public inbox for gentoo-commits@lists.gentoo.org
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: /
@ 2015-12-02 15:45 Sven Vermeulen
  0 siblings, 0 replies; 6+ messages in thread
From: Sven Vermeulen @ 2015-12-02 15:45 UTC (permalink / raw
  To: gentoo-commits

commit:     7df299c23e81022962f221aca35cc00f76015dbd
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Oct 26 04:12:02 2015 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 26 04:12:02 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7df299c2

Add SystemD build option to travis.yml

 .travis.yml | 39 +++++++++++++++++++++++++++++----------
 1 file changed, 29 insertions(+), 10 deletions(-)

diff --git a/.travis.yml b/.travis.yml
index 41c4a1f..b3dd454 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -4,15 +4,33 @@ language: python
 python:
  - "2.7"
 
-# for T in standard mls mcs ; do for D in arch debian gentoo ; do for I in n y ; do for M in y n ; do
-# echo "  - TYPE=$T DISTRO=$D DIRECT_INITRC=$I MONOLITHIC=$M" ; done ; done ; done ; done
+# for T in standard mls mcs ; do for D in arch debian gentoo ; do for I in n y ; do for M in y n ; do for S in n y ; do
+# echo "  - TYPE=$T DISTRO=$D DIRECT_INITRC=$I MONOLITHIC=$M SYSTEMD=$S" ; done ; done ; done ; done ; done
 env:
-  - TYPE=standard DISTRO=gentoo DIRECT_INITRC=n MONOLITHIC=n
-  - TYPE=mcs DISTRO=gentoo DIRECT_INITRC=n MONOLITHIC=n
-  - TYPE=mls DISTRO=gentoo DIRECT_INITRC=n MONOLITHIC=n
-  - TYPE=standard DISTRO=gentoo DIRECT_INITRC=y MONOLITHIC=n
-  - TYPE=mcs DISTRO=gentoo DIRECT_INITRC=y MONOLITHIC=n
-  - TYPE=mls DISTRO=gentoo DIRECT_INITRC=y MONOLITHIC=n
+  - TYPE=standard DISTRO=gentoo DIRECT_INITRC=n MONOLITHIC=y SYSTEMD=n
+  - TYPE=standard DISTRO=gentoo DIRECT_INITRC=n MONOLITHIC=y SYSTEMD=y
+  - TYPE=standard DISTRO=gentoo DIRECT_INITRC=n MONOLITHIC=n SYSTEMD=n
+  - TYPE=standard DISTRO=gentoo DIRECT_INITRC=n MONOLITHIC=n SYSTEMD=y
+  - TYPE=standard DISTRO=gentoo DIRECT_INITRC=y MONOLITHIC=y SYSTEMD=n
+  - TYPE=standard DISTRO=gentoo DIRECT_INITRC=y MONOLITHIC=y SYSTEMD=y
+  - TYPE=standard DISTRO=gentoo DIRECT_INITRC=y MONOLITHIC=n SYSTEMD=n
+  - TYPE=standard DISTRO=gentoo DIRECT_INITRC=y MONOLITHIC=n SYSTEMD=y
+  - TYPE=mcs DISTRO=gentoo DIRECT_INITRC=n MONOLITHIC=y SYSTEMD=n
+  - TYPE=mcs DISTRO=gentoo DIRECT_INITRC=n MONOLITHIC=y SYSTEMD=y
+  - TYPE=mcs DISTRO=gentoo DIRECT_INITRC=n MONOLITHIC=n SYSTEMD=n
+  - TYPE=mcs DISTRO=gentoo DIRECT_INITRC=n MONOLITHIC=n SYSTEMD=y
+  - TYPE=mcs DISTRO=gentoo DIRECT_INITRC=y MONOLITHIC=y SYSTEMD=n
+  - TYPE=mcs DISTRO=gentoo DIRECT_INITRC=y MONOLITHIC=y SYSTEMD=y
+  - TYPE=mcs DISTRO=gentoo DIRECT_INITRC=y MONOLITHIC=n SYSTEMD=n
+  - TYPE=mcs DISTRO=gentoo DIRECT_INITRC=y MONOLITHIC=n SYSTEMD=y
+  - TYPE=mls DISTRO=gentoo DIRECT_INITRC=n MONOLITHIC=y SYSTEMD=n
+  - TYPE=mls DISTRO=gentoo DIRECT_INITRC=n MONOLITHIC=y SYSTEMD=y
+  - TYPE=mls DISTRO=gentoo DIRECT_INITRC=n MONOLITHIC=n SYSTEMD=n
+  - TYPE=mls DISTRO=gentoo DIRECT_INITRC=n MONOLITHIC=n SYSTEMD=y
+  - TYPE=mls DISTRO=gentoo DIRECT_INITRC=y MONOLITHIC=y SYSTEMD=n
+  - TYPE=mls DISTRO=gentoo DIRECT_INITRC=y MONOLITHIC=y SYSTEMD=y
+  - TYPE=mls DISTRO=gentoo DIRECT_INITRC=y MONOLITHIC=n SYSTEMD=n
+  - TYPE=mls DISTRO=gentoo DIRECT_INITRC=y MONOLITHIC=n SYSTEMD=y
 
 before_install:
   - lsb_release -a
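Review bot: the generator comment above the `env:` list still loops over `arch debian gentoo`, yet every emitted row is DISTRO=gentoo, so the comment no longer describes what is checked in; say that the generated list is filtered to gentoo, or drop the DISTRO loop from the one-liner. The matrix also grows from 6 to 24 jobs, and the four rows pairing DIRECT_INITRC=y with SYSTEMD=y build a combination worth a second look, since direct init-script execution and a systemd build target different boot setups; if CI time matters those rows are the first candidates to prune.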
@@ -41,10 +59,10 @@ install:
   - sudo make CFLAGS="-O2 -pipe -fPIC -Wall" -C selinux-src install
 
   # Drop build.conf settings to listen to env vars
-  - sed -r -i -e '/(DIRECT_INITRC|MONOLITHIC|TYPE|DISTRO)/d' build.conf
+  - sed -r -i -e '/(DIRECT_INITRC|MONOLITHIC|TYPE|DISTRO|SYSTEMD)/d' build.conf
 
 script:
-  - echo $TYPE $DISTRO $DIRECT_INITRC $MONOLITHIC
+  - echo $TYPE $DISTRO $DIRECT_INITRC $MONOLITHIC $SYSTEMD
   - make bare
   - make conf
   - make
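Review bot: the sed pattern is unanchored, so adding SYSTEMD now deletes every build.conf line that merely contains that substring, comment lines included; anchoring it to the assignment, e.g. `'/^(DIRECT_INITRC|MONOLITHIC|TYPE|DISTRO|SYSTEMD)[[:space:]]*=/d'`, keeps the documentation lines and cannot remove an unrelated setting whose name happens to contain one of these words. The `echo` prints the five variables but nothing fails if one is unset (a typo in a matrix row would silently build with whatever default `make conf` picks), so a guard such as `: "${SYSTEMD:?}"` before `make conf` turns that into a failed job.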
@@ -53,6 +71,7 @@ script:
 branches:
   only:
     - /^travis-.*/
+    - next
     - master
 
 notifications:


^ permalink raw reply related	[flat|nested] 6+ messages in thread

* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
  2016-10-24 16:02 [gentoo-commits] proj/hardened-refpolicy:swift commit in: / Sven Vermeulen
@ 2016-10-24 16:02 ` Sven Vermeulen
  2016-10-24 16:03 ` [gentoo-commits] proj/hardened-refpolicy:next " Sven Vermeulen
  1 sibling, 0 replies; 6+ messages in thread
From: Sven Vermeulen @ 2016-10-24 16:02 UTC (permalink / raw
  To: gentoo-commits

commit:     a172282d756622acde353c6bd9387431b0b3ff9e
Author:     Naftuli Tzvi Kay <rfkrocktk <AT> gmail <DOT> com>
AuthorDate: Sun Aug 21 07:08:42 2016 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 24 15:57:25 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a172282d

Syncthing Policy

Policy governing Syncthing - a file synchronization utility
written in Go.

Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>

 syncthing.fc |  3 +++
 syncthing.if | 32 +++++++++++++++++++++++++
 syncthing.te | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 113 insertions(+)

diff --git a/syncthing.fc b/syncthing.fc
new file mode 100644
index 0000000..4f7f53e
--- /dev/null
+++ b/syncthing.fc
@@ -0,0 +1,3 @@
+/usr/bin/syncthing                      -- gen_context(system_u:object_r:syncthing_exec_t,s0)
+
+HOME_DIR/\.config/syncthing(/.*)?          gen_context(system_u:object_r:syncthing_config_home_t,s0)

diff --git a/syncthing.if b/syncthing.if
new file mode 100644
index 0000000..d71fdaa
--- /dev/null
+++ b/syncthing.if
@@ -0,0 +1,32 @@
+## <summary>Application that lets you synchronize your files across multiple devices.</summary>
+
+########################################
+## <summary>
+##  Role access for Syncthing
+## </summary>
+## <param name="role">
+##  <summary>
+##  Role allowed access
+##  </summary>
+## </param>
+## <param name="domain">
+##  <summary>
+##  User domain for the role
+##  </summary>
+## </param>
+#
+interface(`syncthing_role', `
+
+    gen_require(`
+        attribute_role syncthing_roles;
+        type syncthing_t, syncthing_exec_t, syncthing_config_home_t;
+    ')
+
+    roleattribute $1 syncthing_roles;
+
+    domtrans_pattern($2, syncthing_exec_t, syncthing_t)
+
+    allow $2 syncthing_config_home_t:file { manage_file_perms relabel_file_perms };
+    allow $2 syncthing_config_home_t:dir { manage_dir_perms relabel_dir_perms };
+    allow $2 syncthing_config_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+')
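Review bot: indentation is four spaces while refpolicy interfaces are tab-indented (the "Rearrange lines in syncthing" commit later in this thread reindents exactly these lines), and the blank line directly after the `interface(` opener is unusual. Functionally, the role gets a domain transition and manage/relabel rights on the config directory but no way to see or stop the resulting process; role interfaces for per-user daemons normally also carry `ps_process_pattern($2, syncthing_t)` and `allow $2 syncthing_t:process signal_perms;` so the user can list and kill their own syncthing. The `role` parameter summary "Role allowed access" would read better as "Role allowed access to syncthing".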

diff --git a/syncthing.te b/syncthing.te
new file mode 100644
index 0000000..8144389
--- /dev/null
+++ b/syncthing.te
@@ -0,0 +1,78 @@
+policy_module(syncthing, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role syncthing_roles;
+role syncthing_roles types syncthing_t;
+
+type syncthing_t;
+type syncthing_exec_t;
+init_daemon_domain(syncthing_t, syncthing_exec_t)
+userdom_user_application_domain(syncthing_t, syncthing_exec_t)
+
+type syncthing_config_home_t;
+userdom_user_home_content(syncthing_config_home_t)
+
+########################################
+#
+# Declarations
+#
+
+allow syncthing_t self:process getsched;
+allow syncthing_t self:fifo_file rw_fifo_file_perms;
+allow syncthing_t self:tcp_socket { listen accept };
+
+can_exec(syncthing_t, syncthing_exec_t)
+
+kernel_read_kernel_sysctls(syncthing_t)
+kernel_read_net_sysctls(syncthing_t)
+kernel_read_system_state(syncthing_t)
+
+corenet_tcp_sendrecv_generic_if(syncthing_t)
+corenet_udp_sendrecv_generic_if(syncthing_t)
+
+corenet_tcp_bind_generic_node(syncthing_t)
+corenet_tcp_sendrecv_generic_node(syncthing_t)
+corenet_tcp_sendrecv_all_ports(syncthing_t)
+
+corenet_udp_bind_generic_node(syncthing_t)
+corenet_udp_sendrecv_generic_node(syncthing_t)
+corenet_udp_sendrecv_all_ports(syncthing_t)
+
+corenet_tcp_connect_all_ports(syncthing_t)
+
+corenet_tcp_bind_syncthing_port(syncthing_t)
+corenet_udp_bind_syncthing_discovery_port(syncthing_t)
+corenet_tcp_bind_syncthing_admin_port(syncthing_t)
+
+dev_read_rand(syncthing_t)
+dev_read_urand(syncthing_t)
+
+fs_getattr_xattr_fs(syncthing_t)
+
+auth_use_nsswitch(syncthing_t)
+
+manage_dirs_pattern(syncthing_t, syncthing_config_home_t, syncthing_config_home_t)
+manage_files_pattern(syncthing_t, syncthing_config_home_t, syncthing_config_home_t)
+manage_lnk_files_pattern(syncthing_t, syncthing_config_home_t, syncthing_config_home_t)
+
+miscfiles_read_generic_certs(syncthing_t)
+miscfiles_read_localization(syncthing_t)
+
+userdom_manage_user_home_content_files(syncthing_t)
+userdom_manage_user_home_content_dirs(syncthing_t)
+userdom_manage_user_home_content_symlinks(syncthing_t)
+userdom_user_home_dir_filetrans_user_home_content(syncthing_t, dir)
+
+# newly created files in ~/.config/syncthing/ will transition to syncthing_config_home_t
+userdom_user_home_content_filetrans(syncthing_t, syncthing_config_home_t, dir, "syncthing")
+
+userdom_use_user_terminals(syncthing_t)
+
+optional_policy(`
+    # temporary hack for /run/NetworkManager/resolv.conf until we make this part of sysnet_dns_name_resolve()
+    networkmanager_read_pid_files(syncthing_t)
+')
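Review bot: the second comment block is headed "Declarations" again; the first block already holds the declarations, so by refpolicy convention this one should be "Local policy". Applying both `init_daemon_domain` and `userdom_user_application_domain` to the same domain makes it serve both as a system service and as a per-user session process, and since `userdom_manage_user_home_content_files/dirs/symlinks` follow, a system-started instance is also allowed to manage every user's home content; if that dual use is intended, a comment saying so belongs next to the declarations. On least privilege, `corenet_tcp_connect_all_ports` together with `corenet_tcp_sendrecv_all_ports` and `corenet_udp_sendrecv_all_ports` lets the domain reach every labelled port, reserved ones included; if that is required because peers and relays listen on arbitrary ports, document it in a comment (or gate it with a tunable), and note that `corenet_tcp_connect_syncthing_port(syncthing_t)` alone covers the default peer port.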



* [gentoo-commits] proj/hardened-refpolicy:swift commit in: /
@ 2016-10-24 16:02 Sven Vermeulen
  2016-10-24 16:02 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
  2016-10-24 16:03 ` [gentoo-commits] proj/hardened-refpolicy:next " Sven Vermeulen
  0 siblings, 2 replies; 6+ messages in thread
From: Sven Vermeulen @ 2016-10-24 16:02 UTC (permalink / raw
  To: gentoo-commits

commit:     a172282d756622acde353c6bd9387431b0b3ff9e
Author:     Naftuli Tzvi Kay <rfkrocktk <AT> gmail <DOT> com>
AuthorDate: Sun Aug 21 07:08:42 2016 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 24 15:57:25 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a172282d

Syncthing Policy

Policy governing Syncthing - a file synchronization utility
written in Go.

Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>

 syncthing.fc |  3 +++
 syncthing.if | 32 +++++++++++++++++++++++++
 syncthing.te | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 113 insertions(+)

diff --git a/syncthing.fc b/syncthing.fc
new file mode 100644
index 0000000..4f7f53e
--- /dev/null
+++ b/syncthing.fc
@@ -0,0 +1,3 @@
+/usr/bin/syncthing                      -- gen_context(system_u:object_r:syncthing_exec_t,s0)
+
+HOME_DIR/\.config/syncthing(/.*)?          gen_context(system_u:object_r:syncthing_config_home_t,s0)

diff --git a/syncthing.if b/syncthing.if
new file mode 100644
index 0000000..d71fdaa
--- /dev/null
+++ b/syncthing.if
@@ -0,0 +1,32 @@
+## <summary>Application that lets you synchronize your files across multiple devices.</summary>
+
+########################################
+## <summary>
+##  Role access for Syncthing
+## </summary>
+## <param name="role">
+##  <summary>
+##  Role allowed access
+##  </summary>
+## </param>
+## <param name="domain">
+##  <summary>
+##  User domain for the role
+##  </summary>
+## </param>
+#
+interface(`syncthing_role', `
+
+    gen_require(`
+        attribute_role syncthing_roles;
+        type syncthing_t, syncthing_exec_t, syncthing_config_home_t;
+    ')
+
+    roleattribute $1 syncthing_roles;
+
+    domtrans_pattern($2, syncthing_exec_t, syncthing_t)
+
+    allow $2 syncthing_config_home_t:file { manage_file_perms relabel_file_perms };
+    allow $2 syncthing_config_home_t:dir { manage_dir_perms relabel_dir_perms };
+    allow $2 syncthing_config_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+')

diff --git a/syncthing.te b/syncthing.te
new file mode 100644
index 0000000..8144389
--- /dev/null
+++ b/syncthing.te
@@ -0,0 +1,78 @@
+policy_module(syncthing, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role syncthing_roles;
+role syncthing_roles types syncthing_t;
+
+type syncthing_t;
+type syncthing_exec_t;
+init_daemon_domain(syncthing_t, syncthing_exec_t)
+userdom_user_application_domain(syncthing_t, syncthing_exec_t)
+
+type syncthing_config_home_t;
+userdom_user_home_content(syncthing_config_home_t)
+
+########################################
+#
+# Declarations
+#
+
+allow syncthing_t self:process getsched;
+allow syncthing_t self:fifo_file rw_fifo_file_perms;
+allow syncthing_t self:tcp_socket { listen accept };
+
+can_exec(syncthing_t, syncthing_exec_t)
+
+kernel_read_kernel_sysctls(syncthing_t)
+kernel_read_net_sysctls(syncthing_t)
+kernel_read_system_state(syncthing_t)
+
+corenet_tcp_sendrecv_generic_if(syncthing_t)
+corenet_udp_sendrecv_generic_if(syncthing_t)
+
+corenet_tcp_bind_generic_node(syncthing_t)
+corenet_tcp_sendrecv_generic_node(syncthing_t)
+corenet_tcp_sendrecv_all_ports(syncthing_t)
+
+corenet_udp_bind_generic_node(syncthing_t)
+corenet_udp_sendrecv_generic_node(syncthing_t)
+corenet_udp_sendrecv_all_ports(syncthing_t)
+
+corenet_tcp_connect_all_ports(syncthing_t)
+
+corenet_tcp_bind_syncthing_port(syncthing_t)
+corenet_udp_bind_syncthing_discovery_port(syncthing_t)
+corenet_tcp_bind_syncthing_admin_port(syncthing_t)
+
+dev_read_rand(syncthing_t)
+dev_read_urand(syncthing_t)
+
+fs_getattr_xattr_fs(syncthing_t)
+
+auth_use_nsswitch(syncthing_t)
+
+manage_dirs_pattern(syncthing_t, syncthing_config_home_t, syncthing_config_home_t)
+manage_files_pattern(syncthing_t, syncthing_config_home_t, syncthing_config_home_t)
+manage_lnk_files_pattern(syncthing_t, syncthing_config_home_t, syncthing_config_home_t)
+
+miscfiles_read_generic_certs(syncthing_t)
+miscfiles_read_localization(syncthing_t)
+
+userdom_manage_user_home_content_files(syncthing_t)
+userdom_manage_user_home_content_dirs(syncthing_t)
+userdom_manage_user_home_content_symlinks(syncthing_t)
+userdom_user_home_dir_filetrans_user_home_content(syncthing_t, dir)
+
+# newly created files in ~/.config/syncthing/ will transition to syncthing_config_home_t
+userdom_user_home_content_filetrans(syncthing_t, syncthing_config_home_t, dir, "syncthing")
+
+userdom_use_user_terminals(syncthing_t)
+
+optional_policy(`
+    # temporary hack for /run/NetworkManager/resolv.conf until we make this part of sysnet_dns_name_resolve()
+    networkmanager_read_pid_files(syncthing_t)
+')



* [gentoo-commits] proj/hardened-refpolicy:swift commit in: /
@ 2016-10-24 16:02 Sven Vermeulen
  0 siblings, 0 replies; 6+ messages in thread
From: Sven Vermeulen @ 2016-10-24 16:02 UTC (permalink / raw
  To: gentoo-commits

commit:     7601edab81d7dd32ebe8270c7cd3ac17b0f28431
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Oct  9 11:47:09 2016 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 24 15:57:32 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7601edab

Rearrange lines in syncthing.

Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>

 syncthing.if | 19 +++++++++----------
 syncthing.te | 20 +++++++-------------
 2 files changed, 16 insertions(+), 23 deletions(-)

diff --git a/syncthing.if b/syncthing.if
index d71fdaa..065800a 100644
--- a/syncthing.if
+++ b/syncthing.if
@@ -16,17 +16,16 @@
 ## </param>
 #
 interface(`syncthing_role', `
+	gen_require(`
+		attribute_role syncthing_roles;
+		type syncthing_t, syncthing_exec_t, syncthing_config_home_t;
+	')
 
-    gen_require(`
-        attribute_role syncthing_roles;
-        type syncthing_t, syncthing_exec_t, syncthing_config_home_t;
-    ')
+	roleattribute $1 syncthing_roles;
 
-    roleattribute $1 syncthing_roles;
+	domtrans_pattern($2, syncthing_exec_t, syncthing_t)
 
-    domtrans_pattern($2, syncthing_exec_t, syncthing_t)
-
-    allow $2 syncthing_config_home_t:file { manage_file_perms relabel_file_perms };
-    allow $2 syncthing_config_home_t:dir { manage_dir_perms relabel_dir_perms };
-    allow $2 syncthing_config_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+	allow $2 syncthing_config_home_t:file { manage_file_perms relabel_file_perms };
+	allow $2 syncthing_config_home_t:dir { manage_dir_perms relabel_dir_perms };
+	allow $2 syncthing_config_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
 ')

diff --git a/syncthing.te b/syncthing.te
index 8144389..92d0bf5 100644
--- a/syncthing.te
+++ b/syncthing.te
@@ -27,23 +27,23 @@ allow syncthing_t self:tcp_socket { listen accept };
 
 can_exec(syncthing_t, syncthing_exec_t)
 
+manage_dirs_pattern(syncthing_t, syncthing_config_home_t, syncthing_config_home_t)
+manage_files_pattern(syncthing_t, syncthing_config_home_t, syncthing_config_home_t)
+manage_lnk_files_pattern(syncthing_t, syncthing_config_home_t, syncthing_config_home_t)
+
 kernel_read_kernel_sysctls(syncthing_t)
 kernel_read_net_sysctls(syncthing_t)
 kernel_read_system_state(syncthing_t)
 
 corenet_tcp_sendrecv_generic_if(syncthing_t)
 corenet_udp_sendrecv_generic_if(syncthing_t)
-
 corenet_tcp_bind_generic_node(syncthing_t)
 corenet_tcp_sendrecv_generic_node(syncthing_t)
 corenet_tcp_sendrecv_all_ports(syncthing_t)
-
 corenet_udp_bind_generic_node(syncthing_t)
 corenet_udp_sendrecv_generic_node(syncthing_t)
 corenet_udp_sendrecv_all_ports(syncthing_t)
-
 corenet_tcp_connect_all_ports(syncthing_t)
-
 corenet_tcp_bind_syncthing_port(syncthing_t)
 corenet_udp_bind_syncthing_discovery_port(syncthing_t)
 corenet_tcp_bind_syncthing_admin_port(syncthing_t)
@@ -55,10 +55,6 @@ fs_getattr_xattr_fs(syncthing_t)
 
 auth_use_nsswitch(syncthing_t)
 
-manage_dirs_pattern(syncthing_t, syncthing_config_home_t, syncthing_config_home_t)
-manage_files_pattern(syncthing_t, syncthing_config_home_t, syncthing_config_home_t)
-manage_lnk_files_pattern(syncthing_t, syncthing_config_home_t, syncthing_config_home_t)
-
 miscfiles_read_generic_certs(syncthing_t)
 miscfiles_read_localization(syncthing_t)
 
@@ -66,13 +62,11 @@ userdom_manage_user_home_content_files(syncthing_t)
 userdom_manage_user_home_content_dirs(syncthing_t)
 userdom_manage_user_home_content_symlinks(syncthing_t)
 userdom_user_home_dir_filetrans_user_home_content(syncthing_t, dir)
-
+userdom_use_user_terminals(syncthing_t)
 # newly created files in ~/.config/syncthing/ will transition to syncthing_config_home_t
 userdom_user_home_content_filetrans(syncthing_t, syncthing_config_home_t, dir, "syncthing")
 
-userdom_use_user_terminals(syncthing_t)
-
 optional_policy(`
-    # temporary hack for /run/NetworkManager/resolv.conf until we make this part of sysnet_dns_name_resolve()
-    networkmanager_read_pid_files(syncthing_t)
+	# temporary hack for /run/NetworkManager/resolv.conf until we make this part of sysnet_dns_name_resolve()
+	networkmanager_read_pid_files(syncthing_t)
 ')
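Review bot: `userdom_use_user_terminals(syncthing_t)` now sits directly above the `# newly created files in ~/.config/syncthing/` comment with no blank line between them, so the comment reads as if it explains the terminal call; keep a blank line before the comment so it stays attached to `userdom_user_home_content_filetrans`. The "temporary hack" TODO inside `optional_policy` is only reindented here and remains open.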



* [gentoo-commits] proj/hardened-refpolicy:swift commit in: /
  2016-10-24 16:02 [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
@ 2016-10-24 16:02 ` Sven Vermeulen
  0 siblings, 0 replies; 6+ messages in thread
From: Sven Vermeulen @ 2016-10-24 16:02 UTC (permalink / raw
  To: gentoo-commits

commit:     4a0e65d9a24d32297caee427433746e59468df3e
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Oct 23 20:58:59 2016 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 24 16:00:58 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4a0e65d9

Update Changelog and VERSION for release.

 Changelog | 234 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 VERSION   |   2 +-
 2 files changed, 235 insertions(+), 1 deletion(-)

diff --git a/Changelog b/Changelog
index 617f49e..d00f2cf 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,237 @@
+* Sun Oct 23 2016 Chris PeBenito <pebenito@ieee.org> - 2.20161023
+Chris PeBenito (94):
+      Module version bump for systemd-user-sessions fc entry from Dominick Grift
+      Module version bumps for 2 patches from Dominick Grift.
+      Module version bump for vm overcommit sysctl interfaces from Laurent
+         Bigonville.
+      Update contrib.
+      Module version bump for Xorg and SSH patches from Nicolas Iooss.
+      Add neverallow for mac_override capability. It is not used by SELinux.
+      Merge branch 'overcommit-1' of git://github.com/bigon/refpolicy into
+         bigon-overcommit-1
+      Merge branch 'bigon-overcommit-1'
+      Merge branch 'systemd-1' of git://github.com/bigon/refpolicy into
+         bigon-systemd-1
+      Merge branch 'bigon-systemd-1'
+      Module version bump for syslog and systemd changes from Laurent Bigonville
+      Merge pull request #19 from shootingatshadow/fc_sort
+      Merge branch 'xorg-1' of git://github.com/bigon/refpolicy into
+         bigon-xorg-1
+      Merge branch 'bigon-xorg-1'
+      Module version bump for Debian Xorg fc fixes from Laurent Bigonville
+      Add a type and genfscon for nsfs.
+      Module version bump for systemd PrivateNetwork patch from Nicolas Iooss
+      Module version bump for systemd audit_read capability from Laurent
+         Bigonville
+      Merge pull request #21 from fishilico/typos
+      Module version bump for patches from Nicolas Iooss and Grant Ridder.
+      Update contrib.
+      Module version bump for efivarfs patches from Dan Walsh, Vit Mojzis, and
+         Laurent Bigonville
+      Module version bump for ipset fc entry from Laurent Bigonville.
+      Update contrib.
+      Whitespace fix in iptables.fc.
+      Module version bump for iptables fc entries from Laurent Bigonville and
+         Lukas Vrabec.
+      Update contrib.
+      Module version bump for iptables/firewalld patch from Laurent Bigonville.
+      Merge pull request #29 from bigon/appconfig-lxc
+      Module version bump for getty patch from Luis Ressel.
+      Module version bump for tboot utils from Luis Ressel and systemd fix from
+         Jason Zaman.
+      Merge branch 'corecommands-archlinux' of
+         https://github.com/fishilico/selinux-refpolicy-patched
+      Merge branch 'dev_setattr_dlm_control-typo' of
+         https://github.com/fishilico/selinux-refpolicy-patched
+      Merge branch 'kdevtmpfs-unlink' of
+         https://github.com/fishilico/selinux-refpolicy-patched
+      Module version bump for several Arch fixes from Nicolas Iooss.
+      Update contrib.
+      Reduce broad entrypoints for unconfined domains.
+      Update Travis-CI build to newest SELinux userspace release.
+      Update su for libselinux-2.5 changes.
+      Merge branch 'selinux-1' of https://github.com/bigon/refpolicy
+      Module version bump for Debian fc entries from Laurent Bigonville.
+      Module version bump for patches from Dominick Grift and Lukas Vrabec.
+      Add user namespace capability object classes.
+      Module version bump for hwloc-dump-hwdata from Dominick Grift and Grzegorz
+         Andrejczuk.
+      Module version bump for nftables fc entry from Jason Zaman.
+      Update contrib.
+      Module version bump for LMNR port from Laurent Bigonville.
+      Module version bump for systemd-resolved patch from Laurent BIgonville.
+      Merge branch 'master' of https://github.com/qqo/refpolicy into qqo-master
+      Merge branch 'qqo-master'
+      Module version bump for mlstrustedsocket from qqo.
+      Module version bumps + contrib update for user_runtime from Jason Zaman.
+      Update contrib.
+      Module version bump for corecommands update from Garrett Holmstrom.
+      Module version bump for MLS relabeling patch from Lukas Vrabec.
+      Get attributes of generic ptys, from Russell Coker.
+      Module version bump for user_udp_server tunable from Russell Coker.
+      libraries: Move libsystemd fc entry.
+      libraries: Module version bump for libsystemd fc entry from Lukas Vrabec.
+      Update contrib.
+      Systemd units from Russell Coker.
+      corenetwork: Add port labeling for Global Catalog over LDAPS.
+      corenetwork: Missed version bump for previous commit.
+      Update contrib.
+      Allow the system user domains to chat over dbus with a few other domains
+         (e.g. gnome session).
+      Update alsa module use from Guido Trentalancia.
+      Update the sysnetwork module to add some permissions needed by the dhcp
+         client (another separate patch makes changes to the ifconfig part).
+      Ifconfig should be able to read firmware files in /lib (i.e. some network
+         cards need to load their firmware) and it should not audit attempts to
+         load kernel modules directly.
+      Remove redundant libs_read_lib_files() for ifconfig_t.
+      Module version bump for various patches from Guido Trentalancia.
+      Update contrib.
+      Update for the xserver module:
+      userdomain: Fix compile errors.
+      Update contrib.
+      Merge pull request #38 from fishilico/travis-nosudo
+      Module version bump for module_load perm use from Guido Trentalancia.
+      Update contrib.
+      Merge pull request #39 from rfkrocktk/feature/vagrant
+      Merge pull request #40 from jer-gentoo/patch-1
+      userdomain: Move enable_mls block in userdom_common_user_template().
+      Module version bumps for LVM and useromain patches from Guido
+         Trentalancia.
+      Update contrib.
+      Additional change from Guido Trentalancia related to evolution.
+      Module version bump for selinuxutil fix from Jason Zaman.
+      Update contrib.
+      Update contrib.
+      Merge branch 'feature/syncthing' of https://github.com/rfkrocktk/refpolicy
+         into rfkrocktk-feature/syncthing
+      Merge branch 'rfkrocktk-feature/syncthing'
+      Module version bumps for syncthing from Naftuli Tzvi Kay.
+      Merge pull request #41 from SeanPlacchetti/patch-1
+      Merge pull request #42 from SeanPlacchetti/patch-1
+      Merge pull request #43 from williamcroberts/google-patch
+      Update contrib.
+      Bump module versions for release.
+
+Dan Walsh (1):
+      Add label for efivarfs
+
+Dominick Grift (5):
+      systemd: add missing file context spec for systemd-user-sessions
+         executable file
+      authlogin: remove duplicate files_list_var_lib(nsswitch_domain)
+      kernel: implement sysctl_vm_overcommit_t for
+         /proc/sys/vm/overcommit_memory
+      systemd: Add support for --log-target
+      Update refpolicy to handle hwloc
+
+Garrett Holmstrom (1):
+      corecmd: Remove fcontext for /etc/sysconfig/libvirtd
+
+Grant Ridder (1):
+      Add redis-sentinel port to redis network_port def
+
+Guido Trentalancia (6):
+      Add module_load permission to class system
+      Add module_load permission to can_load_kernmodule
+      Remove deprecated semodule options from Makefile
+      Update the lvm module
+      Improve tunable support for rw operations on noxattr fs / removable media
+      userdomain: introduce the user certificate file context (was miscfiles:
+         introduce the user certificate file context)
+
+Jason Zaman (6):
+      system/init: move systemd_ interfaces into optional_policy
+      iptables: add fcontext for nftables
+      authlogin: remove fcontext for /var/run/user
+      userdomain: Introduce types for /run/user
+      userdomain: user_tmp requires searching /run/user
+      userdomain: introduce interfaces for user runtime
+
+Jason Zaman via refpolicy (1):
+      selinuxutil: allow setfiles to read semanage store
+
+Jeroen Roovers (1):
+      Use $(AWK) not plain awk
+
+Laurent Bigonville (15):
+      Add interfaces to read/write /proc/sys/vm/overcommit_memory
+      Give some systemd domain access to /proc/sys/kernel/random/boot_id
+      On Debian, systemd binaries are installed in / not /usr
+      Allow syslogd_t to read sysctl_vm_overcommit_t
+      Label Xorg server binary correctly on Debian
+      Allow systemd the audit_read capability
+      Allow logind to read efivarfs files
+      Add label for /sbin/ipset
+      Label /var/run/ebtables.lock as iptables_var_run_t.
+      Allow {eb,ip,ip6}tables-restore to read files in /run/firewalld
+      Add lxc_contexts config file
+      Add some labels for SELinux tools path in Debian
+      Add the validate_trans access vector to the security class
+      Add llmnr/5355 (Link-local Multicast Name Resolution)
+      Add policy for systemd-resolved
+
+Luis Ressel (2):
+      Allow getty the sys_admin capability
+      Allow sysadm to run txt-stat.
+
+Lukas Vrabec (4):
+      Label /var/run/xtables.lock as iptables_var_run_t.
+      SELinux support for cgroup2 filesystem.
+      Add new MLS attribute to allow relabeling objects higher than system low.
+         This exception is needed for package managers when processing sensitive
+         data.
+      Systemd by version 231 starts using shared library and systemd daemons
+         execute it. For this reason lib_t type is needed.
+
+Mike Palmiotto (1):
+      Add mls support for some db classes
+
+Naftuli Tzvi Kay (2):
+      Add Syncthing Support to Policy
+      Add Vagrant box for development.
+
+Nicolas Iooss (18):
+      Label Xorg server binary correctly on Arch Linux
+      Label OpenSSH files correctly on Arch Linux
+      Label OpenSSH systemd unit files
+      Allow systemd services to use PrivateNetwork feature
+      Fix typo in init_dbus_chat requirements
+      Fix typos in comments from corenetwork module
+      man: Spelling fixes
+      Fix interface descriptions when duplicate ones are found
+      Label /sys/kernel/debug/tracing filesystem
+      Label TexLive scripts bin_t
+      Label system-config-printer applet properly on Arch Linux
+      Label gedit plugins properly on Arch Linux
+      Label some user session DBus services as bin_t
+      Do not label /usr/lib/gvfs/libgvfscommon.so as bin_t
+      Fix typo in dev_setattr_dlm_control interface requirements
+      Allow kdevtmpfs to unlink fixed disk devices
+      Fix typo in module compilation message
+      Make Travis-CI build without using sudo
+
+Rahul Chaudhry (1):
+      fc_sort: cleanup warnings caught by clang tidy / static analyzer.
+
+Russell Coker (2):
+      user_udp_server tunable
+      getattr on unlabeled blk devs
+
+Sean Placchetti (2):
+      Update to refpolicy spec file
+      Update specfile
+
+Vit Mojzis (1):
+      Add interface to allow reading files in efivarfs - contains Linux Kernel
+         configuration options for UEFI systems (UEFI Runtime Variables)
+
+William Roberts (1):
+      fc_sort: strip whitespace errors
+
+qqo (1):
+      Adds attribute mlstrustedsocket, along with the interface.
+
 * Tue Dec 08 2015 Chris PeBenito <selinux@tresys.com> - 2.20151208
 Alexander Wetzel (1):
       adds vfio device support to base policy
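Review bot: two generated entries carry typos from the commit subjects they were produced from, "Laurent BIgonville" and "useromain patches" (userdomain), and "Update for the xserver module:" is a subject line that ends in a colon with nothing after it; since this file mirrors git shortlog, the fix belongs in the source history rather than here, but a read-through of the generated text before tagging would catch these. The release header's version 2.20161023 is consistent with the VERSION bump in the same commit.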

diff --git a/VERSION b/VERSION
index 382483e..f011019 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.20151208
+2.20161023



* [gentoo-commits] proj/hardened-refpolicy:next commit in: /
  2016-10-24 16:02 [gentoo-commits] proj/hardened-refpolicy:swift commit in: / Sven Vermeulen
  2016-10-24 16:02 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
@ 2016-10-24 16:03 ` Sven Vermeulen
  1 sibling, 0 replies; 6+ messages in thread
From: Sven Vermeulen @ 2016-10-24 16:03 UTC (permalink / raw
  To: gentoo-commits

commit:     a172282d756622acde353c6bd9387431b0b3ff9e
Author:     Naftuli Tzvi Kay <rfkrocktk <AT> gmail <DOT> com>
AuthorDate: Sun Aug 21 07:08:42 2016 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 24 15:57:25 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a172282d

Syncthing Policy

Policy governing Syncthing - a file synchronization utility
written in Go.

Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>

 syncthing.fc |  3 +++
 syncthing.if | 32 +++++++++++++++++++++++++
 syncthing.te | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 113 insertions(+)

diff --git a/syncthing.fc b/syncthing.fc
new file mode 100644
index 0000000..4f7f53e
--- /dev/null
+++ b/syncthing.fc
@@ -0,0 +1,3 @@
+/usr/bin/syncthing                      -- gen_context(system_u:object_r:syncthing_exec_t,s0)
+
+HOME_DIR/\.config/syncthing(/.*)?          gen_context(system_u:object_r:syncthing_config_home_t,s0)

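Review bot: the HOME_DIR/\.config/syncthing(/.*)? entry carries no file-type specifier, so it labels the directory itself and everything beneath it syncthing_config_home_t, which matches the dir, file and lnk_file rules the .te and .if files grant on that type. Nothing in this file labels the folders syncthing actually synchronises, so those remain generic user home content and are reachable only through the broad userdom_manage_user_home_content_* rules in syncthing.te; if that is the intent, a short comment here saying so would save the next reader the cross-check.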
diff --git a/syncthing.if b/syncthing.if
new file mode 100644
index 0000000..d71fdaa
--- /dev/null
+++ b/syncthing.if
@@ -0,0 +1,32 @@
+## <summary>Application that lets you synchronize your files across multiple devices.</summary>
+
+########################################
+## <summary>
+##  Role access for Syncthing
+## </summary>
+## <param name="role">
+##  <summary>
+##  Role allowed access
+##  </summary>
+## </param>
+## <param name="domain">
+##  <summary>
+##  User domain for the role
+##  </summary>
+## </param>
+#
+interface(`syncthing_role', `
+
+    gen_require(`
+        attribute_role syncthing_roles;
+        type syncthing_t, syncthing_exec_t, syncthing_config_home_t;
+    ')
+
+    roleattribute $1 syncthing_roles;
+
+    domtrans_pattern($2, syncthing_exec_t, syncthing_t)
+
+    allow $2 syncthing_config_home_t:file { manage_file_perms relabel_file_perms };
+    allow $2 syncthing_config_home_t:dir { manage_dir_perms relabel_dir_perms };
+    allow $2 syncthing_config_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+')

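Review bot: syncthing_role grants $2 manage and relabel rights on syncthing_config_home_t through raw allow rules; prefer the refpolicy patterns used elsewhere in this commit (manage_dirs_pattern($2, syncthing_config_home_t, syncthing_config_home_t), relabel_dirs_pattern(...) and the files/lnk_files equivalents) so the interface stays consistent with the syncthing_t rules in syncthing.te. The interface also omits the process rights other refpolicy role interfaces give the user domain, namely ps_process_pattern($2, syncthing_t) and allow $2 syncthing_t:process { ptrace signal_perms }; without them nothing here lets a user who launched syncthing from their session inspect or signal the running domain.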
diff --git a/syncthing.te b/syncthing.te
new file mode 100644
index 0000000..8144389
--- /dev/null
+++ b/syncthing.te
@@ -0,0 +1,78 @@
+policy_module(syncthing, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role syncthing_roles;
+role syncthing_roles types syncthing_t;
+
+type syncthing_t;
+type syncthing_exec_t;
+init_daemon_domain(syncthing_t, syncthing_exec_t)
+userdom_user_application_domain(syncthing_t, syncthing_exec_t)
+
+type syncthing_config_home_t;
+userdom_user_home_content(syncthing_config_home_t)
+
+########################################
+#
+# Declarations
+#
+
+allow syncthing_t self:process getsched;
+allow syncthing_t self:fifo_file rw_fifo_file_perms;
+allow syncthing_t self:tcp_socket { listen accept };
+
+can_exec(syncthing_t, syncthing_exec_t)
+
+kernel_read_kernel_sysctls(syncthing_t)
+kernel_read_net_sysctls(syncthing_t)
+kernel_read_system_state(syncthing_t)
+
+corenet_tcp_sendrecv_generic_if(syncthing_t)
+corenet_udp_sendrecv_generic_if(syncthing_t)
+
+corenet_tcp_bind_generic_node(syncthing_t)
+corenet_tcp_sendrecv_generic_node(syncthing_t)
+corenet_tcp_sendrecv_all_ports(syncthing_t)
+
+corenet_udp_bind_generic_node(syncthing_t)
+corenet_udp_sendrecv_generic_node(syncthing_t)
+corenet_udp_sendrecv_all_ports(syncthing_t)
+
+corenet_tcp_connect_all_ports(syncthing_t)
+
+corenet_tcp_bind_syncthing_port(syncthing_t)
+corenet_udp_bind_syncthing_discovery_port(syncthing_t)
+corenet_tcp_bind_syncthing_admin_port(syncthing_t)
+
+dev_read_rand(syncthing_t)
+dev_read_urand(syncthing_t)
+
+fs_getattr_xattr_fs(syncthing_t)
+
+auth_use_nsswitch(syncthing_t)
+
+manage_dirs_pattern(syncthing_t, syncthing_config_home_t, syncthing_config_home_t)
+manage_files_pattern(syncthing_t, syncthing_config_home_t, syncthing_config_home_t)
+manage_lnk_files_pattern(syncthing_t, syncthing_config_home_t, syncthing_config_home_t)
+
+miscfiles_read_generic_certs(syncthing_t)
+miscfiles_read_localization(syncthing_t)
+
+userdom_manage_user_home_content_files(syncthing_t)
+userdom_manage_user_home_content_dirs(syncthing_t)
+userdom_manage_user_home_content_symlinks(syncthing_t)
+userdom_user_home_dir_filetrans_user_home_content(syncthing_t, dir)
+
+# newly created files in ~/.config/syncthing/ will transition to syncthing_config_home_t
+userdom_user_home_content_filetrans(syncthing_t, syncthing_config_home_t, dir, "syncthing")
+
+userdom_use_user_terminals(syncthing_t)
+
+optional_policy(`
+    # temporary hack for /run/NetworkManager/resolv.conf until we make this part of sysnet_dns_name_resolve()
+    networkmanager_read_pid_files(syncthing_t)
+')

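Review bot: the second comment block, the one just before "allow syncthing_t self:process getsched;", is headed "Declarations" again; by refpolicy convention the rules section is headed "Policy". Two further points on the same hunk. First, syncthing_t is declared with both init_daemon_domain and userdom_user_application_domain and, in either case, receives manage rights on all user home content files, dirs and symlinks together with corenet_tcp_connect_all_ports and corenet_tcp_sendrecv_all_ports; when started by init as a system daemon that is a wide grant, so either confirm in the commit message that it is intended (the home access is what lets syncthing reach the folders it synchronises) or narrow it to the config type. Second, the three corenet_*_bind_syncthing_*_port interfaces are not added by this patch (only the .fc, .if and .te files change), so the corenetwork port declarations they rely on must already exist in the tree, and the "temporary hack" for networkmanager_read_pid_files should be tracked so it is dropped once sysnet_dns_name_resolve() covers it.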

