From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-commits+bounces-950612-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by finch.gentoo.org (Postfix) with ESMTPS id C5DFE139694
	for <garchives@archives.gentoo.org>; Thu, 18 May 2017 16:55:09 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 02098E0EA3;
	Thu, 18 May 2017 16:54:58 +0000 (UTC)
Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id C1914E0EA3
	for <gentoo-commits@lists.gentoo.org>; Thu, 18 May 2017 16:54:57 +0000 (UTC)
Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.gentoo.org (Postfix) with ESMTPS id 6D1E434165C
	for <gentoo-commits@lists.gentoo.org>; Thu, 18 May 2017 16:54:56 +0000 (UTC)
Received: from localhost.localdomain (localhost [IPv6:::1])
	by oystercatcher.gentoo.org (Postfix) with ESMTP id 0FCD57455
	for <gentoo-commits@lists.gentoo.org>; Thu, 18 May 2017 16:54:55 +0000 (UTC)
From: "Sven Vermeulen" <swift@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" <swift@gentoo.org>
Message-ID: <1493561865.9f8cb24323e7357725e97e57caa71920e398ea6b.swift@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/contrib/apt.if policy/modules/contrib/apt.te policy/modules/contrib/cron.te policy/modules/contrib/mrtg.if policy/modules/contrib/mrtg.te policy/modules/contrib/rsync.te
X-VCS-Directories: policy/modules/contrib/
X-VCS-Committer: swift
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: 9f8cb24323e7357725e97e57caa71920e398ea6b
X-VCS-Branch: swift
Date: Thu, 18 May 2017 16:54:55 +0000 (UTC)
Precedence: bulk
List-Post: <mailto:gentoo-commits@lists.gentoo.org>
List-Help: <mailto:gentoo-commits+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-commits+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-commits+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-commits.gentoo.org>
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: c01b86de-2a4d-4049-8680-7bba9b4f9f54
X-Archives-Hash: 3ca3ccb13a1c92875866df3b337c3d69

commit:     9f8cb24323e7357725e97e57caa71920e398ea6b
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Apr 26 22:02:08 2017 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 14:17:45 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9f8cb243

some little misc things from Russell Coker.

This patch allows setfiles to use file handles inherited from apt (for dpkg
postinst scripts), adds those rsync permissions that were rejected previously
due to not using interfaces, allows fsadm_t to stat /run/mount/utab, and
allows system_cronjob_t some access it requires (including net_admin for
when it runs utilities that set buffers).

 policy/modules/contrib/apt.if   | 20 ++++++++++++++++++++
 policy/modules/contrib/apt.te   |  2 +-
 policy/modules/contrib/cron.te  | 25 +++++++++++++++++++++----
 policy/modules/contrib/mrtg.if  | 18 ++++++++++++++++++
 policy/modules/contrib/mrtg.te  |  2 +-
 policy/modules/contrib/rsync.te |  4 +++-
 6 files changed, 64 insertions(+), 7 deletions(-)

diff --git a/policy/modules/contrib/apt.if b/policy/modules/contrib/apt.if
index 0a1bc49f..568aa97d 100644
--- a/policy/modules/contrib/apt.if
+++ b/policy/modules/contrib/apt.if
@@ -176,6 +176,26 @@ interface(`apt_read_cache',`
 
 ########################################
 ## <summary>
+##	Create, read, write, and delete apt package cache content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apt_manage_cache',`
+	gen_require(`
+		type apt_var_cache_t;
+	')
+
+	files_search_var($1)
+	allow $1 apt_var_cache_t:dir manage_dir_perms;
+	allow $1 apt_var_cache_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
 ##	Read apt package database content.
 ## </summary>
 ## <param name="domain">

diff --git a/policy/modules/contrib/apt.te b/policy/modules/contrib/apt.te
index 05197c4c..dc6f09b1 100644
--- a/policy/modules/contrib/apt.te
+++ b/policy/modules/contrib/apt.te
@@ -1,4 +1,4 @@
-policy_module(apt, 1.10.1)
+policy_module(apt, 1.10.2)
 
 ########################################
 #

diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te
index 5cb7dac1..15e6bdb4 100644
--- a/policy/modules/contrib/cron.te
+++ b/policy/modules/contrib/cron.te
@@ -1,4 +1,4 @@
-policy_module(cron, 2.11.3)
+policy_module(cron, 2.11.4)
 
 gen_require(`
 	class passwd rootok;
@@ -338,6 +338,13 @@ ifdef(`distro_debian',`
 	allow crond_t self:process setrlimit;
 
 	optional_policy(`
+		apt_manage_cache(system_cronjob_t)
+		apt_read_db(system_cronjob_t)
+
+		dpkg_manage_db(system_cronjob_t)
+	')
+
+	optional_policy(`
 		logwatch_search_cache_dir(crond_t)
 	')
 ')
@@ -429,6 +436,7 @@ optional_policy(`
 	systemd_write_inherited_logind_sessions_pipes(system_cronjob_t)
 	# so cron jobs can restart daemons
 	init_stream_connect(system_cronjob_t)
+	init_manage_script_service(system_cronjob_t)
 ')
 
 optional_policy(`
@@ -440,7 +448,7 @@ optional_policy(`
 # System local policy
 #
 
-allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_bind_service setgid setuid sys_nice };
+allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_admin net_bind_service setgid setuid sys_nice };
 allow system_cronjob_t self:process { signal_perms getsched setsched };
 allow system_cronjob_t self:fd use;
 allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
@@ -461,10 +469,11 @@ allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
 allow system_cronjob_t system_cronjob_lock_t:lnk_file manage_lnk_file_perms;
 files_lock_filetrans(system_cronjob_t, system_cronjob_lock_t, { file lnk_file })
 
+manage_dirs_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
 manage_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
 manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
 filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
-files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
+files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, { file dir })
 
 manage_files_pattern(system_cronjob_t, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
 
@@ -475,7 +484,7 @@ allow system_cronjob_t crond_t:process sigchld;
 allow system_cronjob_t cron_spool_t:dir list_dir_perms;
 allow system_cronjob_t cron_spool_t:file rw_file_perms;
 
-allow system_cronjob_t crond_tmp_t:file { read write };
+allow system_cronjob_t crond_tmp_t:file rw_inherited_file_perms;
 
 kernel_read_kernel_sysctls(system_cronjob_t)
 kernel_read_network_state(system_cronjob_t)
@@ -560,10 +569,15 @@ tunable_policy(`cron_can_relabel',`
 ')
 
 optional_policy(`
+	acct_manage_data(system_cronjob_t)
+')
+
+optional_policy(`
 	apache_exec_modules(system_cronjob_t)
 	apache_read_config(system_cronjob_t)
 	apache_read_log(system_cronjob_t)
 	apache_read_sys_content(system_cronjob_t)
+	apache_delete_lib_files(system_cronjob_t)
 ')
 
 optional_policy(`
@@ -607,6 +621,7 @@ optional_policy(`
 
 optional_policy(`
 	mrtg_append_create_logs(system_cronjob_t)
+	mrtg_read_config(system_cronjob_t)
 ')
 
 optional_policy(`
@@ -649,6 +664,8 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
 allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
 allow cronjob_t self:unix_dgram_socket create_socket_perms;
 
+allow cronjob_t crond_tmp_t:file rw_inherited_file_perms;
+
 kernel_read_system_state(cronjob_t)
 kernel_read_kernel_sysctls(cronjob_t)
 

diff --git a/policy/modules/contrib/mrtg.if b/policy/modules/contrib/mrtg.if
index 0a71bd89..b25b0894 100644
--- a/policy/modules/contrib/mrtg.if
+++ b/policy/modules/contrib/mrtg.if
@@ -2,6 +2,24 @@
 
 ########################################
 ## <summary>
+##	Read mrtg configuration
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mrtg_read_config',`
+	gen_require(`
+		type mrtg_etc_t;
+	')
+
+	allow $1 mrtg_etc_t:file read_file_perms;
+')
+
+########################################
+## <summary>
 ##	Create and append mrtg log files.
 ## </summary>
 ## <param name="domain">

diff --git a/policy/modules/contrib/mrtg.te b/policy/modules/contrib/mrtg.te
index 5126d9d5..96d48f37 100644
--- a/policy/modules/contrib/mrtg.te
+++ b/policy/modules/contrib/mrtg.te
@@ -1,4 +1,4 @@
-policy_module(mrtg, 1.11.0)
+policy_module(mrtg, 1.11.1)
 
 ########################################
 #

diff --git a/policy/modules/contrib/rsync.te b/policy/modules/contrib/rsync.te
index 2fce98b0..11c7041a 100644
--- a/policy/modules/contrib/rsync.te
+++ b/policy/modules/contrib/rsync.te
@@ -1,4 +1,4 @@
-policy_module(rsync, 1.15.0)
+policy_module(rsync, 1.15.1)
 
 ########################################
 #
@@ -123,6 +123,8 @@ dev_read_urand(rsync_t)
 fs_getattr_all_fs(rsync_t)
 fs_search_auto_mountpoints(rsync_t)
 
+files_getattr_all_pipes(rsync_t)
+files_getattr_all_sockets(rsync_t)
 files_search_home(rsync_t)
 
 auth_can_read_shadow_passwords(rsync_t)