commit: afab42b034aed2e4f893b46d6e60bb0c0d0aeaff
Author: Rahul Sandhu <nvraxn <AT> gmail <DOT> com>
AuthorDate: Mon Jun 23 16:31:16 2025 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Jul 15 08:10:06 2025 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=afab42b0
contrib: gorg: drop policy module
gorg is not packaged in ::gentoo, and its policy module is not upstreamed.
Signed-off-by: Rahul Sandhu <nvraxn <AT> gmail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
doc/policy.xml | 18 -----------
policy/modules.conf | 7 -----
policy/modules/contrib/gorg.fc | 3 --
policy/modules/contrib/gorg.if | 34 --------------------
policy/modules/contrib/gorg.te | 63 --------------------------------------
policy/modules/roles/staff.te | 4 ---
policy/modules/roles/sysadm.te | 4 ---
policy/modules/roles/unprivuser.te | 4 ---
8 files changed, 137 deletions(-)
diff --git a/doc/policy.xml b/doc/policy.xml
index f0bb57aba..ae24b1638 100644
--- a/doc/policy.xml
+++ b/doc/policy.xml
@@ -9197,24 +9197,6 @@ Grant the dropbox domains manage rights on all user
content
</desc>
</tunable>
</module>
-<module name="gorg" filename="policy/modules/contrib/gorg.if">
-<summary>Policy for gorg</summary>
-<interface name="gorg_role" lineno="18">
-<summary>
-Role access for gorg
-</summary>
-<param name="role">
-<summary>
-Role allowed access
-</summary>
-</param>
-<param name="domain">
-<summary>
-User domain for the role
-</summary>
-</param>
-</interface>
-</module>
<module name="kdeconnect" filename="policy/modules/contrib/kdeconnect.if">
<summary>policy for kdeconnect</summary>
<interface name="kdeconnect_domtrans" lineno="13">
diff --git a/policy/modules.conf b/policy/modules.conf
index 71e640f37..67318cc26 100644
--- a/policy/modules.conf
+++ b/policy/modules.conf
@@ -868,13 +868,6 @@ dracut = module
#
dropbox = module
-# Layer: contrib
-# Module: gorg
-#
-# Policy for gorg
-#
-gorg = module
-
# Layer: contrib
# Module: kdeconnect
#
diff --git a/policy/modules/contrib/gorg.fc b/policy/modules/contrib/gorg.fc
deleted file mode 100644
index bbf5693a1..000000000
--- a/policy/modules/contrib/gorg.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-/etc/gorg(/.*)?
gen_context(system_u:object_r:gorg_config_t,s0)
-/var/cache/gorg(/.*)?
gen_context(system_u:object_r:gorg_cache_t,s0)
-/usr/bin/gorg --
gen_context(system_u:object_r:gorg_exec_t,s0)
diff --git a/policy/modules/contrib/gorg.if b/policy/modules/contrib/gorg.if
deleted file mode 100644
index 6c5969c19..000000000
--- a/policy/modules/contrib/gorg.if
+++ /dev/null
@@ -1,34 +0,0 @@
-## <summary>Policy for gorg</summary>
-
-#######################################
-## <summary>
-## Role access for gorg
-## </summary>
-## <param name="role">
-## <summary>
-## Role allowed access
-## </summary>
-## </param>
-## <param name="domain">
-## <summary>
-## User domain for the role
-## </summary>
-## </param>
-#
-interface(`gorg_role',`
- gen_require(`
- type gorg_t, gorg_exec_t;
- ')
-
- role $1 types gorg_t;
-
- domain_auto_transition_pattern($2, gorg_exec_t, gorg_t)
- allow $2 gorg_t:process { noatsecure siginh rlimitinh };
- allow gorg_t $2:fd use;
- allow gorg_t $2:process { sigchld signull };
-
- ps_process_pattern($2, gorg_t)
- allow $2 gorg_t:process signal_perms;
- # Needed for command-usage (pipe)
- allow gorg_t $2:fifo_file write;
-')
diff --git a/policy/modules/contrib/gorg.te b/policy/modules/contrib/gorg.te
deleted file mode 100644
index 59befaaa4..000000000
--- a/policy/modules/contrib/gorg.te
+++ /dev/null
@@ -1,63 +0,0 @@
-policy_module(gorg, 1.0.0)
-
-type gorg_t;
-type gorg_exec_t;
-application_domain(gorg_t, gorg_exec_t)
-
-type gorg_cache_t;
-files_type(gorg_cache_t)
-
-type gorg_config_t;
-files_type(gorg_config_t)
-
-###################################
-#
-# gorg_t local policy
-#
-allow gorg_t self:process signal;
-
-# Allow gorg_t to put files in the gorg_cache_t location(s)
-manage_dirs_pattern(gorg_t, gorg_cache_t, gorg_cache_t)
-manage_files_pattern(gorg_t, gorg_cache_t, gorg_cache_t)
-
-# Allow gorg_t to read configuration file(s)
-allow gorg_t gorg_config_t:dir list_dir_perms;
-read_files_pattern(gorg_t, gorg_config_t, gorg_config_t)
-
-# gorg logs through /dev/log
-logging_send_syslog_msg(gorg_t)
-
-# Allow gorg to bind to port 8080 (http_cache_port_t)
-sysnet_read_config(gorg_t)
-sysnet_dns_name_resolve(gorg_t)
-corenet_all_recvfrom_unlabeled(gorg_t)
-corenet_all_recvfrom_netlabel(gorg_t)
-corenet_tcp_sendrecv_generic_if(gorg_t)
-corenet_tcp_sendrecv_generic_node(gorg_t)
-#corenet_tcp_sendrecv_all_ports(gorg_t)
-corenet_tcp_bind_generic_node(gorg_t)
-corenet_tcp_bind_http_cache_port(gorg_t)
-allow gorg_t self:netlink_route_socket { create_socket_perms nlmsg_read };
-allow gorg_t self:tcp_socket { listen accept };
-
-# Allow gorg read access to user home files (usually where cvs/git pull is
stored)
-files_search_home(gorg_t)
-userdom_search_user_home_dirs(gorg_t)
-userdom_user_home_content(gorg_t)
-userdom_list_user_home_content(gorg_t)
-userdom_read_user_home_content_symlinks(gorg_t)
-userdom_read_user_home_content_files(gorg_t)
-
-# Local policy
-allow gorg_t self:fifo_file rw_fifo_file_perms;
-
-# Read /etc files (xml/catalog, hosts.conf, ...)
-files_read_etc_files(gorg_t)
-miscfiles_read_localization(gorg_t)
-
-# Gorg is ruby, so be able to execute ruby
-corecmd_exec_bin(gorg_t)
-
-# Output to screen
-userdom_use_user_terminals(gorg_t)
-domain_use_interactive_fds(gorg_t)
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 5a411b5fa..ec71f3fb3 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -243,10 +243,6 @@ ifdef(`distro_gentoo',`
dropbox_role(staff_r, staff_t)
')
- optional_policy(`
- gorg_role(staff_r, staff_t)
- ')
-
optional_policy(`
hadoop_role(staff, staff_t, staff_application_exec_domain,
staff_r)
')
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 03561721c..34dad783c 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -1397,10 +1397,6 @@ ifdef(`distro_gentoo',`
fail2ban_run_client(sysadm_t, sysadm_r)
')
- optional_policy(`
- gorg_role(sysadm_r, sysadm_t)
- ')
-
optional_policy(`
logsentry_admin(sysadm_t, sysadm_r)
')
diff --git a/policy/modules/roles/unprivuser.te
b/policy/modules/roles/unprivuser.te
index 49a3a3d1e..aac727afd 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -222,10 +222,6 @@ ifdef(`distro_gentoo',`
dropbox_role(user_r, user_t)
')
- optional_policy(`
- gorg_role(user_r, user_t)
- ')
-
optional_policy(`
kdeconnect_role(user_r, user_t)
kdeconnect_dbus_chat(user_t)