From: "Kenton Groombridge"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Kenton Groombridge"
Message-ID: <1667398037.95006bc2eacf58bf5d47246f7e431aa4ea6f64a1.concord@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/services/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/services/glusterfs.if policy/modules/system/selinuxutil.te
X-VCS-Directories: policy/modules/services/ policy/modules/system/
X-VCS-Committer: concord
X-VCS-Committer-Name: Kenton Groombridge
X-VCS-Revision: 95006bc2eacf58bf5d47246f7e431aa4ea6f64a1
X-VCS-Branch: master
Date: Wed, 2 Nov 2022 14:42:52 +0000 (UTC)
Precedence: bulk
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
X-Archives-Salt: 5d97a88e-e4e7-466c-995e-c5c7286a1aa1
X-Archives-Hash: 9f30a380feb17509abf4a64f81a80942

commit:     95006bc2eacf58bf5d47246f7e431aa4ea6f64a1
Author:     Kenton Groombridge concord sh>
AuthorDate: Sat Sep 24 17:05:00 2022 +0000
Commit:     Kenton Groombridge gentoo org>
CommitDate: Wed Nov  2 14:07:17 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=95006bc2

selinuxutil: allow semanage, setfiles to inherit gluster fds

The Gluster daemon uses a hook which adds a file context for gluster
bricks when they are created via the use of 'semanage fcontext -a'.

Signed-off-by: Kenton Groombridge concord.sh>
Signed-off-by: Kenton Groombridge gentoo.org>

 policy/modules/services/glusterfs.if | 18 ++++++++++++++++++
 policy/modules/system/selinuxutil.te |  9 +++++++++
 2 files changed, 27 insertions(+)

diff --git a/policy/modules/services/glusterfs.if
index 328818ad3..5e6af0ecc 100644
--- a/policy/modules/services/glusterfs.if
+++ b/policy/modules/services/glusterfs.if @@ -66,6 +66,24 @@ interface(`glusterfs_stream_connect_daemon',` allow $1 glusterd_runtime_t:sock_file read_sock_file_perms; ') +######################################## +## +## Inherit and use glusterd file descriptors. +## +## +## +## Domain allowed access. +## +## +# +interface(`glusterfs_use_daemon_fds',` + gen_require(` + type glusterd_t; + ') + + allow $1 glusterd_t:fd use; +') + ######################################## ## ## All of the rules required to diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te index d3678246a..14a17175f 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -208,6 +208,11 @@ ifdef(`distro_ubuntu',` ') ') +optional_policy(` + # glusterd calls semanage fcontext + glusterfs_use_daemon_fds(load_policy_t) +') + optional_policy(` portage_dontaudit_use_fds(load_policy_t) ') @@ -693,6 +698,10 @@ optional_policy(` apt_use_fds(setfiles_t) ') +optional_policy(` + glusterfs_use_daemon_fds(setfiles_t) +') + optional_policy(` # leaked file descriptors udev_dontaudit_rw_dgram_sockets(setfiles_t)
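Review bot: the new glusterfs_use_daemon_fds interface in glusterfs.if has no dontaudit counterpart, while the selinuxutil.te blocks around the new callers treat inherited descriptors in two different ways depending on whether they are wanted (apt_use_fds(setfiles_t)) or leaked (portage_dontaudit_use_fds(load_policy_t), and udev_dontaudit_rw_dgram_sockets(setfiles_t) under the comment '# leaked file descriptors'). Consider adding a glusterfs_dontaudit_use_daemon_fds interface next to it, so a caller that only inherits descriptors glusterd forgot to close can silence the denial without being granted use of them. The '##' documentation block should also say which descriptors are expected to cross the exec (the hook's stdio, per the commit message), since `allow $1 glusterd_t:fd use;` covers every descriptor the daemon leaves open, not just those.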
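Review bot: the subject line says the change lets semanage inherit gluster fds, but the selinuxutil.te hunk at -208 grants glusterfs_use_daemon_fds only to load_policy_t (and the following hunk only to setfiles_t); nothing in the patch adds it to semanage_t, the domain that actually runs 'semanage fcontext -a' between glusterd's hook and the policy reload. Either semanage_t already holds this access elsewhere, in which case the comment '# glusterd calls semanage fcontext' should spell out that load_policy_t is the one that needs it because semanage execs load_policy with glusterd's descriptors still open, or the rule for semanage_t is missing and the subject should be reconciled with what the hunks change.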
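Review bot: the optional_policy block added at -693 for setfiles_t is the only one in its neighbourhood without a comment; the sibling udev block carries '# leaked file descriptors' and the load_policy_t hunk carries '# glusterd calls semanage fcontext'. Add a one-line comment saying how setfiles ends up holding glusterd's descriptors (the commit message only mentions 'semanage fcontext -a'; if the hook also runs restorecon or setfiles to apply the new context, say so here), so a later reader can tell this apart from the leaked-descriptor dontaudit cases next to it.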
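The commit message explains that glusterd's hook runs 'semanage fcontext -a', so load_policy and setfiles end up with descriptors that glusterd opened, and the patch answers that with two `fd use` rules. The script below is an added example, not code from this commit, from refpolicy or from Gentoo: an audit2allow-style triage that pulls `fd use` denials out of audit log lines, groups them by source and target domain, and prints the refpolicy rule each pair still needs once the two pairs this patch covers are subtracted. The audit lines are constructed to match the standard auditd AVC format (not captured from a real host), and the stdio-versus-leaked path heuristic, the `semanage_t` sample line and all helper names are my assumptions.

```python
"""Audit2allow-style triage of SELinux 'fd use' denials (added example).

Assumptions (mine, not refpolicy's): audit lines are in the standard auditd
AVC format; the path-based stdio-vs-leaked heuristic and the sample lines
below are constructed for illustration, not captured from a real host.
"""
import re

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# The two (source, target) pairs the patch on this page grants 'fd use' for.
PATCH_PAIRS = frozenset({("load_policy_t", "glusterd_t"),
                         ("setfiles_t", "glusterd_t")})

# Descriptors pointing at these objects are normally inherited on purpose
# (the hook's stdio); anything else is treated as leaked. Heuristic only,
# an assumption of this example rather than a refpolicy convention.
STDIO_LIKE = ("/dev/null", "/dev/pts/", "/dev/tty", "pipe:")

# Constructed sample audit lines mimicking what glusterd's hook would produce
# if load_policy_t / setfiles_t / semanage_t lacked 'fd use' on glusterd_t.
# The last line is a non-fd denial and must be ignored by the fd triage.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1667398037.101:201): avc:  denied  { use } for  pid=4101 comm="load_policy" path="/dev/null" dev="devtmpfs" ino=6 scontext=system_u:system_r:load_policy_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=fd permissive=0
type=AVC msg=audit(1667398037.102:202): avc:  denied  { use } for  pid=4102 comm="setfiles" path="/dev/null" dev="devtmpfs" ino=6 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=fd permissive=0
type=AVC msg=audit(1667398037.103:203): avc:  denied  { use } for  pid=4102 comm="setfiles" path="/var/log/glusterfs/glusterd.log" dev="sda2" ino=1234 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=fd permissive=0
type=AVC msg=audit(1667398037.104:204): avc:  denied  { use } for  pid=4100 comm="semanage" path="socket:[4711]" dev="sockfs" ino=4711 scontext=system_u:system_r:semanage_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=fd permissive=0
type=AVC msg=audit(1667398037.105:205): avc:  denied  { write } for  pid=4101 comm="load_policy" path="pipe:[31337]" dev="pipefs" ino=31337 scontext=system_u:system_r:load_policy_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=fifo_file permissive=0
"""


def parse_avc(line):
    """Return the AVC fields of one audit line as a dict, or None if not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    fields["perms"] = m.group("perms").split()
    return fields


def sel_type(context):
    """user:role:type[:range] -> type"""
    return context.split(":")[2]


def is_leaked(denial):
    """True when the descriptor does not look like intentionally inherited stdio."""
    return not denial.get("path", "").startswith(STDIO_LIKE)


def fd_use_denials(lines):
    """Keep only denials of the 'use' permission on the 'fd' class."""
    out = []
    for line in lines:
        d = parse_avc(line)
        if d and d.get("tclass") == "fd" and "use" in d["perms"]:
            out.append(d)
    return out


def as_te_rule(src, tgt, dontaudit=False):
    """Render the raw .te rule a refpolicy *_use_fds / *_dontaudit_use_fds wraps."""
    return f"{'dontaudit' if dontaudit else 'allow'} {src} {tgt}:fd use;"


def needed_rules(lines, already_allowed=frozenset()):
    """One .te line per (source, target) pair seen in fd-use denials.

    A pair gets 'allow' when at least one denied descriptor looks like
    inherited stdio, 'dontaudit' when every descriptor looks leaked.
    Pairs in already_allowed (e.g. PATCH_PAIRS after the patch) are skipped.
    """
    wanted = {}
    for d in fd_use_denials(lines):
        pair = (sel_type(d["scontext"]), sel_type(d["tcontext"]))
        wanted[pair] = wanted.get(pair, False) or not is_leaked(d)
    return [as_te_rule(s, t, dontaudit=not stdio)
            for (s, t), stdio in sorted(wanted.items())
            if (s, t) not in already_allowed]


if __name__ == "__main__":
    lines = SAMPLE_AUDIT.splitlines()
    print("rules the denials call for, before the patch:")
    for rule in needed_rules(lines):
        print("  " + rule)
    print("still missing once the patch's two pairs are applied:")
    for rule in needed_rules(lines, PATCH_PAIRS):
        print("  " + rule)
```

Run against the constructed lines, the script reports allow rules for the two pairs this patch adds and a dontaudit for the semanage_t pair, and after subtracting PATCH_PAIRS only the semanage_t line remains, which is the question a reviewer would put to the subject line. On a real host, replace SAMPLE_AUDIT with the output of `ausearch -m AVC`, and treat the stdio heuristic as a prompt to look at the path, not as a decision.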