[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/apps/
commit: a4c6f2483b5025b63c5d42837f9eabd73d9866fe Author: Guido Trentalancia trentalancia com> AuthorDate: Fri Sep 29 20:30:14 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Oct 6 15:31:45 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a4c6f248 Let openoffice perform temporary file transitions and manage link files. Signed-off-by: Guido Trentalancia trentalancia.com> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/apps/openoffice.te | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/policy/modules/apps/openoffice.te b/policy/modules/apps/openoffice.te index 37ac6720c..f8cccacd4 100644 --- a/policy/modules/apps/openoffice.te +++ b/policy/modules/apps/openoffice.te @@ -61,8 +61,9 @@ userdom_user_home_dir_filetrans(ooffice_t, ooffice_home_t, dir, ".openoffice") manage_dirs_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t) manage_files_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t) +manage_lnk_files_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t) manage_sock_files_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t) -files_tmp_filetrans(ooffice_t, ooffice_tmp_t, { dir file sock_file }) +files_tmp_filetrans(ooffice_t, ooffice_tmp_t, { dir file lnk_file sock_file }) can_exec(ooffice_t, ooffice_exec_t)
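Review bot: The commit message should record the denial or use case behind symlink management in ooffice_tmp_t; the openoffice.te hunk adds manage_lnk_files_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t) and lnk_file to files_tmp_filetrans without saying what needed it, whereas the loadkeys change 9139acd4 quotes the AVCs it fixes. Scope-wise the change is sound: symlinks ooffice_t creates in /tmp are transitioned to ooffice_tmp_t by the updated files_tmp_filetrans line, so the new lnk_file access stays within the domain's own private temporary type rather than reaching tmp_t.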
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/apps/
commit: 9139acd456b4a49f7d8286023ac6abc09725ccb7 Author: Yi Zhao windriver com> AuthorDate: Wed Sep 20 06:43:34 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Oct 6 15:27:06 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9139acd4 loadkeys: do not audit attempts to get attributes for all directories Fixes: avc: denied { getattr } for pid=239 comm="loadkeys" path="/boot" dev="vda" ino=15 scontext=system_u:system_r:loadkeys_t:s0-s15:c0.c1023 tcontext=system_u:object_r:boot_t:s0 tclass=dir permissive=1 avc: denied { getattr } for pid=239 comm="loadkeys" path="/home" dev="vda" ino=806 scontext=system_u:system_r:loadkeys_t:s0-s15:c0.c1023 tcontext=system_u:object_r:home_root_t:s0-s15:c0.c1023 tclass=dir permissive=1 avc: denied { getattr } for pid=239 comm="loadkeys" path="/lost+found" dev="vda" ino=11 scontext=system_u:system_r:loadkeys_t:s0-s15:c0.c1023 tcontext=system_u:object_r:lost_found_t:s15:c0.c1023 tclass=dir permissive=1 avc: denied { getattr } for pid=239 comm="loadkeys" path="/media" dev="vda" ino=810 scontext=system_u:system_r:loadkeys_t:s0-s15:c0.c1023 tcontext=system_u:object_r:mnt_t:s0 tclass=dir permissive=1 Signed-off-by: Yi Zhao windriver.com> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/apps/loadkeys.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/apps/loadkeys.te b/policy/modules/apps/loadkeys.te index b9558dccc..56fb45114 100644 --- a/policy/modules/apps/loadkeys.te +++ b/policy/modules/apps/loadkeys.te @@ -35,6 +35,7 @@ files_read_usr_files(loadkeys_t) files_search_runtime(loadkeys_t) files_search_src(loadkeys_t) files_search_tmp(loadkeys_t) +files_dontaudit_getattr_all_dirs(loadkeys_t) term_dontaudit_use_console(loadkeys_t) term_use_unallocated_ttys(loadkeys_t)
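Review bot: The four quoted denials carry permissive=1, so before closing this out confirm loadkeys still works in enforcing mode with only files_dontaudit_getattr_all_dirs(loadkeys_t) added: dontaudit silences the getattr on /boot, /home, /lost+found and /media but grants nothing, which is the right choice only if loadkeys merely stats top-level directories in passing rather than needing their attributes. The lost_found_t target at s15:c0.c1023 shows the denials came from an MLS build; the dontaudit is level-independent, so no MLS constraint work is needed here.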
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/apps/
commit: 0ace931ace4b0f237c27301c052bd1d3571349d8 Author: Corentin LABBE gmail com> AuthorDate: Thu Jan 5 15:42:10 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Mon Feb 13 15:24:01 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0ace931a mandb: permit to read inherited cron files Each night /etc/cron.daily/man-db generates some AVC: allow mandb_t system_cronjob_tmp_t:file { read write }; Add the necessary rules for it. Signed-off-by: Corentin LABBE gmail.com> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/apps/mandb.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/apps/mandb.te b/policy/modules/apps/mandb.te index f136a90ae..5dd7cf7a5 100644 --- a/policy/modules/apps/mandb.te +++ b/policy/modules/apps/mandb.te @@ -59,5 +59,6 @@ ifdef(`init_systemd',` ') optional_policy(` + cron_rw_inherited_system_job_tmp_files(mandb_t) cron_system_entry(mandb_t, mandb_exec_t) ')
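Review bot: The subject line says "read", but the rule added in mandb.te, cron_rw_inherited_system_job_tmp_files(mandb_t), grants read and write, matching the quoted AVC `allow mandb_t system_cronjob_tmp_t:file { read write };`; the message should say read/write so the granted access is not understated. Placing the call inside the existing optional_policy block next to cron_system_entry is correct, since the interface only exists when the cron module is built.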
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/apps/, policy/modules/admin/, policy/modules/services/
commit: edc91c3a2edac1ca2915691a16060d6b53704b40 Author: Kenton Groombridge concord sh> AuthorDate: Mon Dec 12 15:35:32 2022 + Commit: Kenton Groombridge gentoo org> CommitDate: Tue Dec 13 19:07:47 2022 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=edc91c3a various: use mmap_manage_file_perms Replace instances of manage_file_perms and map with mmap_manage_file_perms Signed-off-by: Kenton Groombridge concord.sh> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/admin/alsa.te | 2 +- policy/modules/admin/apt.if | 2 +- policy/modules/apps/mozilla.te | 2 +- policy/modules/apps/pulseaudio.if| 2 +- policy/modules/apps/pulseaudio.te| 2 +- policy/modules/services/aptcacher.te | 2 +- policy/modules/services/mailman.te | 8 policy/modules/services/matrixd.te | 2 +- policy/modules/services/nsd.te | 2 +- policy/modules/services/postfix.te | 2 +- 10 files changed, 13 insertions(+), 13 deletions(-) diff --git a/policy/modules/admin/alsa.te b/policy/modules/admin/alsa.te index 2f6efcbeb..3b6a129c1 100644 --- a/policy/modules/admin/alsa.te +++ b/policy/modules/admin/alsa.te @@ -68,7 +68,7 @@ manage_files_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t) files_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file }) userdom_user_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file }) -allow alsa_t alsa_tmpfs_t:file { manage_file_perms map }; +allow alsa_t alsa_tmpfs_t:file mmap_manage_file_perms; fs_tmpfs_filetrans(alsa_t, alsa_tmpfs_t, file) manage_dirs_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t) diff --git a/policy/modules/admin/apt.if b/policy/modules/admin/apt.if index 6d5d3f33a..5787e9804 100644 --- a/policy/modules/admin/apt.if +++ b/policy/modules/admin/apt.if @@ -191,7 +191,7 @@ interface(`apt_manage_cache',` files_search_var($1) allow $1 apt_var_cache_t:dir manage_dir_perms; - allow $1 apt_var_cache_t:file { manage_file_perms map }; + allow $1 apt_var_cache_t:file mmap_manage_file_perms; ') 
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te index 03a9b9d6e..ba6b2376c 100644 --- a/policy/modules/apps/mozilla.te +++ b/policy/modules/apps/mozilla.te @@ -86,7 +86,7 @@ allow mozilla_t mozilla_plugin_t:unix_stream_socket rw_socket_perms; allow mozilla_t mozilla_plugin_t:fd use; allow mozilla_t { mozilla_home_t mozilla_plugin_home_t }:dir manage_dir_perms; -allow mozilla_t { mozilla_home_t mozilla_plugin_home_t }:file { manage_file_perms map }; +allow mozilla_t { mozilla_home_t mozilla_plugin_home_t }:file mmap_manage_file_perms; allow mozilla_t mozilla_home_t:lnk_file manage_lnk_file_perms; userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".galeon") userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".mozilla") diff --git a/policy/modules/apps/pulseaudio.if b/policy/modules/apps/pulseaudio.if index b2d2f1d43..c7df8b8a7 100644 --- a/policy/modules/apps/pulseaudio.if +++ b/policy/modules/apps/pulseaudio.if @@ -45,7 +45,7 @@ template(`pulseaudio_role',` allow $2 pulseaudio_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:dir { manage_dir_perms relabel_dir_perms }; - allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:file { manage_file_perms relabel_file_perms map }; + allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:file { mmap_manage_file_perms relabel_file_perms }; allow $2 pulseaudio_tmp_t:dir { manage_dir_perms relabel_dir_perms }; allow $2 pulseaudio_tmp_t:file { manage_file_perms relabel_file_perms }; diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te index 2bb0ee79e..b26123e86 100644 --- a/policy/modules/apps/pulseaudio.te +++ b/policy/modules/apps/pulseaudio.te 
@@ -59,7 +59,7 @@ allow pulseaudio_t self:tcp_socket { accept listen }; allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms; allow pulseaudio_t pulseaudio_home_t:dir manage_dir_perms; -allow pulseaudio_t pulseaudio_home_t:file { manage_file_perms map }; +allow pulseaudio_t pulseaudio_home_t:file mmap_manage_file_perms; allow pulseaudio_t pulseaudio_home_t:lnk_file manage_lnk_file_perms; userdom_user_home_dir_filetrans(pulseaudio_t, pulseaudio_home_t, dir, ".pulse") diff --git a/policy/modules/services/aptcacher.te b/policy/modules/services/aptcacher.te index ac29c8728..10a0e54e1 100644 --- a/policy/modules/services/aptcacher.te +++ b/policy/modules/services/aptcacher.te @@ -51,7 +51,7 @@ allow aptcacher_t aptcacher_conf_t:file mmap_read_file_perms; allow aptcacher_t aptcacher_conf_t:lnk_file read_lnk_file_perms; allow aptcacher_t aptcacher_cache_t:dir manage_dir_perms; -allow aptcacher_t aptcacher_cache_t:file { manage_file_perms map }; +allow aptcacher_t aptcacher_cache_t:file mmap_manage_file_perms;
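Review bot: Mechanical refactor across alsa.te, apt.if, mozilla.te, pulseaudio.if, pulseaudio.te and aptcacher.te; mmap_manage_file_perms is defined in refpolicy's permission sets as manage_file_perms plus map, so each hunk is permission-neutral and no module gains or loses access. In the pulseaudio.if hunk the following line for pulseaudio_tmp_t correctly keeps plain manage_file_perms, since it never had map. A one-line note in the message that the change is a no-op at the kernel policy level would save reviewers re-deriving that.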
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/apps/
commit: 5f17e5ac1d12a5bb6d264a4e9e127fb3f28cd0e2 Author: Kenton Groombridge concord sh> AuthorDate: Tue Nov 16 17:11:59 2021 + Commit: Jason Zaman gentoo org> CommitDate: Sat Nov 20 22:58:24 2021 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5f17e5ac wine: fix roleattribute statement Signed-off-by: Kenton Groombridge concord.sh> Signed-off-by: Jason Zaman gentoo.org> policy/modules/apps/wine.if | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/modules/apps/wine.if b/policy/modules/apps/wine.if index 2050167d..37f10d03 100644 --- a/policy/modules/apps/wine.if +++ b/policy/modules/apps/wine.if @@ -33,7 +33,7 @@ template(`wine_role',` type wine_home_t; ') - roleattribute $1 wine_roles; + roleattribute $4 wine_roles; domtrans_pattern($3, wine_exec_t, wine_t)
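Review bot: This one-line fix corrects an oversight in commit 1dea4614 (wine: use user exec domain attribute), where wine_role was converted to a four-parameter template but `roleattribute $1 wine_roles;` kept $1, which under the new contract is the role prefix string rather than a role. Ideally this would be squashed into that commit so the tree builds at every point in history; as separate commits the intermediate state breaks bisecting.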
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/apps/
commit: 1dea46140374ccd2b67ed5daf6563e5917df519c Author: Kenton Groombridge concord sh> AuthorDate: Wed Oct 13 22:44:14 2021 + Commit: Jason Zaman gentoo org> CommitDate: Sat Nov 20 22:58:24 2021 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1dea4614 wine: use user exec domain attribute Signed-off-by: Kenton Groombridge concord.sh> Signed-off-by: Jason Zaman gentoo.org> policy/modules/apps/wine.if | 58 + 1 file changed, 37 insertions(+), 21 deletions(-) diff --git a/policy/modules/apps/wine.if b/policy/modules/apps/wine.if index 25e09d6e..2050167d 100644 --- a/policy/modules/apps/wine.if +++ b/policy/modules/apps/wine.if @@ -4,18 +4,29 @@ ## ## Role access for wine. ## -## +## ## -## Role allowed access. +## The prefix of the user role (e.g., user +## is the prefix for user_r). ## ## -## +## ## ## User domain for the role. ## ## +## +## +## User exec domain for execute and transition access. +## +## +## +## +## Role allowed access +## +## # -interface(`wine_role',` +template(`wine_role',` gen_require(` attribute_role wine_roles; type wine_exec_t, wine_t, wine_tmp_t; 
@@ -24,18 +35,18 @@ interface(`wine_role',` roleattribute $1 wine_roles; - domtrans_pattern($2, wine_exec_t, wine_t) + domtrans_pattern($3, wine_exec_t, wine_t) - allow wine_t $2:unix_stream_socket connectto; - allow wine_t $2:process signull; + allow wine_t $3:unix_stream_socket connectto; + allow wine_t $3:process signull; - ps_process_pattern($2, wine_t) - allow $2 wine_t:process { ptrace signal_perms }; + ps_process_pattern($3, wine_t) + allow $3 wine_t:process { ptrace signal_perms }; - allow $2 wine_t:fd use; - allow $2 wine_t:shm { associate getattr }; - allow $2 wine_t:shm rw_shm_perms; - allow $2 wine_t:unix_stream_socket connectto; + allow $3 wine_t:fd use; + allow $3 wine_t:shm { associate getattr }; + allow $3 wine_t:shm rw_shm_perms; + allow $3 wine_t:unix_stream_socket connectto; allow $2 { wine_tmp_t wine_home_t }:dir { manage_dir_perms relabel_dir_perms }; allow $2 { wine_tmp_t wine_home_t }:file { manage_file_perms relabel_file_perms }; @@ -55,18 +66,23 @@ interface(`wine_role',` ## ## ## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). +## The prefix of the user role (e.g., user +## is the prefix for user_r). ## ## -## +## ## -## The role associated with the user domain. +## User domain for the role. ## ## -## +## +## +## User exec domain for execute and transition access. +## +## +## ## -## The type of the user domain. +## Role allowed access ## ## # @@ -86,7 +102,7 @@ template(`wine_role_template',` domtrans_pattern($3, wine_exec_t, $1_wine_t) - corecmd_bin_domtrans($1_wine_t, $3) + corecmd_bin_domtrans($1_wine_t, $2) userdom_manage_user_tmpfs_files($1_wine_t) @@ -97,7 +113,7 @@ template(`wine_role_template',` ') optional_policy(` - xserver_role($1, $1_wine_t, $1_application_exec_domain, $1_r) + xserver_role($1, $1_wine_t, $3, $4) ') ')
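Review bot: The second hunk (@@ -24,18 +35,18 @@) leaves `roleattribute $1 wine_roles;` untouched as a context line while the documentation hunk above it redefines $1 as the user role prefix and $4 as the role; that line needs to become $4 (corrected separately in commit 5f17e5ac). Otherwise the parameter shuffle is consistent: transition and process access move to the exec domain $3, file and directory access on wine_tmp_t and wine_home_t stays with the user domain $2, and in wine_role_template the change to corecmd_bin_domtrans($1_wine_t, $2) is the right target because $3 is now an attribute and a type_transition needs a concrete type as its default.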
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/apps/, policy/modules/services/
commit: c41bce39e4cc5a7ae57a5a305ab8e7bb1618fcf7 Author: Kenton Groombridge concord sh> AuthorDate: Wed Oct 13 18:42:42 2021 + Commit: Jason Zaman gentoo org> CommitDate: Sat Nov 20 22:58:24 2021 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c41bce39 mpd, pulseaudio: split domtrans and client access Split `pulseaudio_domtrans()` into two interfaces: one that grants transition access and the other the `pulseaudio_client` attribute. This fixes a build error because calls to `pulseaudio_domtrans()` by the role would associate the client attribute with the user exec domain attribute. Signed-off-by: Kenton Groombridge concord.sh> Signed-off-by: Jason Zaman gentoo.org> policy/modules/apps/pulseaudio.if | 26 -- policy/modules/services/mpd.te| 1 + 2 files changed, 21 insertions(+), 6 deletions(-) diff --git a/policy/modules/apps/pulseaudio.if b/policy/modules/apps/pulseaudio.if index 5a2c2a83..1796b771 100644 --- a/policy/modules/apps/pulseaudio.if +++ b/policy/modules/apps/pulseaudio.if @@ -59,6 +59,25 @@ template(`pulseaudio_role',` ') ') + +## +## Connect to pulseaudio and manage +## pulseaudio config data. +## +## +## +## Domain allowed access. +## +## +# +interface(`pulseaudio_client_domain',` + gen_require(` + attribute pulseaudio_client; + ') + + typeattribute $1 pulseaudio_client; +') + ## ## Execute a domain transition to run pulseaudio. @@ -71,12 +90,9 @@ template(`pulseaudio_role',` # interface(`pulseaudio_domtrans',` gen_require(` - attribute pulseaudio_client; type pulseaudio_t, pulseaudio_exec_t; ') - typeattribute $1 pulseaudio_client; - corecmd_search_bin($1) domtrans_pattern($1, pulseaudio_exec_t, pulseaudio_t) ') @@ -100,12 +116,10 @@ interface(`pulseaudio_domtrans',` # interface(`pulseaudio_run',` gen_require(` - attribute pulseaudio_client; attribute_role pulseaudio_roles; ') - typeattribute $1 pulseaudio_client; - + pulseaudio_client_domain($1) pulseaudio_domtrans($1) roleattribute $2 pulseaudio_roles; ') 
diff --git a/policy/modules/services/mpd.te b/policy/modules/services/mpd.te index 4a0650df..3ba4a896 100644 --- a/policy/modules/services/mpd.te +++ b/policy/modules/services/mpd.te @@ -182,6 +182,7 @@ optional_policy(` ') optional_policy(` + pulseaudio_client_domain(mpd_t) pulseaudio_domtrans(mpd_t) ')
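Review bot: The split is clean, and pulseaudio_run now composes pulseaudio_client_domain($1) with pulseaudio_domtrans($1), so its callers keep exactly the access they had. Any other caller of pulseaudio_domtrans() that relied on it also granting the pulseaudio_client attribute silently loses that attribute after this change; mpd.te is updated here, so a check that no other module calls pulseaudio_domtrans() directly (and a sentence in the message saying so) would round this out.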
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/apps/, policy/modules/roles/
commit: 280eb10e71337401487dd51dc3cb9243b16be783 Author: Kenton Groombridge concord sh> AuthorDate: Sun Aug 8 16:54:41 2021 + Commit: Jason Zaman gentoo org> CommitDate: Sat Nov 20 22:58:24 2021 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=280eb10e cryfs, roles: use user exec domain attribute Signed-off-by: Kenton Groombridge concord.sh> Signed-off-by: Jason Zaman gentoo.org> policy/modules/apps/cryfs.if | 31 +++ policy/modules/roles/sysadm.te | 2 +- 2 files changed, 24 insertions(+), 9 deletions(-) diff --git a/policy/modules/apps/cryfs.if b/policy/modules/apps/cryfs.if index 300a00ad..d0bece91 100644 --- a/policy/modules/apps/cryfs.if +++ b/policy/modules/apps/cryfs.if @@ -4,18 +4,29 @@ ## ## Role access for CryFS. ## -## +## ## -## Role allowed access. +## The prefix of the user role (e.g., user +## is the prefix for user_r). ## ## -## +## ## ## User domain for the role. ## ## +## +## +## User exec domain for execute and transition access. +## +## +## +## +## Role allowed access +## +## # -interface(`cryfs_role',` +template(`cryfs_role',` gen_require(` attribute_role cryfs_roles; type cryfs_t, cryfs_exec_t; @@ -26,15 +37,19 @@ interface(`cryfs_role',` # Declarations # - roleattribute $1 cryfs_roles; + roleattribute $4 cryfs_roles; # # Policy # - domtrans_pattern($2, cryfs_exec_t, cryfs_t) + domtrans_pattern($3, cryfs_exec_t, cryfs_t) - allow $2 cryfs_t:process signal_perms; - ps_process_pattern($2, cryfs_t) + allow $3 cryfs_t:process signal_perms; + ps_process_pattern($3, cryfs_t) + + optional_policy(` + systemd_user_app_status($1, cryfs_t) + ') ') diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te index 44b80516..d5d61098 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -1230,7 +1230,7 @@ ifndef(`distro_redhat',` ') optional_policy(` - cryfs_role(sysadm_r, sysadm_t) + cryfs_role(sysadm, sysadm_t, sysadm_application_exec_domain, sysadm_r) ') optional_policy(`
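Review bot: The cryfs.if hunk adds `systemd_user_app_status($1, cryfs_t)` inside a new optional_policy block, which is extra access the commit message does not mention (it only describes switching to the user exec domain attribute); the message should call it out. The sysadm.te caller is updated to cryfs_role(sysadm, sysadm_t, sysadm_application_exec_domain, sysadm_r), and unlike the wine conversion the roleattribute line is corrected to $4 in the same commit, so the tree stays buildable at this point.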
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/apps/
commit: 830377badedee4af85544b6f5c856c71031520e5 Author: Kenton Groombridge concord sh> AuthorDate: Wed Oct 13 22:46:07 2021 + Commit: Jason Zaman gentoo org> CommitDate: Sat Nov 20 22:58:24 2021 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=830377ba mono: use user exec domain attribute Signed-off-by: Kenton Groombridge concord.sh> Signed-off-by: Jason Zaman gentoo.org> policy/modules/apps/mono.if | 23 ++- 1 file changed, 14 insertions(+), 9 deletions(-) diff --git a/policy/modules/apps/mono.if b/policy/modules/apps/mono.if index f37db3e8..ef116c39 100644 --- a/policy/modules/apps/mono.if +++ b/policy/modules/apps/mono.if @@ -12,18 +12,23 @@ ## ## ## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). +## The prefix of the user role (e.g., user +## is the prefix for user_r). ## ## -## +## ## -## The role associated with the user domain. +## User domain for the role. ## ## -## +## +## +## User exec domain for execute and transition access. +## +## +## ## -## The type of the user domain. +## Role allowed access ## ## # @@ -54,16 +59,16 @@ template(`mono_role_template',` domtrans_pattern($3, mono_exec_t, $1_mono_t) allow $3 $1_mono_t:process { ptrace noatsecure signal_perms }; - ps_process_pattern($2, $1_mono_t) + ps_process_pattern($3, $1_mono_t) - corecmd_bin_domtrans($1_mono_t, $3) + corecmd_bin_domtrans($1_mono_t, $2) userdom_manage_user_tmpfs_files($1_mono_t) optional_policy(` fs_dontaudit_rw_tmpfs_files($1_mono_t) - xserver_role($1, $1_mono_t, $1_application_exec_domain, $1_r) + xserver_role($1, $1_mono_t, $3, $4) ') ')
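Review bot: The parameter contract of mono_role_template changes here ($2 becomes the user domain, $3 the exec domain, $4 the role), yet only mono.if is touched; any existing caller still passing arguments in the old order must be updated in the same commit, or the message should state that none exist. The body changes are consistent with the new order: ps_process_pattern and the xserver_role arguments use $3/$4, and corecmd_bin_domtrans($1_mono_t, $2) transitions back to the concrete user domain rather than the attribute.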
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/apps/, policy/modules/services/
commit: 2c0357f7e69e0d75c52933bd88771b17d0c39aa6 Author: Jason Zaman gentoo org> AuthorDate: Sun Feb 21 05:18:52 2021 + Commit: Jason Zaman gentoo org> CommitDate: Sun Mar 21 22:07:35 2021 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2c0357f7 bluetooth: Add bluetooth_socket perms - Needs bluetooth/alg_socket access - pulse needs shutdown perms on the socket - also needs to read udev db Signed-off-by: Jason Zaman gentoo.org> policy/modules/apps/pulseaudio.te| 1 + policy/modules/services/bluetooth.if | 3 ++- policy/modules/services/bluetooth.te | 6 ++ 3 files changed, 9 insertions(+), 1 deletion(-) diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te index fd2df71a..ceb954e4 100644 --- a/policy/modules/apps/pulseaudio.te +++ b/policy/modules/apps/pulseaudio.te @@ -54,6 +54,7 @@ allow pulseaudio_t self:process { getcap getsched setcap setrlimit setsched sign allow pulseaudio_t self:fifo_file rw_fifo_file_perms; allow pulseaudio_t self:unix_stream_socket { accept connectto listen }; allow pulseaudio_t self:unix_dgram_socket sendto; +allow pulseaudio_t self:bluetooth_socket shutdown; allow pulseaudio_t self:tcp_socket { accept listen }; allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms; diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if index e35e8631..3e4b0e5f 100644 --- a/policy/modules/services/bluetooth.if +++ b/policy/modules/services/bluetooth.if @@ -66,7 +66,8 @@ interface(`bluetooth_stream_connect',` ') files_search_runtime($1) - allow $1 bluetooth_t:socket rw_socket_perms; + allow $1 bluetooth_t:fd use; + allow $1 bluetooth_t:socket { rw_socket_perms shutdown }; stream_connect_pattern($1, bluetooth_runtime_t, bluetooth_runtime_t, bluetooth_t) ') diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te index 69a38543..fcf0c177 100644 --- a/policy/modules/services/bluetooth.te 
+++ b/policy/modules/services/bluetooth.te @@ -60,6 +60,8 @@ allow bluetooth_t self:socket create_stream_socket_perms; allow bluetooth_t self:unix_stream_socket { accept connectto listen }; allow bluetooth_t self:tcp_socket { accept listen }; allow bluetooth_t self:netlink_kobject_uevent_socket create_socket_perms; +allow bluetooth_t self:bluetooth_socket server_stream_socket_perms; +allow bluetooth_t self:alg_socket create_stream_socket_perms; read_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_t) @@ -156,6 +158,10 @@ optional_policy(` ppp_domtrans(bluetooth_t) ') +optional_policy(` + udev_read_runtime_files(bluetooth_t) +') + # # Helper local policy
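Review bot: The bluetooth_stream_connect hunk adds `allow $1 bluetooth_t:fd use;`, which the commit message does not mention; its bullets cover bluetooth/alg_socket, shutdown and the udev db, so fd use should be listed too (or dropped if it was not observed). Note also that the two shutdown rules target different classes: pulseaudio_t gets shutdown on self:bluetooth_socket, while the interface grants it on bluetooth_t:socket, the generic socket class, so recording which AVC each one resolves would help later audits. Granting bluetooth_t self:alg_socket create_stream_socket_perms exposes the kernel crypto userspace interface (AF_ALG) to the daemon; keeping it on self limits the scope to sockets the daemon creates itself.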
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/apps/
commit: bf51bea5131ee562ef22444e34aab06f69422cbc Author: Chris PeBenito ieee org> AuthorDate: Tue Feb 2 13:47:55 2021 + Commit: Jason Zaman gentoo org> CommitDate: Sat Feb 6 21:15:09 2021 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=bf51bea5 screen: Module version bump. Signed-off-by: Chris PeBenito ieee.org> Signed-off-by: Jason Zaman gentoo.org> policy/modules/apps/screen.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/modules/apps/screen.te b/policy/modules/apps/screen.te index 58575bc9..bcfba653 100644 --- a/policy/modules/apps/screen.te +++ b/policy/modules/apps/screen.te @@ -1,4 +1,4 @@ -policy_module(screen, 2.11.0) +policy_module(screen, 2.11.1) #
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/apps/
commit: f633f22afb5aff7f1173813fe7559851bc62b557 Author: Jonathan Davies protonmail com> AuthorDate: Fri Jan 29 14:56:40 2021 + Commit: Jason Zaman gentoo org> CommitDate: Sat Feb 6 21:15:09 2021 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f633f22a apps/screen.te: Allow screen to search xdg directories. Signed-off-by: Jonathan Davies protonmail.com> Signed-off-by: Jason Zaman gentoo.org> policy/modules/apps/screen.te | 4 1 file changed, 4 insertions(+) diff --git a/policy/modules/apps/screen.te b/policy/modules/apps/screen.te index f8546e84..58575bc9 100644 --- a/policy/modules/apps/screen.te +++ b/policy/modules/apps/screen.te @@ -111,6 +111,10 @@ tunable_policy(`use_nfs_home_dirs',` fs_read_nfs_symlinks(screen_domain) ') +optional_policy(` + xdg_search_config_dirs(screen_domain) +') + ifdef(`distro_gentoo',` ## #
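Review bot: xdg_search_config_dirs(screen_domain) is the right companion to the screen.fc entry labelling HOME_DIR/.config/tmux as screen_home_t (commit e27adab9): without search on the xdg config directory type the domain cannot traverse ~/.config to reach files that carry its own label. The module version is not bumped here; that is done in the follow-up commit bf51bea5.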
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/apps/
commit: e27adab96f63c43ee299bf65dc9234ab898c9a95 Author: Jonathan Davies protonmail com> AuthorDate: Fri Jan 29 14:56:29 2021 + Commit: Jason Zaman gentoo org> CommitDate: Sat Feb 6 20:54:11 2021 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e27adab9 apps/screen.fc: Added fcontext for tmux xdg directory. Signed-off-by: Jonathan Davies protonmail.com> Signed-off-by: Jason Zaman gentoo.org> policy/modules/apps/screen.fc | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/apps/screen.fc b/policy/modules/apps/screen.fc index 7196c598..e51e01d9 100644 --- a/policy/modules/apps/screen.fc +++ b/policy/modules/apps/screen.fc @@ -1,3 +1,4 @@ +HOME_DIR/\.config/tmux(/.*)? -- gen_context(system_u:object_r:screen_home_t,s0) HOME_DIR/\.screen(/.*)? gen_context(system_u:object_r:screen_home_t,s0) HOME_DIR/\.screenrc-- gen_context(system_u:object_r:screen_home_t,s0) HOME_DIR/\.tmux\.conf -- gen_context(system_u:object_r:screen_home_t,s0)
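Review bot: The new entry `HOME_DIR/\.config/tmux(/.*)? -- gen_context(system_u:object_r:screen_home_t,s0)` combines a directory-tree pattern `(/.*)?` with the `--` regular-file-only specifier, so the ~/.config/tmux directory itself and any subdirectories are not matched and keep their xdg config label; compare the `HOME_DIR/\.screen(/.*)?` line directly below it, which has no type specifier. Either drop `--` to label the whole tree, or, if only files are intended, say so in the message.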
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/apps/, policy/modules/system/
commit: aca741873cf293fc54247ea147c4fae4e62929b8 Author: Chris PeBenito ieee org> AuthorDate: Fri Jan 29 13:35:12 2021 + Commit: Jason Zaman gentoo org> CommitDate: Mon Feb 1 01:21:42 2021 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=aca74187 userdomain, gpg: Module version bump. Signed-off-by: Chris PeBenito ieee.org> Signed-off-by: Jason Zaman gentoo.org> policy/modules/apps/gpg.te | 2 +- policy/modules/system/userdomain.te | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te index 376e1a9f..608575be 100644 --- a/policy/modules/apps/gpg.te +++ b/policy/modules/apps/gpg.te @@ -1,4 +1,4 @@ -policy_module(gpg, 2.17.1) +policy_module(gpg, 2.17.2) # diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te index d17f3c81..034f6af5 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -1,4 +1,4 @@ -policy_module(userdomain, 4.20.6) +policy_module(userdomain, 4.20.7) #
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/apps/
commit: 51312761c615ffb7bef402a32c96a7d992f0d70e Author: bauen1 gmail com> AuthorDate: Sat Feb 8 15:07:32 2020 + Commit: Jason Zaman gentoo org> CommitDate: Sat Feb 15 07:32:05 2020 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=51312761 loadkeys: remove redundant ifdef Signed-off-by: Jason Zaman gentoo.org> policy/modules/apps/loadkeys.te | 6 ++ 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/policy/modules/apps/loadkeys.te b/policy/modules/apps/loadkeys.te index 5c3b18d5..57274992 100644 --- a/policy/modules/apps/loadkeys.te +++ b/policy/modules/apps/loadkeys.te @@ -48,10 +48,8 @@ miscfiles_read_localization(loadkeys_t) userdom_use_user_ttys(loadkeys_t) userdom_list_user_home_content(loadkeys_t) -ifdef(`distro_debian',` - optional_policy(` - consolesetup_read_conf(loadkeys_t) - ') +optional_policy(` + consolesetup_read_conf(loadkeys_t) ') optional_policy(`
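Review bot: No Signed-off-by from the author (bauen1) appears, only the committer's, while every other commit on this page carries the author's sign-off; that should be added before merging. The change itself is safe: consolesetup_read_conf(loadkeys_t) stays inside optional_policy, so builds without the consolesetup module simply skip it, but on non-Debian builds that do ship the module loadkeys now gains read access to its configuration, a minor scope widening the message could mention.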
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/apps/, policy/modules/system/, policy/modules/kernel/, ...
commit: ff5f7b324ebc47437839440da340593c3266a095 Author: Chris PeBenito ieee org> AuthorDate: Sun Jun 9 18:05:19 2019 + Commit: Jason Zaman gentoo org> CommitDate: Sat Jul 13 06:43:14 2019 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ff5f7b32 Bump module versions for release. Signed-off-by: Chris PeBenito ieee.org> Signed-off-by: Jason Zaman perfinion.com> policy/modules/admin/aide.te| 2 +- policy/modules/admin/logrotate.te | 2 +- policy/modules/admin/usermanage.te | 2 +- policy/modules/apps/cdrecord.te | 2 +- policy/modules/kernel/corenetwork.te.in | 2 +- policy/modules/kernel/devices.te| 2 +- policy/modules/kernel/filesystem.te | 2 +- policy/modules/kernel/kernel.te | 2 +- policy/modules/kernel/storage.te| 2 +- policy/modules/roles/sysadm.te | 2 +- policy/modules/services/apache.te | 2 +- policy/modules/services/clamav.te | 2 +- policy/modules/services/cron.te | 2 +- policy/modules/services/dbus.te | 2 +- policy/modules/services/devicekit.te| 2 +- policy/modules/services/dovecot.te | 2 +- policy/modules/services/ntp.te | 2 +- policy/modules/services/plymouthd.te| 2 +- policy/modules/services/tuned.te| 2 +- policy/modules/services/xserver.te | 2 +- policy/modules/system/authlogin.te | 2 +- policy/modules/system/init.te | 2 +- policy/modules/system/logging.te| 2 +- policy/modules/system/lvm.te| 2 +- policy/modules/system/miscfiles.te | 2 +- policy/modules/system/mount.te | 2 +- policy/modules/system/selinuxutil.te| 2 +- policy/modules/system/systemd.te| 2 +- policy/modules/system/udev.te | 2 +- policy/modules/system/unconfined.te | 2 +- policy/modules/system/userdomain.te | 2 +- 31 files changed, 31 insertions(+), 31 deletions(-) diff --git a/policy/modules/admin/aide.te b/policy/modules/admin/aide.te index 687d72bc..69ec0e63 100644 --- a/policy/modules/admin/aide.te +++ b/policy/modules/admin/aide.te @@ -1,4 +1,4 @@ -policy_module(aide, 1.8.2) +policy_module(aide, 1.9.0) # 
diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te index adc3101d..6609e4a7 100644 --- a/policy/modules/admin/logrotate.te +++ b/policy/modules/admin/logrotate.te @@ -1,4 +1,4 @@ -policy_module(logrotate, 1.22.2) +policy_module(logrotate, 1.23.0) # diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te index fad8ef96..3605da43 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -1,4 +1,4 @@ -policy_module(usermanage, 1.22.2) +policy_module(usermanage, 1.23.0) # diff --git a/policy/modules/apps/cdrecord.te b/policy/modules/apps/cdrecord.te index daf4c58c..b5fba05c 100644 --- a/policy/modules/apps/cdrecord.te +++ b/policy/modules/apps/cdrecord.te @@ -1,4 +1,4 @@ -policy_module(cdrecord, 2.6.1) +policy_module(cdrecord, 2.7.0) # diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in index e9ff9e95..06b53d3f 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -1,4 +1,4 @@ -policy_module(corenetwork, 1.25.1) +policy_module(corenetwork, 1.26.0) # diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te index 5f793c52..67f0d9fb 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -1,4 +1,4 @@ -policy_module(devices, 1.24.3) +policy_module(devices, 1.25.0) # diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te index 3d321072..61f419a8 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te @@ -1,4 +1,4 @@ -policy_module(filesystem, 1.25.1) +policy_module(filesystem, 1.26.0) # diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te index d6a653fc..7c3cc772 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -1,4 +1,4 @@ -policy_module(kernel, 1.25.3) +policy_module(kernel, 1.26.0) # 
diff --git a/policy/modules/kernel/storage.te b/policy/modules/kernel/storage.te index 0b5a4245..d1cd9ea9 100644 --- a/policy/modules/kernel/storage.te +++ b/policy/modules/kernel/storage.te @@ -1,4 +1,4 @@ -policy_module(storage, 1.16.2) +policy_module(storage, 1.17.0) # diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te index a9bdbee7..35164073 100644 ---
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/apps/
commit: 46b8592baa68cac9ec8519827408c91521cf0bce Author: Chris PeBenito ieee org> AuthorDate: Wed Jan 23 23:43:16 2019 + Commit: Jason Zaman gentoo org> CommitDate: Sun Feb 10 04:11:25 2019 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=46b8592b chromium: Whitespace fixes. Signed-off-by: Jason Zaman perfinion.com> policy/modules/apps/chromium.if | 4 +--- policy/modules/apps/chromium.te | 5 ++--- 2 files changed, 3 insertions(+), 6 deletions(-) diff --git a/policy/modules/apps/chromium.if b/policy/modules/apps/chromium.if index 26eb0259..2ded3279 100644 --- a/policy/modules/apps/chromium.if +++ b/policy/modules/apps/chromium.if @@ -1,6 +1,4 @@ -## -## Chromium browser -## +## Chromium browser ### ## diff --git a/policy/modules/apps/chromium.te b/policy/modules/apps/chromium.te index 5219cb87..dbf3a620 100644 --- a/policy/modules/apps/chromium.te +++ b/policy/modules/apps/chromium.te @@ -71,8 +71,6 @@ xdg_config_content(chromium_xdg_config_t) type chromium_xdg_cache_t; xdg_cache_content(chromium_xdg_cache_t) - - # # chromium local policy @@ -229,9 +227,11 @@ optional_policy(` optional_policy(` unconfined_dbus_chat(chromium_t) ') + optional_policy(` gnome_dbus_chat_all_gkeyringd(chromium_t) ') + optional_policy(` devicekit_dbus_chat_power(chromium_t) ') @@ -339,4 +339,3 @@ tunable_policy(`chromium_read_system_info',` kernel_dontaudit_read_kernel_sysctl(chromium_naclhelper_t) kernel_dontaudit_read_system_state(chromium_naclhelper_t) ') -
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/apps/
commit: f5a0a7c4574aaa7179d9f693db9d8e07b1afd7c1 Author: Jason Zaman perfinion com> AuthorDate: Sat Jan 12 08:03:44 2019 + Commit: Jason Zaman gentoo org> CommitDate: Sun Feb 10 04:11:25 2019 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f5a0a7c4 Add chromium policy upstreamed from Gentoo Signed-off-by: Jason Zaman perfinion.com> policy/modules/apps/chromium.fc | 31 policy/modules/apps/chromium.if | 139 policy/modules/apps/chromium.te | 342 3 files changed, 512 insertions(+) diff --git a/policy/modules/apps/chromium.fc b/policy/modules/apps/chromium.fc new file mode 100644 index ..534235dc --- /dev/null +++ b/policy/modules/apps/chromium.fc 
@@ -0,0 +1,31 @@ +/opt/google/chrome/chrome -- gen_context(system_u:object_r:chromium_exec_t,s0) +/opt/google/chrome/chrome_sandbox -- gen_context(system_u:object_r:chromium_sandbox_exec_t,s0) +/opt/google/chrome/chrome-sandbox -- gen_context(system_u:object_r:chromium_sandbox_exec_t,s0) +/opt/google/chrome/google-chrome -- gen_context(system_u:object_r:chromium_exec_t,s0) +/opt/google/chrome/nacl_helper_bootstrap -- gen_context(system_u:object_r:chromium_naclhelper_exec_t,s0) +/opt/google/chrome/libudev.so.0 gen_context(system_u:object_r:lib_t,s0) + +/opt/google/chrome-beta/chrome -- gen_context(system_u:object_r:chromium_exec_t,s0) +/opt/google/chrome-beta/chrome_sandbox -- gen_context(system_u:object_r:chromium_sandbox_exec_t,s0) +/opt/google/chrome-beta/chrome-sandbox -- gen_context(system_u:object_r:chromium_sandbox_exec_t,s0) +/opt/google/chrome-beta/google-chrome -- gen_context(system_u:object_r:chromium_exec_t,s0) +/opt/google/chrome-beta/nacl_helper_bootstrap -- gen_context(system_u:object_r:chromium_naclhelper_exec_t,s0) +/opt/google/chrome-beta/libudev.so.0 gen_context(system_u:object_r:lib_t,s0) + +/opt/google/chrome-unstable/chrome -- gen_context(system_u:object_r:chromium_exec_t,s0) +/opt/google/chrome-unstable/chrome_sandbox -- gen_context(system_u:object_r:chromium_sandbox_exec_t,s0) +/opt/google/chrome-unstable/chrome-sandbox -- gen_context(system_u:object_r:chromium_sandbox_exec_t,s0) +/opt/google/chrome-unstable/google-chrome -- gen_context(system_u:object_r:chromium_exec_t,s0) +/opt/google/chrome-unstable/nacl_helper_bootstrap -- gen_context(system_u:object_r:chromium_naclhelper_exec_t,s0) +/opt/google/chrome-unstable/libudev.so.0 gen_context(system_u:object_r:lib_t,s0) + +/usr/lib/chromium-browser/chrome -- gen_context(system_u:object_r:chromium_exec_t,s0) +/usr/lib/chromium-browser/chrome_sandbox -- gen_context(system_u:object_r:chromium_sandbox_exec_t,s0) +/usr/lib/chromium-browser/chrome-sandbox -- 
gen_context(system_u:object_r:chromium_sandbox_exec_t,s0) +/usr/lib/chromium-browser/chromium-launcher\.sh-- gen_context(system_u:object_r:chromium_exec_t,s0) +/usr/lib/chromium-browser/nacl_helper_bootstrap-- gen_context(system_u:object_r:chromium_naclhelper_exec_t,s0) + +HOME_DIR/\.cache/chromium(/.*)? gen_context(system_u:object_r:chromium_xdg_cache_t,s0) +HOME_DIR/\.cache/google-chrome(/.*)? gen_context(system_u:object_r:chromium_xdg_cache_t,s0) +HOME_DIR/\.config/chromium(/.*)? gen_context(system_u:object_r:chromium_xdg_config_t,s0) +HOME_DIR/\.config/google-chrome(/.*)? gen_context(system_u:object_r:chromium_xdg_config_t,s0) diff --git a/policy/modules/apps/chromium.if b/policy/modules/apps/chromium.if new file mode 100644 index ..26eb0259 --- /dev/null +++ b/policy/modules/apps/chromium.if @@ -0,0 +1,139 @@ +## +## Chromium browser +## + +### +## +## Role access for chromium +## +## +## +## Role allowed access +## +## +## +## +## User domain for the role +## +## +# +interface(`chromium_role',` + gen_require(` + type chromium_t; + type chromium_renderer_t; + type chromium_sandbox_t; + type chromium_naclhelper_t; + type chromium_exec_t; + ') + + role $1 types chromium_t; + role $1 types chromium_renderer_t; + role $1 types chromium_sandbox_t; + role $1 types chromium_naclhelper_t; + + # Transition from the user domain to the derived domain +
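Review bot: in the chromium.fc hunk, the three `libudev.so.0` entries (`/opt/google/chrome/libudev.so.0` and the `chrome-beta` and `chrome-unstable` copies) leave the dots unescaped while every other entry escapes them (`\.cache`, `\.config`, `chromium-launcher\.sh`); a file-context path is a regex, so an unescaped `.` matches any character and these should read `libudev\.so\.0`. Separately, `/usr/lib/chromium-browser/chromium-launcher\.sh-- gen_context(...)` and `/usr/lib/chromium-browser/nacl_helper_bootstrap-- gen_context(...)` appear with no whitespace between the path and the `--` file-type field, unlike the neighbouring `chrome -- gen_context(...)` lines; if that is not an artifact of how the patch was pasted, those two lines would not split into path and type as intended and the separator should be restored.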
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/apps/
commit: 2727cf5aaf4f714dcb9d2dfa83a7378b87ed222b Author: Chris PeBenito ieee org> AuthorDate: Wed Jan 23 23:44:45 2019 + Commit: Jason Zaman gentoo org> CommitDate: Sun Feb 10 04:11:25 2019 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2727cf5a chromium: Move line. Signed-off-by: Jason Zaman perfinion.com> policy/modules/apps/chromium.te | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/policy/modules/apps/chromium.te b/policy/modules/apps/chromium.te index dbf3a620..59c75491 100644 --- a/policy/modules/apps/chromium.te +++ b/policy/modules/apps/chromium.te @@ -253,7 +253,7 @@ ifdef(`use_alsa',` # allow chromium_renderer_t self:process execmem; - +dontaudit chromium_renderer_t self:process getsched; allow chromium_renderer_t self:fifo_file rw_fifo_file_perms; allow chromium_renderer_t self:shm create_shm_perms; allow chromium_renderer_t self:unix_dgram_socket { create read sendto }; @@ -264,7 +264,6 @@ allow chromium_renderer_t chromium_t:unix_stream_socket rw_stream_socket_perms; allow chromium_renderer_t chromium_tmpfs_t:file rw_file_perms; dontaudit chromium_renderer_t chromium_t:dir search; # /proc/... access -dontaudit chromium_renderer_t self:process getsched; read_files_pattern(chromium_renderer_t, chromium_xdg_config_t, chromium_xdg_config_t)
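Review bot: the first hunk replaces the blank line after `allow chromium_renderer_t self:process execmem;` with `dontaudit chromium_renderer_t self:process getsched;`, which groups the self:process rules together and is the right home for it (the second hunk removes the same line from under the `# /proc/... access` comment, where it did not belong). Consider keeping a short comment above the `execmem` line: a renderer domain allowed to make writable memory executable is exactly the permission a later reader of this policy will want justified inline.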
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/apps/, policy/modules/system/, policy/modules/services/, ...
commit: 2e88191ba4aceb370fa048002db91879d0688e5e Author: Chris PeBenito ieee org> AuthorDate: Wed Jul 11 00:11:40 2018 + Commit: Jason Zaman gentoo org> CommitDate: Wed Jul 11 14:41:35 2018 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2e88191b mozilla, devices, selinux, xserver, init, iptables: Module version bump. policy/modules/apps/mozilla.te | 2 +- policy/modules/kernel/devices.te | 2 +- policy/modules/kernel/selinux.te | 2 +- policy/modules/services/xserver.te | 2 +- policy/modules/system/init.te | 2 +- policy/modules/system/iptables.te | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te index 1ae38bbf..12e1d39a 100644 --- a/policy/modules/apps/mozilla.te +++ b/policy/modules/apps/mozilla.te @@ -1,4 +1,4 @@ -policy_module(mozilla, 2.14.0) +policy_module(mozilla, 2.14.1) # diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te index 88471926..4ce5fecf 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -1,4 +1,4 @@ -policy_module(devices, 1.23.0) +policy_module(devices, 1.23.1) # diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te index 66a89daa..e87b92ab 100644 --- a/policy/modules/kernel/selinux.te +++ b/policy/modules/kernel/selinux.te @@ -1,4 +1,4 @@ -policy_module(selinux, 1.15.0) +policy_module(selinux, 1.15.1) # diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te index 2e85c3bd..4fc46f4f 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -1,4 +1,4 @@ -policy_module(xserver, 3.16.0) +policy_module(xserver, 3.16.1) gen_require(` class x_drawable all_x_drawable_perms; diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index a172..475f5fa4 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te 
@@ -1,4 +1,4 @@ -policy_module(init, 2.5.0) +policy_module(init, 2.5.1) gen_require(` class passwd rootok; diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te index 9ccb8e9f..bc459711 100644 --- a/policy/modules/system/iptables.te +++ b/policy/modules/system/iptables.te @@ -1,4 +1,4 @@ -policy_module(iptables, 1.20.0) +policy_module(iptables, 1.20.1) #
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/apps/
commit: c3e2c66e2e2789edab5f851bb70428c590e9fbd9 Author: Jason Zaman perfinion com> AuthorDate: Tue Jul 10 15:03:15 2018 + Commit: Jason Zaman gentoo org> CommitDate: Wed Jul 11 14:41:35 2018 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c3e2c66e mozilla: xdg updates policy/modules/apps/mozilla.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te index e57821da..1ae38bbf 100644 --- a/policy/modules/apps/mozilla.te +++ b/policy/modules/apps/mozilla.te @@ -206,6 +206,7 @@ userdom_use_user_ptys(mozilla_t) userdom_manage_user_tmp_dirs(mozilla_t) userdom_manage_user_tmp_files(mozilla_t) +userdom_map_user_tmp_files(mozilla_t) userdom_user_content_access_template(mozilla, { mozilla_t mozilla_plugin_t }) userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file }) @@ -219,6 +220,7 @@ xdg_read_config_files(mozilla_t) xdg_read_data_files(mozilla_t) xdg_manage_downloads(mozilla_t) +xserver_rw_mesa_shader_cache(mozilla_t) xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t) xserver_dontaudit_read_xdm_tmp_files(mozilla_t) xserver_dontaudit_getattr_xdm_tmp_sockets(mozilla_t) @@ -519,6 +521,7 @@ miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_plugin_t) userdom_manage_user_tmp_dirs(mozilla_plugin_t) userdom_manage_user_tmp_files(mozilla_plugin_t) +userdom_map_user_tmp_files(mozilla_plugin_t) userdom_user_home_dir_filetrans_user_home_content(mozilla_plugin_t, { dir file })
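Review bot: the commit message says only `xdg updates`, but none of the three added lines touch an `xdg_` interface: two grant `userdom_map_user_tmp_files` (to `mozilla_t` and to `mozilla_plugin_t`) and one grants `xserver_rw_mesa_shader_cache(mozilla_t)`. Suggest a message that names the permissions added and the denials they resolve, so that the `map` grant in particular, which lets a domain that already has `userdom_manage_user_tmp_files` mmap the tmp files it writes, stays traceable. Note also the asymmetry: the third hunk mirrors the tmp `map` grant for `mozilla_plugin_t` but does not add the shader-cache access for it; worth confirming whether that is intended.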
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/apps/
commit: 654fd93a51b7dd39e7ccf167f260515964c5eb62 Author: Jason Zaman perfinion com> AuthorDate: Sun Jun 24 09:56:11 2018 + Commit: Jason Zaman gentoo org> CommitDate: Mon Jun 25 05:31:59 2018 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=654fd93a apps: rw mesa_shader_cache policy/modules/apps/games.te | 1 + policy/modules/apps/mplayer.te | 1 + 2 files changed, 2 insertions(+) diff --git a/policy/modules/apps/games.te b/policy/modules/apps/games.te index 0cdebe62..7389bd74 100644 --- a/policy/modules/apps/games.te +++ b/policy/modules/apps/games.te @@ -194,4 +194,5 @@ optional_policy(` xserver_user_x_domain_template(games, games_t, games_tmpfs_t) xserver_create_xdm_tmp_sockets(games_t) xserver_read_xdm_lib_files(games_t) + xserver_rw_mesa_shader_cache(games_t) ') diff --git a/policy/modules/apps/mplayer.te b/policy/modules/apps/mplayer.te index 91b9569d..33eef8ed 100644 --- a/policy/modules/apps/mplayer.te +++ b/policy/modules/apps/mplayer.te @@ -216,6 +216,7 @@ xdg_read_music(mplayer_t) xdg_read_videos(mplayer_t) xserver_user_x_domain_template(mplayer, mplayer_t, mplayer_tmpfs_t) +xserver_rw_mesa_shader_cache(mplayer_t) ifndef(`enable_mls',` fs_list_dos(mplayer_t)
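Review bot: the games.te hunk adds `xserver_rw_mesa_shader_cache(games_t)` inside the existing `optional_policy` block next to the other `xserver_` calls, while the mplayer.te hunk adds `xserver_rw_mesa_shader_cache(mplayer_t)` unconditionally beside the bare `xserver_user_x_domain_template(mplayer, mplayer_t, mplayer_tmpfs_t)` call. Each placement follows its own file's convention, so the change is consistent; the one-line message `apps: rw mesa_shader_cache` could still record which denials prompted it, since the same interface is being added to two unrelated domains in one commit.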