From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 6000B139085 for ; Mon, 23 Jan 2017 15:44:23 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 35C862241BA; Mon, 23 Jan 2017 15:44:22 +0000 (UTC) Received: from smtp.gentoo.org (woodpecker.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 056552241BA for ; Mon, 23 Jan 2017 15:44:21 +0000 (UTC) Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id C9D5A3416A7 for ; Mon, 23 Jan 2017 15:44:20 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 407812D14 for ; Mon, 23 Jan 2017 15:44:19 +0000 (UTC) 
From: "Jason Zaman" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" Message-ID: <1485176165.95bb9a0c4c8e7b00b48cd5ba7675efe259a03d41.perfinion@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/screen.fc policy/modules/contrib/screen.if policy/modules/contrib/screen.te X-VCS-Directories: policy/modules/contrib/ X-VCS-Committer: perfinion X-VCS-Committer-Name: Jason Zaman X-VCS-Revision: 95bb9a0c4c8e7b00b48cd5ba7675efe259a03d41 X-VCS-Branch: master Date: Mon, 23 Jan 2017 15:44:19 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: f6f50115-13a0-4ef0-a699-dc8bb0a728a6 X-Archives-Hash: a00a7a8fed2ca63668d86f3eb1d0695a commit: 95bb9a0c4c8e7b00b48cd5ba7675efe259a03d41 Author: cgzones googlemail com> AuthorDate: Thu Jan 5 19:14:47 2017 +0000 Commit: Jason Zaman gentoo org> CommitDate: Mon Jan 23 12:56:05 2017 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=95bb9a0c update screen module policy/modules/contrib/screen.fc | 10 +++++----- policy/modules/contrib/screen.if | 10 +++++----- policy/modules/contrib/screen.te | 29 ++++++++++++----------------- 3 files changed, 22 insertions(+), 27 deletions(-) diff --git a/policy/modules/contrib/screen.fc b/policy/modules/contrib/screen.fc index 975d48f..7196c59 100644 --- a/policy/modules/contrib/screen.fc +++ b/policy/modules/contrib/screen.fc 
@@ -1,9 +1,9 @@
-HOME_DIR/\.screen(/.*)? gen_context(system_u:object_r:screen_home_t,s0)
+HOME_DIR/\.screen(/.*)? gen_context(system_u:object_r:screen_home_t,s0)
 HOME_DIR/\.screenrc -- gen_context(system_u:object_r:screen_home_t,s0)
 HOME_DIR/\.tmux\.conf -- gen_context(system_u:object_r:screen_home_t,s0)
-/usr/bin/screen -- gen_context(system_u:object_r:screen_exec_t,s0)
-/usr/bin/tmux -- gen_context(system_u:object_r:screen_exec_t,s0)
+/run/screen(/.*)? gen_context(system_u:object_r:screen_runtime_t,s0)
+/run/tmux(/.*)? gen_context(system_u:object_r:screen_runtime_t,s0)
-/run/screen(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0)
-/run/tmux(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0)
+/usr/bin/screen -- gen_context(system_u:object_r:screen_exec_t,s0)
+/usr/bin/tmux -- gen_context(system_u:object_r:screen_exec_t,s0)
diff --git a/policy/modules/contrib/screen.if b/policy/modules/contrib/screen.if
index 2795f69..884e261 100644
--- a/policy/modules/contrib/screen.if
+++ b/policy/modules/contrib/screen.if
@@ -26,7 +26,7 @@ template(`screen_role_template',`
 attribute screen_domain;
 attribute_role screen_roles;
 type screen_exec_t, screen_tmp_t;
- type screen_home_t, screen_var_run_t;
+ type screen_home_t, screen_runtime_t;
 ')
 ########################################
@@ -69,10 +69,10 @@ template(`screen_role_template',`
 userdom_user_home_dir_filetrans($3, screen_home_t, file, ".screenrc")
 userdom_user_home_dir_filetrans($3, screen_home_t, file, ".tmux.conf")
- manage_dirs_pattern($3, screen_var_run_t, screen_var_run_t)
- manage_files_pattern($3, screen_var_run_t, screen_var_run_t)
- manage_lnk_files_pattern($3, screen_var_run_t, screen_var_run_t)
- manage_fifo_files_pattern($3, screen_var_run_t, screen_var_run_t)
+ manage_dirs_pattern($3, screen_runtime_t, screen_runtime_t)
+ manage_files_pattern($3, screen_runtime_t, screen_runtime_t)
+ manage_lnk_files_pattern($3, screen_runtime_t, screen_runtime_t)
+ manage_fifo_files_pattern($3, screen_runtime_t, screen_runtime_t)
 corecmd_bin_domtrans($1_screen_t, $3)
 corecmd_shell_domtrans($1_screen_t, $3)
diff --git a/policy/modules/contrib/screen.te b/policy/modules/contrib/screen.te
index bebb3ec..d50f157 100644
--- a/policy/modules/contrib/screen.te
+++ b/policy/modules/contrib/screen.te
@@ -13,27 +13,23 @@ type screen_exec_t;
 application_executable_file(screen_exec_t)
 type screen_home_t;
-typealias screen_home_t alias { user_screen_home_t staff_screen_home_t sysadm_screen_home_t };
-typealias screen_home_t alias { auditadm_screen_home_t secadm_screen_home_t };
 userdom_user_home_content(screen_home_t)
 type screen_tmp_t;
-typealias screen_tmp_t alias { user_screen_tmp_t staff_screen_tmp_t sysadm_screen_tmp_t };
-typealias screen_tmp_t alias { auditadm_screen_tmp_t secadm_screen_tmp_t };
 userdom_user_tmp_file(screen_tmp_t)
-type screen_var_run_t;
-typealias screen_var_run_t alias { user_screen_var_run_t staff_screen_var_run_t sysadm_screen_var_run_t };
-typealias screen_var_run_t alias { auditadm_screen_var_run_t secadm_screen_var_run_t screen_dir_t };
-files_pid_file(screen_var_run_t)
-ubac_constrained(screen_var_run_t)
+type screen_runtime_t;
+typealias screen_runtime_t alias screen_var_run_t;
+files_pid_file(screen_runtime_t)
+ubac_constrained(screen_runtime_t)
 ########################################
 #
 # Common screen domain local policy
 #
-allow screen_domain self:capability { setuid setgid fsetid };
+# dac_override : read /dev/pts/ID
+allow screen_domain self:capability { setuid setgid fsetid dac_override };
 allow screen_domain self:process signal_perms;
 allow screen_domain self:fd use;
 allow screen_domain self:fifo_file rw_fifo_file_perms;
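Review bot: The `dac_override` added in `allow screen_domain self:capability { setuid setgid fsetid dac_override };` is broader than the `# dac_override : read /dev/pts/ID` comment justifies: it lets every screen/tmux user domain bypass DAC read, write and execute checks on any file its SELinux rules already reach, whereas a read-only open is satisfied by the narrower `dac_read_search` (the kernel tries CAP_DAC_READ_SEARCH before CAP_DAC_OVERRIDE for pure reads, so the denial would have named it first if it sufficed). Unless the original AVC still shows `dac_override` after granting the narrower one, I would commit `allow screen_domain self:capability { setuid setgid fsetid dac_read_search };` and keep the comment; if the real need is reaching another user's pty, a pty-type interface (e.g. `term_use_all_ptys`) would be more targeted than a capability grant — worth confirming against the denial. Separately, this hunk drops the `user_`/`staff_`/`sysadm_`/`auditadm_`/`secadm_` aliases and `screen_dir_t` while keeping only `typealias screen_runtime_t alias screen_var_run_t;`; any local file contexts or on-disk labels still using the dropped names stop resolving once this policy is loaded, so a mention in the commit message (or a relabel hint) would help downstream users.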
@@ -44,12 +40,12 @@ manage_dirs_pattern(screen_domain, screen_tmp_t, screen_tmp_t)
 manage_files_pattern(screen_domain, screen_tmp_t, screen_tmp_t)
 manage_fifo_files_pattern(screen_domain, screen_tmp_t, screen_tmp_t)
 files_tmp_filetrans(screen_domain, screen_tmp_t, { file dir })
-filetrans_pattern(screen_domain, screen_tmp_t, screen_var_run_t, sock_file)
+filetrans_pattern(screen_domain, screen_tmp_t, screen_runtime_t, sock_file)
-manage_fifo_files_pattern(screen_domain, screen_var_run_t, screen_var_run_t)
-manage_dirs_pattern(screen_domain, screen_var_run_t, screen_var_run_t)
-manage_sock_files_pattern(screen_domain, screen_var_run_t, screen_var_run_t)
-files_pid_filetrans(screen_domain, screen_var_run_t, dir)
+manage_fifo_files_pattern(screen_domain, screen_runtime_t, screen_runtime_t)
+manage_dirs_pattern(screen_domain, screen_runtime_t, screen_runtime_t)
+manage_sock_files_pattern(screen_domain, screen_runtime_t, screen_runtime_t)
+files_pid_filetrans(screen_domain, screen_runtime_t, dir)
 manage_dirs_pattern(screen_domain, screen_home_t, screen_home_t)
 read_files_pattern(screen_domain, screen_home_t, screen_home_t)
@@ -91,8 +87,7 @@ fs_getattr_all_fs(screen_domain)
 auth_dontaudit_read_shadow(screen_domain)
 auth_dontaudit_exec_utempter(screen_domain)
-
-init_rw_utmp(screen_domain)
+auth_rw_utmp(screen_domain)
 logging_send_syslog_msg(screen_domain)