[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/, policy/modules/kernel/

2024-05-14 Thread Kenton Groombridge
commit: da28221423dba9c102a06afb6c7eac7cd2d0117a
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Mon May  6 20:31:46 2024 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Tue May 14 17:41:44 2024 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=da282214

bootloader: allow systemd-boot to manage EFI binaries

systemd-boot's bootctl utility is used to install and update its EFI
binaries in the EFI partition. If that partition is mounted with the boot_t type,
bootctl needs to be able to manage boot_t files.

Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/admin/bootloader.te |  4 
 policy/modules/kernel/files.if | 19 +++
 2 files changed, 23 insertions(+)

diff --git a/policy/modules/admin/bootloader.te 
b/policy/modules/admin/bootloader.te
index 294ce7e0c..81748a5f3 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -225,6 +225,10 @@ ifdef(`init_systemd',`
fs_getattr_cgroup(bootloader_t)
init_read_state(bootloader_t)
init_rw_inherited_stream_socket(bootloader_t)
+
+   # for systemd-boot-update to manage EFI binaries
+   domain_obj_id_change_exemption(bootloader_t)
+   files_mmap_read_boot_files(bootloader_t)
 ')
 
 optional_policy(`
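Review bot: `domain_obj_id_change_exemption(bootloader_t)` is a domain-wide constraint exemption, not a boot_t-specific grant — it presumably lets bootloader_t create or relabel objects whose SELinux user differs from its own on any type it can already write — yet the comment above it only names the systemd-boot-update use case. The denial that motivated it is not recorded, so a later reviewer cannot tell whether the exemption is still needed or could be dropped; I would expand the comment to something like `# systemd-boot-update (bootctl) installs EFI binaries under boot_t with an object identity differing from the process user; this exempts the whole domain from the identity constraint, not just boot_t`. The commit message speaks of managing boot_t files, but this hunk only adds mmap-read, so the manage access is presumably already granted elsewhere in bootloader.te and worth a cross-reference. The enclosing `ifdef(`init_systemd'` block begins outside the hunk.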

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index e0337d044..b9c451321 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -2590,6 +2590,25 @@ interface(`files_read_boot_files',`
read_files_pattern($1, boot_t, boot_t)
 ')
 
+
+## 
+## Read and memory map files in the /boot directory.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+## 
+#
+interface(`files_mmap_read_boot_files',`
+   gen_require(`
+   type boot_t;
+   ')
+
+   mmap_read_files_pattern($1, boot_t, boot_t)
+')
+
 
 ## 
 ## Create, read, write, and delete files
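Review bot: The new `files_mmap_read_boot_files` interface extends the files module's public API, but the diffstat shows no bump of `policy_module(files, ...)` in files.te, whereas this repository's history bumps module versions when interfaces change (the bump may be batched into a later commit, as in the 2021 "various: Module version bump" series). The summary could also tell callers how this relates to `files_read_boot_files()` directly above it: `## Read and memory map files in the /boot directory. Use this instead of files_read_boot_files() when the domain also needs the map permission (e.g. to mmap EFI binaries).`, on the assumption that `mmap_read_files_pattern` grants read plus map like the other mmap_read_* interfaces in this file.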



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/, policy/modules/kernel/, policy/modules/system/, ...

2021-11-11 Thread Jason Zaman
commit: 9f2bab2173d07f9337a6003bf39f771d22b9df22
Author: Chris PeBenito  ieee  org>
AuthorDate: Tue Nov  9 16:13:37 2021 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu Nov 11 21:26:50 2021 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9f2bab21

various: Module version bump.

Signed-off-by: Chris PeBenito  ieee.org>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/admin/netutils.te| 2 +-
 policy/modules/admin/usbguard.te| 2 +-
 policy/modules/admin/usermanage.te  | 2 +-
 policy/modules/kernel/devices.te| 2 +-
 policy/modules/kernel/filesystem.te | 2 +-
 policy/modules/roles/sysadm.te  | 2 +-
 policy/modules/services/apache.te   | 2 +-
 policy/modules/services/asterisk.te | 2 +-
 policy/modules/services/bind.te | 2 +-
 policy/modules/services/certbot.te  | 2 +-
 policy/modules/services/dbus.te | 2 +-
 policy/modules/services/dovecot.te  | 2 +-
 policy/modules/services/exim.te | 2 +-
 policy/modules/services/git.te  | 2 +-
 policy/modules/services/jabber.te   | 2 +-
 policy/modules/services/mta.te  | 2 +-
 policy/modules/services/policykit.te| 2 +-
 policy/modules/services/postfix.te  | 2 +-
 policy/modules/services/rngd.te | 2 +-
 policy/modules/services/spamassassin.te | 2 +-
 policy/modules/services/ssh.te  | 2 +-
 policy/modules/services/virt.te | 2 +-
 policy/modules/system/systemd.te| 2 +-
 policy/modules/system/userdomain.te | 2 +-
 24 files changed, 24 insertions(+), 24 deletions(-)

diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index ec753a88..7210c776 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -1,4 +1,4 @@
-policy_module(netutils, 1.21.0)
+policy_module(netutils, 1.21.1)
 
 
 #

diff --git a/policy/modules/admin/usbguard.te b/policy/modules/admin/usbguard.te
index cca00cdb..cdca7ff0 100644
--- a/policy/modules/admin/usbguard.te
+++ b/policy/modules/admin/usbguard.te
@@ -1,4 +1,4 @@
-policy_module(usbguard, 1.2.0)
+policy_module(usbguard, 1.2.1)
 
 
 #

diff --git a/policy/modules/admin/usermanage.te 
b/policy/modules/admin/usermanage.te
index ca60a09e..6ead66f2 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -1,4 +1,4 @@
-policy_module(usermanage, 1.25.1)
+policy_module(usermanage, 1.25.2)
 
 
 #

diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 5a06ea82..50bfdecf 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,4 +1,4 @@
-policy_module(devices, 1.29.0)
+policy_module(devices, 1.29.1)
 
 
 #

diff --git a/policy/modules/kernel/filesystem.te 
b/policy/modules/kernel/filesystem.te
index ddd10c2a..d39648b3 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -1,4 +1,4 @@
-policy_module(filesystem, 1.30.2)
+policy_module(filesystem, 1.30.3)
 
 
 #

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 3deec0a8..f52086cf 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -1,4 +1,4 @@
-policy_module(sysadm, 2.19.0)
+policy_module(sysadm, 2.19.1)
 
 
 #

diff --git a/policy/modules/services/apache.te 
b/policy/modules/services/apache.te
index 79fdf1ae..d3b6c829 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -1,4 +1,4 @@
-policy_module(apache, 2.21.1)
+policy_module(apache, 2.21.2)
 
 
 #

diff --git a/policy/modules/services/asterisk.te 
b/policy/modules/services/asterisk.te
index e1dbff10..a188c2f4 100644
--- a/policy/modules/services/asterisk.te
+++ b/policy/modules/services/asterisk.te
@@ -1,4 +1,4 @@
-policy_module(asterisk, 1.21.0)
+policy_module(asterisk, 1.21.1)
 
 
 #

diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
index 0081ed52..fcf74fa1 100644
--- a/policy/modules/services/bind.te
+++ b/policy/modules/services/bind.te
@@ -1,4 +1,4 @@
-policy_module(bind, 1.23.0)
+policy_module(bind, 1.23.1)
 
 
 #

diff --git a/policy/modules/services/certbot.te 
b/policy/modules/services/certbot.te
index 19ebe75f..3f2778f3 100644
--- a/policy/modules/services/certbot.te
+++ b/policy/modules/services/certbot.te
@@ -1,4 +1,4 @@
-policy_module(certbot, 1.1.0)
+policy_module(certbot, 1.1.1)
 
 ## 
 ## 

diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index 9d2942f5..7535509d 100644
--- a/policy/modules/services/dbus.te
+++ 

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/, policy/modules/kernel/

2017-02-17 Thread Jason Zaman
commit: b3a86dde9757f48af1abc124e9b000f47dbf0cfd
Author: Chris PeBenito  ieee  org>
AuthorDate: Sat Feb 11 19:51:21 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Fri Feb 17 08:13:37 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b3a86dde

Module version bump for bootloader patch revert. Plus compat alias.

 policy/modules/admin/bootloader.te | 2 +-
 policy/modules/kernel/files.te | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/policy/modules/admin/bootloader.te 
b/policy/modules/admin/bootloader.te
index bd69d431..8ed70327 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -1,4 +1,4 @@
-policy_module(bootloader, 1.17.1)
+policy_module(bootloader, 1.17.2)
 
 
 #

diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 2d8fa232..625768e2 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -1,4 +1,4 @@
-policy_module(files, 1.23.1)
+policy_module(files, 1.23.2)
 
 
 #
@@ -48,6 +48,8 @@ attribute usercanread;
 #
 type boot_t;
 files_mountpoint(boot_t)
+# compatibility aliases for removed types:
+typealias boot_t alias bootloader_run_t;
 
 # default_t is the default type for files that do not
 # match any specification in the file_contexts configuration
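Review bot: `typealias boot_t alias bootloader_run_t;` makes every existing rule that names bootloader_run_t apply to all of boot_t, so any out-of-tree module that still grants write access to the removed type now gets that access on kernels and initramfs images under /boot as well. If that widening is an intentional transitional measure, the comment should say so and give a removal point, e.g. `# compatibility alias for the removed bootloader_run_t (bootloader patch revert); rules written against the alias now apply to all of boot_t -- drop once dependent modules are updated`. The comment also says "aliases" while only one alias is added here.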