[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/roles/, policy/modules/system/, ...

2019-02-09 Thread Jason Zaman
commit: 6821d0d812722efa73ccba5bee8410241b622721
Author: Russell Coker  coker  com  au>
AuthorDate: Thu Jan 31 02:58:52 2019 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Feb 10 04:11:25 2019 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6821d0d8

more misc stuff

Here's the latest stuff, most of which is to make staff_t usable as a login
domain.  Please merge whatever you think is good and skip the rest.

Signed-off-by: Jason Zaman  perfinion.com>

 policy/modules/kernel/corecommands.fc | 2 ++
 policy/modules/roles/staff.te | 4 
 policy/modules/roles/unprivuser.te| 4 
 policy/modules/services/ssh.te| 1 +
 policy/modules/system/locallogin.te   | 1 +
 policy/modules/system/systemd.te  | 3 ++-
 6 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/policy/modules/kernel/corecommands.fc 
b/policy/modules/kernel/corecommands.fc
index 6a94f6ef..3b5f9c4d 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -168,6 +168,7 @@ ifdef(`distro_gentoo',`
 
 /usr/lib/at-spi2-core(/.*)?gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/avahi/avahi-daemon-check-dns\.sh  --  
gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/bluetooth/.*  --  gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/bridge-utils/.*\.sh   --  gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/ccache/bin(/.*)?  gen_context(system_u:object_r:bin_t,s0)
 #/usr/lib/dhcpcd/dhcpcd-hooks(/.*)?gen_context(system_u:object_r:bin_t,s0)
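Review bot: The new `/usr/lib/bluetooth/.*` entry labels every regular file under that directory bin_t, which makes each of them executable in the caller's domain, whereas the neighbouring `/usr/lib/bridge-utils/.*\.sh` entry is narrowed by suffix. If a distribution installs the BlueZ daemon itself under that path and the bluetooth module already gives it its own exec type, the more specific context should still win, but a catch-all like this is easy to shadow by accident and hides which helpers actually need bin_t. I would either restrict the regex to the helper binaries that triggered this, or add a comment such as `# helper programs under the bluetooth lib dir; the daemon itself is typed in its own module` above the line so the intended scope is explicit.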
@@ -200,6 +201,7 @@ ifdef(`distro_gentoo',`
 /usr/lib/gvfs/gvfs.*   --  gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/ipsec/.*  --  gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/kde4/libexec/.*   --  gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/[^/]+/libexec/kf5/.*  --  gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/mailman/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/mailman/mail(/.*)?gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/mediawiki/math/texvc.*
gen_context(system_u:object_r:bin_t,s0)
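Review bot: The `[^/]+` component in the new `/usr/lib/[^/]+/libexec/kf5/.*` line matches any single directory name under /usr/lib, not only multiarch triplets, so any unrelated package that happens to ship a `libexec/kf5` subtree under its own lib directory also gets bin_t. That is probably acceptable, but the intent is not recoverable from the line, and the kde4 entry two lines above uses a fixed path, so the asymmetry deserves a word. A comment like `# multiarch layout, e.g. /usr/lib/x86_64-linux-gnu/libexec/kf5` (constructed example) above the entry would record why the wildcard is there.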

diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 803cca2a..1db51e0f 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -31,6 +31,10 @@ optional_policy(`
git_role(staff_r, staff_t)
 ')
 
+optional_policy(`
+   modemmanager_dbus_chat(staff_t)
+')
+
 optional_policy(`
postgresql_role(staff_r, staff_t)
 ')
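Review bot: `modemmanager_dbus_chat(staff_t)` here, and the identical `modemmanager_dbus_chat(user_t)` in the unprivuser.te hunk, grant two-way D-Bus message passing with ModemManager's domain to the whole login domain, not just to the desktop component that presumably hit the denial, so any process running as the user can invoke every ModemManager method and the only remaining gate on privileged calls is the daemon's own polkit policy, which this module cannot check. The commit message motivates the staff_t changes as making it a usable login domain but says nothing about user_t, so the unprivileged case should be justified on its own. I would add `# desktop modem applets talk to ModemManager over D-Bus` above each new block so the reason survives. Placement between the git and postgresql blocks keeps the file's alphabetical ordering.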

diff --git a/policy/modules/roles/unprivuser.te 
b/policy/modules/roles/unprivuser.te
index 0e21b2ad..f3241612 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -20,6 +20,10 @@ optional_policy(`
git_role(user_r, user_t)
 ')
 
+optional_policy(`
+   modemmanager_dbus_chat(user_t)
+')
+
 optional_policy(`
screen_role_template(user, user_r, user_t)
 ')

diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 9a9b1061..ccc29001 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -178,6 +178,7 @@ logging_read_generic_logs(ssh_t)
 
 auth_use_nsswitch(ssh_t)
 
+miscfiles_read_generic_certs(ssh_t)
 miscfiles_read_localization(ssh_t)
 
 seutil_read_config(ssh_t)
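Review bot: `miscfiles_read_generic_certs(ssh_t)` is added without a comment, and it is not obvious why the ssh client domain needs the system X.509 certificate store, since OpenSSH's own certificate mechanism does not use it; the access is presumably triggered by a linked library initialising a CA bundle rather than by ssh itself. Reading the certificates is low risk, but if the denial is only startup noise a dontaudit would be the tighter choice. Either way a one-line comment such as `# library initialisation reads the generic cert store; confirm which component` would save the next reader a search.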

diff --git a/policy/modules/system/locallogin.te 
b/policy/modules/system/locallogin.te
index 9908a645..adbe775e 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -209,6 +209,7 @@ optional_policy(`
 ')
 
 optional_policy(`
+   xserver_link_xdm_keys(local_login_t)
xserver_read_xdm_tmp_files(local_login_t)
xserver_rw_xdm_tmp_files(local_login_t)
xserver_rw_xdm_keys(local_login_t)
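Review bot: `xserver_link_xdm_keys(local_login_t)` adds hard-link permission on the XDM authority key files on top of the read/write access already granted two lines below, but nothing in the hunk or the commit message says which login step creates the link; hard links to credential files survive rename and unlink of the original, so the reason is worth recording. A comment such as `# login presumably links the xdm xauth file into the session; confirm` above the new line would do. The enclosing optional_policy block closes outside the hunk.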

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index e5f37321..34c38cad 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1008,6 +1008,7 @@ files_create_lock_dirs(systemd_tmpfiles_t)
 files_manage_all_pid_dirs(systemd_tmpfiles_t)
 files_delete_usr_files(systemd_tmpfiles_t)
 files_list_home(systemd_tmpfiles_t)
+files_list_locks(systemd_tmpfiles_t)
 files_manage_generic_tmp_dirs(systemd_tmpfiles_t)
 files_manage_var_dirs(systemd_tmpfiles_t)
 files_manage_var_lib_dirs(systemd_tmpfiles_t)
@@ -1026,8 +1027,8 @@ files_relabelto_etc_dirs(systemd_tmpfiles_t)
 files_manage_etc_symlinks(systemd_tmpfiles_t)
 
 fs_getattr_tmpfs(systemd_tmpfiles_t)
-fs_getattr_tmpfs_dirs(systemd_tmpfiles_t)
 fs_getattr_xattr_fs(systemd_tmpfiles_t)
+fs_list_tmpfs(systemd_tmpfiles_t)
 
 selinux_get_fs_mount(systemd_tmpfiles_t)
 selinux_search_fs(systemd_tmpfiles_t)
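Review bot: Replacing `fs_getattr_tmpfs_dirs` with `fs_list_tmpfs` is only a clean substitution if the list interface's permission set is a superset of the getattr one, which is the usual convention for list_dir_perms but cannot be verified from this hunk; if that holds, the commit message should say getattr is subsumed rather than dropped. The first hunk's `files_list_locks(systemd_tmpfiles_t)` could be mentioned alongside it, since both widen directory listing for the tmpfiles domain. Listing every directory under a tmpfs mount is consistent with systemd-tmpfiles' cleanup role, so no objection on scope.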



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/roles/, policy/modules/system/

2017-06-13 Thread Jason Zaman
commit: cdd50f44b7b658e9478e9c968a299919a679396c
Author: cgzones  googlemail  com>
AuthorDate: Fri Jun  9 13:37:16 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Tue Jun 13 08:02:15 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cdd50f44

chkrootkit: add interfaces and sysadm permit

v2:
 - add bin_t fc to corecommands

 policy/modules/kernel/corecommands.fc |  1 +
 policy/modules/roles/sysadm.te|  4 
 policy/modules/system/init.if | 18 ++
 3 files changed, 23 insertions(+)

diff --git a/policy/modules/kernel/corecommands.fc 
b/policy/modules/kernel/corecommands.fc
index 320044e9..f1cb22b3 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -426,6 +426,7 @@ ifdef(`distro_suse', `
 /var/ftp/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
 
 /var/lib/asterisk/agi-bin(/.*)?
gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/chkrootkit/.* --  gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/yp/.+ --  gen_context(system_u:object_r:bin_t,s0)
 
 /var/qmail/bin -d  gen_context(system_u:object_r:bin_t,s0)
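Review bot: The new `/usr/lib/chkrootkit/.*` entry lands in the `/var/...` section of corecommands.fc rather than with the other `/usr/lib/` entries earlier in the file; `/usr/lib/yp/.+` just below is already out of place, so the commit follows existing precedent, but growing the misplaced group makes duplicates harder to spot. The `ifdef(`distro_suse'` in the hunk header is only git's nearest function-like line and does not by itself mean the entry is inside that block, though it is worth confirming the line sits in the unconditional section so the label applies on Gentoo as well. As with the other catch-all `.*` bin_t entries, every regular file in that directory becomes executable in the caller's domain, so a suffix or explicit list would be the narrower choice if the helper set is known.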

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 17e1e26f..e28a28bd 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -236,6 +236,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+   chkrootkit_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
chronyd_admin(sysadm_t, sysadm_r)
 ')
 

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 05fa767f..b9878d02 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -679,6 +679,24 @@ interface(`init_getpgid',`
 
 
 ## 
+## Send init a generic signal.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`init_signal',`
+   gen_require(`
+   type init_t;
+   ')
+
+   allow $1 init_t:process signal;
+')
+
+
+## 
 ## Send init a null signal.
 ## 
 ##
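Review bot: `allow $1 init_t:process signal;` grants every generic signal to init, since only sigkill, sigstop, sigchld and signull are separate permissions; for a systemd init that includes the signals that trigger re-execution and configuration reload, so the summary `Send init a generic signal.` understates what the caller receives. I would expand the summary to say it covers all signals other than kill/stop/chld/null and point callers that only need a liveness probe to the null-signal interface documented immediately below. The interface's summary and param markup appears to have been stripped by the archive rendering, so the parameter description text cannot be checked here.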