From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 45513139696 for ; Mon, 27 Feb 2017 10:50:58 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id A8EDD21C090; Mon, 27 Feb 2017 10:50:57 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 85DA621C090 for ; Mon, 27 Feb 2017 10:50:57 +0000 (UTC) Received: from oystercatcher.gentoo.org (unknown [IPv6:2a01:4f8:202:4333:225:90ff:fed9:fc84]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id D3021340EF6 for ; Mon, 27 Feb 2017 10:50:56 +0000 (UTC) Received: from localhost.localdomain (localhost [IPv6:::1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 9B3C9564D for ; Mon, 27 Feb 2017 10:50:55 +0000 (UTC) From: "Jason Zaman" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" Message-ID: <1488191880.9aaa2422ee9903dab8bd049c7cbc7f17850cd66d.perfinion@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/system/selinuxutil.te X-VCS-Directories: policy/modules/system/ X-VCS-Committer: perfinion X-VCS-Committer-Name: Jason Zaman X-VCS-Revision: 9aaa2422ee9903dab8bd049c7cbc7f17850cd66d X-VCS-Branch: master Date: Mon, 27 Feb 2017 10:50:55 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 76905b40-d9b6-40f2-8888-eea43dc67b8d X-Archives-Hash: da85f67855aa9248e82d7373ef2b0778 commit: 9aaa2422ee9903dab8bd049c7cbc7f17850cd66d Author: cgzones googlemail com> AuthorDate: Thu Jan 5 10:32:17 2017 +0000 Commit: Jason Zaman gentoo org> CommitDate: Mon Feb 27 10:38:00 2017 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9aaa2422 newrole: fix denials dontaudit net_admin access due to setsockopt allow communication with systemd-logind policy/modules/system/selinuxutil.te | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te index bc57e4a7..5f624126 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -221,6 +221,7 @@ optional_policy(` # Newrole local policy # +dontaudit newrole_t self:capability net_admin; allow newrole_t self:capability { dac_override fowner setgid setuid }; allow newrole_t self:process setexec; allow newrole_t self:fd use; @@ -282,6 +283,7 @@ auth_use_nsswitch(newrole_t) auth_run_chk_passwd(newrole_t, newrole_roles) auth_run_upd_passwd(newrole_t, newrole_roles) auth_rw_faillog(newrole_t) +auth_use_pam_systemd(newrole_t) # Write to utmp. init_rw_utmp(newrole_t) @@ -330,6 +332,10 @@ tunable_policy(`allow_polyinstantiation',` files_polyinstantiate_all(newrole_t) ') +optional_policy(` + systemd_use_logind_fds(newrole_t) +') + ######################################## # # Restorecond local policy From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 059B2139694 for ; Mon, 27 Feb 2017 11:40:12 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 5B82CE0C28; Mon, 27 Feb 2017 11:40:11 +0000 (UTC) Received: from smtp.gentoo.org (dev.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 3ABBCE0C28 for ; Mon, 27 Feb 2017 11:40:11 +0000 (UTC) Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 20FD6340FDA for ; Mon, 27 Feb 2017 11:40:10 +0000 (UTC) Received: from localhost.localdomain (localhost [IPv6:::1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id DA6B65657 for ; Mon, 27 Feb 2017 11:40:07 +0000 (UTC) From: "Jason Zaman" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" Message-ID: <1488191880.9aaa2422ee9903dab8bd049c7cbc7f17850cd66d.perfinion@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/system/selinuxutil.te X-VCS-Directories: policy/modules/system/ X-VCS-Committer: perfinion X-VCS-Committer-Name: Jason Zaman X-VCS-Revision: 9aaa2422ee9903dab8bd049c7cbc7f17850cd66d X-VCS-Branch: next Date: Mon, 27 Feb 2017 11:40:07 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: a73f2135-77cd-4284-ab8a-39a71bac774b X-Archives-Hash: b6b160e7b609c4679a2ae4bb6d6929aa Message-ID: <20170227114007.5ZqFWydZqTGUtIwRPATlDb4n_YxvcXT-30kp9G1qcMA@z> commit: 9aaa2422ee9903dab8bd049c7cbc7f17850cd66d Author: cgzones googlemail com> AuthorDate: Thu Jan 5 10:32:17 2017 +0000 Commit: Jason Zaman gentoo org> CommitDate: Mon Feb 27 10:38:00 2017 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9aaa2422 newrole: fix denials dontaudit net_admin access due to setsockopt allow communication with systemd-logind policy/modules/system/selinuxutil.te | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te index bc57e4a7..5f624126 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -221,6 +221,7 @@ optional_policy(` # Newrole local policy # +dontaudit newrole_t self:capability net_admin; allow newrole_t self:capability { dac_override fowner setgid setuid }; allow newrole_t self:process setexec; allow newrole_t self:fd use; @@ -282,6 +283,7 @@ auth_use_nsswitch(newrole_t) auth_run_chk_passwd(newrole_t, newrole_roles) auth_run_upd_passwd(newrole_t, newrole_roles) auth_rw_faillog(newrole_t) +auth_use_pam_systemd(newrole_t) # Write to utmp. init_rw_utmp(newrole_t) @@ -330,6 +332,10 @@ tunable_policy(`allow_polyinstantiation',` files_polyinstantiate_all(newrole_t) ') +optional_policy(` + systemd_use_logind_fds(newrole_t) +') + ######################################## # # Restorecond local policy