From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 49112139694 for ; Tue, 21 Feb 2017 07:11:59 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 59A7D21C087; Tue, 21 Feb 2017 07:11:52 +0000 (UTC) Received: from smtp.gentoo.org (mail.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 27EA521C087 for ; Tue, 21 Feb 2017 07:11:52 +0000 (UTC) Received: from oystercatcher.gentoo.org (unknown [IPv6:2a01:4f8:202:4333:225:90ff:fed9:fc84]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id F2D4934105A for ; Tue, 21 Feb 2017 07:11:50 +0000 (UTC) Received: from localhost.localdomain (localhost [IPv6:::1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id C7C774F2C for ; Tue, 21 Feb 2017 07:11:48 +0000 (UTC) 
From: "Jason Zaman" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" Message-ID: <1487658878.1be54ba357bd1336f0150d5337dedea3b1736421.perfinion@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/system/selinuxutil.fc policy/modules/system/selinuxutil.te X-VCS-Directories: policy/modules/system/ X-VCS-Committer: perfinion X-VCS-Committer-Name: Jason Zaman X-VCS-Revision: 1be54ba357bd1336f0150d5337dedea3b1736421 X-VCS-Branch: master Date: Tue, 21 Feb 2017 07:11:48 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: d8cb1059-0caa-436d-afc6-fac4d1b94505 X-Archives-Hash: 5ff2b91bc14aaf21662cb409a807449d commit: 1be54ba357bd1336f0150d5337dedea3b1736421 Author: cgzones googlemail com> AuthorDate: Fri Jan 6 14:10:04 2017 +0000 Commit: Jason Zaman gentoo org> CommitDate: Tue Feb 21 06:34:38 2017 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1be54ba3 selinuxutil: adjustments * no negative permission matching for newrole_t:process * do not label /usr/lib/selinux as policy_src_t, otherwise semodule can not run /usr/lib/selinux/hll/pp * reorder label for /run/restorecond.pid * fix systemd related denials policy/modules/system/selinuxutil.fc | 65 ++++++++++++++++++------------------ policy/modules/system/selinuxutil.te | 25 +++++++++++--- 2 files changed, 52 insertions(+), 38 deletions(-)
diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc
index 8159897e..f7b84401 100644
--- a/policy/modules/system/selinuxutil.fc
+++ b/policy/modules/system/selinuxutil.fc
@@ -3,53 +3,52 @@
 #
 # /etc
 #
-/etc/selinux(/.*)? gen_context(system_u:object_r:selinux_config_t,s0)
-/etc/selinux/([^/]*/)?contexts(/.*)? gen_context(system_u:object_r:default_context_t,s0)
-/etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s0)
-/etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:policy_config_t,mls_systemhigh)
-/etc/selinux/([^/]*/)?setrans\.conf -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
-/etc/selinux/([^/]*/)?seusers -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
-/etc/selinux/([^/]*/)?modules(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
-/etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0)
-/etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0)
-/etc/selinux/([^/]*/)?users(/.*)? -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
+/etc/selinux(/.*)? gen_context(system_u:object_r:selinux_config_t,s0)
+/etc/selinux/([^/]*/)?contexts(/.*)? gen_context(system_u:object_r:default_context_t,s0)
+/etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s0)
+/etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:policy_config_t,mls_systemhigh)
+/etc/selinux/([^/]*/)?setrans\.conf -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
+/etc/selinux/([^/]*/)?seusers -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
+/etc/selinux/([^/]*/)?modules(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
+/etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0)
+/etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0)
+/etc/selinux/([^/]*/)?users(/.*)? -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
 
 #
 # /root
 #
-/root/\.default_contexts -- gen_context(system_u:object_r:default_context_t,s0)
+/root/\.default_contexts -- gen_context(system_u:object_r:default_context_t,s0)
+
+#
+# /run
+#
+/run/restorecond\.pid -- gen_context(system_u:object_r:restorecond_run_t,s0)
 
 #
 # /usr
 #
-/usr/bin/checkpolicy -- gen_context(system_u:object_r:checkpolicy_exec_t,s0)
-/usr/bin/newrole -- gen_context(system_u:object_r:newrole_exec_t,s0)
+/usr/bin/checkpolicy -- gen_context(system_u:object_r:checkpolicy_exec_t,s0)
+/usr/bin/newrole -- gen_context(system_u:object_r:newrole_exec_t,s0)
 
-/usr/lib/selinux(/.*)? gen_context(system_u:object_r:policy_src_t,s0)
-/usr/lib/systemd/system/restorecond.*\.service -- gen_context(system_u:object_r:restorecond_unit_t,s0)
+/usr/lib/systemd/system/restorecond.*\.service -- gen_context(system_u:object_r:restorecond_unit_t,s0)
 
-/usr/sbin/load_policy -- gen_context(system_u:object_r:load_policy_exec_t,s0)
-/usr/sbin/restorecon -- gen_context(system_u:object_r:setfiles_exec_t,s0)
-/usr/sbin/restorecond -- gen_context(system_u:object_r:restorecond_exec_t,s0)
-/usr/sbin/run_init -- gen_context(system_u:object_r:run_init_exec_t,s0)
-/usr/sbin/setfiles.* -- gen_context(system_u:object_r:setfiles_exec_t,s0)
-/usr/sbin/setsebool -- gen_context(system_u:object_r:semanage_exec_t,s0)
-/usr/sbin/semanage -- gen_context(system_u:object_r:semanage_exec_t,s0)
-/usr/sbin/semodule -- gen_context(system_u:object_r:semanage_exec_t,s0)
-/usr/libexec/selinux/semanage_migrate_store -- gen_context(system_u:object_r:semanage_exec_t,s0)
+/usr/sbin/load_policy -- gen_context(system_u:object_r:load_policy_exec_t,s0)
+/usr/sbin/restorecon -- gen_context(system_u:object_r:setfiles_exec_t,s0)
+/usr/sbin/restorecond -- gen_context(system_u:object_r:restorecond_exec_t,s0)
+/usr/sbin/run_init -- gen_context(system_u:object_r:run_init_exec_t,s0)
+/usr/sbin/setfiles.* -- gen_context(system_u:object_r:setfiles_exec_t,s0)
+/usr/sbin/setsebool -- gen_context(system_u:object_r:semanage_exec_t,s0)
+/usr/sbin/semanage -- gen_context(system_u:object_r:semanage_exec_t,s0)
+/usr/sbin/semodule -- gen_context(system_u:object_r:semanage_exec_t,s0)
+/usr/libexec/selinux/semanage_migrate_store -- gen_context(system_u:object_r:semanage_exec_t,s0)
 
 #
 # /var/lib
 #
-/var/lib/selinux(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
-/var/lib/selinux/[^/]+/semanage\.read\.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0)
-/var/lib/selinux/[^/]+/semanage\.trans\.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0)
-/usr/lib/selinux/semanage_migrate_store -- gen_context(system_u:object_r:semanage_exec_t,s0)
-
-#
-# /var/run
-#
-/run/restorecond\.pid -- gen_context(system_u:object_r:restorecond_var_run_t,s0)
+/var/lib/selinux(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
+/var/lib/selinux/[^/]+/semanage\.read\.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0)
+/var/lib/selinux/[^/]+/semanage\.trans\.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0)
+/usr/lib/selinux/semanage_migrate_store -- gen_context(system_u:object_r:semanage_exec_t,s0)
 
 ifdef(`distro_gentoo',`
 # Support for gentoo python switcheridoo
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index dd95cf64..703a4453 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -88,8 +88,9 @@ role system_r types restorecond_t;
 type restorecond_unit_t;
 init_unit_file(restorecond_unit_t)
 
-type restorecond_var_run_t;
-files_pid_file(restorecond_var_run_t)
+type restorecond_run_t;
+typealias restorecond_run_t alias restorecond_var_run_t;
+files_pid_file(restorecond_run_t)
 
 type run_init_t;
 type run_init_exec_t;
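Review bot: The re-added `/usr/lib/selinux/semanage_migrate_store` entry still sits under the `# /var/lib` heading although it is a /usr path, and now that `/usr/lib/selinux(/.*)?` is no longer labelled policy_src_t nothing in the file records that this directory is deliberately left to whatever the generic /usr/lib rule assigns (that rule is outside this file). Move the line up into the `# /usr` section next to `/usr/libexec/selinux/semanage_migrate_store`, and put a comment where the removed entry was, e.g. `# /usr/lib/selinux is intentionally not policy_src_t: semodule must be able to execute the hll/pp helper it contains`. Without the comment the next contributor who sees unlabelled policy sources under /usr/lib/selinux is likely to reintroduce the policy_src_t rule and the semodule breakage the commit message describes.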
@@ -221,7 +222,6 @@ optional_policy(`
 #
 
 allow newrole_t self:capability { dac_override fowner setgid setuid };
-allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
 allow newrole_t self:process setexec;
 allow newrole_t self:fd use;
 allow newrole_t self:fifo_file rw_fifo_file_perms;
@@ -303,6 +303,21 @@ ifdef(`distro_ubuntu',`
 ')
 ')
 
+ifdef(`init_systemd',`
+ optional_policy(`
+ systemd_use_logind_fds(newrole_t)
+ systemd_dbus_chat_logind(newrole_t)
+ ')
+')
+
+optional_policy(`
+ dbus_system_bus_client(newrole_t)
+
+ optional_policy(`
+ consolekit_dbus_chat(newrole_t)
+ ')
+')
+
 # if secure mode is enabled, then newrole
 # can only transition to unprivileged users
 if(secure_mode) {
@@ -323,8 +338,8 @@ tunable_policy(`allow_polyinstantiation',`
 allow restorecond_t self:capability { dac_override dac_read_search fowner };
 allow restorecond_t self:fifo_file rw_fifo_file_perms;
 
-allow restorecond_t restorecond_var_run_t:file manage_file_perms;
-files_pid_filetrans(restorecond_t, restorecond_var_run_t, file)
+allow restorecond_t restorecond_run_t:file manage_file_perms;
+files_pid_filetrans(restorecond_t, restorecond_run_t, file)
 
 kernel_getattr_debugfs(restorecond_t)
 kernel_read_system_state(restorecond_t)
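Review bot: Dropping the negated `self:process ~{ ... }` rule without a positive replacement leaves `setexec` as the only self:process permission visible for newrole_t in this hunk; anything newrole relied on from the old wide set (signal, scheduling or process-group permissions, presumably) must now come from the domain base type or from rules outside this hunk, and neither the diff nor the commit message says that was checked. Record the decision above the surviving rule, e.g. `# remaining self:process permissions are inherited from the domain base type; add explicit ones here if a denial appears`, so a later denial is fixed with a narrow positive rule rather than by restoring the negation. The newrole local-policy section continues outside the hunk.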
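Review bot: The new `dbus_system_bus_client(newrole_t)`, `systemd_dbus_chat_logind(newrole_t)` and `consolekit_dbus_chat(newrole_t)` calls give a domain entered by ordinary users a system-bus connection and a chat path to logind/consolekit, but no comment says which denial they fix; the commit message only says "fix systemd related denials". The reader needs to know this is for PAM session registration during the role change (presumably pam_systemd and the consolekit PAM module — confirm) rather than something newrole itself talks to, so add a comment above the `ifdef(`init_systemd'` block such as `# PAM session modules register the new session with logind (or consolekit) over the system bus`. A short note that the consolekit block is deliberately outside the systemd guard because it is the non-systemd alternative would also stop someone from folding the two blocks together later.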