* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/system/
@ 2012-12-07 15:36 Sven Vermeulen
From: Sven Vermeulen @ 2012-12-07 15:36 UTC
To: gentoo-commits
commit: 014a20d36eed27d09fd60610f62a121a4f25c5c4
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Fri Dec 7 05:46:27 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Dec 7 15:35:52 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=014a20d3
Module version bump from Debian changes from Laurent Bigonville.
---
policy/modules/services/ssh.te | 2 +-
policy/modules/services/xserver.te | 2 +-
policy/modules/system/authlogin.te | 2 +-
policy/modules/system/udev.te | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index fc2a164..d440e3b 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -1,4 +1,4 @@
-policy_module(ssh, 2.3.1)
+policy_module(ssh, 2.3.2)
########################################
#
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 74ab6e8..595e61f 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,4 +1,4 @@
-policy_module(xserver, 3.8.3)
+policy_module(xserver, 3.8.4)
gen_require(`
class x_drawable all_x_drawable_perms;
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index c7c4fb6..60320c3 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -1,4 +1,4 @@
-policy_module(authlogin, 2.4.0)
+policy_module(authlogin, 2.4.1)
########################################
#
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index aa943a9..c1b1c98 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -1,4 +1,4 @@
-policy_module(udev, 1.15.3)
+policy_module(udev, 1.15.4)
########################################
#
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/system/
@ 2013-12-06 17:33 Sven Vermeulen
From: Sven Vermeulen @ 2013-12-06 17:33 UTC
To: gentoo-commits
commit: 023c81f826342c88f21aa5da3d6143365730b319
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Sat Nov 9 09:45:13 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Dec 6 17:30:11 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=023c81f8
sshd/setrans: make respective init scripts create pid dirs with proper contexts
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/services/ssh.te | 4 ++++
policy/modules/system/setrans.te | 4 ++++
2 files changed, 8 insertions(+)
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index cc877c7..d7559d8 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -33,6 +33,10 @@ corecmd_executable_file(sshd_exec_t)
ssh_server_template(sshd)
init_daemon_domain(sshd_t, sshd_exec_t)
+ifdef(`distro_debian',`
+ init_daemon_run_dir(sshd_var_run_t, "sshd")
+')
+
type sshd_key_t;
files_type(sshd_key_t)
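Review bot: the new init_daemon_run_dir(sshd_var_run_t, "sshd") block is guarded by ifdef(`distro_debian') but neither the hunk nor the commit message says why only Debian's init script needs the run directory created with the sshd_var_run_t context; state the reason in the message, or drop the guard if the rule is distribution-neutral. The diffstat (4 insertions, no deletions) also shows the policy_module(ssh, ...) version is not bumped here; the bump lands separately in commit 0744c90f later in this thread.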
diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
index 8e1e27d..83e355c 100644
--- a/policy/modules/system/setrans.te
+++ b/policy/modules/system/setrans.te
@@ -20,6 +20,10 @@ type setrans_var_run_t;
files_pid_file(setrans_var_run_t)
mls_trusted_object(setrans_var_run_t)
+ifdef(`distro_debian',`
+ init_daemon_run_dir(setrans_var_run_t, "setrans")
+')
+
ifdef(`enable_mcs',`
init_ranged_daemon_domain(setrans_t, setrans_exec_t, s0 - mcs_systemhigh)
')
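Review bot: same shape and same open points as the ssh.te hunk (undocumented Debian-only guard, no version bump for setrans). One consistency item: the block is inserted between the mls_trusted_object(setrans_var_run_t) line and the enable_mcs block, so the run dir is created for every build but ranged only when MCS is on; a one-line comment saying that is intended would save the next reader a look at the init module.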
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/system/
@ 2014-06-10 18:17 Sven Vermeulen
From: Sven Vermeulen @ 2014-06-10 18:17 UTC
To: gentoo-commits
commit: 68f5cc14f8f24288659272c3cd766bc0497b81aa
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Mon Jun 9 12:21:33 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Jun 10 18:14:30 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=68f5cc14
Module version bump for shutdown transitions from Luis Ressel.
---
policy/modules/services/xserver.te | 2 +-
policy/modules/system/init.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index a3aa4bc..f2cc9b3 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,4 +1,4 @@
-policy_module(xserver, 3.10.2)
+policy_module(xserver, 3.10.3)
gen_require(`
class x_drawable all_x_drawable_perms;
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 2deb7e5..355892a 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 1.21.1)
+policy_module(init, 1.21.2)
gen_require(`
class passwd rootok;
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/system/
@ 2014-06-30 19:03 Sven Vermeulen
From: Sven Vermeulen @ 2014-06-30 19:03 UTC
To: gentoo-commits
commit: 0744c90f57350d1f958e93bc341c5b9461fbd30c
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Mon Jun 30 18:34:51 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Jun 30 18:58:50 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=0744c90f
Module version bump for init_daemon_pid_file from Sven Vermeulen.
---
policy/modules/services/postgresql.te | 2 +-
policy/modules/services/ssh.te | 2 +-
policy/modules/system/init.te | 2 +-
policy/modules/system/setrans.te | 2 +-
policy/modules/system/sysnetwork.te | 2 +-
policy/modules/system/udev.te | 2 +-
6 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
index c38bb46..87cf69d 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -1,4 +1,4 @@
-policy_module(postgresql, 1.16.1)
+policy_module(postgresql, 1.16.2)
gen_require(`
class db_database all_db_database_perms;
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 43b9cc1..c5f585f 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -1,4 +1,4 @@
-policy_module(ssh, 2.5.0)
+policy_module(ssh, 2.5.1)
########################################
#
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 4bee18e..b73bd23 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 1.21.2)
+policy_module(init, 1.21.3)
gen_require(`
class passwd rootok;
diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
index 057456c..05690b3 100644
--- a/policy/modules/system/setrans.te
+++ b/policy/modules/system/setrans.te
@@ -1,4 +1,4 @@
-policy_module(setrans, 1.9.1)
+policy_module(setrans, 1.9.2)
gen_require(`
class context contains;
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 35372f6..35ca66f 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -1,4 +1,4 @@
-policy_module(sysnetwork, 1.16.1)
+policy_module(sysnetwork, 1.16.2)
########################################
#
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 246f006..83a8b11 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -1,4 +1,4 @@
-policy_module(udev, 1.17.2)
+policy_module(udev, 1.17.3)
########################################
#
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/system/
@ 2014-06-30 19:03 Sven Vermeulen
From: Sven Vermeulen @ 2014-06-30 19:03 UTC
To: gentoo-commits
commit: 2674c787163e1e862c60468ca753b1f60230499b
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Jun 25 19:53:02 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Jun 30 18:58:07 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=2674c787
Use init_daemon_pid_file instead of init_daemon_run_dir
Update non-contrib modules to use init_daemon_pid_file instead of
init_daemon_run_dir.
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
---
policy/modules/services/postgresql.te | 2 +-
policy/modules/services/ssh.te | 2 +-
policy/modules/system/setrans.te | 2 +-
policy/modules/system/sysnetwork.te | 2 +-
policy/modules/system/udev.te | 2 +-
5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
index c771377..c38bb46 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -63,7 +63,7 @@ files_tmp_file(postgresql_tmp_t)
type postgresql_var_run_t;
files_pid_file(postgresql_var_run_t)
-init_daemon_run_dir(postgresql_var_run_t, "postgresql")
+init_daemon_pid_file(postgresql_var_run_t, dir, "postgresql")
# database clients attribute
attribute sepgsql_admin_type;
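Review bot: init_daemon_pid_file(postgresql_var_run_t, dir, "postgresql") makes the object class explicit where init_daemon_run_dir() implied dir; the commit message should say whether init_daemon_run_dir() is kept as a deprecated wrapper, because out-of-tree or contrib modules that still call it will otherwise fail to build (an m4 interface that no longer exists is a hard error, not a skipped optional_policy). Bumping the module version is left to a separate commit (0744c90f in this thread), which matches the rest of the series.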
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 536a2d9..43b9cc1 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -85,7 +85,7 @@ type sshd_keytab_t;
files_type(sshd_keytab_t)
ifdef(`distro_debian',`
- init_daemon_run_dir(sshd_var_run_t, "sshd")
+ init_daemon_pid_file(sshd_var_run_t, dir, "sshd")
')
##############################
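Review bot: this call stays under ifdef(`distro_debian') while the postgresql.te and udev.te hunks of the same commit apply init_daemon_pid_file() unconditionally; if init now creates /run/sshd on all distributions the guard should go, otherwise the commit message should explain why sshd (and setrans, sysnetwork) differ from postgresql and udev.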
diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
index a840e70..057456c 100644
--- a/policy/modules/system/setrans.te
+++ b/policy/modules/system/setrans.te
@@ -21,7 +21,7 @@ files_pid_file(setrans_var_run_t)
mls_trusted_object(setrans_var_run_t)
ifdef(`distro_debian',`
- init_daemon_run_dir(setrans_var_run_t, "setrans")
+ init_daemon_pid_file(setrans_var_run_t, dir, "setrans")
')
ifdef(`enable_mcs',`
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 945ffb5..35372f6 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -40,7 +40,7 @@ type net_conf_t alias resolv_conf_t;
files_type(net_conf_t)
ifdef(`distro_debian',`
- init_daemon_run_dir(net_conf_t, "network")
+ init_daemon_pid_file(net_conf_t, dir, "network")
')
########################################
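Review bot: net_conf_t is declared with files_type() (context line above the hunk), not files_pid_file(), yet it is handed to an interface whose name says pid file, with the directory name "network"; confirm that the interface's gen_require only needs a file type (otherwise the build breaks on Debian) and that labelling an init-created /run directory as net_conf_t, the same type as resolv.conf, is what is intended rather than a dedicated run-time type.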
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 95de10c..246f006 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -25,7 +25,7 @@ files_type(udev_rules_t)
type udev_var_run_t;
files_pid_file(udev_var_run_t)
-init_daemon_run_dir(udev_var_run_t, "udev")
+init_daemon_pid_file(udev_var_run_t, dir, "udev")
ifdef(`enable_mcs',`
kernel_ranged_domtrans_to(udev_t, udev_exec_t, s0 - mcs_systemhigh)
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/system/
@ 2015-05-27 20:00 Jason Zaman
From: Jason Zaman @ 2015-05-27 20:00 UTC
To: gentoo-commits
commit: fd82f6a7dac4b340b56b14083d4198be6ae0a549
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Wed May 27 18:50:45 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed May 27 19:00:19 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fd82f6a7
Module version bumps for further init_startstop_service() changes from Jason Zaman.
policy/modules/services/postgresql.te | 2 +-
policy/modules/system/init.te | 2 +-
policy/modules/system/logging.te | 2 +-
policy/modules/system/selinuxutil.te | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
index a686088..b4ba0f1 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -1,4 +1,4 @@
-policy_module(postgresql, 1.17.0)
+policy_module(postgresql, 1.17.1)
gen_require(`
class db_database all_db_database_perms;
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 141df45..95db0d0 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 1.22.1)
+policy_module(init, 1.22.2)
gen_require(`
class passwd rootok;
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 003af6a..72b7ff5 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -1,4 +1,4 @@
-policy_module(logging, 1.22.0)
+policy_module(logging, 1.22.1)
########################################
#
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 9b70f53..51c64be 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -1,4 +1,4 @@
-policy_module(selinuxutil, 1.19.0)
+policy_module(selinuxutil, 1.19.1)
gen_require(`
bool secure_mode;
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/system/
In reply to: [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/services/, policy/modules/system/ (2016-08-17 16:59, Jason Zaman)
@ 2016-08-17 16:59 Jason Zaman
From: Jason Zaman @ 2016-08-17 16:59 UTC
To: gentoo-commits
commit: cdcc81664dc918aed249997137cfb8ff026d549d
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Aug 14 18:58:57 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Aug 17 16:22:44 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cdcc8166
Module version bump for various patches from Guido Trentalancia.
policy/modules/services/xserver.te | 2 +-
policy/modules/system/init.te | 2 +-
policy/modules/system/sysnetwork.te | 2 +-
policy/modules/system/udev.te | 2 +-
policy/modules/system/userdomain.te | 2 +-
5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 4f9826c..fc19905 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,4 +1,4 @@
-policy_module(xserver, 3.11.2)
+policy_module(xserver, 3.11.3)
gen_require(`
class x_drawable all_x_drawable_perms;
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index f646a93..7b9c61b 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 2.0.3)
+policy_module(init, 2.0.4)
gen_require(`
class passwd rootok;
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 2258f90..3d49015 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -1,4 +1,4 @@
-policy_module(sysnetwork, 1.18.0)
+policy_module(sysnetwork, 1.18.1)
########################################
#
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index cc724ea..fea0b51 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -1,4 +1,4 @@
-policy_module(udev, 1.19.0)
+policy_module(udev, 1.19.1)
########################################
#
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index e67afee..b6b6d15 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,4 +1,4 @@
-policy_module(userdomain, 4.11.3)
+policy_module(userdomain, 4.11.4)
########################################
#
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/system/
@ 2016-08-17 16:59 Jason Zaman
From: Jason Zaman @ 2016-08-17 16:59 UTC
To: gentoo-commits
commit: 25f1cbbdaedcf74f0b7af03fea89063e4e401c0f
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Aug 14 18:34:19 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Aug 17 16:22:44 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=25f1cbbd
Update alsa module use from Guido Trentalancia.
policy/modules/services/xserver.fc | 1 +
policy/modules/services/xserver.te | 4 ++++
policy/modules/system/init.te | 2 +-
policy/modules/system/udev.te | 2 +-
policy/modules/system/userdomain.if | 4 ++--
5 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
index a531dba..4cbba44 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -75,6 +75,7 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
/usr/lib/xorg/Xorg\.wrap -- gen_context(system_u:object_r:xserver_exec_t,s0)
/usr/lib/xorg-server/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0)
/usr/lib/xorg-server/Xorg\.wrap -- gen_context(system_u:object_r:xserver_exec_t,s0)
+/usr/lib/X11/xdm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
/usr/sbin/lightdm -- gen_context(system_u:object_r:xdm_exec_t,s0)
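Review bot: the new /usr/lib/X11/xdm/Xsession entry is placed after the /usr/lib/xorg-server lines, but fc files in this tree are kept in byte order and "X11" sorts before "xorg"; move it above /usr/lib/xorg/Xorg\.wrap. Labelling a display-manager session script is also unrelated to the "alsa module use" the commit message describes, so either mention it in the message or split it out.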
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index ca4be69..4f9826c 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -507,6 +507,10 @@ optional_policy(`
')
optional_policy(`
+ colord_dbus_chat(xdm_t)
+')
+
+optional_policy(`
consolekit_dbus_chat(xdm_t)
')
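Review bot: colord_dbus_chat(xdm_t) grants xdm a new D-Bus peer (colord) and is not covered by the commit message, which only talks about the alsa interface rename; a reader auditing what xdm_t may talk to over the system bus will not find the reason here. State which display manager needs colord (it is not alsa-related) or carry it in its own commit. Ordering before the consolekit block is correct.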
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 0d4f74a..f646a93 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -697,7 +697,7 @@ ifdef(`distro_redhat',`
miscfiles_read_hwdata(initrc_t)
optional_policy(`
- alsa_manage_rw_config(initrc_t)
+ alsa_manage_config(initrc_t)
')
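Review bot: alsa_manage_rw_config(initrc_t) is renamed to alsa_manage_config(initrc_t) inside optional_policy(), but optional_policy() only tolerates the alsa module being absent from the loaded policy, not the interface being undefined in alsa.if; if the contrib tree in hardened-refpolicy is not updated in lockstep the build fails on an undefined macro. Note in the message which contrib commit introduces alsa_manage_config()/alsa_read_config() and whether the old names stay as deprecated aliases. The same applies to the udev.te and userdomain.if hunks below.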
optional_policy(`
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index a7e918b..cc724ea 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -234,7 +234,7 @@ ifdef(`init_systemd',`
optional_policy(`
alsa_domtrans(udev_t)
alsa_read_lib(udev_t)
- alsa_read_rw_config(udev_t)
+ alsa_read_config(udev_t)
')
optional_policy(`
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index f0b4778..534a249 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -603,7 +603,7 @@ template(`userdom_common_user_template',`
optional_policy(`
alsa_home_filetrans_alsa_home($1_t, file, ".asoundrc")
alsa_manage_home_files($1_t)
- alsa_read_rw_config($1_t)
+ alsa_read_config($1_t)
alsa_relabel_home_files($1_t)
')
@@ -982,7 +982,7 @@ template(`userdom_restricted_xwindows_user_template',`
xserver_restricted_role($1_r, $1_t)
optional_policy(`
- alsa_read_rw_config($1_t)
+ alsa_read_config($1_t)
')
optional_policy(`
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/system/
@ 2017-01-13 18:43 Sven Vermeulen
From: Sven Vermeulen @ 2017-01-13 18:43 UTC
To: gentoo-commits
commit: 4d0eb1e88ae6044142059e8c0b49867642348047
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Jan 4 00:35:56 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Jan 13 18:38:56 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4d0eb1e8
Module version bump for patches from Guido Trentalancia.
policy/modules/services/xserver.te | 2 +-
policy/modules/system/init.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 2df9a3e..cef33cb 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,4 +1,4 @@
-policy_module(xserver, 3.12.8)
+policy_module(xserver, 3.12.9)
gen_require(`
class x_drawable all_x_drawable_perms;
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index ce6f2f9..a47a4eb 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 2.1.2)
+policy_module(init, 2.1.3)
gen_require(`
class passwd rootok;
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/system/
@ 2017-11-17 14:59 Jason Zaman
From: Jason Zaman @ 2017-11-17 14:59 UTC
To: gentoo-commits
commit: 4f2ec64bdbdbe5450ab7b678a7afa077f0947255
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Tue Nov 14 23:33:06 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Nov 15 01:11:22 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4f2ec64b
Module version bumps.
policy/modules/services/xserver.te | 2 +-
policy/modules/system/libraries.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 7e5a97d3..673fe37c 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,4 +1,4 @@
-policy_module(xserver, 3.14.3)
+policy_module(xserver, 3.14.4)
gen_require(`
class x_drawable all_x_drawable_perms;
diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
index a24c6796..c6ece55a 100644
--- a/policy/modules/system/libraries.te
+++ b/policy/modules/system/libraries.te
@@ -1,4 +1,4 @@
-policy_module(libraries, 2.15.1)
+policy_module(libraries, 2.15.2)
########################################
#
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/system/
@ 2017-12-12 7:59 Jason Zaman
From: Jason Zaman @ 2017-12-12 7:59 UTC
To: gentoo-commits
commit: ea5074af003a258b531cf3e84460cc456aca29e8
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Fri Dec 8 00:02:02 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec 12 07:06:27 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ea5074af
xserver, sysnetwork, systemd: Module version bump.
policy/modules/services/xserver.te | 2 +-
policy/modules/system/sysnetwork.te | 2 +-
policy/modules/system/systemd.te | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index b512fbe7..5936018f 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,4 +1,4 @@
-policy_module(xserver, 3.14.5)
+policy_module(xserver, 3.14.6)
gen_require(`
class x_drawable all_x_drawable_perms;
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 1fec9b9b..e45a6a5d 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -1,4 +1,4 @@
-policy_module(sysnetwork, 1.21.2)
+policy_module(sysnetwork, 1.21.3)
########################################
#
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 9a65b8f6..9ab85680 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.4.6)
+policy_module(systemd, 1.4.7)
#########################################
#
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/system/
@ 2018-12-09 11:48 Jason Zaman
From: Jason Zaman @ 2018-12-09 11:48 UTC
To: gentoo-commits
commit: f26f88c6f2ab91ff413ba052b12e111d34b5ed32
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Nov 18 00:02:54 2018 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 18 10:56:47 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f26f88c6
cron, minissdpd, ntp, systemd: Module version bump.
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>
policy/modules/services/cron.te | 2 +-
policy/modules/services/minissdpd.te | 2 +-
policy/modules/services/ntp.te | 2 +-
policy/modules/system/systemd.te | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index 2143e40c..ab1d35a2 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -1,4 +1,4 @@
-policy_module(cron, 2.14.0)
+policy_module(cron, 2.14.1)
gen_require(`
class passwd rootok;
diff --git a/policy/modules/services/minissdpd.te b/policy/modules/services/minissdpd.te
index 65b1aed3..6dfa0087 100644
--- a/policy/modules/services/minissdpd.te
+++ b/policy/modules/services/minissdpd.te
@@ -1,4 +1,4 @@
-policy_module(minissdpd, 1.4.0)
+policy_module(minissdpd, 1.4.1)
########################################
#
diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te
index 29fb6b7e..7003693e 100644
--- a/policy/modules/services/ntp.te
+++ b/policy/modules/services/ntp.te
@@ -1,4 +1,4 @@
-policy_module(ntp, 1.18.1)
+policy_module(ntp, 1.18.2)
########################################
#
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index e9b74257..41448713 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.6.1)
+policy_module(systemd, 1.6.2)
#########################################
#
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/system/
@ 2019-02-10 4:14 Jason Zaman
From: Jason Zaman @ 2019-02-10 4:14 UTC
To: gentoo-commits
commit: 1404015272ed6954f662683dfc503bbaac7da319
Author: Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Mon Jan 28 08:48:40 2019 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Feb 10 04:11:25 2019 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=14040152
yet another little patch
This should all be obvious.
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>
policy/modules/services/devicekit.te | 2 ++
policy/modules/system/lvm.te | 1 +
policy/modules/system/sysnetwork.te | 1 +
3 files changed, 4 insertions(+)
diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
index ca9de7cc..941880ef 100644
--- a/policy/modules/services/devicekit.te
+++ b/policy/modules/services/devicekit.te
@@ -91,6 +91,7 @@ files_pid_filetrans(devicekit_disk_t, devicekit_var_run_t, { dir file })
kernel_getattr_message_if(devicekit_disk_t)
kernel_list_unlabeled(devicekit_disk_t)
kernel_dontaudit_getattr_unlabeled_files(devicekit_disk_t)
+kernel_read_crypto_sysctls(devicekit_disk_t)
kernel_read_fs_sysctls(devicekit_disk_t)
kernel_read_network_state(devicekit_disk_t)
kernel_read_software_raid_state(devicekit_disk_t)
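Review bot: kernel_read_crypto_sysctls(devicekit_disk_t) arrives without a comment or a denial, and the commit message ("This should all be obvious") gives a reviewer nothing to verify against; say which udisks operation reads the crypto sysctls so the rule can be tied to an observed AVC rather than added pre-emptively.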
@@ -108,6 +109,7 @@ dev_getattr_all_chr_files(devicekit_disk_t)
dev_getattr_mtrr_dev(devicekit_disk_t)
dev_getattr_usbfs_dirs(devicekit_disk_t)
dev_manage_generic_files(devicekit_disk_t)
+dev_read_rand(devicekit_disk_t)
dev_read_urand(devicekit_disk_t)
dev_rw_sysfs(devicekit_disk_t)
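Review bot: dev_read_rand(devicekit_disk_t) grants /dev/random on top of the dev_read_urand() already on the next line; since /dev/random can block and almost all userland only needs urandom, confirm the daemon actually opens /dev/random (a denial in the message would settle it) before widening the rule.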
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index f4999e1b..bff2baa7 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -308,6 +308,7 @@ init_use_fds(lvm_t)
init_dontaudit_getattr_initctl(lvm_t)
init_use_script_ptys(lvm_t)
init_read_script_state(lvm_t)
+init_read_script_tmp_files(lvm_t)
# for systemd-cryptsetup to talk to /run/systemd/journal/socket
init_stream_connect(lvm_t)
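Review bot: init_read_script_tmp_files(lvm_t) has no justification, while the neighbouring init_stream_connect(lvm_t) line carries a comment naming the socket it is for; add an equivalent comment naming the init-script temp file that lvm or systemd-cryptsetup reads, so the grant can be revisited if that file goes away.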
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 08f62ccd..ece5a301 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -375,6 +375,7 @@ ifdef(`hide_broken_symptoms',`
optional_policy(`
devicekit_read_pid_files(ifconfig_t)
+ devicekit_append_inherited_log_files(ifconfig_t)
')
optional_policy(`
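Review bot: devicekit_append_inherited_log_files(ifconfig_t) means ifconfig_t is being started with a devicekit log file descriptor already open; if that descriptor is leaked rather than intentionally passed as stdout/stderr, the refpolicy treatment is a dontaudit on the devicekit side (or closing the fd in the caller) rather than an append grant. State which it is in the message.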
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/system/
@ 2019-03-26 10:17 Jason Zaman
From: Jason Zaman @ 2019-03-26 10:17 UTC
To: gentoo-commits
commit: 8eb6fcff84e1c7e037c4b5b18ab36e00283bc4ec
Author: Sugar, David <dsugar <AT> tresys <DOT> com>
AuthorDate: Tue Mar 5 22:33:50 2019 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Mar 25 10:05:25 2019 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8eb6fcff
Update cron use to pam interface
I'm seeing many denials for cron related to faillog_t, lastlog_t
and wtmp_t. These are all due to the fact that cron is using pam (and my
system is configured with pam_faillog). I have updated cron to use the
auth_use_pam interface to grant the needed permissions.
Additional change to allow systemd_logind dbus for cron.
I have included many of the denials I'm seeing, but there are probably
others I didn't capture.
type=AVC msg=audit(1551411001.389:1281): avc: denied { read write } for pid=8807 comm="crond" name="lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551411001.389:1281): avc: denied { open } for pid=8807 comm="crond" path="/var/log/lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1551411001.389:1281): arch=c000003e syscall=2 success=yes exit=3 a0=7f94f608c2ee a1=2 a2=0 a3=75646f6d6d61705f items=1 ppid=7345 pid=8807 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm="crond" exe="/usr/sbin/crond" subj=system_u:system_r:crond_t:s0-s0:c0.c1023 key="logins"
type=AVC msg=audit(1551411001.389:1282): avc: denied { lock } for pid=8807 comm="crond" path="/var/log/lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1551411001.389:1282): arch=c000003e syscall=72 success=yes exit=0 a0=3 a1=6 a2=7ffc882a83d0 a3=75646f6d6d61705f items=0 ppid=7345 pid=8807 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm="crond" exe="/usr/sbin/crond" subj=system_u:system_r:crond_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1551411001.389:1283): avc: denied { write } for pid=8807 comm="crond" name="wtmp" dev="dm-14" ino=103 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:wtmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551411001.389:1283): avc: denied { open } for pid=8807 comm="crond" path="/var/log/wtmp" dev="dm-14" ino=103 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:wtmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551412201.489:1513): avc: denied { getattr } for pid=7323 comm="systemd-logind" path="/proc/9183/cgroup" dev="proc" ino=49836 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=file permissive=1
type=AVC msg=audit(1551412201.511:1514): avc: denied { read write } for pid=9183 comm="crond" name="lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551412201.511:1514): avc: denied { open } for pid=9183 comm="crond" path="/var/log/lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551412201.511:1515): avc: denied { lock } for pid=9183 comm="crond" path="/var/log/lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1551412201.511:1515): arch=c000003e syscall=72 success=yes exit=0 a0=3 a1=6 a2=7ffc882a83d0 a3=75646f6d6d61705f items=0 ppid=7345 pid=9183 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=7 comm="crond" exe="/usr/sbin/crond" subj=system_u:system_r:crond_t:s0-s0:c0.c1023 key=(null)
type=USER_START msg=audit(1551412201.511:1516): pid=9183 uid=0 auid=0 ses=7 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_lastlog acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_REFR msg=audit(1551412201.512:1517): pid=9183 uid=0 auid=0 ses=7 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_faillock,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_DISP msg=audit(1551412201.524:1521): pid=9183 uid=0 auid=0 ses=7 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_faillock,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_END msg=audit(1551412201.525:1522): pid=9183 uid=0 auid=0 ses=7 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_lastlog acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_AVC msg=audit(1551629402.000:21914): pid=7387 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.login1.Manager member=CreateSession dest=org.freedesktop.login1 spid=6407 tpid=7395 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>
policy/modules/services/cron.te | 4 ++--
policy/modules/system/authlogin.if | 3 +--
2 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index f58f6d15..0a19e09c 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -315,9 +315,8 @@ init_start_all_units(system_cronjob_t)
init_get_generic_units_status(system_cronjob_t)
init_get_system_status(system_cronjob_t)
-auth_domtrans_chk_passwd(crond_t)
auth_manage_var_auth(crond_t)
-auth_use_nsswitch(crond_t)
+auth_use_pam(crond_t)
logging_send_audit_msgs(crond_t)
logging_send_syslog_msg(crond_t)
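Review bot: the switch to auth_use_pam(crond_t) pulls in much more than the lastlog/wtmp/faillog access the quoted denials show; per the authlogin.if hunk in this same patch the interface also gives crond_t a domain transition to chk_passwd and upd_passwd, exec of the pam helpers, setattr on faillog files and a dontaudit on shadow reads. Dropping the explicit auth_domtrans_chk_passwd/auth_use_nsswitch calls is fine (both are subsumed), but the reason for the broad interface lives only in the commit message. Suggest a one-line comment above the call, e.g. `# pam_lastlog/pam_faillock in the cron PAM stack`, so the next reader does not narrow it back.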
@@ -439,6 +438,7 @@ optional_policy(`
')
optional_policy(`
+ systemd_dbus_chat_logind(crond_t)
systemd_write_inherited_logind_sessions_pipes(crond_t)
')
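Review bot: systemd_dbus_chat_logind(crond_t) matches the USER_AVC in the message (crond_t send_msg to systemd_logind_t for org.freedesktop.login1.Manager.CreateSession, i.e. pam_systemd opening the session), but the other logind denial quoted there, systemd_logind_t getattr on crond_t's /proc/<pid>/cgroup (tclass=file), is not touched by this patch. That one belongs on the logind side in systemd.te; either add it there or say in the message that it is left for a follow-up.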
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index 1ebd8814..702f38f1 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -51,10 +51,9 @@ interface(`auth_use_pam',`
auth_domtrans_chk_passwd($1)
auth_domtrans_upd_passwd($1)
auth_dontaudit_read_shadow($1)
- auth_read_login_records($1)
- auth_append_login_records($1)
auth_rw_lastlog($1)
auth_rw_faillog($1)
+ auth_rw_login_records($1)
auth_setattr_faillog_files($1)
auth_exec_pam($1)
auth_use_nsswitch($1)
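Review bot: swapping auth_read_login_records/auth_append_login_records for auth_rw_login_records inside auth_use_pam widens every caller of the interface, not just crond_t, from append to full write on wtmp_t. Append-only is the usual guard on wtmp (a domain may add login records but not rewrite or truncate the history), so if crond really needs `write`, as the quoted wtmp denial suggests, consider granting it at the cron.te call site, or state in the commit message that the interface-wide widening is intended.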
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/system/
@ 2019-03-26 10:17 Jason Zaman
From: Jason Zaman @ 2019-03-26 10:17 UTC
To: gentoo-commits
commit: e6836a0e6a7d9845824ea1fd1760896b8c2bf280
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Mar 24 18:43:35 2019 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Mar 25 10:05:25 2019 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e6836a0e
authlogin, dbus, ntp: Module version bump.
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>
policy/modules/services/dbus.te | 2 +-
policy/modules/services/ntp.te | 2 +-
policy/modules/system/authlogin.te | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index cfe63c4a..b164b75e 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -1,4 +1,4 @@
-policy_module(dbus, 1.26.0)
+policy_module(dbus, 1.26.1)
gen_require(`
class dbus all_dbus_perms;
diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te
index bf8d46a4..c01fe5f1 100644
--- a/policy/modules/services/ntp.te
+++ b/policy/modules/services/ntp.te
@@ -1,4 +1,4 @@
-policy_module(ntp, 1.19.0)
+policy_module(ntp, 1.19.1)
########################################
#
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index d105c58c..525977ac 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -1,4 +1,4 @@
-policy_module(authlogin, 2.14.1)
+policy_module(authlogin, 2.14.2)
########################################
#
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/system/
@ 2020-02-15 7:33 Jason Zaman
From: Jason Zaman @ 2020-02-15 7:33 UTC
To: gentoo-commits
commit: 568cd7e29f67a9da390dde180ca00331aac01448
Author: Daniel Burgener <dburgener <AT> tresys <DOT> com>
AuthorDate: Fri Jan 31 19:41:28 2020 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 15 07:32:05 2020 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=568cd7e2
Remove unneeded semicolons after interface and macro calls
Signed-off-by: Daniel Burgener <dburgener <AT> tresys.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/services/wireguard.te | 2 +-
policy/modules/system/systemd.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/services/wireguard.te b/policy/modules/services/wireguard.te
index 4e6aad64..07c2d71f 100644
--- a/policy/modules/services/wireguard.te
+++ b/policy/modules/services/wireguard.te
@@ -42,7 +42,7 @@ allow wireguard_t self:netlink_route_socket r_netlink_socket_perms;
allow wireguard_t self:udp_socket create_socket_perms;
allow wireguard_t self:unix_stream_socket create_socket_perms;
-manage_files_pattern(wireguard_t, wireguard_etc_t, wireguard_etc_t);
+manage_files_pattern(wireguard_t, wireguard_etc_t, wireguard_etc_t)
files_read_etc_files(wireguard_t)
manage_files_pattern(wireguard_t, wireguard_runtime_t, wireguard_runtime_t)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index d039e2a1..f55294e3 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -99,7 +99,7 @@ type systemd_hw_exec_t;
init_system_domain(systemd_hw_t, systemd_hw_exec_t)
type systemd_hwdb_t;
-files_type(systemd_hwdb_t);
+files_type(systemd_hwdb_t)
type systemd_journal_t;
files_type(systemd_journal_t)
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/system/
@ 2020-11-28 23:09 Jason Zaman
From: Jason Zaman @ 2020-11-28 23:09 UTC
To: gentoo-commits
commit: e2236d7e0c64a40ec71ab835f5818e396437ec2e
Author: Jason Zaman <perfinion <AT> gentoo <DOT> org>
AuthorDate: Tue Nov 17 03:46:21 2020 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Nov 28 22:55:48 2020 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e2236d7e
userdomain: Add watch on home dirs
avc: denied { watch } for pid=12351 comm="gmain" path="/usr/share/backgrounds/xfce" dev="zfs" ino=366749 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
avc: denied { watch } for pid=11646 comm="gmain" path="/etc/fonts" dev="zfs" ino=237700 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fonts_t:s0 tclass=dir permissive=0
avc: denied { watch } for pid=12351 comm="gmain" path="/home/jason/Desktop" dev="zfs" ino=33153 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:user_home_t:s0 tclass=dir permissive=0
avc: denied { watch } for pid=12574 comm="gmain" path="/home/jason/.local/share/icc" dev="zfs" ino=1954514 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:xdg_data_t:s0 tclass=dir permissive=0
avc: denied { watch } for pid=11795 comm="gmain" path="/home/jason/.config/xfce4/panel/launcher-19" dev="zfs" ino=35464 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:xdg_config_t:s0 tclass=dir permissive=0
avc: denied { watch } for pid=12351 comm="gmain" path="/home/jason/downloads/pics" dev="zfs" ino=38173 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:xdg_downloads_t:s0 tclass=dir permissive=0
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/services/xserver.if | 11 +-
policy/modules/system/miscfiles.if | 18 ++++
policy/modules/system/userdomain.if | 15 ++-
policy/modules/system/xdg.if | 198 ++++++++++++++++++++++++++++++++++++
4 files changed, 240 insertions(+), 2 deletions(-)
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index baa39ef8..d5d6c791 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -95,6 +95,7 @@ interface(`xserver_restricted_role',`
dev_rw_usbfs($2)
miscfiles_read_fonts($2)
+ miscfiles_watch_fonts_dirs($2)
xserver_common_x_domain_template(user, $2) #selint-disable:S-004
xserver_domtrans($2)
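Review bot: miscfiles_watch_fonts_dirs($2) is called here but not defined anywhere in this patch; the miscfiles.if hunk adds only miscfiles_watch_public_dirs, and the diffstat's 18 lines for miscfiles.if account for exactly that one interface. If miscfiles_watch_fonts_dirs is not already present in miscfiles.if the build fails on an undefined interface, so please confirm it exists or add it in the same commit.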
@@ -186,10 +187,13 @@ interface(`xserver_role',`
optional_policy(`
xdg_manage_all_cache($2)
xdg_relabel_all_cache($2)
+ xdg_watch_all_cache_dirs($2)
xdg_manage_all_config($2)
xdg_relabel_all_config($2)
+ xdg_watch_all_config_dirs($2)
xdg_manage_all_data($2)
xdg_relabel_all_data($2)
+ xdg_watch_all_data_dirs($2)
xdg_generic_user_home_dir_filetrans_cache($2, dir, ".cache")
xdg_generic_user_home_dir_filetrans_config($2, dir, ".config")
@@ -203,14 +207,19 @@ interface(`xserver_role',`
xdg_manage_documents($2)
xdg_relabel_documents($2)
+ xdg_watch_documents_dirs($2)
xdg_manage_downloads($2)
xdg_relabel_downloads($2)
+ xdg_watch_downloads_dirs($2)
xdg_manage_music($2)
xdg_relabel_music($2)
+ xdg_watch_music_dirs($2)
xdg_manage_pictures($2)
xdg_relabel_pictures($2)
+ xdg_watch_pictures_dirs($2)
xdg_manage_videos($2)
xdg_relabel_videos($2)
+ xdg_watch_videos_dirs($2)
xdg_cache_filetrans($2, mesa_shader_cache_t, dir, "mesa_shader_cache")
')
@@ -508,7 +517,7 @@ interface(`xserver_use_user_fonts',`
')
# Read per user fonts
- allow $1 user_fonts_t:dir list_dir_perms;
+ allow $1 user_fonts_t:dir { list_dir_perms watch };
allow $1 user_fonts_t:file { map read_file_perms };
# Manipulate the global font cache
diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
index a0b13261..751b3579 100644
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
@@ -854,6 +854,24 @@ interface(`miscfiles_manage_public_files',`
manage_lnk_files_pattern($1, public_content_rw_t, public_content_rw_t)
')
+########################################
+## <summary>
+## Watch public files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`miscfiles_watch_public_dirs',`
+ gen_require(`
+ type public_content_rw_t;
+ ')
+
+ allow $1 public_content_rw_t:dir watch;
+')
+
########################################
## <summary>
## Read TeX data
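Review bot: the summary "Watch public files" does not match the rule, which is `allow $1 public_content_rw_t:dir watch;` (directories only, and only the read-write public type). Rename it to something like "Watch public content directories", and say whether read-only public content (public_content_t) is deliberately left out, since a domain watching a read-only public tree will hit the same denial there.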
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index b7fe1a79..7ce340dc 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -289,6 +289,12 @@ interface(`userdom_ro_home_role',`
read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
files_list_home($2)
+ allow $2 { user_home_t user_home_dir_t }:dir { watch watch_mount watch_sb watch_with_perm watch_reads };
+ allow $2 user_home_t:file { watch watch_mount watch_sb watch_with_perm watch_reads };
+ allow $2 user_home_t:lnk_file { watch watch_mount watch_sb watch_with_perm watch_reads };
+ allow $2 user_home_t:sock_file { watch watch_mount watch_sb watch_with_perm watch_reads };
+ allow $2 user_home_t:fifo_file { watch watch_mount watch_sb watch_with_perm watch_reads };
+
tunable_policy(`use_nfs_home_dirs',`
fs_list_nfs($2)
fs_read_nfs_files($2)
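Review bot: this grants far more than the `watch` seen in every denial quoted in the commit message. `watch_with_perm` lets the domain register fanotify permission marks (other processes' access to the watched objects blocks until it answers) and `watch_reads` subscribes it to read/open events from other processes; both are strong capabilities to hand to userdom_ro_home_role, whose point is read-only home access. Suggest granting `watch` (plus `watch_reads` if a file manager turns out to need it) and adding watch_mount/watch_sb/watch_with_perm only against observed denials, with a comment naming the application that needed them. The use_nfs_home_dirs block right below gets no matching watch rule, so the same desktop on NFS homes will still fail.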
@@ -368,7 +374,11 @@ interface(`userdom_manage_home_role',`
# cjp: this should probably be removed:
allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
- allow $2 user_home_dir_t:dir watch;
+ allow $2 { user_home_t user_home_dir_t }:dir { watch watch_mount watch_sb watch_with_perm watch_reads };
+ allow $2 user_home_t:file { watch watch_mount watch_sb watch_with_perm watch_reads };
+ allow $2 user_home_t:lnk_file { watch watch_mount watch_sb watch_with_perm watch_reads };
+ allow $2 user_home_t:sock_file { watch watch_mount watch_sb watch_with_perm watch_reads };
+ allow $2 user_home_t:fifo_file { watch watch_mount watch_sb watch_with_perm watch_reads };
userdom_manage_user_certs($2)
userdom_user_home_dir_filetrans($2, user_cert_t, dir, ".pki")
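Review bot: this five-line block is byte-for-byte the one added to userdom_ro_home_role above; factor it into a single interface (a hypothetical userdom_watch_user_home_content, not a name on this page) called from both roles so the two cannot drift. Minor: the `# cjp: this should probably be removed:` comment now reads as if it covers the new watch rules too; move it so it clearly refers only to the manage_dir_perms line.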
@@ -631,6 +641,8 @@ template(`userdom_common_user_template',`
files_read_var_lib_files($1_t)
# Stat lost+found.
files_getattr_lost_found_dirs($1_t)
+ files_watch_etc_dirs($1_t)
+ files_watch_usr_dirs($1_t)
fs_rw_cgroup_files($1_t)
@@ -1183,6 +1195,7 @@ template(`userdom_unpriv_user_template', `
files_exec_usr_files($1_t)
miscfiles_manage_public_files($1_t)
+ miscfiles_watch_public_dirs($1_t)
tunable_policy(`user_dmesg',`
kernel_read_ring_buffer($1_t)
diff --git a/policy/modules/system/xdg.if b/policy/modules/system/xdg.if
index e94d6720..b7620384 100644
--- a/policy/modules/system/xdg.if
+++ b/policy/modules/system/xdg.if
@@ -83,6 +83,42 @@ interface(`xdg_search_cache_dirs',`
userdom_search_user_home_dirs($1)
')
+########################################
+## <summary>
+## Watch the xdg cache home directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_watch_cache_dirs',`
+ gen_require(`
+ type xdg_cache_t;
+ ')
+
+ allow $1 xdg_cache_t:dir watch;
+')
+
+########################################
+## <summary>
+## Watch all the xdg cache home directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_watch_all_cache_dirs',`
+ gen_require(`
+ attribute xdg_cache_type;
+ ')
+
+ allow $1 xdg_cache_type:dir watch;
+')
+
########################################
## <summary>
## Read the xdg cache home files
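Review bot: xdg_watch_cache_dirs and xdg_watch_all_cache_dirs (and the config/data/documents/downloads/music/pictures/videos siblings that follow) grant only `watch` on the directory type, whereas the userdomain.if hunks in this same patch grant { watch watch_mount watch_sb watch_with_perm watch_reads } on user_home_t. Pick one breadth: if the fuller set is really needed for home content it will be needed under ~/.config and ~/.cache too, and if plain `watch` suffices, as the quoted denials suggest, the userdomain.if rules should shrink to match. The interfaces themselves are the right minimal shape: a dir-only `watch` with no file-level rule.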
@@ -333,6 +369,42 @@ interface(`xdg_search_config_dirs',`
userdom_search_user_home_dirs($1)
')
+########################################
+## <summary>
+## Watch the xdg config home directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_watch_config_dirs',`
+ gen_require(`
+ type xdg_config_t;
+ ')
+
+ allow $1 xdg_config_t:dir watch;
+')
+
+########################################
+## <summary>
+## Watch all the xdg config home directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_watch_all_config_dirs',`
+ gen_require(`
+ attribute xdg_config_type;
+ ')
+
+ allow $1 xdg_config_type:dir watch;
+')
+
########################################
## <summary>
## Read the xdg config home files
@@ -563,6 +635,42 @@ interface(`xdg_relabel_all_config',`
userdom_search_user_home_dirs($1)
')
+########################################
+## <summary>
+## Watch the xdg data home directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_watch_data_dirs',`
+ gen_require(`
+ type xdg_data_t;
+ ')
+
+ allow $1 xdg_data_t:dir watch;
+')
+
+########################################
+## <summary>
+## Watch all the xdg data home directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_watch_all_data_dirs',`
+ gen_require(`
+ attribute xdg_data_type;
+ ')
+
+ allow $1 xdg_data_type:dir watch;
+')
+
########################################
## <summary>
## Read the xdg data home files
@@ -793,6 +901,24 @@ interface(`xdg_relabel_all_data',`
userdom_search_user_home_dirs($1)
')
+########################################
+## <summary>
+## Watch the xdg documents home directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_watch_documents_dirs',`
+ gen_require(`
+ type xdg_documents_t;
+ ')
+
+ allow $1 xdg_documents_t:dir watch;
+')
+
########################################
## <summary>
## Create objects in the user home dir with an automatic type transition to
@@ -865,6 +991,24 @@ interface(`xdg_relabel_documents',`
userdom_search_user_home_dirs($1)
')
+########################################
+## <summary>
+## Watch the xdg downloads home directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_watch_downloads_dirs',`
+ gen_require(`
+ type xdg_downloads_t;
+ ')
+
+ allow $1 xdg_downloads_t:dir watch;
+')
+
#########################################
## <summary>
## Read downloaded content
@@ -1006,6 +1150,24 @@ interface(`xdg_relabel_downloads',`
userdom_search_user_home_dirs($1)
')
+########################################
+## <summary>
+## Watch the xdg pictures home directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_watch_pictures_dirs',`
+ gen_require(`
+ type xdg_pictures_t;
+ ')
+
+ allow $1 xdg_pictures_t:dir watch;
+')
+
#########################################
## <summary>
## Read user pictures content
@@ -1101,6 +1263,24 @@ interface(`xdg_relabel_pictures',`
userdom_search_user_home_dirs($1)
')
+########################################
+## <summary>
+## Watch the xdg music home directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_watch_music_dirs',`
+ gen_require(`
+ type xdg_music_t;
+ ')
+
+ allow $1 xdg_music_t:dir watch;
+')
+
#########################################
## <summary>
## Read user music content
@@ -1196,6 +1376,24 @@ interface(`xdg_relabel_music',`
userdom_search_user_home_dirs($1)
')
+########################################
+## <summary>
+## Watch the xdg video content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_watch_videos_dirs',`
+ gen_require(`
+ type xdg_videos_t;
+ ')
+
+ allow $1 xdg_videos_t:dir watch;
+')
+
#########################################
## <summary>
## Read user video content
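The AVC records quoted in this commit message and in the cron auth_use_pam commit earlier in the thread are the raw material for both policy changes. As an added example (not part of either commit or of refpolicy itself), here is a small Python aggregator that parses both the raw audit.log form (type=AVC / type=USER_AVC) and the shorter dmesg/journal form, groups denials by (source type, target type, object class) and renders them as audit2allow-style raw allow rules. The sample log is constructed from lines quoted in the two commit messages; the SYSCALL record is included to show that non-AVC lines are skipped.

```python
import re
from collections import defaultdict

# Constructed sample input: AVC records copied from the two commit messages
# (cron/auth_use_pam and userdomain watch). The first six lines are the raw
# audit.log form (type=AVC / type=USER_AVC), the last two the shorter
# dmesg/journal form. The SYSCALL record shows that non-AVC lines are skipped.
SAMPLE_LOG = """\
type=AVC msg=audit(1551411001.389:1281): avc: denied { read write } for pid=8807 comm="crond" name="lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551411001.389:1281): avc: denied { open } for pid=8807 comm="crond" path="/var/log/lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1551411001.389:1281): arch=c000003e syscall=2 success=yes exit=3 a0=7f94f608c2ee a1=2 a2=0 a3=75646f6d6d61705f items=1 ppid=7345 pid=8807 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm="crond" exe="/usr/sbin/crond" subj=system_u:system_r:crond_t:s0-s0:c0.c1023 key="logins"
type=AVC msg=audit(1551411001.389:1282): avc: denied { lock } for pid=8807 comm="crond" path="/var/log/lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551411001.389:1283): avc: denied { write } for pid=8807 comm="crond" name="wtmp" dev="dm-14" ino=103 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:wtmp_t:s0 tclass=file permissive=1
type=USER_AVC msg=audit(1551629402.000:21914): pid=7387 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.login1.Manager member=CreateSession dest=org.freedesktop.login1 spid=6407 tpid=7395 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
avc: denied { watch } for pid=11646 comm="gmain" path="/etc/fonts" dev="zfs" ino=237700 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fonts_t:s0 tclass=dir permissive=0
avc: denied { watch } for pid=12351 comm="gmain" path="/home/jason/Desktop" dev="zfs" ino=33153 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:user_home_t:s0 tclass=dir permissive=0
"""

# "avc: denied { perms } for k=v k=v ...". The same core sits inside the
# msg='...' of a USER_AVC record, so we search rather than anchor at line start.
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)"
)
# key=value pairs; values are either double-quoted or a run of non-blanks
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type (third colon-separated field) of a security context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one audit line; return None for lines that carry no AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "verdict": m.group("verdict"),
        "perms": frozenset(m.group("perms").split()),
        "stype": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        # permissive=1 means the access went through and was only logged;
        # USER_AVC records from dbus carry no permissive field, hence None.
        "enforced": None if "permissive" not in fields else fields["permissive"] == "0",
        "comm": fields.get("comm"),
        "path": fields.get("path") or fields.get("name"),
    }


def aggregate(log_text, only_enforced=False):
    """Group denials by (source type, target type, class) and merge permissions.

    With only_enforced=True, keep only denials that actually blocked an access
    (permissive=0), which is what a user sees on an enforcing desktop."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        if only_enforced and rec["enforced"] is not True:
            continue
        rules[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(rules)


def as_allow_rules(rules):
    """Render aggregated denials as raw allow rules, audit2allow style.

    Treat the output as a worksheet, not as policy to ship: refpolicy expresses
    these through interfaces (auth_use_pam, the userdom/xdg watch interfaces)
    rather than raw allows against lastlog_t, wtmp_t or user_home_t."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        p = " ".join(sorted(perms))
        if len(perms) > 1:
            p = "{ " + p + " }"
        out.append(f"allow {stype} {ttype}:{tclass} {p};")
    return out


if __name__ == "__main__":
    for rule in as_allow_rules(aggregate(SAMPLE_LOG)):
        print(rule)
```

Run as a script it prints one raw rule per (source, target, class) triple; the `enforced` field is what separates the cron records (permissive=1, observed on a permissive host) from the watch records (permissive=0, a real block on an enforcing desktop), which is the first thing to check before deciding how much to grant.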
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/system/
@ 2021-01-11 1:27 Jason Zaman
From: Jason Zaman @ 2021-01-11 1:27 UTC
To: gentoo-commits
commit: 6069aa838b4f8dc5dccc14a0487eeb04916cc50e
Author: 0xC0ncord <me <AT> concord <DOT> sh>
AuthorDate: Mon Nov 23 20:22:59 2020 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan 10 21:52:17 2021 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6069aa83
userdomain, xserver: move xdg rules to userdom_xdg_user_template
xdg rules are normally set in xserver. But, if a modular policy is being
used and the xserver module is not present, the required rules for users
to be able to access xdg content are never created and thus these files
and directories cannot be interacted with by users. This change adds a
new template that can be called to grant these privileges to userdomain
types as necessary.
Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/services/xserver.if | 36 ---------------------
policy/modules/system/userdomain.if | 62 +++++++++++++++++++++++++++++++++++++
2 files changed, 62 insertions(+), 36 deletions(-)
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index d5d6c791..e18dc704 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -185,42 +185,6 @@ interface(`xserver_role',`
xserver_read_xkb_libs($2)
optional_policy(`
- xdg_manage_all_cache($2)
- xdg_relabel_all_cache($2)
- xdg_watch_all_cache_dirs($2)
- xdg_manage_all_config($2)
- xdg_relabel_all_config($2)
- xdg_watch_all_config_dirs($2)
- xdg_manage_all_data($2)
- xdg_relabel_all_data($2)
- xdg_watch_all_data_dirs($2)
-
- xdg_generic_user_home_dir_filetrans_cache($2, dir, ".cache")
- xdg_generic_user_home_dir_filetrans_config($2, dir, ".config")
- xdg_generic_user_home_dir_filetrans_data($2, dir, ".local")
-
- xdg_generic_user_home_dir_filetrans_documents($2, dir, "Documents")
- xdg_generic_user_home_dir_filetrans_downloads($2, dir, "Downloads")
- xdg_generic_user_home_dir_filetrans_music($2, dir, "Music")
- xdg_generic_user_home_dir_filetrans_pictures($2, dir, "Pictures")
- xdg_generic_user_home_dir_filetrans_videos($2, dir, "Videos")
-
- xdg_manage_documents($2)
- xdg_relabel_documents($2)
- xdg_watch_documents_dirs($2)
- xdg_manage_downloads($2)
- xdg_relabel_downloads($2)
- xdg_watch_downloads_dirs($2)
- xdg_manage_music($2)
- xdg_relabel_music($2)
- xdg_watch_music_dirs($2)
- xdg_manage_pictures($2)
- xdg_relabel_pictures($2)
- xdg_watch_pictures_dirs($2)
- xdg_manage_videos($2)
- xdg_relabel_videos($2)
- xdg_watch_videos_dirs($2)
-
xdg_cache_filetrans($2, mesa_shader_cache_t, dir, "mesa_shader_cache")
')
')
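Review bot: removing the xdg rules from xserver_role changes who gets them: before, any user domain passed through xserver_role had them; after, only callers of userdom_xdg_user_template, which the userdomain.if hunk adds to userdom_unpriv_user_template alone. Please confirm that every user domain that previously went through xserver_role (admin- and staff-style domains built on other templates included) now reaches the new template, otherwise this commit silently drops their access to ~/.config, ~/.cache and the Documents/Downloads/Music/Pictures/Videos types.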
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 7ce340dc..4c902bff 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1207,6 +1207,9 @@ template(`userdom_unpriv_user_template', `
fs_exec_noxattr($1_t)
')
+ # Allow users to manage xdg content in their home directories
+ userdom_xdg_user_template($1_t)
+
# Allow users to run TCP servers (bind to ports and accept connection from
# the same domain and outside users) disabling this forces FTP passive mode
# and may change other protocols
@@ -1529,6 +1532,65 @@ template(`userdom_security_admin_template',`
')
')
+########################################
+## <summary>
+## Allow user to interact with xdg content types
+## </summary>
+## <desc>
+## <p>
+## Create rules to allow a user to manage xdg
+## content in a user home directory with an
+## automatic type transition to those types.
+## </p>
+## <p>
+## This is a templated interface, and should only
+## be called from a per-userdomain template.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+template(`userdom_xdg_user_template',`
+ xdg_manage_all_cache($1_t)
+ xdg_relabel_all_cache($1_t)
+ xdg_watch_all_cache_dirs($1_t)
+ xdg_manage_all_config($1_t)
+ xdg_relabel_all_config($1_t)
+ xdg_watch_all_config_dirs($1_t)
+ xdg_manage_all_data($1_t)
+ xdg_relabel_all_data($1_t)
+ xdg_watch_all_data_dirs($1_t)
+
+ xdg_generic_user_home_dir_filetrans_cache($1_t, dir, ".cache")
+ xdg_generic_user_home_dir_filetrans_config($1_t, dir, ".config")
+ xdg_generic_user_home_dir_filetrans_data($1_t, dir, ".local")
+
+ xdg_generic_user_home_dir_filetrans_documents($1_t, dir, "Documents")
+ xdg_generic_user_home_dir_filetrans_downloads($1_t, dir, "Downloads")
+ xdg_generic_user_home_dir_filetrans_music($1_t, dir, "Music")
+ xdg_generic_user_home_dir_filetrans_pictures($1_t, dir, "Pictures")
+ xdg_generic_user_home_dir_filetrans_videos($1_t, dir, "Videos")
+
+ xdg_manage_documents($1_t)
+ xdg_relabel_documents($1_t)
+ xdg_watch_documents_dirs($1_t)
+ xdg_manage_downloads($1_t)
+ xdg_relabel_downloads($1_t)
+ xdg_watch_downloads_dirs($1_t)
+ xdg_manage_music($1_t)
+ xdg_relabel_music($1_t)
+ xdg_watch_music_dirs($1_t)
+ xdg_manage_pictures($1_t)
+ xdg_relabel_pictures($1_t)
+ xdg_watch_pictures_dirs($1_t)
+ xdg_manage_videos($1_t)
+ xdg_relabel_videos($1_t)
+ xdg_watch_videos_dirs($1_t)
+')
+
########################################
## <summary>
## Make the specified type usable as
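Review bot: the `<param name="domain">` doc says "Domain allowed access." but the template takes a prefix and uses `$1_t` throughout, so the parameter should be documented as the user domain prefix. Second, the block removed from xserver_role sat inside optional_policy(`...`), while this template calls the xdg_* interfaces unconditionally, so userdomain now hard-requires the xdg module; given the commit's stated aim of coping with a modular policy where modules may be absent, either wrap the body in optional_policy or state that xdg is a base module.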
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/system/
@ 2022-11-02 14:42 Kenton Groombridge
From: Kenton Groombridge @ 2022-11-02 14:42 UTC
To: gentoo-commits
commit: 0d854a362ee5625add66fcb2212d27a035639f48
Author: Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Sat Sep 24 17:51:14 2022 +0000
Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Wed Nov 2 14:07:18 2022 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0d854a36
glusterfs, selinuxutil: make modifying fcontexts a tunable
Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>
policy/modules/services/glusterfs.te | 26 +++++++++++++++++++++-----
policy/modules/system/selinuxutil.if | 36 ++++++++++++++++++++++++++++++++++++
policy/modules/system/selinuxutil.te | 11 +++++++----
3 files changed, 64 insertions(+), 9 deletions(-)
diff --git a/policy/modules/services/glusterfs.te b/policy/modules/services/glusterfs.te
index 690aa828a..85a55ed5b 100644
--- a/policy/modules/services/glusterfs.te
+++ b/policy/modules/services/glusterfs.te
@@ -1,5 +1,15 @@
policy_module(glusterfs)
+## <desc>
+## <p>
+## Allow the gluster daemon to automatically
+## add and remove file contexts from the local
+## SELinux policy when adding and removing
+## bricks.
+## </p>
+## </desc>
+gen_tunable(glusterfs_modify_policy, false)
+
########################################
#
# Declarations
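Review bot: the tunable description should say what happens when it stays at its default of false: the brick add/remove relabel hooks cannot run semanage or setfiles and, because the else branch of the tunable_policy block below dontaudits those accesses, no AVC will point the operator at this boolean. One sentence such as "When disabled, the relabeling hooks fail without an audit record; enable with setsebool glusterfs_modify_policy on" saves a lot of debugging.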
@@ -129,11 +139,17 @@ logging_send_syslog_msg(glusterd_t)
miscfiles_read_generic_certs(glusterd_t)
miscfiles_read_localization(glusterd_t)
-# needed by relabeling hooks when adding bricks
-seutil_domtrans_semanage(glusterd_t)
-seutil_exec_setfiles(glusterd_t)
-seutil_read_default_contexts(glusterd_t)
-
userdom_dontaudit_search_user_runtime_root(glusterd_t)
xdg_dontaudit_search_data_dirs(glusterd_t)
+
+tunable_policy(`glusterfs_modify_policy',`
+ # needed by relabeling hooks when adding bricks
+ seutil_domtrans_semanage(glusterd_t)
+ seutil_exec_setfiles(glusterd_t)
+ seutil_read_default_contexts(glusterd_t)
+',`
+ seutil_dontaudit_exec_semanage(glusterd_t)
+ seutil_dontaudit_exec_setfiles(glusterd_t)
+ seutil_dontaudit_read_file_contexts(glusterd_t)
+')
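Review bot: the two branches do not mirror each other: the enabled branch grants seutil_read_default_contexts, but the disabled branch calls seutil_dontaudit_read_file_contexts (file_contexts, not default_contexts). With the tunable off, glusterd_t's reads of default_contexts will still be audited, while file_contexts reads are silenced although they were never granted in the first place. Either dontaudit exactly what the other branch allows, or explain why file_contexts is the access actually attempted.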
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
index c0735f2b8..30db6a094 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -574,6 +574,24 @@ interface(`seutil_exec_setfiles',`
can_exec($1, setfiles_exec_t)
')
+########################################
+## <summary>
+## Do not audit attempts to execute setfiles.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`seutil_dontaudit_exec_setfiles',`
+ gen_require(`
+ type setfiles_exec_t;
+ ')
+
+ dontaudit $1 setfiles_exec_t:file exec_file_perms;
+')
+
########################################
## <summary>
## Do not audit attempts to search the SELinux
@@ -1028,6 +1046,24 @@ interface(`seutil_run_semanage',`
roleattribute $2 semanage_roles;
')
+########################################
+## <summary>
+## Do not audit attempts to execute semanage.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`seutil_dontaudit_exec_semanage',`
+ gen_require(`
+ type semanage_exec_t;
+ ')
+
+ dontaudit $1 semanage_exec_t:file exec_file_perms;
+')
+
########################################
## <summary>
## Read the semanage module store.
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 14a17175f..2b823b543 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -209,8 +209,9 @@ ifdef(`distro_ubuntu',`
')
optional_policy(`
- # glusterd calls semanage fcontext
- glusterfs_use_daemon_fds(load_policy_t)
+ tunable_policy(`glusterfs_modify_policy',`
+ glusterfs_use_daemon_fds(load_policy_t)
+ ')
')
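Review bot: the comment `# glusterd calls semanage fcontext` is dropped while the rule it explained is kept inside the new tunable_policy block; keep the comment inside the block, as it is the only hint here of why load_policy_t needs gluster's file descriptors.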
optional_policy(`
@@ -695,11 +696,13 @@ ifdef(`distro_ubuntu',`
')
optional_policy(`
- apt_use_fds(setfiles_t)
+ tunable_policy(`glusterfs_modify_policy',`
+ glusterfs_use_daemon_fds(setfiles_t)
+ ')
')
optional_policy(`
- glusterfs_use_daemon_fds(setfiles_t)
+ apt_use_fds(setfiles_t)
')
optional_policy(`
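Review bot: this hunk swaps the contents of two optional_policy blocks (apt_use_fds moves down, glusterfs_use_daemon_fds moves up) in addition to wrapping the gluster rule in tunable_policy, which reverses the existing apt-before-glusterfs order and doubles the size of the diff. Wrapping glusterfs_use_daemon_fds(setfiles_t) in place keeps the order and makes the change a single-block edit.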
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/system/
@ 2023-02-13 15:35 Kenton Groombridge
From: Kenton Groombridge @ 2023-02-13 15:35 UTC
To: gentoo-commits
commit: e19a19f4bb6fdd3d55ee981413ee48bd34f4860a
Author: Corentin LABBE <clabbe.montjoie <AT> gmail <DOT> com>
AuthorDate: Mon Dec 26 09:25:59 2022 +0000
Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Mon Feb 13 15:19:52 2023 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e19a19f4
munin: disk-plugin: transition to fsadm
The smart_ plugin currently executes smartctl in the disk_munin_plugin_t domain.
But a lot of rules are still missing for a correct smartctl execution.
Instead of duplicating most of the fsadm rules, it is easier to transition to the correct domain.
Signed-off-by: Corentin LABBE <clabbe.montjoie <AT> gmail.com>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>
policy/modules/services/munin.if | 17 +++++++++++++++++
policy/modules/services/munin.te | 6 +++---
policy/modules/system/fstools.te | 4 ++++
3 files changed, 24 insertions(+), 3 deletions(-)
diff --git a/policy/modules/services/munin.if b/policy/modules/services/munin.if
index 9cf4cb20e..de654d4ea 100644
--- a/policy/modules/services/munin.if
+++ b/policy/modules/services/munin.if
@@ -189,3 +189,20 @@ interface(`munin_admin',`
admin_pattern($1, httpd_munin_content_t)
')
+
+########################################
+## <summary>
+## Permit to read/write Munin TCP sockets
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`munin_rw_tcp_sockets',`
+ gen_require(`
+ type munin_t;
+ ')
+ allow $1 munin_t:tcp_socket rw_socket_perms;
+')
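Review bot: the summary "Permit to read/write Munin TCP sockets" does not follow the imperative wording used by the neighbouring interfaces (compare "Read the semanage module store" above); "Read and write Munin TCP sockets" matches the convention. Since the only caller outside munin.te is fsadm_t after a domain transition from the disk plugin, the socket is always an inherited descriptor rather than one the caller opens itself; saying so in the description helps the next person decide whether their domain really needs this interface.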
diff --git a/policy/modules/services/munin.te b/policy/modules/services/munin.te
index 2e6b1542a..9fc77c8e9 100644
--- a/policy/modules/services/munin.te
+++ b/policy/modules/services/munin.te
@@ -52,8 +52,6 @@ munin_plugin_template(unconfined)
allow munin_plugin_domain self:process signal;
allow munin_plugin_domain self:fifo_file rw_fifo_file_perms;
-allow munin_plugin_domain munin_t:tcp_socket rw_socket_perms;
-
read_lnk_files_pattern(munin_plugin_domain, munin_etc_t, munin_etc_t)
allow munin_plugin_domain munin_exec_t:file read_file_perms;
@@ -79,6 +77,8 @@ fs_getattr_all_fs(munin_plugin_domain)
miscfiles_read_localization(munin_plugin_domain)
+munin_rw_tcp_sockets(munin_plugin_domain)
+
optional_policy(`
nscd_use(munin_plugin_domain)
')
@@ -260,7 +260,7 @@ optional_policy(`
')
optional_policy(`
- fstools_exec(disk_munin_plugin_t)
+ fstools_domtrans(disk_munin_plugin_t)
')
####################################
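Review bot: replacing fstools_exec(disk_munin_plugin_t) with fstools_domtrans(disk_munin_plugin_t) means the disk plugin no longer runs smartctl confined to disk_munin_plugin_t but transitions into fsadm_t, which carries the full set of filesystem-tool privileges (raw block device access, mount handling and the rest of fstools.te), far more than smartctl needs. The commit message explains the trade-off (avoiding duplication of fsadm rules), but a short comment at the call site stating that the plugin intentionally runs smartctl in fsadm_t would keep that decision visible to anyone auditing what a Munin plugin can reach.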
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index 3d5525cc4..079aacad3 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -208,6 +208,10 @@ optional_policy(`
modutils_read_module_deps(fsadm_t)
')
+optional_policy(`
+ munin_rw_tcp_sockets(fsadm_t)
+')
+
optional_policy(`
nis_use_ypbind(fsadm_t)
')
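Review bot: the new optional_policy block is correctly placed between modutils and nis, but the grant has no comment. Since fsadm_t only touches Munin sockets because disk_munin_plugin_t now transitions into it (munin.te hunk above) and the socket is inherited across that transition, a one-line comment such as "# inherited from the munin disk plugin after domain transition" would tell a reader of fstools.te why a filesystem-tool domain talks to Munin at all.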
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/system/
@ 2023-10-06 16:44 Kenton Groombridge
From: Kenton Groombridge @ 2023-10-06 16:44 UTC
To: gentoo-commits
commit: 9a761587cf212b96c093e2ea1d9c3ed66ff7c37d
Author: Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Thu Sep 21 14:21:25 2023 +0000
Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Oct 6 15:27:06 2023 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9a761587
debian motd.d directory (#689)
* policy for Debian motd.d dir
Signed-off-by: Russell Coker <russell <AT> coker.com.au>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>
policy/modules/services/xserver.te | 1 +
policy/modules/system/authlogin.fc | 1 +
policy/modules/system/authlogin.if | 1 +
3 files changed, 3 insertions(+)
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 68d9bd34b..58cd85626 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -472,6 +472,7 @@ auth_manage_pam_runtime_dirs(xdm_t)
auth_manage_pam_runtime_files(xdm_t)
auth_manage_pam_console_data(xdm_t)
auth_read_shadow_history(xdm_t)
+auth_use_pam_motd_dynamic(xdm_t)
auth_write_login_records(xdm_t)
# Run telinit->init to shutdown.
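Review bot: the commit is described as Debian-specific ("policy for Debian motd.d dir"), yet auth_use_pam_motd_dynamic(xdm_t) is added unconditionally rather than inside an ifdef(`distro_debian') block, so every distribution's xdm_t gains shell execution plus manage rights on pam_motd_runtime_t files and directories. Either wrap the call in the distro conditional or state in the commit message why the grant is wanted everywhere. The placement between auth_read_shadow_history and auth_write_login_records keeps alphabetical order, which is fine.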
diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
index b47da01a5..adb53a05a 100644
--- a/policy/modules/system/authlogin.fc
+++ b/policy/modules/system/authlogin.fc
@@ -59,6 +59,7 @@ ifdef(`distro_suse', `
/run/motd -- gen_context(system_u:object_r:pam_motd_runtime_t,s0)
/run/motd\.dynamic -- gen_context(system_u:object_r:pam_motd_runtime_t,s0)
/run/motd\.dynamic\.new -- gen_context(system_u:object_r:pam_motd_runtime_t,s0)
+/run/motd\.d(/.*)? gen_context(system_u:object_r:pam_motd_runtime_t,s0)
/run/pam_mount(/.*)? gen_context(system_u:object_r:pam_runtime_t,s0)
/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/run/sepermit(/.*)? gen_context(system_u:object_r:pam_runtime_t,s0)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index 4d11800aa..cd5ab2d7f 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -129,6 +129,7 @@ interface(`auth_use_pam_motd_dynamic',`
corecmd_exec_shell($1)
allow $1 pam_motd_runtime_t:file manage_file_perms;
+ allow $1 pam_motd_runtime_t:dir rw_dir_perms;
files_runtime_filetrans($1, pam_motd_runtime_t, file, "motd.dynamic.new")
')
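Review bot: rw_dir_perms on pam_motd_runtime_t lets callers add and remove entries in /run/motd.d but not create the directory itself, so something else (the fc entry only applies on relabel) must create /run/motd.d with the right label before this interface is useful; note in the commit or the interface description who is expected to create it. The interface's summary should also mention the directory now that it does more than manage motd.dynamic files, and since files created inside the directory inherit pam_motd_runtime_t from the parent, no additional filetrans rule is needed, which is worth stating so nobody adds one later.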
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/system/
@ 2024-09-22 0:03 Jason Zaman
From: Jason Zaman @ 2024-09-22 0:03 UTC
To: gentoo-commits
commit: 2e1192a4f76b25a7f91cdda83ffddaea56723119
Author: Kenton Groombridge <concord <AT> gentoo <DOT> org>
AuthorDate: Fri Aug 9 19:23:24 2024 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep 21 22:28:29 2024 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2e1192a4
iptables: allow reading container engine tmp files
When multus creates a new network, iptables rules get written to /tmp
and iptables will be called to load them.
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/services/container.if | 20 ++++++++++++++++++++
policy/modules/system/iptables.te | 5 +++--
2 files changed, 23 insertions(+), 2 deletions(-)
diff --git a/policy/modules/services/container.if b/policy/modules/services/container.if
index c9f4aa934..902c31b89 100644
--- a/policy/modules/services/container.if
+++ b/policy/modules/services/container.if
@@ -480,6 +480,26 @@ interface(`container_search_engine_tmp',`
allow $1 container_engine_tmp_t:dir search_dir_perms;
')
+########################################
+## <summary>
+## Allow the specified domain to read
+## container engine temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`container_read_engine_tmp_files',`
+ gen_require(`
+ type container_engine_tmp_t;
+ ')
+
+ container_search_engine_tmp($1)
+ allow $1 container_engine_tmp_t:file read_file_perms;
+')
+
########################################
## <summary>
## Allow the specified domain to manage
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index 684d91a25..7c401fa50 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -105,11 +105,12 @@ sysnet_dns_name_resolve(iptables_t)
userdom_use_inherited_user_terminals(iptables_t)
-
-
optional_policy(`
# iptables may try to rw /ptmx in a container
container_dontaudit_rw_chr_files(iptables_t)
+
+ # iptables reads firewall rules written to tmp
+ container_read_engine_tmp_files(iptables_t)
')
optional_policy(`
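Review bot: container_read_engine_tmp_files(iptables_t) grants read on every container_engine_tmp_t file, not only the rule files multus writes, so the comment "# iptables reads firewall rules written to tmp" undersells the scope; extending it with the multus case from the commit message ("multus writes iptables rules to /tmp and runs iptables on them") records why this is accepted. The hunk also deletes two blank lines after userdom_use_inherited_user_terminals(iptables_t); confirm one blank line still separates it from the following optional_policy block so the file keeps its usual spacing.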