From: "Jason Zaman"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman"
Message-ID: <1493543572.8c603f3c8d2287b778473a09b4576bee12401b59.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/contrib/brctl.te policy/modules/contrib/dpkg.if policy/modules/contrib/dpkg.te
X-VCS-Directories: policy/modules/contrib/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: 8c603f3c8d2287b778473a09b4576bee12401b59
X-VCS-Branch: master
Date: Sun, 30 Apr 2017 09:32:45 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: 13dbef4e-a9c1-4397-a740-41346ba884be
X-Archives-Hash: a507b9b1502cdd0d2257b9e4ddf429e0

commit:     8c603f3c8d2287b778473a09b4576bee12401b59
Author:     Chris PeBenito ieee org>
AuthorDate: Wed Apr 19 01:17:16 2017 +0000
Commit:     Jason Zaman gentoo org>
CommitDate: Sun Apr 30 09:12:52 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8c603f3c

kmod, lvm, brctl patches from Russell Coker

Patches for modutils, at least one of which is needed to generate an initramfs on Debian.
Patch to allow lvm to talk to fifos from dpkg_script_t for postinst scripts etc.
Patch for brctl to allow it to create sysfs files.

 policy/modules/contrib/brctl.te |  3 ++-
 policy/modules/contrib/dpkg.if  | 39 +++++++++++++++++++++++++++++++++++++++
 policy/modules/contrib/dpkg.te  |  2 +-
 3 files changed, 42 insertions(+), 2 deletions(-)

diff --git a/policy/modules/contrib/brctl.te b/policy/modules/contrib/brctl.te
index c5a91138..fd789b5f 100644
--- a/policy/modules/contrib/brctl.te
+++ b/policy/modules/contrib/brctl.te
@@ -1,4 +1,4 @@ -policy_module(brctl, 1.7.0) +policy_module(brctl, 1.7.1) ######################################## # @@ -29,6 +29,7 @@ kernel_read_sysctl(brctl_t) corenet_rw_tun_tap_dev(brctl_t) +dev_create_sysfs_files(brctl_t) dev_rw_sysfs(brctl_t) dev_write_sysfs_dirs(brctl_t) diff --git a/policy/modules/contrib/dpkg.if b/policy/modules/contrib/dpkg.if index fdc06d69..081134f2 100644 --- a/policy/modules/contrib/dpkg.if +++ b/policy/modules/contrib/dpkg.if @@ -62,6 +62,25 @@ interface(`dpkg_domtrans_script',` ######################################## ## +## access dpkg_script fifos +## +## +## +## Domain allowed access +## +## +# +interface(`dpkg_script_rw_pipes',` + gen_require(` + type dpkg_script_t; + ') + + allow $1 dpkg_script_t:fd use; + allow $1 dpkg_script_t:fifo_file rw_file_perms; +') + +######################################## +## ## Execute dpkg programs in the dpkg domain. ## ## @@ -242,3 +261,23 @@ interface(`dpkg_lock_db',` allow $1 dpkg_var_lib_t:dir list_dir_perms; allow $1 dpkg_lock_t:file manage_file_perms; ') + +######################################## +## +## manage dpkg_script_tmp_t files and dirs +## +## +## +## Domain allowed access. +## +## +# +interface(`dpkg_manage_script_tmp_files',` + gen_require(` + type dpkg_script_tmp_t; + ') + + files_search_tmp($1) + allow $1 dpkg_script_tmp_t:dir manage_dir_perms; + allow $1 dpkg_script_tmp_t:file manage_file_perms; +') diff --git a/policy/modules/contrib/dpkg.te b/policy/modules/contrib/dpkg.te index a3d3f2e5..a91e4896 100644 --- a/policy/modules/contrib/dpkg.te +++ b/policy/modules/contrib/dpkg.te @@ -1,4 +1,4 @@ -policy_module(dpkg, 1.11.5) +policy_module(dpkg, 1.11.6) ######################################## #
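Review bot: the `dev_create_sysfs_files(brctl_t)` call added in the brctl.te hunk is not defined anywhere in this diff, so confirm that devices.if in this tree already provides that interface; if it does not, the module will fail to build. Separately, `create` on sysfs files is a wider grant than the neighbouring `dev_rw_sysfs(brctl_t)` and `dev_write_sysfs_dirs(brctl_t)` lines, and sysfs nodes are normally populated by the kernel rather than by a userspace tool, so the commit message should record which brctl operation produced the create denial; "allow it to create sysfs files" alone does not let a reviewer check that the permission is the right fix.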
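Review bot: in the first dpkg.if hunk, `allow $1 dpkg_script_t:fifo_file rw_file_perms;` applies the file permission set to a fifo_file object; refpolicy defines `rw_fifo_file_perms` for that class and it should be used here. The interface grants `fd use` together with fifo read/write, which is the inherited-pipe pattern, so the summary "access dpkg_script fifos" should be capitalised and say what is granted, for example "Read and write inherited dpkg script fifos." Also, the commit message says this change is for lvm, yet nothing in the diff calls `dpkg_script_rw_pipes`; either the lvm.te change belongs in this commit or the message should point to where it lands.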
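Review bot: the second dpkg.if hunk adds `dpkg_manage_script_tmp_files` with no caller anywhere in the diff, and the commit message does not say which domain needs to manage `dpkg_script_tmp_t`; the message mentions kmod and modutils patches, but the diffstat lists only brctl.te, dpkg.if and dpkg.te, so either the caller is missing from this commit or the message describes more than was committed. The body of the interface follows the standard pattern (`files_search_tmp($1)` plus `manage_dir_perms` and `manage_file_perms`), but the summary "manage dpkg_script_tmp_t files and dirs" should be written in the refpolicy style, e.g. "Create, read, write, and delete dpkg script temporary files and directories.", and the parameter description should end with a period as the other interfaces in this file do.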