* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/services/, policy/modules/admin/, ...
@ 2014-12-03 12:54 Jason Zaman
From: Jason Zaman @ 2014-12-03 12:54 UTC (permalink / raw
  To: gentoo-commits

commit:     8253183963f78c69d401d0740f2f35d4cc7726b4
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Dec  2 21:20:40 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Tue Dec  2 21:20:40 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=82531839

remove things that have been upstreamed

---
 policy/modules/admin/bootloader.fc    |  4 ----
 policy/modules/admin/sudo.if          |  7 -------
 policy/modules/kernel/corecommands.fc |  2 --
 policy/modules/services/xserver.fc    |  7 -------
 policy/modules/system/authlogin.if    | 34 ----------------------------------
 policy/modules/system/fstools.fc      |  2 --
 policy/modules/system/ipsec.fc        |  4 ----
 7 files changed, 60 deletions(-)

diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
index 6bd044c..d908d56 100644
--- a/policy/modules/admin/bootloader.fc
+++ b/policy/modules/admin/bootloader.fc
@@ -11,7 +11,3 @@
 /usr/sbin/grub2?-install	--	gen_context(system_u:object_r:bootloader_exec_t,s0)
 /usr/sbin/grub2?-mkconfig	--	gen_context(system_u:object_r:bootloader_exec_t,s0)
 /usr/sbin/grub2?-probe	--	gen_context(system_u:object_r:bootloader_exec_t,s0)
-
-ifdef(`distro_gentoo',`
-/usr/sbin/grub2?-mkconfig	--	gen_context(system_u:object_r:bootloader_exec_t,s0)
-')

diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index c6140e3..56ce11c 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -160,13 +160,6 @@ template(`sudo_role_template',`
 	optional_policy(`
 		fprintd_dbus_chat($1_sudo_t)
 	')
-
-	ifdef(`distro_gentoo',`
-		# Set ownership of ts directory (timestamp keeping)
-		allow $1_sudo_t self:capability { chown };
-		# Create /var/run/sudo
-		auth_pid_filetrans_pam_var_run($1_sudo_t, dir, "sudo")
-	')
 ')
 
 ########################################

diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index e61b52b..fdf1915 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -422,6 +422,4 @@ ifdef(`distro_suse',`
 ifdef(`distro_gentoo',`
 /usr/lib/python-exec/python-exec2	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/python-exec/python.*/.*	--	gen_context(system_u:object_r:bin_t,s0)
-
-/usr/lib/xfce4/notifyd/xfce4-notifyd	--	gen_context(system_u:object_r:bin_t,s0)
 ')

diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
index 49eeac1..5ef36fb 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -128,11 +128,4 @@ ifdef(`distro_suse',`
 
 ifdef(`distro_gentoo',`
 HOME_DIR/\.local/share/xorg(/.*)?	gen_context(system_u:object_r:xserver_xdg_data_home_t,s0)
-
-/etc/lightdm/Xsession	--	gen_context(system_u:object_r:xsession_exec_t,s0)
-
-/var/cache/lightdm(/.*)?	gen_context(system_u:object_r:xdm_var_lib_t,s0)
-/var/lib/lightdm(/.*)?	gen_context(system_u:object_r:xdm_var_lib_t,s0)
-/var/log/lightdm(/.*)?	gen_context(system_u:object_r:xserver_log_t,s0)
-/var/run/lightdm(/.*)?	gen_context(system_u:object_r:xdm_var_run_t,s0)
 ')

diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index 41004c5..f05d7bf 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -1836,37 +1836,3 @@ interface(`auth_unconfined',`
 	typeattribute $1 can_write_shadow_passwords;
 	typeattribute $1 can_relabelto_shadow_passwords;
 ')
-
-# Should be in an ifdef distro_gentoo but that is not supported in the global if file
-
-########################################
-## <summary>
-##	Create specified objects in
-##	pid directories with the pam var
-##      run file type using a
-##      file type transition.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="object_class">
-##	<summary>
-##	Class of the object being created.
-##	</summary>
-## </param>
-## <param name="name" optional="true">
-##	<summary>
-##	The name of the object being created.
-##	</summary>
-## </param>
-#
-interface(`auth_pid_filetrans_pam_var_run',`
-	gen_require(`
-		type pam_var_run_t;
-	')
-
-	files_pid_filetrans($1, pam_var_run_t, $2, $3)
-')
-

diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
index fb132f9..be77216 100644
--- a/policy/modules/system/fstools.fc
+++ b/policy/modules/system/fstools.fc
@@ -66,6 +66,4 @@
 ifdef(`distro_gentoo',`
 /sbin/mkfs\.f2fs	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/sbin/mkfs\.f2fs	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-/usr/sbin/gdisk		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-/usr/sbin/efibootmgr	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 ')

diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
index 47f9327..0f1e351 100644
--- a/policy/modules/system/ipsec.fc
+++ b/policy/modules/system/ipsec.fc
@@ -41,7 +41,3 @@
 
 /var/run/pluto(/.*)?			gen_context(system_u:object_r:ipsec_var_run_t,s0)
 /var/run/racoon\.pid		--	gen_context(system_u:object_r:ipsec_var_run_t,s0)
-
-ifdef(`distro_gentoo',`
-/var/lib/racoon(/.*)?			gen_context(system_u:object_r:ipsec_var_run_t,s0)
-')



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/services/, policy/modules/admin/, ...
@ 2022-09-03 19:54 Jason Zaman
From: Jason Zaman @ 2022-09-03 19:54 UTC (permalink / raw
  To: gentoo-commits

commit:     8d05a891d62852e95e4dbcb3f16e299be7cd4644
Author:     Chris PeBenito <Christopher.PeBenito <AT> microsoft <DOT> com>
AuthorDate: Wed Mar  9 20:50:22 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep  3 19:07:49 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8d05a891

Add cloud-init.

This is used by cloud providers to set up VMs during deployment.

https://github.com/canonical/cloud-init

Signed-off-by: Chris PeBenito <Christopher.PeBenito <AT> microsoft.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/admin/cloudinit.fc       |  10 +++
 policy/modules/admin/cloudinit.if       | 108 ++++++++++++++++++++++++++++++++
 policy/modules/admin/cloudinit.te       | 108 ++++++++++++++++++++++++++++++++
 policy/modules/admin/usermanage.fc      |   1 +
 policy/modules/kernel/corecommands.fc   |   1 +
 policy/modules/kernel/corenetwork.if.in |  18 ++++++
 policy/modules/services/ssh.fc          |   2 +-
 policy/modules/services/ssh.if          |  55 ++++++++++++++++
 policy/modules/system/libraries.if      |  44 +++++++++++++
 policy/modules/system/sysnetwork.te     |   2 +-
 policy/modules/system/systemd.te        |   9 +++
 11 files changed, 356 insertions(+), 2 deletions(-)

diff --git a/policy/modules/admin/cloudinit.fc b/policy/modules/admin/cloudinit.fc
new file mode 100644
index 00000000..f5fdc535
--- /dev/null
+++ b/policy/modules/admin/cloudinit.fc
@@ -0,0 +1,10 @@
+/run/cloud-init(/.*)?       gen_context(system_u:object_r:cloud_init_runtime_t,s0)
+
+/usr/bin/cloud-id       --  gen_context(system_u:object_r:cloud_init_exec_t,s0)
+/usr/bin/cloud-init     --  gen_context(system_u:object_r:cloud_init_exec_t,s0)
+/usr/bin/cloud-init-per --  gen_context(system_u:object_r:cloud_init_exec_t,s0)
+
+/var/lib/cloud(/.*)?        gen_context(system_u:object_r:cloud_init_state_t,s0)
+
+/var/log/cloud-init-output\.log -- gen_context(system_u:object_r:cloud_init_log_t,s0)
+/var/log/cloud-init\.log --  gen_context(system_u:object_r:cloud_init_log_t,s0)
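Review bot: The column layout of the new file is inconsistent: `/var/log/cloud-init-output\.log -- gen_context(...)` separates path, `--` and context with single spaces while the other entries are padded into columns, and the `/usr/bin/cloud-*` lines use two spaces after `--` where the last line uses one. Other .fc files in this tree separate the three fields with tabs; I would retab the ten lines so the contexts line up. This is purely a style point — the regexes and the four types match the declarations in cloudinit.te.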

diff --git a/policy/modules/admin/cloudinit.if b/policy/modules/admin/cloudinit.if
new file mode 100644
index 00000000..4469d7b1
--- /dev/null
+++ b/policy/modules/admin/cloudinit.if
@@ -0,0 +1,108 @@
+## <summary>Init scripts for cloud VMs</summary>
+
+########################################
+## <summary>
+##	Create cloud-init runtime directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cloudinit_create_runtime_dirs',`
+	gen_require(`
+		type cloud_init_runtime_t;
+	')
+
+	files_search_runtime($1)
+	allow $1 cloud_init_runtime_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
+##	Write cloud-init runtime files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cloudinit_write_runtime_files',`
+	gen_require(`
+		type cloud_init_runtime_t;
+	')
+
+	files_search_runtime($1)
+	write_files_pattern($1, cloud_init_runtime_t, cloud_init_runtime_t)
+')
+
+########################################
+## <summary>
+##	Create cloud-init runtime files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cloudinit_create_runtime_files',`
+	gen_require(`
+		type cloud_init_runtime_t;
+	')
+
+	files_search_runtime($1)
+	create_files_pattern($1, cloud_init_runtime_t, cloud_init_runtime_t)
+')
+
+#######################################
+## <summary>
+##	Create files in /run with the type used for
+##	cloud-init runtime files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	The class of the object to be created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`cloudinit_filetrans_runtime',`
+	gen_require(`
+		type cloud_init_runtime_t;
+	')
+
+	files_runtime_filetrans($1, cloud_init_runtime_t, $2, $3)
+')
+
+########################################
+## <summary>
+##	Get the attribute of cloud-init state files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cloudinit_getattr_state_files',`
+	gen_require(`
+		type cloud_init_state_t;
+	')
+
+	files_search_var_lib($1)
+	allow $1 cloud_init_state_t:dir list_dir_perms;
+	allow $1 cloud_init_state_t:lnk_file read_lnk_file_perms;
+	allow $1 cloud_init_state_t:file getattr;
+')
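Review bot: The summary of `cloudinit_getattr_state_files` understates what it grants: besides `getattr` on files it allows `list_dir_perms` on cloud_init_state_t directories and `read_lnk_file_perms` on its symlinks, so a caller can enumerate /var/lib/cloud and follow its links. I would widen the summary to `##	List cloud-init state directories and get the attributes of cloud-init state files.` so callers know it is more than a stat. Separately, the banner above `cloudinit_filetrans_runtime` is one `#` short of the 40-column banner used by the other interfaces in this file.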

diff --git a/policy/modules/admin/cloudinit.te b/policy/modules/admin/cloudinit.te
new file mode 100644
index 00000000..f531cc5d
--- /dev/null
+++ b/policy/modules/admin/cloudinit.te
@@ -0,0 +1,108 @@
+policy_module(cloudinit)
+
+########################################
+#
+# Declarations
+#
+
+type cloud_init_t;
+type cloud_init_exec_t;
+init_system_domain(cloud_init_t, cloud_init_exec_t)
+
+type cloud_init_log_t;
+logging_log_file(cloud_init_log_t)
+
+type cloud_init_runtime_t;
+files_runtime_file(cloud_init_runtime_t)
+files_mountpoint(cloud_init_runtime_t)
+
+type cloud_init_state_t;
+files_type(cloud_init_state_t)
+
+########################################
+#
+# Local policy
+#
+
+allow cloud_init_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid };
+dontaudit cloud_init_t self:capability { net_admin sys_tty_config };
+allow cloud_init_t self:fifo_file rw_fifo_file_perms;
+allow cloud_init_t self:unix_dgram_socket create_socket_perms;
+
+allow cloud_init_t cloud_init_log_t:file { create_file_perms append_file_perms setattr };
+logging_log_filetrans(cloud_init_t, cloud_init_log_t, file)
+
+manage_files_pattern(cloud_init_t, cloud_init_runtime_t, cloud_init_runtime_t)
+manage_lnk_files_pattern(cloud_init_t, cloud_init_runtime_t, cloud_init_runtime_t)
+manage_dirs_pattern(cloud_init_t, cloud_init_runtime_t, cloud_init_runtime_t)
+files_runtime_filetrans(cloud_init_t, cloud_init_runtime_t, { dir file lnk_file })
+
+manage_files_pattern(cloud_init_t, cloud_init_state_t, cloud_init_state_t)
+manage_lnk_files_pattern(cloud_init_t, cloud_init_state_t, cloud_init_state_t)
+manage_dirs_pattern(cloud_init_t, cloud_init_state_t, cloud_init_state_t)
+files_var_lib_filetrans(cloud_init_t, cloud_init_state_t, { dir file lnk_file })
+
+auth_domtrans_chk_passwd(cloud_init_t)
+
+corecmd_exec_bin(cloud_init_t)
+corecmd_exec_shell(cloud_init_t)
+
+corenet_dontaudit_tcp_bind_generic_node(cloud_init_t)
+
+dbus_system_bus_client(cloud_init_t)
+
+dev_getattr_all_blk_files(cloud_init_t)
+# /sys/devices/pci0000:00/0000:00:03.0/net/eth0/address
+dev_read_sysfs(cloud_init_t)
+
+files_manage_config_dirs(cloud_init_t)
+files_relabel_config_dirs(cloud_init_t)
+files_manage_config_files(cloud_init_t)
+files_relabel_config_files(cloud_init_t)
+
+fs_getattr_all_fs(cloud_init_t)
+fs_search_tmpfs(cloud_init_t)
+fs_search_cgroup_dirs(cloud_init_t)
+fs_read_iso9660_files(cloud_init_t)
+
+fstools_domtrans(cloud_init_t)
+
+hostname_domtrans(cloud_init_t)
+
+init_get_system_status(cloud_init_t)
+init_read_state(cloud_init_t)
+init_stream_connect(cloud_init_t)
+
+kernel_read_system_state(cloud_init_t)
+kernel_read_crypto_sysctls(cloud_init_t)
+kernel_read_kernel_sysctls(cloud_init_t)
+
+libs_dontaudit_manage_lib_dirs(cloud_init_t)
+libs_dontaudit_manage_lib_files(cloud_init_t)
+
+logging_send_syslog_msg(cloud_init_t)
+
+miscfiles_read_localization(cloud_init_t)
+
+mount_domtrans(cloud_init_t)
+
+seutil_read_default_contexts(cloud_init_t)
+
+ssh_domtrans_keygen(cloud_init_t)
+ssh_manage_home_files(cloud_init_t)
+ssh_create_home_dirs(cloud_init_t)
+ssh_setattr_home_dirs(cloud_init_t)
+# Read public keys
+ssh_read_server_keys(cloud_init_t)
+
+sysnet_domtrans_ifconfig(cloud_init_t)
+
+term_write_console(cloud_init_t)
+
+usermanage_domtrans_useradd(cloud_init_t)
+usermanage_domtrans_groupadd(cloud_init_t)
+usermanage_domtrans_passwd(cloud_init_t)
+
+optional_policy(`
+	systemd_dbus_chat_hostnamed(cloud_init_t)
+')
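Review bot: Only `systemd_dbus_chat_hostnamed` is wrapped in `optional_policy()`, while the calls into dbus, fstools, hostname, mount, ssh, sysnetwork and usermanage (`dbus_system_bus_client`, `fstools_domtrans`, `hostname_domtrans`, `mount_domtrans`, the `ssh_*` calls, `sysnet_domtrans_ifconfig`, `usermanage_domtrans_*`) are unconditional. If any of those modules is not part of the base policy on a given build, linking this module fails; the usual convention is one `optional_policy()` block per non-base module, e.g. `optional_policy(`` / `	mount_domtrans(cloud_init_t)` / `')` — confirm against modules.conf which of them are base. The broad `dev_getattr_all_blk_files` and `fs_read_iso9660_files` also deserve a why-comment in the style of the sysfs comment above `dev_read_sysfs`, presumably datasource discovery on attached config images; without it a later reviewer cannot tell whether the block-device getattr is still needed.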

diff --git a/policy/modules/admin/usermanage.fc b/policy/modules/admin/usermanage.fc
index 620eefc6..1065db10 100644
--- a/policy/modules/admin/usermanage.fc
+++ b/policy/modules/admin/usermanage.fc
@@ -24,6 +24,7 @@ ifdef(`distro_debian',`
 
 /usr/lib/cracklib_dict.* --	gen_context(system_u:object_r:crack_db_t,s0)
 
+/usr/sbin/chpasswd	--	gen_context(system_u:object_r:passwd_exec_t,s0)
 /usr/sbin/crack_[a-z]*	--	gen_context(system_u:object_r:crack_exec_t,s0)
 /usr/sbin/cracklib-[a-z]* --	gen_context(system_u:object_r:crack_exec_t,s0)
 /usr/sbin/gpasswd	--	gen_context(system_u:object_r:groupadd_exec_t,s0)

diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 48540ef9..28c4e825 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -179,6 +179,7 @@ ifdef(`distro_gentoo',`
 /usr/lib/bluetooth/.*		--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/bridge-utils/.*\.sh	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/ccache/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/cloud-init(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 #/usr/lib/dhcpcd/dhcpcd-hooks(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 #/usr/lib/dhcpcd/dhcpcd-run-hooks --	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/dovecot/.+			gen_context(system_u:object_r:bin_t,s0)
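Review bot: The new `/usr/lib/cloud-init(/.*)?` entry lands inside the `ifdef(`distro_gentoo',`` block named in the hunk header, while the rest of this commit (cloudinit.fc, cloudinit.te) is distro-agnostic. If the block really encloses this line — both its ends are outside the hunk — non-Gentoo builds leave cloud-init's helpers under /usr/lib labeled as library content, which `corecmd_exec_bin(cloud_init_t)` does not cover. Either move the entry to the generic section of the file or add a comment above it explaining why the path is Gentoo-specific.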

diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
index 65e54854..d1038d74 100644
--- a/policy/modules/kernel/corenetwork.if.in
+++ b/policy/modules/kernel/corenetwork.if.in
@@ -910,6 +910,24 @@ interface(`corenet_tcp_bind_generic_node',`
 	allow $1 node_t:tcp_socket node_bind;
 ')
 
+########################################
+## <summary>
+##	Do not audit denials on binding TCP sockets to generic nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_tcp_bind_generic_node',`
+	gen_require(`
+		type node_t;
+	')
+
+	dontaudit $1 node_t:tcp_socket node_bind;
+')
+
 ########################################
 ## <summary>
 ##	Bind UDP sockets to generic nodes.

diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
index 60060c35..5c512e97 100644
--- a/policy/modules/services/ssh.fc
+++ b/policy/modules/services/ssh.fc
@@ -1,7 +1,7 @@
 HOME_DIR/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
 
 /etc/ssh/primes			--	gen_context(system_u:object_r:sshd_key_t,s0)
-/etc/ssh/ssh_host.*_key		--	gen_context(system_u:object_r:sshd_key_t,s0)
+/etc/ssh/ssh_host.*_key(\.pub)?	--	gen_context(system_u:object_r:sshd_key_t,s0)
 
 /usr/bin/ssh			--	gen_context(system_u:object_r:ssh_exec_t,s0)
 /usr/bin/ssh-agent		--	gen_context(system_u:object_r:ssh_agent_exec_t,s0)
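Review bot: Extending the pattern to `/etc/ssh/ssh_host.*_key(\.pub)?` gives the public host keys the same `sshd_key_t` type as the private ones, so the label no longer separates the two. `ssh_read_server_keys` in the ssh.if hunk below grants `read_file_perms` on every `sshd_key_t:file`, and cloudinit.te calls it under the comment `# Read public keys`, so cloud_init_t receives read access to the private host keys as well. A distinct type for the `.pub` files (or leaving them at the directory's generic label, which cloud_init_t already reaches through `files_manage_config_files`) would keep the private keys out of that grant; if the shared type is intended, the cloudinit.te comment should say so, e.g. `# Read host keys (sshd_key_t covers the private keys too)`.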

diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index c438985e..606bf43f 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -730,6 +730,43 @@ interface(`ssh_agent_exec',`
 	can_exec($1, ssh_agent_exec_t)
 ')
 
+########################################
+## <summary>
+##	Set the attributes of ssh home directory (~/.ssh)
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ssh_setattr_home_dirs',`
+	gen_require(`
+		type ssh_home_t;
+	')
+
+	allow $1 ssh_home_t:dir setattr_dir_perms;
+')
+
+########################################
+## <summary>
+##	Create ssh home directory (~/.ssh)
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ssh_create_home_dirs',`
+	gen_require(`
+		type ssh_home_t;
+	')
+
+	allow $1 ssh_home_t:dir create_dir_perms;
+	userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".ssh")
+')
+
 ########################################
 ## <summary>
 ##	Read ssh home directory content
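Review bot: `ssh_setattr_home_dirs` allows `setattr_dir_perms` on `ssh_home_t` but grants nothing to reach `~/.ssh` itself; the other home-directory interfaces in this file (outside the hunk) appear to pair their allow with a user-home search permission, so I would add `userdom_search_user_home_dirs($1)` after the allow. `ssh_create_home_dirs` likely gets that search from `userdom_user_home_dir_filetrans` — worth confirming in userdomain.if rather than assuming. Both new summaries also lack the trailing period used by the surrounding summaries.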
@@ -775,6 +812,24 @@ interface(`ssh_domtrans_keygen',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ssh_read_server_keys',`
+	gen_require(`
+		type sshd_key_t;
+	')
+
+	allow $1 sshd_key_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit denials on reading ssh server keys
+## </summary>
+## <param name="domain">
+##	<summary>
 ##	Domain to not audit.
 ##	</summary>
 ## </param>
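Review bot: `ssh_read_server_keys` allows `read_file_perms` on `sshd_key_t:file` but nothing to search /etc/ssh, so callers that do not already search etc_t cannot reach the files; I would add `files_search_etc($1)` before the allow, as the read interfaces elsewhere in refpolicy do. The interface's own `<summary>` begins above the hunk and is not visible here, so the wording that is supposed to distinguish it from the `dontaudit` variant that follows cannot be checked from this diff.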

diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if
index cb1ef12c..20e307c8 100644
--- a/policy/modules/system/libraries.if
+++ b/policy/modules/system/libraries.if
@@ -233,6 +233,31 @@ interface(`libs_dontaudit_write_lib_dirs',`
 	dontaudit $1 lib_t:dir write;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to manage to library directories.
+## </summary>
+## <desc>
+##	<p>
+##	Do not audit attempts to manage to library directories.
+##	Typically this is used to quiet attempts to recompile
+##	python byte code.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`libs_dontaudit_manage_lib_dirs',`
+	gen_require(`
+		type lib_t;
+	')
+
+	dontaudit $1 lib_t:dir manage_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Create, read, write, and delete library directories.
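Review bot: The summary and description of `libs_dontaudit_manage_lib_dirs` both read "Do not audit attempts to manage to library directories", a stray "to"; I would change both lines to `##	Do not audit attempts to manage library directories.` The `<desc>` recording the python byte-code motivation is useful and is the why-comment the `libs_dontaudit_manage_lib_*` calls in cloudinit.te would otherwise need.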
@@ -332,6 +357,25 @@ interface(`libs_manage_lib_files',`
 	manage_files_pattern($1, lib_t, lib_t)
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to create, read, write,
+##  and delete generic files in library directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`libs_dontaudit_manage_lib_files',`
+	gen_require(`
+		type lib_t;
+	')
+
+	dontaudit $1 lib_t:file manage_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Relabel files to the type used in library directories.
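Review bot: The second summary line of `libs_dontaudit_manage_lib_files` is indented with `##  ` (two spaces) while every other continuation line in these blocks uses `##` followed by a tab; retab it as `##	and delete generic files in library directories.` Unlike its sibling `libs_dontaudit_manage_lib_dirs`, this interface carries no `<desc>` naming the python byte-code recompilation it is meant to quiet; a matching one-line `<desc>` would keep the pair consistent.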

diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 155a8059..e18bdf2a 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -51,7 +51,7 @@ optional_policy(`
 ')
 
 type net_conf_t;
-files_type(net_conf_t)
+files_config_file(net_conf_t)
 
 ifdef(`distro_debian',`
 	init_daemon_runtime_file(net_conf_t, dir, "network")
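Review bot: Switching `net_conf_t` from `files_type` to `files_config_file` puts it on the configfile attribute, so every existing caller of the attribute-based interfaces (`files_manage_config_files`, `files_relabel_config_files` and the read variants) now covers resolv.conf and the other net_conf_t content, not just cloud_init_t. The commit message does not mention this widening; a comment above the line, `# configfile attribute: generic config-file interfaces now cover network configuration`, would record the intent. If only cloud-init needs the access, calling the dedicated sysnetwork interface for net_conf_t (`sysnet_manage_config`, if it exists in this tree) from cloudinit.te would be the narrower grant.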

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 3d853c4c..2dc8b901 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -530,6 +530,15 @@ ifdef(`distro_gentoo',`
 	corecmd_shell_entry_type(systemd_generator_t)
 ')
 
+optional_policy(`
+	cloudinit_create_runtime_dirs(systemd_generator_t)
+	cloudinit_write_runtime_files(systemd_generator_t)
+	cloudinit_create_runtime_files(systemd_generator_t)
+	cloudinit_filetrans_runtime(systemd_generator_t, dir, "cloud-init")
+
+	cloudinit_getattr_state_files(systemd_generator_t)
+')
+
 optional_policy(`
 	fstools_exec(systemd_generator_t)
 ')
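Review bot: The new block grants `systemd_generator_t` creation and write access to `/run/cloud-init` with no comment on why a systemd generator touches cloud-init's runtime directory; presumably cloud-init ships a generator that records its decision there, but nothing in the hunk says so. A one-line comment at the top of the block, `# cloud-init ships a systemd generator that writes its state under /run/cloud-init`, would stop the next reader from treating it as an accidental privilege. Placement is fine: alphabetically ahead of the fstools block and outside the preceding `distro_gentoo` ifdef.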


