From: "Jason Zaman" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" Message-ID: <1493561864.97a89021e9da46a60f54655f5f8f0aa2dd8b88cb.perfinion@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/dbus.te policy/modules/contrib/gpg.te policy/modules/contrib/policykit.te X-VCS-Directories: policy/modules/contrib/ X-VCS-Committer: perfinion X-VCS-Committer-Name: Jason Zaman X-VCS-Revision: 97a89021e9da46a60f54655f5f8f0aa2dd8b88cb X-VCS-Branch: master Date: Sun, 30 Apr 2017 14:20:00 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 6ad12166-511b-4324-b065-50286c185955 X-Archives-Hash: 6c38cd9984e2c786bd0359d05bd156b4 commit: 97a89021e9da46a60f54655f5f8f0aa2dd8b88cb Author: Chris PeBenito ieee org> AuthorDate: Wed Apr 26 10:25:59 2017 +0000 Commit: Jason Zaman gentoo org> CommitDate: Sun Apr 30 14:17:44 2017 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=97a89021 login take 4 from Russell Coker. I have used optional sections for dbus and xserver as requested and also fixed a minor issue of a rule not being in the correct section. Please merge this. policy/modules/contrib/dbus.te | 6 ++++++ policy/modules/contrib/gpg.te | 12 ++++++++++++ policy/modules/contrib/policykit.te | 5 +++++ 3 files changed, 23 insertions(+) diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te index 579b2230..80ceb9de 100644 --- a/policy/modules/contrib/dbus.te +++ b/policy/modules/contrib/dbus.te 
@@ -149,6 +149,12 @@ ifdef(`distro_gentoo',` ') ') +ifdef(`init_systemd', ` + # gdm3 causes system_dbusd_t to want this access + dev_rw_dri(system_dbusd_t) + dev_rw_input_dev(system_dbusd_t) +') + optional_policy(` # for /run/systemd/users/* systemd_read_logind_pids(system_dbusd_t) diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te index 4345bd08..c795f278 100644 --- a/policy/modules/contrib/gpg.te +++ b/policy/modules/contrib/gpg.te @@ -87,6 +87,7 @@ gpg_stream_connect_agent(gpg_t) domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t) domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t) +kernel_read_crypto_sysctls(gpg_t) kernel_read_sysctl(gpg_t) # read /proc/cpuinfo kernel_read_system_state(gpg_t) @@ -232,6 +233,8 @@ kernel_dontaudit_search_sysctl(gpg_agent_t) kernel_read_core_if(gpg_agent_t) kernel_read_system_state(gpg_agent_t) +auth_use_nsswitch(gpg_agent_t) + corecmd_exec_bin(gpg_agent_t) corecmd_exec_shell(gpg_agent_t) @@ -272,6 +275,10 @@ tunable_policy(`use_samba_home_dirs',` ') optional_policy(` + dbus_system_bus_client(gpg_agent_t) +') + +optional_policy(` mozilla_dontaudit_rw_user_home_files(gpg_agent_t) ') @@ -279,6 +286,11 @@ optional_policy(` pcscd_stream_connect(gpg_agent_t) ') +optional_policy(` + xserver_sigchld_xdm(gpg_agent_t) + xserver_read_user_xauth(gpg_agent_t) +') + ############################## # # Pinentry local policy diff --git a/policy/modules/contrib/policykit.te b/policy/modules/contrib/policykit.te index d7686081..ee6ad3da 100644 --- a/policy/modules/contrib/policykit.te +++ b/policy/modules/contrib/policykit.te @@ -89,6 +89,7 @@ kernel_read_kernel_sysctls(policykit_t) kernel_read_system_state(policykit_t) dev_read_urand(policykit_t) +dev_read_urand(policykit_t) domain_read_all_domains_state(policykit_t) 
@@ -96,6 +97,8 @@ files_dontaudit_search_all_mountpoints(policykit_t) fs_getattr_xattr_fs(policykit_t) fs_list_inotifyfs(policykit_t) +fs_getattr_tmpfs(policykit_t) +fs_getattr_cgroup(policykit_t) auth_use_nsswitch(policykit_t) @@ -105,6 +108,8 @@ userdom_read_all_users_state(policykit_t) optional_policy(` dbus_system_domain(policykit_t, policykit_exec_t) + userdom_dbus_send_all_users(policykit_t) + optional_policy(` consolekit_dbus_chat(policykit_t) ')
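Review bot: in the dbus.te hunk, `dev_rw_dri(system_dbusd_t)` and `dev_rw_input_dev(system_dbusd_t)` give the system bus daemon read/write access to GPU and input device nodes, and the only justification is the comment that gdm3 "causes system_dbusd_t to want this access". If dbus-daemon does not need these devices to function (the denials are likely a side effect of descriptors inherited from gdm3), a dontaudit rule is the safer fix; if the access really is required, the comment should say what breaks without it. The block is also keyed on `init_systemd` while the comment names gdm3, so a sentence on why systemd is the right condition would help the next reader.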
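Review bot: in the first gpg.te hunk (@@ -87), `kernel_read_crypto_sysctls(gpg_t)` is added without a comment while the neighbouring `kernel_read_sysctl(gpg_t)` carries `# read /proc/cpuinfo`; add the same kind of note (libgcrypt reads /proc/sys/crypto/fips_enabled to detect FIPS mode) so the rule can be audited later.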
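Review bot: in the gpg.te hunk at @@ -232, `auth_use_nsswitch(gpg_agent_t)` is a wide interface (name-service lookups, which in refpolicy pull in network access and the optional nscd/sssd client rules) and the hunk gives no hint which lookup gpg-agent performs; a short comment naming the trigger would justify the width, and if only a narrower interface covers it that would be preferable.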
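Review bot: in the gpg.te hunk at @@ -279, `xserver_sigchld_xdm(gpg_agent_t)` only makes sense if gpg-agent is spawned as a child of the display manager, and together with `xserver_read_user_xauth(gpg_agent_t)` the block documents nothing about that scenario; add a comment describing it (agent started from the login session, pinentry needing the X display) so a later reader knows the rules are intentional rather than a denial that was allowed as seen.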
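Review bot: in the first policykit.te hunk (@@ -89), the added `+dev_read_urand(policykit_t)` duplicates the unchanged context line `dev_read_urand(policykit_t)` directly above it. Drop the added line: a repeated interface call is harmless at build time, but it is noise in the policy and suggests the denial that prompted it was misread.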
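Review bot: style point on the policykit.te hunk at @@ -96: `fs_getattr_tmpfs(policykit_t)` and `fs_getattr_cgroup(policykit_t)` are appended after `fs_list_inotifyfs(policykit_t)`, breaking the alphabetical order the surrounding `fs_*` calls already follow; place `fs_getattr_cgroup` and `fs_getattr_tmpfs` before `fs_getattr_xattr_fs` instead.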