* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/services/, policy/modules/roles/, ...
@ 2017-04-10 16:59 Sven Vermeulen
From: Sven Vermeulen @ 2017-04-10 16:59 UTC (permalink / raw
  To: gentoo-commits

commit:     bce66e80249abbc0998755be34847b5b846d1e16
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Thu Apr  6 21:37:50 2017 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Apr 10 16:58:44 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=bce66e80

Systemd-related changes from Russell Coker.

 policy/modules/kernel/files.if      | 36 ++++++++++++++
 policy/modules/kernel/files.te      |  2 +-
 policy/modules/roles/sysadm.te      | 12 +----
 policy/modules/services/ssh.if      |  4 ++
 policy/modules/services/ssh.te      |  7 ++-
 policy/modules/services/xserver.te  |  6 ++-
 policy/modules/system/fstools.te    |  3 +-
 policy/modules/system/init.if       | 94 +++++++++++++++++++++++++++++++++++++
 policy/modules/system/init.te       |  6 +--
 policy/modules/system/locallogin.te |  7 ++-
 policy/modules/system/lvm.fc        |  1 +
 policy/modules/system/lvm.te        |  7 ++-
 policy/modules/system/sysnetwork.if | 20 ++++++++
 policy/modules/system/sysnetwork.te |  2 +-
 policy/modules/system/systemd.if    | 84 +++++++++++++++++++++++++++++++++
 policy/modules/system/systemd.te    |  5 +-
 policy/modules/system/udev.te       | 12 ++++-
 policy/modules/system/unconfined.if |  4 ++
 policy/modules/system/unconfined.te |  6 ++-
 19 files changed, 292 insertions(+), 26 deletions(-)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 9f9fdded..0462c1a7 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -3021,6 +3021,42 @@ interface(`files_get_etc_unit_status',`
 	allow $1 etc_t:service status;
 ')
 
+########################################
+## <summary>
+##	start etc_t service
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_start_etc_service',`
+	gen_require(`
+		type etc_t;
+	')
+
+	allow $1 etc_t:service start;
+')
+
+########################################
+## <summary>
+##	stop etc_t service
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_stop_etc_service',`
+	gen_require(`
+		type etc_t;
+	')
+
+	allow $1 etc_t:service stop;
+')
+
 #######################################
 ## <summary>
 ##	Relabel from and to generic files in /etc.
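Review bot: The summaries on `files_start_etc_service` and `files_stop_etc_service` ("start etc_t service" / "stop etc_t service") do not say what an etc_t service is, and that matters because etc_t is the generic label for files in /etc. I would reword them along the lines of `Start systemd units whose unit file has the generic etc_t type.` so a caller can see that the grant covers every unit file under /etc that has no more specific label. `init_get_script_status`, added in init.if by this same commit, lists `class service status;` in its `gen_require`, whereas these two list only the type; the new interfaces should agree on one form.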

diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 67be5c71..c979bcc1 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -1,4 +1,4 @@
-policy_module(files, 1.23.10)
+policy_module(files, 1.23.11)
 
 ########################################
 #

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 7b4bf4d9..d917e008 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -1,4 +1,4 @@
-policy_module(sysadm, 2.11.3)
+policy_module(sysadm, 2.11.4)
 
 ########################################
 #
@@ -38,15 +38,7 @@ ubac_file_exempt(sysadm_t)
 ubac_fd_exempt(sysadm_t)
 
 init_exec(sysadm_t)
-init_get_system_status(sysadm_t)
-init_disable(sysadm_t)
-init_enable(sysadm_t)
-init_reload(sysadm_t)
-init_reboot_system(sysadm_t)
-init_shutdown_system(sysadm_t)
-init_start_generic_units(sysadm_t)
-init_stop_generic_units(sysadm_t)
-init_reload_generic_units(sysadm_t)
+init_admin(sysadm_t)
 
 # Add/remove user home directories
 userdom_manage_user_home_dirs(sysadm_t)
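Review bot: Replacing the nine explicit calls with `init_admin(sysadm_t)` is not a like-for-like refactor. As defined in init.if in this commit, `init_admin` also calls `init_manage_all_units`, `init_manage_script_service`, `init_stop_system`, `init_telinit`, `dev_manage_null_service` and the `*_all_units` status/start/stop/reload interfaces, none of which appear in the removed lines. The commit message does not mention the wider grant, so a comment above the call such as `# full control of init and all units; superset of the former per-permission list` would make the change reviewable. `init_reload_generic_units` was in the removed list but is not called by `init_admin`; presumably `init_reload_all_units` covers it, but that depends on declarations outside this diff.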

diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index 21374c77..2ea91129 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -271,6 +271,10 @@ template(`ssh_server_template', `
 		files_read_var_lib_symlinks($1_t)
 		nx_spec_domtrans_server($1_t)
 	')
+
+	optional_policy(`
+		systemd_read_logind_sessions_files($1_t)
+	')
 ')
 
 ########################################

diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 8d974f90..1b246453 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -1,4 +1,4 @@
-policy_module(ssh, 2.9.2)
+policy_module(ssh, 2.9.3)
 
 ########################################
 #
@@ -317,6 +317,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+	systemd_write_inherited_logind_sessions_pipes(sshd_t)
+	systemd_dbus_chat_logind(sshd_t)
+')
+
+optional_policy(`
 	unconfined_shell_domtrans(sshd_t)
 ')
 

diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index a692f7a2..4703673a 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,4 +1,4 @@
-policy_module(xserver, 3.13.6)
+policy_module(xserver, 3.13.7)
 
 gen_require(`
 	class x_drawable all_x_drawable_perms;
@@ -275,6 +275,10 @@ files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir })
 allow xdm_t xauth_home_t:file manage_file_perms;
 userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file)
 
+allow xauth_t xdm_t:fd use;
+allow xauth_t xdm_t:fifo_file { getattr read };
+allow xauth_t xdm_t:unix_stream_socket { read write };
+
 kernel_request_load_module(xauth_t)
 
 domain_use_interactive_fds(xauth_t)
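Review bot: The three new `allow xauth_t xdm_t:...` rules carry no comment and are not inside an `init_systemd` conditional, so they apply under every init system even though the commit is described as systemd-related. They let xauth_t use xdm_t's file descriptors, read its pipes, and read and write its unix stream sockets. If the intent is only descriptors inherited from the display manager, say so with a comment such as `# xauth is started by xdm and inherits its fds, pipes and sockets`. Whether a conditional is appropriate depends on context outside this hunk.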

diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index 9d729671..a56bfc05 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -1,4 +1,4 @@
-policy_module(fstools, 1.20.1)
+policy_module(fstools, 1.20.2)
 
 ########################################
 #
@@ -146,6 +146,7 @@ term_use_console(fsadm_t)
 init_use_fds(fsadm_t)
 init_use_script_ptys(fsadm_t)
 init_dontaudit_getattr_initctl(fsadm_t)
+init_rw_script_stream_sockets(fsadm_t)
 
 logging_send_syslog_msg(fsadm_t)
 

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index e42a7db5..27794bbf 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1175,6 +1175,25 @@ interface(`init_search_pids',`
 	allow $1 init_var_run_t:dir search_dir_perms;
 ')
 
+######################################
+## <summary>
+##  Allow listing of the /run/systemd directory.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`init_list_pids',`
+	gen_require(`
+		type init_var_run_t;
+	')
+
+	allow $1 init_var_run_t:dir list_dir_perms;
+	files_search_pids($1)
+')
+
 ########################################
 ## <summary>
 ##	Create files in an init PID directory.
@@ -1582,6 +1601,25 @@ interface(`init_all_labeled_script_domtrans',`
 
 ########################################
 ## <summary>
+##      Allow getting service status of initrc_exec_t scripts
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Target domain
+##      </summary>
+## </param>
+#
+interface(`init_get_script_status',`
+	gen_require(`
+		type initrc_exec_t;
+		class service status;
+	')
+
+	allow $1 initrc_exec_t:service status;
+')
+
+########################################
+## <summary>
 ##	Allow the role to start and stop
 ##	labeled services.
 ## </summary>
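Review bot: The parameter description for `init_get_script_status` reads "Target domain", while the other interfaces added in this diff use "Domain allowed access." for `$1`. "Target" is misleading here because `$1` is the source of the allow rule and `initrc_exec_t` is its target. Suggest `Domain allowed access.` here and on `init_admin` at the end of the file, which has the same wording. The new comment block also indents with spaces after `##`, where the adjacent context lines use a tab.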
@@ -2890,6 +2928,26 @@ interface(`init_get_all_units_status',`
 	allow $1 { init_script_file_type systemdunit }:service status;
 ')
 
+#######################################
+## <summary>
+##      All perms on all systemd units.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`init_manage_all_units',`
+	gen_require(`
+		attribute systemdunit;
+		class service all_service_perms;
+	')
+
+	allow $1 systemdunit:service all_service_perms;
+	allow $1 systemdunit:file getattr;
+')
+
 ########################################
 ## <summary>
 ##	Start all systemd units.
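Review bot: `init_manage_all_units` targets only `systemdunit`, whereas the neighbouring `init_get_all_units_status` and `init_reload_all_units` shown in the context lines target `{ init_script_file_type systemdunit }`. If leaving out `init_script_file_type` is deliberate (for example because `init_manage_script_service` is meant to cover scripts), the summary should say so, e.g. `All service permissions on all systemd unit types (init scripts are not covered).`; otherwise the target set should match its siblings. The summary also does not mention the additional `systemdunit:file getattr` rule.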
@@ -2946,3 +3004,39 @@ interface(`init_reload_all_units',`
 
 	allow $1 { init_script_file_type systemdunit }:service reload;
 ')
+
+########################################
+## <summary>
+##      Allow unconfined access to send instructions to init
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Target domain
+##      </summary>
+## </param>
+#
+interface(`init_admin',`
+	gen_require(`
+		type initrc_exec_t;
+		class service status;
+	')
+
+	dev_manage_null_service($1)
+	init_disable($1)
+	init_enable($1)
+	init_get_all_units_status($1)
+	init_get_generic_units_status($1)
+	init_get_system_status($1)
+	init_manage_all_units($1)
+	init_manage_script_service($1)
+	init_reboot_system($1)
+	init_reload($1)
+	init_reload_all_units($1)
+	init_shutdown_system($1)
+	init_start_all_units($1)
+	init_start_generic_units($1)
+	init_stop_all_units($1)
+	init_stop_generic_units($1)
+	init_stop_system($1)
+	init_telinit($1)
+')
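Review bot: The `gen_require` block in `init_admin` declares `type initrc_exec_t;` and `class service status;`, but the body consists only of interface calls and never references either directly; it looks copied from `init_get_script_status`. I would drop the block. The summary "Allow unconfined access to send instructions to init" would be more useful if it stated that the interface aggregates status, start, stop, reload, enable, disable, reboot, shutdown and telinit access across all units, since sysadm.te and unconfined.te now call it as a single grant.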

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index aed3e65a..02a240d8 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 2.2.15)
+policy_module(init, 2.2.16)
 
 gen_require(`
 	class passwd rootok;
@@ -697,9 +697,7 @@ ifdef(`distro_gentoo',`
 	seutil_read_default_contexts(initrc_t)
 
 	# /lib/rcscripts/net/system.sh rewrites resolv.conf :(
-	sysnet_create_config(initrc_t)
-	sysnet_write_config(initrc_t)
-	sysnet_setattr_config(initrc_t)
+	sysnet_manage_config(initrc_t)
 
 	optional_policy(`
 		abrt_manage_pid_files(initrc_t)
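Review bot: `sysnet_manage_config(initrc_t)` grants `manage_file_perms` on `net_conf_t` (visible in the sysnetwork.if hunk of this commit), which is wider than the create, write and setattr interfaces it replaces. The existing comment justifies only rewriting resolv.conf, so it should be extended to say why the full manage set is wanted, for example `# manage is needed because the script replaces the file rather than editing it in place`, if that is the reason. The same widening, plus relabel, is applied to `systemd_tmpfiles_t` in the systemd.te hunk with no comment at all.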

diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index 22cb0fa3..bcebce9d 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -1,4 +1,4 @@
-policy_module(locallogin, 1.15.3)
+policy_module(locallogin, 1.15.4)
 
 ########################################
 #
@@ -193,6 +193,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+	systemd_dbus_chat_logind(local_login_t)
+	systemd_write_inherited_logind_sessions_pipes(local_login_t)
+')
+
+optional_policy(`
 	unconfined_shell_domtrans(local_login_t)
 ')
 

diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc
index d2f755f2..1e6abbaf 100644
--- a/policy/modules/system/lvm.fc
+++ b/policy/modules/system/lvm.fc
@@ -29,6 +29,7 @@ ifdef(`distro_gentoo',`
 
 /usr/lib/lvm-10/.*				--	gen_context(system_u:object_r:lvm_exec_t,s0)
 /usr/lib/lvm-200/.*				--	gen_context(system_u:object_r:lvm_exec_t,s0)
+/usr/lib/systemd/systemd-cryptsetup		--	gen_context(system_u:object_r:lvm_exec_t,s0)
 /usr/lib/systemd/system/blk-availability.*	--	gen_context(system_u:object_r:lvm_unit_t,s0)
 /usr/lib/systemd/system/dm-event.*		--	gen_context(system_u:object_r:lvm_unit_t,s0)
 /usr/lib/systemd/system/lvm2-.*			--	gen_context(system_u:object_r:lvm_unit_t,s0)
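Review bot: Labelling `/usr/lib/systemd/systemd-cryptsetup` as `lvm_exec_t` presumably makes it run in `lvm_t`, so the access added for it in lvm.te (`kernel_read_crypto_sysctls`, `init_stream_connect`, `kernel_request_load_module`) is granted to every program in that domain rather than to cryptsetup alone. A comment above this entry stating why the binary shares the LVM domain would help, e.g. `# systemd-cryptsetup needs the same device-mapper access as the lvm tools`, if that is the rationale. Separately, `kernel_request_load_module(lvm_t)` in lvm.te is the only one of the three additions there without a `# for systemd-cryptsetup` comment.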

diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 977a374b..09740eb4 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -1,4 +1,4 @@
-policy_module(lvm, 1.19.7)
+policy_module(lvm, 1.19.8)
 
 ########################################
 #
@@ -218,6 +218,7 @@ filetrans_pattern(lvm_t, lvm_etc_t, lvm_metadata_t, file)
 files_etc_filetrans(lvm_t, lvm_metadata_t, file)
 files_search_mnt(lvm_t)
 
+kernel_request_load_module(lvm_t)
 kernel_get_sysvipc_info(lvm_t)
 kernel_read_system_state(lvm_t)
 # Read system variables in /proc/sys
@@ -227,6 +228,8 @@ kernel_dontaudit_search_unlabeled(lvm_t)
 # it has no reason to need this
 kernel_dontaudit_getattr_core_if(lvm_t)
 kernel_use_fds(lvm_t)
+# for systemd-cryptsetup
+kernel_read_crypto_sysctls(lvm_t)
 kernel_search_debugfs(lvm_t)
 
 corecmd_exec_bin(lvm_t)
@@ -301,6 +304,8 @@ init_use_fds(lvm_t)
 init_dontaudit_getattr_initctl(lvm_t)
 init_use_script_ptys(lvm_t)
 init_read_script_state(lvm_t)
+# for systemd-cryptsetup to talk to /run/systemd/journal/socket
+init_stream_connect(lvm_t)
 
 logging_send_syslog_msg(lvm_t)
 

diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index 86313b66..a20a2d46 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -418,6 +418,25 @@ interface(`sysnet_create_config',`
 
 #######################################
 ## <summary>
+##	Relabel network config files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sysnet_relabel_config',`
+	gen_require(`
+		type net_conf_t;
+	')
+
+	files_search_etc($1)
+	allow $1 net_conf_t:file { relabelfrom relabelto };
+')
+
+#######################################
+## <summary>
 ##	Create files in /etc with the type used for
 ##	the network config files.
 ## </summary>
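Review bot: `sysnet_relabel_config` spells out `{ relabelfrom relabelto }` where `sysnet_manage_config` in the next hunk uses a permission-set macro (`manage_file_perms`). The matching form would be refpolicy's `relabel_file_perms` set: `allow $1 net_conf_t:file relabel_file_perms;`. That set also includes `getattr`, which a relabelling process normally needs on the file. The rule covers only the `file` class, so a symlinked network config could not be relabelled through this interface; whether that matters depends on callers outside this hunk.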
@@ -455,6 +474,7 @@ interface(`sysnet_manage_config',`
 		type net_conf_t;
 	')
 
+	files_search_etc($1)
 	allow $1 net_conf_t:file manage_file_perms;
 
 	ifdef(`distro_debian',`

diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index a0f907e3..8e6d532a 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -1,4 +1,4 @@
-policy_module(sysnetwork, 1.20.7)
+policy_module(sysnetwork, 1.20.8)
 
 ########################################
 #

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 5e5268c0..cd6d2e4a 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -60,6 +60,26 @@ interface(`systemd_manage_logind_pid_pipes',`
 
 ######################################
 ## <summary>
+##     Write systemd_login named pipe.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`systemd_write_logind_pid_pipes',`
+	gen_require(`
+		type systemd_logind_var_run_t;
+	')
+
+	init_search_run($1)
+	files_search_pids($1)
+	allow $1 systemd_logind_var_run_t:fifo_file { getattr write };
+')
+
+######################################
+## <summary>
 ##   Use inherited systemd
 ##   logind file descriptors.
 ## </summary>
@@ -79,6 +99,27 @@ interface(`systemd_use_logind_fds',`
 
 ######################################
 ## <summary>
+##      Read logind sessions files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`systemd_read_logind_sessions_files',`
+	gen_require(`
+		type systemd_sessions_var_run_t, systemd_logind_t;
+	')
+
+	allow $1 systemd_logind_t:fd use;
+	init_search_run($1)
+	allow $1 systemd_sessions_var_run_t:dir list_dir_perms;
+	read_files_pattern($1, systemd_sessions_var_run_t, systemd_sessions_var_run_t)
+')
+
+######################################
+## <summary>
 ##      Write inherited logind sessions pipes.
 ## </summary>
 ## <param name="domain">
@@ -172,6 +213,25 @@ interface(`systemd_signull_logind',`
 
 ########################################
 ## <summary>
+##	Allow reading /run/systemd/machines
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain that can access the machines files
+##	</summary>
+## </param>
+#
+interface(`systemd_read_machines',`
+	gen_require(`
+		type systemd_machined_var_run_t;
+	')
+
+	allow $1 systemd_machined_var_run_t:dir list_dir_perms;
+	allow $1 systemd_machined_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
 ##      allow systemd_passwd_agent to inherit fds
 ## </summary>
 ## <param name="domain">
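Review bot: `systemd_read_machines` grants access inside `systemd_machined_var_run_t` but, unlike `systemd_write_logind_pid_pipes` and `systemd_read_logind_sessions_files` added in this same file, it does not call `init_search_run($1)` or `files_search_pids($1)` to reach the directory under /run/systemd. Unless every caller already has search access to the parent directories, add `init_search_run($1)` before the two allow rules. The parameter text "Domain that can access the machines files" also differs from the "Domain allowed access." wording used by the other new interfaces.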
@@ -188,6 +248,30 @@ interface(`systemd_use_passwd_agent_fds',`
 	allow systemd_passwd_agent_t $1:fd use;
 ')
 
+#######################################
+## <summary>
+##	Allow a systemd_passwd_agent_t process to interact with a daemon
+##	that needs a password from the sysadmin.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemd_use_passwd_agent',`
+	gen_require(`
+		type systemd_passwd_agent_t;
+		type systemd_passwd_var_run_t;
+	')
+
+	manage_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
+	manage_sock_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
+
+	allow systemd_passwd_agent_t $1:process signull;
+	allow systemd_passwd_agent_t $1:unix_dgram_socket sendto;
+')
+
 ########################################
 ## <summary>
 ##      Transition to systemd_passwd_var_run_t when creating dirs
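Review bot: The summary of `systemd_use_passwd_agent` describes only the agent side, but the interface also gives `$1` `manage_files_pattern` and `manage_sock_files_pattern` on `systemd_passwd_var_run_t`, i.e. create and delete rights on files and sockets of that type. Please state both directions, for example `Allow the domain to manage password request files and sockets, and allow systemd_passwd_agent_t to signull it and send to its datagram socket.` No caller of this interface appears in this diff, so the manage-level grant cannot be checked against a concrete user here.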

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 672d289d..210ebc1d 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.3.15)
+policy_module(systemd, 1.3.16)
 
 #########################################
 #
@@ -827,7 +827,8 @@ miscfiles_relabel_man_cache(systemd_tmpfiles_t)
 seutil_read_config(systemd_tmpfiles_t)
 seutil_read_file_contexts(systemd_tmpfiles_t)
 
-sysnet_create_config(systemd_tmpfiles_t)
+sysnet_manage_config(systemd_tmpfiles_t)
+sysnet_relabel_config(systemd_tmpfiles_t)
 
 systemd_log_parse_environment(systemd_tmpfiles_t)
 

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index f115d9f8..81543689 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -1,4 +1,4 @@
-policy_module(udev, 1.21.6)
+policy_module(udev, 1.21.7)
 
 ########################################
 #
@@ -40,7 +40,7 @@ ifdef(`enable_mcs',`
 
 allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid mknod net_admin net_raw setgid setuid sys_admin sys_nice sys_nice sys_ptrace sys_rawio sys_resource };
 dontaudit udev_t self:capability sys_tty_config;
-allow udev_t self:capability2 block_suspend;
+allow udev_t self:capability2 { wake_alarm block_suspend };
 allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow udev_t self:process { execmem setfscreate };
 allow udev_t self:fd use;
@@ -119,6 +119,7 @@ domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
 files_read_usr_files(udev_t)
 files_read_etc_runtime_files(udev_t)
 files_read_etc_files(udev_t)
+files_read_kernel_modules(udev_t)
 files_exec_etc_files(udev_t)
 files_getattr_generic_locks(udev_t)
 files_search_mnt(udev_t)
@@ -148,8 +149,14 @@ auth_domtrans_pam_console(udev_t)
 auth_use_nsswitch(udev_t)
 
 init_read_utmp(udev_t)
+# systemd-udevd searches /run/systemd
+init_search_run(udev_t)
 init_dontaudit_write_utmp(udev_t)
 init_getattr_initctl(udev_t)
+init_start_all_units(udev_t)
+init_stop_all_units(udev_t)
+# for hdparm init script run by udev
+init_get_script_status(udev_t)
 
 logging_search_logs(udev_t)
 logging_send_syslog_msg(udev_t)
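Review bot: `init_start_all_units(udev_t)` and `init_stop_all_units(udev_t)` give udev_t start and stop on all units (by their names, and by analogy with `init_reload_all_units` in init.if, on init script types as well), yet the only justification in the hunk is the hdparm comment attached to `init_get_script_status`. If udev only needs to act on specific units, a narrower interface would be preferable. At minimum add a comment such as `# systemd-udevd starts and stops units in response to device events`, if that is the reason. These grants are also placed in the unconditional section, while the next hunk shows an `init_systemd` conditional block in the same file where they would fit.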
@@ -228,6 +235,7 @@ ifdef(`init_systemd',`
 
 	init_dgram_send(udev_t)
 
+	systemd_read_logind_sessions_files(udev_t)
 	systemd_read_logind_pids(udev_t)
 ',`
 	fs_manage_tmpfs_dirs(udev_t)

diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
index 3f7f66a7..02f9dfce 100644
--- a/policy/modules/system/unconfined.if
+++ b/policy/modules/system/unconfined.if
@@ -16,6 +16,7 @@ interface(`unconfined_domain_noaudit',`
 		class dbus all_dbus_perms;
 		class nscd all_nscd_perms;
 		class passwd all_passwd_perms;
+		class service all_service_perms;
 	')
 
 	# Use most Linux capabilities
@@ -44,6 +45,9 @@ interface(`unconfined_domain_noaudit',`
 	files_unconfined($1)
 	fs_unconfined($1)
 	selinux_unconfined($1)
+	files_get_etc_unit_status($1)
+	files_start_etc_service($1)
+	files_stop_etc_service($1)
 
 	tunable_policy(`allow_execheap',`
 		# Allow making the stack executable via mprotect.
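Review bot: The three new `files_*` calls are appended after `selinux_unconfined($1)` instead of next to `files_unconfined($1)`, which breaks the grouping by module prefix used in the lines above. The first hunk also adds `class service all_service_perms;` to `gen_require`, but nothing in the lines shown uses the `service` class directly; only status, start and stop on `etc_t` are granted, through interfaces. Either drop the require or, if full service access to etc_t units was intended, note that enable, disable and reload are not covered. The interface body continues outside both hunks, so a direct use may exist there.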

diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index c979a681..bfb8b1c5 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -1,4 +1,4 @@
-policy_module(unconfined, 3.9.2)
+policy_module(unconfined, 3.9.3)
 
 ########################################
 #
@@ -96,6 +96,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	init_admin(unconfined_t)
+')
+
+optional_policy(`
 	inn_domtrans(unconfined_t)
 ')
 

