commit: 606ce20297b1815ca6ea395c19c0471fdad55d46
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Apr 8 15:54:11 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Apr 8 15:54:11 2014 +0000
URL:
http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=606ce202
Remove merged code, reshuffle gentoo specific ones
---
policy/modules/admin/sudo.if | 5 --
policy/modules/kernel/devices.fc | 4 -
policy/modules/kernel/devices.if | 155 ++++++++++++++++++------------------
policy/modules/system/userdomain.if | 40 +++++-----
4 files changed, 99 insertions(+), 105 deletions(-)
diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index 07e5db8..d9114b3 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -160,11 +160,6 @@ template(`sudo_role_template',`
fprintd_dbus_chat($1_sudo_t)
')
- ifdef(`distro_gentoo',`
- # Massive amount of getattr denials but no mention in logs or
functional issues, so dontaudit it
- term_dontaudit_getattr_unallocated_ttys($1_sudo_t)
- ')
-
')
########################################
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
index 053cfa7..d6ebfcd 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -208,7 +208,3 @@ ifdef(`distro_redhat',`
/var/named/chroot/dev/random -c
gen_context(system_u:object_r:random_device_t,s0)
/var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0)
')
-
-ifdef(`distro_gentoo',`
-/sys/devices/system/cpu/online --
gen_context(system_u:object_r:cpu_online_t,s0)
-')
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 56dd021..8c14b43 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -588,25 +588,6 @@ interface(`dev_dontaudit_setattr_generic_chr_files',`
########################################
## <summary>
-## Setattr for generic character device files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access
-## </summary>
-## </param>
-#
-interface(`dev_setattr_generic_chr_files',`
- gen_require(`
- type device_t;
- ')
-
- allow $1 device_t:chr_file setattr;
-')
-
-
-########################################
-## <summary>
## Read generic character device files.
## </summary>
## <param name="domain">
@@ -3856,42 +3837,6 @@ interface(`dev_manage_smartcard',`
########################################
## <summary>
-## Get the attributes of sysfs filesystem
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`dev_getattr_sysfs_fs',`
- gen_require(`
- type sysfs_t;
- ')
-
- allow $1 sysfs_t:filesystem getattr;
-')
-
-########################################
-## <summary>
-## Do not audit getting the attributes of sysfs filesystem
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain to dontaudit access from
-## </summary>
-## </param>
-#
-interface(`dev_dontaudit_getattr_sysfs_fs',`
- gen_require(`
- type sysfs_t;
- ')
-
- dontaudit $1 sysfs_t:filesystem getattr;
-')
-
-########################################
-## <summary>
## Associate a file to a sysfs filesystem.
## </summary>
## <param name="file_type">
@@ -4038,26 +3983,6 @@ interface(`dev_manage_sysfs_dirs',`
########################################
## <summary>
-## Dont audit attempts to read hardware state information
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain for which the attempts do not need to be audited
-## </summary>
-## </param>
-#
-interface(`dev_dontaudit_read_sysfs',`
- gen_require(`
- type sysfs_t;
- ')
-
- dontaudit $1 sysfs_t:file read_file_perms;
- dontaudit $1 sysfs_t:dir list_dir_perms;
- dontaudit $1 sysfs_t:lnk_file read_lnk_file_perms;
-')
-
-########################################
-## <summary>
## Read hardware state information.
## </summary>
## <desc>
@@ -4947,11 +4872,11 @@ interface(`dev_read_cpu_online',`
type cpu_online_t;
')
+ allow $1 cpu_online_t:file read_file_perms;
+
dev_search_sysfs($1)
- read_files_pattern($1, cpu_online_t, cpu_online_t)
')
-
########################################
## <summary>
## Unconfined access to devices.
@@ -4974,6 +4899,82 @@ interface(`dev_unconfined',`
########################################
## <summary>
+## Dont audit attempts to read hardware state information
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain for which the attempts do not need to be audited
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_read_sysfs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ dontaudit $1 sysfs_t:file read_file_perms;
+ dontaudit $1 sysfs_t:dir list_dir_perms;
+ dontaudit $1 sysfs_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit getting the attributes of sysfs filesystem
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to dontaudit access from
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_getattr_sysfs_fs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ dontaudit $1 sysfs_t:filesystem getattr;
+')
+
+########################################
+## <summary>
+## Get the attributes of sysfs filesystem
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_getattr_sysfs_fs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ allow $1 sysfs_t:filesystem getattr;
+')
+
+
+########################################
+## <summary>
+## Setattr for generic character device files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`dev_setattr_generic_chr_files',`
+ gen_require(`
+ type device_t;
+ ')
+
+ allow $1 device_t:chr_file setattr;
+')
+
+
+########################################
+## <summary>
## Relabel cpu online hardware state information.
## </summary>
## <param name="domain">
diff --git a/policy/modules/system/userdomain.if
b/policy/modules/system/userdomain.if
index 822e21f..2f51389 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -243,9 +243,6 @@ interface(`userdom_manage_home_role',`
filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file
sock_file fifo_file })
files_list_home($2)
- miscfiles_manage_user_certs($2)
- miscfiles_relabel_user_certs($2)
-
# cjp: this should probably be removed:
allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
@@ -271,23 +268,28 @@ interface(`userdom_manage_home_role',`
fs_dontaudit_manage_cifs_files($2)
')
- optional_policy(`
- flash_manage_home($2)
- flash_relabel_home($2)
- ')
+ ifdef(`distro_gentoo',`
+ miscfiles_manage_user_certs($2)
+ miscfiles_relabel_user_certs($2)
- optional_policy(`
- xdg_manage_all_cache_home($2)
- xdg_manage_all_config_home($2)
- xdg_manage_all_data_home($2)
- xdg_manage_all_runtime_home($2)
- xdg_manage_downloads_home($2)
- xdg_manage_videos_home($2)
- xdg_relabel_all_cache_home($2)
- xdg_relabel_all_config_home($2)
- xdg_relabel_all_data_home($2)
- xdg_relabel_all_runtime_home($2)
- ')
+ optional_policy(`
+ flash_manage_home($2)
+ flash_relabel_home($2)
+ ')
+
+ optional_policy(`
+ xdg_manage_all_cache_home($2)
+ xdg_manage_all_config_home($2)
+ xdg_manage_all_data_home($2)
+ xdg_manage_all_runtime_home($2)
+ xdg_manage_downloads_home($2)
+ xdg_manage_videos_home($2)
+ xdg_relabel_all_cache_home($2)
+ xdg_relabel_all_config_home($2)
+ xdg_relabel_all_data_home($2)
+ xdg_relabel_all_runtime_home($2)
+ ')
+ ')
')
#######################################
