc>
gen_tunable(minidlna_read_all_user_content, false)
## <desc>
## <p>
-## Allow minidlna to read xdg videos, pictures and music labeled files
+## Determine whether minidlna can read users xdg videos, pictures and music labeled files
## </p>
## </desc>
gen_tunable(minidlna_read_xdg_media_content, false)
@@ -33,8 +33,8 @@ init_daemon_domain(minidlna_t, minidlna_exec_t)
type minidlna_initrc_exec_t;
init_script_file(minidlna_initrc_exec_t)
-type minidlna_etc_t;
-files_config_file(minidlna_etc_t)
+type minidlna_conf_t;
+files_config_file(minidlna_conf_t)
type minidlna_log_t;
logging_log_file(minidlna_log_t)
@@ -50,27 +50,33 @@ files_pid_file(minidlna_var_run_t)
# Local policy
#
-allow minidlna_t self:process { setsched };
+allow minidlna_t self:process setsched;
allow minidlna_t self:tcp_socket create_stream_socket_perms;
-allow minidlna_t self:udp_socket { create_socket_perms node_bind };
-allow minidlna_t self:netlink_route_socket rw_netlink_socket_perms;
-allow minidlna_t minidlna_log_t:file { create_file_perms append_file_perms };
-allow minidlna_t minidlna_etc_t:file read_file_perms;
-
-manage_files_pattern(minidlna_t, minidlna_db_t, minidlna_db_t)
-create_dirs_pattern(minidlna_t, minidlna_db_t, minidlna_db_t)
-rw_dirs_pattern(minidlna_t, minidlna_db_t, minidlna_db_t)
-files_var_lib_filetrans(minidlna_t, minidlna_db_t, dir)
-
-manage_files_pattern(minidlna_t, minidlna_var_run_t, minidlna_var_run_t)
-rw_dirs_pattern(minidlna_t, minidlna_var_run_t, minidlna_var_run_t)
+allow minidlna_t self:udp_socket create_socket_perms;
+allow minidlna_t self:netlink_route_socket r_netlink_socket_perms;
+allow minidlna_t minidlna_conf_t:file read_file_perms;
+
+allow minidlna_t minidlna_db_t:dir { create_dir_perms rw_dir_perms };
+allow minidlna_t minidlna_db_t:file manage_file_perms;
+#manage_files_pattern(minidlna_t, minidlna_db_t, minidlna_db_t)
+#create_dirs_pattern(minidlna_t, minidlna_db_t, minidlna_db_t)
+#rw_dirs_pattern(minidlna_t, minidlna_db_t, minidlna_db_t)
+#files_var_lib_filetrans(minidlna_t, minidlna_db_t, dir)
+
+allow minidlna_t minidlna_log_t:file append_file_perms;
+create_files_pattern(minidlna_t, minidlna_log_t, minidlna_log_t)
+#append_files_pattern(minidlna_t, minidlna_log_t, minidlna_log_t)
+logging_log_filetrans(minidlna_t, minidlna_log_t, file)
+
+allow minidlna_t minidlna_var_run_t:file manage_file_perms;
+allow minidlna_t minidlna_var_run_t:dir rw_dir_perms;
+#manage_files_pattern(minidlna_t, minidlna_var_run_t, minidlna_var_run_t)
+#rw_dirs_pattern(minidlna_t, minidlna_var_run_t, minidlna_var_run_t)
files_pid_filetrans(minidlna_t, minidlna_var_run_t, file)
kernel_read_fs_sysctls(minidlna_t)
kernel_read_system_state(minidlna_t)
-logging_log_filetrans(minidlna_t, minidlna_log_t, file)
-
corecmd_exec_bin(minidlna_t)
corecmd_exec_shell(minidlna_t)
@@ -92,6 +98,7 @@ corenet_sendrecv_trivnet1_server_packets(minidlna_t)
corenet_tcp_bind_trivnet1_port(minidlna_t)
files_read_etc_files(minidlna_t)
+files_search_var_lib(minidlna_t)
miscfiles_read_localization(minidlna_t)
miscfiles_read_public_files(minidlna_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-05-01 18:42 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-05-01 18:42 UTC (permalink / raw
To: gentoo-commits
commit: d582c456b350c316060de06812c5b814d610a27e
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed May 1 18:41:48 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed May 1 18:41:48 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=d582c456
Switch to trivnet1 port instead of the more generic unreserved port
---
policy/modules/contrib/minidlna.te | 8 +++-----
1 files changed, 3 insertions(+), 5 deletions(-)
diff --git a/policy/modules/contrib/minidlna.te b/policy/modules/contrib/minidlna.te
index 586d6cc..3becc3f 100644
--- a/policy/modules/contrib/minidlna.te
+++ b/policy/modules/contrib/minidlna.te
@@ -80,8 +80,6 @@ corenet_all_recvfrom_unlabeled(minidlna_t)
corenet_sendrecv_ssdp_client_packets(minidlna_t)
corenet_sendrecv_ssdp_server_packets(minidlna_t)
-# Next can be removed if trivnet1 calls are enabled
-corenet_tcp_bind_all_unreserved_ports(minidlna_t)
corenet_tcp_bind_generic_node(minidlna_t)
corenet_tcp_sendrecv_generic_if(minidlna_t)
corenet_tcp_sendrecv_generic_node(minidlna_t)
@@ -89,9 +87,9 @@ corenet_tcp_sendrecv_generic_node(minidlna_t)
corenet_udp_bind_generic_node(minidlna_t)
corenet_udp_bind_ssdp_port(minidlna_t)
-#corenet_sendrecv_trivnet1_server_packets(minidlna_t)
-#corenet_sendrecv_trivnet1_server_packets(minidlna_t)
-#corenet_tcp_bind_trivnet1_port(minidlna_t)
+corenet_sendrecv_trivnet1_client_packets(minidlna_t)
+corenet_sendrecv_trivnet1_server_packets(minidlna_t)
+corenet_tcp_bind_trivnet1_port(minidlna_t)
files_read_etc_files(minidlna_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-05-01 18:23 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-05-01 18:23 UTC (permalink / raw
To: gentoo-commits
commit: e37b822faf448c045ffa4b24f4c28303f14c91ae
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Wed Apr 24 20:14:52 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed May 1 18:21:38 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e37b822f
Bump module versions for release.
---
policy/modules/contrib/abrt.te | 2 +-
policy/modules/contrib/accountsd.te | 2 +-
policy/modules/contrib/acct.te | 2 +-
policy/modules/contrib/ada.te | 2 +-
policy/modules/contrib/afs.te | 2 +-
policy/modules/contrib/aiccu.te | 2 +-
policy/modules/contrib/aide.te | 2 +-
policy/modules/contrib/aisexec.te | 2 +-
policy/modules/contrib/alsa.te | 2 +-
policy/modules/contrib/amanda.te | 2 +-
policy/modules/contrib/amavis.te | 2 +-
policy/modules/contrib/amtu.te | 2 +-
policy/modules/contrib/anaconda.te | 2 +-
policy/modules/contrib/apache.te | 2 +-
policy/modules/contrib/apcupsd.te | 2 +-
policy/modules/contrib/apm.te | 2 +-
policy/modules/contrib/apt.te | 2 +-
policy/modules/contrib/arpwatch.te | 2 +-
policy/modules/contrib/asterisk.te | 2 +-
policy/modules/contrib/authbind.te | 2 +-
policy/modules/contrib/automount.te | 2 +-
policy/modules/contrib/avahi.te | 2 +-
policy/modules/contrib/awstats.te | 2 +-
policy/modules/contrib/backup.te | 2 +-
policy/modules/contrib/bacula.te | 2 +-
policy/modules/contrib/bcfg2.te | 2 +-
policy/modules/contrib/bind.te | 2 +-
policy/modules/contrib/bird.te | 2 +-
policy/modules/contrib/bitlbee.te | 2 +-
policy/modules/contrib/blueman.te | 2 +-
policy/modules/contrib/bluetooth.te | 2 +-
policy/modules/contrib/boinc.te | 2 +-
policy/modules/contrib/brctl.te | 2 +-
policy/modules/contrib/bugzilla.te | 2 +-
policy/modules/contrib/cachefilesd.te | 2 +-
policy/modules/contrib/calamaris.te | 2 +-
policy/modules/contrib/callweaver.te | 2 +-
policy/modules/contrib/canna.te | 2 +-
policy/modules/contrib/ccs.te | 2 +-
policy/modules/contrib/cdrecord.te | 2 +-
policy/modules/contrib/certmaster.te | 2 +-
policy/modules/contrib/certmonger.te | 2 +-
policy/modules/contrib/certwatch.te | 2 +-
policy/modules/contrib/cfengine.te | 2 +-
policy/modules/contrib/cgroup.te | 2 +-
policy/modules/contrib/chronyd.te | 2 +-
policy/modules/contrib/cipe.te | 2 +-
policy/modules/contrib/clamav.te | 2 +-
policy/modules/contrib/clockspeed.te | 2 +-
policy/modules/contrib/clogd.te | 2 +-
policy/modules/contrib/cmirrord.te | 2 +-
policy/modules/contrib/cobbler.te | 2 +-
policy/modules/contrib/colord.te | 2 +-
policy/modules/contrib/comsat.te | 2 +-
policy/modules/contrib/consolekit.te | 2 +-
policy/modules/contrib/corosync.te | 2 +-
policy/modules/contrib/couchdb.te | 2 +-
policy/modules/contrib/courier.te | 2 +-
policy/modules/contrib/cpucontrol.te | 2 +-
policy/modules/contrib/cpufreqselector.te | 2 +-
policy/modules/contrib/cron.te | 2 +-
policy/modules/contrib/ctdb.te | 2 +-
policy/modules/contrib/cups.te | 2 +-
policy/modules/contrib/cvs.te | 2 +-
policy/modules/contrib/cyphesis.te | 2 +-
policy/modules/contrib/cyrus.te | 2 +-
policy/modules/contrib/daemontools.te | 2 +-
policy/modules/contrib/dante.te | 2 +-
policy/modules/contrib/dbadm.te | 2 +-
policy/modules/contrib/dbskk.te | 2 +-
policy/modules/contrib/dbus.te | 2 +-
policy/modules/contrib/dcc.te | 2 +-
policy/modules/contrib/ddclient.te | 2 +-
policy/modules/contrib/ddcprobe.te | 2 +-
policy/modules/contrib/denyhosts.te | 2 +-
policy/modules/contrib/devicekit.te | 2 +-
policy/modules/contrib/dhcp.te | 2 +-
policy/modules/contrib/dictd.te | 2 +-
policy/modules/contrib/distcc.te | 2 +-
policy/modules/contrib/djbdns.te | 2 +-
policy/modules/contrib/dkim.te | 2 +-
policy/modules/contrib/dmidecode.te | 2 +-
policy/modules/contrib/dnsmasq.te | 2 +-
policy/modules/contrib/dnssectrigger.te | 2 +-
policy/modules/contrib/dovecot.te | 2 +-
policy/modules/contrib/drbd.te | 2 +-
policy/modules/contrib/dspam.te | 2 +-
policy/modules/contrib/entropyd.te | 2 +-
policy/modules/contrib/evolution.te | 2 +-
policy/modules/contrib/exim.te | 2 +-
policy/modules/contrib/fail2ban.te | 2 +-
policy/modules/contrib/fcoe.te | 2 +-
policy/modules/contrib/fetchmail.te | 2 +-
policy/modules/contrib/finger.te | 2 +-
policy/modules/contrib/firewalld.te | 2 +-
policy/modules/contrib/firewallgui.te | 2 +-
policy/modules/contrib/firstboot.te | 2 +-
policy/modules/contrib/fprintd.te | 2 +-
policy/modules/contrib/ftp.te | 2 +-
policy/modules/contrib/games.te | 2 +-
policy/modules/contrib/gatekeeper.te | 2 +-
policy/modules/contrib/gift.te | 2 +-
policy/modules/contrib/git.te | 2 +-
policy/modules/contrib/gitosis.te | 2 +-
policy/modules/contrib/glance.te | 2 +-
policy/modules/contrib/glusterfs.te | 2 +-
policy/modules/contrib/gnome.te | 2 +-
policy/modules/contrib/gnomeclock.te | 2 +-
policy/modules/contrib/gpg.te | 2 +-
policy/modules/contrib/gpm.te | 2 +-
policy/modules/contrib/gpsd.te | 2 +-
policy/modules/contrib/guest.te | 2 +-
policy/modules/contrib/hadoop.te | 2 +-
policy/modules/contrib/hal.te | 2 +-
policy/modules/contrib/hddtemp.te | 2 +-
policy/modules/contrib/howl.te | 2 +-
policy/modules/contrib/i18n_input.te | 2 +-
policy/modules/contrib/icecast.te | 2 +-
policy/modules/contrib/ifplugd.te | 2 +-
policy/modules/contrib/imaze.te | 2 +-
policy/modules/contrib/inetd.te | 2 +-
policy/modules/contrib/inn.te | 2 +-
policy/modules/contrib/iodine.te | 2 +-
policy/modules/contrib/irc.te | 2 +-
policy/modules/contrib/ircd.te | 2 +-
policy/modules/contrib/irqbalance.te | 2 +-
policy/modules/contrib/iscsi.te | 2 +-
policy/modules/contrib/jabber.te | 2 +-
policy/modules/contrib/java.te | 2 +-
policy/modules/contrib/kdump.te | 2 +-
policy/modules/contrib/kdumpgui.te | 2 +-
policy/modules/contrib/kerberos.te | 2 +-
policy/modules/contrib/kerneloops.te | 2 +-
policy/modules/contrib/keyboardd.te | 2 +-
policy/modules/contrib/keystone.te | 2 +-
policy/modules/contrib/kismet.te | 2 +-
policy/modules/contrib/ksmtuned.te | 2 +-
policy/modules/contrib/ktalk.te | 2 +-
policy/modules/contrib/kudzu.te | 2 +-
policy/modules/contrib/l2tp.te | 2 +-
policy/modules/contrib/ldap.te | 2 +-
policy/modules/contrib/lightsquid.te | 2 +-
policy/modules/contrib/likewise.te | 2 +-
policy/modules/contrib/lircd.te | 2 +-
policy/modules/contrib/livecd.te | 2 +-
policy/modules/contrib/lldpad.te | 2 +-
policy/modules/contrib/loadkeys.te | 2 +-
policy/modules/contrib/lockdev.te | 2 +-
policy/modules/contrib/logrotate.te | 2 +-
policy/modules/contrib/logwatch.te | 2 +-
policy/modules/contrib/lpd.te | 2 +-
policy/modules/contrib/mailman.te | 2 +-
policy/modules/contrib/mailscanner.te | 2 +-
policy/modules/contrib/mandb.te | 2 +-
policy/modules/contrib/mcelog.te | 2 +-
policy/modules/contrib/memcached.te | 2 +-
policy/modules/contrib/milter.te | 2 +-
policy/modules/contrib/minidlna.fc | 11 +++
policy/modules/contrib/minidlna.if | 64 +++++++++++++++
policy/modules/contrib/minidlna.te | 126 +++++++++++++++++++++++++++++
policy/modules/contrib/modemmanager.te | 2 +-
policy/modules/contrib/mojomojo.te | 2 +-
policy/modules/contrib/mongodb.te | 2 +-
policy/modules/contrib/mono.te | 2 +-
policy/modules/contrib/monop.te | 2 +-
policy/modules/contrib/mozilla.te | 2 +-
policy/modules/contrib/mpd.te | 2 +-
policy/modules/contrib/mplayer.te | 2 +-
policy/modules/contrib/mrtg.te | 2 +-
policy/modules/contrib/mta.te | 2 +-
policy/modules/contrib/munin.te | 2 +-
policy/modules/contrib/mysql.te | 2 +-
policy/modules/contrib/nagios.te | 2 +-
policy/modules/contrib/ncftool.te | 2 +-
policy/modules/contrib/nessus.te | 2 +-
policy/modules/contrib/networkmanager.te | 2 +-
policy/modules/contrib/nis.te | 2 +-
policy/modules/contrib/nscd.te | 2 +-
policy/modules/contrib/nsd.te | 2 +-
policy/modules/contrib/nslcd.te | 2 +-
policy/modules/contrib/ntop.te | 2 +-
policy/modules/contrib/ntp.te | 2 +-
policy/modules/contrib/numad.te | 2 +-
policy/modules/contrib/nut.te | 2 +-
policy/modules/contrib/nx.te | 2 +-
policy/modules/contrib/oav.te | 2 +-
policy/modules/contrib/oddjob.te | 2 +-
policy/modules/contrib/oident.te | 2 +-
policy/modules/contrib/openca.te | 2 +-
policy/modules/contrib/openct.te | 2 +-
policy/modules/contrib/openhpi.te | 2 +-
policy/modules/contrib/openvpn.te | 2 +-
policy/modules/contrib/openvswitch.te | 2 +-
policy/modules/contrib/pacemaker.te | 2 +-
policy/modules/contrib/pads.te | 2 +-
policy/modules/contrib/passenger.te | 2 +-
policy/modules/contrib/pcmcia.te | 2 +-
policy/modules/contrib/pcscd.te | 2 +-
policy/modules/contrib/pegasus.te | 2 +-
policy/modules/contrib/perdition.te | 2 +-
policy/modules/contrib/pingd.te | 2 +-
policy/modules/contrib/plymouthd.te | 2 +-
policy/modules/contrib/podsleuth.te | 2 +-
policy/modules/contrib/policykit.te | 2 +-
policy/modules/contrib/polipo.te | 2 +-
policy/modules/contrib/portage.te | 2 +-
policy/modules/contrib/portmap.te | 2 +-
policy/modules/contrib/portreserve.te | 2 +-
policy/modules/contrib/portslave.te | 2 +-
policy/modules/contrib/postfix.te | 2 +-
policy/modules/contrib/postfixpolicyd.te | 2 +-
policy/modules/contrib/postgrey.te | 2 +-
policy/modules/contrib/ppp.te | 2 +-
policy/modules/contrib/prelink.te | 2 +-
policy/modules/contrib/prelude.te | 2 +-
policy/modules/contrib/privoxy.te | 2 +-
policy/modules/contrib/procmail.te | 2 +-
policy/modules/contrib/psad.te | 2 +-
policy/modules/contrib/ptchown.te | 2 +-
policy/modules/contrib/publicfile.te | 2 +-
policy/modules/contrib/pulseaudio.te | 2 +-
policy/modules/contrib/puppet.te | 2 +-
policy/modules/contrib/pxe.te | 2 +-
policy/modules/contrib/pyicqt.te | 2 +-
policy/modules/contrib/pyzor.te | 2 +-
policy/modules/contrib/qemu.te | 2 +-
policy/modules/contrib/qmail.te | 2 +-
policy/modules/contrib/qpid.te | 2 +-
policy/modules/contrib/quantum.te | 2 +-
policy/modules/contrib/quota.te | 2 +-
policy/modules/contrib/radius.te | 2 +-
policy/modules/contrib/radvd.te | 2 +-
policy/modules/contrib/raid.te | 2 +-
policy/modules/contrib/razor.te | 2 +-
policy/modules/contrib/readahead.te | 2 +-
policy/modules/contrib/realmd.te | 2 +-
policy/modules/contrib/remotelogin.te | 2 +-
policy/modules/contrib/resmgr.te | 2 +-
policy/modules/contrib/rgmanager.te | 2 +-
policy/modules/contrib/rhcs.te | 2 +-
policy/modules/contrib/rhsmcertd.te | 2 +-
policy/modules/contrib/ricci.te | 2 +-
policy/modules/contrib/rlogin.te | 2 +-
policy/modules/contrib/rngd.te | 2 +-
policy/modules/contrib/roundup.te | 2 +-
policy/modules/contrib/rpc.te | 2 +-
policy/modules/contrib/rpcbind.te | 2 +-
policy/modules/contrib/rpm.te | 2 +-
policy/modules/contrib/rshd.te | 2 +-
| 2 +-
policy/modules/contrib/rsync.te | 2 +-
policy/modules/contrib/rtkit.te | 2 +-
policy/modules/contrib/rwho.te | 2 +-
policy/modules/contrib/samba.te | 2 +-
policy/modules/contrib/sambagui.te | 2 +-
policy/modules/contrib/samhain.te | 2 +-
policy/modules/contrib/sanlock.te | 2 +-
policy/modules/contrib/sasl.te | 2 +-
policy/modules/contrib/sblim.te | 2 +-
policy/modules/contrib/screen.te | 2 +-
policy/modules/contrib/sectoolm.te | 2 +-
policy/modules/contrib/sendmail.te | 2 +-
policy/modules/contrib/setroubleshoot.te | 2 +-
policy/modules/contrib/shorewall.te | 2 +-
policy/modules/contrib/shutdown.te | 2 +-
policy/modules/contrib/slocate.te | 2 +-
policy/modules/contrib/slpd.te | 2 +-
policy/modules/contrib/slrnpull.te | 2 +-
policy/modules/contrib/smartmon.te | 2 +-
policy/modules/contrib/smokeping.te | 2 +-
policy/modules/contrib/smoltclient.te | 2 +-
policy/modules/contrib/snmp.te | 2 +-
policy/modules/contrib/snort.te | 2 +-
policy/modules/contrib/sosreport.te | 2 +-
policy/modules/contrib/soundserver.te | 2 +-
policy/modules/contrib/spamassassin.te | 2 +-
policy/modules/contrib/speedtouch.te | 2 +-
policy/modules/contrib/squid.te | 2 +-
policy/modules/contrib/sssd.te | 2 +-
policy/modules/contrib/stunnel.te | 2 +-
policy/modules/contrib/svnserve.te | 2 +-
policy/modules/contrib/sxid.te | 2 +-
policy/modules/contrib/sysstat.te | 2 +-
policy/modules/contrib/systemtap.te | 2 +-
policy/modules/contrib/tcpd.te | 2 +-
policy/modules/contrib/tcsd.te | 2 +-
policy/modules/contrib/telepathy.te | 2 +-
policy/modules/contrib/telnet.te | 2 +-
policy/modules/contrib/tftp.te | 2 +-
policy/modules/contrib/tgtd.te | 2 +-
policy/modules/contrib/thunderbird.te | 2 +-
policy/modules/contrib/timidity.te | 2 +-
policy/modules/contrib/tmpreaper.te | 2 +-
policy/modules/contrib/tor.te | 2 +-
policy/modules/contrib/transproxy.te | 2 +-
policy/modules/contrib/tripwire.te | 2 +-
policy/modules/contrib/tuned.te | 2 +-
policy/modules/contrib/tvtime.te | 2 +-
policy/modules/contrib/tzdata.te | 2 +-
policy/modules/contrib/ucspitcp.te | 2 +-
policy/modules/contrib/ulogd.te | 2 +-
policy/modules/contrib/uml.te | 2 +-
policy/modules/contrib/updfstab.te | 2 +-
policy/modules/contrib/uptime.te | 2 +-
policy/modules/contrib/usbmodules.te | 2 +-
policy/modules/contrib/usbmuxd.te | 2 +-
policy/modules/contrib/userhelper.te | 2 +-
policy/modules/contrib/usernetctl.te | 2 +-
policy/modules/contrib/uucp.te | 2 +-
policy/modules/contrib/uuidd.te | 2 +-
policy/modules/contrib/uwimap.te | 2 +-
policy/modules/contrib/vbetool.te | 2 +-
policy/modules/contrib/vdagent.te | 2 +-
policy/modules/contrib/vhostmd.te | 2 +-
policy/modules/contrib/virt.te | 2 +-
policy/modules/contrib/vlock.te | 2 +-
policy/modules/contrib/vmware.te | 2 +-
policy/modules/contrib/vnstatd.te | 2 +-
policy/modules/contrib/vpn.te | 2 +-
policy/modules/contrib/w3c.te | 2 +-
policy/modules/contrib/watchdog.te | 2 +-
policy/modules/contrib/wdmd.te | 2 +-
policy/modules/contrib/webadm.te | 2 +-
policy/modules/contrib/webalizer.te | 2 +-
policy/modules/contrib/wine.te | 2 +-
policy/modules/contrib/wireshark.te | 2 +-
policy/modules/contrib/wm.te | 2 +-
policy/modules/contrib/xen.te | 2 +-
policy/modules/contrib/xfs.te | 2 +-
policy/modules/contrib/xguest.te | 2 +-
policy/modules/contrib/xscreensaver.te | 2 +-
policy/modules/contrib/yam.te | 2 +-
policy/modules/contrib/zabbix.te | 2 +-
policy/modules/contrib/zarafa.te | 2 +-
policy/modules/contrib/zebra.te | 2 +-
policy/modules/contrib/zosremote.te | 2 +-
336 files changed, 534 insertions(+), 333 deletions(-)
diff --git a/policy/modules/contrib/abrt.te b/policy/modules/contrib/abrt.te
index cc43d25..09a02b2 100644
--- a/policy/modules/contrib/abrt.te
+++ b/policy/modules/contrib/abrt.te
@@ -1,4 +1,4 @@
-policy_module(abrt, 1.3.4)
+policy_module(abrt, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/accountsd.te b/policy/modules/contrib/accountsd.te
index 313b33f..352c36e 100644
--- a/policy/modules/contrib/accountsd.te
+++ b/policy/modules/contrib/accountsd.te
@@ -1,4 +1,4 @@
-policy_module(accountsd, 1.0.6)
+policy_module(accountsd, 1.1.0)
gen_require(`
class passwd all_passwd_perms;
diff --git a/policy/modules/contrib/acct.te b/policy/modules/contrib/acct.te
index 1a1c91a..8b9ad83 100644
--- a/policy/modules/contrib/acct.te
+++ b/policy/modules/contrib/acct.te
@@ -1,4 +1,4 @@
-policy_module(acct, 1.5.1)
+policy_module(acct, 1.6.0)
########################################
#
diff --git a/policy/modules/contrib/ada.te b/policy/modules/contrib/ada.te
index 8b5ad06..8d42c97 100644
--- a/policy/modules/contrib/ada.te
+++ b/policy/modules/contrib/ada.te
@@ -1,4 +1,4 @@
-policy_module(ada, 1.4.1)
+policy_module(ada, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/afs.te b/policy/modules/contrib/afs.te
index 6690cdf..90ce637 100644
--- a/policy/modules/contrib/afs.te
+++ b/policy/modules/contrib/afs.te
@@ -1,4 +1,4 @@
-policy_module(afs, 1.8.2)
+policy_module(afs, 1.9.0)
########################################
#
diff --git a/policy/modules/contrib/aiccu.te b/policy/modules/contrib/aiccu.te
index 72c33c2..5d2b90e 100644
--- a/policy/modules/contrib/aiccu.te
+++ b/policy/modules/contrib/aiccu.te
@@ -1,4 +1,4 @@
-policy_module(aiccu, 1.0.2)
+policy_module(aiccu, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/aide.te b/policy/modules/contrib/aide.te
index 4b28ab3..b41a1b1 100644
--- a/policy/modules/contrib/aide.te
+++ b/policy/modules/contrib/aide.te
@@ -1,4 +1,4 @@
-policy_module(aide, 1.6.1)
+policy_module(aide, 1.7.0)
########################################
#
diff --git a/policy/modules/contrib/aisexec.te b/policy/modules/contrib/aisexec.te
index 196f7cf..4e4f063 100644
--- a/policy/modules/contrib/aisexec.te
+++ b/policy/modules/contrib/aisexec.te
@@ -1,4 +1,4 @@
-policy_module(aisexec, 1.1.1)
+policy_module(aisexec, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/alsa.te b/policy/modules/contrib/alsa.te
index 2a53b69..2ac9f38 100644
--- a/policy/modules/contrib/alsa.te
+++ b/policy/modules/contrib/alsa.te
@@ -1,4 +1,4 @@
-policy_module(alsa, 1.11.4)
+policy_module(alsa, 1.12.0)
########################################
#
diff --git a/policy/modules/contrib/amanda.te b/policy/modules/contrib/amanda.te
index ed45974..519051c 100644
--- a/policy/modules/contrib/amanda.te
+++ b/policy/modules/contrib/amanda.te
@@ -1,4 +1,4 @@
-policy_module(amanda, 1.14.2)
+policy_module(amanda, 1.15.0)
#######################################
#
diff --git a/policy/modules/contrib/amavis.te b/policy/modules/contrib/amavis.te
index ab55ba7..91fa72a 100644
--- a/policy/modules/contrib/amavis.te
+++ b/policy/modules/contrib/amavis.te
@@ -1,4 +1,4 @@
-policy_module(amavis, 1.14.3)
+policy_module(amavis, 1.15.0)
########################################
#
diff --git a/policy/modules/contrib/amtu.te b/policy/modules/contrib/amtu.te
index c960f92..16d0d66 100644
--- a/policy/modules/contrib/amtu.te
+++ b/policy/modules/contrib/amtu.te
@@ -1,4 +1,4 @@
-policy_module(amtu, 1.2.3)
+policy_module(amtu, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/anaconda.te b/policy/modules/contrib/anaconda.te
index 6f1384c..aa44abf 100644
--- a/policy/modules/contrib/anaconda.te
+++ b/policy/modules/contrib/anaconda.te
@@ -1,4 +1,4 @@
-policy_module(anaconda, 1.6.1)
+policy_module(anaconda, 1.7.0)
gen_require(`
class passwd all_passwd_perms;
diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index 0f24dc8..0da7cc3 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -1,4 +1,4 @@
-policy_module(apache, 2.6.10)
+policy_module(apache, 2.7.0)
########################################
#
diff --git a/policy/modules/contrib/apcupsd.te b/policy/modules/contrib/apcupsd.te
index b236327..080bc4d 100644
--- a/policy/modules/contrib/apcupsd.te
+++ b/policy/modules/contrib/apcupsd.te
@@ -1,4 +1,4 @@
-policy_module(apcupsd, 1.8.4)
+policy_module(apcupsd, 1.9.0)
########################################
#
diff --git a/policy/modules/contrib/apm.te b/policy/modules/contrib/apm.te
index 3590e2f..7fd431b 100644
--- a/policy/modules/contrib/apm.te
+++ b/policy/modules/contrib/apm.te
@@ -1,4 +1,4 @@
-policy_module(apm, 1.11.4)
+policy_module(apm, 1.12.0)
########################################
#
diff --git a/policy/modules/contrib/apt.te b/policy/modules/contrib/apt.te
index e2d8d52..60a475d 100644
--- a/policy/modules/contrib/apt.te
+++ b/policy/modules/contrib/apt.te
@@ -1,4 +1,4 @@
-policy_module(apt, 1.7.5)
+policy_module(apt, 1.8.0)
########################################
#
diff --git a/policy/modules/contrib/arpwatch.te b/policy/modules/contrib/arpwatch.te
index fa18c76..2d7bf34 100644
--- a/policy/modules/contrib/arpwatch.te
+++ b/policy/modules/contrib/arpwatch.te
@@ -1,4 +1,4 @@
-policy_module(arpwatch, 1.10.4)
+policy_module(arpwatch, 1.11.0)
########################################
#
diff --git a/policy/modules/contrib/asterisk.te b/policy/modules/contrib/asterisk.te
index 6811e92..f2f01f5 100644
--- a/policy/modules/contrib/asterisk.te
+++ b/policy/modules/contrib/asterisk.te
@@ -1,4 +1,4 @@
-policy_module(asterisk, 1.11.5)
+policy_module(asterisk, 1.12.0)
########################################
#
diff --git a/policy/modules/contrib/authbind.te b/policy/modules/contrib/authbind.te
index a194e01..dd9d215 100644
--- a/policy/modules/contrib/authbind.te
+++ b/policy/modules/contrib/authbind.te
@@ -1,4 +1,4 @@
-policy_module(authbind, 1.2.1)
+policy_module(authbind, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/automount.te b/policy/modules/contrib/automount.te
index a579c3b..d4e58ea 100644
--- a/policy/modules/contrib/automount.te
+++ b/policy/modules/contrib/automount.te
@@ -1,4 +1,4 @@
-policy_module(automount, 1.13.3)
+policy_module(automount, 1.14.0)
########################################
#
diff --git a/policy/modules/contrib/avahi.te b/policy/modules/contrib/avahi.te
index 60e76be..95ae264 100644
--- a/policy/modules/contrib/avahi.te
+++ b/policy/modules/contrib/avahi.te
@@ -1,4 +1,4 @@
-policy_module(avahi, 1.13.2)
+policy_module(avahi, 1.14.0)
########################################
#
diff --git a/policy/modules/contrib/awstats.te b/policy/modules/contrib/awstats.te
index d6ab824..c1b16c3 100644
--- a/policy/modules/contrib/awstats.te
+++ b/policy/modules/contrib/awstats.te
@@ -1,4 +1,4 @@
-policy_module(awstats, 1.4.4)
+policy_module(awstats, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/backup.te b/policy/modules/contrib/backup.te
index d6ceef4..b9f8b55 100644
--- a/policy/modules/contrib/backup.te
+++ b/policy/modules/contrib/backup.te
@@ -1,4 +1,4 @@
-policy_module(backup, 1.5.2)
+policy_module(backup, 1.6.0)
########################################
#
diff --git a/policy/modules/contrib/bacula.te b/policy/modules/contrib/bacula.te
index 3beba2f..f16b000 100644
--- a/policy/modules/contrib/bacula.te
+++ b/policy/modules/contrib/bacula.te
@@ -1,4 +1,4 @@
-policy_module(bacula, 1.1.1)
+policy_module(bacula, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/bcfg2.te b/policy/modules/contrib/bcfg2.te
index 536ec3c..c3fd7b1 100644
--- a/policy/modules/contrib/bcfg2.te
+++ b/policy/modules/contrib/bcfg2.te
@@ -1,4 +1,4 @@
-policy_module(bcfg2, 1.0.1)
+policy_module(bcfg2, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/bind.te b/policy/modules/contrib/bind.te
index 076ffee..b01e493 100644
--- a/policy/modules/contrib/bind.te
+++ b/policy/modules/contrib/bind.te
@@ -1,4 +1,4 @@
-policy_module(bind, 1.12.8)
+policy_module(bind, 1.13.0)
########################################
#
diff --git a/policy/modules/contrib/bird.te b/policy/modules/contrib/bird.te
index d4d71ec..1d60c27 100644
--- a/policy/modules/contrib/bird.te
+++ b/policy/modules/contrib/bird.te
@@ -1,4 +1,4 @@
-policy_module(bird, 1.0.2)
+policy_module(bird, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/bitlbee.te b/policy/modules/contrib/bitlbee.te
index ac8c91e..f5c1a48 100644
--- a/policy/modules/contrib/bitlbee.te
+++ b/policy/modules/contrib/bitlbee.te
@@ -1,4 +1,4 @@
-policy_module(bitlbee, 1.4.4)
+policy_module(bitlbee, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/blueman.te b/policy/modules/contrib/blueman.te
index bc5c984..3a5032e 100644
--- a/policy/modules/contrib/blueman.te
+++ b/policy/modules/contrib/blueman.te
@@ -1,4 +1,4 @@
-policy_module(blueman, 1.0.4)
+policy_module(blueman, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/bluetooth.te b/policy/modules/contrib/bluetooth.te
index 6f09d24..15f5a95 100644
--- a/policy/modules/contrib/bluetooth.te
+++ b/policy/modules/contrib/bluetooth.te
@@ -1,4 +1,4 @@
-policy_module(bluetooth, 3.4.5)
+policy_module(bluetooth, 3.5.0)
########################################
#
diff --git a/policy/modules/contrib/boinc.te b/policy/modules/contrib/boinc.te
index 7c92aa1..920e16c 100644
--- a/policy/modules/contrib/boinc.te
+++ b/policy/modules/contrib/boinc.te
@@ -1,4 +1,4 @@
-policy_module(boinc, 1.0.3)
+policy_module(boinc, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/brctl.te b/policy/modules/contrib/brctl.te
index bcd1e87..c5a9113 100644
--- a/policy/modules/contrib/brctl.te
+++ b/policy/modules/contrib/brctl.te
@@ -1,4 +1,4 @@
-policy_module(brctl, 1.6.2)
+policy_module(brctl, 1.7.0)
########################################
#
diff --git a/policy/modules/contrib/bugzilla.te b/policy/modules/contrib/bugzilla.te
index 41f8251..18623e3 100644
--- a/policy/modules/contrib/bugzilla.te
+++ b/policy/modules/contrib/bugzilla.te
@@ -1,4 +1,4 @@
-policy_module(bugzilla, 1.0.4)
+policy_module(bugzilla, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/cachefilesd.te b/policy/modules/contrib/cachefilesd.te
index 581c8ef..a3760bc 100644
--- a/policy/modules/contrib/cachefilesd.te
+++ b/policy/modules/contrib/cachefilesd.te
@@ -1,4 +1,4 @@
-policy_module(cachefilesd, 1.0.1)
+policy_module(cachefilesd, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/calamaris.te b/policy/modules/contrib/calamaris.te
index f4f21d3..7e57460 100644
--- a/policy/modules/contrib/calamaris.te
+++ b/policy/modules/contrib/calamaris.te
@@ -1,4 +1,4 @@
-policy_module(calamaris, 1.7.2)
+policy_module(calamaris, 1.8.0)
########################################
#
diff --git a/policy/modules/contrib/callweaver.te b/policy/modules/contrib/callweaver.te
index 528051e..0e5be4c 100644
--- a/policy/modules/contrib/callweaver.te
+++ b/policy/modules/contrib/callweaver.te
@@ -1,4 +1,4 @@
-policy_module(callweaver, 1.0.2)
+policy_module(callweaver, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/canna.te b/policy/modules/contrib/canna.te
index 4ec0626..9fe6162 100644
--- a/policy/modules/contrib/canna.te
+++ b/policy/modules/contrib/canna.te
@@ -1,4 +1,4 @@
-policy_module(canna, 1.11.1)
+policy_module(canna, 1.12.0)
########################################
#
diff --git a/policy/modules/contrib/ccs.te b/policy/modules/contrib/ccs.te
index b85b53b..658134d 100644
--- a/policy/modules/contrib/ccs.te
+++ b/policy/modules/contrib/ccs.te
@@ -1,4 +1,4 @@
-policy_module(ccs, 1.5.2)
+policy_module(ccs, 1.6.0)
########################################
#
diff --git a/policy/modules/contrib/cdrecord.te b/policy/modules/contrib/cdrecord.te
index 55fb26a..16883c9 100644
--- a/policy/modules/contrib/cdrecord.te
+++ b/policy/modules/contrib/cdrecord.te
@@ -1,4 +1,4 @@
-policy_module(cdrecord, 2.5.2)
+policy_module(cdrecord, 2.6.0)
########################################
#
diff --git a/policy/modules/contrib/certmaster.te b/policy/modules/contrib/certmaster.te
index bf82163..4a87873 100644
--- a/policy/modules/contrib/certmaster.te
+++ b/policy/modules/contrib/certmaster.te
@@ -1,4 +1,4 @@
-policy_module(certmaster, 1.2.1)
+policy_module(certmaster, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/certmonger.te b/policy/modules/contrib/certmonger.te
index 2354e21..550b287 100644
--- a/policy/modules/contrib/certmonger.te
+++ b/policy/modules/contrib/certmonger.te
@@ -1,4 +1,4 @@
-policy_module(certmonger, 1.1.5)
+policy_module(certmonger, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/certwatch.te b/policy/modules/contrib/certwatch.te
index 403af41..171fafb 100644
--- a/policy/modules/contrib/certwatch.te
+++ b/policy/modules/contrib/certwatch.te
@@ -1,4 +1,4 @@
-policy_module(certwatch, 1.7.2)
+policy_module(certwatch, 1.8.0)
########################################
#
diff --git a/policy/modules/contrib/cfengine.te b/policy/modules/contrib/cfengine.te
index 8af5bbe..fbe3ad9 100644
--- a/policy/modules/contrib/cfengine.te
+++ b/policy/modules/contrib/cfengine.te
@@ -1,4 +1,4 @@
-policy_module(cfengine, 1.0.2)
+policy_module(cfengine, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/cgroup.te b/policy/modules/contrib/cgroup.te
index fdee107..80a88a2 100644
--- a/policy/modules/contrib/cgroup.te
+++ b/policy/modules/contrib/cgroup.te
@@ -1,4 +1,4 @@
-policy_module(cgroup, 1.1.3)
+policy_module(cgroup, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/chronyd.te b/policy/modules/contrib/chronyd.te
index 914ee2d..e5b621c 100644
--- a/policy/modules/contrib/chronyd.te
+++ b/policy/modules/contrib/chronyd.te
@@ -1,4 +1,4 @@
-policy_module(chronyd, 1.1.4)
+policy_module(chronyd, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/cipe.te b/policy/modules/contrib/cipe.te
index 28c8475..a0aa693 100644
--- a/policy/modules/contrib/cipe.te
+++ b/policy/modules/contrib/cipe.te
@@ -1,4 +1,4 @@
-policy_module(cipe, 1.5.1)
+policy_module(cipe, 1.6.0)
########################################
#
diff --git a/policy/modules/contrib/clamav.te b/policy/modules/contrib/clamav.te
index 8e1fef9..ce3836a 100644
--- a/policy/modules/contrib/clamav.te
+++ b/policy/modules/contrib/clamav.te
@@ -1,4 +1,4 @@
-policy_module(clamav, 1.10.6)
+policy_module(clamav, 1.11.0)
## <desc>
## <p>
diff --git a/policy/modules/contrib/clockspeed.te b/policy/modules/contrib/clockspeed.te
index b59c592..d3e2a67 100644
--- a/policy/modules/contrib/clockspeed.te
+++ b/policy/modules/contrib/clockspeed.te
@@ -1,4 +1,4 @@
-policy_module(clockspeed, 1.5.1)
+policy_module(clockspeed, 1.6.0)
########################################
#
diff --git a/policy/modules/contrib/clogd.te b/policy/modules/contrib/clogd.te
index 29782b8..4a5b3d1 100644
--- a/policy/modules/contrib/clogd.te
+++ b/policy/modules/contrib/clogd.te
@@ -1,4 +1,4 @@
-policy_module(clogd, 1.0.1)
+policy_module(clogd, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/cmirrord.te b/policy/modules/contrib/cmirrord.te
index d8e9958..bbdd396 100644
--- a/policy/modules/contrib/cmirrord.te
+++ b/policy/modules/contrib/cmirrord.te
@@ -1,4 +1,4 @@
-policy_module(cmirrord, 1.0.1)
+policy_module(cmirrord, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/cobbler.te b/policy/modules/contrib/cobbler.te
index 2a71346..5f306dd 100644
--- a/policy/modules/contrib/cobbler.te
+++ b/policy/modules/contrib/cobbler.te
@@ -1,4 +1,4 @@
-policy_module(cobbler, 1.1.4)
+policy_module(cobbler, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/colord.te b/policy/modules/contrib/colord.te
index 09f18e2..112600a 100644
--- a/policy/modules/contrib/colord.te
+++ b/policy/modules/contrib/colord.te
@@ -1,4 +1,4 @@
-policy_module(colord, 1.0.2)
+policy_module(colord, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/comsat.te b/policy/modules/contrib/comsat.te
index 3f6e4dc..c63cf85 100644
--- a/policy/modules/contrib/comsat.te
+++ b/policy/modules/contrib/comsat.te
@@ -1,4 +1,4 @@
-policy_module(comsat, 1.7.1)
+policy_module(comsat, 1.8.0)
########################################
#
diff --git a/policy/modules/contrib/consolekit.te b/policy/modules/contrib/consolekit.te
index 826e525..bd18063 100644
--- a/policy/modules/contrib/consolekit.te
+++ b/policy/modules/contrib/consolekit.te
@@ -1,4 +1,4 @@
-policy_module(consolekit, 1.8.6)
+policy_module(consolekit, 1.9.0)
########################################
#
diff --git a/policy/modules/contrib/corosync.te b/policy/modules/contrib/corosync.te
index eeea48d..d5aa1e4 100644
--- a/policy/modules/contrib/corosync.te
+++ b/policy/modules/contrib/corosync.te
@@ -1,4 +1,4 @@
-policy_module(corosync, 1.0.7)
+policy_module(corosync, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/couchdb.te b/policy/modules/contrib/couchdb.te
index 503adab..3f824d6 100644
--- a/policy/modules/contrib/couchdb.te
+++ b/policy/modules/contrib/couchdb.te
@@ -1,4 +1,4 @@
-policy_module(couchdb, 1.0.2)
+policy_module(couchdb, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/courier.te b/policy/modules/contrib/courier.te
index ac64d3c..9bd64f5 100644
--- a/policy/modules/contrib/courier.te
+++ b/policy/modules/contrib/courier.te
@@ -1,4 +1,4 @@
-policy_module(courier, 1.13.3)
+policy_module(courier, 1.14.0)
########################################
#
diff --git a/policy/modules/contrib/cpucontrol.te b/policy/modules/contrib/cpucontrol.te
index 2f1aad6..af72c4e 100644
--- a/policy/modules/contrib/cpucontrol.te
+++ b/policy/modules/contrib/cpucontrol.te
@@ -1,4 +1,4 @@
-policy_module(cpucontrol, 1.3.2)
+policy_module(cpucontrol, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/cpufreqselector.te b/policy/modules/contrib/cpufreqselector.te
index a3bbc21..6cedb87 100644
--- a/policy/modules/contrib/cpufreqselector.te
+++ b/policy/modules/contrib/cpufreqselector.te
@@ -1,4 +1,4 @@
-policy_module(cpufreqselector, 1.3.1)
+policy_module(cpufreqselector, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te
index 5c44679..d865049 100644
--- a/policy/modules/contrib/cron.te
+++ b/policy/modules/contrib/cron.te
@@ -1,4 +1,4 @@
-policy_module(cron, 2.5.11)
+policy_module(cron, 2.6.0)
gen_require(`
class passwd rootok;
diff --git a/policy/modules/contrib/ctdb.te b/policy/modules/contrib/ctdb.te
index 6ce66e7..001b502 100644
--- a/policy/modules/contrib/ctdb.te
+++ b/policy/modules/contrib/ctdb.te
@@ -1,4 +1,4 @@
-policy_module(ctdb, 1.0.3)
+policy_module(ctdb, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te
index 9f34c2e..0de93d6 100644
--- a/policy/modules/contrib/cups.te
+++ b/policy/modules/contrib/cups.te
@@ -1,4 +1,4 @@
-policy_module(cups, 1.15.9)
+policy_module(cups, 1.16.0)
########################################
#
diff --git a/policy/modules/contrib/cvs.te b/policy/modules/contrib/cvs.te
index 53fc3af..6c544e5 100644
--- a/policy/modules/contrib/cvs.te
+++ b/policy/modules/contrib/cvs.te
@@ -1,4 +1,4 @@
-policy_module(cvs, 1.9.1)
+policy_module(cvs, 1.10.0)
########################################
#
diff --git a/policy/modules/contrib/cyphesis.te b/policy/modules/contrib/cyphesis.te
index 916427f..77ffc73 100644
--- a/policy/modules/contrib/cyphesis.te
+++ b/policy/modules/contrib/cyphesis.te
@@ -1,4 +1,4 @@
-policy_module(cyphesis, 1.2.2)
+policy_module(cyphesis, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/cyrus.te b/policy/modules/contrib/cyrus.te
index 395f97c..0cef3ef 100644
--- a/policy/modules/contrib/cyrus.te
+++ b/policy/modules/contrib/cyrus.te
@@ -1,4 +1,4 @@
-policy_module(cyrus, 1.12.2)
+policy_module(cyrus, 1.13.0)
########################################
#
diff --git a/policy/modules/contrib/daemontools.te b/policy/modules/contrib/daemontools.te
index 0165962..ee1b4aa 100644
--- a/policy/modules/contrib/daemontools.te
+++ b/policy/modules/contrib/daemontools.te
@@ -1,4 +1,4 @@
-policy_module(daemontools, 1.2.1)
+policy_module(daemontools, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/dante.te b/policy/modules/contrib/dante.te
index 98a2d6a..5a5e290 100644
--- a/policy/modules/contrib/dante.te
+++ b/policy/modules/contrib/dante.te
@@ -1,4 +1,4 @@
-policy_module(dante, 1.8.2)
+policy_module(dante, 1.9.0)
########################################
#
diff --git a/policy/modules/contrib/dbadm.te b/policy/modules/contrib/dbadm.te
index a67870a..b60c464 100644
--- a/policy/modules/contrib/dbadm.te
+++ b/policy/modules/contrib/dbadm.te
@@ -1,4 +1,4 @@
-policy_module(dbadm, 1.0.1)
+policy_module(dbadm, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/dbskk.te b/policy/modules/contrib/dbskk.te
index 188e2e6..f55c420 100644
--- a/policy/modules/contrib/dbskk.te
+++ b/policy/modules/contrib/dbskk.te
@@ -1,4 +1,4 @@
-policy_module(dbskk, 1.5.1)
+policy_module(dbskk, 1.6.0)
########################################
#
diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index 41b999f..dda231b 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -1,4 +1,4 @@
-policy_module(dbus, 1.18.9)
+policy_module(dbus, 1.19.0)
gen_require(`
class dbus all_dbus_perms;
diff --git a/policy/modules/contrib/dcc.te b/policy/modules/contrib/dcc.te
index 15d908f..353fa4a 100644
--- a/policy/modules/contrib/dcc.te
+++ b/policy/modules/contrib/dcc.te
@@ -1,4 +1,4 @@
-policy_module(dcc, 1.11.1)
+policy_module(dcc, 1.12.0)
########################################
#
diff --git a/policy/modules/contrib/ddclient.te b/policy/modules/contrib/ddclient.te
index 0b4b8b9..a4caa1b 100644
--- a/policy/modules/contrib/ddclient.te
+++ b/policy/modules/contrib/ddclient.te
@@ -1,4 +1,4 @@
-policy_module(ddclient, 1.9.2)
+policy_module(ddclient, 1.10.0)
########################################
#
diff --git a/policy/modules/contrib/ddcprobe.te b/policy/modules/contrib/ddcprobe.te
index ceb9bf4..8fa4bb9 100644
--- a/policy/modules/contrib/ddcprobe.te
+++ b/policy/modules/contrib/ddcprobe.te
@@ -1,4 +1,4 @@
-policy_module(ddcprobe, 1.2.1)
+policy_module(ddcprobe, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/denyhosts.te b/policy/modules/contrib/denyhosts.te
index bcb9770..583a527 100644
--- a/policy/modules/contrib/denyhosts.te
+++ b/policy/modules/contrib/denyhosts.te
@@ -1,4 +1,4 @@
-policy_module(denyhosts, 1.0.2)
+policy_module(denyhosts, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/devicekit.te b/policy/modules/contrib/devicekit.te
index ff933af..0e6fbcd 100644
--- a/policy/modules/contrib/devicekit.te
+++ b/policy/modules/contrib/devicekit.te
@@ -1,4 +1,4 @@
-policy_module(devicekit, 1.2.1)
+policy_module(devicekit, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/dhcp.te b/policy/modules/contrib/dhcp.te
index c93c3db..98a24b9 100644
--- a/policy/modules/contrib/dhcp.te
+++ b/policy/modules/contrib/dhcp.te
@@ -1,4 +1,4 @@
-policy_module(dhcp, 1.10.1)
+policy_module(dhcp, 1.11.0)
########################################
#
diff --git a/policy/modules/contrib/dictd.te b/policy/modules/contrib/dictd.te
index fd4a602..433d3c5 100644
--- a/policy/modules/contrib/dictd.te
+++ b/policy/modules/contrib/dictd.te
@@ -1,4 +1,4 @@
-policy_module(dictd, 1.7.1)
+policy_module(dictd, 1.8.0)
########################################
#
diff --git a/policy/modules/contrib/distcc.te b/policy/modules/contrib/distcc.te
index b441a4d..898b2f4 100644
--- a/policy/modules/contrib/distcc.te
+++ b/policy/modules/contrib/distcc.te
@@ -1,4 +1,4 @@
-policy_module(distcc, 1.8.2)
+policy_module(distcc, 1.9.0)
########################################
#
diff --git a/policy/modules/contrib/djbdns.te b/policy/modules/contrib/djbdns.te
index 463d290..87ca536 100644
--- a/policy/modules/contrib/djbdns.te
+++ b/policy/modules/contrib/djbdns.te
@@ -1,4 +1,4 @@
-policy_module(djbdns, 1.5.3)
+policy_module(djbdns, 1.6.0)
########################################
#
diff --git a/policy/modules/contrib/dkim.te b/policy/modules/contrib/dkim.te
index 0d2eb21..1c3545d 100644
--- a/policy/modules/contrib/dkim.te
+++ b/policy/modules/contrib/dkim.te
@@ -1,4 +1,4 @@
-policy_module(dkim, 1.1.3)
+policy_module(dkim, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/dmidecode.te b/policy/modules/contrib/dmidecode.te
index 7f30dce..3e34d4f 100644
--- a/policy/modules/contrib/dmidecode.te
+++ b/policy/modules/contrib/dmidecode.te
@@ -1,4 +1,4 @@
-policy_module(dmidecode, 1.4.1)
+policy_module(dmidecode, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/dnsmasq.te b/policy/modules/contrib/dnsmasq.te
index ba14bcf..37a3b7b 100644
--- a/policy/modules/contrib/dnsmasq.te
+++ b/policy/modules/contrib/dnsmasq.te
@@ -1,4 +1,4 @@
-policy_module(dnsmasq, 1.9.3)
+policy_module(dnsmasq, 1.10.0)
########################################
#
diff --git a/policy/modules/contrib/dnssectrigger.te b/policy/modules/contrib/dnssectrigger.te
index ef36d73..c7bb4e7 100644
--- a/policy/modules/contrib/dnssectrigger.te
+++ b/policy/modules/contrib/dnssectrigger.te
@@ -1,4 +1,4 @@
-policy_module(dnssectrigger, 1.0.1)
+policy_module(dnssectrigger, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/dovecot.te b/policy/modules/contrib/dovecot.te
index a7bfaf0..3a6e733 100644
--- a/policy/modules/contrib/dovecot.te
+++ b/policy/modules/contrib/dovecot.te
@@ -1,4 +1,4 @@
-policy_module(dovecot, 1.15.6)
+policy_module(dovecot, 1.16.0)
########################################
#
diff --git a/policy/modules/contrib/drbd.te b/policy/modules/contrib/drbd.te
index 8e5ee54..f2516cc 100644
--- a/policy/modules/contrib/drbd.te
+++ b/policy/modules/contrib/drbd.te
@@ -1,4 +1,4 @@
-policy_module(drbd, 1.0.1)
+policy_module(drbd, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/dspam.te b/policy/modules/contrib/dspam.te
index 266cb8f..ef62363 100644
--- a/policy/modules/contrib/dspam.te
+++ b/policy/modules/contrib/dspam.te
@@ -1,4 +1,4 @@
-policy_module(dspam, 1.0.5)
+policy_module(dspam, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/entropyd.te b/policy/modules/contrib/entropyd.te
index a0da189..b8b8328 100644
--- a/policy/modules/contrib/entropyd.te
+++ b/policy/modules/contrib/entropyd.te
@@ -1,4 +1,4 @@
-policy_module(entropyd, 1.7.2)
+policy_module(entropyd, 1.8.0)
########################################
#
diff --git a/policy/modules/contrib/evolution.te b/policy/modules/contrib/evolution.te
index 94fb625..c99e07c 100644
--- a/policy/modules/contrib/evolution.te
+++ b/policy/modules/contrib/evolution.te
@@ -1,4 +1,4 @@
-policy_module(evolution, 2.3.7)
+policy_module(evolution, 2.4.0)
########################################
#
diff --git a/policy/modules/contrib/exim.te b/policy/modules/contrib/exim.te
index 19325ce..c9c04ee 100644
--- a/policy/modules/contrib/exim.te
+++ b/policy/modules/contrib/exim.te
@@ -1,4 +1,4 @@
-policy_module(exim, 1.5.4)
+policy_module(exim, 1.6.0)
########################################
#
diff --git a/policy/modules/contrib/fail2ban.te b/policy/modules/contrib/fail2ban.te
index ed55dd0..49d0370 100644
--- a/policy/modules/contrib/fail2ban.te
+++ b/policy/modules/contrib/fail2ban.te
@@ -1,4 +1,4 @@
-policy_module(fail2ban, 1.4.10)
+policy_module(fail2ban, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/fcoe.te b/policy/modules/contrib/fcoe.te
index 79b9273..ce358fb 100644
--- a/policy/modules/contrib/fcoe.te
+++ b/policy/modules/contrib/fcoe.te
@@ -1,4 +1,4 @@
-policy_module(fcoe, 1.0.1)
+policy_module(fcoe, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/fetchmail.te b/policy/modules/contrib/fetchmail.te
index f0388cb..cf9e861 100644
--- a/policy/modules/contrib/fetchmail.te
+++ b/policy/modules/contrib/fetchmail.te
@@ -1,4 +1,4 @@
-policy_module(fetchmail, 1.12.2)
+policy_module(fetchmail, 1.13.0)
########################################
#
diff --git a/policy/modules/contrib/finger.te b/policy/modules/contrib/finger.te
index af4b6d7..35da09d 100644
--- a/policy/modules/contrib/finger.te
+++ b/policy/modules/contrib/finger.te
@@ -1,4 +1,4 @@
-policy_module(finger, 1.9.1)
+policy_module(finger, 1.10.0)
########################################
#
diff --git a/policy/modules/contrib/firewalld.te b/policy/modules/contrib/firewalld.te
index c8014f8..cad4721 100644
--- a/policy/modules/contrib/firewalld.te
+++ b/policy/modules/contrib/firewalld.te
@@ -1,4 +1,4 @@
-policy_module(firewalld, 1.0.6)
+policy_module(firewalld, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/firewallgui.te b/policy/modules/contrib/firewallgui.te
index c5ceab1..2094546 100644
--- a/policy/modules/contrib/firewallgui.te
+++ b/policy/modules/contrib/firewallgui.te
@@ -1,4 +1,4 @@
-policy_module(firewallgui, 1.0.1)
+policy_module(firewallgui, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/firstboot.te b/policy/modules/contrib/firstboot.te
index c12c067..5010f04 100644
--- a/policy/modules/contrib/firstboot.te
+++ b/policy/modules/contrib/firstboot.te
@@ -1,4 +1,4 @@
-policy_module(firstboot, 1.12.3)
+policy_module(firstboot, 1.13.0)
gen_require(`
class passwd { passwd chfn chsh rootok };
diff --git a/policy/modules/contrib/fprintd.te b/policy/modules/contrib/fprintd.te
index c81b6e8..92a6479 100644
--- a/policy/modules/contrib/fprintd.te
+++ b/policy/modules/contrib/fprintd.te
@@ -1,4 +1,4 @@
-policy_module(fprintd, 1.1.1)
+policy_module(fprintd, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/ftp.te b/policy/modules/contrib/ftp.te
index e50f33c..544c512 100644
--- a/policy/modules/contrib/ftp.te
+++ b/policy/modules/contrib/ftp.te
@@ -1,4 +1,4 @@
-policy_module(ftp, 1.14.1)
+policy_module(ftp, 1.15.0)
########################################
#
diff --git a/policy/modules/contrib/games.te b/policy/modules/contrib/games.te
index 572fb12..e5b15fb 100644
--- a/policy/modules/contrib/games.te
+++ b/policy/modules/contrib/games.te
@@ -1,4 +1,4 @@
-policy_module(games, 2.2.4)
+policy_module(games, 2.3.0)
########################################
#
diff --git a/policy/modules/contrib/gatekeeper.te b/policy/modules/contrib/gatekeeper.te
index fc3b036..2820368 100644
--- a/policy/modules/contrib/gatekeeper.te
+++ b/policy/modules/contrib/gatekeeper.te
@@ -1,4 +1,4 @@
-policy_module(gatekeeper, 1.7.1)
+policy_module(gatekeeper, 1.8.0)
########################################
#
diff --git a/policy/modules/contrib/gift.te b/policy/modules/contrib/gift.te
index 395238e..8a820fa 100644
--- a/policy/modules/contrib/gift.te
+++ b/policy/modules/contrib/gift.te
@@ -1,4 +1,4 @@
-policy_module(gift, 2.3.4)
+policy_module(gift, 2.4.0)
########################################
#
diff --git a/policy/modules/contrib/git.te b/policy/modules/contrib/git.te
index 93b0301..b634c79 100644
--- a/policy/modules/contrib/git.te
+++ b/policy/modules/contrib/git.te
@@ -1,4 +1,4 @@
-policy_module(git, 1.2.3)
+policy_module(git, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/gitosis.te b/policy/modules/contrib/gitosis.te
index 3194b76..582db0a 100644
--- a/policy/modules/contrib/gitosis.te
+++ b/policy/modules/contrib/gitosis.te
@@ -1,4 +1,4 @@
-policy_module(gitosis, 1.3.2)
+policy_module(gitosis, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/glance.te b/policy/modules/contrib/glance.te
index e0a4f46..5cd0909 100644
--- a/policy/modules/contrib/glance.te
+++ b/policy/modules/contrib/glance.te
@@ -1,4 +1,4 @@
-policy_module(glance, 1.0.2)
+policy_module(glance, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/glusterfs.te b/policy/modules/contrib/glusterfs.te
index fd02acc..868895a 100644
--- a/policy/modules/contrib/glusterfs.te
+++ b/policy/modules/contrib/glusterfs.te
@@ -1,4 +1,4 @@
-policy_module(glusterfs, 1.0.1)
+policy_module(glusterfs, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te
index e97cee3..37970df 100644
--- a/policy/modules/contrib/gnome.te
+++ b/policy/modules/contrib/gnome.te
@@ -1,4 +1,4 @@
-policy_module(gnome, 2.2.5)
+policy_module(gnome, 2.3.0)
##############################
#
diff --git a/policy/modules/contrib/gnomeclock.te b/policy/modules/contrib/gnomeclock.te
index 0a82cf2..7cd7435 100644
--- a/policy/modules/contrib/gnomeclock.te
+++ b/policy/modules/contrib/gnomeclock.te
@@ -1,4 +1,4 @@
-policy_module(gnomeclock, 1.0.6)
+policy_module(gnomeclock, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index e142370..cc6522b 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -1,4 +1,4 @@
-policy_module(gpg, 2.7.3)
+policy_module(gpg, 2.8.0)
########################################
#
diff --git a/policy/modules/contrib/gpm.te b/policy/modules/contrib/gpm.te
index 3226f52..69734fd 100644
--- a/policy/modules/contrib/gpm.te
+++ b/policy/modules/contrib/gpm.te
@@ -1,4 +1,4 @@
-policy_module(gpm, 1.8.2)
+policy_module(gpm, 1.9.0)
########################################
#
diff --git a/policy/modules/contrib/gpsd.te b/policy/modules/contrib/gpsd.te
index 25f09ae..fe3895e 100644
--- a/policy/modules/contrib/gpsd.te
+++ b/policy/modules/contrib/gpsd.te
@@ -1,4 +1,4 @@
-policy_module(gpsd, 1.1.1)
+policy_module(gpsd, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/guest.te b/policy/modules/contrib/guest.te
index d928711..19cdbe1 100644
--- a/policy/modules/contrib/guest.te
+++ b/policy/modules/contrib/guest.te
@@ -1,4 +1,4 @@
-policy_module(guest, 1.2.1)
+policy_module(guest, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/hadoop.te b/policy/modules/contrib/hadoop.te
index e62bcb7..e151378 100644
--- a/policy/modules/contrib/hadoop.te
+++ b/policy/modules/contrib/hadoop.te
@@ -1,4 +1,4 @@
-policy_module(hadoop, 1.2.5)
+policy_module(hadoop, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/hal.te b/policy/modules/contrib/hal.te
index 0801fe1..bbccc79 100644
--- a/policy/modules/contrib/hal.te
+++ b/policy/modules/contrib/hal.te
@@ -1,4 +1,4 @@
-policy_module(hal, 1.14.5)
+policy_module(hal, 1.15.0)
########################################
#
diff --git a/policy/modules/contrib/hddtemp.te b/policy/modules/contrib/hddtemp.te
index 18d76bb..9e11b98 100644
--- a/policy/modules/contrib/hddtemp.te
+++ b/policy/modules/contrib/hddtemp.te
@@ -1,4 +1,4 @@
-policy_module(hddtemp, 1.1.1)
+policy_module(hddtemp, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/howl.te b/policy/modules/contrib/howl.te
index e207823..b9e60ec 100644
--- a/policy/modules/contrib/howl.te
+++ b/policy/modules/contrib/howl.te
@@ -1,4 +1,4 @@
-policy_module(howl, 1.9.1)
+policy_module(howl, 1.10.0)
########################################
#
diff --git a/policy/modules/contrib/i18n_input.te b/policy/modules/contrib/i18n_input.te
index 3bed8fa..369a056 100644
--- a/policy/modules/contrib/i18n_input.te
+++ b/policy/modules/contrib/i18n_input.te
@@ -1,4 +1,4 @@
-policy_module(i18n_input, 1.8.1)
+policy_module(i18n_input, 1.9.0)
########################################
#
diff --git a/policy/modules/contrib/icecast.te b/policy/modules/contrib/icecast.te
index ac6f9d5..a9e573a 100644
--- a/policy/modules/contrib/icecast.te
+++ b/policy/modules/contrib/icecast.te
@@ -1,4 +1,4 @@
-policy_module(icecast, 1.1.1)
+policy_module(icecast, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/ifplugd.te b/policy/modules/contrib/ifplugd.te
index 6910e49..b0546b4 100644
--- a/policy/modules/contrib/ifplugd.te
+++ b/policy/modules/contrib/ifplugd.te
@@ -1,4 +1,4 @@
-policy_module(ifplugd, 1.0.1)
+policy_module(ifplugd, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/imaze.te b/policy/modules/contrib/imaze.te
index 05387d1..1eb24d8 100644
--- a/policy/modules/contrib/imaze.te
+++ b/policy/modules/contrib/imaze.te
@@ -1,4 +1,4 @@
-policy_module(imaze, 1.7.1)
+policy_module(imaze, 1.8.0)
########################################
#
diff --git a/policy/modules/contrib/inetd.te b/policy/modules/contrib/inetd.te
index 1a5ed62..c6450df 100644
--- a/policy/modules/contrib/inetd.te
+++ b/policy/modules/contrib/inetd.te
@@ -1,4 +1,4 @@
-policy_module(inetd, 1.12.2)
+policy_module(inetd, 1.13.0)
########################################
#
diff --git a/policy/modules/contrib/inn.te b/policy/modules/contrib/inn.te
index 56404c5..ae64957 100644
--- a/policy/modules/contrib/inn.te
+++ b/policy/modules/contrib/inn.te
@@ -1,4 +1,4 @@
-policy_module(inn, 1.10.3)
+policy_module(inn, 1.11.0)
########################################
#
diff --git a/policy/modules/contrib/iodine.te b/policy/modules/contrib/iodine.te
index 94ec5f8..d443fee 100644
--- a/policy/modules/contrib/iodine.te
+++ b/policy/modules/contrib/iodine.te
@@ -1,4 +1,4 @@
-policy_module(iodine, 1.0.2)
+policy_module(iodine, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/irc.te b/policy/modules/contrib/irc.te
index 7a977d8..eec4a2c 100644
--- a/policy/modules/contrib/irc.te
+++ b/policy/modules/contrib/irc.te
@@ -1,4 +1,4 @@
-policy_module(irc, 2.2.4)
+policy_module(irc, 2.3.0)
########################################
#
diff --git a/policy/modules/contrib/ircd.te b/policy/modules/contrib/ircd.te
index e9f746e..efaf4b1 100644
--- a/policy/modules/contrib/ircd.te
+++ b/policy/modules/contrib/ircd.te
@@ -1,4 +1,4 @@
-policy_module(ircd, 1.7.1)
+policy_module(ircd, 1.8.0)
########################################
#
diff --git a/policy/modules/contrib/irqbalance.te b/policy/modules/contrib/irqbalance.te
index c5a8112..c09b2c1 100644
--- a/policy/modules/contrib/irqbalance.te
+++ b/policy/modules/contrib/irqbalance.te
@@ -1,4 +1,4 @@
-policy_module(irqbalance, 1.5.1)
+policy_module(irqbalance, 1.6.0)
########################################
#
diff --git a/policy/modules/contrib/iscsi.te b/policy/modules/contrib/iscsi.te
index 57304e4..ca020fa 100644
--- a/policy/modules/contrib/iscsi.te
+++ b/policy/modules/contrib/iscsi.te
@@ -1,4 +1,4 @@
-policy_module(iscsi, 1.8.2)
+policy_module(iscsi, 1.9.0)
########################################
#
diff --git a/policy/modules/contrib/jabber.te b/policy/modules/contrib/jabber.te
index bb12c90..af67c36 100644
--- a/policy/modules/contrib/jabber.te
+++ b/policy/modules/contrib/jabber.te
@@ -1,4 +1,4 @@
-policy_module(jabber, 1.9.1)
+policy_module(jabber, 1.10.0)
########################################
#
diff --git a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te
index 5828d93..d131c8b 100644
--- a/policy/modules/contrib/java.te
+++ b/policy/modules/contrib/java.te
@@ -1,4 +1,4 @@
-policy_module(java, 2.6.3)
+policy_module(java, 2.7.0)
########################################
#
diff --git a/policy/modules/contrib/kdump.te b/policy/modules/contrib/kdump.te
index 70f3007..715fc21 100644
--- a/policy/modules/contrib/kdump.te
+++ b/policy/modules/contrib/kdump.te
@@ -1,4 +1,4 @@
-policy_module(kdump, 1.2.3)
+policy_module(kdump, 1.3.0)
#######################################
#
diff --git a/policy/modules/contrib/kdumpgui.te b/policy/modules/contrib/kdumpgui.te
index e7f5c81..2990962 100644
--- a/policy/modules/contrib/kdumpgui.te
+++ b/policy/modules/contrib/kdumpgui.te
@@ -1,4 +1,4 @@
-policy_module(kdumpgui, 1.1.4)
+policy_module(kdumpgui, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/kerberos.te b/policy/modules/contrib/kerberos.te
index 3465a9a..8833d59 100644
--- a/policy/modules/contrib/kerberos.te
+++ b/policy/modules/contrib/kerberos.te
@@ -1,4 +1,4 @@
-policy_module(kerberos, 1.11.7)
+policy_module(kerberos, 1.12.0)
########################################
#
diff --git a/policy/modules/contrib/kerneloops.te b/policy/modules/contrib/kerneloops.te
index 1101985..bcdb295 100644
--- a/policy/modules/contrib/kerneloops.te
+++ b/policy/modules/contrib/kerneloops.te
@@ -1,4 +1,4 @@
-policy_module(kerneloops, 1.4.1)
+policy_module(kerneloops, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/keyboardd.te b/policy/modules/contrib/keyboardd.te
index adfe3dc..628b78b 100644
--- a/policy/modules/contrib/keyboardd.te
+++ b/policy/modules/contrib/keyboardd.te
@@ -1,4 +1,4 @@
-policy_module(keyboardd, 1.0.1)
+policy_module(keyboardd, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/keystone.te b/policy/modules/contrib/keystone.te
index 3494d9b..9929647 100644
--- a/policy/modules/contrib/keystone.te
+++ b/policy/modules/contrib/keystone.te
@@ -1,4 +1,4 @@
-policy_module(keystone, 1.0.1)
+policy_module(keystone, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/kismet.te b/policy/modules/contrib/kismet.te
index ea64ed5..8ad0d4d 100644
--- a/policy/modules/contrib/kismet.te
+++ b/policy/modules/contrib/kismet.te
@@ -1,4 +1,4 @@
-policy_module(kismet, 1.6.1)
+policy_module(kismet, 1.7.0)
########################################
#
diff --git a/policy/modules/contrib/ksmtuned.te b/policy/modules/contrib/ksmtuned.te
index c1539b5..f01e13e 100644
--- a/policy/modules/contrib/ksmtuned.te
+++ b/policy/modules/contrib/ksmtuned.te
@@ -1,4 +1,4 @@
-policy_module(ksmtuned, 1.0.1)
+policy_module(ksmtuned, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/ktalk.te b/policy/modules/contrib/ktalk.te
index 2cf3815..b8e590e 100644
--- a/policy/modules/contrib/ktalk.te
+++ b/policy/modules/contrib/ktalk.te
@@ -1,4 +1,4 @@
-policy_module(ktalk, 1.8.1)
+policy_module(ktalk, 1.9.0)
########################################
#
diff --git a/policy/modules/contrib/kudzu.te b/policy/modules/contrib/kudzu.te
index 9725f1a..1664036 100644
--- a/policy/modules/contrib/kudzu.te
+++ b/policy/modules/contrib/kudzu.te
@@ -1,4 +1,4 @@
-policy_module(kudzu, 1.8.2)
+policy_module(kudzu, 1.9.0)
########################################
#
diff --git a/policy/modules/contrib/l2tp.te b/policy/modules/contrib/l2tp.te
index 19f2b97..bb06a7f 100644
--- a/policy/modules/contrib/l2tp.te
+++ b/policy/modules/contrib/l2tp.te
@@ -1,4 +1,4 @@
-policy_module(l2tp, 1.0.5)
+policy_module(l2tp, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/ldap.te b/policy/modules/contrib/ldap.te
index 62274d9..71b00f8 100644
--- a/policy/modules/contrib/ldap.te
+++ b/policy/modules/contrib/ldap.te
@@ -1,4 +1,4 @@
-policy_module(ldap, 1.10.3)
+policy_module(ldap, 1.11.0)
########################################
#
diff --git a/policy/modules/contrib/lightsquid.te b/policy/modules/contrib/lightsquid.te
index 40a2607..09c4f27 100644
--- a/policy/modules/contrib/lightsquid.te
+++ b/policy/modules/contrib/lightsquid.te
@@ -1,4 +1,4 @@
-policy_module(lightsquid, 1.0.2)
+policy_module(lightsquid, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/likewise.te b/policy/modules/contrib/likewise.te
index 408fbe3..d8c2442 100644
--- a/policy/modules/contrib/likewise.te
+++ b/policy/modules/contrib/likewise.te
@@ -1,4 +1,4 @@
-policy_module(likewise, 1.2.1)
+policy_module(likewise, 1.3.0)
#################################
#
diff --git a/policy/modules/contrib/lircd.te b/policy/modules/contrib/lircd.te
index 98b5405..483c87b 100644
--- a/policy/modules/contrib/lircd.te
+++ b/policy/modules/contrib/lircd.te
@@ -1,4 +1,4 @@
-policy_module(lircd, 1.1.2)
+policy_module(lircd, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/livecd.te b/policy/modules/contrib/livecd.te
index 33f64b5..2f974bf 100644
--- a/policy/modules/contrib/livecd.te
+++ b/policy/modules/contrib/livecd.te
@@ -1,4 +1,4 @@
-policy_module(livecd, 1.2.1)
+policy_module(livecd, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/lldpad.te b/policy/modules/contrib/lldpad.te
index 648def0..2a491d9 100644
--- a/policy/modules/contrib/lldpad.te
+++ b/policy/modules/contrib/lldpad.te
@@ -1,4 +1,4 @@
-policy_module(lldpad, 1.0.1)
+policy_module(lldpad, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/loadkeys.te b/policy/modules/contrib/loadkeys.te
index 6cbb977..d2f4643 100644
--- a/policy/modules/contrib/loadkeys.te
+++ b/policy/modules/contrib/loadkeys.te
@@ -1,4 +1,4 @@
-policy_module(loadkeys, 1.8.1)
+policy_module(loadkeys, 1.9.0)
########################################
#
diff --git a/policy/modules/contrib/lockdev.te b/policy/modules/contrib/lockdev.te
index db87831..61db5a0 100644
--- a/policy/modules/contrib/lockdev.te
+++ b/policy/modules/contrib/lockdev.te
@@ -1,4 +1,4 @@
-policy_module(lockdev, 1.4.1)
+policy_module(lockdev, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/logrotate.te b/policy/modules/contrib/logrotate.te
index 7bab8e5..739fb6d 100644
--- a/policy/modules/contrib/logrotate.te
+++ b/policy/modules/contrib/logrotate.te
@@ -1,4 +1,4 @@
-policy_module(logrotate, 1.14.5)
+policy_module(logrotate, 1.15.0)
########################################
#
diff --git a/policy/modules/contrib/logwatch.te b/policy/modules/contrib/logwatch.te
index 4256a4c..e9bfaca 100644
--- a/policy/modules/contrib/logwatch.te
+++ b/policy/modules/contrib/logwatch.te
@@ -1,4 +1,4 @@
-policy_module(logwatch, 1.11.6)
+policy_module(logwatch, 1.12.0)
#################################
#
diff --git a/policy/modules/contrib/lpd.te b/policy/modules/contrib/lpd.te
index b9270f7..39d3164 100644
--- a/policy/modules/contrib/lpd.te
+++ b/policy/modules/contrib/lpd.te
@@ -1,4 +1,4 @@
-policy_module(lpd, 1.13.5)
+policy_module(lpd, 1.14.0)
########################################
#
diff --git a/policy/modules/contrib/mailman.te b/policy/modules/contrib/mailman.te
index 8eaf51b..ac81c7f 100644
--- a/policy/modules/contrib/mailman.te
+++ b/policy/modules/contrib/mailman.te
@@ -1,4 +1,4 @@
-policy_module(mailman, 1.9.4)
+policy_module(mailman, 1.10.0)
########################################
#
diff --git a/policy/modules/contrib/mailscanner.te b/policy/modules/contrib/mailscanner.te
index 725ba32..6b6e2e1 100644
--- a/policy/modules/contrib/mailscanner.te
+++ b/policy/modules/contrib/mailscanner.te
@@ -1,4 +1,4 @@
-policy_module(mailscanner, 1.0.2)
+policy_module(mailscanner, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/mandb.te b/policy/modules/contrib/mandb.te
index 5a414e0..9e6239c 100644
--- a/policy/modules/contrib/mandb.te
+++ b/policy/modules/contrib/mandb.te
@@ -1,4 +1,4 @@
-policy_module(mandb, 1.0.3)
+policy_module(mandb, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/mcelog.te b/policy/modules/contrib/mcelog.te
index 383deb0..59b3b3d 100644
--- a/policy/modules/contrib/mcelog.te
+++ b/policy/modules/contrib/mcelog.te
@@ -1,4 +1,4 @@
-policy_module(mcelog, 1.1.4)
+policy_module(mcelog, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/memcached.te b/policy/modules/contrib/memcached.te
index 4926208..daf6334 100644
--- a/policy/modules/contrib/memcached.te
+++ b/policy/modules/contrib/memcached.te
@@ -1,4 +1,4 @@
-policy_module(memcached, 1.2.3)
+policy_module(memcached, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/milter.te b/policy/modules/contrib/milter.te
index 92508b2..4dc99f4 100644
--- a/policy/modules/contrib/milter.te
+++ b/policy/modules/contrib/milter.te
@@ -1,4 +1,4 @@
-policy_module(milter, 1.4.2)
+policy_module(milter, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/minidlna.fc b/policy/modules/contrib/minidlna.fc
new file mode 100644
index 0000000..05ad732
--- /dev/null
+++ b/policy/modules/contrib/minidlna.fc
@@ -0,0 +1,11 @@
+/etc/rc\.d/init\.d/minidlna -- gen_context(system_u:object_r:minidlna_initrc_exec_t,s0)
+
+/etc/minidlna\.conf -- gen_context(system_u:object_r:minidlna_etc_t,s0)
+
+/usr/sbin/minidlna -- gen_context(system_u:object_r:minidlna_exec_t,s0)
+
+/var/lib/minidlna(/.*)? gen_context(system_u:object_r:minidlna_db_t,s0)
+
+/var/log/minidlna\.log -- gen_context(system_u:object_r:minidlna_log_t,s0)
+
+/var/run/minidlna(/.*)? gen_context(system_u:object_r:minidlna_var_run_t,s0)
diff --git a/policy/modules/contrib/minidlna.if b/policy/modules/contrib/minidlna.if
new file mode 100644
index 0000000..d27f634
--- /dev/null
+++ b/policy/modules/contrib/minidlna.if
@@ -0,0 +1,64 @@
+## <summary>MiniDLNA server</summary>
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an minidlna environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`minidlna_admin',`
+ gen_require(`
+ type minidlna_t, minidlna_var_run_t, minidlna_initrc_exec_t;
+ type minidlna_etc_t, minidlna_log_t, minidlna_db_t;
+ ')
+
+ allow $1 minidlna_t:process { ptrace signal_perms };
+ ps_process_pattern($1, minidlna_t)
+
+ minidlna_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 minidlna_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_etc($1)
+ admin_pattern($1, minidlna_etc_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, minidlna_log_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, minidlna_db_t)
+
+ files_search_pids($1)
+ admin_pattern($1, minidlna_var_run_t)
+')
+
+########################################
+## <summary>
+## Execute minidlna init scripts in
+## the initrc domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`minidlna_initrc_domtrans',`
+ gen_require(`
+ type minidlna_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, minidlna_initrc_exec_t)
+')
diff --git a/policy/modules/contrib/minidlna.te b/policy/modules/contrib/minidlna.te
new file mode 100644
index 0000000..586d6cc
--- /dev/null
+++ b/policy/modules/contrib/minidlna.te
@@ -0,0 +1,126 @@
+policy_module(minidlna, 0.1)
+
+#############################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow minidlna to read generic user content
+## </p>
+## </desc>
+gen_tunable(minidlna_read_generic_user_content, false)
+
+## <desc>
+## <p>
+## Allow minidlna to read all user content
+## </p>
+## </desc>
+gen_tunable(minidlna_read_all_user_content, false)
+
+## <desc>
+## <p>
+## Allow minidlna to read xdg videos, pictures and music labeled files
+## </p>
+## </desc>
+gen_tunable(minidlna_read_xdg_media_content, false)
+
+type minidlna_t;
+type minidlna_exec_t;
+init_daemon_domain(minidlna_t, minidlna_exec_t)
+
+type minidlna_initrc_exec_t;
+init_script_file(minidlna_initrc_exec_t)
+
+type minidlna_etc_t;
+files_config_file(minidlna_etc_t)
+
+type minidlna_log_t;
+logging_log_file(minidlna_log_t)
+
+type minidlna_db_t;
+files_type(minidlna_db_t)
+
+type minidlna_var_run_t;
+files_pid_file(minidlna_var_run_t)
+
+###############################################
+#
+# Local policy
+#
+
+allow minidlna_t self:process { setsched };
+allow minidlna_t self:tcp_socket create_stream_socket_perms;
+allow minidlna_t self:udp_socket { create_socket_perms node_bind };
+allow minidlna_t self:netlink_route_socket rw_netlink_socket_perms;
+allow minidlna_t minidlna_log_t:file { create_file_perms append_file_perms };
+allow minidlna_t minidlna_etc_t:file read_file_perms;
+
+manage_files_pattern(minidlna_t, minidlna_db_t, minidlna_db_t)
+create_dirs_pattern(minidlna_t, minidlna_db_t, minidlna_db_t)
+rw_dirs_pattern(minidlna_t, minidlna_db_t, minidlna_db_t)
+files_var_lib_filetrans(minidlna_t, minidlna_db_t, dir)
+
+manage_files_pattern(minidlna_t, minidlna_var_run_t, minidlna_var_run_t)
+rw_dirs_pattern(minidlna_t, minidlna_var_run_t, minidlna_var_run_t)
+files_pid_filetrans(minidlna_t, minidlna_var_run_t, file)
+
+kernel_read_fs_sysctls(minidlna_t)
+kernel_read_system_state(minidlna_t)
+
+logging_log_filetrans(minidlna_t, minidlna_log_t, file)
+
+corecmd_exec_bin(minidlna_t)
+corecmd_exec_shell(minidlna_t)
+
+corenet_all_recvfrom_netlabel(minidlna_t)
+corenet_all_recvfrom_unlabeled(minidlna_t)
+
+corenet_sendrecv_ssdp_client_packets(minidlna_t)
+corenet_sendrecv_ssdp_server_packets(minidlna_t)
+
+# Next can be removed if trivnet1 calls are enabled
+corenet_tcp_bind_all_unreserved_ports(minidlna_t)
+corenet_tcp_bind_generic_node(minidlna_t)
+corenet_tcp_sendrecv_generic_if(minidlna_t)
+corenet_tcp_sendrecv_generic_node(minidlna_t)
+
+corenet_udp_bind_generic_node(minidlna_t)
+corenet_udp_bind_ssdp_port(minidlna_t)
+
+#corenet_sendrecv_trivnet1_server_packets(minidlna_t)
+#corenet_sendrecv_trivnet1_server_packets(minidlna_t)
+#corenet_tcp_bind_trivnet1_port(minidlna_t)
+
+files_read_etc_files(minidlna_t)
+
+miscfiles_read_localization(minidlna_t)
+miscfiles_read_public_files(minidlna_t)
+
+tunable_policy(`minidlna_read_generic_user_content',`
+ userdom_list_user_tmp(minidlna_t)
+ userdom_read_user_home_content_files(minidlna_t)
+ userdom_read_user_home_content_symlinks(minidlna_t)
+ userdom_read_user_tmp_files(minidlna_t)
+ userdom_read_user_tmp_symlinks(minidlna_t)
+',`
+ files_dontaudit_list_home(minidlna_t)
+ files_dontaudit_list_tmp(minidlna_t)
+
+ userdom_dontaudit_list_user_home_dirs(minidlna_t)
+ userdom_dontaudit_list_user_tmp(minidlna_t)
+ userdom_dontaudit_read_user_home_content_files(minidlna_t)
+ userdom_dontaudit_read_user_tmp_files(minidlna_t)
+')
+
+tunable_policy(`minidlna_read_all_user_content',`
+ userdom_list_user_tmp(minidlna_t)
+ userdom_read_all_user_home_content(minidlna_t)
+')
+
+tunable_policy(`minidlna_read_xdg_media_content',`
+ xdg_read_music_home(minidlna_t)
+ xdg_read_pictures_home(minidlna_t)
+ xdg_read_videos_home(minidlna_t)
+')
diff --git a/policy/modules/contrib/modemmanager.te b/policy/modules/contrib/modemmanager.te
index cb4c13d..4b30bf3 100644
--- a/policy/modules/contrib/modemmanager.te
+++ b/policy/modules/contrib/modemmanager.te
@@ -1,4 +1,4 @@
-policy_module(modemmanager, 1.1.1)
+policy_module(modemmanager, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/mojomojo.te b/policy/modules/contrib/mojomojo.te
index 7e534cf..b94102e 100644
--- a/policy/modules/contrib/mojomojo.te
+++ b/policy/modules/contrib/mojomojo.te
@@ -1,4 +1,4 @@
-policy_module(mojomojo, 1.0.1)
+policy_module(mojomojo, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/mongodb.te b/policy/modules/contrib/mongodb.te
index 4de8949..169f236 100644
--- a/policy/modules/contrib/mongodb.te
+++ b/policy/modules/contrib/mongodb.te
@@ -1,4 +1,4 @@
-policy_module(mongodb, 1.0.2)
+policy_module(mongodb, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/mono.te b/policy/modules/contrib/mono.te
index d287fe9..a6a8643 100644
--- a/policy/modules/contrib/mono.te
+++ b/policy/modules/contrib/mono.te
@@ -1,4 +1,4 @@
-policy_module(mono, 1.8.1)
+policy_module(mono, 1.9.0)
########################################
#
diff --git a/policy/modules/contrib/monop.te b/policy/modules/contrib/monop.te
index 4462c0e..5f93763 100644
--- a/policy/modules/contrib/monop.te
+++ b/policy/modules/contrib/monop.te
@@ -1,4 +1,4 @@
-policy_module(monop, 1.7.1)
+policy_module(monop, 1.8.0)
########################################
#
diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
index 1bc744e..3255a31 100644
--- a/policy/modules/contrib/mozilla.te
+++ b/policy/modules/contrib/mozilla.te
@@ -1,4 +1,4 @@
-policy_module(mozilla, 2.7.4)
+policy_module(mozilla, 2.8.0)
########################################
#
diff --git a/policy/modules/contrib/mpd.te b/policy/modules/contrib/mpd.te
index 7c8afcc..c088da3 100644
--- a/policy/modules/contrib/mpd.te
+++ b/policy/modules/contrib/mpd.te
@@ -1,4 +1,4 @@
-policy_module(mpd, 1.0.4)
+policy_module(mpd, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/mplayer.te b/policy/modules/contrib/mplayer.te
index 396a397..5378660 100644
--- a/policy/modules/contrib/mplayer.te
+++ b/policy/modules/contrib/mplayer.te
@@ -1,4 +1,4 @@
-policy_module(mplayer, 2.4.5)
+policy_module(mplayer, 2.5.0)
########################################
#
diff --git a/policy/modules/contrib/mrtg.te b/policy/modules/contrib/mrtg.te
index c97c177..65a246a 100644
--- a/policy/modules/contrib/mrtg.te
+++ b/policy/modules/contrib/mrtg.te
@@ -1,4 +1,4 @@
-policy_module(mrtg, 1.8.2)
+policy_module(mrtg, 1.9.0)
########################################
#
diff --git a/policy/modules/contrib/mta.te b/policy/modules/contrib/mta.te
index 32bcd86..75635b3 100644
--- a/policy/modules/contrib/mta.te
+++ b/policy/modules/contrib/mta.te
@@ -1,4 +1,4 @@
-policy_module(mta, 2.6.5)
+policy_module(mta, 2.7.0)
########################################
#
diff --git a/policy/modules/contrib/munin.te b/policy/modules/contrib/munin.te
index 97370e4..728fec4 100644
--- a/policy/modules/contrib/munin.te
+++ b/policy/modules/contrib/munin.te
@@ -1,4 +1,4 @@
-policy_module(munin, 1.8.10)
+policy_module(munin, 1.9.0)
########################################
#
diff --git a/policy/modules/contrib/mysql.te b/policy/modules/contrib/mysql.te
index 9f6179e..2ce286f 100644
--- a/policy/modules/contrib/mysql.te
+++ b/policy/modules/contrib/mysql.te
@@ -1,4 +1,4 @@
-policy_module(mysql, 1.13.5)
+policy_module(mysql, 1.14.0)
########################################
#
diff --git a/policy/modules/contrib/nagios.te b/policy/modules/contrib/nagios.te
index 44ad3b7..7b3e682 100644
--- a/policy/modules/contrib/nagios.te
+++ b/policy/modules/contrib/nagios.te
@@ -1,4 +1,4 @@
-policy_module(nagios, 1.12.3)
+policy_module(nagios, 1.13.0)
########################################
#
diff --git a/policy/modules/contrib/ncftool.te b/policy/modules/contrib/ncftool.te
index b13c0b1..71f30ba 100644
--- a/policy/modules/contrib/ncftool.te
+++ b/policy/modules/contrib/ncftool.te
@@ -1,4 +1,4 @@
-policy_module(ncftool, 1.1.2)
+policy_module(ncftool, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/nessus.te b/policy/modules/contrib/nessus.te
index 56c0fbd..fe1068b 100644
--- a/policy/modules/contrib/nessus.te
+++ b/policy/modules/contrib/nessus.te
@@ -1,4 +1,4 @@
-policy_module(nessus, 1.8.1)
+policy_module(nessus, 1.9.0)
########################################
#
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index 1a1f3eb..c2bcda3 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -1,4 +1,4 @@
-policy_module(networkmanager, 1.14.8)
+policy_module(networkmanager, 1.15.0)
########################################
#
diff --git a/policy/modules/contrib/nis.te b/policy/modules/contrib/nis.te
index 3e4a31c..3a6b035 100644
--- a/policy/modules/contrib/nis.te
+++ b/policy/modules/contrib/nis.te
@@ -1,4 +1,4 @@
-policy_module(nis, 1.11.1)
+policy_module(nis, 1.12.0)
########################################
#
diff --git a/policy/modules/contrib/nscd.te b/policy/modules/contrib/nscd.te
index df4c10f..bcd7d0a 100644
--- a/policy/modules/contrib/nscd.te
+++ b/policy/modules/contrib/nscd.te
@@ -1,4 +1,4 @@
-policy_module(nscd, 1.10.3)
+policy_module(nscd, 1.11.0)
gen_require(`
class nscd all_nscd_perms;
diff --git a/policy/modules/contrib/nsd.te b/policy/modules/contrib/nsd.te
index dde7f42..47bb1d2 100644
--- a/policy/modules/contrib/nsd.te
+++ b/policy/modules/contrib/nsd.te
@@ -1,4 +1,4 @@
-policy_module(nsd, 1.7.1)
+policy_module(nsd, 1.8.0)
########################################
#
diff --git a/policy/modules/contrib/nslcd.te b/policy/modules/contrib/nslcd.te
index a3e56f0..9b98909 100644
--- a/policy/modules/contrib/nslcd.te
+++ b/policy/modules/contrib/nslcd.te
@@ -1,4 +1,4 @@
-policy_module(nslcd, 1.3.1)
+policy_module(nslcd, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/ntop.te b/policy/modules/contrib/ntop.te
index 52757d8..8ec7859 100644
--- a/policy/modules/contrib/ntop.te
+++ b/policy/modules/contrib/ntop.te
@@ -1,4 +1,4 @@
-policy_module(ntop, 1.9.2)
+policy_module(ntop, 1.10.0)
########################################
#
diff --git a/policy/modules/contrib/ntp.te b/policy/modules/contrib/ntp.te
index b90e343..f81b113 100644
--- a/policy/modules/contrib/ntp.te
+++ b/policy/modules/contrib/ntp.te
@@ -1,4 +1,4 @@
-policy_module(ntp, 1.10.3)
+policy_module(ntp, 1.11.0)
########################################
#
diff --git a/policy/modules/contrib/numad.te b/policy/modules/contrib/numad.te
index f5d145d..b0a1be4 100644
--- a/policy/modules/contrib/numad.te
+++ b/policy/modules/contrib/numad.te
@@ -1,4 +1,4 @@
-policy_module(numad, 1.0.3)
+policy_module(numad, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/nut.te b/policy/modules/contrib/nut.te
index 0c9deb7..5b2cb0d 100644
--- a/policy/modules/contrib/nut.te
+++ b/policy/modules/contrib/nut.te
@@ -1,4 +1,4 @@
-policy_module(nut, 1.2.4)
+policy_module(nut, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/nx.te b/policy/modules/contrib/nx.te
index b1832ca..091f872 100644
--- a/policy/modules/contrib/nx.te
+++ b/policy/modules/contrib/nx.te
@@ -1,4 +1,4 @@
-policy_module(nx, 1.6.1)
+policy_module(nx, 1.7.0)
########################################
#
diff --git a/policy/modules/contrib/oav.te b/policy/modules/contrib/oav.te
index 75fdf58..b09c4c4 100644
--- a/policy/modules/contrib/oav.te
+++ b/policy/modules/contrib/oav.te
@@ -1,4 +1,4 @@
-policy_module(oav, 1.9.1)
+policy_module(oav, 1.10.0)
########################################
#
diff --git a/policy/modules/contrib/oddjob.te b/policy/modules/contrib/oddjob.te
index 296a1d3..e403097 100644
--- a/policy/modules/contrib/oddjob.te
+++ b/policy/modules/contrib/oddjob.te
@@ -1,4 +1,4 @@
-policy_module(oddjob, 1.9.2)
+policy_module(oddjob, 1.10.0)
########################################
#
diff --git a/policy/modules/contrib/oident.te b/policy/modules/contrib/oident.te
index cd22d87..edfad9d 100644
--- a/policy/modules/contrib/oident.te
+++ b/policy/modules/contrib/oident.te
@@ -1,4 +1,4 @@
-policy_module(oident, 2.2.1)
+policy_module(oident, 2.3.0)
########################################
#
diff --git a/policy/modules/contrib/openca.te b/policy/modules/contrib/openca.te
index d808ab0..0fc3a58 100644
--- a/policy/modules/contrib/openca.te
+++ b/policy/modules/contrib/openca.te
@@ -1,4 +1,4 @@
-policy_module(openca, 1.2.1)
+policy_module(openca, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/openct.te b/policy/modules/contrib/openct.te
index 8467596..61f1841 100644
--- a/policy/modules/contrib/openct.te
+++ b/policy/modules/contrib/openct.te
@@ -1,4 +1,4 @@
-policy_module(openct, 1.5.1)
+policy_module(openct, 1.6.0)
########################################
#
diff --git a/policy/modules/contrib/openhpi.te b/policy/modules/contrib/openhpi.te
index 7f398c0..8de6191 100644
--- a/policy/modules/contrib/openhpi.te
+++ b/policy/modules/contrib/openhpi.te
@@ -1,4 +1,4 @@
-policy_module(openhpi, 1.0.1)
+policy_module(openhpi, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/openvpn.te b/policy/modules/contrib/openvpn.te
index 3270ff9..ad85917 100644
--- a/policy/modules/contrib/openvpn.te
+++ b/policy/modules/contrib/openvpn.te
@@ -1,4 +1,4 @@
-policy_module(openvpn, 1.11.3)
+policy_module(openvpn, 1.12.0)
########################################
#
diff --git a/policy/modules/contrib/openvswitch.te b/policy/modules/contrib/openvswitch.te
index 508fedf..f1ff784 100644
--- a/policy/modules/contrib/openvswitch.te
+++ b/policy/modules/contrib/openvswitch.te
@@ -1,4 +1,4 @@
-policy_module(openvswitch, 1.0.1)
+policy_module(openvswitch, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/pacemaker.te b/policy/modules/contrib/pacemaker.te
index 3dd8ada..6e6efb6 100644
--- a/policy/modules/contrib/pacemaker.te
+++ b/policy/modules/contrib/pacemaker.te
@@ -1,4 +1,4 @@
-policy_module(pacemaker, 1.0.2)
+policy_module(pacemaker, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/pads.te b/policy/modules/contrib/pads.te
index 29a7364..078adc4 100644
--- a/policy/modules/contrib/pads.te
+++ b/policy/modules/contrib/pads.te
@@ -1,4 +1,4 @@
-policy_module(pads, 1.0.1)
+policy_module(pads, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/passenger.te b/policy/modules/contrib/passenger.te
index 4e114ff..34dbc16 100644
--- a/policy/modules/contrib/passenger.te
+++ b/policy/modules/contrib/passenger.te
@@ -1,4 +1,4 @@
-policy_module(passanger, 1.0.3)
+policy_module(passanger, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/pcmcia.te b/policy/modules/contrib/pcmcia.te
index 3ad10b5..8176e4a 100644
--- a/policy/modules/contrib/pcmcia.te
+++ b/policy/modules/contrib/pcmcia.te
@@ -1,4 +1,4 @@
-policy_module(pcmcia, 1.6.1)
+policy_module(pcmcia, 1.7.0)
########################################
#
diff --git a/policy/modules/contrib/pcscd.te b/policy/modules/contrib/pcscd.te
index 96db654..1fb1964 100644
--- a/policy/modules/contrib/pcscd.te
+++ b/policy/modules/contrib/pcscd.te
@@ -1,4 +1,4 @@
-policy_module(pcscd, 1.7.3)
+policy_module(pcscd, 1.8.0)
########################################
#
diff --git a/policy/modules/contrib/pegasus.te b/policy/modules/contrib/pegasus.te
index 7bcf327..608f454 100644
--- a/policy/modules/contrib/pegasus.te
+++ b/policy/modules/contrib/pegasus.te
@@ -1,4 +1,4 @@
-policy_module(pegasus, 1.8.3)
+policy_module(pegasus, 1.9.0)
########################################
#
diff --git a/policy/modules/contrib/perdition.te b/policy/modules/contrib/perdition.te
index 39027de..9feb1ef 100644
--- a/policy/modules/contrib/perdition.te
+++ b/policy/modules/contrib/perdition.te
@@ -1,4 +1,4 @@
-policy_module(perdition, 1.7.1)
+policy_module(perdition, 1.8.0)
########################################
#
diff --git a/policy/modules/contrib/pingd.te b/policy/modules/contrib/pingd.te
index 0f77942..ab01060 100644
--- a/policy/modules/contrib/pingd.te
+++ b/policy/modules/contrib/pingd.te
@@ -1,4 +1,4 @@
-policy_module(pingd, 1.0.1)
+policy_module(pingd, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/plymouthd.te b/policy/modules/contrib/plymouthd.te
index b1f412b..3078ce9 100644
--- a/policy/modules/contrib/plymouthd.te
+++ b/policy/modules/contrib/plymouthd.te
@@ -1,4 +1,4 @@
-policy_module(plymouthd, 1.1.4)
+policy_module(plymouthd, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/podsleuth.te b/policy/modules/contrib/podsleuth.te
index a14b3bc..9123f71 100644
--- a/policy/modules/contrib/podsleuth.te
+++ b/policy/modules/contrib/podsleuth.te
@@ -1,4 +1,4 @@
-policy_module(podsleuth, 1.6.1)
+policy_module(podsleuth, 1.7.0)
########################################
#
diff --git a/policy/modules/contrib/policykit.te b/policy/modules/contrib/policykit.te
index 49694e8..ee91778 100644
--- a/policy/modules/contrib/policykit.te
+++ b/policy/modules/contrib/policykit.te
@@ -1,4 +1,4 @@
-policy_module(policykit, 1.2.8)
+policy_module(policykit, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/polipo.te b/policy/modules/contrib/polipo.te
index 316d53a..0beb2a1 100644
--- a/policy/modules/contrib/polipo.te
+++ b/policy/modules/contrib/polipo.te
@@ -1,4 +1,4 @@
-policy_module(polipo, 1.0.4)
+policy_module(polipo, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/portage.te b/policy/modules/contrib/portage.te
index f175b3e..20da39d 100644
--- a/policy/modules/contrib/portage.te
+++ b/policy/modules/contrib/portage.te
@@ -1,4 +1,4 @@
-policy_module(portage, 1.13.7)
+policy_module(portage, 1.14.0)
########################################
#
diff --git a/policy/modules/contrib/portmap.te b/policy/modules/contrib/portmap.te
index 738c13b..18b255e 100644
--- a/policy/modules/contrib/portmap.te
+++ b/policy/modules/contrib/portmap.te
@@ -1,4 +1,4 @@
-policy_module(portmap, 1.10.1)
+policy_module(portmap, 1.11.0)
########################################
#
diff --git a/policy/modules/contrib/portreserve.te b/policy/modules/contrib/portreserve.te
index a38b57a..00b01e2 100644
--- a/policy/modules/contrib/portreserve.te
+++ b/policy/modules/contrib/portreserve.te
@@ -1,4 +1,4 @@
-policy_module(portreserve, 1.3.1)
+policy_module(portreserve, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/portslave.te b/policy/modules/contrib/portslave.te
index e85e33d..cbe36c1 100644
--- a/policy/modules/contrib/portslave.te
+++ b/policy/modules/contrib/portslave.te
@@ -1,4 +1,4 @@
-policy_module(portslave, 1.7.2)
+policy_module(portslave, 1.8.0)
########################################
#
diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te
index 037d231..0cb7938 100644
--- a/policy/modules/contrib/postfix.te
+++ b/policy/modules/contrib/postfix.te
@@ -1,4 +1,4 @@
-policy_module(postfix, 1.14.12)
+policy_module(postfix, 1.15.0)
########################################
#
diff --git a/policy/modules/contrib/postfixpolicyd.te b/policy/modules/contrib/postfixpolicyd.te
index 70f0533..ea1582a 100644
--- a/policy/modules/contrib/postfixpolicyd.te
+++ b/policy/modules/contrib/postfixpolicyd.te
@@ -1,4 +1,4 @@
-policy_module(postfixpolicyd, 1.2.1)
+policy_module(postfixpolicyd, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/postgrey.te b/policy/modules/contrib/postgrey.te
index 3b11496..fd58805 100644
--- a/policy/modules/contrib/postgrey.te
+++ b/policy/modules/contrib/postgrey.te
@@ -1,4 +1,4 @@
-policy_module(postgrey, 1.8.1)
+policy_module(postgrey, 1.9.0)
########################################
#
diff --git a/policy/modules/contrib/ppp.te b/policy/modules/contrib/ppp.te
index b2b5dba..d616ca3 100644
--- a/policy/modules/contrib/ppp.te
+++ b/policy/modules/contrib/ppp.te
@@ -1,4 +1,4 @@
-policy_module(ppp, 1.13.5)
+policy_module(ppp, 1.14.0)
########################################
#
diff --git a/policy/modules/contrib/prelink.te b/policy/modules/contrib/prelink.te
index c0f047a..8e26216 100644
--- a/policy/modules/contrib/prelink.te
+++ b/policy/modules/contrib/prelink.te
@@ -1,4 +1,4 @@
-policy_module(prelink, 1.10.2)
+policy_module(prelink, 1.11.0)
########################################
#
diff --git a/policy/modules/contrib/prelude.te b/policy/modules/contrib/prelude.te
index db864df..8f44609 100644
--- a/policy/modules/contrib/prelude.te
+++ b/policy/modules/contrib/prelude.te
@@ -1,4 +1,4 @@
-policy_module(prelude, 1.3.2)
+policy_module(prelude, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/privoxy.te b/policy/modules/contrib/privoxy.te
index 85b1c9a..ec21f80 100644
--- a/policy/modules/contrib/privoxy.te
+++ b/policy/modules/contrib/privoxy.te
@@ -1,4 +1,4 @@
-policy_module(privoxy, 1.11.1)
+policy_module(privoxy, 1.12.0)
########################################
#
diff --git a/policy/modules/contrib/procmail.te b/policy/modules/contrib/procmail.te
index d447152..fbbc398 100644
--- a/policy/modules/contrib/procmail.te
+++ b/policy/modules/contrib/procmail.te
@@ -1,4 +1,4 @@
-policy_module(procmail, 1.12.2)
+policy_module(procmail, 1.13.0)
########################################
#
diff --git a/policy/modules/contrib/psad.te b/policy/modules/contrib/psad.te
index 5427bb6..b5d717b 100644
--- a/policy/modules/contrib/psad.te
+++ b/policy/modules/contrib/psad.te
@@ -1,4 +1,4 @@
-policy_module(psad, 1.0.1)
+policy_module(psad, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/ptchown.te b/policy/modules/contrib/ptchown.te
index fb37f18..28d2abc 100644
--- a/policy/modules/contrib/ptchown.te
+++ b/policy/modules/contrib/ptchown.te
@@ -1,4 +1,4 @@
-policy_module(ptchown, 1.1.3)
+policy_module(ptchown, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/publicfile.te b/policy/modules/contrib/publicfile.te
index d7df1b3..3246bef 100644
--- a/policy/modules/contrib/publicfile.te
+++ b/policy/modules/contrib/publicfile.te
@@ -1,4 +1,4 @@
-policy_module(publicfile, 1.1.1)
+policy_module(publicfile, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index 9d474f5..643d58e 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -1,4 +1,4 @@
-policy_module(pulseaudio, 1.5.5)
+policy_module(pulseaudio, 1.6.0)
########################################
#
diff --git a/policy/modules/contrib/puppet.te b/policy/modules/contrib/puppet.te
index dd2dde4..86e3512 100644
--- a/policy/modules/contrib/puppet.te
+++ b/policy/modules/contrib/puppet.te
@@ -1,4 +1,4 @@
-policy_module(puppet, 1.3.8)
+policy_module(puppet, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/pxe.te b/policy/modules/contrib/pxe.te
index 72db707..06bec9b 100644
--- a/policy/modules/contrib/pxe.te
+++ b/policy/modules/contrib/pxe.te
@@ -1,4 +1,4 @@
-policy_module(pxe, 1.4.1)
+policy_module(pxe, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/pyicqt.te b/policy/modules/contrib/pyicqt.te
index 99bebbd..f2863de 100644
--- a/policy/modules/contrib/pyicqt.te
+++ b/policy/modules/contrib/pyicqt.te
@@ -1,4 +1,4 @@
-policy_module(pyicqt, 1.0.1)
+policy_module(pyicqt, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/pyzor.te b/policy/modules/contrib/pyzor.te
index 6c456d2..2439d13 100644
--- a/policy/modules/contrib/pyzor.te
+++ b/policy/modules/contrib/pyzor.te
@@ -1,4 +1,4 @@
-policy_module(pyzor, 2.2.1)
+policy_module(pyzor, 2.3.0)
########################################
#
diff --git a/policy/modules/contrib/qemu.te b/policy/modules/contrib/qemu.te
index 81205b1..2995e8a 100644
--- a/policy/modules/contrib/qemu.te
+++ b/policy/modules/contrib/qemu.te
@@ -1,4 +1,4 @@
-policy_module(qemu, 1.7.5)
+policy_module(qemu, 1.8.0)
########################################
#
diff --git a/policy/modules/contrib/qmail.te b/policy/modules/contrib/qmail.te
index 1bef513..83cccf9 100644
--- a/policy/modules/contrib/qmail.te
+++ b/policy/modules/contrib/qmail.te
@@ -1,4 +1,4 @@
-policy_module(qmail, 1.5.1)
+policy_module(qmail, 1.6.0)
########################################
#
diff --git a/policy/modules/contrib/qpid.te b/policy/modules/contrib/qpid.te
index 76f5b39..83eb09e 100644
--- a/policy/modules/contrib/qpid.te
+++ b/policy/modules/contrib/qpid.te
@@ -1,4 +1,4 @@
-policy_module(qpid, 1.0.1)
+policy_module(qpid, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/quantum.te b/policy/modules/contrib/quantum.te
index 769d1fd..8644d8b 100644
--- a/policy/modules/contrib/quantum.te
+++ b/policy/modules/contrib/quantum.te
@@ -1,4 +1,4 @@
-policy_module(quantum, 1.0.2)
+policy_module(quantum, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/quota.te b/policy/modules/contrib/quota.te
index 4b2c272..f47c8e8 100644
--- a/policy/modules/contrib/quota.te
+++ b/policy/modules/contrib/quota.te
@@ -1,4 +1,4 @@
-policy_module(quota, 1.5.2)
+policy_module(quota, 1.6.0)
########################################
#
diff --git a/policy/modules/contrib/radius.te b/policy/modules/contrib/radius.te
index 1e7927f..403a4fe 100644
--- a/policy/modules/contrib/radius.te
+++ b/policy/modules/contrib/radius.te
@@ -1,4 +1,4 @@
-policy_module(radius, 1.12.1)
+policy_module(radius, 1.13.0)
########################################
#
diff --git a/policy/modules/contrib/radvd.te b/policy/modules/contrib/radvd.te
index b31f2d7..6d162e4 100644
--- a/policy/modules/contrib/radvd.te
+++ b/policy/modules/contrib/radvd.te
@@ -1,4 +1,4 @@
-policy_module(radvd, 1.13.1)
+policy_module(radvd, 1.14.0)
########################################
#
diff --git a/policy/modules/contrib/raid.te b/policy/modules/contrib/raid.te
index 2c1730b..4ab29d2 100644
--- a/policy/modules/contrib/raid.te
+++ b/policy/modules/contrib/raid.te
@@ -1,4 +1,4 @@
-policy_module(raid, 1.12.5)
+policy_module(raid, 1.13.0)
########################################
#
diff --git a/policy/modules/contrib/razor.te b/policy/modules/contrib/razor.te
index 5ddedbc..68455f9 100644
--- a/policy/modules/contrib/razor.te
+++ b/policy/modules/contrib/razor.te
@@ -1,4 +1,4 @@
-policy_module(razor, 2.3.2)
+policy_module(razor, 2.4.0)
########################################
#
diff --git a/policy/modules/contrib/readahead.te b/policy/modules/contrib/readahead.te
index f1512d6..c0b02c9 100644
--- a/policy/modules/contrib/readahead.te
+++ b/policy/modules/contrib/readahead.te
@@ -1,4 +1,4 @@
-policy_module(readahead, 1.12.2)
+policy_module(readahead, 1.13.0)
########################################
#
diff --git a/policy/modules/contrib/realmd.te b/policy/modules/contrib/realmd.te
index 9a8f052..5bc878b 100644
--- a/policy/modules/contrib/realmd.te
+++ b/policy/modules/contrib/realmd.te
@@ -1,4 +1,4 @@
-policy_module(realmd, 1.0.2)
+policy_module(realmd, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/remotelogin.te b/policy/modules/contrib/remotelogin.te
index c51a32c..ae30871 100644
--- a/policy/modules/contrib/remotelogin.te
+++ b/policy/modules/contrib/remotelogin.te
@@ -1,4 +1,4 @@
-policy_module(remotelogin, 1.7.2)
+policy_module(remotelogin, 1.8.0)
########################################
#
diff --git a/policy/modules/contrib/resmgr.te b/policy/modules/contrib/resmgr.te
index 6f219b3..f6eb358 100644
--- a/policy/modules/contrib/resmgr.te
+++ b/policy/modules/contrib/resmgr.te
@@ -1,4 +1,4 @@
-policy_module(resmgr, 1.2.2)
+policy_module(resmgr, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/rgmanager.te b/policy/modules/contrib/rgmanager.te
index b418d1c..c8a1e16 100644
--- a/policy/modules/contrib/rgmanager.te
+++ b/policy/modules/contrib/rgmanager.te
@@ -1,4 +1,4 @@
-policy_module(rgmanager, 1.2.2)
+policy_module(rgmanager, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/rhcs.te b/policy/modules/contrib/rhcs.te
index 2c2de9a..7f87224 100644
--- a/policy/modules/contrib/rhcs.te
+++ b/policy/modules/contrib/rhcs.te
@@ -1,4 +1,4 @@
-policy_module(rhcs, 1.1.4)
+policy_module(rhcs, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/rhsmcertd.te b/policy/modules/contrib/rhsmcertd.te
index 1cedd70..d1ebe6a 100644
--- a/policy/modules/contrib/rhsmcertd.te
+++ b/policy/modules/contrib/rhsmcertd.te
@@ -1,4 +1,4 @@
-policy_module(rhsmcertd, 1.0.2)
+policy_module(rhsmcertd, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/ricci.te b/policy/modules/contrib/ricci.te
index 9702ed2..0ba2569 100644
--- a/policy/modules/contrib/ricci.te
+++ b/policy/modules/contrib/ricci.te
@@ -1,4 +1,4 @@
-policy_module(ricci, 1.7.4)
+policy_module(ricci, 1.8.0)
########################################
#
diff --git a/policy/modules/contrib/rlogin.te b/policy/modules/contrib/rlogin.te
index d34cdec..20696cc 100644
--- a/policy/modules/contrib/rlogin.te
+++ b/policy/modules/contrib/rlogin.te
@@ -1,4 +1,4 @@
-policy_module(rlogin, 1.10.1)
+policy_module(rlogin, 1.11.0)
########################################
#
diff --git a/policy/modules/contrib/rngd.te b/policy/modules/contrib/rngd.te
index 35c1427..4ab4eb5 100644
--- a/policy/modules/contrib/rngd.te
+++ b/policy/modules/contrib/rngd.te
@@ -1,4 +1,4 @@
-policy_module(rngd, 1.0.2)
+policy_module(rngd, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/roundup.te b/policy/modules/contrib/roundup.te
index 353960c..ccb5991 100644
--- a/policy/modules/contrib/roundup.te
+++ b/policy/modules/contrib/roundup.te
@@ -1,4 +1,4 @@
-policy_module(roundup, 1.7.1)
+policy_module(roundup, 1.8.0)
########################################
#
diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
index 9abcbc8..1e6b44d 100644
--- a/policy/modules/contrib/rpc.te
+++ b/policy/modules/contrib/rpc.te
@@ -1,4 +1,4 @@
-policy_module(rpc, 1.14.6)
+policy_module(rpc, 1.15.0)
########################################
#
diff --git a/policy/modules/contrib/rpcbind.te b/policy/modules/contrib/rpcbind.te
index c49828c..196f168 100644
--- a/policy/modules/contrib/rpcbind.te
+++ b/policy/modules/contrib/rpcbind.te
@@ -1,4 +1,4 @@
-policy_module(rpcbind, 1.5.4)
+policy_module(rpcbind, 1.6.0)
########################################
#
diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te
index 5cbe81c..6fc360e 100644
--- a/policy/modules/contrib/rpm.te
+++ b/policy/modules/contrib/rpm.te
@@ -1,4 +1,4 @@
-policy_module(rpm, 1.15.3)
+policy_module(rpm, 1.16.0)
########################################
#
diff --git a/policy/modules/contrib/rshd.te b/policy/modules/contrib/rshd.te
index f842825..575e3e3 100644
--- a/policy/modules/contrib/rshd.te
+++ b/policy/modules/contrib/rshd.te
@@ -1,4 +1,4 @@
-policy_module(rshd, 1.7.1)
+policy_module(rshd, 1.8.0)
########################################
#
--git a/policy/modules/contrib/rssh.te b/policy/modules/contrib/rssh.te
index d1fd97f..5c5465f 100644
--- a/policy/modules/contrib/rssh.te
+++ b/policy/modules/contrib/rssh.te
@@ -1,4 +1,4 @@
-policy_module(rssh, 2.2.1)
+policy_module(rssh, 2.3.0)
########################################
#
diff --git a/policy/modules/contrib/rsync.te b/policy/modules/contrib/rsync.te
index e3e7c96..abeb302 100644
--- a/policy/modules/contrib/rsync.te
+++ b/policy/modules/contrib/rsync.te
@@ -1,4 +1,4 @@
-policy_module(rsync, 1.12.2)
+policy_module(rsync, 1.13.0)
########################################
#
diff --git a/policy/modules/contrib/rtkit.te b/policy/modules/contrib/rtkit.te
index 3f5a8ef..7eea21f 100644
--- a/policy/modules/contrib/rtkit.te
+++ b/policy/modules/contrib/rtkit.te
@@ -1,4 +1,4 @@
-policy_module(rtkit, 1.1.2)
+policy_module(rtkit, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/rwho.te b/policy/modules/contrib/rwho.te
index 9927d29..7fb75f4 100644
--- a/policy/modules/contrib/rwho.te
+++ b/policy/modules/contrib/rwho.te
@@ -1,4 +1,4 @@
-policy_module(rwho, 1.6.1)
+policy_module(rwho, 1.7.0)
########################################
#
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
index 57c034b..54b89a6 100644
--- a/policy/modules/contrib/samba.te
+++ b/policy/modules/contrib/samba.te
@@ -1,4 +1,4 @@
-policy_module(samba, 1.15.7)
+policy_module(samba, 1.16.0)
#################################
#
diff --git a/policy/modules/contrib/sambagui.te b/policy/modules/contrib/sambagui.te
index d9f8784..e18b0a2 100644
--- a/policy/modules/contrib/sambagui.te
+++ b/policy/modules/contrib/sambagui.te
@@ -1,4 +1,4 @@
-policy_module(sambagui, 1.1.2)
+policy_module(sambagui, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/samhain.te b/policy/modules/contrib/samhain.te
index 931312b..c41ce4b 100644
--- a/policy/modules/contrib/samhain.te
+++ b/policy/modules/contrib/samhain.te
@@ -1,4 +1,4 @@
-policy_module(samhain, 1.1.1)
+policy_module(samhain, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/sanlock.te b/policy/modules/contrib/sanlock.te
index a34eac4..0045465 100644
--- a/policy/modules/contrib/sanlock.te
+++ b/policy/modules/contrib/sanlock.te
@@ -1,4 +1,4 @@
-policy_module(sanlock, 1.0.2)
+policy_module(sanlock, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/sasl.te b/policy/modules/contrib/sasl.te
index a63b875..20ebffb 100644
--- a/policy/modules/contrib/sasl.te
+++ b/policy/modules/contrib/sasl.te
@@ -1,4 +1,4 @@
-policy_module(sasl, 1.14.3)
+policy_module(sasl, 1.15.0)
########################################
#
diff --git a/policy/modules/contrib/sblim.te b/policy/modules/contrib/sblim.te
index 4a23d84..299756b 100644
--- a/policy/modules/contrib/sblim.te
+++ b/policy/modules/contrib/sblim.te
@@ -1,4 +1,4 @@
-policy_module(sblim, 1.0.3)
+policy_module(sblim, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/screen.te b/policy/modules/contrib/screen.te
index 0d2bc5f..7da9b3d 100644
--- a/policy/modules/contrib/screen.te
+++ b/policy/modules/contrib/screen.te
@@ -1,4 +1,4 @@
-policy_module(screen, 2.5.4)
+policy_module(screen, 2.6.0)
########################################
#
diff --git a/policy/modules/contrib/sectoolm.te b/policy/modules/contrib/sectoolm.te
index 8193bf1..4bc8c13 100644
--- a/policy/modules/contrib/sectoolm.te
+++ b/policy/modules/contrib/sectoolm.te
@@ -1,4 +1,4 @@
-policy_module(sectoolm, 1.0.1)
+policy_module(sectoolm, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/sendmail.te b/policy/modules/contrib/sendmail.te
index 5f35d78..320db21 100644
--- a/policy/modules/contrib/sendmail.te
+++ b/policy/modules/contrib/sendmail.te
@@ -1,4 +1,4 @@
-policy_module(sendmail, 1.11.5)
+policy_module(sendmail, 1.12.0)
########################################
#
diff --git a/policy/modules/contrib/setroubleshoot.te b/policy/modules/contrib/setroubleshoot.te
index 49b12ae..1aaf1dd 100644
--- a/policy/modules/contrib/setroubleshoot.te
+++ b/policy/modules/contrib/setroubleshoot.te
@@ -1,4 +1,4 @@
-policy_module(setroubleshoot, 1.11.2)
+policy_module(setroubleshoot, 1.12.0)
########################################
#
diff --git a/policy/modules/contrib/shorewall.te b/policy/modules/contrib/shorewall.te
index ca03de6..7710b9f 100644
--- a/policy/modules/contrib/shorewall.te
+++ b/policy/modules/contrib/shorewall.te
@@ -1,4 +1,4 @@
-policy_module(shorewall, 1.3.5)
+policy_module(shorewall, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/shutdown.te b/policy/modules/contrib/shutdown.te
index 7880d1f..e2544e1 100644
--- a/policy/modules/contrib/shutdown.te
+++ b/policy/modules/contrib/shutdown.te
@@ -1,4 +1,4 @@
-policy_module(shutdown, 1.1.2)
+policy_module(shutdown, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/slocate.te b/policy/modules/contrib/slocate.te
index ba26427..4df4417 100644
--- a/policy/modules/contrib/slocate.te
+++ b/policy/modules/contrib/slocate.te
@@ -1,4 +1,4 @@
-policy_module(slocate, 1.11.1)
+policy_module(slocate, 1.12.0)
#################################
#
diff --git a/policy/modules/contrib/slpd.te b/policy/modules/contrib/slpd.te
index 66ac42a..731512a 100644
--- a/policy/modules/contrib/slpd.te
+++ b/policy/modules/contrib/slpd.te
@@ -1,4 +1,4 @@
-policy_module(slpd, 1.0.3)
+policy_module(slpd, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/slrnpull.te b/policy/modules/contrib/slrnpull.te
index 5437237..59eb07f 100644
--- a/policy/modules/contrib/slrnpull.te
+++ b/policy/modules/contrib/slrnpull.te
@@ -1,4 +1,4 @@
-policy_module(slrnpull, 1.4.1)
+policy_module(slrnpull, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/smartmon.te b/policy/modules/contrib/smartmon.te
index 9ade9c5..9cf6582 100644
--- a/policy/modules/contrib/smartmon.te
+++ b/policy/modules/contrib/smartmon.te
@@ -1,4 +1,4 @@
-policy_module(smartmon, 1.11.3)
+policy_module(smartmon, 1.12.0)
########################################
#
diff --git a/policy/modules/contrib/smokeping.te b/policy/modules/contrib/smokeping.te
index a8b1aaf..ec031a0 100644
--- a/policy/modules/contrib/smokeping.te
+++ b/policy/modules/contrib/smokeping.te
@@ -1,4 +1,4 @@
-policy_module(smokeping, 1.1.2)
+policy_module(smokeping, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/smoltclient.te b/policy/modules/contrib/smoltclient.te
index 9c8f9a5..b3f2c6f 100644
--- a/policy/modules/contrib/smoltclient.te
+++ b/policy/modules/contrib/smoltclient.te
@@ -1,4 +1,4 @@
-policy_module(smoltclient, 1.1.1)
+policy_module(smoltclient, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/snmp.te b/policy/modules/contrib/snmp.te
index 81864ce..9dcaeb8 100644
--- a/policy/modules/contrib/snmp.te
+++ b/policy/modules/contrib/snmp.te
@@ -1,4 +1,4 @@
-policy_module(snmp, 1.13.4)
+policy_module(snmp, 1.14.0)
########################################
#
diff --git a/policy/modules/contrib/snort.te b/policy/modules/contrib/snort.te
index ccd28bb..1af72df 100644
--- a/policy/modules/contrib/snort.te
+++ b/policy/modules/contrib/snort.te
@@ -1,4 +1,4 @@
-policy_module(snort, 1.10.1)
+policy_module(snort, 1.11.0)
########################################
#
diff --git a/policy/modules/contrib/sosreport.te b/policy/modules/contrib/sosreport.te
index 703efa3..3ab1967 100644
--- a/policy/modules/contrib/sosreport.te
+++ b/policy/modules/contrib/sosreport.te
@@ -1,4 +1,4 @@
-policy_module(sosreport, 1.2.2)
+policy_module(sosreport, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/soundserver.te b/policy/modules/contrib/soundserver.te
index db1bc6f..0919e0c 100644
--- a/policy/modules/contrib/soundserver.te
+++ b/policy/modules/contrib/soundserver.te
@@ -1,4 +1,4 @@
-policy_module(soundserver, 1.8.1)
+policy_module(soundserver, 1.9.0)
########################################
#
diff --git a/policy/modules/contrib/spamassassin.te b/policy/modules/contrib/spamassassin.te
index 4faa7e0..02fba54 100644
--- a/policy/modules/contrib/spamassassin.te
+++ b/policy/modules/contrib/spamassassin.te
@@ -1,4 +1,4 @@
-policy_module(spamassassin, 2.5.8)
+policy_module(spamassassin, 2.6.0)
########################################
#
diff --git a/policy/modules/contrib/speedtouch.te b/policy/modules/contrib/speedtouch.te
index 9025dbd..b38b8b1 100644
--- a/policy/modules/contrib/speedtouch.te
+++ b/policy/modules/contrib/speedtouch.te
@@ -1,4 +1,4 @@
-policy_module(speedtouch, 1.4.1)
+policy_module(speedtouch, 1.5.0)
#######################################
#
diff --git a/policy/modules/contrib/squid.te b/policy/modules/contrib/squid.te
index 8ad5645..a68b5c4 100644
--- a/policy/modules/contrib/squid.te
+++ b/policy/modules/contrib/squid.te
@@ -1,4 +1,4 @@
-policy_module(squid, 1.11.2)
+policy_module(squid, 1.12.0)
########################################
#
diff --git a/policy/modules/contrib/sssd.te b/policy/modules/contrib/sssd.te
index 8b537aa..2d8db1f 100644
--- a/policy/modules/contrib/sssd.te
+++ b/policy/modules/contrib/sssd.te
@@ -1,4 +1,4 @@
-policy_module(sssd, 1.1.4)
+policy_module(sssd, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/stunnel.te b/policy/modules/contrib/stunnel.te
index 9992e62..27a8480 100644
--- a/policy/modules/contrib/stunnel.te
+++ b/policy/modules/contrib/stunnel.te
@@ -1,4 +1,4 @@
-policy_module(stunnel, 1.10.2)
+policy_module(stunnel, 1.11.0)
########################################
#
diff --git a/policy/modules/contrib/svnserve.te b/policy/modules/contrib/svnserve.te
index c6aaac7..49d688d 100644
--- a/policy/modules/contrib/svnserve.te
+++ b/policy/modules/contrib/svnserve.te
@@ -1,4 +1,4 @@
-policy_module(svnserve, 1.0.2)
+policy_module(svnserve, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/sxid.te b/policy/modules/contrib/sxid.te
index c9824cb..01a9d0a 100644
--- a/policy/modules/contrib/sxid.te
+++ b/policy/modules/contrib/sxid.te
@@ -1,4 +1,4 @@
-policy_module(sxid, 1.7.1)
+policy_module(sxid, 1.8.0)
########################################
#
diff --git a/policy/modules/contrib/sysstat.te b/policy/modules/contrib/sysstat.te
index c8b80b2..b92f677 100644
--- a/policy/modules/contrib/sysstat.te
+++ b/policy/modules/contrib/sysstat.te
@@ -1,4 +1,4 @@
-policy_module(sysstat, 1.7.1)
+policy_module(sysstat, 1.8.0)
########################################
#
diff --git a/policy/modules/contrib/systemtap.te b/policy/modules/contrib/systemtap.te
index 6c06a84..ffde368 100644
--- a/policy/modules/contrib/systemtap.te
+++ b/policy/modules/contrib/systemtap.te
@@ -1,4 +1,4 @@
-policy_module(systemtap, 1.0.2)
+policy_module(systemtap, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/tcpd.te b/policy/modules/contrib/tcpd.te
index f388db3..2d6d2c2 100644
--- a/policy/modules/contrib/tcpd.te
+++ b/policy/modules/contrib/tcpd.te
@@ -1,4 +1,4 @@
-policy_module(tcpd, 1.4.1)
+policy_module(tcpd, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/tcsd.te b/policy/modules/contrib/tcsd.te
index ac8213a..c9ce881 100644
--- a/policy/modules/contrib/tcsd.te
+++ b/policy/modules/contrib/tcsd.te
@@ -1,4 +1,4 @@
-policy_module(tcsd, 1.0.3)
+policy_module(tcsd, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/telepathy.te b/policy/modules/contrib/telepathy.te
index e9c0964..f779f37 100644
--- a/policy/modules/contrib/telepathy.te
+++ b/policy/modules/contrib/telepathy.te
@@ -1,4 +1,4 @@
-policy_module(telepathy, 1.3.5)
+policy_module(telepathy, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/telnet.te b/policy/modules/contrib/telnet.te
index 9f89916..b9e2061 100644
--- a/policy/modules/contrib/telnet.te
+++ b/policy/modules/contrib/telnet.te
@@ -1,4 +1,4 @@
-policy_module(telnet, 1.10.2)
+policy_module(telnet, 1.11.0)
########################################
#
diff --git a/policy/modules/contrib/tftp.te b/policy/modules/contrib/tftp.te
index f455e70..cfaa2a1 100644
--- a/policy/modules/contrib/tftp.te
+++ b/policy/modules/contrib/tftp.te
@@ -1,4 +1,4 @@
-policy_module(tftp, 1.12.4)
+policy_module(tftp, 1.13.0)
########################################
#
diff --git a/policy/modules/contrib/tgtd.te b/policy/modules/contrib/tgtd.te
index c93c973..7361eed 100644
--- a/policy/modules/contrib/tgtd.te
+++ b/policy/modules/contrib/tgtd.te
@@ -1,4 +1,4 @@
-policy_module(tgtd, 1.2.3)
+policy_module(tgtd, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/thunderbird.te b/policy/modules/contrib/thunderbird.te
index de5696f..04a56d2 100644
--- a/policy/modules/contrib/thunderbird.te
+++ b/policy/modules/contrib/thunderbird.te
@@ -1,4 +1,4 @@
-policy_module(thunderbird, 2.3.4)
+policy_module(thunderbird, 2.4.0)
########################################
#
diff --git a/policy/modules/contrib/timidity.te b/policy/modules/contrib/timidity.te
index 67ca5c5..97cd155 100644
--- a/policy/modules/contrib/timidity.te
+++ b/policy/modules/contrib/timidity.te
@@ -1,4 +1,4 @@
-policy_module(timidity, 1.9.1)
+policy_module(timidity, 1.10.0)
########################################
#
diff --git a/policy/modules/contrib/tmpreaper.te b/policy/modules/contrib/tmpreaper.te
index a4a949c..00bd63c 100644
--- a/policy/modules/contrib/tmpreaper.te
+++ b/policy/modules/contrib/tmpreaper.te
@@ -1,4 +1,4 @@
-policy_module(tmpreaper, 1.6.3)
+policy_module(tmpreaper, 1.7.0)
########################################
#
diff --git a/policy/modules/contrib/tor.te b/policy/modules/contrib/tor.te
index 964a395..5ceacde 100644
--- a/policy/modules/contrib/tor.te
+++ b/policy/modules/contrib/tor.te
@@ -1,4 +1,4 @@
-policy_module(tor, 1.8.4)
+policy_module(tor, 1.9.0)
########################################
#
diff --git a/policy/modules/contrib/transproxy.te b/policy/modules/contrib/transproxy.te
index 20d1a28..34973ee 100644
--- a/policy/modules/contrib/transproxy.te
+++ b/policy/modules/contrib/transproxy.te
@@ -1,4 +1,4 @@
-policy_module(transproxy, 1.7.1)
+policy_module(transproxy, 1.8.0)
########################################
#
diff --git a/policy/modules/contrib/tripwire.te b/policy/modules/contrib/tripwire.te
index 2e1110d..03aa6b7 100644
--- a/policy/modules/contrib/tripwire.te
+++ b/policy/modules/contrib/tripwire.te
@@ -1,4 +1,4 @@
-policy_module(tripwire, 1.2.1)
+policy_module(tripwire, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/tuned.te b/policy/modules/contrib/tuned.te
index 7116181..393a330 100644
--- a/policy/modules/contrib/tuned.te
+++ b/policy/modules/contrib/tuned.te
@@ -1,4 +1,4 @@
-policy_module(tuned, 1.1.4)
+policy_module(tuned, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/tvtime.te b/policy/modules/contrib/tvtime.te
index 3292fcc..afd2d6c 100644
--- a/policy/modules/contrib/tvtime.te
+++ b/policy/modules/contrib/tvtime.te
@@ -1,4 +1,4 @@
-policy_module(tvtime, 2.2.1)
+policy_module(tvtime, 2.3.0)
########################################
#
diff --git a/policy/modules/contrib/tzdata.te b/policy/modules/contrib/tzdata.te
index aa6ae96..221c43b 100644
--- a/policy/modules/contrib/tzdata.te
+++ b/policy/modules/contrib/tzdata.te
@@ -1,4 +1,4 @@
-policy_module(tzdata, 1.4.1)
+policy_module(tzdata, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/ucspitcp.te b/policy/modules/contrib/ucspitcp.te
index 5e365c2..7745b72 100644
--- a/policy/modules/contrib/ucspitcp.te
+++ b/policy/modules/contrib/ucspitcp.te
@@ -1,4 +1,4 @@
-policy_module(ucspitcp, 1.3.1)
+policy_module(ucspitcp, 1.4.0)
########################################
#
diff --git a/policy/modules/contrib/ulogd.te b/policy/modules/contrib/ulogd.te
index 42cde84..de35e5f 100644
--- a/policy/modules/contrib/ulogd.te
+++ b/policy/modules/contrib/ulogd.te
@@ -1,4 +1,4 @@
-policy_module(ulogd, 1.2.2)
+policy_module(ulogd, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/uml.te b/policy/modules/contrib/uml.te
index dc03cc5..b68bd49 100644
--- a/policy/modules/contrib/uml.te
+++ b/policy/modules/contrib/uml.te
@@ -1,4 +1,4 @@
-policy_module(uml, 2.2.1)
+policy_module(uml, 2.3.0)
########################################
#
diff --git a/policy/modules/contrib/updfstab.te b/policy/modules/contrib/updfstab.te
index 2d871b8..5ceb912 100644
--- a/policy/modules/contrib/updfstab.te
+++ b/policy/modules/contrib/updfstab.te
@@ -1,4 +1,4 @@
-policy_module(updfstab, 1.5.1)
+policy_module(updfstab, 1.6.0)
########################################
#
diff --git a/policy/modules/contrib/uptime.te b/policy/modules/contrib/uptime.te
index 09741f6..58397dc 100644
--- a/policy/modules/contrib/uptime.te
+++ b/policy/modules/contrib/uptime.te
@@ -1,4 +1,4 @@
-policy_module(uptime, 1.4.1)
+policy_module(uptime, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/usbmodules.te b/policy/modules/contrib/usbmodules.te
index cb9b5bb..279e511 100644
--- a/policy/modules/contrib/usbmodules.te
+++ b/policy/modules/contrib/usbmodules.te
@@ -1,4 +1,4 @@
-policy_module(usbmodules, 1.2.1)
+policy_module(usbmodules, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/usbmuxd.te b/policy/modules/contrib/usbmuxd.te
index 8840be6..34a8917 100644
--- a/policy/modules/contrib/usbmuxd.te
+++ b/policy/modules/contrib/usbmuxd.te
@@ -1,4 +1,4 @@
-policy_module(usbmuxd, 1.1.1)
+policy_module(usbmuxd, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/userhelper.te b/policy/modules/contrib/userhelper.te
index 274ed9c..9f2ec97 100644
--- a/policy/modules/contrib/userhelper.te
+++ b/policy/modules/contrib/userhelper.te
@@ -1,4 +1,4 @@
-policy_module(userhelper, 1.7.3)
+policy_module(userhelper, 1.8.0)
########################################
#
diff --git a/policy/modules/contrib/usernetctl.te b/policy/modules/contrib/usernetctl.te
index dd3f01e..f973af8 100644
--- a/policy/modules/contrib/usernetctl.te
+++ b/policy/modules/contrib/usernetctl.te
@@ -1,4 +1,4 @@
-policy_module(usernetctl, 1.6.1)
+policy_module(usernetctl, 1.7.0)
########################################
#
diff --git a/policy/modules/contrib/uucp.te b/policy/modules/contrib/uucp.te
index 380902c..849f607 100644
--- a/policy/modules/contrib/uucp.te
+++ b/policy/modules/contrib/uucp.te
@@ -1,4 +1,4 @@
-policy_module(uucp, 1.12.1)
+policy_module(uucp, 1.13.0)
########################################
#
diff --git a/policy/modules/contrib/uuidd.te b/policy/modules/contrib/uuidd.te
index e670f55..f8e52fc 100644
--- a/policy/modules/contrib/uuidd.te
+++ b/policy/modules/contrib/uuidd.te
@@ -1,4 +1,4 @@
-policy_module(uuidd, 1.0.1)
+policy_module(uuidd, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/uwimap.te b/policy/modules/contrib/uwimap.te
index b81e5c8..acdc78a 100644
--- a/policy/modules/contrib/uwimap.te
+++ b/policy/modules/contrib/uwimap.te
@@ -1,4 +1,4 @@
-policy_module(uwimap, 1.9.3)
+policy_module(uwimap, 1.10.0)
########################################
#
diff --git a/policy/modules/contrib/vbetool.te b/policy/modules/contrib/vbetool.te
index 14e1eec..2a61f75 100644
--- a/policy/modules/contrib/vbetool.te
+++ b/policy/modules/contrib/vbetool.te
@@ -1,4 +1,4 @@
-policy_module(vbetool, 1.6.1)
+policy_module(vbetool, 1.7.0)
########################################
#
diff --git a/policy/modules/contrib/vdagent.te b/policy/modules/contrib/vdagent.te
index 77be35a..947c70a 100644
--- a/policy/modules/contrib/vdagent.te
+++ b/policy/modules/contrib/vdagent.te
@@ -1,4 +1,4 @@
-policy_module(vdagent, 1.0.2)
+policy_module(vdagent, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/vhostmd.te b/policy/modules/contrib/vhostmd.te
index 0be8535..3d11c6a 100644
--- a/policy/modules/contrib/vhostmd.te
+++ b/policy/modules/contrib/vhostmd.te
@@ -1,4 +1,4 @@
-policy_module(vhostmd, 1.0.1)
+policy_module(vhostmd, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 65735c2..9230f0d 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1,4 +1,4 @@
-policy_module(virt, 1.6.10)
+policy_module(virt, 1.7.0)
########################################
#
diff --git a/policy/modules/contrib/vlock.te b/policy/modules/contrib/vlock.te
index 9ead775..6b72968 100644
--- a/policy/modules/contrib/vlock.te
+++ b/policy/modules/contrib/vlock.te
@@ -1,4 +1,4 @@
-policy_module(vlock, 1.1.1)
+policy_module(vlock, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/vmware.te b/policy/modules/contrib/vmware.te
index 3a56513..4ad1894 100644
--- a/policy/modules/contrib/vmware.te
+++ b/policy/modules/contrib/vmware.te
@@ -1,4 +1,4 @@
-policy_module(vmware, 2.6.1)
+policy_module(vmware, 2.7.0)
########################################
#
diff --git a/policy/modules/contrib/vnstatd.te b/policy/modules/contrib/vnstatd.te
index febc3e5..e2220ae 100644
--- a/policy/modules/contrib/vnstatd.te
+++ b/policy/modules/contrib/vnstatd.te
@@ -1,4 +1,4 @@
-policy_module(vnstatd, 1.0.1)
+policy_module(vnstatd, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/vpn.te b/policy/modules/contrib/vpn.te
index 9329eae..95b26d1 100644
--- a/policy/modules/contrib/vpn.te
+++ b/policy/modules/contrib/vpn.te
@@ -1,4 +1,4 @@
-policy_module(vpn, 1.15.1)
+policy_module(vpn, 1.16.0)
########################################
#
diff --git a/policy/modules/contrib/w3c.te b/policy/modules/contrib/w3c.te
index bcb76b6..b14d6a9 100644
--- a/policy/modules/contrib/w3c.te
+++ b/policy/modules/contrib/w3c.te
@@ -1,4 +1,4 @@
-policy_module(w3c, 1.0.1)
+policy_module(w3c, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/watchdog.te b/policy/modules/contrib/watchdog.te
index 29f79e8..3548317 100644
--- a/policy/modules/contrib/watchdog.te
+++ b/policy/modules/contrib/watchdog.te
@@ -1,4 +1,4 @@
-policy_module(watchdog, 1.7.1)
+policy_module(watchdog, 1.8.0)
#################################
#
diff --git a/policy/modules/contrib/wdmd.te b/policy/modules/contrib/wdmd.te
index ebbdaf6..4815a93 100644
--- a/policy/modules/contrib/wdmd.te
+++ b/policy/modules/contrib/wdmd.te
@@ -1,4 +1,4 @@
-policy_module(wdmd, 1.0.3)
+policy_module(wdmd, 1.1.0)
########################################
#
diff --git a/policy/modules/contrib/webadm.te b/policy/modules/contrib/webadm.te
index 708254f..2a6cae7 100644
--- a/policy/modules/contrib/webadm.te
+++ b/policy/modules/contrib/webadm.te
@@ -1,4 +1,4 @@
-policy_module(webadm, 1.1.1)
+policy_module(webadm, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/webalizer.te b/policy/modules/contrib/webalizer.te
index eab24f6..b6f0641 100644
--- a/policy/modules/contrib/webalizer.te
+++ b/policy/modules/contrib/webalizer.te
@@ -1,4 +1,4 @@
-policy_module(webalizer, 1.12.1)
+policy_module(webalizer, 1.13.0)
########################################
#
diff --git a/policy/modules/contrib/wine.te b/policy/modules/contrib/wine.te
index b51923c..491b87b 100644
--- a/policy/modules/contrib/wine.te
+++ b/policy/modules/contrib/wine.te
@@ -1,4 +1,4 @@
-policy_module(wine, 1.10.1)
+policy_module(wine, 1.11.0)
########################################
#
diff --git a/policy/modules/contrib/wireshark.te b/policy/modules/contrib/wireshark.te
index cf5cab6..ff6ef38 100644
--- a/policy/modules/contrib/wireshark.te
+++ b/policy/modules/contrib/wireshark.te
@@ -1,4 +1,4 @@
-policy_module(wireshark, 2.3.1)
+policy_module(wireshark, 2.4.0)
########################################
#
diff --git a/policy/modules/contrib/wm.te b/policy/modules/contrib/wm.te
index 7c7f7fa..6b4cda6 100644
--- a/policy/modules/contrib/wm.te
+++ b/policy/modules/contrib/wm.te
@@ -1,4 +1,4 @@
-policy_module(wm, 1.2.5)
+policy_module(wm, 1.3.0)
########################################
#
diff --git a/policy/modules/contrib/xen.te b/policy/modules/contrib/xen.te
index ed40676..6f736a9 100644
--- a/policy/modules/contrib/xen.te
+++ b/policy/modules/contrib/xen.te
@@ -1,4 +1,4 @@
-policy_module(xen, 1.12.5)
+policy_module(xen, 1.13.0)
########################################
#
diff --git a/policy/modules/contrib/xfs.te b/policy/modules/contrib/xfs.te
index 0cea2cd..0928c5d 100644
--- a/policy/modules/contrib/xfs.te
+++ b/policy/modules/contrib/xfs.te
@@ -1,4 +1,4 @@
-policy_module(xfs, 1.6.1)
+policy_module(xfs, 1.7.0)
########################################
#
diff --git a/policy/modules/contrib/xguest.te b/policy/modules/contrib/xguest.te
index 2882821..a64aad3 100644
--- a/policy/modules/contrib/xguest.te
+++ b/policy/modules/contrib/xguest.te
@@ -1,4 +1,4 @@
-policy_module(xguest, 1.1.2)
+policy_module(xguest, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/xscreensaver.te b/policy/modules/contrib/xscreensaver.te
index c9c9650..04096a0 100644
--- a/policy/modules/contrib/xscreensaver.te
+++ b/policy/modules/contrib/xscreensaver.te
@@ -1,4 +1,4 @@
-policy_module(xscreensaver, 1.1.1)
+policy_module(xscreensaver, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/yam.te b/policy/modules/contrib/yam.te
index d837e88..2695db2 100644
--- a/policy/modules/contrib/yam.te
+++ b/policy/modules/contrib/yam.te
@@ -1,4 +1,4 @@
-policy_module(yam, 1.4.1)
+policy_module(yam, 1.5.0)
########################################
#
diff --git a/policy/modules/contrib/zabbix.te b/policy/modules/contrib/zabbix.te
index 46e4cd3..7f496c6 100644
--- a/policy/modules/contrib/zabbix.te
+++ b/policy/modules/contrib/zabbix.te
@@ -1,4 +1,4 @@
-policy_module(zabbix, 1.5.3)
+policy_module(zabbix, 1.6.0)
########################################
#
diff --git a/policy/modules/contrib/zarafa.te b/policy/modules/contrib/zarafa.te
index a4479b1..3fded1c 100644
--- a/policy/modules/contrib/zarafa.te
+++ b/policy/modules/contrib/zarafa.te
@@ -1,4 +1,4 @@
-policy_module(zarafa, 1.1.4)
+policy_module(zarafa, 1.2.0)
########################################
#
diff --git a/policy/modules/contrib/zebra.te b/policy/modules/contrib/zebra.te
index b0803c2..2e80d04 100644
--- a/policy/modules/contrib/zebra.te
+++ b/policy/modules/contrib/zebra.te
@@ -1,4 +1,4 @@
-policy_module(zebra, 1.12.1)
+policy_module(zebra, 1.13.0)
########################################
#
diff --git a/policy/modules/contrib/zosremote.te b/policy/modules/contrib/zosremote.te
index 9ba9f81..bc6a5db 100644
--- a/policy/modules/contrib/zosremote.te
+++ b/policy/modules/contrib/zosremote.te
@@ -1,4 +1,4 @@
-policy_module(zosremote, 1.1.1)
+policy_module(zosremote, 1.2.0)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-05-01 18:23 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-05-01 18:23 UTC (permalink / raw
To: gentoo-commits
commit: de0e1dda1d087b718bbd250ab46c24f0a04a713a
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Wed Apr 24 20:14:52 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed May 1 18:21:50 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=de0e1dda
Update Changelog for release.
---
policy/modules/contrib/Changelog | 1071 ++++++++++++++++++++++++++++++++++++++
1 files changed, 1071 insertions(+), 0 deletions(-)
diff --git a/policy/modules/contrib/Changelog b/policy/modules/contrib/Changelog
new file mode 100644
index 0000000..8b9356a
--- /dev/null
+++ b/policy/modules/contrib/Changelog
@@ -0,0 +1,1071 @@
+* Wed Apr 24 2013 Chris PeBenito <selinux@tresys.com> - 2.20130424
+Chris PeBenito (18):
+ Rewrite of mcelog module from Guido Trentalancia
+ Remove unnecessary lines in mcelog.te.
+ Slight rearrangement in mcelog.te.
+ Module version bump for mcelog update from Guido Trentalancia.
+ Module version bump for ntp module fixes from Dominick Grift.
+ Module version bump for fc substitutions optimizations from Sven
+ Vermeulen.
+ Module version bump for postfix/mta misc fixes from Sven Vermeulen.
+ Module version bump for init_daemon_run_dirs usage from Sven Vermeulen.
+ Turn off all tunables by default, from Guido Trentalancia.
+ Module version bump for tunable default change.
+ Module version bump for saslauthd tcp mysql connections from Mika Flueger.
+ Move kernel request line in quota.
+ Module version bump for quota kernel module request from Mika Pflueger.
+ Module version bump for djbdns ports fixes from Russell Coker.
+ Remove stray + in keystone.te.
+ Whitespace fixes in cron.fc.
+ Module version bump for pulseaudio type_transition conflict fix from Sven
+ Vermeulen.
+ Bump module versions for release.
+
+Dominick Grift (889):
+ Initial BIRD Internet Routing Daemon policy
+ oident daemon fixes
+ Introduce ntp_conf_t
+ Allow ntp_admin() to manage ntp_drift_t content.
+ List etc_t directories
+ Use "Role allowed access." for consistency
+ Use permissions sets for compatibility.
+ Remove getattr permision from ntp_admin()
+ Initial Sensord policy module
+ Various block_suspend capability2 support from Fedora
+ Gitolite3 support from Fedora
+ /var/lib/sqlgrey is greylist milter data from Fedora
+ Terminal related fixes for plymouthd from Fedora Support block_suspend
+ capability2 for plymouth
+ Support minimal polkit in new location
+ Support ldap for user authentication from Fedora
+ Sanlock sends kill signals to non-root processes from Fedora Various
+ other capabilities for sanlock from Fedora
+ Initial support for sqlgrey from Fedora
+ Tor reads network sysctls from Fedora
+ GPG agent reads /dev/random from Fedora
+ Freshclam reads system and network state from Fedora
+ Execute wpa_cli in the NetworkManager_t domain for wicd from Fedora
+ lpstat.cups reads fips_enabled from Fedora
+ Initial system tap compile server policy module
+ Systemtap server admin manages stapserver_var_lib_t content
+ Telepathy Idle reads gschemas.compiled from Fedora
+ Initial slpd policy module
+ Initial lightsquid policy module
+ Initial wdmd policy module
+ Initial mailscanner policy module and some depencies.
+ Support slpd log rotation
+ Initial numad policy module
+ Open log files for append only
+ CGClear reads CGConfig files from Fedora Cosmetic changes to cgroup
+ policy module File contexts of cgroup app executables files in
+ /sbin also apply to /usr/sbin Make cgroup_admin() a bit more
+ compact
+ Initial svnserve policy module
+ Various small changes to ucspitcp
+ Initial fcoe policy module
+ Initial lldpad policy module
+ fcoemon sends to lldpad with a dgram socket
+ Initial quantum policy module
+ Initial dspam policy module
+ Module version bump for Telepathy file context spec fixes from Laurent
+ Bigonville.
+ Initial isns policy module
+ Various changes to tcs policy module
+ Initial ctdb policy module
+ Various changes to the sblim policy module and its dependencies
+ Initial polipo policy module
+ Module version bump for networkmanager fixes
+ Fixes to the polipo policy module
+ Module version bump for smartmon fixes from Laurent Bigonville.
+ Module version bump for accountsd file context spec fix from Laurent
+ Bigonville.
+ Various changes to the raid module
+ Module version bump for rtkit file context spec fix from Laurent
+ Bigonville
+ Initial couchdb policy module
+ Changes to the bind policy module
+ Initial dnssectrigger policy module
+ Initial man2html policy module
+ Initial openhpi policy module
+ Bind sends/receives http server instead of client packets conditionally
+ Two file context regular expression fixes by Eric Paris
+ Type mdadm_t is no longer a unconfined type
+ Initial pkcs policy module
+ Initial cfengine policy module
+ Initial keystone policy module
+ Initial l2tp policy module
+ Initial mongodb policy module
+ cfengine whitespace cleanup
+ Changes to the accountsservice policy module
+ Changes to the acct policy module
+ Changes to the ada policy module
+ changes to the afs policy module
+ Changes to the accountsservice policy module
+ Changes to the aiccu policy module
+ Changes to the aide policy module
+ Syntax error in afs_admin()
+ Changes to the aisexec policy module
+ Changes to the alsa policy module
+ Changes to the amanda policy module
+ Changes to the amavisd policy module and relevant dependencies
+ Changes to the amtu policy module
+ Changes to the anaconda policy module
+ Changes to the abrt policy module and relevant dependencies
+ numad sends/receives msgs from Fedora
+ Amtu executable file in installed in /usr/sbin in Fedora
+ The (usr/)? expression does not work consistently so better not use it
+ at all
+ Changes to the httpd policy module
+ Merge branch 'master' of
+ ssh://dgrift@oss.tresys.com/home/git/refpolicy-contrib
+ Fixes to the apache policy module and dependencies
+ Changes to the apcupsd policy module
+ Role attributes for lightsquid application domain
+ Changes to the mailscanner module
+ Changes to the svnserve policy module
+ Changes to the quantum policy module
+ Changes to the dspam module
+ Changes to the ctdb policy module
+ Changes to the couchdb policy module
+ Changes to the openhpid policy module
+ Changes to the keystone policy module
+ Changes to the l2tp policy module
+ Changes to the apm module and relevant dependencies
+ Changes to the arpwatch policy module
+ Changes to the apcupsd policy module
+ Changes to the abrt policy module
+ Changes to the apache policy module
+ Changes to the asterisk policy module and dependencies
+ Changes to the authbind policy module
+ Changes to the automount policy module
+ Change acpid lock file context spec
+ Changes to the avahi policy module and dependencies
+ Changes to the awstats policy module
+ Changes to the bacula policy module
+ Changes to the bcfg2 policy module
+ Changes to the apt policy module
+ Changes to the apache policy module
+ Changes to the backup module
+ Changes to the bind policy module
+ Bird module clean up
+ Fix arpwatch connected_stream_socket_perms
+ Changes to the bitlbee policy module
+ Changes to the blueman policy module
+ Changes to the bluetooth policy module
+ Changes to the brctl policy module
+ Changes to the apache policy module
+ Changes to the bugzilla policy module
+ Changes to the calamaris policy module
+ Implement lightsquid_admin()
+ Changes to the apache policy module and dependencies
+ Initial boinc policy module
+ Initial callweaver policy module
+ Changes to the canna policy module
+ Changes to the ccs policy module
+ Changes to the cdrecord policy module
+ Changes to the certmaster policy module and various role attribute fixes
+ cdrecord needs to read and write callers unix domain stream socket not
+ create it
+ Changes to the certmonger policy module and its dependencies
+ Initial cachefilesd policy module
+ Changes to the certwatch policy module
+ Changes to the chronyd policy module
+ Changes to the cipe policy module
+ Changes to the clamav policy module
+ Various network clean up
+ Add dev_rw_cachefiles() to cachefilesd policy module
+ Changes to the clockspeed policy module
+ Changes to the clogd policy module
+ Changes to the cmirrord policy module
+ Changes to the cobbler policy module
+ Changes to the colord policy module
+ Changes to the comsat policy module
+ Initial collectd policy module
+ Initial condor policy module and relevant dependencies
+ Changes to the consolekit policy module and relevant dependencies
+ Changes to the corosync policy module and relevant dependencies
+ Clean up couchdb network rules
+ Changes to the courier policy module
+ Changes to the cpucontrol policy module
+ Changes to the cpufreqselector policy module
+ Changes to the cron policy module and relevant dependencies
+ Changes to the cups policy module and relevant dependencies
+ Changes to the cvs policy module
+ Remove redundant connect avperms
+ Changes to the cyphesis policy module
+ Remove redundant rules from apache_admin()
+ Changes to the cyrus policy module
+ Changes to the daemontools policy module
+ Changes to the dante policy module
+ Modify dbadm boolean descriptions
+ Changes to the dbus policy module and its dependencies
+ Changes to the dcc policy module
+ Changes to the ddclient policy module
+ Changes to the ddcprobe policy module
+ Changes to the denyhosts policy module
+ Changes to the devicekit policy module and relevant dependencies
+ Changes to the dhcpd policy module
+ Changes tothe dictd policy module
+ Changes to the discc policy module
+ Changes to the djbdns policy module
+ Changes to the dkim policy module
+ Changes to the dmidecode policy module
+ Module bump for Laurent Bigonville trousers init script file context
+ specification fix
+ Module bump for Laurent Bigonville libvirt init script file context
+ specification fix
+ Changes to the dnsmasq policy module and relevant dependencies
+ Changes to the dovecot policy module
+ Changes to the dpkg policy module
+ Changes to the entropyd policy module
+ Changes to the evolution policy module
+ Changes to the exim policy module and relevant dependencies
+ Changes to the cron policy module
+ Changes to the fail2ban policy module
+ fcoemon XML clean up
+ Changes to the fetchmail policy module
+ Changes to the fingerd policy module
+ Initial firewalld policy module
+ Changes to the firstboot policy module
+ Changes to the fprint policy module and relevant dependencies
+ Changes to the ftp module
+ Changes to the games policy module
+ Clean up evolution and cdrecord XML
+ Changes to the gatekeeper policy module
+ Changes to the gift policy module
+ Changes to the git policy module
+ Changes to the gitosis policy module
+ Changes to the glance policy module
+ Initial glusterfs policy module
+ Add gatekeeper newline
+ Deprecate glusterd_admin() use glusterfs_admin() instead
+ Portage module version bump for autofs support by Matthew Thode and
+ clean up
+ cfengine: This location is now labeled with a cfengine private type
+ Changes to the slpd policy module
+ Changes to the gnomeclock policy module and relevant dependencies
+ Changes to the gpg policy module
+ Changes to the gpm policy module
+ Changes to the gpsd policy module and relevant dependencies
+ changes to the guest policy module
+ Changes to the gnomeclock policy module
+ Deprecate various DBUS interfaces and relevant dependencies
+ Changes to the cachefilesd policy module
+ Remove file context specification for kgpg which is a GUI frontend to
+ GPG. Domain transition to gpg_t will happen when kgpg runs gpg.
+ (rhbz#862229)
+ Initial mandb policy module
+ Changes to the hadoop policy module
+ Changes to the hald policy module
+ Changes to the hddtemp policy module
+ Changes to the howl policy module
+ changes to the mandb policy module
+ Changes to the dbus policy module
+ Changes to the rpm policy module
+ Changes to the i18n_input policy module
+ Changes to the icecast policy module
+ Changes to the ifplugd policy module
+ Changes to the imaze policy module
+ Changes to the inetd policy module and relevant dependencies
+ Changes to the innd policy module
+ Changes to the irc policy module
+ Changes to the ircd policy module
+ Changes to the irc policy module
+ Changes to the dbus policy module
+ Changes to the avahi policy module
+ Changes to the bluetooth policy module
+ Changes to the aiccu policy module
+ Changes to the bacula policy module
+ Changes to the boinc policy module
+ Changes to the bugzilla policy module
+ Changes to the ccs policy module
+ Changes to the clamav policy module
+ Changes to the cobbler policy module
+ Changes to the cyphesis policy module
+ Changes to the dante policy module
+ Changes to the dbskk policy module
+ Changes to the ddclient policy module
+ Changes to the denyhosts policy module
+ Changes to the dnssectrigger policy module
+ Changes to the dovecot policy module
+ Changes to the drbd policy module
+ Changes to the evolution policy module
+ Changes to the fail2ban policy module
+ Changes to the firewalld policy module
+ Changes to the firstboot policy module
+ Changes to the games policy module
+ Changes to the gift policy module
+ Changes to the glance policy module
+ Changes to the hald policy module
+ Changes to the dbus policy module
+ Changes to the git policy module
+ Changes to the polipo policy module
+ Changes to the firewalld policy module
+ Changes to the gpg policy module
+ Tab clean up in ircbalance file context file
+ Changes to the irqbalance policy module
+ Tab clean up in iscsi file context file
+ Changes to the iscsi policy module
+ Tab clean up in jabber file context file
+ Changes to the jabberd policy module
+ Changes to the pyicqt policy module
+ Tab clean up in java file context file
+ Changes to the java policy module
+ Changes to the dbus policy module
+ Changes to the gnome policy module
+ Changes to the apache policy module
+ Changes to the accountsd policy module
+ Changes to the alsa policy module
+ Changes to the evolution policy module
+ Changes to the bluetooth policy module
+ Changes to the games policy module
+ Changes to the gift policy module
+ Changes to the gpg policy module
+ Changes to the hadoop policy module
+ Tab clean up in kdump file context file
+ Changes to the kdump policy module
+ Changes to the gpg policy module
+ Changes to the dbus policy module
+ Changes to the evolution policy module
+ Changes to the gpm policy module
+ Version bump for evolution file context fixes by Laurent Bigonville
+ Version bump for nut file context fixes by Laurent Bigonville
+ Changes to the kdumpgui policy module
+ Tab clean up in kerberos file context file
+ Changes to the kerberos policy module and relevant dependencies
+ Changes to the kerneloops policy module
+ Tab clean up in kerberos file context file
+ Changes to the kismet policy module
+ Clean up amavis XML header
+ Initial keyboardd policy module
+ Tab clean up in ksmtuned file context file
+ Changes to the ksmtuned policy module
+ Tab clean up in ktalk file context file
+ Changes to the ktalk policy module
+ Changes to the kudzu policy module
+ Initial iodine policy module
+ Initial dirmngr policy module
+ Changes to the iodine policy module
+ Changes to the kerberos policy module
+ Changes to the kdumpgui policy module
+ Update deprecated interface calls ( gnome_read_config ->
+ gnome_read_generic_home_content )
+ Changes to the mozilla policy module
+ Changes to the thunderbird policy module
+ Changes to the l2tp policy module
+ Tab clean up in ldap file context file
+ Changes to the ldap policy module
+ Tab clean up in likewise file context file
+ Changes to the likewise policy module
+ Tab clean up in lircd file context file
+ Changes to the lircd policy module
+ Changes to the livecd policy module
+ Tab clean up in loadkeys file context file
+ Changes to the loadkeys policy module and relevant dependencies
+ Tab clean up in lockdev file context file
+ Changes to the lockdev policy module
+ Tab clean up in logrotate file context file
+ Changes to the logrotate policy module and relevant dependencies
+ Tab clean up in logwatch file context file
+ Changes to the logrotate policy module
+ Changes to the logwatch policy module
+ Tab clean up in lpd file context file
+ Changes to the lpd policy module
+ Tab clean up in cron policy module
+ Changes to the lpd policy module
+ Changes to the consolekit policy module
+ Tab fix in cron policy module
+ Tab clean up in mailman file context file
+ Changes to the mailman policy module and relevant dependencies
+ Tab clean up in mcelog file context file
+ Changes to the mcelog policy module
+ Tab clean up in mediawiki file context file
+ Mediawiki XML clean up
+ Tab clean up in memcached file context file
+ Changes to the memcached policy module
+ Changes to the apache policy module
+ Tab clean up in milter file context file
+ Changes to the milter policy module and relevant dependencies
+ Changes to the modemmanager policy module
+ Tab clean up in mojomojo file context file
+ Changes to the mojomojo policy module and relevant dependencies
+ Changes to the gpg policy module
+ Changes to the mongodb policy module
+ Changes to the mono policy module
+ Changes to the monop policy module
+ Tab clean up in mozilla file context file
+ Changes to the mozilla policy module and relevant dependencies
+ Changes to the mozilla policy module
+ Changes to the apache policy module
+ Tab clean up in mpd file context file
+ Changes to the mpd policy module
+ Tab clean up in mplayer file context file
+ Changes to the evolution policy module
+ Changes to the mplayer policy module
+ Changes to the irc policy module
+ Tab clean up in mrtg file context file
+ Changes to the mrtg policy module
+ Tab clean up in mta file context file
+ Changes to the mta policy module and relevant dependencies
+ Changes to the mta policy module and relevant dependencies
+ Get rid of mozilla_conf_t as it is unused
+ Changes to the logrotate policy module
+ Changes to the logwatch policy module
+ Changes to the java policy module
+ Changes to the apache module and relevant dependencies
+ Tab clean up in munin file context file
+ Changes to the munin policy module and relevant dependencies
+ Tab clean up in mysql file context file
+ Changes to mysqld policy module
+ Changes to various policy modules
+ Changes to the munin policy module
+ Changes to the dovecot policy module
+ Changes to various policy modules
+ Changes to the mta policy module
+ Changes to the certmonger policy module and relavant dependencies
+ Tab clean up in nagios file context file
+ Changes to the nagios policy module and relevant dependencies
+ Changes to the modutils policy module
+ Tab cleanup in the nessus file context file
+ Changes to the nessus policy module
+ Tab clean up in the network manager file context file
+ Changes to the networkmanager policy module and relevant dependencies
+ Changes to the mozilla policy module
+ Changes to the cobbler policy module
+ Initial rngd policy module
+ Tab clean up in the nis file context file
+ Changes to the nis policy module
+ Tab clean up in the nscd file context file
+ Changes to the nscd policy module
+ Tab clean up in the nsd file context file
+ Changes to the nsd policy module
+ Tab clean up in the nslcd file context file
+ Changes to the nslcd policy module
+ Tab clean up in the ntop file context file
+ Changes to the ntop policy module
+ Tab clean up in the ntp file context file
+ Changes to the ntp policy module
+ Changes to the numad policy module
+ Tab clean up in the nut file context file
+ Changes to the nut policy module
+ Tab clean up in the nx file context file
+ Changes to the nx policy module
+ Changes to the oav policy module
+ Initial obex policy module
+ Tab clean up in the oddjob file context file
+ Tab clean up in gpg policy module
+ Changes to the oddjob policy module
+ Changes to the mozilla policy module
+ Initial pacemaker policy module
+ Tab clean up in the oidentd file context file
+ Changes to the oident policy module
+ Tab clean up in the openca file context file
+ Changes to the openca policy module
+ Tab clean up in the openct file context file
+ Changes to the openct policy module
+ Tab clean up in the openvpn file context file
+ Changes to the openvpn policy module
+ Tab clean up in the pads file context file
+ Changes to the pads policy module
+ Tab clean up in the passenger file context file
+ Changes to the passenger policy module and relevant dependencies
+ Tab clean up in the pcmcia file context file
+ Changes to the pcmcia policy module
+ Tab clean up in the pcscd file context file
+ Changes to the pcscd policy module and relevant dependencies
+ Tab clean up in the pegasus file context file
+ Changes to the pegasus policy module
+ Tab clean up in the perdition file context file
+ Changes to the perdition policy module
+ Tab clean up in the pingd file context file
+ Changes to the pingd policy module
+ Changes to the plymouthd policy module
+ Changes to the mozilla policy module
+ Changes to the plymouth policy module
+ Tab clean up in the podsleuth file context file
+ Changes to the podsleuth policy module
+ Tab clean up in the policykit file context file
+ Changes to the policykit policy module and relevant dependencies
+ Tab clean up in the portage file context file
+ Changes to the portage policy module
+ Tab clean up in the portmap file context file
+ Changes to the portmap policy module
+ Tab clean up in the portreserve file context file
+ Changes to the portreserve policy module
+ Tab clean up in the portslave file context file
+ Changes to the portslave policy module and relevant dependencies
+ Tab clean up in the postfix file context file
+ Changes to the postfix policy module and relevant dependencies
+ Fixes to various policy modules
+ Tab clean up in the postfixpolicyd file context file
+ Changes to the postfixpolicyd policy module
+ Tab clean up in the postgrey file context file
+ Changes to the postgrey policy module
+ Tab clean up in the ppp file context file
+ Changes to the ppp policy module and relevant dependencies
+ Tab clean up in the prelink file context file
+ Changes to the prelink policy module and relevant dependencies
+ Tab clean up in the prelude file context file
+ Changes to the prelude policy module
+ Tab clean up in the privoxy file context file
+ Changes to the privoxy policy module
+ Tab clean up in the procmail file context file
+ Changes to the procmail policy module
+ Tab clean up in the psad file context file
+ Changes to the psad policy module
+ Changes to the ptchown policy module
+ Tab clean up in the publicfile file context file
+ Changes to the publicfile policy module
+ Fix a fatal syntax error in mozilla_plugin_role()
+ Changes to the plymouth policy module
+ Changes to the policykit policy module
+ Module version bump for fixes in shorewall, fail2ban and portage policy
+ modules by Sven Vermeulen
+ Tab clean up in the puppet file context file
+ Changes to ther puppet policy module and relevant dependencies
+ Initial pwauth policy module
+ Tab clean up in the pxe file context file
+ Changes to the pxe policy module
+ Tab clean up in the pyzor file context file
+ Changes to the pyzor policy module
+ Tab clean up in the qemu file context file
+ Changes to the qemu policy module
+ Tab clean up in the virt file context file
+ Changes to the virt policy module and relevant depedencies
+ Changes to the virt policy module
+ Changes to the cron policy module
+ Changes to the qemu policy module
+ Changes to the virt policy module
+ Epylog wants sys_nice and setsched
+ Tab clean up in the qmail file context file
+ Changes to the qmail policy module
+ Tab clean up in the qpid file context file
+ Changes to the qpid policy module
+ Tab clean up in the quota file context file
+ Changes to the quota policy module and relevant dependencies
+ Initial rabbitmq policy module
+ Tab clean up in the radius file context file
+ Changes to the radius policy module
+ Tab clean up in the radvd file context file
+ Changes to the radvd policy module
+ Changes to the raid policy module
+ Tab clean up in the razor file context file
+ Changes to the razor policy module and relevant dependencies
+ Smokeping cgi needs to run ping with a domain transition Remove
+ redundant socket create already provided by
+ sysnet_dns_name_resolve()
+ Changes to the virt policy module
+ Changes to the apache policy module
+ Changes to the gnome policy module
+ Changes to the rdisc policy mpdule
+ Changes to the readahead policy module
+ Changes to the remotelogin policy module
+ Tab clean up in the resmgr file context file
+ Changes to the resmgr policy module
+ Tab clean up in the rgmanager file context file
+ Changes to the rgmanager policy module
+ Initial Realmd policy module and relevant dependencies
+ Fix resmgrd init script file context specification
+ Changes to the cups policy module
+ automount reads overcommit_memory
+ Changes to the networkmanager policy module
+ Freshclam manages amavis spool content
+ Changes to the tftp policy module
+ Changes to the cobbler policy module
+ Tab clean up in the rhcs file context file
+ Changes to the rhcs policy module and relevant dependencies
+ Tab clean up in the rhgb file context file
+ Changes to the rhgb policy module
+ Tab clean up in the rhsmcertd file context file
+ Changes to the rhsmcertd policy module
+ Tab clean up in the ricci file context file
+ Changes to the ricci policy module
+ Tab clean up in the rlogin file context file
+ Changes to the rlogin policy module
+ Tab clean up in the roundup file context file
+ Changes to the roundup policy module
+ Changes to the remotelogin policy module
+ Changes to the apache policy module
+ Changes to the awstats policy module
+ fix puppet_admin() need to require types that it uses
+ Replace wrong type in puppet_admin()
+ Fix a syntax error in ricci_domtrans()
+ Catch all rpcbind content in /var/run
+ Changes to the cups policy module
+ Tab clean up in the rpc file context file
+ Changes to the rpc policy module
+ Tab clean up in the rpcbind file context file
+ Changes to the rpcbind policy module
+ Tab clean up in the rpm file context file
+ Changes to the rpm policy module and depedencies
+ Changes to the rshd policy module
+ Changes to the virt policy module
+ Changes to the rssh policy module
+ Tab clean up in the rsync file context file
+ Fix a typo in apache XML
+ Changes to the rsync policy module
+ Changes to the rtkit policy module
+ Tab clean up in the rwho file context file
+ Changes to the rwho policy module
+ Reads /proc/sys/kernel/random/poolsize
+ Tab clean up in the samba file context file
+ Changes to the samba policy module and relevant dependencies
+ Tab clean up in the sambagui file context file
+ Changes to the sambagui policy module
+ Initial firewallgui policy module
+ Tab clean up in the samhain file context file
+ Changes to the samhain policy module
+ Tab clean up in the sanlock file context file
+ Changes to the sanlock policy module and relevant dependencies
+ Tab clean up in the sasl file context file
+ Changes to the sasl policy module
+ Chnages to the sblim policy module
+ Tab clean up in the screen file context file
+ Changes to the screen policy module
+ Tab clean up in the sectoolm file context file
+ Changes to firewallgui policy module
+ Changes to the sectoolm policy module
+ Tab clean up in the sendmail file context file
+ Changes to the sendmail policy module and relevant dependencies
+ Tab clean up in the setroubleshoot file context file
+ Changes to the setroubleshoot policy module
+ Tab clean up in the shorewall file context file
+ Changes to the shorewall policy module
+ Tab clean up in the shutdown file context file
+ Changes to the shutdown policy module and relevant dependencies
+ Tab clean up in the slocate file context file
+ Changes to the slocate policy module and relevant dependencies
+ These domains transition to shutdown domain now so they no longer need
+ direct access
+ Re-add missing network rule in screen policy module
+ fail2ban server sets scheduler
+ shutdown XML clean up
+ libvirtd sets kernel scheduler
+ mongod reads cpuinfo_max_freq
+ Changes to the slrnpull policy module
+ Tab clean up in the smartmon file context file
+ Changes to the smartmon policy module
+ Tab clean up in the smokeping file context file
+ Changes to the smokeping policy module
+ Tab clean up in the smoltclient file context file
+ Changes to the smoltclient policy module
+ Tab clean up in the snmp file context file
+ Changes to the snmp policy module
+ Tab clean up in the snort file context file
+ Changes to the snort policy module
+ Changes to the sosreport policy module and relevant dependencies
+ Tab clean up in the soundserver file context file
+ Changes to the soundserver policy module
+ Tab clean up in the spamassassin file context file
+ Changes to the spamassassin policy module and relevant dependendies
+ spamassassin_role callers create ~/.spamd with the spamd_home_t user
+ home type instead
+ Re-add sys_admin capability that was lost with porting from Fedora
+ Move mailscanner content to mailscanner module
+ Changes to the speedtouch policy module
+ Tab clean up in the squid file context file
+ Changes to the squid policy module
+ Changes to the sssd policy module
+ Tab clean up in the stunnel file context file
+ Changes to the stunnel policy module
+ Tab clean up in the sxid file context file
+ Changes to the sxid policy module
+ Tab clean up in the sysstat file context file
+ Changes to the sysstat policy module
+ Tab clean up in the tcpd file context file
+ Changes to the tcpd policy module
+ Changes to the tcsd policy module
+ Tab clean up in the telepathy file context file
+ Changes to the telepathy policy module
+ Tab clean up in the telnet file context file
+ Changes to the telnet policy module
+ Tab clean up in the tftp file context file
+ Changes to the tftp policy module
+ Tab clean up in the tgtd file context file
+ Changes to the tgtd policy module
+ Tab clean up in the thunderbird file context file
+ Changes to the thunderbird policy module
+ Catch /var/log/cron directory as well
+ Dovecot module version bump for fixes by Sven Vermeulen
+ Portage module version bump for fixes by Sven Vermeulen
+ Cron module version bump for fixes by Sven Vermeulen
+ Changes to the exim policy module
+ Entropyd reads /proc/meminfo
+ Blueman reads tmp_t directories
+ Do not audit attempts by cups config to read tmp_t directories
+ Do not audit attempts by fail2ban to read tmp_t directories
+ Do not audit attempts by firewalld to read tmp_t directories
+ Gnomeclock reads urandom and realtime clock
+ Kdumpctl needs sys_chroot capability
+ Various kdumpgui fixes from Fedora
+ Do not audit attempts by logwatch to read tmp_t directories
+ Catch all alias files
+ Refine aliases file transition with names
+ Realmd dbus chat policykit and networkmanager from Fedora
+ Do not audit attempts by tuned to read tmp_t directories
+ Changes to the timidity policy module
+ Tab clean up in the tmpreaper file context file
+ Changes to the tmpreaper policy module and relevant dependencies
+ Tab clean up in the tor file context file
+ Changes to the tor policy module
+ Changes to the transproxy policy module
+ Tab clean up in the tripwire file context file
+ Changes to the tripwire policy module
+ Tab clean up in the tuned file context file
+ Changes to the tuned policy module
+ Tab clean up in the tvtime file context file
+ Changes to the tvtime policy module
+ Changes to the tzdata policy module
+ Changes to the ucspitcp policy module
+ Tab clean up in the ulogd file context file
+ Changes to the ulogd policy module
+ Tab clean up in the uml file context file
+ Changes to the uml policy module
+ Make it so that irc clients can also get attributes of cifs, nfs, fuse
+ and other file systems
+ Changes to the updfstab policy module
+ Changes to the uptime policy module
+ Tab clean up in the usbmodules file context file
+ Changes to the usbmodule policy module
+ Changes to the usbmuxd policy module
+ Tab clean up in the userhelper file context file
+ Screen sends child terminated signals to all interactive fd domains
+ Changes to the userhelper policy module and relevant dependencies
+ Changes to the virt policy module
+ Module version bump for fail2ban changes by Sven Vermeulen
+ Changes to the rpm policy module
+ fix smartmon init script file context specification
+ Changes to the usernetctl policy module
+ Tab clean up in the uucp file context file
+ Changes to the uucp policy module
+ Changes to the virt policy module
+ Tab clean up in the uuid file context file
+ Changes to the uuidd policy module
+ Tab clean up in the uwimap file context file
+ Changes to the uwimap policy module
+ Tab clean up in the varnishd file context file
+ Changes to the varnishd policy module
+ Changes to the vbetool policy module
+ Tab clean up in the vdagent file context file
+ Changes to the vdagent policy module
+ Tab clean up in the vhostmd file context file
+ Changes to the vhostmd policy module
+ Changes to the vlock policy module
+ Tab clean up in the vmware file context file
+ Changes to the vmware policy module
+ Tab clean up in the vnstatd file context file
+ Changes to the vnstatd policy module
+ Tab clean up in the vpn file context file
+ Changes to the vpnc policy module
+ Tab clean up in the w3c file context file
+ Changes to the w3c policy module
+ Tab clean up in the watchdog file context file
+ Changes to the watchdog policy module
+ Changes to the wdmd policy module
+ Changes to the webadm policy modules
+ Changes to the webalizer policy module
+ White space fix in apache policy module
+ Changes to the wine policy module
+ Tab clean up in the wireshark file context file
+ Changes to the wireshark policy module
+ Tab clean up in the wm file context file
+ Changes to the wm policy module
+ Changes to the inn policy module
+ Move man cache file type to miscfiles
+ Changes to the inn policy module
+ More accurate dbadm boolean descriptions
+ mysql_admin() has access to ~/.my.cnf files
+ Tab clean up in the xen file context file
+ Changes to the xen policy module and relevant dependencies
+ Tab clean up in the xfs file context file
+ Changes to the xfs policy module
+ Changes to the xguest policy module and relevant dependencies
+ Changes to the xprint policy module
+ Changes to the xscreensaver policy module
+ Tab clean up in the yam file context file
+ Changes to the yam policy module
+ Tab clean up in the zabbix file context file
+ Changes to the zabbix policy module
+ Tab clean up in the zarafa file context file
+ Changes to the zarafa policy module
+ Tab clean up in the zebra file context file
+ Changes to the zebra policy module
+ Changes to the zosremote policy module
+ Changes to the mysql policy module
+ Tab clean up in the pulseaudio file context file
+ Changes to the pulseaudio policy module and relevant dependencies
+ Changes to the pulseaudio policy module
+ One chown too many
+ Changes to the mplayer policy module
+ The prelink cron script now runs in its own domain
+ Initial smstools policy module
+ Initial openvswitch policy module and relevant dependencies
+ Reads pcsd pid files
+ Reads random device
+ winbind manages smbd pid sock files from Fedora
+ Changes to the bind policy module
+ CG rules daemon reads all sysctls
+ Runs consoletype and searches nfs state data from Fedora
+ Support munin unbound plugin from Fedora
+ Zabbix sends signals from Fedora
+ Blueman sets scheduler and sends signals from Fedora
+ pcscd_read_pub_files is deprecated, use pcscd_read_pid_files instead
+ Module version bumps for fixes in portage and virt modules by Sven
+ Vermeulen
+ Policy module version bumps for various changes by Sven Vermeulen
+ Changes to the openvpn policy module
+ Module version bumps for various fixes by Sven Vermeulen
+ Changes to the mandb policy module
+ Changes to the tmpreaper policy module
+ Changes to the munin policy module
+ Changes to the rngd policy module
+ Changes to the awstats policy module and relevant dependencies
+ Changes to the apache policy module
+ Changes to various policy modules
+ Changes to the abrt policy module
+ Changes to the passenger policy module and relevant depedencies
+ Changes to the pegagus policy module
+ Changes to the mta policy module
+ Changes to the fetchmail policy module
+ Changes to the bitlbee policy module
+ Changes to the blueman policy module and relevant dependencies
+ Changes to the amavis policy module
+ Changes to the userhelper policy module
+ Changes to the blueman policy module
+ Changes to the squid policy module
+ Changes to the sblim policy module
+ Changes to the kdumpgui policy module
+ Changes to the mailman policy module
+ Changes to the realmd policy module
+ Changes to the raid policy module
+ Changes to the samba policy module
+ Changes to the various policy modules
+ Changes to the snmp policy module
+ Changes to the spamassassin policy module
+ Changes to the sssd policy module
+ Changes to the l2tpd policy module
+ Changes to the shorewall policy module
+ Changes to the xen policy module
+ Changes to the tftp policy modules
+ Changes to the accountsd policy module
+ Changes to the tgtd policy module
+ Changes to the corosync policy module
+ Changes to the kdump policy module
+ Changes to the openvswitch policy module
+ Changes to the mpd policy module
+ Changes to the mozilla policy module
+ Changes to the zarafa policy module
+ Changes to the boinc policy module
+ Changes to the setroubleshoot policy module
+ Changes to the dspam policy module
+ Changes to the rgrmanager policy module and relevant dependencies
+ Changes to the svnserve policy module
+ Changes to the virt policy module
+ Changes to the prelink policy module
+ Changes to the apache policy module
+ Changes to the gnomeclock policy module
+ Changes to various policy modules
+ Changes to the pegagus policy module
+ Changes to the shorewall policy module
+ Changes to the kerberos policy module
+ Changes to the rhcs policy module
+ Changes to the irc policy module
+ Changes to the clamav policy module
+ Changes to the mrtg policy module
+ Changes to the munin policy module
+ Changes to the amavis policy module
+ Changes to the ppp policy module
+ Initial jockey policy module
+ Module version bumps for "several named transition for directories
+ created in /var/run by initscripts" in various modules by Laurent
+ Bigonville
+ Module version bumps for fixes in various modules by Laurent Bigonville
+ Module version bump for changes to the consolekit policy module by
+ Laurent Bigonville
+ Changes to the stunnel policy module
+ Module version bumps for fixes in various modules by Sven Vermeulen
+ Changes to the virt policy module
+ Changes to the apache policy module
+ Changes to the wm policy module
+ Changes to the samba policy module
+ Changes to the certmonger policy module
+ Changes to the mozilla policy module
+ Changes to the corosync policy module
+ Changes to the pacemaker policy module
+ Changes to the tuned policy module
+ Changes to the cups module and relevant dependencies
+ Changes to the rhsmcertd policy module
+ Changes to the lpd policy module
+ Changes to the munin policy module
+ Changes to the ntp policy module
+ Changes to the tor policy module
+ Changes to the firewalld policy module
+ Changes to the dspam policy module
+ Changes to the setroubleshoot policy module
+ Changes to the condor policy module
+ Changes to the kerberos policy module
+ Changes to the passenger policy module
+ Changes to the ppp policy module
+ Changes to the the dkim policy module
+ Changes to the abrt policy module
+ Changes to the lircd policy module
+ Changes to the dkim policy module
+ Changes to the virt policy module
+ Changes to the munin policy module
+ Changes to the dovecot policy module
+ Changes to the cobbler policy module
+ Changes to the userhelper policy module
+ Changes to the logwatch policy module
+ Changes to the wdmd policy module and relevant dependencies
+ Changes to the nscd policy module and relevant dependencies
+ Changes to the dbus policy module
+ Module version bumps for fixes in various policy modules by Laurent
+ Bigonville
+ Changes to the cups policy module
+ Changes to the dbus policy module
+ Changes to the apcupsd policy module
+ Remove redundant net_bind_service capabilities in various modules
+ Changes to the virt policy module
+ Changes to the puppet policy module
+ Module version bumps for fixes in various policy module by Sven
+ Vermeulen
+ Module version bumps for file context fixes in various policy modules by
+ Laurent Bigonville
+ Make httpd_manage_all_user_content() do what it advertises
+ Add more networking rules to mplayer policy module for compatibility
+ Fix fcronsighup file context. Should be crontab_exec_t as per previous
+ spec
+ Module version bumps for changes in various modules by Sven Vermeulen
+ Move asterisk_exec() and modify XML header
+ Consolekit creates /var/run/console directories with a type transition
+ unconditionally
+ Module version bump in consolekit policy module for changes by Sven
+ Vermeulen
+ The imaplogin executable file should be courier_pop_exec_t according to
+ existing file context specification
+ Module version bump for changes to the fail2ban policy module by Sven
+ Vermeulen
+ Modules version bumps for changes in various policy modules by Sven
+ Vermeulen
+
+Laurent Bigonville (28):
+ Add Debian locations for Telepathy connection managers
+ Label telepathy-rakia as telepathy-sofiasip
+ Allow smartd daemon to write in /var/lib/smartmontools directory
+ Add Debian location for smartd daemon initscript
+ Add Debian location for accounts-daemon daemon
+ Add Debian location for rtkit-daemon daemon
+ Add Debian location for tcsd init script
+ Add Debian location for libvirtd init script
+ Add Debian location for evolution executables
+ Add Debian locationis for nut executables and configuration files
+ Add several named transition for directories created in /var/run by
+ initscripts
+ Run packagekit under apt_t context on Debian distribution
+ Add proper label for colord daemon in debian
+ Allow the system dbus to search cgroup directories
+ Allow virtd_t context to read sysctl_crypto_t
+ Allow colord_t context to read sysctl_crypto_t
+ Add proper label for gconfd-2 daemon in Debian
+ Ensure that consolekit can create /var/run/console directory on Debian
+ Properly label nm-dispatcher.action on Debian
+ policykit.fc: Properly label polkit-agent-helper-1 on Debian
+ cups.fc: Properly label cups-pk-helper-mechanism on Debian
+ Allow pcscd the fsetid capability
+ Allow networkmanager_t to read crypto_sysctl_t
+ Allow virsh_t context to read sysctl_crypto_t
+ Allow cupsd_t to read cupsd_log_t
+ gnomeclock.fc: Properly label gsd-datetime-mechanism in Debian
+ ptchown.fc: Properly label pt_chown executable in Debian
+ Label /usr/bin/kvm as qemu_exec_t
+
+Matthew Thode (2):
+ added autofs support and nsswitch support
+ removing refrences to named_var_lib_t as it doesn't exist anymore for
+ bind.if
+
+Mika Pflüger (3):
+ Allow saslauthd_t to talk to mysqld via TCP
+ Quota policy adjustments: * Allow quota_t to load kernel modules
+ Debian locations for dovecot deliver and dovecot auth.
+
+Russell Coker (1):
+ Fix djbdns ports
+
+Sven Vermeulen (75):
+ Update with new substitutions
+ Mark the pid directory as a pid directory
+ Add in transitions for queue types when the queues are created
+ Fix typo in interface postfix_exec_postqueue
+ Allow maildelivery to use dotlock files in the mail spool
+ Allow postfix local to change ownership of mailfiles
+ Use libexec location for postfix binaries
+ Allow initrc_t to create run dirs for contrib modules
+ Update logwatch location in file context
+ Sandbox is an inherent part of the portage inner workings
+ Fix startup issue with fail2ban-client
+ Be able to get output from fail2ban-client
+ Ignore searches when ran from the user home directory
+ Shorewall admins execute shorewall too
+ Shorewall needs sys_admin capability for manipulating network stack
+ Be able to display dovecot errors
+ Remove transition to ldconfig
+ Adding interfaces for handling cron log files
+ Fail2ban client checks state of log files before telling the server
+ Support mysql init script
+ Support initial creation of mysql database files
+ Portage fetch domain needs to access certificates
+ Make samba domtrans optional in virt
+ Fix typo in tunable declaration for fcron_crond
+ Introducing cron_manage_log_files interface
+ Introduce dontaudit interfaces for leaked fd and unix stream sockets
+ Dontaudit attempts by system_mail_t to use leaked fd or stream sockets
+ Support at service
+ Additional postfix admin requirements
+ Reintroduce postfix_var_run_t for pid directory and fowner capability
+ Postfix deferred queue should not mark mails as postfix_spool_maildrop_t
+ Running qemu with SDL support requires more xserver-related privileges
+ Fix typo in clockspeed comment
+ Support openvpn status file
+ Asterisk voicemail messages are generated from tmp
+ Make rtkit calls optional
+ Gentoo installs dovecot certs in /etc/ssl/dovecot
+ Moving sandbox code to sandbox section (v2)
+ Allow sandbox to log violations
+ Use rw_fifo_file_perms
+ Apache should not depend on gpg
+ Named init script creates rundir
+ Add ~/.maildir as a valid maildir destination
+ Support stunnel_read_config for startup
+ Updates on stunnel policy
+ More .maildir fixes
+ Mark make.profile entry as portage_conf_t (v2)
+ Move mta call (coding style)
+ Changes to puppet domain
+ Allow rpc admin to run exportfs
+ Grant sys_admin capability to puppet
+ Puppet module helper scripts are puppet_var_lib_t
+ Support netlink_route_socket creation for puppet
+ Puppet initscript creates /run/puppet
+ Puppet runs statfs against selinuxfs
+ mplayer streams HTTP resources
+ fcron and fcronsighup binaries are moved
+ Asterisk needs to search through logs
+ Denial in mail log on node bind
+ Fix typo in mcelog_admin (missing bracket)
+ Add in contexts for fcron rm.systab and systab.tmp
+ Remove pulseaudio filename_trans conflict
+ Allow asterisk admins to execute asterisk binary directly
+ Support tagfiles for consolekit
+ ConsoleKit needs to read the dbus machine-id
+ File context updates for courier-imap
+ Update on file contexts for OpenLDAP
+ Update on file contexts for wpa_supplicant
+ Allow IRC clients to read certificates
+ Allow reading /proc/self for fail2ban due to FAM support
+ Update file contexts for puppet
+ Support ~/.tmux.conf as tmux configuration file
+ Add setuid/setgid capability to ulogd_t
+ Support tmux control socket
+ Postfix creates defer(red) queue locations
+
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-04-29 18:11 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-04-29 18:11 UTC (permalink / raw
To: gentoo-commits
commit: 4447dcf0e04584911b97f5da7522ab3c3a82ca7f
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon Apr 29 18:10:13 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Apr 29 18:10:13 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=4447dcf0
Remove duplicate definition for wpa_cli (reported by amade)
---
policy/modules/contrib/networkmanager.fc | 1 -
1 files changed, 0 insertions(+), 1 deletions(-)
diff --git a/policy/modules/contrib/networkmanager.fc b/policy/modules/contrib/networkmanager.fc
index e5b2282..7b80c1e 100644
--- a/policy/modules/contrib/networkmanager.fc
+++ b/policy/modules/contrib/networkmanager.fc
@@ -43,4 +43,3 @@
/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
/var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
/var/run/wpa_cli-.* -- gen_context(system_u:object_r:wpa_cli_var_run_t,s0)
-/usr/bin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-04-28 10:01 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-04-28 10:01 UTC (permalink / raw
To: gentoo-commits
commit: f6a909347b12fb523dd3b9b1abf789ca5e1ef446
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Apr 28 10:00:28 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sun Apr 28 10:00:28 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f6a90934
Listing directory contents is allowed when reading user media content
---
policy/modules/contrib/xdg.if | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
diff --git a/policy/modules/contrib/xdg.if b/policy/modules/contrib/xdg.if
index d5d2dda..8d508bd 100644
--- a/policy/modules/contrib/xdg.if
+++ b/policy/modules/contrib/xdg.if
@@ -802,6 +802,7 @@ interface(`xdg_read_videos_home',`
')
read_files_pattern($1, xdg_videos_home_t, xdg_videos_home_t)
+ list_dirs_pattern($1, xdg_videos_home_t, xdg_videos_home_t)
userdom_search_user_home_dirs($1)
')
@@ -822,6 +823,7 @@ interface(`xdg_read_pictures_home',`
')
read_files_pattern($1, xdg_pictures_home_t, xdg_pictures_home_t)
+ list_dirs_pattern($1, xdg_pictures_home_t, xdg_pictures_home_t)
userdom_search_user_home_dirs($1)
')
@@ -842,6 +844,7 @@ interface(`xdg_read_music_home',`
')
read_files_pattern($1, xdg_music_home_t, xdg_music_home_t)
+ list_dirs_pattern($1, xdg_music_home_t, xdg_music_home_t)
userdom_search_user_home_dirs($1)
')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-04-28 9:17 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-04-28 9:17 UTC (permalink / raw
To: gentoo-commits
commit: 54a20ed2fbc51358eb55d87934fb1a28609bd34c
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Apr 21 13:21:27 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sun Apr 21 13:21:27 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=54a20ed2
Dot is special, escape it
---
policy/modules/contrib/chromium.fc | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/policy/modules/contrib/chromium.fc b/policy/modules/contrib/chromium.fc
index 3eb84b9..defd4f1 100644
--- a/policy/modules/contrib/chromium.fc
+++ b/policy/modules/contrib/chromium.fc
@@ -1,6 +1,6 @@
/usr/lib/chromium-browser/chrome -- gen_context(system_u:object_r:chromium_exec_t,s0)
/usr/lib/chromium-browser/chrome_sandbox -- gen_context(system_u:object_r:chromium_sandbox_exec_t,s0)
-/usr/lib/chromium-browser/chromium-launcher.sh -- gen_context(system_u:object_r:chromium_exec_t,s0)
+/usr/lib/chromium-browser/chromium-launcher\.sh -- gen_context(system_u:object_r:chromium_exec_t,s0)
/usr/lib/chromium-browser/nacl_helper_bootstrap -- gen_context(system_u:object_r:chromium_naclhelper_exec_t,s0)
HOME_DIR/\.cache/chromium(/.*)? gen_context(system_u:object_r:chromium_xdg_cache_t,s0)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-04-28 9:17 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-04-28 9:17 UTC (permalink / raw
To: gentoo-commits
commit: cba1b4175829b34b784cdc85b3fe744049bde589
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Apr 28 09:16:34 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sun Apr 28 09:16:34 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=cba1b417
Add xdg media content read interfaces
---
policy/modules/contrib/xdg.if | 60 +++++++++++++++++++++++++++++++++++++++++
1 files changed, 60 insertions(+), 0 deletions(-)
diff --git a/policy/modules/contrib/xdg.if b/policy/modules/contrib/xdg.if
index 06ec2fc..d5d2dda 100644
--- a/policy/modules/contrib/xdg.if
+++ b/policy/modules/contrib/xdg.if
@@ -788,6 +788,66 @@ interface(`xdg_read_downloads_home',`
#########################################
## <summary>
+## Read user video content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`xdg_read_videos_home',`
+ gen_require(`
+ type xdg_videos_home_t;
+ ')
+
+ read_files_pattern($1, xdg_videos_home_t, xdg_videos_home_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+#########################################
+## <summary>
+## Read user pictures content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`xdg_read_pictures_home',`
+ gen_require(`
+ type xdg_pictures_home_t;
+ ')
+
+ read_files_pattern($1, xdg_pictures_home_t, xdg_pictures_home_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+#########################################
+## <summary>
+## Read user music content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`xdg_read_music_home',`
+ gen_require(`
+ type xdg_music_home_t;
+ ')
+
+ read_files_pattern($1, xdg_music_home_t, xdg_music_home_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+#########################################
+## <summary>
## Create downloaded content
## </summary>
## <param name="domain">
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-04-21 7:38 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-04-21 7:38 UTC (permalink / raw
To: gentoo-commits
commit: eb7f4be575141422b672e26de16992cf33cb86a3
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Apr 21 07:37:59 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sun Apr 21 07:37:59 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=eb7f4be5
Mark chromium-launcher as entrypoint
---
policy/modules/contrib/chromium.fc | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/policy/modules/contrib/chromium.fc b/policy/modules/contrib/chromium.fc
index 17bbafb..3eb84b9 100644
--- a/policy/modules/contrib/chromium.fc
+++ b/policy/modules/contrib/chromium.fc
@@ -1,5 +1,6 @@
/usr/lib/chromium-browser/chrome -- gen_context(system_u:object_r:chromium_exec_t,s0)
/usr/lib/chromium-browser/chrome_sandbox -- gen_context(system_u:object_r:chromium_sandbox_exec_t,s0)
+/usr/lib/chromium-browser/chromium-launcher.sh -- gen_context(system_u:object_r:chromium_exec_t,s0)
/usr/lib/chromium-browser/nacl_helper_bootstrap -- gen_context(system_u:object_r:chromium_naclhelper_exec_t,s0)
HOME_DIR/\.cache/chromium(/.*)? gen_context(system_u:object_r:chromium_xdg_cache_t,s0)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-04-19 18:01 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-04-19 18:01 UTC (permalink / raw
To: gentoo-commits
commit: 5a0dbd11713c3d3776646abc51f55ca3e056cb1f
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Apr 19 18:00:31 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Apr 19 18:00:31 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=5a0dbd11
Fix typo, its xdg_music_home_t, not documents again
---
policy/modules/contrib/xdg.te | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/policy/modules/contrib/xdg.te b/policy/modules/contrib/xdg.te
index 96c865c..78c1a0e 100644
--- a/policy/modules/contrib/xdg.te
+++ b/policy/modules/contrib/xdg.te
@@ -33,7 +33,7 @@ type xdg_documents_home_t; # customizable
userdom_user_home_content(xdg_documents_home_t)
type xdg_music_home_t; # customizable
-userdom_user_home_content(xdg_documents_home_t)
+userdom_user_home_content(xdg_music_home_t)
type xdg_pictures_home_t; # customizable
userdom_user_home_content(xdg_pictures_home_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-04-19 15:41 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-04-19 15:41 UTC (permalink / raw
To: gentoo-commits
commit: 00873e74f83c9a33ea64654d5f6668164dd27f69
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Apr 19 15:34:16 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Apr 19 15:38:30 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=00873e74
Add read/create/write interfaces for downloads content
With these interfaces, we can now support the generic set of privileges:
- read (xdg_read_downloads_home)
- write (xdg_create_downloads_home + xdg_write_downloads_home)
- manage (xdg_manage_downloads_home)
---
policy/modules/contrib/chromium.te | 1 +
policy/modules/contrib/xdg.if | 61 ++++++++++++++++++++++++++++++++++++
2 files changed, 62 insertions(+), 0 deletions(-)
diff --git a/policy/modules/contrib/chromium.te b/policy/modules/contrib/chromium.te
index c3c5dab..668e590 100644
--- a/policy/modules/contrib/chromium.te
+++ b/policy/modules/contrib/chromium.te
@@ -159,6 +159,7 @@ xdg_create_config_home_dirs(chromium_t)
xdg_create_data_home_dirs(chromium_t)
xdg_generic_user_home_dir_filetrans_cache_home(chromium_t, dir, ".cache")
xdg_generic_user_home_dir_filetrans_config_home(chromium_t, dir, ".config")
+xdg_manage_downloads_home(chromium_t)
xdg_read_config_home_files(chromium_t)
xdg_read_data_home_files(chromium_t)
diff --git a/policy/modules/contrib/xdg.if b/policy/modules/contrib/xdg.if
index 3613a65..06ec2fc 100644
--- a/policy/modules/contrib/xdg.if
+++ b/policy/modules/contrib/xdg.if
@@ -765,6 +765,67 @@ interface(`xdg_relabel_all_data_home',`
userdom_search_user_home_dirs($1)
')
+
+#########################################
+## <summary>
+## Read downloaded content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`xdg_read_downloads_home',`
+ gen_require(`
+ type xdg_downloads_home_t;
+ ')
+
+ read_files_pattern($1, xdg_downloads_home_t, xdg_downloads_home_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+#########################################
+## <summary>
+## Create downloaded content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`xdg_create_downloads_home',`
+ gen_require(`
+ type xdg_downloads_home_t;
+ ')
+
+ create_files_pattern($1, xdg_downloads_home_t, xdg_downloads_home_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
+#########################################
+## <summary>
+## Write downloaded content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`xdg_write_downloads_home',`
+ gen_require(`
+ type xdg_downloads_home_t;
+ ')
+
+ write_files_pattern($1, xdg_downloads_home_t, xdg_downloads_home_t)
+
+ userdom_search_user_home_dirs($1)
+')
+
#########################################
## <summary>
## Manage downloaded content
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-04-19 15:41 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-04-19 15:41 UTC (permalink / raw
To: gentoo-commits
commit: 5f315f3c2e195ca41605abe29529b8df3ecf8207
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Apr 19 15:40:45 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Apr 19 15:40:45 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=5f315f3c
Allow chromium to write to downloads
---
policy/modules/contrib/chromium.te | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/policy/modules/contrib/chromium.te b/policy/modules/contrib/chromium.te
index 668e590..ec816e4 100644
--- a/policy/modules/contrib/chromium.te
+++ b/policy/modules/contrib/chromium.te
@@ -159,7 +159,8 @@ xdg_create_config_home_dirs(chromium_t)
xdg_create_data_home_dirs(chromium_t)
xdg_generic_user_home_dir_filetrans_cache_home(chromium_t, dir, ".cache")
xdg_generic_user_home_dir_filetrans_config_home(chromium_t, dir, ".config")
-xdg_manage_downloads_home(chromium_t)
+xdg_create_downloads_home(chromium_t)
+xdg_write_downloads_home(chromium_t)
xdg_read_config_home_files(chromium_t)
xdg_read_data_home_files(chromium_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-04-18 19:57 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-04-18 19:57 UTC (permalink / raw
To: gentoo-commits
commit: 3d7cd5e42a6dbcaa6584c19fdadad58fcb6233bb
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Apr 18 19:55:53 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Apr 18 19:55:53 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=3d7cd5e4
Fix bug #466156 - Grant write privileges to squid on its log files
The squid daemon currently seems to require write privileges on the files
(squid_log_t): append no longer cuts it. This is confirmed for both the
cache.log file as well as netdb.state file.
Switching append_files_pattern to write_files_pattern.
---
policy/modules/contrib/squid.te | 10 ++++++++++
1 files changed, 10 insertions(+), 0 deletions(-)
diff --git a/policy/modules/contrib/squid.te b/policy/modules/contrib/squid.te
index 221c560..8ad5645 100644
--- a/policy/modules/contrib/squid.te
+++ b/policy/modules/contrib/squid.te
@@ -238,3 +238,13 @@ optional_policy(`
optional_policy(`
udev_read_db(squid_t)
')
+
+ifdef(`distro_gentoo',`
+ ###################################
+ #
+ # Local policy
+ #
+
+ # Instead of append, see bug #466156
+ write_files_pattern(squid_t, squid_log_t, squid_log_t)
+')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-04-18 19:52 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-04-18 19:52 UTC (permalink / raw
To: gentoo-commits
commit: b56b73b412a1a24e6436ed89e044dbe84e9a07f7
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Apr 18 19:50:21 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Apr 18 19:50:21 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b56b73b4
Run dmidecode after newrole or on terminals
The dmidecode application needs to use the file descriptors owned by newrole_t
when invoked after a newrole (which is common for administrators who first
logged on as staff before switching to sysadm_r).
Grant this through domain_use_interactive_fds(), allowing output for dmidecode
to be displayed on such terminals.
---
policy/modules/contrib/dmidecode.te | 9 +++++++++
1 files changed, 9 insertions(+), 0 deletions(-)
diff --git a/policy/modules/contrib/dmidecode.te b/policy/modules/contrib/dmidecode.te
index c947c2c..7f30dce 100644
--- a/policy/modules/contrib/dmidecode.te
+++ b/policy/modules/contrib/dmidecode.te
@@ -30,3 +30,12 @@ files_list_usr(dmidecode_t)
locallogin_use_fds(dmidecode_t)
userdom_use_user_terminals(dmidecode_t)
+
+ifdef(`distro_gentoo',`
+ ###########################
+ #
+ # Local policy
+ #
+
+ domain_use_interactive_fds(dmidecode_t)
+')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-04-17 20:23 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-04-17 20:23 UTC (permalink / raw
To: gentoo-commits
commit: 11f1036e7ba670cb5afaa3996b6f7ba6ba255cc1
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Apr 17 20:23:03 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Apr 17 20:23:03 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=11f1036e
Merged from upstream, no longer needed in ifdef distro block
---
policy/modules/contrib/asterisk.if | 21 ---------------------
1 files changed, 0 insertions(+), 21 deletions(-)
diff --git a/policy/modules/contrib/asterisk.if b/policy/modules/contrib/asterisk.if
index 58e115d..57e3b8e 100644
--- a/policy/modules/contrib/asterisk.if
+++ b/policy/modules/contrib/asterisk.if
@@ -156,24 +156,3 @@ interface(`asterisk_admin',`
asterisk_exec($1)
')
')
-
-# Gentoo specific stuff but I cannot use ifdef distro_gentoo in interfaces
-
-######################################
-## <summary>
-## Execute asterisk in the caller domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to execute asterisk
-## </summary>
-## </param>
-#
-interface(`asterisk_exec',`
- gen_require(`
- type asterisk_exec_t;
- ')
-
- corecmd_search_bin($1)
- can_exec($1, asterisk_exec_t)
-')
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-04-17 17:50 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-04-17 17:50 UTC (permalink / raw
To: gentoo-commits
commit: 2b7e9b6bd2fdbc4242e14c697df28e3233745df1
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Apr 11 08:34:43 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Apr 17 17:43:34 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=2b7e9b6b
Add setuid/setgid capability to ulogd_t
The ulog daemon, when launched with the "-u" option, will change uid/gid after
it finished its root-required tasks. This is handled in src/ulogd.c. If we do
not allow setuid/setgid, the following errors are displayed and the start-up
fails.
Sun Mar 17 23:53:53 2013 <5> ulogd.c:1184 Changing UID / GID
Sun Mar 17 23:53:53 2013 <8> ulogd.c:1186 can't set GID 245
Reported-by: vespian <vespian <AT> o2.pl>
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
---
policy/modules/contrib/ulogd.te | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/policy/modules/contrib/ulogd.te b/policy/modules/contrib/ulogd.te
index 1d3167c..c3d3af7 100644
--- a/policy/modules/contrib/ulogd.te
+++ b/policy/modules/contrib/ulogd.te
@@ -26,7 +26,7 @@ logging_log_file(ulogd_var_log_t)
# Local policy
#
-allow ulogd_t self:capability { net_admin sys_nice };
+allow ulogd_t self:capability { net_admin setuid setgid sys_nice };
allow ulogd_t self:process setsched;
allow ulogd_t self:netlink_nflog_socket create_socket_perms;
allow ulogd_t self:netlink_socket create_socket_perms;
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-04-17 17:50 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-04-17 17:50 UTC (permalink / raw
To: gentoo-commits
commit: a3b2fc45ae2980c6f56a7c6e48167c7e14723648
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Apr 11 08:34:40 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Apr 17 17:43:31 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=a3b2fc45
Update file contexts for puppet
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
---
policy/modules/contrib/puppet.fc | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)
diff --git a/policy/modules/contrib/puppet.fc b/policy/modules/contrib/puppet.fc
index 04240b0..c97ac6b 100644
--- a/policy/modules/contrib/puppet.fc
+++ b/policy/modules/contrib/puppet.fc
@@ -3,6 +3,10 @@
/etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppet_initrc_exec_t,s0)
/etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0)
+/usr/bin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0)
+/usr/bin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
+/usr/bin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
+
/usr/sbin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0)
/usr/bin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0)
/usr/bin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-04-17 17:50 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-04-17 17:50 UTC (permalink / raw
To: gentoo-commits
commit: d9453ff0df39a28ee259a447bdecddfe51b8ae26
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Apr 11 08:34:41 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Apr 17 17:43:32 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=d9453ff0
Support ~/.tmux.conf as tmux configuration file
The tmux application is similar to screen, and already supported in the policy
as such. Include ~/.tmux.conf as screen_home_t and include the proper transition
when the file is created.
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
---
policy/modules/contrib/screen.fc | 1 +
policy/modules/contrib/screen.if | 1 +
2 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/policy/modules/contrib/screen.fc b/policy/modules/contrib/screen.fc
index 5956221..d5fb7d5 100644
--- a/policy/modules/contrib/screen.fc
+++ b/policy/modules/contrib/screen.fc
@@ -1,5 +1,6 @@
HOME_DIR/\.screen(/.*)? gen_context(system_u:object_r:screen_home_t,s0)
HOME_DIR/\.screenrc -- gen_context(system_u:object_r:screen_home_t,s0)
+HOME_DIR/\.tmux\.conf -- gen_context(system_u:object_r:screen_home_t,s0)
/usr/bin/screen -- gen_context(system_u:object_r:screen_exec_t,s0)
/usr/bin/tmux -- gen_context(system_u:object_r:screen_exec_t,s0)
diff --git a/policy/modules/contrib/screen.if b/policy/modules/contrib/screen.if
index 7bb92d5..c7ffb21 100644
--- a/policy/modules/contrib/screen.if
+++ b/policy/modules/contrib/screen.if
@@ -65,6 +65,7 @@ template(`screen_role_template',`
userdom_user_home_dir_filetrans($3, screen_home_t, dir, ".screen")
userdom_user_home_dir_filetrans($3, screen_home_t, file, ".screenrc")
+ userdom_user_home_dir_filetrans($3, screen_home_t, file, ".tmux.conf")
manage_dirs_pattern($3, screen_var_run_t, screen_var_run_t)
manage_files_pattern($3, screen_var_run_t, screen_var_run_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-04-17 17:50 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-04-17 17:50 UTC (permalink / raw
To: gentoo-commits
commit: 976b0fa49050304d87605bdeb0da0914d65870c9
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Apr 11 08:34:39 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Apr 17 17:43:38 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=976b0fa4
Postfix creates defer(red) queue locations
At startup, the Postfix daemon will check if the defer and deferred queues are
available. If not, it will create them. Introduce the proper file transitions to
support this.
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
---
policy/modules/contrib/postfix.te | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te
index b8c5c15..ee7f937 100644
--- a/policy/modules/contrib/postfix.te
+++ b/policy/modules/contrib/postfix.te
@@ -244,6 +244,8 @@ create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t)
delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
setattr_dirs_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "defer")
+filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "deferred")
filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "maildrop")
create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-04-17 17:50 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-04-17 17:50 UTC (permalink / raw
To: gentoo-commits
commit: 68a52460d5a7edf53e6a71d332c981d4866278fb
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Apr 11 08:34:42 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Apr 17 17:43:36 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=68a52460
Support tmux control socket
The tmux application places its control socket in /tmp/tmux-*. Introduce a
transition from screen_tmp_t (the /tmp/tmux-* directory) towards
screen_var_run_t for socket files.
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
---
policy/modules/contrib/screen.te | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/policy/modules/contrib/screen.te b/policy/modules/contrib/screen.te
index aacdbfc..90185dc 100644
--- a/policy/modules/contrib/screen.te
+++ b/policy/modules/contrib/screen.te
@@ -38,12 +38,13 @@ allow screen_domain self:process signal_perms;
allow screen_domain self:fd use;
allow screen_domain self:fifo_file rw_fifo_file_perms;
allow screen_domain self:tcp_socket { accept listen };
-allow screen_domain self:unix_stream_socket connectto;
+allow screen_domain self:unix_stream_socket { accept connectto listen };
manage_dirs_pattern(screen_domain, screen_tmp_t, screen_tmp_t)
manage_files_pattern(screen_domain, screen_tmp_t, screen_tmp_t)
manage_fifo_files_pattern(screen_domain, screen_tmp_t, screen_tmp_t)
files_tmp_filetrans(screen_domain, screen_tmp_t, { file dir })
+filetrans_pattern(screen_domain, screen_tmp_t, screen_var_run_t, sock_file)
manage_fifo_files_pattern(screen_domain, screen_var_run_t, screen_var_run_t)
manage_dirs_pattern(screen_domain, screen_var_run_t, screen_var_run_t)
^ permalink raw reply related [flat|nested] 1958+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2013-04-17 17:50 Sven Vermeulen
0 siblings, 0 replies; 1958+ messages in thread
From: Sven Vermeulen @ 2013-04-17 17:50 UTC (permalink / raw
To: gentoo-commits
commit: de516294cacc9e7b5e56c41583897f680e7905b3
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Wed Apr 17 16:25:09 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Apr 17 17:43:40 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=de516294
Modules version bumps for changes in various policy modules by Sven Vermeulen
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/irc.te | 2 +-
policy/modules/contrib/ldap.te | 2 +-
policy/modules/contrib/networkmanager.te | 2 +-
policy/modules/contrib/postfix.te | 2 +-
policy/modules/contrib/puppet.te | 2 +-
policy/modules/contrib/screen.te | 2 +-
policy/modules/contrib/ulogd.te | 2 +-
7 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/policy/modules/contrib/irc.te b/policy/modules/contrib/irc.te
index a70dd7c..7981a2f 100644
--- a/policy/modules/contrib/irc.te
+++ b/policy/modules/contrib/irc.te
@@ -1,4 +1,4 @@
-policy_module(irc, 2.2.3)
+policy_module(irc, 2.2.4)
########################################
#
diff --git a/policy/modules/contrib/ldap.te b/policy/modules/contrib/ldap.te
index 7968e39..62274d9 100644
--- a/policy/modules/contrib/ldap.te
+++ b/policy/modules/contrib/ldap.te
@@ -1,4 +1,4 @@
-policy_module(ldap, 1.10.2)
+policy_module(ldap, 1.10.3)
########################################
#
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index 2280d85..1a1f3eb 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -1,4 +1,4 @@
-policy_module(networkmanager, 1.14.7)
+policy_module(networkmanager, 1.14.8)
########################################
#
diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te
index ee7f937..5baa885 100644
--- a/policy/modules/contrib/postfix.te
+++ b/policy/modules/contrib/postfix.te
@@ -1,4 +1,4 @@
-policy_module(postfix, 1.14.11)
+policy_module(postfix, 1.14.12)
########################################
#
diff --git a/policy/modules/contrib/puppet.te b/policy/modules/contrib/puppet.te
index 9f89323..dd2dde4 100644
--- a/policy/modules/contrib/puppet.te
+++ b/policy/modules/contrib/puppet.te
@@ -1,4 +1,4 @@
-policy_module(puppet, 1.3.7)
+policy_module(puppet, 1.3.8)
########################################
#
diff --git a/policy/modules/contrib/screen.te b/policy/modules/contrib/screen.te
index 90185dc..0d2bc5f 100644
--- a/policy/modules/contrib/screen.te
+++ b/policy/modules/contrib/screen.te
@@ -1,4 +1,4 @@
-policy_module(screen, 2.5.3)
+policy_module(screen, 2.5.4)
########################################
#
diff --git a/policy/modules/contrib/ulogd.te b/policy/modules/contrib/ulogd.te
index c3d3af7..50ece05 100644
--- a/policy/modules/contrib/ulogd.te
+++ b/policy/modules/contrib/ulogd.te
@@ -1,4 +1,4 @@
-policy_module(ulogd, 1.2.1)
+policy_module(ulogd, 1.2.2)
########################################
#
^ permalink raw reply related [flat|nested] 1958+ messages in thread
end of thread, other threads:[~2022-12-13 20:55 UTC | newest]
Thread overview: 1958+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-08-13 18:32 [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/ Jason Zaman
2016-08-13 18:35 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
-- strict thread matches above, loose matches on Subject: below --
2022-12-13 20:55 [gentoo-commits] proj/hardened-refpolicy:master " Kenton Groombridge
2022-10-12 13:35 [gentoo-commits] proj/hardened-refpolicy:concord-dev " Kenton Groombridge
2022-09-03 20:04 ` [gentoo-commits] proj/hardened-refpolicy:master " Kenton Groombridge
2022-09-03 20:04 Kenton Groombridge
2018-07-12 14:37 Jason Zaman
2018-06-24 9:54 Jason Zaman
2018-06-24 8:46 Jason Zaman
2018-06-24 8:46 Jason Zaman
2018-06-24 8:46 Jason Zaman
2018-06-24 8:46 Jason Zaman
2018-06-24 8:46 Jason Zaman
2018-06-24 8:46 Jason Zaman
2018-06-24 8:46 Jason Zaman
2018-06-24 8:46 Jason Zaman
2018-06-24 8:46 Jason Zaman
2018-06-24 8:46 Jason Zaman
2018-06-24 8:46 Jason Zaman
2018-06-24 8:46 Jason Zaman
2018-06-24 8:46 Jason Zaman
2018-06-24 8:46 Jason Zaman
2018-06-24 8:46 Jason Zaman
2018-06-09 5:24 Jason Zaman
2018-06-09 5:24 Jason Zaman
2018-06-09 5:24 Jason Zaman
2018-06-09 5:24 Jason Zaman
2018-06-09 5:24 Jason Zaman
2018-04-22 14:07 Jason Zaman
2018-04-22 12:00 Jason Zaman
2018-04-22 12:00 Jason Zaman
2018-04-22 12:00 Jason Zaman
2018-04-22 12:00 Jason Zaman
2018-04-22 12:00 Jason Zaman
2018-04-22 12:00 Jason Zaman
2018-04-22 12:00 Jason Zaman
2018-04-22 12:00 Jason Zaman
2018-04-22 12:00 Jason Zaman
2018-04-22 12:00 Jason Zaman
2018-04-22 12:00 Jason Zaman
2018-04-22 12:00 Jason Zaman
2018-04-22 12:00 Jason Zaman
2018-04-22 12:00 Jason Zaman
2018-04-22 12:00 Jason Zaman
2018-04-22 12:00 Jason Zaman
2018-04-22 12:00 Jason Zaman
2018-04-22 12:00 Jason Zaman
2018-04-22 12:00 Jason Zaman
2018-04-22 12:00 Jason Zaman
2018-04-22 12:00 Jason Zaman
2018-04-12 11:57 Jason Zaman
2018-03-25 10:29 Sven Vermeulen
2018-03-25 10:29 Sven Vermeulen
2018-03-25 10:29 Sven Vermeulen
2018-03-25 10:29 Sven Vermeulen
2018-03-25 10:29 Sven Vermeulen
2018-03-25 10:29 Sven Vermeulen
2018-03-25 10:29 Sven Vermeulen
2018-03-25 10:29 Sven Vermeulen
2018-03-25 10:29 Sven Vermeulen
2018-03-25 10:29 Sven Vermeulen
2018-02-18 11:30 Jason Zaman
2018-02-18 11:30 Jason Zaman
2018-01-18 16:37 Sven Vermeulen
2018-01-18 16:37 Sven Vermeulen
2018-01-18 16:37 Sven Vermeulen
2018-01-18 16:37 Sven Vermeulen
2018-01-18 16:37 Sven Vermeulen
2018-01-18 16:37 Sven Vermeulen
2018-01-18 16:37 Sven Vermeulen
2018-01-18 16:37 Sven Vermeulen
2018-01-18 16:37 Sven Vermeulen
2018-01-18 16:37 Sven Vermeulen
2018-01-18 16:37 Sven Vermeulen
2018-01-18 16:37 Sven Vermeulen
2018-01-18 16:37 Sven Vermeulen
2017-12-23 15:58 Jason Zaman
2017-12-23 15:58 Jason Zaman
2017-12-23 15:58 Jason Zaman
2017-12-23 15:58 Jason Zaman
2017-12-14 5:15 Jason Zaman
2017-12-14 5:15 Jason Zaman
2017-12-14 5:15 Jason Zaman
2017-12-14 5:15 Jason Zaman
2017-12-14 5:15 Jason Zaman
2017-12-14 5:15 Jason Zaman
2017-12-14 5:15 Jason Zaman
2017-12-14 5:15 Jason Zaman
2017-12-13 10:34 Jason Zaman
2017-12-12 7:59 Jason Zaman
2017-12-12 7:59 Jason Zaman
2017-12-12 7:59 Jason Zaman
2017-12-12 7:59 Jason Zaman
2017-12-12 7:59 Jason Zaman
2017-12-12 7:59 Jason Zaman
2017-12-12 7:59 Jason Zaman
2017-12-12 7:59 Jason Zaman
2017-12-12 7:59 Jason Zaman
2017-12-12 7:59 Jason Zaman
2017-12-12 7:59 Jason Zaman
2017-12-12 7:59 Jason Zaman
2017-12-12 7:59 Jason Zaman
2017-12-12 7:59 Jason Zaman
2017-11-17 14:59 Jason Zaman
2017-11-17 14:59 Jason Zaman
2017-11-17 14:59 Jason Zaman
2017-11-17 14:59 Jason Zaman
2017-11-05 8:01 Jason Zaman
2017-11-05 8:01 Jason Zaman
2017-11-05 8:01 Jason Zaman
2017-11-05 8:01 Jason Zaman
2017-11-05 8:01 Jason Zaman
2017-10-31 5:40 Jason Zaman
2017-10-31 5:40 Jason Zaman
2017-10-31 5:40 Jason Zaman
2017-10-31 5:40 Jason Zaman
2017-10-31 5:40 Jason Zaman
2017-10-31 5:40 Jason Zaman
2017-10-30 15:07 Jason Zaman
2017-10-30 15:07 Jason Zaman
2017-10-30 15:07 Jason Zaman
2017-10-29 20:42 Jason Zaman
2017-10-29 20:42 Jason Zaman
2017-10-29 20:42 Jason Zaman
2017-10-29 20:42 Jason Zaman
2017-10-29 20:42 Jason Zaman
2017-10-29 20:42 Jason Zaman
2017-10-29 20:42 Jason Zaman
2017-09-17 4:21 Jason Zaman
2017-09-17 4:21 Jason Zaman
2017-09-17 4:21 Jason Zaman
2017-09-17 4:21 Jason Zaman
2017-09-17 4:21 Jason Zaman
2017-09-17 4:21 Jason Zaman
2017-09-15 17:19 Jason Zaman
2017-09-15 3:42 Jason Zaman
2017-09-15 3:42 Jason Zaman
2017-09-15 3:42 Jason Zaman
2017-09-15 3:42 Jason Zaman
2017-09-15 3:42 Jason Zaman
2017-09-15 3:42 Jason Zaman
2017-09-15 3:42 Jason Zaman
2017-09-15 3:42 Jason Zaman
2017-09-15 3:42 Jason Zaman
2017-09-15 3:42 Jason Zaman
2017-09-15 3:42 Jason Zaman
2017-09-15 3:42 Jason Zaman
2017-09-15 3:42 Jason Zaman
2017-09-15 3:42 Jason Zaman
2017-09-15 3:42 Jason Zaman
2017-09-15 3:42 Jason Zaman
2017-09-15 3:42 Jason Zaman
2017-09-15 3:42 Jason Zaman
2017-09-15 3:42 Jason Zaman
2017-09-15 3:42 Jason Zaman
2017-09-15 3:42 Jason Zaman
2017-09-15 3:42 Jason Zaman
2017-09-15 3:42 Jason Zaman
2017-09-15 3:42 Jason Zaman
2017-09-09 2:43 Jason Zaman
2017-09-09 2:43 Jason Zaman
2017-09-09 2:43 Jason Zaman
2017-09-09 2:43 Jason Zaman
2017-09-09 2:43 Jason Zaman
2017-09-09 2:43 Jason Zaman
2017-09-09 2:43 Jason Zaman
2017-09-09 2:43 Jason Zaman
2017-09-09 2:43 Jason Zaman
2017-09-09 2:43 Jason Zaman
2017-09-09 2:43 Jason Zaman
2017-09-09 2:43 Jason Zaman
2017-09-09 2:43 Jason Zaman
2017-09-09 2:43 Jason Zaman
2017-09-09 2:43 Jason Zaman
2017-09-09 2:43 Jason Zaman
2017-09-09 2:43 Jason Zaman
2017-06-13 8:25 Jason Zaman
2017-06-13 8:25 Jason Zaman
2017-06-13 8:25 Jason Zaman
2017-06-13 8:25 Jason Zaman
2017-06-13 8:25 Jason Zaman
2017-06-13 8:25 Jason Zaman
2017-06-13 8:25 Jason Zaman
2017-06-13 8:25 Jason Zaman
2017-06-13 8:25 Jason Zaman
2017-06-13 8:25 Jason Zaman
2017-06-13 8:25 Jason Zaman
2017-06-13 8:25 Jason Zaman
2017-06-05 17:25 Jason Zaman
2017-06-05 17:25 Jason Zaman
2017-06-05 17:25 Jason Zaman
2017-06-05 17:25 Jason Zaman
2017-06-05 17:25 Jason Zaman
2017-06-05 17:25 Jason Zaman
2017-06-05 17:25 Jason Zaman
2017-06-05 17:25 Jason Zaman
2017-06-05 17:25 Jason Zaman
2017-06-05 17:25 Jason Zaman
2017-06-05 17:25 Jason Zaman
2017-06-05 17:25 Jason Zaman
2017-06-05 17:25 Jason Zaman
2017-06-05 17:25 Jason Zaman
2017-06-05 17:25 Jason Zaman
2017-06-05 17:25 Jason Zaman
2017-06-05 17:25 Jason Zaman
2017-06-05 17:25 Jason Zaman
2017-05-25 17:04 Jason Zaman
2017-05-25 16:43 Jason Zaman
2017-05-25 16:43 Jason Zaman
2017-05-25 16:43 Jason Zaman
2017-05-25 16:43 Jason Zaman
2017-05-25 16:43 Jason Zaman
2017-05-25 16:43 Jason Zaman
2017-05-25 16:43 Jason Zaman
2017-05-25 16:43 Jason Zaman
2017-05-18 17:03 Sven Vermeulen
2017-05-18 17:03 Sven Vermeulen
2017-05-18 17:03 Sven Vermeulen
2017-05-18 17:03 Sven Vermeulen
2017-05-18 17:02 [gentoo-commits] proj/hardened-refpolicy:swift " Sven Vermeulen
2017-05-18 17:03 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
2017-05-18 17:02 [gentoo-commits] proj/hardened-refpolicy:swift " Sven Vermeulen
2017-05-18 17:03 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
2017-05-07 17:47 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2017-05-07 17:41 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2017-05-07 17:47 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2017-05-07 16:09 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2017-05-07 17:47 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2017-05-07 16:09 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2017-05-07 17:41 Jason Zaman
2017-05-07 16:09 Jason Zaman
2017-05-07 16:09 Jason Zaman
2017-05-07 16:09 Jason Zaman
2017-05-07 16:09 Jason Zaman
2017-05-07 16:09 Jason Zaman
2017-05-07 16:09 Jason Zaman
2017-04-30 14:20 Jason Zaman
2017-04-30 14:20 Jason Zaman
2017-04-30 14:20 Jason Zaman
2017-04-30 14:20 Jason Zaman
2017-04-30 14:20 Jason Zaman
2017-04-30 14:20 Jason Zaman
2017-04-30 14:20 Jason Zaman
2017-04-30 14:20 Jason Zaman
2017-04-30 14:20 Jason Zaman
2017-04-30 14:20 Jason Zaman
2017-04-30 14:20 Jason Zaman
2017-04-30 14:20 Jason Zaman
2017-04-30 14:20 Jason Zaman
2017-04-30 14:20 Jason Zaman
2017-04-30 14:20 Jason Zaman
2017-04-30 14:20 Jason Zaman
2017-04-30 14:20 Jason Zaman
2017-04-30 14:19 Jason Zaman
2017-04-30 14:19 Jason Zaman
2017-04-30 14:19 Jason Zaman
2017-04-30 14:19 Jason Zaman
2017-04-30 14:19 Jason Zaman
2017-04-30 14:19 Jason Zaman
2017-04-30 9:40 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2017-04-30 9:32 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2017-04-30 9:40 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2017-04-30 9:32 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2017-04-30 9:40 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2017-04-30 9:32 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2017-04-30 9:40 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2017-04-30 9:32 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2017-04-30 9:40 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2017-04-30 9:32 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2017-04-30 9:40 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2017-04-30 9:32 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2017-04-30 9:32 Jason Zaman
2017-04-30 9:32 Jason Zaman
2017-04-30 9:32 Jason Zaman
2017-04-30 9:32 Jason Zaman
2017-04-30 9:32 Jason Zaman
2017-04-30 9:32 Jason Zaman
2017-04-30 9:32 Jason Zaman
2017-04-30 9:32 Jason Zaman
2017-04-30 9:32 Jason Zaman
2017-04-30 9:32 Jason Zaman
2017-04-30 9:32 Jason Zaman
2017-04-30 9:32 Jason Zaman
2017-04-30 9:32 Jason Zaman
2017-04-30 9:32 Jason Zaman
2017-04-30 9:32 Jason Zaman
2017-04-30 9:32 Jason Zaman
2017-04-30 9:32 Jason Zaman
2017-04-30 9:32 Jason Zaman
2017-04-10 16:59 Sven Vermeulen
2017-04-10 16:59 Sven Vermeulen
2017-03-30 17:09 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2017-03-30 17:06 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2017-03-30 17:09 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2017-03-30 17:06 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2017-03-30 17:09 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2017-03-30 17:06 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2017-03-30 17:09 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2017-03-30 17:06 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2017-03-30 17:09 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2017-03-30 17:06 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2017-03-30 17:06 Jason Zaman
2017-03-30 17:06 Jason Zaman
2017-03-30 17:06 Jason Zaman
2017-03-30 17:06 Jason Zaman
2017-03-30 17:06 Jason Zaman
2017-03-30 17:06 Jason Zaman
2017-03-30 17:06 Jason Zaman
2017-03-30 17:06 Jason Zaman
2017-03-30 17:06 Jason Zaman
2017-03-30 17:06 Jason Zaman
2017-03-30 17:06 Jason Zaman
2017-03-30 17:06 Jason Zaman
2017-03-30 17:06 Jason Zaman
2017-03-16 8:18 Jason Zaman
2017-02-27 11:40 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2017-02-27 10:50 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2017-02-27 11:40 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2017-02-27 10:50 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2017-02-27 10:50 Jason Zaman
2017-02-25 16:58 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2017-02-25 16:58 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2017-02-25 16:58 Jason Zaman
2017-02-25 15:28 Jason Zaman
2017-02-25 14:59 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2017-02-25 14:51 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2017-02-25 14:59 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2017-02-25 14:51 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2017-02-25 14:59 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2017-02-25 14:51 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2017-02-25 14:59 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2017-02-25 14:51 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2017-02-25 14:59 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2017-02-25 14:51 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2017-02-25 14:51 Jason Zaman
2017-02-25 14:51 Jason Zaman
2017-02-25 14:51 Jason Zaman
2017-02-21 8:42 Jason Zaman
2017-02-21 8:42 Jason Zaman
2017-02-21 8:42 Jason Zaman
2017-02-21 7:11 Jason Zaman
2017-02-21 7:11 Jason Zaman
2017-02-21 7:11 Jason Zaman
2017-02-21 7:11 Jason Zaman
2017-02-21 7:11 Jason Zaman
2017-02-21 7:11 Jason Zaman
2017-02-21 7:11 Jason Zaman
2017-02-21 7:11 Jason Zaman
2017-02-21 7:11 Jason Zaman
2017-02-17 8:50 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2017-02-17 8:44 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2017-02-17 8:50 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2017-02-17 8:44 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2017-02-17 8:50 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2017-02-17 8:44 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2017-02-17 8:50 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2017-02-17 8:44 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2017-02-17 8:50 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2017-02-17 8:44 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2017-02-17 8:50 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2017-02-17 8:44 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2017-02-17 8:44 Jason Zaman
2017-02-17 8:44 Jason Zaman
2017-02-17 8:44 Jason Zaman
2017-02-17 8:44 Jason Zaman
2017-02-17 8:44 Jason Zaman
2017-02-17 8:44 Jason Zaman
2017-02-16 11:34 Jason Zaman
2017-02-16 11:34 Jason Zaman
2017-02-05 15:13 [gentoo-commits] proj/hardened-refpolicy:usrmerge " Jason Zaman
2017-02-16 11:34 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2017-02-05 6:29 Jason Zaman
2017-02-05 6:29 Jason Zaman
2017-01-25 11:59 Jason Zaman
2017-01-25 11:59 Jason Zaman
2017-01-25 11:59 Jason Zaman
2017-01-23 15:44 Jason Zaman
2017-01-23 15:44 Jason Zaman
2017-01-23 15:44 Jason Zaman
2017-01-23 15:44 Jason Zaman
2017-01-13 18:43 Sven Vermeulen
2017-01-13 18:43 Sven Vermeulen
2017-01-13 18:43 Sven Vermeulen
2017-01-13 18:43 Sven Vermeulen
2017-01-13 18:43 Sven Vermeulen
2017-01-13 18:43 Sven Vermeulen
2017-01-13 18:43 Sven Vermeulen
2016-12-11 15:05 Jason Zaman
2016-12-11 15:05 Jason Zaman
2016-12-11 15:05 Jason Zaman
2016-12-11 15:05 Jason Zaman
2016-12-08 5:03 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2016-12-08 4:47 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2016-12-08 4:47 Jason Zaman
2016-12-06 15:10 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2016-12-06 15:21 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2016-12-06 14:25 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2016-12-06 14:21 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2016-12-06 14:25 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2016-12-06 13:39 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2016-12-06 14:25 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2016-12-06 13:39 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2016-12-06 14:25 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2016-12-06 13:39 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2016-12-06 14:21 Jason Zaman
2016-12-06 13:39 Jason Zaman
2016-12-06 13:39 Jason Zaman
2016-12-06 13:39 Jason Zaman
2016-12-06 13:39 Jason Zaman
2016-12-06 13:39 Jason Zaman
2016-12-06 13:39 Jason Zaman
2016-12-06 13:39 Jason Zaman
2016-12-06 13:39 Jason Zaman
2016-12-06 13:39 Jason Zaman
2016-10-26 17:28 Jason Zaman
2016-10-26 17:28 Jason Zaman
2016-10-24 16:56 Sven Vermeulen
2016-10-24 16:03 [gentoo-commits] proj/hardened-refpolicy:next " Sven Vermeulen
2016-10-24 16:02 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
2016-10-24 16:02 [gentoo-commits] proj/hardened-refpolicy:swift " Sven Vermeulen
2016-10-24 16:02 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
2016-10-24 16:02 [gentoo-commits] proj/hardened-refpolicy:swift " Sven Vermeulen
2016-10-24 16:02 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
2016-10-24 16:02 [gentoo-commits] proj/hardened-refpolicy:swift " Sven Vermeulen
2016-10-24 16:02 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
2016-10-24 16:02 Sven Vermeulen
2016-10-03 6:26 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2016-10-03 6:20 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2016-10-03 6:26 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2016-10-03 6:20 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2016-10-03 6:26 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2016-10-03 6:20 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2016-10-03 6:26 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2016-10-03 6:20 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2016-10-03 6:26 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2016-10-03 6:20 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2016-10-03 6:26 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2016-10-03 6:20 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2016-10-03 6:26 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2016-10-03 6:20 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2016-10-03 6:26 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2016-10-03 6:20 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2016-10-03 6:26 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2016-10-03 6:20 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2016-10-03 6:20 Jason Zaman
2016-10-03 6:20 Jason Zaman
2016-10-03 6:20 Jason Zaman
2016-10-03 6:20 Jason Zaman
2016-10-03 6:20 Jason Zaman
2016-10-03 6:20 Jason Zaman
2016-10-03 6:20 Jason Zaman
2016-08-31 16:38 Jason Zaman
2016-08-31 16:38 Jason Zaman
2016-08-31 16:38 Jason Zaman
2016-08-17 16:59 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2016-08-17 16:59 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2016-08-17 16:59 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2016-08-17 16:59 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2016-08-17 16:59 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2016-08-17 16:59 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2016-08-17 16:59 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2016-08-17 16:59 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2016-08-17 16:59 Jason Zaman
2016-08-17 16:59 Jason Zaman
2016-08-17 16:59 Jason Zaman
2016-08-13 18:35 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2016-08-13 18:32 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2016-08-13 18:35 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2016-08-13 18:32 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2016-08-13 18:35 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2016-08-13 18:32 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2016-08-13 18:35 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2016-08-13 18:32 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2016-08-13 18:35 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2016-08-13 18:32 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2016-08-13 18:35 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2016-08-13 18:32 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2016-08-13 18:35 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2016-08-13 18:32 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2016-08-13 18:35 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2016-08-13 18:32 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2016-08-13 18:32 Jason Zaman
2016-08-13 18:32 Jason Zaman
2016-08-13 18:32 Jason Zaman
2016-08-13 18:32 Jason Zaman
2016-08-13 18:32 Jason Zaman
2016-07-31 10:38 Sven Vermeulen
2016-07-31 10:38 Sven Vermeulen
2016-07-03 11:34 [gentoo-commits] proj/hardened-refpolicy:swift " Sven Vermeulen
2016-07-03 11:33 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
2016-07-03 11:34 [gentoo-commits] proj/hardened-refpolicy:swift " Sven Vermeulen
2016-07-03 11:33 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
2016-07-03 11:34 [gentoo-commits] proj/hardened-refpolicy:swift " Sven Vermeulen
2016-07-03 11:33 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
2016-07-03 11:34 [gentoo-commits] proj/hardened-refpolicy:swift " Sven Vermeulen
2016-06-04 11:01 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
2016-07-03 11:33 Sven Vermeulen
2016-07-03 11:33 Sven Vermeulen
2016-07-03 11:33 Sven Vermeulen
2016-06-02 8:43 Jason Zaman
2016-06-02 6:32 Jason Zaman
2016-06-02 6:32 Jason Zaman
2016-06-02 6:32 Jason Zaman
2016-06-02 6:32 Jason Zaman
2016-06-02 6:32 Jason Zaman
2016-06-02 6:32 Jason Zaman
2016-06-02 6:32 Jason Zaman
2016-06-02 6:32 Jason Zaman
2016-06-02 6:32 Jason Zaman
2016-06-02 6:32 Jason Zaman
2016-06-02 6:32 Jason Zaman
2016-06-02 6:32 Jason Zaman
2016-05-13 5:37 Jason Zaman
2016-04-01 17:48 Sven Vermeulen
2016-03-23 18:36 Jason Zaman
2016-03-23 18:36 Jason Zaman
2016-03-23 17:45 Jason Zaman
2016-03-11 18:50 Jason Zaman
2016-03-11 18:50 Jason Zaman
2016-03-11 17:20 Jason Zaman
2016-03-11 17:20 Jason Zaman
2016-03-11 17:20 Jason Zaman
2016-03-11 17:20 Jason Zaman
2016-03-11 17:20 Jason Zaman
2016-03-11 17:20 Jason Zaman
2016-03-11 17:20 Jason Zaman
2016-02-13 7:23 Jason Zaman
2016-02-12 3:51 Jason Zaman
2016-02-12 3:51 Jason Zaman
2016-02-12 3:51 Jason Zaman
2016-02-12 3:51 Jason Zaman
2016-02-12 3:51 Jason Zaman
2016-02-12 3:51 Jason Zaman
2016-02-12 3:51 Jason Zaman
2016-02-12 3:51 Jason Zaman
2016-02-12 3:51 Jason Zaman
2016-02-12 3:51 Jason Zaman
2016-02-12 3:51 Jason Zaman
2016-01-30 17:21 Jason Zaman
2016-01-30 17:21 Jason Zaman
2015-12-19 3:15 Jason Zaman
2015-12-17 18:49 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-12-17 16:10 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-12-17 18:49 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-12-17 16:10 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-12-17 18:49 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-12-17 16:10 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-12-17 18:49 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-12-17 16:10 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-12-17 18:49 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-12-17 16:10 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-12-17 18:49 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-12-17 16:10 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-12-17 18:49 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-12-17 16:10 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-12-17 18:49 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-12-17 16:10 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-12-17 18:49 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-12-17 16:10 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-12-17 18:49 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-12-17 16:10 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-12-17 16:10 Jason Zaman
2015-12-17 16:10 Jason Zaman
2015-12-17 16:10 Jason Zaman
2015-12-17 16:10 Jason Zaman
2015-12-17 16:10 Jason Zaman
2015-12-17 16:10 Jason Zaman
2015-11-23 13:42 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-11-23 13:41 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-11-22 12:31 Sven Vermeulen
2015-11-22 10:14 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-11-23 13:41 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-11-22 10:14 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-11-23 13:41 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-10-26 5:48 Jason Zaman
2015-10-26 5:48 Jason Zaman
2015-10-26 5:36 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-10-26 5:48 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-10-22 13:44 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-10-22 13:44 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-10-17 17:02 Jason Zaman
2015-10-17 17:02 Jason Zaman
2015-10-17 17:02 Jason Zaman
2015-10-17 17:02 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-10-17 17:02 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-10-11 10:48 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-09-20 7:00 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-10-11 10:48 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-09-20 7:00 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-09-20 7:00 Jason Zaman
2015-09-06 11:25 Jason Zaman
2015-09-06 11:25 Jason Zaman
2015-09-06 11:23 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-09-06 11:25 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-09-06 11:23 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-09-06 11:25 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-09-02 14:41 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-09-02 14:41 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-09-02 14:41 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-09-02 3:46 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-08-27 19:52 Jason Zaman
2015-08-27 19:11 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-08-27 19:11 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-08-27 19:11 Jason Zaman
2015-08-27 19:11 Jason Zaman
2015-08-27 19:11 Jason Zaman
2015-08-27 19:11 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-08-27 19:11 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-08-27 19:11 Jason Zaman
2015-08-27 18:58 Jason Zaman
2015-08-27 18:00 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-08-27 18:58 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-08-26 6:46 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-08-23 4:13 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-08-23 4:13 Jason Zaman
2015-08-10 20:46 Sven Vermeulen
2015-08-10 20:46 Sven Vermeulen
2015-08-02 19:06 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-07-31 14:18 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-08-02 19:06 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-07-31 14:18 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-08-02 19:06 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-08-02 19:05 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-08-02 19:06 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-07-31 14:15 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-08-02 19:02 Sven Vermeulen
2015-08-02 18:07 Sven Vermeulen
2015-07-31 14:15 Jason Zaman
2015-07-13 21:45 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-07-13 21:45 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-07-13 21:45 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-07-13 13:02 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-07-13 21:45 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-07-13 21:45 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-07-13 21:45 Jason Zaman
2015-07-13 21:45 Jason Zaman
2015-07-13 20:59 Jason Zaman
2015-07-13 17:42 Sven Vermeulen
2015-07-11 14:09 [gentoo-commits] proj/hardened-refpolicy:swift " Sven Vermeulen
2015-07-01 17:11 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
2015-07-11 14:09 [gentoo-commits] proj/hardened-refpolicy:swift " Sven Vermeulen
2015-07-11 13:43 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
2015-07-11 14:09 [gentoo-commits] proj/hardened-refpolicy:swift " Sven Vermeulen
2015-07-07 14:39 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
2015-07-07 14:12 Sven Vermeulen
2015-07-02 18:07 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-07-02 17:07 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-07-02 18:07 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-07-02 17:07 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-07-02 17:07 Jason Zaman
2015-06-27 15:03 Sven Vermeulen
2015-06-11 16:08 Sven Vermeulen
2015-06-11 16:04 [gentoo-commits] proj/hardened-refpolicy:swift " Sven Vermeulen
2015-06-09 14:04 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
2015-06-09 14:25 Sven Vermeulen
2015-06-09 13:59 Sven Vermeulen
2015-06-09 13:33 Jason Zaman
2015-06-09 13:33 Jason Zaman
2015-05-30 16:15 Jason Zaman
2015-05-30 13:07 Jason Zaman
2015-05-27 20:00 Jason Zaman
2015-05-27 20:00 Jason Zaman
2015-05-25 16:15 Sven Vermeulen
2015-05-22 19:32 Jason Zaman
2015-05-22 19:32 Jason Zaman
2015-05-22 19:32 Jason Zaman
2015-05-22 19:32 Jason Zaman
2015-05-22 19:32 Jason Zaman
2015-05-16 11:31 Sven Vermeulen
2015-05-16 11:13 [gentoo-commits] proj/hardened-refpolicy:swift " Sven Vermeulen
2015-05-16 11:31 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
2015-05-15 13:47 Sven Vermeulen
2015-05-15 13:47 Sven Vermeulen
2015-05-15 13:47 Sven Vermeulen
2015-05-15 13:47 Sven Vermeulen
2015-05-09 12:24 Sven Vermeulen
2015-04-15 15:04 Jason Zaman
2015-04-14 14:55 Jason Zaman
2015-04-13 20:27 Jason Zaman
2015-04-13 20:27 Jason Zaman
2015-04-13 20:27 Jason Zaman
2015-04-13 20:27 Jason Zaman
2015-04-13 20:27 Jason Zaman
2015-04-13 20:27 Jason Zaman
2015-04-13 20:27 Jason Zaman
2015-04-13 20:27 Jason Zaman
2015-04-13 20:27 Jason Zaman
2015-04-11 11:08 Jason Zaman
2015-04-11 10:10 Jason Zaman
2015-04-11 10:07 [gentoo-commits] proj/hardened-refpolicy:nginx " Jason Zaman
2015-04-11 10:10 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-03-29 10:01 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-03-29 9:59 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-03-29 10:01 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-03-29 9:59 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-03-29 10:01 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-03-29 9:59 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-03-29 9:59 Jason Zaman
2015-03-25 16:01 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-03-25 15:55 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-03-25 16:01 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-03-25 15:55 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-03-25 16:01 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-03-25 15:55 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-03-25 16:01 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-03-25 15:55 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-03-25 16:01 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-03-25 15:55 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-03-25 16:01 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-03-25 15:55 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-03-25 15:55 Jason Zaman
2015-02-19 10:46 Sven Vermeulen
2015-02-19 10:46 Sven Vermeulen
2015-02-15 18:06 Sven Vermeulen
2015-02-15 18:03 Sven Vermeulen
2015-02-15 18:00 Sven Vermeulen
2015-02-15 18:00 Sven Vermeulen
2015-01-31 11:22 Sven Vermeulen
2015-01-29 20:53 Sven Vermeulen
2015-01-29 20:53 Sven Vermeulen
2015-01-29 20:53 Sven Vermeulen
2015-01-29 20:53 Sven Vermeulen
2015-01-29 9:12 Jason Zaman
2015-01-29 9:12 Jason Zaman
2015-01-29 8:38 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-01-29 9:12 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-01-29 8:38 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-01-29 9:12 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-01-29 8:38 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-01-29 9:12 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-01-26 5:59 Jason Zaman
2015-01-25 13:45 Sven Vermeulen
2015-01-03 12:21 Sven Vermeulen
2015-01-02 17:22 Sven Vermeulen
2015-01-02 17:22 Sven Vermeulen
2015-01-02 17:22 Sven Vermeulen
2015-01-02 17:22 Sven Vermeulen
2015-01-02 17:22 Sven Vermeulen
2015-01-02 17:22 Sven Vermeulen
2015-01-02 17:22 Sven Vermeulen
2014-12-30 20:46 Sven Vermeulen
2014-12-30 19:57 Sven Vermeulen
2014-12-21 12:49 Jason Zaman
2014-12-20 12:46 Jason Zaman
2014-12-20 12:11 Sven Vermeulen
2014-12-20 12:11 Sven Vermeulen
2014-12-15 19:41 Sven Vermeulen
2014-12-15 18:40 Sven Vermeulen
2014-12-04 1:46 Jason Zaman
2014-12-04 1:46 Jason Zaman
2014-12-04 1:46 Jason Zaman
2014-12-03 12:56 [gentoo-commits] proj/hardened-refpolicy:adminroles " Jason Zaman
2014-12-03 12:54 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2014-12-03 12:56 [gentoo-commits] proj/hardened-refpolicy:adminroles " Jason Zaman
2014-12-03 12:54 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2014-12-03 12:56 [gentoo-commits] proj/hardened-refpolicy:adminroles " Jason Zaman
2014-12-03 12:54 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2014-12-03 12:56 [gentoo-commits] proj/hardened-refpolicy:adminroles " Jason Zaman
2014-12-03 12:54 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2014-12-03 12:56 [gentoo-commits] proj/hardened-refpolicy:adminroles " Jason Zaman
2014-12-03 12:54 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2014-12-03 12:56 [gentoo-commits] proj/hardened-refpolicy:adminroles " Jason Zaman
2014-12-03 12:54 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2014-12-03 12:56 [gentoo-commits] proj/hardened-refpolicy:adminroles " Jason Zaman
2014-12-03 12:54 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2014-12-03 12:56 [gentoo-commits] proj/hardened-refpolicy:adminroles " Jason Zaman
2014-12-03 12:54 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2014-12-03 12:56 [gentoo-commits] proj/hardened-refpolicy:userroles " Jason Zaman
2014-12-03 12:54 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2014-12-03 12:56 [gentoo-commits] proj/hardened-refpolicy:userroles " Jason Zaman
2014-12-03 12:54 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2014-12-03 12:56 [gentoo-commits] proj/hardened-refpolicy:userroles " Jason Zaman
2014-12-03 12:54 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2014-12-03 12:56 [gentoo-commits] proj/hardened-refpolicy:userroles " Jason Zaman
2014-12-03 12:54 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2014-12-03 12:54 Jason Zaman
2014-12-03 12:54 Jason Zaman
2014-12-03 12:54 Jason Zaman
2014-12-03 12:54 Jason Zaman
2014-12-03 12:54 Jason Zaman
2014-12-03 12:54 Jason Zaman
2014-12-03 12:54 Jason Zaman
2014-11-28 9:40 Sven Vermeulen
2014-11-23 13:22 Sven Vermeulen
2014-11-11 13:38 Sven Vermeulen
2014-11-11 13:36 Sven Vermeulen
2014-11-11 10:38 Sven Vermeulen
2014-11-08 16:36 Sven Vermeulen
2014-11-01 18:00 Sven Vermeulen
2014-10-19 17:38 [gentoo-commits] proj/hardened-refpolicy:perfinion " Jason Zaman
2014-10-25 19:21 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2014-10-12 9:51 [gentoo-commits] proj/hardened-refpolicy:perfinion " Jason Zaman
2014-10-25 19:21 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2014-10-12 8:27 Sven Vermeulen
2014-10-12 8:27 Sven Vermeulen
2014-09-13 9:38 Sven Vermeulen
2014-09-13 9:38 Sven Vermeulen
2014-09-13 9:38 Sven Vermeulen
2014-09-03 19:37 [gentoo-commits] proj/hardened-refpolicy:perfinion " Jason Zaman
2014-09-03 19:36 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2014-09-01 20:42 Jason Zaman
2014-09-01 20:42 Jason Zaman
2014-09-01 20:11 Sven Vermeulen
2014-09-01 20:11 Sven Vermeulen
2014-09-01 20:11 Sven Vermeulen
2014-09-01 20:11 Sven Vermeulen
2014-08-31 16:07 Sven Vermeulen
2014-08-31 16:07 Sven Vermeulen
2014-08-30 20:16 Sven Vermeulen
2014-08-29 19:03 Sven Vermeulen
2014-08-26 15:26 Sven Vermeulen
2014-08-26 14:55 Sven Vermeulen
2014-08-26 14:55 Sven Vermeulen
2014-08-22 17:55 Sven Vermeulen
2014-08-19 20:16 Sven Vermeulen
2014-08-19 20:05 Sven Vermeulen
2014-08-19 20:05 Sven Vermeulen
2014-08-19 20:05 Sven Vermeulen
2014-08-19 9:19 Jason Zaman
2014-08-19 9:19 Jason Zaman
2014-08-19 9:19 Jason Zaman
2014-08-19 9:19 Jason Zaman
2014-08-19 9:19 Jason Zaman
2014-08-19 9:19 Jason Zaman
2014-08-15 16:14 Sven Vermeulen
2014-08-15 14:51 Sven Vermeulen
2014-08-15 10:04 [gentoo-commits] proj/hardened-refpolicy:salt " Sven Vermeulen
2014-08-15 10:04 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
2014-08-15 10:04 [gentoo-commits] proj/hardened-refpolicy:salt " Sven Vermeulen
2014-08-15 10:04 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
2014-08-15 10:04 [gentoo-commits] proj/hardened-refpolicy:salt " Sven Vermeulen
2014-08-15 10:04 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
2014-08-15 10:04 [gentoo-commits] proj/hardened-refpolicy:salt " Sven Vermeulen
2014-08-15 10:04 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
2014-08-15 10:04 Sven Vermeulen
2014-08-15 10:04 Sven Vermeulen
2014-08-15 10:04 Sven Vermeulen
2014-08-15 10:04 Sven Vermeulen
2014-08-11 15:09 Sven Vermeulen
2014-08-11 15:04 Sven Vermeulen
2014-08-10 16:59 Sven Vermeulen
2014-08-10 16:49 Sven Vermeulen
2014-08-10 16:42 Sven Vermeulen
2014-08-10 14:02 Sven Vermeulen
2014-08-10 13:54 Sven Vermeulen
2014-08-08 12:36 [gentoo-commits] proj/hardened-refpolicy:testing " Sven Vermeulen
2014-08-08 12:36 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
2014-08-06 18:09 Sven Vermeulen
2014-08-01 11:49 Sven Vermeulen
2014-07-31 15:28 Sven Vermeulen
2014-07-31 15:26 Sven Vermeulen
2014-07-29 14:07 Sven Vermeulen
2014-07-29 14:07 Sven Vermeulen
2014-07-29 14:07 Sven Vermeulen
2014-07-29 14:07 Sven Vermeulen
2014-07-29 14:07 Sven Vermeulen
2014-07-29 14:07 Sven Vermeulen
2014-07-15 16:16 Sven Vermeulen
2014-07-06 9:49 Sven Vermeulen
2014-07-06 9:49 Sven Vermeulen
2014-07-05 17:17 Sven Vermeulen
2014-07-05 17:17 Sven Vermeulen
2014-07-05 16:26 Sven Vermeulen
2014-06-30 19:03 Sven Vermeulen
2014-06-30 19:03 Sven Vermeulen
2014-06-25 20:05 Sven Vermeulen
2014-06-25 19:56 Sven Vermeulen
2014-06-25 19:06 Sven Vermeulen
2014-06-25 19:06 Sven Vermeulen
2014-06-25 19:06 Sven Vermeulen
2014-06-25 19:06 Sven Vermeulen
2014-06-25 19:06 Sven Vermeulen
2014-06-21 18:36 Sven Vermeulen
2014-06-08 18:08 Sven Vermeulen
2014-06-08 13:29 Sven Vermeulen
2014-06-07 19:18 Sven Vermeulen
2014-06-07 19:18 Sven Vermeulen
2014-06-07 19:18 Sven Vermeulen
2014-05-29 17:29 Sven Vermeulen
2014-05-29 16:37 Sven Vermeulen
2014-05-28 17:54 Sven Vermeulen
2014-05-28 17:54 Sven Vermeulen
2014-05-22 16:53 Sven Vermeulen
2014-05-22 16:53 Sven Vermeulen
2014-05-22 16:33 Sven Vermeulen
2014-05-22 16:33 Sven Vermeulen
2014-05-22 16:33 Sven Vermeulen
2014-05-18 12:00 Sven Vermeulen
2014-05-18 11:03 Sven Vermeulen
2014-05-15 18:10 Sven Vermeulen
2014-05-04 10:51 Sven Vermeulen
2014-05-01 20:22 Sven Vermeulen
2014-05-01 8:46 Sven Vermeulen
2014-04-27 15:34 Sven Vermeulen
2014-04-27 15:34 Sven Vermeulen
2014-04-27 15:34 Sven Vermeulen
2014-04-27 15:34 Sven Vermeulen
2014-04-27 15:34 Sven Vermeulen
2014-04-27 15:34 Sven Vermeulen
2014-04-21 15:25 Sven Vermeulen
2014-04-21 15:25 Sven Vermeulen
2014-04-17 19:04 Sven Vermeulen
2014-04-17 19:04 Sven Vermeulen
2014-04-17 19:04 Sven Vermeulen
2014-04-17 19:04 Sven Vermeulen
2014-04-17 19:04 Sven Vermeulen
2014-04-17 19:04 Sven Vermeulen
2014-04-12 19:03 Sven Vermeulen
2014-04-12 13:38 Sven Vermeulen
2014-04-12 13:38 Sven Vermeulen
2014-04-11 17:48 Sven Vermeulen
2014-04-11 17:48 Sven Vermeulen
2014-04-11 17:48 Sven Vermeulen
2014-04-11 17:48 Sven Vermeulen
2014-04-08 17:02 Sven Vermeulen
2014-04-08 16:02 Sven Vermeulen
2014-04-08 16:02 Sven Vermeulen
2014-04-08 16:02 Sven Vermeulen
2014-04-08 16:02 Sven Vermeulen
2014-04-08 16:02 Sven Vermeulen
2014-04-08 16:02 Sven Vermeulen
2014-04-08 16:02 Sven Vermeulen
2014-04-08 16:02 Sven Vermeulen
2014-04-08 16:02 Sven Vermeulen
2014-04-08 16:02 Sven Vermeulen
2014-03-31 18:49 Sven Vermeulen
2014-03-31 18:49 Sven Vermeulen
2014-03-31 18:49 Sven Vermeulen
2014-03-30 8:56 Sven Vermeulen
2014-03-19 18:32 Sven Vermeulen
2014-03-17 8:24 Sven Vermeulen
2014-03-17 8:24 Sven Vermeulen
2014-03-17 8:24 Sven Vermeulen
2014-03-17 8:24 Sven Vermeulen
2014-03-17 8:24 Sven Vermeulen
2014-03-10 18:19 Sven Vermeulen
2014-03-10 18:19 Sven Vermeulen
2014-03-04 15:30 Sven Vermeulen
2014-03-04 15:30 Sven Vermeulen
2014-03-04 15:30 Sven Vermeulen
2014-02-17 20:54 Sven Vermeulen
2014-02-17 19:55 Sven Vermeulen
2014-02-17 19:55 Sven Vermeulen
2014-02-17 19:55 Sven Vermeulen
2014-02-15 9:45 Sven Vermeulen
2014-02-09 10:54 Sven Vermeulen
2014-02-09 10:54 Sven Vermeulen
2014-02-09 10:54 Sven Vermeulen
2014-02-01 11:37 Sven Vermeulen
2014-02-01 10:00 Sven Vermeulen
2014-02-01 10:00 Sven Vermeulen
2014-01-23 19:54 Sven Vermeulen
2014-01-20 20:33 Sven Vermeulen
2014-01-19 19:08 Sven Vermeulen
2013-12-20 21:00 Sven Vermeulen
2013-12-18 8:16 Sven Vermeulen
2013-12-18 8:06 Sven Vermeulen
2013-12-17 8:52 Sven Vermeulen
2013-12-17 8:12 Sven Vermeulen
2013-12-16 14:14 Sven Vermeulen
2013-12-08 13:16 Sven Vermeulen
2013-11-30 15:05 Sven Vermeulen
2013-11-30 15:05 Sven Vermeulen
2013-11-30 15:05 Sven Vermeulen
2013-11-30 15:05 Sven Vermeulen
2013-11-30 15:05 Sven Vermeulen
2013-11-30 15:05 Sven Vermeulen
2013-11-30 15:05 Sven Vermeulen
2013-11-30 15:05 Sven Vermeulen
2013-11-30 15:05 Sven Vermeulen
2013-11-30 15:05 Sven Vermeulen
2013-11-30 15:05 Sven Vermeulen
2013-11-30 15:05 Sven Vermeulen
2013-11-30 15:05 Sven Vermeulen
2013-11-30 15:05 Sven Vermeulen
2013-11-30 15:05 Sven Vermeulen
2013-11-30 15:05 Sven Vermeulen
2013-11-30 15:05 Sven Vermeulen
2013-11-30 15:05 Sven Vermeulen
2013-11-30 15:05 Sven Vermeulen
2013-11-30 15:05 Sven Vermeulen
2013-11-30 15:05 Sven Vermeulen
2013-11-25 19:16 Sven Vermeulen
2013-11-25 19:16 Sven Vermeulen
2013-11-25 19:16 Sven Vermeulen
2013-11-25 19:16 Sven Vermeulen
2013-11-25 17:25 Sven Vermeulen
2013-11-17 17:26 Sven Vermeulen
2013-11-11 13:45 Sven Vermeulen
2013-11-11 13:45 Sven Vermeulen
2013-11-11 13:45 Sven Vermeulen
2013-11-11 13:45 Sven Vermeulen
2013-11-11 13:45 Sven Vermeulen
2013-11-11 13:45 Sven Vermeulen
2013-11-11 13:45 Sven Vermeulen
2013-11-11 13:45 Sven Vermeulen
2013-11-11 13:45 Sven Vermeulen
2013-11-11 13:45 Sven Vermeulen
2013-11-11 13:45 Sven Vermeulen
2013-11-11 13:45 Sven Vermeulen
2013-11-11 13:45 Sven Vermeulen
2013-11-11 13:45 Sven Vermeulen
2013-11-11 13:45 Sven Vermeulen
2013-11-11 13:45 Sven Vermeulen
2013-11-11 13:45 Sven Vermeulen
2013-11-11 13:45 Sven Vermeulen
2013-11-11 13:45 Sven Vermeulen
2013-11-11 13:45 Sven Vermeulen
2013-11-11 13:45 Sven Vermeulen
2013-11-11 13:45 Sven Vermeulen
2013-11-11 13:45 Sven Vermeulen
2013-11-11 13:45 Sven Vermeulen
2013-11-03 11:19 Sven Vermeulen
2013-09-30 19:03 Sven Vermeulen
2013-09-30 19:03 Sven Vermeulen
2013-09-30 19:03 Sven Vermeulen
2013-09-30 19:03 Sven Vermeulen
2013-09-30 19:03 Sven Vermeulen
2013-09-30 19:03 Sven Vermeulen
2013-09-30 19:03 Sven Vermeulen
2013-09-30 19:03 Sven Vermeulen
2013-09-30 19:03 Sven Vermeulen
2013-09-30 19:03 Sven Vermeulen
2013-09-30 19:03 Sven Vermeulen
2013-09-30 19:03 Sven Vermeulen
2013-09-30 19:03 Sven Vermeulen
2013-09-30 19:03 Sven Vermeulen
2013-09-30 19:03 Sven Vermeulen
2013-09-30 19:03 Sven Vermeulen
2013-09-30 19:03 Sven Vermeulen
2013-09-30 19:03 Sven Vermeulen
2013-09-30 19:03 Sven Vermeulen
2013-09-27 6:50 Sven Vermeulen
2013-09-26 18:47 Sven Vermeulen
2013-09-25 18:05 Sven Vermeulen
2013-09-25 17:50 Sven Vermeulen
2013-09-25 9:49 Sven Vermeulen
2013-09-25 9:49 Sven Vermeulen
2013-09-25 9:49 Sven Vermeulen
2013-09-25 9:49 Sven Vermeulen
2013-09-25 9:49 Sven Vermeulen
2013-09-25 9:49 Sven Vermeulen
2013-09-25 9:49 Sven Vermeulen
2013-09-25 9:49 Sven Vermeulen
2013-09-25 9:49 Sven Vermeulen
2013-09-25 9:49 Sven Vermeulen
2013-09-25 9:49 Sven Vermeulen
2013-09-25 9:49 Sven Vermeulen
2013-09-25 9:49 Sven Vermeulen
2013-09-25 9:49 Sven Vermeulen
2013-09-25 9:49 Sven Vermeulen
2013-09-25 9:49 Sven Vermeulen
2013-09-23 13:31 Sven Vermeulen
2013-09-23 13:31 Sven Vermeulen
2013-09-23 13:31 Sven Vermeulen
2013-09-23 13:31 Sven Vermeulen
2013-09-23 13:31 Sven Vermeulen
2013-09-23 13:31 Sven Vermeulen
2013-09-23 13:31 Sven Vermeulen
2013-09-23 13:31 Sven Vermeulen
2013-09-23 13:31 Sven Vermeulen
2013-09-23 6:29 [gentoo-commits] proj/hardened-refpolicy:merge " Sven Vermeulen
2013-09-23 13:31 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
2013-09-23 6:29 [gentoo-commits] proj/hardened-refpolicy:merge " Sven Vermeulen
2013-09-23 13:31 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
2013-09-23 6:29 [gentoo-commits] proj/hardened-refpolicy:merge " Sven Vermeulen
2013-09-23 13:31 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
2013-09-23 6:29 [gentoo-commits] proj/hardened-refpolicy:merge " Sven Vermeulen
2013-09-23 13:31 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
2013-09-23 6:29 [gentoo-commits] proj/hardened-refpolicy:merge " Sven Vermeulen
2013-09-23 13:31 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
2013-09-23 6:29 [gentoo-commits] proj/hardened-refpolicy:merge " Sven Vermeulen
2013-09-23 13:31 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
2013-09-23 6:29 [gentoo-commits] proj/hardened-refpolicy:merge " Sven Vermeulen
2013-09-23 13:31 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
2013-09-23 6:29 [gentoo-commits] proj/hardened-refpolicy:merge " Sven Vermeulen
2013-09-23 13:31 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
2013-09-23 6:29 [gentoo-commits] proj/hardened-refpolicy:merge " Sven Vermeulen
2013-09-23 13:31 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
2013-09-23 6:29 [gentoo-commits] proj/hardened-refpolicy:merge " Sven Vermeulen
2013-09-23 13:31 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
2013-09-18 8:58 Sven Vermeulen
2013-09-18 8:58 Sven Vermeulen
2013-09-16 9:26 Sven Vermeulen
2013-08-27 10:33 Sven Vermeulen
2013-08-24 15:36 Sven Vermeulen
2013-08-17 8:26 Sven Vermeulen
2013-08-16 14:01 Sven Vermeulen
2013-08-16 13:59 Sven Vermeulen
2013-08-16 13:59 Sven Vermeulen
2013-08-16 13:59 Sven Vermeulen
2013-08-16 13:59 Sven Vermeulen
2013-08-16 13:59 Sven Vermeulen
2013-08-16 13:59 Sven Vermeulen
2013-08-16 13:59 Sven Vermeulen
2013-08-16 13:53 Sven Vermeulen
2013-08-16 13:53 Sven Vermeulen
2013-08-16 13:24 Sven Vermeulen
2013-08-16 11:26 Sven Vermeulen
2013-08-16 11:12 Sven Vermeulen
2013-08-16 10:45 Sven Vermeulen
2013-08-16 10:45 Sven Vermeulen
2013-08-16 10:45 Sven Vermeulen
2013-08-16 10:45 Sven Vermeulen
2013-08-16 7:38 Sven Vermeulen
2013-08-16 6:35 Sven Vermeulen
2013-08-15 18:33 Sven Vermeulen
2013-08-15 7:35 Sven Vermeulen
2013-08-15 7:32 Sven Vermeulen
2013-07-23 12:02 Sven Vermeulen
2013-06-24 20:46 Sven Vermeulen
2013-06-22 19:35 Sven Vermeulen
2013-06-22 19:00 Sven Vermeulen
2013-06-10 18:32 Sven Vermeulen
2013-05-31 13:48 Sven Vermeulen
2013-05-31 13:48 Sven Vermeulen
2013-05-31 13:48 Sven Vermeulen
2013-05-31 13:48 Sven Vermeulen
2013-05-31 13:48 Sven Vermeulen
2013-05-31 13:48 Sven Vermeulen
2013-05-31 13:48 Sven Vermeulen
2013-05-31 13:48 Sven Vermeulen
2013-05-16 9:06 Sven Vermeulen
2013-05-16 9:06 Sven Vermeulen
2013-05-09 17:14 Sven Vermeulen
2013-05-09 17:14 Sven Vermeulen
2013-05-07 9:46 Sven Vermeulen
2013-05-02 19:28 Sven Vermeulen
2013-05-01 20:17 Sven Vermeulen
2013-05-01 20:11 Sven Vermeulen
2013-05-01 18:42 Sven Vermeulen
2013-05-01 18:23 Sven Vermeulen
2013-05-01 18:23 Sven Vermeulen
2013-04-29 18:11 Sven Vermeulen
2013-04-28 10:01 Sven Vermeulen
2013-04-28 9:17 Sven Vermeulen
2013-04-28 9:17 Sven Vermeulen
2013-04-21 7:38 Sven Vermeulen
2013-04-19 18:01 Sven Vermeulen
2013-04-19 15:41 Sven Vermeulen
2013-04-19 15:41 Sven Vermeulen
2013-04-18 19:57 Sven Vermeulen
2013-04-18 19:52 Sven Vermeulen
2013-04-17 20:23 Sven Vermeulen
2013-04-17 17:50 Sven Vermeulen
2013-04-17 17:50 Sven Vermeulen
2013-04-17 17:50 Sven Vermeulen
2013-04-17 17:50 Sven Vermeulen
2013-04-17 17:50 Sven Vermeulen
2013-04-17 17:50 Sven Vermeulen
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox