commit: 8c603f3c8d2287b778473a09b4576bee12401b59
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Apr 19 01:17:16 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 09:12:52 2017 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8c603f3c
kmod, lvm, brctl patches from Russell Coker
Patches for modutils, at least one of which is needed to generate an initramfs
on Debian.
Patch to allow lvm to talk to fifos from dpkg_script_t for postinst scripts
etc.
Patch for brctl to allow it to create sysfs files.
policy/modules/contrib/brctl.te | 3 ++-
policy/modules/contrib/dpkg.if | 39 +++++++++++++++++++++++++++++++++++++++
policy/modules/contrib/dpkg.te | 2 +-
3 files changed, 42 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/brctl.te b/policy/modules/contrib/brctl.te
index c5a91138..fd789b5f 100644
--- a/policy/modules/contrib/brctl.te
+++ b/policy/modules/contrib/brctl.te
@@ -1,4 +1,4 @@
-policy_module(brctl, 1.7.0)
+policy_module(brctl, 1.7.1)
########################################
#
@@ -29,6 +29,7 @@ kernel_read_sysctl(brctl_t)
corenet_rw_tun_tap_dev(brctl_t)
+dev_create_sysfs_files(brctl_t)
dev_rw_sysfs(brctl_t)
dev_write_sysfs_dirs(brctl_t)
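Review bot: The new `dev_create_sysfs_files(brctl_t)` grants file creation on sysfs, yet sysfs does not let userspace create files, so the denial behind this line deserves a second look before it is committed as an allow rule. If it came from an `open(O_CREAT)` of a bridge attribute that does not exist on the kernel in question, the open fails regardless and a `dontaudit` would be the more precise fix; if brctl only ever writes existing attributes under `/sys/class/net/*/bridge/`, the `create` grant is surplus and the existing `dev_rw_sysfs(brctl_t)` already covers it. The commit message says only "allow it to create sysfs files" and does not record the AVC, so this is inferred; a brief comment such as `# brctl opens bridge attributes with O_CREAT; see AVC in commit` on the line would let future readers judge whether the rule is still needed. The rest of brctl.te, including any later sysfs rules, is outside this hunk.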
diff --git a/policy/modules/contrib/dpkg.if b/policy/modules/contrib/dpkg.if
index fdc06d69..081134f2 100644
--- a/policy/modules/contrib/dpkg.if
+++ b/policy/modules/contrib/dpkg.if
@@ -62,6 +62,25 @@ interface(`dpkg_domtrans_script',`
########################################
## <summary>
+## access dpkg_script fifos
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`dpkg_script_rw_pipes',`
+ gen_require(`
+ type dpkg_script_t;
+ ')
+
+ allow $1 dpkg_script_t:fd use;
+ allow $1 dpkg_script_t:fifo_file rw_file_perms;
+')
+
+########################################
+## <summary>
## Execute dpkg programs in the dpkg domain.
## </summary>
## <param name="domain">
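Review bot: `allow $1 dpkg_script_t:fifo_file rw_file_perms;` in the new dpkg_script_rw_pipes interface grants `open` as well as read/write, but the commit message describes pipes handed to lvm by a running postinst script, i.e. descriptors already inherited through the `fd use` rule on the line above. If this tree's obj_perm_sets defines it, `allow $1 dpkg_script_t:fifo_file rw_inherited_fifo_file_perms;` is the tighter set that refpolicy uses for that case. The `<summary>` reads `access dpkg_script fifos`, which does not mention the fd inheritance the interface also grants and does not follow the capitalised, full-sentence style of the neighbouring summaries; `Read and write inherited dpkg_script fifos and use its file descriptors.` would describe the contract. No caller of the new interface is part of this commit, so the consumer cannot be checked here.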
@@ -242,3 +261,23 @@ interface(`dpkg_lock_db',`
allow $1 dpkg_var_lib_t:dir list_dir_perms;
allow $1 dpkg_lock_t:file manage_file_perms;
')
+
+########################################
+## <summary>
+## manage dpkg_script_tmp_t files and dirs
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dpkg_manage_script_tmp_files',`
+ gen_require(`
+ type dpkg_script_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 dpkg_script_tmp_t:dir manage_dir_perms;
+ allow $1 dpkg_script_tmp_t:file manage_file_perms;
+')
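Review bot: The summary on the new dpkg_manage_script_tmp_files interface, `## manage dpkg_script_tmp_t files and dirs`, does not follow the style of the file's other summaries (compare `Execute dpkg programs in the dpkg domain.` above); `Create, read, write, and delete dpkg_script temporary files and directories.` matches them. The interface hands out `manage_file_perms` and `manage_dir_perms`, which include unlink, rename and setattr on files a maintainer script may be using at that moment, so it is presumably intended only for helpers that dpkg scripts invoke; stating that in the summary would let a caller judge whether the full manage set is appropriate or whether a read-only variant should be added alongside it. Note also that the interface does not supply a file transition, so files the caller creates inside a dpkg_script_tmp_t directory take the caller's own default type unless it arranges one; that is consistent with other `manage_*_tmp_files` interfaces in refpolicy but worth a one-line comment. No caller appears in this diff.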
diff --git a/policy/modules/contrib/dpkg.te b/policy/modules/contrib/dpkg.te
index a3d3f2e5..a91e4896 100644
--- a/policy/modules/contrib/dpkg.te
+++ b/policy/modules/contrib/dpkg.te
@@ -1,4 +1,4 @@
-policy_module(dpkg, 1.11.5)
+policy_module(dpkg, 1.11.6)
########################################
#