[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/

2024-03-01 Thread Kenton Groombridge
commit: b093761cac708c6320ea8588f089cb98fd974a24
Author: Christian Göttsche  googlemail  com>
AuthorDate: Thu Feb 22 17:00:44 2024 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Fri Mar  1 17:05:50 2024 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b093761c

systemd: binfmt updates

type=PROCTITLE msg=audit(21/02/24 22:54:36.708:53) : 
proctitle=/usr/lib/systemd/systemd-binfmt
type=SYSCALL msg=audit(21/02/24 22:54:36.708:53) : arch=x86_64 
syscall=fstatfs success=yes exit=0 a0=0x5 a1=0x7ffc547fbda0 a2=0x0 a3=0x0 
items=0 ppid=1 pid=694 auid=unset uid=root gid=root euid=root suid=root 
fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset 
comm=systemd-binfmt exe=/usr/lib/systemd/systemd-binfmt 
subj=system_u:system_r:systemd_binfmt_t:s0 key=(null)
type=AVC msg=audit(21/02/24 22:54:36.708:53) : avc:  denied  { getattr } 
for  pid=694 comm=systemd-binfmt name=/ dev=binfmt_misc ino=1 
scontext=system_u:system_r:systemd_binfmt_t:s0 
tcontext=system_u:object_r:binfmt_misc_fs_t:s0 tclass=filesystem permissive=1

type=PROCTITLE msg=audit(21/02/24 22:54:36.708:54) : 
proctitle=/usr/lib/systemd/systemd-binfmt
type=PATH msg=audit(21/02/24 22:54:36.708:54) : item=0 name=/proc/self/fd/4 
inode=1 dev=00:27 mode=dir,755 ouid=root ogid=root rdev=00:00 
obj=system_u:object_r:binfmt_misc_fs_t:s0 nametype=NORMAL cap_fp=none 
cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(21/02/24 22:54:36.708:54) : cwd=/
type=SYSCALL msg=audit(21/02/24 22:54:36.708:54) : arch=x86_64 
syscall=access success=yes exit=0 a0=0x7ffc547fbdf0 a1=W_OK a2=0x0 a3=0x0 
items=1 ppid=1 pid=694 auid=unset uid=root gid=root euid=root suid=root 
fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset 
comm=systemd-binfmt exe=/usr/lib/systemd/systemd-binfmt 
subj=system_u:system_r:systemd_binfmt_t:s0 key=(null)
type=AVC msg=audit(21/02/24 22:54:36.708:54) : avc:  denied  { write } for  
pid=694 comm=systemd-binfmt name=/ dev=binfmt_misc ino=1 
scontext=system_u:system_r:systemd_binfmt_t:s0 
tcontext=system_u:object_r:binfmt_misc_fs_t:s0 tclass=dir permissive=1

Signed-off-by: Christian Göttsche  googlemail.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/kernel/filesystem.if | 37 +
 policy/modules/system/systemd.te|  6 ++
 2 files changed, 43 insertions(+)

diff --git a/policy/modules/kernel/filesystem.if 
b/policy/modules/kernel/filesystem.if
index 08ad5503d..ae022b6c0 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -602,6 +602,24 @@ interface(`fs_manage_autofs_symlinks',`
manage_lnk_files_pattern($1, autofs_t, autofs_t)
 ')
 
+
+## 
+## Get the attributes of binfmt_misc filesystems.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`fs_getattr_binfmt_misc_fs',`
+   gen_require(`
+   type binfmt_misc_fs_t;
+   ')
+
+   allow $1 binfmt_misc_fs_t:filesystem getattr;
+')
+
 
 ## 
 ## Get the attributes of directories on
@@ -622,6 +640,25 @@ interface(`fs_getattr_binfmt_misc_dirs',`
 
 ')
 
+
+## 
+## Check for permissions using access(2) of directories on
+## binfmt_misc filesystems.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`fs_check_write_binfmt_misc_dirs',`
+   gen_require(`
+   type binfmt_misc_fs_t;
+   ')
+
+   allow $1 binfmt_misc_fs_t:dir { getattr write };
+')
+
 
 ## 
 ## Register an interpreter for new binary
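Review bot: The summary of `fs_check_write_binfmt_misc_dirs` describes only the access(2) probe, while the rule `allow $1 binfmt_misc_fs_t:dir { getattr write };` grants the same `write` permission that real directory modification needs; it is worth stating that `add_name` and `remove_name` are deliberately left out, so entries still cannot be created or removed through this interface. A description line such as `## Grants dir write without add_name/remove_name, so it satisfies access(W_OK) but not entry creation or removal.` would record that and discourage a later widening. Keeping this narrower than the existing `fs_register_binary_executable_type` call in systemd.te appears to be the intent.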

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 6d07466e6..63fef177b 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -401,6 +401,7 @@ fs_search_cgroup_dirs(systemd_backlight_t)
 #
 
 kernel_read_kernel_sysctls(systemd_binfmt_t)
+kernel_getattr_proc(systemd_binfmt_t)
 
 systemd_log_parse_environment(systemd_binfmt_t)
 
@@ -409,6 +410,11 @@ files_read_etc_files(systemd_binfmt_t)
 
 fs_register_binary_executable_type(systemd_binfmt_t)
 
+fs_getattr_binfmt_misc_fs(systemd_binfmt_t)
+fs_check_write_binfmt_misc_dirs(systemd_binfmt_t)
+
+fs_getattr_cgroup(systemd_binfmt_t)
+fs_search_cgroup_dirs(systemd_binfmt_t)
 
 ##
 #
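Review bot: The two new lines `fs_getattr_cgroup(systemd_binfmt_t)` and `fs_search_cgroup_dirs(systemd_binfmt_t)` have no rationale anywhere in this commit; the audit records in the message show only binfmt_misc denials. `kernel_getattr_proc(systemd_binfmt_t)` in the preceding hunk may be explained by the `/proc/self/fd/4` path in the second record, but the cgroup rules are not. A comment above them, e.g. `# TODO(review): cite the denial that requires cgroup getattr/search for systemd-binfmt`, or the AVC itself in the message, would keep the grant auditable.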



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/, policy/modules/services/

2023-10-06 Thread Kenton Groombridge
commit: 1d66af88aa2d390ac5783557e8d04289d16bc612
Author: Russell Coker  coker  com  au>
AuthorDate: Mon Sep 25 15:46:04 2023 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Fri Oct  6 15:30:09 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1d66af88

small storage changes (#706)

* Changes to storage.fc, smartmon, samba and lvm

Signed-off-by: Russell Coker  coker.com.au>

* Add the interfaces this patch needs

Signed-off-by: Russell Coker  coker.com.au>

* use manage_sock_file_perms for sock_file

Signed-off-by: Russell Coker  coker.com.au>

* Renamed files_watch_all_file_type_dir to files_watch_all_dirs

Signed-off-by: Russell Coker  coker.com.au>

* Use read_files_pattern

Signed-off-by: Russell Coker  coker.com.au>

-

Signed-off-by: Russell Coker  coker.com.au>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/kernel/files.if  | 19 +++
 policy/modules/kernel/storage.fc|  1 +
 policy/modules/services/samba.te| 11 ++-
 policy/modules/services/smartmon.if | 20 
 policy/modules/services/smartmon.te |  2 +-
 policy/modules/system/lvm.te|  1 +
 policy/modules/system/userdomain.if | 18 ++
 7 files changed, 70 insertions(+), 2 deletions(-)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index d8874ace2..a1113ff7c 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1426,6 +1426,25 @@ interface(`files_unmount_all_file_type_fs',`
allow $1 file_type:filesystem unmount;
 ')
 
+
+## 
+## watch all directories of file_type
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`files_watch_all_dirs',`
+   gen_require(`
+   attribute file_type;
+   ')
+
+   allow $1 file_type:dir watch;
+')
+
+
 
 ## 
 ## Read all non-authentication related
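Review bot: `files_watch_all_dirs` grants `watch` on every directory carrying the `file_type` attribute, which includes security-relevant trees, yet its summary `watch all directories of file_type` is a shorthand and the only one in these hunks not written as a sentence like its neighbours. Suggest `## Watch all directories of all file types.` plus a description sentence noting that the permission applies to every file_type directory, so callers should keep it behind a tunable as the `samba_export_all_*` hunks of this commit do.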

diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc
index 3033ac4de..9cd280c25 100644
--- a/policy/modules/kernel/storage.fc
+++ b/policy/modules/kernel/storage.fc
@@ -29,6 +29,7 @@
 /dev/lvm   -c  
gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/mcdx? -b  
gen_context(system_u:object_r:removable_device_t,s0)
 /dev/megadev.* -c  
gen_context(system_u:object_r:removable_device_t,s0)
+/dev/megaraid.*-c  
gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/mmcblk.*  -b  
gen_context(system_u:object_r:removable_device_t,s0)
 /dev/mmcblk.*  -c  
gen_context(system_u:object_r:removable_device_t,s0)
 /dev/mspblk.*  -b  
gen_context(system_u:object_r:removable_device_t,s0)

diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
index 8ec3a1c62..f78d316cc 100644
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
@@ -408,11 +408,13 @@ tunable_policy(`samba_create_home_dirs',`
 ')
 
 tunable_policy(`samba_enable_home_dirs',`
+   files_watch_home(smbd_t)
userdom_manage_user_home_content_dirs(smbd_t)
userdom_manage_user_home_content_files(smbd_t)
userdom_manage_user_home_content_symlinks(smbd_t)
userdom_manage_user_home_content_sockets(smbd_t)
userdom_manage_user_home_content_pipes(smbd_t)
+   userdom_watch_user_home_dirs(smbd_t)
 ')
 
 tunable_policy(`samba_portmapper',`
@@ -444,11 +446,13 @@ tunable_policy(`samba_export_all_ro',`
fs_read_noxattr_fs_files(smbd_t)
files_list_non_auth_dirs(smbd_t)
files_read_non_auth_files(smbd_t)
+   files_watch_all_dirs(smbd_t)
 ')
 
 tunable_policy(`samba_export_all_rw',`
fs_read_noxattr_fs_files(smbd_t)
files_manage_non_auth_files(smbd_t)
+   files_watch_all_dirs(smbd_t)
 ')
 
 optional_policy(`
@@ -617,13 +621,17 @@ optional_policy(`
 allow smbcontrol_t self:process signal;
 allow smbcontrol_t self:fifo_file rw_fifo_file_perms;
 allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms;
+allow smbcontrol_t self:unix_dgram_socket create_socket_perms;
 allow smbcontrol_t self:process { signal signull };
 
 allow smbcontrol_t { winbind_t nmbd_t smbd_t }:process { signal signull };
-read_files_pattern(smbcontrol_t, samba_runtime_t, samba_runtime_t)
+allow smbcontrol_t { smbd_t nmbd_t }:unix_dgram_socket sendto;
+manage_files_pattern(smbcontrol_t, samba_runtime_t, samba_runtime_t)
+allow smbcontrol_t samba_runtime_t:file map;
 allow smbcontrol_t samba_runtime_t:dir rw_dir_perms;
 
 manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t)
+allow smbcontrol_t samba_var_t:sock_file manage_sock_file_perms;
 
 samba_read_config(smbcontrol_t)
 samba_search_var(smbcontrol_t)
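Review bot: `read_files_pattern(smbcontrol_t, samba_runtime_t, samba_runtime_t)` becomes `manage_files_pattern(...)` plus `allow smbcontrol_t samba_runtime_t:file map;`, which moves smbcontrol from reading runtime files to creating, writing and deleting them, and neither the hunk nor the commit bullets say which files need that. A comment on the new line, e.g. `# presumably smbcontrol creates and removes messaging files under samba_runtime_t — confirm against the denials`, would record the rationale; if only a subset of the runtime files is touched, a narrower rule would be preferable. The enclosing `optional_policy` block starts before this hunk.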
@@ -639,6 +647,7 @@ files_search_var_lib(smbcontrol_t)
 term_use_console(smbcontrol_t)
 
 

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/, policy/modules/services/

2023-10-06 Thread Kenton Groombridge
commit: 3cf4d89db3171671a05868dd5ecaf933c49fcaa4
Author: Russell Coker  coker  com  au>
AuthorDate: Thu Sep 28 13:55:56 2023 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Fri Oct  6 15:30:52 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3cf4d89d

mon.te patches as well as some fstools patches related to it (#697)

* Patches for mon, mostly mon local monitoring.

Also added the fsdaemon_read_lib() interface and fstools patch because it
also uses fsdaemon_read_lib() and it's called by monitoring scripts

Signed-off-by: Russell Coker  coker.com.au>

* Added the files_dontaudit_tmpfs_file_getattr() and
storage_dev_filetrans_fixed_disk_control() interfaces needed

Signed-off-by: Russell Coker  coker.com.au>

* Fixed the issues from the review

Signed-off-by: Russell Coker  coker.com.au>

* Specify name to avoid conflicting file trans

Signed-off-by: Russell Coker  coker.com.au>

* fixed dontaudi_ typo

Signed-off-by: Russell Coker  coker.com.au>

* Changed storage_dev_filetrans_fixed_disk to have a mandatory parameter for 
the object class

Signed-off-by: Russell Coker  coker.com.au>

* Remove fsdaemon_read_lib as it was already merged

Signed-off-by: Russell Coker  coker.com.au>

-

Signed-off-by: Russell Coker  coker.com.au>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/kernel/files.if  | 18 ++
 policy/modules/kernel/kernel.te |  2 +-
 policy/modules/kernel/storage.if|  7 ++-
 policy/modules/services/mon.te  | 30 ++
 policy/modules/services/smartmon.te |  2 +-
 policy/modules/system/fstools.te| 17 +
 policy/modules/system/init.te   |  2 +-
 policy/modules/system/lvm.te|  2 +-
 policy/modules/system/raid.te   |  2 +-
 9 files changed, 72 insertions(+), 10 deletions(-)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index a1113ff7c..591aa64d6 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -434,6 +434,24 @@ interface(`files_tmpfs_file',`
typeattribute $1 tmpfsfile;
 ')
 
+
+## 
+## dontaudit getattr on tmpfs files
+## 
+## 
+## 
+## Domain to not have stat on tmpfs files audited
+## 
+## 
+#
+interface(`files_dontaudit_getattr_all_tmpfs_files',`
+   gen_require(`
+   attribute tmpfsfile;
+   ')
+
+   dontaudit $1 tmpfsfile:file getattr;
+')
+
 
 ## 
 ## Get the attributes of all directories.
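Review bot: The documentation of `files_dontaudit_getattr_all_tmpfs_files` does not follow the wording used by the other dontaudit interfaces in files.if: the summary `dontaudit getattr on tmpfs files` is not a sentence and the parameter text `Domain to not have stat on tmpfs files audited` is awkward. Suggest `## Do not audit attempts to get the attributes of all tmpfs files.` for the summary and `## Domain to not audit.` for the parameter, matching the existing style.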

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 666d0e7e9..8156ac087 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -390,7 +390,7 @@ ifdef(`init_systemd',`
')
 
optional_policy(`
-   storage_dev_filetrans_fixed_disk(kernel_t)
+   storage_dev_filetrans_fixed_disk(kernel_t, blk_file)
storage_setattr_fixed_disk_dev(kernel_t)
storage_create_fixed_disk_dev(kernel_t)
storage_delete_fixed_disk_dev(kernel_t)

diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
index 9c581a910..777caea69 100644
--- a/policy/modules/kernel/storage.if
+++ b/policy/modules/kernel/storage.if
@@ -296,6 +296,11 @@ interface(`storage_manage_fixed_disk',`
 ## Domain allowed access.
 ## 
 ## 
+## 
+## 
+## The class of the object to be created.
+## 
+## 
 ## 
 ## 
 ## Optional filename of the block device to be created
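Review bot: The parameter text `Optional filename of the block device to be created` is now stale, because the second hunk of this file changes the rule to `dev_filetrans($1, fixed_disk_device_t, $2, $3)` and the class is whatever the caller passes in `$2`. Suggest `## Optional filename of the device node to be created.`. Since the new class parameter is mandatory, the diffstat lists the in-tree callers updated here, but any out-of-tree caller of the old two-argument form will now fail at build time, which the commit message could state.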
@@ -307,7 +312,7 @@ interface(`storage_dev_filetrans_fixed_disk',`
type fixed_disk_device_t;
')
 
-   dev_filetrans($1, fixed_disk_device_t, blk_file, $2)
+   dev_filetrans($1, fixed_disk_device_t, $2, $3)
 ')
 
 

diff --git a/policy/modules/services/mon.te b/policy/modules/services/mon.te
index b9a349871..bbf0496b3 100644
--- a/policy/modules/services/mon.te
+++ b/policy/modules/services/mon.te
@@ -42,8 +42,7 @@ files_tmp_file(mon_tmp_t)
 
 allow mon_t self:fifo_file rw_fifo_file_perms;
 allow mon_t self:tcp_socket create_stream_socket_perms;
-# for mailxmpp.alert to set ulimit
-allow mon_t self:process setrlimit;
+allow mon_t self:process { setrlimit getsched signal };
 
 domtrans_pattern(mon_t, mon_local_test_exec_t, mon_local_test_t)
 
@@ -104,6 +103,11 @@ optional_policy(`
mta_send_mail(mon_t)
 ')
 
+optional_policy(`
+   # for config of xmpp sending program
+   xdg_read_config_files(mon_t)
+')
+
 
 #
 # Local policy
@@ -151,6 +155,10 @@ optional_policy(`
mysql_stream_connect(mon_net_test_t)
 ')
 
+optional_policy(`
+   snmp_read_snmp_var_lib_files(mon_net_test_t)
+')
+
 
 #
 # Local policy
@@ -161,9 +169,10 @@ optional_policy(`
 #
 
 # sys_ptrace is for 

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/

2023-03-31 Thread Kenton Groombridge
commit: af8127d982e94211a2a717c9fb3249ef7456ee7a
Author: Kenton Groombridge  concord  sh>
AuthorDate: Tue Mar  7 00:19:51 2023 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Fri Mar 31 17:11:32 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=af8127d9

fs, init: allow systemd-init to set the attributes of efivarfs files

avc:  denied  { setattr } for  pid=1 comm="systemd" 
name="LoaderSystemToken-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f" dev="efivarfs" 
ino=1049 scontext=system_u:system_r:init_t:s0 
tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=0

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/kernel/filesystem.if | 20 
 policy/modules/system/init.te   |  1 +
 2 files changed, 21 insertions(+)

diff --git a/policy/modules/kernel/filesystem.if 
b/policy/modules/kernel/filesystem.if
index a1282cf40..528eeafc0 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -2439,6 +2439,26 @@ interface(`fs_read_efivarfs_files',`
read_files_pattern($1, efivarfs_t, efivarfs_t)
 ')
 
+###
+## 
+##  Set the attributes of files in efivarfs
+##  - contains Linux Kernel configuration options for UEFI systems
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+## 
+#
+interface(`fs_setattr_efivarfs_files',`
+   gen_require(`
+   type efivarfs_t;
+   ')
+
+   setattr_files_pattern($1, efivarfs_t, efivarfs_t)
+')
+
 
 ## 
 ## Create, read, write, and delete files
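Review bot: The description line `contains Linux Kernel configuration options for UEFI systems` on the new `fs_setattr_efivarfs_files` interface is inaccurate; efivarfs exposes UEFI firmware variables, as the `LoaderSystemToken-...` name in the quoted denial shows, not kernel configuration. Suggest `## Set the attributes of files in efivarfs, which exposes UEFI firmware variables.` for the summary and dropping the second line.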

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 87d62741e..fca349587 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -464,6 +464,7 @@ ifdef(`init_systemd',`
fs_relabel_tmpfs_chr_files(init_t)
fs_relabel_tmpfs_fifo_files(init_t)
fs_read_efivarfs_files(init_t)
+   fs_setattr_efivarfs_files(init_t)
# for privatetmp functions
fs_relabel_tmpfs_dirs(init_t)
fs_relabel_tmpfs_files(init_t)



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/

2023-03-31 Thread Kenton Groombridge
commit: 71328f3f02d4765b904f1a2a6c9fe140cb116182
Author: Kenton Groombridge  concord  sh>
AuthorDate: Mon Mar  6 18:37:02 2023 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Fri Mar 31 17:11:32 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=71328f3f

files, systemd: allow systemd-tmpfiles to relabel config file symlinks

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/kernel/files.if   | 19 +++
 policy/modules/system/systemd.te |  3 ++-
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index a895f3734..6fe764a7a 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1713,6 +1713,25 @@ interface(`files_dontaudit_relabel_config_files',`
dontaudit $1 configfile:file relabel_file_perms;
 ')
 
+###
+## 
+## Relabel configuration symlinks.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+##
+#
+interface(`files_relabel_config_symlinks',`
+   gen_require(`
+   attribute configfile;
+   ')
+
+   relabel_lnk_files_pattern($1, configfile, configfile)
+')
+
 
 ## 
 ## Mount a filesystem on all mount points.

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 778052cde..59a3fcfc5 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1704,8 +1704,9 @@ files_manage_all_locks(systemd_tmpfiles_t)
 files_purge_tmp(systemd_tmpfiles_t)
 files_read_etc_files(systemd_tmpfiles_t)
 files_read_etc_runtime_files(systemd_tmpfiles_t)
-files_relabel_config_files(systemd_tmpfiles_t)
 files_relabel_config_dirs(systemd_tmpfiles_t)
+files_relabel_config_files(systemd_tmpfiles_t)
+files_relabel_config_symlinks(systemd_tmpfiles_t)
 files_relabel_all_locks(systemd_tmpfiles_t)
 files_relabel_all_runtime_dirs(systemd_tmpfiles_t)
 files_relabel_all_tmp_dirs(systemd_tmpfiles_t)



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/

2023-03-31 Thread Kenton Groombridge
commit: 70226d790395660a9e086b8c0eeec28acf2c7e3b
Author: Kenton Groombridge  concord  sh>
AuthorDate: Mon Mar  6 18:18:41 2023 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Fri Mar 31 17:11:32 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=70226d79

fs, udev: allow systemd-udevd various cgroup perms

Needed for systemd-udevd to create files under
/sys/fs/cgroup/system.slice/systemd-udevd.service/udev

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/kernel/filesystem.if | 40 -
 policy/modules/system/udev.te   |  6 +-
 2 files changed, 44 insertions(+), 2 deletions(-)

diff --git a/policy/modules/kernel/filesystem.if 
b/policy/modules/kernel/filesystem.if
index af2023e62..a1282cf40 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -798,7 +798,6 @@ interface(`fs_getattr_cgroup',`
 interface(`fs_search_cgroup_dirs',`
gen_require(`
type cgroup_t;
-
')
 
search_dirs_pattern($1, cgroup_t, cgroup_t)
@@ -843,6 +842,25 @@ interface(`fs_ioctl_cgroup_dirs', `
dev_search_sysfs($1)
 ')
 
+
+## 
+## Create cgroup directories.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`fs_create_cgroup_dirs',`
+   gen_require(`
+   type cgroup_t;
+   ')
+
+   create_dirs_pattern($1, cgroup_t, cgroup_t)
+   dev_search_sysfs($1)
+')
+
 
 ## 
 ## Delete cgroup directories.
@@ -941,6 +959,26 @@ interface(`fs_read_cgroup_files',`
dev_search_sysfs($1)
 ')
 
+
+## 
+## Create cgroup files.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`fs_create_cgroup_files',`
+   gen_require(`
+   type cgroup_t;
+
+   ')
+
+   create_files_pattern($1, cgroup_t, cgroup_t)
+   dev_search_sysfs($1)
+')
+
 
 ## 
 ## Watch cgroup files.
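Review bot: `fs_create_cgroup_files` introduces a stray blank line inside its `gen_require` block, right after `type cgroup_t;`, which is exactly the whitespace the first hunk of this file removes from `fs_search_cgroup_dirs`. Suggest deleting that blank line so the new interface matches `fs_create_cgroup_dirs` in the previous hunk.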

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 56cfa2fb8..2fae88354 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -261,7 +261,11 @@ ifdef(`distro_redhat',`
 ifdef(`init_systemd',`
files_search_kernel_modules(udev_t)
 
-   fs_read_cgroup_files(udev_t)
+   # systemd-udev creates cgroup files under
+   # /sys/fs/cgroup/system.slice/systemd-udevd.service/udev
+   fs_create_cgroup_dirs(udev_t)
+   fs_create_cgroup_files(udev_t)
+   fs_rw_cgroup_files(udev_t)
 
init_dgram_send(udev_t)
init_get_generic_units_status(udev_t)



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/

2022-03-30 Thread Jason Zaman
commit: fc0dd40ee53f5a1d45ee160db2d3d1e6727bff90
Author: Kenton Groombridge  concord  sh>
AuthorDate: Wed Nov 10 17:58:42 2021 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu Mar 31 02:40:53 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fc0dd40e

files, init: allow init to remount filesystems mounted on /boot

The context= mount option can be used to label, for example, a DOS
filesystem mounted on boot to be boot_t instead of dosfs_t. Explicitly
allow init (systemd) to remount boot_t filesystems so that options like
ProtectSystem=full work properly.

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/kernel/files.if | 18 ++
 policy/modules/system/init.te  |  1 +
 2 files changed, 19 insertions(+)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index ea29fef3..baedb52e 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -2238,6 +2238,24 @@ interface(`files_mounton_root',`
allow $1 root_t:dir mounton;
 ')
 
+
+## 
+## Remount a filesystem mounted on /boot.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`files_remount_boot',`
+   gen_require(`
+   type boot_t;
+   ')
+
+   allow $1 boot_t:filesystem remount;
+')
+
 
 ## 
 ## Get attributes of the /boot directory.

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 3f1c7d20..6e1baef9 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -417,6 +417,7 @@ ifdef(`init_systemd',`
files_mounton_tmp(init_t)
files_manage_urandom_seed(init_t)
files_read_boot_files(initrc_t)
+   files_remount_boot(init_t)
files_relabel_all_lock_dirs(init_t)
files_search_all(init_t)
files_unmount_all_file_type_fs(init_t)
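Review bot: `files_remount_boot(init_t)` is inserted before `files_relabel_all_lock_dirs(init_t)`, but if this block is kept in alphabetical order as the surrounding `files_*` calls suggest, `files_remount_boot` belongs after `files_relabel_all_lock_dirs` and before `files_search_all`. The enclosing `ifdef(`init_systemd'` block starts before this hunk.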



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/

2021-03-21 Thread Jason Zaman
commit: 722e26ffd25c220056e1cdb1b48b14f95011ba1f
Author: Krzysztof Nowicki  op  pl>
AuthorDate: Wed Feb  3 09:00:35 2021 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Mon Feb 15 19:49:24 2021 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=722e26ff

Enable factory directory support in systemd-tmpfilesd

/usr/share/factory serves as a template directory for
systemd-tmpfilesd. The copy (C) and link (L) commands can utilize this
directory as a default source for files, which should be placed in the
filesystem.

This behaviour is controlled via a tunable as it gives
systemd-tmpfilesd manage permissions over etc, which could be
considered a security risk.

Relevant denials are silenced in case the policy is disabled.

Signed-off-by: Krzysztof Nowicki  op.pl>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/kernel/files.if   | 20 
 policy/modules/system/systemd.fc |  2 ++
 policy/modules/system/systemd.te | 24 
 3 files changed, 46 insertions(+)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index b493a4a1..55fbf783 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -3119,6 +3119,26 @@ interface(`files_manage_etc_files',`
read_lnk_files_pattern($1, etc_t, etc_t)
 ')
 
+
+## 
+## Do not audit attempts to create, read, write,
+## and delete generic files in /etc.
+## 
+## 
+## 
+## Domain to not audit.
+## 
+## 
+## 
+#
+interface(`files_dontaudit_manage_etc_files',`
+   gen_require(`
+   type etc_t;
+   ')
+
+   dontaudit $1 etc_t:file manage_file_perms;
+')
+
 
 ## 
 ## Delete system configuration files in /etc.

diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index f88fdfb4..8dcae1a9 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -55,6 +55,8 @@
 /usr/lib/systemd/system/systemd-rfkill.*   --  
gen_context(system_u:object_r:systemd_rfkill_unit_t,s0)
 /usr/lib/systemd/system/systemd-socket-proxyd\.service --  
gen_context(system_u:object_r:systemd_socket_proxyd_unit_file_t,s0)
 
+/usr/share/factory(/.*)?   
gen_context(system_u:object_r:systemd_factory_conf_t,s0)
+
 /var/\.updated --  
gen_context(system_u:object_r:systemd_update_run_t,s0)
 
 /var/lib/systemd/backlight(/.*)?   
gen_context(system_u:object_r:systemd_backlight_var_lib_t,s0)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 5d34e6d2..ed2bce80 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -45,6 +45,14 @@ gen_tunable(systemd_socket_proxyd_bind_any, false)
 ## 
 gen_tunable(systemd_socket_proxyd_connect_any, false)
 
+## 
+## 
+## Allow systemd-tmpfilesd to populate missing configuration files from factory
+## template directory.
+## 
+## 
+gen_tunable(systemd_tmpfilesd_factory, false)
+
 attribute systemd_log_parse_env_type;
 attribute systemd_tmpfiles_conf_type;
 attribute systemd_user_session_type;
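Review bot: The tunable description `Allow systemd-tmpfilesd to populate missing configuration files from factory template directory.` omits the consequence the commit message itself names: enabling it grants `files_manage_etc_files` (create, write and delete of generic etc_t files) to systemd_tmpfiles_t, as the last hunk of this file shows. Tunable descriptions are what administrators read before flipping a boolean, so suggest adding `## Enabling this grants systemd-tmpfilesd full management of generic /etc files.`.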
@@ -104,6 +112,9 @@ type systemd_detect_virt_t;
 type systemd_detect_virt_exec_t;
 init_daemon_domain(systemd_detect_virt_t, systemd_detect_virt_exec_t)
 
+type systemd_factory_conf_t;
+systemd_tmpfiles_conf_file(systemd_factory_conf_t)
+
 type systemd_generator_t;
 type systemd_generator_exec_t;
 typealias systemd_generator_t alias { systemd_fstab_generator_t 
systemd_gpt_generator_t };
@@ -1283,6 +1294,7 @@ allow systemd_tmpfiles_t systemd_journal_t:dir 
relabel_dir_perms;
 allow systemd_tmpfiles_t systemd_journal_t:file relabel_file_perms;
 
 allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:dir list_dir_perms;
+allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:dir search_dir_perms;
 allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms;
 
 kernel_getattr_proc(systemd_tmpfiles_t)
@@ -1377,6 +1389,18 @@ tunable_policy(`systemd_tmpfiles_manage_all',`
files_relabel_non_security_files(systemd_tmpfiles_t)
 ')
 
+tunable_policy(`systemd_tmpfilesd_factory', `
+   allow systemd_tmpfiles_t systemd_factory_conf_t:dir list_dir_perms;
+   allow systemd_tmpfiles_t systemd_factory_conf_t:file read_file_perms;
+
+   files_manage_etc_files(systemd_tmpfiles_t)
+',`
+   dontaudit systemd_tmpfiles_t systemd_factory_conf_t:dir list_dir_perms;
+   dontaudit systemd_tmpfiles_t systemd_factory_conf_t:file 
read_file_perms;
+
+   files_dontaudit_manage_etc_files(systemd_tmpfiles_t)
+')
+
 optional_policy(`
dbus_read_lib_files(systemd_tmpfiles_t)
dbus_relabel_lib_dirs(systemd_tmpfiles_t)
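Review bot: The new tunable is named `systemd_tmpfilesd_factory` while the existing tunable in the hunk header, `systemd_tmpfiles_manage_all`, and the domain `systemd_tmpfiles_t` use `tmpfiles`, so the name will be hard to find next to its siblings; `systemd_tmpfiles_factory` would be consistent. Also `tunable_policy(`systemd_tmpfilesd_factory', `` has a space before the opening quote of the second argument, unlike `tunable_policy(`systemd_tmpfiles_manage_all',`` on the header line.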



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/

2021-03-21 Thread Jason Zaman
commit: b5319ac6961b49e3f3b83cd390c102cd39bb33fd
Author: Krzysztof Nowicki  op  pl>
AuthorDate: Wed Feb  3 14:59:22 2021 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Mon Feb 15 19:49:24 2021 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b5319ac6

Allow systemd-tmpfilesd to relabel generic files inside /etc

Enable this only with the systemd_tmpfilesd_factory tunable, otherwise
silence the messages with a dontaudit rule.

Fixes:

avc:  denied  { relabelfrom } for comm="systemd-tmpfile"
name="pam.d" dev= ino=
scontext=system_u:system_r:systemd_tmpfiles_t:s0
tcontext=system_u:object_r:etc_t:s0 tclass=dir

Signed-off-by: Krzysztof Nowicki  op.pl>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/kernel/files.if   | 38 ++
 policy/modules/system/systemd.te |  4 
 2 files changed, 42 insertions(+)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 55fbf783..0687a435 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1611,6 +1611,25 @@ interface(`files_relabel_config_dirs',`
relabel_dirs_pattern($1, configfile, configfile)
 ')
 
+#
+## 
+## Do not audit attempts to relabel configuration directories
+## 
+## 
+## 
+## Domain not to audit.
+## 
+## 
+##
+#
+interface(`files_dontaudit_relabel_config_dirs',`
+   gen_require(`
+   attribute configfile;
+   ')
+
+   dontaudit $1 configfile:dir relabel_dir_perms;
+')
+
 
 ## 
 ## Read config files in /etc.
@@ -1669,6 +1688,25 @@ interface(`files_relabel_config_files',`
relabel_files_pattern($1, configfile, configfile)
 ')
 
+###
+## 
+## Do not audit attempts to relabel configuration files
+## 
+## 
+## 
+## Domain not to audit.
+## 
+## 
+##
+#
+interface(`files_dontaudit_relabel_config_files',`
+   gen_require(`
+   attribute configfile;
+   ')
+
+   dontaudit $1 configfile:file relabel_file_perms;
+')
+
 
 ## 
 ## Mount a filesystem on all mount points.

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index ed2bce80..08c26078 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1394,11 +1394,15 @@ tunable_policy(`systemd_tmpfilesd_factory', `
allow systemd_tmpfiles_t systemd_factory_conf_t:file read_file_perms;
 
files_manage_etc_files(systemd_tmpfiles_t)
+   files_relabel_config_dirs(systemd_tmpfiles_t)
+   files_relabel_config_files(systemd_tmpfiles_t)
 ',`
dontaudit systemd_tmpfiles_t systemd_factory_conf_t:dir list_dir_perms;
dontaudit systemd_tmpfiles_t systemd_factory_conf_t:file 
read_file_perms;
 
files_dontaudit_manage_etc_files(systemd_tmpfiles_t)
+   files_dontaudit_relabel_config_dirs(systemd_tmpfiles_t)
+   files_dontaudit_relabel_config_files(systemd_tmpfiles_t)
 ')
 
 optional_policy(`
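Review bot: The commit message and the quoted denial concern `etc_t`, but `files_relabel_config_dirs`/`files_relabel_config_files` and their dontaudit counterparts operate on the `configfile` attribute, as the files.if hunks show with `relabel_dirs_pattern($1, configfile, configfile)`, so the grant covers every type carrying that attribute rather than only generic /etc files. If only etc_t is needed, a narrower interface would keep the factory tunable's scope as its description states; otherwise the tunable description should say config files broadly. The enclosing `tunable_policy` block starts before this hunk.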



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/

2021-01-10 Thread Jason Zaman
commit: 6a9ade8f0070fb55b5e24befa2501644b412fed2
Author: Dave Sugar  tresys  com>
AuthorDate: Mon Dec  7 16:09:15 2020 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Jan 10 21:52:17 2021 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6a9ade8f

Allow systemd-modules-load to search kernel keys

I was seeing the following errors from systemd-modules-load without this search 
permission.

Dec  7 14:36:19 systemd-modules-load: Failed to insert 'nf_conntrack_ftp': 
Required key not available
Dec  7 14:36:19 kernel: Request for unknown module key 'Red Hat Enterprise 
Linux kernel signing key: 3ffb026dadef6e0bc404752a7e7c29095a68eab7' err -13
Dec  7 14:36:19 systemd: systemd-modules-load.service: main process exited, 
code=exited, status=1/FAILURE
Dec  7 14:36:19 audispd: node=loacalhost type=PROCTITLE 
msg=audit(1607351779.441:3259): 
proctitle="/usr/lib/systemd/systemd-modules-load"
Dec  7 14:36:19 systemd: Failed to start Load Kernel Modules.

This is the denial:

Dec  7 15:56:52 audispd: node=localhost type=AVC 
msg=audit(1607356612.877:3815): avc:  denied { search } for  pid=11715 
comm="systemd-modules" scontext=system_u:system_r:systemd_modules_load_t:s0 
tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=1

Signed-off-by: Dave Sugar  tresys.com>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/kernel/kernel.te   | 1 +
 policy/modules/system/modutils.te | 1 -
 2 files changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 8693e800..d70f625b 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -512,6 +512,7 @@ if( ! secure_mode_insmod ) {
# gt: there seems to be no trace of the above, at
# least in kernel versions greater than 2.6.37...
allow can_load_kernmodule self:capability sys_nice;
+   kernel_search_key(can_load_kernmodule)
kernel_setsched(can_load_kernmodule)
 }
 
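Review bot: Moving `kernel_search_key` onto the `can_load_kernmodule` attribute inside `if( ! secure_mode_insmod )` makes the permission conditional for kmod_t, where the modutils.te hunk removed it as an unconditional rule; that is presumably harmless because the block also carries the other module-loading rules, but it is a behaviour change the message does not mention. A comment above the new line, e.g. `# signed-module verification looks up keys owned by kernel_t`, would record why every module-loading domain needs it, which the quoted "Required key not available" log supports.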

diff --git a/policy/modules/system/modutils.te 
b/policy/modules/system/modutils.te
index e002e6e3..a7f8e42c 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -62,7 +62,6 @@ kernel_write_proc_files(kmod_t)
 kernel_mount_debugfs(kmod_t)
 kernel_mount_kvmfs(kmod_t)
 kernel_read_debugfs(kmod_t)
-kernel_search_key(kmod_t)
 # Rules for /proc/sys/kernel/tainted
 kernel_read_kernel_sysctls(kmod_t)
 kernel_rw_kernel_sysctl(kmod_t)



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/

2020-11-28 Thread Jason Zaman
commit: 49688047a9eaf2a136c50ecb7ad5097a9921e870
Author: Chris PeBenito  ieee  org>
AuthorDate: Thu Nov  5 11:55:25 2020 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Mon Nov 16 09:03:43 2020 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=49688047

filesystem, xen: Module version bump.

Signed-off-by: Chris PeBenito  ieee.org>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/kernel/filesystem.te | 2 +-
 policy/modules/system/xen.te| 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/kernel/filesystem.te 
b/policy/modules/kernel/filesystem.te
index f338e207..ef891c09 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -1,4 +1,4 @@
-policy_module(filesystem, 1.28.2)
+policy_module(filesystem, 1.28.3)
 
 
 #

diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te
index 82328cbb..232c3ee4 100644
--- a/policy/modules/system/xen.te
+++ b/policy/modules/system/xen.te
@@ -1,4 +1,4 @@
-policy_module(xen, 1.18.1)
+policy_module(xen, 1.18.2)
 
 
 #



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/

2020-02-14 Thread Jason Zaman
commit: 18b85ee49eaccaf5c2765a65234661513555c5f6
Author: Chris PeBenito  ieee  org>
AuthorDate: Sat Feb  8 14:35:13 2020 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Feb 15 07:32:05 2020 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=18b85ee4

systemd, devices: Module version bump.

Signed-off-by: Chris PeBenito  ieee.org>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/kernel/devices.te | 2 +-
 policy/modules/system/systemd.te | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 70cbc49e..05c087bc 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,4 +1,4 @@
-policy_module(devices, 1.25.7)
+policy_module(devices, 1.25.8)
 
 
 #

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 7624d258..0c3fa6c1 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.8.12)
+policy_module(systemd, 1.8.13)
 
 #
 #



[gentoo-commits] proj/hardened-refpolicy:master commit in: /, policy/modules/kernel/, policy/modules/system/, policy/modules/services/, ...

2019-12-24 Thread Jason Zaman
commit: 3ad3fd938f3a06d4170286f9e14bbcd0765e8fb6
Author: Jason Zaman  gentoo  org>
AuthorDate: Tue Dec 17 04:17:02 2019 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Tue Dec 24 09:58:27 2019 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3ad3fd93

Fix gentoo-specific lint issues

Signed-off-by: Jason Zaman  gentoo.org>

 .travis.yml   | 2 +-
 policy/modules/admin/portage.fc   | 2 +-
 policy/modules/apps/java.fc   | 2 +-
 policy/modules/apps/qemu.fc   | 4 ++--
 policy/modules/contrib/android.fc | 2 +-
 policy/modules/contrib/dirsrv.fc  | 4 ++--
 policy/modules/contrib/openrc.fc  | 2 +-
 policy/modules/contrib/phpfpm.fc  | 8 
 policy/modules/contrib/resolvconf.fc  | 2 +-
 policy/modules/contrib/rtorrent.fc| 6 +++---
 policy/modules/contrib/uwsgi.fc   | 2 +-
 policy/modules/contrib/vde.fc | 2 +-
 policy/modules/kernel/corecommands.fc | 8 
 policy/modules/services/ntp.fc| 2 +-
 policy/modules/system/lvm.fc  | 5 -
 policy/modules/system/miscfiles.fc| 6 ++
 policy/modules/system/tmpfiles.fc | 6 +++---
 17 files changed, 29 insertions(+), 36 deletions(-)

diff --git a/.travis.yml b/.travis.yml
index 8be908cc..5dfbe090 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -25,7 +25,7 @@ env:
 matrix:
   include:
   - python: 3.7
-env: LINT=true TYPE=standard
+env: LINT=true TYPE=standard DISTRO=gentoo
 
 sudo: false
 dist: bionic

diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc
index 8a41cfff..26850f9d 100644
--- a/policy/modules/admin/portage.fc
+++ b/policy/modules/admin/portage.fc
@@ -23,7 +23,7 @@
 /usr/portage(/.*)? gen_context(system_u:object_r:portage_ebuild_t,s0)
 /usr/portage/distfiles/cvs-src(/.*)?   
gen_context(system_u:object_r:portage_srcrepo_t,s0)
 /usr/portage/distfiles/egit-src(/.*)?  
gen_context(system_u:object_r:portage_srcrepo_t,s0)
-/usr/portage/distfiles/git.?-src(/.*)? 
gen_context(system_u:object_r:portage_srcrepo_t,s0)
+/usr/portage/distfiles/git[0-9]-src(/.*)?  
gen_context(system_u:object_r:portage_srcrepo_t,s0)
 /usr/portage/distfiles/go-src(/.*)?
gen_context(system_u:object_r:portage_srcrepo_t,s0)
 /usr/portage/distfiles/hg-src(/.*)?
gen_context(system_u:object_r:portage_srcrepo_t,s0)
 /usr/portage/distfiles/svn-src(/.*)?   
gen_context(system_u:object_r:portage_srcrepo_t,s0)
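Review bot: The new pattern `/usr/portage/distfiles/git[0-9]-src(/.*)?` requires exactly one digit, whereas the old `git.?-src` also matched a bare `git-src` directory, so that path would now fall back to the generic `/usr/portage(/.*)?` portage_ebuild_t entry. If any eclass still checks out into `git-src` (this hunk only lists `egit-src` and the numbered form), `/usr/portage/distfiles/git[0-9]?-src(/.*)?` keeps that case while still removing the unescaped `.` the lint complained about. If `git-src` is known to be obsolete, a one-line comment saying so would explain why the digit became mandatory.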

diff --git a/policy/modules/apps/java.fc b/policy/modules/apps/java.fc
index e8804805..d0476be2 100644
--- a/policy/modules/apps/java.fc
+++ b/policy/modules/apps/java.fc
@@ -34,5 +34,5 @@ HOME_DIR/\.java(/.*)? 
gen_context(system_u:object_r:java_home_t,s0)
 
 ifdef(`distro_gentoo',`
 # Running maven (mvn) command needs read access to this, yet the file is 
marked as bin_t otherwise
-/usr/share/maven-bin-[^/]*/bin/m2.conf --  
gen_context(system_u:object_r:usr_t,s0)
+/usr/share/maven-bin-[^/]*/bin/m2\.conf--  
gen_context(system_u:object_r:usr_t,s0)
 ')

diff --git a/policy/modules/apps/qemu.fc b/policy/modules/apps/qemu.fc
index df3aa2d3..59dcb78b 100644
--- a/policy/modules/apps/qemu.fc
+++ b/policy/modules/apps/qemu.fc
@@ -12,8 +12,8 @@
 ifdef(`distro_gentoo',`
 /usr/bin/qemu-ga   --  gen_context(system_u:object_r:qemu_ga_exec_t,s0)
 
-/var/log/qemu-ga.log   --  gen_context(system_u:object_r:qemu_ga_log_t,s0)
+/var/log/qemu-ga\.log  --  gen_context(system_u:object_r:qemu_ga_log_t,s0)
 /var/log/qemu-ga(/.*)? --  gen_context(system_u:object_r:qemu_ga_log_t,s0)
 
-/run/qemu-ga.pid   --  gen_context(system_u:object_r:qemu_ga_run_t,s0)
+/run/qemu-ga\.pid  --  gen_context(system_u:object_r:qemu_ga_run_t,s0)
 ')
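Review bot: The context line `/var/log/qemu-ga(/.*)? --  gen_context(system_u:object_r:qemu_ga_log_t,s0)` carries the `--` regular-file type while its regex also covers the directory `/var/log/qemu-ga` itself, so the directory can never match this entry and keeps the generic log label; the commit escapes the dots in the two neighbouring entries but leaves this untouched. If `/var/log/qemu-ga` is a directory on Gentoo, drop the `--` on that line (`/var/log/qemu-ga(/.*)?  gen_context(system_u:object_r:qemu_ga_log_t,s0)`) so the directory and its contents share one label. The escaped `qemu-ga\.log` and `qemu-ga\.pid` entries are correct as written.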

diff --git a/policy/modules/contrib/android.fc 
b/policy/modules/contrib/android.fc
index af983112..a72f5d9f 100644
--- a/policy/modules/contrib/android.fc
+++ b/policy/modules/contrib/android.fc
@@ -2,7 +2,7 @@ HOME_DIR/\.AndroidStudio.*(/.*)?
gen_context(system_u:object_r:android_home_t,s
 HOME_DIR/\.android(/.*)?   
gen_context(system_u:object_r:android_home_t,s0)
 HOME_DIR/\.gradle(/.*)?
gen_context(system_u:object_r:android_home_t,s0)
 
-/opt/android-studio/bin/studio.sh  
gen_context(system_u:object_r:android_java_exec_t,s0)
+/opt/android-studio/bin/studio\.sh 
gen_context(system_u:object_r:android_java_exec_t,s0)
 
 /opt/android-sdk-update-manager/platform-tools/adb --  
gen_context(system_u:object_r:android_tools_exec_t,s0)
 /opt/android-sdk-update-manager/platform-tools/fastboot--  
gen_context(system_u:object_r:android_tools_exec_t,s0)

diff --git a/policy/modules/contrib/dirsrv.fc b/policy/modules/contrib/dirsrv.fc
index 3a33d632..a675110f 100644
--- a/policy/modules/contrib/dirsrv.fc
+++ b/policy/modules/contrib/dirsrv.fc
@@ -5,8 +5,8 @@
 /var/lib/dirsrv(/.*)?  gen_context(system_u:object_r:dirsrv_var_lib_t,s0)
 

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/

2017-12-13 Thread Jason Zaman
commit: 94e5bdcfc5d1a49605d019ff465dd9f56bd9686d
Author: Chris PeBenito  ieee  org>
AuthorDate: Wed Dec 13 23:29:26 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu Dec 14 04:55:22 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=94e5bdcf

storage, userdomain: Module version bump.

 policy/modules/kernel/storage.te| 2 +-
 policy/modules/system/userdomain.te | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/kernel/storage.te b/policy/modules/kernel/storage.te
index eb9b5b8d..d2a49c97 100644
--- a/policy/modules/kernel/storage.te
+++ b/policy/modules/kernel/storage.te
@@ -1,4 +1,4 @@
-policy_module(storage, 1.15.0)
+policy_module(storage, 1.15.1)
 
 
 #

diff --git a/policy/modules/system/userdomain.te 
b/policy/modules/system/userdomain.te
index a3a1802e..3db9b0c2 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,4 +1,4 @@
-policy_module(userdomain, 4.14.9)
+policy_module(userdomain, 4.14.10)
 
 
 #



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/, policy/modules/services/

2017-12-12 Thread Jason Zaman
commit: 11930ca161a01e71abb6f3522e3dea4f91445ac9
Author: Chris PeBenito  ieee  org>
AuthorDate: Sun Dec  3 21:48:54 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Tue Dec 12 07:06:26 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=11930ca1

corcmd, fs, xserver, init, systemd, userdomain: Module version bump.

 policy/modules/kernel/corecommands.te | 2 +-
 policy/modules/kernel/filesystem.te   | 2 +-
 policy/modules/services/xserver.te| 2 +-
 policy/modules/system/init.te | 2 +-
 policy/modules/system/systemd.te  | 2 +-
 policy/modules/system/userdomain.te   | 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/policy/modules/kernel/corecommands.te 
b/policy/modules/kernel/corecommands.te
index 4bc0a45c..9ea33753 100644
--- a/policy/modules/kernel/corecommands.te
+++ b/policy/modules/kernel/corecommands.te
@@ -1,4 +1,4 @@
-policy_module(corecommands, 1.24.5)
+policy_module(corecommands, 1.24.6)
 
 
 #

diff --git a/policy/modules/kernel/filesystem.te 
b/policy/modules/kernel/filesystem.te
index 62c2a783..d564752f 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -1,4 +1,4 @@
-policy_module(filesystem, 1.23.1)
+policy_module(filesystem, 1.23.2)
 
 
 #

diff --git a/policy/modules/services/xserver.te 
b/policy/modules/services/xserver.te
index e5c5acad..c3380257 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,4 +1,4 @@
-policy_module(xserver, 3.14.4)
+policy_module(xserver, 3.14.5)
 
 gen_require(`
class x_drawable all_x_drawable_perms;

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index f495e386..4ef6d035 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 2.3.8)
+policy_module(init, 2.3.9)
 
 gen_require(`
class passwd rootok;

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 4f3ed091..5051b87c 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.4.5)
+policy_module(systemd, 1.4.6)
 
 #
 #

diff --git a/policy/modules/system/userdomain.te 
b/policy/modules/system/userdomain.te
index b348ccd0..0e8aa374 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,4 +1,4 @@
-policy_module(userdomain, 4.14.7)
+policy_module(userdomain, 4.14.8)
 
 
 #



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/, policy/modules/contrib/

2017-04-30 Thread Jason Zaman
commit: 248905080e2e9840c120f1bb12d589bbec3c89bb
Author: Jason Zaman  perfinion  com>
AuthorDate: Sun Apr 30 09:57:08 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Apr 30 14:17:45 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=24890508

Remove interfaces added upstream

 policy/modules/contrib/gnome.if | 29 -
 policy/modules/kernel/files.if  | 20 
 policy/modules/system/init.te   |  1 -
 3 files changed, 50 deletions(-)

diff --git a/policy/modules/contrib/gnome.if b/policy/modules/contrib/gnome.if
index ce436cfd..4fcc6905 100644
--- a/policy/modules/contrib/gnome.if
+++ b/policy/modules/contrib/gnome.if
@@ -124,12 +124,6 @@ template(`gnome_role_template',`
wm_dbus_chat($1, $1_gkeyringd_t)
')
')
-
-   ifdef(`distro_gentoo',`
-   optional_policy(`
-   gnome_dbus_chat_gconfd($3)
-   ')
-   ')
 ')
 
 
@@ -841,29 +835,6 @@ interface(`gnome_stream_connect_all_gkeyringd',`
stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, 
gkeyringd_domain)
 ')
 
-# From here Gentoo specific but cannot use ifdef distro_gentoo here
-
-#
-## 
-## Send and receive messages from the gconf daemon
-## over dbus.
-## 
-## 
-## 
-## Domain allowed access.
-## 
-## 
-#
-interface(`gnome_dbus_chat_gconfd',`
-   gen_require(`
-   type gconfd_t;
-   class dbus send_msg;
-   ')
-
-   allow $1 gconfd_t:dbus send_msg;
-   allow gconfd_t $1:dbus send_msg;
-')
-
 
 ## 
 ## Manage gstreamer ORC optimized

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index ef969a95..a74f7913 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -7232,26 +7232,6 @@ interface(`files_unconfined',`
 
 
 ## 
-## Create PID directories.
-## 
-## 
-## 
-## Domain allowed access.
-## 
-## 
-#
-interface(`files_create_pid_dirs',`
-   gen_require(`
-   type var_t, var_run_t;
-   ')
-
-   allow $1 var_t:dir search_dir_perms;
-   allow $1 var_run_t:lnk_file read_lnk_file_perms;
-   create_dirs_pattern($1, var_run_t, var_run_t)
-')
-
-
-## 
 ## Create, read, write, and delete symbolic links in
 ## /etc that are dynamically created on boot.
 ## 

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 5c6830f2..07238399 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1350,7 +1350,6 @@ ifdef(`distro_gentoo',`
# needs to chmod some devices in early boot
dev_setattr_generic_chr_files(initrc_t)
 
-   files_create_pid_dirs(initrc_t)
files_dontaudit_write_usr_dirs(initrc_t)
files_manage_generic_tmp_dirs(initrc_t)
files_manage_generic_tmp_files(initrc_t)



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/

2017-02-25 Thread Jason Zaman
commit: 5b8acde37136f75ce5a52f1b6a0604d3f35dacc7
Author: Chris PeBenito  ieee  org>
AuthorDate: Fri Feb 24 01:03:23 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Feb 25 14:22:23 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5b8acde3

Systemd fixes from Russell Coker.

 policy/modules/kernel/devices.if|  37 +
 policy/modules/kernel/devices.te|   6 +-
 policy/modules/kernel/files.if  | 127 +++
 policy/modules/kernel/files.te  |   6 +-
 policy/modules/system/authlogin.if  |   9 +
 policy/modules/system/authlogin.te  |   6 +-
 policy/modules/system/init.fc   |   2 +
 policy/modules/system/init.if   | 183 ++---
 policy/modules/system/init.te   | 317 +---
 policy/modules/system/logging.fc|   5 +-
 policy/modules/system/logging.if|  18 ++
 policy/modules/system/logging.te|  36 +++-
 policy/modules/system/lvm.if|  18 ++
 policy/modules/system/lvm.te|   2 +-
 policy/modules/system/miscfiles.te  |   6 +-
 policy/modules/system/systemd.fc|  11 +-
 policy/modules/system/systemd.if| 122 +-
 policy/modules/system/systemd.te|  49 +-
 policy/modules/system/udev.if   |  20 +++
 policy/modules/system/udev.te   |   2 +-
 policy/modules/system/unconfined.if |  19 +++
 policy/modules/system/unconfined.te |   2 +-
 policy/modules/system/userdomain.if |  71 
 policy/modules/system/userdomain.te |   2 +-
 24 files changed, 1011 insertions(+), 65 deletions(-)

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 08e2e8af..b51a25ac 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -154,6 +154,25 @@ interface(`dev_relabel_all_dev_nodes',`
 
 
 ## 
+## Allow full relabeling (to and from) of all device files.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+## 
+#
+interface(`dev_relabel_all_dev_files',`
+   gen_require(`
+   type device_t;
+   ')
+
+   relabel_files_pattern($1, device_t, device_t)
+')
+
+
+## 
 ## List all of the device nodes in a device directory.
 ## 
 ## 
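Review bot: The summary of `dev_relabel_all_dev_files` promises more than the body grants: `relabel_files_pattern($1, device_t, device_t)` acts on the `file` class only (refpolicy's `*_files_pattern` macros do not cover chr_file/blk_file) and on the single type device_t, not on every device type. Device nodes appear to be handled by the neighbouring `dev_relabel_all_dev_nodes`, whose body lies outside this hunk. I would reword the summary to `Relabel (to and from) regular files labeled device_t, e.g. non-device files created under /dev; device nodes are covered by dev_relabel_all_dev_nodes.` so callers do not pick this interface expecting device-node relabeling.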
@@ -4206,6 +4225,24 @@ interface(`dev_rw_sysfs',`
 
 
 ## 
+## Relabel hardware state directories.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`dev_relabel_sysfs_dirs',`
+   gen_require(`
+   type sysfs_t;
+   ')
+
+   relabel_dirs_pattern($1, sysfs_t, sysfs_t)
+')
+
+
+## 
 ## Relabel from/to all sysfs types.
 ## 
 ## 

diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 66bc754e..470f0f00 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,4 +1,4 @@
-policy_module(devices, 1.20.2)
+policy_module(devices, 1.20.3)
 
 
 #
@@ -22,6 +22,10 @@ files_associate_tmp(device_t)
 fs_xattr_type(device_t)
 fs_use_trans devtmpfs gen_context(system_u:object_r:device_t,s0);
 
+optional_policy(`
+   systemd_tmpfilesd_managed(device_t, fifo_file)
+')
+
 #
 # Type for /dev/agpgart
 #
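Review bot: `systemd_tmpfilesd_managed(device_t, fifo_file)` gives systemd-tmpfiles create/delete rights on FIFOs carrying device_t, the generic label of /dev itself, yet the new optional_policy block has no comment naming which tmpfiles.d entry needs it. I would add `# systemd-tmpfiles creates FIFOs under /dev (presumably tmpfiles.d pipe entries) - confirm which unit needs this` above the block, and keep the class list at fifo_file rather than widening it later without the same justification. The interface body is not visible here, so whether it also grants directory search on device_t is an assumption to verify against systemd.if.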

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 6babfb90..0d6fe3c5 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -6531,6 +6531,25 @@ interface(`files_dontaudit_ioctl_all_pids',`
 
 
 ## 
+## manage all pidfile directories
+## in the /var/run directory.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`files_manage_all_pid_dirs',`
+   gen_require(`
+   attribute pidfile;
+   ')
+
+   manage_dirs_pattern($1, pidfile, pidfile)
+')
+
+
+## 
 ## Read all process ID files.
 ## 
 ## 
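Review bot: `files_manage_all_pid_dirs` grants `manage_dirs_pattern($1, pidfile, pidfile)` but nothing that lets the caller reach those directories: there is no search on var_t and no read of the /var/run symlink, which the older Gentoo `files_create_pid_dirs` interface elsewhere on this page spelled out explicitly. A caller relying on this interface alone will still be denied traversing /var/run unless some other rule already grants it. I would add `files_search_pids($1)` before the manage pattern, or the equivalent `allow $1 var_t:dir search_dir_perms;` and `allow $1 var_run_t:lnk_file read_lnk_file_perms;` if that interface does not exist in this tree. The summary should also say the interface covers every type carrying the pidfile attribute, not only the /var/run directory.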
@@ -6553,6 +6572,42 @@ interface(`files_read_all_pids',`
 
 
 ## 
+## Execute generic programs in /var/run in the caller domain.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`files_exec_generic_pid_files',`
+   gen_require(`
+   type var_run_t;
+   ')
+
+   exec_files_pattern($1, var_run_t, var_run_t)
+')
+
+
+## 
+## Relable all pid files
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`files_relabel_all_pid_files',`
+   gen_require(`
+   attribute pidfile;
+   ')
+
+   relabel_files_pattern($1, pidfile, pidfile)
+')
+
+
+## 
 ## Delete all process IDs.
 ## 
 ## 
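Review bot: `files_exec_generic_pid_files` lets the caller execute anything labeled var_run_t in its own domain via `exec_files_pattern($1, var_run_t, var_run_t)`; since var_run_t is the generic runtime-directory label, any file dropped under /var/run with the default label becomes executable, with no domain transition, for every domain that calls this interface. The summary should carry that warning so callers justify it, e.g. `## Execute generic programs in /var/run in the caller domain. This is broad: every var_run_t file becomes executable by the caller, so prefer a dedicated type and a domain transition where possible.` Separately, the summary of `files_relabel_all_pid_files` reads `Relable all pid files`; it should be `Relabel all pid files`.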
@@ -6579,6 +6634,78 @@ interface(`files_delete_all_pids',`
 
 
 ## 
+## Create all 

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/, policy/modules/services/

2017-02-17 Thread Jason Zaman
commit: 047cdd145b3f30c17182c16be7357559e8c24b1f
Author: Chris PeBenito  ieee  org>
AuthorDate: Tue Feb  7 23:51:58 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Fri Feb 17 08:04:15 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=047cdd14

usrmerge FC fixes from Russell Coker.

 policy/modules/kernel/corecommands.fc |  3 ++-
 policy/modules/kernel/corecommands.te |  2 +-
 policy/modules/services/xserver.fc| 12 
 policy/modules/services/xserver.te|  2 +-
 policy/modules/system/sysnetwork.fc   |  1 +
 policy/modules/system/sysnetwork.te   |  2 +-
 6 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/policy/modules/kernel/corecommands.fc 
b/policy/modules/kernel/corecommands.fc
index d8c7389c..7c1ae574 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -251,7 +251,7 @@ ifdef(`distro_gentoo',`
 
 /usr/libexec/openssh/sftp-server --gen_context(system_u:object_r:bin_t,s0)
 
-/usr/local/bin(/.*)?   gen_context(system_u:object_r:bin_t,s0)
+/usr/local/(.*/)?bin(/.*)? 
gen_context(system_u:object_r:bin_t,s0)
 /usr/local/sbin(/.*)?  gen_context(system_u:object_r:bin_t,s0)
 /usr/local/Brother(/.*)?   gen_context(system_u:object_r:bin_t,s0)
 /usr/local/Printer(/.*)?   gen_context(system_u:object_r:bin_t,s0)
@@ -265,6 +265,7 @@ ifdef(`distro_gentoo',`
 /usr/sbin/sesh --  
gen_context(system_u:object_r:shell_exec_t,s0)
 /usr/sbin/smrsh--  
gen_context(system_u:object_r:shell_exec_t,s0)
 
+/usr/share/(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/share/ajaxterm/ajaxterm.py.* --   gen_context(system_u:object_r:bin_t,s0)
 /usr/share/ajaxterm/qweb.py.* --   gen_context(system_u:object_r:bin_t,s0)
 /usr/share/apr-0/build/[^/]+\.sh --gen_context(system_u:object_r:bin_t,s0)
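Review bot: `/usr/share/(.*/)?bin(/.*)?` labels any path with a `bin` component at any depth below /usr/share as bin_t, including a plain file named `bin` (the trailing `(/.*)?` is optional and the entry has no file-type field), which is considerably wider than the `/usr/local/(.*/)?bin(/.*)?` change in the first hunk because /usr/share mostly holds package data. That is presumably intentional for per-package `<pkg>/bin` directories, but a comment should say so: `# executables shipped in per-package bin/ subdirectories, e.g. /usr/share/<pkg>/bin`. The more specific entries that follow, such as `/usr/share/ajaxterm/ajaxterm.py.*`, should still take precedence on their longer literal prefix, so they look unaffected.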

diff --git a/policy/modules/kernel/corecommands.te 
b/policy/modules/kernel/corecommands.te
index ca4e75f1..a9535774 100644
--- a/policy/modules/kernel/corecommands.te
+++ b/policy/modules/kernel/corecommands.te
@@ -1,4 +1,4 @@
-policy_module(corecommands, 1.23.1)
+policy_module(corecommands, 1.23.2)
 
 
 #

diff --git a/policy/modules/services/xserver.fc 
b/policy/modules/services/xserver.fc
index 40b214a1..f9f541d4 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -62,10 +62,10 @@ HOME_DIR/\.Xauthority.* --  
gen_context(system_u:object_r:xauth_home_t,s0)
 # /usr
 #
 
-/usr/s?bin/gdm(3)? --  gen_context(system_u:object_r:xdm_exec_t,s0)
-/usr/s?bin/gdm-binary  --  gen_context(system_u:object_r:xdm_exec_t,s0)
-/usr/s?bin/lxdm(-binary)? --   gen_context(system_u:object_r:xdm_exec_t,s0)
-/usr/s?bin/[xkw]dm --  gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/bin/gdm(3)?   --  gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/bin/gdm-binary--  gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/bin/lxdm(-binary)? -- gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/bin/[xkw]dm   --  gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/gpe-dm--  
gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/iceauth   --  gen_context(system_u:object_r:iceauth_exec_t,s0)
 /usr/bin/slim  --  gen_context(system_u:object_r:xdm_exec_t,s0)
@@ -80,7 +80,11 @@ HOME_DIR/\.Xauthority.*  --  
gen_context(system_u:object_r:xauth_home_t,s0)
 /usr/lib/xorg-server/Xorg\.wrap--  
gen_context(system_u:object_r:xserver_exec_t,s0)
 /usr/lib/X11/xdm/Xsession  --  
gen_context(system_u:object_r:xsession_exec_t,s0)
 
+/usr/sbin/[xkw]dm  --  gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/sbin/gdm(3)?  --  gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/sbin/gdm-binary   --  gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/sbin/lightdm  --  gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/sbin/lxdm(-binary)? --gen_context(system_u:object_r:xdm_exec_t,s0)
 
 # xserver default configure bug: not FHS-compliant because not read-only !
 /usr/share/X11/xkb(/.*)?   gen_context(system_u:object_r:xkb_var_lib_t,s0)

diff --git a/policy/modules/services/xserver.te 
b/policy/modules/services/xserver.te
index c622abf9..9c1a0276 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,4 +1,4 @@
-policy_module(xserver, 3.13.0)
+policy_module(xserver, 3.13.1)
 
 gen_require(`
class x_drawable all_x_drawable_perms;

diff --git a/policy/modules/system/sysnetwork.fc 
b/policy/modules/system/sysnetwork.fc
index a2329a85..e887076b 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
@@ -38,6 +38,7 @@ ifdef(`distro_redhat',`
 
 /usr/sbin/dhclient.*   --  

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/

2017-01-13 Thread Sven Vermeulen
commit: 2ee8cb27e92a136ad809c275920cc2a4fcdb5f5d
Author: Chris PeBenito  ieee  org>
AuthorDate: Tue Jan 10 01:34:15 2017 +
Commit: Sven Vermeulen  gentoo  org>
CommitDate: Fri Jan 13 18:39:40 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2ee8cb27

Module version bumps for patches from cgzones.

 policy/modules/kernel/corenetwork.te.in | 2 +-
 policy/modules/kernel/files.te  | 2 +-
 policy/modules/kernel/terminal.te   | 2 +-
 policy/modules/system/logging.te| 2 +-
 policy/modules/system/mount.te  | 2 +-
 policy/modules/system/unconfined.te | 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/policy/modules/kernel/corenetwork.te.in 
b/policy/modules/kernel/corenetwork.te.in
index 6e0ac9d..771064a 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -1,4 +1,4 @@
-policy_module(corenetwork, 1.22.1)
+policy_module(corenetwork, 1.22.2)
 
 
 #

diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 484c7c8..306b969 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -1,4 +1,4 @@
-policy_module(files, 1.22.3)
+policy_module(files, 1.22.4)
 
 
 #

diff --git a/policy/modules/kernel/terminal.te 
b/policy/modules/kernel/terminal.te
index ac68855..4c6c38d 100644
--- a/policy/modules/kernel/terminal.te
+++ b/policy/modules/kernel/terminal.te
@@ -1,4 +1,4 @@
-policy_module(terminal, 1.15.2)
+policy_module(terminal, 1.15.3)
 
 
 #

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 5443405..20fcd39 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -1,4 +1,4 @@
-policy_module(logging, 1.24.3)
+policy_module(logging, 1.24.4)
 
 
 #

diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 4bfb93b..1700ba0 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -1,4 +1,4 @@
-policy_module(mount, 1.18.2)
+policy_module(mount, 1.18.3)
 
 
 #

diff --git a/policy/modules/system/unconfined.te 
b/policy/modules/system/unconfined.te
index 7e942fc..0e06659 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -1,4 +1,4 @@
-policy_module(unconfined, 3.8.1)
+policy_module(unconfined, 3.8.2)
 
 
 #



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/, policy/modules/services/

2017-01-01 Thread Jason Zaman
commit: a3346de8032c55b8f109d4649cc1331e6e415dee
Author: Chris PeBenito  ieee  org>
AuthorDate: Thu Dec 22 20:54:46 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Jan  1 16:26:28 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a3346de8

Module version bumps for /run fc changes from cgzones.

 policy/modules/kernel/files.te| 2 +-
 policy/modules/kernel/filesystem.te   | 2 +-
 policy/modules/services/postgresql.te | 2 +-
 policy/modules/services/ssh.te| 2 +-
 policy/modules/services/xserver.te| 2 +-
 policy/modules/system/authlogin.te| 2 +-
 policy/modules/system/fstools.te  | 2 +-
 policy/modules/system/getty.te| 2 +-
 policy/modules/system/hotplug.te  | 2 +-
 policy/modules/system/init.te | 2 +-
 policy/modules/system/ipsec.te| 2 +-
 policy/modules/system/iptables.te | 2 +-
 policy/modules/system/logging.te  | 2 +-
 policy/modules/system/lvm.te  | 2 +-
 policy/modules/system/modutils.te | 2 +-
 policy/modules/system/mount.te| 2 +-
 policy/modules/system/selinuxutil.te  | 2 +-
 policy/modules/system/setrans.te  | 2 +-
 policy/modules/system/sysnetwork.te   | 2 +-
 policy/modules/system/systemd.te  | 2 +-
 policy/modules/system/udev.te | 2 +-
 policy/modules/system/userdomain.te   | 2 +-
 22 files changed, 22 insertions(+), 22 deletions(-)

diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index e004c90..1e58d9e 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -1,4 +1,4 @@
-policy_module(files, 1.22.0)
+policy_module(files, 1.22.1)
 
 
 #

diff --git a/policy/modules/kernel/filesystem.te 
b/policy/modules/kernel/filesystem.te
index 2e49c03..76f295d 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -1,4 +1,4 @@
-policy_module(filesystem, 1.21.1)
+policy_module(filesystem, 1.21.2)
 
 
 #

diff --git a/policy/modules/services/postgresql.te 
b/policy/modules/services/postgresql.te
index 627983d..9f29980 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -1,4 +1,4 @@
-policy_module(postgresql, 1.18.0)
+policy_module(postgresql, 1.18.1)
 
 gen_require(`
class db_database all_db_database_perms;

diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 68d945a..89db98c 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -1,4 +1,4 @@
-policy_module(ssh, 2.8.0)
+policy_module(ssh, 2.8.1)
 
 
 #

diff --git a/policy/modules/services/xserver.te 
b/policy/modules/services/xserver.te
index ac86b84..ba96a78 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,4 +1,4 @@
-policy_module(xserver, 3.12.5)
+policy_module(xserver, 3.12.6)
 
 gen_require(`
class x_drawable all_x_drawable_perms;

diff --git a/policy/modules/system/authlogin.te 
b/policy/modules/system/authlogin.te
index d0b9457..3f88d37 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -1,4 +1,4 @@
-policy_module(authlogin, 2.9.0)
+policy_module(authlogin, 2.9.1)
 
 
 #

diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index 69eaf37..84a5032 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -1,4 +1,4 @@
-policy_module(fstools, 1.19.0)
+policy_module(fstools, 1.19.1)
 
 
 #

diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
index b2358ba..38c76d1 100644
--- a/policy/modules/system/getty.te
+++ b/policy/modules/system/getty.te
@@ -1,4 +1,4 @@
-policy_module(getty, 1.11.1)
+policy_module(getty, 1.11.2)
 
 
 #

diff --git a/policy/modules/system/hotplug.te b/policy/modules/system/hotplug.te
index 856ddff..efd92fb 100644
--- a/policy/modules/system/hotplug.te
+++ b/policy/modules/system/hotplug.te
@@ -1,4 +1,4 @@
-policy_module(hotplug, 1.17.0)
+policy_module(hotplug, 1.17.1)
 
 
 #

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index a5a1610..766e037 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 2.1.0)
+policy_module(init, 2.1.1)
 
 gen_require(`
class passwd rootok;

diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index 0815149..df8a123 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -1,4 +1,4 @@
-policy_module(ipsec, 1.16.0)
+policy_module(ipsec, 1.16.1)
 
 
 #

diff --git a/policy/modules/system/iptables.te 

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/

2017-01-01 Thread Jason Zaman
commit: 88b49ecb49e30198138612cead9beec8eab2acbc
Author: Chris PeBenito  ieee  org>
AuthorDate: Tue Dec 27 15:56:39 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Jan  1 16:26:28 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=88b49ecb

Module version bump for systemd patch from Nicolas Iooss.

 policy/modules/kernel/filesystem.te | 2 +-
 policy/modules/kernel/kernel.te | 2 +-
 policy/modules/system/systemd.te| 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/policy/modules/kernel/filesystem.te 
b/policy/modules/kernel/filesystem.te
index a9c97ef..0471647 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -1,4 +1,4 @@
-policy_module(filesystem, 1.21.3)
+policy_module(filesystem, 1.21.4)
 
 
 #

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 45626b7..c6531a2 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -1,4 +1,4 @@
-policy_module(kernel, 1.21.3)
+policy_module(kernel, 1.21.4)
 
 
 #

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index cf22ba8..c93fc90 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.2.1)
+policy_module(systemd, 1.2.2)
 
 #
 #



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/

2016-12-06 Thread Jason Zaman
commit: 7ac4b728b69e7ed058c3c1b51f7a23863c755168
Author: Guido Trentalancia via refpolicy  oss  tresys 
 com>
AuthorDate: Sat Oct 29 15:39:46 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Nov 27 16:04:59 2016 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7ac4b728

Let users read/manage symlinks on fs that do not support xattr

Let unprivileged and administrative users read symbolic links on
filesystems that do not support extended attributes (xattr) such
as cdroms, FAT, NTFS and so on.

Signed-off-by: Guido Trentalancia  trentalancia.net>

 policy/modules/kernel/filesystem.if | 18 ++
 policy/modules/system/userdomain.if |  4 +++-
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/policy/modules/kernel/filesystem.if 
b/policy/modules/kernel/filesystem.if
index 11fff8d..5de3a44 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -1257,6 +1257,24 @@ interface(`fs_read_noxattr_fs_symlinks',`
 
 
 ## 
+## Manage all noxattrfs symbolic links.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`fs_manage_noxattr_fs_symlinks',`
+   gen_require(`
+   attribute noxattrfs;
+   ')
+
+   manage_lnk_files_pattern($1, noxattrfs, noxattrfs)
+')
+
+
+## 
 ## Relabel all objets from filesystems that
 ## do not support extended attributes.
 ## 
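Review bot: The new interface's summary, `Manage all noxattrfs symbolic links.`, does not say what `noxattrfs` stands for, so a caller reading only the interface doc cannot see that this grants create, unlink and rename on symlinks on every mounted filesystem that cannot carry SELinux labels (the commit message names cdroms, FAT and NTFS). The relabel interface right below already uses that wording; mirroring it would make the scope explicit: `## Manage all symbolic links on filesystems that do not support extended attributes (noxattrfs).` Adding a one-line pointer that the file and directory counterparts are `fs_manage_noxattr_fs_files` and `fs_manage_noxattr_fs_dirs` would also help callers pick the right granularity.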

diff --git a/policy/modules/system/userdomain.if 
b/policy/modules/system/userdomain.if
index c4bef2b..e933890 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -609,10 +609,12 @@ template(`userdom_common_user_template',`
')
 
tunable_policy(`user_rw_noexattrfile',`
-   fs_manage_noxattr_fs_files($1_t)
fs_manage_noxattr_fs_dirs($1_t)
+   fs_manage_noxattr_fs_files($1_t)
+   fs_manage_noxattr_fs_symlinks($1_t)
',`
fs_read_noxattr_fs_files($1_t)
+   fs_read_noxattr_fs_symlinks($1_t)
')
 
tunable_policy(`user_ttyfile_stat',`
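Review bot: With `fs_manage_noxattr_fs_symlinks($1_t)` inside the `user_rw_noexattrfile` branch, that tunable now also governs creating and deleting symlinks on noxattr filesystems, but its tunable description is declared outside this hunk and presumably still speaks of files only. Update it alongside this change, e.g. `## Allow users to read, write and manage files, directories and symbolic links on filesystems that do not support extended attributes`, so that an administrator toggling the boolean sees the full effect. The enclosing `userdom_common_user_template` starts before this hunk.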



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/

2016-12-06 Thread Jason Zaman
commit: 979cd96bf6b028a2d41af72a94d9e86c5d0b50d3
Author: Chris PeBenito  ieee  org>
AuthorDate: Sun Oct 30 18:31:50 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Nov 27 16:05:00 2016 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=979cd96b

Module version bumps for patches from Guido Trentalancia.

 policy/modules/kernel/filesystem.te |  2 +-
 policy/modules/kernel/kernel.te |  2 +-
 policy/modules/kernel/terminal.te   |  2 +-
 policy/modules/system/modutils.te   | 10 +++---
 policy/modules/system/userdomain.te |  2 +-
 5 files changed, 7 insertions(+), 11 deletions(-)

diff --git a/policy/modules/kernel/filesystem.te 
b/policy/modules/kernel/filesystem.te
index 12e4814..2e49c03 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -1,4 +1,4 @@
-policy_module(filesystem, 1.21.0)
+policy_module(filesystem, 1.21.1)
 
 
 #

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 811494f..20b922c 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -1,4 +1,4 @@
-policy_module(kernel, 1.21.0)
+policy_module(kernel, 1.21.1)
 
 
 #

diff --git a/policy/modules/kernel/terminal.te 
b/policy/modules/kernel/terminal.te
index 30eb14e..63f43f7 100644
--- a/policy/modules/kernel/terminal.te
+++ b/policy/modules/kernel/terminal.te
@@ -1,4 +1,4 @@
-policy_module(terminal, 1.15.0)
+policy_module(terminal, 1.15.1)
 
 
 #

diff --git a/policy/modules/system/modutils.te 
b/policy/modules/system/modutils.te
index 3b95f98..3bf9bff 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -1,16 +1,12 @@
-policy_module(modutils, 1.16.0)
+policy_module(modutils, 1.16.1)
 
 
 #
 # Declarations
 #
 
-type kmod_t;
-typealias kmod_t alias { insmod_t depmod_t update_modules_t };
-
-type kmod_exec_t;
-typealias kmod_exec_t alias { insmod_exec_t depmod_exec_t 
update_modules_exec_t };
-
+type kmod_t alias { insmod_t depmod_t update_modules_t };
+type kmod_exec_t alias { insmod_exec_t depmod_exec_t update_modules_exec_t };
 application_domain(kmod_t, kmod_exec_t)
 mls_file_write_all_levels(kmod_t)
 role system_r types kmod_t;
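Review bot: The collapse of the separate `typealias` statements into `type kmod_t alias { ... }` and `type kmod_exec_t alias { ... }` is functionally equivalent, but it is a policy-source refactor bundled into a commit whose message announces only module version bumps; a reviewer scanning version-bump commits for policy changes will miss it. A line in the commit message such as `modutils: fold typealias declarations into the type statements` would surface it. Dropping the blank line before `application_domain(kmod_t, kmod_exec_t)` also departs from the declarations layout used by the other modules in this series.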

diff --git a/policy/modules/system/userdomain.te 
b/policy/modules/system/userdomain.te
index d147a56..67678c6 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,4 +1,4 @@
-policy_module(userdomain, 4.12.0)
+policy_module(userdomain, 4.12.1)
 
 
 #



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/

2016-05-12 Thread Jason Zaman
commit: 7722827868d5bbedbfb4368816351e4e4c7a5868
Author: Chris PeBenito  tresys  com>
AuthorDate: Thu Mar 31 12:32:18 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Fri May 13 05:07:33 2016 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=77228278

Module version bump for patches from Dominick Grift and Lukas Vrabec.

 policy/modules/kernel/filesystem.te | 2 +-
 policy/modules/system/systemd.te| 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/kernel/filesystem.te 
b/policy/modules/kernel/filesystem.te
index 86d59bf..b45c28e 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -1,4 +1,4 @@
-policy_module(filesystem, 1.20.4)
+policy_module(filesystem, 1.20.5)
 
 
 #

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 6d40952..0bed23c 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.1.3)
+policy_module(systemd, 1.1.4)
 
 #
 #



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/

2016-02-11 Thread Jason Zaman
commit: 812ae731d5b03900c178c14c2807ffd5ccff2dbc
Author: Chris PeBenito  tresys  com>
AuthorDate: Wed Feb  3 13:49:39 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Fri Feb 12 03:15:07 2016 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=812ae731

Module version bump for efivarfs patches from Dan Walsh, Vit Mojzis, and 
Laurent Bigonville

 policy/modules/kernel/filesystem.te | 2 +-
 policy/modules/system/systemd.te| 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/kernel/filesystem.te 
b/policy/modules/kernel/filesystem.te
index 62d7c58..8de310b 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -1,4 +1,4 @@
-policy_module(filesystem, 1.20.3)
+policy_module(filesystem, 1.20.4)
 
 
 #

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 5565fd3..60a75fa 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.1.2)
+policy_module(systemd, 1.1.3)
 
 #
 #



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/

2016-01-30 Thread Jason Zaman
commit: 3fdae66e37713cc8633303fdd3f09032b422b095
Author: Nicolas Iooss  m4x  org>
AuthorDate: Mon Jan 11 18:14:55 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Jan 30 17:16:56 2016 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3fdae66e

Allow systemd services to use PrivateNetwork feature

systemd creates a new network namespace for services which are using
PrivateNetwork=yes.

In the implementation, systemd uses a socketpair as a storage buffer for
the namespace reference file descriptor (cf.
https://github.com/systemd/systemd/blob/v228/src/core/namespace.c#L660).
One end of this socketpair is locked (hence the need of "lock" access to
self:unix_dgram_socket for init_t) while systemd opens
/proc/self/ns/net, which lives in nsfs.

While at it, add filesystem_type attribute to nsfs_t.

 policy/modules/kernel/filesystem.if | 17 +
 policy/modules/kernel/filesystem.te |  1 +
 policy/modules/system/init.te   |  3 +++
 3 files changed, 21 insertions(+)

diff --git a/policy/modules/kernel/filesystem.if 
b/policy/modules/kernel/filesystem.if
index 0db8233..b9b30da 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -3360,6 +3360,23 @@ interface(`fs_rw_nfsd_fs',`
 
 
 ## 
+## Read nsfs inodes (e.g. /proc/pid/ns/uts)
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`fs_read_nsfs_files',`
+   gen_require(`
+   type nsfs_t;
+   ')
+
+   allow $1 nsfs_t:file read_file_perms;
+')
+
+## 
 ## Getattr on pstore dirs.
 ## 
 ## 
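Review bot: The summary `Read nsfs inodes (e.g. /proc/pid/ns/uts)` names the object but not why a domain needs it: opening an nsfs file is how a process obtains a namespace reference descriptor, which is the access being granted here (the commit message gives systemd's PrivateNetwork= socketpair as the motivating case). Stating that, and that the interface is deliberately limited to `read_file_perms` on the `file` class with no write or mount permission, tells callers and auditors what they are handing out. Suggested summary: `## Read namespace reference files on nsfs (e.g. /proc/pid/ns/net), as needed to obtain a namespace file descriptor.`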

diff --git a/policy/modules/kernel/filesystem.te 
b/policy/modules/kernel/filesystem.te
index 89de79d..04ea6b6 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -127,6 +127,7 @@ fs_type(nfsd_fs_t)
 genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0)
 
 type nsfs_t;
+fs_type(nsfs_t)
 genfscon nsfs / gen_context(system_u:object_r:nsfs_t,s0)
 
 type oprofilefs_t;
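Review bot: `fs_type(nsfs_t)` places nsfs_t in the `filesystem_type` attribute, so every existing rule written against that attribute (for example `fs_getattr_all_fs`) now also applies to nsfs; the commit message mentions adding the attribute but not this widening of existing grants. A comment on the new line would make the effect visible to later readers, e.g. `# filesystem_type: nsfs is now covered by the generic all-filesystems interfaces`.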

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index a7fa7c0..4006e4f 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -199,6 +199,7 @@ ifdef(`init_systemd',`
allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
allow init_t self:netlink_route_socket create_netlink_socket_perms;
allow init_t self:netlink_selinux_socket create_socket_perms;
+   allow init_t self:unix_dgram_socket lock;
 
manage_files_pattern(init_t, init_var_run_t, init_var_run_t)
manage_lnk_files_pattern(init_t, init_var_run_t, init_var_run_t)
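Review bot: `allow init_t self:unix_dgram_socket lock;` is the only new rule in this commit without a comment, while the sibling hunk below annotates its rule with `# for network namespaces`; the reason for the lock permission (systemd locking one end of the socketpair that holds the netns descriptor) lives only in the commit message. Suggest `# PrivateNetwork=: one end of the socketpair holding the netns fd is locked` above the line. The enclosing `ifdef(init_systemd)` block starts before this hunk.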
@@ -260,6 +261,8 @@ ifdef(`init_systemd',`
# mount-setup
fs_unmount_autofs(init_t)
fs_getattr_pstore_dirs(init_t)
+   # for network namespaces
+   fs_read_nsfs_files(init_t)
 
# systemd_socket_activated policy
mls_socket_write_all_levels(init_t)



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/

2016-01-30 Thread Jason Zaman
commit: d29f9c0dde403f826f376b43cf477439586f6091
Author: Chris PeBenito  tresys  com>
AuthorDate: Mon Jan 11 18:26:55 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Jan 30 17:16:56 2016 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d29f9c0d

Module version bump for systemd PrivateNetwork patch from Nicolas Iooss

 policy/modules/kernel/filesystem.te | 2 +-
 policy/modules/system/init.te   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/kernel/filesystem.te 
b/policy/modules/kernel/filesystem.te
index 04ea6b6..6ee0996 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -1,4 +1,4 @@
-policy_module(filesystem, 1.20.1)
+policy_module(filesystem, 1.20.2)
 
 
 #

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 4006e4f..0aafb44 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 2.0.0)
+policy_module(init, 2.0.1)
 
 gen_require(`
class passwd rootok;



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/

2015-12-17 Thread Jason Zaman
commit: b0cfc980dcefdffcdcf2929394278e3ea983a88c
Author: Jason Zaman  perfinion  com>
AuthorDate: Thu Dec 17 18:38:24 2015 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Fri Dec 18 04:12:51 2015 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b0cfc980

Add permissions for ZFS list and send/recv

zfs list uses a pipe to get info from the kernel

avc:  granted  { write } for  pid=31602 comm="dump_list_strat" 
path="pipe:[4471132]" dev="pipefs" ino=4471132 
scontext=system_u:system_r:kernel_t:s0 
tcontext=staff_u:sysadm_r:mount_t:s0-s0:c0.c511 tclass=fifo_file
avc:  granted  { read } for pid=31601 comm="zfs" path="pipe:[4471132]" 
dev="pipefs" ino=4471132 scontext=staff_u:sysadm_r:mount_t:s0-s0:c0.c511 
tcontext=staff_u:sysadm_r:mount_t:s0-s0:c0.c511 tclass=fifo_file

zfs send / recv is usually piped somewhere by sysadm
zfs send tank@snap | ssh foo tank@snap

 policy/modules/kernel/kernel.te | 9 +
 policy/modules/system/mount.te  | 3 +++
 2 files changed, 12 insertions(+)

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 4ac22e0..f1016a3 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -461,4 +461,13 @@ ifdef(`distro_gentoo',`
# See also bug 535992
#dev_manage_all_dev_nodes(kernel_t)
dev_setattr_generic_chr_files(kernel_t)
+
+   # ZFS send/recv writes to an fd
+   optional_policy(`
+   sysadm_use_fds(kernel_t)
+   ')
+   # zfs list writes to a pipe
+   optional_policy(`
+   mount_rw_pipes(kernel_t)
+   ')
 ')
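Review bot: `sysadm_use_fds(kernel_t)` lets the kernel domain use any file descriptor inherited from sysadm, not only the one a `zfs send`/`zfs recv` pipeline writes to; the comment `# ZFS send/recv writes to an fd` names the motivating case but not that breadth. Since the rule is unconditional inside the `distro_gentoo` block rather than behind a tunable, the comment should state the scope so the grant is not narrowed by mistake later: `# ZFS send/recv: kernel threads write to the fd sysadm passes in; this grants use of all sysadm-owned fds`. The enclosing `ifdef(distro_gentoo)` block starts before this hunk.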

diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 497fa59..920abc7 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -42,6 +42,9 @@ application_domain(unconfined_mount_t, mount_exec_t)
 
 # setuid/setgid needed to mount cifs
 allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override 
chown sys_tty_config setuid setgid };
+allow mount_t self:process signal;
+# zfs list uses pipes
+allow mount_t self:fifo_file rw_fifo_file_perms;
 
 mount_read_loopback_files(mount_t)
 



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/

2015-10-13 Thread Jason Zaman
commit: fcafb3c5c807a5731ef1dca2f82dd6eae31fd76a
Author: Chris PeBenito  tresys  com>
AuthorDate: Mon Oct 12 13:31:18 2015 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Tue Oct 13 14:21:41 2015 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fcafb3c5

Module version bump for patches from Jason Zaman/Matthias Dahl.

 policy/modules/kernel/filesystem.te | 2 +-
 policy/modules/system/ipsec.te  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/kernel/filesystem.te 
b/policy/modules/kernel/filesystem.te
index aba6d88..3c2224e 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -1,4 +1,4 @@
-policy_module(filesystem, 1.19.0)
+policy_module(filesystem, 1.19.1)
 
 
 #

diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index b9cfcc3..02fad03 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -1,4 +1,4 @@
-policy_module(ipsec, 1.15.1)
+policy_module(ipsec, 1.15.2)
 
 
 #



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/, policy/modules/admin/, ...

2014-12-03 Thread Jason Zaman
commit: 22cac17f8861bb8095fa59015b6a9b34e682d95a
Author: Chris PeBenito cpebenito AT tresys DOT com
AuthorDate: Tue Dec  2 15:29:59 2014 +
Commit: Jason Zaman gentoo AT perfinion DOT com
CommitDate: Tue Dec  2 21:09:09 2014 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=22cac17f

Module version bump for misc fixes from Sven Vermeulen.

---
 policy/modules/admin/bootloader.te| 2 +-
 policy/modules/admin/sudo.te  | 2 +-
 policy/modules/kernel/corecommands.te | 2 +-
 policy/modules/kernel/filesystem.te   | 2 +-
 policy/modules/services/xserver.te| 2 +-
 policy/modules/system/authlogin.te| 2 +-
 policy/modules/system/fstools.te  | 2 +-
 policy/modules/system/ipsec.te| 2 +-
 8 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/policy/modules/admin/bootloader.te 
b/policy/modules/admin/bootloader.te
index 4b837a8..8c65dd8 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -1,4 +1,4 @@
-policy_module(bootloader, 1.15.0)
+policy_module(bootloader, 1.15.1)
 
 
 #

diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te
index d9fce57..91cb186 100644
--- a/policy/modules/admin/sudo.te
+++ b/policy/modules/admin/sudo.te
@@ -1,4 +1,4 @@
-policy_module(sudo, 1.10.0)
+policy_module(sudo, 1.10.1)
 
 
 #

diff --git a/policy/modules/kernel/corecommands.te 
b/policy/modules/kernel/corecommands.te
index 873031e..08c52ba 100644
--- a/policy/modules/kernel/corecommands.te
+++ b/policy/modules/kernel/corecommands.te
@@ -1,4 +1,4 @@
-policy_module(corecommands, 1.19.4)
+policy_module(corecommands, 1.19.5)
 
 
 #

diff --git a/policy/modules/kernel/filesystem.te 
b/policy/modules/kernel/filesystem.te
index fd1e7fe..a4a68fd 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -1,4 +1,4 @@
-policy_module(filesystem, 1.18.3)
+policy_module(filesystem, 1.18.4)
 
 
 #

diff --git a/policy/modules/services/xserver.te 
b/policy/modules/services/xserver.te
index ee3773d..1680525 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,4 +1,4 @@
-policy_module(xserver, 3.10.3)
+policy_module(xserver, 3.10.4)
 
 gen_require(`
class x_drawable all_x_drawable_perms;

diff --git a/policy/modules/system/authlogin.te 
b/policy/modules/system/authlogin.te
index 984fe54..edd505a 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -1,4 +1,4 @@
-policy_module(authlogin, 2.6.0)
+policy_module(authlogin, 2.6.1)
 
 
 #

diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index b0475ea..1fc71aa 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -1,4 +1,4 @@
-policy_module(fstools, 1.17.2)
+policy_module(fstools, 1.17.3)
 
 
 #

diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index 15d7caf..a06dabc 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -1,4 +1,4 @@
-policy_module(ipsec, 1.14.0)
+policy_module(ipsec, 1.14.1)
 
 
 #