[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/, policy/modules/services/
commit: 1d66af88aa2d390ac5783557e8d04289d16bc612 Author: Russell Coker coker com au> AuthorDate: Mon Sep 25 15:46:04 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Oct 6 15:30:09 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1d66af88 small storage changes (#706) * Changes to storage.fc, smartmon, samba and lvm Signed-off-by: Russell Coker coker.com.au> * Add the interfaces this patch needs Signed-off-by: Russell Coker coker.com.au> * use manage_sock_file_perms for sock_file Signed-off-by: Russell Coker coker.com.au> * Renamed files_watch_all_file_type_dir to files_watch_all_dirs Signed-off-by: Russell Coker coker.com.au> * Use read_files_pattern Signed-off-by: Russell Coker coker.com.au> - Signed-off-by: Russell Coker coker.com.au> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/kernel/files.if | 19 +++ policy/modules/kernel/storage.fc| 1 + policy/modules/services/samba.te| 11 ++- policy/modules/services/smartmon.if | 20 policy/modules/services/smartmon.te | 2 +- policy/modules/system/lvm.te| 1 + policy/modules/system/userdomain.if | 18 ++ 7 files changed, 70 insertions(+), 2 deletions(-) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index d8874ace2..a1113ff7c 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -1426,6 +1426,25 @@ interface(`files_unmount_all_file_type_fs',` allow $1 file_type:filesystem unmount; ') + +## +## watch all directories of file_type +## +## +## +## Domain allowed access. +## +## +# +interface(`files_watch_all_dirs',` + gen_require(` + attribute file_type; + ') + + allow $1 file_type:dir watch; +') + + ## ## Read all non-authentication related diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc index 3033ac4de..9cd280c25 100644 --- a/policy/modules/kernel/storage.fc +++ b/policy/modules/kernel/storage.fc 
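Review bot: `files_watch_all_dirs` allows `watch` on every directory type carrying the `file_type` attribute, with no exclusion for authentication-related types, and its summary does not say so. The samba.te hunks later in this commit call it from `samba_export_all_ro` and `samba_export_all_rw`, next to `files_list_non_auth_dirs` and `files_manage_non_auth_files`, so smbd_t is granted watch on directories outside the non-auth set those tunables otherwise keep to. Consider a variant restricted to non-authentication types for those two tunables, or at least state the scope in the summary, e.g. `## Watch all directories, including those of authentication-related types.`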
@@ -29,6 +29,7 @@ /dev/lvm -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) /dev/mcdx? -b gen_context(system_u:object_r:removable_device_t,s0) /dev/megadev.* -c gen_context(system_u:object_r:removable_device_t,s0) +/dev/megaraid.*-c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) /dev/mmcblk.* -b gen_context(system_u:object_r:removable_device_t,s0) /dev/mmcblk.* -c gen_context(system_u:object_r:removable_device_t,s0) /dev/mspblk.* -b gen_context(system_u:object_r:removable_device_t,s0) diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te index 8ec3a1c62..f78d316cc 100644 --- a/policy/modules/services/samba.te +++ b/policy/modules/services/samba.te @@ -408,11 +408,13 @@ tunable_policy(`samba_create_home_dirs',` ') tunable_policy(`samba_enable_home_dirs',` + files_watch_home(smbd_t) userdom_manage_user_home_content_dirs(smbd_t) userdom_manage_user_home_content_files(smbd_t) userdom_manage_user_home_content_symlinks(smbd_t) userdom_manage_user_home_content_sockets(smbd_t) userdom_manage_user_home_content_pipes(smbd_t) + userdom_watch_user_home_dirs(smbd_t) ') tunable_policy(`samba_portmapper',` @@ -444,11 +446,13 @@ tunable_policy(`samba_export_all_ro',` fs_read_noxattr_fs_files(smbd_t) files_list_non_auth_dirs(smbd_t) files_read_non_auth_files(smbd_t) + files_watch_all_dirs(smbd_t) ') tunable_policy(`samba_export_all_rw',` fs_read_noxattr_fs_files(smbd_t) files_manage_non_auth_files(smbd_t) + files_watch_all_dirs(smbd_t) ') optional_policy(` 
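Review bot: The new `/dev/megaraid.*` character-device entry is labelled `fixed_disk_device_t` at `mls_systemhigh`, while the context line directly above keeps `/dev/megadev.*` as `removable_device_t` at `s0`. If both are controller management nodes, which the names suggest but the hunk does not show, the older entry leaves comparable raw controller access under a much weaker label. Either relabel it in the same change or add a comment such as `# megadev kept as removable_device_t for <reason>` so the difference reads as deliberate.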
@@ -617,13 +621,17 @@ optional_policy(` allow smbcontrol_t self:process signal; allow smbcontrol_t self:fifo_file rw_fifo_file_perms; allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms; +allow smbcontrol_t self:unix_dgram_socket create_socket_perms; allow smbcontrol_t self:process { signal signull }; allow smbcontrol_t { winbind_t nmbd_t smbd_t }:process { signal signull }; -read_files_pattern(smbcontrol_t, samba_runtime_t, samba_runtime_t) +allow smbcontrol_t { smbd_t nmbd_t }:unix_dgram_socket sendto; +manage_files_pattern(smbcontrol_t, samba_runtime_t, samba_runtime_t) +allow smbcontrol_t samba_runtime_t:file map; allow smbcontrol_t samba_runtime_t:dir rw_dir_perms; manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t) +allow smbcontrol_t samba_var_t:sock_file manage_sock_file_perms; samba_read_config(smbcontrol_t) samba_search_var(smbcontrol_t) @@ -639,6 +647,7 @@ files_search_var_lib(smbcontrol_t) term_use_console(smbcontrol_t)
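Review bot: The switch from `read_files_pattern` to `manage_files_pattern` for `samba_runtime_t` takes smbcontrol_t from read-only to create, write and unlink on the runtime files, and nothing in the hunk says which operation needs it. If the tool only updates files that the daemons already created, `rw_files_pattern(smbcontrol_t, samba_runtime_t, samba_runtime_t)` would be the narrower grant; otherwise a one-line comment above the rule naming the denied operation would help the next audit. The same applies to the new `samba_runtime_t:file map` and `samba_var_t:sock_file manage_sock_file_perms` rules. The smbcontrol_t section starts and continues outside the hunk.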
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/, policy/modules/services/
commit: 3cf4d89db3171671a05868dd5ecaf933c49fcaa4 Author: Russell Coker coker com au> AuthorDate: Thu Sep 28 13:55:56 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Oct 6 15:30:52 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3cf4d89d mon.te patches as well as some fstools patches related to it (#697) * Patches for mon, mostly mon local monitoring. Also added the fsdaemon_read_lib() interface and fstools patch because it also uses fsdaemon_read_lib() and it's called by monitoring scripts Signed-off-by: Russell Coker coker.com.au> * Added the files_dontaudit_tmpfs_file_getattr() and storage_dev_filetrans_fixed_disk_control() interfaces needed Signed-off-by: Russell Coker coker.com.au> * Fixed the issues from the review Signed-off-by: Russell Coker coker.com.au> * Specify name to avoid conflicting file trans Signed-off-by: Russell Coker coker.com.au> * fixed dontaudi_ typo Signed-off-by: Russell Coker coker.com.au> * Changed storage_dev_filetrans_fixed_disk to have a mandatory parameter for the object class Signed-off-by: Russell Coker coker.com.au> * Remove fsdaemon_read_lib as it was already merged Signed-off-by: Russell Coker coker.com.au> - Signed-off-by: Russell Coker coker.com.au> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/kernel/files.if | 18 ++ policy/modules/kernel/kernel.te | 2 +- policy/modules/kernel/storage.if| 7 ++- policy/modules/services/mon.te | 30 ++ policy/modules/services/smartmon.te | 2 +- policy/modules/system/fstools.te| 17 + policy/modules/system/init.te | 2 +- policy/modules/system/lvm.te| 2 +- policy/modules/system/raid.te | 2 +- 9 files changed, 72 insertions(+), 10 deletions(-) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index a1113ff7c..591aa64d6 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if 
@@ -434,6 +434,24 @@ interface(`files_tmpfs_file',` typeattribute $1 tmpfsfile; ') + +## +## dontaudit getattr on tmpfs files +## +## +## +## Domain to not have stat on tmpfs files audited +## +## +# +interface(`files_dontaudit_getattr_all_tmpfs_files',` + gen_require(` + attribute tmpfsfile; + ') + + dontaudit $1 tmpfsfile:file getattr; +') + ## ## Get the attributes of all directories. diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te index 666d0e7e9..8156ac087 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -390,7 +390,7 @@ ifdef(`init_systemd',` ') optional_policy(` - storage_dev_filetrans_fixed_disk(kernel_t) + storage_dev_filetrans_fixed_disk(kernel_t, blk_file) storage_setattr_fixed_disk_dev(kernel_t) storage_create_fixed_disk_dev(kernel_t) storage_delete_fixed_disk_dev(kernel_t) diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if index 9c581a910..777caea69 100644 --- a/policy/modules/kernel/storage.if +++ b/policy/modules/kernel/storage.if @@ -296,6 +296,11 @@ interface(`storage_manage_fixed_disk',` ## Domain allowed access. ## ## +## +## +## The class of the object to be created. +## +## ## ## ## Optional filename of the block device to be created @@ -307,7 +312,7 @@ interface(`storage_dev_filetrans_fixed_disk',` type fixed_disk_device_t; ') - dev_filetrans($1, fixed_disk_device_t, blk_file, $2) + dev_filetrans($1, fixed_disk_device_t, $2, $3) ') diff --git a/policy/modules/services/mon.te b/policy/modules/services/mon.te index b9a349871..bbf0496b3 100644 --- a/policy/modules/services/mon.te +++ b/policy/modules/services/mon.te 
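Review bot: The summary and parameter text of `files_dontaudit_getattr_all_tmpfs_files` do not follow the wording of the neighbouring interfaces (the next one in the hunk reads `Get the attributes of all directories.`). I would write the summary as `## Do not audit attempts to get the attributes of all tmpfs files.` and the parameter as `## Domain to not audit.` Because the rule silences getattr denials for every type with the `tmpfsfile` attribute, a short note on which caller needs it would also help anyone later hunting a missing AVC.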
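Review bot: With the object class now passed as `$2` in `storage_dev_filetrans_fixed_disk`, the parameter description kept as context in the first storage.if hunk, `Optional filename of the block device to be created`, is stale, because the interface now creates whatever class the caller names, not only `blk_file`. Suggest `## Optional filename of the device node to be created.` The argument shift also means a caller that still passes a filename as its second argument will have it read as the class; the diffstat lists the in-tree callers, but the interface documentation could say that the class is mandatory so out-of-tree modules notice.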
@@ -42,8 +42,7 @@ files_tmp_file(mon_tmp_t) allow mon_t self:fifo_file rw_fifo_file_perms; allow mon_t self:tcp_socket create_stream_socket_perms; -# for mailxmpp.alert to set ulimit -allow mon_t self:process setrlimit; +allow mon_t self:process { setrlimit getsched signal }; domtrans_pattern(mon_t, mon_local_test_exec_t, mon_local_test_t) @@ -104,6 +103,11 @@ optional_policy(` mta_send_mail(mon_t) ') +optional_policy(` + # for config of xmpp sending program + xdg_read_config_files(mon_t) +') + # # Local policy @@ -151,6 +155,10 @@ optional_policy(` mysql_stream_connect(mon_net_test_t) ') +optional_policy(` + snmp_read_snmp_var_lib_files(mon_net_test_t) +') + # # Local policy @@ -161,9 +169,10 @@ optional_policy(` # # sys_ptrace is for
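Review bot: The rewritten rule `allow mon_t self:process { setrlimit getsched signal };` drops the comment that explained `setrlimit` (`# for mailxmpp.alert to set ulimit`) and adds `getsched` and `signal` with no reason given. Keep the original comment and extend it, e.g. `# setrlimit: mailxmpp.alert sets ulimit; getsched, signal: <program that needs them>`, so each self:process permission stays traceable to a program. The later hunks in this file do carry such comments (`# for config of xmpp sending program`), so this is the odd one out.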
[gentoo-commits] proj/hardened-refpolicy:master commit in: /, policy/modules/kernel/, policy/modules/system/, policy/modules/services/, ...
commit: 3ad3fd938f3a06d4170286f9e14bbcd0765e8fb6 Author: Jason Zaman gentoo org> AuthorDate: Tue Dec 17 04:17:02 2019 + Commit: Jason Zaman gentoo org> CommitDate: Tue Dec 24 09:58:27 2019 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3ad3fd93 Fix gentoo-specific lint issues Signed-off-by: Jason Zaman gentoo.org> .travis.yml | 2 +- policy/modules/admin/portage.fc | 2 +- policy/modules/apps/java.fc | 2 +- policy/modules/apps/qemu.fc | 4 ++-- policy/modules/contrib/android.fc | 2 +- policy/modules/contrib/dirsrv.fc | 4 ++-- policy/modules/contrib/openrc.fc | 2 +- policy/modules/contrib/phpfpm.fc | 8 policy/modules/contrib/resolvconf.fc | 2 +- policy/modules/contrib/rtorrent.fc| 6 +++--- policy/modules/contrib/uwsgi.fc | 2 +- policy/modules/contrib/vde.fc | 2 +- policy/modules/kernel/corecommands.fc | 8 policy/modules/services/ntp.fc| 2 +- policy/modules/system/lvm.fc | 5 - policy/modules/system/miscfiles.fc| 6 ++ policy/modules/system/tmpfiles.fc | 6 +++--- 17 files changed, 29 insertions(+), 36 deletions(-) diff --git a/.travis.yml b/.travis.yml index 8be908cc..5dfbe090 100644 --- a/.travis.yml +++ b/.travis.yml @@ -25,7 +25,7 @@ env: matrix: include: - python: 3.7 -env: LINT=true TYPE=standard +env: LINT=true TYPE=standard DISTRO=gentoo sudo: false dist: bionic diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc index 8a41cfff..26850f9d 100644 --- a/policy/modules/admin/portage.fc +++ b/policy/modules/admin/portage.fc 
@@ -23,7 +23,7 @@ /usr/portage(/.*)? gen_context(system_u:object_r:portage_ebuild_t,s0) /usr/portage/distfiles/cvs-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0) /usr/portage/distfiles/egit-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0) -/usr/portage/distfiles/git.?-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0) +/usr/portage/distfiles/git[0-9]-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0) /usr/portage/distfiles/go-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0) /usr/portage/distfiles/hg-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0) /usr/portage/distfiles/svn-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0) diff --git a/policy/modules/apps/java.fc b/policy/modules/apps/java.fc index e8804805..d0476be2 100644 --- a/policy/modules/apps/java.fc +++ b/policy/modules/apps/java.fc @@ -34,5 +34,5 @@ HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:java_home_t,s0) ifdef(`distro_gentoo',` # Running maven (mvn) command needs read access to this, yet the file is marked as bin_t otherwise -/usr/share/maven-bin-[^/]*/bin/m2.conf -- gen_context(system_u:object_r:usr_t,s0) +/usr/share/maven-bin-[^/]*/bin/m2\.conf-- gen_context(system_u:object_r:usr_t,s0) ') diff --git a/policy/modules/apps/qemu.fc b/policy/modules/apps/qemu.fc index df3aa2d3..59dcb78b 100644 --- a/policy/modules/apps/qemu.fc +++ b/policy/modules/apps/qemu.fc @@ -12,8 +12,8 @@ ifdef(`distro_gentoo',` /usr/bin/qemu-ga -- gen_context(system_u:object_r:qemu_ga_exec_t,s0) -/var/log/qemu-ga.log -- gen_context(system_u:object_r:qemu_ga_log_t,s0) +/var/log/qemu-ga\.log -- gen_context(system_u:object_r:qemu_ga_log_t,s0) /var/log/qemu-ga(/.*)? -- gen_context(system_u:object_r:qemu_ga_log_t,s0) -/run/qemu-ga.pid -- gen_context(system_u:object_r:qemu_ga_run_t,s0) +/run/qemu-ga\.pid -- gen_context(system_u:object_r:qemu_ga_run_t,s0) ') 
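Review bot: Replacing `git.?-src` with `git[0-9]-src` is not a pure lint fix: the old pattern also matched `/usr/portage/distfiles/git-src`, while the new one requires a digit. No separate `git-src` entry is visible in the hunk, so that directory would presumably fall back to the `/usr/portage(/.*)?` rule and be labelled `portage_ebuild_t` instead of `portage_srcrepo_t`. If the unnumbered directory can still exist on a system, `git[0-9]?-src` keeps the old coverage and still avoids the bare `.`.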
diff --git a/policy/modules/contrib/android.fc b/policy/modules/contrib/android.fc index af983112..a72f5d9f 100644 --- a/policy/modules/contrib/android.fc +++ b/policy/modules/contrib/android.fc @@ -2,7 +2,7 @@ HOME_DIR/\.AndroidStudio.*(/.*)? gen_context(system_u:object_r:android_home_t,s HOME_DIR/\.android(/.*)? gen_context(system_u:object_r:android_home_t,s0) HOME_DIR/\.gradle(/.*)? gen_context(system_u:object_r:android_home_t,s0) -/opt/android-studio/bin/studio.sh gen_context(system_u:object_r:android_java_exec_t,s0) +/opt/android-studio/bin/studio\.sh gen_context(system_u:object_r:android_java_exec_t,s0) /opt/android-sdk-update-manager/platform-tools/adb -- gen_context(system_u:object_r:android_tools_exec_t,s0) /opt/android-sdk-update-manager/platform-tools/fastboot-- gen_context(system_u:object_r:android_tools_exec_t,s0) diff --git a/policy/modules/contrib/dirsrv.fc b/policy/modules/contrib/dirsrv.fc index 3a33d632..a675110f 100644 --- a/policy/modules/contrib/dirsrv.fc +++ b/policy/modules/contrib/dirsrv.fc @@ -5,8 +5,8 @@ /var/lib/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_lib_t,s0)
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/, policy/modules/services/
commit: 11930ca161a01e71abb6f3522e3dea4f91445ac9 Author: Chris PeBenito ieee org> AuthorDate: Sun Dec 3 21:48:54 2017 + Commit: Jason Zaman gentoo org> CommitDate: Tue Dec 12 07:06:26 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=11930ca1 corcmd, fs, xserver, init, systemd, userdomain: Module version bump. policy/modules/kernel/corecommands.te | 2 +- policy/modules/kernel/filesystem.te | 2 +- policy/modules/services/xserver.te| 2 +- policy/modules/system/init.te | 2 +- policy/modules/system/systemd.te | 2 +- policy/modules/system/userdomain.te | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te
index 4bc0a45c..9ea33753 100644
--- a/policy/modules/kernel/corecommands.te
+++ b/policy/modules/kernel/corecommands.te
@@ -1,4 +1,4 @@
-policy_module(corecommands, 1.24.5)
+policy_module(corecommands, 1.24.6)
 #
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index 62c2a783..d564752f 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -1,4 +1,4 @@
-policy_module(filesystem, 1.23.1)
+policy_module(filesystem, 1.23.2)
 #
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index e5c5acad..c3380257 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,4 +1,4 @@
-policy_module(xserver, 3.14.4)
+policy_module(xserver, 3.14.5)
 gen_require(` class x_drawable all_x_drawable_perms;
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index f495e386..4ef6d035 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 2.3.8)
+policy_module(init, 2.3.9)
 gen_require(` class passwd rootok;
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 4f3ed091..5051b87c 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.4.5)
+policy_module(systemd, 1.4.6)
 # #
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index b348ccd0..0e8aa374 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,4 +1,4 @@
-policy_module(userdomain, 4.14.7)
+policy_module(userdomain, 4.14.8)
 #
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/, policy/modules/services/
commit: 047cdd145b3f30c17182c16be7357559e8c24b1f Author: Chris PeBenito ieee org> AuthorDate: Tue Feb 7 23:51:58 2017 + Commit: Jason Zaman gentoo org> CommitDate: Fri Feb 17 08:04:15 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=047cdd14 usrmerge FC fixes from Russell Coker. policy/modules/kernel/corecommands.fc | 3 ++- policy/modules/kernel/corecommands.te | 2 +- policy/modules/services/xserver.fc| 12 policy/modules/services/xserver.te| 2 +- policy/modules/system/sysnetwork.fc | 1 + policy/modules/system/sysnetwork.te | 2 +- 6 files changed, 14 insertions(+), 8 deletions(-) diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc index d8c7389c..7c1ae574 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -251,7 +251,7 @@ ifdef(`distro_gentoo',` /usr/libexec/openssh/sftp-server --gen_context(system_u:object_r:bin_t,s0) -/usr/local/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/local/(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/local/sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/local/Brother(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/local/Printer(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -265,6 +265,7 @@ ifdef(`distro_gentoo',` /usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/smrsh-- gen_context(system_u:object_r:shell_exec_t,s0) +/usr/share/(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/ajaxterm/ajaxterm.py.* -- gen_context(system_u:object_r:bin_t,s0) /usr/share/ajaxterm/qweb.py.* -- gen_context(system_u:object_r:bin_t,s0) /usr/share/apr-0/build/[^/]+\.sh --gen_context(system_u:object_r:bin_t,s0) diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te index ca4e75f1..a9535774 100644 --- a/policy/modules/kernel/corecommands.te +++ b/policy/modules/kernel/corecommands.te 
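Review bot: `/usr/local/(.*/)?bin(/.*)?` and the new `/usr/share/(.*/)?bin(/.*)?` label everything below any directory named `bin`, at any depth, as `bin_t`, because `(.*/)?` can span several path components. That sweeps in non-executable data that happens to sit under such a directory and gives it the generic executable type. If one level of nesting covers the usrmerge cases, `/usr/share/[^/]+/bin(/.*)?` is the tighter form; otherwise add a comment above both entries saying the depth-unbounded match is intended.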
@@ -1,4 +1,4 @@ -policy_module(corecommands, 1.23.1) +policy_module(corecommands, 1.23.2) # diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc index 40b214a1..f9f541d4 100644 --- a/policy/modules/services/xserver.fc +++ b/policy/modules/services/xserver.fc @@ -62,10 +62,10 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) # /usr # -/usr/s?bin/gdm(3)? -- gen_context(system_u:object_r:xdm_exec_t,s0) -/usr/s?bin/gdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0) -/usr/s?bin/lxdm(-binary)? -- gen_context(system_u:object_r:xdm_exec_t,s0) -/usr/s?bin/[xkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0) +/usr/bin/gdm(3)? -- gen_context(system_u:object_r:xdm_exec_t,s0) +/usr/bin/gdm-binary-- gen_context(system_u:object_r:xdm_exec_t,s0) +/usr/bin/lxdm(-binary)? -- gen_context(system_u:object_r:xdm_exec_t,s0) +/usr/bin/[xkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/gpe-dm-- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0) /usr/bin/slim -- gen_context(system_u:object_r:xdm_exec_t,s0) @@ -80,7 +80,11 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) /usr/lib/xorg-server/Xorg\.wrap-- gen_context(system_u:object_r:xserver_exec_t,s0) /usr/lib/X11/xdm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0) +/usr/sbin/[xkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0) +/usr/sbin/gdm(3)? -- gen_context(system_u:object_r:xdm_exec_t,s0) +/usr/sbin/gdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/sbin/lightdm -- gen_context(system_u:object_r:xdm_exec_t,s0) +/usr/sbin/lxdm(-binary)? --gen_context(system_u:object_r:xdm_exec_t,s0) # xserver default configure bug: not FHS-compliant because not read-only ! /usr/share/X11/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0) 
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te index c622abf9..9c1a0276 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -1,4 +1,4 @@ -policy_module(xserver, 3.13.0) +policy_module(xserver, 3.13.1) gen_require(` class x_drawable all_x_drawable_perms; diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc index a2329a85..e887076b 100644 --- a/policy/modules/system/sysnetwork.fc +++ b/policy/modules/system/sysnetwork.fc @@ -38,6 +38,7 @@ ifdef(`distro_redhat',` /usr/sbin/dhclient.* --
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/, policy/modules/services/
commit: a3346de8032c55b8f109d4649cc1331e6e415dee Author: Chris PeBenito ieee org> AuthorDate: Thu Dec 22 20:54:46 2016 + Commit: Jason Zaman gentoo org> CommitDate: Sun Jan 1 16:26:28 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a3346de8 Module version bumps for /run fc changes from cgzones. policy/modules/kernel/files.te| 2 +- policy/modules/kernel/filesystem.te | 2 +- policy/modules/services/postgresql.te | 2 +- policy/modules/services/ssh.te| 2 +- policy/modules/services/xserver.te| 2 +- policy/modules/system/authlogin.te| 2 +- policy/modules/system/fstools.te | 2 +- policy/modules/system/getty.te| 2 +- policy/modules/system/hotplug.te | 2 +- policy/modules/system/init.te | 2 +- policy/modules/system/ipsec.te| 2 +- policy/modules/system/iptables.te | 2 +- policy/modules/system/logging.te | 2 +- policy/modules/system/lvm.te | 2 +- policy/modules/system/modutils.te | 2 +- policy/modules/system/mount.te| 2 +- policy/modules/system/selinuxutil.te | 2 +- policy/modules/system/setrans.te | 2 +- policy/modules/system/sysnetwork.te | 2 +- policy/modules/system/systemd.te | 2 +- policy/modules/system/udev.te | 2 +- policy/modules/system/userdomain.te | 2 +- 22 files changed, 22 insertions(+), 22 deletions(-)
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index e004c90..1e58d9e 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -1,4 +1,4 @@
-policy_module(files, 1.22.0)
+policy_module(files, 1.22.1)
 #
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index 2e49c03..76f295d 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -1,4 +1,4 @@
-policy_module(filesystem, 1.21.1)
+policy_module(filesystem, 1.21.2)
 #
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
index 627983d..9f29980 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -1,4 +1,4 @@
-policy_module(postgresql, 1.18.0)
+policy_module(postgresql, 1.18.1)
 gen_require(` class db_database all_db_database_perms;
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 68d945a..89db98c 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -1,4 +1,4 @@
-policy_module(ssh, 2.8.0)
+policy_module(ssh, 2.8.1)
 #
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index ac86b84..ba96a78 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,4 +1,4 @@
-policy_module(xserver, 3.12.5)
+policy_module(xserver, 3.12.6)
 gen_require(` class x_drawable all_x_drawable_perms;
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index d0b9457..3f88d37 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -1,4 +1,4 @@
-policy_module(authlogin, 2.9.0)
+policy_module(authlogin, 2.9.1)
 #
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index 69eaf37..84a5032 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -1,4 +1,4 @@
-policy_module(fstools, 1.19.0)
+policy_module(fstools, 1.19.1)
 #
diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
index b2358ba..38c76d1 100644
--- a/policy/modules/system/getty.te
+++ b/policy/modules/system/getty.te
@@ -1,4 +1,4 @@
-policy_module(getty, 1.11.1)
+policy_module(getty, 1.11.2)
 #
diff --git a/policy/modules/system/hotplug.te b/policy/modules/system/hotplug.te
index 856ddff..efd92fb 100644
--- a/policy/modules/system/hotplug.te
+++ b/policy/modules/system/hotplug.te
@@ -1,4 +1,4 @@
-policy_module(hotplug, 1.17.0)
+policy_module(hotplug, 1.17.1)
 #
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index a5a1610..766e037 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 2.1.0)
+policy_module(init, 2.1.1)
 gen_require(` class passwd rootok;
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index 0815149..df8a123 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -1,4 +1,4 @@
-policy_module(ipsec, 1.16.0)
+policy_module(ipsec, 1.16.1)
 #
diff --git a/policy/modules/system/iptables.te