* [gentoo-commits] proj/hardened-refpolicy:bitcoin commit in: policy/modules/kernel/
@ 2014-11-11 14:23 Sven Vermeulen
0 siblings, 0 replies; 8+ messages in thread
From: Sven Vermeulen @ 2014-11-11 14:23 UTC
To: gentoo-commits
commit: ea33f9c5072845e60486b6584aca32458156806b
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Nov 11 14:22:23 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Nov 11 14:22:23 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ea33f9c5
Add bitcoin ports
---
policy/modules/kernel/corenetwork.te.in | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index a118109..5c6af72 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -93,6 +93,7 @@ network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0)
network_port(audit, tcp,60,s0)
network_port(auth, tcp,113,s0)
network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
+network_port(bitcoin, tcp,8332,s0, tcp,8333,s0)
network_port(boinc, tcp,31416,s0)
network_port(boinc_client, tcp,1043,s0, udp,1034,s0)
network_port(biff) # no defined portcon
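Review bot: on the added network_port(bitcoin, ...) line, tcp/8332 and tcp/8333 end up under a single bitcoin port type, although 8332 is bitcoind's default JSON-RPC port and 8333 its default peer-to-peer port. Any domain later allowed to bind or connect to that type gets both, so the policy cannot open the P2P listener while keeping the RPC interface restricted. Consider two declarations with separate types for the RPC and P2P ports, or say in the commit message that the shared type is intentional.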
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
@ 2014-11-22 18:24 Sven Vermeulen
2014-11-23 14:06 ` [gentoo-commits] proj/hardened-refpolicy:bitcoin " Sven Vermeulen
2014-11-28 10:04 ` [gentoo-commits] proj/hardened-refpolicy:next " Sven Vermeulen
0 siblings, 2 replies; 8+ messages in thread
From: Sven Vermeulen @ 2014-11-22 18:24 UTC
To: gentoo-commits
commit: f65b4a5c66cee88e554361b57195a47e21b90d9d
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Nov 22 18:04:38 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Nov 22 18:04:38 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f65b4a5c
Reshuffle to better match upstream
---
policy/modules/kernel/files.if | 285 ++++++++++++++++++++---------------------
1 file changed, 142 insertions(+), 143 deletions(-)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index fd1f8e9..dd16f74 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1450,7 +1450,6 @@ interface(`files_relabel_non_auth_files',`
# to allow files_relabel_non_auth_files to be an optional setting (tunable).
')
-
#############################################
## <summary>
## Manage all configuration directories on filesystem
@@ -1604,6 +1603,24 @@ interface(`files_setattr_all_mountpoints',`
########################################
## <summary>
+## Do not audit attempts to set the attributes on all mount points.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_setattr_all_mountpoints',`
+ gen_require(`
+ attribute mountpoint;
+ ')
+
+ dontaudit $1 mountpoint:dir setattr;
+')
+
+########################################
+## <summary>
## Search all mount points.
## </summary>
## <param name="domain">
@@ -1676,11 +1693,11 @@ interface(`files_dontaudit_list_all_mountpoints',`
########################################
## <summary>
-## Do not audit write attempts on mount points.
+## Do not audit attempts to write to mount points.
## </summary>
## <param name="domain">
## <summary>
-## Domain to ignore write attempts from
+## Domain to not audit.
## </summary>
## </param>
#
@@ -1694,24 +1711,6 @@ interface(`files_dontaudit_write_all_mountpoints',`
########################################
## <summary>
-## Do not audit setattr attempts on mount points.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain to ignore setattr attempts from
-## </summary>
-## </param>
-#
-interface(`files_dontaudit_setattr_all_mountpoints',`
- gen_require(`
- attribute mountpoint;
- ')
-
- dontaudit $1 mountpoint:dir setattr;
-')
-
-########################################
-## <summary>
## List the contents of the root directory.
## </summary>
## <param name="domain">
@@ -2669,25 +2668,6 @@ interface(`files_manage_etc_dirs',`
########################################
## <summary>
-## Do not audit attempts to read files
-## in /etc
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain to not audit.
-## </summary>
-## </param>
-#
-interface(`files_dontaudit_read_etc_files',`
- gen_require(`
- type etc_t;
- ')
-
- dontaudit $1 etc_t:file { getattr read };
-')
-
-########################################
-## <summary>
## Read generic files in /etc.
## </summary>
## <desc>
@@ -3003,24 +2983,6 @@ interface(`files_dontaudit_setattr_etc_runtime_files',`
########################################
## <summary>
-## Do not audit attempts to read etc_runtime resources
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`files_dontaudit_read_etc_runtime',`
- gen_require(`
- type etc_runtime_t;
- ')
-
- dontaudit $1 etc_runtime_t:file read_file_perms;
-')
-
-########################################
-## <summary>
## Read files in /etc that are dynamically
## created on boot, such as mtab.
## </summary>
@@ -3142,26 +3104,6 @@ interface(`files_manage_etc_runtime_files',`
########################################
## <summary>
-## Create, read, write, and delete symbolic links in
-## /etc that are dynamically created on boot.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`files_manage_etc_runtime_lnk_files',`
- gen_require(`
- type etc_t, etc_runtime_t;
- ')
-
- manage_lnk_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
-')
-
-########################################
-## <summary>
## Create, etc runtime objects with an automatic
## type transition.
## </summary>
@@ -5660,6 +5602,24 @@ interface(`files_manage_mounttab',`
########################################
## <summary>
+## Set the attributes of the generic lock directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_setattr_lock_dirs',`
+ gen_require(`
+ type var_t, var_lock_t;
+ ')
+
+ setattr_dirs_pattern($1, var_t, var_lock_t)
+')
+
+########################################
+## <summary>
## Search the locks directory (/var/lock).
## </summary>
## <param name="domain">
@@ -5738,11 +5698,11 @@ interface(`files_rw_lock_dirs',`
########################################
## <summary>
-## Create lock directories.
+## Create lock directories
## </summary>
## <param name="domain">
-## <summary>
-## Domain allowed access.
+## <summary>
+## Domain allowed access
## </summary>
## </param>
#
@@ -5756,7 +5716,6 @@ interface(`files_create_lock_dirs',`
create_dirs_pattern($1, var_lock_t, var_lock_t)
')
-
########################################
## <summary>
## Relabel to and from all lock directory types.
@@ -5802,24 +5761,6 @@ interface(`files_getattr_generic_locks',`
########################################
## <summary>
-## Set the attributes of generic lock directories
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`files_setattr_lock_dirs',`
- gen_require(`
- type var_t, var_lock_t;
- ')
-
- setattr_dirs_pattern($1, var_t, var_lock_t)
-')
-
-########################################
-## <summary>
## Delete generic lock files.
## </summary>
## <param name="domain">
@@ -6101,29 +6042,6 @@ interface(`files_write_generic_pid_pipes',`
allow $1 var_run_t:lnk_file read_lnk_file_perms;
allow $1 var_run_t:fifo_file write;
')
-########################################
-## <summary>
-## Write dirs in /var/run with the lock file type
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="name" optional="true">
-## <summary>
-## Name of the directory that the file transition will work on
-## </summary>
-## </param>
-#
-interface(`files_pid_filetrans_lock_dir',`
- gen_require(`
- type var_t, var_run_t;
- ')
-
- files_pid_filetrans($1, var_lock_t, dir, $2)
-')
-
########################################
## <summary>
@@ -6189,6 +6107,29 @@ interface(`files_pid_filetrans',`
########################################
## <summary>
+## Create a generic lock directory within the run directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`files_pid_filetrans_lock_dir',`
+ gen_require(`
+ type var_lock_t;
+ ')
+
+ files_pid_filetrans($1, var_lock_t, dir, $2)
+')
+
+########################################
+## <summary>
## Read and write generic process ID files.
## </summary>
## <param name="domain">
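Review bot: files_pid_filetrans_lock_dir is not moved verbatim. The removed copy declared `type var_t, var_run_t;` in its gen_require, while the re-added one declares `type var_lock_t;`, which is the type the files_pid_filetrans($1, var_lock_t, dir, $2) call actually references. That is a functional correction, since the old block never required var_lock_t, so it deserves a line in the commit message or its own commit rather than riding along under "Reshuffle to better match upstream".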
@@ -6291,26 +6232,6 @@ interface(`files_read_all_pids',`
########################################
## <summary>
-## Create PID directories.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`files_create_pid_dirs',`
- gen_require(`
- type var_t, var_run_t;
- ')
-
- allow $1 var_t:dir search_dir_perms;
- allow $1 var_run_t:lnk_file read_lnk_file_perms;
- create_dirs_pattern($1, var_run_t, var_run_t)
-')
-
-########################################
-## <summary>
## Delete all process IDs.
## </summary>
## <param name="domain">
@@ -6623,6 +6544,84 @@ interface(`files_unconfined',`
# should be in an ifdef distro_gentoo but cannot do so for interfaces
+########################################
+## <summary>
+## Create PID directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_create_pid_dirs',`
+ gen_require(`
+ type var_t, var_run_t;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+ allow $1 var_run_t:lnk_file read_lnk_file_perms;
+ create_dirs_pattern($1, var_run_t, var_run_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete symbolic links in
+## /etc that are dynamically created on boot.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_manage_etc_runtime_lnk_files',`
+ gen_require(`
+ type etc_t, etc_runtime_t;
+ ')
+
+ manage_lnk_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read etc_runtime resources
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_read_etc_runtime',`
+ gen_require(`
+ type etc_runtime_t;
+ ')
+
+ dontaudit $1 etc_runtime_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read files
+## in /etc
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_read_etc_files',`
+ gen_require(`
+ type etc_t;
+ ')
+
+ dontaudit $1 etc_t:file { getattr read };
+')
+
+
#########################################
## <summary>
## List usr/src files
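Review bot: in the re-added files_dontaudit_read_etc_runtime, the parameter summary still reads "Domain allowed access." although the body only emits `dontaudit $1 etc_runtime_t:file read_file_perms;`. It should say "Domain to not audit.", as files_dontaudit_read_etc_files directly below it does, so that nobody reads this as an interface that grants access. The block also ends with two added blank lines before the next header where one would do.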
* [gentoo-commits] proj/hardened-refpolicy:bitcoin commit in: policy/modules/kernel/
2014-11-22 17:43 [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
@ 2014-11-23 14:06 ` Sven Vermeulen
0 siblings, 0 replies; 8+ messages in thread
From: Sven Vermeulen @ 2014-11-23 14:06 UTC
To: gentoo-commits
commit: 8379e35ded31dd45bffe5357bd3e95f6e2c17455
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Nov 22 17:42:58 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Nov 22 17:42:58 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=8379e35d
Use same whitespace as upstream (better comparison)
---
policy/modules/kernel/corecommands.fc | 37 +++++++++++++++++------------------
1 file changed, 18 insertions(+), 19 deletions(-)
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index d63b547..406a11e 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -77,6 +77,7 @@ ifdef(`distro_redhat',`
ifdef(`distro_redhat',`
/etc/mcelog/triggers(/.*)? gen_context(system_u:object_r:bin_t,s0)
')
+
/etc/mgetty\+sendfax/new_fax -- gen_context(system_u:object_r:bin_t,s0)
/etc/netplug\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -193,7 +194,6 @@ ifdef(`distro_gentoo',`
/usr/bin/scponly -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/bin/tcsh -- gen_context(system_u:object_r:shell_exec_t,s0)
-
/usr/lib(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -261,12 +261,12 @@ ifdef(`distro_gentoo',`
/usr/lib/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib/[^/]*thunderbird[^/]*/thunderbird -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib/[^/]*thunderbird[^/]*/thunderbird-bin -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib/[^/]*thunderbird[^/]*/open-browser\.sh -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib/[^/]*/run-mozilla\.sh -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/[^/]*thunderbird[^/]*/thunderbird -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/[^/]*thunderbird[^/]*/thunderbird-bin -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/[^/]*thunderbird[^/]*/open-browser\.sh -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/[^/]*/run-mozilla\.sh -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/nspluginwrapper/i386/linux/npviewer.bin -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/nspluginwrapper/i386/linux/npviewer -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/lib/xulrunner-.*/plugin-container -- gen_context(system_u:object_r:bin_t,s0)
@@ -283,15 +283,14 @@ ifdef(`distro_gentoo',`
/usr/local/Printer(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/local/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0)
-
/usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/share/ajaxterm/ajaxterm.py.* -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/ajaxterm/qweb.py.* -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/ajaxterm/qweb.py.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/build-1/mkdir.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/dayplanner/dayplanner -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/debconf/.+ -- gen_context(system_u:object_r:bin_t,s0)
@@ -302,14 +301,14 @@ ifdef(`distro_gentoo',`
/usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/cvs/contrib/rcs2log -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/e16/misc(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/usr/share/gitolite/hooks/common/update -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/share/gitolite/hooks/common/update -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/gitolite/hooks/gitolite-admin/post-update -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/GNUstep/Makefiles/*\.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/GNUstep/Makefiles/mkinstalldirs -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/hal/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/mc/extfs/.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/Modules/init(/.*)? gen_context(system_u:object_r:bin_t,s0)
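Review bot: not part of the whitespace change, but the context line `/usr/share/GNUstep/Makefiles/*\.sh` in this hunk reads like a shell glob rather than a regular expression: `/*` matches zero or more slashes, so the entry does not cover a script such as Makefiles/foo.sh. If the scripts in that directory are the intent, `/usr/share/GNUstep/Makefiles/[^/]*\.sh` would express it, in the same form this file already uses for /usr/share/apr-0/build/[^/]+\.sh. Since the goal of the commit is parity with upstream, the fix belongs upstream first.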
@@ -328,9 +327,9 @@ ifdef(`distro_gentoo',`
/usr/X11R6/lib(64)?/X11/xkb/xkbcomp -- gen_context(system_u:object_r:bin_t,s0)
ifdef(`distro_debian',`
-/usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib/gdm3/.* -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib/udisks/.* -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/gdm3/.* -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/udisks/.* -- gen_context(system_u:object_r:bin_t,s0)
')
ifdef(`distro_gentoo', `
@@ -397,7 +396,7 @@ ifdef(`distro_redhat', `
ifdef(`distro_suse', `
/usr/lib/cron/run-crons -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/samba/classic/.* -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib/ssh/.* -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/ssh/.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/apache2/[^/]* -- gen_context(system_u:object_r:bin_t,s0)
')
* [gentoo-commits] proj/hardened-refpolicy:bitcoin commit in: policy/modules/kernel/
2014-11-22 17:43 [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
@ 2014-11-23 14:06 ` Sven Vermeulen
0 siblings, 0 replies; 8+ messages in thread
From: Sven Vermeulen @ 2014-11-23 14:06 UTC
To: gentoo-commits
commit: 2773893962d4db7159e88a38b0bf3528af35a1ea
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Nov 22 17:34:21 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Nov 22 17:34:21 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=27738939
Remove trailing space (messed up comparison with upstream)
---
policy/modules/kernel/corecommands.fc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 58b5a6e..d63b547 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -243,7 +243,7 @@ ifdef(`distro_gentoo',`
/usr/lib/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/sudo/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/lib/tumbler-1/tumblerd -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib/vte/gnome-pty-helper -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/vte/gnome-pty-helper -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/exo-1/exo-helper-1 -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/panel/migrate -- gen_context(system_u:object_r:bin_t,s0)
* [gentoo-commits] proj/hardened-refpolicy:bitcoin commit in: policy/modules/kernel/
2014-11-22 18:24 [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/ Sven Vermeulen
@ 2014-11-23 14:06 ` Sven Vermeulen
2014-11-28 10:04 ` [gentoo-commits] proj/hardened-refpolicy:next " Sven Vermeulen
1 sibling, 0 replies; 8+ messages in thread
From: Sven Vermeulen @ 2014-11-23 14:06 UTC
To: gentoo-commits
commit: f65b4a5c66cee88e554361b57195a47e21b90d9d
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Nov 22 18:04:38 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Nov 22 18:04:38 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f65b4a5c
Reshuffle to better match upstream
---
policy/modules/kernel/files.if | 285 ++++++++++++++++++++---------------------
1 file changed, 142 insertions(+), 143 deletions(-)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index fd1f8e9..dd16f74 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1450,7 +1450,6 @@ interface(`files_relabel_non_auth_files',`
# to allow files_relabel_non_auth_files to be an optional setting (tunable).
')
-
#############################################
## <summary>
## Manage all configuration directories on filesystem
@@ -1604,6 +1603,24 @@ interface(`files_setattr_all_mountpoints',`
########################################
## <summary>
+## Do not audit attempts to set the attributes on all mount points.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_setattr_all_mountpoints',`
+ gen_require(`
+ attribute mountpoint;
+ ')
+
+ dontaudit $1 mountpoint:dir setattr;
+')
+
+########################################
+## <summary>
## Search all mount points.
## </summary>
## <param name="domain">
@@ -1676,11 +1693,11 @@ interface(`files_dontaudit_list_all_mountpoints',`
########################################
## <summary>
-## Do not audit write attempts on mount points.
+## Do not audit attempts to write to mount points.
## </summary>
## <param name="domain">
## <summary>
-## Domain to ignore write attempts from
+## Domain to not audit.
## </summary>
## </param>
#
@@ -1694,24 +1711,6 @@ interface(`files_dontaudit_write_all_mountpoints',`
########################################
## <summary>
-## Do not audit setattr attempts on mount points.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain to ignore setattr attempts from
-## </summary>
-## </param>
-#
-interface(`files_dontaudit_setattr_all_mountpoints',`
- gen_require(`
- attribute mountpoint;
- ')
-
- dontaudit $1 mountpoint:dir setattr;
-')
-
-########################################
-## <summary>
## List the contents of the root directory.
## </summary>
## <param name="domain">
@@ -2669,25 +2668,6 @@ interface(`files_manage_etc_dirs',`
########################################
## <summary>
-## Do not audit attempts to read files
-## in /etc
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain to not audit.
-## </summary>
-## </param>
-#
-interface(`files_dontaudit_read_etc_files',`
- gen_require(`
- type etc_t;
- ')
-
- dontaudit $1 etc_t:file { getattr read };
-')
-
-########################################
-## <summary>
## Read generic files in /etc.
## </summary>
## <desc>
@@ -3003,24 +2983,6 @@ interface(`files_dontaudit_setattr_etc_runtime_files',`
########################################
## <summary>
-## Do not audit attempts to read etc_runtime resources
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`files_dontaudit_read_etc_runtime',`
- gen_require(`
- type etc_runtime_t;
- ')
-
- dontaudit $1 etc_runtime_t:file read_file_perms;
-')
-
-########################################
-## <summary>
## Read files in /etc that are dynamically
## created on boot, such as mtab.
## </summary>
@@ -3142,26 +3104,6 @@ interface(`files_manage_etc_runtime_files',`
########################################
## <summary>
-## Create, read, write, and delete symbolic links in
-## /etc that are dynamically created on boot.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`files_manage_etc_runtime_lnk_files',`
- gen_require(`
- type etc_t, etc_runtime_t;
- ')
-
- manage_lnk_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
-')
-
-########################################
-## <summary>
## Create, etc runtime objects with an automatic
## type transition.
## </summary>
@@ -5660,6 +5602,24 @@ interface(`files_manage_mounttab',`
########################################
## <summary>
+## Set the attributes of the generic lock directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_setattr_lock_dirs',`
+ gen_require(`
+ type var_t, var_lock_t;
+ ')
+
+ setattr_dirs_pattern($1, var_t, var_lock_t)
+')
+
+########################################
+## <summary>
## Search the locks directory (/var/lock).
## </summary>
## <param name="domain">
@@ -5738,11 +5698,11 @@ interface(`files_rw_lock_dirs',`
########################################
## <summary>
-## Create lock directories.
+## Create lock directories
## </summary>
## <param name="domain">
-## <summary>
-## Domain allowed access.
+## <summary>
+## Domain allowed access
## </summary>
## </param>
#
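Review bot: the summary and parameter text of files_create_lock_dirs lose their trailing periods in this hunk ("Create lock directories", "Domain allowed access"), while the other interfaces touched by this patch keep them ("Domain allowed access.", "Domain to not audit."). If this only mirrors upstream it helps diffing, but the inconsistency is better fixed upstream than carried here; otherwise keep the periods.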
@@ -5756,7 +5716,6 @@ interface(`files_create_lock_dirs',`
create_dirs_pattern($1, var_lock_t, var_lock_t)
')
-
########################################
## <summary>
## Relabel to and from all lock directory types.
@@ -5802,24 +5761,6 @@ interface(`files_getattr_generic_locks',`
########################################
## <summary>
-## Set the attributes of generic lock directories
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`files_setattr_lock_dirs',`
- gen_require(`
- type var_t, var_lock_t;
- ')
-
- setattr_dirs_pattern($1, var_t, var_lock_t)
-')
-
-########################################
-## <summary>
## Delete generic lock files.
## </summary>
## <param name="domain">
@@ -6101,29 +6042,6 @@ interface(`files_write_generic_pid_pipes',`
allow $1 var_run_t:lnk_file read_lnk_file_perms;
allow $1 var_run_t:fifo_file write;
')
-########################################
-## <summary>
-## Write dirs in /var/run with the lock file type
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="name" optional="true">
-## <summary>
-## Name of the directory that the file transition will work on
-## </summary>
-## </param>
-#
-interface(`files_pid_filetrans_lock_dir',`
- gen_require(`
- type var_t, var_run_t;
- ')
-
- files_pid_filetrans($1, var_lock_t, dir, $2)
-')
-
########################################
## <summary>
@@ -6189,6 +6107,29 @@ interface(`files_pid_filetrans',`
########################################
## <summary>
+## Create a generic lock directory within the run directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`files_pid_filetrans_lock_dir',`
+ gen_require(`
+ type var_lock_t;
+ ')
+
+ files_pid_filetrans($1, var_lock_t, dir, $2)
+')
+
+########################################
+## <summary>
## Read and write generic process ID files.
## </summary>
## <param name="domain">
@@ -6291,26 +6232,6 @@ interface(`files_read_all_pids',`
########################################
## <summary>
-## Create PID directories.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`files_create_pid_dirs',`
- gen_require(`
- type var_t, var_run_t;
- ')
-
- allow $1 var_t:dir search_dir_perms;
- allow $1 var_run_t:lnk_file read_lnk_file_perms;
- create_dirs_pattern($1, var_run_t, var_run_t)
-')
-
-########################################
-## <summary>
## Delete all process IDs.
## </summary>
## <param name="domain">
@@ -6623,6 +6544,84 @@ interface(`files_unconfined',`
# should be in an ifdef distro_gentoo but cannot do so for interfaces
+########################################
+## <summary>
+## Create PID directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_create_pid_dirs',`
+ gen_require(`
+ type var_t, var_run_t;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+ allow $1 var_run_t:lnk_file read_lnk_file_perms;
+ create_dirs_pattern($1, var_run_t, var_run_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete symbolic links in
+## /etc that are dynamically created on boot.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_manage_etc_runtime_lnk_files',`
+ gen_require(`
+ type etc_t, etc_runtime_t;
+ ')
+
+ manage_lnk_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read etc_runtime resources
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_read_etc_runtime',`
+ gen_require(`
+ type etc_runtime_t;
+ ')
+
+ dontaudit $1 etc_runtime_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read files
+## in /etc
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_read_etc_files',`
+ gen_require(`
+ type etc_t;
+ ')
+
+ dontaudit $1 etc_t:file { getattr read };
+')
+
+
#########################################
## <summary>
## List usr/src files
* [gentoo-commits] proj/hardened-refpolicy:bitcoin commit in: policy/modules/kernel/
@ 2014-11-23 14:06 Sven Vermeulen
0 siblings, 0 replies; 8+ messages in thread
From: Sven Vermeulen @ 2014-11-23 14:06 UTC
To: gentoo-commits
commit: 4bc28deb133ceea1ad0b9d38866aa4dcca5de458
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Nov 11 14:22:23 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Nov 23 14:05:12 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=4bc28deb
Add bitcoin ports
---
policy/modules/kernel/corenetwork.te.in | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index a118109..5c6af72 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -93,6 +93,7 @@ network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0)
network_port(audit, tcp,60,s0)
network_port(auth, tcp,113,s0)
network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
+network_port(bitcoin, tcp,8332,s0, tcp,8333,s0)
network_port(boinc, tcp,31416,s0)
network_port(boinc_client, tcp,1043,s0, udp,1034,s0)
network_port(biff) # no defined portcon
* [gentoo-commits] proj/hardened-refpolicy:bitcoin commit in: policy/modules/kernel/
2014-11-28 10:04 Sven Vermeulen
@ 2014-11-23 14:06 ` Sven Vermeulen
0 siblings, 0 replies; 8+ messages in thread
From: Sven Vermeulen @ 2014-11-23 14:06 UTC
To: gentoo-commits
commit: 0b661b0c7e5a893fdf7697930e3dcaf8bcf55cee
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Nov 22 18:10:09 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Nov 22 18:10:09 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=0b661b0c
Match whitespace with upstream
---
policy/modules/kernel/terminal.if | 1 -
1 file changed, 1 deletion(-)
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
index 9f6d7c3..cbb729b 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -1531,4 +1531,3 @@ interface(`term_use_virtio_console',`
dev_list_all_dev_nodes($1)
allow $1 virtio_device_t:chr_file rw_term_perms;
')
-
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/
2014-11-22 18:24 [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/ Sven Vermeulen
2014-11-23 14:06 ` [gentoo-commits] proj/hardened-refpolicy:bitcoin " Sven Vermeulen
@ 2014-11-28 10:04 ` Sven Vermeulen
1 sibling, 0 replies; 8+ messages in thread
From: Sven Vermeulen @ 2014-11-28 10:04 UTC
To: gentoo-commits
commit: f65b4a5c66cee88e554361b57195a47e21b90d9d
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Nov 22 18:04:38 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Nov 22 18:04:38 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f65b4a5c
Reshuffle to better match upstream
---
policy/modules/kernel/files.if | 285 ++++++++++++++++++++---------------------
1 file changed, 142 insertions(+), 143 deletions(-)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index fd1f8e9..dd16f74 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1450,7 +1450,6 @@ interface(`files_relabel_non_auth_files',`
# to allow files_relabel_non_auth_files to be an optional setting (tunable).
')
-
#############################################
## <summary>
## Manage all configuration directories on filesystem
@@ -1604,6 +1603,24 @@ interface(`files_setattr_all_mountpoints',`
########################################
## <summary>
+## Do not audit attempts to set the attributes on all mount points.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_setattr_all_mountpoints',`
+ gen_require(`
+ attribute mountpoint;
+ ')
+
+ dontaudit $1 mountpoint:dir setattr;
+')
+
+########################################
+## <summary>
## Search all mount points.
## </summary>
## <param name="domain">
@@ -1676,11 +1693,11 @@ interface(`files_dontaudit_list_all_mountpoints',`
########################################
## <summary>
-## Do not audit write attempts on mount points.
+## Do not audit attempts to write to mount points.
## </summary>
## <param name="domain">
## <summary>
-## Domain to ignore write attempts from
+## Domain to not audit.
## </summary>
## </param>
#
@@ -1694,24 +1711,6 @@ interface(`files_dontaudit_write_all_mountpoints',`
########################################
## <summary>
-## Do not audit setattr attempts on mount points.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain to ignore setattr attempts from
-## </summary>
-## </param>
-#
-interface(`files_dontaudit_setattr_all_mountpoints',`
- gen_require(`
- attribute mountpoint;
- ')
-
- dontaudit $1 mountpoint:dir setattr;
-')
-
-########################################
-## <summary>
## List the contents of the root directory.
## </summary>
## <param name="domain">
@@ -2669,25 +2668,6 @@ interface(`files_manage_etc_dirs',`
########################################
## <summary>
-## Do not audit attempts to read files
-## in /etc
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain to not audit.
-## </summary>
-## </param>
-#
-interface(`files_dontaudit_read_etc_files',`
- gen_require(`
- type etc_t;
- ')
-
- dontaudit $1 etc_t:file { getattr read };
-')
-
-########################################
-## <summary>
## Read generic files in /etc.
## </summary>
## <desc>
@@ -3003,24 +2983,6 @@ interface(`files_dontaudit_setattr_etc_runtime_files',`
########################################
## <summary>
-## Do not audit attempts to read etc_runtime resources
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`files_dontaudit_read_etc_runtime',`
- gen_require(`
- type etc_runtime_t;
- ')
-
- dontaudit $1 etc_runtime_t:file read_file_perms;
-')
-
-########################################
-## <summary>
## Read files in /etc that are dynamically
## created on boot, such as mtab.
## </summary>
@@ -3142,26 +3104,6 @@ interface(`files_manage_etc_runtime_files',`
########################################
## <summary>
-## Create, read, write, and delete symbolic links in
-## /etc that are dynamically created on boot.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`files_manage_etc_runtime_lnk_files',`
- gen_require(`
- type etc_t, etc_runtime_t;
- ')
-
- manage_lnk_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
-')
-
-########################################
-## <summary>
## Create, etc runtime objects with an automatic
## type transition.
## </summary>
@@ -5660,6 +5602,24 @@ interface(`files_manage_mounttab',`
########################################
## <summary>
+## Set the attributes of the generic lock directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_setattr_lock_dirs',`
+ gen_require(`
+ type var_t, var_lock_t;
+ ')
+
+ setattr_dirs_pattern($1, var_t, var_lock_t)
+')
+
+########################################
+## <summary>
## Search the locks directory (/var/lock).
## </summary>
## <param name="domain">
@@ -5738,11 +5698,11 @@ interface(`files_rw_lock_dirs',`
########################################
## <summary>
-## Create lock directories.
+## Create lock directories
## </summary>
## <param name="domain">
-## <summary>
-## Domain allowed access.
+## <summary>
+## Domain allowed access
## </summary>
## </param>
#
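Review bot: in the files_create_lock_dirs header the summary and parameter text lose their trailing periods ("Create lock directories", "Domain allowed access"), while the other interface headers in this file keep them ("Domain allowed access."). If the only reason is to mirror upstream, it would be cleaner to fix the wording upstream and keep the periods here, so the generated interface documentation stays consistent.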
@@ -5756,7 +5716,6 @@ interface(`files_create_lock_dirs',`
create_dirs_pattern($1, var_lock_t, var_lock_t)
')
-
########################################
## <summary>
## Relabel to and from all lock directory types.
@@ -5802,24 +5761,6 @@ interface(`files_getattr_generic_locks',`
########################################
## <summary>
-## Set the attributes of generic lock directories
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`files_setattr_lock_dirs',`
- gen_require(`
- type var_t, var_lock_t;
- ')
-
- setattr_dirs_pattern($1, var_t, var_lock_t)
-')
-
-########################################
-## <summary>
## Delete generic lock files.
## </summary>
## <param name="domain">
@@ -6101,29 +6042,6 @@ interface(`files_write_generic_pid_pipes',`
allow $1 var_run_t:lnk_file read_lnk_file_perms;
allow $1 var_run_t:fifo_file write;
')
-########################################
-## <summary>
-## Write dirs in /var/run with the lock file type
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="name" optional="true">
-## <summary>
-## Name of the directory that the file transition will work on
-## </summary>
-## </param>
-#
-interface(`files_pid_filetrans_lock_dir',`
- gen_require(`
- type var_t, var_run_t;
- ')
-
- files_pid_filetrans($1, var_lock_t, dir, $2)
-')
-
########################################
## <summary>
@@ -6189,6 +6107,29 @@ interface(`files_pid_filetrans',`
########################################
## <summary>
+## Create a generic lock directory within the run directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`files_pid_filetrans_lock_dir',`
+ gen_require(`
+ type var_lock_t;
+ ')
+
+ files_pid_filetrans($1, var_lock_t, dir, $2)
+')
+
+########################################
+## <summary>
## Read and write generic process ID files.
## </summary>
## <param name="domain">
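Review bot: the gen_require in the re-added files_pid_filetrans_lock_dir now declares `type var_lock_t;` where the removed copy had `type var_t, var_run_t;`. The new declaration is the correct one, since var_lock_t is the only type the body names, but it is a functional fix inside a commit described as a reshuffle. Mention it in the commit message or split it into its own commit so the change is visible in history.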
@@ -6291,26 +6232,6 @@ interface(`files_read_all_pids',`
########################################
## <summary>
-## Create PID directories.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`files_create_pid_dirs',`
- gen_require(`
- type var_t, var_run_t;
- ')
-
- allow $1 var_t:dir search_dir_perms;
- allow $1 var_run_t:lnk_file read_lnk_file_perms;
- create_dirs_pattern($1, var_run_t, var_run_t)
-')
-
-########################################
-## <summary>
## Delete all process IDs.
## </summary>
## <param name="domain">
@@ -6623,6 +6544,84 @@ interface(`files_unconfined',`
# should be in an ifdef distro_gentoo but cannot do so for interfaces
+########################################
+## <summary>
+## Create PID directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_create_pid_dirs',`
+ gen_require(`
+ type var_t, var_run_t;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+ allow $1 var_run_t:lnk_file read_lnk_file_perms;
+ create_dirs_pattern($1, var_run_t, var_run_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete symbolic links in
+## /etc that are dynamically created on boot.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_manage_etc_runtime_lnk_files',`
+ gen_require(`
+ type etc_t, etc_runtime_t;
+ ')
+
+ manage_lnk_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read etc_runtime resources
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_read_etc_runtime',`
+ gen_require(`
+ type etc_runtime_t;
+ ')
+
+ dontaudit $1 etc_runtime_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read files
+## in /etc
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_read_etc_files',`
+ gen_require(`
+ type etc_t;
+ ')
+
+ dontaudit $1 etc_t:file { getattr read };
+')
+
+
#########################################
## <summary>
## List usr/src files
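Review bot: files_dontaudit_read_etc_runtime documents its parameter as "Domain allowed access.", but the interface only emits a dontaudit rule and grants nothing. Use "Domain to not audit.", as files_dontaudit_read_etc_files directly below it does. These interfaces suppress denial logging for reads of etc_runtime_t and etc_t files, so the description should make that clear to anyone reviewing which domains have denials hidden.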