[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/roles/

2019-03-26 Thread Jason Zaman
commit: a7ec244c351f1fcccd2547b2b94554b29b69c07a
Author: Sugar, David  tresys  com>
AuthorDate: Fri Mar 15 02:27:10 2019 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Mon Mar 25 10:05:25 2019 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a7ec244c

Separate out udevadm into a new domain

This is the update I have made based on suggestions for the previous
patches to add a udev_run interface.  This adds the new domain udevadm_t
which is entered from /usr/bin/udevadm.

It seems to meet the needs that I have, but there are some things to
note that are probably important.
1) There are a few systemd services that use udevadm during startup.
   I have granted the permissions that I need based on denials I was
   seeing during startup (the machine would fail to start without the
   permissions).
2) In the udev.fc file there are other binaries that I don't have on a
   RHEL7 box that maybe should also be labeled udevadm_exec_t.
   e.g. /usr/bin/udevinfo and /usr/bin/udevsend
   But as I don't have those binaries to test, I have not updated the
   type of that binary.
3) There are some places that call udev_domtrans that maybe should now
   be using udevadm_domtrans - rpm.te, hal.te, hotplug.te.  Again,
   these are not things that I am using in my current situation and am
   unable to test the interactions to know if the change is correct.

Other than that, I think this was a good suggestion to split udevadm
into a different domain.

Only change for v4 is to use stream_connect_pattern as suggested.

Signed-off-by: Dave Sugar  tresys.com>
Signed-off-by: Jason Zaman  perfinion.com>

 policy/modules/roles/sysadm.te |  4 +++
 policy/modules/system/udev.fc  |  4 +--
 policy/modules/system/udev.if  | 62 ++
 policy/modules/system/udev.te  | 40 ++-
 4 files changed, 107 insertions(+), 3 deletions(-)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index b600e379..6827561f 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -1140,6 +1140,10 @@ optional_policy(`
tzdata_domtrans(sysadm_t)
 ')
 
+optional_policy(`
+   udevadm_run(sysadm_t, sysadm_r)
+')
+
 optional_policy(`
ulogd_admin(sysadm_t, sysadm_r)
 ')

diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
index 84705e32..7e27287e 100644
--- a/policy/modules/system/udev.fc
+++ b/policy/modules/system/udev.fc
@@ -10,7 +10,7 @@
 /etc/udev/scripts/.+ --
gen_context(system_u:object_r:udev_helper_exec_t,s0)
 
 /usr/bin/udev  --  gen_context(system_u:object_r:udev_exec_t,s0)
-/usr/bin/udevadm   --  gen_context(system_u:object_r:udev_exec_t,s0)
+/usr/bin/udevadm   --  gen_context(system_u:object_r:udevadm_exec_t,s0)
 /usr/bin/udevd --  gen_context(system_u:object_r:udev_exec_t,s0)
 /usr/bin/udevinfo  --  gen_context(system_u:object_r:udev_exec_t,s0)
 /usr/bin/udevsend  --  gen_context(system_u:object_r:udev_exec_t,s0)
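Review bot: `/usr/bin/udevinfo` and `/usr/bin/udevsend`, two lines below the relabelled entry, keep `udev_exec_t`, so callers that reach them through the existing `udev_domtrans` still end up in the udev daemon's domain rather than the narrower `udevadm_t` this commit introduces; the `/usr/sbin/udevsend` entry in the next hunk is in the same position. The description says these binaries could not be tested, which is a fair reason to leave them, but nothing in the file records that decision. A marker above those entries, `# TODO: udevinfo/udevsend are udevadm_exec_t candidates, left on udev_exec_t pending testing`, would keep the intent visible to whoever next edits the labels.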
@@ -22,7 +22,7 @@ ifdef(`distro_debian',`
 ')
 
 /usr/sbin/udev --  gen_context(system_u:object_r:udev_exec_t,s0)
-/usr/sbin/udevadm  --  gen_context(system_u:object_r:udev_exec_t,s0)
+/usr/sbin/udevadm  --  gen_context(system_u:object_r:udevadm_exec_t,s0)
 /usr/sbin/udevd--  
gen_context(system_u:object_r:udev_exec_t,s0)
 /usr/sbin/udevsend --  gen_context(system_u:object_r:udev_exec_t,s0)
 /usr/sbin/udevstart--  gen_context(system_u:object_r:udev_exec_t,s0)

diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index 2ecdf5f0..fc8577bd 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -518,6 +518,68 @@ interface(`udev_generic_pid_filetrans_run_dirs',`
refpolicywarn(`$0($*) has been deprecated.')
 ')
 
+
+## 
+## Execute udev admin in the udevadm domain.
+## 
+## 
+## 
+## Domain allowed to transition.
+## 
+## 
+#
+interface(`udevadm_domtrans',`
+   gen_require(`
+   type udevadm_t, udevadm_exec_t;
+   ')
+
+   domtrans_pattern($1, udevadm_exec_t, udevadm_t)
+')
+
+
+## 
+## Execute udevadm in the udevadm domain, and
+## allow the specified role the udevadm domain.
+## 
+## 
+## 
+## Domain allowed to transition.
+## 
+## 
+## 
+## 
+## Role allowed access.
+## 
+## 
+## 
+#
+interface(`udevadm_run',`
+   gen_require(`
+   attribute_role udevadm_roles;
+   ')
+
+   udevadm_domtrans($1)
+   roleattribute $2 udevadm_roles;
+')
+
+
+## 
+## Execute udevadm in the caller domain.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`udevadm_exec',`
+   gen_require(`
+   type udevadm_exec_t;
+   ')
+

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/roles/

2017-09-16 Thread Jason Zaman
commit: 49d93dd3845f17a8e9bd86c6f17697abedd0c000
Author: Chris PeBenito  ieee  org>
AuthorDate: Thu Sep 14 21:21:56 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Sep 17 03:17:39 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=49d93dd3

sysadm,fstools: Module version bump.

 policy/modules/roles/sysadm.te   | 2 +-
 policy/modules/system/fstools.te | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index a6e7ba61..47179088 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -1,4 +1,4 @@
-policy_module(sysadm, 2.12.0)
+policy_module(sysadm, 2.12.1)
 
 
 #

diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index e0f72464..6459f17d 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -1,4 +1,4 @@
-policy_module(fstools, 1.21.0)
+policy_module(fstools, 1.21.1)
 
 
 #



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/roles/, policy/modules/services/

2016-12-07 Thread Jason Zaman
commit: 26cfb137599281b3669132f1828bd8dcab5b9848
Author: Guido Trentalancia  trentalancia  net>
AuthorDate: Tue Dec  6 20:41:39 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu Dec  8 04:44:05 2016 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=26cfb137

Apache OpenOffice module (base policy part)

This is a patch that I have created and tested to support Apache
OpenOffice with its own module (base policy part, 1/2).

The file contexts (and initial tests) are based on the default
installation path for version 4 of the office suite.

Since the second version it includes revisions from Dominick Grift.

Since the third version it should correctly manage files in home
directories and allow some other major functionality.

The fourth version of the patch introduces a boolean to enable or
disable software updates from the network (application and/or
extensions).

The fifth version of the patch adds the ability to connect to the
X display manager (XDM) using Unix domain sockets (interface
xserver_stream_connect_xdm()). Also the fifth version splits the
whole patch into separate base policy / contrib policy patches as
required.

The sixth version of this patch removes obsolete executable
permission from the unconfined module.

The seventh, eighth and ninth versions bring no changes to the base
part of the patch.

All released versions are safe to apply, each new version just
brings improved application functionality and better integration
with other desktop applications.

Signed-off-by: Guido Trentalancia  trentalancia.net>

 policy/modules/roles/staff.te   |  4 
 policy/modules/roles/sysadm.te  |  4 
 policy/modules/roles/unprivuser.te  |  4 
 policy/modules/services/xserver.if  | 19 +++
 policy/modules/system/libraries.fc  |  2 ++
 policy/modules/system/unconfined.fc |  1 -
 6 files changed, 33 insertions(+), 1 deletion(-)

diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 2f12250..67ca253 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -141,6 +141,10 @@ ifndef(`distro_redhat',`
')
 
optional_policy(`
+   ooffice_role(staff_r, staff_t)
+   ')
+
+   optional_policy(`
pyzor_role(staff_r, staff_t)
')
 

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 7631551..2071dbc 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -721,6 +721,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+   ooffice_role(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
openct_admin(sysadm_t, sysadm_r)
 ')
 

diff --git a/policy/modules/roles/unprivuser.te 
b/policy/modules/roles/unprivuser.te
index 6c2cd55..768dc1a 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -114,6 +114,10 @@ ifndef(`distro_redhat',`
')
 
optional_policy(`
+   ooffice_role(user_r, user_t)
+   ')
+
+   optional_policy(`
postgresql_role(user_r, user_t)
')
 

diff --git a/policy/modules/services/xserver.if 
b/policy/modules/services/xserver.if
index f6dc616..3b55a08 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -621,6 +621,25 @@ interface(`xserver_read_user_dmrc',`
 
 
 ## 
+## Read all users .ICEauthority.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`xserver_read_user_iceauth',`
+   gen_require(`
+   type iceauth_home_t;
+   ')
+
+   allow $1 iceauth_home_t:file read_file_perms;
+   userdom_search_user_home_dirs($1)
+')
+
+
+## 
 ## Set the attributes of the X windows console named pipes.
 ## 
 ## 
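Review bot: The summary `Read all users .ICEauthority.` understates what `xserver_read_user_iceauth` grants: `iceauth_home_t` is the user's ICE session-authentication cookie file, so this interface hands a domain the user's session credentials, and a reader of the generated interface index should see that before calling it. Suggest `## Read all users .ICEauthority (ICE session authentication cookies).` on the summary line, and a one-line parameter note that the domain gains the ability to authenticate to the user's ICE-based sessions. The rule body itself (`read_file_perms` plus `userdom_search_user_home_dirs`) is the minimal grant for the stated purpose.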

diff --git a/policy/modules/system/libraries.fc 
b/policy/modules/system/libraries.fc
index 2e92f7e..f6d1e7c 100644
--- a/policy/modules/system/libraries.fc
+++ b/policy/modules/system/libraries.fc
@@ -52,6 +52,8 @@ ifdef(`distro_redhat',`
 /opt/(.*/)?jre.*/.+\.so(\.[^/]*)*  --  
gen_context(system_u:object_r:textrel_shlib_t,s0)
 /opt/(.*/)?jre/.+\.jar --  
gen_context(system_u:object_r:lib_t,s0)
 
+/opt/openoffice4/program/.+\.so(\.[^/]*)*  --  
gen_context(system_u:object_r:lib_t,s0)
+
 /opt/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* -- 
gen_context(system_u:object_r:textrel_shlib_t,s0)
 # despite the extensions, they are actually libs
 /opt/Acrobat[5-9]/Reader/intellinux/plugins/.*\.api -- 
gen_context(system_u:object_r:lib_t,s0)
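Review bot: The new pattern is pinned to `/opt/openoffice4/program/`, unlike the neighbouring `jre` entries that use a version-agnostic `(.*/)?` prefix, so a later major version installed under a differently numbered directory would not match and its shared objects would fall back to the default label for `/opt`. The description says the path comes from the version 4 default install, so this may be deliberate; if the directory naming is stable across versions, `/opt/openoffice[0-9]*/program/.+\.so(\.[^/]*)*` in the style of the `Acrobat[5-9]` entry below would survive an upgrade. Either way a short comment stating that the path is the version 4 default would help the next person who sees the mismatch.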

diff --git a/policy/modules/system/unconfined.fc 
b/policy/modules/system/unconfined.fc
index 0abaf84..519f2bf 100644
--- a/policy/modules/system/unconfined.fc
+++ b/policy/modules/system/unconfined.fc
@@ -6,7 +6,6 @@
 /usr/bin/vncserver --  
gen_context(system_u:object_r:unconfined_exec_t,s0)
 
 /usr/lib/ia32el/i

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/roles/

2016-05-12 Thread Jason Zaman
commit: 8e0eff5279a8f7dc13708530d047efbd29d5f52b
Author: Chris PeBenito  tresys  com>
AuthorDate: Mon May  2 12:32:42 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Fri May 13 05:08:43 2016 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8e0eff52

Module version bump for hwloc-dump-hwdata from Dominick Grift and Grzegorz 
Andrejczuk.

 policy/modules/roles/sysadm.te  | 2 +-
 policy/modules/system/userdomain.te | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index e9e3e43..aa85384 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -1,4 +1,4 @@
-policy_module(sysadm, 2.9.1)
+policy_module(sysadm, 2.9.2)
 
 
 #

diff --git a/policy/modules/system/userdomain.te 
b/policy/modules/system/userdomain.te
index c6b9fc3..2a36851 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,4 +1,4 @@
-policy_module(userdomain, 4.11.0)
+policy_module(userdomain, 4.11.1)
 
 
 #



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/roles/

2016-03-11 Thread Jason Zaman
commit: 88e2b31ca43dca81887800346b3a66194f101815
Author: Chris PeBenito  tresys  com>
AuthorDate: Tue Mar  8 13:52:25 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Fri Mar 11 17:15:38 2016 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=88e2b31c

Module version bump for tboot utils from Luis Ressel and systemd fix from Jason 
Zaman.

Update contrib.

 policy/modules/roles/sysadm.te | 2 +-
 policy/modules/system/init.te  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 2426d84..6c46905 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -1,4 +1,4 @@
-policy_module(sysadm, 2.9.0)
+policy_module(sysadm, 2.9.1)
 
 
 #

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 1f59e2a..8e8c163 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 2.0.2)
+policy_module(init, 2.0.3)
 
 gen_require(`
class passwd rootok;



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/roles/

2015-07-31 Thread Jason Zaman
commit: c7833ecb2f3fe1c42ec15a2245803980bcb5109f
Author: Jason Zaman  perfinion  com>
AuthorDate: Sat Jul 11 09:15:44 2015 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu Jul 30 16:41:27 2015 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c7833ecb

Introduce lvm_admin interface

 policy/modules/roles/sysadm.te |  1 +
 policy/modules/system/lvm.if   | 44 ++
 2 files changed, 45 insertions(+)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index e0442db..1ee88cd 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -578,6 +578,7 @@ optional_policy(`
 ')
 
 optional_policy(`
+   lvm_admin(sysadm_t, sysadm_r)
lvm_run(sysadm_t, sysadm_r)
 ')
 

diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if
index 58bc27f..86b223c 100644
--- a/policy/modules/system/lvm.if
+++ b/policy/modules/system/lvm.if
@@ -123,3 +123,47 @@ interface(`lvm_domtrans_clvmd',`
corecmd_search_bin($1)
domtrans_pattern($1, clvmd_exec_t, clvmd_t)
 ')
+
+##
+## 
+## All of the rules required to
+## administrate an lvm environment.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+## 
+## 
+## Role allowed access.
+## 
+## 
+#
+interface(`lvm_admin',`
+   gen_require(`
+   type clvmd_t, clvmd_exec_t, clvmd_initrc_exec_t;
+   type lvm_etc_t, lvm_lock_t, lvm_metadata_t;
+   type lvm_var_lib_t, lvm_var_run_t, clvmd_var_run_t, lvm_tmp_t;
+   ')
+
+   allow $1 clvmd_t:process { ptrace signal_perms };
+   ps_process_pattern($1, clvmd_t)
+
+   init_startstop_service($1, $2, clvmd_t, clvmd_initrc_exec_t)
+
+   files_search_etc($1)
+   admin_pattern($1, lvm_etc_t)
+
+   files_search_locks($1)
+   admin_pattern($1, lvm_lock_t)
+
+   files_search_var_lib($1)
+   admin_pattern($1, lvm_var_lib_t)
+
+   files_search_pids($1)
+   admin_pattern($1, { lvm_var_run_t clvmd_var_run_t })
+
+   files_search_tmp($1)
+   admin_pattern($1, lvm_tmp_t)
+')
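Review bot: `clvmd_exec_t` and `lvm_metadata_t` are listed in the `gen_require` block of `lvm_admin` but never appear in the body, so either the requires should be trimmed or a rule is missing; `lvm_metadata_t` presumably labels the metadata backups alongside the config tree, and `admin_pattern($1, lvm_metadata_t)` next to the `lvm_etc_t` rule would be the natural completion if administrators are expected to manage them. Separately, `allow $1 clvmd_t:process { ptrace signal_perms };` grants ptrace over the daemon unconditionally, while sysadm.te already declares an `allow_ptrace` tunable (visible further down this page), which suggests ptrace over other domains is meant to be opt-in; `signal_perms` alone covers start/stop/status duties. The same unconditional ptrace appears in `iptables_admin` in the iptables.if hunk below.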



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/roles/

2015-06-09 Thread Jason Zaman
commit: 8a2e9526fe60459f6ce9b81530da19d86bae4ca4
Author: Jason Zaman  perfinion  com>
AuthorDate: Mon Jun  8 20:38:21 2015 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Tue Jun  9 13:06:34 2015 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8a2e9526

Introduce iptables_admin

 policy/modules/roles/sysadm.te|  1 +
 policy/modules/system/iptables.if | 39 +++
 2 files changed, 40 insertions(+)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 4cfb014..9169215 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -178,6 +178,7 @@ optional_policy(`
 ')
 
 optional_policy(`
+   iptables_admin(sysadm_t, sysadm_r)
iptables_run(sysadm_t, sysadm_r)
 ')
 

diff --git a/policy/modules/system/iptables.if 
b/policy/modules/system/iptables.if
index c42fbc3..26ce647 100644
--- a/policy/modules/system/iptables.if
+++ b/policy/modules/system/iptables.if
@@ -163,3 +163,42 @@ interface(`iptables_manage_config',`
files_search_etc($1)
manage_files_pattern($1, iptables_conf_t, iptables_conf_t)
 ')
+
+
+## 
+## All of the rules required to
+## administrate an iptables
+## environment.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+## 
+## 
+## Role allowed access.
+## 
+## 
+## 
+#
+interface(`iptables_admin',`
+   gen_require(`
+   type iptables_t, iptables_initrc_exec_t, iptables_conf_t;
+   type iptables_tmp_t, iptables_var_run_t;
+   ')
+
+   allow $1 iptables_t:process { ptrace signal_perms };
+   ps_process_pattern($1, iptables_t)
+
+   init_startstop_service($1, $2, iptables_t, iptables_initrc_exec_t)
+
+   files_list_etc($1)
+   admin_pattern($1, iptables_conf_t)
+
+   files_list_tmp($1)
+   admin_pattern($1, iptables_tmp_t)
+
+   files_list_pids($1)
+   admin_pattern($1, iptables_var_run_t)
+')



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/roles/

2014-09-21 Thread Sven Vermeulen
commit: 2e1248b773552252b513c39d806a4da0baf28a97
Author: Chris PeBenito  tresys  com>
AuthorDate: Wed Sep 17 18:00:08 2014 +
Commit: Sven Vermeulen  gentoo  org>
CommitDate: Sun Sep 21 14:02:18 2014 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=2e1248b7

Module version bump for CIL fixes from Yuli Khodorkovskiy.

---
 policy/modules/roles/auditadm.te| 2 +-
 policy/modules/roles/staff.te   | 2 +-
 policy/modules/roles/sysadm.te  | 2 +-
 policy/modules/roles/unprivuser.te  | 2 +-
 policy/modules/system/userdomain.te | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/policy/modules/roles/auditadm.te b/policy/modules/roles/auditadm.te
index 9275a2d..cec5b2b 100644
--- a/policy/modules/roles/auditadm.te
+++ b/policy/modules/roles/auditadm.te
@@ -1,4 +1,4 @@
-policy_module(auditadm, 2.2.0)
+policy_module(auditadm, 2.2.1)
 
 
 #

diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 631c70b..8081d0b 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -1,4 +1,4 @@
-policy_module(staff, 2.5.1)
+policy_module(staff, 2.5.2)
 
 
 #

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index e4ae74e..af9d2cf 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -1,4 +1,4 @@
-policy_module(sysadm, 2.7.1)
+policy_module(sysadm, 2.7.2)
 
 
 #

diff --git a/policy/modules/roles/unprivuser.te 
b/policy/modules/roles/unprivuser.te
index 5d89d99..c0d6204 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -1,4 +1,4 @@
-policy_module(unprivuser, 2.5.1)
+policy_module(unprivuser, 2.5.2)
 
 # this module should be named user, but that is
 # a compile error since user is a keyword.

diff --git a/policy/modules/system/userdomain.te 
b/policy/modules/system/userdomain.te
index 912849c..2614b91 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,4 +1,4 @@
-policy_module(userdomain, 4.10.2)
+policy_module(userdomain, 4.10.3)
 
 
 #



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/roles/

2014-09-21 Thread Sven Vermeulen
commit: 40c1924391dda3a767afbd9c10d19183b5b2bb0e
Author: Yuli Khodorkovskiy  tresys  com>
AuthorDate: Mon Sep 15 17:22:27 2014 +
Commit: Sven Vermeulen  gentoo  org>
CommitDate: Sun Sep 21 14:02:16 2014 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=40c19243

Remove duplicate role declarations

-This patch is needed since CIL does not allow duplicate
role declarations. The roles for system_r, staff_r, sysadm_r, and
user_r were already declared in kernel.te. Since the roles are
pulled in from require statements in the appropriate interfaces,
the duplicate role declarations could be deleted in modules for
auditadm, staff, sysadm, and userdomain.

-Move a role declaration that used an argument passed into the
userdom_base_user_template into a gen_require statement.

---
 policy/modules/roles/auditadm.te| 1 -
 policy/modules/roles/staff.te   | 2 +-
 policy/modules/roles/sysadm.te  | 2 +-
 policy/modules/roles/unprivuser.te  | 2 +-
 policy/modules/system/userdomain.if | 2 +-
 5 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/policy/modules/roles/auditadm.te b/policy/modules/roles/auditadm.te
index 834a065..9275a2d 100644
--- a/policy/modules/roles/auditadm.te
+++ b/policy/modules/roles/auditadm.te
@@ -6,7 +6,6 @@ policy_module(auditadm, 2.2.0)
 #
 
 role auditadm_r;
-role system_r;
 userdom_unpriv_user_template(auditadm)
 
 

diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 27b49b1..631c70b 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -5,7 +5,7 @@ policy_module(staff, 2.5.1)
 # Declarations
 #
 
-role staff_r;
+#role staff_r;
 
 userdom_unpriv_user_template(staff)
 
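Review bot: Commenting the declaration out as `#role staff_r;` leaves dead code in place of an explanation, and the auditadm.te hunk in this same commit shows the cleaner choice of deleting the line outright; the sysadm.te (`#role sysadm_r;`) and unprivuser.te (`#role user_r;`) hunks repeat the commented-out form. If a reminder is wanted at this spot, a comment that states the reason reads better than a disabled statement: `# staff_r is declared in kernel.te; CIL rejects duplicate role declarations`.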

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 6265657..e4ae74e 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -12,7 +12,7 @@ policy_module(sysadm, 2.7.1)
 ## 
 gen_tunable(allow_ptrace, false)
 
-role sysadm_r;
+#role sysadm_r;
 
 userdom_admin_user_template(sysadm)
 

diff --git a/policy/modules/roles/unprivuser.te 
b/policy/modules/roles/unprivuser.te
index 27431c7..5d89d99 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -8,7 +8,7 @@ policy_module(unprivuser, 2.5.1)
 # Declarations
 #
 
-role user_r;
+#role user_r;
 
 userdom_unpriv_user_template(user)
 

diff --git a/policy/modules/system/userdomain.if 
b/policy/modules/system/userdomain.if
index 08139d9..16a95cc 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -27,6 +27,7 @@ template(`userdom_base_user_template',`
attribute userdomain;
type user_devpts_t, user_tty_device_t;
class context contains;
+   role $1_r;
')
 
attribute $1_file_type;
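Review bot: Moving `role $1_r;` into the `gen_require` block changes the template's contract: `userdom_base_user_template` no longer declares the role, so an instantiation whose `$1_r` is not declared elsewhere (the description says system_r, staff_r, sysadm_r and user_r live in kernel.te) will now fail when the module is linked instead of creating the role. That is the intended effect for CIL, but nothing in the template says so; a comment on the new line, `role $1_r; # must be declared elsewhere (kernel.te); CIL forbids re-declaring it here`, would spare the next author of a user template the surprise. The template's body continues past this hunk.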
@@ -37,7 +38,6 @@ template(`userdom_base_user_template',`
corecmd_bin_entry_type($1_t)
domain_user_exemption_target($1_t)
ubac_constrained($1_t)
-   role $1_r;
role $1_r types $1_t;
allow system_r $1_r;