From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 6EF29139694 for ; Sun, 30 Apr 2017 09:33:29 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 05F65E0E0B; Sun, 30 Apr 2017 09:33:20 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id CCDADE0E0B for ; Sun, 30 Apr 2017 09:33:09 +0000 (UTC) Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 9D22C3416AD for ; Sun, 30 Apr 2017 09:32:49 +0000 (UTC) Received: from localhost.localdomain (localhost [IPv6:::1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 0B4C9745B for ; Sun, 30 Apr 2017 09:32:46 +0000 (UTC) 
From: "Jason Zaman" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" Message-ID: <1493544071.235046c2e9c4578585bb482e62e44cf1ef0eacd7.perfinion@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/apt.te policy/modules/contrib/dpkg.if policy/modules/contrib/dpkg.te policy/modules/contrib/mta.te X-VCS-Directories: policy/modules/contrib/ X-VCS-Committer: perfinion X-VCS-Committer-Name: Jason Zaman X-VCS-Revision: 235046c2e9c4578585bb482e62e44cf1ef0eacd7 X-VCS-Branch: master Date: Sun, 30 Apr 2017 09:32:46 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 34c5a74c-1347-474e-b672-1dc20d92adb5 X-Archives-Hash: 3d9c074aba9ed076085a0e5bc329fc69 commit: 235046c2e9c4578585bb482e62e44cf1ef0eacd7 Author: Chris PeBenito ieee org> AuthorDate: Sat Apr 29 15:13:24 2017 +0000 Commit: Jason Zaman gentoo org> CommitDate: Sun Apr 30 09:21:11 2017 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=235046c2 apt/dpkg strict patches from Russell Coker. The following are needed for correct operation of apt and dpkg on a "strict" configuration. policy/modules/contrib/apt.te | 6 ++++-- policy/modules/contrib/dpkg.if | 20 ++++++++++++++++++++ policy/modules/contrib/dpkg.te | 5 ++++- policy/modules/contrib/mta.te | 7 ++++++- 4 files changed, 34 insertions(+), 4 deletions(-) diff --git a/policy/modules/contrib/apt.te b/policy/modules/contrib/apt.te index dc6f09b1..63b93257 100644 --- a/policy/modules/contrib/apt.te +++ b/policy/modules/contrib/apt.te @@ -1,4 +1,4 @@ -policy_module(apt, 1.10.2) +policy_module(apt, 1.10.3) ######################################## # 
@@ -39,7 +39,7 @@ logging_log_file(apt_var_log_t) # Local policy # -allow apt_t self:capability { chown dac_override fowner fsetid }; +allow apt_t self:capability { chown dac_override fowner fsetid kill setgid setuid }; allow apt_t self:process { signal setpgid fork }; allow apt_t self:fd use; allow apt_t self:fifo_file rw_fifo_file_perms; @@ -69,12 +69,14 @@ manage_sock_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t) fs_tmpfs_filetrans(apt_t, apt_tmpfs_t, { dir file lnk_file sock_file fifo_file }) manage_files_pattern(apt_t, apt_var_cache_t, apt_var_cache_t) +manage_dirs_pattern(apt_t, apt_var_cache_t, apt_var_cache_t) files_var_filetrans(apt_t, apt_var_cache_t, dir) manage_files_pattern(apt_t, apt_var_lib_t, apt_var_lib_t) files_var_lib_filetrans(apt_t, apt_var_lib_t, dir) allow apt_t apt_var_log_t:file manage_file_perms; +allow apt_t apt_var_log_t:dir manage_dir_perms; logging_log_filetrans(apt_t, apt_var_log_t, file) can_exec(apt_t, apt_exec_t) diff --git a/policy/modules/contrib/dpkg.if b/policy/modules/contrib/dpkg.if index 081134f2..c753ad62 100644 --- a/policy/modules/contrib/dpkg.if +++ b/policy/modules/contrib/dpkg.if @@ -179,6 +179,26 @@ interface(`dpkg_use_script_fds',` ######################################## ## +## Inherit and use file descriptors +## from dpkg scripts. +## +## +## +## Domain allowed access. +## +## +# +interface(`dpkg_script_rw_inherited_pipes',` + gen_require(` + type dpkg_script_t; + ') + + allow $1 dpkg_script_t:fd use; + allow $1 dpkg_script_t:fifo_file rw_inherited_file_perms; +') + +######################################## +## ## Read dpkg package database content. ## ## diff --git a/policy/modules/contrib/dpkg.te b/policy/modules/contrib/dpkg.te index a91e4896..e781815d 100644 --- a/policy/modules/contrib/dpkg.te +++ b/policy/modules/contrib/dpkg.te @@ -1,4 +1,4 @@ -policy_module(dpkg, 1.11.6) +policy_module(dpkg, 1.11.7) ######################################## # 
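Review bot: The capability rule now grants apt_t `setuid`, `setgid` and `kill` with no comment saying what they are for, and the commit message only says they are needed on a strict configuration. Those three let the domain change its credentials and signal processes running under other UIDs, so a later audit of apt_t cannot tell whether they serve an intended privilege drop or some other path; I'd add a why-comment above the rule, e.g. `# setuid/setgid/kill: apt drops to an unprivileged user for its fetch methods and signals them (confirm against the apt version in use)`. The privilege-drop explanation is my inference from the capability set, not something the hunk shows, so it should be confirmed against the denials that motivated the change before the comment states it as fact.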
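Review bot: `allow apt_t apt_var_log_t:dir manage_dir_perms;` lets apt_t create directories of its log type, but the only type transition in the hunk is `logging_log_filetrans(apt_t, apt_var_log_t, file)`, so a directory apt creates directly under /var/log would inherit the parent's type rather than become apt_var_log_t; if apt is meant to create its log directory itself, widen it to `logging_log_filetrans(apt_t, apt_var_log_t, { dir file })`. If the directory permissions are only needed on an already-labelled log directory, that is worth a one-line comment instead. Stylistically the cache rules in the same hunk use `manage_dirs_pattern`/`manage_files_pattern`, so `manage_dirs_pattern(apt_t, apt_var_log_t, apt_var_log_t)` would read more consistently than the raw `allow`.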
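Review bot: The summary of `dpkg_script_rw_inherited_pipes` says only "Inherit and use file descriptors from dpkg scripts", but the interface also grants `rw_inherited_file_perms` on dpkg_script_t fifo files, which is exactly what distinguishes it from the existing `dpkg_use_script_fds` directly above it; the summary should say so, e.g. `Inherit and use file descriptors from dpkg scripts and read/write pipes inherited from them.` Since the `allow $1 dpkg_script_t:fd use;` line duplicates `dpkg_use_script_fds`, the body could call `dpkg_use_script_fds($1)` and keep only the fifo_file rule so the two cannot drift apart. Nothing in this commit calls the new interface (mta.te uses the apt interfaces instead), so either the caller arrives in a follow-up or this is unused policy; the commit message should say which.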
@@ -42,6 +42,8 @@ role dpkg_roles types dpkg_script_t; type dpkg_script_tmp_t; files_tmp_file(dpkg_script_tmp_t) +# out of order to work around compiler issue +domain_entry_file(dpkg_script_t, dpkg_script_tmp_t) type dpkg_script_tmpfs_t; files_tmpfs_file(dpkg_script_tmpfs_t) @@ -69,6 +71,7 @@ allow dpkg_t self:msg { send receive }; allow dpkg_t dpkg_lock_t:file manage_file_perms; spec_domtrans_pattern(dpkg_t, dpkg_var_lib_t, dpkg_script_t) +spec_domtrans_pattern(dpkg_t, dpkg_script_tmp_t, dpkg_script_t) manage_dirs_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t) manage_files_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t) diff --git a/policy/modules/contrib/mta.te b/policy/modules/contrib/mta.te index 2baa07c9..caa21fb9 100644 --- a/policy/modules/contrib/mta.te +++ b/policy/modules/contrib/mta.te @@ -1,4 +1,4 @@ -policy_module(mta, 2.8.5) +policy_module(mta, 2.8.6) ######################################## # 
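Review bot: `domain_entry_file(dpkg_script_t, dpkg_script_tmp_t)` makes a `files_tmp_file` type an entrypoint for the maintainer-script domain, and the only comment explains the placement ("out of order to work around compiler issue"), not why a temporary-file type needs to be executable at all. The consequence is that any domain able to write dpkg_script_tmp_t files can supply code that runs as dpkg_script_t once dpkg executes it, so the comment should record which scripts dpkg runs out of this type and that write access to it must stay confined, e.g. `# dpkg executes maintainer scripts it writes to a temp file; keep dpkg_script_tmp_t writable only by the dpkg domains`. The part about dpkg writing the scripts is my inference from the transition added in the next hunk and should be confirmed against the denial that prompted the patch; which domains can write dpkg_script_tmp_t is not visible in this hunk.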
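Review bot: `spec_domtrans_pattern(dpkg_t, dpkg_script_tmp_t, dpkg_script_t)` lets dpkg_t execute files of a tmp-derived type and transition into dpkg_script_t, the domain that runs package maintainer scripts with dpkg's privileges; the existing transition is from dpkg_var_lib_t, a type under /var/lib that only dpkg manages, so this widens the set of files that can become a privileged script. Before merging I'd confirm that dpkg_script_tmp_t is only ever created through dpkg_script_t's own tmp filetrans (presumably the case, but those rules are outside this hunk) and that no other domain gets write or relabelto on it. A comment on the new rule, `# dpkg runs maintainer scripts unpacked into dpkg_script_tmp_t (confirm)`, would keep the reason next to the rule.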
@@ -205,6 +205,11 @@ init_rw_stream_sockets(system_mail_t) userdom_use_user_terminals(system_mail_t) optional_policy(` + apt_use_fds(system_mail_t) + apt_use_ptys(system_mail_t) +') + +optional_policy(` apache_read_squirrelmail_data(system_mail_t) apache_append_squirrelmail_data(system_mail_t) apache_dontaudit_append_log(system_mail_t) From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 10D76139694 for ; Sun, 30 Apr 2017 09:40:51 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 6A961E0C52; Sun, 30 Apr 2017 09:40:49 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 34C3FE0C52 for ; Sun, 30 Apr 2017 09:40:49 +0000 (UTC) Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 108F63416B8 for ; Sun, 30 Apr 2017 09:40:43 +0000 (UTC) Received: from localhost.localdomain (localhost [IPv6:::1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 2EE1A744E for ; Sun, 30 Apr 2017 09:40:40 +0000 (UTC) 
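Review bot: The new `optional_policy` block for apt is placed before the apache block, but refpolicy keeps the optional_policy blocks in a .te file in alphabetical order by module and `apache` sorts before `apt`; move the block below the apache block. Separately, `apt_use_fds` and `apt_use_ptys` only cover inherited descriptors and terminals: if apt hands the message to sendmail through a pipe on stdin, system_mail_t will also need read/write on apt_t's inherited fifo files (the same shape as the `dpkg_script_rw_inherited_pipes` interface this commit adds in dpkg.if), so check the AVC log for a `fifo_file` denial against apt_t. I can only see the adjacent apache block from this hunk, so the ordering remark is based on that neighbour alone.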
From: "Jason Zaman" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" Message-ID: <1493544071.235046c2e9c4578585bb482e62e44cf1ef0eacd7.perfinion@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/apt.te policy/modules/contrib/dpkg.if policy/modules/contrib/dpkg.te policy/modules/contrib/mta.te X-VCS-Directories: policy/modules/contrib/ X-VCS-Committer: perfinion X-VCS-Committer-Name: Jason Zaman X-VCS-Revision: 235046c2e9c4578585bb482e62e44cf1ef0eacd7 X-VCS-Branch: next Date: Sun, 30 Apr 2017 09:40:40 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 380ad941-df3d-4d3a-bfb0-b38d22c790c7 X-Archives-Hash: 27b8dd9b3c251f38769e21679ead1169 Message-ID: <20170430094040.maETiZWg2uyGIafuJroZRS9XEYQ2ELcaL6zixhYOj8w@z> commit: 235046c2e9c4578585bb482e62e44cf1ef0eacd7 Author: Chris PeBenito ieee org> AuthorDate: Sat Apr 29 15:13:24 2017 +0000 Commit: Jason Zaman gentoo org> CommitDate: Sun Apr 30 09:21:11 2017 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=235046c2 apt/dpkg strict patches from Russell Coker. The following are needed for correct operation of apt and dpkg on a "strict" configuration. policy/modules/contrib/apt.te | 6 ++++-- policy/modules/contrib/dpkg.if | 20 ++++++++++++++++++++ policy/modules/contrib/dpkg.te | 5 ++++- policy/modules/contrib/mta.te | 7 ++++++- 4 files changed, 34 insertions(+), 4 deletions(-) diff --git a/policy/modules/contrib/apt.te b/policy/modules/contrib/apt.te index dc6f09b1..63b93257 100644 --- a/policy/modules/contrib/apt.te +++ b/policy/modules/contrib/apt.te 
@@ -1,4 +1,4 @@ -policy_module(apt, 1.10.2) +policy_module(apt, 1.10.3) ######################################## # @@ -39,7 +39,7 @@ logging_log_file(apt_var_log_t) # Local policy # -allow apt_t self:capability { chown dac_override fowner fsetid }; +allow apt_t self:capability { chown dac_override fowner fsetid kill setgid setuid }; allow apt_t self:process { signal setpgid fork }; allow apt_t self:fd use; allow apt_t self:fifo_file rw_fifo_file_perms; @@ -69,12 +69,14 @@ manage_sock_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t) fs_tmpfs_filetrans(apt_t, apt_tmpfs_t, { dir file lnk_file sock_file fifo_file }) manage_files_pattern(apt_t, apt_var_cache_t, apt_var_cache_t) +manage_dirs_pattern(apt_t, apt_var_cache_t, apt_var_cache_t) files_var_filetrans(apt_t, apt_var_cache_t, dir) manage_files_pattern(apt_t, apt_var_lib_t, apt_var_lib_t) files_var_lib_filetrans(apt_t, apt_var_lib_t, dir) allow apt_t apt_var_log_t:file manage_file_perms; +allow apt_t apt_var_log_t:dir manage_dir_perms; logging_log_filetrans(apt_t, apt_var_log_t, file) can_exec(apt_t, apt_exec_t) diff --git a/policy/modules/contrib/dpkg.if b/policy/modules/contrib/dpkg.if index 081134f2..c753ad62 100644 --- a/policy/modules/contrib/dpkg.if +++ b/policy/modules/contrib/dpkg.if @@ -179,6 +179,26 @@ interface(`dpkg_use_script_fds',` ######################################## ## +## Inherit and use file descriptors +## from dpkg scripts. +## +## +## +## Domain allowed access. +## +## +# +interface(`dpkg_script_rw_inherited_pipes',` + gen_require(` + type dpkg_script_t; + ') + + allow $1 dpkg_script_t:fd use; + allow $1 dpkg_script_t:fifo_file rw_inherited_file_perms; +') + +######################################## +## ## Read dpkg package database content. ## ## diff --git a/policy/modules/contrib/dpkg.te b/policy/modules/contrib/dpkg.te index a91e4896..e781815d 100644 --- a/policy/modules/contrib/dpkg.te +++ b/policy/modules/contrib/dpkg.te 
@@ -1,4 +1,4 @@ -policy_module(dpkg, 1.11.6) +policy_module(dpkg, 1.11.7) ######################################## # @@ -42,6 +42,8 @@ role dpkg_roles types dpkg_script_t; type dpkg_script_tmp_t; files_tmp_file(dpkg_script_tmp_t) +# out of order to work around compiler issue +domain_entry_file(dpkg_script_t, dpkg_script_tmp_t) type dpkg_script_tmpfs_t; files_tmpfs_file(dpkg_script_tmpfs_t) @@ -69,6 +71,7 @@ allow dpkg_t self:msg { send receive }; allow dpkg_t dpkg_lock_t:file manage_file_perms; spec_domtrans_pattern(dpkg_t, dpkg_var_lib_t, dpkg_script_t) +spec_domtrans_pattern(dpkg_t, dpkg_script_tmp_t, dpkg_script_t) manage_dirs_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t) manage_files_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t) diff --git a/policy/modules/contrib/mta.te b/policy/modules/contrib/mta.te index 2baa07c9..caa21fb9 100644 --- a/policy/modules/contrib/mta.te +++ b/policy/modules/contrib/mta.te @@ -1,4 +1,4 @@ -policy_module(mta, 2.8.5) +policy_module(mta, 2.8.6) ######################################## # @@ -205,6 +205,11 @@ init_rw_stream_sockets(system_mail_t) userdom_use_user_terminals(system_mail_t) optional_policy(` + apt_use_fds(system_mail_t) + apt_use_ptys(system_mail_t) +') + +optional_policy(` apache_read_squirrelmail_data(system_mail_t) apache_append_squirrelmail_data(system_mail_t) apache_dontaudit_append_log(system_mail_t)