[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/system/

2023-10-06 Thread Kenton Groombridge
commit: 9a761587cf212b96c093e2ea1d9c3ed66ff7c37d
Author: Russell Coker  coker  com  au>
AuthorDate: Thu Sep 21 14:21:25 2023 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Fri Oct  6 15:27:06 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9a761587

debian motd.d directory (#689)

* policy for Debian motd.d dir

Signed-off-by: Russell Coker  coker.com.au>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/xserver.te | 1 +
 policy/modules/system/authlogin.fc | 1 +
 policy/modules/system/authlogin.if | 1 +
 3 files changed, 3 insertions(+)

diff --git a/policy/modules/services/xserver.te 
b/policy/modules/services/xserver.te
index 68d9bd34b..58cd85626 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -472,6 +472,7 @@ auth_manage_pam_runtime_dirs(xdm_t)
 auth_manage_pam_runtime_files(xdm_t)
 auth_manage_pam_console_data(xdm_t)
 auth_read_shadow_history(xdm_t)
+auth_use_pam_motd_dynamic(xdm_t)
 auth_write_login_records(xdm_t)
 
 # Run telinit->init to shutdown.

diff --git a/policy/modules/system/authlogin.fc 
b/policy/modules/system/authlogin.fc
index b47da01a5..adb53a05a 100644
--- a/policy/modules/system/authlogin.fc
+++ b/policy/modules/system/authlogin.fc
@@ -59,6 +59,7 @@ ifdef(`distro_suse', `
 /run/motd  --  
gen_context(system_u:object_r:pam_motd_runtime_t,s0)
 /run/motd\.dynamic --  
gen_context(system_u:object_r:pam_motd_runtime_t,s0)
 /run/motd\.dynamic\.new--  
gen_context(system_u:object_r:pam_motd_runtime_t,s0)
+/run/motd\.d(/.*)? 
gen_context(system_u:object_r:pam_motd_runtime_t,s0)
 /run/pam_mount(/.*)?   gen_context(system_u:object_r:pam_runtime_t,s0)
 /run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
 /run/sepermit(/.*)?gen_context(system_u:object_r:pam_runtime_t,s0)

diff --git a/policy/modules/system/authlogin.if 
b/policy/modules/system/authlogin.if
index 4d11800aa..cd5ab2d7f 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -129,6 +129,7 @@ interface(`auth_use_pam_motd_dynamic',`
corecmd_exec_shell($1)
 
allow $1 pam_motd_runtime_t:file manage_file_perms;
+   allow $1 pam_motd_runtime_t:dir rw_dir_perms;
files_runtime_filetrans($1, pam_motd_runtime_t, file, 
"motd.dynamic.new")
 ')
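Review bot: The new `allow $1 pam_motd_runtime_t:dir rw_dir_perms;` lets the caller write into an existing /run/motd.d, but nothing in this interface creates that directory with the right label: the only transition kept is `files_runtime_filetrans($1, pam_motd_runtime_t, file, "motd.dynamic.new")`, and the authlogin.fc hunk labelling `/run/motd\.d(/.*)?` only takes effect on relabel. If the directory is created at runtime by the caller (xdm_t now reaches this interface via the xserver.te hunk), it will presumably get the generic runtime label and the new dir rule never applies — confirm who creates it, and if it is the caller add `files_runtime_filetrans($1, pam_motd_runtime_t, dir, "motd.d")` and widen the dir rule to `manage_dir_perms`. The interface `auth_use_pam_motd_dynamic` begins outside the hunk.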
 



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/system/

2023-02-13 Thread Kenton Groombridge
commit: e19a19f4bb6fdd3d55ee981413ee48bd34f4860a
Author: Corentin LABBE  gmail  com>
AuthorDate: Mon Dec 26 09:25:59 2022 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Mon Feb 13 15:19:52 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e19a19f4

munin: disk-plugin: transition to fsadm

The smart_ plugin currently executes smartctl in the disk_munin_plugin_t domain,
but a lot of rules are still missing for correct smartctl execution.
Instead of duplicating most of the fsadm rules, it is easier to transition to
the correct domain.

Signed-off-by: Corentin LABBE  gmail.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/munin.if | 17 +
 policy/modules/services/munin.te |  6 +++---
 policy/modules/system/fstools.te |  4 
 3 files changed, 24 insertions(+), 3 deletions(-)

diff --git a/policy/modules/services/munin.if b/policy/modules/services/munin.if
index 9cf4cb20e..de654d4ea 100644
--- a/policy/modules/services/munin.if
+++ b/policy/modules/services/munin.if
@@ -189,3 +189,20 @@ interface(`munin_admin',`
 
admin_pattern($1, httpd_munin_content_t)
 ')
+
+
+## 
+## Permit to read/write Munin TCP sockets
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`munin_rw_tcp_sockets',`
+   gen_require(`
+   type munin_t;
+   ')
+   allow $1 munin_t:tcp_socket rw_socket_perms;
+')
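Review bot: In the new `munin_rw_tcp_sockets` interface the `allow` line follows the `gen_require` block with no separating blank line, while the rest of the tree's interfaces leave one (the seutil interfaces elsewhere on this page show the usual shape); add a blank line after `')` for consistency. The rule itself is a faithful move of the line deleted from munin.te.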

diff --git a/policy/modules/services/munin.te b/policy/modules/services/munin.te
index 2e6b1542a..9fc77c8e9 100644
--- a/policy/modules/services/munin.te
+++ b/policy/modules/services/munin.te
@@ -52,8 +52,6 @@ munin_plugin_template(unconfined)
 allow munin_plugin_domain self:process signal;
 allow munin_plugin_domain self:fifo_file rw_fifo_file_perms;
 
-allow munin_plugin_domain munin_t:tcp_socket rw_socket_perms;
-
 read_lnk_files_pattern(munin_plugin_domain, munin_etc_t, munin_etc_t)
 
 allow munin_plugin_domain munin_exec_t:file read_file_perms;
@@ -79,6 +77,8 @@ fs_getattr_all_fs(munin_plugin_domain)
 
 miscfiles_read_localization(munin_plugin_domain)
 
+munin_rw_tcp_sockets(munin_plugin_domain)
+
 optional_policy(`
nscd_use(munin_plugin_domain)
 ')
@@ -260,7 +260,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-   fstools_exec(disk_munin_plugin_t)
+   fstools_domtrans(disk_munin_plugin_t)
 ')
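Review bot: `fstools_domtrans(disk_munin_plugin_t)` turns a plain exec into a transition into fsadm_t, the domain the fstools module uses for filesystem and disk tools, so the smart_ plugin now runs with that domain's whole privilege set rather than only what smartctl needs; that is considerably broader than the missing rules the commit message describes. If the trade-off is intended, record it above the call, e.g. `# smart_ plugins transition to fsadm_t to run smartctl; this grants the plugin full fsadm_t privileges`, so later reviewers of the plugin's exposure see why. Whatever the plugin hands across the transition (its output descriptor, inherited fds) also has to be allowed on the fsadm_t side; the fstools.te hunk only adds `munin_rw_tcp_sockets(fsadm_t)`, so check whether munin_t's pipes or the plugin's fifo also need rules there — I cannot confirm that from the hunks alone.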
 
 

diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index 3d5525cc4..079aacad3 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -208,6 +208,10 @@ optional_policy(`
modutils_read_module_deps(fsadm_t)
 ')
 
+optional_policy(`
+   munin_rw_tcp_sockets(fsadm_t)
+')
+
 optional_policy(`
nis_use_ypbind(fsadm_t)
 ')



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/system/

2022-11-02 Thread Kenton Groombridge
commit: 0d854a362ee5625add66fcb2212d27a035639f48
Author: Kenton Groombridge  concord  sh>
AuthorDate: Sat Sep 24 17:51:14 2022 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Wed Nov  2 14:07:18 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0d854a36

glusterfs, selinuxutil: make modifying fcontexts a tunable

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/glusterfs.te | 26 +-
 policy/modules/system/selinuxutil.if | 36 
 policy/modules/system/selinuxutil.te | 11 +++
 3 files changed, 64 insertions(+), 9 deletions(-)

diff --git a/policy/modules/services/glusterfs.te 
b/policy/modules/services/glusterfs.te
index 690aa828a..85a55ed5b 100644
--- a/policy/modules/services/glusterfs.te
+++ b/policy/modules/services/glusterfs.te
@@ -1,5 +1,15 @@
 policy_module(glusterfs)
 
+## 
+## 
+## Allow the gluster daemon to automatically
+## add and remove file contexts from the local
+## SELinux policy when adding and removing
+## bricks.
+## 
+## 
+gen_tunable(glusterfs_modify_policy, false)
+
 
 #
 # Declarations
@@ -129,11 +139,17 @@ logging_send_syslog_msg(glusterd_t)
 miscfiles_read_generic_certs(glusterd_t)
 miscfiles_read_localization(glusterd_t)
 
-# needed by relabeling hooks when adding bricks
-seutil_domtrans_semanage(glusterd_t)
-seutil_exec_setfiles(glusterd_t)
-seutil_read_default_contexts(glusterd_t)
-
 userdom_dontaudit_search_user_runtime_root(glusterd_t)
 
 xdg_dontaudit_search_data_dirs(glusterd_t)
+
+tunable_policy(`glusterfs_modify_policy',`
+   # needed by relabeling hooks when adding bricks
+   seutil_domtrans_semanage(glusterd_t)
+   seutil_exec_setfiles(glusterd_t)
+   seutil_read_default_contexts(glusterd_t)
+',`
+   seutil_dontaudit_exec_semanage(glusterd_t)
+   seutil_dontaudit_exec_setfiles(glusterd_t)
+   seutil_dontaudit_read_file_contexts(glusterd_t)
+')
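Review bot: With `glusterfs_modify_policy` defaulting to false, the else branch (`seutil_dontaudit_exec_semanage`, `seutil_dontaudit_exec_setfiles`, `seutil_dontaudit_read_file_contexts`) suppresses exactly the AVC denials an administrator would need to discover that brick relabeling hooks now require the tunable; the tunable description in the first hunk should say so, e.g. `## When disabled, denials from the relabeling hooks are not audited.` The two branches are also not mirror images: the allow side grants `seutil_read_default_contexts` while the dontaudit side covers file contexts, so if those are distinct types the default_contexts read will still be logged when the tunable is off — confirm which one the hooks actually read and align the two.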

diff --git a/policy/modules/system/selinuxutil.if 
b/policy/modules/system/selinuxutil.if
index c0735f2b8..30db6a094 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -574,6 +574,24 @@ interface(`seutil_exec_setfiles',`
can_exec($1, setfiles_exec_t)
 ')
 
+
+## 
+## Do not audit attempts to execute setfiles.
+## 
+## 
+## 
+## Domain to not audit.
+## 
+## 
+#
+interface(`seutil_dontaudit_exec_setfiles',`
+   gen_require(`
+   type setfiles_exec_t;
+   ')
+
+   dontaudit $1 setfiles_exec_t:file exec_file_perms;
+')
+
 
 ## 
 ## Do not audit attempts to search the SELinux
@@ -1028,6 +1046,24 @@ interface(`seutil_run_semanage',`
roleattribute $2 semanage_roles;
 ')
 
+
+## 
+## Do not audit attempts to execute semanage.
+## 
+## 
+## 
+## Domain to not audit.
+## 
+## 
+#
+interface(`seutil_dontaudit_exec_semanage',`
+   gen_require(`
+   type semanage_exec_t;
+   ')
+
+   dontaudit $1 semanage_exec_t:file exec_file_perms;
+')
+
 
 ## 
 ## Read the semanage module store.

diff --git a/policy/modules/system/selinuxutil.te 
b/policy/modules/system/selinuxutil.te
index 14a17175f..2b823b543 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -209,8 +209,9 @@ ifdef(`distro_ubuntu',`
 ')
 
 optional_policy(`
-   # glusterd calls semanage fcontext
-   glusterfs_use_daemon_fds(load_policy_t)
+   tunable_policy(`glusterfs_modify_policy',`
+   glusterfs_use_daemon_fds(load_policy_t)
+   ')
 ')
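Review bot: The comment `# glusterd calls semanage fcontext`, which explained why load_policy_t needs glusterd's descriptors, is dropped when the call is wrapped in `tunable_policy`; keep it inside the tunable block, as the glusterfs.te hunk does for its own comment. The second selinuxutil.te hunk swaps the order of the apt and glusterfs `optional_policy` blocks while wrapping the latter; wrapping in place would have left the apt block untouched and kept that hunk a pure addition.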
 
 optional_policy(`
@@ -695,11 +696,13 @@ ifdef(`distro_ubuntu',`
 ')
 
 optional_policy(`
-   apt_use_fds(setfiles_t)
+   tunable_policy(`glusterfs_modify_policy',`
+   glusterfs_use_daemon_fds(setfiles_t)
+   ')
 ')
 
 optional_policy(`
-   glusterfs_use_daemon_fds(setfiles_t)
+   apt_use_fds(setfiles_t)
 ')
 
 optional_policy(`



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/system/, policy/modules/roles/

2021-03-21 Thread Jason Zaman
commit: 9084f61f91fc157eab7e43a35c13f76ff1328518
Author: Chris PeBenito  ieee  org>
AuthorDate: Fri Mar 19 19:17:54 2021 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Mar 21 21:38:23 2021 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9084f61f

various: Module version bump.

Signed-off-by: Chris PeBenito  ieee.org>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/roles/auditadm.te| 2 +-
 policy/modules/roles/dbadm.te   | 2 +-
 policy/modules/roles/guest.te   | 2 +-
 policy/modules/roles/logadm.te  | 2 +-
 policy/modules/roles/secadm.te  | 2 +-
 policy/modules/roles/webadm.te  | 2 +-
 policy/modules/services/dbus.te | 2 +-
 policy/modules/system/init.te   | 2 +-
 policy/modules/system/logging.te| 2 +-
 policy/modules/system/mount.te  | 2 +-
 policy/modules/system/systemd.te| 2 +-
 policy/modules/system/userdomain.te | 2 +-
 12 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/policy/modules/roles/auditadm.te b/policy/modules/roles/auditadm.te
index 641cdb44..12a6ea1a 100644
--- a/policy/modules/roles/auditadm.te
+++ b/policy/modules/roles/auditadm.te
@@ -1,4 +1,4 @@
-policy_module(auditadm, 2.4.0)
+policy_module(auditadm, 2.4.1)
 
 
 #

diff --git a/policy/modules/roles/dbadm.te b/policy/modules/roles/dbadm.te
index 426aec20..b0414f81 100644
--- a/policy/modules/roles/dbadm.te
+++ b/policy/modules/roles/dbadm.te
@@ -1,4 +1,4 @@
-policy_module(dbadm, 1.1.0)
+policy_module(dbadm, 1.1.1)
 
 
 #

diff --git a/policy/modules/roles/guest.te b/policy/modules/roles/guest.te
index 59b413cc..3f7c466a 100644
--- a/policy/modules/roles/guest.te
+++ b/policy/modules/roles/guest.te
@@ -1,4 +1,4 @@
-policy_module(guest, 1.3.0)
+policy_module(guest, 1.3.1)
 
 
 #

diff --git a/policy/modules/roles/logadm.te b/policy/modules/roles/logadm.te
index 1d091045..28534edc 100644
--- a/policy/modules/roles/logadm.te
+++ b/policy/modules/roles/logadm.te
@@ -1,4 +1,4 @@
-policy_module(logadm, 1.0.0)
+policy_module(logadm, 1.0.1)
 
 
 #

diff --git a/policy/modules/roles/secadm.te b/policy/modules/roles/secadm.te
index 4b07f0bb..3f227d0b 100644
--- a/policy/modules/roles/secadm.te
+++ b/policy/modules/roles/secadm.te
@@ -1,4 +1,4 @@
-policy_module(secadm, 2.6.0)
+policy_module(secadm, 2.6.1)
 
 
 #

diff --git a/policy/modules/roles/webadm.te b/policy/modules/roles/webadm.te
index 962b5281..9d3c5026 100644
--- a/policy/modules/roles/webadm.te
+++ b/policy/modules/roles/webadm.te
@@ -1,4 +1,4 @@
-policy_module(webadm, 1.2.0)
+policy_module(webadm, 1.2.1)
 
 
 #

diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index fd74c4d9..05aa8b6e 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -1,4 +1,4 @@
-policy_module(dbus, 1.30.1)
+policy_module(dbus, 1.30.2)
 
 gen_require(`
class dbus all_dbus_perms;

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 4c322455..d897bc48 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 2.10.1)
+policy_module(init, 2.10.2)
 
 gen_require(`
class passwd rootok;

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index e6e44374..0f450cb2 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -1,4 +1,4 @@
-policy_module(logging, 1.33.1)
+policy_module(logging, 1.33.2)
 
 
 #

diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 0a093528..c5f140e6 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -1,4 +1,4 @@
-policy_module(mount, 1.24.0)
+policy_module(mount, 1.24.1)
 
 
 #

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 66672243..f5b5b07a 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.11.1)
+policy_module(systemd, 1.11.2)
 
 #
 #

diff --git a/policy/modules/system/userdomain.te 
b/policy/modules/system/userdomain.te
index 45f1d1e5..68b7f102 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,4 +1,4 @@
-policy_module(userdomain, 4.21.0)
+policy_module(userdomain, 4.21.1)
 
 
 #



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/system/, policy/modules/admin/

2021-02-06 Thread Jason Zaman
commit: 3038102c095f32eaf4df2f0a5caec52dc6106463
Author: Chris PeBenito  ieee  org>
AuthorDate: Tue Feb  2 13:47:00 2021 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Feb  6 21:15:09 2021 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3038102c

various: Module version bump.

Signed-off-by: Chris PeBenito  ieee.org>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/admin/dpkg.te | 2 +-
 policy/modules/services/aptcacher.te | 2 +-
 policy/modules/services/clamav.te| 2 +-
 policy/modules/services/ftp.te   | 2 +-
 policy/modules/services/milter.te| 2 +-
 policy/modules/services/mysql.te | 2 +-
 policy/modules/system/authlogin.te   | 2 +-
 policy/modules/system/init.te| 2 +-
 policy/modules/system/systemd.te | 2 +-
 policy/modules/system/unconfined.te  | 2 +-
 10 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/policy/modules/admin/dpkg.te b/policy/modules/admin/dpkg.te
index da365bb2..a3c014d8 100644
--- a/policy/modules/admin/dpkg.te
+++ b/policy/modules/admin/dpkg.te
@@ -1,4 +1,4 @@
-policy_module(dpkg, 1.16.0)
+policy_module(dpkg, 1.16.1)
 
 
 #

diff --git a/policy/modules/services/aptcacher.te 
b/policy/modules/services/aptcacher.te
index fa3b2dd0..175afb8f 100644
--- a/policy/modules/services/aptcacher.te
+++ b/policy/modules/services/aptcacher.te
@@ -1,4 +1,4 @@
-policy_module(aptcacher, 1.1.1)
+policy_module(aptcacher, 1.1.2)
 
 
 #

diff --git a/policy/modules/services/clamav.te 
b/policy/modules/services/clamav.te
index 2bc067b6..73257d2d 100644
--- a/policy/modules/services/clamav.te
+++ b/policy/modules/services/clamav.te
@@ -1,4 +1,4 @@
-policy_module(clamav, 1.19.0)
+policy_module(clamav, 1.19.1)
 
 ## 
 ## 

diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
index e2718723..8a30de5f 100644
--- a/policy/modules/services/ftp.te
+++ b/policy/modules/services/ftp.te
@@ -1,4 +1,4 @@
-policy_module(ftp, 1.24.1)
+policy_module(ftp, 1.24.2)
 
 
 #

diff --git a/policy/modules/services/milter.te 
b/policy/modules/services/milter.te
index 29183d47..00050d3f 100644
--- a/policy/modules/services/milter.te
+++ b/policy/modules/services/milter.te
@@ -1,4 +1,4 @@
-policy_module(milter, 1.10.0)
+policy_module(milter, 1.10.1)
 
 
 #

diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te
index 52a4e142..b19e8672 100644
--- a/policy/modules/services/mysql.te
+++ b/policy/modules/services/mysql.te
@@ -1,4 +1,4 @@
-policy_module(mysql, 1.22.2)
+policy_module(mysql, 1.22.3)
 
 
 #

diff --git a/policy/modules/system/authlogin.te 
b/policy/modules/system/authlogin.te
index 375884e7..96ebfa27 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -1,4 +1,4 @@
-policy_module(authlogin, 2.17.5)
+policy_module(authlogin, 2.17.6)
 
 
 #

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 1c9a5cdd..a07ff86d 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 2.9.8)
+policy_module(init, 2.9.9)
 
 gen_require(`
class passwd rootok;

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 8f91f228..9e68824e 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.10.10)
+policy_module(systemd, 1.10.11)
 
 #
 #

diff --git a/policy/modules/system/unconfined.te 
b/policy/modules/system/unconfined.te
index 42879fb7..5281a6c3 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -1,4 +1,4 @@
-policy_module(unconfined, 3.15.0)
+policy_module(unconfined, 3.15.1)
 
 
 #



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/system/

2021-01-10 Thread Jason Zaman
commit: 6069aa838b4f8dc5dccc14a0487eeb04916cc50e
Author: 0xC0ncord  concord  sh>
AuthorDate: Mon Nov 23 20:22:59 2020 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Jan 10 21:52:17 2021 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6069aa83

userdomain, xserver: move xdg rules to userdom_xdg_user_template

xdg rules are normally set in xserver. But, if a modular policy is being
used and the xserver module is not present, the required rules for users
to be able to access xdg content are never created and thus these files
and directories cannot be interacted with by users. This change adds a
new template that can be called to grant these privileges to userdomain
types as necessary.

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/services/xserver.if  | 36 -
 policy/modules/system/userdomain.if | 62 +
 2 files changed, 62 insertions(+), 36 deletions(-)

diff --git a/policy/modules/services/xserver.if 
b/policy/modules/services/xserver.if
index d5d6c791..e18dc704 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -185,42 +185,6 @@ interface(`xserver_role',`
xserver_read_xkb_libs($2)
 
optional_policy(`
-   xdg_manage_all_cache($2)
-   xdg_relabel_all_cache($2)
-   xdg_watch_all_cache_dirs($2)
-   xdg_manage_all_config($2)
-   xdg_relabel_all_config($2)
-   xdg_watch_all_config_dirs($2)
-   xdg_manage_all_data($2)
-   xdg_relabel_all_data($2)
-   xdg_watch_all_data_dirs($2)
-
-   xdg_generic_user_home_dir_filetrans_cache($2, dir, ".cache")
-   xdg_generic_user_home_dir_filetrans_config($2, dir, ".config")
-   xdg_generic_user_home_dir_filetrans_data($2, dir, ".local")
-
-   xdg_generic_user_home_dir_filetrans_documents($2, dir, 
"Documents")
-   xdg_generic_user_home_dir_filetrans_downloads($2, dir, 
"Downloads")
-   xdg_generic_user_home_dir_filetrans_music($2, dir, "Music")
-   xdg_generic_user_home_dir_filetrans_pictures($2, dir, 
"Pictures")
-   xdg_generic_user_home_dir_filetrans_videos($2, dir, "Videos")
-
-   xdg_manage_documents($2)
-   xdg_relabel_documents($2)
-   xdg_watch_documents_dirs($2)
-   xdg_manage_downloads($2)
-   xdg_relabel_downloads($2)
-   xdg_watch_downloads_dirs($2)
-   xdg_manage_music($2)
-   xdg_relabel_music($2)
-   xdg_watch_music_dirs($2)
-   xdg_manage_pictures($2)
-   xdg_relabel_pictures($2)
-   xdg_watch_pictures_dirs($2)
-   xdg_manage_videos($2)
-   xdg_relabel_videos($2)
-   xdg_watch_videos_dirs($2)
-
xdg_cache_filetrans($2, mesa_shader_cache_t, dir, 
"mesa_shader_cache")
')
 ')
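Review bot: Removing the xdg rules from `xserver_role` drops them for every caller of that interface, but the replacement `userdom_xdg_user_template` is only called from `userdom_unpriv_user_template` in the userdomain.if hunk; any user domain that obtains `xserver_role` by another path (presumably the admin user templates) would lose access to its own ~/.config, ~/.cache and the Documents/Downloads/… types — confirm those roles are covered elsewhere or add the template call there too. The enclosing `optional_policy` block still holds `xdg_cache_filetrans`, so xserver_role's dependency on the xdg module remains.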

diff --git a/policy/modules/system/userdomain.if 
b/policy/modules/system/userdomain.if
index 7ce340dc..4c902bff 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1207,6 +1207,9 @@ template(`userdom_unpriv_user_template', `
fs_exec_noxattr($1_t)
')
 
+   # Allow users to manage xdg content in their home directories
+   userdom_xdg_user_template($1_t)
+
# Allow users to run TCP servers (bind to ports and accept connection 
from
# the same domain and outside users) disabling this forces FTP passive 
mode
# and may change other protocols
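Review bot: `userdom_xdg_user_template($1_t)` passes the full domain name, but the template body in the next hunk (`xdg_manage_all_cache($1_t)` and the lines after it) appends `_t` again, so inside `userdom_unpriv_user_template` this expands to `<prefix>_t_t`, a type that is never declared, and the module should fail to build. Call it with the prefix instead: `userdom_xdg_user_template($1)`, consistent with how the surrounding `$1_t` uses derive the type from the prefix. The template's parameter doc in that hunk says `Domain allowed access.`; it should describe the user domain prefix, since the template derives the type itself. That template hunk runs past the end of the visible text.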
@@ -1529,6 +1532,65 @@ template(`userdom_security_admin_template',`
')
 ')
 
+
+## 
+## Allow user to interact with xdg content types
+## 
+## 
+## 
+##  Create rules to allow a user to manage xdg
+##  content in a user home directory with an
+##  automatic type transition to those types.
+## 
+## 
+## This is a templated interface, and should only
+## be called from a per-userdomain template.
+## 
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+template(`userdom_xdg_user_template',`
+   xdg_manage_all_cache($1_t)
+   xdg_relabel_all_cache($1_t)
+   xdg_watch_all_cache_dirs($1_t)
+   xdg_manage_all_config($1_t)
+   xdg_relabel_all_config($1_t)
+   xdg_watch_all_config_dirs($1_t)
+   xdg_manage_all_data($1_t)
+   xdg_relabel_all_data($1_t)
+   xdg_watch_all_data_dirs($1_t)
+
+   xdg_generic_user_home_dir_filetrans_cache($1_t, dir, ".cache")
+   xdg_generic_user_home_dir_filetrans_config($1_t, dir, ".config")
+   xdg_generic_user_home_dir_filetrans_data($1_t, dir, ".local")
+
+   xdg_generic_user_home_dir_filetrans_documents($1_t, dir, "Documents")
+   

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/system/

2020-11-28 Thread Jason Zaman
commit: e2236d7e0c64a40ec71ab835f5818e396437ec2e
Author: Jason Zaman  gentoo  org>
AuthorDate: Tue Nov 17 03:46:21 2020 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Nov 28 22:55:48 2020 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e2236d7e

userdomain: Add watch on home dirs

avc:  denied  { watch } for  pid=12351 comm="gmain" 
path="/usr/share/backgrounds/xfce" dev="zfs" ino=366749 
scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=11646 comm="gmain" path="/etc/fonts" dev="zfs" 
ino=237700 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:fonts_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=12351 comm="gmain" path="/home/jason/Desktop" 
dev="zfs" ino=33153 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 
tcontext=staff_u:object_r:user_home_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=12574 comm="gmain" 
path="/home/jason/.local/share/icc" dev="zfs" ino=1954514 
scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 
tcontext=staff_u:object_r:xdg_data_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=11795 comm="gmain" 
path="/home/jason/.config/xfce4/panel/launcher-19" dev="zfs" ino=35464 
scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 
tcontext=staff_u:object_r:xdg_config_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=12351 comm="gmain" 
path="/home/jason/downloads/pics" dev="zfs" ino=38173 
scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 
tcontext=staff_u:object_r:xdg_downloads_t:s0 tclass=dir permissive=0
Signed-off-by: Jason Zaman  perfinion.com>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/services/xserver.if  |  11 +-
 policy/modules/system/miscfiles.if  |  18 
 policy/modules/system/userdomain.if |  15 ++-
 policy/modules/system/xdg.if| 198 
 4 files changed, 240 insertions(+), 2 deletions(-)

diff --git a/policy/modules/services/xserver.if 
b/policy/modules/services/xserver.if
index baa39ef8..d5d6c791 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -95,6 +95,7 @@ interface(`xserver_restricted_role',`
dev_rw_usbfs($2)
 
miscfiles_read_fonts($2)
+   miscfiles_watch_fonts_dirs($2)
 
xserver_common_x_domain_template(user, $2)  #selint-disable:S-004
xserver_domtrans($2)
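Review bot: `miscfiles_watch_fonts_dirs($2)` is called here, but the only interface this commit adds to miscfiles.if is `miscfiles_watch_public_dirs`, whose 18-line hunk accounts for the whole diffstat entry for that file; the fonts interface therefore has to already exist in the tree for the module to build — confirm, since the fonts_t denial in the commit message is what this line addresses.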
@@ -186,10 +187,13 @@ interface(`xserver_role',`
optional_policy(`
xdg_manage_all_cache($2)
xdg_relabel_all_cache($2)
+   xdg_watch_all_cache_dirs($2)
xdg_manage_all_config($2)
xdg_relabel_all_config($2)
+   xdg_watch_all_config_dirs($2)
xdg_manage_all_data($2)
xdg_relabel_all_data($2)
+   xdg_watch_all_data_dirs($2)
 
xdg_generic_user_home_dir_filetrans_cache($2, dir, ".cache")
xdg_generic_user_home_dir_filetrans_config($2, dir, ".config")
@@ -203,14 +207,19 @@ interface(`xserver_role',`
 
xdg_manage_documents($2)
xdg_relabel_documents($2)
+   xdg_watch_documents_dirs($2)
xdg_manage_downloads($2)
xdg_relabel_downloads($2)
+   xdg_watch_downloads_dirs($2)
xdg_manage_music($2)
xdg_relabel_music($2)
+   xdg_watch_music_dirs($2)
xdg_manage_pictures($2)
xdg_relabel_pictures($2)
+   xdg_watch_pictures_dirs($2)
xdg_manage_videos($2)
xdg_relabel_videos($2)
+   xdg_watch_videos_dirs($2)
 
xdg_cache_filetrans($2, mesa_shader_cache_t, dir, 
"mesa_shader_cache")
')
@@ -508,7 +517,7 @@ interface(`xserver_use_user_fonts',`
')
 
# Read per user fonts
-   allow $1 user_fonts_t:dir list_dir_perms;
+   allow $1 user_fonts_t:dir { list_dir_perms watch };
allow $1 user_fonts_t:file { map read_file_perms };
 
# Manipulate the global font cache
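Review bot: The comment `# Read per user fonts` now sits above a rule that also grants `watch` on `user_fonts_t:dir`; update it to `# Read and watch per user fonts` so the comment matches the permission set. The interface `xserver_use_user_fonts` begins outside the hunk.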

diff --git a/policy/modules/system/miscfiles.if 
b/policy/modules/system/miscfiles.if
index a0b13261..751b3579 100644
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
@@ -854,6 +854,24 @@ interface(`miscfiles_manage_public_files',`
manage_lnk_files_pattern($1, public_content_rw_t, public_content_rw_t)
 ')
 
+
+## 
+## Watch public files
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`miscfiles_watch_public_dirs',`
+   gen_require(`
+   type public_content_rw_t;
+   ')
+
+   allow $1 public_content_rw_t:dir watch;
+')
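Review bot: The summary `Watch public files` does not match the rule, which grants `watch` only on `public_content_rw_t:dir` (and the interface is named `_dirs`); change it to `Watch public content directories.` No hunk visible on this page calls the new interface — if it is consumed by the userdomain.if change that is cut off here, fine, otherwise it is unused policy.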
+
 
 ## 
 ## Read TeX data

diff --git a/policy/modules/system/userdomain.if 

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/system/

2020-02-14 Thread Jason Zaman
commit: 568cd7e29f67a9da390dde180ca00331aac01448
Author: Daniel Burgener  tresys  com>
AuthorDate: Fri Jan 31 19:41:28 2020 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Feb 15 07:32:05 2020 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=568cd7e2

Remove unneeded semicolons after interface and macro calls

Signed-off-by: Daniel Burgener  tresys.com>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/services/wireguard.te | 2 +-
 policy/modules/system/systemd.te | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/services/wireguard.te 
b/policy/modules/services/wireguard.te
index 4e6aad64..07c2d71f 100644
--- a/policy/modules/services/wireguard.te
+++ b/policy/modules/services/wireguard.te
@@ -42,7 +42,7 @@ allow wireguard_t self:netlink_route_socket 
r_netlink_socket_perms;
 allow wireguard_t self:udp_socket create_socket_perms;
 allow wireguard_t self:unix_stream_socket create_socket_perms;
 
-manage_files_pattern(wireguard_t, wireguard_etc_t, wireguard_etc_t);
+manage_files_pattern(wireguard_t, wireguard_etc_t, wireguard_etc_t)
 files_read_etc_files(wireguard_t)
 
 manage_files_pattern(wireguard_t, wireguard_runtime_t, wireguard_runtime_t)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index d039e2a1..f55294e3 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -99,7 +99,7 @@ type systemd_hw_exec_t;
 init_system_domain(systemd_hw_t, systemd_hw_exec_t)
 
 type systemd_hwdb_t;
-files_type(systemd_hwdb_t);
+files_type(systemd_hwdb_t)
 
 type systemd_journal_t;
 files_type(systemd_journal_t)



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/system/, policy/modules/kernel/

2019-07-13 Thread Jason Zaman
commit: 8d12e0f32ff8a5776028c854f987b9af4b7adee6
Author: Chris PeBenito  ieee  org>
AuthorDate: Sat Apr 27 14:51:06 2019 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Apr 28 10:00:55 2019 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8d12e0f3

various: Module version bump.

Signed-off-by: Chris PeBenito  ieee.org>
Signed-off-by: Jason Zaman  perfinion.com>

 policy/modules/kernel/devices.te | 2 +-
 policy/modules/kernel/storage.te | 2 +-
 policy/modules/services/apache.te| 2 +-
 policy/modules/services/devicekit.te | 2 +-
 policy/modules/services/tuned.te | 2 +-
 policy/modules/system/init.te| 2 +-
 policy/modules/system/mount.te   | 2 +-
 policy/modules/system/systemd.te | 2 +-
 policy/modules/system/unconfined.te  | 2 +-
 policy/modules/system/userdomain.te  | 2 +-
 10 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index f36fcdc1..a0331212 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,4 +1,4 @@
-policy_module(devices, 1.24.1)
+policy_module(devices, 1.24.2)
 
 
 #

diff --git a/policy/modules/kernel/storage.te b/policy/modules/kernel/storage.te
index c10290c0..8f91eb2d 100644
--- a/policy/modules/kernel/storage.te
+++ b/policy/modules/kernel/storage.te
@@ -1,4 +1,4 @@
-policy_module(storage, 1.16.0)
+policy_module(storage, 1.16.1)
 
 
 #

diff --git a/policy/modules/services/apache.te 
b/policy/modules/services/apache.te
index ea541a9d..ee95b305 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -1,4 +1,4 @@
-policy_module(apache, 2.16.0)
+policy_module(apache, 2.16.1)
 
 
 #

diff --git a/policy/modules/services/devicekit.te 
b/policy/modules/services/devicekit.te
index 7b0226e0..8aadd411 100644
--- a/policy/modules/services/devicekit.te
+++ b/policy/modules/services/devicekit.te
@@ -1,4 +1,4 @@
-policy_module(devicekit, 1.10.0)
+policy_module(devicekit, 1.10.1)
 
 
 #

diff --git a/policy/modules/services/tuned.te b/policy/modules/services/tuned.te
index 349a757b..aafa6be5 100644
--- a/policy/modules/services/tuned.te
+++ b/policy/modules/services/tuned.te
@@ -1,4 +1,4 @@
-policy_module(tuned, 1.5.0)
+policy_module(tuned, 1.5.1)
 
 
 #

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index b3385fed..aca76caa 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 2.6.5)
+policy_module(init, 2.6.6)
 
 gen_require(`
class passwd rootok;

diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 0539abfa..1fbf3e2f 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -1,4 +1,4 @@
-policy_module(mount, 1.20.0)
+policy_module(mount, 1.20.1)
 
 
 #

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index a5ebfdb3..29d5d4fc 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.7.6)
+policy_module(systemd, 1.7.7)
 
 #
 #

diff --git a/policy/modules/system/unconfined.te 
b/policy/modules/system/unconfined.te
index 29ed0217..1ca89af1 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -1,4 +1,4 @@
-policy_module(unconfined, 3.12.0)
+policy_module(unconfined, 3.12.1)
 
 
 #

diff --git a/policy/modules/system/userdomain.te 
b/policy/modules/system/userdomain.te
index e3f0f09b..81d2da73 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,4 +1,4 @@
-policy_module(userdomain, 4.17.0)
+policy_module(userdomain, 4.17.1)
 
 
 #



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/system/

2019-03-26 Thread Jason Zaman
commit: 8eb6fcff84e1c7e037c4b5b18ab36e00283bc4ec
Author: Sugar, David  tresys  com>
AuthorDate: Tue Mar  5 22:33:50 2019 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Mon Mar 25 10:05:25 2019 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8eb6fcff

Update cron use to pam interface

I'm seeing many denials for cron related to faillog_t, lastlog_t
and wtmp_t.  These are all due to the fact cron is using pam (and my
system is configured with pam_faillog).  I have updated cron to use
auth_use_pam interface to grant needed permissions.

Additional change to allow systemd_logind dbus for cron.

I have included many of the denials I'm seeing, but there are probably
others I didn't capture.

type=AVC msg=audit(1551411001.389:1281): avc:  denied  { read write } for  
pid=8807 comm="crond" name="lastlog" dev="dm-14" ino=102 
scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551411001.389:1281): avc:  denied  { open } for  pid=8807 
comm="crond" path="/var/log/lastlog" dev="dm-14" ino=102 
scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1551411001.389:1281): arch=c03e syscall=2 
success=yes exit=3 a0=7f94f608c2ee a1=2 a2=0 a3=75646f6d6d61705f items=1 
ppid=7345 pid=8807 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
fsgid=0 tty=(none) ses=5 comm="crond" exe="/usr/sbin/crond" 
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 key="logins"
type=AVC msg=audit(1551411001.389:1282): avc:  denied  { lock } for  pid=8807 
comm="crond" path="/var/log/lastlog" dev="dm-14" ino=102 
scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1551411001.389:1282): arch=c03e syscall=72 
success=yes exit=0 a0=3 a1=6 a2=7ffc882a83d0 a3=75646f6d6d61705f items=0 
ppid=7345 pid=8807 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
fsgid=0 tty=(none) ses=5 comm="crond" exe="/usr/sbin/crond" 
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1551411001.389:1283): avc:  denied  { write } for  pid=8807 
comm="crond" name="wtmp" dev="dm-14" ino=103 
scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:wtmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551411001.389:1283): avc:  denied  { open } for  pid=8807 
comm="crond" path="/var/log/wtmp" dev="dm-14" ino=103 
scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:wtmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551412201.489:1513): avc:  denied  { getattr } for  
pid=7323 comm="systemd-logind" path="/proc/9183/cgroup" dev="proc" ino=49836 
scontext=system_u:system_r:systemd_logind_t:s0 
tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=file permissive=1
type=AVC msg=audit(1551412201.511:1514): avc:  denied  { read write } for  
pid=9183 comm="crond" name="lastlog" dev="dm-14" ino=102 
scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551412201.511:1514): avc:  denied  { open } for  pid=9183 
comm="crond" path="/var/log/lastlog" dev="dm-14" ino=102 
scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551412201.511:1515): avc:  denied  { lock } for  pid=9183 
comm="crond" path="/var/log/lastlog" dev="dm-14" ino=102 
scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1551412201.511:1515): arch=c03e syscall=72 
success=yes exit=0 a0=3 a1=6 a2=7ffc882a83d0 a3=75646f6d6d61705f items=0 
ppid=7345 pid=9183 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
fsgid=0 tty=(none) ses=7 comm="crond" exe="/usr/sbin/crond" 
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 key=(null)
type=USER_START msg=audit(1551412201.511:1516): pid=9183 uid=0 auid=0 ses=7 
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open 
grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_lastlog 
acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_REFR msg=audit(1551412201.512:1517): pid=9183 uid=0 auid=0 ses=7 
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred 
grantors=pam_env,pam_faillock,pam_unix acct="root" exe="/usr/sbin/crond" 
hostname=? addr=? terminal=cron res=success'
type=CRED_DISP msg=audit(1551412201.524:1521): pid=9183 uid=0 auid=0 ses=7 
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred 
grantors=pam_env,pam_faillock,pam_unix acct="root" exe="/usr/sbin/crond" 
hostname=? addr=? terminal=cron res=success'
type=USER_END msg=audit(1551412201.525:1522): pid=9183 uid=0 auid=0 ses=7 
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/system/

2019-03-26 Thread Jason Zaman
commit: e6836a0e6a7d9845824ea1fd1760896b8c2bf280
Author: Chris PeBenito  ieee  org>
AuthorDate: Sun Mar 24 18:43:35 2019 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Mon Mar 25 10:05:25 2019 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e6836a0e

authlogin, dbus, ntp: Module version bump.

Signed-off-by: Jason Zaman  perfinion.com>

 policy/modules/services/dbus.te| 2 +-
 policy/modules/services/ntp.te | 2 +-
 policy/modules/system/authlogin.te | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index cfe63c4a..b164b75e 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -1,4 +1,4 @@
-policy_module(dbus, 1.26.0)
+policy_module(dbus, 1.26.1)
 
 gen_require(`
class dbus all_dbus_perms;

diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te
index bf8d46a4..c01fe5f1 100644
--- a/policy/modules/services/ntp.te
+++ b/policy/modules/services/ntp.te
@@ -1,4 +1,4 @@
-policy_module(ntp, 1.19.0)
+policy_module(ntp, 1.19.1)
 
 
 #

diff --git a/policy/modules/system/authlogin.te 
b/policy/modules/system/authlogin.te
index d105c58c..525977ac 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -1,4 +1,4 @@
-policy_module(authlogin, 2.14.1)
+policy_module(authlogin, 2.14.2)
 
 
 #



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/system/, policy/modules/admin/, ...

2019-02-09 Thread Jason Zaman
commit: 640ec09767f275cab0dcfecf789a4338bc615b54
Author: Chris PeBenito  ieee  org>
AuthorDate: Fri Feb  1 20:03:42 2019 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Feb 10 04:11:25 2019 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=640ec097

Bump module versions for release.

Signed-off-by: Jason Zaman  perfinion.com>

 policy/modules/admin/apt.te   | 2 +-
 policy/modules/admin/backup.te| 2 +-
 policy/modules/admin/bootloader.te| 2 +-
 policy/modules/admin/dmidecode.te | 2 +-
 policy/modules/admin/dpkg.te  | 2 +-
 policy/modules/admin/logrotate.te | 2 +-
 policy/modules/admin/rpm.te   | 2 +-
 policy/modules/admin/sudo.te  | 2 +-
 policy/modules/admin/usermanage.te| 2 +-
 policy/modules/apps/chromium.te   | 2 +-
 policy/modules/apps/gpg.te| 2 +-
 policy/modules/apps/mozilla.te| 2 +-
 policy/modules/apps/syncthing.te  | 2 +-
 policy/modules/apps/userhelper.te | 2 +-
 policy/modules/kernel/corecommands.te | 2 +-
 policy/modules/kernel/devices.te  | 2 +-
 policy/modules/kernel/domain.te   | 2 +-
 policy/modules/kernel/files.te| 2 +-
 policy/modules/kernel/filesystem.te   | 2 +-
 policy/modules/kernel/kernel.te   | 2 +-
 policy/modules/kernel/mls.te  | 2 +-
 policy/modules/kernel/selinux.te  | 2 +-
 policy/modules/roles/staff.te | 2 +-
 policy/modules/roles/sysadm.te| 2 +-
 policy/modules/roles/unprivuser.te| 2 +-
 policy/modules/services/amavis.te | 2 +-
 policy/modules/services/apache.te | 2 +-
 policy/modules/services/boinc.te  | 2 +-
 policy/modules/services/cgmanager.te  | 2 +-
 policy/modules/services/clamav.te | 2 +-
 policy/modules/services/consolekit.te | 2 +-
 policy/modules/services/cron.te   | 2 +-
 policy/modules/services/dbus.te   | 2 +-
 policy/modules/services/devicekit.te  | 2 +-
 policy/modules/services/dhcp.te   | 2 +-
 policy/modules/services/dictd.te  | 2 +-
 policy/modules/services/dnsmasq.te| 2 +-
 policy/modules/services/dovecot.te| 2 +-
 policy/modules/services/exim.te   | 2 +-
 policy/modules/services/fetchmail.te  | 2 +-
 policy/modules/services/gdomap.te | 2 +-
 policy/modules/services/gpm.te| 2 +-
 policy/modules/services/gssproxy.te   | 2 +-
 policy/modules/services/irqbalance.te | 2 +-
 policy/modules/services/jabber.te | 2 +-
 policy/modules/services/minissdpd.te  | 2 +-
 policy/modules/services/mon.te| 2 +-
 policy/modules/services/mta.te| 2 +-
 policy/modules/services/networkmanager.te | 2 +-
 policy/modules/services/nsd.te| 2 +-
 policy/modules/services/ntp.te| 2 +-
 policy/modules/services/openvpn.te| 2 +-
 policy/modules/services/policykit.te  | 2 +-
 policy/modules/services/postfix.te| 2 +-
 policy/modules/services/postgresql.te | 2 +-
 policy/modules/services/redis.te  | 2 +-
 policy/modules/services/ssh.te| 2 +-
 policy/modules/services/tor.te| 2 +-
 policy/modules/services/xserver.te| 2 +-
 policy/modules/system/authlogin.te| 2 +-
 policy/modules/system/fstools.te  | 2 +-
 policy/modules/system/init.te | 2 +-
 policy/modules/system/ipsec.te| 2 +-
 policy/modules/system/iptables.te | 2 +-
 policy/modules/system/iscsi.te| 2 +-
 policy/modules/system/locallogin.te   | 2 +-
 policy/modules/system/logging.te  | 2 +-
 policy/modules/system/lvm.te  | 2 +-
 policy/modules/system/miscfiles.te| 2 +-
 policy/modules/system/modutils.te | 2 +-
 policy/modules/system/raid.te | 2 +-
 policy/modules/system/selinuxutil.te  | 2 +-
 policy/modules/system/setrans.te  | 2 +-
 policy/modules/system/sysnetwork.te   | 2 +-
 policy/modules/system/systemd.te  | 2 +-
 policy/modules/system/udev.te | 2 +-
 policy/modules/system/unconfined.te   | 2 +-
 policy/modules/system/userdomain.te   | 2 +-
 78 files changed, 78 insertions(+), 78 deletions(-)

diff --git a/policy/modules/admin/apt.te b/policy/modules/admin/apt.te
index 48a5c54b..33b467ab 100644
--- a/policy/modules/admin/apt.te
+++ b/policy/modules/admin/apt.te
@@ -1,4 +1,4 @@
-policy_module(apt, 1.12.2)
+policy_module(apt, 1.13.0)
 
 
 #

diff --git a/policy/modules/admin/backup.te b/policy/modules/admin/backup.te
index 6ad9d79f..92e84693 100644
--- a/policy/modules/admin/backup.te
+++ b/policy/modules/admin/backup.te
@@ -1,4 +1,4 @@
-policy_module(backup, 1.8.1)
+policy_module(backup, 1.9.0)
 
 
 #

diff --git a/policy/modules/admin/bootloader.te 

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/system/

2019-02-09 Thread Jason Zaman
commit: 1404015272ed6954f662683dfc503bbaac7da319
Author: Russell Coker  coker  com  au>
AuthorDate: Mon Jan 28 08:48:40 2019 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Feb 10 04:11:25 2019 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=14040152

yet another little patch

This should all be obvious.

Signed-off-by: Jason Zaman  perfinion.com>

 policy/modules/services/devicekit.te | 2 ++
 policy/modules/system/lvm.te | 1 +
 policy/modules/system/sysnetwork.te  | 1 +
 3 files changed, 4 insertions(+)

diff --git a/policy/modules/services/devicekit.te 
b/policy/modules/services/devicekit.te
index ca9de7cc..941880ef 100644
--- a/policy/modules/services/devicekit.te
+++ b/policy/modules/services/devicekit.te
@@ -91,6 +91,7 @@ files_pid_filetrans(devicekit_disk_t, devicekit_var_run_t, { 
dir file })
 kernel_getattr_message_if(devicekit_disk_t)
 kernel_list_unlabeled(devicekit_disk_t)
 kernel_dontaudit_getattr_unlabeled_files(devicekit_disk_t)
+kernel_read_crypto_sysctls(devicekit_disk_t)
 kernel_read_fs_sysctls(devicekit_disk_t)
 kernel_read_network_state(devicekit_disk_t)
 kernel_read_software_raid_state(devicekit_disk_t)
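Review bot: kernel_read_crypto_sysctls(devicekit_disk_t) is added with no why-comment, and the commit message ("This should all be obvious") cites no AVC or use case, so a later maintainer cannot tell which udisks operation needs /proc/sys/crypto; the same applies to dev_read_rand(devicekit_disk_t) in the next hunk of this file, which grants the blocking /dev/random on top of the existing dev_read_urand. Presumably both serve cryptsetup/LUKS handling by udisks, but that is a guess from the interface names rather than anything in the change. Add a one-line why-comment above each grant, e.g. `# for cryptsetup/LUKS handling -- confirm against the AVC`, or quote the denial in the commit message so the widened access can be audited later.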
@@ -108,6 +109,7 @@ dev_getattr_all_chr_files(devicekit_disk_t)
 dev_getattr_mtrr_dev(devicekit_disk_t)
 dev_getattr_usbfs_dirs(devicekit_disk_t)
 dev_manage_generic_files(devicekit_disk_t)
+dev_read_rand(devicekit_disk_t)
 dev_read_urand(devicekit_disk_t)
 dev_rw_sysfs(devicekit_disk_t)
 

diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index f4999e1b..bff2baa7 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -308,6 +308,7 @@ init_use_fds(lvm_t)
 init_dontaudit_getattr_initctl(lvm_t)
 init_use_script_ptys(lvm_t)
 init_read_script_state(lvm_t)
+init_read_script_tmp_files(lvm_t)
 # for systemd-cryptsetup to talk to /run/systemd/journal/socket
 init_stream_connect(lvm_t)
 

diff --git a/policy/modules/system/sysnetwork.te 
b/policy/modules/system/sysnetwork.te
index 08f62ccd..ece5a301 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -375,6 +375,7 @@ ifdef(`hide_broken_symptoms',`
 
 optional_policy(`
devicekit_read_pid_files(ifconfig_t)
+   devicekit_append_inherited_log_files(ifconfig_t)
 ')
 
 optional_policy(`



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/system/

2018-12-09 Thread Jason Zaman
commit: f26f88c6f2ab91ff413ba052b12e111d34b5ed32
Author: Chris PeBenito  ieee  org>
AuthorDate: Sun Nov 18 00:02:54 2018 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Nov 18 10:56:47 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f26f88c6

cron, minissdpd, ntp, systemd: Module version bump.

Signed-off-by: Jason Zaman  perfinion.com>

 policy/modules/services/cron.te  | 2 +-
 policy/modules/services/minissdpd.te | 2 +-
 policy/modules/services/ntp.te   | 2 +-
 policy/modules/system/systemd.te | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index 2143e40c..ab1d35a2 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -1,4 +1,4 @@
-policy_module(cron, 2.14.0)
+policy_module(cron, 2.14.1)
 
 gen_require(`
class passwd rootok;

diff --git a/policy/modules/services/minissdpd.te 
b/policy/modules/services/minissdpd.te
index 65b1aed3..6dfa0087 100644
--- a/policy/modules/services/minissdpd.te
+++ b/policy/modules/services/minissdpd.te
@@ -1,4 +1,4 @@
-policy_module(minissdpd, 1.4.0)
+policy_module(minissdpd, 1.4.1)
 
 
 #

diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te
index 29fb6b7e..7003693e 100644
--- a/policy/modules/services/ntp.te
+++ b/policy/modules/services/ntp.te
@@ -1,4 +1,4 @@
-policy_module(ntp, 1.18.1)
+policy_module(ntp, 1.18.2)
 
 
 #

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index e9b74257..41448713 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.6.1)
+policy_module(systemd, 1.6.2)
 
 #
 #



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/system/

2017-12-12 Thread Jason Zaman
commit: ea5074af003a258b531cf3e84460cc456aca29e8
Author: Chris PeBenito  ieee  org>
AuthorDate: Fri Dec  8 00:02:02 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Tue Dec 12 07:06:27 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ea5074af

xserver, sysnetwork, systemd: Module version bump.

 policy/modules/services/xserver.te  | 2 +-
 policy/modules/system/sysnetwork.te | 2 +-
 policy/modules/system/systemd.te| 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/policy/modules/services/xserver.te 
b/policy/modules/services/xserver.te
index b512fbe7..5936018f 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,4 +1,4 @@
-policy_module(xserver, 3.14.5)
+policy_module(xserver, 3.14.6)
 
 gen_require(`
class x_drawable all_x_drawable_perms;

diff --git a/policy/modules/system/sysnetwork.te 
b/policy/modules/system/sysnetwork.te
index 1fec9b9b..e45a6a5d 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -1,4 +1,4 @@
-policy_module(sysnetwork, 1.21.2)
+policy_module(sysnetwork, 1.21.3)
 
 
 #

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 9a65b8f6..9ab85680 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.4.6)
+policy_module(systemd, 1.4.7)
 
 #
 #



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/system/

2017-11-17 Thread Jason Zaman
commit: 4f2ec64bdbdbe5450ab7b678a7afa077f0947255
Author: Chris PeBenito  ieee  org>
AuthorDate: Tue Nov 14 23:33:06 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Wed Nov 15 01:11:22 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4f2ec64b

Module version bumps.

 policy/modules/services/xserver.te | 2 +-
 policy/modules/system/libraries.te | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/services/xserver.te 
b/policy/modules/services/xserver.te
index 7e5a97d3..673fe37c 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,4 +1,4 @@
-policy_module(xserver, 3.14.3)
+policy_module(xserver, 3.14.4)
 
 gen_require(`
class x_drawable all_x_drawable_perms;

diff --git a/policy/modules/system/libraries.te 
b/policy/modules/system/libraries.te
index a24c6796..c6ece55a 100644
--- a/policy/modules/system/libraries.te
+++ b/policy/modules/system/libraries.te
@@ -1,4 +1,4 @@
-policy_module(libraries, 2.15.1)
+policy_module(libraries, 2.15.2)
 
 
 #



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/system/, policy/modules/kernel/

2017-02-20 Thread Jason Zaman
commit: 8a23415215dd0c7be0bf930e02410d9950fe647f
Author: Chris PeBenito  ieee  org>
AuthorDate: Sat Feb 18 14:39:01 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Tue Feb 21 06:52:46 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8a234152

Little misc patches from Russell Coker.

 policy/modules/kernel/files.te   |  3 ++-
 policy/modules/services/xserver.if   | 20 
 policy/modules/services/xserver.te   |  2 +-
 policy/modules/system/init.fc|  2 +-
 policy/modules/system/init.te| 14 +-
 policy/modules/system/logging.te | 14 +-
 policy/modules/system/lvm.te |  4 +++-
 policy/modules/system/selinuxutil.te | 14 +-
 policy/modules/system/sysnetwork.te  | 14 +-
 policy/modules/system/udev.te|  3 ++-
 10 files changed, 65 insertions(+), 25 deletions(-)

diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 625768e2..9b06ff6e 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -1,4 +1,4 @@
-policy_module(files, 1.23.2)
+policy_module(files, 1.23.3)
 
 
 #
@@ -11,6 +11,7 @@ attribute lockfile;
 attribute mountpoint;
 attribute pidfile;
 attribute configfile;
+attribute spoolfile;
 
 # For labeling types that are to be polyinstantiated
 attribute polydir;
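Review bot: `attribute spoolfile;` is declared but nothing in this commit uses it: the diffstat lists no files.if change, so no interface assigns types to the attribute and no rule is keyed on it, which leaves a dead attribute in the kernel layer. If it is preparatory for a later spool patch, say so above the declaration, e.g. `# for spool file types; assigned via files.if (pending)`, and mention it in the commit message; otherwise the interface that assigns the attribute belongs in the same change. The neighbouring attributes carry no comment either, but a new one whose purpose is not yet visible in the policy should.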

diff --git a/policy/modules/services/xserver.if 
b/policy/modules/services/xserver.if
index f0761c9b..7af0ab6a 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -934,6 +934,26 @@ interface(`xserver_create_xdm_tmp_sockets',`
 
 
 ## 
+## Delete a named socket in a XDM
+## temporary directory.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`xserver_delete_xdm_tmp_sockets',`
+   gen_require(`
+   type xdm_tmp_t;
+   ')
+
+   files_search_tmp($1)
+   delete_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
+')
+
+
+## 
 ## Read XDM pid files.
 ## 
 ## 

diff --git a/policy/modules/services/xserver.te 
b/policy/modules/services/xserver.te
index 68014747..71786c59 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,4 +1,4 @@
-policy_module(xserver, 3.13.1)
+policy_module(xserver, 3.13.2)
 
 gen_require(`
class x_drawable all_x_drawable_perms;

diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
index 1fb15ae0..fe085d15 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -23,6 +23,7 @@ ifdef(`distro_gentoo',`
 # /usr
 #
 /usr/bin/sepg_ctl  --  gen_context(system_u:object_r:initrc_exec_t,s0)
+/usr/bin/systemd   --  gen_context(system_u:object_r:init_exec_t,s0)
 
 /usr/lib/systemd/systemd --gen_context(system_u:object_r:init_exec_t,s0)
 /usr/lib/systemd/system-preset(/.*)? 
gen_context(system_u:object_r:systemd_unit_t,s0)
@@ -34,7 +35,6 @@ ifdef(`distro_gentoo', `
 /usr/lib/rc/init\.d(/.*)?  
gen_context(system_u:object_r:initrc_state_t,s0)
 ')
 
-
 /usr/libexec/dcc/start-.* --   gen_context(system_u:object_r:initrc_exec_t,s0)
 /usr/libexec/dcc/stop-.* --gen_context(system_u:object_r:initrc_exec_t,s0)
 

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 03aaae53..cad90ba5 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 2.2.2)
+policy_module(init, 2.2.3)
 
 gen_require(`
class passwd rootok;
@@ -307,7 +307,9 @@ ifdef(`init_systemd',`
',`
# Run the shell in the sysadm role for single-user mode.
# causes problems with upstart
-   sysadm_shell_domtrans(init_t)
+   ifndef(`distro_debian',`
+   sysadm_shell_domtrans(init_t)
+   ')
')
 ')
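Review bot: The new ifndef(`distro_debian') guard around sysadm_shell_domtrans(init_t) is not explained; the existing comment above it only says the transition "causes problems with upstart", which is not a Debian-specific reason, so a reader cannot tell whether the single-user shell must stay in init_t on Debian or whether the transition merely misbehaves with Debian's sysvinit. Add one line above the guard, e.g. `# Debian: keep the single-user shell in init_t (reason TBD -- fill in)`, stating the actual cause. Moving the modutils_* calls into optional_policy in the later hunks of this file is fine and needs no further comment.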
 
@@ -561,9 +563,6 @@ miscfiles_read_localization(initrc_t)
 # slapd needs to read cert files from its initscript
 miscfiles_read_generic_certs(initrc_t)
 
-modutils_read_module_config(initrc_t)
-modutils_domtrans_insmod(initrc_t)
-
 seutil_read_config(initrc_t)
 
 userdom_read_user_home_content_files(initrc_t)
@@ -953,6 +952,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+   modutils_read_module_config(initrc_t)
+   modutils_domtrans_insmod(initrc_t)
+')
+
+optional_policy(`
mta_read_config(initrc_t)
mta_dontaudit_read_spool_symlinks(initrc_t)
 ')

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 94be02e5..10d2fc9f 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -1,4 +1,4 @@
-policy_module(logging, 1.25.1)
+policy_module(logging, 1.25.2)
 
 
 #
@@ -124,8 +124,6 @@ term_use_all_terms(auditctl_t)
 
 

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/system/

2017-01-13 Thread Sven Vermeulen
commit: 4d0eb1e88ae6044142059e8c0b49867642348047
Author: Chris PeBenito  ieee  org>
AuthorDate: Wed Jan  4 00:35:56 2017 +
Commit: Sven Vermeulen  gentoo  org>
CommitDate: Fri Jan 13 18:38:56 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4d0eb1e8

Module version bump for patches from Guido Trentalancia.

 policy/modules/services/xserver.te | 2 +-
 policy/modules/system/init.te  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/services/xserver.te 
b/policy/modules/services/xserver.te
index 2df9a3e..cef33cb 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,4 +1,4 @@
-policy_module(xserver, 3.12.8)
+policy_module(xserver, 3.12.9)
 
 gen_require(`
class x_drawable all_x_drawable_perms;

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index ce6f2f9..a47a4eb 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 2.1.2)
+policy_module(init, 2.1.3)
 
 gen_require(`
class passwd rootok;



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/system/, policy/modules/roles/

2016-12-07 Thread Jason Zaman
commit: 5db0ccde4d2b0d31c480987517c14e44690f480c
Author: Chris PeBenito  ieee  org>
AuthorDate: Wed Dec  7 01:19:18 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu Dec  8 04:45:02 2016 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5db0ccde

Module version bumps for openoffice patches from Guido Trentalancia.

 policy/modules/roles/staff.te   | 2 +-
 policy/modules/roles/sysadm.te  | 2 +-
 policy/modules/roles/unprivuser.te  | 2 +-
 policy/modules/services/xserver.te  | 2 +-
 policy/modules/system/libraries.te  | 2 +-
 policy/modules/system/unconfined.te | 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 67ca253..981e5ea 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -1,4 +1,4 @@
-policy_module(staff, 2.7.0)
+policy_module(staff, 2.7.1)
 
 
 #

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 2071dbc..9490194 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -1,4 +1,4 @@
-policy_module(sysadm, 2.10.0)
+policy_module(sysadm, 2.10.1)
 
 
 #

diff --git a/policy/modules/roles/unprivuser.te 
b/policy/modules/roles/unprivuser.te
index 768dc1a..1400ea4 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -1,4 +1,4 @@
-policy_module(unprivuser, 2.7.0)
+policy_module(unprivuser, 2.7.1)
 
 # this module should be named user, but that is
 # a compile error since user is a keyword.

diff --git a/policy/modules/services/xserver.te 
b/policy/modules/services/xserver.te
index 9898817..92edfc0 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,4 +1,4 @@
-policy_module(xserver, 3.12.2)
+policy_module(xserver, 3.12.3)
 
 gen_require(`
class x_drawable all_x_drawable_perms;

diff --git a/policy/modules/system/libraries.te 
b/policy/modules/system/libraries.te
index 5eac8c0..5151fd7 100644
--- a/policy/modules/system/libraries.te
+++ b/policy/modules/system/libraries.te
@@ -1,4 +1,4 @@
-policy_module(libraries, 2.13.0)
+policy_module(libraries, 2.13.1)
 
 
 #

diff --git a/policy/modules/system/unconfined.te 
b/policy/modules/system/unconfined.te
index a902e7c..7e942fc 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -1,4 +1,4 @@
-policy_module(unconfined, 3.8.0)
+policy_module(unconfined, 3.8.1)
 
 
 #



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/system/

2016-08-17 Thread Jason Zaman
commit: 25f1cbbdaedcf74f0b7af03fea89063e4e401c0f
Author: Chris PeBenito  ieee  org>
AuthorDate: Sun Aug 14 18:34:19 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Wed Aug 17 16:22:44 2016 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=25f1cbbd

Update alsa module use from Guido Trentalancia.

 policy/modules/services/xserver.fc  | 1 +
 policy/modules/services/xserver.te  | 4 
 policy/modules/system/init.te   | 2 +-
 policy/modules/system/udev.te   | 2 +-
 policy/modules/system/userdomain.if | 4 ++--
 5 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/policy/modules/services/xserver.fc 
b/policy/modules/services/xserver.fc
index a531dba..4cbba44 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -75,6 +75,7 @@ HOME_DIR/\.Xauthority.*   --  
gen_context(system_u:object_r:xauth_home_t,s0)
 /usr/lib/xorg/Xorg\.wrap   --  
gen_context(system_u:object_r:xserver_exec_t,s0)
 /usr/lib/xorg-server/Xorg  --  
gen_context(system_u:object_r:xserver_exec_t,s0)
 /usr/lib/xorg-server/Xorg\.wrap--  
gen_context(system_u:object_r:xserver_exec_t,s0)
+/usr/lib/X11/xdm/Xsession  --  
gen_context(system_u:object_r:xsession_exec_t,s0)
 
 /usr/sbin/lightdm  --  gen_context(system_u:object_r:xdm_exec_t,s0)
 

diff --git a/policy/modules/services/xserver.te 
b/policy/modules/services/xserver.te
index ca4be69..4f9826c 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -507,6 +507,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+   colord_dbus_chat(xdm_t)
+')
+
+optional_policy(`
consolekit_dbus_chat(xdm_t)
 ')
 
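Review bot: colord_dbus_chat(xdm_t) is unrelated to the commit's stated purpose ("Update alsa module use") and is not mentioned in the description, so the widened D-Bus access for the display manager would be easy to miss when auditing this change. Either split it into its own commit or add a sentence to the description and a why-comment above the call, e.g. `# xdm talks to colord over D-Bus for display colour profiles -- confirm`. The alsa interface renames in the other files of this commit are consistent and need no note.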

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 0d4f74a..f646a93 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -697,7 +697,7 @@ ifdef(`distro_redhat',`
miscfiles_read_hwdata(initrc_t)
 
optional_policy(`
-   alsa_manage_rw_config(initrc_t)
+   alsa_manage_config(initrc_t)
')
 
optional_policy(`

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index a7e918b..cc724ea 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -234,7 +234,7 @@ ifdef(`init_systemd',`
 optional_policy(`
alsa_domtrans(udev_t)
alsa_read_lib(udev_t)
-   alsa_read_rw_config(udev_t)
+   alsa_read_config(udev_t)
 ')
 
 optional_policy(`

diff --git a/policy/modules/system/userdomain.if 
b/policy/modules/system/userdomain.if
index f0b4778..534a249 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -603,7 +603,7 @@ template(`userdom_common_user_template',`
optional_policy(`
alsa_home_filetrans_alsa_home($1_t, file, ".asoundrc")
alsa_manage_home_files($1_t)
-   alsa_read_rw_config($1_t)
+   alsa_read_config($1_t)
alsa_relabel_home_files($1_t)
')
 
@@ -982,7 +982,7 @@ template(`userdom_restricted_xwindows_user_template',`
xserver_restricted_role($1_r, $1_t)
 
optional_policy(`
-   alsa_read_rw_config($1_t)
+   alsa_read_config($1_t)
')
 
optional_policy(`



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/system/

2016-08-17 Thread Jason Zaman
commit: cdcc81664dc918aed249997137cfb8ff026d549d
Author: Chris PeBenito  ieee  org>
AuthorDate: Sun Aug 14 18:58:57 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Wed Aug 17 16:22:44 2016 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cdcc8166

Module version bump for various patches from Guido Trentalancia.

 policy/modules/services/xserver.te  | 2 +-
 policy/modules/system/init.te   | 2 +-
 policy/modules/system/sysnetwork.te | 2 +-
 policy/modules/system/udev.te   | 2 +-
 policy/modules/system/userdomain.te | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/policy/modules/services/xserver.te 
b/policy/modules/services/xserver.te
index 4f9826c..fc19905 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,4 +1,4 @@
-policy_module(xserver, 3.11.2)
+policy_module(xserver, 3.11.3)
 
 gen_require(`
class x_drawable all_x_drawable_perms;

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index f646a93..7b9c61b 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 2.0.3)
+policy_module(init, 2.0.4)
 
 gen_require(`
class passwd rootok;

diff --git a/policy/modules/system/sysnetwork.te 
b/policy/modules/system/sysnetwork.te
index 2258f90..3d49015 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -1,4 +1,4 @@
-policy_module(sysnetwork, 1.18.0)
+policy_module(sysnetwork, 1.18.1)
 
 
 #

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index cc724ea..fea0b51 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -1,4 +1,4 @@
-policy_module(udev, 1.19.0)
+policy_module(udev, 1.19.1)
 
 
 #

diff --git a/policy/modules/system/userdomain.te 
b/policy/modules/system/userdomain.te
index e67afee..b6b6d15 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,4 +1,4 @@
-policy_module(userdomain, 4.11.3)
+policy_module(userdomain, 4.11.4)
 
 
 #



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/system/

2015-05-27 Thread Jason Zaman
commit: fd82f6a7dac4b340b56b14083d4198be6ae0a549
Author: Chris PeBenito cpebenito AT tresys DOT com
AuthorDate: Wed May 27 18:50:45 2015 +
Commit: Jason Zaman perfinion AT gentoo DOT org
CommitDate: Wed May 27 19:00:19 2015 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fd82f6a7

Module version bumps for further init_startstop_service() changes from Jason 
Zaman.

 policy/modules/services/postgresql.te | 2 +-
 policy/modules/system/init.te | 2 +-
 policy/modules/system/logging.te  | 2 +-
 policy/modules/system/selinuxutil.te  | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/policy/modules/services/postgresql.te 
b/policy/modules/services/postgresql.te
index a686088..b4ba0f1 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -1,4 +1,4 @@
-policy_module(postgresql, 1.17.0)
+policy_module(postgresql, 1.17.1)
 
 gen_require(`
class db_database all_db_database_perms;

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 141df45..95db0d0 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 1.22.1)
+policy_module(init, 1.22.2)
 
 gen_require(`
class passwd rootok;

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 003af6a..72b7ff5 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -1,4 +1,4 @@
-policy_module(logging, 1.22.0)
+policy_module(logging, 1.22.1)
 
 
 #

diff --git a/policy/modules/system/selinuxutil.te 
b/policy/modules/system/selinuxutil.te
index 9b70f53..51c64be 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -1,4 +1,4 @@
-policy_module(selinuxutil, 1.19.0)
+policy_module(selinuxutil, 1.19.1)
 
 gen_require(`
bool secure_mode;



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/system/, policy/modules/kernel/, ...

2014-10-12 Thread Sven Vermeulen
commit: 465454fc28242165142d26bacbca592ca0565849
Author: Chris PeBenito cpebenito AT tresys DOT com
AuthorDate: Wed Sep 24 17:10:37 2014 +
Commit: Sven Vermeulen swift AT gentoo DOT org
CommitDate: Sun Oct 12 08:24:27 2014 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=465454fc

Drop RHEL4 and RHEL5 support.

---
 Makefile   |  5 
 README |  7 +++--
 Rules.monolithic   |  7 -
 policy/modules/admin/su.if | 54 --
 policy/modules/kernel/kernel.if| 16 ---
 policy/modules/kernel/selinux.if   | 20 --
 policy/modules/kernel/selinux.te   | 10 ---
 policy/modules/services/xserver.te |  8 --
 policy/modules/system/init.if  | 24 -
 9 files changed, 3 insertions(+), 148 deletions(-)

diff --git a/Makefile b/Makefile
index 70b213a..09fae9d 100644
--- a/Makefile
+++ b/Makefile
@@ -188,11 +188,6 @@ ifneq ($(DISTRO),)
M4PARAM += -D distro_$(DISTRO)
 endif
 
-# rhel4 also implies redhat
-ifeq $(DISTRO) rhel4
-   M4PARAM += -D distro_redhat
-endif
-
 ifeq $(DISTRO) ubuntu
M4PARAM += -D distro_debian
 endif

diff --git a/README b/README
index a3e8082..9a97ecf 100644
--- a/README
+++ b/README
@@ -95,10 +95,9 @@ NAME String (optional).  Sets the name of 
the policy; the
set, the policy type (TYPE) is used.
 
 DISTRO String (optional).  Enable distribution-specific policy.
-   Available options are redhat, rhel4, gentoo, debian,
-   and suse.  This option controls distro_redhat,
-   distro_rhel4, distro_gentoo, distro_debian, and
-   distro_suse policy blocks.
+   Available options are redhat, gentoo, and debian.
+   This option controls distro_redhat, distro_gentoo, and
+   distro_debian build option policy blocks.
 
 MONOLITHIC Boolean.  If set, a monolithic policy is built,
otherwise a modular policy is built.

diff --git a/Rules.monolithic b/Rules.monolithic
index 6505550..d2de916 100644
--- a/Rules.monolithic
+++ b/Rules.monolithic
@@ -195,13 +195,6 @@ $(fcpath): $(fc) $(loadpath) $(userpath)/system.users
$(verbose) $(INSTALL) -m 0644 $(fc) $(fcpath)
$(verbose) $(INSTALL) -m 0644 $(homedir_template) $(homedirpath)
$(verbose) $(UMASK) 022 ; $(genhomedircon) -d $(topdir) -t $(NAME) 
$(USEPWD)
-ifeq $(DISTRO) rhel4
-# Setfiles in RHEL4 does not look at file_contexts.homedirs.
-   $(verbose) cat $@.homedirs  $@
-# Delete the file_contexts.homedirs in case the toolchain has
-# been updated, to prevent duplicate match errors.
-   $(verbose) rm -f $@.homedirs
-endif
 
 
 #

diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
index 5437f9c..aea8a4f 100644
--- a/policy/modules/admin/su.if
+++ b/policy/modules/admin/su.if
@@ -100,25 +100,6 @@ template(`su_restricted_domain_template', `
')
')
 
-   ifdef(`distro_rhel4',`
-   domain_role_change_exemption($1_su_t)
-   domain_subj_id_change_exemption($1_su_t)
-   domain_obj_id_change_exemption($1_su_t)
-
-   selinux_get_fs_mount($1_su_t)
-   selinux_validate_context($1_su_t)
-   selinux_compute_access_vector($1_su_t)
-   selinux_compute_create_context($1_su_t)
-   selinux_compute_relabel_context($1_su_t)
-   selinux_compute_user_contexts($1_su_t)
-
-   seutil_read_config($1_su_t)
-   seutil_read_default_contexts($1_su_t)
-
-   # Only allow transitions to unprivileged user domains.
-   userdom_spec_domtrans_unpriv_users($1_su_t)
-   ')
-
ifdef(`hide_broken_symptoms',`
# dontaudit leaked sockets from parent
dontaudit $1_su_t $2:socket_class_set { read write };
@@ -246,41 +227,6 @@ template(`su_role_template',`
')
')
 
-   ifdef(`distro_rhel4',`
-   domain_role_change_exemption($1_su_t)
-   domain_subj_id_change_exemption($1_su_t)
-   domain_obj_id_change_exemption($1_su_t)
-
-   selinux_get_fs_mount($1_su_t)
-   selinux_validate_context($1_su_t)
-   selinux_compute_create_context($1_su_t)
-   selinux_compute_relabel_context($1_su_t)
-   selinux_compute_user_contexts($1_su_t)
-
-   # Relabel ttys and ptys.
-   term_relabel_all_ttys($1_su_t)
-   term_relabel_all_ptys($1_su_t)
-   # Close and re-open ttys and ptys to get the fd into the 
correct domain.
-   term_use_all_ttys($1_su_t)
-   

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/system/

2014-06-30 Thread Sven Vermeulen
commit: 2674c787163e1e862c60468ca753b1f60230499b
Author: Sven Vermeulen sven.vermeulen AT siphos DOT be
AuthorDate: Wed Jun 25 19:53:02 2014 +
Commit: Sven Vermeulen swift AT gentoo DOT org
CommitDate: Mon Jun 30 18:58:07 2014 +
URL:
http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=2674c787

Use init_daemon_pid_file instead of init_daemon_run_dir

Update non-contrib modules to use init_daemon_pid_file instead of
init_daemon_run_dir.

Signed-off-by: Sven Vermeulen sven.vermeulen AT siphos.be

---
 policy/modules/services/postgresql.te | 2 +-
 policy/modules/services/ssh.te| 2 +-
 policy/modules/system/setrans.te  | 2 +-
 policy/modules/system/sysnetwork.te   | 2 +-
 policy/modules/system/udev.te | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/policy/modules/services/postgresql.te 
b/policy/modules/services/postgresql.te
index c771377..c38bb46 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -63,7 +63,7 @@ files_tmp_file(postgresql_tmp_t)
 
 type postgresql_var_run_t;
 files_pid_file(postgresql_var_run_t)
-init_daemon_run_dir(postgresql_var_run_t, postgresql)
+init_daemon_pid_file(postgresql_var_run_t, dir, postgresql)
 
 # database clients attribute
 attribute sepgsql_admin_type;

diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 536a2d9..43b9cc1 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -85,7 +85,7 @@ type sshd_keytab_t;
 files_type(sshd_keytab_t)
 
 ifdef(`distro_debian',`
-   init_daemon_run_dir(sshd_var_run_t, sshd)
+   init_daemon_pid_file(sshd_var_run_t, dir, sshd)
 ')
 
 ##

diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
index a840e70..057456c 100644
--- a/policy/modules/system/setrans.te
+++ b/policy/modules/system/setrans.te
@@ -21,7 +21,7 @@ files_pid_file(setrans_var_run_t)
 mls_trusted_object(setrans_var_run_t)
 
 ifdef(`distro_debian',`
-   init_daemon_run_dir(setrans_var_run_t, setrans)
+   init_daemon_pid_file(setrans_var_run_t, dir, setrans)
 ')
 
 ifdef(`enable_mcs',`

diff --git a/policy/modules/system/sysnetwork.te 
b/policy/modules/system/sysnetwork.te
index 945ffb5..35372f6 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -40,7 +40,7 @@ type net_conf_t alias resolv_conf_t;
 files_type(net_conf_t)
 
 ifdef(`distro_debian',`
-   init_daemon_run_dir(net_conf_t, network)
+   init_daemon_pid_file(net_conf_t, dir, network)
 ')
 
 

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 95de10c..246f006 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -25,7 +25,7 @@ files_type(udev_rules_t)
 
 type udev_var_run_t;
 files_pid_file(udev_var_run_t)
-init_daemon_run_dir(udev_var_run_t, udev)
+init_daemon_pid_file(udev_var_run_t, dir, udev)
 
 ifdef(`enable_mcs',`
kernel_ranged_domtrans_to(udev_t, udev_exec_t, s0 - mcs_systemhigh)



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/system/

2014-06-30 Thread Sven Vermeulen
commit: 0744c90f57350d1f958e93bc341c5b9461fbd30c
Author: Chris PeBenito cpebenito AT tresys DOT com
AuthorDate: Mon Jun 30 18:34:51 2014 +
Commit: Sven Vermeulen swift AT gentoo DOT org
CommitDate: Mon Jun 30 18:58:50 2014 +
URL:
http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=0744c90f

Module version bump for init_daemon_pid_file from Sven Vermeulen.

---
 policy/modules/services/postgresql.te | 2 +-
 policy/modules/services/ssh.te| 2 +-
 policy/modules/system/init.te | 2 +-
 policy/modules/system/setrans.te  | 2 +-
 policy/modules/system/sysnetwork.te   | 2 +-
 policy/modules/system/udev.te | 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/policy/modules/services/postgresql.te 
b/policy/modules/services/postgresql.te
index c38bb46..87cf69d 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -1,4 +1,4 @@
-policy_module(postgresql, 1.16.1)
+policy_module(postgresql, 1.16.2)
 
 gen_require(`
class db_database all_db_database_perms;

diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 43b9cc1..c5f585f 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -1,4 +1,4 @@
-policy_module(ssh, 2.5.0)
+policy_module(ssh, 2.5.1)
 
 
 #

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 4bee18e..b73bd23 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 1.21.2)
+policy_module(init, 1.21.3)
 
 gen_require(`
class passwd rootok;

diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
index 057456c..05690b3 100644
--- a/policy/modules/system/setrans.te
+++ b/policy/modules/system/setrans.te
@@ -1,4 +1,4 @@
-policy_module(setrans, 1.9.1)
+policy_module(setrans, 1.9.2)
 
 gen_require(`
class context contains;

diff --git a/policy/modules/system/sysnetwork.te 
b/policy/modules/system/sysnetwork.te
index 35372f6..35ca66f 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -1,4 +1,4 @@
-policy_module(sysnetwork, 1.16.1)
+policy_module(sysnetwork, 1.16.2)
 
 
 #

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 246f006..83a8b11 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -1,4 +1,4 @@
-policy_module(udev, 1.17.2)
+policy_module(udev, 1.17.3)
 
 
 #



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/system/

2014-06-10 Thread Sven Vermeulen
commit: 68f5cc14f8f24288659272c3cd766bc0497b81aa
Author: Chris PeBenito cpebenito AT tresys DOT com
AuthorDate: Mon Jun  9 12:21:33 2014 +
Commit: Sven Vermeulen swift AT gentoo DOT org
CommitDate: Tue Jun 10 18:14:30 2014 +
URL:
http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=68f5cc14

Module version bump for shutdown transitions from Luis Ressel.

---
 policy/modules/services/xserver.te | 2 +-
 policy/modules/system/init.te  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/services/xserver.te 
b/policy/modules/services/xserver.te
index a3aa4bc..f2cc9b3 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,4 +1,4 @@
-policy_module(xserver, 3.10.2)
+policy_module(xserver, 3.10.3)
 
 gen_require(`
class x_drawable all_x_drawable_perms;

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 2deb7e5..355892a 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 1.21.1)
+policy_module(init, 1.21.2)
 
 gen_require(`
class passwd rootok;



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/system/, policy/modules/kernel/, ...

2014-03-17 Thread Sven Vermeulen
commit: 13f83f0575fad09b7904fa68baad76389d8f6d16
Author: Chris PeBenito cpebenito AT tresys DOT com
AuthorDate: Tue Mar 11 12:16:57 2014 +
Commit: Sven Vermeulen swift AT gentoo DOT org
CommitDate: Mon Mar 17 08:19:06 2014 +
URL:
http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=13f83f05

Bump module versions for release.

---
 policy/modules/admin/bootloader.te  | 2 +-
 policy/modules/admin/dmesg.te   | 2 +-
 policy/modules/admin/netutils.te| 2 +-
 policy/modules/admin/usermanage.te  | 2 +-
 policy/modules/kernel/corecommands.te   | 2 +-
 policy/modules/kernel/corenetwork.te.in | 2 +-
 policy/modules/kernel/devices.te| 2 +-
 policy/modules/kernel/files.te  | 2 +-
 policy/modules/kernel/filesystem.te | 2 +-
 policy/modules/kernel/kernel.te | 2 +-
 policy/modules/kernel/selinux.te| 2 +-
 policy/modules/kernel/storage.te| 2 +-
 policy/modules/kernel/terminal.te   | 2 +-
 policy/modules/roles/staff.te   | 2 +-
 policy/modules/roles/sysadm.te  | 2 +-
 policy/modules/roles/unprivuser.te  | 2 +-
 policy/modules/services/ssh.te  | 2 +-
 policy/modules/services/xserver.te  | 2 +-
 policy/modules/system/authlogin.te  | 2 +-
 policy/modules/system/clock.te  | 2 +-
 policy/modules/system/fstools.te| 2 +-
 policy/modules/system/hostname.te   | 2 +-
 policy/modules/system/hotplug.te| 2 +-
 policy/modules/system/init.te   | 2 +-
 policy/modules/system/iptables.te   | 2 +-
 policy/modules/system/libraries.te  | 2 +-
 policy/modules/system/locallogin.te | 2 +-
 policy/modules/system/logging.te| 2 +-
 policy/modules/system/lvm.te| 2 +-
 policy/modules/system/modutils.te   | 2 +-
 policy/modules/system/mount.te  | 2 +-
 policy/modules/system/selinuxutil.te| 2 +-
 policy/modules/system/setrans.te| 2 +-
 policy/modules/system/sysnetwork.te | 2 +-
 policy/modules/system/udev.te   | 2 +-
 policy/modules/system/unconfined.te | 2 +-
 policy/modules/system/userdomain.te | 2 +-
 37 files changed, 37 insertions(+), 37 deletions(-)

diff --git a/policy/modules/admin/bootloader.te 
b/policy/modules/admin/bootloader.te
index 5b21248..4b837a8 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -1,4 +1,4 @@
-policy_module(bootloader, 1.14.2)
+policy_module(bootloader, 1.15.0)
 
 
 #

diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te
index 914a836..ee07743 100644
--- a/policy/modules/admin/dmesg.te
+++ b/policy/modules/admin/dmesg.te
@@ -1,4 +1,4 @@
-policy_module(dmesg, 1.3.1)
+policy_module(dmesg, 1.4.0)
 
 
 #

diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index c44c359..7aa7384 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -1,4 +1,4 @@
-policy_module(netutils, 1.12.1)
+policy_module(netutils, 1.13.0)
 
 
 #

diff --git a/policy/modules/admin/usermanage.te 
b/policy/modules/admin/usermanage.te
index 7bfba16..4855693 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -1,4 +1,4 @@
-policy_module(usermanage, 1.19.1)
+policy_module(usermanage, 1.20.0)
 
 
 #

diff --git a/policy/modules/kernel/corecommands.te 
b/policy/modules/kernel/corecommands.te
index eabf979..3c243cb 100644
--- a/policy/modules/kernel/corecommands.te
+++ b/policy/modules/kernel/corecommands.te
@@ -1,4 +1,4 @@
-policy_module(corecommands, 1.18.3)
+policy_module(corecommands, 1.19.0)
 
 
 #

diff --git a/policy/modules/kernel/corenetwork.te.in 
b/policy/modules/kernel/corenetwork.te.in
index 06ae4dc..fc18a14 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -1,4 +1,4 @@
-policy_module(corenetwork, 1.19.2)
+policy_module(corenetwork, 1.20.0)
 
 
 #

diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index f87ea59..14c178e 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,4 +1,4 @@
-policy_module(devices, 1.15.1)
+policy_module(devices, 1.16.0)
 
 
 #

diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index faaaf51..cdc1801 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -1,4 +1,4 @@
-policy_module(files, 1.18.3)
+policy_module(files, 1.19.0)
 
 
 #

diff --git a/policy/modules/kernel/filesystem.te 
b/policy/modules/kernel/filesystem.te
index e3b00ef..0e09942 100644
--- a/policy/modules/kernel/filesystem.te
+++