From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 3E140139694 for ; Sun, 30 Apr 2017 09:41:14 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 4A545E0CC2; Sun, 30 Apr 2017 09:40:54 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 1718BE0CC2 for ; Sun, 30 Apr 2017 09:40:49 +0000 (UTC) Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 054F33416B4 for ; Sun, 30 Apr 2017 09:40:43 +0000 (UTC) Received: from localhost.localdomain (localhost [IPv6:::1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 1C05D744D for ; Sun, 30 Apr 2017 09:40:40 +0000 (UTC) 
From: "Jason Zaman"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman"
Message-ID: <1493544071.2c0150452aa2f181971677e246b38487c7df8d75.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/contrib/apt.if policy/modules/contrib/apt.te policy/modules/contrib/cron.te policy/modules/contrib/mrtg.if policy/modules/contrib/mrtg.te policy/modules/contrib/rsync.te
X-VCS-Directories: policy/modules/contrib/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: 2c0150452aa2f181971677e246b38487c7df8d75
X-VCS-Branch: next
Date: Sun, 30 Apr 2017 09:40:40 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: 6193d7de-15be-4bb8-8cbd-cf3e15497ba7
X-Archives-Hash: 70c8a3134fd8f3502b57afea193b5e4c
Message-ID: <20170430094040.mFYNmGDYkVOTZv-9wTSPgh3zrPCuZBz32H0QZuZRLjc@z>

commit:     2c0150452aa2f181971677e246b38487c7df8d75
Author:     Chris PeBenito ieee org>
AuthorDate: Wed Apr 26 22:02:08 2017 +0000
Commit:     Jason Zaman gentoo org>
CommitDate: Sun Apr 30 09:21:11 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2c015045

some little misc things from Russell Coker.

This patch allows setfiles to use file handles inherited from apt (for dpkg postinst scripts), adds those rsync permissions that were rejected previously due to not using interfaces, allows fsadm_t to stat /run/mount/utab, and allows system_cronjob_t some access it requires (including net_admin for when it runs utilities that set buffers).
policy/modules/contrib/apt.if | 20 ++++++++++++++++++++ policy/modules/contrib/apt.te | 2 +- policy/modules/contrib/cron.te | 25 +++++++++++++++++++++---- policy/modules/contrib/mrtg.if | 18 ++++++++++++++++++ policy/modules/contrib/mrtg.te | 2 +- policy/modules/contrib/rsync.te | 4 +++- 6 files changed, 64 insertions(+), 7 deletions(-) diff --git a/policy/modules/contrib/apt.if b/policy/modules/contrib/apt.if index 0a1bc49f..568aa97d 100644 --- a/policy/modules/contrib/apt.if +++ b/policy/modules/contrib/apt.if @@ -176,6 +176,26 @@ interface(`apt_read_cache',` ######################################## ## +## Create, read, write, and delete apt package cache content. +## +## +## +## Domain allowed access. +## +## +# +interface(`apt_manage_cache',` + gen_require(` + type apt_var_cache_t; + ') + + files_search_var($1) + allow $1 apt_var_cache_t:dir manage_dir_perms; + allow $1 apt_var_cache_t:file manage_file_perms; +') + +######################################## +## ## Read apt package database content. ## ## diff --git a/policy/modules/contrib/apt.te b/policy/modules/contrib/apt.te index 05197c4c..dc6f09b1 100644 --- a/policy/modules/contrib/apt.te +++ b/policy/modules/contrib/apt.te @@ -1,4 +1,4 @@ -policy_module(apt, 1.10.1) +policy_module(apt, 1.10.2) ######################################## # diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te index 5cb7dac1..15e6bdb4 100644 --- a/policy/modules/contrib/cron.te +++ b/policy/modules/contrib/cron.te @@ -1,4 +1,4 @@ -policy_module(cron, 2.11.3) +policy_module(cron, 2.11.4) gen_require(` class passwd rootok; @@ -338,6 +338,13 @@ ifdef(`distro_debian',` allow crond_t self:process setrlimit; optional_policy(` + apt_manage_cache(system_cronjob_t) + apt_read_db(system_cronjob_t) + + dpkg_manage_db(system_cronjob_t) + ') + + optional_policy(` logwatch_search_cache_dir(crond_t) ') ') 
@@ -429,6 +436,7 @@ optional_policy(` systemd_write_inherited_logind_sessions_pipes(system_cronjob_t) # so cron jobs can restart daemons init_stream_connect(system_cronjob_t) + init_manage_script_service(system_cronjob_t) ') optional_policy(` @@ -440,7 +448,7 @@ optional_policy(` # System local policy # -allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_bind_service setgid setuid sys_nice }; +allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_admin net_bind_service setgid setuid sys_nice }; allow system_cronjob_t self:process { signal_perms getsched setsched }; allow system_cronjob_t self:fd use; allow system_cronjob_t self:fifo_file rw_fifo_file_perms; @@ -461,10 +469,11 @@ allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms; allow system_cronjob_t system_cronjob_lock_t:lnk_file manage_lnk_file_perms; files_lock_filetrans(system_cronjob_t, system_cronjob_lock_t, { file lnk_file }) +manage_dirs_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) manage_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file }) -files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file) +files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, { file dir }) manage_files_pattern(system_cronjob_t, system_cronjob_var_lib_t, system_cronjob_var_lib_t) @@ -475,7 +484,7 @@ allow system_cronjob_t crond_t:process sigchld; allow system_cronjob_t cron_spool_t:dir list_dir_perms; allow system_cronjob_t cron_spool_t:file rw_file_perms; -allow system_cronjob_t crond_tmp_t:file { read write }; +allow system_cronjob_t crond_tmp_t:file rw_inherited_file_perms; kernel_read_kernel_sysctls(system_cronjob_t) kernel_read_network_state(system_cronjob_t) 
@@ -560,10 +569,15 @@ tunable_policy(`cron_can_relabel',` ') optional_policy(` + acct_manage_data(system_cronjob_t) +') + +optional_policy(` apache_exec_modules(system_cronjob_t) apache_read_config(system_cronjob_t) apache_read_log(system_cronjob_t) apache_read_sys_content(system_cronjob_t) + apache_delete_lib_files(system_cronjob_t) ') optional_policy(` @@ -607,6 +621,7 @@ optional_policy(` optional_policy(` mrtg_append_create_logs(system_cronjob_t) + mrtg_read_config(system_cronjob_t) ') optional_policy(` @@ -649,6 +664,8 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms; allow cronjob_t self:unix_stream_socket create_stream_socket_perms; allow cronjob_t self:unix_dgram_socket create_socket_perms; +allow cronjob_t crond_tmp_t:file rw_inherited_file_perms; + kernel_read_system_state(cronjob_t) kernel_read_kernel_sysctls(cronjob_t) diff --git a/policy/modules/contrib/mrtg.if b/policy/modules/contrib/mrtg.if index 0a71bd89..b25b0894 100644 --- a/policy/modules/contrib/mrtg.if +++ b/policy/modules/contrib/mrtg.if @@ -2,6 +2,24 @@ ######################################## ## +## Read mrtg configuration +## +## +## +## Domain allowed access. +## +## +# +interface(`mrtg_read_config',` + gen_require(` + type mrtg_etc_t; + ') + + allow $1 mrtg_etc_t:file read_file_perms; +') + +######################################## +## ## Create and append mrtg log files. ## ## diff --git a/policy/modules/contrib/mrtg.te b/policy/modules/contrib/mrtg.te index 5126d9d5..96d48f37 100644 --- a/policy/modules/contrib/mrtg.te +++ b/policy/modules/contrib/mrtg.te @@ -1,4 +1,4 @@ -policy_module(mrtg, 1.11.0) +policy_module(mrtg, 1.11.1) ######################################## # diff --git a/policy/modules/contrib/rsync.te b/policy/modules/contrib/rsync.te index 2fce98b0..11c7041a 100644 --- a/policy/modules/contrib/rsync.te +++ b/policy/modules/contrib/rsync.te @@ -1,4 +1,4 @@ -policy_module(rsync, 1.15.0) +policy_module(rsync, 1.15.1) ######################################## # 
@@ -123,6 +123,8 @@ dev_read_urand(rsync_t) fs_getattr_all_fs(rsync_t) fs_search_auto_mountpoints(rsync_t) +files_getattr_all_pipes(rsync_t) +files_getattr_all_sockets(rsync_t) files_search_home(rsync_t) auth_can_read_shadow_passwords(rsync_t)
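Review bot: the commit message promises two changes that are not in this diff: "allows setfiles to use file handles inherited from apt" and "allows fsadm_t to stat /run/mount/utab". The diffstat lists only apt.if, apt.te, cron.te, mrtg.if, mrtg.te and rsync.te, and none of the hunks touches setfiles or fsadm_t. Either the missing hunks should be added to this commit or the message trimmed to describe what is actually here, otherwise a later reader auditing the policy will go looking for rules that were never merged.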
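Review bot: in the cron.te hunk at @@ -338,6 +338,13 @@ every system cron job on a distro_debian build gains manage access to the whole apt cache (apt_manage_cache) and the dpkg database (dpkg_manage_db), but nothing says which cron job needs it; the commit message only mentions apt in the context of dpkg postinst scripts. Add a comment above the new optional_policy block naming the job, as the file already does further down with "# so cron jobs can restart daemons", so the grant can be re-evaluated later rather than silently outliving its reason.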
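Review bot: the capability change in the cron.te hunk at @@ -440,7 +448,7 @@ adds net_admin to system_cronjob_t, a domain that runs arbitrary administrative scripts, and the only justification is the commit message's "utilities that set buffers". CAP_NET_ADMIN also covers interface, routing and firewall configuration, so it is a coarse grant for that purpose. Put the reason on the allow line as a comment, and check whether the utility in question tolerates the failed setsockopt, in which case a dontaudit on net_admin would silence the denial without widening the domain.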
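Review bot: in the cron.te hunk at @@ -461,10 +469,11 @@ the filetrans_pattern line still lists { file lnk_file } while manage_dirs_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) is added just above it and files_tmp_filetrans now covers { file dir }. A directory created by system_cronjob_t inside a crond_tmp_t directory will therefore keep the crond_tmp_t label instead of transitioning to system_cronjob_tmp_t. Suggest `filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { dir file lnk_file })` so the two transition rules agree with the new dir access.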
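Review bot: the new mrtg_read_config interface in the mrtg.if hunk grants only `allow $1 mrtg_etc_t:file read_file_perms;`, with no traversal of the path to it. The apt_manage_cache interface added in the same patch includes files_search_var($1); by the same convention this one should include files_search_etc($1), and if the mrtg configuration directory is itself labelled mrtg_etc_t the caller also needs a dir search or list rule on mrtg_etc_t, otherwise a domain such as system_cronjob_t that has no other /etc access will still be denied. Minor: the summary "Read mrtg configuration" is missing the trailing period that the neighbouring "Create and append mrtg log files." has.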
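Review bot: the rsync.te hunk at @@ -123,6 +123,8 @@ lands files_getattr_all_pipes(rsync_t) and files_getattr_all_sockets(rsync_t) without a comment, and the commit message only says they were previously rejected for not using interfaces, not why rsync needs them. If the need is that rsync stats every entry while walking a tree that contains pipes or sockets, say so on a comment line; if the goal is merely to stop denials for objects rsync then skips, a dontaudit would cover that without granting the access.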