From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id EBE1E139694 for ; Sun, 30 Apr 2017 14:20:12 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 4997921C0C9; Sun, 30 Apr 2017 14:20:11 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 16DF421C0C9 for ; Sun, 30 Apr 2017 14:20:11 +0000 (UTC) Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 5F7493416A5 for ; Sun, 30 Apr 2017 14:20:03 +0000 (UTC) Received: from localhost.localdomain (localhost [IPv6:::1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 41970744C for ; Sun, 30 Apr 2017 14:20:00 +0000 (UTC) 
From: "Jason Zaman"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman"
Message-ID: <1493561864.2aaeb154457ab51334bc8668a33fc89d65bab4e6.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/contrib/brctl.te policy/modules/contrib/dpkg.if policy/modules/contrib/dpkg.te
X-VCS-Directories: policy/modules/contrib/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: 2aaeb154457ab51334bc8668a33fc89d65bab4e6
X-VCS-Branch: master
Date: Sun, 30 Apr 2017 14:20:00 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: 76363200-026e-4270-b007-09123e2eb850
X-Archives-Hash: 162d70a30f5a502a4b0b0d918f773654

commit:     2aaeb154457ab51334bc8668a33fc89d65bab4e6
Author:     Chris PeBenito ieee org>
AuthorDate: Wed Apr 19 01:17:16 2017 +0000
Commit:     Jason Zaman gentoo org>
CommitDate: Sun Apr 30 14:17:44 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2aaeb154

kmod, lvm, brctl patches from Russell Coker

Patches for modutils, at least one of which is needed to generate an initramfs on Debian.
Patch to allow lvm to talk to fifos from dpkg_script_t for postinst scripts etc.
Patch for brctl to allow it to create sysfs files.

 policy/modules/contrib/brctl.te |  3 ++-
 policy/modules/contrib/dpkg.if  | 39 +++++++++++++++++++++++++++++++++++++++
 policy/modules/contrib/dpkg.te  |  2 +-
 3 files changed, 42 insertions(+), 2 deletions(-)

diff --git a/policy/modules/contrib/brctl.te b/policy/modules/contrib/brctl.te
index c5a91138..fd789b5f 100644
--- a/policy/modules/contrib/brctl.te
+++ b/policy/modules/contrib/brctl.te
@@ -1,4 +1,4 @@ -policy_module(brctl, 1.7.0) +policy_module(brctl, 1.7.1) ######################################## # @@ -29,6 +29,7 @@ kernel_read_sysctl(brctl_t) corenet_rw_tun_tap_dev(brctl_t) +dev_create_sysfs_files(brctl_t) dev_rw_sysfs(brctl_t) dev_write_sysfs_dirs(brctl_t) diff --git a/policy/modules/contrib/dpkg.if b/policy/modules/contrib/dpkg.if index fdc06d69..081134f2 100644 --- a/policy/modules/contrib/dpkg.if +++ b/policy/modules/contrib/dpkg.if @@ -62,6 +62,25 @@ interface(`dpkg_domtrans_script',` ######################################## ## +## access dpkg_script fifos +## +## +## +## Domain allowed access +## +## +# +interface(`dpkg_script_rw_pipes',` + gen_require(` + type dpkg_script_t; + ') + + allow $1 dpkg_script_t:fd use; + allow $1 dpkg_script_t:fifo_file rw_file_perms; +') + +######################################## +## ## Execute dpkg programs in the dpkg domain. ## ## @@ -242,3 +261,23 @@ interface(`dpkg_lock_db',` allow $1 dpkg_var_lib_t:dir list_dir_perms; allow $1 dpkg_lock_t:file manage_file_perms; ') + +######################################## +## +## manage dpkg_script_tmp_t files and dirs +## +## +## +## Domain allowed access. +## +## +# +interface(`dpkg_manage_script_tmp_files',` + gen_require(` + type dpkg_script_tmp_t; + ') + + files_search_tmp($1) + allow $1 dpkg_script_tmp_t:dir manage_dir_perms; + allow $1 dpkg_script_tmp_t:file manage_file_perms; +') diff --git a/policy/modules/contrib/dpkg.te b/policy/modules/contrib/dpkg.te index a3d3f2e5..a91e4896 100644 --- a/policy/modules/contrib/dpkg.te +++ b/policy/modules/contrib/dpkg.te @@ -1,4 +1,4 @@ -policy_module(dpkg, 1.11.5) +policy_module(dpkg, 1.11.6) ######################################## #
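Review bot: in the second brctl.te hunk, the added dev_create_sysfs_files(brctl_t) sits next to the existing dev_rw_sysfs(brctl_t) and dev_write_sysfs_dirs(brctl_t), so brctl_t can now create, read and write files anywhere under sysfs, not only the bridge entries it needs; the commit message ("allow it to create sysfs files") does not say which path triggered the denial. Suggest recording the denied sysfs path in the commit message so a later reviewer can judge whether a narrower grant than a sysfs-wide create is possible.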
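Review bot: the summary of the new dpkg_script_rw_pipes interface, "access dpkg_script fifos", understates what the body grants: `allow $1 dpkg_script_t:fd use;` plus `allow $1 dpkg_script_t:fifo_file rw_file_perms;` is the usual inherited-pipe pattern, so the summary should read along the lines of "Read and write dpkg script fifos and inherited file descriptors." (capitalised, ending in a period, like the neighbouring "Execute dpkg programs in the dpkg domain."), and a name carrying rw_inherited would match how refpolicy names fifo-plus-fd-use interfaces elsewhere. Also, nothing in this commit calls the interface (X-VCS-Files lists only brctl.te, dpkg.if and dpkg.te) even though the commit message says lvm needs it for postinst scripts; the lvm.te change should land alongside or be referenced.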
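Review bot: dpkg_manage_script_tmp_files grants manage_dir_perms and manage_file_perms on dpkg_script_tmp_t, i.e. create, write, rename and delete of another domain's temporary content, so the summary "manage dpkg_script_tmp_t files and dirs" should state that in the usual refpolicy form ("Create, read, write, and delete dpkg script temporary files and directories.") and describe the type in prose rather than by its type name. files_search_tmp($1) is the right prerequisite for reaching the tmp directory, but as with the fifo interface no caller is added in this commit, so it is not visible which domain needs delete rights on dpkg script temp files; please include or reference the caller so the scope of the grant can be reviewed.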