From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 4218713832E for ; Wed, 17 Aug 2016 17:00:09 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 4A1B621C182; Wed, 17 Aug 2016 17:00:02 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 8CE7D21C170 for ; Wed, 17 Aug 2016 17:00:01 +0000 (UTC) Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id AD278340F10 for ; Wed, 17 Aug 2016 17:00:00 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id B61602457 for ; Wed, 17 Aug 2016 16:59:58 +0000 (UTC) 
From: "Jason Zaman" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" Message-ID: <1471450964.814a47ac343732aacb70ae6440c3f5b4a4f479f6.perfinion@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/system/sysnetwork.te X-VCS-Directories: policy/modules/system/ X-VCS-Committer: perfinion X-VCS-Committer-Name: Jason Zaman X-VCS-Revision: 814a47ac343732aacb70ae6440c3f5b4a4f479f6 X-VCS-Branch: next Date: Wed, 17 Aug 2016 16:59:58 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 026da2f8-144e-45c5-aeae-81a8b6c3ae51 X-Archives-Hash: 7b6532826f1d2570c2d6b72234c14c62 commit: 814a47ac343732aacb70ae6440c3f5b4a4f479f6 Author: Chris PeBenito ieee org> AuthorDate: Sun Aug 14 18:51:42 2016 +0000 Commit: Jason Zaman gentoo org> CommitDate: Wed Aug 17 16:22:44 2016 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=814a47ac Update the sysnetwork module to add some permissions needed by the dhcp client (another separate patch makes changes to the ifconfig part). Create auxiliary interfaces in the ntp module. The permission to execute restorecon/setfiles (required by the dhclient-script script and granted in a previous version of this patch) is not granted, as it does not break the script functioning. Include revisions from Chris PeBenito. Signed-off-by: Guido Trentalancia trentalancia.net> policy/modules/system/sysnetwork.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te index 287d2fd..c67494e 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te 
@@ -130,9 +130,11 @@ files_search_home(dhcpc_t) files_search_var_lib(dhcpc_t) files_dontaudit_search_locks(dhcpc_t) files_getattr_generic_locks(dhcpc_t) +files_manage_var_files(dhcpc_t) fs_getattr_all_fs(dhcpc_t) fs_search_auto_mountpoints(dhcpc_t) +fs_search_cgroup_dirs(dhcpc_t) term_dontaudit_use_all_ttys(dhcpc_t) term_dontaudit_use_all_ptys(dhcpc_t) @@ -227,6 +229,7 @@ optional_policy(` optional_policy(` ntp_initrc_domtrans(dhcpc_t) ntp_read_drift_files(dhcpc_t) + ntp_read_conf_files(dhcpc_t) ') optional_policy(` From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 0DA1713832F for ; Wed, 17 Aug 2016 16:59:11 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 3C0C821C0AA; Wed, 17 Aug 2016 16:59:08 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id B1EB421C0AA for ; Wed, 17 Aug 2016 16:59:07 +0000 (UTC) Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 4D7ED340E72 for ; Wed, 17 Aug 2016 16:59:06 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 4012E2457 for ; Wed, 17 Aug 2016 16:59:04 +0000 (UTC) 
From: "Jason Zaman" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" Message-ID: <1471450964.814a47ac343732aacb70ae6440c3f5b4a4f479f6.perfinion@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/system/sysnetwork.te X-VCS-Directories: policy/modules/system/ X-VCS-Committer: perfinion X-VCS-Committer-Name: Jason Zaman X-VCS-Revision: 814a47ac343732aacb70ae6440c3f5b4a4f479f6 X-VCS-Branch: master Date: Wed, 17 Aug 2016 16:59:04 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 9b0920db-6c2d-4835-881f-9fd5e6a2ffef X-Archives-Hash: bb2b18361ae4fc760c8cacf52d633f6c Message-ID: <20160817165904.9HPt-u_6eOGAWYggE7LUKpROYOmYKlFwvVLbbsDR7qA@z> commit: 814a47ac343732aacb70ae6440c3f5b4a4f479f6 Author: Chris PeBenito ieee org> AuthorDate: Sun Aug 14 18:51:42 2016 +0000 Commit: Jason Zaman gentoo org> CommitDate: Wed Aug 17 16:22:44 2016 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=814a47ac Update the sysnetwork module to add some permissions needed by the dhcp client (another separate patch makes changes to the ifconfig part). Create auxiliary interfaces in the ntp module. The permission to execute restorecon/setfiles (required by the dhclient-script script and granted in a previous version of this patch) is not granted, as it does not break the script functioning. Include revisions from Chris PeBenito. Signed-off-by: Guido Trentalancia trentalancia.net> policy/modules/system/sysnetwork.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te index 287d2fd..c67494e 100644 --- a/policy/modules/system/sysnetwork.te 
+++ b/policy/modules/system/sysnetwork.te @@ -130,9 +130,11 @@ files_search_home(dhcpc_t) files_search_var_lib(dhcpc_t) files_dontaudit_search_locks(dhcpc_t) files_getattr_generic_locks(dhcpc_t) +files_manage_var_files(dhcpc_t) fs_getattr_all_fs(dhcpc_t) fs_search_auto_mountpoints(dhcpc_t) +fs_search_cgroup_dirs(dhcpc_t) term_dontaudit_use_all_ttys(dhcpc_t) term_dontaudit_use_all_ptys(dhcpc_t) @@ -227,6 +229,7 @@ optional_policy(` optional_policy(` ntp_initrc_domtrans(dhcpc_t) ntp_read_drift_files(dhcpc_t) + ntp_read_conf_files(dhcpc_t) ') optional_policy(`
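Review bot: In the first hunk (@@ -130,9 +130,11 @@), `files_manage_var_files(dhcpc_t)` is a broad grant for a DHCP client. It lets dhcpc_t create, modify and delete files carrying the generic var_t label, and neither the commit message nor a comment says which path under /var the client needs to write. Prefer giving that path a type owned by the dhcpc domain, with a file transition, or at least add a comment naming the file so the grant can be narrowed later. The same hunk adds `fs_search_cgroup_dirs(dhcpc_t)` without explanation; a one-line comment on what triggers the cgroup lookup would show whether an allow or a dontaudit is the right answer.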
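Review bot: In the second hunk (@@ -227,6 +229,7 @@), `ntp_read_conf_files(dhcpc_t)` is called, but the diffstat lists only policy/modules/system/sysnetwork.te (1 file changed, 3 insertions), while the commit message says "Create auxiliary interfaces in the ntp module". The interface definition therefore has to come from a separate commit. State that dependency in the commit message, or fold the ntp interface change into this commit, so the two are not applied or bisected out of order.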