From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-commits+bounces-973292-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by finch.gentoo.org (Postfix) with ESMTPS id D6CBF1396D0
	for <garchives@archives.gentoo.org>; Sun, 17 Sep 2017 04:21:53 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 8DE251FC0B9;
	Sun, 17 Sep 2017 04:21:51 +0000 (UTC)
Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id 5970F1FC0B9
	for <gentoo-commits@lists.gentoo.org>; Sun, 17 Sep 2017 04:21:51 +0000 (UTC)
Received: from oystercatcher.gentoo.org (unknown [IPv6:2a01:4f8:202:4333:225:90ff:fed9:fc84])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.gentoo.org (Postfix) with ESMTPS id 5226C33FE2A
	for <gentoo-commits@lists.gentoo.org>; Sun, 17 Sep 2017 04:21:50 +0000 (UTC)
Received: from localhost.localdomain (localhost [IPv6:::1])
	by oystercatcher.gentoo.org (Postfix) with ESMTP id 3BE649087
	for <gentoo-commits@lists.gentoo.org>; Sun, 17 Sep 2017 04:21:47 +0000 (UTC)
From: "Jason Zaman" <perfinion@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" <perfinion@gentoo.org>
Message-ID: <1505618623.56dd0a71e0ed5a64b1a35987cb1b296e97dd38ea.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/contrib/dphysswapfile.fc policy/modules/contrib/dphysswapfile.if policy/modules/contrib/dphysswapfile.te
X-VCS-Directories: policy/modules/contrib/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: 56dd0a71e0ed5a64b1a35987cb1b296e97dd38ea
X-VCS-Branch: master
Date: Sun, 17 Sep 2017 04:21:47 +0000 (UTC)
Precedence: bulk
List-Post: <mailto:gentoo-commits@lists.gentoo.org>
List-Help: <mailto:gentoo-commits+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-commits+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-commits+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-commits.gentoo.org>
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: e086c3a7-a4eb-4a61-bef4-6521c1c28acb
X-Archives-Hash: 6ec862676721288157e1fc1c724e707e

commit:     56dd0a71e0ed5a64b1a35987cb1b296e97dd38ea
Author:     Christian Göttsche <cgzones <AT> googlemail <DOT> com>
AuthorDate: Thu Sep 14 11:47:48 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep 17 03:23:43 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=56dd0a71

dphysswapfile: fix swapfile creation

Currently the policy only works when the swapfile already exists.
During creation swapfile_t is hard coded in `mkswap` and needs to be used.

v2:
move swapfile file context into fstools module

 policy/modules/contrib/dphysswapfile.fc |  6 +++---
 policy/modules/contrib/dphysswapfile.if |  6 ++++--
 policy/modules/contrib/dphysswapfile.te | 14 +++++++++++++-
 3 files changed, 20 insertions(+), 6 deletions(-)

diff --git a/policy/modules/contrib/dphysswapfile.fc b/policy/modules/contrib/dphysswapfile.fc
index 70b0ee3a..dd8ab602 100644
--- a/policy/modules/contrib/dphysswapfile.fc
+++ b/policy/modules/contrib/dphysswapfile.fc
@@ -2,8 +2,8 @@
 
 /etc/rc\.d/init\.d/dphys-swapfile	--	gen_context(system_u:object_r:dphysswapfile_initrc_exec_t,s0)
 
-/usr/bin/dphys-swapfile		--	gen_context(system_u:object_r:dphysswapfile_exec_t,s0)
+/usr/bin/dphys-swapfile			--	gen_context(system_u:object_r:dphysswapfile_exec_t,s0)
 
-/usr/sbin/dphys-swapfile		--	gen_context(system_u:object_r:dphysswapfile_exec_t,s0)
+/usr/lib/systemd/system/dphys-swapfile\.service -- gen_context(system_u:object_r:dphysswapfile_unit_t,s0)
 
-/var/swap				--	gen_context(system_u:object_r:dphysswapfile_swap_t,s0)
+/usr/sbin/dphys-swapfile		--	gen_context(system_u:object_r:dphysswapfile_exec_t,s0)
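Review bot: With the `/var/swap` entry removed, nothing in this file assigns `dphysswapfile_swap_t` any more, and the replacement label is not visible in this commit (the message only says it moved to the fstools module). A reader of this file alone cannot tell which type a relabel will put on the swap file, so a one-line comment in its place would help, e.g. `# /var/swap is labeled by the fstools module (swapfile_t)`. Systems that already have a swap file presumably need that path relabeled before the new context applies, which is worth stating in the commit message. The new unit-file line also separates its columns with single spaces where the neighbouring entries use tabs.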

diff --git a/policy/modules/contrib/dphysswapfile.if b/policy/modules/contrib/dphysswapfile.if
index 7dda9553..c39464e4 100644
--- a/policy/modules/contrib/dphysswapfile.if
+++ b/policy/modules/contrib/dphysswapfile.if
@@ -11,6 +11,8 @@
 ## </param>
 #
 interface(`dphysswapfile_dontaudit_read_swap',`
+	refpolicywarn(`$0($*) has been deprecated')
+
 	gen_require(`
 		type dphysswapfile_swap_t;
 	')
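Review bot: The deprecation warning added to `dphysswapfile_dontaudit_read_swap` names no replacement, so callers get a build warning without knowing what to switch to or whether the rule still has any effect. Since the .te change in this commit has the swap file end up as swapfile_t, a dontaudit on `dphysswapfile_swap_t` presumably no longer covers the file callers wanted silenced. The message text could say so, for example "has been deprecated, the swap file is now labeled swapfile_t". The interface's doc block starts above this hunk; its summary should be marked deprecated as well.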
@@ -38,12 +40,12 @@ interface(`dphysswapfile_dontaudit_read_swap',`
 interface(`dphysswapfile_admin',`
 	gen_require(`
 		type dphysswapfile_t, dphysswapfile_conf_t;
-		type dphysswapfile_initrc_exec_t;
+		type dphysswapfile_initrc_exec_t, dphysswapfile_unit_t;
 	')
 
 	admin_process_pattern($1, dphysswapfile_t)
 
-	init_startstop_service($1, $2, dphysswapfile_t, dphysswapfile_initrc_exec_t)
+	init_startstop_service($1, $2, dphysswapfile_t, dphysswapfile_initrc_exec_t, dphysswapfile_unit_t)
 
 	files_search_etc($1)
 	admin_pattern($1, dphysswapfile_conf_t)

diff --git a/policy/modules/contrib/dphysswapfile.te b/policy/modules/contrib/dphysswapfile.te
index dfd04e32..4bfe7826 100644
--- a/policy/modules/contrib/dphysswapfile.te
+++ b/policy/modules/contrib/dphysswapfile.te
@@ -18,6 +18,9 @@ init_script_file(dphysswapfile_initrc_exec_t)
 type dphysswapfile_swap_t;
 files_type(dphysswapfile_swap_t)
 
+type dphysswapfile_unit_t;
+init_unit_file(dphysswapfile_unit_t)
+
 ########################################
 #
 # Policy
@@ -32,20 +35,29 @@ allow dphysswapfile_t dphysswapfile_conf_t:file read_file_perms;
 
 allow dphysswapfile_t dphysswapfile_exec_t:file execute_no_trans;
 
-allow dphysswapfile_t dphysswapfile_swap_t:file manage_file_perms;
+allow dphysswapfile_t dphysswapfile_swap_t:file { manage_file_perms relabelfrom };
 
 kernel_read_system_state(dphysswapfile_t)
 
 corecmd_exec_bin(dphysswapfile_t)
 corecmd_exec_shell(dphysswapfile_t)
 
+dev_read_rand(dphysswapfile_t)
+dev_read_urand(dphysswapfile_t)
+
 # ignore ls -l /var/swap noise
 files_dontaudit_getattr_pid_dirs(dphysswapfile_t)
 files_read_etc_files(dphysswapfile_t)
 files_search_var(dphysswapfile_t)
+files_var_filetrans(dphysswapfile_t, dphysswapfile_swap_t, file)
 
 fstools_exec(dphysswapfile_t)
+# swapfile_t is hardcoded in mkswap
+fstools_manage_swap_files(dphysswapfile_t)
+fstools_relabelto_swap_files(dphysswapfile_t)
 
 miscfiles_read_localization(dphysswapfile_t)
 
+storage_getattr_removable_dev(dphysswapfile_t)
+
 userdom_dontaudit_search_user_home_dirs(dphysswapfile_t)
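Review bot: `fstools_manage_swap_files` and `fstools_relabelto_swap_files` appear, from their names and the comment above them, to grant access on the shared swapfile_t type, so dphysswapfile_t could manage and relabel to every swap file on the system rather than only the one it creates. The comment says why swapfile_t is involved but not that scope; I would extend it to `# swapfile_t is hardcoded in mkswap; this grants access to all swapfile_t files, not only /var/swap`. The `files_var_filetrans(dphysswapfile_t, dphysswapfile_swap_t, file)` rule is unnamed, so any regular file this domain creates directly in a var_t directory gets the swap type. If the path is fixed, a named transition would be tighter, though the swap file location may be configurable. `dev_read_rand`, `dev_read_urand` and `storage_getattr_removable_dev` are added with no comment saying which step of swap file creation needs them.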