From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 580611395E2 for ; Tue, 6 Dec 2016 14:21:54 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 99B06E0C37; Tue, 6 Dec 2016 14:21:53 +0000 (UTC)
Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 765F1E0C37 for ; Tue, 6 Dec 2016 14:21:53 +0000 (UTC)
Received: from oystercatcher.gentoo.org (unknown [IPv6:2a01:4f8:202:4333:225:90ff:fed9:fc84]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 6FD463412CB for ; Tue, 6 Dec 2016 14:21:52 +0000 (UTC)
Received: from localhost.localdomain (localhost [127.0.0.1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 5DD594A6 for ; Tue, 6 Dec 2016 14:21:50 +0000 (UTC)
From: "Jason Zaman"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman"
Message-ID: <1481032683.a2f1ba7050cdedf754c399f9c22375bff161b78f.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/contrib/portage.if
X-VCS-Directories: policy/modules/contrib/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: a2f1ba7050cdedf754c399f9c22375bff161b78f
X-VCS-Branch: master
Date: Tue, 6 Dec 2016 14:21:50 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: f90499f4-fd72-4818-881d-ece705f58a49
X-Archives-Hash: 617d9a57683f9113c958817f81919eec

commit:     a2f1ba7050cdedf754c399f9c22375bff161b78f
Author:     Luis Ressel aixah de>
AuthorDate: Sat Nov 26 18:05:35 2016 +0000
Commit:     Jason Zaman gentoo org>
CommitDate: Tue Dec  6 13:58:03 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a2f1ba70

Allow portage compile domains to relabel portage_tmp_t:dir's

This permission is requested by a 'cp' in the multibuild.eclass (see bug
600926). It's not actually required, but since we already allow the same
permission for files and allowing it for directories doesn't have any
security implications, I've chosen to use "allow" instead of "dontaudit".

 policy/modules/contrib/portage.if | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/contrib/portage.if b/policy/modules/contrib/portage.if
index 14c4fb6..e990d79 100644
--- a/policy/modules/contrib/portage.if
+++ b/policy/modules/contrib/portage.if
@@ -118,6 +118,7 @@ interface(`portage_compile_domain',` files_tmp_filetrans($1, portage_tmp_t, { dir file lnk_file sock_file fifo_file }) # SELinux-enabled programs running in the sandbox allow $1 portage_tmp_t:file relabel_file_perms; + allow $1 portage_tmp_t:dir relabel_dir_perms; manage_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t) manage_lnk_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t)
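Review bot: the added `allow $1 portage_tmp_t:dir relabel_dir_perms;` sits under the existing `# SELinux-enabled programs running in the sandbox` comment with nothing recording why it exists, while the commit message says the access is triggered only by a `cp` in multibuild.eclass (bug 600926) and is not actually required. Suggest a comment on the new line such as `# not strictly needed; requested by cp in multibuild.eclass, bug 600926` so a later audit of portage_compile_domain() can tell this deliberate parity grant from a real dependency. Since the commit itself notes the operation is unnecessary, a `dontaudit` rule would also have silenced the denial without widening the interface; if `allow` is kept for consistency with the file rule above it, stating that in the comment is enough.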
From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Jason Zaman"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman"
Message-ID: <1481032683.a2f1ba7050cdedf754c399f9c22375bff161b78f.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/contrib/portage.if
X-VCS-Directories: policy/modules/contrib/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: a2f1ba7050cdedf754c399f9c22375bff161b78f
X-VCS-Branch: next
Date: Tue, 6 Dec 2016 14:25:00 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: 22400b36-87f3-4ca1-8a5b-d55837b5e785
X-Archives-Hash: bf4fb8b431271e85fd724d26e713c79a
Message-ID: <20161206142500.Qo1-XfdKSm5dlUfD-BJ7MmMydguQy8f75SLS9O_DLmQ@z>