* [gentoo-commits] proj/hardened-refpolicy:concord-dev commit in: policy/modules/admin/
@ 2022-06-06 15:08 Kenton Groombridge
From: Kenton Groombridge @ 2022-06-06 15:08 UTC
To: gentoo-commits
commit: b22fed5fbdff44ad8164c546744649dfa11bd2d3
Author: Kenton Groombridge <concord <AT> gentoo <DOT> org>
AuthorDate: Tue Apr 19 22:53:44 2022 +0000
Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Mon Jun 6 15:07:16 2022 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b22fed5f
portage: allow portage to map ebuild files
When portage syncs a repo with git, git will mmap() ebuild files. Allow
portage to map ebuild files to fix permission denied errors on syncing.
Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
policy/modules/admin/portage.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index 86966705..e3a19574 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -200,6 +200,8 @@ domain_dontaudit_read_all_domains_state(portage_t)
files_manage_all_files(portage_t)
# eselect uses file, which mmap()s its db
files_map_usr_files(portage_t)
+# portage executing git mmap()s ebuild files when syncing
+allow portage_t portage_ebuild_t:file map;
selinux_get_fs_mount(portage_t)
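Review bot: The added `allow portage_t portage_ebuild_t:file map;` is a raw allow rule dropped between two interface calls (`files_map_usr_files(portage_t)` above, `selinux_get_fs_mount(portage_t)` below). Since both types belong to this module, consider grouping it with the module's other local allow rules for `portage_t` rather than in the files/selinux interface block, and move the comment with it.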
* [gentoo-commits] proj/hardened-refpolicy:concord-dev commit in: policy/modules/admin/
2022-06-06 15:13 [gentoo-commits] proj/hardened-refpolicy:various-20211111 " Kenton Groombridge
@ 2022-06-06 15:13 ` Kenton Groombridge
From: Kenton Groombridge @ 2022-06-06 15:13 UTC
To: gentoo-commits
commit: ab7293ed112926cd2bb3d08838425ded6e681df6
Author: Kenton Groombridge <concord <AT> gentoo <DOT> org>
AuthorDate: Tue Apr 19 22:53:44 2022 +0000
Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Mon Jun 6 15:12:59 2022 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ab7293ed
portage: allow portage to map ebuild files
When portage syncs a repo with git, git will mmap() ebuild files. Allow
portage to map ebuild files to fix permission denied errors on syncing.
Bug: https://bugs.gentoo.org/833017
Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
policy/modules/admin/portage.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index 86966705..e3a19574 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -200,6 +200,8 @@ domain_dontaudit_read_all_domains_state(portage_t)
files_manage_all_files(portage_t)
# eselect uses file, which mmap()s its db
files_map_usr_files(portage_t)
+# portage executing git mmap()s ebuild files when syncing
+allow portage_t portage_ebuild_t:file map;
selinux_get_fs_mount(portage_t)
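Review bot: The comment on the added rule says it is git, executed by portage, that mmap()s the ebuild files, yet `map` is granted to `portage_t` itself. If git stays in `portage_t` during a sync this is the right subject; if it runs in a different domain the rule has to name that domain instead. The comment should say which, because `map` on `portage_ebuild_t` here applies to everything running as `portage_t`, not only the sync step.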
* [gentoo-commits] proj/hardened-refpolicy:concord-dev commit in: policy/modules/admin/
@ 2022-06-06 15:15 Kenton Groombridge
From: Kenton Groombridge @ 2022-06-06 15:15 UTC
To: gentoo-commits
commit: 25cc0b997697b8cb53f2e45e44c2bacfe6f96afc
Author: Kenton Groombridge <concord <AT> gentoo <DOT> org>
AuthorDate: Tue Apr 19 22:53:44 2022 +0000
Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Mon Jun 6 15:14:58 2022 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=25cc0b99
portage: allow portage to map ebuild files
When portage syncs a repo with git, git will mmap() ebuild files. Allow
portage to map ebuild files to fix permission denied errors on syncing.
Bug: https://bugs.gentoo.org/833017
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>
policy/modules/admin/portage.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index 86966705..e3a19574 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -200,6 +200,8 @@ domain_dontaudit_read_all_domains_state(portage_t)
files_manage_all_files(portage_t)
# eselect uses file, which mmap()s its db
files_map_usr_files(portage_t)
+# portage executing git mmap()s ebuild files when syncing
+allow portage_t portage_ebuild_t:file map;
selinux_get_fs_mount(portage_t)
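Review bot: The wording of the added comment, "portage executing git mmap()s ebuild files when syncing", is hard to parse next to the neighbouring "eselect uses file, which mmap()s its db". Something in the same shape, such as "git, run by portage when syncing, mmap()s ebuild files", reads more clearly, and the rule itself gives no pointer to the denial it fixes, so a reference to the bug from the commit message would make it easier to audit later.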
* [gentoo-commits] proj/hardened-refpolicy:concord-dev commit in: policy/modules/admin/
@ 2022-10-12 13:34 Kenton Groombridge
From: Kenton Groombridge @ 2022-10-12 13:34 UTC
To: gentoo-commits
commit: 7e3534c4597019c27f590644345ee64d3b45ceb0
Author: Dave Sugar <dsugar100 <AT> gmail <DOT> com>
AuthorDate: Thu Aug 25 01:56:56 2022 +0000
Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Sat Sep 3 19:07:50 2022 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7e3534c4
usbguard: Allow to read fips_enabled sysctl
node=localhost type=AVC msg=audit(1661391275.238:339): avc: denied { search } for pid=1031 comm="usbguard-daemon" name="crypto" dev="proc" ino=20463 scontext=system_u:system_r:usbguard_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1661391275.238:339): avc: denied { read } for pid=1031 comm="usbguard-daemon" name="fips_enabled" dev="proc" ino=20464 scontext=system_u:system_r:usbguard_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1661391275.238:339): avc: denied { open } for pid=1031 comm="usbguard-daemon" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=20464 scontext=system_u:system_r:usbguard_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1661391275.238:340): avc: denied { getattr } for pid=1031 comm="usbguard-daemon" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=20464 scontext=system_u:system_r:usbguard_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar100 <AT> gmail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/admin/usbguard.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/admin/usbguard.te b/policy/modules/admin/usbguard.te
index 26d9028b..4e8be854 100644
--- a/policy/modules/admin/usbguard.te
+++ b/policy/modules/admin/usbguard.te
@@ -65,6 +65,7 @@ setattr_files_pattern(usbguard_t, usbguard_log_t, usbguard_log_t)
dev_rw_sysfs(usbguard_t)
+kernel_read_crypto_sysctls(usbguard_t)
kernel_read_kernel_sysctls(usbguard_t)
kernel_dontaudit_getattr_proc(usbguard_t)
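Review bot: `kernel_read_crypto_sysctls(usbguard_t)` is added with no inline comment, so the reason (usbguard-daemon reading /proc/sys/crypto/fips_enabled, per the denials in the commit message) can only be recovered from git history; a one-line comment above the call would fix that. The four logged denials (search on the `sysctl_crypto_t` directory; read, open and getattr on the file) all share `tcontext` `sysctl_crypto_t`, so a single read interface for that type matches what was observed, and because they were recorded with permissive=1 the sequence should be complete rather than cut off at the first denial.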
* [gentoo-commits] proj/hardened-refpolicy:concord-dev commit in: policy/modules/admin/
2022-09-03 20:04 [gentoo-commits] proj/hardened-refpolicy:master " Kenton Groombridge
@ 2022-10-12 13:34 ` Kenton Groombridge
From: Kenton Groombridge @ 2022-10-12 13:34 UTC
To: gentoo-commits
commit: 7d41f1b7b4f4d675b62835be6d2416eb2368a1a1
Author: Kenton Groombridge <concord <AT> gentoo <DOT> org>
AuthorDate: Tue Apr 19 22:53:44 2022 +0000
Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Sat Sep 3 20:04:23 2022 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7d41f1b7
portage: allow portage to map ebuild files
When portage syncs a repo with git, git will mmap() ebuild files. Allow
portage to map ebuild files to fix permission denied errors on syncing.
Bug: https://bugs.gentoo.org/833017
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>
policy/modules/admin/portage.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index 86966705..e3a19574 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -200,6 +200,8 @@ domain_dontaudit_read_all_domains_state(portage_t)
files_manage_all_files(portage_t)
# eselect uses file, which mmap()s its db
files_map_usr_files(portage_t)
+# portage executing git mmap()s ebuild files when syncing
+allow portage_t portage_ebuild_t:file map;
selinux_get_fs_mount(portage_t)
* [gentoo-commits] proj/hardened-refpolicy:concord-dev commit in: policy/modules/admin/
@ 2022-10-12 13:35 Kenton Groombridge
From: Kenton Groombridge @ 2022-10-12 13:35 UTC
To: gentoo-commits
commit: ab4247d2a76e436488b7b02833f795e258e17156
Author: Kenton Groombridge <concord <AT> gentoo <DOT> org>
AuthorDate: Wed Oct 12 13:34:10 2022 +0000
Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Wed Oct 12 13:34:10 2022 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ab4247d2
netutils: add file context for ss in /usr/bin
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>
policy/modules/admin/netutils.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/admin/netutils.fc b/policy/modules/admin/netutils.fc
index 3086ab3d..acb9ed60 100644
--- a/policy/modules/admin/netutils.fc
+++ b/policy/modules/admin/netutils.fc
@@ -7,6 +7,7 @@
/usr/bin/mtr-packet -- gen_context(system_u:object_r:traceroute_exec_t,s0)
/usr/bin/nmap -- gen_context(system_u:object_r:traceroute_exec_t,s0)
/usr/bin/ping.* -- gen_context(system_u:object_r:ping_exec_t,s0)
+/usr/bin/ss -- gen_context(system_u:object_r:ss_exec_t,s0)
/usr/bin/send_arp -- gen_context(system_u:object_r:ping_exec_t,s0)
/usr/bin/tcpdump -- gen_context(system_u:object_r:netutils_exec_t,s0)
/usr/bin/tracepath.* -- gen_context(system_u:object_r:traceroute_exec_t,s0)
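Review bot: The new `/usr/bin/ss` entry is inserted between `/usr/bin/ping.*` and `/usr/bin/send_arp`, which breaks the alphabetical order the surrounding entries follow (mtr-packet, nmap, ping, send_arp, tcpdump, tracepath). `send_arp` sorts before `ss`, so the line belongs directly after `/usr/bin/send_arp`. The commit message has no body; a sentence on which install layout places ss in /usr/bin would help anyone checking the labelling later.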