From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 74C32139694 for ; Fri, 17 Feb 2017 08:44:16 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 8CA7621C039; Fri, 17 Feb 2017 08:44:15 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 54AD321C039 for ; Fri, 17 Feb 2017 08:44:15 +0000 (UTC) Received: from oystercatcher.gentoo.org (unknown [IPv6:2a01:4f8:202:4333:225:90ff:fed9:fc84]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id EDCFE33BF1B for ; Fri, 17 Feb 2017 08:44:13 +0000 (UTC) Received: from localhost.localdomain (localhost [IPv6:::1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 648794AC8 for ; Fri, 17 Feb 2017 08:44:12 +0000 (UTC) From: "Jason Zaman" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" Message-ID: <1487319217.26534d6388eb4e76eb8dc7c4f35b7d2a80cb45a6.perfinion@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/admin/bootloader.fc policy/modules/admin/bootloader.te X-VCS-Directories: policy/modules/admin/ X-VCS-Committer: perfinion X-VCS-Committer-Name: Jason Zaman X-VCS-Revision: 26534d6388eb4e76eb8dc7c4f35b7d2a80cb45a6 X-VCS-Branch: master Date: Fri, 17 Feb 2017 08:44:12 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: eb0a8d62-26a4-40fe-8783-6512546ca351 X-Archives-Hash: 87ad4c380795513fa0f85a3876ac1cce commit: 26534d6388eb4e76eb8dc7c4f35b7d2a80cb45a6 Author: Chris PeBenito ieee org> AuthorDate: Sat Feb 11 19:26:48 2017 +0000 Commit: Jason Zaman gentoo org> CommitDate: Fri Feb 17 08:13:37 2017 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=26534d63 Revert "bootloader: stricter permissions and more tailored file contexts" This reverts commit b0c13980d224c49207315154905eb7fcb90f289d. policy/modules/admin/bootloader.fc | 6 ------ policy/modules/admin/bootloader.te | 17 ++++------------- 2 files changed, 4 insertions(+), 19 deletions(-) diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc index d3925950..cdd6d3dd 100644 --- a/policy/modules/admin/bootloader.fc +++ b/policy/modules/admin/bootloader.fc @@ -1,12 +1,6 @@ -/boot/grub.* -d gen_context(system_u:object_r:bootloader_run_t,s0) -/boot/grub.*/.* gen_context(system_u:object_r:bootloader_run_t,s0) - -/boot/grub.*/grub.cfg -- gen_context(system_u:object_r:bootloader_etc_t,s0) -/boot/grub.*/grub.conf -- gen_context(system_u:object_r:bootloader_etc_t,s0) /etc/lilo\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0) /etc/yaboot\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0) -/etc/grub.d(/.*)? -- gen_context(system_u:object_r:bootloader_etc_t,s0) /usr/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0) /usr/sbin/grub2?-bios-setup -- gen_context(system_u:object_r:bootloader_exec_t,s0) diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te index fd9df5c8..bd69d431 100644 --- a/policy/modules/admin/bootloader.te +++ b/policy/modules/admin/bootloader.te @@ -22,13 +22,6 @@ application_domain(bootloader_t, bootloader_exec_t) role bootloader_roles types bootloader_t; # -# bootloader_run_t are image and other runtime -# files -# -type bootloader_run_t alias run_bootloader_t; -files_type(bootloader_run_t) - -# # bootloader_etc_t is the configuration file, # grub.conf, lilo.conf, etc. # @@ -52,7 +45,7 @@ allow bootloader_t self:capability { dac_override dac_read_search fsetid sys_raw allow bootloader_t self:process { signal_perms execmem }; allow bootloader_t self:fifo_file rw_fifo_file_perms; -allow bootloader_t bootloader_etc_t:file exec_file_perms; +allow bootloader_t bootloader_etc_t:file read_file_perms; # uncomment the following lines if you use "lilo -p" #allow bootloader_t bootloader_etc_t:file manage_file_perms; #files_etc_filetrans(bootloader_t,bootloader_etc_t,file) @@ -66,11 +59,6 @@ files_tmp_filetrans(bootloader_t, bootloader_tmp_t, { dir file lnk_file chr_file # for tune2fs (cjp: ?) files_root_filetrans(bootloader_t, bootloader_tmp_t, file) -manage_dirs_pattern(bootloader_t, bootloader_run_t, bootloader_run_t) -manage_files_pattern(bootloader_t, bootloader_run_t, bootloader_run_t) -manage_lnk_files_pattern(bootloader_t, bootloader_run_t, bootloader_run_t) -files_boot_filetrans(bootloader_t, bootloader_run_t, { dir file lnk_file }) - kernel_getattr_core_if(bootloader_t) kernel_read_network_state(bootloader_t) kernel_read_system_state(bootloader_t) @@ -108,7 +96,10 @@ corecmd_exec_all_executables(bootloader_t) domain_use_interactive_fds(bootloader_t) files_create_boot_dirs(bootloader_t) +files_manage_boot_files(bootloader_t) +files_manage_boot_symlinks(bootloader_t) files_read_etc_files(bootloader_t) +files_exec_etc_files(bootloader_t) files_read_usr_src_files(bootloader_t) files_read_usr_files(bootloader_t) files_read_var_files(bootloader_t) From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 6E0C3139696 for ; Fri, 17 Feb 2017 08:50:58 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 9743E21C090; Fri, 17 Feb 2017 08:50:57 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 5A696E0C50 for ; Fri, 17 Feb 2017 08:50:57 +0000 (UTC) Received: from oystercatcher.gentoo.org (unknown [IPv6:2a01:4f8:202:4333:225:90ff:fed9:fc84]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 0D1E033BEBE for ; Fri, 17 Feb 2017 08:50:56 +0000 (UTC) Received: from localhost.localdomain (localhost [IPv6:::1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id A636E4AC6 for ; Fri, 17 Feb 2017 08:50:54 +0000 (UTC) From: "Jason Zaman" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" Message-ID: <1487319217.26534d6388eb4e76eb8dc7c4f35b7d2a80cb45a6.perfinion@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/admin/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/admin/bootloader.fc policy/modules/admin/bootloader.te X-VCS-Directories: policy/modules/admin/ X-VCS-Committer: perfinion X-VCS-Committer-Name: Jason Zaman X-VCS-Revision: 26534d6388eb4e76eb8dc7c4f35b7d2a80cb45a6 X-VCS-Branch: next Date: Fri, 17 Feb 2017 08:50:54 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: a4f36569-3c33-45cc-b545-a2558cac8b37 X-Archives-Hash: a6f818940c2e57ead438a6cdbd705b02 Message-ID: <20170217085054.vKRDtTGOe8GMXrZy_krZhp_jFHrp3ebOCTqghH5nSY4@z> commit: 26534d6388eb4e76eb8dc7c4f35b7d2a80cb45a6 Author: Chris PeBenito ieee org> AuthorDate: Sat Feb 11 19:26:48 2017 +0000 Commit: Jason Zaman gentoo org> CommitDate: Fri Feb 17 08:13:37 2017 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=26534d63 Revert "bootloader: stricter permissions and more tailored file contexts" This reverts commit b0c13980d224c49207315154905eb7fcb90f289d. policy/modules/admin/bootloader.fc | 6 ------ policy/modules/admin/bootloader.te | 17 ++++------------- 2 files changed, 4 insertions(+), 19 deletions(-) diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc index d3925950..cdd6d3dd 100644 --- a/policy/modules/admin/bootloader.fc +++ b/policy/modules/admin/bootloader.fc @@ -1,12 +1,6 @@ -/boot/grub.* -d gen_context(system_u:object_r:bootloader_run_t,s0) -/boot/grub.*/.* gen_context(system_u:object_r:bootloader_run_t,s0) - -/boot/grub.*/grub.cfg -- gen_context(system_u:object_r:bootloader_etc_t,s0) -/boot/grub.*/grub.conf -- gen_context(system_u:object_r:bootloader_etc_t,s0) /etc/lilo\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0) /etc/yaboot\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0) -/etc/grub.d(/.*)? -- gen_context(system_u:object_r:bootloader_etc_t,s0) /usr/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0) /usr/sbin/grub2?-bios-setup -- gen_context(system_u:object_r:bootloader_exec_t,s0) diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te index fd9df5c8..bd69d431 100644 --- a/policy/modules/admin/bootloader.te +++ b/policy/modules/admin/bootloader.te @@ -22,13 +22,6 @@ application_domain(bootloader_t, bootloader_exec_t) role bootloader_roles types bootloader_t; # -# bootloader_run_t are image and other runtime -# files -# -type bootloader_run_t alias run_bootloader_t; -files_type(bootloader_run_t) - -# # bootloader_etc_t is the configuration file, # grub.conf, lilo.conf, etc. # @@ -52,7 +45,7 @@ allow bootloader_t self:capability { dac_override dac_read_search fsetid sys_raw allow bootloader_t self:process { signal_perms execmem }; allow bootloader_t self:fifo_file rw_fifo_file_perms; -allow bootloader_t bootloader_etc_t:file exec_file_perms; +allow bootloader_t bootloader_etc_t:file read_file_perms; # uncomment the following lines if you use "lilo -p" #allow bootloader_t bootloader_etc_t:file manage_file_perms; #files_etc_filetrans(bootloader_t,bootloader_etc_t,file) @@ -66,11 +59,6 @@ files_tmp_filetrans(bootloader_t, bootloader_tmp_t, { dir file lnk_file chr_file # for tune2fs (cjp: ?) files_root_filetrans(bootloader_t, bootloader_tmp_t, file) -manage_dirs_pattern(bootloader_t, bootloader_run_t, bootloader_run_t) -manage_files_pattern(bootloader_t, bootloader_run_t, bootloader_run_t) -manage_lnk_files_pattern(bootloader_t, bootloader_run_t, bootloader_run_t) -files_boot_filetrans(bootloader_t, bootloader_run_t, { dir file lnk_file }) - kernel_getattr_core_if(bootloader_t) kernel_read_network_state(bootloader_t) kernel_read_system_state(bootloader_t) @@ -108,7 +96,10 @@ corecmd_exec_all_executables(bootloader_t) domain_use_interactive_fds(bootloader_t) files_create_boot_dirs(bootloader_t) +files_manage_boot_files(bootloader_t) +files_manage_boot_symlinks(bootloader_t) files_read_etc_files(bootloader_t) +files_exec_etc_files(bootloader_t) files_read_usr_src_files(bootloader_t) files_read_usr_files(bootloader_t) files_read_var_files(bootloader_t)