[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/apps/, policy/modules/services/, ...
commit: bfdeaa0b370b1e42000599bfc89d6ad4f24a506b Author: Markus Linnala cybercom com> AuthorDate: Wed Jun 30 08:03:44 2021 + Commit: Jason Zaman gentoo org> CommitDate: Sun Sep 5 14:26:44 2021 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=bfdeaa0b policy: interfaces: doc: indent param blocks consistently There is more than 5000 parameter documentations. Only about 300 are differently done. Change them to be consistently indented. param with one space and content inside with one tab This was done with: sed -ri ' /^##[[:space:]]*/{ s/^##[[:space:]]*/##\t/; s/^##[[:space:]]*(<[/]?summary)/##\t\1/; s/^##[[:space:]]*(<[/]?param)/## \1/; }' policy/modules/*/*.if Signed-off-by: Markus Linnala cybercom.com> Signed-off-by: Jason Zaman gentoo.org> policy/modules/admin/blueman.if | 4 +- policy/modules/admin/brctl.if | 4 +- policy/modules/admin/kismet.if| 4 +- policy/modules/admin/ncftool.if | 4 +- policy/modules/admin/puppet.if| 4 +- policy/modules/admin/quota.if | 6 +- policy/modules/admin/shorewall.if | 8 +- policy/modules/admin/shutdown.if | 10 +- policy/modules/admin/sosreport.if | 4 +- policy/modules/apps/chromium.if | 8 +- policy/modules/apps/gitosis.if| 4 +- policy/modules/apps/java.if | 6 +- policy/modules/apps/livecd.if | 4 +- policy/modules/apps/mozilla.if| 8 +- policy/modules/apps/pulseaudio.if | 18 +- policy/modules/apps/screen.if | 6 +- policy/modules/apps/seunshare.if | 4 +- policy/modules/apps/syncthing.if | 12 +- policy/modules/kernel/devices.if | 66 +++--- policy/modules/kernel/domain.if | 8 +- policy/modules/kernel/files.if| 102 policy/modules/kernel/filesystem.if | 54 ++--- policy/modules/kernel/selinux.if | 6 +- policy/modules/roles/sysadm.if| 6 +- policy/modules/services/afs.if| 8 +- policy/modules/services/aisexec.if| 4 +- policy/modules/services/apcupsd.if| 12 +- policy/modules/services/certbot.if| 18 +- policy/modules/services/certmaster.if | 6 +- policy/modules/services/certmonger.if | 4 +- policy/modules/services/cgroup.if | 
12 +- policy/modules/services/cobbler.if| 4 +- policy/modules/services/colord.if | 4 +- policy/modules/services/cron.if | 20 +- policy/modules/services/cyphesis.if | 4 +- policy/modules/services/dbus.if | 4 +- policy/modules/services/ddclient.if | 2 +- policy/modules/services/devicekit.if | 4 +- policy/modules/services/dnsmasq.if| 8 +- policy/modules/services/drbd.if | 4 +- policy/modules/services/exim.if | 12 +- policy/modules/services/fail2ban.if | 8 +- policy/modules/services/firewalld.if | 4 +- policy/modules/services/fprintd.if| 4 +- policy/modules/services/gnomeclock.if | 4 +- policy/modules/services/gpsd.if | 4 +- policy/modules/services/gssproxy.if | 4 +- policy/modules/services/icecast.if| 8 +- policy/modules/services/ifplugd.if| 4 +- policy/modules/services/kerberos.if | 8 +- policy/modules/services/kerneloops.if | 4 +- policy/modules/services/knot.if | 36 +-- policy/modules/services/ksmtuned.if | 4 +- policy/modules/services/lircd.if | 8 +- policy/modules/services/memcached.if | 4 +- policy/modules/services/modemmanager.if | 4 +- policy/modules/services/mon.if| 12 +- policy/modules/services/monit.if | 12 +- policy/modules/services/mta.if| 6 +- policy/modules/services/networkmanager.if | 12 +- policy/modules/services/nslcd.if | 4 +- policy/modules/services/ntp.if| 6 +- policy/modules/services/oddjob.if | 4 +- policy/modules/services/openct.if | 8 +- policy/modules/services/pingd.if | 4 +- policy/modules/services/plymouthd.if | 16 +- policy/modules/services/policykit.if | 12 +- policy/modules/services/postgresql.if | 2 +- policy/modules/services/ppp.if| 8 +- policy/modules/services/rabbitmq.if | 4 +- policy/modules/services/realmd.if | 4 +- policy/modules/services/rpcbind.if| 4 +- policy/modules/services/rsync.if | 8 +- policy/modules/services/rtkit.if | 4 +- policy/modules/services/rwho.if | 4 +- policy/modules/services/sanlock.if| 4 +- policy/modules/services/snort.if | 4 +- policy/modules/services/sssd.if | 6 +- policy/modules/services/tpm2.if | 6 +- 
policy/modules/services/xserver.if
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/apps/, policy/modules/services/, ...
commit: 20b5a7c3306cd2c08c705f87f66caaf705494457 Author: Chris PeBenito ieee org> AuthorDate: Tue Feb 2 18:58:24 2021 + Commit: Jason Zaman gentoo org> CommitDate: Sat Feb 6 21:15:09 2021 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=20b5a7c3 various: Module version bump. Signed-off-by: Chris PeBenito ieee.org> Signed-off-by: Jason Zaman gentoo.org> policy/modules/admin/apt.te | 2 +- policy/modules/admin/bootloader.te | 2 +- policy/modules/admin/logrotate.te | 2 +- policy/modules/apps/games.te| 2 +- policy/modules/apps/mplayer.te | 2 +- policy/modules/services/dbus.te | 2 +- policy/modules/services/ssh.te | 2 +- policy/modules/system/authlogin.te | 2 +- policy/modules/system/locallogin.te | 2 +- policy/modules/system/systemd.te| 4 ++-- 10 files changed, 11 insertions(+), 11 deletions(-) diff --git a/policy/modules/admin/apt.te b/policy/modules/admin/apt.te index 8e5f72b7..e4bfcae7 100644 --- a/policy/modules/admin/apt.te +++ b/policy/modules/admin/apt.te @@ -1,4 +1,4 @@ -policy_module(apt, 1.15.0) +policy_module(apt, 1.15.1) # diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te index cbaf65cd..e2848169 100644 --- a/policy/modules/admin/bootloader.te +++ b/policy/modules/admin/bootloader.te @@ -1,4 +1,4 @@ -policy_module(bootloader, 1.21.1) +policy_module(bootloader, 1.21.2) # diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te index c13f0a73..563237b6 100644 --- a/policy/modules/admin/logrotate.te +++ b/policy/modules/admin/logrotate.te @@ -1,4 +1,4 @@ -policy_module(logrotate, 1.24.0) +policy_module(logrotate, 1.24.1) # diff --git a/policy/modules/apps/games.te b/policy/modules/apps/games.te index c66b382b..59eaf328 100644 --- a/policy/modules/apps/games.te +++ b/policy/modules/apps/games.te @@ -1,4 +1,4 @@ -policy_module(games, 2.7.1) +policy_module(games, 2.7.2) # diff --git a/policy/modules/apps/mplayer.te b/policy/modules/apps/mplayer.te index d885b0b8..c0f38ca8 100644 
--- a/policy/modules/apps/mplayer.te +++ b/policy/modules/apps/mplayer.te @@ -1,4 +1,4 @@ -policy_module(mplayer, 2.10.0) +policy_module(mplayer, 2.10.1) # diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te index cbbbd45b..1f1b33c1 100644 --- a/policy/modules/services/dbus.te +++ b/policy/modules/services/dbus.te @@ -1,4 +1,4 @@ -policy_module(dbus, 1.29.5) +policy_module(dbus, 1.29.6) gen_require(` class dbus all_dbus_perms; diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te index c5749682..21109ae6 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -1,4 +1,4 @@ -policy_module(ssh, 2.14.3) +policy_module(ssh, 2.14.4) # diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te index f5da5048..7fcacf32 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -1,4 +1,4 @@ -policy_module(authlogin, 2.17.6) +policy_module(authlogin, 2.17.7) # diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te index ed004fb8..c55f4c3c 100644 --- a/policy/modules/system/locallogin.te +++ b/policy/modules/system/locallogin.te @@ -1,4 +1,4 @@ -policy_module(locallogin, 1.21.2) +policy_module(locallogin, 1.21.3) # diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index 9ef509dc..abf62148 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -1,4 +1,4 @@ -policy_module(systemd, 1.10.11) +policy_module(systemd, 1.10.12) # # 
@@ -731,7 +731,7 @@ allow systemd_machined_t self:process setfscreate; allow systemd_machined_t self:unix_dgram_socket { connected_socket_perms connect }; term_create_pty(systemd_machined_t, systemd_machined_devpts_t) -allow systemd_machined_t systemd_machined_devpts_t:chr_file manage_file_perms; +allow systemd_machined_t systemd_machined_devpts_t:chr_file manage_chr_file_perms; manage_files_pattern(systemd_machined_t, systemd_machined_runtime_t, systemd_machined_runtime_t) allow systemd_machined_t systemd_machined_runtime_t:lnk_file manage_lnk_file_perms;
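Review bot: The systemd.te hunk at line 731 changes the chr_file rule on systemd_machined_devpts_t from manage_file_perms to manage_chr_file_perms, which is a rule edit rather than the "Module version bump" the commit message describes. If the two permission sets expand to the same permissions in this tree's obj_perm_sets.spt, this is a cosmetic class/perm-set alignment and the message should say so; if they differ, the permissions systemd_machined_t holds on its devpts type change and that needs its own line in the message, e.g. `systemd: use manage_chr_file_perms on the systemd_machined_devpts_t chr_file rule`. Either way the change is easier to audit on its own than folded into a bump across ten modules.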
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/apps/
commit: 82dbbae293b2fe9a7a5f85590ea17dc1916ee529 Author: Dave Sugar tresys com> AuthorDate: Thu Jan 28 22:13:57 2021 + Commit: Jason Zaman gentoo org> CommitDate: Mon Feb 1 01:21:42 2021 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=82dbbae2 Work with xdg module disabled These two cases I see when building on a system without graphical interface. Move userdom_xdg_user_template into optional block gpg module doesn't require a graphical front end, move xdg_read_data_files into optional block Signed-off-by: Dave Sugar tresys.com> Signed-off-by: Jason Zaman gentoo.org> policy/modules/apps/gpg.te | 6 -- policy/modules/system/userdomain.if | 8 +--- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te index cfdb685a..376e1a9f 100644 --- a/policy/modules/apps/gpg.te +++ b/policy/modules/apps/gpg.te @@ -359,8 +359,6 @@ miscfiles_read_localization(gpg_pinentry_t) userdom_use_user_terminals(gpg_pinentry_t) -xdg_read_data_files(gpg_pinentry_t) - tunable_policy(`use_nfs_home_dirs',` fs_read_nfs_files(gpg_pinentry_t) ') @@ -382,6 +380,10 @@ optional_policy(` pulseaudio_run(gpg_pinentry_t, gpg_pinentry_roles) ') +optional_policy(` + xdg_read_data_files(gpg_pinentry_t) +') + optional_policy(` xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t) ') diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index 01135696..e14bdc01 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -1194,9 +1194,6 @@ template(`userdom_unpriv_user_template', ` fs_exec_noxattr($1_t) ') - # Allow users to manage xdg content in their home directories - userdom_xdg_user_template($1) - # Allow users to run TCP servers (bind to ports and accept connection from # the same domain and outside users) disabling this forces FTP passive mode # and may change other protocols 
@@ -1239,6 +1236,11 @@ template(`userdom_unpriv_user_template', ` systemd_write_inherited_logind_inhibit_pipes($1_t) ') + # Allow users to manage xdg content in their home directories + optional_policy(` + userdom_xdg_user_template($1) + ') + # Allow controlling usbguard optional_policy(` tunable_policy(`usbguard_user_modify_rule_files',`
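Review bot: The added optional_policy block in userdom_unpriv_user_template keeps the old comment `# Allow users to manage xdg content in their home directories`, but nothing in the code says why the template call is now optional, so a later cleanup could hoist it back out and reintroduce the build failure on systems without the xdg module. Suggest extending the comment to `# Allow users to manage xdg content in their home directories; optional so the template still builds when the xdg module is not loaded`. The same applies to the new optional_policy around xdg_read_data_files(gpg_pinentry_t) in the gpg.te hunk at -382,6. userdom_unpriv_user_template starts and ends outside this hunk.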
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/apps/, policy/modules/kernel/, ...
commit: 0b43c7867705de4ae377de61aefe59fe43e4486d Author: Jason Zaman gentoo org> AuthorDate: Mon Oct 12 00:58:21 2020 + Commit: Jason Zaman gentoo org> CommitDate: Mon Oct 12 01:57:46 2020 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0b43c786 Fix selint issues Signed-off-by: Jason Zaman gentoo.org> policy/modules/admin/portage.fc | 3 --- policy/modules/admin/puppet.te| 2 +- policy/modules/admin/shorewall.fc | 11 --- policy/modules/apps/java.fc | 5 - policy/modules/apps/mozilla.fc| 1 - policy/modules/contrib/ceph.if| 2 +- policy/modules/contrib/ceph.te| 2 +- policy/modules/contrib/dirsrv.if | 4 ++-- policy/modules/contrib/dirsrv.te | 4 ++-- policy/modules/contrib/dropbox.fc | 4 policy/modules/contrib/dropbox.if | 1 + policy/modules/contrib/gorg.te| 4 ++-- policy/modules/contrib/links.if | 6 +++--- policy/modules/contrib/logsentry.te | 4 ++-- policy/modules/contrib/mutt.if| 4 ++-- policy/modules/contrib/nginx.if | 2 +- policy/modules/contrib/pan.te | 2 +- policy/modules/contrib/resolvconf.fc | 2 -- policy/modules/contrib/skype.if | 8 policy/modules/contrib/uwsgi.if | 4 ++-- policy/modules/contrib/vde.if | 5 ++--- policy/modules/kernel/corecommands.fc | 18 ++ policy/modules/kernel/corenetwork.if.in | 18 ++ policy/modules/kernel/devices.if | 2 +- policy/modules/kernel/files.fc| 5 + policy/modules/services/mysql.fc | 5 - policy/modules/services/networkmanager.if | 2 +- policy/modules/services/postgresql.if | 2 +- policy/modules/services/snmp.if | 4 ++-- policy/modules/system/init.te | 2 +- policy/modules/system/libraries.fc| 6 +- policy/modules/system/logging.if | 2 +- policy/modules/system/modutils.te | 2 +- 33 files changed, 69 insertions(+), 79 deletions(-) diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc index 6a7e4582..5757deaa 100644 --- a/policy/modules/admin/portage.fc +++ b/policy/modules/admin/portage.fc 
@@ -2,7 +2,6 @@ /etc/make\.globals -- gen_context(system_u:object_r:portage_conf_t,s0) /etc/make\.profile -l gen_context(system_u:object_r:portage_conf_t,s0) /etc/portage(/.*)? gen_context(system_u:object_r:portage_conf_t,s0) -/etc/portage/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /etc/portage/gpg(/.*)? gen_context(system_u:object_r:portage_gpg_t,s0) /usr/bin/emerge -- gen_context(system_u:object_r:portage_exec_t,s0) @@ -11,11 +10,9 @@ /usr/bin/layman-- gen_context(system_u:object_r:portage_fetch_exec_t,s0) /usr/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0) -/usr/lib/portage/bin/ebuild-- gen_context(system_u:object_r:bin_t,s0) /usr/lib/portage/bin/emerge-- gen_context(system_u:object_r:portage_exec_t,s0) /usr/lib/portage/bin/emerge-webrsync -- gen_context(system_u:object_r:portage_fetch_exec_t,s0) /usr/lib/portage/bin/quickpkg -- gen_context(system_u:object_r:portage_exec_t,s0) -/usr/lib/portage/bin/ebuild\.sh-- gen_context(system_u:object_r:bin_t,s0) /usr/lib/portage/bin/regenworld-- gen_context(system_u:object_r:portage_exec_t,s0) /usr/lib/portage/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0) diff --git a/policy/modules/admin/puppet.te b/policy/modules/admin/puppet.te index fdb2640b..e0e7127e 100644 --- a/policy/modules/admin/puppet.te +++ b/policy/modules/admin/puppet.te @@ -376,7 +376,7 @@ ifdef(`distro_gentoo',` # So, we duplicate the content of files_relabel_all_files except for # the policy configuration stuff and hope users do that through Portage - gen_require(` + gen_require(` #selint-disable:S-001 attribute file_type; attribute security_file_type; type policy_config_t; diff --git a/policy/modules/admin/shorewall.fc b/policy/modules/admin/shorewall.fc index aae46ecb..b18aab7e 100644 --- a/policy/modules/admin/shorewall.fc +++ b/policy/modules/admin/shorewall.fc 
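Review bot: Dropping the bin_t entries for /etc/portage/bin(/.*)? and for /usr/lib/portage/bin/ebuild and ebuild\.sh in the two portage.fc hunks leaves those paths to whichever more general pattern still matches them; for /etc/portage/bin that is the `/etc/portage(/.*)? gen_context(system_u:object_r:portage_conf_t,s0)` context line kept just above, so the scripts there would be labelled portage_conf_t rather than bin_t unless another .fc now claims them. The diffstat shows corecommands.fc gaining entries in this commit, which presumably takes these paths over, but that hunk is not in this excerpt, so please confirm it covers /etc/portage/bin as well as the /usr/lib/portage/bin files. A line in the commit message naming where the contexts moved would make the relabel consequence auditable.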
@@ -16,14 +16,3 @@ /var/lock/subsys/shorewall -- gen_context(system_u:object_r:shorewall_lock_t,s0) /var/log/shorewall.* gen_context(system_u:object_r:shorewall_log_t,s0) - -ifdef(`distro_gentoo',` -/usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/shorewall/configpath-- gen_context(system_u:object_r:bin_t,s0) -/usr/share/shorewall/getparams -- gen_context(system_u:object_r:bin_t,s0) -/usr/share
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/apps/
commit: 8b99c01c1874036f73b221274066a3fa1526ed60 Author: Chris PeBenito ieee org> AuthorDate: Tue Feb 11 18:13:20 2020 + Commit: Jason Zaman gentoo org> CommitDate: Sat Feb 15 07:32:05 2020 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8b99c01c loadkeys, init, systemd, udev: Module version bump. Signed-off-by: Chris PeBenito ieee.org> Signed-off-by: Jason Zaman gentoo.org> policy/modules/apps/loadkeys.te | 2 +- policy/modules/system/init.te| 2 +- policy/modules/system/systemd.te | 2 +- policy/modules/system/udev.te| 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/policy/modules/apps/loadkeys.te b/policy/modules/apps/loadkeys.te index 57274992..52c41c03 100644 --- a/policy/modules/apps/loadkeys.te +++ b/policy/modules/apps/loadkeys.te @@ -1,4 +1,4 @@ -policy_module(loadkeys, 1.12.0) +policy_module(loadkeys, 1.12.1) # diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index b06e258e..0e56036b 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -1,4 +1,4 @@ -policy_module(init, 2.7.9) +policy_module(init, 2.7.10) gen_require(` class passwd rootok; diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index 3edbc98e..601a994c 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -1,4 +1,4 @@ -policy_module(systemd, 1.8.14) +policy_module(systemd, 1.8.15) # # diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te index 0371da7a..6b3578e9 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -1,4 +1,4 @@ -policy_module(udev, 1.26.5) +policy_module(udev, 1.26.6) #
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/apps/
commit: cbb17a7e783f777c56f806584b008a6db411665f Author: bauen1 gmail com> AuthorDate: Sat Feb 1 20:53:36 2020 + Commit: Jason Zaman gentoo org> CommitDate: Sat Feb 15 07:32:05 2020 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cbb17a7e udev: run consolesetup Signed-off-by: Jason Zaman gentoo.org> policy/modules/apps/loadkeys.te | 6 ++ policy/modules/system/udev.te | 6 ++ 2 files changed, 12 insertions(+) diff --git a/policy/modules/apps/loadkeys.te b/policy/modules/apps/loadkeys.te index 1976e2cb..5c3b18d5 100644 --- a/policy/modules/apps/loadkeys.te +++ b/policy/modules/apps/loadkeys.te @@ -48,6 +48,12 @@ miscfiles_read_localization(loadkeys_t) userdom_use_user_ttys(loadkeys_t) userdom_list_user_home_content(loadkeys_t) +ifdef(`distro_debian',` + optional_policy(` + consolesetup_read_conf(loadkeys_t) + ') +') + optional_policy(` keyboardd_read_pipes(loadkeys_t) ') diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te index 71d98fc8..0371da7a 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -215,6 +215,12 @@ ifdef(`distro_debian',` avahi_setattr_pid_dirs(udev_t) avahi_filetrans_pid(udev_t, dir, "avahi-daemon") ') + + optional_policy(` + consolesetup_exec_conf(udev_t) + consolesetup_manage_runtime(udev_t) + consolesetup_pid_filetrans_runtime(udev_t) + ') ') ifdef(`distro_gentoo',`
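Review bot: The new optional_policy block in udev.te grants udev_t consolesetup_exec_conf, consolesetup_manage_runtime and consolesetup_pid_filetrans_runtime with no comment on why udev needs them; judging by the interface name, consolesetup_exec_conf lets udev_t execute console-setup configuration files in its own domain with no transition, so whatever those files contain runs with udev's privileges, and that deserves to be stated explicitly next to the rules. Suggest a comment above the block such as `# Debian udev rules invoke console-setup from udev itself, so udev_t executes its config and manages its runtime files in place`, adjusted to what the Debian rule actually does. The enclosing ifdef(`distro_debian' block starts outside this hunk.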