[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2022-12-13 Thread Kenton Groombridge
commit: 23e8700745760bb466e92befdef2a9af525cac83
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Tue Dec 13 19:20:55 2022 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Tue Dec 13 19:20:55 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=23e87007

salt: use mmap_manage_file_perms

Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/contrib/salt.te | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te
index f82674f9e..c1e8cdbca 100644
--- a/policy/modules/contrib/salt.te
+++ b/policy/modules/contrib/salt.te
@@ -147,7 +147,7 @@ files_tmp_filetrans(salt_master_t, salt_master_tmp_t, { 
file dir })
 can_exec(salt_master_t, salt_master_tmp_t)
 
 # salt_master_tmpfs_t
-allow salt_master_t salt_master_tmpfs_t:file { manage_file_perms map };
+allow salt_master_t salt_master_tmpfs_t:file mmap_manage_file_perms;
 fs_tmpfs_filetrans(salt_master_t, salt_master_tmpfs_t, file)
 
 # salt_master_runtime_t
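Review bot: this substitution is only behaviour-preserving if mmap_manage_file_perms expands to exactly { manage_file_perms map } in the obj_perm_sets macros this tree builds against; with an older support file the name reaches checkpolicy as an unknown permission and the build fails. The salt_minion_t hunk below is the same change, so a one-line statement in the commit message that both are intended as no-ops (and which refpolicy revision introduced the macro) would save the next reviewer the lookup.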
@@ -266,7 +266,7 @@ files_tmp_filetrans(salt_minion_t, salt_minion_tmp_t, { 
file dir })
 can_exec(salt_minion_t, salt_minion_tmp_t)
 
 # salt_minion_tmpfs_t
-allow salt_minion_t salt_minion_tmpfs_t:file { manage_file_perms map };
+allow salt_minion_t salt_minion_tmpfs_t:file mmap_manage_file_perms;
 fs_tmpfs_filetrans(salt_minion_t, salt_minion_tmpfs_t, file)
 
 # salt_minion_runtime_t



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2022-09-03 Thread Kenton Groombridge
commit: 177905ccd86a2aa56ca764bc5aa256eef76c2d91
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Fri Nov 12 01:27:06 2021 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Sat Sep  3 20:04:34 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=177905cc

phpfpm: various fixes and new tunables

Minor fixes for phpfpm and add several new tunables, primarily designed
to get various webapps working under SELinux.

Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/contrib/phpfpm.te | 73 
 1 file changed, 73 insertions(+)

diff --git a/policy/modules/contrib/phpfpm.te b/policy/modules/contrib/phpfpm.te
index cffae6d7..a1044f31 100644
--- a/policy/modules/contrib/phpfpm.te
+++ b/policy/modules/contrib/phpfpm.te
@@ -19,6 +19,49 @@ gen_tunable(phpfpm_use_ldap, false)
 ## 
 gen_tunable(phpfpm_send_syslog_msg, false)
 
+## 
+## 
+## Allow phpfpm to execute shells. This
+## is needed by some webapps.
+## 
+## 
+gen_tunable(phpfpm_exec_shell, false)
+
+## 
+## 
+## Allow phpfpm to connect to http ports.
+## 
+## 
+gen_tunable(phpfpm_connect_http, false)
+
+## 
+## 
+## Allow phpfpm to connect to pop ports.
+## 
+## 
+gen_tunable(phpfpm_connect_pop, false)
+
+## 
+## 
+## Allow phpfpm to connect to redis ports.
+## 
+## 
+gen_tunable(phpfpm_connect_redis, false)
+
+## 
+## 
+## Allow phpfpm to connect to sieve ports.
+## 
+## 
+gen_tunable(phpfpm_connect_sieve, false)
+
+## 
+## 
+## Allow phpfpm to connect to smtp ports.
+## 
+## 
+gen_tunable(phpfpm_connect_smtp, false)
+
 type phpfpm_t;
 type phpfpm_exec_t;
 init_daemon_domain(phpfpm_t, phpfpm_exec_t)
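Review bot: the description "Allow phpfpm to execute shells. This is needed by some webapps." is too vague for a boolean that lets a network-facing interpreter spawn a shell; name the webapps (or the bug) that need it so an operator can judge whether to flip it. Defaulting every new tunable to false is right. The pop, sieve and smtp tunables all cover mail-client ports; either keep them separate because the tested webapps need only one, or fold them into a single mail boolean and say which in the description, so the module does not accumulate one boolean per port.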
@@ -44,6 +87,8 @@ allow phpfpm_t self:fifo_file rw_fifo_file_perms;
 allow phpfpm_t self:tcp_socket rw_stream_socket_perms;
 allow phpfpm_t self:udp_socket connected_socket_perms;
 allow phpfpm_t self:unix_stream_socket { accept create_stream_socket_perms };
+allow phpfpm_t self:unix_dgram_socket { create_socket_perms };
+dontaudit phpfpm_t self:capability net_admin;
 
 manage_files_pattern(phpfpm_t, phpfpm_log_t, phpfpm_log_t)
 logging_log_filetrans(phpfpm_t, phpfpm_log_t, file)
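Review bot: `dontaudit phpfpm_t self:capability net_admin;` silences a denial without recording what triggers it; add a comment (typically a setsockopt that the kernel gates on CAP_NET_ADMIN, such as forcing socket buffer sizes) so a later reader can tell whether the dontaudit is still warranted. The braces in `allow phpfpm_t self:unix_dgram_socket { create_socket_perms };` are unnecessary around a single permission set. If the dgram socket exists only for syslog, note that logging_send_syslog_msg under the phpfpm_send_syslog_msg tunable further down already grants the self socket perms in upstream refpolicy, so this unconditional rule may be redundant; a comment naming the other consumer would settle it.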
@@ -86,6 +131,10 @@ apache_manage_all_rw_content(phpfpm_t)
 apache_read_sys_content(phpfpm_t)
 apache_dontaudit_search_modules(phpfpm_t)
 
+optional_policy(`
+   apache_map_sys_content(phpfpm_t)
+')
+
 optional_policy(`
mysql_stream_connect(phpfpm_t)
mysql_tcp_connect(phpfpm_t)
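Review bot: apache_map_sys_content(phpfpm_t) is wrapped in optional_policy while the three apache_* calls directly above it (apache_manage_all_rw_content, apache_read_sys_content, apache_dontaudit_search_modules) are unconditional, so the module already hard-depends on apache and the wrapper buys nothing. Either drop it for consistency or, if the intent is to make the apache dependency optional, move all four calls into one optional_policy block.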
@@ -106,6 +155,30 @@ optional_policy(`
')
 ')
 
+tunable_policy(`phpfpm_exec_shell',`
+   corecmd_exec_shell(phpfpm_t)
+')
+
+tunable_policy(`phpfpm_connect_http',`
+   corenet_tcp_connect_http_port(phpfpm_t)
+')
+
+tunable_policy(`phpfpm_connect_pop',`
+   corenet_tcp_connect_pop_port(phpfpm_t)
+')
+
+tunable_policy(`phpfpm_connect_redis',`
+   corenet_tcp_connect_redis_port(phpfpm_t)
+')
+
+tunable_policy(`phpfpm_connect_sieve',`
+   corenet_tcp_connect_sieve_port(phpfpm_t)
+')
+
+tunable_policy(`phpfpm_connect_smtp',`
+   corenet_tcp_connect_smtp_port(phpfpm_t)
+')
+
 tunable_policy(`phpfpm_send_syslog_msg',`
logging_send_syslog_msg(phpfpm_t)
 ')
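Review bot: corecmd_exec_shell(phpfpm_t) runs the shell in phpfpm_t with no domain transition, so a shell spawned from a PHP script inherits every rule in this module, including apache_manage_all_rw_content(phpfpm_t); that is the trade-off an operator accepts when enabling phpfpm_exec_shell and it belongs in a comment above this block or in the tunable's description, which currently says only that some webapps need it. The corenet_tcp_connect_*_port blocks are at the right granularity (name_connect on one port type each rather than corenet_tcp_connect_all_ports).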



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2022-09-03 Thread Kenton Groombridge
commit: 10b3a91a0e7f0729cefb70ee4aa87eb862833b4a
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Fri Nov 12 01:24:50 2021 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Sat Sep  3 20:04:30 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=10b3a91a

nginx: various fixes

Various fixes for nginx, and also allow nginx to list and read user home
content given that the httpd_read_user_content boolean is enabled.

Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/contrib/nginx.te | 15 +++
 1 file changed, 15 insertions(+)

diff --git a/policy/modules/contrib/nginx.te b/policy/modules/contrib/nginx.te
index 57e8ceb9..0c935bb6 100644
--- a/policy/modules/contrib/nginx.te
+++ b/policy/modules/contrib/nginx.te
@@ -119,8 +119,13 @@ domain_use_interactive_fds(nginx_t)
 
 files_read_etc_files(nginx_t)
 
+auth_use_nsswitch(nginx_t)
 
+logging_send_syslog_msg(nginx_t)
+
+miscfiles_read_generic_certs(nginx_t)
 miscfiles_read_localization(nginx_t)
+
 sysnet_dns_name_resolve(nginx_t)
 
 optional_policy(`
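Review bot: auth_use_nsswitch() in upstream refpolicy already calls sysnet_dns_name_resolve(), so the existing sysnet_dns_name_resolve(nginx_t) two lines below becomes redundant once this is added; harmless, but drop it if this tree's auth_use_nsswitch matches upstream. logging_send_syslog_msg and miscfiles_read_generic_certs are reasonable for a TLS-terminating server, but "various fixes" does not say which denials motivated them; listing the AVCs in the commit message helps whoever bisects a later regression.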
@@ -129,10 +134,16 @@ optional_policy(`
apache_manage_log(nginx_t)
 ')
 
+tunable_policy(`httpd_read_user_content',`
+   userdom_list_user_home_content(nginx_t)
+   userdom_read_user_home_content_files(nginx_t)
+')
+
 tunable_policy(`nginx_enable_http_server',`
corenet_tcp_bind_http_port(nginx_t)
apache_read_all_content(nginx_t)
apache_manage_all_rw_content(nginx_t)
+   apache_list_sys_content(nginx_t)
 ')
 
 # We enable both binding and connecting, since nginx acts here as a reverse 
proxy
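Review bot: gating nginx's access to user home content on httpd_read_user_content, a boolean declared by the apache module, means an administrator who enables it for apache silently enables it for nginx as well, and the two servers can no longer be configured independently. This module already defines its own nginx_enable_http_server and nginx_can_network_connect booleans; an nginx_read_user_content tunable following that pattern keeps the policies separable. apache_list_sys_content(nginx_t) inside nginx_enable_http_server is consistent with the apache_read_all_content already there.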
@@ -159,6 +170,10 @@ tunable_policy(`nginx_can_network_connect',`
corenet_tcp_connect_all_ports(nginx_t)
 ')
 
+optional_policy(`
+   certbot_read_lib(nginx_t)
+')
+
 optional_policy(`
phpfpm_stream_connect(nginx_t)
 ')
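Review bot: certbot_read_lib(nginx_t) needs a comment saying which certbot files nginx actually reads (ACME challenge files, or the certificate and key for a vhost), because if certbot's lib area holds private key material this is the rule that exposes it to the web server, and a reviewer cannot tell from the line alone whether that is intended or whether a narrower interface exists. The optional_policy wrapper is correct since certbot is a separate module.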



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/, policy/modules/roles/

2019-02-09 Thread Jason Zaman
commit: 4a9fa0f6f7c5f90dc16db233210cfa4758f08bfc
Author: Jason Zaman  perfinion  com>
AuthorDate: Sun Feb 10 04:23:14 2019 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Feb 10 04:23:42 2019 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4a9fa0f6

remove gentoo chromium policy that has been upstreamed

Signed-off-by: Jason Zaman  perfinion.com>

 policy/modules/contrib/chromium.fc |  31 ---
 policy/modules/contrib/chromium.if | 139 --
 policy/modules/contrib/chromium.te | 375 -
 policy/modules/roles/staff.te  |   4 -
 policy/modules/roles/unprivuser.te |   4 -
 5 files changed, 553 deletions(-)

diff --git a/policy/modules/contrib/chromium.fc 
b/policy/modules/contrib/chromium.fc
deleted file mode 100644
index 534235dc..
--- a/policy/modules/contrib/chromium.fc
+++ /dev/null
@@ -1,31 +0,0 @@
-/opt/google/chrome/chrome  --  
gen_context(system_u:object_r:chromium_exec_t,s0)
-/opt/google/chrome/chrome_sandbox  --  
gen_context(system_u:object_r:chromium_sandbox_exec_t,s0)
-/opt/google/chrome/chrome-sandbox  --  
gen_context(system_u:object_r:chromium_sandbox_exec_t,s0)
-/opt/google/chrome/google-chrome   --  
gen_context(system_u:object_r:chromium_exec_t,s0)
-/opt/google/chrome/nacl_helper_bootstrap   --  
gen_context(system_u:object_r:chromium_naclhelper_exec_t,s0)
-/opt/google/chrome/libudev.so.0
gen_context(system_u:object_r:lib_t,s0)
-
-/opt/google/chrome-beta/chrome --  
gen_context(system_u:object_r:chromium_exec_t,s0)
-/opt/google/chrome-beta/chrome_sandbox --  
gen_context(system_u:object_r:chromium_sandbox_exec_t,s0)
-/opt/google/chrome-beta/chrome-sandbox --  
gen_context(system_u:object_r:chromium_sandbox_exec_t,s0)
-/opt/google/chrome-beta/google-chrome  --  
gen_context(system_u:object_r:chromium_exec_t,s0)
-/opt/google/chrome-beta/nacl_helper_bootstrap  --  
gen_context(system_u:object_r:chromium_naclhelper_exec_t,s0)
-/opt/google/chrome-beta/libudev.so.0   
gen_context(system_u:object_r:lib_t,s0)
-
-/opt/google/chrome-unstable/chrome --  
gen_context(system_u:object_r:chromium_exec_t,s0)
-/opt/google/chrome-unstable/chrome_sandbox --  
gen_context(system_u:object_r:chromium_sandbox_exec_t,s0)
-/opt/google/chrome-unstable/chrome-sandbox --  
gen_context(system_u:object_r:chromium_sandbox_exec_t,s0)
-/opt/google/chrome-unstable/google-chrome  --  
gen_context(system_u:object_r:chromium_exec_t,s0)
-/opt/google/chrome-unstable/nacl_helper_bootstrap  --  
gen_context(system_u:object_r:chromium_naclhelper_exec_t,s0)
-/opt/google/chrome-unstable/libudev.so.0   
gen_context(system_u:object_r:lib_t,s0)
-
-/usr/lib/chromium-browser/chrome   --  
gen_context(system_u:object_r:chromium_exec_t,s0)
-/usr/lib/chromium-browser/chrome_sandbox   --  
gen_context(system_u:object_r:chromium_sandbox_exec_t,s0)
-/usr/lib/chromium-browser/chrome-sandbox   --  
gen_context(system_u:object_r:chromium_sandbox_exec_t,s0)
-/usr/lib/chromium-browser/chromium-launcher\.sh--  
gen_context(system_u:object_r:chromium_exec_t,s0)
-/usr/lib/chromium-browser/nacl_helper_bootstrap--  
gen_context(system_u:object_r:chromium_naclhelper_exec_t,s0)
-
-HOME_DIR/\.cache/chromium(/.*)?
gen_context(system_u:object_r:chromium_xdg_cache_t,s0)
-HOME_DIR/\.cache/google-chrome(/.*)?   
gen_context(system_u:object_r:chromium_xdg_cache_t,s0)
-HOME_DIR/\.config/chromium(/.*)?   
gen_context(system_u:object_r:chromium_xdg_config_t,s0)
-HOME_DIR/\.config/google-chrome(/.*)?  
gen_context(system_u:object_r:chromium_xdg_config_t,s0)
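Review bot: deleting these file contexts only preserves confinement if the upstream chromium.fc this tree now relies on covers the same paths (/opt/google/chrome, chrome-beta and chrome-unstable, /usr/lib/chromium-browser, and the ~/.cache and ~/.config entries); any path upstream leaves unlabelled gets a generic label and the browser runs in the invoking user's domain instead of chromium_t. Diff against upstream's chromium.fc before merging and mention the result in the commit message. The diffstat also shows four lines removed from each of staff.te and unprivuser.te; if those are the chromium_role() calls, confirm the upstream equivalent still attaches the browser domains to those roles, otherwise the transition never fires.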

diff --git a/policy/modules/contrib/chromium.if 
b/policy/modules/contrib/chromium.if
deleted file mode 100644
index 26eb0259..
--- a/policy/modules/contrib/chromium.if
+++ /dev/null
@@ -1,139 +0,0 @@
-## 
-## Chromium browser
-## 
-
-###
-## 
-## Role access for chromium
-## 
-## 
-## 
-## Role allowed access
-## 
-## 
-## 
-## 
-## User domain for the role
-## 
-## 
-#
-interface(`chromium_role',`
-   gen_require(`
-   type chromium_t;
-   type chromium_renderer_t;
-   type chromium_sandbox_t;
-   type chromium_naclhelper_t;
-   type chromium_exec_t;
-   ')
-
-   role $1 types chromium_t;
-   role $1 types chromium_renderer_t;
-   role $1 types chromium_sandbox_t;

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2018-07-12 Thread Jason Zaman
commit: 6ee55a36f4be584799e0ee0df5f114e0a166e583
Author: Jason Zaman  perfinion  com>
AuthorDate: Mon Jul  9 13:06:29 2018 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Wed Jul 11 14:42:50 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6ee55a36

chromium: allow xserver_misc_device access for nvidia gpus

 policy/modules/contrib/chromium.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/contrib/chromium.te 
b/policy/modules/contrib/chromium.te
index 72621719..7e7f4490 100644
--- a/policy/modules/contrib/chromium.te
+++ b/policy/modules/contrib/chromium.te
@@ -160,6 +160,8 @@ dev_read_sound(chromium_t)
 dev_write_sound(chromium_t)
 dev_read_urand(chromium_t)
 dev_read_rand(chromium_t)
+dev_rw_xserver_misc(chromium_t)
+dev_map_xserver_misc(chromium_t)
 
 domain_dontaudit_search_all_domains_state(chromium_t)
 
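Review bot: dev_rw_xserver_misc and dev_map_xserver_misc give the whole browser process read/write and mmap access to every device node labelled xserver_misc_device_t, not only the nvidia nodes that motivated the change, and that motivation survives only in the commit message. Add a comment above the two lines (for example `# nvidia GPU nodes are labelled xserver_misc_device_t`) so the grant is not kept silently once the hardware reason goes away, and consider a tunable if the access is not wanted on non-nvidia desktops. This commit also lacks the Signed-off-by line the other commits in the series carry.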



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2018-06-24 Thread Jason Zaman
commit: 10e31b2693ba55dbdbf29e0f2a78cd4fa5f22309
Author: Jason Zaman  perfinion  com>
AuthorDate: Sun Jun 24 09:27:29 2018 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Jun 24 09:27:29 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=10e31b26

contrib: add metadata.xml for gentoo specific modules

 policy/modules/contrib/metadata.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/contrib/metadata.xml 
b/policy/modules/contrib/metadata.xml
new file mode 100644
index ..4e10f228
--- /dev/null
+++ b/policy/modules/contrib/metadata.xml
@@ -0,0 +1 @@
+Gentoo-specific policy modules



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2018-06-24 Thread Jason Zaman
commit: 79a56036f05b18c433e3243f458c2474a20ba241
Author: Jason Zaman  perfinion  com>
AuthorDate: Sat Jun 16 04:21:25 2018 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Jun 16 14:35:45 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=79a56036

mplayer: migrate to upstream xdg interfaces

 policy/modules/contrib/mplayer.te | 44 +++
 1 file changed, 8 insertions(+), 36 deletions(-)

diff --git a/policy/modules/contrib/mplayer.te 
b/policy/modules/contrib/mplayer.te
index a1af29df..91b9569d 100644
--- a/policy/modules/contrib/mplayer.te
+++ b/policy/modules/contrib/mplayer.te
@@ -13,21 +13,6 @@ policy_module(mplayer, 2.7.1)
 ## 
 gen_tunable(allow_mplayer_execstack, false)
 
-## 
-## 
-## Allow mplayer to read user content
-## 
-## 
-gen_tunable(mplayer_read_user_content, true)
-
-## 
-## 
-## Allow mplayer to manage user content
-## 
-## 
-gen_tunable(mplayer_manage_user_content, false)
-
-
 attribute_role mencoder_roles;
 attribute_role mplayer_roles;
 
@@ -98,8 +83,6 @@ userdom_use_user_terminals(mencoder_t)
 
 userdom_manage_user_tmp_dirs(mencoder_t)
 userdom_manage_user_tmp_files(mencoder_t)
-userdom_tmp_filetrans_user_tmp(mplayer_t, { dir file })
-userdom_user_runtime_filetrans_user_tmp(mplayer_t, { dir file })
 
 userdom_user_content_access_template(mplayer_mencoder, mencoder_t)
 
@@ -220,8 +203,15 @@ miscfiles_read_fonts(mplayer_t)
 
 userdom_use_user_terminals(mplayer_t)
 
+userdom_manage_user_tmp_dirs(mplayer_t)
+userdom_manage_user_tmp_files(mplayer_t)
+userdom_tmp_filetrans_user_tmp(mplayer_t, { dir file })
+userdom_user_runtime_filetrans_user_tmp(mplayer_t, { dir file })
+
 userdom_user_content_access_template(mplayer, mplayer_t)
 
+userdom_write_user_tmp_sockets(mplayer_t)
+
 xdg_read_music(mplayer_t)
 xdg_read_videos(mplayer_t)
 
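Review bot: userdom_manage_user_tmp_dirs, userdom_manage_user_tmp_files and userdom_write_user_tmp_sockets become unconditional for mplayer_t here, whereas in the distro_gentoo block removed in the last hunk they sat inside tunable_policy(`mplayer_manage_user_content', ...). That widens the default policy in a way the commit message ("migrate to upstream xdg interfaces") does not cover; if it is intentional because the upstream template governs only home content, say so, otherwise keep them under the new mplayer_manage_generic_user_content boolean.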
@@ -280,26 +270,8 @@ ifdef(`distro_gentoo',`
# Local mplayer_t policy
#
 
-   xdg_manage_videos_home(mplayer_t)
-
-   tunable_policy(`mplayer_read_user_content',`
-   userdom_read_user_home_content_files(mplayer_t)
-   userdom_read_user_home_content_symlinks(mplayer_t)
-   ')
-
-   tunable_policy(`mplayer_manage_user_content',`
-   userdom_manage_user_tmp_dirs(mplayer_t)
-   userdom_manage_user_tmp_files(mplayer_t)
+   tunable_policy(`mplayer_manage_generic_user_content',`
userdom_user_home_dir_filetrans_user_home_content(mplayer_t, { 
dir file })
-
-   userdom_manage_user_home_content_dirs(mplayer_t)
-   userdom_manage_user_home_content_files(mplayer_t)
-
-   userdom_write_user_tmp_sockets(mplayer_t)
-   ')
-
-   optional_policy(`
-   pulseaudio_client_domain(mplayer_t, mplayer_tmpfs_t)
')
 
ifdef(`use_alsa',`
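Review bot: the optional_policy calling pulseaudio_client_domain(mplayer_t, mplayer_tmpfs_t) is dropped with no replacement anywhere in this diff, so unless the non-gentoo part of mplayer.te already grants pulseaudio access, mplayer loses its audio server path in this commit. xdg_manage_videos_home(mplayer_t) also goes away while the previous hunk keeps only xdg_read_music and xdg_read_videos, so writing into ~/Videos now depends on the generic home-content filetrans left under mplayer_manage_generic_user_content. Both deserve a sentence in the commit message, or a pointer to the commit that moves pulseaudio elsewhere.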



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2018-06-24 Thread Jason Zaman
commit: 91800ea6139c694b44466105595954ff72c91fb6
Author: Jason Zaman  perfinion  com>
AuthorDate: Sat Jun 16 06:43:20 2018 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Jun 16 14:35:45 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=91800ea6

gpg: migrate to upstream xdg rules

 policy/modules/contrib/gpg.te | 19 +--
 1 file changed, 5 insertions(+), 14 deletions(-)

diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index 0e6b6f74..e763b76b 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -368,14 +368,6 @@ miscfiles_read_localization(gpg_pinentry_t)
 
 userdom_use_user_terminals(gpg_pinentry_t)
 
-ifdef(`distro_gentoo',`
-   optional_policy(`
-   mutt_read_home_files(gpg_t)
-   mutt_read_tmp_files(gpg_t)
-   mutt_rw_tmp_files(gpg_t)
-   ')
-')
-
 xdg_read_data_files(gpg_pinentry_t)
 
 tunable_policy(`use_nfs_home_dirs',`
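Review bot: this mutt block is not lost; it is re-added unchanged in the second hunk inside the existing distro_gentoo block at the end of the file, so the net policy is the same. The diff is easier to review if the commit message says the mutt rules were consolidated into the other gentoo block, rather than leaving the reader to match the two hunks.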
@@ -404,10 +396,9 @@ optional_policy(`
 ')
 
 ifdef(`distro_gentoo',`
-   #
-   #
-   # gpg_pinentry_t policy
-   #
-
-   xdg_read_data_home_files(gpg_pinentry_t)
+   optional_policy(`
+   mutt_read_home_files(gpg_t)
+   mutt_read_tmp_files(gpg_t)
+   mutt_rw_tmp_files(gpg_t)
+   ')
 ')



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2018-06-24 Thread Jason Zaman
commit: 9e8e1d8565e63678d43e33a9c11130c986cd4bed
Author: Jason Zaman  perfinion  com>
AuthorDate: Thu Jun 14 14:28:31 2018 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Jun 16 13:16:02 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9e8e1d85

gnome: update to use new upstream xdg interfaces

 policy/modules/contrib/gnome.fc | 14 +++
 policy/modules/contrib/gnome.te | 56 +
 2 files changed, 9 insertions(+), 61 deletions(-)

diff --git a/policy/modules/contrib/gnome.fc b/policy/modules/contrib/gnome.fc
index 030f6b7b..81e9716a 100644
--- a/policy/modules/contrib/gnome.fc
+++ b/policy/modules/contrib/gnome.fc
@@ -1,5 +1,3 @@
-HOME_DIR/\.config/gtk-.*   
gen_context(system_u:object_r:gnome_xdg_config_t,s0)
-
 HOME_DIR/\.cache/dconf(/.*)?   
gen_context(system_u:object_r:gnome_xdg_cache_t,s0)
 HOME_DIR/\.cache/keyring-.*
gen_context(system_u:object_r:gnome_xdg_cache_t,s0)
 HOME_DIR/\.config/dconf(/.*)?  
gen_context(system_u:object_r:gnome_xdg_config_t,s0)
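Review bot: dropping the HOME_DIR/\.config/gtk-.* entry means those files stop being gnome_xdg_config_t and fall back to whichever broader ~/.config pattern matches; that is a label change on existing systems and needs a restorecon of home directories after upgrade, which the commit message should call out. If upstream's gnome.fc deliberately labels gtk-* differently, a line saying so makes the intent clear.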
@@ -20,17 +18,11 @@ HOME_DIR/orcexec\..*
gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
 
 /usr/bin/gnome-keyring-daemon  --  
gen_context(system_u:object_r:gkeyringd_exec_t,s0)
 /usr/bin/mate-keyring-daemon   --  
gen_context(system_u:object_r:gkeyringd_exec_t,s0)
+
 /usr/lib/[^/]*/gconf/gconfd-2  --  
gen_context(system_u:object_r:gconfd_exec_t,s0)
-/usr/libexec/gconfd-2  --  gen_context(system_u:object_r:gconfd_exec_t,s0)
+/usr/libexec/gconfd-2  --  gen_context(system_u:object_r:gconfd_exec_t,s0)
 
 /run/user/%{USERID}/keyring(/.*)?  
gen_context(system_u:object_r:gnome_keyring_tmp_t,s0)
 /run/user/[^/]*/orcexec\..*--  
gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
-/run/user/%{USERID}/dconf(/.*)?
gen_context(system_u:object_r:gconf_tmp_t,s0)
 /run/user/%{USERID}/orcexec\..*--  
gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
-
-ifdef(`distro_gentoo',`
-HOME_DIR/\.config/dconf(/.*)?  
gen_context(system_u:object_r:gnome_xdg_config_home_t,s0)
-HOME_DIR/\.cache/dconf(/.*)?   
gen_context(system_u:object_r:gnome_xdg_cache_home_t,s0)
-HOME_DIR/\.cache/keyring-.*
gen_context(system_u:object_r:gnome_xdg_cache_home_t,s0)
-HOME_DIR/\.local/share/keyrings(/.*)?  
gen_context(system_u:object_r:gnome_xdg_data_home_t,s0)
-')
+/run/user/%{USERID}/dconf(/.*)?
gen_context(system_u:object_r:gconf_tmp_t,s0)
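Review bot: the gentoo block removed at the bottom labelled HOME_DIR/\.local/share/keyrings(/.*)? as gnome_xdg_data_home_t and nothing in this hunk replaces that entry, whereas the dconf and keyring- cache/config paths from the same block are covered by the upstream gnome_xdg_cache_t and gnome_xdg_config_t lines that remain at the top of the file. The keyrings directory is the on-disk secret store, so confirm upstream's gnome.fc labels it with a gnome-specific data type or add the entry; otherwise it gets the generic xdg data label and loses the confinement the gentoo block gave it. The remaining changes here (re-tabbing /usr/libexec/gconfd-2, moving the /run/user dconf line) are cosmetic.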

diff --git a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te
index e198bc71..340e394a 100644
--- a/policy/modules/contrib/gnome.te
+++ b/policy/modules/contrib/gnome.te
@@ -204,56 +204,12 @@ optional_policy(`
telepathy_mission_control_read_state(gkeyringd_domain)
 ')
 
-ifdef(`distro_gentoo',`
-   type gnome_xdg_cache_home_t;
-   type gnome_xdg_config_t; # Fase out
-   type gnome_xdg_config_home_t;
-   type gnome_xdg_data_home_t;
-
-   xdg_cache_home_content(gnome_xdg_cache_home_t)
-   xdg_config_home_content(gnome_xdg_config_t)
-   xdg_config_home_content(gnome_xdg_config_home_t)
-   xdg_data_home_content(gnome_xdg_data_home_t)
-
-   ##
-   ## Keyring
-   ##
-
-   # When gnome-keyring creates a .cache/keyring- make sure it is 
gnome_xdg_cache_home_t
-   xdg_cache_home_filetrans(gkeyringd_domain, gnome_xdg_cache_home_t, dir)
-   # Same for ~/.config and ~/.local stuff
-   xdg_config_home_filetrans(gkeyringd_domain, gnome_xdg_config_home_t, 
dir)
-   xdg_data_home_filetrans(gkeyringd_domain, gnome_xdg_data_home_t, dir)
-
-   allow gkeyringd_domain gnome_xdg_cache_home_t:file manage_file_perms;
-   allow gkeyringd_domain gnome_xdg_cache_home_t:sock_file 
manage_sock_file_perms;
-   manage_dirs_pattern(gkeyringd_domain, gnome_xdg_cache_home_t, 
gnome_xdg_cache_home_t)
-
-   allow gkeyringd_domain gnome_xdg_config_home_t:file manage_file_perms;
-   manage_dirs_pattern(gkeyringd_domain, gnome_xdg_config_home_t, 
gnome_xdg_config_home_t)
-
-   allow gkeyringd_domain gnome_xdg_data_home_t:file manage_file_perms;
-   manage_dirs_pattern(gkeyringd_domain, gnome_xdg_data_home_t, 
gnome_xdg_data_home_t)
-
-   ##
-   ## gconfd
-   ##
-
-   xdg_cache_home_filetrans(gconfd_t, gnome_xdg_cache_home_t, dir)
-   xdg_config_home_filetrans(gconfd_t, gnome_xdg_config_home_t, dir)
-   xdg_data_home_filetrans(gconfd_t, gnome_xdg_data_home_t, dir)
-
-   # gconf stores settings for gnome, it needs access
-   allow gconfd_t gnome_xdg_cache_home_t:file manage_file_perms;
-   manage_dirs_pattern(gconfd_t, gnome_xdg_cache_home_t, 
gnome_xdg_cache_home_t)
-
-   allow gconfd_t gnome_xdg_config_home_t:file manage_file_perms;
-   manage_dirs_pattern(gconfd_t, gnome_xdg_config_home_t, 
gnome_xdg_config_home_t)
-
-   allow gconfd_t gnome_xdg_data_home_t:file manage_file_perms;
-   

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2018-06-24 Thread Jason Zaman
commit: 3f70983f816e464b3071a17ca690115c61c35fba
Author: Sven Vermeulen  siphos  be>
AuthorDate: Sun Mar 25 11:57:14 2018 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu Jun 14 12:56:53 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3f70983f

Switch syncthing to XDG config types and make user content access optional

The syncthing application can, but does not have to, be used for
synchronizing end user data. Hence, the user data access is made
optional through the support of the syncthing_*_user_content booleans.

Also, the syncthing_config_home_t type is renamed to
syncthing_xdg_config_t to be aligned with the XDG setup. An alias
is put in place to allow for a transitional period before
syncthing_config_home_t is completely phased out.

Changes since v2:
 - Fix typo in call to userdom_user_content_access_template
Changes since v1:
 - Move tunable definition inside template

Signed-off-by: Sven Vermeulen  siphos.be>

 policy/modules/contrib/syncthing.fc |  2 +-
 policy/modules/contrib/syncthing.if |  8 
 policy/modules/contrib/syncthing.te | 19 ---
 3 files changed, 13 insertions(+), 16 deletions(-)

diff --git a/policy/modules/contrib/syncthing.fc 
b/policy/modules/contrib/syncthing.fc
index 4f7f53ed..e95b451e 100644
--- a/policy/modules/contrib/syncthing.fc
+++ b/policy/modules/contrib/syncthing.fc
@@ -1,3 +1,3 @@
 /usr/bin/syncthing  -- 
gen_context(system_u:object_r:syncthing_exec_t,s0)
 
-HOME_DIR/\.config/syncthing(/.*)?  
gen_context(system_u:object_r:syncthing_config_home_t,s0)
+HOME_DIR/\.config/syncthing(/.*)?  
gen_context(system_u:object_r:syncthing_xdg_config_t,s0)
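Review bot: because the .te hunk declares `type syncthing_xdg_config_t alias syncthing_config_home_t;`, files on disk still carrying the old name resolve to the same type and no relabel is forced by this commit, which is the point of the alias. The commit message promises only a "transitional period"; put a concrete removal condition next to the alias so it does not outlive the transition.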

diff --git a/policy/modules/contrib/syncthing.if 
b/policy/modules/contrib/syncthing.if
index 065800a3..2c0eb24c 100644
--- a/policy/modules/contrib/syncthing.if
+++ b/policy/modules/contrib/syncthing.if
@@ -18,14 +18,14 @@
 interface(`syncthing_role', `
gen_require(`
attribute_role syncthing_roles;
-   type syncthing_t, syncthing_exec_t, syncthing_config_home_t;
+   type syncthing_t, syncthing_exec_t, syncthing_xdg_config_t;
')
 
roleattribute $1 syncthing_roles;
 
domtrans_pattern($2, syncthing_exec_t, syncthing_t)
 
-   allow $2 syncthing_config_home_t:file { manage_file_perms 
relabel_file_perms };
-   allow $2 syncthing_config_home_t:dir { manage_dir_perms 
relabel_dir_perms };
-   allow $2 syncthing_config_home_t:lnk_file { manage_lnk_file_perms 
relabel_lnk_file_perms };
+   allow $2 syncthing_xdg_config_t:file { manage_file_perms 
relabel_file_perms };
+   allow $2 syncthing_xdg_config_t:dir { manage_dir_perms 
relabel_dir_perms };
+   allow $2 syncthing_xdg_config_t:lnk_file { manage_lnk_file_perms 
relabel_lnk_file_perms };
 ')
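Review bot: the role interface still hands the user domain full manage plus relabel rights over syncthing_xdg_config_t. Now that the type is xdg_config_content rather than generic user home content, check whether the user's ordinary xdg config access already covers what is needed; if the explicit grant stays, a comment on why the user domain must relabel syncthing's config directory would help the next reviewer.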

diff --git a/policy/modules/contrib/syncthing.te 
b/policy/modules/contrib/syncthing.te
index 92d0bf51..de3b9791 100644
--- a/policy/modules/contrib/syncthing.te
+++ b/policy/modules/contrib/syncthing.te
@@ -13,8 +13,8 @@ type syncthing_exec_t;
 init_daemon_domain(syncthing_t, syncthing_exec_t)
 userdom_user_application_domain(syncthing_t, syncthing_exec_t)
 
-type syncthing_config_home_t;
-userdom_user_home_content(syncthing_config_home_t)
+type syncthing_xdg_config_t alias syncthing_config_home_t;
+xdg_config_content(syncthing_xdg_config_t)
 
 
 #
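Review bot: the alias is the right transitional device, but the condition for dropping it lives only in the commit message ("transitional period"); add a comment beside `type syncthing_xdg_config_t alias syncthing_config_home_t;` stating when it can go (for example once installed file_contexts no longer reference the old name) so the alias is not kept forever.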
@@ -27,9 +27,10 @@ allow syncthing_t self:tcp_socket { listen accept };
 
 can_exec(syncthing_t, syncthing_exec_t)
 
-manage_dirs_pattern(syncthing_t, syncthing_config_home_t, 
syncthing_config_home_t)
-manage_files_pattern(syncthing_t, syncthing_config_home_t, 
syncthing_config_home_t)
-manage_lnk_files_pattern(syncthing_t, syncthing_config_home_t, 
syncthing_config_home_t)
+manage_dirs_pattern(syncthing_t, syncthing_xdg_config_t, 
syncthing_xdg_config_t)
+manage_files_pattern(syncthing_t, syncthing_xdg_config_t, 
syncthing_xdg_config_t)
+manage_lnk_files_pattern(syncthing_t, syncthing_xdg_config_t, 
syncthing_xdg_config_t)
+xdg_config_filetrans(syncthing_t, syncthing_xdg_config_t, dir)
 
 kernel_read_kernel_sysctls(syncthing_t)
 kernel_read_net_sysctls(syncthing_t)
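Review bot: `xdg_config_filetrans(syncthing_t, syncthing_xdg_config_t, dir)` has no name argument, so every directory syncthing_t creates directly under ~/.config becomes syncthing_xdg_config_t, whereas the rule it replaces in the last hunk, `userdom_user_home_content_filetrans(syncthing_t, syncthing_config_home_t, dir, "syncthing")`, was restricted to the directory named syncthing. If the xdg_config_filetrans interface in this tree accepts the optional name argument, pass "syncthing" to keep the old precision.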
@@ -58,13 +59,9 @@ auth_use_nsswitch(syncthing_t)
 miscfiles_read_generic_certs(syncthing_t)
 miscfiles_read_localization(syncthing_t)
 
-userdom_manage_user_home_content_files(syncthing_t)
-userdom_manage_user_home_content_dirs(syncthing_t)
-userdom_manage_user_home_content_symlinks(syncthing_t)
-userdom_user_home_dir_filetrans_user_home_content(syncthing_t, dir)
+userdom_user_content_access_template(syncthing, syncthing_t)
+
 userdom_use_user_terminals(syncthing_t)
-# newly created files in ~/.config/syncthing/ will transition to 
syncthing_config_home_t
-userdom_user_home_content_filetrans(syncthing_t, syncthing_config_home_t, dir, 
"syncthing")
 
 optional_policy(`
# temporary hack for /run/NetworkManager/resolv.conf until 
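Review bot: userdom_user_home_dir_filetrans_user_home_content(syncthing_t, dir) is removed along with the unconditional manage rules, but the template appears to supply only the access booleans; the mplayer commit on this page keeps an explicit userdom_user_home_dir_filetrans_user_home_content inside its manage tunable for exactly that reason. Without it, directories syncthing creates at the top of a home directory inherit the home directory's type instead of becoming user home content. If userdom_user_content_access_template already includes the filetrans, a comment saying so stops the question from recurring.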

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2018-06-24 Thread Jason Zaman
commit: 488f7b482a62bb25f656d38387ed44ff28c01343
Author: Jason Zaman  perfinion  com>
AuthorDate: Fri Jun 15 16:54:29 2018 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Jun 16 14:35:45 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=488f7b48

mozilla: remove gentoo specific rules that are now upstream

 policy/modules/contrib/mozilla.fc |  21 --
 policy/modules/contrib/mozilla.te | 143 +-
 2 files changed, 95 insertions(+), 69 deletions(-)

diff --git a/policy/modules/contrib/mozilla.fc 
b/policy/modules/contrib/mozilla.fc
index 867ba3e8..15aa39b3 100644
--- a/policy/modules/contrib/mozilla.fc
+++ b/policy/modules/contrib/mozilla.fc
@@ -6,6 +6,14 @@ HOME_DIR/\.netscape(/.*)?  
gen_context(system_u:object_r:mozilla_home_t,s0)
 HOME_DIR/\.phoenix(/.*)?   gen_context(system_u:object_r:mozilla_home_t,s0)
 HOME_DIR/\.vimperator.*
gen_context(system_u:object_r:mozilla_home_t,s0)
 
+HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
+HOME_DIR/\.gnash(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
+HOME_DIR/\.gcjwebplugin(/.*)?  
gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
+HOME_DIR/\.icedteaplugin(/.*)? 
gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
+HOME_DIR/\.spicec(/.*)?
gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
+HOME_DIR/\.ICAClient(/.*)? 
gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
+HOME_DIR/zimbrauserdata(/.*)?  
gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
+
 /usr/bin/epiphany  --  gen_context(system_u:object_r:mozilla_exec_t,s0)
 /usr/bin/epiphany-bin  --  gen_context(system_u:object_r:mozilla_exec_t,s0)
 /usr/bin/mozilla   --  gen_context(system_u:object_r:mozilla_exec_t,s0)
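Review bot: this hunk adds labels despite the commit title saying remove; if the mozilla_plugin_home_t entries for ~/.adobe, ~/.gnash, ~/.gcjwebplugin, ~/.icedteaplugin, ~/.spicec, ~/.ICAClient and zimbrauserdata are a sync with upstream's mozilla.fc, say so in the message so nobody mistakes them for new gentoo-specific policy. Existing directories under those names also need a relabel to pick up the type.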
@@ -17,18 +25,19 @@ HOME_DIR/\.vimperator.* 
gen_context(system_u:object_r:mozilla_home_t,s0)
 /usr/bin/nspluginscan  --  
gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
 /usr/bin/nspluginviewer--  
gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
 
-/usr/lib/[^/]*firefox[^/]*/firefox --  
gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/lib/[^/]*firefox[^/]*/firefox-bin -- 
gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/lib/firefox[^/]*/mozilla-.* --
gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/[^/]*firefox[^/]*/firefox --  
gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/[^/]*firefox[^/]*/firefox-bin --  
gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/firefox[^/]*/firefox-.*   --  
gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/firefox[^/]*/mozilla-.*   --  
gen_context(system_u:object_r:mozilla_exec_t,s0)
 /usr/lib/galeon/galeon --  gen_context(system_u:object_r:mozilla_exec_t,s0)
 /usr/lib/iceweasel/iceweasel   --  
gen_context(system_u:object_r:mozilla_exec_t,s0)
 /usr/lib/iceweasel/plugin-container--  
gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
 /usr/lib/mozilla[^/]*/reg.+--  
gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/lib/mozilla[^/]*/firefox-.* --
gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/lib/mozilla[^/]*/mozilla-.* --
gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/mozilla[^/]*/firefox-.*   --  
gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/mozilla[^/]*/mozilla-.*   --  
gen_context(system_u:object_r:mozilla_exec_t,s0)
 /usr/lib/mozilla/plugins-wrapped(/.*)? 
gen_context(system_u:object_r:mozilla_plugin_rw_t,s0)
 /usr/lib/netscape/base-4/wrapper   --  
gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/lib/netscape/.+/communicator/communicator-smotif\.real -- 
gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/netscape/.+/communicator/communicator-smotif\.real--  
gen_context(system_u:object_r:mozilla_exec_t,s0)
 /usr/lib/nspluginwrapper/npviewer.bin  --  
gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
 /usr/lib/nspluginwrapper/plugin-config --  
gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
 /usr/lib/xulrunner[^/]*/plugin-container   --  
gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
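Review bot: this hunk mixes whitespace realignment of existing entries with one genuinely new pattern, `/usr/lib/firefox[^/]*/firefox-.*`, which is easy to miss in the noise; keep cosmetic re-tabbing in a separate commit or at least list the new entry in the commit message.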

diff --git a/policy/modules/contrib/mozilla.te 
b/policy/modules/contrib/mozilla.te
index 5a0a0a5b..807d3431 100644
--- a/policy/modules/contrib/mozilla.te
+++ b/policy/modules/contrib/mozilla.te
@@ -13,19 +13,6 @@ policy_module(mozilla, 2.13.2)
 ## 
 gen_tunable(mozilla_execstack, false)
 
-## 
-## 
-## Allow mozilla to use java plugins
-## 
-## 
-## Some plugins use named pipes inside temporary directories created
-## by the browser to communicate with the java process. If other browsers
-## need to use java plugins as well, they will get search privileges within
-## the temporary directories of mozilla
-## 
-## 
-gen_tunable(mozilla_use_java, false)
-
 

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2018-06-24 Thread Jason Zaman
commit: dbe18188f633a120c1c900140da3e824cd339ecb
Author: Jason Zaman  perfinion  com>
AuthorDate: Sat Jun 16 07:34:08 2018 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Jun 16 14:35:45 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=dbe18188

pulseaudio: deprecate gentoo-specific pulseaudio_client_domain()

 policy/modules/contrib/chromium.te|  5 +++-
 policy/modules/contrib/pulseaudio.if  | 50 ++-
 policy/modules/contrib/skype.te   |  5 +++-
 policy/modules/contrib/thunderbird.te |  3 ++-
 4 files changed, 36 insertions(+), 27 deletions(-)

diff --git a/policy/modules/contrib/chromium.te 
b/policy/modules/contrib/chromium.te
index 29e7fee7..72621719 100644
--- a/policy/modules/contrib/chromium.te
+++ b/policy/modules/contrib/chromium.te
@@ -74,6 +74,9 @@ userdom_user_tmp_file(chromium_tmp_t)
 
 type chromium_tmpfs_t;
 userdom_user_tmpfs_file(chromium_tmpfs_t)
+optional_policy(`
+   pulseaudio_tmpfs_content(chromium_tmpfs_t)
+')
 
 type chromium_xdg_config_t;
 xdg_config_home_content(chromium_xdg_config_t)
@@ -271,7 +274,7 @@ ifdef(`use_alsa',`
')
 
optional_policy(`
-   pulseaudio_client_domain(chromium_t, chromium_tmpfs_t)
+   pulseaudio_domtrans(chromium_t)
')
 ')
 
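Review bot: the replacement is behaviour-preserving only together with the first hunk: `pulseaudio_client_domain(chromium_t, chromium_tmpfs_t)` expanded to `pulseaudio_domtrans($1)` plus `pulseaudio_tmpfs_content($2)` (see the pulseaudio.if hunk in this commit), and the tmpfs half now lives next to the `chromium_tmpfs_t` declaration in the first hunk. Both halves sit inside `optional_policy` blocks, so a build without the pulseaudio module still succeeds.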

diff --git a/policy/modules/contrib/pulseaudio.if 
b/policy/modules/contrib/pulseaudio.if
index 3073fd4a..ca005df0 100644
--- a/policy/modules/contrib/pulseaudio.if
+++ b/policy/modules/contrib/pulseaudio.if
@@ -356,30 +356,6 @@ interface(`pulseaudio_tmpfs_content',`
typeattribute $1 pulseaudio_tmpfsfile;
 ')
 
-# Below are Gentoo specifics but ifdef distro_gentoo cannot be used in 
interfaces
-
-
-## 
-## Mark the specified domain as a PulseAudio client domain
-## and the related tmpfs file type as a (shared) PulseAudio tmpfs
-## file type used for the shared memory access
-## 
-## 
-## 
-## Domain to become a PulseAudio client domain
-## 
-## 
-## 
-## 
-## Tmpfs type used for shared memory of the given domain
-## 
-## 
-#
-interface(`pulseaudio_client_domain',`
-   pulseaudio_domtrans($1)
-   pulseaudio_tmpfs_content($2)
-')
-
 ###
 ## 
 ## Read pulseaudio tmpfs files.
@@ -418,3 +394,29 @@ interface(`pulseaudio_rw_tmpfs_files',`
fs_search_tmpfs($1)
rw_files_pattern($1, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t)
 ')
+
+# Below are Gentoo specifics but ifdef distro_gentoo cannot be used in 
interfaces
+
+
+## 
+## Mark the specified domain as a PulseAudio client domain
+## and the related tmpfs file type as a (shared) PulseAudio tmpfs
+## file type used for the shared memory access
+## 
+## 
+## 
+## Domain to become a PulseAudio client domain
+## 
+## 
+## 
+## 
+## Tmpfs type used for shared memory of the given domain
+## 
+## 
+#
+interface(`pulseaudio_client_domain',`
+   refpolicywarn(`$0($*) has been deprecated')
+
+   pulseaudio_domtrans($1)
+   pulseaudio_tmpfs_content($2)
+')
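Review bot: `refpolicywarn(`$0($*) has been deprecated')` keeps old callers building while flagging them, which is the right pattern, but the documentation block above the interface still describes it as current. Consider stating the deprecation and the replacement (`pulseaudio_domtrans()` plus `pulseaudio_tmpfs_content()`) in the summary so the generated interface docs and the warning agree. The comment that `ifdef distro_gentoo` cannot be used in interfaces explains why this stays unconditional, which is fine.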

diff --git a/policy/modules/contrib/skype.te b/policy/modules/contrib/skype.te
index be0684f8..85ce3c10 100644
--- a/policy/modules/contrib/skype.te
+++ b/policy/modules/contrib/skype.te
@@ -29,6 +29,9 @@ ubac_constrained(skype_tmp_t)
 type skype_tmpfs_t;
 files_tmpfs_file(skype_tmpfs_t)
 ubac_constrained(skype_tmpfs_t)
+optional_policy(`
+   pulseaudio_tmpfs_content(skype_tmpfs_t)
+')
 
 
 #
@@ -114,7 +117,7 @@ tunable_policy(`skype_manage_user_content',`
 ')
 
 optional_policy(`
-   pulseaudio_client_domain(skype_t, skype_tmpfs_t)
+   pulseaudio_domtrans(skype_t)
 ')
 
 optional_policy(`

diff --git a/policy/modules/contrib/thunderbird.te 
b/policy/modules/contrib/thunderbird.te
index 62e0accb..4fa94a18 100644
--- a/policy/modules/contrib/thunderbird.te
+++ b/policy/modules/contrib/thunderbird.te
@@ -215,7 +215,8 @@ ifdef(`distro_gentoo',`
xdg_read_data_home_files(thunderbird_t)
 
optional_policy(`
-   pulseaudio_client_domain(thunderbird_t, thunderbird_tmpfs_t)
+   pulseaudio_domtrans(thunderbird_t)
+   pulseaudio_tmpfs_content(thunderbird_tmpfs_t)
')
 ')
 
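Review bot: here both replacement calls stay together inside the `ifdef(`distro_gentoo')` optional block instead of moving `pulseaudio_tmpfs_content(thunderbird_tmpfs_t)` next to the type declaration as chromium.te and skype.te do in this commit. That is fine as long as `thunderbird_tmpfs_t` is declared before this point; since the Gentoo-specific thunderbird types are declared inside the same `distro_gentoo` block, the layout is consistent.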



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2018-06-24 Thread Jason Zaman
commit: 6aa6d4c122f71c70f45bc09edea0e945fc366381
Author: Sven Vermeulen  siphos  be>
AuthorDate: Sun Mar 25 11:57:09 2018 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu Jun 14 12:56:53 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6aa6d4c1

Make java user content access optional

The java_domain attribute covers many java related domains.
Historically, the privileges on the java domain have been quite open,
including the access to the users' personal files. However, this should
not be the case at all times - some administrators might want to reduce
this scope, and only grant specific domains (rather than the generic
java ones) the necessary accesses.

In this patch, the manage rights on the user content is moved under
support of specific java-related booleans.

Changes since v1:
 - Move tunable definition inside template

Signed-off-by: Sven Vermeulen  siphos.be>

 policy/modules/contrib/java.te | 13 +++--
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te
index f23a330b..78a994e0 100644
--- a/policy/modules/contrib/java.te
+++ b/policy/modules/contrib/java.te
@@ -109,15 +109,16 @@ miscfiles_read_fonts(java_domain)
 
 userdom_dontaudit_use_user_terminals(java_domain)
 userdom_dontaudit_exec_user_home_content_files(java_domain)
-userdom_manage_user_home_content_dirs(java_domain)
-userdom_manage_user_home_content_files(java_domain)
-userdom_manage_user_home_content_symlinks(java_domain)
-userdom_manage_user_home_content_pipes(java_domain)
-userdom_manage_user_home_content_sockets(java_domain)
-userdom_user_home_dir_filetrans_user_home_content(java_domain, { file lnk_file 
sock_file fifo_file })
 
+userdom_user_content_access_template(java, java_domain)
 userdom_write_user_tmp_sockets(java_domain)
 
+tunable_policy(`java_manage_generic_user_content',`
+   userdom_manage_user_home_content_pipes(java_domain)
+   userdom_manage_user_home_content_sockets(java_domain)
+   userdom_user_home_dir_filetrans_user_home_content(java_domain, { file 
lnk_file sock_file fifo_file })
+')
+
 ifdef(`distro_gentoo',`
# For java browser plugin accessing internet resources
allow java_domain self:netlink_route_socket 
create_netlink_socket_perms; 
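Review bot: this hunk changes the default behaviour and the commit message should say so: `userdom_user_content_access_template(java, java_domain)` replaces unconditional manage rights with boolean-gated ones, so unless the booleans the template declares default to true, java domains lose write access to home content on upgrade. Two things to check: the `java_manage_generic_user_content` boolean used in the `tunable_policy` block is declared by the template (the "Changes since v1" note says the definition moved inside it), so the template call must stay above the block, which it does; and the removed `userdom_manage_user_home_content_symlinks(java_domain)` has no counterpart in the tunable block, so it relies on the template covering symlinks, and if the template only covers dirs and files, symlink management is silently dropped.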



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2018-06-24 Thread Jason Zaman
commit: 069e44feb788fe848a3a27ed42d580f99c4aa151
Author: Jason Zaman  perfinion  com>
AuthorDate: Sat Jun 16 04:29:22 2018 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Jun 16 14:35:45 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=069e44fe

pulseaudio: migrate to upstream xdg interfaces

 policy/modules/contrib/pulseaudio.te | 11 ---
 1 file changed, 11 deletions(-)

diff --git a/policy/modules/contrib/pulseaudio.te 
b/policy/modules/contrib/pulseaudio.te
index 167de7c9..1a58bde5 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -306,14 +306,3 @@ optional_policy(`
 optional_policy(`
unconfined_signull(pulseaudio_client)
 ')
-
-ifdef(`distro_gentoo',`
-   typealias pulseaudio_home_t alias pulseaudio_xdg_config_t;
-
-   # ~/.config/pulse/
-   xdg_config_home_filetrans(pulseaudio_t, pulseaudio_home_t, dir, "pulse")
-   xdg_config_home_filetrans(pulseaudio_client, pulseaudio_home_t, dir, 
"pulse")
-
-   # /tmp/pulse-* gets created by the clients usually as user_tmp_t, bug 
556526
-   userdom_list_user_tmp(pulseaudio_client)
-')
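Review bot: removing the `typealias pulseaudio_home_t alias pulseaudio_xdg_config_t` drops the `pulseaudio_xdg_config_t` name; any file context or policy still using it will fail to load unless the upstream xdg migration this commit refers to declares that type. The removed `userdom_list_user_tmp(pulseaudio_client)` line was there for bug 556526 (`/tmp/pulse-*` created as `user_tmp_t`); nothing in this hunk replaces it, so please confirm the upstream pulseaudio policy now covers that case or the denial will reappear.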



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2018-06-24 Thread Jason Zaman
commit: d61a937aadcff678640a712430f84c5cb9cc7443
Author: Sven Vermeulen  siphos  be>
AuthorDate: Sun Mar 25 11:57:11 2018 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu Jun 14 12:56:53 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d61a937a

Make postfix user content access optional

The postfix virtual domain does not always need full manage rights on
the users' home directories and content. We make these rights optional
through the postfix_{read,manage}_{generic,all}_user_content booleans.

Changes since v1:
 - Move tunable definition inside template

Signed-off-by: Sven Vermeulen  siphos.be>

 policy/modules/contrib/postfix.te | 6 +-
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/policy/modules/contrib/postfix.te 
b/policy/modules/contrib/postfix.te
index 5463a21c..212d34d4 100644
--- a/policy/modules/contrib/postfix.te
+++ b/policy/modules/contrib/postfix.te
@@ -826,11 +826,7 @@ mta_delete_spool(postfix_virtual_t)
 mta_read_config(postfix_virtual_t)
 mta_manage_spool(postfix_virtual_t)
 
-userdom_manage_user_home_dirs(postfix_virtual_t)
-userdom_manage_user_home_content_dirs(postfix_virtual_t)
-userdom_manage_user_home_content_files(postfix_virtual_t)
-userdom_home_filetrans_user_home_dir(postfix_virtual_t)
-userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, { file 
dir })
+userdom_user_content_access_template(postfix, postfix_virtual_t)
 
 ifdef(`distro_gentoo',`
#
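Review bot: besides home content, the removed block granted `userdom_manage_user_home_dirs` and `userdom_home_filetrans_user_home_dir`, i.e. creating the home directory itself under /home. The template call that replaces it is named for user content, so whether the `postfix_manage_all_user_content` boolean from the commit message also covers creating a missing home directory for virtual delivery should be confirmed; if not, that case deserves its own rule or a note that it is intentionally dropped. The default value of the new booleans also decides whether this is a regression for existing virtual-mailbox setups, so state it.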



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2018-06-24 Thread Jason Zaman
commit: beebac5c01a502b2ac5ee30864fc15cfbb63c96e
Author: Jason Zaman  perfinion  com>
AuthorDate: Sat Jun 16 06:39:33 2018 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Jun 16 14:35:45 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=beebac5c

thunderbird: migrate to upstream xdg rules

 policy/modules/contrib/thunderbird.te | 11 +--
 1 file changed, 1 insertion(+), 10 deletions(-)

diff --git a/policy/modules/contrib/thunderbird.te 
b/policy/modules/contrib/thunderbird.te
index 4fa94a18..1f39efce 100644
--- a/policy/modules/contrib/thunderbird.te
+++ b/policy/modules/contrib/thunderbird.te
@@ -180,8 +180,7 @@ optional_policy(`
 ')
 
 ifdef(`distro_gentoo',`
-   type thunderbird_xdg_cache_home_t;
-   xdg_cache_home_content(thunderbird_xdg_cache_home_t)
+   typealias thunderbird_xdg_cache_t alias thunderbird_xdg_cache_home_t;
 
type thunderbird_tmp_t;
userdom_user_tmp_file(thunderbird_tmp_t)
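Review bot: switching to `typealias thunderbird_xdg_cache_t alias thunderbird_xdg_cache_home_t` keeps labels already on disk valid, but it now requires `thunderbird_xdg_cache_t` to be declared by the upstream part of thunderbird.te before this `distro_gentoo` block; the hunk does not show that declaration, so please verify it exists. The `xdg_cache_home_content()` attribute assignment on the old type is dropped here, which is only correct if the upstream type already carries the xdg cache attribute.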
@@ -198,10 +197,6 @@ ifdef(`distro_gentoo',`
manage_files_pattern(thunderbird_t, thunderbird_tmp_t, 
thunderbird_tmp_t)
files_tmp_filetrans(thunderbird_t, thunderbird_tmp_t, { dir file })
 
-   manage_files_pattern(thunderbird_t, thunderbird_xdg_cache_home_t, 
thunderbird_xdg_cache_home_t)
-   manage_dirs_pattern(thunderbird_t, thunderbird_xdg_cache_home_t, 
thunderbird_xdg_cache_home_t)
-   xdg_cache_home_filetrans(thunderbird_t, thunderbird_xdg_cache_home_t, 
dir)
-
# File preview apps for instance
corecmd_exec_bin(thunderbird_t)
 
@@ -209,10 +204,6 @@ ifdef(`distro_gentoo',`
dev_rw_dri(thunderbird_t)
 
userdom_use_user_ptys(thunderbird_t)
-   # User content access
-   userdom_user_content_access_template(thunderbird, thunderbird_t)
-
-   xdg_read_data_home_files(thunderbird_t)
 
optional_policy(`
pulseaudio_domtrans(thunderbird_t)
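Review bot: removing `userdom_user_content_access_template(thunderbird, thunderbird_t)` also removes the `thunderbird_*_user_content` booleans the template declares (the java, postfix and openoffice commits in this thread moved the tunable definitions into the template). Unless upstream thunderbird.te calls the same template, users with those booleans set locally will get unknown-boolean warnings and lose the gating; worth a line in the commit message. Likewise `xdg_read_data_home_files(thunderbird_t)` goes with no replacement in this hunk, so confirm upstream grants equivalent data-home read access.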



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2018-06-24 Thread Jason Zaman
commit: 76c143d44f9ca0f671344b247b24230c816d9ace
Author: Sven Vermeulen  siphos  be>
AuthorDate: Sun Mar 25 11:57:10 2018 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu Jun 14 12:56:53 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=76c143d4

Make openoffice user content access optional

The openoffice domain should not have full manage rights on all user
content. Instead, it is granted manage rights on the documents
(xdg_documents_t) while the other privileges are made optional through
the openoffice_{read,manage}_{generic,all}_user_content booleans.

Changes since v1:
 - Move tunable definitions inside template

Signed-off-by: Sven Vermeulen  siphos.be>

 policy/modules/contrib/openoffice.te | 12 
 1 file changed, 4 insertions(+), 8 deletions(-)

diff --git a/policy/modules/contrib/openoffice.te 
b/policy/modules/contrib/openoffice.te
index d2371f57..6da6335d 100644
--- a/policy/modules/contrib/openoffice.te
+++ b/policy/modules/contrib/openoffice.te
@@ -94,18 +94,14 @@ sysnet_dns_name_resolve(ooffice_t)
 
 userdom_dontaudit_exec_user_home_content_files(ooffice_t)
 userdom_dontaudit_manage_user_tmp_dirs(ooffice_t)
-
-userdom_read_user_tmp_files(ooffice_t)
-userdom_manage_user_home_content_dirs(ooffice_t)
-userdom_manage_user_home_content_files(ooffice_t)
-userdom_manage_user_home_content_symlinks(ooffice_t)
-userdom_user_home_dir_filetrans_user_home_content(ooffice_t, { dir file 
lnk_file fifo_file sock_file })
-
 userdom_manage_user_tmp_dirs(ooffice_t)
 userdom_manage_user_tmp_sockets(ooffice_t)
-
 userdom_use_inherited_user_terminals(ooffice_t)
 
+userdom_user_content_access_template(openoffice, ooffice_t)
+
+xdg_manage_documents(ooffice_t)
+
 tunable_policy(`openoffice_allow_update',`
corenet_tcp_connect_http_port(ooffice_t)
 ')
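Review bot: `userdom_read_user_tmp_files(ooffice_t)` is removed with no counterpart in the added lines while the `userdom_manage_user_tmp_dirs` and `userdom_manage_user_tmp_sockets` rules stay; unless the user content template covers user tmp files, opening a document from /tmp will start being denied. Also note the naming: `xdg_manage_documents(ooffice_t)` uses the upstream interface and type names (the commit message refers to `xdg_documents_t`), whereas the xdg.if hunk further down this page from April 2018 still defines the Gentoo `xdg_manage_documents_home` variant, so this commit depends on the upstream xdg module having been merged first.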



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2018-06-24 Thread Jason Zaman
commit: e0b7ab785a4807bba64814a1763ffd76b431d116
Author: Chris PeBenito  ieee  org>
AuthorDate: Sun Jun 10 17:39:35 2018 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu Jun 14 12:56:53 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e0b7ab78

XDG module version bump.

 policy/modules/contrib/cron.te | 2 +-
 policy/modules/contrib/evolution.te| 2 +-
 policy/modules/contrib/firstboot.te| 2 +-
 policy/modules/contrib/gnome.te| 2 +-
 policy/modules/contrib/gpg.te  | 2 +-
 policy/modules/contrib/i18n_input.te   | 2 +-
 policy/modules/contrib/irc.te  | 2 +-
 policy/modules/contrib/java.te | 2 +-
 policy/modules/contrib/minidlna.te | 2 +-
 policy/modules/contrib/mozilla.te  | 2 +-
 policy/modules/contrib/mplayer.te  | 2 +-
 policy/modules/contrib/openoffice.te   | 2 +-
 policy/modules/contrib/postfix.te  | 2 +-
 policy/modules/contrib/pulseaudio.te   | 2 +-
 policy/modules/contrib/syncthing.te| 2 +-
 policy/modules/contrib/telepathy.te| 2 +-
 policy/modules/contrib/thunderbird.te  | 2 +-
 policy/modules/contrib/wireshark.te| 2 +-
 policy/modules/contrib/xscreensaver.te | 2 +-
 19 files changed, 19 insertions(+), 19 deletions(-)

diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te
index 6479d526..49a14a6a 100644
--- a/policy/modules/contrib/cron.te
+++ b/policy/modules/contrib/cron.te
@@ -1,4 +1,4 @@
-policy_module(cron, 2.13.1)
+policy_module(cron, 2.13.2)
 
 gen_require(`
class passwd rootok;

diff --git a/policy/modules/contrib/evolution.te 
b/policy/modules/contrib/evolution.te
index 8fb6a5d2..e8362b8a 100644
--- a/policy/modules/contrib/evolution.te
+++ b/policy/modules/contrib/evolution.te
@@ -1,4 +1,4 @@
-policy_module(evolution, 2.8.1)
+policy_module(evolution, 2.8.2)
 
 
 #

diff --git a/policy/modules/contrib/firstboot.te 
b/policy/modules/contrib/firstboot.te
index d5fed3ec..1576b498 100644
--- a/policy/modules/contrib/firstboot.te
+++ b/policy/modules/contrib/firstboot.te
@@ -1,4 +1,4 @@
-policy_module(firstboot, 1.14.0)
+policy_module(firstboot, 1.14.1)
 
 gen_require(`
class passwd { passwd chfn chsh rootok };

diff --git a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te
index e9b51ded..e198bc71 100644
--- a/policy/modules/contrib/gnome.te
+++ b/policy/modules/contrib/gnome.te
@@ -1,4 +1,4 @@
-policy_module(gnome, 2.9.1)
+policy_module(gnome, 2.9.2)
 
 ##
 #

diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index 12a6e44d..0e6b6f74 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -1,4 +1,4 @@
-policy_module(gpg, 2.13.1)
+policy_module(gpg, 2.13.2)
 
 
 #

diff --git a/policy/modules/contrib/i18n_input.te 
b/policy/modules/contrib/i18n_input.te
index ac499495..181d3e90 100644
--- a/policy/modules/contrib/i18n_input.te
+++ b/policy/modules/contrib/i18n_input.te
@@ -1,4 +1,4 @@
-policy_module(i18n_input, 1.12.0)
+policy_module(i18n_input, 1.12.1)
 
 
 #

diff --git a/policy/modules/contrib/irc.te b/policy/modules/contrib/irc.te
index 7f34e532..99ddaecb 100644
--- a/policy/modules/contrib/irc.te
+++ b/policy/modules/contrib/irc.te
@@ -1,4 +1,4 @@
-policy_module(irc, 2.5.0)
+policy_module(irc, 2.5.1)
 
 
 #

diff --git a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te
index 78a994e0..c9b2487e 100644
--- a/policy/modules/contrib/java.te
+++ b/policy/modules/contrib/java.te
@@ -1,4 +1,4 @@
-policy_module(java, 2.11.0)
+policy_module(java, 2.11.1)
 
 
 #

diff --git a/policy/modules/contrib/minidlna.te 
b/policy/modules/contrib/minidlna.te
index a94860a0..2d2840e0 100644
--- a/policy/modules/contrib/minidlna.te
+++ b/policy/modules/contrib/minidlna.te
@@ -1,4 +1,4 @@
-policy_module(minidlna, 1.2.0)
+policy_module(minidlna, 1.2.1)
 
 #
 #

diff --git a/policy/modules/contrib/mozilla.te 
b/policy/modules/contrib/mozilla.te
index 552db05e..5a0a0a5b 100644
--- a/policy/modules/contrib/mozilla.te
+++ b/policy/modules/contrib/mozilla.te
@@ -1,4 +1,4 @@
-policy_module(mozilla, 2.13.1)
+policy_module(mozilla, 2.13.2)
 
 
 #

diff --git a/policy/modules/contrib/mplayer.te 
b/policy/modules/contrib/mplayer.te
index ba19a870..a1af29df 100644
--- a/policy/modules/contrib/mplayer.te
+++ b/policy/modules/contrib/mplayer.te
@@ -1,4 +1,4 @@
-policy_module(mplayer, 2.7.0)
+policy_module(mplayer, 2.7.1)
 
 
 #

diff --git a/policy/modules/contrib/openoffice.te 
b/policy/modules/contrib/openoffice.te
index 6da6335d..2cb4d6d2 100644
--- a/policy/modules/contrib/openoffice.te
+++ 

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2018-06-24 Thread Jason Zaman
commit: 417531b2a24c4ce1da7378579b265abd06a4c983
Author: Sven Vermeulen  siphos  be>
AuthorDate: Sun Mar 25 11:57:12 2018 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu Jun 14 12:56:53 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=417531b2

Make wireshark user content access optional

The wireshark application does not need full manage rights on user
content. Hence, we make these privileges optional through support of the
wireshark_*_user_content booleans.

To allow wireshark to read recorded network traffic, wireshark is
granted read access on the downloads location.

Changes since v1:
 - Move tunable definition inside template

Signed-off-by: Sven Vermeulen  siphos.be>

 policy/modules/contrib/wireshark.te | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/policy/modules/contrib/wireshark.te 
b/policy/modules/contrib/wireshark.te
index 30dd6af8..7eabbc8b 100644
--- a/policy/modules/contrib/wireshark.te
+++ b/policy/modules/contrib/wireshark.te
@@ -102,8 +102,9 @@ miscfiles_read_localization(wireshark_t)
 
 userdom_use_user_terminals(wireshark_t)
 
-userdom_manage_user_home_content_files(wireshark_t)
-userdom_user_home_dir_filetrans_user_home_content(wireshark_t, file)
+userdom_user_content_access_template(wireshark, wireshark_t)
+
+xdg_read_downloads(wireshark_t)
 
 tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(wireshark_t)
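Review bot: the removed rules were limited to files (`userdom_manage_user_home_content_files` and a file-only filetrans), whereas `userdom_user_content_access_template(wireshark, wireshark_t)` gates a broader set of manage rights behind the `wireshark_*_user_content` booleans; with the booleans off, wireshark can no longer save a capture into the home directory at all, which matches the commit message's intent but should be stated as the new default. `xdg_read_downloads(wireshark_t)` is unconditional and read-only, so the common case of opening a downloaded capture keeps working without any boolean.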



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2018-06-24 Thread Jason Zaman
commit: f097f60dd8911534016b5e356313096a2bf413df
Author: Sven Vermeulen  siphos  be>
AuthorDate: Sun Mar 25 11:57:13 2018 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu Jun 14 12:56:53 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f097f60d

Make xscreensaver user content access optional

The xscreensaver application currently has the privileges to read user
content, to display images stored in the users' home directory. We now
grant this through xdg_pictures_t access, and make the generic user
content access optional.

Signed-off-by: Sven Vermeulen  siphos.be>

 policy/modules/contrib/xscreensaver.te | 26 +-
 1 file changed, 25 insertions(+), 1 deletion(-)

diff --git a/policy/modules/contrib/xscreensaver.te 
b/policy/modules/contrib/xscreensaver.te
index 1f581107..e6f5e649 100644
--- a/policy/modules/contrib/xscreensaver.te
+++ b/policy/modules/contrib/xscreensaver.te
@@ -5,6 +5,13 @@ policy_module(xscreensaver, 1.3.0)
 # Declarations
 #
 
+## 
+## 
+## Grant the xscreensaver domains read access to generic user content
+## 
+## 
+gen_tunable(`xscreensaver_read_generic_user_content', true)
+
 attribute_role xscreensaver_roles;
 attribute_role xscreensaver_helper_roles;
 
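Review bot: `gen_tunable(`xscreensaver_read_generic_user_content', true)` quotes the boolean name, while the other gen_tunable calls in this tree (`gen_tunable(mozilla_execstack, false)` and `gen_tunable(minidlna_read_all_user_content, false)` elsewhere on this page) pass it unquoted; the m4 quotes are harmless but inconsistent, so drop them. Defaulting the boolean to true preserves the previous unconditional read access, which is the right choice for a boolean introduced so administrators can tighten things later; the description could say that the default keeps current behaviour.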
@@ -56,11 +63,28 @@ logging_send_syslog_msg(xscreensaver_t)
 miscfiles_read_localization(xscreensaver_t)
 
 userdom_use_user_terminals(xscreensaver_t)
-userdom_read_user_home_content_files(xscreensaver_t)
+
+xdg_read_pictures(xscreensaver_t)
 
 xserver_rw_xsession_log(xscreensaver_t)
 xserver_user_x_domain_template(xscreensaver, xscreensaver_t, 
xscreensaver_tmpfs_t)
 
+tunable_policy(`xscreensaver_read_generic_user_content',`
+   userdom_list_user_tmp(xscreensaver_t)
+   userdom_list_user_home_content(xscreensaver_t)
+   userdom_read_user_home_content_files(xscreensaver_t)
+   userdom_read_user_home_content_symlinks(xscreensaver_t)
+   userdom_read_user_tmp_files(xscreensaver_t)
+',`
+   files_dontaudit_list_home(xscreensaver_t)
+   files_dontaudit_list_tmp(xscreensaver_t)
+
+   userdom_dontaudit_list_user_home_dirs(xscreensaver_t)
+   userdom_dontaudit_list_user_tmp(xscreensaver_t)
+   userdom_dontaudit_read_user_home_content_files(xscreensaver_t)
+   userdom_dontaudit_read_user_tmp_files(xscreensaver_t)
+')
+
 
 #
 # Helper local policy
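Review bot: the `tunable_policy` else branch correctly dontaudits the home and tmp listing and read attempts, so a tightened boolean does not fill the audit log with expected denials. Two details: the true branch grants more than the single `userdom_read_user_home_content_files` line it replaces (listing home content and tmp, reading symlinks and tmp files), which is reasonable for displaying images but should be mentioned; and `xdg_read_pictures(xscreensaver_t)` sits outside the tunable, so picture access stays unconditional even when the boolean is off, as the commit message intends.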



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2018-06-24 Thread Jason Zaman
commit: 3d7c163810e87958c8eed978d0297463ce958005
Author: Jason Zaman  perfinion  com>
AuthorDate: Thu Jun 14 14:32:02 2018 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Jun 16 13:16:02 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3d7c1638

xdg: remove gentoo-specific xdg rules

 policy/modules/contrib/minidlna.te | 28 
 1 file changed, 28 deletions(-)

diff --git a/policy/modules/contrib/minidlna.te 
b/policy/modules/contrib/minidlna.te
index 2d2840e0..565f6090 100644
--- a/policy/modules/contrib/minidlna.te
+++ b/policy/modules/contrib/minidlna.te
@@ -104,31 +104,3 @@ tunable_policy(`minidlna_read_generic_user_content',`
userdom_dontaudit_read_user_home_content_files(minidlna_t)
userdom_dontaudit_read_user_tmp_files(minidlna_t)
 ')
-
-ifdef(`distro_gentoo',`
-
-## 
-## 
-## Determine whether minidlna can read all user content.
-## 
-## 
-gen_tunable(minidlna_read_all_user_content, false)
-
-## 
-## 
-## Determine whether minidlna can read users xdg videos, pictures and 
music labeled files
-## 
-## 
-gen_tunable(minidlna_read_xdg_media_content, false)
-
-   tunable_policy(`minidlna_read_all_user_content',`
-   userdom_list_user_tmp(minidlna_t)
-   userdom_read_all_user_home_content(minidlna_t)
-   ')
-   
-   tunable_policy(`minidlna_read_xdg_media_content',`
-   xdg_read_music_home(minidlna_t)
-   xdg_read_pictures_home(minidlna_t)
-   xdg_read_videos_home(minidlna_t)
-   ')
-')
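Review bot: this drops the Gentoo `minidlna_read_all_user_content` and `minidlna_read_xdg_media_content` booleans outright, not just the `_home`-suffixed xdg calls. The upstream `minidlna_read_generic_user_content` tunable visible in the context at the top of the hunk remains, but nothing here replaces the media-directory read access (music, pictures, videos); if upstream minidlna.te grants that unconditionally or via its own boolean, say so in the commit message, otherwise DLNA serving of those directories regresses silently.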



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2018-06-08 Thread Jason Zaman
commit: 15024f09418e364b25ab3ba1b3c202d41b6bacd3
Author: Jason Zaman  perfinion  com>
AuthorDate: Fri Jun  8 11:09:13 2018 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Fri Jun  8 11:19:06 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=15024f09

portage: allow gpg for tree signature verification

 policy/modules/contrib/portage.te | 17 +++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/policy/modules/contrib/portage.te 
b/policy/modules/contrib/portage.te
index e0aea54c..47d7fcc6 100644
--- a/policy/modules/contrib/portage.te
+++ b/policy/modules/contrib/portage.te
@@ -227,6 +227,10 @@ optional_policy(`
cron_system_entry(portage_fetch_t, portage_fetch_exec_t)
 ')
 
+optional_policy(`
+   gpg_spec_domtrans(portage_t, portage_fetch_t)
+')
+
 optional_policy(`
modutils_run(portage_t, portage_roles)
#dontaudit update_modules_t portage_tmp_t:dir search_dir_perms;
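Review bot: `gpg_spec_domtrans(portage_t, portage_fetch_t)` runs gpg in the fetch domain rather than a dedicated gpg domain, so signature verification inherits every network and file permission of `portage_fetch_t`; that is a deliberate trade-off worth a comment above the block (the file already uses bug-reference comments for such decisions). It also only works together with `gpg_entry_type(portage_fetch_t)` in the last hunk, which makes `gpg_exec_t` an entrypoint for the domain; both live in separate `optional_policy` blocks keyed on the same gpg module, so they are enabled or disabled together.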
@@ -253,7 +257,7 @@ allow portage_fetch_t self:process signal;
 allow portage_fetch_t self:capability { chown dac_read_search dac_override 
fowner fsetid };
 allow portage_fetch_t self:fifo_file rw_fifo_file_perms;
 allow portage_fetch_t self:tcp_socket { accept listen };
-allow portage_fetch_t self:unix_stream_socket create_socket_perms;
+allow portage_fetch_t self:unix_stream_socket { connectto 
create_stream_socket_perms };
 
 allow portage_fetch_t portage_conf_t:dir list_dir_perms;
 
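Review bot: `{ connectto create_stream_socket_perms }` on `self:unix_stream_socket` is needed because gpg-agent and dirmngr now run inside `portage_fetch_t` and gpg connects to their sockets from the same domain; since `connectto` is granted on self only, it does not widen reachability to other domains. A short comment tying it to the agent socket would help the next reader.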
@@ -264,6 +268,7 @@ allow portage_fetch_t portage_gpg_t:file manage_file_perms;
 
 allow portage_fetch_t portage_tmp_t:dir manage_dir_perms;
 allow portage_fetch_t portage_tmp_t:file manage_file_perms;
+allow portage_fetch_t portage_tmp_t:sock_file manage_sock_file_perms;
 
 read_files_pattern(portage_fetch_t, portage_conf_t, portage_conf_t)
 
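Review bot: `manage_sock_file_perms` on `portage_tmp_t` covers the agent sockets gpg creates under a temporary homedir, but only once the containing directory is already `portage_tmp_t`; if the socket is ever created directly in /tmp, a `sock_file` entry in the domain's tmp filetrans is needed as well. Please confirm which of the two applies.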
@@ -300,8 +305,10 @@ corenet_tcp_connect_all_reserved_ports(portage_fetch_t)
 corenet_tcp_connect_generic_port(portage_fetch_t)
 # bug 540056
 corenet_tcp_connect_all_unreserved_ports(portage_fetch_t)
+corenet_udp_bind_generic_node(portage_fetch_t)
+corenet_udp_bind_all_unreserved_ports(portage_fetch_t)
 
-dev_dontaudit_read_rand(portage_fetch_t)
+dev_read_rand(portage_fetch_t)
 
 domain_use_interactive_fds(portage_fetch_t)
 
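Review bot: `corenet_udp_bind_all_unreserved_ports(portage_fetch_t)` is a broad grant; if it is only there so dirmngr can do DNS lookups from within this domain, `corenet_udp_bind_generic_node` plus the resolver rules may suffice, and either way a comment stating the reason (as done with `# bug 540056` above) would keep it from looking like an accident. Turning `dev_dontaudit_read_rand` into `dev_read_rand` is expected now that gpg runs here.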
@@ -344,7 +351,13 @@ tunable_policy(`portage_read_user_content',`
 ')
 
 optional_policy(`
+   gpg_entry_type(portage_fetch_t)
gpg_exec(portage_fetch_t)
+   gpg_exec_agent(portage_fetch_t)
+')
+
+optional_policy(`
+   dirmngr_exec(portage_fetch_t)
 ')
 
 ##
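Review bot: the separate `optional_policy` block for `dirmngr_exec(portage_fetch_t)` is placed after the gpg block; refpolicy keeps optional blocks in alphabetical order by module, so it belongs above the gpg one. More substantively, executing dirmngr in `portage_fetch_t` rather than transitioning to `dirmngr_t` means key-server traffic for tree signature verification runs with the fetch domain's full permissions, mirroring the gpg decision in the first hunk; one comment covering both would make the design explicit.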



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2018-06-08 Thread Jason Zaman
commit: b984ddb5cf16162f3b1066f71d99d010ab1779a2
Author: Jason Zaman  perfinion  com>
AuthorDate: Fri Jun  8 09:09:40 2018 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Fri Jun  8 11:10:51 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b984ddb5

dirmngr: allow connecting to hkps (hkp over TLS)

 policy/modules/contrib/dirmngr.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/contrib/dirmngr.te 
b/policy/modules/contrib/dirmngr.te
index f2be3f70..983de0c6 100644
--- a/policy/modules/contrib/dirmngr.te
+++ b/policy/modules/contrib/dirmngr.te
@@ -69,10 +69,12 @@ dev_read_rand(dirmngr_t)
 
 sysnet_dns_name_resolve(dirmngr_t)
 
+corenet_tcp_connect_http_port(dirmngr_t)
 corenet_tcp_connect_pgpkeyserver_port(dirmngr_t)
 corenet_udp_bind_generic_node(dirmngr_t)
 
 files_read_etc_files(dirmngr_t)
+files_read_usr_files(dirmngr_t)
 
 miscfiles_read_localization(dirmngr_t)
 miscfiles_read_generic_certs(dirmngr_t)
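Review bot: `corenet_tcp_connect_http_port` is the right interface for hkps because the https port is part of `http_port_t` in corenetwork, even though the title says TLS. `files_read_usr_files(dirmngr_t)` is not explained by the title; if it is for certificate bundles under /usr, `miscfiles_read_generic_certs` two lines below already handles the labelled certificate store, so a comment saying what in /usr is read would help.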



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2018-06-08 Thread Jason Zaman
commit: b7f21ed3852a1688dc52dc89f2f37b85e93a0d9c
Author: Jason Zaman  perfinion  com>
AuthorDate: Fri Jun  8 11:18:05 2018 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Fri Jun  8 11:19:06 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b7f21ed3

gpg: Introduce gpg_exec_agent()

 policy/modules/contrib/gpg.if | 19 +++
 1 file changed, 19 insertions(+)

diff --git a/policy/modules/contrib/gpg.if b/policy/modules/contrib/gpg.if
index 359560f8..78efb186 100644
--- a/policy/modules/contrib/gpg.if
+++ b/policy/modules/contrib/gpg.if
@@ -123,6 +123,25 @@ interface(`gpg_spec_domtrans',`
domain_auto_transition_pattern($1, gpg_exec_t, $2)
 ')
 
+
+## 
+## Execute the gpg-agent in the caller domain.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`gpg_exec_agent',`
+   gen_require(`
+   type gpg_agent_exec_t;
+   ')
+
+   corecmd_search_bin($1)
+   can_exec($1, gpg_agent_exec_t)
+')
+
 ##
 ## 
 ## Make gpg executable files an
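Review bot: the new `gpg_exec_agent` block begins with a bare blank line rather than the `##...` separator line that precedes the next interface at the bottom of the hunk, so the documentation layout differs from its neighbours; add the separator. Otherwise the interface follows the `gpg_exec` pattern (gen_require on `gpg_agent_exec_t`, `corecmd_search_bin`, `can_exec`) and is correctly a no-transition exec.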



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2018-06-08 Thread Jason Zaman
commit: 72a1e7f19c14ef58114bfeb4510194f0cd11cc73
Author: Jason Zaman  perfinion  com>
AuthorDate: Thu Jun  7 10:28:05 2018 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Fri Jun  8 11:10:51 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=72a1e7f1

redis: add log filetrans, already had log manage

 policy/modules/contrib/redis.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/contrib/redis.te b/policy/modules/contrib/redis.te
index fda6e5b2..2c8495b6 100644
--- a/policy/modules/contrib/redis.te
+++ b/policy/modules/contrib/redis.te
@@ -39,6 +39,7 @@ allow redis_t redis_conf_t:file rw_file_perms;
 manage_dirs_pattern(redis_t, redis_log_t, redis_log_t)
 manage_files_pattern(redis_t, redis_log_t, redis_log_t)
 manage_lnk_files_pattern(redis_t, redis_log_t, redis_log_t)
+logging_log_filetrans(redis_t, redis_log_t, dir)
 
 manage_dirs_pattern(redis_t, redis_var_lib_t, redis_var_lib_t)
 manage_files_pattern(redis_t, redis_var_lib_t, redis_var_lib_t)
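Review bot: `logging_log_filetrans(redis_t, redis_log_t, dir)` only labels directories redis creates under /var/log; if redis ever creates its log file directly in /var/log rather than inside a `redis_log_t` directory, `file` needs to be in the class list too, e.g. `{ dir file }`. Please confirm which layout the Gentoo package uses before settling on `dir` alone.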



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2018-06-08 Thread Jason Zaman
commit: 42545cbd9d2a1d266e84907a669873b5b3b31ff1
Author: Jason Zaman  perfinion  com>
AuthorDate: Sun Apr 22 11:41:20 2018 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Fri Jun  8 11:10:51 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=42545cbd

colord: allow mapping usr files

 policy/modules/contrib/colord.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/contrib/colord.te b/policy/modules/contrib/colord.te
index 0236b279..ca3aae6e 100644
--- a/policy/modules/contrib/colord.te
+++ b/policy/modules/contrib/colord.te
@@ -83,6 +83,7 @@ domain_use_interactive_fds(colord_t)
 
 files_list_mnt(colord_t)
 files_read_usr_files(colord_t)
+files_map_usr_files(colord_t)
 
 fs_getattr_noxattr_fs(colord_t)
 fs_getattr_tmpfs(colord_t)



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2018-04-22 Thread Jason Zaman
commit: 00d9b0fc77f8205e1a43a484bba28acc39f039fa
Author: Jason Zaman  perfinion  com>
AuthorDate: Wed Jan 24 04:40:00 2018 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Apr 22 11:59:13 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=00d9b0fc

xdg: allow lnk_file for home xdg types (downloads, music, videos, etc)

 policy/modules/contrib/xdg.if | 10 ++
 1 file changed, 10 insertions(+)

diff --git a/policy/modules/contrib/xdg.if b/policy/modules/contrib/xdg.if
index 3188d96f..b48016a0 100644
--- a/policy/modules/contrib/xdg.if
+++ b/policy/modules/contrib/xdg.if
@@ -785,6 +785,8 @@ interface(`xdg_read_downloads_home',`
 
read_files_pattern($1, xdg_downloads_home_t, xdg_downloads_home_t)
allow $1 xdg_downloads_home_t:file map;
+   list_dirs_pattern($1, xdg_downloads_home_t, xdg_downloads_home_t)
+   read_lnk_files_pattern($1, xdg_downloads_home_t, xdg_downloads_home_t)
 
userdom_search_user_home_dirs($1)
 ')
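Review bot: this hunk also adds `list_dirs_pattern` for `xdg_downloads_home_t`, which the videos, pictures and music read interfaces below already had, so it is a consistency fix beyond the lnk_file addition in the title; fine, but worth mentioning in the commit message. Reading symlinks only exposes the link target path; following the link is still checked against the target's own label, so no extra access is granted.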
@@ -807,6 +809,7 @@ interface(`xdg_read_videos_home',`
read_files_pattern($1, xdg_videos_home_t, xdg_videos_home_t)
allow $1 xdg_videos_home_t:file map;
list_dirs_pattern($1, xdg_videos_home_t, xdg_videos_home_t)
+   read_lnk_files_pattern($1, xdg_videos_home_t, xdg_videos_home_t)
 
userdom_search_user_home_dirs($1)
 ')
@@ -829,6 +832,7 @@ interface(`xdg_read_pictures_home',`
read_files_pattern($1, xdg_pictures_home_t, xdg_pictures_home_t)
allow $1 xdg_pictures_home_t:file map;
list_dirs_pattern($1, xdg_pictures_home_t, xdg_pictures_home_t)
+   read_lnk_files_pattern($1, xdg_pictures_home_t, xdg_pictures_home_t)
 
userdom_search_user_home_dirs($1)
 ')
@@ -851,6 +855,7 @@ interface(`xdg_read_music_home',`
read_files_pattern($1, xdg_music_home_t, xdg_music_home_t)
allow $1 xdg_music_home_t:file map;
list_dirs_pattern($1, xdg_music_home_t, xdg_music_home_t)
+   read_lnk_files_pattern($1, xdg_music_home_t, xdg_music_home_t)
 
userdom_search_user_home_dirs($1)
 ')
@@ -914,6 +919,7 @@ interface(`xdg_manage_downloads_home',`
 
manage_dirs_pattern($1, xdg_downloads_home_t, xdg_downloads_home_t)
manage_files_pattern($1, xdg_downloads_home_t, xdg_downloads_home_t)
+   manage_lnk_files_pattern($1, xdg_downloads_home_t, xdg_downloads_home_t)
allow $1 xdg_downloads_home_t:file map;
 ')
 
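Review bot: granting `manage_lnk_files_pattern` on the xdg home types lets the caller create symlinks inside those directories pointing anywhere; that is safe only because access through the link is checked against the target's label, which remains the case here. The same consideration applies to the other four manage interfaces changed below and is worth one sentence in the commit message.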
@@ -934,6 +940,7 @@ interface(`xdg_manage_documents_home',`
 
manage_dirs_pattern($1, xdg_documents_home_t, xdg_documents_home_t)
manage_files_pattern($1, xdg_documents_home_t, xdg_documents_home_t)
+   manage_lnk_files_pattern($1, xdg_documents_home_t, xdg_documents_home_t)
allow $1 xdg_documents_home_t:file map;
 ')
 
@@ -954,6 +961,7 @@ interface(`xdg_manage_music_home',`
 
manage_dirs_pattern($1, xdg_music_home_t, xdg_music_home_t)
manage_files_pattern($1, xdg_music_home_t, xdg_music_home_t)
+   manage_lnk_files_pattern($1, xdg_music_home_t, xdg_music_home_t)
allow $1 xdg_music_home_t:file map;
 ')
 
@@ -974,6 +982,7 @@ interface(`xdg_manage_pictures_home',`
 
manage_dirs_pattern($1, xdg_pictures_home_t, xdg_pictures_home_t)
manage_files_pattern($1, xdg_pictures_home_t, xdg_pictures_home_t)
+   manage_lnk_files_pattern($1, xdg_pictures_home_t, xdg_pictures_home_t)
allow $1 xdg_pictures_home_t:file map;
 ')
 
@@ -994,5 +1003,6 @@ interface(`xdg_manage_videos_home',`
 
manage_dirs_pattern($1, xdg_videos_home_t, xdg_videos_home_t)
manage_files_pattern($1, xdg_videos_home_t, xdg_videos_home_t)
+   manage_lnk_files_pattern($1, xdg_videos_home_t, xdg_videos_home_t)
allow $1 xdg_videos_home_t:file map;
 ')
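Review bot: manage_lnk_files_pattern in this hunk (and the four manage hunks above it) lets the caller create, rename and delete symlinks in the XDG directory, not only read them. Because the kernel resolves a link's target by the target's label rather than the link's, a domain planting a link in ~/Videos gains nothing on the target side, so the rule is safe at this granularity; still, `allow $1 xdg_videos_home_t:file map;` remains file-only, which is correct since lnk_file has no map permission, and the interface summary should mention symlinks so xdg_manage_*_home callers know they receive link management as well.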



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2018-04-22 Thread Jason Zaman
commit: 7d5664f48f42b70d705bb3abbafe23d372918985
Author: Chris PeBenito  ieee  org>
AuthorDate: Thu Apr 12 23:11:25 2018 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Apr 22 11:53:59 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7d5664f4

gnome, ifplugd, mozilla, mta, samba, virt: Module version bump.

 policy/modules/contrib/gnome.te   | 2 +-
 policy/modules/contrib/ifplugd.te | 2 +-
 policy/modules/contrib/mozilla.te | 2 +-
 policy/modules/contrib/mta.te | 2 +-
 policy/modules/contrib/samba.te   | 2 +-
 policy/modules/contrib/virt.te| 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te
index 39b5ed5d..84b65163 100644
--- a/policy/modules/contrib/gnome.te
+++ b/policy/modules/contrib/gnome.te
@@ -1,4 +1,4 @@
-policy_module(gnome, 2.9.0)
+policy_module(gnome, 2.9.1)
 
 ##
 #

diff --git a/policy/modules/contrib/ifplugd.te 
b/policy/modules/contrib/ifplugd.te
index 78bcd143..14180ac6 100644
--- a/policy/modules/contrib/ifplugd.te
+++ b/policy/modules/contrib/ifplugd.te
@@ -1,4 +1,4 @@
-policy_module(ifplugd, 1.4.0)
+policy_module(ifplugd, 1.4.1)
 
 
 #

diff --git a/policy/modules/contrib/mozilla.te 
b/policy/modules/contrib/mozilla.te
index b17ab878..0780d14b 100644
--- a/policy/modules/contrib/mozilla.te
+++ b/policy/modules/contrib/mozilla.te
@@ -1,4 +1,4 @@
-policy_module(mozilla, 2.13.0)
+policy_module(mozilla, 2.13.1)
 
 
 #

diff --git a/policy/modules/contrib/mta.te b/policy/modules/contrib/mta.te
index 01183ef1..b64e2322 100644
--- a/policy/modules/contrib/mta.te
+++ b/policy/modules/contrib/mta.te
@@ -1,4 +1,4 @@
-policy_module(mta, 2.10.1)
+policy_module(mta, 2.10.2)
 
 
 #

diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
index e388e822..6a0978b2 100644
--- a/policy/modules/contrib/samba.te
+++ b/policy/modules/contrib/samba.te
@@ -1,4 +1,4 @@
-policy_module(samba, 1.22.1)
+policy_module(samba, 1.22.2)
 
 #
 #

diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 73d53004..76629885 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1,4 +1,4 @@
-policy_module(virt, 1.13.0)
+policy_module(virt, 1.13.1)
 
 
 #



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2018-04-22 Thread Jason Zaman
commit: bd2b8d19d0ad21719a31065a325e8bf083dc623f
Author: Jason Zaman  perfinion  com>
AuthorDate: Thu Apr 12 11:38:05 2018 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Apr 22 11:53:59 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=bd2b8d19

mta: Add msmtp fcontexts and allow ssl certs

 policy/modules/contrib/mta.fc | 3 +++
 policy/modules/contrib/mta.te | 1 +
 2 files changed, 4 insertions(+)

diff --git a/policy/modules/contrib/mta.fc b/policy/modules/contrib/mta.fc
index ace4a1f1..66634b0c 100644
--- a/policy/modules/contrib/mta.fc
+++ b/policy/modules/contrib/mta.fc
@@ -2,6 +2,7 @@ HOME_DIR/\.esmtp_queue  --  
gen_context(system_u:object_r:mail_home_t,s0)
 HOME_DIR/\.forward[^/]*--  
gen_context(system_u:object_r:mail_home_t,s0)
 HOME_DIR/dead\.letter  --  gen_context(system_u:object_r:mail_home_t,s0)
 HOME_DIR/\.mailrc  --  gen_context(system_u:object_r:mail_home_t,s0)
+HOME_DIR/\.msmtprc --  gen_context(system_u:object_r:mail_home_t,s0)
 HOME_DIR/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
 HOME_DIR/DovecotMail(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
 HOME_DIR/\.maildir(/.*)?   gen_context(system_u:object_r:mail_home_rw_t,s0)
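Review bot: ~/.msmtprc is where msmtp keeps SMTP account credentials (msmtp refuses to start if a file containing passwords is readable by group or others), so labelling it mail_home_t makes those credentials readable by every domain that is granted mail_home_t read access, the same set that already reads .forward and .mailrc above. That matches the existing .esmtp_queue entry, so it is consistent, but it deserves a sentence in the commit message stating that the credential file is intentionally sharing the mail_home_t label rather than getting a narrower type.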
@@ -10,10 +11,12 @@ HOME_DIR/\.maildir(/.*)?
gen_context(system_u:object_r:mail_home_rw_t,s0)
 /etc/aliases\.db   --  gen_context(system_u:object_r:etc_aliases_t,s0)
 /etc/mail(/.*)?gen_context(system_u:object_r:etc_mail_t,s0)
 /etc/mail/aliases.*--  gen_context(system_u:object_r:etc_aliases_t,s0)
+/etc/msmtprc   --  gen_context(system_u:object_r:etc_mail_t,s0)
 /etc/postfix/aliases.* --  gen_context(system_u:object_r:etc_aliases_t,s0)
 
 /usr/bin/esmtp --  gen_context(system_u:object_r:sendmail_exec_t,s0)
 /usr/bin/mail(x)?  --  
gen_context(system_u:object_r:sendmail_exec_t,s0)
+/usr/bin/msmtp --  gen_context(system_u:object_r:sendmail_exec_t,s0)
 /usr/bin/rmail --  gen_context(system_u:object_r:sendmail_exec_t,s0)
 /usr/bin/sendmail\.postfix --  
gen_context(system_u:object_r:sendmail_exec_t,s0)
 /usr/bin/sendmail(\.sendmail)? --  
gen_context(system_u:object_r:sendmail_exec_t,s0)
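Review bot: labelling /usr/bin/msmtp as sendmail_exec_t means every domain with an MTA domain transition will now transition into a mail domain when it executes msmtp, which is what makes the miscfiles_read_all_certs addition in mta.te necessary; those two hunks belong together and the message should say so. The system-wide /etc/msmtprc labelled etc_mail_t can also hold account passwords, and etc_mail_t is readable by a wider set of domains than the per-user file, so administrators relying on this entry should keep credentials out of the system file.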

diff --git a/policy/modules/contrib/mta.te b/policy/modules/contrib/mta.te
index 996c1fb5..01183ef1 100644
--- a/policy/modules/contrib/mta.te
+++ b/policy/modules/contrib/mta.te
@@ -109,6 +109,7 @@ init_dontaudit_rw_utmp(user_mail_domain)
 
 logging_send_syslog_msg(user_mail_domain)
 
+miscfiles_read_all_certs(user_mail_domain)
 miscfiles_read_localization(user_mail_domain)
 
 tunable_policy(`use_samba_home_dirs',`
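Review bot: miscfiles_read_all_certs grants read on every type carrying the cert_type attribute, which covers service-specific certificate types and not only the generic cert_t store; if msmtp only needs the CA bundle to verify the server certificate for TLS, miscfiles_read_generic_certs(user_mail_domain) is the narrower rule. Note also that the rule is applied to the user_mail_domain attribute, so every user mail client domain gains the access, not just the msmtp case this commit is about.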



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2018-04-22 Thread Jason Zaman
commit: c5a0ff1ec0997bf6887ccdf1620c7630d49675ed
Author: Jason Zaman  perfinion  com>
AuthorDate: Thu Apr 12 11:38:06 2018 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Apr 22 11:53:59 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c5a0ff1e

virt: Add netlink socket and filetrans

 policy/modules/contrib/virt.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index dd4ae9b5..73d53004 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -475,6 +475,7 @@ allow virtd_t self:tcp_socket { accept listen };
 allow virtd_t self:tun_socket { create_socket_perms relabelfrom relabelto };
 allow virtd_t self:rawip_socket create_socket_perms;
 allow virtd_t self:packet_socket create_socket_perms;
+allow virtd_t self:netlink_generic_socket create_socket_perms;
 allow virtd_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow virtd_t self:netlink_route_socket nlmsg_write;
 
@@ -493,6 +494,7 @@ domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t)
 
 manage_dirs_pattern(virtd_t, virt_cache_t, virt_cache_t)
 manage_files_pattern(virtd_t, virt_cache_t, virt_cache_t)
+files_var_filetrans(virtd_t, virt_cache_t, { file dir })
 
 manage_dirs_pattern(virtd_t, virt_content_t, virt_content_t)
 manage_files_pattern(virtd_t, virt_content_t, virt_content_t)
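Review bot: files_var_filetrans(virtd_t, virt_cache_t, { file dir }) is an unnamed transition, so any file or directory virtd_t creates directly under a var_t directory becomes virt_cache_t, not only the libvirt cache directory. refpolicy's files_var_filetrans accepts an optional fourth argument naming the object; passing the cache directory's name (presumably "libvirt", an assumption since the matching fc entry is not in this patch) would confine the transition to that one name.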



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2018-04-22 Thread Jason Zaman
commit: 7d890102e3a63b001659d6ae6a636007831cc7ca
Author: Scall  prosemail  net>
AuthorDate: Thu Apr 12 11:38:02 2018 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Apr 22 11:53:03 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7d890102

Fix /run/samba context generated by samba init script

 policy/modules/contrib/samba.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
index c4a2eea4..e388e822 100644
--- a/policy/modules/contrib/samba.te
+++ b/policy/modules/contrib/samba.te
@@ -114,7 +114,7 @@ init_daemon_domain(nmbd_t, nmbd_exec_t)
 
 type samba_var_run_t;
 typealias samba_var_run_t alias { nmbd_var_run_t smbd_var_run_t };
-files_pid_file(samba_var_run_t)
+init_daemon_pid_file(samba_var_run_t, dir, "samba")
 
 type samba_etc_t;
 files_config_file(samba_etc_t)



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2018-04-22 Thread Jason Zaman
commit: 1870ca3149fcec38e799cc567cf88daccc20fba5
Author: Jason Zaman  perfinion  com>
AuthorDate: Thu Apr 12 11:38:03 2018 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Apr 22 11:53:59 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1870ca31

gnome: add fcontext gconf_tmp_t for /run/user/%{USERID}/dconf

 policy/modules/contrib/gnome.fc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/contrib/gnome.fc b/policy/modules/contrib/gnome.fc
index fa478dc8..90e46cd2 100644
--- a/policy/modules/contrib/gnome.fc
+++ b/policy/modules/contrib/gnome.fc
@@ -20,6 +20,7 @@ HOME_DIR/orcexec\..*  
gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
 
 /run/user/%{USERID}/keyring(/.*)?  
gen_context(system_u:object_r:gnome_keyring_tmp_t,s0)
 /run/user/[^/]*/orcexec\..*--  
gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
+/run/user/%{USERID}/dconf(/.*)?
gen_context(system_u:object_r:gconf_tmp_t,s0)
 /run/user/%{USERID}/orcexec\..*--  
gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
 
 ifdef(`distro_gentoo',`



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2018-04-22 Thread Jason Zaman
commit: 75d0432cdaaf2c2626d5e03c2838b676ab7ff2c7
Author: James Carter  tycho  nsa  gov>
AuthorDate: Wed Apr 11 18:56:31 2018 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Apr 22 11:53:03 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=75d0432c

Remove unnecessary semicolons

Removed unnecessary semicolons in alsa.te, evolution.if, and qemu.te.

Signed-off-by: James Carter  tycho.nsa.gov>

 policy/modules/contrib/alsa.te  | 2 +-
 policy/modules/contrib/evolution.if | 2 +-
 policy/modules/contrib/qemu.te  | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/policy/modules/contrib/alsa.te b/policy/modules/contrib/alsa.te
index 6caddbc8..e7943397 100644
--- a/policy/modules/contrib/alsa.te
+++ b/policy/modules/contrib/alsa.te
@@ -73,7 +73,7 @@ manage_dirs_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
 manage_files_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
 
 allow alsa_t alsa_var_lock_t:file manage_file_perms;
-files_lock_filetrans(alsa_t, alsa_var_lock_t, file);
+files_lock_filetrans(alsa_t, alsa_var_lock_t, file)
 
 kernel_read_system_state(alsa_t)
 

diff --git a/policy/modules/contrib/evolution.if 
b/policy/modules/contrib/evolution.if
index 43194431..32cc77f2 100644
--- a/policy/modules/contrib/evolution.if
+++ b/policy/modules/contrib/evolution.if
@@ -224,5 +224,5 @@ interface(`evolution_domtrans',`
')
 
corecmd_search_bin($1)
-   domtrans_pattern($1, evolution_exec_t, evolution_t);
+   domtrans_pattern($1, evolution_exec_t, evolution_t)
 ')

diff --git a/policy/modules/contrib/qemu.te b/policy/modules/contrib/qemu.te
index 0fe74b0f..6bdd0acc 100644
--- a/policy/modules/contrib/qemu.te
+++ b/policy/modules/contrib/qemu.te
@@ -26,7 +26,7 @@ type qemu_unit_t;
 init_unit_file(qemu_unit_t)
 
 type qemu_var_run_t;
-files_pid_file(qemu_var_run_t);
+files_pid_file(qemu_var_run_t)
 
 
 #



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2018-04-22 Thread Jason Zaman
commit: d24f33d87d25b3022b46807b9a94d80883eeb67e
Author: James Carter  tycho  nsa  gov>
AuthorDate: Wed Apr 11 18:56:33 2018 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Apr 22 11:53:03 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d24f33d8

Add unused parameter and mark as unused

Added unused parameters and marked them as unused in the interfaces
listed below.

setroubleshoot.if:setroubleshoot_admin()
tftp.if:tftp_admin()

Signed-off-by: James Carter  tycho.nsa.gov>

 policy/modules/contrib/setroubleshoot.if | 5 +
 policy/modules/contrib/tftp.if   | 5 +
 2 files changed, 10 insertions(+)

diff --git a/policy/modules/contrib/setroubleshoot.if 
b/policy/modules/contrib/setroubleshoot.if
index 800b545e..f7d788b8 100644
--- a/policy/modules/contrib/setroubleshoot.if
+++ b/policy/modules/contrib/setroubleshoot.if
@@ -133,6 +133,11 @@ interface(`setroubleshoot_dbus_chat_fixit',`
 ## Domain allowed access.
 ## 
 ## 
+## 
+## 
+## Role allowed access.
+## 
+## 
 ## 
 #
 interface(`setroubleshoot_admin',`

diff --git a/policy/modules/contrib/tftp.if b/policy/modules/contrib/tftp.if
index 9957e300..dae82eb7 100644
--- a/policy/modules/contrib/tftp.if
+++ b/policy/modules/contrib/tftp.if
@@ -156,6 +156,11 @@ interface(`tftp_filetrans_tftpdir',`
 ## Domain allowed access.
 ## 
 ## 
+## 
+## 
+## Role allowed access.
+## 
+## 
 ## 
 #
 interface(`tftp_admin',`



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2018-04-22 Thread Jason Zaman
commit: d43361d53192784e92754e6d076032fec77490b5
Author: Chris PeBenito  ieee  org>
AuthorDate: Thu Apr 12 22:49:03 2018 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Apr 22 11:53:03 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d43361d5

Module version bumps for patches from James Carter.

 policy/modules/contrib/accountsd.te  | 2 +-
 policy/modules/contrib/alsa.te   | 2 +-
 policy/modules/contrib/apache.te | 2 +-
 policy/modules/contrib/bugzilla.te   | 2 +-
 policy/modules/contrib/ccs.te| 2 +-
 policy/modules/contrib/cfengine.te   | 2 +-
 policy/modules/contrib/cobbler.te| 2 +-
 policy/modules/contrib/cron.te   | 2 +-
 policy/modules/contrib/cups.te   | 2 +-
 policy/modules/contrib/dbus.te   | 2 +-
 policy/modules/contrib/devicekit.te  | 2 +-
 policy/modules/contrib/djbdns.te | 2 +-
 policy/modules/contrib/dspam.te  | 2 +-
 policy/modules/contrib/evolution.te  | 2 +-
 policy/modules/contrib/firewalld.te  | 2 +-
 policy/modules/contrib/ftp.te| 2 +-
 policy/modules/contrib/kismet.te | 2 +-
 policy/modules/contrib/lsm.te| 2 +-
 policy/modules/contrib/mojomojo.te   | 2 +-
 policy/modules/contrib/mta.te| 2 +-
 policy/modules/contrib/obex.te   | 2 +-
 policy/modules/contrib/plymouthd.te  | 2 +-
 policy/modules/contrib/portage.te| 2 +-
 policy/modules/contrib/qemu.te   | 2 +-
 policy/modules/contrib/rabbitmq.te   | 2 +-
 policy/modules/contrib/rpm.te| 2 +-
 policy/modules/contrib/rsync.te  | 2 +-
 policy/modules/contrib/samba.te  | 2 +-
 policy/modules/contrib/samhain.te| 2 +-
 policy/modules/contrib/sectoolm.te   | 2 +-
 policy/modules/contrib/sendmail.te   | 2 +-
 policy/modules/contrib/setroubleshoot.te | 2 +-
 policy/modules/contrib/shorewall.te  | 2 +-
 policy/modules/contrib/sosreport.te  | 2 +-
 policy/modules/contrib/sssd.te   | 2 +-
 policy/modules/contrib/tftp.te   | 2 +-
 policy/modules/contrib/wm.te | 2 +-
 37 files changed, 37 insertions(+), 37 deletions(-)

diff --git a/policy/modules/contrib/accountsd.te 
b/policy/modules/contrib/accountsd.te
index abd51292..5ae5fa50 100644
--- a/policy/modules/contrib/accountsd.te
+++ b/policy/modules/contrib/accountsd.te
@@ -1,4 +1,4 @@
-policy_module(accountsd, 1.2.0)
+policy_module(accountsd, 1.2.1)
 
 gen_require(`
class passwd all_passwd_perms;

diff --git a/policy/modules/contrib/alsa.te b/policy/modules/contrib/alsa.te
index e7943397..008b6d25 100644
--- a/policy/modules/contrib/alsa.te
+++ b/policy/modules/contrib/alsa.te
@@ -1,4 +1,4 @@
-policy_module(alsa, 1.18.0)
+policy_module(alsa, 1.18.1)
 
 
 #

diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index ad74e5cb..f04ba5c3 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -1,4 +1,4 @@
-policy_module(apache, 2.14.0)
+policy_module(apache, 2.14.1)
 
 
 #

diff --git a/policy/modules/contrib/bugzilla.te 
b/policy/modules/contrib/bugzilla.te
index 18623e39..1ff9613f 100644
--- a/policy/modules/contrib/bugzilla.te
+++ b/policy/modules/contrib/bugzilla.te
@@ -1,4 +1,4 @@
-policy_module(bugzilla, 1.1.0)
+policy_module(bugzilla, 1.1.1)
 
 
 #

diff --git a/policy/modules/contrib/ccs.te b/policy/modules/contrib/ccs.te
index 84eab68b..12865a83 100644
--- a/policy/modules/contrib/ccs.te
+++ b/policy/modules/contrib/ccs.te
@@ -1,4 +1,4 @@
-policy_module(ccs, 1.11.0)
+policy_module(ccs, 1.11.1)
 
 
 #

diff --git a/policy/modules/contrib/cfengine.te 
b/policy/modules/contrib/cfengine.te
index be8509b5..18ffc278 100644
--- a/policy/modules/contrib/cfengine.te
+++ b/policy/modules/contrib/cfengine.te
@@ -1,4 +1,4 @@
-policy_module(cfengine, 1.3.0)
+policy_module(cfengine, 1.3.1)
 
 
 #

diff --git a/policy/modules/contrib/cobbler.te 
b/policy/modules/contrib/cobbler.te
index a3a4453a..5e8425c1 100644
--- a/policy/modules/contrib/cobbler.te
+++ b/policy/modules/contrib/cobbler.te
@@ -1,4 +1,4 @@
-policy_module(cobbler, 1.3.0)
+policy_module(cobbler, 1.3.1)
 
 
 #

diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te
index 5ff3277a..6564d0cd 100644
--- a/policy/modules/contrib/cron.te
+++ b/policy/modules/contrib/cron.te
@@ -1,4 +1,4 @@
-policy_module(cron, 2.13.0)
+policy_module(cron, 2.13.1)
 
 gen_require(`
class passwd rootok;

diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te
index 0719ef4f..ce2694e2 100644
--- a/policy/modules/contrib/cups.te
+++ b/policy/modules/contrib/cups.te
@@ -1,4 +1,4 @@
-policy_module(cups, 1.22.0)

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2018-04-22 Thread Jason Zaman
commit: a84cf781659c60e5684f8759e85d9a9267a13c87
Author: James Carter  tycho  nsa  gov>
AuthorDate: Wed Apr 11 18:56:34 2018 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Apr 22 11:53:03 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a84cf781

Remove use of undeclared attribute from portage.te

Removed two dontaudit rules that referred to device_type.

This attribute was not declared in policy and its only use was in a
TODO ifdef block in portage.te.

Signed-off-by: James Carter  tycho.nsa.gov>

 policy/modules/contrib/portage.te | 2 --
 1 file changed, 2 deletions(-)

diff --git a/policy/modules/contrib/portage.te 
b/policy/modules/contrib/portage.te
index 224eedc0..b033e44f 100644
--- a/policy/modules/contrib/portage.te
+++ b/policy/modules/contrib/portage.te
@@ -241,8 +241,6 @@ ifdef(`TODO',`
 # seems to work ok without these
 dontaudit portage_t device_t:{ blk_file chr_file } getattr;
 dontaudit portage_t proc_t:dir setattr_dir_perms;
-dontaudit portage_t device_type:chr_file read_chr_file_perms;
-dontaudit portage_t device_type:blk_file read_blk_file_perms;
 ')
 
 ##



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2018-04-22 Thread Jason Zaman
commit: 31c5b9a3d82c234e5a2423a9cf49d09e474aa218
Author: James Carter  tycho  nsa  gov>
AuthorDate: Wed Apr 11 18:57:12 2018 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Apr 22 11:53:03 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=31c5b9a3

Fix interfaces that use an undeclared identifier

All the interfaces below were always being removed because of unmet requires.

ccs.if:ccs_admin()
  Use cluster_conf_t instead of ccs_conf_t.
  Called in roles/sysadm.te.

cfengine.if:cfengine_dontaudit_write_log_files()
  Use cfengine_log_t instead of cfengine_var_log_t.
  Called in contrib/sendmail.te.

cobbler.if:cobbler_admin()
  Use cobbler_content_t instead of httpd_cobbler_content_t,
  httpd_cobbler_content_ra_t, and httpd_cobbler_content_rw_t.
  Called in roles/sysadm.te.

cron.if:cron_manage_system_spool()
  Use system_cron_spool_t instead of cron_system_spool_t.
  Called in system/init.te.

rpm.if:rpm_admin()
  Use rpm_var_cache_t instead of rpm_cache_t.
  Called in roles/sysadm.te

sssd.if:sssd_admin()
  Use sssd_var_log_t instead of sssd_log_t.
  Called in roles/sysadm.te

Signed-off-by: James Carter  tycho.nsa.gov>

 policy/modules/contrib/ccs.if  | 4 ++--
 policy/modules/contrib/cfengine.if | 4 ++--
 policy/modules/contrib/cobbler.if  | 6 +++---
 policy/modules/contrib/cron.if | 4 ++--
 policy/modules/contrib/rpm.if  | 4 ++--
 policy/modules/contrib/sssd.if | 4 ++--
 6 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/policy/modules/contrib/ccs.if b/policy/modules/contrib/ccs.if
index 92f67fa4..767fb712 100644
--- a/policy/modules/contrib/ccs.if
+++ b/policy/modules/contrib/ccs.if
@@ -99,7 +99,7 @@ interface(`ccs_admin',`
gen_require(`
type ccs_t, ccs_initrc_exec_t, cluster_conf_t;
type ccs_var_lib_t, ccs_var_log_t;
-   type ccs_var_run_t, ccs_tmp_t, ccs_conf_t;
+   type ccs_var_run_t, ccs_tmp_t;
')
 
allow $1 ccs_t:process { ptrace signal_perms };
@@ -108,7 +108,7 @@ interface(`ccs_admin',`
init_startstop_service($1, $2, ccs_t, ccs_initrc_exec_t)
 
files_search_etc($1)
-   admin_pattern($1, ccs_conf_t)
+   admin_pattern($1, cluster_conf_t)
 
files_search_var_lib($1)
admin_pattern($1, ccs_var_lib_t)

diff --git a/policy/modules/contrib/cfengine.if 
b/policy/modules/contrib/cfengine.if
index fdef5f34..ff0b0038 100644
--- a/policy/modules/contrib/cfengine.if
+++ b/policy/modules/contrib/cfengine.if
@@ -65,10 +65,10 @@ interface(`cfengine_read_lib_files',`
 #
 interface(`cfengine_dontaudit_write_log_files',`
gen_require(`
-   type cfengine_var_log_t;
+   type cfengine_log_t;
')
 
-   dontaudit $1 cfengine_var_log_t:file write_file_perms;
+   dontaudit $1 cfengine_log_t:file write_file_perms;
 ')
 
 

diff --git a/policy/modules/contrib/cobbler.if 
b/policy/modules/contrib/cobbler.if
index 40f89990..6c6b5757 100644
--- a/policy/modules/contrib/cobbler.if
+++ b/policy/modules/contrib/cobbler.if
@@ -154,8 +154,8 @@ interface(`cobbler_manage_lib_files',`
 interface(`cobbler_admin',`
gen_require(`
type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t;
-   type cobbler_etc_t, cobblerd_initrc_exec_t, 
httpd_cobbler_content_t;
-   type httpd_cobbler_content_ra_t, httpd_cobbler_content_rw_t, 
cobbler_tmp_t;
+   type cobbler_etc_t, cobblerd_initrc_exec_t, cobbler_content_t;
+   type cobbler_tmp_t;
')
 
allow $1 cobblerd_t:process { ptrace signal_perms };
@@ -176,5 +176,5 @@ interface(`cobbler_admin',`
admin_pattern($1, cobbler_var_log_t)
 
apache_search_sys_content($1)
-   admin_pattern($1, { httpd_cobbler_content_t httpd_cobbler_content_ra_t 
httpd_cobbler_content_rw_t })
+   admin_pattern($1, cobbler_content_t)
 ')

diff --git a/policy/modules/contrib/cron.if b/policy/modules/contrib/cron.if
index 7bb5d6e6..7bb6065b 100644
--- a/policy/modules/contrib/cron.if
+++ b/policy/modules/contrib/cron.if
@@ -696,11 +696,11 @@ interface(`cron_use_system_job_fds',`
 #
 interface(`cron_manage_system_spool',`
gen_require(`
-   type cron_system_spool_t;
+   type system_cron_spool_t;
')
 
files_search_spool($1)
-   manage_files_pattern($1, cron_system_spool_t, cron_system_spool_t)
+   manage_files_pattern($1, system_cron_spool_t, system_cron_spool_t)
 ')
 
 

diff --git a/policy/modules/contrib/rpm.if b/policy/modules/contrib/rpm.if
index 016cdb2a..d316410d 100644
--- a/policy/modules/contrib/rpm.if
+++ b/policy/modules/contrib/rpm.if
@@ -613,7 +613,7 @@ interface(`rpm_pid_filetrans_rpm_pid',`
 interface(`rpm_admin',`
gen_require(`
type rpm_t, rpm_script_t, rpm_initrc_exec_t;
-   type 

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2018-04-22 Thread Jason Zaman
commit: 09027956501013a775b57369b819fa2d10ee79b2
Author: James Carter  tycho  nsa  gov>
AuthorDate: Wed Apr 11 18:57:19 2018 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Apr 22 11:53:03 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=09027956

Removed call to deprecated interface xserver_manage_xdm_spool_files()

The interface xserver_manage_xdm_spool_files() used the undeclared
type xdm_spool_t and was deprecated.

Removed the call to xserver_manage_xdm_spool_files() in plymouthd.te
which means that the call to xserver_read_xdm_state() which was
in the same optional block will now be in the policy.

Signed-off-by: James Carter  tycho.nsa.gov>

 policy/modules/contrib/plymouthd.te | 1 -
 1 file changed, 1 deletion(-)

diff --git a/policy/modules/contrib/plymouthd.te 
b/policy/modules/contrib/plymouthd.te
index 89000ec9..5e390e03 100644
--- a/policy/modules/contrib/plymouthd.te
+++ b/policy/modules/contrib/plymouthd.te
@@ -92,7 +92,6 @@ optional_policy(`
 ')
 
 optional_policy(`
-   xserver_manage_xdm_spool_files(plymouthd_t)
xserver_read_xdm_state(plymouthd_t)
 ')
 



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2018-04-22 Thread Jason Zaman
commit: 0970480bdaa803f0540b597b5f386cc77461dccb
Author: James Carter  tycho  nsa  gov>
AuthorDate: Wed Apr 11 18:56:35 2018 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Apr 22 11:53:03 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0970480b

Move use of httpd_t from mojomojo.te to apache.te

The type httpd_t is actually declared in apache.te.

Created apache.if:apache_rw_stream_sockets() which allows
reading and writing unix domain stream sockets labeled httpd_t.

Modified mojomojo.te to use the new interface instead of
This is needed by the module mojomojo which had been referring to
httpd_t directly.

Signed-off-by: James Carter  tycho.nsa.gov>

 policy/modules/contrib/apache.if   | 19 +++
 policy/modules/contrib/mojomojo.te |  2 +-
 2 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/policy/modules/contrib/apache.if b/policy/modules/contrib/apache.if
index 135e2f51..94878d66 100644
--- a/policy/modules/contrib/apache.if
+++ b/policy/modules/contrib/apache.if
@@ -371,6 +371,25 @@ interface(`apache_dontaudit_rw_stream_sockets',`
dontaudit $1 httpd_t:unix_stream_socket { read write };
 ')
 
+
+## 
+## Read and write httpd unix domain
+##  stream sockets.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`apache_rw_stream_sockets',`
+   gen_require(`
+   type httpd_t;
+   ')
+
+   allow $1 httpd_t:unix_stream_socket rw_stream_socket_perms;
+')
+
 
 ## 
 ## Do not audit attempts to read and
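Review bot: the summary says "Read and write" but rw_stream_socket_perms is wider than the { read write } used by the dontaudit interface just above: it also includes bind, connect, getopt, setopt, shutdown and the getattr/setattr/ioctl permissions. That preserves exactly the raw rule mojomojo.te had, so it is not a regression, but either the summary should say the interface grants the full rw set or the body should drop to { read write } once mojomojo's actual needs have been confirmed against audit logs.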

diff --git a/policy/modules/contrib/mojomojo.te 
b/policy/modules/contrib/mojomojo.te
index 8f4d4779..ea853ce1 100644
--- a/policy/modules/contrib/mojomojo.te
+++ b/policy/modules/contrib/mojomojo.te
@@ -12,7 +12,7 @@ apache_content_template(mojomojo)
 # Local policy
 #
 
-allow httpd_mojomojo_script_t httpd_t:unix_stream_socket 
rw_stream_socket_perms;
+apache_rw_stream_sockets(httpd_mojomojo_script_t)
 
 corenet_sendrecv_smtp_client_packets(httpd_mojomojo_script_t)
 corenet_tcp_connect_smtp_port(httpd_mojomojo_script_t)



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2018-04-22 Thread Jason Zaman
commit: 22db9ffa981508adc52f3751fb285cce44f98c29
Author: James Carter  tycho  nsa  gov>
AuthorDate: Wed Apr 11 18:56:38 2018 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Apr 22 11:53:03 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=22db9ffa

Remove undeclared identifiers from shorewall interfaces

Both shorewall_read_pid_files() and shorewall_rw_pid_files() use the
undeclared type shorewall_var_run_t. Removed statements referring to this
type and marked the interfaces as deprecated because they no longer do
anything useful.

Neither interface is called in the policy.

Signed-off-by: James Carter  tycho.nsa.gov>

 policy/modules/contrib/shorewall.if | 18 --
 1 file changed, 4 insertions(+), 14 deletions(-)

diff --git a/policy/modules/contrib/shorewall.if 
b/policy/modules/contrib/shorewall.if
index 108ce759..119ba279 100644
--- a/policy/modules/contrib/shorewall.if
+++ b/policy/modules/contrib/shorewall.if
@@ -62,38 +62,28 @@ interface(`shorewall_read_config',`
 ## 
 ## Read shorewall pid files.
 ## 
-## 
+## 
 ## 
 ## Domain allowed access.
 ## 
 ## 
 #
 interface(`shorewall_read_pid_files',`
-   gen_require(`
-   type shorewall_var_run_t;
-   ')
-
-   files_search_pids($1)
-   read_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t)
+   refpolicywarn(`$0($*) has been deprecated')
 ')
 
 ###
 ## 
 ## Read and write shorewall pid files.
 ## 
-## 
+## 
 ## 
 ## Domain allowed access.
 ## 
 ## 
 #
 interface(`shorewall_rw_pid_files',`
-   gen_require(`
-   type shorewall_var_run_t;
-   ')
-
-   files_search_pids($1)
-   rw_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t)
+   refpolicywarn(`$0($*) has been deprecated')
 ')
 
 ##
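Review bot: marking both interfaces deprecated with refpolicywarn is the right fix for an undeclared type, but the summaries left as context ("Read shorewall pid files." and "Read and write shorewall pid files.") now describe access the interfaces no longer grant; the summary text should be changed to say the interface is deprecated and does nothing, so the generated interface documentation agrees with the warning callers will see.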



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2018-04-22 Thread Jason Zaman
commit: 9e9a550bda8bd26f72427991d261486faa7d8461
Author: James Carter  tycho  nsa  gov>
AuthorDate: Wed Apr 11 18:57:04 2018 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Apr 22 11:53:03 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9e9a550b

Fix typos in identifier names

The interfaces djbdns_link_tinydns_keys(), firewalld_admin(),
tftp_etc_filetrans_config(), and wm_write_pipes() were
always being removed because of unmet requires.

In djbdns.if:djbdns_link_tinydns_keys()
  djbdns_tinydn_t should be djbdns_tinydns_t
  Called in contrib/cron.te

In firewalld.if:firewalld_admin()

  firewall_etc_rw_t should be firewalld_etc_rw_t
  Called in roles/sysadm.te

In ftp.te:
  tcpd_t should be ftpd_t

In tftp.if:tftp_etc_filetrans_config()
  tftp_conf_t should be tftpd_conf_t
  Called in contrib/cobbler.te

In wm.if:wm_write_pipes()
  $_t should be $1_wm_t
  Called in wm_role_template() which is called in roles/unprivuser.te,
  roles/sysadm.te, and roles/staff.te.
  wm_role_template is also called in
  system/userdomain.if:userdom_restricted_xwindows_user_template() which
  is called in contrib/xguest.te.

Signed-off-by: James Carter  tycho.nsa.gov>

 policy/modules/contrib/djbdns.if| 4 ++--
 policy/modules/contrib/firewalld.if | 4 ++--
 policy/modules/contrib/ftp.te   | 2 +-
 policy/modules/contrib/tftp.if  | 4 ++--
 policy/modules/contrib/wm.if| 2 +-
 5 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/policy/modules/contrib/djbdns.if b/policy/modules/contrib/djbdns.if
index 671d3c0a..dd87a12a 100644
--- a/policy/modules/contrib/djbdns.if
+++ b/policy/modules/contrib/djbdns.if
@@ -71,8 +71,8 @@ interface(`djbdns_search_tinydns_keys',`
 #
 interface(`djbdns_link_tinydns_keys',`
gen_require(`
-   type djbdns_tinydn_t;
+   type djbdns_tinydns_t;
')
 
-   allow $1 djbdns_tinydn_t:key link;
+   allow $1 djbdns_tinydns_t:key link;
 ')

diff --git a/policy/modules/contrib/firewalld.if 
b/policy/modules/contrib/firewalld.if
index d5f86696..b4fda82c 100644
--- a/policy/modules/contrib/firewalld.if
+++ b/policy/modules/contrib/firewalld.if
@@ -98,7 +98,7 @@ interface(`firewalld_read_var_run_files',`
 interface(`firewalld_admin',`
gen_require(`
type firewalld_t, firewalld_initrc_exec_t;
-   type firewall_etc_rw_t, firewalld_var_run_t;
+   type firewalld_etc_rw_t, firewalld_var_run_t;
type firewalld_var_log_t;
')
 
@@ -114,5 +114,5 @@ interface(`firewalld_admin',`
admin_pattern($1, firewalld_var_log_t)
 
files_search_etc($1)
-   admin_pattern($1, firewall_etc_rw_t)
+   admin_pattern($1, firewalld_etc_rw_t)
 ')

diff --git a/policy/modules/contrib/ftp.te b/policy/modules/contrib/ftp.te
index 0a5465a6..a711bfbd 100644
--- a/policy/modules/contrib/ftp.te
+++ b/policy/modules/contrib/ftp.te
@@ -394,7 +394,7 @@ optional_policy(`
inetd_tcp_service_domain(ftpd_t, ftpd_exec_t)
 
optional_policy(`
-   tcpd_domtrans(tcpd_t)
+   tcpd_domtrans(ftpd_t)
')
 ')
 

diff --git a/policy/modules/contrib/tftp.if b/policy/modules/contrib/tftp.if
index dae82eb7..b32fa3c0 100644
--- a/policy/modules/contrib/tftp.if
+++ b/policy/modules/contrib/tftp.if
@@ -105,10 +105,10 @@ interface(`tftp_manage_config_files',`
 #
 interface(`tftp_etc_filetrans_config',`
gen_require(`
-   type tftp_conf_t;
+   type tftpd_conf_t;
')
 
-   files_etc_filetrans($1, tftp_conf_t, $2, $3)
+   files_etc_filetrans($1, tftpd_conf_t, $2, $3)
 ')
 
 

diff --git a/policy/modules/contrib/wm.if b/policy/modules/contrib/wm.if
index bb0d3ea7..260a7b01 100644
--- a/policy/modules/contrib/wm.if
+++ b/policy/modules/contrib/wm.if
@@ -245,7 +245,7 @@ interface(`wm_application_domain',`
 #
 interface(`wm_write_pipes',`
gen_require(`
-   type $1_t;
+   type $1_wm_t;
')
 
allow $2 $1_wm_t:fifo_file write;
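Review bot: the `allow $2 $1_wm_t:fifo_file write;` rule that follows already used `$1_wm_t`, so the gen_require was requiring a type the rule never referenced and the interface was unusable for any prefix; the fix is correct as written. Because the type name is derived from `$1`, refpolicy convention would declare this with template() rather than interface(); worth a follow-up so callers see that a prefix, not a domain, is expected.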



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2018-04-22 Thread Jason Zaman
commit: 33e79c86efaee37a32289cd31932528aaf4d4f6d
Author: Jason Zaman  perfinion  com>
AuthorDate: Thu Apr 12 11:38:01 2018 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Apr 22 11:53:03 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=33e79c86

ifplugd: Allow transition to init scripts

 policy/modules/contrib/ifplugd.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/contrib/ifplugd.te 
b/policy/modules/contrib/ifplugd.te
index 9267c1b8..78bcd143 100644
--- a/policy/modules/contrib/ifplugd.te
+++ b/policy/modules/contrib/ifplugd.te
@@ -53,6 +53,8 @@ domain_dontaudit_read_all_domains_state(ifplugd_t)
 
 auth_use_nsswitch(ifplugd_t)
 
+init_domtrans_script(ifplugd_t)
+
 logging_send_syslog_msg(ifplugd_t)
 
 miscfiles_read_localization(ifplugd_t)
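Review bot: init_domtrans_script(ifplugd_t) lets ifplugd transition into the init script domain, one of the most privileged domains in the policy, and the commit message says only "Allow transition to init scripts". A one-line comment above the call stating which scripts ifplugd needs to run (presumably its link-change action hook bringing network services up and down) would document why the grant is acceptable. Placing it between auth_use_nsswitch and logging_send_syslog_msg keeps the alphabetical module order.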



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2018-04-22 Thread Jason Zaman
commit: 5daa9a0ca0dd357ea6b06fa3cadd6a4bd5f772c4
Author: Jason Zaman  perfinion  com>
AuthorDate: Thu Apr 12 11:38:04 2018 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Apr 22 11:53:59 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5daa9a0c

mozilla: allow map usr, home, tmp files

 policy/modules/contrib/mozilla.te | 5 +
 1 file changed, 5 insertions(+)

diff --git a/policy/modules/contrib/mozilla.te 
b/policy/modules/contrib/mozilla.te
index d7a7be05..b17ab878 100644
--- a/policy/modules/contrib/mozilla.te
+++ b/policy/modules/contrib/mozilla.te
@@ -113,6 +113,7 @@ manage_lnk_files_pattern(mozilla_t, mozilla_tmpfs_t, 
mozilla_tmpfs_t)
 manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
 manage_sock_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
 fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { file lnk_file sock_file 
fifo_file })
+allow mozilla_t mozilla_plugin_tmpfs_t:file map;
 
 allow mozilla_t mozilla_plugin_rw_t:dir list_dir_perms;
 allow mozilla_t mozilla_plugin_rw_t:file read_file_perms;
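Review bot: the new `allow mozilla_t mozilla_plugin_tmpfs_t:file map;` sits in the mozilla_tmpfs_t section but targets the plugin's tmpfs type. `map` by itself grants neither read nor write, so the line only does something if mozilla_t already has read or write on mozilla_plugin_tmpfs_t elsewhere in the file; if it does, moving the rule next to those grants (or folding map into them) makes the dependency visible, and if it does not, the rule is dead.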
@@ -324,6 +325,7 @@ allow mozilla_plugin_t mozilla_t:sem create_sem_perms;
 manage_dirs_pattern(mozilla_plugin_t, { mozilla_home_t mozilla_plugin_home_t 
}, { mozilla_home_t mozilla_plugin_home_t })
 manage_files_pattern(mozilla_plugin_t, { mozilla_home_t mozilla_plugin_home_t 
}, mozilla_plugin_home_t)
 manage_lnk_files_pattern(mozilla_plugin_t, { mozilla_home_t 
mozilla_plugin_home_t }, mozilla_plugin_home_t)
+allow mozilla_plugin_t mozilla_home_t:file map;
 
 userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, dir, 
".galeon")
 userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, dir, 
".mozilla")
@@ -338,6 +340,8 @@ manage_fifo_files_pattern(mozilla_plugin_t, 
mozilla_plugin_tmp_t, mozilla_plugin
 files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file 
fifo_file })
 userdom_user_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file 
fifo_file })
 
+allow mozilla_plugin_t mozilla_tmp_t:file rw_file_perms;
+
 manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, 
mozilla_plugin_tmpfs_t)
 manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, 
mozilla_plugin_tmpfs_t)
 manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, 
mozilla_plugin_tmpfs_t)
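Review bot: `allow mozilla_plugin_t mozilla_tmp_t:file rw_file_perms;` gives the plugin read/write on the browser's own tmp files, which is not a `map` permission and is not covered by the commit message ("allow map usr, home, tmp files"). Either mention it in the message or add a comment on what the plugin needs from mozilla_tmp_t; the line also lands among the tmpfs rules rather than with the mozilla_plugin_tmp_t rules just above it.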
@@ -444,6 +448,7 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
 files_list_mnt(mozilla_plugin_t)
 files_read_config_files(mozilla_plugin_t)
 files_read_usr_files(mozilla_plugin_t)
+files_map_usr_files(mozilla_plugin_t)
 
 fs_getattr_all_fs(mozilla_plugin_t)
 # fs_read_hugetlbfs_files(mozilla_plugin_t)



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2018-04-22 Thread Jason Zaman
commit: 4704ab0db3680062416380525f7f14d95f9073e0
Author: James Carter  tycho  nsa  gov>
AuthorDate: Wed Apr 11 18:56:37 2018 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Apr 22 11:53:03 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4704ab0d

Fix typos in identifier names

These interfaces are not being called in the policy (or are only called by
interfaces that are not called).

In kismet.if:kismet_role()
  kistmet_tmpfs_t should be kismet_tmpfs_t

In obex.if:obex_role_template()
  obex_exec_exec_t should be obex_exec_t

In sosreport.if:sosreport_run()
  sospreport_roles should be sosreport_roles
  Called only in sosreport_role() which is not called in policy.

Signed-off-by: James Carter  tycho.nsa.gov>

 policy/modules/contrib/kismet.if| 4 ++--
 policy/modules/contrib/obex.if  | 2 +-
 policy/modules/contrib/sosreport.if | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/policy/modules/contrib/kismet.if b/policy/modules/contrib/kismet.if
index 7e612761..1ba783c4 100644
--- a/policy/modules/contrib/kismet.if
+++ b/policy/modules/contrib/kismet.if
@@ -18,12 +18,12 @@
 template(`kismet_role',`
gen_require(`
type kismet_exec_t, kismet_home_t, kismet_tmp_t;
-   type kistmet_tmpfs_t, kismet_t;
+   type kismet_tmpfs_t, kismet_t;
')
 
kismet_run($1, $2)
 
-   allow $2 kistmet_t:process { ptrace signal_perms };
+   allow $2 kismet_t:process { ptrace signal_perms };
ps_process_pattern($2, kismet_t)
 
allow $2 kismet_home_t:dir { manage_dir_perms relabel_dir_perms };
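Review bot: this hunk also corrects `kistmet_t` to `kismet_t` in the `allow $2 kistmet_t:process { ptrace signal_perms };` rule, but the commit message lists only kistmet_tmpfs_t; update the message so the ptrace grant to the role domain becoming effective is on record. Otherwise the rename is consistent between the gen_require block and the rules.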

diff --git a/policy/modules/contrib/obex.if b/policy/modules/contrib/obex.if
index 410c0e8f..6723697e 100644
--- a/policy/modules/contrib/obex.if
+++ b/policy/modules/contrib/obex.if
@@ -24,7 +24,7 @@
 template(`obex_role_template',`
gen_require(`
attribute_role obex_roles;
-   type obex_t, obex_exec_exec_t;
+   type obex_t, obex_exec_t;
')
 


diff --git a/policy/modules/contrib/sosreport.if 
b/policy/modules/contrib/sosreport.if
index 634c6b4f..e1edfd96 100644
--- a/policy/modules/contrib/sosreport.if
+++ b/policy/modules/contrib/sosreport.if
@@ -42,7 +42,7 @@ interface(`sosreport_run',`
')
 
sosreport_domtrans($1)
-   roleattribute $2 sospreport_roles;
+   roleattribute $2 sosreport_roles;
 ')
 
 



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2018-04-22 Thread Jason Zaman
commit: 567e6837c7ed7d7a88f13cb648e1a18787b84ff1
Author: James Carter  tycho  nsa  gov>
AuthorDate: Wed Apr 11 18:56:32 2018 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Apr 22 11:53:03 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=567e6837

Mark unused parameter as unused

Marked unused parameters as unused in the interfaces listed below.

accountsd.if:accountsd_admin()
bugzilla.if:bugzilla_admin()
devicekit.if:devicekit_admin()
lsm.if:lsmd_admin()
plymouthd.if:plymouthd_admin()
rsync.if:rsync_admin()
samhain.if:samhain_admin()
sectoolm.if:sectoolm_role()

Signed-off-by: James Carter  tycho.nsa.gov>

 policy/modules/contrib/accountsd.if | 2 +-
 policy/modules/contrib/bugzilla.if  | 2 +-
 policy/modules/contrib/devicekit.if | 2 +-
 policy/modules/contrib/lsm.if   | 2 +-
 policy/modules/contrib/plymouthd.if | 2 +-
 policy/modules/contrib/rsync.if | 2 +-
 policy/modules/contrib/samhain.if   | 2 +-
 policy/modules/contrib/sectoolm.if  | 2 +-
 8 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/policy/modules/contrib/accountsd.if 
b/policy/modules/contrib/accountsd.if
index bd5ec9ab..312d5692 100644
--- a/policy/modules/contrib/accountsd.if
+++ b/policy/modules/contrib/accountsd.if
@@ -129,7 +129,7 @@ interface(`accountsd_manage_lib_files',`
 ## Domain allowed access.
 ## 
 ## 
-## 
+## 
 ## 
 ## Role allowed access.
 ## 
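Review bot: as rendered here the removed and added lines are both `## ` and the hunk reads as a no-op; the attribute that marks the role parameter of accountsd_admin() as unused lives in markup that does not survive in this listing, so the change cannot be verified from the hunk alone. The same holds for the other seven hunks in this commit.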

diff --git a/policy/modules/contrib/bugzilla.if 
b/policy/modules/contrib/bugzilla.if
index 1b22262d..19fce8e0 100644
--- a/policy/modules/contrib/bugzilla.if
+++ b/policy/modules/contrib/bugzilla.if
@@ -48,7 +48,7 @@ interface(`bugzilla_dontaudit_rw_stream_sockets',`
 ## Domain allowed access.
 ## 
 ## 
-## 
+## 
 ## 
 ## Role allowed access.
 ## 

diff --git a/policy/modules/contrib/devicekit.if 
b/policy/modules/contrib/devicekit.if
index 8ce99ff4..da75b8e4 100644
--- a/policy/modules/contrib/devicekit.if
+++ b/policy/modules/contrib/devicekit.if
@@ -248,7 +248,7 @@ interface(`devicekit_manage_pid_files',`
 ## Domain allowed access.
 ## 
 ## 
-## 
+## 
 ## 
 ## Role allowed access.
 ## 

diff --git a/policy/modules/contrib/lsm.if b/policy/modules/contrib/lsm.if
index 365ab6fe..44910afa 100644
--- a/policy/modules/contrib/lsm.if
+++ b/policy/modules/contrib/lsm.if
@@ -10,7 +10,7 @@
 ## Domain allowed access.
 ## 
 ## 
-## 
+## 
 ## 
 ## Role allowed access.
 ## 

diff --git a/policy/modules/contrib/plymouthd.if 
b/policy/modules/contrib/plymouthd.if
index 54cd777a..04e0c734 100644
--- a/policy/modules/contrib/plymouthd.if
+++ b/policy/modules/contrib/plymouthd.if
@@ -242,7 +242,7 @@ interface(`plymouthd_read_pid_files',`
 ## Domain allowed access.
 ## 
 ## 
-## 
+## 
 ## 
 ## Role allowed access.
 ## 

diff --git a/policy/modules/contrib/rsync.if b/policy/modules/contrib/rsync.if
index 7a149374..097f4d3a 100644
--- a/policy/modules/contrib/rsync.if
+++ b/policy/modules/contrib/rsync.if
@@ -247,7 +247,7 @@ interface(`rsync_etc_filetrans_config',`
 ## Domain allowed access.
 ## 
 ## 
-## 
+## 
 ## 
 ## Role allowed access.
 ## 

diff --git a/policy/modules/contrib/samhain.if 
b/policy/modules/contrib/samhain.if
index 983fee57..8b6fb18b 100644
--- a/policy/modules/contrib/samhain.if
+++ b/policy/modules/contrib/samhain.if
@@ -203,7 +203,7 @@ interface(`samhain_manage_pid_files',`
 ## Domain allowed access.
 ## 
 ## 
-## 
+## 
 ## 
 ## Role allowed access.
 ## 

diff --git a/policy/modules/contrib/sectoolm.if 
b/policy/modules/contrib/sectoolm.if
index c78a569c..9e9663b5 100644
--- a/policy/modules/contrib/sectoolm.if
+++ b/policy/modules/contrib/sectoolm.if
@@ -4,7 +4,7 @@
 ## 
 ## Role access for sectoolm.
 ## 
-## 
+## 
 ## 
 ## Role allowed access.
 ## 



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2018-04-22 Thread Jason Zaman
commit: 1805a99f61ca86dea7465a06a5ac3d4ba2f40b36
Author: James Carter  tycho  nsa  gov>
AuthorDate: Wed Apr 11 18:56:55 2018 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Apr 22 11:53:03 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1805a99f

Remove undeclared identifiers from interfaces

All the interfaces below were always being removed because of unmet
requires.

cups.if:cups_admin()
  Remove references to undeclared type cupsd_spool_t.
  Called in roles/sysadm.te

dspam.if:dspam_stream_connect()
  Remove references to undeclared type dspam_tmp_t.
  Called in contrib/postfix.te

samba.if:samba_admin()
  Remove references to undeclared type smbd_spool_t.
  Called in roles/sysadm.te

Signed-off-by: James Carter  tycho.nsa.gov>

 policy/modules/contrib/cups.if  | 3 +--
 policy/modules/contrib/dspam.if | 4 ++--
 policy/modules/contrib/samba.if | 3 +--
 3 files changed, 4 insertions(+), 6 deletions(-)

diff --git a/policy/modules/contrib/cups.if b/policy/modules/contrib/cups.if
index 73887e50..e268b96f 100644
--- a/policy/modules/contrib/cups.if
+++ b/policy/modules/contrib/cups.if
@@ -352,7 +352,7 @@ interface(`cups_domtrans_hplip',`
 interface(`cups_admin',`
gen_require(`
type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t;
-   type cupsd_etc_t, cupsd_log_t, cupsd_spool_t;
+   type cupsd_etc_t, cupsd_log_t;
type cupsd_config_var_run_t, cupsd_lpd_var_run_t;
type cupsd_var_run_t, ptal_etc_t, cupsd_rw_etc_t;
type ptal_var_run_t, hplip_var_run_t, cupsd_initrc_exec_t;
@@ -374,7 +374,6 @@ interface(`cups_admin',`
admin_pattern($1, cupsd_log_t)
 
files_list_spool($1)
-   admin_pattern($1, cupsd_spool_t)
 
files_list_tmp($1)
admin_pattern($1, { cupsd_tmp_t  cupsd_lpd_tmp_t })
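Review bot: with `admin_pattern($1, cupsd_spool_t)` removed, the `files_list_spool($1)` call just above it has nothing left to reach and now grants listing of the spool directory for no cups-specific purpose; either drop it in the same hunk or, if cups spool content carries a real type declared in cups.te, substitute that type.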

diff --git a/policy/modules/contrib/dspam.if b/policy/modules/contrib/dspam.if
index a8cd028b..969fd89d 100644
--- a/policy/modules/contrib/dspam.if
+++ b/policy/modules/contrib/dspam.if
@@ -32,12 +32,12 @@ interface(`dspam_domtrans',`
 #
 interface(`dspam_stream_connect',`
gen_require(`
-   type dspam_t, dspam_var_run_t, dspam_tmp_t;
+   type dspam_t, dspam_var_run_t;
')
 
files_search_pids($1)
files_search_tmp($1)
-   stream_connect_pattern($1, { dspam_tmp_t dspam_var_run_t }, { 
dspam_tmp_t dspam_var_run_t }, dspam_t)
+   stream_connect_pattern($1, dspam_var_run_t, dspam_var_run_t, dspam_t)
 ')
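Review bot: removing dspam_tmp_t from the stream_connect_pattern leaves `files_search_tmp($1)` on the line above with no tmp-labelled target; the search permission existed only to reach a socket under the tmp directory, so it should go in the same change.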
 
 

diff --git a/policy/modules/contrib/samba.if b/policy/modules/contrib/samba.if
index f863af8f..3d729f0c 100644
--- a/policy/modules/contrib/samba.if
+++ b/policy/modules/contrib/samba.if
@@ -684,7 +684,7 @@ interface(`samba_stream_connect_winbind',`
 interface(`samba_admin',`
gen_require(`
type nmbd_t, nmbd_var_run_t, smbd_var_run_t;
-   type smbd_t, smbd_tmp_t, smbd_spool_t;
+   type smbd_t, smbd_tmp_t;
type samba_log_t, samba_var_t, samba_secrets_t;
type samba_etc_t, samba_share_t, samba_initrc_exec_t;
type swat_var_run_t, swat_tmp_t, winbind_log_t;
@@ -707,7 +707,6 @@ interface(`samba_admin',`
admin_pattern($1, { samba_share_t samba_var_t samba_secrets_t })
 
files_list_spool($1)
-   admin_pattern($1, smbd_spool_t)
 
files_list_pids($1)
admin_pattern($1, { winbind_var_run_t smbd_var_run_t swat_var_run_t 
nmbd_var_run_t })
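Review bot: as in the cups hunk of this commit, `files_list_spool($1)` is orphaned once `admin_pattern($1, smbd_spool_t)` is gone; drop it, or point it at whatever type samba's spool content actually carries.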



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2018-04-22 Thread Jason Zaman
commit: 70cfb901fc6c8a692295ebb15914e13fc6e1223e
Author: James Carter  tycho  nsa  gov>
AuthorDate: Wed Apr 11 18:56:36 2018 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Apr 22 11:53:03 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=70cfb901

Move use of sendmail_exec_t from sendmail.te to mta.te

The type sendmail_exec_t is actually declared in mta.te.

Created mta.if:mta_sendmail_entry_point() to make sendmail_exec_t
usable as an entry point for a domain.

Modified sendmail.te to use the new interface along with the
application_type() interface to replace the call to
application_domain() using sendmail_exec_t.

Signed-off-by: James Carter  tycho.nsa.gov>

 policy/modules/contrib/mta.if  | 19 +++
 policy/modules/contrib/sendmail.te |  3 ++-
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/policy/modules/contrib/mta.if b/policy/modules/contrib/mta.if
index 4384caae..f98346fe 100644
--- a/policy/modules/contrib/mta.if
+++ b/policy/modules/contrib/mta.if
@@ -536,6 +536,25 @@ interface(`mta_sendmail_exec',`
can_exec($1, sendmail_exec_t)
 ')
 
+
+## 
+## Make sendmail usable as an entry
+##  point for the domain.
+## 
+## 
+## 
+## Domain to be entered.
+## 
+## 
+#
+interface(`mta_sendmail_entry_point',`
+   gen_require(`
+   type sendmail_exec_t;
+   ')
+
+   domain_entry_file($1, sendmail_exec_t)
+')
+
 
 ## 
 ## Read mail server configuration content.

diff --git a/policy/modules/contrib/sendmail.te 
b/policy/modules/contrib/sendmail.te
index 8d2669ee..3503f315 100644
--- a/policy/modules/contrib/sendmail.te
+++ b/policy/modules/contrib/sendmail.te
@@ -32,7 +32,8 @@ mta_mailserver_sender(sendmail_t)
 role sendmail_roles types sendmail_t;
 
 type unconfined_sendmail_t;
-application_domain(unconfined_sendmail_t, sendmail_exec_t)
+application_type(unconfined_sendmail_t)
+mta_sendmail_entry_point(unconfined_sendmail_t)
 role sendmail_unconfined_roles types unconfined_sendmail_t;
 
 



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2018-04-22 Thread Jason Zaman
commit: b60736bf3d0ec4cae2f1e603b110e1a7391c8a69
Author: James Carter  tycho  nsa  gov>
AuthorDate: Wed Apr 11 18:56:39 2018 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Apr 22 11:53:03 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b60736bf

Fix interfaces that use an undeclared identifier

These interfaces are not being called in the policy.

dbus.if:dbus_send_all_session_bus()
  Use session_bus_type instead of dbus_session_bus_type.

rabbitmq.if:rabbitmq_domtrans()
  Use rabbitmq_epmd_t and rabbitmq_beam_t instead of rabbitmq_t
  and rabbitmq_epmd_exec_t and rabbitmq_beam_exec_t instead of
  rabbitmq_exec_t.

Signed-off-by: James Carter  tycho.nsa.gov>

 policy/modules/contrib/dbus.if | 2 +-
 policy/modules/contrib/rabbitmq.if | 6 --
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/policy/modules/contrib/dbus.if b/policy/modules/contrib/dbus.if
index 4f62c23a..01e353ed 100644
--- a/policy/modules/contrib/dbus.if
+++ b/policy/modules/contrib/dbus.if
@@ -259,7 +259,7 @@ interface(`dbus_send_all_session_bus',`
class dbus send_msg;
')
 
-   allow $1 dbus_session_bus_type:dbus send_msg;
+   allow $1 session_bus_type:dbus send_msg;
 ')
 
 ###
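Review bot: the fix depends on `attribute session_bus_type` being in the gen_require block above the visible context (only `class dbus send_msg;` is shown); if that line still names dbus_session_bus_type the interface remains unbuildable. The rule itself grants send_msg to every session bus type, which is what the interface name promises.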

diff --git a/policy/modules/contrib/rabbitmq.if 
b/policy/modules/contrib/rabbitmq.if
index 53efd0dd..854cd364 100644
--- a/policy/modules/contrib/rabbitmq.if
+++ b/policy/modules/contrib/rabbitmq.if
@@ -12,11 +12,13 @@
 #
 interface(`rabbitmq_domtrans',`
gen_require(`
-   type rabbitmq_t, rabbitmq_exec_t;
+   type rabbitmq_epmd_t, rabbitmq_epmd_exec_t;
+   type rabbitmq_beam_t, rabbitmq_beam_exec_t;
')
 
corecmd_search_bin($1)
-   domtrans_pattern($1, rabbitmq_exec_t, rabbitmq_t)
+   domtrans_pattern($1, rabbitmq_epmd_exec_t, rabbitmq_epmd_t)
+   domtrans_pattern($1, rabbitmq_beam_exec_t, rabbitmq_beam_t)
 ')
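Review bot: rabbitmq_domtrans() now grants two transitions (into rabbitmq_epmd_t and rabbitmq_beam_t) to one caller; that matches the two exec types, but the interface summary above the hunk should say so, and a caller needing only one of them has no way to get it. Splitting into two per-binary interfaces (suggested names, e.g. rabbitmq_domtrans_epmd and rabbitmq_domtrans_beam) with this one calling both would keep least privilege available.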
 
 



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2018-04-12 Thread Jason Zaman
commit: 5857e634aaee0f8665a884859ffc3d4cf05d16c4
Author: Jason Zaman  perfinion  com>
AuthorDate: Thu Apr 12 10:25:18 2018 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu Apr 12 11:56:59 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5857e634

dropbox: update fcontext and map usr_t

 policy/modules/contrib/dropbox.fc | 2 +-
 policy/modules/contrib/dropbox.te | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/policy/modules/contrib/dropbox.fc 
b/policy/modules/contrib/dropbox.fc
index a83a1bff..bcd85a60 100644
--- a/policy/modules/contrib/dropbox.fc
+++ b/policy/modules/contrib/dropbox.fc
@@ -8,7 +8,7 @@ HOME_DIR/\.dropbox-dist(/.*)?/dropboxd?  -- 
gen_context(system_u:object_r:dropbo
 
 /opt/bin/dropbox -l 
gen_context(system_u:object_r:dropbox_exec_t,s0)
 /opt/dropbox/.*py?\.?.*egg(/.*)?
gen_context(system_u:object_r:lib_t,s0)
-/opt/dropbox/lib.*\.so\..-- 
gen_context(system_u:object_r:lib_t,s0)
+/opt/dropbox/lib.*\.so\.[0-9]+   -- 
gen_context(system_u:object_r:lib_t,s0)
 /opt/dropbox/dropboxd?   -- 
gen_context(system_u:object_r:dropbox_exec_t,s0)
 /opt/dropbox/library\.zip-l 
gen_context(system_u:object_r:lib_t,s0)
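Review bot: `\.so\.[0-9]+` is anchored, so it matches `libfoo.so.1` but not multi-component versions such as `libfoo.so.1.2.3`; the old `\.so\..` (one arbitrary character) did not match those either, so this is no regression, but if dropbox ships such files `\.so(\.[0-9]+)+` would cover both. Restricting the suffix to digits is an improvement over the single-character wildcard.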
 

diff --git a/policy/modules/contrib/dropbox.te 
b/policy/modules/contrib/dropbox.te
index 63f95c25..80d8af37 100644
--- a/policy/modules/contrib/dropbox.te
+++ b/policy/modules/contrib/dropbox.te
@@ -89,6 +89,7 @@ dev_read_urand(dropbox_t)
 libs_exec_ldconfig(dropbox_t)
 
 files_read_usr_files(dropbox_t)
+files_map_usr_files(dropbox_t)
 auth_use_nsswitch(dropbox_t)
 miscfiles_read_localization(dropbox_t)
 



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2018-03-25 Thread Sven Vermeulen
commit: 1100fd2c68b60b6ab5eb34baedb20a63a191f057
Author: Dave Sugar  tresys  com>
AuthorDate: Mon Mar  5 14:03:02 2018 +
Commit: Sven Vermeulen  gentoo  org>
CommitDate: Sun Mar 25 09:31:12 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1100fd2c

Allow execution of chronyc from commandline

With the previous patch moving chronyc into a separate domain this adds interfaces to execute chronyc from the command line and have it run in the chronyc_t domain.

Updated interface names based on suggestion, added missing permission to allow 
chronyc_t domain access to tty.

Signed-off-by: Dave Sugar  tresys.com>

 policy/modules/contrib/chronyd.if | 46 +++
 policy/modules/contrib/chronyd.te |  8 +++
 2 files changed, 54 insertions(+)

diff --git a/policy/modules/contrib/chronyd.if 
b/policy/modules/contrib/chronyd.if
index 32988914..bc4ba691 100644
--- a/policy/modules/contrib/chronyd.if
+++ b/policy/modules/contrib/chronyd.if
@@ -19,6 +19,25 @@ interface(`chronyd_domtrans',`
domtrans_pattern($1, chronyd_exec_t, chronyd_t)
 ')
 
+#
+## 
+## Execute chronyc in the chronyc domain.
+## 
+## 
+## 
+## Domain allowed to transition.
+## 
+## 
+#
+interface(`chronyd_domtrans_cli',`
+   gen_require(`
+   type chronyc_t, chronyc_exec_t;
+   ')
+
+   corecmd_search_bin($1)
+   domtrans_pattern($1, chronyc_exec_t, chronyc_t)
+')
+
 
 ## 
 ## Execute chronyd server in the
@@ -57,6 +76,33 @@ interface(`chronyd_exec',`
can_exec($1, chronyd_exec_t)
 ')
 
+
+## 
+## Execute chronyc in the chronyc domain,
+## and allow the specified roles the
+## chronyc domain.
+## 
+## 
+## 
+## Domain allowed to transition.
+## 
+## 
+## 
+## 
+## Role allowed access.
+## 
+## 
+## 
+#
+interface(`chronyd_run_cli',`
+   gen_require(`
+   attribute_role chronyc_roles;
+   ')
+
+   chronyd_domtrans_cli($1)
+   roleattribute $2 chronyc_roles;
+')
+
 #
 ## 
 ## Read chronyd log files.

diff --git a/policy/modules/contrib/chronyd.te 
b/policy/modules/contrib/chronyd.te
index 0634548d..8277ef81 100644
--- a/policy/modules/contrib/chronyd.te
+++ b/policy/modules/contrib/chronyd.te
@@ -5,6 +5,8 @@ policy_module(chronyd, 1.5.0)
 # Declarations
 #
 
+attribute_role chronyc_roles;
+
 type chronyd_t;
 type chronyd_exec_t;
 init_daemon_domain(chronyd_t, chronyd_exec_t)
@@ -12,6 +14,8 @@ init_daemon_domain(chronyd_t, chronyd_exec_t)
 type chronyc_t;
 type chronyc_exec_t;
 init_daemon_domain(chronyc_t, chronyc_exec_t)
+application_domain(chronyc_t, chronyc_exec_t)
+role chronyc_roles types chronyc_t;
 
 type chronyd_conf_t;
 files_config_file(chronyd_conf_t)
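Review bot: chronyc_t now has both init_daemon_domain() (from the previous commit) and application_domain(); each registers chronyc_exec_t as an entry point, and the domain ends up with both the daemon and the application attributes. That is defensible here because the same binary is started by chrony-wait.service and from a user shell, but a comment saying so would stop the next reader from treating the double declaration as a mistake.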
@@ -132,6 +136,8 @@ corenet_udp_sendrecv_chronyd_port(chronyc_t)
 files_read_etc_files(chronyc_t)
 files_read_usr_files(chronyc_t)
 
+locallogin_use_fds(chronyc_t)
+
 logging_send_syslog_msg(chronyc_t)
 
 sysnet_read_config(chronyc_t)
@@ -139,6 +145,8 @@ sysnet_dns_name_resolve(chronyc_t)
 
 miscfiles_read_localization(chronyc_t)
 
+userdom_use_user_ttys(chronyc_t)
+
 chronyd_dgram_send(chronyc_t)
 chronyd_read_config(chronyc_t)
 



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2018-03-25 Thread Sven Vermeulen
commit: d124bc67058d9f7913289dec07b0b4cb27e25acf
Author: Dave Sugar  tresys  com>
AuthorDate: Mon Mar  5 14:03:01 2018 +
Commit: Sven Vermeulen  gentoo  org>
CommitDate: Sun Mar 25 09:31:07 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d124bc67

Policy for chronyc - it was running in init_t domain

This patch is creating a new domain for /usr/bin/chronyc.  This is a cli 
program that talks to a running chronyd process.  chronyc is used by 
chrony-wait.service and I was seeing chronyc running in the init_t domain when 
started this way.

Interface name updated based on suggestions.

Signed-off-by: Dave Sugar  tresys.com>

 policy/modules/contrib/chronyd.fc |  1 +
 policy/modules/contrib/chronyd.if | 20 +
 policy/modules/contrib/chronyd.te | 46 +--
 3 files changed, 65 insertions(+), 2 deletions(-)

diff --git a/policy/modules/contrib/chronyd.fc 
b/policy/modules/contrib/chronyd.fc
index 445f3749..7153deee 100644
--- a/policy/modules/contrib/chronyd.fc
+++ b/policy/modules/contrib/chronyd.fc
@@ -9,6 +9,7 @@
 /usr/lib/systemd/system/[^/]*chrony-wait.* --  
gen_context(system_u:object_r:chronyd_unit_t,s0)
 /usr/lib/systemd/system/[^/]*chronyd.* --  
gen_context(system_u:object_r:chronyd_unit_t,s0)
 
+/usr/bin/chronyc   --  
gen_context(system_u:object_r:chronyc_exec_t,s0)
 /usr/sbin/chronyd  --  
gen_context(system_u:object_r:chronyd_exec_t,s0)
 
 /var/lib/chrony(/.*)?  
gen_context(system_u:object_r:chronyd_var_lib_t,s0)

diff --git a/policy/modules/contrib/chronyd.if 
b/policy/modules/contrib/chronyd.if
index a42bc4f4..32988914 100644
--- a/policy/modules/contrib/chronyd.if
+++ b/policy/modules/contrib/chronyd.if
@@ -252,6 +252,26 @@ interface(`chronyd_status',`
allow $1 chronyd_unit_t:service status;
 ')
 
+
+## 
+## Send to chronyd command line interface using a unix domain
+## datagram socket.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`chronyd_dgram_send_cli',`
+   gen_require(`
+   type chronyc_t, chronyd_var_run_t;
+   ')
+
+   files_search_pids($1)
+   dgram_send_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyc_t)
+')
+
 
 ## 
 ## All of the rules required to

diff --git a/policy/modules/contrib/chronyd.te 
b/policy/modules/contrib/chronyd.te
index f28dd5e6..0634548d 100644
--- a/policy/modules/contrib/chronyd.te
+++ b/policy/modules/contrib/chronyd.te
@@ -9,6 +9,10 @@ type chronyd_t;
 type chronyd_exec_t;
 init_daemon_domain(chronyd_t, chronyd_exec_t)
 
+type chronyc_t;
+type chronyc_exec_t;
+init_daemon_domain(chronyc_t, chronyc_exec_t)
+
 type chronyd_conf_t;
 files_config_file(chronyd_conf_t)
 
@@ -35,10 +39,10 @@ init_daemon_pid_file(chronyd_var_run_t, dir, "chrony")
 
 
 #
-# Local policy
+# chronyd local policy
 #
 
-allow chronyd_t self:capability { dac_override ipc_lock setgid setuid 
sys_resource sys_time };
+allow chronyd_t self:capability { chown dac_override ipc_lock setgid setuid 
sys_resource sys_time };
 allow chronyd_t self:process { getcap setcap setrlimit signal };
 allow chronyd_t self:shm create_shm_perms;
 allow chronyd_t self:fifo_file rw_fifo_file_perms;
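Review bot: the `chown` capability added to chronyd_t's self:capability rule is unrelated to the new chronyc domain and is not mentioned in the commit message; split it into its own commit or add a comment stating what chronyd chowns. The comment rename to "chronyd local policy" is fine.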
@@ -91,6 +95,7 @@ logging_send_syslog_msg(chronyd_t)
 
 miscfiles_read_localization(chronyd_t)
 
+chronyd_dgram_send_cli(chronyd_t)
 chronyd_read_config(chronyd_t)
 
 optional_policy(`
@@ -100,3 +105,40 @@ optional_policy(`
 optional_policy(`
mta_send_mail(chronyd_t)
 ')
+
+
+#
+# chronyc local policy
+#
+
+allow chronyc_t self:capability { dac_override };
+allow chronyc_t self:process { signal };
+allow chronyc_t self:udp_socket create_socket_perms;
+allow chronyc_t self:netlink_route_socket create_netlink_socket_perms;
+
+manage_dirs_pattern(chronyc_t, chronyd_var_run_t, chronyd_var_run_t)
+manage_files_pattern(chronyc_t, chronyd_var_run_t, chronyd_var_run_t)
+manage_sock_files_pattern(chronyc_t, chronyd_var_run_t, chronyd_var_run_t)
+files_pid_filetrans(chronyc_t, chronyd_var_run_t, { dir file sock_file })
+
+corenet_all_recvfrom_unlabeled(chronyc_t)
+corenet_all_recvfrom_netlabel(chronyc_t)
+corenet_udp_sendrecv_generic_if(chronyc_t)
+corenet_udp_sendrecv_generic_node(chronyc_t)
+
+corenet_sendrecv_chronyd_client_packets(chronyc_t)
+corenet_udp_sendrecv_chronyd_port(chronyc_t)
+
+files_read_etc_files(chronyc_t)
+files_read_usr_files(chronyc_t)
+
+logging_send_syslog_msg(chronyc_t)
+
+sysnet_read_config(chronyc_t)
+sysnet_dns_name_resolve(chronyc_t)
+
+miscfiles_read_localization(chronyc_t)
+
+chronyd_dgram_send(chronyc_t)
+chronyd_read_config(chronyc_t)
+
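Review bot: the chronyc block grants manage_dirs, manage_files and manage_sock_files on chronyd_var_run_t plus files_pid_filetrans for dir, file and sock_file. A command-line client normally only needs to create its own unix datagram socket under the daemon's runtime directory, so manage on dirs and regular files lets a compromised chronyc unlink or rename the daemon's pid file; consider trimming to search/list on the dir and manage on sock_files, with the filetrans limited to sock_file. The `dac_override` capability also deserves a comment naming the root-owned path that triggers it, and the trailing blank line added at end of file should be dropped.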



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2018-03-25 Thread Sven Vermeulen
commit: 7a8275937a8628ca031dddf5f47cf2b27aaf94b3
Author: Dave Sugar  tresys  com>
AuthorDate: Mon Mar  5 14:02:59 2018 +
Commit: Sven Vermeulen  gentoo  org>
CommitDate: Sun Mar 25 09:30:44 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7a827593

Add interface to start/stop/enable/disable/status of chronyd service

Add interfaces to allow process to systemctl start, stop, enable, disable, and 
status of chronyd.service

Fix summary for chronyd_startstop from previous submission

Signed-off-by: Dave Sugar  tresys.com>

 policy/modules/contrib/chronyd.if | 57 +++
 1 file changed, 57 insertions(+)

diff --git a/policy/modules/contrib/chronyd.if 
b/policy/modules/contrib/chronyd.if
index e0a751ac..a42bc4f4 100644
--- a/policy/modules/contrib/chronyd.if
+++ b/policy/modules/contrib/chronyd.if
@@ -195,6 +195,63 @@ interface(`chronyd_read_key_files',`
read_files_pattern($1, chronyd_keys_t, chronyd_keys_t)
 ')
 
+
+## 
+## Allow specified domain to enable and disable chronyd unit
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`chronyd_enabledisable',`
+   gen_require(`
+   type chronyd_unit_t;
+   class service { enable disable };
+   ')
+
+   allow $1 chronyd_unit_t:service { enable disable };
+')
+
+
+## 
+## Allow specified domain to start and stop chronyd unit
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`chronyd_startstop',`
+   gen_require(`
+   type chronyd_unit_t;
+   class service { start stop };
+   ')
+
+   allow $1 chronyd_unit_t:service { start stop };
+')
+
+
+## 
+## Allow specified domain to get status of chronyd unit
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`chronyd_status',`
+   gen_require(`
+   type chronyd_unit_t;
+   class service status;
+   ')
+
+   allow $1 chronyd_unit_t:service status;
+')
+
 
 ## 
 ## All of the rules required to
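Review bot: the three new summaries ("Allow specified domain to enable and disable chronyd unit", and so on) lack the trailing period used by the existing summaries in this file ("Read chronyd log files."); minor, but worth matching. Each gen_require block correctly requires the service class permissions it uses, and keeping enable/disable, start/stop and status as separate interfaces keeps each grant minimal.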



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2018-03-25 Thread Sven Vermeulen
commit: d2e8b8d134bb93e896d3c2c73487abe31406323a
Author: Chris PeBenito  ieee  org>
AuthorDate: Sun Feb 18 16:25:01 2018 +
Commit: Sven Vermeulen  gentoo  org>
CommitDate: Sun Mar 25 09:30:28 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d2e8b8d1

another trivial dbus patch from Russell Coker.

 policy/modules/contrib/dbus.te | 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index 0d84f3dd..0b3c3d9e 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -1,4 +1,4 @@
-policy_module(dbus, 1.24.1)
+policy_module(dbus, 1.24.2)
 
 gen_require(`
class dbus all_dbus_perms;
@@ -192,6 +192,10 @@ optional_policy(`
udev_read_db(system_dbusd_t)
 ')
 
+optional_policy(`
+   unconfined_dbus_send(system_dbusd_t)
+')
+
 optional_policy(`
xserver_read_xdm_lib_files(system_dbusd_t)
xserver_use_xdm_fds(system_dbusd_t)



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2018-03-25 Thread Sven Vermeulen
commit: 00fd90a80b6325005dc025fddcb990d8db9502ee
Author: Chris PeBenito  ieee  org>
AuthorDate: Wed Mar  7 22:03:15 2018 +
Commit: Sven Vermeulen  gentoo  org>
CommitDate: Sun Mar 25 09:31:15 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=00fd90a8

chronyd: Module version bump.

 policy/modules/contrib/chronyd.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/contrib/chronyd.te 
b/policy/modules/contrib/chronyd.te
index 8277ef81..e89aa2fe 100644
--- a/policy/modules/contrib/chronyd.te
+++ b/policy/modules/contrib/chronyd.te
@@ -1,4 +1,4 @@
-policy_module(chronyd, 1.5.0)
+policy_module(chronyd, 1.5.1)
 
 
 #



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2018-03-25 Thread Sven Vermeulen
commit: de0bc389501c938e7a739a6dc4c9812f8412f715
Author: Chris PeBenito  ieee  org>
AuthorDate: Sun Feb 18 13:19:26 2018 +
Commit: Sven Vermeulen  gentoo  org>
CommitDate: Sun Mar 25 09:30:24 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=de0bc389

udisks2 and /dev/mem version 2 patch from Russell Coker.

 policy/modules/contrib/devicekit.te | 7 ++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/policy/modules/contrib/devicekit.te 
b/policy/modules/contrib/devicekit.te
index 390564a3..27e0dae0 100644
--- a/policy/modules/contrib/devicekit.te
+++ b/policy/modules/contrib/devicekit.te
@@ -1,4 +1,4 @@
-policy_module(devicekit, 1.8.1)
+policy_module(devicekit, 1.8.2)
 
 
 #
@@ -151,6 +151,11 @@ miscfiles_read_localization(devicekit_disk_t)
 userdom_read_all_users_state(devicekit_disk_t)
 userdom_search_user_home_dirs(devicekit_disk_t)
 
+ifdef(`distro_debian',`
+   # /dev/mem is accessed by libparted to get EFI data
+   dev_read_raw_memory(devicekit_disk_t)
+')
+
 optional_policy(`
dbus_system_bus_client(devicekit_disk_t)
 
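Review bot: dev_read_raw_memory(devicekit_disk_t) in the new distro_debian block is a very broad grant: it lets the disk daemon read the raw memory devices (/dev/mem), which exposes kernel and other processes' memory, far more than the EFI data the comment says libparted is after. Gating on distro_debian only selects which builds compile the rule, not what the domain can read once it has it. Consider a tunable so systems that never need the EFI lookup can keep it off, and state in the commit message why the need is Debian-specific (is it a libparted build option there?), so the rule is not silently kept once that reason disappears.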



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2018-03-25 Thread Sven Vermeulen
commit: 30f047c074b82fddea4cd78aab1e2935733d29ef
Author: David Sugar  tresys  com>
AuthorDate: Sat Feb 24 14:52:17 2018 +
Commit: Sven Vermeulen  gentoo  org>
CommitDate: Sun Mar 25 09:30:30 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=30f047c0

ntp only uses UDP, remove TCP permissions

The NTP protocol states it only uses UDP for network communication.  Remove 
currently allowed access to TCP that should not be needed.

Signed-off-by: Dave Sugar  tresys.com>

 policy/modules/contrib/ntp.te | 8 +---
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/policy/modules/contrib/ntp.te b/policy/modules/contrib/ntp.te
index 66c8eaa9..50d54178 100644
--- a/policy/modules/contrib/ntp.te
+++ b/policy/modules/contrib/ntp.te
@@ -59,7 +59,6 @@ allow ntpd_t self:process { signal_perms getcap setcap 
setsched setrlimit };
 allow ntpd_t self:fifo_file rw_fifo_file_perms;
 allow ntpd_t self:shm create_shm_perms;
 allow ntpd_t self:socket create;
-allow ntpd_t self:tcp_socket { accept listen };
 allow ntpd_t self:unix_dgram_socket sendto;
 
 allow ntpd_t ntp_conf_t:file read_file_perms;
@@ -101,20 +100,15 @@ kernel_request_load_module(ntpd_t)
 
 corenet_all_recvfrom_unlabeled(ntpd_t)
 corenet_all_recvfrom_netlabel(ntpd_t)
-corenet_tcp_sendrecv_generic_if(ntpd_t)
 corenet_udp_sendrecv_generic_if(ntpd_t)
-corenet_tcp_sendrecv_generic_node(ntpd_t)
 corenet_udp_sendrecv_generic_node(ntpd_t)
 corenet_udp_bind_generic_node(ntpd_t)
 
+corenet_sendrecv_ntp_client_packets(ntpd_t)
 corenet_sendrecv_ntp_server_packets(ntpd_t)
 corenet_udp_bind_ntp_port(ntpd_t)
 corenet_udp_sendrecv_ntp_port(ntpd_t)
 
-corenet_sendrecv_ntp_client_packets(ntpd_t)
-corenet_tcp_connect_ntp_port(ntpd_t)
-corenet_tcp_sendrecv_ntp_port(ntpd_t)
-
 corecmd_exec_bin(ntpd_t)
 corecmd_exec_shell(ntpd_t)
 
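Review bot: removing corenet_tcp_connect_ntp_port(ntpd_t), corenet_tcp_sendrecv_ntp_port(ntpd_t) and the generic TCP if/node rules is consistent with the stated rationale, but the claim should be scoped to the NTP protocol itself: implementations that do NTS key exchange (NTS-KE runs over TLS on TCP) would need outbound TCP back, so the commit message should say the policy targets plain ntpd. The relocation of corenet_sendrecv_ntp_client_packets(ntpd_t) up beside the server_packets call is a pure reorder; mention it so the move is not read as a behaviour change.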



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2018-03-25 Thread Sven Vermeulen
commit: 3a5a7910830b23b71b72a90d4e941f066475f613
Author: Chris PeBenito  ieee  org>
AuthorDate: Tue Feb 27 22:25:59 2018 +
Commit: Sven Vermeulen  gentoo  org>
CommitDate: Sun Mar 25 09:30:33 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3a5a7910

ntp: Module version bump.

 policy/modules/contrib/ntp.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/contrib/ntp.te b/policy/modules/contrib/ntp.te
index 50d54178..da6bd145 100644
--- a/policy/modules/contrib/ntp.te
+++ b/policy/modules/contrib/ntp.te
@@ -1,4 +1,4 @@
-policy_module(ntp, 1.17.0)
+policy_module(ntp, 1.17.1)
 
 
 #



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2018-03-25 Thread Sven Vermeulen
commit: db9a72463f10cbb7217d816dc4a2fe7ba584e888
Author: Dave Sugar  tresys  com>
AuthorDate: Mon Mar  5 14:03:00 2018 +
Commit: Sven Vermeulen  gentoo  org>
CommitDate: Sun Mar 25 09:30:59 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=db9a7246

Chronyd talks ntp client packets to get time from server

chronyd is an NTP client along with an NTP server.  Change to allow chronyd to 
send/recv ntp client packets.

Signed-off-by: Dave Sugar  tresys.com>

 policy/modules/contrib/chronyd.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/contrib/chronyd.te 
b/policy/modules/contrib/chronyd.te
index 09d7f834..f28dd5e6 100644
--- a/policy/modules/contrib/chronyd.te
+++ b/policy/modules/contrib/chronyd.te
@@ -74,6 +74,7 @@ corenet_udp_sendrecv_generic_if(chronyd_t)
 corenet_udp_sendrecv_generic_node(chronyd_t)
 corenet_udp_bind_generic_node(chronyd_t)
 
+corenet_sendrecv_ntp_client_packets(chronyd_t)
 corenet_sendrecv_ntp_server_packets(chronyd_t)
 corenet_udp_bind_ntp_port(chronyd_t)
 corenet_udp_sendrecv_ntp_port(chronyd_t)



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2018-03-25 Thread Sven Vermeulen
commit: a70aa3e3b948e30a7ed01a9d09b762419fa76d48
Author: Dave Sugar  tresys  com>
AuthorDate: Mon Mar  5 14:02:58 2018 +
Commit: Sven Vermeulen  gentoo  org>
CommitDate: Sun Mar 25 09:30:41 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a70aa3e3

Separate type for chronyd config file.

Separate label for /etc/chrony.conf (chronyd_conf_t) with interfaces to allow 
read-only or read/write access.  Needed as I have a process that alters 
chrony.conf but I didn't want this process to have access to write all etc_t 
files.

Fixed summary for chronyd_rw_config interface from previous submission.

Signed-off-by: Dave Sugar  tresys.com>

 policy/modules/contrib/chronyd.fc |  1 +
 policy/modules/contrib/chronyd.if | 38 ++
 policy/modules/contrib/chronyd.te |  5 +
 3 files changed, 44 insertions(+)

diff --git a/policy/modules/contrib/chronyd.fc 
b/policy/modules/contrib/chronyd.fc
index ca2747e7..445f3749 100644
--- a/policy/modules/contrib/chronyd.fc
+++ b/policy/modules/contrib/chronyd.fc
@@ -1,3 +1,4 @@
+/etc/chrony\.conf  --  
gen_context(system_u:object_r:chronyd_conf_t,s0)
 /etc/chrony\.keys  --  
gen_context(system_u:object_r:chronyd_keys_t,s0)
 
 /etc/rc\.d/init\.d/chronyd --  
gen_context(system_u:object_r:chronyd_initrc_exec_t,s0)
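Review bot: the new /etc/chrony\.conf entry only covers the Fedora/RHEL-style location; Debian and Ubuntu ship the file as /etc/chrony/chrony.conf, which will stay etc_t and bypass the new type, so either add an entry for that path or note that it is out of scope. Existing installs also need a relabel before chronyd_conf_t takes effect, which deserves a line in the commit message.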

diff --git a/policy/modules/contrib/chronyd.if 
b/policy/modules/contrib/chronyd.if
index 3d45be4c..e0a751ac 100644
--- a/policy/modules/contrib/chronyd.if
+++ b/policy/modules/contrib/chronyd.if
@@ -76,6 +76,44 @@ interface(`chronyd_read_log',`
read_files_pattern($1, chronyd_var_log_t, chronyd_var_log_t)
 ')
 
+#
+## 
+## Read chronyd config file.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`chronyd_read_config',`
+   gen_require(`
+   type chronyd_conf_t;
+   ')
+
+   files_search_etc($1)
+   allow $1 chronyd_conf_t:file read_file_perms;
+')
+
+#
+## 
+## Read and write chronyd config file.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`chronyd_rw_config',`
+   gen_require(`
+   type chronyd_conf_t;
+   ')
+
+   files_search_etc($1)
+   allow $1 chronyd_conf_t:file rw_file_perms;
+')
+
 
 ## 
 ## Read and write chronyd shared memory.
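Review bot: chronyd_rw_config() grants rw_file_perms, which covers opening, reading and writing the existing inode but not create, unlink or rename. The commit message describes a process that "alters chrony.conf", and most tools that rewrite a config file write a temporary file and rename it over the original; that path will be denied here, and a file created fresh under /etc would get etc_t rather than chronyd_conf_t. Either document that callers must edit in place, or add a manage variant together with a filetrans on /etc so replaced files keep the new type.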

diff --git a/policy/modules/contrib/chronyd.te 
b/policy/modules/contrib/chronyd.te
index 0de7b520..09d7f834 100644
--- a/policy/modules/contrib/chronyd.te
+++ b/policy/modules/contrib/chronyd.te
@@ -9,6 +9,9 @@ type chronyd_t;
 type chronyd_exec_t;
 init_daemon_domain(chronyd_t, chronyd_exec_t)
 
+type chronyd_conf_t;
+files_config_file(chronyd_conf_t)
+
 type chronyd_initrc_exec_t;
 init_script_file(chronyd_initrc_exec_t)
 
@@ -87,6 +90,8 @@ logging_send_syslog_msg(chronyd_t)
 
 miscfiles_read_localization(chronyd_t)
 
+chronyd_read_config(chronyd_t)
+
 optional_policy(`
gpsd_rw_shm(chronyd_t)
 ')
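Review bot: chronyd_read_config(chronyd_t) calls the module's own interface from its .te; refpolicy convention is to write the rule for the module's own types directly (allow chronyd_t chronyd_conf_t:file read_file_perms;) and reserve the interfaces for other modules. Also, the .if diff in this patch only adds the two new interfaces, so if the module has a chronyd_admin() interface it does not yet cover chronyd_conf_t; the admin role should get an admin_pattern for it in the same change.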



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2018-02-18 Thread Jason Zaman
commit: f9fe55e7d7c4635f6de5b252fb1887b200601792
Author: Chris PeBenito  ieee  org>
AuthorDate: Thu Feb 15 22:06:45 2018 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Feb 18 11:17:07 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f9fe55e7

Misc dbus fixes from Russell Coker.

 policy/modules/contrib/apt.te| 11 ++-
 policy/modules/contrib/dbus.te   |  5 -
 policy/modules/contrib/devicekit.te  |  8 +++-
 policy/modules/contrib/networkmanager.te |  3 ++-
 4 files changed, 23 insertions(+), 4 deletions(-)

diff --git a/policy/modules/contrib/apt.te b/policy/modules/contrib/apt.te
index c54e2126..ed05a060 100644
--- a/policy/modules/contrib/apt.te
+++ b/policy/modules/contrib/apt.te
@@ -1,4 +1,4 @@
-policy_module(apt, 1.11.0)
+policy_module(apt, 1.11.1)
 
 
 #
@@ -135,6 +135,15 @@ optional_policy(`
 
 optional_policy(`
dbus_system_domain(apt_t, apt_exec_t)
+
+   optional_policy(`
+   # for packagekitd
+   policykit_dbus_chat(apt_t)
+   ')
+
+   optional_policy(`
+   unconfined_dbus_send(apt_t)
+   ')
 ')
 
 optional_policy(`
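Review bot: the nested optional_policy for unconfined_dbus_send(apt_t) carries no comment, unlike the policykit_dbus_chat(apt_t) block above it which explains itself with "# for packagekitd". State which unconfined bus peer apt needs to message so the rule can be reviewed later; as written it cannot be told apart from a catch-all added to silence a denial.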

diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index 00a15e45..0d84f3dd 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -1,4 +1,4 @@
-policy_module(dbus, 1.24.0)
+policy_module(dbus, 1.24.1)
 
 gen_require(`
class dbus all_dbus_perms;
@@ -136,6 +136,9 @@ init_use_script_ptys(system_dbusd_t)
 init_all_labeled_script_domtrans(system_dbusd_t)
 init_start_system(system_dbusd_t) # needed by dbus-broker
 
+# for powerdevil /usr/lib/x86_64-linux-gnu/libexec/kauth/*
+libs_exec_lib_files(system_dbusd_t)
+
 logging_send_audit_msgs(system_dbusd_t)
 logging_send_syslog_msg(system_dbusd_t)
 
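Review bot: libs_exec_lib_files(system_dbusd_t) makes the kauth helpers under /usr/lib/x86_64-linux-gnu/libexec/kauth/ run in system_dbusd_t itself, since no domain transition is defined; a privileged helper then inherits the bus daemon's permissions and any flaw in it is a flaw in the bus. The usual refpolicy pattern is a dedicated exec type and domain for such helpers (or dbus_system_domain() from the module that owns them), with a blanket lib-exec grant as a last resort. The path in the comment is also a Debian multiarch path; a file context entry would be more robust than a prose comment.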

diff --git a/policy/modules/contrib/devicekit.te 
b/policy/modules/contrib/devicekit.te
index 562cede8..390564a3 100644
--- a/policy/modules/contrib/devicekit.te
+++ b/policy/modules/contrib/devicekit.te
@@ -1,4 +1,4 @@
-policy_module(devicekit, 1.8.0)
+policy_module(devicekit, 1.8.1)
 
 
 #
@@ -163,6 +163,11 @@ optional_policy(`
optional_policy(`
policykit_dbus_chat(devicekit_disk_t)
')
+
+   optional_policy(`
+   # gwenview triggers the need for this
+   xserver_dbus_chat_xdm(devicekit_disk_t)
+   ')
 ')
 
 optional_policy(`
@@ -287,6 +292,7 @@ optional_policy(`
 
 optional_policy(`
dbus_system_bus_client(devicekit_power_t)
+   init_dbus_chat(devicekit_power_t)
 
allow devicekit_power_t devicekit_t:dbus send_msg;
 

diff --git a/policy/modules/contrib/networkmanager.te 
b/policy/modules/contrib/networkmanager.te
index 18137aed..e65eb094 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -1,4 +1,4 @@
-policy_module(networkmanager, 1.22.0)
+policy_module(networkmanager, 1.22.1)
 
 
 #
@@ -224,6 +224,7 @@ optional_policy(`
 
 optional_policy(`
dbus_system_domain(NetworkManager_t, NetworkManager_exec_t)
+   init_dbus_chat(NetworkManager_t)
 
optional_policy(`
avahi_dbus_chat(NetworkManager_t)



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2018-02-18 Thread Jason Zaman
commit: 8fdebd557db3d293e40ef47be7cbff315576beab
Author: Chris PeBenito  ieee  org>
AuthorDate: Thu Feb 15 22:09:45 2018 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Feb 18 11:19:30 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8fdebd55

Simple map patch from Russell Coker.

 policy/modules/contrib/dictd.te |  3 ++-
 policy/modules/contrib/dpkg.if  | 18 ++
 policy/modules/contrib/dpkg.te  |  2 +-
 policy/modules/contrib/logrotate.te |  3 ++-
 policy/modules/contrib/tor.te   |  2 +-
 5 files changed, 24 insertions(+), 4 deletions(-)

diff --git a/policy/modules/contrib/dictd.te b/policy/modules/contrib/dictd.te
index acf5c932..6cad541b 100644
--- a/policy/modules/contrib/dictd.te
+++ b/policy/modules/contrib/dictd.te
@@ -1,4 +1,4 @@
-policy_module(dictd, 1.11.0)
+policy_module(dictd, 1.11.1)
 
 
 #
@@ -57,6 +57,7 @@ dev_read_sysfs(dictd_t)
 
 domain_use_interactive_fds(dictd_t)
 
+files_map_usr_files(dictd_t)
 files_read_etc_runtime_files(dictd_t)
 files_read_usr_files(dictd_t)
 files_search_var_lib(dictd_t)

diff --git a/policy/modules/contrib/dpkg.if b/policy/modules/contrib/dpkg.if
index c753ad62..a5e88d6f 100644
--- a/policy/modules/contrib/dpkg.if
+++ b/policy/modules/contrib/dpkg.if
@@ -301,3 +301,21 @@ interface(`dpkg_manage_script_tmp_files',`
allow $1 dpkg_script_tmp_t:dir manage_dir_perms;
allow $1 dpkg_script_tmp_t:file manage_file_perms;
 ')
+
+
+## 
+## map dpkg_script_tmp_t files
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`dpkg_map_script_tmp_files',`
+   gen_require(`
+   type dpkg_script_tmp_t;
+   ')
+
+   allow $1 dpkg_script_tmp_t:file map;
+')
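Review bot: dpkg_map_script_tmp_files() grants only map on dpkg_script_tmp_t files; mmap needs the file opened first, so a caller must also hold read (for example through the manage interface just above) or the open is denied before map is ever checked. Document that dependency in the interface description or fold map into dpkg_manage_script_tmp_files(). No caller of the new interface appears in this patch, so the module that needs it should land with it; also, the summary should read "Map dpkg script temporary files." to match the casing of the neighbouring interfaces.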

diff --git a/policy/modules/contrib/dpkg.te b/policy/modules/contrib/dpkg.te
index 0ff59b94..e7747bc7 100644
--- a/policy/modules/contrib/dpkg.te
+++ b/policy/modules/contrib/dpkg.te
@@ -1,4 +1,4 @@
-policy_module(dpkg, 1.12.0)
+policy_module(dpkg, 1.12.1)
 
 
 #

diff --git a/policy/modules/contrib/logrotate.te 
b/policy/modules/contrib/logrotate.te
index 4bb9da7b..2490cdfa 100644
--- a/policy/modules/contrib/logrotate.te
+++ b/policy/modules/contrib/logrotate.te
@@ -1,4 +1,4 @@
-policy_module(logrotate, 1.20.0)
+policy_module(logrotate, 1.20.1)
 
 
 #
@@ -77,6 +77,7 @@ domain_use_interactive_fds(logrotate_t)
 domain_getattr_all_entry_files(logrotate_t)
 domain_read_all_domains_state(logrotate_t)
 
+files_map_etc_files(logrotate_t)
 files_read_usr_files(logrotate_t)
 files_read_etc_runtime_files(logrotate_t)
 files_read_all_pids(logrotate_t)

diff --git a/policy/modules/contrib/tor.te b/policy/modules/contrib/tor.te
index 990ea8c4..8029630f 100644
--- a/policy/modules/contrib/tor.te
+++ b/policy/modules/contrib/tor.te
@@ -1,4 +1,4 @@
-policy_module(tor, 1.14.0)
+policy_module(tor, 1.14.1)
 
 
 #



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2018-01-18 Thread Sven Vermeulen
commit: ad682abef88d5a18cdc7ca5daeda810b6cbfbc31
Author: Chris PeBenito  ieee  org>
AuthorDate: Sun Dec 31 12:06:27 2017 +
Commit: Sven Vermeulen  gentoo  org>
CommitDate: Thu Jan 18 16:26:14 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ad682abe

monit: Module version bump.

 policy/modules/contrib/monit.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/contrib/monit.te b/policy/modules/contrib/monit.te
index e9c940a1..c08fd4f3 100644
--- a/policy/modules/contrib/monit.te
+++ b/policy/modules/contrib/monit.te
@@ -1,4 +1,4 @@
-policy_module(monit, 1.1.0)
+policy_module(monit, 1.1.1)
 
 
 #



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2018-01-18 Thread Sven Vermeulen
commit: 9ae63d2cac826369362aa84bb228823e435b57bc
Author: Jason Zaman  perfinion  com>
AuthorDate: Wed Dec 20 16:52:41 2017 +
Commit: Sven Vermeulen  gentoo  org>
CommitDate: Thu Jan 18 16:26:13 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9ae63d2c

gssproxy: allow writing kerberos rcache

 policy/modules/contrib/gssproxy.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/contrib/gssproxy.te 
b/policy/modules/contrib/gssproxy.te
index c1dcc556..a2519dde 100644
--- a/policy/modules/contrib/gssproxy.te
+++ b/policy/modules/contrib/gssproxy.te
@@ -63,4 +63,5 @@ optional_policy(`
kerberos_manage_host_rcache(gssproxy_t)
kerberos_read_keytab(gssproxy_t)
kerberos_use(gssproxy_t)
+   kerberos_tmp_filetrans_host_rcache(gssproxy_t, file)
 ')
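Review bot: kerberos_tmp_filetrans_host_rcache(gssproxy_t, file) is appended after kerberos_use(gssproxy_t), breaking the alphabetical order the block keeps (manage_host_rcache, read_keytab, use); it belongs between kerberos_read_keytab and kerberos_use. The commit message could also note that write access already existed via kerberos_manage_host_rcache() and the missing piece was the type transition in /tmp, otherwise a reader will look for a missing allow rule.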



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2018-01-18 Thread Sven Vermeulen
commit: 52fa8fd6827120ac1b622bc6ec8f7d7899f3b5cd
Author: Chris PeBenito  ieee  org>
AuthorDate: Sun Jan 14 19:08:08 2018 +
Commit: Sven Vermeulen  gentoo  org>
CommitDate: Thu Jan 18 16:26:15 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=52fa8fd6

Bump module versions for release.

 policy/modules/contrib/accountsd.te  | 2 +-
 policy/modules/contrib/alsa.te   | 2 +-
 policy/modules/contrib/apache.te | 2 +-
 policy/modules/contrib/bind.te   | 2 +-
 policy/modules/contrib/blueman.te| 2 +-
 policy/modules/contrib/cachefilesd.te| 2 +-
 policy/modules/contrib/cgmanager.te  | 2 +-
 policy/modules/contrib/chkrootkit.te | 2 +-
 policy/modules/contrib/cron.te   | 2 +-
 policy/modules/contrib/cyrus.te  | 2 +-
 policy/modules/contrib/dbus.te   | 2 +-
 policy/modules/contrib/devicekit.te  | 2 +-
 policy/modules/contrib/dhcp.te   | 2 +-
 policy/modules/contrib/dirmngr.te| 2 +-
 policy/modules/contrib/dkim.te   | 2 +-
 policy/modules/contrib/dmidecode.te  | 2 +-
 policy/modules/contrib/dnsmasq.te| 2 +-
 policy/modules/contrib/dovecot.te| 2 +-
 policy/modules/contrib/dphysswapfile.te  | 2 +-
 policy/modules/contrib/evolution.te  | 2 +-
 policy/modules/contrib/exim.te   | 2 +-
 policy/modules/contrib/fakehwclock.te| 2 +-
 policy/modules/contrib/gnome.te  | 2 +-
 policy/modules/contrib/gpg.te| 2 +-
 policy/modules/contrib/gssproxy.te   | 2 +-
 policy/modules/contrib/java.te   | 2 +-
 policy/modules/contrib/ldap.te   | 2 +-
 policy/modules/contrib/libmtp.te | 2 +-
 policy/modules/contrib/logrotate.te  | 2 +-
 policy/modules/contrib/mandb.te  | 2 +-
 policy/modules/contrib/milter.te | 2 +-
 policy/modules/contrib/modemmanager.te   | 2 +-
 policy/modules/contrib/mon.te| 2 +-
 policy/modules/contrib/monit.te  | 2 +-
 policy/modules/contrib/mozilla.te| 2 +-
 policy/modules/contrib/mta.te| 2 +-
 policy/modules/contrib/networkmanager.te | 2 +-
 policy/modules/contrib/openoffice.te | 2 +-
 policy/modules/contrib/pkcs.te   | 2 +-
 policy/modules/contrib/policykit.te  | 2 +-
 policy/modules/contrib/portage.te| 2 +-
 policy/modules/contrib/postfix.te| 2 +-
 policy/modules/contrib/pulseaudio.te | 2 +-
 policy/modules/contrib/radius.te | 2 +-
 policy/modules/contrib/rkhunter.te   | 2 +-
 policy/modules/contrib/rpc.te| 2 +-
 policy/modules/contrib/rpm.te| 2 +-
 policy/modules/contrib/samba.te  | 2 +-
 policy/modules/contrib/sendmail.te   | 2 +-
 policy/modules/contrib/spamassassin.te   | 2 +-
 policy/modules/contrib/squid.te  | 2 +-
 policy/modules/contrib/stunnel.te| 2 +-
 policy/modules/contrib/thunderbird.te| 2 +-
 policy/modules/contrib/virt.te   | 2 +-
 policy/modules/contrib/wireshark.te  | 2 +-
 policy/modules/contrib/wm.te | 2 +-
 56 files changed, 56 insertions(+), 56 deletions(-)

diff --git a/policy/modules/contrib/accountsd.te 
b/policy/modules/contrib/accountsd.te
index dcc0cfe2..abd51292 100644
--- a/policy/modules/contrib/accountsd.te
+++ b/policy/modules/contrib/accountsd.te
@@ -1,4 +1,4 @@
-policy_module(accountsd, 1.1.1)
+policy_module(accountsd, 1.2.0)
 
 gen_require(`
class passwd all_passwd_perms;

diff --git a/policy/modules/contrib/alsa.te b/policy/modules/contrib/alsa.te
index ce97649f..6caddbc8 100644
--- a/policy/modules/contrib/alsa.te
+++ b/policy/modules/contrib/alsa.te
@@ -1,4 +1,4 @@
-policy_module(alsa, 1.17.2)
+policy_module(alsa, 1.18.0)
 
 
 #

diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index d932339c..ad74e5cb 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -1,4 +1,4 @@
-policy_module(apache, 2.13.3)
+policy_module(apache, 2.14.0)
 
 
 #

diff --git a/policy/modules/contrib/bind.te b/policy/modules/contrib/bind.te
index bee20f04..c96d0b82 100644
--- a/policy/modules/contrib/bind.te
+++ b/policy/modules/contrib/bind.te
@@ -1,4 +1,4 @@
-policy_module(bind, 1.19.1)
+policy_module(bind, 1.20.0)
 
 
 #

diff --git a/policy/modules/contrib/blueman.te 
b/policy/modules/contrib/blueman.te
index 06d9d1d0..718e3bf3 100644
--- a/policy/modules/contrib/blueman.te
+++ b/policy/modules/contrib/blueman.te
@@ -1,4 +1,4 @@
-policy_module(blueman, 1.1.1)
+policy_module(blueman, 1.2.0)
 
 
 #

diff --git a/policy/modules/contrib/cachefilesd.te 
b/policy/modules/contrib/cachefilesd.te
index 97a70718..cf1e0337 100644
--- a/policy/modules/contrib/cachefilesd.te
+++ b/policy/modules/contrib/cachefilesd.te
@@ -1,4 +1,4 @@
-policy_module(cachefilesd, 1.4.1)

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2018-01-18 Thread Sven Vermeulen
commit: 43da5040356ecd17cf2ca9c31ef4a6ea5141639b
Author: Christian Göttsche  googlemail  com>
AuthorDate: Fri Dec 29 20:20:06 2017 +
Commit: Sven Vermeulen  gentoo  org>
CommitDate: Thu Jan 18 16:26:14 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=43da5040

monit: update

- usage of socket interface (/run/monit.socket as monit_runtime_t)
- allow simple checks (entropy, systemctl is-system-running, getenforce)

 policy/modules/contrib/monit.fc |  3 ++-
 policy/modules/contrib/monit.if |  4 ++--
 policy/modules/contrib/monit.te | 40 
 3 files changed, 32 insertions(+), 15 deletions(-)

diff --git a/policy/modules/contrib/monit.fc b/policy/modules/contrib/monit.fc
index 273aad3e..1cd0238e 100644
--- a/policy/modules/contrib/monit.fc
+++ b/policy/modules/contrib/monit.fc
@@ -2,7 +2,8 @@
 
 /etc/monit(/.*)?   
gen_context(system_u:object_r:monit_conf_t,s0)
 
-/run/monit\.pid--  
gen_context(system_u:object_r:monit_pid_t,s0)
+/run/monit\.pid--  
gen_context(system_u:object_r:monit_runtime_t,s0)
+/run/monit\.socket -s  
gen_context(system_u:object_r:monit_runtime_t,s0)
 
 /usr/bin/monit --  
gen_context(system_u:object_r:monit_exec_t,s0)
 

diff --git a/policy/modules/contrib/monit.if b/policy/modules/contrib/monit.if
index d249dfbd..832cdca8 100644
--- a/policy/modules/contrib/monit.if
+++ b/policy/modules/contrib/monit.if
@@ -102,7 +102,7 @@ interface(`monit_startstop_service',`
 interface(`monit_admin',`
gen_require(`
type monit_t, monit_conf_t, monit_initrc_exec_t;
-   type monit_log_t, monit_pid_t;
+   type monit_log_t, monit_runtime_t;
type monit_unit_t, monit_var_lib_t;
')
 
@@ -117,7 +117,7 @@ interface(`monit_admin',`
admin_pattern($1, monit_log_t)
 
files_search_pids($1)
-   admin_pattern($1, monit_pid_t)
+   admin_pattern($1, monit_runtime_t)
 
files_search_var_lib($1)
admin_pattern($1, monit_var_lib_t)

diff --git a/policy/modules/contrib/monit.te b/policy/modules/contrib/monit.te
index 9b7a605b..e9c940a1 100644
--- a/policy/modules/contrib/monit.te
+++ b/policy/modules/contrib/monit.te
@@ -33,8 +33,8 @@ role monit_cli_roles types monit_cli_t;
 type monit_log_t;
 logging_log_file(monit_log_t)
 
-type monit_pid_t alias monit_run_t;
-files_pid_file(monit_pid_t)
+type monit_runtime_t alias monit_pid_t;
+files_pid_file(monit_runtime_t)
 
 type monit_unit_t;
 init_unit_file(monit_unit_t)
@@ -63,15 +63,21 @@ kernel_read_system_state(monit_domain)
 dev_read_sysfs(monit_domain)
 dev_read_urand(monit_domain)
 
+files_getattr_all_mountpoints(monit_domain)
+
 fs_getattr_dos_fs(monit_domain)
 fs_getattr_dos_dirs(monit_domain)
 fs_getattr_tmpfs(monit_domain)
 fs_getattr_xattr_fs(monit_domain)
 
+miscfiles_read_generic_certs(monit_domain)
 miscfiles_read_localization(monit_domain)
 
+logging_send_syslog_msg(monit_domain)
+
 # disk usage of sd card
 storage_getattr_removable_dev(monit_domain)
+storage_getattr_fixed_disk_dev(monit_domain)
 
 
 #
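Review bot: placing logging_send_syslog_msg() on the monit_domain attribute (it is removed from monit_t later in this patch) extends it, along with the new miscfiles_read_generic_certs() and files_getattr_all_mountpoints() calls, to every domain carrying the attribute, including the monit_cli_t client declared in the role line at the top of the file. If the CLI does not need syslog or certificate access these belong on monit_t only; either way the commit message should say the attribute was widened.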
@@ -88,43 +94,50 @@ dontaudit monit_t self:capability net_admin;
 allow monit_t self:fifo_file rw_fifo_file_perms;
 allow monit_t self:rawip_socket connected_socket_perms;
 allow monit_t self:tcp_socket server_stream_socket_perms;
-allow monit_t self:unix_dgram_socket { connect create };
 
 allow monit_t monit_log_t:file { create read_file_perms append_file_perms };
 logging_log_filetrans(monit_t, monit_log_t, file)
 
-allow monit_t monit_pid_t:file manage_file_perms;
-files_pid_filetrans(monit_t, monit_pid_t, file)
+allow monit_t monit_runtime_t:file manage_file_perms;
+allow monit_t monit_runtime_t:sock_file manage_sock_file_perms;
+files_pid_filetrans(monit_t, monit_runtime_t, { file sock_file })
 
 allow monit_t monit_var_lib_t:dir manage_dir_perms;
 allow monit_t monit_var_lib_t:file manage_file_perms;
 
+# entropy
+kernel_read_kernel_sysctls(monit_t)
+kernel_read_vm_overcommit_sysctl(monit_t)
+
 auth_use_nsswitch(monit_t)
 
 corecmd_exec_bin(monit_t)
+corecmd_exec_shell(monit_t)
 
 corenet_tcp_bind_generic_node(monit_t)
 corenet_tcp_bind_monit_port(monit_t)
 corenet_tcp_connect_all_ports(monit_t)
 
+domain_getattr_all_domains(monit_t)
 domain_getpgid_all_domains(monit_t)
 domain_read_all_domains_state(monit_t)
 
 files_read_all_pids(monit_t)
 
-logging_send_syslog_msg(monit_t)
+selinux_get_enforce_mode(monit_t)
 
-ifdef(`hide_broken_symptoms',`
-   # kernel bug: https://github.com/SELinuxProject/selinux-kernel/issues/6
-   dontaudit monit_t self:capability dac_override;
+userdom_dontaudit_search_user_home_dirs(monit_t)
+
+ifdef(`init_systemd',`
+   # systemctl is-system-running
+   init_stream_connect(monit_t)
+   init_get_system_status(monit_t)
 ')
 
 
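Review bot: the ifdef(`hide_broken_symptoms') dontaudit of dac_override, together with its reference to the kernel issue, is dropped without the commit message saying whether the kernel bug was fixed; if it was not, the denial returns to the audit log for every check that touches files monit lacks DAC access to. Restore the block with its comment or state why it is no longer needed. Separately, corecmd_exec_shell(monit_t) lets any configured check run through a shell; that is inherent to monit's check scripts, but it widens what a writable monit configuration can do and deserves its own comment like the "# entropy" and "# systemctl is-system-running" lines.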

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2018-01-18 Thread Sven Vermeulen
commit: d356cc2603d590a9ad14d47b09fb3a84ff7f2fce
Author: Chris PeBenito  ieee  org>
AuthorDate: Sun Jan 14 19:08:09 2018 +
Commit: Sven Vermeulen  gentoo  org>
CommitDate: Thu Jan 18 16:26:15 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d356cc26

Update Changelog for release.

 policy/modules/contrib/Changelog | 156 +++
 1 file changed, 156 insertions(+)

diff --git a/policy/modules/contrib/Changelog b/policy/modules/contrib/Changelog
index 2a6e15b4..1596ba77 100644
--- a/policy/modules/contrib/Changelog
+++ b/policy/modules/contrib/Changelog
@@ -1,3 +1,159 @@
+* Sun Jan 14 2018 Chris PeBenito  - 2.20180114
+Chad Hanson (1):
+  Allow rpm to relabel files at all levels
+
+Chris PeBenito (46):
+  Remove deprecated interfaces more than one year old.
+  Remove complement and wildcard in allow rules.
+  Merge branch 'master' of git://github.com/teg/refpolicy-contrib
+  dbus: Module version bump for dbus-broker patch from Tom Gundersen.
+  Module version bump for patches from Guido Trentalancia.
+  Module version bumps for patches from David Sugar.
+  dhcp, logrotate: Module version bump.
+  Module version bumps for chkrootkit, dkim, dmidecode, portage, and
+ rkhunter.
+  Module version bumps.
+  spamassassin: Move lines.
+  mandb, spamassassin: Module version bumps.
+  spamassassin: Fix build error.
+  spamassassin: Add missing requirement in spamassassin_admin().
+  dphysswapfile: Module version bump.
+  gpg, pulseaudio, rpc: Module version bump.
+  dnsmasq, gnome, mon, mta, openoffice, pulseaudio, wm: Version bumps.
+  Revert "postfix: Some table drivers (notably cdb) need to mmap() their
+ databases"
+  java, mozilla, mta, postfix: Module version bump.
+  portage: Fix usr_t map interface usage.
+  apache, portage: Module version bump.
+  dbus, policykit, wm: Module version bump.
+  dbus: Add comment.
+  Merge branch 'nm_audit' of git://github.com/bigon/refpolicy-contrib
+  networkmanager: Module version bump.
+  virt: Move a line.
+  alsa, mon, virt: Module version bump.
+  gpg, mozilla, rpc: Module version bump.
+  Several module version bumps.
+  blueman, evolution, gpg, mozilla, openoffice, thunderbird, wireshark, wm:
+ Module version bump.
+  wm: Module version bump.
+  networkmanager: Move line.
+  networkmanager: Module version bump.
+  Merge branch 'pkcs' of https://github.com/dodys/refpolicy-contrib
+  pkcs: Rename pkcs_slotd_unit_file_t.
+  pkcs: Module version bump.
+  accountsd, policykit: Module version bump.
+  dbus, devicekit, modemmanager, networkmanager, virt: Module version bump.
+  modemmanager: Move lines.
+  rpm: Module version bump.
+  cachefilesd, dbus, dirmngr, gnome, gpg, pulseaudio: Module version bump.
+  Replace deprecated mmap perm sets and pattern usage.
+  gssproxy: Module version bump.
+  monit: Module version bump.
+  apache, dkim, monit: Module version bump.
+  spamassassin: Module version bump.
+  Bump module versions for release.
+
+Christian Göttsche (20):
+  dkim: align filecontexts
+  dkim: update
+  milter: align filecontexts
+  apache: align filecontexts
+  dmidecode: use userdom_use_inherited_user_terminals
+  spamassassin: align filecontexts
+  chkrootkit: update
+  rkhunter: add several missing permission
+  fakehwclock: update
+  milter: update
+  mandb: fixes for systemd timer and /usr/local/man label
+  spamassassin: update
+  dphysswapfile: fix swapfile creation
+  apache: update
+  monit: update
+  dkim: align file contexts
+  dkim: update
+  apache: update
+  monit: read /usr/share/ca-certificates for cert verification
+  spamassassin: fix missing perms
+
+Daniel Jurgens (1):
+  networkmanager: Grant access to unlabeled PKeys
+
+David Sugar (5):
+  mon: move rpc_* into optional
+  wm: consolidate networkmanger interface calls into single optional
+  cron: optional_policy for mta_* interfaces
+  Label /usr/bin/mutter
+  Allow to read /proc/sys/crypto/fips_enabled
+
+Eduardo Barretto (2):
+  Update pkcs policy to include pkccsslotd.service
+  Update missing permissions for pkcs
+
+Guido Trentalancia (13):
+  libmtp: read symlinks in user home directories
+  spamassassin: update rules for the Bayesian classifier trainer
+  wm: let gnome-shell start properly
+  gnome: keyring daemon dbus policy update
+  gnome: keyring daemon read SELinux config
+  openoffice: improve temporary directories' operations
+  pulseaudio: general update
+  wm: gnome-shell SELinux integration
+  mozilla: run Java Web Start applications
+  wm: run PolicyKit
+  dbus: read user home content files
+  mozilla: 

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2018-01-18 Thread Sven Vermeulen
commit: 809e957e64f147b25cc5bdb1f02d0cfe9669af96
Author: Christian Göttsche  googlemail  com>
AuthorDate: Mon Jan  1 11:22:30 2018 +
Commit: Sven Vermeulen  gentoo  org>
CommitDate: Thu Jan 18 16:26:14 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=809e957e

dkim: update

 policy/modules/contrib/dkim.te | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/policy/modules/contrib/dkim.te b/policy/modules/contrib/dkim.te
index 4ddefbf8..29880efb 100644
--- a/policy/modules/contrib/dkim.te
+++ b/policy/modules/contrib/dkim.te
@@ -23,23 +23,24 @@ init_daemon_pid_file(dkim_milter_data_t, dir, "opendkim")
 # Local policy
 #
 
-allow dkim_milter_t self:capability { dac_override setgid setuid };
+allow dkim_milter_t self:capability { dac_read_search dac_override setgid 
setuid };
 allow dkim_milter_t self:process { signal signull };
 allow dkim_milter_t self:unix_stream_socket create_stream_socket_perms;
 
 read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, 
dkim_milter_private_key_t)
 
+# /proc/sys/kernel/ngroups_max
 kernel_read_kernel_sysctls(dkim_milter_t)
 kernel_read_vm_overcommit_sysctl(dkim_milter_t)
 
 corenet_udp_bind_generic_node(dkim_milter_t)
 corenet_udp_bind_all_unreserved_ports(dkim_milter_t)
-corenet_dontaudit_udp_bind_all_ports(dkim_milter_t)
 
 dev_read_urand(dkim_milter_t)
 # for cpu/online
 dev_read_sysfs(dkim_milter_t)
 
+files_pid_filetrans(dkim_milter_t, dkim_milter_data_t, { dir file })
 files_read_usr_files(dkim_milter_t)
 files_search_spool(dkim_milter_t)
 



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2018-01-18 Thread Sven Vermeulen
commit: 78a19a3f7cbb0596156dc9c50dadfaf629111ccf
Author: Christian Göttsche  googlemail  com>
AuthorDate: Wed Jan  3 23:40:06 2018 +
Commit: Sven Vermeulen  gentoo  org>
CommitDate: Thu Jan 18 16:26:15 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=78a19a3f

spamassassin: fix missing perms

version 2:

 * fix non-existent interface kernel_search_crypto_sysctls
 * add spamd-gpg permissions on update

 policy/modules/contrib/spamassassin.te | 8 ++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/policy/modules/contrib/spamassassin.te 
b/policy/modules/contrib/spamassassin.te
index 9bc81030..7d34829d 100644
--- a/policy/modules/contrib/spamassassin.te
+++ b/policy/modules/contrib/spamassassin.te
@@ -549,10 +549,13 @@ optional_policy(`
allow spamd_gpg_t spamd_update_t:fd use;
allow spamd_gpg_t spamd_update_t:process sigchld;
allow spamd_gpg_t spamd_update_t:fifo_file { getattr write };
-   allow spamd_gpg_t spamd_var_lib_t:dir search_dir_perms;
-   allow spamd_gpg_t spamd_var_lib_t:file rw_file_perms;
+   allow spamd_gpg_t spamd_var_lib_t:dir rw_dir_perms;
+   allow spamd_gpg_t spamd_var_lib_t:file manage_file_perms;
allow spamd_gpg_t spamd_update_tmp_t:file read_file_perms;
 
+   # fips
+   kernel_read_crypto_sysctls(spamd_gpg_t)
+
domain_use_interactive_fds(spamd_gpg_t)
 
files_read_etc_files(spamd_gpg_t)
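Review bot: the step from rw_file_perms to manage_file_perms (and search_dir_perms to rw_dir_perms) on spamd_var_lib_t for spamd_gpg_t is justified by how gpg writes keyrings (lock files, then a rename over the original), but neither the hunk nor the commit message says so; a one-line comment above the two allow rules would keep the widening from being tightened back later. The "# fips" comment should name what is read (/proc/sys/crypto/fips_enabled), matching the kernel_read_crypto_sysctls() call it annotates.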
@@ -562,6 +565,7 @@ optional_policy(`
files_search_tmp(spamd_gpg_t)
 
init_use_fds(spamd_gpg_t)
+   init_rw_inherited_stream_socket(spamd_gpg_t)
 
miscfiles_read_localization(spamd_gpg_t)
 



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2018-01-18 Thread Sven Vermeulen
commit: ed84591411e71acf518d0660feed05318f57fbdb
Author: Chris PeBenito  ieee  org>
AuthorDate: Wed Jan  3 21:52:45 2018 +
Commit: Sven Vermeulen  gentoo  org>
CommitDate: Thu Jan 18 16:26:15 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ed845914

apache, dkim, monit: Module version bump.

 policy/modules/contrib/apache.te | 2 +-
 policy/modules/contrib/dkim.te   | 2 +-
 policy/modules/contrib/monit.te  | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index 30f9755d..d932339c 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -1,4 +1,4 @@
-policy_module(apache, 2.13.2)
+policy_module(apache, 2.13.3)
 
 
 #

diff --git a/policy/modules/contrib/dkim.te b/policy/modules/contrib/dkim.te
index 29880efb..3c116507 100644
--- a/policy/modules/contrib/dkim.te
+++ b/policy/modules/contrib/dkim.te
@@ -1,4 +1,4 @@
-policy_module(dkim, 1.6.1)
+policy_module(dkim, 1.6.2)
 
 
 #

diff --git a/policy/modules/contrib/monit.te b/policy/modules/contrib/monit.te
index 79d3d1bf..7c5be707 100644
--- a/policy/modules/contrib/monit.te
+++ b/policy/modules/contrib/monit.te
@@ -1,4 +1,4 @@
-policy_module(monit, 1.1.1)
+policy_module(monit, 1.1.2)
 
 
 #



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2018-01-18 Thread Sven Vermeulen
commit: 57f4342adb2522941718def593aa88b860fe32d9
Author: Christian Göttsche  googlemail  com>
AuthorDate: Mon Jan  1 11:34:16 2018 +
Commit: Sven Vermeulen  gentoo  org>
CommitDate: Thu Jan 18 16:26:14 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=57f4342a

apache: update

 policy/modules/contrib/apache.fc | 1 -
 policy/modules/contrib/apache.te | 1 +
 2 files changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/contrib/apache.fc b/policy/modules/contrib/apache.fc
index 094344ca..f3202453 100644
--- a/policy/modules/contrib/apache.fc
+++ b/policy/modules/contrib/apache.fc
@@ -196,7 +196,6 @@ ifdef(`distro_suse',`
 /var/www(/.*)?/nextcloud/config(/.*)?  
gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 /var/www(/.*)?/nextcloud/data(.*)? 
gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 /var/www(/.*)?/nextcloud/apps(/.*)?
gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/www(/.*)?/nextcloud/\.htaccess--  
gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 /var/www/perl(/.*)?
gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
 /var/www/sessions(/.*)?
gen_context(system_u:object_r:httpd_cache_t,s0)
 /var/www/svn(/.*)? 
gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
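Review bot: removing the `/var/www(/.*)?/nextcloud/\.htaccess` entry is not explained by the "apache: update" message; after this change the file falls back to whatever generic /var/www context applies (not visible in this hunk), which changes whether httpd can write it, and Nextcloud's own updater rewrites .htaccess. State in the commit message whether the intent is to stop httpd writing that file or whether the entry was dropped because it never matched.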

diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index be12966a..30f9755d 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -503,6 +503,7 @@ fs_search_auto_mountpoints(httpd_t)
 
 fs_getattr_all_fs(httpd_t)
 fs_read_anon_inodefs_files(httpd_t)
+fs_rw_inherited_hugetlbfs_files(httpd_t)
 fs_read_iso9660_files(httpd_t)
 fs_search_auto_mountpoints(httpd_t)
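Review bot: fs_search_auto_mountpoints(httpd_t) appears both in this hunk's header context and as the final context line, so this region of apache.te carries the call twice; drop the duplicate while here. The new fs_rw_inherited_hugetlbfs_files(httpd_t) also lacks a comment naming the module that hands httpd an already-open hugetlbfs file; the inherited-only scope (httpd cannot open hugetlbfs files itself) is the right one, so the comment just needs to say why it is needed.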
 



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2018-01-18 Thread Sven Vermeulen
commit: f090e17ce1ab4dbb518f5c9216fb603c37619f3f
Author: Christian Göttsche  googlemail  com>
AuthorDate: Mon Jan  1 11:54:04 2018 +
Commit: Sven Vermeulen  gentoo  org>
CommitDate: Thu Jan 18 16:26:14 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f090e17c

monit: read /usr/share/ca-certificates for cert verification

 policy/modules/contrib/monit.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/contrib/monit.te b/policy/modules/contrib/monit.te
index c08fd4f3..79d3d1bf 100644
--- a/policy/modules/contrib/monit.te
+++ b/policy/modules/contrib/monit.te
@@ -123,6 +123,7 @@ domain_getpgid_all_domains(monit_t)
 domain_read_all_domains_state(monit_t)
 
 files_read_all_pids(monit_t)
+files_read_usr_files(monit_t)
 
 selinux_get_enforce_mode(monit_t)
 



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2018-01-18 Thread Sven Vermeulen
commit: 7e89b19207d85c82d3d6ffef921bdea4ab0b3a5c
Author: Chris PeBenito  ieee  org>
AuthorDate: Fri Jan  5 21:20:21 2018 +
Commit: Sven Vermeulen  gentoo  org>
CommitDate: Thu Jan 18 16:26:15 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7e89b192

spamassassin: Module version bump.

 policy/modules/contrib/spamassassin.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/contrib/spamassassin.te 
b/policy/modules/contrib/spamassassin.te
index 7d34829d..37226963 100644
--- a/policy/modules/contrib/spamassassin.te
+++ b/policy/modules/contrib/spamassassin.te
@@ -1,4 +1,4 @@
-policy_module(spamassassin, 2.11.4)
+policy_module(spamassassin, 2.11.5)
 
 
 #



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2018-01-18 Thread Sven Vermeulen
commit: ee15243311266d2947b10a7a2e3d8a1a7f399748
Author: Christian Göttsche  googlemail  com>
AuthorDate: Mon Jan  1 11:22:29 2018 +
Commit: Sven Vermeulen  gentoo  org>
CommitDate: Thu Jan 18 16:26:14 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ee152433

dkim: align file contexts

 policy/modules/contrib/dkim.fc | 26 +-
 1 file changed, 13 insertions(+), 13 deletions(-)

diff --git a/policy/modules/contrib/dkim.fc b/policy/modules/contrib/dkim.fc
index 621180ab..08b65263 100644
--- a/policy/modules/contrib/dkim.fc
+++ b/policy/modules/contrib/dkim.fc
@@ -1,25 +1,25 @@
-/etc/opendkim/keys(/.*)?   
gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
+/etc/opendkim/keys(/.*)?   
gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
 
 /etc/rc\.d/init\.d/((opendkim)|(dkim-milter))  --  
gen_context(system_u:object_r:dkim_milter_initrc_exec_t,s0)
 
-/usr/bin/dkim-filter   --  
gen_context(system_u:object_r:dkim_milter_exec_t,s0)
-/usr/bin/opendkim  --  
gen_context(system_u:object_r:dkim_milter_exec_t,s0)
+/usr/bin/dkim-filter   --  
gen_context(system_u:object_r:dkim_milter_exec_t,s0)
+/usr/bin/opendkim  --  
gen_context(system_u:object_r:dkim_milter_exec_t,s0)
 
 /usr/lib/systemd/system/opendkim\.service  --  
gen_context(system_u:object_r:dkim_milter_unit_t,s0)
 
-/usr/sbin/dkim-filter  --  
gen_context(system_u:object_r:dkim_milter_exec_t,s0)
-/usr/sbin/opendkim --  
gen_context(system_u:object_r:dkim_milter_exec_t,s0)
+/usr/sbin/dkim-filter  --  
gen_context(system_u:object_r:dkim_milter_exec_t,s0)
+/usr/sbin/opendkim --  
gen_context(system_u:object_r:dkim_milter_exec_t,s0)
 
-/var/db/dkim(/.*)? 
gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
+/var/db/dkim(/.*)? 
gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
 
-/var/lib/dkim-milter(/.*)? 
gen_context(system_u:object_r:dkim_milter_data_t,s0)
+/var/lib/dkim-milter(/.*)? 
gen_context(system_u:object_r:dkim_milter_data_t,s0)
 
-/var/spool/postfix/opendkim(/.*)?  
gen_context(system_u:object_r:dkim_milter_data_t,s0)
+/var/spool/postfix/opendkim(/.*)?  
gen_context(system_u:object_r:dkim_milter_data_t,s0)
 
-/run/dkim-filter(/.*)? 
gen_context(system_u:object_r:dkim_milter_data_t,s0)
-/run/dkim-milter(/.*)? 
gen_context(system_u:object_r:dkim_milter_data_t,s0)
-/run/dkim-milter\.pid  --  
gen_context(system_u:object_r:dkim_milter_data_t,s0)
+/run/dkim-filter(/.*)? 
gen_context(system_u:object_r:dkim_milter_data_t,s0)
+/run/dkim-milter(/.*)? 
gen_context(system_u:object_r:dkim_milter_data_t,s0)
+/run/dkim-milter\.pid  --  
gen_context(system_u:object_r:dkim_milter_data_t,s0)
 
-/run/opendkim(/.*)?
gen_context(system_u:object_r:dkim_milter_data_t,s0)
+/run/opendkim(/.*)?
gen_context(system_u:object_r:dkim_milter_data_t,s0)
 
-/var/spool/opendkim(/.*)?  
gen_context(system_u:object_r:dkim_milter_data_t,s0)
+/var/spool/opendkim(/.*)?  
gen_context(system_u:object_r:dkim_milter_data_t,s0)



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2018-01-18 Thread Sven Vermeulen
commit: 5f2f2b2576d4ecf0955e04e6b469288f431cec60
Author: Chris PeBenito  ieee  org>
AuthorDate: Tue Dec 26 10:38:25 2017 +
Commit: Sven Vermeulen  gentoo  org>
CommitDate: Thu Jan 18 16:26:13 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5f2f2b25

gssproxy: Module version bump.

 policy/modules/contrib/gssproxy.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/contrib/gssproxy.te 
b/policy/modules/contrib/gssproxy.te
index a2519dde..3ad1f620 100644
--- a/policy/modules/contrib/gssproxy.te
+++ b/policy/modules/contrib/gssproxy.te
@@ -1,4 +1,4 @@
-policy_module(gssproxy, 1.0.0)
+policy_module(gssproxy, 1.0.1)
 
 
 #



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2017-12-23 Thread Jason Zaman
commit: 0cb16fbd5d7bc0dfa8c5201e6dbb3f450f6e97a1
Author: Jason Zaman  perfinion  com>
AuthorDate: Sat Dec 23 15:26:22 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Dec 23 15:26:22 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0cb16fbd

dropbox: mmap_file_perms is deprecated, use mmap_exec_file_perms instead

 policy/modules/contrib/dropbox.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/contrib/dropbox.te 
b/policy/modules/contrib/dropbox.te
index f7f6125f..63f95c25 100644
--- a/policy/modules/contrib/dropbox.te
+++ b/policy/modules/contrib/dropbox.te
@@ -40,7 +40,7 @@ userdom_user_tmpfs_file(dropbox_tmpfs_t)
 
 allow dropbox_t self:process { execmem signal_perms };
 allow dropbox_t self:fifo_file rw_fifo_file_perms;
-allow dropbox_t dropbox_home_t:file mmap_file_perms;
+allow dropbox_t dropbox_home_t:file mmap_exec_file_perms;
 
 # dropbox updates itself in /tmp then in ~/.dropbox-dist/
 can_exec(dropbox_t, dropbox_exec_t)
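Review bot: mmap_exec_file_perms on dropbox_home_t lets dropbox_t map files in its own writable home directory as executable, which together with the `execmem` on the line above is a full W+X arrangement on user-writable content; the `# dropbox updates itself in /tmp then in ~/.dropbox-dist/` comment below is the justification, so move that comment above the changed rule (or reference it there) so the reason for exec-mapping home content sits next to the rule that grants it.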



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2017-12-23 Thread Jason Zaman
commit: 6f30ae2e7e7c4cc92ce84b78423ecafe721d3dea
Author: Jason Zaman  perfinion  com>
AuthorDate: Sat Dec 23 15:23:38 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Dec 23 15:23:38 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6f30ae2e

portage: allow mapping font files

 policy/modules/contrib/portage.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/contrib/portage.te 
b/policy/modules/contrib/portage.te
index 067afc97..44bdca53 100644
--- a/policy/modules/contrib/portage.te
+++ b/policy/modules/contrib/portage.te
@@ -207,6 +207,7 @@ init_exec(portage_t)
 libs_run_ldconfig(portage_t, portage_roles)
 
 miscfiles_read_localization(portage_t)
+miscfiles_read_fonts(portage_t)
 
 # run setfiles -r
 seutil_run_setfiles(portage_t, portage_roles)
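Review bot: the commit title promises mapping font files but the rule added is miscfiles_read_fonts(portage_t); verify that interface includes the `map` permission in this tree (the sibling commits use separate *_map_* interfaces such as files_map_usr_files for exactly this reason), otherwise the denial the title refers to will remain.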



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2017-12-23 Thread Jason Zaman
commit: bbccb371e1eb5326abda8f934a66471c29fe4290
Author: Jason Zaman  perfinion  com>
AuthorDate: Sat Dec 23 15:01:03 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Dec 23 15:01:03 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=bbccb371

portage: sandbox must be able to map usr_t files

 policy/modules/contrib/portage.if | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/contrib/portage.if 
b/policy/modules/contrib/portage.if
index a81a4d0d..240838d2 100644
--- a/policy/modules/contrib/portage.if
+++ b/policy/modules/contrib/portage.if
@@ -164,6 +164,7 @@ interface(`portage_compile_domain',`
 
files_exec_etc_files($1)
files_exec_usr_src_files($1)
+   files_map_usr_files($1)
 
# Came up with bug #496328
fs_getattr_tmpfs($1)



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2017-12-23 Thread Jason Zaman
commit: 2fc780e90665d3d003fa879a83d478c9f7da2196
Author: Jason Zaman  perfinion  com>
AuthorDate: Sat Dec 23 15:41:47 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Dec 23 15:41:47 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2fc780e9

portage: allow compile domains to map portage_tmp_t

 policy/modules/contrib/portage.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/contrib/portage.if 
b/policy/modules/contrib/portage.if
index 240838d2..23c15ba7 100644
--- a/policy/modules/contrib/portage.if
+++ b/policy/modules/contrib/portage.if
@@ -117,7 +117,7 @@ interface(`portage_compile_domain',`
manage_sock_files_pattern($1, portage_tmp_t, portage_tmp_t)
files_tmp_filetrans($1, portage_tmp_t, { dir file lnk_file sock_file 
fifo_file })
# SELinux-enabled programs running in the sandbox
-   allow $1 portage_tmp_t:file relabel_file_perms;
+   allow $1 portage_tmp_t:file { relabel_file_perms map };
allow $1 portage_tmp_t:dir relabel_dir_perms;
 
manage_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t)
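Review bot: `map` is appended to the rule under the `# SELinux-enabled programs running in the sandbox` comment, but mapping portage_tmp_t has nothing to do with relabelling; put the map permission next to the manage_*_pattern rules for portage_tmp_t above so the comment stays accurate and the relabel rule keeps its narrow meaning.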



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2017-12-13 Thread Jason Zaman
commit: 45bc0742f768a7c1e1b180e6580ac471bba8f12a
Author: Chris PeBenito  ieee  org>
AuthorDate: Wed Dec 13 01:25:08 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Wed Dec 13 14:29:19 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=45bc0742

rpm: Module version bump.

 policy/modules/contrib/rpm.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te
index 9b1c1048..52c78614 100644
--- a/policy/modules/contrib/rpm.te
+++ b/policy/modules/contrib/rpm.te
@@ -1,4 +1,4 @@
-policy_module(rpm, 1.20.0)
+policy_module(rpm, 1.20.1)
 
 
 #



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2017-12-13 Thread Jason Zaman
commit: f884129ee59182688f70ddba6600f0b63d3afa94
Author: Jason Zaman  perfinion  com>
AuthorDate: Wed Dec 13 18:17:20 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu Dec 14 05:09:40 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f884129e

gpg: Add gpg_agent_use_card boolean for OpenPGP cards

 policy/modules/contrib/gpg.te | 13 +
 1 file changed, 13 insertions(+)

diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index ca600218..6e8f80d5 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -14,6 +14,14 @@ policy_module(gpg, 2.12.3)
 ## 
 gen_tunable(gpg_agent_env_file, false)
 
+## 
+## 
+## Determine whether GPG agent can use OpenPGP
+## cards or Yubikeys over USB
+## 
+## 
+gen_tunable(gpg_agent_use_card, false)
+
 attribute_role gpg_roles;
 roleattribute system_r gpg_roles;
 
@@ -274,6 +282,11 @@ tunable_policy(`gpg_agent_env_file',`
userdom_user_home_dir_filetrans_user_home_content(gpg_agent_t, file)
 ')
 
+tunable_policy(`gpg_agent_use_card',`
+   dev_read_sysfs(gpg_agent_t)
+   dev_rw_generic_usb_dev(gpg_agent_t)
+')
+
 tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(gpg_agent_t)
fs_manage_nfs_files(gpg_agent_t)
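Review bot: dev_rw_generic_usb_dev(gpg_agent_t) grants read/write on every generic USB device node, not only smart-card readers, so the tunable description in the first hunk ("OpenPGP cards or Yubikeys over USB") understates the scope; say there that enabling it exposes all generic USB devices to gpg_agent_t. Defaulting gpg_agent_use_card to false is the right call.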



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2017-12-13 Thread Jason Zaman
commit: d56f72e0072b149d996caa98425c90be16aa5410
Author: Jason Zaman  perfinion  com>
AuthorDate: Wed Dec 13 18:17:19 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu Dec 14 05:09:40 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d56f72e0

dirmngr: allow filetrans in gpg_runtime_t

commit 1b9cd3bd9c44732bdf756301408582bcfe9073c9
("gpg: manage user runtime socket files and directories")
changed /run/user/%{USERID}/gnupg/ to gpg_runtime_t, so the filetrans
for gpg_agent_tmp_t needs updating.

 policy/modules/contrib/dirmngr.te |  3 +++
 policy/modules/contrib/gpg.if | 19 +++
 2 files changed, 22 insertions(+)

diff --git a/policy/modules/contrib/dirmngr.te 
b/policy/modules/contrib/dirmngr.te
index 8f4cb991..75833a42 100644
--- a/policy/modules/contrib/dirmngr.te
+++ b/policy/modules/contrib/dirmngr.te
@@ -69,6 +69,7 @@ dev_read_rand(dirmngr_t)
 sysnet_dns_name_resolve(dirmngr_t)
 
 corenet_tcp_connect_pgpkeyserver_port(dirmngr_t)
+corenet_udp_bind_generic_node(dirmngr_t)
 
 files_read_etc_files(dirmngr_t)
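Review bot: corenet_udp_bind_generic_node(dirmngr_t) is unrelated to the gpg_runtime_t filetrans this commit describes and carries no comment; either split it into its own commit or note what it is for (sysnet_dns_name_resolve above is the usual carrier of resolver permissions, so if a bound UDP socket is needed for DNS or keyserver lookups the reason is worth one line).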
 
@@ -81,5 +82,7 @@ userdom_user_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, dir)
 
 optional_policy(`
gpg_agent_tmp_filetrans(dirmngr_t, dirmngr_tmp_t, sock_file)
+   gpg_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, sock_file)
gpg_secret_filetrans(dirmngr_t, dirmngr_home_t, dir)
+   gpg_stream_connect_agent(dirmngr_t)
 ')
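Review bot: the old gpg_agent_tmp_filetrans(dirmngr_t, dirmngr_tmp_t, sock_file) is kept alongside the new gpg_runtime_filetrans line; the commit message says the directory is now gpg_runtime_t, so either the old transition is dead and should be removed, or both labels can still occur and a comment should say when each applies.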

diff --git a/policy/modules/contrib/gpg.if b/policy/modules/contrib/gpg.if
index 6266019b..359560f8 100644
--- a/policy/modules/contrib/gpg.if
+++ b/policy/modules/contrib/gpg.if
@@ -239,6 +239,25 @@ interface(`gpg_agent_tmp_filetrans',`
 
 
 ## 
+## filetrans in gpg_runtime_t dirs
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`gpg_runtime_filetrans',`
+   gen_require(`
+   type gpg_runtime_t;
+   ')
+
+   filetrans_pattern($1, gpg_runtime_t, $2, $3, $4)
+   userdom_search_user_runtime($1)
+')
+
+
+## 
 ## filetrans in gpg_secret_t dirs
 ## 
 ## 
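Review bot: gpg_runtime_filetrans passes four arguments ($1..$4) to filetrans_pattern but the doc block only describes one, "Domain allowed access"; document the target type, object class and optional filename parameters the way the other filetrans interfaces in this file do, and drop one of the two blank lines inserted before the next `##` block.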



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2017-12-13 Thread Jason Zaman
commit: a7744e40641af7c4564f532f5711709ae46e69ab
Author: Jason Zaman  perfinion  com>
AuthorDate: Wed Dec 13 18:17:22 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu Dec 14 05:09:40 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a7744e40

Set user_runtime_content_type for all remaining types in /run/user/%{UID}/

 policy/modules/contrib/dbus.te   | 1 +
 policy/modules/contrib/dirmngr.te| 1 +
 policy/modules/contrib/gnome.te  | 2 ++
 policy/modules/contrib/gpg.te| 2 ++
 policy/modules/contrib/pulseaudio.te | 1 +
 5 files changed, 7 insertions(+)

diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index 1aa6dba1..142b02e6 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -49,6 +49,7 @@ init_daemon_pid_file(system_dbusd_var_run_t, dir, "dbus")
 
 type session_dbusd_runtime_t;
 files_pid_file(session_dbusd_runtime_t)
+userdom_user_runtime_content(session_dbusd_runtime_t)
 
 ifdef(`enable_mcs',`
init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - 
mcs_systemhigh)

diff --git a/policy/modules/contrib/dirmngr.te 
b/policy/modules/contrib/dirmngr.te
index 75833a42..fa5898e4 100644
--- a/policy/modules/contrib/dirmngr.te
+++ b/policy/modules/contrib/dirmngr.te
@@ -20,6 +20,7 @@ logging_log_file(dirmngr_log_t)
 
 type dirmngr_tmp_t;
 userdom_user_tmp_file(dirmngr_tmp_t)
+userdom_user_runtime_content(dirmngr_tmp_t)
 
 type dirmngr_var_lib_t;
 files_type(dirmngr_var_lib_t)
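Review bot: dirmngr_tmp_t is now declared as both userdom_user_tmp_file and userdom_user_runtime_content, yet the name still says _tmp_t although per the commit title it lives under /run/user/%{UID}; the gpg module already uses a gpg_runtime_t name for the same situation, so a follow-up rename to dirmngr_runtime_t would keep type names consistent with their attributes.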

diff --git a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te
index b6f14dbc..2988a541 100644
--- a/policy/modules/contrib/gnome.te
+++ b/policy/modules/contrib/gnome.te
@@ -45,9 +45,11 @@ userdom_user_home_content(gnome_keyring_home_t)
 
 type gnome_keyring_tmp_t;
 userdom_user_tmp_file(gnome_keyring_tmp_t)
+userdom_user_runtime_content(gnome_keyring_tmp_t)
 
 type gstreamer_orcexec_t;
 application_executable_file(gstreamer_orcexec_t)
+userdom_user_runtime_content(gstreamer_orcexec_t)
 
 ##
 #
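Review bot: gstreamer_orcexec_t gets userdom_user_runtime_content while remaining application_executable_file, i.e. an executable type living in a user-writable runtime directory; the gnome_mmap_gstreamer_orcexec interface shows it is exec-mapped, so this is intended, but a one-line comment on the type declaration would stop the combination being mistaken for a mislabel later.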

diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index 6e8f80d5..f020c0a1 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -39,6 +39,7 @@ role gpg_roles types gpg_t;
 
 type gpg_runtime_t;
 files_pid_file(gpg_runtime_t)
+userdom_user_runtime_content(gpg_runtime_t)
 
 type gpg_agent_t;
 type gpg_agent_exec_t;
@@ -47,6 +48,7 @@ role gpg_agent_roles types gpg_agent_t;
 
 type gpg_agent_tmp_t;
 userdom_user_tmp_file(gpg_agent_tmp_t)
+userdom_user_runtime_content(gpg_agent_tmp_t)
 
 type gpg_secret_t;
 userdom_user_home_content(gpg_secret_t)

diff --git a/policy/modules/contrib/pulseaudio.te 
b/policy/modules/contrib/pulseaudio.te
index cc1db3d4..aa6042d7 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -29,6 +29,7 @@ userdom_user_home_content(pulseaudio_home_t)
 
 type pulseaudio_tmp_t;
 userdom_user_tmp_file(pulseaudio_tmp_t)
+userdom_user_runtime_content(pulseaudio_tmp_t)
 
 type pulseaudio_tmpfs_t;
 userdom_user_tmpfs_file(pulseaudio_tmpfs_t)



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2017-12-13 Thread Jason Zaman
commit: 5e18d3eb437717c6ad25e614c617b0cad5700879
Author: Chris PeBenito  ieee  org>
AuthorDate: Wed Dec 13 23:55:43 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu Dec 14 05:09:40 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5e18d3eb

Replace deprecated mmap perm sets and pattern usage.

 policy/modules/contrib/apache.te| 2 +-
 policy/modules/contrib/cobbler.te   | 2 +-
 policy/modules/contrib/dpkg.te  | 2 +-
 policy/modules/contrib/firewalld.te | 2 +-
 policy/modules/contrib/ftp.if   | 2 +-
 policy/modules/contrib/gnome.if | 2 +-
 policy/modules/contrib/pingd.te | 2 +-
 policy/modules/contrib/portage.te   | 2 +-
 policy/modules/contrib/postfix.te   | 4 ++--
 policy/modules/contrib/prelink.te   | 6 +++---
 policy/modules/contrib/samba.te | 2 +-
 policy/modules/contrib/ulogd.te | 2 +-
 12 files changed, 15 insertions(+), 15 deletions(-)

diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index d28f4c2f..be12966a 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -415,7 +415,7 @@ read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
 logging_log_filetrans(httpd_t, httpd_log_t, file)
 
 allow httpd_t httpd_modules_t:dir list_dir_perms;
-mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
+mmap_exec_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
 read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
 read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
 

diff --git a/policy/modules/contrib/cobbler.te 
b/policy/modules/contrib/cobbler.te
index 6177ef41..a3a4453a 100644
--- a/policy/modules/contrib/cobbler.te
+++ b/policy/modules/contrib/cobbler.te
@@ -72,7 +72,7 @@ allow cobblerd_t cobbler_etc_t:dir list_dir_perms;
 allow cobblerd_t cobbler_etc_t:file read_file_perms;
 allow cobblerd_t cobbler_etc_t:lnk_file read_lnk_file_perms;
 
-allow cobblerd_t cobbler_tmp_t:file mmap_file_perms;
+allow cobblerd_t cobbler_tmp_t:file mmap_exec_file_perms;
 manage_dirs_pattern(cobblerd_t, cobbler_tmp_t, cobbler_tmp_t)
 manage_files_pattern(cobblerd_t, cobbler_tmp_t, cobbler_tmp_t)
 files_tmp_filetrans(cobblerd_t, cobbler_tmp_t, { dir file })
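Review bot: the mechanical rename keeps `execute` in mmap_exec_file_perms on cobbler_tmp_t, a type cobblerd_t also creates and manages (manage_files_pattern two lines down), so this is exec-mapping of files the domain writes itself; if cobbler only needs to map data from its tmp files, mmap_read_file_perms is the narrower set the new naming makes available. The same question applies to dpkg_var_lib_t and firewalld_tmp_t in the hunks below. The rename itself is correct per the deprecation note in the dropbox commit.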

diff --git a/policy/modules/contrib/dpkg.te b/policy/modules/contrib/dpkg.te
index e165fec3..0ff59b94 100644
--- a/policy/modules/contrib/dpkg.te
+++ b/policy/modules/contrib/dpkg.te
@@ -84,7 +84,7 @@ manage_sock_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
 manage_fifo_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
 fs_tmpfs_filetrans(dpkg_t, dpkg_tmpfs_t, { dir file lnk_file sock_file 
fifo_file })
 
-allow dpkg_t dpkg_var_lib_t:file mmap_file_perms;
+allow dpkg_t dpkg_var_lib_t:file mmap_exec_file_perms;
 manage_files_pattern(dpkg_t, dpkg_var_lib_t, dpkg_var_lib_t)
 files_var_lib_filetrans(dpkg_t, dpkg_var_lib_t, dir)
 

diff --git a/policy/modules/contrib/firewalld.te 
b/policy/modules/contrib/firewalld.te
index 2c930fe5..aa1c637d 100644
--- a/policy/modules/contrib/firewalld.te
+++ b/policy/modules/contrib/firewalld.te
@@ -47,7 +47,7 @@ logging_log_filetrans(firewalld_t, firewalld_var_log_t, file)
 
 manage_files_pattern(firewalld_t, firewalld_tmp_t, firewalld_tmp_t)
 files_tmp_filetrans(firewalld_t, firewalld_tmp_t, file)
-allow firewalld_t firewalld_tmp_t:file mmap_file_perms;
+allow firewalld_t firewalld_tmp_t:file mmap_exec_file_perms;
 
 manage_dirs_pattern(firewalld_t, firewalld_var_run_t, firewalld_var_run_t)
 manage_files_pattern(firewalld_t, firewalld_var_run_t, firewalld_var_run_t)

diff --git a/policy/modules/contrib/ftp.if b/policy/modules/contrib/ftp.if
index 349d1b3b..3bfe581d 100644
--- a/policy/modules/contrib/ftp.if
+++ b/policy/modules/contrib/ftp.if
@@ -53,7 +53,7 @@ interface(`ftp_check_exec',`
')
 
corecmd_search_bin($1)
-   allow $1 ftpd_exec_t:file mmap_file_perms;
+   allow $1 ftpd_exec_t:file mmap_exec_file_perms;
 ')
 
 

diff --git a/policy/modules/contrib/gnome.if b/policy/modules/contrib/gnome.if
index 8ed95ee2..8b27d15a 100644
--- a/policy/modules/contrib/gnome.if
+++ b/policy/modules/contrib/gnome.if
@@ -805,5 +805,5 @@ interface(`gnome_mmap_gstreamer_orcexec',`
type gstreamer_orcexec_t;
')
 
-   allow $1 gstreamer_orcexec_t:file mmap_file_perms;
+   allow $1 gstreamer_orcexec_t:file mmap_exec_file_perms;
 ')

diff --git a/policy/modules/contrib/pingd.te b/policy/modules/contrib/pingd.te
index 8dad7633..e20b15f8 100644
--- a/policy/modules/contrib/pingd.te
+++ b/policy/modules/contrib/pingd.te
@@ -30,7 +30,7 @@ allow pingd_t self:rawip_socket create_socket_perms;
 allow pingd_t pingd_etc_t:file read_file_perms;
 
 read_files_pattern(pingd_t, pingd_modules_t, pingd_modules_t)
-mmap_files_pattern(pingd_t, pingd_modules_t, pingd_modules_t)
+mmap_exec_files_pattern(pingd_t, pingd_modules_t, pingd_modules_t)
 
 

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2017-12-13 Thread Jason Zaman
commit: d959ec112471aa95de755bc7ec46fc0ca06031d7
Author: Chad Hanson  gmail  com>
AuthorDate: Mon Dec 11 04:04:36 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Wed Dec 13 14:26:59 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d959ec11

Allow rpm to relabel files at all levels

This patch adds MLS relabel ability to rpm per the previous email request: 
http://oss.tresys.com/pipermail/refpolicy/2016-July/008038.html

Signed-off-by: Chad Hanson  gmail.com>

 policy/modules/contrib/rpm.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te
index 44e8c7b5..9b1c1048 100644
--- a/policy/modules/contrib/rpm.te
+++ b/policy/modules/contrib/rpm.te
@@ -174,6 +174,7 @@ fs_search_auto_mountpoints(rpm_t)
 
 mls_file_read_all_levels(rpm_t)
 mls_file_write_all_levels(rpm_t)
+mls_file_relabel(rpm_t)
 mls_file_upgrade(rpm_t)
 mls_file_downgrade(rpm_t)
 



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2017-12-13 Thread Jason Zaman
commit: f535dde10ac78ef53ae5dae23f848c2a2cafa55c
Author: Jason Zaman  perfinion  com>
AuthorDate: Wed Dec 13 18:17:21 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu Dec 14 05:09:40 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f535dde1

cachefilesd: make cachefilesd_cache_t a mountpoint

 policy/modules/contrib/cachefilesd.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/contrib/cachefilesd.te 
b/policy/modules/contrib/cachefilesd.te
index d225d745..d09ac561 100644
--- a/policy/modules/contrib/cachefilesd.te
+++ b/policy/modules/contrib/cachefilesd.te
@@ -13,7 +13,7 @@ type cachefilesd_initrc_exec_t;
 init_script_file(cachefilesd_initrc_exec_t)
 
 type cachefilesd_cache_t;
-files_type(cachefilesd_cache_t)
+files_mountpoint(cachefilesd_cache_t)
 
 type cachefilesd_var_run_t;
 files_pid_file(cachefilesd_var_run_t)
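Review bot: switching cachefilesd_cache_t from files_type to files_mountpoint has no comment and the commit message gives no reason; add a note on the type that the cache directory is expected to be a separately mounted filesystem, since files_mountpoint also makes the type eligible as a mount target in other domains' mounton rules.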



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2017-12-13 Thread Jason Zaman
commit: 1979ea290f6c6e381a1c1cd9219a68227f2febb5
Author: Chris PeBenito  ieee  org>
AuthorDate: Wed Dec 13 23:29:02 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu Dec 14 05:09:40 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1979ea29

cachefilesd, dbus, dirmngr, gnome, gpg, pulseaudio: Module version bump.

 policy/modules/contrib/cachefilesd.te | 2 +-
 policy/modules/contrib/dbus.te| 2 +-
 policy/modules/contrib/dirmngr.te | 2 +-
 policy/modules/contrib/gnome.te   | 2 +-
 policy/modules/contrib/gpg.te | 2 +-
 policy/modules/contrib/pulseaudio.te  | 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/policy/modules/contrib/cachefilesd.te 
b/policy/modules/contrib/cachefilesd.te
index d09ac561..97a70718 100644
--- a/policy/modules/contrib/cachefilesd.te
+++ b/policy/modules/contrib/cachefilesd.te
@@ -1,4 +1,4 @@
-policy_module(cachefilesd, 1.4.0)
+policy_module(cachefilesd, 1.4.1)
 
 
 #

diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index 142b02e6..395f0981 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -1,4 +1,4 @@
-policy_module(dbus, 1.23.3)
+policy_module(dbus, 1.23.4)
 
 gen_require(`
class dbus all_dbus_perms;

diff --git a/policy/modules/contrib/dirmngr.te 
b/policy/modules/contrib/dirmngr.te
index fa5898e4..064750e1 100644
--- a/policy/modules/contrib/dirmngr.te
+++ b/policy/modules/contrib/dirmngr.te
@@ -1,4 +1,4 @@
-policy_module(dirmngr, 1.3.0)
+policy_module(dirmngr, 1.3.1)
 
 
 #

diff --git a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te
index 2988a541..502e23e8 100644
--- a/policy/modules/contrib/gnome.te
+++ b/policy/modules/contrib/gnome.te
@@ -1,4 +1,4 @@
-policy_module(gnome, 2.8.1)
+policy_module(gnome, 2.8.2)
 
 ##
 #

diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index f020c0a1..96b9cd12 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -1,4 +1,4 @@
-policy_module(gpg, 2.12.3)
+policy_module(gpg, 2.12.4)
 
 
 #

diff --git a/policy/modules/contrib/pulseaudio.te 
b/policy/modules/contrib/pulseaudio.te
index aa6042d7..27c7c27c 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -1,4 +1,4 @@
-policy_module(pulseaudio, 1.10.2)
+policy_module(pulseaudio, 1.10.3)
 
 
 #



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2017-12-13 Thread Jason Zaman
commit: 46ecc9be82dfb821a26ecee1787c3261d79cf04c
Author: Jason Zaman  perfinion  com>
AuthorDate: Tue Dec 12 09:05:17 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Tue Dec 12 09:05:17 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=46ecc9be

chromium: map mime types

 policy/modules/contrib/chromium.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/contrib/chromium.te 
b/policy/modules/contrib/chromium.te
index 76f2583a..29e7fee7 100644
--- a/policy/modules/contrib/chromium.te
+++ b/policy/modules/contrib/chromium.te
@@ -132,6 +132,7 @@ manage_dirs_pattern(chromium_t, chromium_xdg_config_t, 
chromium_xdg_config_t)
 xdg_config_home_filetrans(chromium_t, chromium_xdg_config_t, dir, "chromium")
 
 manage_files_pattern(chromium_t, chromium_xdg_cache_t, chromium_xdg_cache_t)
+allow chromium_t chromium_xdg_cache_t:file map;
 manage_dirs_pattern(chromium_t, chromium_xdg_cache_t, chromium_xdg_cache_t)
 xdg_cache_home_filetrans(chromium_t, chromium_xdg_cache_t, dir, "chromium")
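Review bot: the bare `allow chromium_t chromium_xdg_cache_t:file map;` is inserted between the manage_files_pattern and manage_dirs_pattern calls for the same type, splitting them; move it after manage_dirs_pattern. Note also that map on a type chromium_t can write gives writable mappings of the cache files, which is expected for a browser cache but worth a short comment.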
 
@@ -162,6 +163,7 @@ domain_dontaudit_search_all_domains_state(chromium_t)
 files_list_home(chromium_t)
 files_search_home(chromium_t)
 files_read_usr_files(chromium_t)
+files_map_usr_files(chromium_t)
 files_read_etc_files(chromium_t)
 # During find for /etc/whatever-release we get lots of output otherwise
 files_dontaudit_getattr_all_dirs(chromium_t)
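Review bot: files_map_usr_files(chromium_t) allows mapping every usr_t file, while the commit title only needs the shared MIME database; if that database carries a more specific type in this tree (check matchpathcon /usr/share/mime), use its interface instead, otherwise keep the rule but add a comment such as `# mime db under /usr/share/mime` so the reason is recorded.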



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2017-12-12 Thread Jason Zaman
commit: 3610cece6a9ea23c3ee52d6dda6605c78443df34
Author: Chris PeBenito  ieee  org>
AuthorDate: Tue Dec 12 00:14:55 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Tue Dec 12 07:07:30 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3610cece

dbus, devicekit, modemmanager, networkmanager, virt: Module version bump.

 policy/modules/contrib/dbus.te   | 2 +-
 policy/modules/contrib/devicekit.te  | 2 +-
 policy/modules/contrib/modemmanager.te   | 2 +-
 policy/modules/contrib/networkmanager.te | 2 +-
 policy/modules/contrib/virt.te   | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index d7e41c7e..1aa6dba1 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -1,4 +1,4 @@
-policy_module(dbus, 1.23.2)
+policy_module(dbus, 1.23.3)
 
 gen_require(`
class dbus all_dbus_perms;

diff --git a/policy/modules/contrib/devicekit.te 
b/policy/modules/contrib/devicekit.te
index 53dff76e..ecb13e14 100644
--- a/policy/modules/contrib/devicekit.te
+++ b/policy/modules/contrib/devicekit.te
@@ -1,4 +1,4 @@
-policy_module(devicekit, 1.7.0)
+policy_module(devicekit, 1.7.1)
 
 
 #

diff --git a/policy/modules/contrib/modemmanager.te 
b/policy/modules/contrib/modemmanager.te
index 9e064a40..3a7fa066 100644
--- a/policy/modules/contrib/modemmanager.te
+++ b/policy/modules/contrib/modemmanager.te
@@ -1,4 +1,4 @@
-policy_module(modemmanager, 1.5.0)
+policy_module(modemmanager, 1.5.1)
 
 
 #

diff --git a/policy/modules/contrib/networkmanager.te 
b/policy/modules/contrib/networkmanager.te
index 779b3c69..b66e1ca4 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -1,4 +1,4 @@
-policy_module(networkmanager, 1.21.2)
+policy_module(networkmanager, 1.21.3)
 
 
 #

diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 546f3375..1b783ca7 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1,4 +1,4 @@
-policy_module(virt, 1.12.2)
+policy_module(virt, 1.12.3)
 
 
 #



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2017-12-12 Thread Jason Zaman
commit: 9709ab7f3b847dc842f51e899d3495af5aa39eb7
Author: Chris PeBenito  ieee  org>
AuthorDate: Wed Nov 29 01:32:31 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Tue Dec 12 07:07:30 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9709ab7f

networkmanager: Move line.

 policy/modules/contrib/networkmanager.te | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/contrib/networkmanager.te 
b/policy/modules/contrib/networkmanager.te
index b94e7ef3..ead66d15 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -127,6 +127,8 @@ corenet_tcp_connect_all_ports(NetworkManager_t)
 corenet_rw_tun_tap_dev(NetworkManager_t)
 corenet_getattr_ppp_dev(NetworkManager_t)
 
+corenet_ib_access_unlabeled_pkeys(NetworkManager_t)
+
 corecmd_exec_shell(NetworkManager_t)
 corecmd_exec_bin(NetworkManager_t)
 
@@ -189,8 +191,6 @@ userdom_write_user_tmp_sockets(NetworkManager_t)
 userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t)
 userdom_dontaudit_use_user_ttys(NetworkManager_t)
 
-corenet_ib_access_unlabeled_pkeys(NetworkManager_t)
-
 optional_policy(`
avahi_domtrans(NetworkManager_t)
avahi_kill(NetworkManager_t)



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2017-12-12 Thread Jason Zaman
commit: 6bf6d37d86061151c0b5340c3ebafc931c3027ff
Author: Chris PeBenito  ieee  org>
AuthorDate: Fri Dec  1 21:34:24 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Tue Dec 12 07:07:30 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6bf6d37d

pkcs: Rename pkcs_slotd_unit_file_t.

 policy/modules/contrib/pkcs.fc | 2 +-
 policy/modules/contrib/pkcs.te | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/policy/modules/contrib/pkcs.fc b/policy/modules/contrib/pkcs.fc
index 9dbb5d54..e920f427 100644
--- a/policy/modules/contrib/pkcs.fc
+++ b/policy/modules/contrib/pkcs.fc
@@ -2,7 +2,7 @@
 
 /usr/bin/pkcsslotd --  
gen_context(system_u:object_r:pkcs_slotd_exec_t,s0)
 
-/usr/lib/systemd/system/pkcsslotd.service  
gen_context(system_u:object_r:pkcs_slotd_unit_file_t,s0)
+/usr/lib/systemd/system/pkcsslotd.service  
gen_context(system_u:object_r:pkcs_slotd_unit_t,s0)
 
 /usr/sbin/pkcsslotd--  
gen_context(system_u:object_r:pkcs_slotd_exec_t,s0)
 

diff --git a/policy/modules/contrib/pkcs.te b/policy/modules/contrib/pkcs.te
index 339b1176..b150fad9 100644
--- a/policy/modules/contrib/pkcs.te
+++ b/policy/modules/contrib/pkcs.te
@@ -24,8 +24,8 @@ files_tmp_file(pkcs_slotd_tmp_t)
 type pkcs_slotd_tmpfs_t;
 files_tmpfs_file(pkcs_slotd_tmpfs_t)
 
-type pkcs_slotd_unit_file_t;
-init_unit_file(pkcs_slotd_unit_file_t)
+type pkcs_slotd_unit_t;
+init_unit_file(pkcs_slotd_unit_t)
 
 
 #
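Review bot: renaming `pkcs_slotd_unit_file_t` to `pkcs_slotd_unit_t` changes the label of an installed file, so pkcsslotd.service keeps the old context until the system is relabeled, and any other policy that referenced the old name stops building; the commit message should say that the rename brings the type in line with the `_unit_t` naming used for unit file types and that a relabel is required.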



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2017-12-12 Thread Jason Zaman
commit: 9fd7c1d7cd40977f22af7970e1d4d943912ed5d2
Author: David Sugar  tresys  com>
AuthorDate: Wed Dec  6 18:23:41 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Tue Dec 12 07:07:30 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9fd7c1d7

Allow to read /proc/sys/crypto/fips_enabled

Allow accountsd_t and policykitd_t to read /proc/sys/crypto/fips_enabled

 policy/modules/contrib/accountsd.te | 1 +
 policy/modules/contrib/policykit.te | 1 +
 2 files changed, 2 insertions(+)

diff --git a/policy/modules/contrib/accountsd.te 
b/policy/modules/contrib/accountsd.te
index d435a2d6..f56058cc 100644
--- a/policy/modules/contrib/accountsd.te
+++ b/policy/modules/contrib/accountsd.te
@@ -30,6 +30,7 @@ manage_dirs_pattern(accountsd_t, accountsd_var_lib_t, 
accountsd_var_lib_t)
 manage_files_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t)
 files_var_lib_filetrans(accountsd_t, accountsd_var_lib_t, dir)
 
+kernel_read_crypto_sysctls(accountsd_t)
 kernel_read_kernel_sysctls(accountsd_t)
 kernel_read_system_state(accountsd_t)
 
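Review bot: `kernel_read_crypto_sysctls(accountsd_t)` grants read access to all crypto sysctls, not only the `/proc/sys/crypto/fips_enabled` file named in the commit message; that is the granularity the sysctl labeling offers, but a comment above the call recording that fips_enabled is the file needed would keep the rationale next to the rule. The same applies to the identical line added to policykit.te in this patch.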

diff --git a/policy/modules/contrib/policykit.te 
b/policy/modules/contrib/policykit.te
index 9a0c4d5c..8f2035a0 100644
--- a/policy/modules/contrib/policykit.te
+++ b/policy/modules/contrib/policykit.te
@@ -85,6 +85,7 @@ can_exec(policykit_t, policykit_exec_t)
 domtrans_pattern(policykit_t, policykit_auth_exec_t, policykit_auth_t)
 domtrans_pattern(policykit_t, policykit_resolve_exec_t, policykit_resolve_t)
 
+kernel_read_crypto_sysctls(policykit_t)
 kernel_read_kernel_sysctls(policykit_t)
 kernel_read_system_state(policykit_t)
 



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2017-12-12 Thread Jason Zaman
commit: bc4e25c63e5f4ec7536c59e64867e0ff97b4ffb4
Author: Laurent Bigonville  debian  org>
AuthorDate: Mon Dec 11 10:23:44 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Tue Dec 12 07:07:30 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=bc4e25c6

Call systemd_write_inherited_logind_inhibit_pipes() where needed

Multiple domains need to talk to logind to set inhibits

 policy/modules/contrib/dbus.te   | 2 +-
 policy/modules/contrib/devicekit.te  | 4 
 policy/modules/contrib/modemmanager.te   | 4 
 policy/modules/contrib/networkmanager.te | 1 +
 policy/modules/contrib/virt.te   | 4 
 5 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index 7281c0a4..d7e41c7e 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -164,8 +164,8 @@ ifdef(`init_systemd', `
 optional_policy(`
# for /run/systemd/users/*
systemd_read_logind_pids(system_dbusd_t)
+   systemd_write_inherited_logind_inhibit_pipes(system_dbusd_t)
systemd_write_inherited_logind_sessions_pipes(system_dbusd_t)
-   systemd_write_logind_pid_pipes(system_dbusd_t)
 ')
 
 optional_policy(`
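Review bot: besides adding `systemd_write_inherited_logind_inhibit_pipes(system_dbusd_t)`, this hunk drops `systemd_write_logind_pid_pipes(system_dbusd_t)`, which the commit message ("Multiple domains need to talk to logind to set inhibits") does not mention; state why the broader pid-pipe write is no longer needed, or split the removal into its own commit so it can be reverted on its own if something still depends on it.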

diff --git a/policy/modules/contrib/devicekit.te 
b/policy/modules/contrib/devicekit.te
index 1730193d..53dff76e 100644
--- a/policy/modules/contrib/devicekit.te
+++ b/policy/modules/contrib/devicekit.te
@@ -345,6 +345,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+   systemd_write_inherited_logind_inhibit_pipes(devicekit_power_t)
+')
+
+optional_policy(`
udev_read_db(devicekit_power_t)
udev_manage_pid_files(devicekit_power_t)
 ')

diff --git a/policy/modules/contrib/modemmanager.te 
b/policy/modules/contrib/modemmanager.te
index 8dcbeead..9e064a40 100644
--- a/policy/modules/contrib/modemmanager.te
+++ b/policy/modules/contrib/modemmanager.te
@@ -56,3 +56,7 @@ optional_policy(`
udev_read_db(modemmanager_t)
udev_manage_pid_files(modemmanager_t)
 ')
+
+optional_policy(`
+   systemd_write_inherited_logind_inhibit_pipes(modemmanager_t)
+')
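Review bot: the new optional_policy block for `systemd_write_inherited_logind_inhibit_pipes(modemmanager_t)` is appended after the udev block; optional_policy blocks are kept in alphabetical order of the module they call, so this block belongs before the `udev_read_db`/`udev_manage_pid_files` block, as the devicekit.te hunk in this same patch does.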

diff --git a/policy/modules/contrib/networkmanager.te 
b/policy/modules/contrib/networkmanager.te
index 1aecd329..779b3c69 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -350,6 +350,7 @@ optional_policy(`
 
 optional_policy(`
systemd_read_logind_sessions_files(NetworkManager_t)
+   systemd_write_inherited_logind_inhibit_pipes(NetworkManager_t)
 ')
 
 optional_policy(`

diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index de57096e..546f3375 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -818,6 +818,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+   systemd_write_inherited_logind_inhibit_pipes(virtd_t)
+')
+
+optional_policy(`
kernel_read_xen_state(virtd_t)
kernel_write_xen_state(virtd_t)
 



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2017-12-11 Thread Jason Zaman
commit: 13592efb44efe763f5794527560eaca1ec81290b
Author: Chris PeBenito  ieee  org>
AuthorDate: Fri Dec  1 21:40:12 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Tue Dec 12 07:07:30 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=13592efb

pkcs: Module version bump.

 policy/modules/contrib/pkcs.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/contrib/pkcs.te b/policy/modules/contrib/pkcs.te
index b150fad9..b98a9f1e 100644
--- a/policy/modules/contrib/pkcs.te
+++ b/policy/modules/contrib/pkcs.te
@@ -1,4 +1,4 @@
-policy_module(pkcs, 1.4.0)
+policy_module(pkcs, 1.4.1)
 
 
 #



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2017-12-11 Thread Jason Zaman
commit: b134083f41043e5d688992b5da43208e75fcedd6
Author: Chris PeBenito  ieee  org>
AuthorDate: Tue Dec 12 00:15:52 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Tue Dec 12 07:07:31 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b134083f

modemmanager: Move lines.

 policy/modules/contrib/modemmanager.te | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/policy/modules/contrib/modemmanager.te 
b/policy/modules/contrib/modemmanager.te
index 3a7fa066..32493977 100644
--- a/policy/modules/contrib/modemmanager.te
+++ b/policy/modules/contrib/modemmanager.te
@@ -53,10 +53,10 @@ optional_policy(`
 ')
 
 optional_policy(`
-   udev_read_db(modemmanager_t)
-   udev_manage_pid_files(modemmanager_t)
+   systemd_write_inherited_logind_inhibit_pipes(modemmanager_t)
 ')
 
 optional_policy(`
-   systemd_write_inherited_logind_inhibit_pipes(modemmanager_t)
+   udev_read_db(modemmanager_t)
+   udev_manage_pid_files(modemmanager_t)
 ')



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2017-12-11 Thread Jason Zaman
commit: b1a1e693bd27051324b2d7b1f3af2f5ed5576a1b
Author: Eduardo Barretto  linux  vnet  ibm  com>
AuthorDate: Wed Nov 29 13:29:55 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Tue Dec 12 07:07:30 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b1a1e693

Update pkcs policy to include pkcsslotd.service

pkcsslotd.service was running, incorrectly, with the default systemd label. Fixed it
by creating the pkcs_slotd_unit_file_t type and updating the file context.

Signed-off-by: Eduardo Barretto  linux.vnet.ibm.com>

 policy/modules/contrib/pkcs.fc | 2 ++
 policy/modules/contrib/pkcs.te | 3 +++
 2 files changed, 5 insertions(+)

diff --git a/policy/modules/contrib/pkcs.fc b/policy/modules/contrib/pkcs.fc
index 148293a9..9dbb5d54 100644
--- a/policy/modules/contrib/pkcs.fc
+++ b/policy/modules/contrib/pkcs.fc
@@ -2,6 +2,8 @@
 
 /usr/bin/pkcsslotd --  
gen_context(system_u:object_r:pkcs_slotd_exec_t,s0)
 
+/usr/lib/systemd/system/pkcsslotd.service  
gen_context(system_u:object_r:pkcs_slotd_unit_file_t,s0)
+
 /usr/sbin/pkcsslotd--  
gen_context(system_u:object_r:pkcs_slotd_exec_t,s0)
 
 /var/lib/opencryptoki(/.*)?
gen_context(system_u:object_r:pkcs_slotd_var_lib_t,s0)

diff --git a/policy/modules/contrib/pkcs.te b/policy/modules/contrib/pkcs.te
index 17b471d6..1ede749f 100644
--- a/policy/modules/contrib/pkcs.te
+++ b/policy/modules/contrib/pkcs.te
@@ -24,6 +24,9 @@ files_tmp_file(pkcs_slotd_tmp_t)
 type pkcs_slotd_tmpfs_t;
 files_tmpfs_file(pkcs_slotd_tmpfs_t)
 
+type pkcs_slotd_unit_file_t;
+init_unit_file(pkcs_slotd_unit_file_t)
+
 
 #
 # Local policy
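Review bot: the new type is named `pkcs_slotd_unit_file_t`, while unit file types declared with `init_unit_file` use the `_unit_t` suffix; naming it `pkcs_slotd_unit_t` now avoids a later rename and the relabel of /usr/lib/systemd/system/pkcsslotd.service that a rename forces.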



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2017-12-11 Thread Jason Zaman
commit: 5cfc4edfbba3ddfa0f748596ce6dfee08f091d7b
Author: David Sugar  tresys  com>
AuthorDate: Fri Nov 17 14:48:11 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Tue Dec 12 07:07:30 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5cfc4edf

Label /usr/bin/mutter

Label /usr/bin/mutter as wm_exec_t

 policy/modules/contrib/wm.fc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/contrib/wm.fc b/policy/modules/contrib/wm.fc
index 304ae09d..05129fea 100644
--- a/policy/modules/contrib/wm.fc
+++ b/policy/modules/contrib/wm.fc
@@ -1,4 +1,5 @@
 /usr/bin/gnome-shell   --  gen_context(system_u:object_r:wm_exec_t,s0)
 /usr/bin/openbox   --  gen_context(system_u:object_r:wm_exec_t,s0)
 /usr/bin/metacity  --  gen_context(system_u:object_r:wm_exec_t,s0)
+/usr/bin/mutter--  
gen_context(system_u:object_r:wm_exec_t,s0)
 /usr/bin/twm   --  gen_context(system_u:object_r:wm_exec_t,s0)



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2017-12-11 Thread Jason Zaman
commit: def337a58787d041b4f6161cf1ee16bc70eed400
Author: Chris PeBenito  ieee  org>
AuthorDate: Fri Dec  8 00:01:43 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Tue Dec 12 07:07:30 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=def337a5

accountsd, policykit: Module version bump.

 policy/modules/contrib/accountsd.te | 2 +-
 policy/modules/contrib/policykit.te | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/contrib/accountsd.te 
b/policy/modules/contrib/accountsd.te
index f56058cc..dcc0cfe2 100644
--- a/policy/modules/contrib/accountsd.te
+++ b/policy/modules/contrib/accountsd.te
@@ -1,4 +1,4 @@
-policy_module(accountsd, 1.1.0)
+policy_module(accountsd, 1.1.1)
 
 gen_require(`
class passwd all_passwd_perms;

diff --git a/policy/modules/contrib/policykit.te 
b/policy/modules/contrib/policykit.te
index 8f2035a0..cd042c51 100644
--- a/policy/modules/contrib/policykit.te
+++ b/policy/modules/contrib/policykit.te
@@ -1,4 +1,4 @@
-policy_module(policykit, 1.7.1)
+policy_module(policykit, 1.7.2)
 
 
 #



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2017-12-11 Thread Jason Zaman
commit: ef41fd3bd8a365f6a83bb32707f053dfa0d07203
Author: Chris PeBenito  ieee  org>
AuthorDate: Wed Nov 29 01:36:39 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Tue Dec 12 07:07:30 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ef41fd3b

networkmanager: Module version bump.

 policy/modules/contrib/networkmanager.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/contrib/networkmanager.te 
b/policy/modules/contrib/networkmanager.te
index ead66d15..1aecd329 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -1,4 +1,4 @@
-policy_module(networkmanager, 1.21.1)
+policy_module(networkmanager, 1.21.2)
 
 
 #



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2017-12-11 Thread Jason Zaman
commit: bd251f8ed143ea319b0ee449ab9397480ae5adda
Author: Chris PeBenito  ieee  org>
AuthorDate: Sat Nov 18 12:28:47 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Tue Dec 12 07:07:30 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=bd251f8e

wm: Module version bump.

 policy/modules/contrib/wm.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/contrib/wm.te b/policy/modules/contrib/wm.te
index bba860b1..f9f0fd2d 100644
--- a/policy/modules/contrib/wm.te
+++ b/policy/modules/contrib/wm.te
@@ -1,4 +1,4 @@
-policy_module(wm, 1.7.4)
+policy_module(wm, 1.7.5)
 
 
 #



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

2017-12-11 Thread Jason Zaman
commit: b271394b4c9d85aa2bc49c5c3542365f7af575ec
Author: Daniel Jurgens  mellanox  com>
AuthorDate: Mon Nov 27 14:23:08 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Tue Dec 12 07:07:30 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b271394b

networkmanager: Grant access to unlabeled PKeys

For controlling IPoIB VLANs

Reported-by: Honggang LI  redhat.com>
Signed-off-by: Daniel Jurgens  mellanox.com>
Tested-by: Honggang LI  redhat.com>

 policy/modules/contrib/networkmanager.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/contrib/networkmanager.te 
b/policy/modules/contrib/networkmanager.te
index e8a60aec..b94e7ef3 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -189,6 +189,8 @@ userdom_write_user_tmp_sockets(NetworkManager_t)
 userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t)
 userdom_dontaudit_use_user_ttys(NetworkManager_t)
 
+corenet_ib_access_unlabeled_pkeys(NetworkManager_t)
+
 optional_policy(`
avahi_domtrans(NetworkManager_t)
avahi_kill(NetworkManager_t)
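Review bot: `corenet_ib_access_unlabeled_pkeys(NetworkManager_t)` is inserted after the userdom_ rules; keep it with the other corenet_ calls (next to `corenet_rw_tun_tap_dev` and `corenet_getattr_ppp_dev`) so interface calls stay grouped by module. The reason given in the commit message, "For controlling IPoIB VLANs", is worth repeating as a comment above the call, since access to unlabeled pkeys is a broad grant and the rationale is otherwise lost once the rule is in the .te file.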


