From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-commits+bounces-925755-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by finch.gentoo.org (Postfix) with ESMTPS id 6000B139085
	for <garchives@archives.gentoo.org>; Mon, 23 Jan 2017 15:44:23 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 35C862241BA;
	Mon, 23 Jan 2017 15:44:22 +0000 (UTC)
Received: from smtp.gentoo.org (woodpecker.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id 056552241BA
	for <gentoo-commits@lists.gentoo.org>; Mon, 23 Jan 2017 15:44:21 +0000 (UTC)
Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.gentoo.org (Postfix) with ESMTPS id C9D5A3416A7
	for <gentoo-commits@lists.gentoo.org>; Mon, 23 Jan 2017 15:44:20 +0000 (UTC)
Received: from localhost.localdomain (localhost [127.0.0.1])
	by oystercatcher.gentoo.org (Postfix) with ESMTP id 407812D14
	for <gentoo-commits@lists.gentoo.org>; Mon, 23 Jan 2017 15:44:19 +0000 (UTC)
From: "Jason Zaman" <perfinion@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" <perfinion@gentoo.org>
Message-ID: <1485176165.95bb9a0c4c8e7b00b48cd5ba7675efe259a03d41.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/contrib/screen.fc policy/modules/contrib/screen.if policy/modules/contrib/screen.te
X-VCS-Directories: policy/modules/contrib/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: 95bb9a0c4c8e7b00b48cd5ba7675efe259a03d41
X-VCS-Branch: master
Date: Mon, 23 Jan 2017 15:44:19 +0000 (UTC)
Precedence: bulk
List-Post: <mailto:gentoo-commits@lists.gentoo.org>
List-Help: <mailto:gentoo-commits+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-commits+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-commits+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-commits.gentoo.org>
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: f6f50115-13a0-4ef0-a699-dc8bb0a728a6
X-Archives-Hash: a00a7a8fed2ca63668d86f3eb1d0695a

commit:     95bb9a0c4c8e7b00b48cd5ba7675efe259a03d41
Author:     cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Thu Jan  5 19:14:47 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Jan 23 12:56:05 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=95bb9a0c

update screen module

 policy/modules/contrib/screen.fc | 10 +++++-----
 policy/modules/contrib/screen.if | 10 +++++-----
 policy/modules/contrib/screen.te | 29 ++++++++++++-----------------
 3 files changed, 22 insertions(+), 27 deletions(-)

diff --git a/policy/modules/contrib/screen.fc b/policy/modules/contrib/screen.fc
index 975d48f..7196c59 100644
--- a/policy/modules/contrib/screen.fc
+++ b/policy/modules/contrib/screen.fc
@@ -1,9 +1,9 @@
-HOME_DIR/\.screen(/.*)?	gen_context(system_u:object_r:screen_home_t,s0)
+HOME_DIR/\.screen(/.*)?		gen_context(system_u:object_r:screen_home_t,s0)
 HOME_DIR/\.screenrc	--	gen_context(system_u:object_r:screen_home_t,s0)
 HOME_DIR/\.tmux\.conf	--	gen_context(system_u:object_r:screen_home_t,s0)
 
-/usr/bin/screen	--	gen_context(system_u:object_r:screen_exec_t,s0)
-/usr/bin/tmux	--	gen_context(system_u:object_r:screen_exec_t,s0)
+/run/screen(/.*)?		gen_context(system_u:object_r:screen_runtime_t,s0)
+/run/tmux(/.*)?			gen_context(system_u:object_r:screen_runtime_t,s0)
 
-/run/screen(/.*)?	gen_context(system_u:object_r:screen_var_run_t,s0)
-/run/tmux(/.*)?	gen_context(system_u:object_r:screen_var_run_t,s0)
+/usr/bin/screen		--	gen_context(system_u:object_r:screen_exec_t,s0)
+/usr/bin/tmux		--	gen_context(system_u:object_r:screen_exec_t,s0)

diff --git a/policy/modules/contrib/screen.if b/policy/modules/contrib/screen.if
index 2795f69..884e261 100644
--- a/policy/modules/contrib/screen.if
+++ b/policy/modules/contrib/screen.if
@@ -26,7 +26,7 @@ template(`screen_role_template',`
 		attribute screen_domain;
 		attribute_role screen_roles;
 		type screen_exec_t, screen_tmp_t;
-		type screen_home_t, screen_var_run_t;
+		type screen_home_t, screen_runtime_t;
 	')
 
 	########################################
@@ -69,10 +69,10 @@ template(`screen_role_template',`
 	userdom_user_home_dir_filetrans($3, screen_home_t, file, ".screenrc")
 	userdom_user_home_dir_filetrans($3, screen_home_t, file, ".tmux.conf")
 
-	manage_dirs_pattern($3, screen_var_run_t, screen_var_run_t)
-	manage_files_pattern($3, screen_var_run_t, screen_var_run_t)
-	manage_lnk_files_pattern($3, screen_var_run_t, screen_var_run_t)
-	manage_fifo_files_pattern($3, screen_var_run_t, screen_var_run_t)
+	manage_dirs_pattern($3, screen_runtime_t, screen_runtime_t)
+	manage_files_pattern($3, screen_runtime_t, screen_runtime_t)
+	manage_lnk_files_pattern($3, screen_runtime_t, screen_runtime_t)
+	manage_fifo_files_pattern($3, screen_runtime_t, screen_runtime_t)
 
 	corecmd_bin_domtrans($1_screen_t, $3)
 	corecmd_shell_domtrans($1_screen_t, $3)

diff --git a/policy/modules/contrib/screen.te b/policy/modules/contrib/screen.te
index bebb3ec..d50f157 100644
--- a/policy/modules/contrib/screen.te
+++ b/policy/modules/contrib/screen.te
@@ -13,27 +13,23 @@ type screen_exec_t;
 application_executable_file(screen_exec_t)
 
 type screen_home_t;
-typealias screen_home_t alias { user_screen_home_t staff_screen_home_t sysadm_screen_home_t };
-typealias screen_home_t alias { auditadm_screen_home_t secadm_screen_home_t };
 userdom_user_home_content(screen_home_t)
 
 type screen_tmp_t;
-typealias screen_tmp_t alias { user_screen_tmp_t staff_screen_tmp_t sysadm_screen_tmp_t };
-typealias screen_tmp_t alias { auditadm_screen_tmp_t secadm_screen_tmp_t };
 userdom_user_tmp_file(screen_tmp_t)
 
-type screen_var_run_t;
-typealias screen_var_run_t alias { user_screen_var_run_t staff_screen_var_run_t sysadm_screen_var_run_t };
-typealias screen_var_run_t alias { auditadm_screen_var_run_t secadm_screen_var_run_t screen_dir_t };
-files_pid_file(screen_var_run_t)
-ubac_constrained(screen_var_run_t)
+type screen_runtime_t;
+typealias screen_runtime_t alias screen_var_run_t;
+files_pid_file(screen_runtime_t)
+ubac_constrained(screen_runtime_t)
 
 ########################################
 #
 # Common screen domain local policy
 #
 
-allow screen_domain self:capability { setuid setgid fsetid };
+# dac_override : read /dev/pts/ID
+allow screen_domain self:capability { setuid setgid fsetid dac_override };
 allow screen_domain self:process signal_perms;
 allow screen_domain self:fd use;
 allow screen_domain self:fifo_file rw_fifo_file_perms;
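Review bot: The new `dac_override` grant on the `allow screen_domain self:capability` line is broader than the justifying comment: it bypasses read, write and execute DAC checks on every object the type-enforcement rules already allow, whereas the comment only cites reading `/dev/pts/ID`. If read access really is all that is needed, `dac_read_search` is the narrower capability: `allow screen_domain self:capability { setuid setgid fsetid dac_read_search };`. If screen also has to write to ptys it does not own (multiuser attach), keep `dac_override` but expand the comment to say so, e.g. `# dac_override : open /dev/pts/ID of other users for multiuser attach`, and consider whether the pty type rules rather than a DAC bypass should carry that access. Separately, this hunk silently drops the `screen_dir_t` and per-role aliases (`user_screen_home_t`, `sysadm_screen_tmp_t`, ...); any out-of-tree module still naming them will fail to build, and files still carrying an old label may presumably lose their context after the policy reload, so the commit message should call out the removed aliases.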
@@ -44,12 +40,12 @@ manage_dirs_pattern(screen_domain, screen_tmp_t, screen_tmp_t)
 manage_files_pattern(screen_domain, screen_tmp_t, screen_tmp_t)
 manage_fifo_files_pattern(screen_domain, screen_tmp_t, screen_tmp_t)
 files_tmp_filetrans(screen_domain, screen_tmp_t, { file dir })
-filetrans_pattern(screen_domain, screen_tmp_t, screen_var_run_t, sock_file)
+filetrans_pattern(screen_domain, screen_tmp_t, screen_runtime_t, sock_file)
 
-manage_fifo_files_pattern(screen_domain, screen_var_run_t, screen_var_run_t)
-manage_dirs_pattern(screen_domain, screen_var_run_t, screen_var_run_t)
-manage_sock_files_pattern(screen_domain, screen_var_run_t, screen_var_run_t)
-files_pid_filetrans(screen_domain, screen_var_run_t, dir)
+manage_fifo_files_pattern(screen_domain, screen_runtime_t, screen_runtime_t)
+manage_dirs_pattern(screen_domain, screen_runtime_t, screen_runtime_t)
+manage_sock_files_pattern(screen_domain, screen_runtime_t, screen_runtime_t)
+files_pid_filetrans(screen_domain, screen_runtime_t, dir)
 
 manage_dirs_pattern(screen_domain, screen_home_t, screen_home_t)
 read_files_pattern(screen_domain, screen_home_t, screen_home_t)
@@ -91,8 +87,7 @@ fs_getattr_all_fs(screen_domain)
 
 auth_dontaudit_read_shadow(screen_domain)
 auth_dontaudit_exec_utempter(screen_domain)
-
-init_rw_utmp(screen_domain)
+auth_rw_utmp(screen_domain)
 
 logging_send_syslog_msg(screen_domain)