* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/kernel/, policy/modules/system/
  2015-10-26  5:36 [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/, policy/modules/services/, policy/modules/system/ Jason Zaman
@ 2015-10-26  5:48 ` Jason Zaman
From: Jason Zaman @ 2015-10-26  5:48 UTC (permalink / raw
  To: gentoo-commits

commit:     5dece5bd67bca8c3df92c74d776119ae9af8ebc2
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue Oct 20 18:48:38 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct 26 03:52:58 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5dece5bd

Add supporting rules for domains tightly-coupled with systemd.

 policy/modules/kernel/devices.if    | 52 +++++++++++++++++++++++++++++++++----
 policy/modules/kernel/kernel.te     | 17 ++++++++++++
 policy/modules/services/ssh.te      |  5 ++++
 policy/modules/system/init.te       |  1 +
 policy/modules/system/locallogin.te |  8 ++++++
 policy/modules/system/logging.fc    |  1 +
 policy/modules/system/logging.te    | 22 ++++++++++++++++
 policy/modules/system/lvm.te        |  6 +++++
 policy/modules/system/modutils.te   |  8 ++++++
 policy/modules/system/sysnetwork.te |  8 ++++++
 policy/modules/system/udev.te       | 12 +++++++++
 11 files changed, 135 insertions(+), 5 deletions(-)

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 835ec14..a052db5 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -143,11 +143,11 @@ interface(`dev_relabel_all_dev_nodes',`
 		type device_t;
 	')
 
-	relabelfrom_dirs_pattern($1, device_t, device_node)
-	relabelfrom_files_pattern($1, device_t, device_node)
+	relabelfrom_dirs_pattern($1, device_t, { device_t device_node })
+	relabelfrom_files_pattern($1, device_t, { device_t device_node })
 	relabelfrom_lnk_files_pattern($1, device_t, { device_t device_node })
-	relabelfrom_fifo_files_pattern($1, device_t, device_node)
-	relabelfrom_sock_files_pattern($1, device_t, device_node)
+	relabelfrom_fifo_files_pattern($1, device_t, { device_t device_node })
+	relabelfrom_sock_files_pattern($1, device_t, { device_t device_node })
 	relabel_blk_files_pattern($1, device_t, { device_t device_node })
 	relabel_chr_files_pattern($1, device_t, { device_t device_node })
 ')
@@ -709,7 +709,7 @@ interface(`dev_relabelfrom_generic_chr_files',`
 		type device_t;
 	')
 
-	allow $1 device_t:chr_file relabelfrom;
+	allow $1 device_t:chr_file relabelfrom_chr_file_perms;
 ')
 
 ########################################
@@ -1943,6 +1943,30 @@ interface(`dev_filetrans_dri',`
 
 ########################################
 ## <summary>
+##	Automatic type transition to the type
+##	for event device nodes when created in /dev.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`dev_filetrans_input_dev',`
+	gen_require(`
+		type device_t, event_device_t;
+	')
+
+	filetrans_pattern($1, device_t, event_device_t, chr_file, $2)
+')
+
+########################################
+## <summary>
 ##	Get the attributes of the event devices.
 ## </summary>
 ## <param name="domain">
@@ -2017,6 +2041,24 @@ interface(`dev_rw_input_dev',`
 
 ########################################
 ## <summary>
+##	Create, read, write, and delete input event devices (/dev/input).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_manage_input_dev',`
+	gen_require(`
+		type device_t, event_device_t;
+	')
+
+	manage_chr_files_pattern($1, device_t, event_device_t)
+')
+
+########################################
+## <summary>
 ##	Get the attributes of the framebuffer device node.
 ## </summary>
 ## <param name="domain">

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 14b5713..f2d5756 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -299,6 +299,23 @@ ifdef(`distro_redhat',`
 	fs_rw_tmpfs_chr_files(kernel_t)
 ')
 
+ifdef(`init_systemd',`
+	optional_policy(`
+		dev_manage_input_dev(kernel_t)
+		dev_filetrans_input_dev(kernel_t)
+	')
+
+	optional_policy(`
+		selinux_compute_create_context(kernel_t)
+	')
+
+	optional_policy(`
+		storage_dev_filetrans_fixed_disk(kernel_t)
+		storage_setattr_fixed_disk_dev(kernel_t)
+		storage_create_fixed_disk_dev(kernel_t)
+	')
+')
+
 optional_policy(`
 	# loop devices
 	fstools_use_fds(kernel_t)
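Review bot: The new ifdef(`init_systemd') block lets kernel_t create and setattr fixed-disk device nodes and manage input event nodes, but nothing in the hunk says which systemd boot step triggers these accesses, so a later reviewer cannot judge whether the grant could be narrower. A one-line rationale above each optional_policy block would fix that, e.g. `# devtmpfs node creation is attributed to kernel_t under systemd -- confirm`; that reason is my inference, not visible here. The same missing-rationale point applies to the other ifdef(`init_systemd') additions in this commit (ssh.te, locallogin.te, the auditctl_t and audisp_t hunks of logging.te, lvm.te, modutils.te, sysnetwork.te and udev.te), none of which carries a comment.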

diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 783d0e7..e5932aa 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -266,6 +266,11 @@ ifdef(`distro_debian',`
 	allow sshd_t self:process { getcap setcap };
 ')
 
+ifdef(`init_systemd',`
+	systemd_dbus_chat_logind(sshd_t)
+	init_rw_stream_sockets(sshd_t)
+')
+
 tunable_policy(`ssh_sysadm_login',`
 	# Relabel and access ptys created by sshd
 	# ioctl is necessary for logout() processing for utmp entry and for w to

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index d5d7b10..916b895 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -222,6 +222,7 @@ ifdef(`init_systemd',`
 
 	dev_rw_autofs(init_t)
 	dev_create_generic_dirs(init_t)
+	dev_manage_input_dev(init_t)
 	dev_relabel_all_dev_nodes(init_t)
 	dev_read_urand(init_t)
 	dev_write_kmsg(init_t)

diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index 5281665..766614c 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -135,6 +135,14 @@ userdom_use_unpriv_users_fds(local_login_t)
 userdom_sigchld_all_users(local_login_t)
 userdom_create_all_users_keys(local_login_t)
 
+ifdef(`init_systemd',`
+	auth_manage_faillog(local_login_t)
+
+	systemd_dbus_chat_logind(local_login_t)
+	systemd_use_logind_fds(local_login_t)
+	systemd_manage_logind_pid_pipes(local_login_t)
+')
+
 ifdef(`distro_ubuntu',`
 	optional_policy(`
 		unconfined_domain(local_login_t)

diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
index a0e957c..fb319d4 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -72,6 +72,7 @@ ifdef(`distro_redhat',`
 /var/run/syslog-ng\.pid	--	gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
 /var/run/syslog-ng(/.*)?	gen_context(system_u:object_r:syslogd_var_run_t,s0)
 /var/run/systemd/journal(/.*)?	gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
+/var/run/systemd/journal/socket	 -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
 /var/run/systemd/journal/syslog	 -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
 /var/run/systemd/journal/dev-log -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
 

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 72b7ff5..6f7335e 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -120,6 +120,10 @@ locallogin_dontaudit_use_fds(auditctl_t)
 logging_set_audit_parameters(auditctl_t)
 logging_send_syslog_msg(auditctl_t)
 
+ifdef(`init_systemd',`
+	init_rw_stream_sockets(auditctl_t)
+')
+
 ########################################
 #
 # Auditd local policy
@@ -248,6 +252,10 @@ miscfiles_read_localization(audisp_t)
 
 sysnet_dns_name_resolve(audisp_t)
 
+ifdef(`init_systemd',`
+	kernel_dgram_send(audisp_t)
+')
+
 optional_policy(`
 	dbus_system_bus_client(audisp_t)
 ')
@@ -480,6 +488,20 @@ miscfiles_read_localization(syslogd_t)
 userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
 userdom_dontaudit_search_user_home_dirs(syslogd_t)
 
+ifdef(`init_systemd',`
+	allow syslogd_t self:capability { chown setuid setgid };
+
+	kernel_use_fds(syslogd_t)
+	kernel_getattr_dgram_sockets(syslogd_t)
+	kernel_rw_unix_dgram_sockets(syslogd_t)
+	kernel_rw_stream_sockets(syslogd_t)
+
+	init_daemon_pid_file(syslogd_var_run_t, dir, "syslogd")
+	init_dgram_send(syslogd_t)
+
+	udev_read_pid_files(syslogd_t)
+')
+
 ifdef(`distro_gentoo',`
 	# default gentoo syslog-ng config appends kernel
 	# and high priority messages to /dev/tty12
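Review bot: `allow syslogd_t self:capability { chown setuid setgid };` grants privilege-changing capabilities with no comment naming the operation that needs them, which is the one line in this block a reviewer would most want justified. Under init_systemd this presumably covers the journal daemon changing log ownership and dropping privileges, but that is inferred; a comment such as `# journald: log ownership (chown) and privilege drop (setuid setgid) -- confirm` placed above the allow would record it. The kernel_* and udev_read_pid_files rules below it would benefit from the same treatment.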

diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 6880656..f0bea03 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -304,6 +304,12 @@ seutil_sigchld_newrole(lvm_t)
 
 userdom_use_user_terminals(lvm_t)
 
+ifdef(`init_systemd',`
+	init_rw_stream_sockets(lvm_t)
+
+	fs_manage_hugetlbfs_dirs(lvm_t)
+')
+
 ifdef(`distro_redhat',`
 	# this is from the initrd:
 	kernel_rw_unlabeled_dirs(lvm_t)

diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index b17ad6c..4a5b572 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -183,6 +183,14 @@ userdom_dontaudit_search_user_home_dirs(insmod_t)
 
 kernel_domtrans_to(insmod_t, insmod_exec_t)
 
+ifdef(`init_systemd',`
+	kernel_search_key(insmod_t)
+
+	init_rw_stream_sockets(insmod_t)
+
+	systemd_write_kmod_files(insmod_t)
+')
+
 optional_policy(`
 	alsa_domtrans(insmod_t)
 ')

diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 7a7b479..ff32383 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -162,6 +162,14 @@ ifdef(`distro_ubuntu',`
 	')
 ')
 
+ifdef(`init_systemd',`
+	init_rw_stream_sockets(dhcpc_t)
+	init_read_state(dhcpc_t)
+	init_stream_connect(dhcpc_t)
+	init_get_all_units_status(dhcpc_t)
+	init_search_units(dhcpc_t)
+')
+
 optional_policy(`
 	consoletype_run(dhcpc_t, dhcpc_roles)
 ')

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index a9a2296..40868ad 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -218,6 +218,18 @@ ifdef(`distro_redhat',`
 	')
 ')
 
+ifdef(`init_systemd',`
+	kernel_load_module(udev_t)
+
+	files_search_kernel_modules(udev_t)
+
+	fs_read_cgroup_files(udev_t)
+
+	init_dgram_send(udev_t)
+
+	systemd_read_logind_pids(udev_t)
+')
+
 optional_policy(`
 	alsa_domtrans(udev_t)
 	alsa_read_lib(udev_t)



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/kernel/, policy/modules/system/
@ 2017-04-10 16:59 Sven Vermeulen
From: Sven Vermeulen @ 2017-04-10 16:59 UTC (permalink / raw
  To: gentoo-commits

commit:     e4b056799a16ac4b3e00106baa3297b2862684a0
Author:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
AuthorDate: Mon Apr 10 16:58:05 2017 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Apr 10 16:58:05 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e4b05679

Backport "Misc fc changes from Russel Coker."

git apply failed, so this was done manually.

 policy/modules/kernel/corecommands.fc | 5 +++++
 policy/modules/kernel/corecommands.te | 2 +-
 policy/modules/kernel/files.fc        | 1 +
 policy/modules/kernel/files.te        | 2 +-
 policy/modules/kernel/terminal.fc     | 4 +++-
 policy/modules/kernel/terminal.te     | 2 +-
 policy/modules/services/xserver.fc    | 4 ++++
 policy/modules/services/xserver.te    | 2 +-
 policy/modules/system/init.fc         | 5 ++++-
 policy/modules/system/init.te         | 2 +-
 policy/modules/system/libraries.fc    | 1 +
 policy/modules/system/libraries.te    | 2 +-
 policy/modules/system/lvm.fc          | 2 ++
 policy/modules/system/lvm.te          | 2 +-
 policy/modules/system/udev.fc         | 1 +
 policy/modules/system/udev.te         | 2 +-
 16 files changed, 29 insertions(+), 10 deletions(-)

diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 2b645e4d..f86daaf7 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -153,6 +153,7 @@ ifdef(`distro_gentoo',`
 /usr/bin/zsh.*			--	gen_context(system_u:object_r:shell_exec_t,s0)
 
 /usr/lib/(.*/)?bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/postfix/configure-instance\.sh	--	gen_context(system_u:object_r:bin_t,s0)
 
 /usr/(.*/)?sbin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/(.*/)?sbin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
@@ -160,6 +161,7 @@ ifdef(`distro_gentoo',`
 /usr/lib/at-spi2-core(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/avahi/avahi-daemon-check-dns\.sh	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/ccache/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/dovecot/.+			gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/fence(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/pgsql/test/regress/.*\.sh --	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/qt.*/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
@@ -205,6 +207,7 @@ ifdef(`distro_gentoo',`
 /usr/lib/rpm/rpmq		-- 	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/rpm/rpmv		-- 	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/selinux/hll/pp		--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/sftp-server		--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/ssh(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/sudo/sesh		--	gen_context(system_u:object_r:shell_exec_t,s0)
@@ -266,6 +269,7 @@ ifdef(`distro_gentoo',`
 /usr/sbin/sesh			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /usr/sbin/smrsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
 
+/usr/share/mdadm/checkarray	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/(.*/)?bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/share/ajaxterm/ajaxterm.py.* --	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/ajaxterm/qweb.py.* --	gen_context(system_u:object_r:bin_t,s0)
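Review bot: `/usr/share/mdadm/checkarray` is inserted ahead of the generic `/usr/share/(.*/)?bin(/.*)?` entry, breaking the alphabetical ordering the surrounding /usr/share entries follow; matching is unaffected, so this is a style point only. Moving the line to its sorted position among the other /usr/share/<name> entries keeps the block scannable. The same ordering point applies to `/run/sddm(/.*)?` placed before `/run/gdm` in xserver.fc and to the postfix entry placed before `altivec` in libraries.fc.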
@@ -299,6 +303,7 @@ ifdef(`distro_gentoo',`
 /usr/share/printconf/util/print\.py --	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/PackageKit/pk-upgrade-distro\.sh -- 	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/PackageKit/helpers(/.*)?	gen_context(system_u:object_r:bin_t,s0)
+/usr/share/reportbug/handle_bugscript	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/sandbox/sandboxX.sh	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/sectool/.*\.py	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)

diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te
index 1f532aa3..6f051a32 100644
--- a/policy/modules/kernel/corecommands.te
+++ b/policy/modules/kernel/corecommands.te
@@ -1,4 +1,4 @@
-policy_module(corecommands, 1.23.5)
+policy_module(corecommands, 1.23.6)
 
 ########################################
 #

diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
index 548d1e03..e69a0025 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -215,6 +215,7 @@ HOME_ROOT/lost\+found/.*	<<none>>
 ifdef(`distro_debian',`
 # on Debian /lib/init/rw is a tmpfs used like /run
 /usr/lib/init/rw(/.*)?		gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh)
+/run/resolvconf(/.*)?	-d	gen_context(system_u:object_r:etc_t,s0)
 ')
 
 ifndef(`distro_redhat',`
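Review bot: The new entry uses `-d` together with `(/.*)?`, so only /run/resolvconf and its subdirectories become etc_t while regular files beneath it keep whatever other /run rule matches; if the intent is for the resolver files resolvconf writes there to be etc_t as well, a separate non-`-d` entry is needed. If the directory-only labelling is deliberate, a comment above the line would spare the next reader the same question, e.g. `# directories only; files beneath are labelled by their own rules -- confirm`. The surrounding ifdef(`distro_debian') block continues outside the hunk.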

diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 33c92c70..67be5c71 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -1,4 +1,4 @@
-policy_module(files, 1.23.9)
+policy_module(files, 1.23.10)
 
 ########################################
 #

diff --git a/policy/modules/kernel/terminal.fc b/policy/modules/kernel/terminal.fc
index 6657b048..51199ac4 100644
--- a/policy/modules/kernel/terminal.fc
+++ b/policy/modules/kernel/terminal.fc
@@ -24,8 +24,10 @@
 /dev/pty/.*		-c	gen_context(system_u:object_r:bsdpty_device_t,s0)
 
 /dev/pts		-d	gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
-/dev/pts/ptmx		-c	gen_context(system_u:object_r:devpts_t,s0)
 /dev/pts/[0-9]+		-c	gen_context(system_u:object_r:user_devpts_t,s0)
+# if /dev/ptmx is a symlink to /dev/pts/ptmx then we need to have /dev/pts/ptmx
+# relabelled before sshd etc are ready to accept connections
+/dev/pts/ptmx		-c	gen_context(system_u:object_r:ptmx_t,s0)
 
 /dev/tts/[^/]*		-c	gen_context(system_u:object_r:tty_device_t,s0)
 

diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te
index a1fca0da..bf1e11ff 100644
--- a/policy/modules/kernel/terminal.te
+++ b/policy/modules/kernel/terminal.te
@@ -1,4 +1,4 @@
-policy_module(terminal, 1.16.2)
+policy_module(terminal, 1.16.3)
 
 ########################################
 #

diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
index f9f541d4..201d28fa 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -33,6 +33,7 @@ HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 /etc/kde[34]?/kdm/backgroundrc	gen_context(system_u:object_r:xdm_var_run_t,s0)
 
 /etc/rc\.d/init\.d/x11-common -- gen_context(system_u:object_r:xdm_exec_t,s0)
+/etc/sddm/Xsession	--	gen_context(system_u:object_r:xsession_exec_t,s0)
 
 /etc/X11/[wx]dm/Xreset.* --	gen_context(system_u:object_r:xsession_exec_t,s0)
 /etc/X11/[wxg]dm/Xsession --	gen_context(system_u:object_r:xsession_exec_t,s0)
@@ -66,6 +67,7 @@ HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 /usr/bin/gdm-binary	--	gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/lxdm(-binary)? --	gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/[xkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/bin/sddm		--	gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/gpe-dm		--	gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/iceauth	--	gen_context(system_u:object_r:iceauth_exec_t,s0)
 /usr/bin/slim		--	gen_context(system_u:object_r:xdm_exec_t,s0)
@@ -116,6 +118,7 @@ ifndef(`distro_debian',`
 /var/lib/lxdm(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
 /var/lib/[xkw]dm(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
 /var/lib/xkb(/.*)?		gen_context(system_u:object_r:xkb_var_lib_t,s0)
+/var/lib/sddm(/.*)?		gen_context(system_u:object_r:xkb_var_lib_t,s0)
 
 /var/log/[kwx]dm\.log.*	--	gen_context(system_u:object_r:xserver_log_t,s0)
 /var/log/lightdm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
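Review bot: `/var/lib/sddm(/.*)?` is labelled xkb_var_lib_t, while the sibling display-manager state directories on the lines above (lxdm, [xkw]dm) are xdm_var_lib_t and the other sddm entries in this commit (/usr/bin/sddm, /run/sddm) use xdm_* types; this looks like a copy of the xkb line above rather than an intentional choice. Unless sddm's state directory really is meant to be grouped with XKB data, the line should read `/var/lib/sddm(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)`. With the current label the xdm domain's access to its own state directory would depend on whatever rights it has on xkb_var_lib_t, which is worth checking before merging.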
@@ -125,6 +128,7 @@ ifndef(`distro_debian',`
 /var/log/XFree86.*	--	gen_context(system_u:object_r:xserver_log_t,s0)
 /var/log/Xorg.*		--	gen_context(system_u:object_r:xserver_log_t,s0)
 
+/run/sddm(/.*)?			gen_context(system_u:object_r:xdm_var_run_t,s0)
 /run/gdm(3)?(/.*)?		gen_context(system_u:object_r:xdm_var_run_t,s0)
 /run/gdm(3)?\.pid	--	gen_context(system_u:object_r:xdm_var_run_t,s0)
 /run/xdm\.pid	--	gen_context(system_u:object_r:xdm_var_run_t,s0)

diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 5750e14e..a692f7a2 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,4 +1,4 @@
-policy_module(xserver, 3.13.5)
+policy_module(xserver, 3.13.6)
 
 gen_require(`
 	class x_drawable all_x_drawable_perms;

diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
index d39bdee6..49c84772 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -38,7 +38,6 @@ ifdef(`distro_gentoo', `
 /usr/libexec/dcc/start-.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
 /usr/libexec/dcc/stop-.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
 
-/usr/sbin/apachectl	-- 	gen_context(system_u:object_r:initrc_exec_t,s0)
 /usr/sbin/init(ng)?	--	gen_context(system_u:object_r:init_exec_t,s0)
 /usr/sbin/open_init_pty	--	gen_context(system_u:object_r:initrc_exec_t,s0)
 /usr/sbin/upstart	--	gen_context(system_u:object_r:init_exec_t,s0)
@@ -65,6 +64,10 @@ ifdef(`distro_gentoo', `
 ifdef(`distro_debian',`
 /run/hotkey-setup	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
 /run/kdm/.*		--	gen_context(system_u:object_r:initrc_var_run_t,s0)
+/etc/network/if-pre-up\.d/.*	--	gen_context(system_u:object_r:initrc_exec_t,s0)
+/etc/network/if-up\.d/.*	--	gen_context(system_u:object_r:initrc_exec_t,s0)
+/etc/network/if-down\.d/.*	--	gen_context(system_u:object_r:initrc_exec_t,s0)
+/etc/network/if-post-down\.d/.*	--	gen_context(system_u:object_r:initrc_exec_t,s0)
 ')
 
 ifdef(`distro_gentoo', `

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index a0a1723c..aed3e65a 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 2.2.14)
+policy_module(init, 2.2.15)
 
 gen_require(`
 	class passwd rootok;

diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
index 1bac9659..f174ab68 100644
--- a/policy/modules/system/libraries.fc
+++ b/policy/modules/system/libraries.fc
@@ -105,6 +105,7 @@ ifdef(`distro_debian',`
 /usr/(.*/)?dh-python/dh_pypy		--	gen_context(system_u:object_r:lib_t,s0)
 ')
 
+/usr/lib/postfix/lib.*so.*		--	gen_context(system_u:object_r:lib_t,s0)
 /usr/lib/altivec/libavcodec\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/cedega/.+\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/dovecot/(.*/)?lib.*\.so.*      --      gen_context(system_u:object_r:lib_t,s0)
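Review bot: The new pattern `/usr/lib/postfix/lib.*so.*` leaves the dot before `so` unescaped, so it also matches any file under /usr/lib/postfix whose name starts with `lib` and merely contains the letters `so`; the dovecot entry three lines below escapes it as `lib.*\.so.*`. The line should be `/usr/lib/postfix/lib.*\.so.*		--	gen_context(system_u:object_r:lib_t,s0)`. The practical impact is likely small since lib_t is probably the default for that tree anyway, but the sibling entries set the precedent.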

diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
index bf5a9b63..a4e2764d 100644
--- a/policy/modules/system/libraries.te
+++ b/policy/modules/system/libraries.te
@@ -1,4 +1,4 @@
-policy_module(libraries, 2.14.1)
+policy_module(libraries, 2.14.2)
 
 ########################################
 #

diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc
index e9e7882e..d2f755f2 100644
--- a/policy/modules/system/lvm.fc
+++ b/policy/modules/system/lvm.fc
@@ -46,6 +46,7 @@ ifdef(`distro_gentoo',`
 /usr/sbin/lvdisplay		--	gen_context(system_u:object_r:lvm_exec_t,s0)
 /usr/sbin/lvextend		--	gen_context(system_u:object_r:lvm_exec_t,s0)
 /usr/sbin/lvm			--	gen_context(system_u:object_r:lvm_exec_t,s0)
+/usr/sbin/lvmetad		--	gen_context(system_u:object_r:lvm_exec_t,s0)
 /usr/sbin/lvm\.static		--	gen_context(system_u:object_r:lvm_exec_t,s0)
 /usr/sbin/lvmchange		--	gen_context(system_u:object_r:lvm_exec_t,s0)
 /usr/sbin/lvmdiskscan		--	gen_context(system_u:object_r:lvm_exec_t,s0)
@@ -97,6 +98,7 @@ ifdef(`distro_gentoo',`
 /var/lock/lvm(/.*)?			gen_context(system_u:object_r:lvm_lock_t,s0)
 /run/multipathd\.sock		-s	gen_context(system_u:object_r:lvm_var_run_t,s0)
 /run/dmevent.*				gen_context(system_u:object_r:lvm_var_run_t,s0)
+/run/lvm(/.*)?				gen_context(system_u:object_r:lvm_var_run_t,s0)
 
 ifdef(`distro_gentoo',`
 # Bug 529430 comment 7

diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 59cb1ba5..977a374b 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -1,4 +1,4 @@
-policy_module(lvm, 1.19.6)
+policy_module(lvm, 1.19.7)
 
 ########################################
 #

diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
index 709d8330..0e433bed 100644
--- a/policy/modules/system/udev.fc
+++ b/policy/modules/system/udev.fc
@@ -38,6 +38,7 @@ ifdef(`distro_redhat',`
 /run/udev(/.*)?	gen_context(system_u:object_r:udev_var_run_t,s0)
 
 ifdef(`distro_debian',`
+/run/console-setup(/.*)?	gen_context(system_u:object_r:udev_var_run_t,s0)
 /run/xen-hotplug -d	gen_context(system_u:object_r:udev_var_run_t,s0)
 ')
 

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 18b0e29c..f115d9f8 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -1,4 +1,4 @@
-policy_module(udev, 1.21.5)
+policy_module(udev, 1.21.6)
 
 ########################################
 #



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/kernel/, policy/modules/system/
@ 2018-07-12 14:37 Jason Zaman
From: Jason Zaman @ 2018-07-12 14:37 UTC (permalink / raw
  To: gentoo-commits

commit:     b655a97dc1dbc580f51f58201bb101b39da39ea0
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Jul 10 15:03:17 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Jul 11 14:41:35 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b655a97d

Allow map xserver_misc_device_t for nvidia driver

 policy/modules/kernel/devices.if   | 18 ++++++++++++++++++
 policy/modules/services/xserver.if |  1 +
 policy/modules/services/xserver.te |  1 +
 policy/modules/system/init.te      |  1 +
 4 files changed, 21 insertions(+)

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 3e7f4538..f68d60ab 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -5079,6 +5079,24 @@ interface(`dev_rw_xserver_misc',`
 	rw_chr_files_pattern($1, device_t, xserver_misc_device_t)
 ')
 
+########################################
+## <summary>
+##	Map X server miscellaneous devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_map_xserver_misc',`
+	gen_require(`
+		type xserver_misc_device_t;
+	')
+
+	allow $1 xserver_misc_device_t:chr_file map;
+')
+
 ########################################
 ## <summary>
 ##	Read and write to the zero device (/dev/zero).
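Review bot: The new interface's summary, "Map X server miscellaneous devices.", does not say that `map` on a chr_file is only useful to a domain that can already open the node, which is why every caller in this commit pairs it with dev_rw_xserver_misc(); a reader picking up dev_map_xserver_misc alone will miss that. Extending the summary to `##	Map X server miscellaneous devices.  Callers also need dev_rw_xserver_misc().` documents the pairing. A mention that this is for binary-only drivers such as nvidia, as the xserver.te comment already says, would explain why a map-specific interface exists.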

diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index 24caccad..7e13483b 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -82,6 +82,7 @@ interface(`xserver_restricted_role',`
 	allow $2 xserver_tmp_t:file { getattr read };
 
 	dev_rw_xserver_misc($2)
+	dev_map_xserver_misc($2)
 	dev_rw_power_management($2)
 	dev_read_input($2)
 	dev_read_misc($2)

diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 1202b8e5..2e85c3bd 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -749,6 +749,7 @@ dev_read_raw_memory(xserver_t)
 dev_wx_raw_memory(xserver_t)
 # for other device nodes such as the NVidia binary-only driver
 dev_rw_xserver_misc(xserver_t)
+dev_map_xserver_misc(xserver_t)
 # read events - the synaptics touchpad driver reads raw events
 dev_rw_input_dev(xserver_t)
 dev_rwx_zero(xserver_t)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 7ffda24c..a1222272 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -635,6 +635,7 @@ dev_delete_generic_symlinks(initrc_t)
 dev_getattr_all_blk_files(initrc_t)
 dev_getattr_all_chr_files(initrc_t)
 dev_rw_xserver_misc(initrc_t)
+dev_map_xserver_misc(initrc_t)
 
 domain_kill_all_domains(initrc_t)
 domain_signal_all_domains(initrc_t)
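Review bot: `dev_map_xserver_misc(initrc_t)` widens a domain that already covers every init script, yet unlike the xserver.te hunk it carries no comment saying which script needs to mmap the X server misc device nodes; presumably an nvidia driver init script, but that is inferred. Adding `# nvidia driver init script maps the device nodes -- confirm` above the call, mirroring the "NVidia binary-only driver" comment in xserver.te, would let a later audit decide whether the rule can move to a narrower domain.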



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/kernel/, policy/modules/system/
@ 2021-02-07  3:20 Jason Zaman
From: Jason Zaman @ 2021-02-07  3:20 UTC (permalink / raw
  To: gentoo-commits

commit:     18093d5cf8b672e6cb0dd6109022b5f6a9915e7b
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Tue Feb  2 19:30:10 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb  6 21:15:09 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=18093d5c

various: Module version bump.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/kernel/kernel.te      | 2 +-
 policy/modules/services/dovecot.te   | 2 +-
 policy/modules/services/mta.te       | 2 +-
 policy/modules/services/ssh.te       | 2 +-
 policy/modules/system/authlogin.te   | 2 +-
 policy/modules/system/lvm.te         | 2 +-
 policy/modules/system/selinuxutil.te | 2 +-
 7 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 2620c98c..f60b70b3 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -1,4 +1,4 @@
-policy_module(kernel, 1.28.4)
+policy_module(kernel, 1.28.5)
 
 ########################################
 #

diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
index 16fa4e52..1fd54d31 100644
--- a/policy/modules/services/dovecot.te
+++ b/policy/modules/services/dovecot.te
@@ -1,4 +1,4 @@
-policy_module(dovecot, 1.25.1)
+policy_module(dovecot, 1.25.2)
 
 ########################################
 #

diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
index 4833e74e..872845a1 100644
--- a/policy/modules/services/mta.te
+++ b/policy/modules/services/mta.te
@@ -1,4 +1,4 @@
-policy_module(mta, 2.14.0)
+policy_module(mta, 2.14.1)
 
 ########################################
 #

diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 21109ae6..04c84992 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -1,4 +1,4 @@
-policy_module(ssh, 2.14.4)
+policy_module(ssh, 2.14.5)
 
 ########################################
 #

diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 7fcacf32..24a98ded 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -1,4 +1,4 @@
-policy_module(authlogin, 2.17.7)
+policy_module(authlogin, 2.17.8)
 
 ########################################
 #

diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 99053132..bb6a0004 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -1,4 +1,4 @@
-policy_module(lvm, 1.25.3)
+policy_module(lvm, 1.25.4)
 
 ########################################
 #

diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index ec65eb88..966baa6e 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -1,4 +1,4 @@
-policy_module(selinuxutil, 1.28.1)
+policy_module(selinuxutil, 1.28.2)
 
 gen_require(`  #selint-disable:S-001
 	bool secure_mode;



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/kernel/, policy/modules/system/
@ 2021-03-21 22:10 Jason Zaman
From: Jason Zaman @ 2021-03-21 22:10 UTC (permalink / raw
  To: gentoo-commits

commit:     286490b1856495f641b55781cd7294bb05276188
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Fri Feb 12 16:18:53 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb 15 19:49:24 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=286490b1

various: Module version bump.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/kernel/files.te       | 2 +-
 policy/modules/kernel/filesystem.te  | 2 +-
 policy/modules/kernel/kernel.te      | 2 +-
 policy/modules/services/dbus.te      | 2 +-
 policy/modules/system/authlogin.te   | 2 +-
 policy/modules/system/init.te        | 2 +-
 policy/modules/system/logging.te     | 2 +-
 policy/modules/system/lvm.te         | 2 +-
 policy/modules/system/selinuxutil.te | 2 +-
 policy/modules/system/sysnetwork.te  | 2 +-
 policy/modules/system/systemd.te     | 2 +-
 policy/modules/system/udev.te        | 2 +-
 12 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 09ce9a3e..d97425eb 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -1,4 +1,4 @@
-policy_module(files, 1.30.0)
+policy_module(files, 1.30.1)
 
 ########################################
 #

diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index 638c9316..999cefe4 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -1,4 +1,4 @@
-policy_module(filesystem, 1.29.0)
+policy_module(filesystem, 1.29.1)
 
 ########################################
 #

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index cf1e64fc..c44f49ed 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -1,4 +1,4 @@
-policy_module(kernel, 1.29.0)
+policy_module(kernel, 1.29.1)
 
 ########################################
 #

diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index 0a6c3b72..fd74c4d9 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -1,4 +1,4 @@
-policy_module(dbus, 1.30.0)
+policy_module(dbus, 1.30.1)
 
 gen_require(`
 	class dbus all_dbus_perms;

diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 5c8f8b4c..982350d7 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -1,4 +1,4 @@
-policy_module(authlogin, 2.18.0)
+policy_module(authlogin, 2.18.1)
 
 ########################################
 #

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 64cddd70..1a7c2c96 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 2.10.0)
+policy_module(init, 2.10.1)
 
 gen_require(`
 	class passwd rootok;

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index a6868af0..b14a1940 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -1,4 +1,4 @@
-policy_module(logging, 1.33.0)
+policy_module(logging, 1.33.1)
 
 ########################################
 #

diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 398e3426..91d88067 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -1,4 +1,4 @@
-policy_module(lvm, 1.26.0)
+policy_module(lvm, 1.26.1)
 
 ########################################
 #

diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 3589b4db..84ad9ee5 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -1,4 +1,4 @@
-policy_module(selinuxutil, 1.29.0)
+policy_module(selinuxutil, 1.29.1)
 
 gen_require(`  #selint-disable:S-001
 	bool secure_mode;

diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 5556baef..2d866e96 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -1,4 +1,4 @@
-policy_module(sysnetwork, 1.27.0)
+policy_module(sysnetwork, 1.27.1)
 
 ########################################
 #

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 74ac00cc..2e08efd1 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.11.0)
+policy_module(systemd, 1.11.1)
 
 #########################################
 #

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index d26b9892..6ab8559f 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -1,4 +1,4 @@
-policy_module(udev, 1.29.0)
+policy_module(udev, 1.29.1)
 
 ########################################
 #


