From: "Jason Zaman" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" Message-ID: <1645927997.4234b23d214dd8b53dd631560f9c98778f1c9ac5.perfinion@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/services/matrixd.fc policy/modules/services/matrixd.if policy/modules/services/matrixd.te X-VCS-Directories: policy/modules/services/ X-VCS-Committer: perfinion X-VCS-Committer-Name: Jason Zaman X-VCS-Revision: 4234b23d214dd8b53dd631560f9c98778f1c9ac5 X-VCS-Branch: master Date: Sun, 27 Feb 2022 02:52:33 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply X-Archives-Salt: 6682899f-652c-420f-a35c-c544d403280a X-Archives-Hash: 99b27121c76aa740759b433c8c077595 commit: 4234b23d214dd8b53dd631560f9c98778f1c9ac5 Author: Chris PeBenito ieee org> AuthorDate: Fri Feb 18 18:46:24 2022 +0000 Commit: Jason Zaman gentoo org> CommitDate: Sun Feb 27 02:13:17 2022 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4234b23d matrixd: Cleanups. Signed-off-by: Chris PeBenito ieee.org> Signed-off-by: Jason Zaman gentoo.org> policy/modules/services/matrixd.fc | 6 ++++-- policy/modules/services/matrixd.if | 2 +- policy/modules/services/matrixd.te | 35 ++++++++++++++++------------------- 3 files changed, 21 insertions(+), 22 deletions(-) diff --git a/policy/modules/services/matrixd.fc b/policy/modules/services/matrixd.fc index b59b1c75..6db2d7ed 100644 --- a/policy/modules/services/matrixd.fc +++ b/policy/modules/services/matrixd.fc 
@@ -1,4 +1,6 @@ -/var/lib/matrix-synapse(/.*)? gen_context(system_u:object_r:matrixd_var_t,s0) -/var/log/matrix-synapse(/.*)? gen_context(system_u:object_r:matrixd_log_t,s0) /etc/matrix-synapse(/.*)? gen_context(system_u:object_r:matrixd_conf_t,s0) + /usr/bin/synctl -- gen_context(system_u:object_r:matrixd_exec_t,s0) + +/var/lib/matrix-synapse(/.*)? gen_context(system_u:object_r:matrixd_var_t,s0) +/var/log/matrix-synapse(/.*)? gen_context(system_u:object_r:matrixd_log_t,s0) diff --git a/policy/modules/services/matrixd.if b/policy/modules/services/matrixd.if index f1eff5f0..8cf2a845 100644 --- a/policy/modules/services/matrixd.if +++ b/policy/modules/services/matrixd.if @@ -1 +1 @@ -## Matrixd +## matrix.org synapse reference server. diff --git a/policy/modules/services/matrixd.te b/policy/modules/services/matrixd.te index 5c217678..2c7f384c 100644 --- a/policy/modules/services/matrixd.te +++ b/policy/modules/services/matrixd.te @@ -1,4 +1,4 @@ -policy_module(matrixd, 1.0.0) +policy_module(matrixd) ######################################## # @@ -20,23 +20,22 @@ gen_tunable(matrix_allow_federation, true) ## gen_tunable(matrix_postgresql_connect, false) - type matrixd_t; type matrixd_exec_t; init_daemon_domain(matrixd_t, matrixd_exec_t) -type matrixd_var_t; -files_type(matrixd_var_t) +type matrixd_conf_t; +files_config_file(matrixd_conf_t) type matrixd_log_t; logging_log_file(matrixd_log_t) -type matrixd_conf_t; -files_config_file(matrixd_conf_t) - type matrixd_tmp_t; files_tmp_file(matrixd_tmp_t) +type matrixd_var_t; +files_type(matrixd_var_t) + ######################################## # # Local policy 
@@ -56,16 +55,15 @@ allow matrixd_t matrixd_tmp_t:file { manage_file_perms map }; files_tmp_filetrans(matrixd_t, matrixd_tmp_t, file) fs_tmpfs_filetrans(matrixd_t, matrixd_tmp_t, file) -manage_files_pattern(matrixd_t, matrixd_var_t, matrixd_var_t) -files_search_var_lib(matrixd_t) -allow matrixd_t matrixd_var_t:file map; -allow matrixd_t matrixd_var_t:dir manage_dir_perms; +allow matrixd_t matrixd_conf_t:dir list_dir_perms; +read_files_pattern(matrixd_t, matrixd_conf_t, matrixd_conf_t) logging_search_logs(matrixd_t) manage_files_pattern(matrixd_t, matrixd_log_t, matrixd_log_t) -read_files_pattern(matrixd_t, matrixd_conf_t, matrixd_conf_t) -allow matrixd_t matrixd_conf_t:dir list_dir_perms; +mmap_manage_files_pattern(matrixd_t, matrixd_var_t, matrixd_var_t) +manage_dirs_pattern(matrixd_t, matrixd_var_t, matrixd_var_t) +files_search_var_lib(matrixd_t) kernel_read_system_state(matrixd_t) kernel_read_vm_overcommit_sysctl(matrixd_t) @@ -81,7 +79,6 @@ corenet_tcp_bind_generic_node(matrixd_t) corenet_tcp_bind_http_port(matrixd_t) corenet_tcp_connect_http_cache_port(matrixd_t) corenet_tcp_connect_http_port(matrixd_t) - corenet_udp_bind_generic_node(matrixd_t) corenet_udp_bind_generic_port(matrixd_t) corenet_udp_bind_reserved_port(matrixd_t) @@ -91,11 +88,11 @@ dev_read_urand(matrixd_t) files_read_etc_files(matrixd_t) files_read_etc_runtime_files(matrixd_t) files_read_etc_symlinks(matrixd_t) - # for /usr/share/ca-certificates files_read_usr_files(matrixd_t) init_search_runtime(matrixd_t) + logging_send_syslog_msg(matrixd_t) miscfiles_read_generic_tls_privkey(matrixd_t) @@ -106,10 +103,6 @@ sysnet_read_config(matrixd_t) userdom_search_user_runtime_root(matrixd_t) -optional_policy(` - apache_search_config(matrixd_t) -') - tunable_policy(`matrix_allow_federation',` corenet_tcp_connect_all_unreserved_ports(matrixd_t) corenet_tcp_connect_generic_port(matrixd_t) 
@@ -124,3 +117,7 @@ tunable_policy(`matrix_postgresql_connect',` postgresql_tcp_connect(matrixd_t) ') +optional_policy(` + apache_search_config(matrixd_t) +') + \ No newline at end of file
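Review bot: No labeling change in the matrixd.fc hunk, only a reorder: the /var/lib and /var/log entries move below the /etc and /usr/bin/synctl entries, with blank lines grouping them by top-level directory. The four regexes match disjoint paths, so every file keeps the same context and no relabel is needed after upgrading the module.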
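Review bot: The interface file is still a single line after this hunk (`@@ -1 +1 @@`), so the module exports no interfaces: there is no `matrixd_admin()` for an administrative domain to manage matrixd_conf_t, matrixd_log_t, matrixd_var_t and matrixd_tmp_t, and no way for another module to be granted read access to those types without a raw allow rule. The new summary text is an improvement; consider adding the conventional admin interface in a follow-up, and if the description is not wrapped in `<summary>` tags in the actual file (the mail rendering may have dropped them), the refpolicy documentation tooling expects them.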
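Review bot: `policy_module(matrixd)` without a version argument follows the current refpolicy convention of not tracking per-module version numbers, so this is the expected form. The rest of the first matrixd.te hunk only reorders the type declarations alphabetically (matrixd_conf_t moves up, matrixd_var_t moves down) and removes the blank line after `gen_tunable(matrix_postgresql_connect, false)`; the declared types and the attributes assigned to them are unchanged.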
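Review bot: The matrixd_var_t rewrite in the `@@ -56,16 +55,15 @@` hunk is access-equivalent, not a tightening, and the commit message's "Cleanups." should be read that way: `mmap_manage_files_pattern()` is `manage_files_pattern()` plus `map`, so it covers the removed `allow matrixd_t matrixd_var_t:file map;`, and `manage_dirs_pattern()` with matrixd_var_t as both container and target covers the removed `allow matrixd_t matrixd_var_t:dir manage_dir_perms;`. The hunk also reorders the conf, log and var blocks alphabetically and moves `files_search_var_lib(matrixd_t)` next to the var rules. A quick way to confirm nothing slipped is to compare `sesearch -A -s matrixd_t` output from a build before and after the change; the allow set should be identical.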
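Review bot: Deleting the `optional_policy(` apache_search_config(matrixd_t) `)` block in the `@@ -106,10 +103,6 @@` hunk is only correct because the same block is re-added at the end of the file in the following hunk; on its own it would silently drop matrixd_t's ability to search the apache configuration directory. Within one commit that is fine, and the move gives the refpolicy ordering of tunable_policy blocks before optional_policy blocks.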
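Review bot: The relocated block leaves the file badly terminated: the last added line is empty (or whitespace only) and carries `\ No newline at end of file`, so matrixd.te now ends with a stray unterminated line. Drop that final `+` line and end the file with a newline directly after `')`, otherwise the next change to this file will carry a spurious whitespace hunk.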