* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/, policy/modules/services/, policy/modules/system/
@ 2021-02-01  2:10 Jason Zaman
From: Jason Zaman @ 2021-02-01  2:10 UTC (permalink / raw
  To: gentoo-commits

commit:     56d8835e88a2d97f33e8ed66fa8914979378b9c6
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Thu Jan 28 16:39:49 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb  1 01:21:42 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=56d8835e

various: Module version bump.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/admin/netutils.te     | 2 +-
 policy/modules/services/apache.te    | 2 +-
 policy/modules/services/aptcacher.te | 2 +-
 policy/modules/services/bind.te      | 2 +-
 policy/modules/services/colord.te    | 2 +-
 policy/modules/services/cron.te      | 2 +-
 policy/modules/services/cups.te      | 2 +-
 policy/modules/services/devicekit.te | 2 +-
 policy/modules/services/dkim.te      | 2 +-
 policy/modules/services/entropyd.te  | 2 +-
 policy/modules/services/fail2ban.te  | 2 +-
 policy/modules/services/jabber.te    | 2 +-
 policy/modules/services/l2tp.te      | 2 +-
 policy/modules/services/mailman.te   | 2 +-
 policy/modules/services/mon.te       | 2 +-
 policy/modules/services/mysql.te     | 2 +-
 policy/modules/services/openvpn.te   | 2 +-
 policy/modules/services/postgrey.te  | 2 +-
 policy/modules/services/rpc.te       | 2 +-
 policy/modules/services/samba.te     | 2 +-
 policy/modules/services/smartmon.te  | 2 +-
 policy/modules/services/squid.te     | 2 +-
 policy/modules/services/tor.te       | 2 +-
 policy/modules/services/watchdog.te  | 2 +-
 policy/modules/services/xserver.te   | 2 +-
 policy/modules/system/sysnetwork.te  | 2 +-
 26 files changed, 26 insertions(+), 26 deletions(-)

diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index 1a0d3d7b..c4fc0286 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -1,4 +1,4 @@
-policy_module(netutils, 1.20.1)
+policy_module(netutils, 1.20.2)
 
 ########################################
 #

diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index 35fafe56..229848c0 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -1,4 +1,4 @@
-policy_module(apache, 2.19.2)
+policy_module(apache, 2.19.3)
 
 ########################################
 #

diff --git a/policy/modules/services/aptcacher.te b/policy/modules/services/aptcacher.te
index d9089a77..fa3b2dd0 100644
--- a/policy/modules/services/aptcacher.te
+++ b/policy/modules/services/aptcacher.te
@@ -1,4 +1,4 @@
-policy_module(aptcacher, 1.1.0)
+policy_module(aptcacher, 1.1.1)
 
 ########################################
 #

diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
index 57ae7be3..11949946 100644
--- a/policy/modules/services/bind.te
+++ b/policy/modules/services/bind.te
@@ -1,4 +1,4 @@
-policy_module(bind, 1.22.2)
+policy_module(bind, 1.22.3)
 
 ########################################
 #

diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te
index ca035d5e..c41d827b 100644
--- a/policy/modules/services/colord.te
+++ b/policy/modules/services/colord.te
@@ -1,4 +1,4 @@
-policy_module(colord, 1.6.1)
+policy_module(colord, 1.6.2)
 
 ########################################
 #

diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index c4342f05..23e990ad 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -1,4 +1,4 @@
-policy_module(cron, 2.18.3)
+policy_module(cron, 2.18.4)
 
 gen_require(`
 	class passwd rootok;

diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
index f6e4a0e6..b6d8d41c 100644
--- a/policy/modules/services/cups.te
+++ b/policy/modules/services/cups.te
@@ -1,4 +1,4 @@
-policy_module(cups, 1.25.2)
+policy_module(cups, 1.25.3)
 
 ########################################
 #

diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
index 25f93898..feff1026 100644
--- a/policy/modules/services/devicekit.te
+++ b/policy/modules/services/devicekit.te
@@ -1,4 +1,4 @@
-policy_module(devicekit, 1.13.2)
+policy_module(devicekit, 1.13.3)
 
 ########################################
 #

diff --git a/policy/modules/services/dkim.te b/policy/modules/services/dkim.te
index 864d5b07..0b111b46 100644
--- a/policy/modules/services/dkim.te
+++ b/policy/modules/services/dkim.te
@@ -1,4 +1,4 @@
-policy_module(dkim, 1.8.0)
+policy_module(dkim, 1.8.1)
 
 ########################################
 #

diff --git a/policy/modules/services/entropyd.te b/policy/modules/services/entropyd.te
index f2405692..c46f0445 100644
--- a/policy/modules/services/entropyd.te
+++ b/policy/modules/services/entropyd.te
@@ -1,4 +1,4 @@
-policy_module(entropyd, 1.14.1)
+policy_module(entropyd, 1.14.2)
 
 ########################################
 #

diff --git a/policy/modules/services/fail2ban.te b/policy/modules/services/fail2ban.te
index 1e97cdfa..640905d4 100644
--- a/policy/modules/services/fail2ban.te
+++ b/policy/modules/services/fail2ban.te
@@ -1,4 +1,4 @@
-policy_module(fail2ban, 1.9.1)
+policy_module(fail2ban, 1.9.2)
 
 ########################################
 #

diff --git a/policy/modules/services/jabber.te b/policy/modules/services/jabber.te
index 30d53a8c..69e6a49c 100644
--- a/policy/modules/services/jabber.te
+++ b/policy/modules/services/jabber.te
@@ -1,4 +1,4 @@
-policy_module(jabber, 1.16.1)
+policy_module(jabber, 1.16.2)
 
 ########################################
 #

diff --git a/policy/modules/services/l2tp.te b/policy/modules/services/l2tp.te
index 6a429835..94de30c9 100644
--- a/policy/modules/services/l2tp.te
+++ b/policy/modules/services/l2tp.te
@@ -1,4 +1,4 @@
-policy_module(l2tp, 1.6.0)
+policy_module(l2tp, 1.6.1)
 
 ########################################
 #

diff --git a/policy/modules/services/mailman.te b/policy/modules/services/mailman.te
index 47bb174b..68b0bc48 100644
--- a/policy/modules/services/mailman.te
+++ b/policy/modules/services/mailman.te
@@ -1,4 +1,4 @@
-policy_module(mailman, 1.15.0)
+policy_module(mailman, 1.15.1)
 
 ########################################
 #

diff --git a/policy/modules/services/mon.te b/policy/modules/services/mon.te
index 50a9c82f..d8d35a38 100644
--- a/policy/modules/services/mon.te
+++ b/policy/modules/services/mon.te
@@ -1,4 +1,4 @@
-policy_module(mon, 1.5.0)
+policy_module(mon, 1.5.1)
 
 ########################################
 #

diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te
index 84a49b16..52a4e142 100644
--- a/policy/modules/services/mysql.te
+++ b/policy/modules/services/mysql.te
@@ -1,4 +1,4 @@
-policy_module(mysql, 1.22.1)
+policy_module(mysql, 1.22.2)
 
 ########################################
 #

diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te
index 9aa0afaf..bc0ef589 100644
--- a/policy/modules/services/openvpn.te
+++ b/policy/modules/services/openvpn.te
@@ -1,4 +1,4 @@
-policy_module(openvpn, 1.19.0)
+policy_module(openvpn, 1.19.1)
 
 ########################################
 #

diff --git a/policy/modules/services/postgrey.te b/policy/modules/services/postgrey.te
index da47d1e0..2a49602a 100644
--- a/policy/modules/services/postgrey.te
+++ b/policy/modules/services/postgrey.te
@@ -1,4 +1,4 @@
-policy_module(postgrey, 1.14.1)
+policy_module(postgrey, 1.14.2)
 
 ########################################
 #

diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
index 844a8038..1d82da7e 100644
--- a/policy/modules/services/rpc.te
+++ b/policy/modules/services/rpc.te
@@ -1,4 +1,4 @@
-policy_module(rpc, 1.23.1)
+policy_module(rpc, 1.23.2)
 
 ########################################
 #

diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
index 1d7683a2..9f8ef0f1 100644
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
@@ -1,4 +1,4 @@
-policy_module(samba, 1.25.1)
+policy_module(samba, 1.25.2)
 
 #################################
 #

diff --git a/policy/modules/services/smartmon.te b/policy/modules/services/smartmon.te
index a6351969..04745574 100644
--- a/policy/modules/services/smartmon.te
+++ b/policy/modules/services/smartmon.te
@@ -1,4 +1,4 @@
-policy_module(smartmon, 1.17.1)
+policy_module(smartmon, 1.17.2)
 
 ########################################
 #

diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te
index 263574f5..04c65074 100644
--- a/policy/modules/services/squid.te
+++ b/policy/modules/services/squid.te
@@ -1,4 +1,4 @@
-policy_module(squid, 1.19.1)
+policy_module(squid, 1.19.2)
 
 ########################################
 #

diff --git a/policy/modules/services/tor.te b/policy/modules/services/tor.te
index 0da1a599..7e08e17e 100644
--- a/policy/modules/services/tor.te
+++ b/policy/modules/services/tor.te
@@ -1,4 +1,4 @@
-policy_module(tor, 1.18.0)
+policy_module(tor, 1.18.1)
 
 ########################################
 #

diff --git a/policy/modules/services/watchdog.te b/policy/modules/services/watchdog.te
index 4a677a3f..628fdc62 100644
--- a/policy/modules/services/watchdog.te
+++ b/policy/modules/services/watchdog.te
@@ -1,4 +1,4 @@
-policy_module(watchdog, 1.15.1)
+policy_module(watchdog, 1.15.2)
 
 #################################
 #

diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 15ec1678..074e105d 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,4 +1,4 @@
-policy_module(xserver, 3.20.7)
+policy_module(xserver, 3.20.8)
 
 gen_require(`
 	class x_drawable all_x_drawable_perms;

diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index ee768012..ef0aab49 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -1,4 +1,4 @@
-policy_module(sysnetwork, 1.26.5)
+policy_module(sysnetwork, 1.26.6)
 
 ########################################
 #



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/, policy/modules/services/, policy/modules/system/
@ 2024-05-14 19:42 Kenton Groombridge
From: Kenton Groombridge @ 2024-05-14 19:42 UTC (permalink / raw
  To: gentoo-commits

commit:     89eef551684761379a5dd51221485b025d0014e5
Author:     Chris PeBenito <chpebeni <AT> linux <DOT> microsoft <DOT> com>
AuthorDate: Thu Feb 29 18:31:57 2024 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Tue May 14 17:40:59 2024 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=89eef551

xen: Drop xend/xm stack.

Xend/xm was replaced with xl in Xen 4.5 (Jan 2015).

https://xenproject.org/2015/01/15/less-is-more-in-the-new-xen-project-4-5-release/

Signed-off-by: Chris PeBenito <chpebeni <AT> linux.microsoft.com>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/admin/brctl.te       |   1 -
 policy/modules/admin/consoletype.te |   2 -
 policy/modules/admin/sblim.te       |   1 -
 policy/modules/services/nscd.te     |   1 -
 policy/modules/services/pegasus.te  |   1 -
 policy/modules/services/snmp.te     |   1 -
 policy/modules/services/vhostmd.te  |   1 -
 policy/modules/services/virt.te     |   8 +-
 policy/modules/system/hostname.te   |   1 -
 policy/modules/system/lvm.te        |   1 -
 policy/modules/system/sysnetwork.te |   2 -
 policy/modules/system/xen.fc        |  21 +--
 policy/modules/system/xen.if        | 149 +++-----------------
 policy/modules/system/xen.te        | 272 ++++--------------------------------
 14 files changed, 54 insertions(+), 408 deletions(-)

diff --git a/policy/modules/admin/brctl.te b/policy/modules/admin/brctl.te
index 7ce029c05..026b0002d 100644
--- a/policy/modules/admin/brctl.te
+++ b/policy/modules/admin/brctl.te
@@ -43,5 +43,4 @@ miscfiles_read_localization(brctl_t)
 
 optional_policy(`
 	xen_append_log(brctl_t)
-	xen_dontaudit_rw_unix_stream_sockets(brctl_t)
 ')

diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te
index dda9e62ff..1989db82c 100644
--- a/policy/modules/admin/consoletype.te
+++ b/policy/modules/admin/consoletype.te
@@ -109,6 +109,4 @@ optional_policy(`
 	kernel_read_xen_state(consoletype_t)
 	kernel_write_xen_state(consoletype_t)
 	xen_append_log(consoletype_t)
-	xen_dontaudit_rw_unix_stream_sockets(consoletype_t)
-	xen_dontaudit_use_fds(consoletype_t)
 ')

diff --git a/policy/modules/admin/sblim.te b/policy/modules/admin/sblim.te
index 5e2978c5f..d9bab1a79 100644
--- a/policy/modules/admin/sblim.te
+++ b/policy/modules/admin/sblim.te
@@ -106,7 +106,6 @@ optional_policy(`
 ')
 
 optional_policy(`
-	xen_stream_connect(sblim_gatherd_t)
 	xen_stream_connect_xenstore(sblim_gatherd_t)
 ')
 

diff --git a/policy/modules/services/nscd.te b/policy/modules/services/nscd.te
index f63b75f4f..ffc60497c 100644
--- a/policy/modules/services/nscd.te
+++ b/policy/modules/services/nscd.te
@@ -132,6 +132,5 @@ optional_policy(`
 ')
 
 optional_policy(`
-	xen_dontaudit_rw_unix_stream_sockets(nscd_t)
 	xen_append_log(nscd_t)
 ')

diff --git a/policy/modules/services/pegasus.te b/policy/modules/services/pegasus.te
index a5aa3a285..e7287b49a 100644
--- a/policy/modules/services/pegasus.te
+++ b/policy/modules/services/pegasus.te
@@ -184,6 +184,5 @@ optional_policy(`
 ')
 
 optional_policy(`
-	xen_stream_connect(pegasus_t)
 	xen_stream_connect_xenstore(pegasus_t)
 ')

diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te
index 846ab288a..b498e894b 100644
--- a/policy/modules/services/snmp.te
+++ b/policy/modules/services/snmp.te
@@ -167,6 +167,5 @@ optional_policy(`
 	kernel_read_xen_state(snmpd_t)
 	kernel_write_xen_state(snmpd_t)
 
-	xen_stream_connect(snmpd_t)
 	xen_stream_connect_xenstore(snmpd_t)
 ')

diff --git a/policy/modules/services/vhostmd.te b/policy/modules/services/vhostmd.te
index 94ee048d1..9a866deea 100644
--- a/policy/modules/services/vhostmd.te
+++ b/policy/modules/services/vhostmd.te
@@ -79,7 +79,6 @@ optional_policy(`
 
 optional_policy(`
 	xen_domtrans_xm(vhostmd_t)
-	xen_stream_connect(vhostmd_t)
 	xen_stream_connect_xenstore(vhostmd_t)
 	xen_stream_connect_xm(vhostmd_t)
 ')

diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
index a6161d739..f0c4c2d65 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -820,8 +820,8 @@ optional_policy(`
 	kernel_read_xen_state(virtd_t)
 	kernel_write_xen_state(virtd_t)
 
-	xen_exec(virtd_t)
-	xen_stream_connect(virtd_t)
+	xen_domtrans_xm(virtd_t)
+	xen_stream_connect_xm(virtd_t)
 	xen_stream_connect_xenstore(virtd_t)
 	xen_read_image_files(virtd_t)
 ')
@@ -944,9 +944,9 @@ optional_policy(`
 optional_policy(`
 	xen_manage_image_dirs(virsh_t)
 	xen_append_log(virsh_t)
-	xen_domtrans(virsh_t)
+	xen_domtrans_xm(virsh_t)
 	xen_read_xenstored_runtime_files(virsh_t)
-	xen_stream_connect(virsh_t)
+	xen_stream_connect_xm(virsh_t)
 	xen_stream_connect_xenstore(virsh_t)
 ')
 

diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te
index c3f7c579b..39e2b2027 100644
--- a/policy/modules/system/hostname.te
+++ b/policy/modules/system/hostname.te
@@ -64,7 +64,6 @@ optional_policy(`
 
 optional_policy(`
 	xen_append_log(hostname_t)
-	xen_dontaudit_use_fds(hostname_t)
 ')
 
 optional_policy(`

diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index d8dbac059..3785a9d73 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -280,7 +280,6 @@ optional_policy(`
 
 optional_policy(`
 	xen_append_log(lvm_t)
-	xen_dontaudit_rw_unix_stream_sockets(lvm_t)
 ')
 
 ifdef(`distro_gentoo',`

diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index dc3be6a07..4134eceac 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -280,7 +280,6 @@ optional_policy(`
 	kernel_read_xen_state(dhcpc_t)
 	kernel_write_xen_state(dhcpc_t)
 	xen_append_log(dhcpc_t)
-	xen_dontaudit_rw_unix_stream_sockets(dhcpc_t)
 ')
 
 ########################################
@@ -425,7 +424,6 @@ optional_policy(`
 	kernel_read_xen_state(ifconfig_t)
 	kernel_write_xen_state(ifconfig_t)
 	xen_append_log(ifconfig_t)
-	xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
 ')
 
 ifdef(`distro_gentoo',`

diff --git a/policy/modules/system/xen.fc b/policy/modules/system/xen.fc
index 6f529706f..896085201 100644
--- a/policy/modules/system/xen.fc
+++ b/policy/modules/system/xen.fc
@@ -1,50 +1,39 @@
 /dev/xen/tapctrl.*	-p	gen_context(system_u:object_r:xenctl_t,s0)
 
 /usr/lib/xen-[^/]*/bin/xenconsoled	--	gen_context(system_u:object_r:xenconsoled_exec_t,s0)
-/usr/lib/xen-[^/]*/bin/xend	--	gen_context(system_u:object_r:xend_exec_t,s0)
 /usr/lib/xen-[^/]*/bin/xenstored	--	gen_context(system_u:object_r:xenstored_exec_t,s0)
 /usr/lib/xen-[^/]*/bin/xl	--	gen_context(system_u:object_r:xm_exec_t,s0)
-/usr/lib/xen-[^/]*/bin/xm	--	gen_context(system_u:object_r:xm_exec_t,s0)
 /usr/lib/xen-[^/]*/xl --	gen_context(system_u:object_r:xm_exec_t,s0)
 
 /usr/bin/blktapctrl	--	gen_context(system_u:object_r:blktap_exec_t,s0)
 /usr/bin/evtchnd	--	gen_context(system_u:object_r:evtchnd_exec_t,s0)
 /usr/bin/tapdisk	--	gen_context(system_u:object_r:blktap_exec_t,s0)
 /usr/bin/xenconsoled	--	gen_context(system_u:object_r:xenconsoled_exec_t,s0)
-/usr/bin/xend	--	gen_context(system_u:object_r:xend_exec_t,s0)
 /usr/bin/xenstored	--	gen_context(system_u:object_r:xenstored_exec_t,s0)
 /usr/bin/xl	--	gen_context(system_u:object_r:xm_exec_t,s0)
-/usr/bin/xm	--	gen_context(system_u:object_r:xm_exec_t,s0)
 
 /usr/sbin/blktapctrl	--	gen_context(system_u:object_r:blktap_exec_t,s0)
 /usr/sbin/evtchnd	--	gen_context(system_u:object_r:evtchnd_exec_t,s0)
 /usr/sbin/tapdisk	--	gen_context(system_u:object_r:blktap_exec_t,s0)
 /usr/sbin/xenconsoled	--	gen_context(system_u:object_r:xenconsoled_exec_t,s0)
-/usr/sbin/xend	--	gen_context(system_u:object_r:xend_exec_t,s0)
 /usr/sbin/xenstored	--	gen_context(system_u:object_r:xenstored_exec_t,s0)
 /usr/sbin/xl	--	gen_context(system_u:object_r:xm_exec_t,s0)
-/usr/sbin/xm	--	gen_context(system_u:object_r:xm_exec_t,s0)
 
-/var/lib/xen(/.*)?	gen_context(system_u:object_r:xend_var_lib_t,s0)
+/var/lib/xen(/.*)?	gen_context(system_u:object_r:xen_state_t,s0)
 /var/lib/xen/images(/.*)?	gen_context(system_u:object_r:xen_image_t,s0)
-/var/lib/xend(/.*)?	gen_context(system_u:object_r:xend_var_lib_t,s0)
 /var/lib/xenstored(/.*)?	gen_context(system_u:object_r:xenstored_var_lib_t,s0)
 
 /var/lock/xl	--	gen_context(system_u:object_r:xen_lock_t,s0)
 
 /var/log/evtchnd\.log.*	--	gen_context(system_u:object_r:evtchnd_var_log_t,s0)
-/var/log/xen(/.*)?	gen_context(system_u:object_r:xend_var_log_t,s0)
-/var/log/xen-hotplug\.log.*	--	gen_context(system_u:object_r:xend_var_log_t,s0)
-/var/log/xend\.log.*	--	gen_context(system_u:object_r:xend_var_log_t,s0)
-/var/log/xend-debug\.log.*	--	gen_context(system_u:object_r:xend_var_log_t,s0)
+/var/log/xen(/.*)?	gen_context(system_u:object_r:xen_log_t,s0)
+/var/log/xen-hotplug\.log.*	--	gen_context(system_u:object_r:xen_log_t,s0)
 
 /run/evtchnd	-s	gen_context(system_u:object_r:evtchnd_runtime_t,s0)
 /run/evtchnd\.pid	--	gen_context(system_u:object_r:evtchnd_runtime_t,s0)
 /run/xenconsoled\.pid	--	gen_context(system_u:object_r:xenconsoled_runtime_t,s0)
-/run/xend(/.*)?	gen_context(system_u:object_r:xend_runtime_t,s0)
-/run/xen		-d	gen_context(system_u:object_r:xend_runtime_t,s0)
-/run/xend\.pid	--	gen_context(system_u:object_r:xend_runtime_t,s0)
-/run/xenner(/.*)?	gen_context(system_u:object_r:xend_runtime_t,s0)
+/run/xen		-d	gen_context(system_u:object_r:xen_runtime_t,s0)
+/run/xenner(/.*)?	gen_context(system_u:object_r:xen_runtime_t,s0)
 /run/xenstore\.pid	--	gen_context(system_u:object_r:xenstored_runtime_t,s0)
 /run/xenstored(/.*)?	gen_context(system_u:object_r:xenstored_runtime_t,s0)
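Review bot: The new `/run/xen		-d	gen_context(system_u:object_r:xen_runtime_t,s0)` line labels only the directory itself, so anything xl or libxl leaves underneath /run/xen (pid files, sockets) receives the generic runtime label on a restorecon rather than xen_runtime_t, whereas the dropped `/run/xend(/.*)?` entry covered its daemon's tree recursively. The retained xen_runtime_filetrans interface suggests callers are expected to create objects in that directory, so a relabel would then disagree with the transition. If xl's runtime files are meant to be xen_runtime_t, `/run/xen(/.*)?	gen_context(system_u:object_r:xen_runtime_t,s0)` keeps both paths consistent. The `-d` form predates this commit and may be deliberate, so confirm against what xl actually writes there before changing it.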
 

diff --git a/policy/modules/system/xen.if b/policy/modules/system/xen.if
index 7f5301580..24100075b 100644
--- a/policy/modules/system/xen.if
+++ b/policy/modules/system/xen.if
@@ -1,80 +1,5 @@
 ## <summary>Xen hypervisor.</summary>
 
-########################################
-## <summary>
-##	Execute a domain transition to run xend.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-#
-interface(`xen_domtrans',`
-	gen_require(`
-		type xend_t, xend_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domtrans_pattern($1, xend_exec_t, xend_t)
-')
-
-########################################
-## <summary>
-##	Execute xend in the caller domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`xen_exec',`
-	gen_require(`
-		type xend_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	can_exec($1, xend_exec_t)
-')
-
-########################################
-## <summary>
-##	Inherit and use xen file descriptors.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`xen_use_fds',`
-	gen_require(`
-		type xend_t;
-	')
-
-	allow $1 xend_t:fd use;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to inherit
-##	xen file descriptors.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`xen_dontaudit_use_fds',`
-	gen_require(`
-		type xend_t;
-	')
-
-	dontaudit $1 xend_t:fd use;
-')
-
 ########################################
 ## <summary>
 ##	Create, read, write, and delete
@@ -88,11 +13,11 @@ interface(`xen_dontaudit_use_fds',`
 #
 interface(`xen_manage_image_dirs',`
 	gen_require(`
-		type xend_var_lib_t;
+		type xen_state_t;
 	')
 
 	files_search_var_lib($1)
-	manage_dirs_pattern($1, xend_var_lib_t, xend_var_lib_t)
+	manage_dirs_pattern($1, xen_state_t, xen_state_t)
 ')
 
 ########################################
@@ -107,12 +32,12 @@ interface(`xen_manage_image_dirs',`
 #
 interface(`xen_read_image_files',`
 	gen_require(`
-		type xen_image_t, xend_var_lib_t;
+		type xen_image_t, xen_state_t;
 	')
 
 	files_list_var_lib($1)
-	list_dirs_pattern($1, xend_var_lib_t, xend_var_lib_t)
-	read_files_pattern($1, { xend_var_lib_t xen_image_t }, xen_image_t)
+	list_dirs_pattern($1, xen_state_t, xen_state_t)
+	read_files_pattern($1, { xen_state_t xen_image_t }, xen_image_t)
 ')
 
 ########################################
@@ -127,11 +52,11 @@ interface(`xen_read_image_files',`
 #
 interface(`xen_rw_image_files',`
 	gen_require(`
-		type xen_image_t, xend_var_lib_t;
+		type xen_image_t, xen_state_t;
 	')
 
 	files_list_var_lib($1)
-	allow $1 xend_var_lib_t:dir search_dir_perms;
+	allow $1 xen_state_t:dir search_dir_perms;
 	rw_files_pattern($1, xen_image_t, xen_image_t)
 ')
 
@@ -147,12 +72,12 @@ interface(`xen_rw_image_files',`
 #
 interface(`xen_append_log',`
 	gen_require(`
-		type xend_var_log_t;
+		type xen_log_t;
 	')
 
 	logging_search_logs($1)
-	append_files_pattern($1, xend_var_log_t, xend_var_log_t)
-	dontaudit $1 xend_var_log_t:file write;
+	append_files_pattern($1, xen_log_t, xen_log_t)
+	dontaudit $1 xen_log_t:file write;
 ')
 
 ########################################
@@ -168,12 +93,12 @@ interface(`xen_append_log',`
 #
 interface(`xen_manage_log',`
 	gen_require(`
-		type xend_var_log_t;
+		type xen_log_t;
 	')
 
 	logging_search_logs($1)
-	manage_dirs_pattern($1, xend_var_log_t, xend_var_log_t)
-	manage_files_pattern($1, xend_var_log_t, xend_var_log_t)
+	manage_dirs_pattern($1, xen_log_t, xen_log_t)
+	manage_files_pattern($1, xen_log_t, xen_log_t)
 ')
 
 #######################################
@@ -195,25 +120,6 @@ interface(`xen_read_xenstored_runtime_files',`
 	read_files_pattern($1, xenstored_runtime_t, xenstored_runtime_t)
 ')
 
-########################################
-## <summary>
-##	Do not audit attempts to read and write
-##	Xen unix domain stream sockets.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`xen_dontaudit_rw_unix_stream_sockets',`
-	gen_require(`
-		type xend_t;
-	')
-
-	dontaudit $1 xend_t:unix_stream_socket { read write };
-')
-
 ########################################
 ## <summary>
 ##	Connect to xenstored with a unix
@@ -236,30 +142,7 @@ interface(`xen_stream_connect_xenstore',`
 
 ########################################
 ## <summary>
-##	Connect to xend with a unix
-##	domain stream socket.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`xen_stream_connect',`
-	gen_require(`
-		type xend_t, xend_runtime_t, xend_var_lib_t;
-	')
-
-	files_search_runtime($1)
-	stream_connect_pattern($1, xend_runtime_t, xend_runtime_t, xend_t)
-
-	files_search_var_lib($1)
-	stream_connect_pattern($1, xend_var_lib_t, xend_var_lib_t, xend_t)
-')
-
-########################################
-## <summary>
-##	Create in a xend_runtime_t directory
+##	Create in a xen_runtime_t directory
 ## </summary>
 ## <param name="domain">
 ##	<summary>
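Review bot: xen_stream_connect is deleted outright here, as were xen_domtrans, xen_exec, xen_use_fds, xen_dontaudit_use_fds and xen_dontaudit_rw_unix_stream_sockets earlier in the file, so any out-of-tree module still calling them stops building, while the .te side of this commit does keep typealiases for the old xend type names. If the project follows its usual deprecated-interface practice, each removed name would stay as a stub whose body only calls refpolicywarn with a "has been deprecated" message for one release, giving third-party policy a grace period that matches the one the type aliases provide. The interface bodies themselves carry no rules worth keeping, so the stubs are cheap. Worth deciding explicitly rather than by omission, given every in-tree caller was updated in the same commit.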
@@ -279,10 +162,10 @@ interface(`xen_stream_connect',`
 #
 interface(`xen_runtime_filetrans',`
 	gen_require(`
-		type xend_runtime_t;
+		type xen_runtime_t;
 	')
 
-	filetrans_pattern($1, xend_runtime_t, $2, $3)
+	filetrans_pattern($1, xen_runtime_t, $2, $3)
 ')
 
 ########################################

diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te
index d633dfef7..6202a1053 100644
--- a/policy/modules/system/xen.te
+++ b/policy/modules/system/xen.te
@@ -5,14 +5,6 @@ policy_module(xen)
 # Declarations
 #
 
-## <desc>
-##	<p>
-##	Determine whether xend can
-##	run blktapctrl and tapdisk.
-## </p>
-## </desc>
-gen_tunable(xend_run_blktap, false)
-
 ## <desc>
 ##	<p>
 ##	Determine whether xen can
@@ -68,29 +60,25 @@ optional_policy(`
 	virt_image(xen_image_t)
 ')
 
-type xenctl_t;
-files_type(xenctl_t)
-
-type xend_t;
-type xend_exec_t;
-init_daemon_domain(xend_t, xend_exec_t)
-
 type xen_lock_t;
 files_lock_file(xen_lock_t)
 
-type xend_runtime_t alias xend_var_run_t;
-files_runtime_file(xend_runtime_t)
-files_mountpoint(xend_runtime_t)
+type xen_log_t;
+typealias xen_log_t alias xend_var_log_t;
+logging_log_file(xen_log_t)
 
-type xend_tmp_t;
-files_tmp_file(xend_tmp_t)
+type xen_runtime_t;
+typealias xen_runtime_t alias xend_runtime_t;
+files_runtime_file(xen_runtime_t)
+files_mountpoint(xen_runtime_t)
 
-type xend_var_lib_t;
-files_type(xend_var_lib_t)
-files_mountpoint(xend_var_lib_t)
+type xen_state_t;
+typealias xen_state_t alias xend_var_lib_t;
+files_type(xen_state_t)
+files_mountpoint(xen_state_t)
 
-type xend_var_log_t;
-logging_log_file(xend_var_log_t)
+type xenctl_t;
+files_type(xenctl_t)
 
 type xenstored_t;
 type xenstored_exec_t;
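Review bot: The replaced declaration `type xend_runtime_t alias xend_var_run_t;` carried two names, but the new pair `type xen_runtime_t;` / `typealias xen_runtime_t alias xend_runtime_t;` keeps only one, so policy or file contexts still naming xend_var_run_t stop resolving even though xend_var_lib_t and xend_var_log_t are preserved as aliases in the same hunk. If that alias is still inside its deprecation window, keep it: `typealias xen_runtime_t alias { xend_runtime_t xend_var_run_t };`. xend_tmp_t is dropped with no alias at all, which is fine only if no other module references it; a quick grep would settle that. Either way a short comment above the aliases saying they exist for compatibility with pre-xl policy would help the next person decide when to drop them.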
@@ -126,24 +114,18 @@ init_system_domain(xm_t, xm_exec_t)
 # blktap local policy
 #
 
-tunable_policy(`xend_run_blktap',`
-	domtrans_pattern(xend_t, blktap_exec_t, blktap_t)
+allow blktap_t self:fifo_file rw_inherited_fifo_file_perms;
 
-	allow blktap_t self:fifo_file rw_inherited_fifo_file_perms;
+dev_read_sysfs(blktap_t)
+dev_rw_xen(blktap_t)
 
-	dev_read_sysfs(blktap_t)
-	dev_rw_xen(blktap_t)
+files_read_etc_files(blktap_t)
 
-	files_read_etc_files(blktap_t)
+logging_send_syslog_msg(blktap_t)
 
-	logging_send_syslog_msg(blktap_t)
+miscfiles_read_localization(blktap_t)
 
-	miscfiles_read_localization(blktap_t)
-
-	xen_stream_connect_xenstore(blktap_t)
-',`
-	dontaudit xend_t blktap_exec_t:file { execute execute_no_trans };
-')
+xen_stream_connect_xenstore(blktap_t)
 
 #######################################
 #
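Review bot: With `domtrans_pattern(xend_t, blktap_exec_t, blktap_t)` removed, nothing in this hunk enters blktap_t any more, yet its rules are now unconditional and the xend_run_blktap tunable that used to gate them is gone. If tapdisk/blktapctrl are launched by xl or libxl under the new stack, the transition has to come from xm_t, for example `domtrans_pattern(xm_t, blktap_exec_t, blktap_t)` in the xm local policy; if they are not launched at all, the blktap block is dead policy and should go with xend. The xm local policy lies outside this hunk and may already contain such a rule, so confirm before merging. A one-line comment above the blktap section naming which domain is expected to start it would prevent the same question next time.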
@@ -161,200 +143,6 @@ manage_files_pattern(evtchnd_t, evtchnd_runtime_t, evtchnd_runtime_t)
 manage_sock_files_pattern(evtchnd_t, evtchnd_runtime_t, evtchnd_runtime_t)
 files_runtime_filetrans(evtchnd_t, evtchnd_runtime_t, { file sock_file dir })
 
-########################################
-#
-# xend local policy
-#
-
-allow xend_t self:capability { dac_override ipc_lock net_admin net_raw setuid sys_admin sys_nice sys_rawio sys_resource sys_tty_config };
-dontaudit xend_t self:capability { sys_ptrace };
-allow xend_t self:process { setrlimit signal sigkill };
-dontaudit xend_t self:process ptrace;
-allow xend_t self:fifo_file rw_fifo_file_perms;
-allow xend_t self:unix_stream_socket { accept listen };
-allow xend_t self:tcp_socket { accept listen };
-allow xend_t self:packet_socket create_socket_perms;
-allow xend_t self:tun_socket create_socket_perms;
-
-allow xend_t xen_image_t:dir list_dir_perms;
-manage_dirs_pattern(xend_t, xen_image_t, xen_image_t)
-manage_fifo_files_pattern(xend_t, xen_image_t, xen_image_t)
-manage_files_pattern(xend_t, xen_image_t, xen_image_t)
-read_lnk_files_pattern(xend_t, xen_image_t, xen_image_t)
-read_sock_files_pattern(xend_t, xen_image_t, xen_image_t)
-rw_chr_files_pattern(xend_t, xen_image_t, xen_image_t)
-rw_blk_files_pattern(xend_t, xen_image_t, xen_image_t)
-fs_hugetlbfs_filetrans(xend_t, xen_image_t, file)
-
-allow xend_t xenctl_t:fifo_file manage_fifo_file_perms;
-dev_filetrans(xend_t, xenctl_t, fifo_file)
-
-manage_files_pattern(xend_t, xend_tmp_t, xend_tmp_t)
-manage_dirs_pattern(xend_t, xend_tmp_t, xend_tmp_t)
-files_tmp_filetrans(xend_t, xend_tmp_t, { file dir })
-
-manage_dirs_pattern(xend_t, xend_runtime_t, xend_runtime_t)
-manage_files_pattern(xend_t, xend_runtime_t, xend_runtime_t)
-manage_sock_files_pattern(xend_t, xend_runtime_t, xend_runtime_t)
-manage_fifo_files_pattern(xend_t, xend_runtime_t, xend_runtime_t)
-files_runtime_filetrans(xend_t, xend_runtime_t, { file sock_file fifo_file dir })
-
-manage_dirs_pattern(xend_t, xend_var_log_t, xend_var_log_t)
-append_files_pattern(xend_t, xend_var_log_t, xend_var_log_t)
-create_files_pattern(xend_t, xend_var_log_t, xend_var_log_t)
-setattr_files_pattern(xend_t, xend_var_log_t, xend_var_log_t)
-manage_sock_files_pattern(xend_t, xend_var_log_t, xend_var_log_t)
-logging_log_filetrans(xend_t, xend_var_log_t, { sock_file file dir })
-
-manage_dirs_pattern(xend_t, xend_var_lib_t, xend_var_lib_t)
-manage_files_pattern(xend_t, xend_var_lib_t, xend_var_lib_t)
-manage_sock_files_pattern(xend_t, xend_var_lib_t, xend_var_lib_t)
-manage_fifo_files_pattern(xend_t, xend_var_lib_t, xend_var_lib_t)
-files_var_lib_filetrans(xend_t, xend_var_lib_t, { file dir })
-
-manage_files_pattern(xend_t, xenstored_runtime_t, xenstored_runtime_t)
-
-allow xend_t xenstored_var_lib_t:dir list_dir_perms;
-
-domtrans_pattern(xend_t, xenconsoled_exec_t, xenconsoled_t)
-domtrans_pattern(xend_t, xenstored_exec_t, xenstored_t)
-
-xen_stream_connect_xenstore(xend_t)
-
-kernel_read_kernel_sysctls(xend_t)
-kernel_read_system_state(xend_t)
-kernel_write_xen_state(xend_t)
-kernel_read_xen_state(xend_t)
-kernel_rw_net_sysctls(xend_t)
-kernel_read_network_state(xend_t)
-kernel_read_vm_sysctls(xend_t)
-
-corecmd_exec_bin(xend_t)
-corecmd_exec_shell(xend_t)
-
-corenet_all_recvfrom_netlabel(xend_t)
-corenet_tcp_sendrecv_generic_if(xend_t)
-corenet_tcp_sendrecv_generic_node(xend_t)
-corenet_tcp_bind_generic_node(xend_t)
-
-corenet_sendrecv_xen_server_packets(xend_t)
-corenet_tcp_bind_xen_port(xend_t)
-
-corenet_sendrecv_soundd_server_packets(xend_t)
-corenet_tcp_bind_soundd_port(xend_t)
-
-corenet_sendrecv_generic_server_packets(xend_t)
-corenet_tcp_bind_generic_port(xend_t)
-
-corenet_sendrecv_vnc_server_packets(xend_t)
-corenet_tcp_bind_vnc_port(xend_t)
-
-corenet_sendrecv_xserver_client_packets(xend_t)
-corenet_tcp_connect_xserver_port(xend_t)
-
-corenet_sendrecv_xen_client_packets(xend_t)
-corenet_tcp_connect_xen_port(xend_t)
-
-corenet_rw_tun_tap_dev(xend_t)
-
-dev_getattr_all_chr_files(xend_t)
-dev_read_urand(xend_t)
-dev_filetrans_xen(xend_t)
-dev_rw_sysfs(xend_t)
-dev_rw_xen(xend_t)
-
-domain_dontaudit_read_all_domains_state(xend_t)
-domain_dontaudit_ptrace_all_domains(xend_t)
-
-files_read_etc_files(xend_t)
-files_read_kernel_symbol_table(xend_t)
-files_read_kernel_img(xend_t)
-files_manage_etc_runtime_files(xend_t)
-files_etc_filetrans_etc_runtime(xend_t, file)
-files_read_usr_files(xend_t)
-files_read_default_symlinks(xend_t)
-files_search_mnt(xend_t)
-
-fs_getattr_all_fs(xend_t)
-fs_list_auto_mountpoints(xend_t)
-fs_read_dos_files(xend_t)
-fs_read_removable_blk_files(xend_t)
-fs_manage_xenfs_dirs(xend_t)
-fs_manage_xenfs_files(xend_t)
-
-storage_read_scsi_generic(xend_t)
-# for lsscsi
-storage_getattr_fixed_disk_dev(xend_t)
-
-term_setattr_generic_ptys(xend_t)
-term_getattr_all_ptys(xend_t)
-term_setattr_all_ptys(xend_t)
-term_use_generic_ptys(xend_t)
-term_use_ptmx(xend_t)
-term_getattr_pty_fs(xend_t)
-
-init_stream_connect_script(xend_t)
-
-locallogin_dontaudit_use_fds(xend_t)
-
-logging_send_syslog_msg(xend_t)
-
-miscfiles_read_localization(xend_t)
-miscfiles_read_hwdata(xend_t)
-
-sysnet_domtrans_dhcpc(xend_t)
-sysnet_signal_dhcpc(xend_t)
-sysnet_domtrans_ifconfig(xend_t)
-sysnet_dns_name_resolve(xend_t)
-sysnet_delete_dhcpc_runtime_files(xend_t)
-sysnet_read_dhcpc_runtime_files(xend_t)
-sysnet_rw_dhcp_config(xend_t)
-
-userdom_dontaudit_search_user_home_dirs(xend_t)
-
-tunable_policy(`xen_use_fusefs',`
-	fs_manage_fusefs_dirs(xend_t)
-	fs_manage_fusefs_files(xend_t)
-	fs_read_fusefs_symlinks(xend_t)
-')
-
-tunable_policy(`xen_use_nfs',`
-	fs_manage_nfs_dirs(xend_t)
-	fs_manage_nfs_files(xend_t)
-	fs_read_nfs_symlinks(xend_t)
-')
-
-tunable_policy(`xen_use_samba',`
-	fs_manage_cifs_dirs(xend_t)
-	fs_manage_cifs_files(xend_t)
-	fs_read_cifs_symlinks(xend_t)
-')
-
-optional_policy(`
-	brctl_domtrans(xend_t)
-')
-
-optional_policy(`
-	consoletype_exec(xend_t)
-')
-
-optional_policy(`
-	lvm_domtrans(xend_t)
-')
-
-optional_policy(`
-	mount_domtrans(xend_t)
-')
-
-optional_policy(`
-	netutils_domtrans(xend_t)
-')
-
-optional_policy(`
-	virt_search_images(xend_t)
-	virt_read_config(xend_t)
-')
-
 ########################################
 #
 # Xen console local policy
@@ -367,10 +155,10 @@ allow xenconsoled_t self:fifo_file rw_fifo_file_perms;
 
 allow xenconsoled_t xen_devpts_t:chr_file { rw_term_perms setattr_chr_file_perms };
 
-manage_dirs_pattern(xenconsoled_t, xend_var_log_t, xend_var_log_t)
-append_files_pattern(xenconsoled_t, xend_var_log_t, xend_var_log_t)
-create_files_pattern(xenconsoled_t, xend_var_log_t, xend_var_log_t)
-setattr_files_pattern(xenconsoled_t, xend_var_log_t, xend_var_log_t)
+manage_dirs_pattern(xenconsoled_t, xen_log_t, xen_log_t)
+append_files_pattern(xenconsoled_t, xen_log_t, xen_log_t)
+create_files_pattern(xenconsoled_t, xen_log_t, xen_log_t)
+setattr_files_pattern(xenconsoled_t, xen_log_t, xen_log_t)
 
 manage_files_pattern(xenconsoled_t, xenconsoled_runtime_t, xenconsoled_runtime_t)
 manage_sock_files_pattern(xenconsoled_t, xenconsoled_runtime_t, xenconsoled_runtime_t)
@@ -475,16 +263,16 @@ allow xm_t self:fifo_file rw_fifo_file_perms;
 allow xm_t self:unix_stream_socket { accept connectto listen };
 allow xm_t self:tcp_socket { accept listen };
 
-allow xm_t xend_runtime_t:dir rw_dir_perms;
+allow xm_t xen_runtime_t:dir rw_dir_perms;
 
 allow xm_t xen_lock_t:file manage_file_perms;
 files_lock_filetrans(xm_t, xen_lock_t, file)
 
-manage_files_pattern(xm_t, xend_var_log_t, xend_var_log_t)
+manage_files_pattern(xm_t, xen_log_t, xen_log_t)
 
-manage_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
-manage_fifo_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
-manage_sock_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
+manage_files_pattern(xm_t, xen_state_t, xen_state_t)
+manage_fifo_files_pattern(xm_t, xen_state_t, xen_state_t)
+manage_sock_files_pattern(xm_t, xen_state_t, xen_state_t)
 
 manage_files_pattern(xm_t, xen_image_t, xen_image_t)
 manage_blk_files_pattern(xm_t, xen_image_t, xen_image_t)
@@ -494,8 +282,6 @@ read_files_pattern(xm_t, xenstored_runtime_t, xenstored_runtime_t)
 
 xen_manage_image_dirs(xm_t)
 xen_append_log(xm_t)
-xen_domtrans(xm_t)
-xen_stream_connect(xm_t)
 xen_stream_connect_xenstore(xm_t)
 
 can_exec(xm_t, xm_exec_t)

