From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 2EFB7139694 for ; Tue, 13 Jun 2017 08:25:56 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 09A3021C1C5; Tue, 13 Jun 2017 08:25:46 +0000 (UTC) Received: from smtp.gentoo.org (dev.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id CD0AA21C1C5 for ; Tue, 13 Jun 2017 08:25:45 +0000 (UTC) Received: from oystercatcher.gentoo.org (unknown [IPv6:2a01:4f8:202:4333:225:90ff:fed9:fc84]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id AF42C34191C for ; Tue, 13 Jun 2017 08:25:44 +0000 (UTC) Received: from localhost.localdomain (localhost [IPv6:::1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 560837494 for ; Tue, 13 Jun 2017 08:25:40 +0000 (UTC) 
From: "Jason Zaman"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman"
Message-ID: <1497341003.d14a17d668122568037f0f2600b915c43403e7fc.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/contrib/arpwatch.fc policy/modules/contrib/arpwatch.if policy/modules/contrib/arpwatch.te
X-VCS-Directories: policy/modules/contrib/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: d14a17d668122568037f0f2600b915c43403e7fc
X-VCS-Branch: master
Date: Tue, 13 Jun 2017 08:25:40 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: b2944136-8ba3-47ae-a749-925627c759e9
X-Archives-Hash: 442a2ef35b4ff6ed2997135f9376d6ba

commit: d14a17d668122568037f0f2600b915c43403e7fc
Author: cgzones googlemail com>
AuthorDate: Fri Jun 9 13:41:00 2017 +0000
Commit: Jason Zaman gentoo org>
CommitDate: Tue Jun 13 08:03:23 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d14a17d6

arpwatch: update v2: - do not deprecate arpwatch_initrc_domtrans

policy/modules/contrib/arpwatch.fc | 4 ++--
policy/modules/contrib/arpwatch.if | 15 +++++++--------
policy/modules/contrib/arpwatch.te | 17 ++++++++++-------
3 files changed, 19 insertions(+), 17 deletions(-)

diff --git a/policy/modules/contrib/arpwatch.fc b/policy/modules/contrib/arpwatch.fc
index 304f4622..9b0eadc8 100644
--- a/policy/modules/contrib/arpwatch.fc
+++ b/policy/modules/contrib/arpwatch.fc
@@ -1,6 +1,6 @@
 /etc/rc\.d/init\.d/arpwatch -- gen_context(system_u:object_r:arpwatch_initrc_exec_t,s0)
-/usr/lib/systemd/system/arpwatch.*\.service -- gen_context(system_u:object_r:arpwatch_unit_t,s0)
+/usr/lib/systemd/system/arpwatch[^/]*\.service -- gen_context(system_u:object_r:arpwatch_unit_t,s0)
 /usr/bin/arpwatch -- gen_context(system_u:object_r:arpwatch_exec_t,s0)
@@ -10,4 +10,4 @@
 /var/lib/arpwatch(/.*)? gen_context(system_u:object_r:arpwatch_data_t,s0)
-/run/arpwatch.*\.pid -- gen_context(system_u:object_r:arpwatch_var_run_t,s0)
+/run/arpwatch.*\.pid -- gen_context(system_u:object_r:arpwatch_pid_t,s0)
diff --git a/policy/modules/contrib/arpwatch.if b/policy/modules/contrib/arpwatch.if
index 76389b79..63e1b571 100644
--- a/policy/modules/contrib/arpwatch.if
+++ b/policy/modules/contrib/arpwatch.if
@@ -137,20 +137,19 @@ interface(`arpwatch_dontaudit_rw_packet_sockets',`
 interface(`arpwatch_admin',`
 gen_require(`
 type arpwatch_t, arpwatch_tmp_t, arpwatch_initrc_exec_t;
- type arpwatch_data_t, arpwatch_var_run_t;
+ type arpwatch_data_t, arpwatch_pid_t, arpwatch_unit_t;
 ')
- allow $1 arpwatch_t:process { ptrace signal_perms };
- ps_process_pattern($1, arpwatch_t)
+ admin_process_pattern($1, arpwatch_t)
- init_startstop_service($1, $2, arpwatch_t, arpwatch_initrc_exec_t)
+ init_startstop_service($1, $2, arpwatch_t, arpwatch_initrc_exec_t, arpwatch_unit_t)
- files_list_tmp($1)
+ files_search_tmp($1)
 admin_pattern($1, arpwatch_tmp_t)
- files_list_var($1)
+ files_search_var_lib($1)
 admin_pattern($1, arpwatch_data_t)
- files_list_pids($1)
- admin_pattern($1, arpwatch_var_run_t)
+ files_search_pids($1)
+ admin_pattern($1, arpwatch_pid_t)
 ')
diff --git a/policy/modules/contrib/arpwatch.te b/policy/modules/contrib/arpwatch.te
index 935e8614..7bc0d9ce 100644
--- a/policy/modules/contrib/arpwatch.te
+++ b/policy/modules/contrib/arpwatch.te
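Review bot: The pid entry in the second arpwatch.fc hunk keeps `/run/arpwatch.*\.pid` while the unit-file entry in the first hunk was tightened to `arpwatch[^/]*\.service`; since `.*` also matches `/`, a regular file at a deeper path such as `/run/arpwatch-x/sub/y.pid` (constructed example) would be labelled arpwatch_pid_t too. Applying the same anchoring here, `/run/arpwatch[^/]*\.pid -- gen_context(system_u:object_r:arpwatch_pid_t,s0)`, keeps the label on files directly under /run. The `--` already limits the match to regular files, so the remaining exposure is only mislabelling of stray files under differently named subdirectories.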
@@ -21,21 +21,21 @@ files_tmp_file(arpwatch_tmp_t)
 type arpwatch_unit_t;
 init_unit_file(arpwatch_unit_t)
-type arpwatch_var_run_t;
-files_pid_file(arpwatch_var_run_t)
+type arpwatch_pid_t alias arpwatch_var_run_t;
+files_pid_file(arpwatch_pid_t)
 ########################################
 #
 # Local policy
 #
-allow arpwatch_t self:capability { net_admin net_raw setgid setuid };
-dontaudit arpwatch_t self:capability sys_tty_config;
+allow arpwatch_t self:capability { dac_override net_admin net_raw setgid setuid };
 allow arpwatch_t self:process signal_perms;
 allow arpwatch_t self:unix_stream_socket { accept listen };
 allow arpwatch_t self:tcp_socket { accept listen };
 allow arpwatch_t self:packet_socket create_socket_perms;
-allow arpwatch_t self:socket create_socket_perms;
+allow arpwatch_t self:socket { create ioctl };
+allow arpwatch_t self:netlink_netfilter_socket { create read write };
 manage_dirs_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
 manage_files_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
@@ -45,14 +45,17 @@ manage_dirs_pattern(arpwatch_t, arpwatch_tmp_t, arpwatch_tmp_t)
 manage_files_pattern(arpwatch_t, arpwatch_tmp_t, arpwatch_tmp_t)
 files_tmp_filetrans(arpwatch_t, arpwatch_tmp_t, { file dir })
-manage_files_pattern(arpwatch_t, arpwatch_var_run_t, arpwatch_var_run_t)
-files_pid_filetrans(arpwatch_t, arpwatch_var_run_t, file)
+manage_files_pattern(arpwatch_t, arpwatch_pid_t, arpwatch_pid_t)
+files_pid_filetrans(arpwatch_t, arpwatch_pid_t, file)
 kernel_read_kernel_sysctls(arpwatch_t)
 kernel_read_network_state(arpwatch_t)
 kernel_read_system_state(arpwatch_t)
 kernel_request_load_module(arpwatch_t)
+# /sys/kernel/debug/usb/usbmon/\d+t
+kernel_dontaudit_search_debugfs(arpwatch_t)
+# /sys/class/net
 dev_read_sysfs(arpwatch_t)
 dev_read_usbmon_dev(arpwatch_t)
 dev_rw_generic_usb_dev(arpwatch_t)
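Review bot: The first arpwatch.te hunk adds `dac_override` to the `self:capability` rule without a comment saying which access needs it, and that capability lets arpwatch_t bypass discretionary permission checks on every file the policy otherwise lets it reach, so it is a considerably wider grant than the net_admin/net_raw/setgid/setuid set it joins. A why-comment above the rule, e.g. `# dac_override: <file or operation that needs it — confirm>`, would let a later reviewer judge whether it can be dropped; where the only need is the daemon reopening its own data or pid files after dropping privileges, correcting the ownership of those directories is the usual fix rather than the capability. The same hunk removes `dontaudit arpwatch_t self:capability sys_tty_config;`, so any remaining sys_tty_config attempt will now produce an AVC denial; if that is intentional a short mention in the commit message would make it clear, and if not the dontaudit should be kept.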