[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/roles/, policy/modules/services/

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/roles/, policy/modules/services/

[Jason Zaman]

commit:     26cfb137599281b3669132f1828bd8dcab5b9848
Author:     Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Tue Dec  6 20:41:39 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec  8 04:44:05 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=26cfb137

Apache OpenOffice module (base policy part)

This is a patch that I have created and tested to support Apache
OpenOffice with its own module (base policy part, 1/2).

The file contexts (and initial tests) are based on the default
installation path for version 4 of the office suite.

Since the second version it includes revisions from Dominick Grift.

Since the third version it should correctly manage files in home
directories and allow some other major functionality.

The fourth version of the patch introduces a boolean to enable or
disable software updates from the network (application and/or
extensions).

The fifth version of the patch adds the ability to connect to the
X display manager (XDM) using Unix domain sockets (interface
xserver_stream_connect_xdm()). Also the fifth version splits the
whole patch into separate base policy / contrib policy patches as
required.

The sixth version of this patch removes obsolete executable
permission from the unconfined module.

The seventh, eighth and nineth versions brings no changes in the base
part of the patch.

All released versions are safe to apply, each new version just
brings improved application functionality and better integration
with other desktop applications.

Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>

 policy/modules/roles/staff.te       |  4 ++++
 policy/modules/roles/sysadm.te      |  4 ++++
 policy/modules/roles/unprivuser.te  |  4 ++++
 policy/modules/services/xserver.if  | 19 +++++++++++++++++++
 policy/modules/system/libraries.fc  |  2 ++
 policy/modules/system/unconfined.fc |  1 -
 6 files changed, 33 insertions(+), 1 deletion(-)

diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 2f12250..67ca253 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -141,6 +141,10 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
+		ooffice_role(staff_r, staff_t)
+	')
+
+	optional_policy(`
 		pyzor_role(staff_r, staff_t)
 	')
 

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 7631551..2071dbc 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -721,6 +721,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	ooffice_role(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
 	openct_admin(sysadm_t, sysadm_r)
 ')
 

diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index 6c2cd55..768dc1a 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -114,6 +114,10 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
+		ooffice_role(user_r, user_t)
+	')
+
+	optional_policy(`
 		postgresql_role(user_r, user_t)
 	')
 

diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index f6dc616..3b55a08 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -621,6 +621,25 @@ interface(`xserver_read_user_dmrc',`
 
 ########################################
 ## <summary>
+##	Read all users .ICEauthority.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_read_user_iceauth',`
+	gen_require(`
+		type iceauth_home_t;
+	')
+
+	allow $1 iceauth_home_t:file read_file_perms;
+	userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
 ##	Set the attributes of the X windows console named pipes.
 ## </summary>
 ## <param name="domain">

diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
index 2e92f7e..f6d1e7c 100644
--- a/policy/modules/system/libraries.fc
+++ b/policy/modules/system/libraries.fc
@@ -52,6 +52,8 @@ ifdef(`distro_redhat',`
 /opt/(.*/)?jre.*/.+\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /opt/(.*/)?jre/.+\.jar			--	gen_context(system_u:object_r:lib_t,s0)
 
+/opt/openoffice4/program/.+\.so(\.[^/]*)*	--	gen_context(system_u:object_r:lib_t,s0)
+
 /opt/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 # despite the extensions, they are actually libs
 /opt/Acrobat[5-9]/Reader/intellinux/plugins/.*\.api -- gen_context(system_u:object_r:lib_t,s0)

diff --git a/policy/modules/system/unconfined.fc b/policy/modules/system/unconfined.fc
index 0abaf84..519f2bf 100644
--- a/policy/modules/system/unconfined.fc
+++ b/policy/modules/system/unconfined.fc
@@ -6,7 +6,6 @@
 /usr/bin/vncserver		--	gen_context(system_u:object_r:unconfined_exec_t,s0)
 
 /usr/lib/ia32el/ia32x_loader 	--	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 
 /usr/local/RealPlayer/realplay\.bin --	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 

[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/, policy/modules/services/, policy/modules/roles/

[Jason Zaman]

commit:     26cfb137599281b3669132f1828bd8dcab5b9848
Author:     Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Tue Dec  6 20:41:39 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec  8 04:44:05 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=26cfb137

Apache OpenOffice module (base policy part)

This is a patch that I have created and tested to support Apache
OpenOffice with its own module (base policy part, 1/2).

The file contexts (and initial tests) are based on the default
installation path for version 4 of the office suite.

Since the second version it includes revisions from Dominick Grift.

Since the third version it should correctly manage files in home
directories and allow some other major functionality.

The fourth version of the patch introduces a boolean to enable or
disable software updates from the network (application and/or
extensions).

The fifth version of the patch adds the ability to connect to the
X display manager (XDM) using Unix domain sockets (interface
xserver_stream_connect_xdm()). Also the fifth version splits the
whole patch into separate base policy / contrib policy patches as
required.

The sixth version of this patch removes obsolete executable
permission from the unconfined module.

The seventh, eighth and nineth versions brings no changes in the base
part of the patch.

All released versions are safe to apply, each new version just
brings improved application functionality and better integration
with other desktop applications.

Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>

 policy/modules/roles/staff.te       |  4 ++++
 policy/modules/roles/sysadm.te      |  4 ++++
 policy/modules/roles/unprivuser.te  |  4 ++++
 policy/modules/services/xserver.if  | 19 +++++++++++++++++++
 policy/modules/system/libraries.fc  |  2 ++
 policy/modules/system/unconfined.fc |  1 -
 6 files changed, 33 insertions(+), 1 deletion(-)

diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 2f12250..67ca253 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -141,6 +141,10 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
+		ooffice_role(staff_r, staff_t)
+	')
+
+	optional_policy(`
 		pyzor_role(staff_r, staff_t)
 	')
 

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 7631551..2071dbc 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -721,6 +721,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	ooffice_role(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
 	openct_admin(sysadm_t, sysadm_r)
 ')
 

diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index 6c2cd55..768dc1a 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -114,6 +114,10 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
+		ooffice_role(user_r, user_t)
+	')
+
+	optional_policy(`
 		postgresql_role(user_r, user_t)
 	')
 

diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index f6dc616..3b55a08 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -621,6 +621,25 @@ interface(`xserver_read_user_dmrc',`
 
 ########################################
 ## <summary>
+##	Read all users .ICEauthority.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_read_user_iceauth',`
+	gen_require(`
+		type iceauth_home_t;
+	')
+
+	allow $1 iceauth_home_t:file read_file_perms;
+	userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
 ##	Set the attributes of the X windows console named pipes.
 ## </summary>
 ## <param name="domain">

diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
index 2e92f7e..f6d1e7c 100644
--- a/policy/modules/system/libraries.fc
+++ b/policy/modules/system/libraries.fc
@@ -52,6 +52,8 @@ ifdef(`distro_redhat',`
 /opt/(.*/)?jre.*/.+\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /opt/(.*/)?jre/.+\.jar			--	gen_context(system_u:object_r:lib_t,s0)
 
+/opt/openoffice4/program/.+\.so(\.[^/]*)*	--	gen_context(system_u:object_r:lib_t,s0)
+
 /opt/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 # despite the extensions, they are actually libs
 /opt/Acrobat[5-9]/Reader/intellinux/plugins/.*\.api -- gen_context(system_u:object_r:lib_t,s0)

diff --git a/policy/modules/system/unconfined.fc b/policy/modules/system/unconfined.fc
index 0abaf84..519f2bf 100644
--- a/policy/modules/system/unconfined.fc
+++ b/policy/modules/system/unconfined.fc
@@ -6,7 +6,6 @@
 /usr/bin/vncserver		--	gen_context(system_u:object_r:unconfined_exec_t,s0)
 
 /usr/lib/ia32el/ia32x_loader 	--	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 
 /usr/local/RealPlayer/realplay\.bin --	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)