[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/apps/

2023-10-06 Thread Kenton Groombridge
commit: a4c6f2483b5025b63c5d42837f9eabd73d9866fe
Author: Guido Trentalancia  trentalancia  com>
AuthorDate: Fri Sep 29 20:30:14 2023 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Fri Oct  6 15:31:45 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a4c6f248

Let openoffice perform temporary file transitions and manage link files.

Signed-off-by: Guido Trentalancia  trentalancia.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/apps/openoffice.te | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/policy/modules/apps/openoffice.te 
b/policy/modules/apps/openoffice.te
index 37ac6720c..f8cccacd4 100644
--- a/policy/modules/apps/openoffice.te
+++ b/policy/modules/apps/openoffice.te
@@ -61,8 +61,9 @@ userdom_user_home_dir_filetrans(ooffice_t, ooffice_home_t, 
dir, ".openoffice")
 
 manage_dirs_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
 manage_files_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
+manage_lnk_files_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
 manage_sock_files_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
-files_tmp_filetrans(ooffice_t, ooffice_tmp_t, { dir file sock_file })
+files_tmp_filetrans(ooffice_t, ooffice_tmp_t, { dir file lnk_file sock_file })
 
 can_exec(ooffice_t, ooffice_exec_t)
 
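Review bot: the new manage_lnk_files_pattern line and the lnk_file added to files_tmp_filetrans are consistent with each other, but the commit message cites no denial, unlike the loadkeys commit below. Quoting the AVC (with its path= and tcontext=) would show that symlink creation really happens under the generic tmp directory rather than a user tmp location; and if ooffice_t also has a user-tmp filetrans elsewhere in this module, its class list should be extended to match so that symlinks do not end up with a different label depending on where they are created.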



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/apps/

2023-10-06 Thread Kenton Groombridge
commit: 9139acd456b4a49f7d8286023ac6abc09725ccb7
Author: Yi Zhao  windriver  com>
AuthorDate: Wed Sep 20 06:43:34 2023 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Fri Oct  6 15:27:06 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9139acd4

loadkeys: do not audit attempts to get attributes for all directories

Fixes:
avc:  denied  { getattr } for  pid=239 comm="loadkeys" path="/boot"
dev="vda" ino=15 scontext=system_u:system_r:loadkeys_t:s0-s15:c0.c1023
tcontext=system_u:object_r:boot_t:s0 tclass=dir permissive=1

avc:  denied  { getattr } for  pid=239 comm="loadkeys" path="/home"
dev="vda" ino=806 scontext=system_u:system_r:loadkeys_t:s0-s15:c0.c1023
tcontext=system_u:object_r:home_root_t:s0-s15:c0.c1023 tclass=dir permissive=1

avc:  denied  { getattr } for  pid=239 comm="loadkeys" path="/lost+found"
dev="vda" ino=11 scontext=system_u:system_r:loadkeys_t:s0-s15:c0.c1023
tcontext=system_u:object_r:lost_found_t:s15:c0.c1023 tclass=dir permissive=1

avc:  denied  { getattr } for  pid=239 comm="loadkeys" path="/media"
dev="vda" ino=810 scontext=system_u:system_r:loadkeys_t:s0-s15:c0.c1023
tcontext=system_u:object_r:mnt_t:s0 tclass=dir permissive=1

Signed-off-by: Yi Zhao  windriver.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/apps/loadkeys.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/apps/loadkeys.te b/policy/modules/apps/loadkeys.te
index b9558dccc..56fb45114 100644
--- a/policy/modules/apps/loadkeys.te
+++ b/policy/modules/apps/loadkeys.te
@@ -35,6 +35,7 @@ files_read_usr_files(loadkeys_t)
 files_search_runtime(loadkeys_t)
 files_search_src(loadkeys_t)
 files_search_tmp(loadkeys_t)
+files_dontaudit_getattr_all_dirs(loadkeys_t)
 
 term_dontaudit_use_console(loadkeys_t)
 term_use_unallocated_ttys(loadkeys_t)
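Review bot: files_dontaudit_getattr_all_dirs is the right tool here since every cited denial is getattr on a top-level directory (/boot, /home, /lost+found, /media) that loadkeys has no reason to read. Note that all four AVCs were captured with permissive=1, so this rule only silences log noise and grants nothing; it is worth confirming in enforcing mode that loadkeys still loads the keymap when those stat() calls fail.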



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/apps/

2023-02-13 Thread Kenton Groombridge
commit: 0ace931ace4b0f237c27301c052bd1d3571349d8
Author: Corentin LABBE  gmail  com>
AuthorDate: Thu Jan  5 15:42:10 2023 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Mon Feb 13 15:24:01 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0ace931a

mandb: permit reading inherited cron files

Each night /etc/cron.daily/man-db generates some AVCs:
allow mandb_t system_cronjob_tmp_t:file { read write };

Add the necessary rules for it.

Signed-off-by: Corentin LABBE  gmail.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/apps/mandb.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/apps/mandb.te b/policy/modules/apps/mandb.te
index f136a90ae..5dd7cf7a5 100644
--- a/policy/modules/apps/mandb.te
+++ b/policy/modules/apps/mandb.te
@@ -59,5 +59,6 @@ ifdef(`init_systemd',`
 ')
 
 optional_policy(`
+   cron_rw_inherited_system_job_tmp_files(mandb_t)
cron_system_entry(mandb_t, mandb_exec_t)
 ')
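Review bot: the subject says "read", but the rule granted is cron_rw_inherited_system_job_tmp_files and the cited denial is { read write }; either the subject should say read/write or the write half should be justified (most likely cron hands the job a system_cronjob_tmp_t file as its stdout/stderr, which needs write). The denial is also quoted as an audit2allow "allow" line rather than the raw AVC; the raw record with path= would make the "inherited" claim verifiable.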



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/apps/, policy/modules/admin/, policy/modules/services/

2022-12-13 Thread Kenton Groombridge
commit: edc91c3a2edac1ca2915691a16060d6b53704b40
Author: Kenton Groombridge  concord  sh>
AuthorDate: Mon Dec 12 15:35:32 2022 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Tue Dec 13 19:07:47 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=edc91c3a

various: use mmap_manage_file_perms

Replace instances of manage_file_perms and map with
mmap_manage_file_perms

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/admin/alsa.te | 2 +-
 policy/modules/admin/apt.if  | 2 +-
 policy/modules/apps/mozilla.te   | 2 +-
 policy/modules/apps/pulseaudio.if| 2 +-
 policy/modules/apps/pulseaudio.te| 2 +-
 policy/modules/services/aptcacher.te | 2 +-
 policy/modules/services/mailman.te   | 8 
 policy/modules/services/matrixd.te   | 2 +-
 policy/modules/services/nsd.te   | 2 +-
 policy/modules/services/postfix.te   | 2 +-
 10 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/policy/modules/admin/alsa.te b/policy/modules/admin/alsa.te
index 2f6efcbeb..3b6a129c1 100644
--- a/policy/modules/admin/alsa.te
+++ b/policy/modules/admin/alsa.te
@@ -68,7 +68,7 @@ manage_files_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t)
 files_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file })
 userdom_user_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file })
 
-allow alsa_t alsa_tmpfs_t:file { manage_file_perms map };
+allow alsa_t alsa_tmpfs_t:file mmap_manage_file_perms;
 fs_tmpfs_filetrans(alsa_t, alsa_tmpfs_t, file)
 
 manage_dirs_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
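Review bot: this series is meant to be a no-op cleanup, so the message should state that mmap_manage_file_perms expands to exactly { manage_file_perms map } in policy/support/obj_perm_sets.spt, and the equivalence should be confirmed with sediff against the previous build (or sesearch -A -s alsa_t -t alsa_tmpfs_t -c file before and after) rather than by inspection. One such check covers all ten files in the series.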

diff --git a/policy/modules/admin/apt.if b/policy/modules/admin/apt.if
index 6d5d3f33a..5787e9804 100644
--- a/policy/modules/admin/apt.if
+++ b/policy/modules/admin/apt.if
@@ -191,7 +191,7 @@ interface(`apt_manage_cache',`
 
files_search_var($1)
allow $1 apt_var_cache_t:dir manage_dir_perms;
-   allow $1 apt_var_cache_t:file { manage_file_perms map };
+   allow $1 apt_var_cache_t:file mmap_manage_file_perms;
 ')
 
 

diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
index 03a9b9d6e..ba6b2376c 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -86,7 +86,7 @@ allow mozilla_t mozilla_plugin_t:unix_stream_socket 
rw_socket_perms;
 allow mozilla_t mozilla_plugin_t:fd use;
 
 allow mozilla_t { mozilla_home_t mozilla_plugin_home_t }:dir manage_dir_perms;
-allow mozilla_t { mozilla_home_t mozilla_plugin_home_t }:file { 
manage_file_perms map };
+allow mozilla_t { mozilla_home_t mozilla_plugin_home_t }:file 
mmap_manage_file_perms;
 allow mozilla_t mozilla_home_t:lnk_file manage_lnk_file_perms;
 userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".galeon")
 userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".mozilla")

diff --git a/policy/modules/apps/pulseaudio.if 
b/policy/modules/apps/pulseaudio.if
index b2d2f1d43..c7df8b8a7 100644
--- a/policy/modules/apps/pulseaudio.if
+++ b/policy/modules/apps/pulseaudio.if
@@ -45,7 +45,7 @@ template(`pulseaudio_role',`
allow $2 pulseaudio_home_t:lnk_file { manage_lnk_file_perms 
relabel_lnk_file_perms };
 
allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:dir { 
manage_dir_perms relabel_dir_perms };
-   allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:file { 
manage_file_perms relabel_file_perms map };
+   allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:file { 
mmap_manage_file_perms relabel_file_perms };
 
allow $2 pulseaudio_tmp_t:dir { manage_dir_perms relabel_dir_perms };
allow $2 pulseaudio_tmp_t:file { manage_file_perms relabel_file_perms };

diff --git a/policy/modules/apps/pulseaudio.te 
b/policy/modules/apps/pulseaudio.te
index 2bb0ee79e..b26123e86 100644
--- a/policy/modules/apps/pulseaudio.te
+++ b/policy/modules/apps/pulseaudio.te
@@ -59,7 +59,7 @@ allow pulseaudio_t self:tcp_socket { accept listen };
 allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms;
 
 allow pulseaudio_t pulseaudio_home_t:dir manage_dir_perms;
-allow pulseaudio_t pulseaudio_home_t:file { manage_file_perms map };
+allow pulseaudio_t pulseaudio_home_t:file mmap_manage_file_perms;
 allow pulseaudio_t pulseaudio_home_t:lnk_file manage_lnk_file_perms;
 
 userdom_user_home_dir_filetrans(pulseaudio_t, pulseaudio_home_t, dir, ".pulse")

diff --git a/policy/modules/services/aptcacher.te 
b/policy/modules/services/aptcacher.te
index ac29c8728..10a0e54e1 100644
--- a/policy/modules/services/aptcacher.te
+++ b/policy/modules/services/aptcacher.te
@@ -51,7 +51,7 @@ allow aptcacher_t aptcacher_conf_t:file mmap_read_file_perms;
 allow aptcacher_t aptcacher_conf_t:lnk_file read_lnk_file_perms;
 
 allow aptcacher_t aptcacher_cache_t:dir manage_dir_perms;
-allow aptcacher_t aptcacher_cache_t:file { manage_file_perms map };
+allow aptcacher_t aptcacher_cache_t:file mmap_manage_file_perms;
 

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/apps/

2021-11-20 Thread Jason Zaman
commit: 5f17e5ac1d12a5bb6d264a4e9e127fb3f28cd0e2
Author: Kenton Groombridge  concord  sh>
AuthorDate: Tue Nov 16 17:11:59 2021 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Nov 20 22:58:24 2021 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5f17e5ac

wine: fix roleattribute statement

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/apps/wine.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/apps/wine.if b/policy/modules/apps/wine.if
index 2050167d..37f10d03 100644
--- a/policy/modules/apps/wine.if
+++ b/policy/modules/apps/wine.if
@@ -33,7 +33,7 @@ template(`wine_role',`
type wine_home_t;
')
 
-   roleattribute $1 wine_roles;
+   roleattribute $4 wine_roles;
 
domtrans_pattern($3, wine_exec_t, wine_t)
 
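Review bot: this corrects the one $1 left behind when wine_role was converted to a four-argument template in 1dea4614 (on this page), where $1 became the role prefix and $4 the role; with $1, roleattribute was being given a prefix such as sysadm rather than a declared role, which is unlikely to compile. Both commits carry the same CommitDate, so they presumably landed together, but the intermediate tree is broken; squashing this into 1dea4614 would have kept the history bisectable.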



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/apps/

2021-11-20 Thread Jason Zaman
commit: 1dea46140374ccd2b67ed5daf6563e5917df519c
Author: Kenton Groombridge  concord  sh>
AuthorDate: Wed Oct 13 22:44:14 2021 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Nov 20 22:58:24 2021 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1dea4614

wine: use user exec domain attribute

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/apps/wine.if | 58 +
 1 file changed, 37 insertions(+), 21 deletions(-)

diff --git a/policy/modules/apps/wine.if b/policy/modules/apps/wine.if
index 25e09d6e..2050167d 100644
--- a/policy/modules/apps/wine.if
+++ b/policy/modules/apps/wine.if
@@ -4,18 +4,29 @@
 ## 
 ## Role access for wine.
 ## 
-## 
+## 
 ## 
-## Role allowed access.
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
 ## 
 ## 
-## 
+## 
 ## 
 ## User domain for the role.
 ## 
 ## 
+## 
+## 
+## User exec domain for execute and transition access.
+## 
+## 
+## 
+## 
+## Role allowed access
+## 
+## 
 #
-interface(`wine_role',`
+template(`wine_role',`
gen_require(`
attribute_role wine_roles;
type wine_exec_t, wine_t, wine_tmp_t;
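Review bot: changing interface(`wine_role',...) to template(...) and reordering the parameters to (prefix, domain, exec domain, role) is an incompatible signature change, yet this commit touches only wine.if; every caller still passing the old (role, domain) pair must be updated in the same commit, the way the cryfs change below updates sysadm.te, or the build breaks. Also, the new $4 summary "Role allowed access" drops the trailing period that the old $1 text and the other parameter summaries in this block have.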
@@ -24,18 +35,18 @@ interface(`wine_role',`
 
roleattribute $1 wine_roles;
 
-   domtrans_pattern($2, wine_exec_t, wine_t)
+   domtrans_pattern($3, wine_exec_t, wine_t)
 
-   allow wine_t $2:unix_stream_socket connectto;
-   allow wine_t $2:process signull;
+   allow wine_t $3:unix_stream_socket connectto;
+   allow wine_t $3:process signull;
 
-   ps_process_pattern($2, wine_t)
-   allow $2 wine_t:process { ptrace signal_perms };
+   ps_process_pattern($3, wine_t)
+   allow $3 wine_t:process { ptrace signal_perms };
 
-   allow $2 wine_t:fd use;
-   allow $2 wine_t:shm { associate getattr };
-   allow $2 wine_t:shm rw_shm_perms;
-   allow $2 wine_t:unix_stream_socket connectto;
+   allow $3 wine_t:fd use;
+   allow $3 wine_t:shm { associate getattr };
+   allow $3 wine_t:shm rw_shm_perms;
+   allow $3 wine_t:unix_stream_socket connectto;
 
allow $2 { wine_tmp_t wine_home_t }:dir { manage_dir_perms 
relabel_dir_perms };
allow $2 { wine_tmp_t wine_home_t }:file { manage_file_perms 
relabel_file_perms };
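Review bot: "roleattribute $1 wine_roles;" is left unchanged just above the first $3 edit, but in the new signature $1 is the prefix, not the role; this must be $4 (the follow-up 5f17e5ac on this page makes exactly that change). Separately, the ptrace, signal_perms, fd and shm rules now target $3 (the exec-domain attribute) while the wine_tmp_t/wine_home_t file rules below stay on $2 (the user domain); if that split is intentional, process interaction from any exec domain but file ownership only by the user domain, a one-line comment would stop the next reader from treating it as an oversight.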
@@ -55,18 +66,23 @@ interface(`wine_role',`
 ## 
 ## 
 ## 
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
 ## 
 ## 
-## 
+## 
 ## 
-## The role associated with the user domain.
+## User domain for the role.
 ## 
 ## 
-## 
+## 
+## 
+## User exec domain for execute and transition access.
+## 
+## 
+## 
 ## 
-## The type of the user domain.
+## Role allowed access
 ## 
 ## 
 #
@@ -86,7 +102,7 @@ template(`wine_role_template',`
 
domtrans_pattern($3, wine_exec_t, $1_wine_t)
 
-   corecmd_bin_domtrans($1_wine_t, $3)
+   corecmd_bin_domtrans($1_wine_t, $2)
 
userdom_manage_user_tmpfs_files($1_wine_t)
 
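Review bot: corecmd_bin_domtrans($1_wine_t, $2) is the right fix for the new argument order, and $2 rather than $3 is required here regardless: the default type of a type_transition must be a type, and $3 is the exec-domain attribute, so passing it would not build.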
@@ -97,7 +113,7 @@ template(`wine_role_template',`
')
 
optional_policy(`
-   xserver_role($1, $1_wine_t, $1_application_exec_domain, $1_r)
+   xserver_role($1, $1_wine_t, $3, $4)
')
 ')
 
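Review bot: passing $3 and $4 straight through to xserver_role instead of rebuilding $1_application_exec_domain and $1_r from the prefix removes a hidden naming assumption; after this change the $1 prefix is only used to form the $1_wine_t type name, which is the one place in this template where it cannot be avoided.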



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/apps/, policy/modules/services/

2021-11-20 Thread Jason Zaman
commit: c41bce39e4cc5a7ae57a5a305ab8e7bb1618fcf7
Author: Kenton Groombridge  concord  sh>
AuthorDate: Wed Oct 13 18:42:42 2021 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Nov 20 22:58:24 2021 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c41bce39

mpd, pulseaudio: split domtrans and client access

Split `pulseaudio_domtrans()` into two interfaces: one that grants
transition access and the other the `pulseaudio_client` attribute. This
fixes a build error because calls to `pulseaudio_domtrans()` by the role
would associate the client attribute with the user exec domain
attribute.

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/apps/pulseaudio.if | 26 --
 policy/modules/services/mpd.te|  1 +
 2 files changed, 21 insertions(+), 6 deletions(-)

diff --git a/policy/modules/apps/pulseaudio.if 
b/policy/modules/apps/pulseaudio.if
index 5a2c2a83..1796b771 100644
--- a/policy/modules/apps/pulseaudio.if
+++ b/policy/modules/apps/pulseaudio.if
@@ -59,6 +59,25 @@ template(`pulseaudio_role',`
')
 ')
 
+
+## 
+## Connect to pulseaudio and manage
+## pulseaudio config data.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`pulseaudio_client_domain',`
+   gen_require(`
+   attribute pulseaudio_client;
+   ')
+
+   typeattribute $1 pulseaudio_client;
+')
+
 
 ## 
 ## Execute a domain transition to run pulseaudio.
@@ -71,12 +90,9 @@ template(`pulseaudio_role',`
 #
 interface(`pulseaudio_domtrans',`
gen_require(`
-   attribute pulseaudio_client;
type pulseaudio_t, pulseaudio_exec_t;
')
 
-   typeattribute $1 pulseaudio_client;
-
corecmd_search_bin($1)
domtrans_pattern($1, pulseaudio_exec_t, pulseaudio_t)
 ')
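Review bot: dropping "typeattribute $1 pulseaudio_client" from pulseaudio_domtrans silently removes client access from every existing caller of that interface, not just from the role path that caused the build error, and this commit only restores it for mpd_t. All other callers of pulseaudio_domtrans( in the tree should be grepped and given a pulseaudio_client_domain() call where they actually talk to the daemon, and the summary of pulseaudio_domtrans should now say that it no longer confers client access.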
@@ -100,12 +116,10 @@ interface(`pulseaudio_domtrans',`
 #
 interface(`pulseaudio_run',`
gen_require(`
-   attribute pulseaudio_client;
attribute_role pulseaudio_roles;
')
 
-   typeattribute $1 pulseaudio_client;
-
+   pulseaudio_client_domain($1)
pulseaudio_domtrans($1)
roleattribute $2 pulseaudio_roles;
 ')

diff --git a/policy/modules/services/mpd.te b/policy/modules/services/mpd.te
index 4a0650df..3ba4a896 100644
--- a/policy/modules/services/mpd.te
+++ b/policy/modules/services/mpd.te
@@ -182,6 +182,7 @@ optional_policy(`
 ')
 
 optional_policy(`
+   pulseaudio_client_domain(mpd_t)
pulseaudio_domtrans(mpd_t)
 ')
 



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/apps/, policy/modules/roles/

2021-11-20 Thread Jason Zaman
commit: 280eb10e71337401487dd51dc3cb9243b16be783
Author: Kenton Groombridge  concord  sh>
AuthorDate: Sun Aug  8 16:54:41 2021 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Nov 20 22:58:24 2021 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=280eb10e

cryfs, roles: use user exec domain attribute

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/apps/cryfs.if   | 31 +++
 policy/modules/roles/sysadm.te |  2 +-
 2 files changed, 24 insertions(+), 9 deletions(-)

diff --git a/policy/modules/apps/cryfs.if b/policy/modules/apps/cryfs.if
index 300a00ad..d0bece91 100644
--- a/policy/modules/apps/cryfs.if
+++ b/policy/modules/apps/cryfs.if
@@ -4,18 +4,29 @@
 ## 
 ## Role access for CryFS.
 ## 
-## 
+## 
 ## 
-## Role allowed access.
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
 ## 
 ## 
-## 
+## 
 ## 
 ## User domain for the role.
 ## 
 ## 
+## 
+## 
+## User exec domain for execute and transition access.
+## 
+## 
+## 
+## 
+## Role allowed access
+## 
+## 
 #
-interface(`cryfs_role',`
+template(`cryfs_role',`
gen_require(`
attribute_role cryfs_roles;
type cryfs_t, cryfs_exec_t;
@@ -26,15 +37,19 @@ interface(`cryfs_role',`
# Declarations
#
 
-   roleattribute $1 cryfs_roles;
+   roleattribute $4 cryfs_roles;
 

#
# Policy
#
 
-   domtrans_pattern($2, cryfs_exec_t, cryfs_t)
+   domtrans_pattern($3, cryfs_exec_t, cryfs_t)
 
-   allow $2 cryfs_t:process signal_perms;
-   ps_process_pattern($2, cryfs_t)
+   allow $3 cryfs_t:process signal_perms;
+   ps_process_pattern($3, cryfs_t)
+
+   optional_policy(`
+   systemd_user_app_status($1, cryfs_t)
+   ')
 ')
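Review bot: the new optional_policy block calling systemd_user_app_status($1, cryfs_t) is an access addition that the subject line ("use user exec domain attribute") does not mention; either call it out in the message or split it into its own commit. The "roleattribute $4 cryfs_roles;" here is correct, unlike the wine conversion on this page, which left $1 in place.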

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 44b80516..d5d61098 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -1230,7 +1230,7 @@ ifndef(`distro_redhat',`
')
 
optional_policy(`
-   cryfs_role(sysadm_r, sysadm_t)
+   cryfs_role(sysadm, sysadm_t, sysadm_application_exec_domain, 
sysadm_r)
')
 
optional_policy(`
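Review bot: only sysadm.te is updated for the four-argument cryfs_role; any other role module still calling it as cryfs_role(role, domain) will fail to build after this commit, so the remaining callers should be checked (grep for "cryfs_role(") before merging.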



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/apps/

2021-11-20 Thread Jason Zaman
commit: 830377badedee4af85544b6f5c856c71031520e5
Author: Kenton Groombridge  concord  sh>
AuthorDate: Wed Oct 13 22:46:07 2021 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Nov 20 22:58:24 2021 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=830377ba

mono: use user exec domain attribute

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/apps/mono.if | 23 ++-
 1 file changed, 14 insertions(+), 9 deletions(-)

diff --git a/policy/modules/apps/mono.if b/policy/modules/apps/mono.if
index f37db3e8..ef116c39 100644
--- a/policy/modules/apps/mono.if
+++ b/policy/modules/apps/mono.if
@@ -12,18 +12,23 @@
 ## 
 ## 
 ## 
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
 ## 
 ## 
-## 
+## 
 ## 
-## The role associated with the user domain.
+## User domain for the role.
 ## 
 ## 
-## 
+## 
+## 
+## User exec domain for execute and transition access.
+## 
+## 
+## 
 ## 
-## The type of the user domain.
+## Role allowed access
 ## 
 ## 
 #
@@ -54,16 +59,16 @@ template(`mono_role_template',`
domtrans_pattern($3, mono_exec_t, $1_mono_t)
 
allow $3 $1_mono_t:process { ptrace noatsecure signal_perms };
-   ps_process_pattern($2, $1_mono_t)
+   ps_process_pattern($3, $1_mono_t)
 
-   corecmd_bin_domtrans($1_mono_t, $3)
+   corecmd_bin_domtrans($1_mono_t, $2)
 
userdom_manage_user_tmpfs_files($1_mono_t)
 
optional_policy(`
fs_dontaudit_rw_tmpfs_files($1_mono_t)
 
-   xserver_role($1, $1_mono_t, $1_application_exec_domain, $1_r)
+   xserver_role($1, $1_mono_t, $3, $4)
')
 ')
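Review bot: changing ps_process_pattern($2, $1_mono_t) to $3 brings it in line with the "allow $3 $1_mono_t:process { ptrace noatsecure signal_perms }" line directly above, which already used $3; otherwise ptrace would have gone to the exec domain while ps access stayed on the user domain. As in the wine template, corecmd_bin_domtrans($1_mono_t, $2) has to take the type $2, since a transition target cannot be an attribute.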
 



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/apps/, policy/modules/services/

2021-03-21 Thread Jason Zaman
commit: 2c0357f7e69e0d75c52933bd88771b17d0c39aa6
Author: Jason Zaman  gentoo  org>
AuthorDate: Sun Feb 21 05:18:52 2021 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Mar 21 22:07:35 2021 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2c0357f7

bluetooth: Add bluetooth_socket perms

- Needs bluetooth/alg_socket access
- pulse needs shutdown perms on the socket
- also needs to read udev db

Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/apps/pulseaudio.te| 1 +
 policy/modules/services/bluetooth.if | 3 ++-
 policy/modules/services/bluetooth.te | 6 ++
 3 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/policy/modules/apps/pulseaudio.te 
b/policy/modules/apps/pulseaudio.te
index fd2df71a..ceb954e4 100644
--- a/policy/modules/apps/pulseaudio.te
+++ b/policy/modules/apps/pulseaudio.te
@@ -54,6 +54,7 @@ allow pulseaudio_t self:process { getcap getsched setcap 
setrlimit setsched sign
 allow pulseaudio_t self:fifo_file rw_fifo_file_perms;
 allow pulseaudio_t self:unix_stream_socket { accept connectto listen };
 allow pulseaudio_t self:unix_dgram_socket sendto;
+allow pulseaudio_t self:bluetooth_socket shutdown;
 allow pulseaudio_t self:tcp_socket { accept listen };
 allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms;
 
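Review bot: "allow pulseaudio_t self:bluetooth_socket shutdown;" grants only shutdown on sockets pulseaudio created itself, yet nothing in this hunk lets pulseaudio_t create a bluetooth_socket at all. Either the create/connect side is granted elsewhere in the module (then the full permission set, or a comment pointing to it, belongs here), or the socket was handed over from bluetoothd and carries the bluetooth_t label, in which case this rule is not the one being hit and the bluetooth_stream_connect change is. Please include the AVC this rule answers.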

diff --git a/policy/modules/services/bluetooth.if 
b/policy/modules/services/bluetooth.if
index e35e8631..3e4b0e5f 100644
--- a/policy/modules/services/bluetooth.if
+++ b/policy/modules/services/bluetooth.if
@@ -66,7 +66,8 @@ interface(`bluetooth_stream_connect',`
')
 
files_search_runtime($1)
-   allow $1 bluetooth_t:socket rw_socket_perms;
+   allow $1 bluetooth_t:fd use;
+   allow $1 bluetooth_t:socket { rw_socket_perms shutdown };
stream_connect_pattern($1, bluetooth_runtime_t, bluetooth_runtime_t, 
bluetooth_t)
 ')
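Review bot: the shutdown permission is added on the generic socket class, but this same commit gives bluetooth_t rules on the bluetooth_socket class, which means extended_socket_class is in effect for this policy; under it an AF_BLUETOOTH socket received over the unix stream socket is classified as bluetooth_t:bluetooth_socket, not bluetooth_t:socket, so the denial behind "pulse needs shutdown perms on the socket" would not be covered by this line. Check the tclass= in the original AVC and grant shutdown on that class.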
 

diff --git a/policy/modules/services/bluetooth.te 
b/policy/modules/services/bluetooth.te
index 69a38543..fcf0c177 100644
--- a/policy/modules/services/bluetooth.te
+++ b/policy/modules/services/bluetooth.te
@@ -60,6 +60,8 @@ allow bluetooth_t self:socket create_stream_socket_perms;
 allow bluetooth_t self:unix_stream_socket { accept connectto listen };
 allow bluetooth_t self:tcp_socket { accept listen };
 allow bluetooth_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow bluetooth_t self:bluetooth_socket server_stream_socket_perms;
+allow bluetooth_t self:alg_socket create_stream_socket_perms;
 
 read_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_t)
 
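Review bot: the new bluetooth_socket and alg_socket rules match the commit message, but the "allow bluetooth_t self:socket create_stream_socket_perms;" line at the top of the hunk now overlaps them: with extended socket classes in effect the generic class only covers address families without a dedicated class, so it is worth checking whether that rule still matches anything bluetoothd opens. create_stream_socket_perms on alg_socket also includes listen, which AF_ALG never uses; bind and accept are the operations it actually needs.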
@@ -156,6 +158,10 @@ optional_policy(`
ppp_domtrans(bluetooth_t)
 ')
 
+optional_policy(`
+   udev_read_runtime_files(bluetooth_t)
+')
+
 
 #
 # Helper local policy



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/apps/

2021-02-06 Thread Jason Zaman
commit: bf51bea5131ee562ef22444e34aab06f69422cbc
Author: Chris PeBenito  ieee  org>
AuthorDate: Tue Feb  2 13:47:55 2021 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Feb  6 21:15:09 2021 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=bf51bea5

screen: Module version bump.

Signed-off-by: Chris PeBenito  ieee.org>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/apps/screen.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/apps/screen.te b/policy/modules/apps/screen.te
index 58575bc9..bcfba653 100644
--- a/policy/modules/apps/screen.te
+++ b/policy/modules/apps/screen.te
@@ -1,4 +1,4 @@
-policy_module(screen, 2.11.0)
+policy_module(screen, 2.11.1)
 
 
 #



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/apps/

2021-02-06 Thread Jason Zaman
commit: f633f22afb5aff7f1173813fe7559851bc62b557
Author: Jonathan Davies  protonmail  com>
AuthorDate: Fri Jan 29 14:56:40 2021 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Feb  6 21:15:09 2021 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f633f22a

apps/screen.te: Allow screen to search xdg directories.

Signed-off-by: Jonathan Davies  protonmail.com>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/apps/screen.te | 4 
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/apps/screen.te b/policy/modules/apps/screen.te
index f8546e84..58575bc9 100644
--- a/policy/modules/apps/screen.te
+++ b/policy/modules/apps/screen.te
@@ -111,6 +111,10 @@ tunable_policy(`use_nfs_home_dirs',`
fs_read_nfs_symlinks(screen_domain)
 ')
 
+optional_policy(`
+   xdg_search_config_dirs(screen_domain)
+')
+
 ifdef(`distro_gentoo',`
##
#
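Review bot: xdg_search_config_dirs(screen_domain) is only meaningful together with the ~/.config/tmux file context added in e27adab9 (the next message on this page): search on the XDG config directory gets tmux as far as that directory, and whatever rules screen_domain has on screen_home_t then apply beneath it. The message should say that this is what the rule is for, since on its own it reads as an unexplained widening.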



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/apps/

2021-02-06 Thread Jason Zaman
commit: e27adab96f63c43ee299bf65dc9234ab898c9a95
Author: Jonathan Davies  protonmail  com>
AuthorDate: Fri Jan 29 14:56:29 2021 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Feb  6 20:54:11 2021 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e27adab9

apps/screen.fc: Added fcontext for tmux xdg directory.

Signed-off-by: Jonathan Davies  protonmail.com>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/apps/screen.fc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/apps/screen.fc b/policy/modules/apps/screen.fc
index 7196c598..e51e01d9 100644
--- a/policy/modules/apps/screen.fc
+++ b/policy/modules/apps/screen.fc
@@ -1,3 +1,4 @@
+HOME_DIR/\.config/tmux(/.*)?   --  
gen_context(system_u:object_r:screen_home_t,s0)
 HOME_DIR/\.screen(/.*)?
gen_context(system_u:object_r:screen_home_t,s0)
 HOME_DIR/\.screenrc--  gen_context(system_u:object_r:screen_home_t,s0)
 HOME_DIR/\.tmux\.conf  --  gen_context(system_u:object_r:screen_home_t,s0)
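Review bot: the new entry "HOME_DIR/\.config/tmux(/.*)?  --  gen_context(system_u:object_r:screen_home_t,s0)" combines a directory-tree regex with the "--" file-type flag, which restricts the match to regular files, so the tmux directory itself and any subdirectories will not be labelled screen_home_t and will keep the XDG config label; compare the "HOME_DIR/\.screen(/.*)?" entry two lines below, which correctly carries no type flag. Drop the "--" here.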



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/apps/, policy/modules/system/

2021-01-31 Thread Jason Zaman
commit: aca741873cf293fc54247ea147c4fae4e62929b8
Author: Chris PeBenito  ieee  org>
AuthorDate: Fri Jan 29 13:35:12 2021 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Mon Feb  1 01:21:42 2021 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=aca74187

userdomain, gpg: Module version bump.

Signed-off-by: Chris PeBenito  ieee.org>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/apps/gpg.te  | 2 +-
 policy/modules/system/userdomain.te | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te
index 376e1a9f..608575be 100644
--- a/policy/modules/apps/gpg.te
+++ b/policy/modules/apps/gpg.te
@@ -1,4 +1,4 @@
-policy_module(gpg, 2.17.1)
+policy_module(gpg, 2.17.2)
 
 
 #

diff --git a/policy/modules/system/userdomain.te 
b/policy/modules/system/userdomain.te
index d17f3c81..034f6af5 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,4 +1,4 @@
-policy_module(userdomain, 4.20.6)
+policy_module(userdomain, 4.20.7)
 
 
 #



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/apps/

2020-02-14 Thread Jason Zaman
commit: 51312761c615ffb7bef402a32c96a7d992f0d70e
Author: bauen1  gmail  com>
AuthorDate: Sat Feb  8 15:07:32 2020 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Feb 15 07:32:05 2020 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=51312761

loadkeys: remove redundant ifdef

Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/apps/loadkeys.te | 6 ++
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/policy/modules/apps/loadkeys.te b/policy/modules/apps/loadkeys.te
index 5c3b18d5..57274992 100644
--- a/policy/modules/apps/loadkeys.te
+++ b/policy/modules/apps/loadkeys.te
@@ -48,10 +48,8 @@ miscfiles_read_localization(loadkeys_t)
 userdom_use_user_ttys(loadkeys_t)
 userdom_list_user_home_content(loadkeys_t)
 
-ifdef(`distro_debian',`
-   optional_policy(`
-   consolesetup_read_conf(loadkeys_t)
-   ')
+optional_policy(`
+   consolesetup_read_conf(loadkeys_t)
 ')
 
 optional_policy(`
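Review bot: removing the ifdef(`distro_debian',...) wrapper widens consolesetup_read_conf(loadkeys_t) to every distribution, which is safe only because the remaining optional_policy already gates on the consolesetup module being present; the message calls this "redundant", and it would be clearer to say the widening is deliberate. The commit also lacks a Signed-off-by from the listed author.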



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/apps/, policy/modules/system/, policy/modules/kernel/, ...

2019-07-13 Thread Jason Zaman
commit: ff5f7b324ebc47437839440da340593c3266a095
Author: Chris PeBenito  ieee  org>
AuthorDate: Sun Jun  9 18:05:19 2019 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Jul 13 06:43:14 2019 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ff5f7b32

Bump module versions for release.

Signed-off-by: Chris PeBenito  ieee.org>
Signed-off-by: Jason Zaman  perfinion.com>

 policy/modules/admin/aide.te| 2 +-
 policy/modules/admin/logrotate.te   | 2 +-
 policy/modules/admin/usermanage.te  | 2 +-
 policy/modules/apps/cdrecord.te | 2 +-
 policy/modules/kernel/corenetwork.te.in | 2 +-
 policy/modules/kernel/devices.te| 2 +-
 policy/modules/kernel/filesystem.te | 2 +-
 policy/modules/kernel/kernel.te | 2 +-
 policy/modules/kernel/storage.te| 2 +-
 policy/modules/roles/sysadm.te  | 2 +-
 policy/modules/services/apache.te   | 2 +-
 policy/modules/services/clamav.te   | 2 +-
 policy/modules/services/cron.te | 2 +-
 policy/modules/services/dbus.te | 2 +-
 policy/modules/services/devicekit.te| 2 +-
 policy/modules/services/dovecot.te  | 2 +-
 policy/modules/services/ntp.te  | 2 +-
 policy/modules/services/plymouthd.te| 2 +-
 policy/modules/services/tuned.te| 2 +-
 policy/modules/services/xserver.te  | 2 +-
 policy/modules/system/authlogin.te  | 2 +-
 policy/modules/system/init.te   | 2 +-
 policy/modules/system/logging.te| 2 +-
 policy/modules/system/lvm.te| 2 +-
 policy/modules/system/miscfiles.te  | 2 +-
 policy/modules/system/mount.te  | 2 +-
 policy/modules/system/selinuxutil.te| 2 +-
 policy/modules/system/systemd.te| 2 +-
 policy/modules/system/udev.te   | 2 +-
 policy/modules/system/unconfined.te | 2 +-
 policy/modules/system/userdomain.te | 2 +-
 31 files changed, 31 insertions(+), 31 deletions(-)

diff --git a/policy/modules/admin/aide.te b/policy/modules/admin/aide.te
index 687d72bc..69ec0e63 100644
--- a/policy/modules/admin/aide.te
+++ b/policy/modules/admin/aide.te
@@ -1,4 +1,4 @@
-policy_module(aide, 1.8.2)
+policy_module(aide, 1.9.0)
 
 
 #

diff --git a/policy/modules/admin/logrotate.te 
b/policy/modules/admin/logrotate.te
index adc3101d..6609e4a7 100644
--- a/policy/modules/admin/logrotate.te
+++ b/policy/modules/admin/logrotate.te
@@ -1,4 +1,4 @@
-policy_module(logrotate, 1.22.2)
+policy_module(logrotate, 1.23.0)
 
 
 #

diff --git a/policy/modules/admin/usermanage.te 
b/policy/modules/admin/usermanage.te
index fad8ef96..3605da43 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -1,4 +1,4 @@
-policy_module(usermanage, 1.22.2)
+policy_module(usermanage, 1.23.0)
 
 
 #

diff --git a/policy/modules/apps/cdrecord.te b/policy/modules/apps/cdrecord.te
index daf4c58c..b5fba05c 100644
--- a/policy/modules/apps/cdrecord.te
+++ b/policy/modules/apps/cdrecord.te
@@ -1,4 +1,4 @@
-policy_module(cdrecord, 2.6.1)
+policy_module(cdrecord, 2.7.0)
 
 
 #

diff --git a/policy/modules/kernel/corenetwork.te.in 
b/policy/modules/kernel/corenetwork.te.in
index e9ff9e95..06b53d3f 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -1,4 +1,4 @@
-policy_module(corenetwork, 1.25.1)
+policy_module(corenetwork, 1.26.0)
 
 
 #

diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 5f793c52..67f0d9fb 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,4 +1,4 @@
-policy_module(devices, 1.24.3)
+policy_module(devices, 1.25.0)
 
 
 #

diff --git a/policy/modules/kernel/filesystem.te 
b/policy/modules/kernel/filesystem.te
index 3d321072..61f419a8 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -1,4 +1,4 @@
-policy_module(filesystem, 1.25.1)
+policy_module(filesystem, 1.26.0)
 
 
 #

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index d6a653fc..7c3cc772 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -1,4 +1,4 @@
-policy_module(kernel, 1.25.3)
+policy_module(kernel, 1.26.0)
 
 
 #

diff --git a/policy/modules/kernel/storage.te b/policy/modules/kernel/storage.te
index 0b5a4245..d1cd9ea9 100644
--- a/policy/modules/kernel/storage.te
+++ b/policy/modules/kernel/storage.te
@@ -1,4 +1,4 @@
-policy_module(storage, 1.16.2)
+policy_module(storage, 1.17.0)
 
 
 #

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index a9bdbee7..35164073 100644
--- 

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/apps/

2019-02-09 Thread Jason Zaman
commit: 46b8592baa68cac9ec8519827408c91521cf0bce
Author: Chris PeBenito  ieee  org>
AuthorDate: Wed Jan 23 23:43:16 2019 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Feb 10 04:11:25 2019 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=46b8592b

chromium: Whitespace fixes.

Signed-off-by: Jason Zaman  perfinion.com>

 policy/modules/apps/chromium.if | 4 +---
 policy/modules/apps/chromium.te | 5 ++---
 2 files changed, 3 insertions(+), 6 deletions(-)

diff --git a/policy/modules/apps/chromium.if b/policy/modules/apps/chromium.if
index 26eb0259..2ded3279 100644
--- a/policy/modules/apps/chromium.if
+++ b/policy/modules/apps/chromium.if
@@ -1,6 +1,4 @@
-## 
-## Chromium browser
-## 
+## Chromium browser
 
 ###
 ## 

diff --git a/policy/modules/apps/chromium.te b/policy/modules/apps/chromium.te
index 5219cb87..dbf3a620 100644
--- a/policy/modules/apps/chromium.te
+++ b/policy/modules/apps/chromium.te
@@ -71,8 +71,6 @@ xdg_config_content(chromium_xdg_config_t)
 type chromium_xdg_cache_t;
 xdg_cache_content(chromium_xdg_cache_t)
 
-
-
 
 #
 # chromium local policy
@@ -229,9 +227,11 @@ optional_policy(`
optional_policy(`
unconfined_dbus_chat(chromium_t)
')
+
optional_policy(`
gnome_dbus_chat_all_gkeyringd(chromium_t)
')
+
optional_policy(`
devicekit_dbus_chat_power(chromium_t)
')
@@ -339,4 +339,3 @@ tunable_policy(`chromium_read_system_info',`
kernel_dontaudit_read_kernel_sysctl(chromium_naclhelper_t)
kernel_dontaudit_read_system_state(chromium_naclhelper_t)
 ')
-



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/apps/

2019-02-09 Thread Jason Zaman
commit: f5a0a7c4574aaa7179d9f693db9d8e07b1afd7c1
Author: Jason Zaman  perfinion  com>
AuthorDate: Sat Jan 12 08:03:44 2019 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Feb 10 04:11:25 2019 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f5a0a7c4

Add chromium policy upstreamed from Gentoo

Signed-off-by: Jason Zaman  perfinion.com>

 policy/modules/apps/chromium.fc |  31 
 policy/modules/apps/chromium.if | 139 
 policy/modules/apps/chromium.te | 342 
 3 files changed, 512 insertions(+)

diff --git a/policy/modules/apps/chromium.fc b/policy/modules/apps/chromium.fc
new file mode 100644
index ..534235dc
--- /dev/null
+++ b/policy/modules/apps/chromium.fc
@@ -0,0 +1,31 @@
+/opt/google/chrome/chrome  --  
gen_context(system_u:object_r:chromium_exec_t,s0)
+/opt/google/chrome/chrome_sandbox  --  
gen_context(system_u:object_r:chromium_sandbox_exec_t,s0)
+/opt/google/chrome/chrome-sandbox  --  
gen_context(system_u:object_r:chromium_sandbox_exec_t,s0)
+/opt/google/chrome/google-chrome   --  
gen_context(system_u:object_r:chromium_exec_t,s0)
+/opt/google/chrome/nacl_helper_bootstrap   --  
gen_context(system_u:object_r:chromium_naclhelper_exec_t,s0)
+/opt/google/chrome/libudev.so.0
gen_context(system_u:object_r:lib_t,s0)
+
+/opt/google/chrome-beta/chrome --  
gen_context(system_u:object_r:chromium_exec_t,s0)
+/opt/google/chrome-beta/chrome_sandbox --  
gen_context(system_u:object_r:chromium_sandbox_exec_t,s0)
+/opt/google/chrome-beta/chrome-sandbox --  
gen_context(system_u:object_r:chromium_sandbox_exec_t,s0)
+/opt/google/chrome-beta/google-chrome  --  
gen_context(system_u:object_r:chromium_exec_t,s0)
+/opt/google/chrome-beta/nacl_helper_bootstrap  --  
gen_context(system_u:object_r:chromium_naclhelper_exec_t,s0)
+/opt/google/chrome-beta/libudev.so.0   
gen_context(system_u:object_r:lib_t,s0)
+
+/opt/google/chrome-unstable/chrome --  
gen_context(system_u:object_r:chromium_exec_t,s0)
+/opt/google/chrome-unstable/chrome_sandbox --  
gen_context(system_u:object_r:chromium_sandbox_exec_t,s0)
+/opt/google/chrome-unstable/chrome-sandbox --  
gen_context(system_u:object_r:chromium_sandbox_exec_t,s0)
+/opt/google/chrome-unstable/google-chrome  --  
gen_context(system_u:object_r:chromium_exec_t,s0)
+/opt/google/chrome-unstable/nacl_helper_bootstrap  --  
gen_context(system_u:object_r:chromium_naclhelper_exec_t,s0)
+/opt/google/chrome-unstable/libudev.so.0   
gen_context(system_u:object_r:lib_t,s0)
+
+/usr/lib/chromium-browser/chrome   --  
gen_context(system_u:object_r:chromium_exec_t,s0)
+/usr/lib/chromium-browser/chrome_sandbox   --  
gen_context(system_u:object_r:chromium_sandbox_exec_t,s0)
+/usr/lib/chromium-browser/chrome-sandbox   --  
gen_context(system_u:object_r:chromium_sandbox_exec_t,s0)
+/usr/lib/chromium-browser/chromium-launcher\.sh--  
gen_context(system_u:object_r:chromium_exec_t,s0)
+/usr/lib/chromium-browser/nacl_helper_bootstrap--  
gen_context(system_u:object_r:chromium_naclhelper_exec_t,s0)
+
+HOME_DIR/\.cache/chromium(/.*)?
gen_context(system_u:object_r:chromium_xdg_cache_t,s0)
+HOME_DIR/\.cache/google-chrome(/.*)?   
gen_context(system_u:object_r:chromium_xdg_cache_t,s0)
+HOME_DIR/\.config/chromium(/.*)?   
gen_context(system_u:object_r:chromium_xdg_config_t,s0)
+HOME_DIR/\.config/google-chrome(/.*)?  
gen_context(system_u:object_r:chromium_xdg_config_t,s0)
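Review bot: the three `/opt/google/chrome*` blocks each label `libudev.so.0` as `lib_t`, but the `/usr/lib/chromium-browser/` block has no matching entry; if distribution builds of chromium link the system libudev and ship no private copy, a one-line comment saying so would stop a future reader from adding one. Both `chrome_sandbox` and `chrome-sandbox` spellings are labelled `chromium_sandbox_exec_t`, presumably to cover both names the helper has shipped under; that too is worth a comment in the file.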

diff --git a/policy/modules/apps/chromium.if b/policy/modules/apps/chromium.if
new file mode 100644
index ..26eb0259
--- /dev/null
+++ b/policy/modules/apps/chromium.if
@@ -0,0 +1,139 @@
+## 
+## Chromium browser
+## 
+
+###
+## 
+## Role access for chromium
+## 
+## 
+## 
+## Role allowed access
+## 
+## 
+## 
+## 
+## User domain for the role
+## 
+## 
+#
+interface(`chromium_role',`
+   gen_require(`
+   type chromium_t;
+   type chromium_renderer_t;
+   type chromium_sandbox_t;
+   type chromium_naclhelper_t;
+   type chromium_exec_t;
+   ')
+
+   role $1 types chromium_t;
+   role $1 types chromium_renderer_t;
+   role $1 types chromium_sandbox_t;
+   role $1 types chromium_naclhelper_t;
+
+   # Transition from the user domain to the derived domain
+   
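Review bot: `chromium_role` lists `chromium_exec_t` in its `gen_require` but none of the visible lines use it; if the domain transition introduced by the truncated `# Transition from the user domain to the derived domain` comment is the only consumer, that is fine, otherwise drop it to keep the require block minimal. The four `role $1 types` lines are needed because the renderer, sandbox and nacl helper domains are entered from chromium_t, so the role must be authorised for them as well as for chromium_t.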

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/apps/

2019-02-09 Thread Jason Zaman
commit: 2727cf5aaf4f714dcb9d2dfa83a7378b87ed222b
Author: Chris PeBenito  ieee  org>
AuthorDate: Wed Jan 23 23:44:45 2019 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Feb 10 04:11:25 2019 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2727cf5a

chromium: Move line.

Signed-off-by: Jason Zaman  perfinion.com>

 policy/modules/apps/chromium.te | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/policy/modules/apps/chromium.te b/policy/modules/apps/chromium.te
index dbf3a620..59c75491 100644
--- a/policy/modules/apps/chromium.te
+++ b/policy/modules/apps/chromium.te
@@ -253,7 +253,7 @@ ifdef(`use_alsa',`
 #
 
 allow chromium_renderer_t self:process execmem;
-
+dontaudit chromium_renderer_t self:process getsched;
 allow chromium_renderer_t self:fifo_file rw_fifo_file_perms;
 allow chromium_renderer_t self:shm create_shm_perms;
 allow chromium_renderer_t self:unix_dgram_socket { create read sendto };
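Review bot: grouping the `getsched` dontaudit with the other `self:` rules is the right move, and the removal of the old copy in the second hunk keeps the rule set unchanged. While touching this block, the `allow chromium_renderer_t self:process execmem;` line directly above deserves a short comment stating why the renderer needs executable anonymous memory, since execmem is a permission reviewers generally want justified.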
@@ -264,7 +264,6 @@ allow chromium_renderer_t chromium_t:unix_stream_socket 
rw_stream_socket_perms;
 allow chromium_renderer_t chromium_tmpfs_t:file rw_file_perms;
 
 dontaudit chromium_renderer_t chromium_t:dir search;   # /proc/... access
-dontaudit chromium_renderer_t self:process getsched;
 
 read_files_pattern(chromium_renderer_t, chromium_xdg_config_t, 
chromium_xdg_config_t)
 



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/apps/, policy/modules/system/, policy/modules/services/, ...

2018-07-12 Thread Jason Zaman
commit: 2e88191ba4aceb370fa048002db91879d0688e5e
Author: Chris PeBenito  ieee  org>
AuthorDate: Wed Jul 11 00:11:40 2018 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Wed Jul 11 14:41:35 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2e88191b

mozilla, devices, selinux, xserver, init, iptables: Module version bump.

 policy/modules/apps/mozilla.te | 2 +-
 policy/modules/kernel/devices.te   | 2 +-
 policy/modules/kernel/selinux.te   | 2 +-
 policy/modules/services/xserver.te | 2 +-
 policy/modules/system/init.te  | 2 +-
 policy/modules/system/iptables.te  | 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
index 1ae38bbf..12e1d39a 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -1,4 +1,4 @@
-policy_module(mozilla, 2.14.0)
+policy_module(mozilla, 2.14.1)
 
 
 #

diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 88471926..4ce5fecf 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,4 +1,4 @@
-policy_module(devices, 1.23.0)
+policy_module(devices, 1.23.1)
 
 
 #

diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te
index 66a89daa..e87b92ab 100644
--- a/policy/modules/kernel/selinux.te
+++ b/policy/modules/kernel/selinux.te
@@ -1,4 +1,4 @@
-policy_module(selinux, 1.15.0)
+policy_module(selinux, 1.15.1)
 
 
 #

diff --git a/policy/modules/services/xserver.te 
b/policy/modules/services/xserver.te
index 2e85c3bd..4fc46f4f 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,4 +1,4 @@
-policy_module(xserver, 3.16.0)
+policy_module(xserver, 3.16.1)
 
 gen_require(`
class x_drawable all_x_drawable_perms;

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index a172..475f5fa4 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 2.5.0)
+policy_module(init, 2.5.1)
 
 gen_require(`
class passwd rootok;

diff --git a/policy/modules/system/iptables.te 
b/policy/modules/system/iptables.te
index 9ccb8e9f..bc459711 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -1,4 +1,4 @@
-policy_module(iptables, 1.20.0)
+policy_module(iptables, 1.20.1)
 
 
 #



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/apps/

2018-07-12 Thread Jason Zaman
commit: c3e2c66e2e2789edab5f851bb70428c590e9fbd9
Author: Jason Zaman  perfinion  com>
AuthorDate: Tue Jul 10 15:03:15 2018 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Wed Jul 11 14:41:35 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c3e2c66e

mozilla: xdg updates

 policy/modules/apps/mozilla.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
index e57821da..1ae38bbf 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -206,6 +206,7 @@ userdom_use_user_ptys(mozilla_t)
 
 userdom_manage_user_tmp_dirs(mozilla_t)
 userdom_manage_user_tmp_files(mozilla_t)
+userdom_map_user_tmp_files(mozilla_t)
 
 userdom_user_content_access_template(mozilla, { mozilla_t mozilla_plugin_t })
 userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file })
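Review bot: the commit title "mozilla: xdg updates" does not describe this hunk, which widens the policy by granting `map` on user tmp files via `userdom_map_user_tmp_files(mozilla_t)` (the later hunks do the same for `mozilla_plugin_t` and add `xserver_rw_mesa_shader_cache(mozilla_t)`); a title naming the new permissions would make the change easier to audit from the log.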
@@ -219,6 +220,7 @@ xdg_read_config_files(mozilla_t)
 xdg_read_data_files(mozilla_t)
 xdg_manage_downloads(mozilla_t)
 
+xserver_rw_mesa_shader_cache(mozilla_t)
 xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
 xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
 xserver_dontaudit_getattr_xdm_tmp_sockets(mozilla_t)
@@ -519,6 +521,7 @@ 
miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_plugin_t)
 
 userdom_manage_user_tmp_dirs(mozilla_plugin_t)
 userdom_manage_user_tmp_files(mozilla_plugin_t)
+userdom_map_user_tmp_files(mozilla_plugin_t)
 
 userdom_user_home_dir_filetrans_user_home_content(mozilla_plugin_t, { dir file 
})
 



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/apps/

2018-06-24 Thread Jason Zaman
commit: 654fd93a51b7dd39e7ccf167f260515964c5eb62
Author: Jason Zaman  perfinion  com>
AuthorDate: Sun Jun 24 09:56:11 2018 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Mon Jun 25 05:31:59 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=654fd93a

apps: rw mesa_shader_cache

 policy/modules/apps/games.te   | 1 +
 policy/modules/apps/mplayer.te | 1 +
 2 files changed, 2 insertions(+)

diff --git a/policy/modules/apps/games.te b/policy/modules/apps/games.te
index 0cdebe62..7389bd74 100644
--- a/policy/modules/apps/games.te
+++ b/policy/modules/apps/games.te
@@ -194,4 +194,5 @@ optional_policy(`
xserver_user_x_domain_template(games, games_t, games_tmpfs_t)
xserver_create_xdm_tmp_sockets(games_t)
xserver_read_xdm_lib_files(games_t)
+   xserver_rw_mesa_shader_cache(games_t)
 ')
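Review bot: consistent with the surrounding `xserver_*` calls, the new `xserver_rw_mesa_shader_cache(games_t)` sits inside the xserver `optional_policy` block, so games still builds when the xserver module is absent; the mplayer.te hunk below calls the same interface unconditionally, matching that module's existing unconditional `xserver_user_x_domain_template` call, so the two placements differ for a reason and not by accident.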

diff --git a/policy/modules/apps/mplayer.te b/policy/modules/apps/mplayer.te
index 91b9569d..33eef8ed 100644
--- a/policy/modules/apps/mplayer.te
+++ b/policy/modules/apps/mplayer.te
@@ -216,6 +216,7 @@ xdg_read_music(mplayer_t)
 xdg_read_videos(mplayer_t)
 
 xserver_user_x_domain_template(mplayer, mplayer_t, mplayer_tmpfs_t)
+xserver_rw_mesa_shader_cache(mplayer_t)
 
 ifndef(`enable_mls',`
fs_list_dos(mplayer_t)