[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/services/

2023-10-06 Thread Kenton Groombridge
commit: 345902025b3c03467a48c8b1474cbd3b3bc085cf
Author: Russell Coker  coker  com  au>
AuthorDate: Thu Sep 21 14:22:36 2023 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Fri Oct  6 15:27:06 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=34590202

policy for the Reliability Availability servicability daemon (#690)

* policy for the Reliability Availability serviceability daemon

Signed-off-by: Russell Coker  coker.com.au>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/kernel/filesystem.if  | 37 
 policy/modules/services/rasdaemon.fc |  3 +++
 policy/modules/services/rasdaemon.if | 10 +
 policy/modules/services/rasdaemon.te | 41 
 4 files changed, 91 insertions(+)

diff --git a/policy/modules/kernel/filesystem.if 
b/policy/modules/kernel/filesystem.if
index 5cdbc5644..5213df5ba 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -6154,6 +6154,43 @@ interface(`fs_getattr_tracefs_files',`
 allow $1 tracefs_t:file getattr;
 ')
 
+
+## 
+## Read/write trace filesystem files
+## 
+## 
+##  
+##  Domain allowed access.
+##  
+## 
+#
+interface(`fs_rw_tracefs_files',`
+   gen_require(`
+   type tracefs_t;
+   ')
+
+   allow $1 tracefs_t:dir list_dir_perms;
+   allow $1 tracefs_t:file rw_file_perms;
+')
+
+
+## 
+## create trace filesystem directories
+## 
+## 
+##  
+##  Domain allowed access.
+##  
+## 
+#
+interface(`fs_create_tracefs_dirs',`
+   gen_require(`
+   type tracefs_t;
+   ')
+
+   allow $1 tracefs_t:dir { create rw_dir_perms };
+')
+
 
 ## 
 ## Mount a XENFS filesystem.
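Review bot: `fs_create_tracefs_dirs` grants `{ create rw_dir_perms }` on `tracefs_t:dir`, which is wider than its name and summary ("create trace filesystem directories") advertise: `rw_dir_perms` also carries `remove_name` and `read`, so a caller gets entry removal and listing from an interface named for creation. The refpolicy idiom for this is `create_dirs_pattern($1, tracefs_t, tracefs_t)`, which gives search and add_entry on the parent and `create_dir_perms` on the created directory and nothing more; if rasdaemon genuinely needs to remove entries, name the interface for that (a constructed example: `fs_manage_tracefs_dirs`) or explain it in the summary. The two new summaries should also agree in capitalisation, e.g. `## Create trace filesystem directories`.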

diff --git a/policy/modules/services/rasdaemon.fc 
b/policy/modules/services/rasdaemon.fc
new file mode 100644
index 0..9a83feb4f
--- /dev/null
+++ b/policy/modules/services/rasdaemon.fc
@@ -0,0 +1,3 @@
+/usr/sbin/rasdaemon--  
gen_context(system_u:object_r:rasdaemon_exec_t,s0)
+/var/lib/rasdaemon(/.*)?   
gen_context(system_u:object_r:rasdaemon_var_t,s0)
+
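Review bot: The new rasdaemon.fc ends with an added empty line (the last `+` line of this hunk), and the rasdaemon.te hunk below ends the same way; the other policy files on this page end directly after their last entry, so drop both trailing blank lines.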

diff --git a/policy/modules/services/rasdaemon.if 
b/policy/modules/services/rasdaemon.if
new file mode 100644
index 0..9509b0261
--- /dev/null
+++ b/policy/modules/services/rasdaemon.if
@@ -0,0 +1,10 @@
+## RAS (Reliability, Availability and Serviceability) logging 
tool
+##
+## 
+## rasdaemon is a RAS (Reliability, Availability and Serviceability) logging
+## tool.  It currently records memory errors, using the EDAC tracing events.
+## EDAC are drivers in the Linux kernel that handle detection of ECC errors
+## from memory controllers for most chipsets on x86 and ARM architectures.
+##
+## https://git.infradead.org/users/mchehab/rasdaemon.git
+## 

diff --git a/policy/modules/services/rasdaemon.te 
b/policy/modules/services/rasdaemon.te
new file mode 100644
index 0..9a65d5d74
--- /dev/null
+++ b/policy/modules/services/rasdaemon.te
@@ -0,0 +1,41 @@
+policy_module(rasdaemon)
+
+
+#
+# Declarations
+#
+
+type rasdaemon_t;
+type rasdaemon_exec_t;
+init_daemon_domain(rasdaemon_t, rasdaemon_exec_t)
+
+type rasdaemon_var_t;
+files_type(rasdaemon_var_t)
+
+
+#
+# Local policy
+#
+
+allow rasdaemon_t self:process getsched;
+allow rasdaemon_t self:capability sys_rawio;
+
+allow rasdaemon_t rasdaemon_var_t:dir manage_dir_perms;
+allow rasdaemon_t rasdaemon_var_t:file manage_file_perms;
+
+kernel_read_debugfs(rasdaemon_t)
+kernel_read_system_state(rasdaemon_t)
+kernel_read_vm_overcommit_sysctl(rasdaemon_t)
+kernel_search_fs_sysctls(rasdaemon_t)
+
+dev_read_sysfs(rasdaemon_t)
+dev_read_urand(rasdaemon_t)
+dev_rw_cpu_microcode(rasdaemon_t)
+
+files_search_var_lib(rasdaemon_t)
+fs_create_tracefs_dirs(rasdaemon_t)
+fs_rw_tracefs_files(rasdaemon_t)
+
+logging_send_syslog_msg(rasdaemon_t)
+miscfiles_read_localization(rasdaemon_t)
+
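Review bot: `allow rasdaemon_t self:capability sys_rawio;` is the strongest privilege in this module and carries no comment saying which operation needs it, while the neighbouring `dev_rw_cpu_microcode(rasdaemon_t)` grants both read and write on the CPU device nodes. Presumably both exist for the MSR device nodes, whose open I believe is gated on CAP_SYS_RAWIO, but that should be written down so the pair is neither kept nor widened blindly; if rasdaemon only reads MSRs, check whether a read-only interface on the cpu device is available instead of the rw one. Suggested comment above the capability line: `# sys_rawio + cpu device rw: MSR access for hardware error decoding (TODO confirm whether writes are needed)`.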



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/services/, policy/modules/admin/, ...

2022-09-03 Thread Jason Zaman
commit: 8d05a891d62852e95e4dbcb3f16e299be7cd4644
Author: Chris PeBenito  microsoft  com>
AuthorDate: Wed Mar  9 20:50:22 2022 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Sep  3 19:07:49 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8d05a891

Add cloud-init.

This is used by cloud providers to set up VMs during deployment.

https://github.com/canonical/cloud-init

Signed-off-by: Chris PeBenito  microsoft.com>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/admin/cloudinit.fc   |  10 +++
 policy/modules/admin/cloudinit.if   | 108 
 policy/modules/admin/cloudinit.te   | 108 
 policy/modules/admin/usermanage.fc  |   1 +
 policy/modules/kernel/corecommands.fc   |   1 +
 policy/modules/kernel/corenetwork.if.in |  18 ++
 policy/modules/services/ssh.fc  |   2 +-
 policy/modules/services/ssh.if  |  55 
 policy/modules/system/libraries.if  |  44 +
 policy/modules/system/sysnetwork.te |   2 +-
 policy/modules/system/systemd.te|   9 +++
 11 files changed, 356 insertions(+), 2 deletions(-)

diff --git a/policy/modules/admin/cloudinit.fc 
b/policy/modules/admin/cloudinit.fc
new file mode 100644
index ..f5fdc535
--- /dev/null
+++ b/policy/modules/admin/cloudinit.fc
@@ -0,0 +1,10 @@
+/run/cloud-init(/.*)?   
gen_context(system_u:object_r:cloud_init_runtime_t,s0)
+
+/usr/bin/cloud-id   --  gen_context(system_u:object_r:cloud_init_exec_t,s0)
+/usr/bin/cloud-init --  gen_context(system_u:object_r:cloud_init_exec_t,s0)
+/usr/bin/cloud-init-per --  gen_context(system_u:object_r:cloud_init_exec_t,s0)
+
+/var/lib/cloud(/.*)?
gen_context(system_u:object_r:cloud_init_state_t,s0)
+
+/var/log/cloud-init-output\.log -- 
gen_context(system_u:object_r:cloud_init_log_t,s0)
+/var/log/cloud-init\.log --  gen_context(system_u:object_r:cloud_init_log_t,s0)

diff --git a/policy/modules/admin/cloudinit.if 
b/policy/modules/admin/cloudinit.if
new file mode 100644
index ..4469d7b1
--- /dev/null
+++ b/policy/modules/admin/cloudinit.if
@@ -0,0 +1,108 @@
+## Init scripts for cloud VMs
+
+
+## 
+## Create cloud-init runtime directory.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`cloudinit_create_runtime_dirs',`
+   gen_require(`
+   type cloud_init_runtime_t;
+   ')
+
+   files_search_runtime($1)
+   allow $1 cloud_init_runtime_t:dir create_dir_perms;
+')
+
+
+## 
+## Write cloud-init runtime files.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`cloudinit_write_runtime_files',`
+   gen_require(`
+   type cloud_init_runtime_t;
+   ')
+
+   files_search_runtime($1)
+   write_files_pattern($1, cloud_init_runtime_t, cloud_init_runtime_t)
+')
+
+
+## 
+## Create cloud-init runtime files.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`cloudinit_create_runtime_files',`
+   gen_require(`
+   type cloud_init_runtime_t;
+   ')
+
+   files_search_runtime($1)
+   create_files_pattern($1, cloud_init_runtime_t, cloud_init_runtime_t)
+')
+
+###
+## 
+## Create files in /run with the type used for
+## cloud-init runtime files.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+## 
+## 
+## The class of the object to be created.
+## 
+## 
+## 
+## 
+## The name of the object being created.
+## 
+## 
+#
+interface(`cloudinit_filetrans_runtime',`
+   gen_require(`
+   type cloud_init_runtime_t;
+   ')
+
+   files_runtime_filetrans($1, cloud_init_runtime_t, $2, $3)
+')
+
+
+## 
+## Get the attribute of cloud-init state files.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`cloudinit_getattr_state_files',`
+   gen_require(`
+   type cloud_init_state_t;
+   ')
+
+   files_search_var_lib($1)
+   allow $1 cloud_init_state_t:dir list_dir_perms;
+   allow $1 cloud_init_state_t:lnk_file read_lnk_file_perms;
+   allow $1 cloud_init_state_t:file getattr;
+')
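Review bot: `cloudinit_getattr_state_files` grants more than its name and summary state: besides `getattr` on `cloud_init_state_t:file` it allows `list_dir_perms` on the directories and `read_lnk_file_perms` on symlinks. The refpolicy idiom for a getattr interface is `getattr_files_pattern($1, cloud_init_state_t, cloud_init_state_t)`, which adds only `search_dir_perms` on the directory; if callers really need to enumerate `/var/lib/cloud` and follow its links, either name the interface for that or say so in its summary, e.g. `## Get the attributes of cloud-init state files, list their directories and read their symlinks.`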

diff --git a/policy/modules/admin/cloudinit.te 
b/policy/modules/admin/cloudinit.te
new file mode 100644
index ..f531cc5d
--- /dev/null
+++ b/policy/modules/admin/cloudinit.te
@@ -0,0 +1,108 @@
+policy_module(cloudinit)
+
+
+#
+# Declarations
+#
+
+type cloud_init_t;
+type cloud_init_exec_t;
+init_system_domain(cloud_init_t, cloud_init_exec_t)
+
+type cloud_init_log_t;
+logging_log_file(cloud_init_log_t)
+
+type cloud_init_runtime_t;
+files_runtime_file(cloud_init_runtime_t)

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/services/

2022-02-26 Thread Jason Zaman
commit: 5b564f3b243368edd0e083c78a99b059a10e80ed
Author: Russell Coker  coker  com  au>
AuthorDate: Fri Feb 18 01:21:52 2022 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Feb 27 02:13:17 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5b564f3b

matrixd-synapse policy V3

Here's the latest version of the matrixd-synapse policy including all the
suggestions from a year ago.

Probably ready to merge.
Signed-off-by: Russell Coker  coker.com.au>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/kernel/corenetwork.te.in |   2 +-
 policy/modules/services/matrixd.fc  |   4 +
 policy/modules/services/matrixd.if  |   1 +
 policy/modules/services/matrixd.te  | 126 
 4 files changed, 132 insertions(+), 1 deletion(-)

diff --git a/policy/modules/kernel/corenetwork.te.in 
b/policy/modules/kernel/corenetwork.te.in
index 547328be..077aacf0 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -156,7 +156,7 @@ network_port(hadoop_namenode, tcp,8020,s0)
 network_port(hddtemp, tcp,7634,s0)
 network_port(howl, tcp,5335,s0, udp,5353,s0)
 network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, 
tcp,5,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, 
tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, 
tcp,9290,s0, tcp,9291,s0)
-network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, 
tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
+network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, 
tcp,8009,s0, tcp,8443,s0, tcp,8448,s0) #8443 is mod_nss default port
 network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, 
tcp,10001-10010,s0) # 8118 is for privoxy
 network_port(i18n_input, tcp,9010,s0)
 network_port(imaze, tcp,5323,s0, udp,5323,s0)
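Review bot: The trailing comment on the changed `network_port(http, ...)` line still explains only 8443, so the new `tcp,8448,s0` entry is undocumented; extend it to `#8443 is mod_nss default port, 8448 is the Matrix federation port` (the `http_cache` line below shows the same convention). Note that adding 8448 to the http port type hands the federation port to every domain already allowed to bind or connect to http ports, not just `matrixd_t`; if that is intended it deserves a sentence in the commit message, otherwise a dedicated port type would keep it scoped.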

diff --git a/policy/modules/services/matrixd.fc 
b/policy/modules/services/matrixd.fc
new file mode 100644
index ..b59b1c75
--- /dev/null
+++ b/policy/modules/services/matrixd.fc
@@ -0,0 +1,4 @@
+/var/lib/matrix-synapse(/.*)?  
gen_context(system_u:object_r:matrixd_var_t,s0)
+/var/log/matrix-synapse(/.*)?  
gen_context(system_u:object_r:matrixd_log_t,s0)
+/etc/matrix-synapse(/.*)?  
gen_context(system_u:object_r:matrixd_conf_t,s0)
+/usr/bin/synctl--  
gen_context(system_u:object_r:matrixd_exec_t,s0)

diff --git a/policy/modules/services/matrixd.if 
b/policy/modules/services/matrixd.if
new file mode 100644
index ..f1eff5f0
--- /dev/null
+++ b/policy/modules/services/matrixd.if
@@ -0,0 +1 @@
+## Matrixd

diff --git a/policy/modules/services/matrixd.te 
b/policy/modules/services/matrixd.te
new file mode 100644
index ..5c217678
--- /dev/null
+++ b/policy/modules/services/matrixd.te
@@ -0,0 +1,126 @@
+policy_module(matrixd, 1.0.0)
+
+
+#
+# Declarations
+#
+
+## 
+##  
+##  Determine whether Matrixd is allowed to federate
+##  (bind all UDP ports and connect to all TCP ports).
+##  
+## 
+gen_tunable(matrix_allow_federation, true)
+
+## 
+##  
+##  Determine whether Matrixd can connect to the Postgres database.
+##  
+## 
+gen_tunable(matrix_postgresql_connect, false)
+
+
+type matrixd_t;
+type matrixd_exec_t;
+init_daemon_domain(matrixd_t, matrixd_exec_t)
+
+type matrixd_var_t;
+files_type(matrixd_var_t)
+
+type matrixd_log_t;
+logging_log_file(matrixd_log_t)
+
+type matrixd_conf_t;
+files_config_file(matrixd_conf_t)
+
+type matrixd_tmp_t;
+files_tmp_file(matrixd_tmp_t)
+
+
+#
+# Local policy
+#
+
+allow matrixd_t self:fifo_file rw_file_perms;
+allow matrixd_t self:tcp_socket create_stream_socket_perms;
+allow matrixd_t self:netlink_route_socket r_netlink_socket_perms;
+
+allow matrixd_t self:udp_socket create_socket_perms;
+allow matrixd_t self:unix_dgram_socket create_socket_perms;
+# execmem is needed for Python callbacks
+# https://cffi.readthedocs.io/en/latest/using.html#callbacks
+allow matrixd_t self:process execmem;
+
+allow matrixd_t matrixd_tmp_t:file { manage_file_perms map };
+files_tmp_filetrans(matrixd_t, matrixd_tmp_t, file)
+fs_tmpfs_filetrans(matrixd_t, matrixd_tmp_t, file)
+
+manage_files_pattern(matrixd_t, matrixd_var_t, matrixd_var_t)
+files_search_var_lib(matrixd_t)
+allow matrixd_t matrixd_var_t:file map;
+allow matrixd_t matrixd_var_t:dir manage_dir_perms;
+
+logging_search_logs(matrixd_t)
+manage_files_pattern(matrixd_t, matrixd_log_t, matrixd_log_t)
+
+read_files_pattern(matrixd_t, matrixd_conf_t, matrixd_conf_t)
+allow matrixd_t matrixd_conf_t:dir list_dir_perms;
+
+kernel_read_system_state(matrixd_t)
+kernel_read_vm_overcommit_sysctl(matrixd_t)
+
+# The following in the systemd service file causes a domain transition when
+# running python3:
+# SELinuxContext=system_u:system_r:matrixd_t:s0
+corecmd_bin_entry_type(matrixd_t)

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/services/, policy/modules/system/, ...

2021-11-20 Thread Jason Zaman
commit: b2361fcf03d445e6710bd4ab3ba3b171fdb4ef7b
Author: Chris PeBenito  ieee  org>
AuthorDate: Mon Nov 15 20:34:27 2021 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Nov 20 22:58:24 2021 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b2361fcf

various: Module version bump.

Signed-off-by: Chris PeBenito  ieee.org>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/admin/rpm.te | 2 +-
 policy/modules/admin/tmpreaper.te   | 2 +-
 policy/modules/kernel/corenetwork.te.in | 2 +-
 policy/modules/kernel/mcs.te| 2 +-
 policy/modules/services/policykit.te| 2 +-
 policy/modules/services/postfix.te  | 2 +-
 policy/modules/services/watchdog.te | 2 +-
 policy/modules/system/init.te   | 2 +-
 policy/modules/system/systemd.te| 2 +-
 policy/modules/system/udev.te   | 2 +-
 policy/modules/system/unconfined.te | 2 +-
 11 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
index 6823e6e3..6545e471 100644
--- a/policy/modules/admin/rpm.te
+++ b/policy/modules/admin/rpm.te
@@ -1,4 +1,4 @@
-policy_module(rpm, 1.26.0)
+policy_module(rpm, 1.26.1)
 
 
 #

diff --git a/policy/modules/admin/tmpreaper.te 
b/policy/modules/admin/tmpreaper.te
index 1acefd7f..1a2a3036 100644
--- a/policy/modules/admin/tmpreaper.te
+++ b/policy/modules/admin/tmpreaper.te
@@ -1,4 +1,4 @@
-policy_module(tmpreaper, 1.9.0)
+policy_module(tmpreaper, 1.9.1)
 
 
 #

diff --git a/policy/modules/kernel/corenetwork.te.in 
b/policy/modules/kernel/corenetwork.te.in
index 9deaa2ed..c1bd804a 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -1,4 +1,4 @@
-policy_module(corenetwork, 1.29.0)
+policy_module(corenetwork, 1.29.1)
 
 
 #

diff --git a/policy/modules/kernel/mcs.te b/policy/modules/kernel/mcs.te
index 2da98c25..3bb823f4 100644
--- a/policy/modules/kernel/mcs.te
+++ b/policy/modules/kernel/mcs.te
@@ -1,4 +1,4 @@
-policy_module(mcs, 1.3.0)
+policy_module(mcs, 1.3.1)
 
 
 #

diff --git a/policy/modules/services/policykit.te 
b/policy/modules/services/policykit.te
index f03614d0..2119b8de 100644
--- a/policy/modules/services/policykit.te
+++ b/policy/modules/services/policykit.te
@@ -1,4 +1,4 @@
-policy_module(policykit, 1.12.1)
+policy_module(policykit, 1.12.2)
 
 
 #

diff --git a/policy/modules/services/postfix.te 
b/policy/modules/services/postfix.te
index b6a9bb6b..6d071347 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -1,4 +1,4 @@
-policy_module(postfix, 1.25.1)
+policy_module(postfix, 1.25.2)
 
 
 #

diff --git a/policy/modules/services/watchdog.te 
b/policy/modules/services/watchdog.te
index ab9d9458..5b3c8889 100644
--- a/policy/modules/services/watchdog.te
+++ b/policy/modules/services/watchdog.te
@@ -1,4 +1,4 @@
-policy_module(watchdog, 1.16.0)
+policy_module(watchdog, 1.16.1)
 
 #
 #

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 565b7cb7..3802f575 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 2.11.0)
+policy_module(init, 2.11.1)
 
 gen_require(`
class passwd rootok;

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 118158e4..4233da20 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.12.2)
+policy_module(systemd, 1.12.3)
 
 #
 #

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index a13dff43..cbc8c0dc 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -1,4 +1,4 @@
-policy_module(udev, 1.30.1)
+policy_module(udev, 1.30.2)
 
 
 #

diff --git a/policy/modules/system/unconfined.te 
b/policy/modules/system/unconfined.te
index a23a1037..95d08889 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -1,4 +1,4 @@
-policy_module(unconfined, 3.16.1)
+policy_module(unconfined, 3.16.2)
 
 
 #



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/services/, policy/, ...

2021-11-20 Thread Jason Zaman
commit: 89cbc037a65cd4e6871a32337bb9f0e1c1f4dc95
Author: Kenton Groombridge  concord  sh>
AuthorDate: Wed Oct 13 17:36:25 2021 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Nov 20 22:58:24 2021 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=89cbc037

various: deprecate mcs override interfaces

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/mcs   |  2 +-
 policy/modules/admin/rpm.te  |  2 --
 policy/modules/admin/tmpreaper.te|  2 --
 policy/modules/kernel/mcs.if | 24 
 policy/modules/services/policykit.te |  2 --
 policy/modules/services/postfix.te   | 10 --
 policy/modules/services/watchdog.te  |  2 --
 policy/modules/system/init.te|  6 --
 policy/modules/system/systemd.te |  1 -
 policy/modules/system/udev.te|  2 --
 policy/modules/system/unconfined.te  |  3 ---
 11 files changed, 5 insertions(+), 51 deletions(-)

diff --git a/policy/mcs b/policy/mcs
index cc922a02..c8c573e9 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -173,7 +173,7 @@ mlsconstrain { tcp_socket udp_socket rawip_socket } 
node_bind
 # because the subject in this particular case is the remote domain which is
 # writing data out the network node which is acting as the object
 mlsconstrain { node } { recvfrom sendto }
-   (( l1 dom l2 ) or ( t1 != msc_constrained_type ));
+   (( l1 dom l2 ) or ( t1 != mcs_constrained_type ));
 
 mlsconstrain { packet peer } { recv }
(( l1 dom l2 ) or
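Review bot: The one-character fix `msc_constrained_type` → `mcs_constrained_type` in the `node { recvfrom sendto }` constraint is a functional change to MCS enforcement — the constraint now refers to the attribute the rest of the policy actually defines — yet the commit message only says "deprecate mcs override interfaces". A line in the description, or a separate commit, would make this visible to anyone later bisecting an MCS network denial. The constraint block continues outside the hunk.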

diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
index 860207e5..6823e6e3 100644
--- a/policy/modules/admin/rpm.te
+++ b/policy/modules/admin/rpm.te
@@ -313,8 +313,6 @@ fs_mount_xattr_fs(rpm_script_t)
 fs_unmount_xattr_fs(rpm_script_t)
 fs_search_auto_mountpoints(rpm_script_t)
 
-mcs_killall(rpm_script_t)
-
 mls_file_read_all_levels(rpm_script_t)
 mls_file_write_all_levels(rpm_script_t)
 

diff --git a/policy/modules/admin/tmpreaper.te 
b/policy/modules/admin/tmpreaper.te
index f4ce8dba..1acefd7f 100644
--- a/policy/modules/admin/tmpreaper.te
+++ b/policy/modules/admin/tmpreaper.te
@@ -34,8 +34,6 @@ files_read_var_lib_files(tmpreaper_t)
 files_purge_tmp(tmpreaper_t)
 files_setattr_all_tmp_dirs(tmpreaper_t)
 
-mcs_file_read_all(tmpreaper_t)
-mcs_file_write_all(tmpreaper_t)
 mls_file_read_all_levels(tmpreaper_t)
 mls_file_write_all_levels(tmpreaper_t)
 

diff --git a/policy/modules/kernel/mcs.if b/policy/modules/kernel/mcs.if
index eb4bcfcb..55b5a7fe 100644
--- a/policy/modules/kernel/mcs.if
+++ b/policy/modules/kernel/mcs.if
@@ -44,11 +44,7 @@ interface(`mcs_constrained',`
 ## 
 #
 interface(`mcs_file_read_all',`
-   gen_require(`
-   attribute mcsreadall;
-   ')
-
-   typeattribute $1 mcsreadall;
+   refpolicywarn(`$0() has been deprecated, please remove 
mcs_constrained() instead.')
 ')
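Review bot: The deprecation message `please remove mcs_constrained() instead` reads as self-contradictory — it asks the caller to remove what sounds like the replacement — and the same string is repeated in the `mcs_file_write_all`, `mcs_killall` and `mcs_ptrace_all` hunks below. Judging by the rest of this commit, which simply deletes the calls from rpm, tmpreaper, policykit and postfix, the intent seems to be that callers drop the call entirely, so a clearer text would be `refpolicywarn(`$0() has been deprecated, MCS overrides are no longer needed; please remove the call.')`; if callers are instead meant to apply `mcs_constrained()`, write `please use mcs_constrained() instead`. The XML docblocks above each interface sit outside the hunks and should also be marked as deprecated.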
 
 
@@ -64,11 +60,7 @@ interface(`mcs_file_read_all',`
 ## 
 #
 interface(`mcs_file_write_all',`
-   gen_require(`
-   attribute mcswriteall;
-   ')
-
-   typeattribute $1 mcswriteall;
+   refpolicywarn(`$0() has been deprecated, please remove 
mcs_constrained() instead.')
 ')
 
 
@@ -84,11 +76,7 @@ interface(`mcs_file_write_all',`
 ## 
 #
 interface(`mcs_killall',`
-   gen_require(`
-   attribute mcskillall;
-   ')
-
-   typeattribute $1 mcskillall;
+   refpolicywarn(`$0() has been deprecated, please remove 
mcs_constrained() instead.')
 ')
 
 
@@ -104,11 +92,7 @@ interface(`mcs_killall',`
 ## 
 #
 interface(`mcs_ptrace_all',`
-   gen_require(`
-   attribute mcsptraceall;
-   ')
-
-   typeattribute $1 mcsptraceall;
+   refpolicywarn(`$0() has been deprecated, please remove 
mcs_constrained() instead.')
 ')
 
 

diff --git a/policy/modules/services/policykit.te 
b/policy/modules/services/policykit.te
index 7e00d524..f03614d0 100644
--- a/policy/modules/services/policykit.te
+++ b/policy/modules/services/policykit.te
@@ -267,8 +267,6 @@ can_exec(policykit_resolve_t, policykit_resolve_exec_t)
 
 domtrans_pattern(policykit_resolve_t, policykit_auth_exec_t, policykit_auth_t)
 
-mcs_ptrace_all(policykit_resolve_t)
-
 auth_use_nsswitch(policykit_resolve_t)
 
 userdom_read_all_users_state(policykit_resolve_t)

diff --git a/policy/modules/services/postfix.te 
b/policy/modules/services/postfix.te
index 98416368..b6a9bb6b 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -292,8 +292,6 @@ domain_use_interactive_fds(postfix_master_t)
 
 files_search_tmp(postfix_master_t)
 
-mcs_file_read_all(postfix_master_t)
-
 term_dontaudit_search_ptys(postfix_master_t)
 
 hostname_exec(postfix_master_t)
@@ -568,9 +566,6 @@ allow postfix_pickup_t 

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/services/

2019-02-09 Thread Jason Zaman
commit: f75896871e29215b93854d20fa218118dc70e45d
Author: Alexander Miroshnichenko  millerson  name>
AuthorDate: Sat Jan 26 18:50:12 2019 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Feb 10 04:11:25 2019 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f7589687

fs_mmap_rw_hugetlbfs_files is a more appropriate name for the interface

Signed-off-by: Jason Zaman  perfinion.com>

 policy/modules/kernel/filesystem.if   | 2 +-
 policy/modules/services/postgresql.te | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/kernel/filesystem.if 
b/policy/modules/kernel/filesystem.if
index 7d9f0f43..6da7cc22 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -2350,7 +2350,7 @@ interface(`fs_rw_hugetlbfs_files',`
 ##  
 ## 
 #
-interface(`fs_rmw_hugetlbfs_files',`
+interface(`fs_mmap_rw_hugetlbfs_files',`
 gen_require(`
 type hugetlbfs_t;
 ')
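Review bot: Renaming `fs_rmw_hugetlbfs_files` to `fs_mmap_rw_hugetlbfs_files` with no compatibility shim breaks any out-of-tree module that still calls the old name at build time; the convention elsewhere in this repository for a retired interface is to keep the old name as a deprecated wrapper that warns via `refpolicywarn` and delegates to the new one. The docblock summary above the interface (outside this hunk) should also mention mmap now that the name does. The interface body continues outside the hunk.
```m4
interface(`fs_rmw_hugetlbfs_files',`
	refpolicywarn(`$0() has been deprecated, please use fs_mmap_rw_hugetlbfs_files() instead.')
	fs_mmap_rw_hugetlbfs_files($1)
')
```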

diff --git a/policy/modules/services/postgresql.te 
b/policy/modules/services/postgresql.te
index 09824a8b..3bdffe4f 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -331,7 +331,7 @@ dev_read_urand(postgresql_t)
 
 fs_getattr_all_fs(postgresql_t)
 fs_search_auto_mountpoints(postgresql_t)
-fs_rmw_hugetlbfs_files(postgresql_t)
+fs_mmap_rw_hugetlbfs_files(postgresql_t)
 
 selinux_get_enforce_mode(postgresql_t)
 selinux_validate_context(postgresql_t)



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/services/

2019-02-09 Thread Jason Zaman
commit: d4995122c6b1cdde1674282d58bc69494119f6d8
Author: Chris PeBenito  ieee  org>
AuthorDate: Sun Jan 27 17:58:33 2019 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Feb 10 04:11:25 2019 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d4995122

filesystem, postgresql: Module version bump.

Signed-off-by: Jason Zaman  perfinion.com>

 policy/modules/kernel/filesystem.te   | 2 +-
 policy/modules/services/postgresql.te | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/kernel/filesystem.te 
b/policy/modules/kernel/filesystem.te
index 8ddacd76..5cbf319b 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -1,4 +1,4 @@
-policy_module(filesystem, 1.24.0)
+policy_module(filesystem, 1.24.1)
 
 
 #

diff --git a/policy/modules/services/postgresql.te 
b/policy/modules/services/postgresql.te
index 3bdffe4f..8f7043c3 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -1,4 +1,4 @@
-policy_module(postgresql, 1.19.0)
+policy_module(postgresql, 1.19.1)
 
 gen_require(`
class db_database all_db_database_perms;



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/services/, policy/modules/admin/, ...

2014-12-03 Thread Jason Zaman
commit: 8253183963f78c69d401d0740f2f35d4cc7726b4
Author: Jason Zaman jason AT perfinion DOT com
AuthorDate: Tue Dec  2 21:20:40 2014 +
Commit: Jason Zaman gentoo AT perfinion DOT com
CommitDate: Tue Dec  2 21:20:40 2014 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=82531839

remove things that have been upstreamed

---
 policy/modules/admin/bootloader.fc|  4 
 policy/modules/admin/sudo.if  |  7 ---
 policy/modules/kernel/corecommands.fc |  2 --
 policy/modules/services/xserver.fc|  7 ---
 policy/modules/system/authlogin.if| 34 --
 policy/modules/system/fstools.fc  |  2 --
 policy/modules/system/ipsec.fc|  4 
 7 files changed, 60 deletions(-)

diff --git a/policy/modules/admin/bootloader.fc 
b/policy/modules/admin/bootloader.fc
index 6bd044c..d908d56 100644
--- a/policy/modules/admin/bootloader.fc
+++ b/policy/modules/admin/bootloader.fc
@@ -11,7 +11,3 @@
 /usr/sbin/grub2?-install   --  
gen_context(system_u:object_r:bootloader_exec_t,s0)
 /usr/sbin/grub2?-mkconfig  --  
gen_context(system_u:object_r:bootloader_exec_t,s0)
 /usr/sbin/grub2?-probe --  
gen_context(system_u:object_r:bootloader_exec_t,s0)
-
-ifdef(`distro_gentoo',`
-/usr/sbin/grub2?-mkconfig  --  
gen_context(system_u:object_r:bootloader_exec_t,s0)
-')

diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index c6140e3..56ce11c 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -160,13 +160,6 @@ template(`sudo_role_template',`
optional_policy(`
fprintd_dbus_chat($1_sudo_t)
')
-
-   ifdef(`distro_gentoo',`
-   # Set ownership of ts directory (timestamp keeping)
-   allow $1_sudo_t self:capability { chown };
-   # Create /var/run/sudo
-   auth_pid_filetrans_pam_var_run($1_sudo_t, dir, sudo)
-   ')
 ')
 
 

diff --git a/policy/modules/kernel/corecommands.fc 
b/policy/modules/kernel/corecommands.fc
index e61b52b..fdf1915 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -422,6 +422,4 @@ ifdef(`distro_suse',`
 ifdef(`distro_gentoo',`
 /usr/lib/python-exec/python-exec2  --  
gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/python-exec/python.*/.*   --  
gen_context(system_u:object_r:bin_t,s0)
-
-/usr/lib/xfce4/notifyd/xfce4-notifyd   --  
gen_context(system_u:object_r:bin_t,s0)
 ')

diff --git a/policy/modules/services/xserver.fc 
b/policy/modules/services/xserver.fc
index 49eeac1..5ef36fb 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -128,11 +128,4 @@ ifdef(`distro_suse',`
 
 ifdef(`distro_gentoo',`
 HOME_DIR/\.local/share/xorg(/.*)?  
gen_context(system_u:object_r:xserver_xdg_data_home_t,s0)
-
-/etc/lightdm/Xsession  --  
gen_context(system_u:object_r:xsession_exec_t,s0)
-
-/var/cache/lightdm(/.*)?   gen_context(system_u:object_r:xdm_var_lib_t,s0)
-/var/lib/lightdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
-/var/log/lightdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
-/var/run/lightdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
 ')

diff --git a/policy/modules/system/authlogin.if 
b/policy/modules/system/authlogin.if
index 41004c5..f05d7bf 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -1836,37 +1836,3 @@ interface(`auth_unconfined',`
typeattribute $1 can_write_shadow_passwords;
typeattribute $1 can_relabelto_shadow_passwords;
 ')
-
-# Should be in an ifdef distro_gentoo but that is not supported in the global 
if file
-
-
-## summary
-## Create specified objects in
-## pid directories with the pam var
-##  run file type using a
-##  file type transition.
-## /summary
-## param name=domain
-## summary
-## Domain allowed access.
-## /summary
-## /param
-## param name=object_class
-## summary
-## Class of the object being created.
-## /summary
-## /param
-## param name=name optional=true
-## summary
-## The name of the object being created.
-## /summary
-## /param
-#
-interface(`auth_pid_filetrans_pam_var_run',`
-   gen_require(`
-   type pam_var_run_t;
-   ')
-
-   files_pid_filetrans($1, pam_var_run_t, $2, $3)
-')
-

diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
index fb132f9..be77216 100644
--- a/policy/modules/system/fstools.fc
+++ b/policy/modules/system/fstools.fc
@@ -66,6 +66,4 @@
 ifdef(`distro_gentoo',`
 /sbin/mkfs\.f2fs   --  gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/sbin/mkfs\.f2fs   --  gen_context(system_u:object_r:fsadm_exec_t,s0)
-/usr/sbin/gdisk--