* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/roles/, policy/modules/services/
@ 2017-06-13  8:25 Jason Zaman
From: Jason Zaman @ 2017-06-13  8:25 UTC
  To: gentoo-commits

commit:     b0d06664412c0c7baee2b8e12a26206d05a1ee02
Author:     cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Thu Jun  8 14:16:15 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Jun 13 08:02:15 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b0d06664

rkhunter: add interfaces for rkhunter module and sysadm permit

 policy/modules/kernel/filesystem.if | 18 ++++++++++++++++++
 policy/modules/roles/sysadm.te      |  4 ++++
 policy/modules/services/ssh.if      | 19 +++++++++++++++++++
 3 files changed, 41 insertions(+)

diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 295f3698..e85169c3 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -4823,6 +4823,24 @@ interface(`fs_getattr_tracefs',`
 
 ########################################
 ## <summary>
+##	Get attributes of dirs on tracefs filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_getattr_tracefs_dirs',`
+	gen_require(`
+		type tracefs_t;
+	')
+
+	allow $1 tracefs_t:dir getattr;
+')
+
+########################################
+## <summary>
 ##      search directories on a tracefs filesystem
 ## </summary>
 ## <param name="domain">
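Review bot: the new `fs_getattr_tracefs_dirs` interface grants only `dir getattr` on `tracefs_t`, and its summary does not say that callers still need search permission to reach subdirectories; since the neighbouring interface in this hunk is the one that provides "search directories on a tracefs filesystem", consider adding a sentence to the `<summary>` noting that this interface does not grant search and should be paired with the search interface when a caller walks the tracefs tree. The `gen_require`/`allow` body itself is fine, and the tab indentation of the new doc comment matches refpolicy style better than the space-indented summary in the surrounding context lines.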

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 8912fb6e..6d18020b 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -906,6 +906,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	rkhunter_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
 	rngd_admin(sysadm_t, sysadm_r)
 ')
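Review bot: `rkhunter_run(sysadm_t, sysadm_r)` is called here but no `rkhunter.if` defining `rkhunter_run` is part of this diff, and the commit message only says it adds interfaces "for" the rkhunter module; please confirm the interface exists in the rkhunter module being merged alongside this, because `optional_policy` only skips the block when the module is absent and will still fail the build if the module is present without that interface. The placement is correct alphabetically (`rkhunter` sorts before the existing `rngd_admin` block).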
 

diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index 3eca8306..22642eb3 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -601,6 +601,25 @@ interface(`ssh_tcp_connect',`
 
 ########################################
 ## <summary>
+##	Execute the ssh daemon in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ssh_exec_sshd',`
+	gen_require(`
+		type sshd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, sshd_exec_t)
+')
+
+########################################
+## <summary>
 ##	Execute the ssh daemon sshd domain.
 ## </summary>
 ## <param name="domain">
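Review bot: `ssh_exec_sshd` lets the caller run the sshd binary in its own domain (`can_exec($1, sshd_exec_t)`) without the usual transition to the sshd domain, and the summary does not say when that is appropriate; since the very next interface in the file ("Execute the ssh daemon sshd domain") is the transition variant, consider extending the `<summary>` to state the intended use (for example a non-privileged caller invoking the binary for a configuration or version check) so policy writers do not reach for this interface when they actually need the domain transition. The `corecmd_search_bin($1)` call and the `gen_require` of `sshd_exec_t` match the pattern of the other exec interfaces in this module.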

