[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/, policy/modules/services/

2023-10-06 Thread Kenton Groombridge
commit: 1d66af88aa2d390ac5783557e8d04289d16bc612
Author: Russell Coker  coker  com  au>
AuthorDate: Mon Sep 25 15:46:04 2023 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Fri Oct  6 15:30:09 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1d66af88

small storage changes (#706)

* Changes to storage.fc, smartmon, samba and lvm

Signed-off-by: Russell Coker  coker.com.au>

* Add the interfaces this patch needs

Signed-off-by: Russell Coker  coker.com.au>

* use manage_sock_file_perms for sock_file

Signed-off-by: Russell Coker  coker.com.au>

* Renamed files_watch_all_file_type_dir to files_watch_all_dirs

Signed-off-by: Russell Coker  coker.com.au>

* Use read_files_pattern

Signed-off-by: Russell Coker  coker.com.au>

-

Signed-off-by: Russell Coker  coker.com.au>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/kernel/files.if  | 19 +++
 policy/modules/kernel/storage.fc|  1 +
 policy/modules/services/samba.te| 11 ++-
 policy/modules/services/smartmon.if | 20 
 policy/modules/services/smartmon.te |  2 +-
 policy/modules/system/lvm.te|  1 +
 policy/modules/system/userdomain.if | 18 ++
 7 files changed, 70 insertions(+), 2 deletions(-)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index d8874ace2..a1113ff7c 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1426,6 +1426,25 @@ interface(`files_unmount_all_file_type_fs',`
allow $1 file_type:filesystem unmount;
 ')
 
+
+## 
+## watch all directories of file_type
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`files_watch_all_dirs',`
+   gen_require(`
+   attribute file_type;
+   ')
+
+   allow $1 file_type:dir watch;
+')
+
+
 
 ## 
 ## Read all non-authentication related
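Review bot: `allow $1 file_type:dir watch;` in the new files_watch_all_dirs covers every file_type directory, and no non-auth counterpart is added alongside it. The callers this commit adds in samba.te sit next to `files_list_non_auth_dirs(smbd_t)` and `files_read_non_auth_files(smbd_t)` under samba_export_all_ro, so as far as that tunable block shows, smbd_t gets watch on a wider set of directories than it is allowed to list. Consider a variant restricted to the same non-auth subset those interfaces use, and call it from samba_export_all_ro and samba_export_all_rw. The summary would also read better capitalised like the neighbouring interfaces, `Watch all directories.`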

diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc
index 3033ac4de..9cd280c25 100644
--- a/policy/modules/kernel/storage.fc
+++ b/policy/modules/kernel/storage.fc
@@ -29,6 +29,7 @@
 /dev/lvm   -c  
gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/mcdx? -b  
gen_context(system_u:object_r:removable_device_t,s0)
 /dev/megadev.* -c  
gen_context(system_u:object_r:removable_device_t,s0)
+/dev/megaraid.*-c  
gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/mmcblk.*  -b  
gen_context(system_u:object_r:removable_device_t,s0)
 /dev/mmcblk.*  -c  
gen_context(system_u:object_r:removable_device_t,s0)
 /dev/mspblk.*  -b  
gen_context(system_u:object_r:removable_device_t,s0)
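Review bot: The added `/dev/megaraid.*` character node is labelled fixed_disk_device_t at mls_systemhigh, while the `/dev/megadev.*` entry directly above it stays removable_device_t at s0. If both are management nodes for the same controller family (an assumption from the names only), the older entry probably deserves the same label, because domains with removable-device access would otherwise keep access to a controller node. A one-line comment above the new entry naming the program that needs it would record why it is treated as a fixed disk.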

diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
index 8ec3a1c62..f78d316cc 100644
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
@@ -408,11 +408,13 @@ tunable_policy(`samba_create_home_dirs',`
 ')
 
 tunable_policy(`samba_enable_home_dirs',`
+   files_watch_home(smbd_t)
userdom_manage_user_home_content_dirs(smbd_t)
userdom_manage_user_home_content_files(smbd_t)
userdom_manage_user_home_content_symlinks(smbd_t)
userdom_manage_user_home_content_sockets(smbd_t)
userdom_manage_user_home_content_pipes(smbd_t)
+   userdom_watch_user_home_dirs(smbd_t)
 ')
 
 tunable_policy(`samba_portmapper',`
@@ -444,11 +446,13 @@ tunable_policy(`samba_export_all_ro',`
fs_read_noxattr_fs_files(smbd_t)
files_list_non_auth_dirs(smbd_t)
files_read_non_auth_files(smbd_t)
+   files_watch_all_dirs(smbd_t)
 ')
 
 tunable_policy(`samba_export_all_rw',`
fs_read_noxattr_fs_files(smbd_t)
files_manage_non_auth_files(smbd_t)
+   files_watch_all_dirs(smbd_t)
 ')
 
 optional_policy(`
@@ -617,13 +621,17 @@ optional_policy(`
 allow smbcontrol_t self:process signal;
 allow smbcontrol_t self:fifo_file rw_fifo_file_perms;
 allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms;
+allow smbcontrol_t self:unix_dgram_socket create_socket_perms;
 allow smbcontrol_t self:process { signal signull };
 
 allow smbcontrol_t { winbind_t nmbd_t smbd_t }:process { signal signull };
-read_files_pattern(smbcontrol_t, samba_runtime_t, samba_runtime_t)
+allow smbcontrol_t { smbd_t nmbd_t }:unix_dgram_socket sendto;
+manage_files_pattern(smbcontrol_t, samba_runtime_t, samba_runtime_t)
+allow smbcontrol_t samba_runtime_t:file map;
 allow smbcontrol_t samba_runtime_t:dir rw_dir_perms;
 
 manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t)
+allow smbcontrol_t samba_var_t:sock_file manage_sock_file_perms;
 
 samba_read_config(smbcontrol_t)
 samba_search_var(smbcontrol_t)
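Review bot: `manage_files_pattern(smbcontrol_t, samba_runtime_t, samba_runtime_t)` takes smbcontrol_t from read-only access to create, write and delete on samba's runtime files, and nothing in the hunk says which operation needs that. If smbcontrol only updates files that already exist there, `rw_files_pattern(smbcontrol_t, samba_runtime_t, samba_runtime_t)` would be the narrower grant; check that against the denials that prompted the change. The new `unix_dgram_socket sendto`, `file map` and `sock_file manage_sock_file_perms` rules would each benefit from a short why-comment, for example `# smbcontrol talks to the daemons over their messaging sockets`, if that is the reason.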
@@ -639,6 +647,7 @@ files_search_var_lib(smbcontrol_t)
 term_use_console(smbcontrol_t)
 
 

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/, policy/modules/services/

2023-10-06 Thread Kenton Groombridge
commit: 3cf4d89db3171671a05868dd5ecaf933c49fcaa4
Author: Russell Coker  coker  com  au>
AuthorDate: Thu Sep 28 13:55:56 2023 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Fri Oct  6 15:30:52 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3cf4d89d

mon.te patches as well as some fstools patches related to it (#697)

* Patches for mon, mostly mon local monitoring.

Also added the fsdaemon_read_lib() interface and fstools patch because it
also uses fsdaemon_read_lib() and it's called by monitoring scripts

Signed-off-by: Russell Coker  coker.com.au>

* Added the files_dontaudit_tmpfs_file_getattr() and
storage_dev_filetrans_fixed_disk_control() interfaces needed

Signed-off-by: Russell Coker  coker.com.au>

* Fixed the issues from the review

Signed-off-by: Russell Coker  coker.com.au>

* Specify name to avoid conflicting file trans

Signed-off-by: Russell Coker  coker.com.au>

* fixed dontaudi_ typo

Signed-off-by: Russell Coker  coker.com.au>

* Changed storage_dev_filetrans_fixed_disk to have a mandatory parameter for 
the object class

Signed-off-by: Russell Coker  coker.com.au>

* Remove fsdaemon_read_lib as it was already merged

Signed-off-by: Russell Coker  coker.com.au>

-

Signed-off-by: Russell Coker  coker.com.au>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/kernel/files.if  | 18 ++
 policy/modules/kernel/kernel.te |  2 +-
 policy/modules/kernel/storage.if|  7 ++-
 policy/modules/services/mon.te  | 30 ++
 policy/modules/services/smartmon.te |  2 +-
 policy/modules/system/fstools.te| 17 +
 policy/modules/system/init.te   |  2 +-
 policy/modules/system/lvm.te|  2 +-
 policy/modules/system/raid.te   |  2 +-
 9 files changed, 72 insertions(+), 10 deletions(-)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index a1113ff7c..591aa64d6 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -434,6 +434,24 @@ interface(`files_tmpfs_file',`
typeattribute $1 tmpfsfile;
 ')
 
+
+## 
+## dontaudit getattr on tmpfs files
+## 
+## 
+## 
+## Domain to not have stat on tmpfs files audited
+## 
+## 
+#
+interface(`files_dontaudit_getattr_all_tmpfs_files',`
+   gen_require(`
+   attribute tmpfsfile;
+   ')
+
+   dontaudit $1 tmpfsfile:file getattr;
+')
+
 
 ## 
 ## Get the attributes of all directories.
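Review bot: The documentation block for files_dontaudit_getattr_all_tmpfs_files does not match the wording used by the interfaces around it: the summary `dontaudit getattr on tmpfs files` is lower case and terse, and the parameter text `Domain to not have stat on tmpfs files audited` is awkward. I would write the summary as `Do not audit attempts to get the attributes of all tmpfs files.` and the parameter as `Domain to not audit.` Because the rule is `dontaudit $1 tmpfsfile:file getattr;`, it silences denials for class file only, and the summary should say so if other classes are meant to stay audited.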

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 666d0e7e9..8156ac087 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -390,7 +390,7 @@ ifdef(`init_systemd',`
')
 
optional_policy(`
-   storage_dev_filetrans_fixed_disk(kernel_t)
+   storage_dev_filetrans_fixed_disk(kernel_t, blk_file)
storage_setattr_fixed_disk_dev(kernel_t)
storage_create_fixed_disk_dev(kernel_t)
storage_delete_fixed_disk_dev(kernel_t)

diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
index 9c581a910..777caea69 100644
--- a/policy/modules/kernel/storage.if
+++ b/policy/modules/kernel/storage.if
@@ -296,6 +296,11 @@ interface(`storage_manage_fixed_disk',`
 ## Domain allowed access.
 ## 
 ## 
+## 
+## 
+## The class of the object to be created.
+## 
+## 
 ## 
 ## 
 ## Optional filename of the block device to be created
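Review bot: With the object class now passed in as a mandatory parameter, the description kept for the last parameter, `Optional filename of the block device to be created`, is stale, because the interface can now set up a transition for other classes as well. Reword it to `Optional filename of the device node to be created`. The interface summary lies outside this hunk and may need the same adjustment. The body change that uses the new parameter, `dev_filetrans($1, fixed_disk_device_t, $2, $3)`, is in the following hunk.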
@@ -307,7 +312,7 @@ interface(`storage_dev_filetrans_fixed_disk',`
type fixed_disk_device_t;
')
 
-   dev_filetrans($1, fixed_disk_device_t, blk_file, $2)
+   dev_filetrans($1, fixed_disk_device_t, $2, $3)
 ')
 
 

diff --git a/policy/modules/services/mon.te b/policy/modules/services/mon.te
index b9a349871..bbf0496b3 100644
--- a/policy/modules/services/mon.te
+++ b/policy/modules/services/mon.te
@@ -42,8 +42,7 @@ files_tmp_file(mon_tmp_t)
 
 allow mon_t self:fifo_file rw_fifo_file_perms;
 allow mon_t self:tcp_socket create_stream_socket_perms;
-# for mailxmpp.alert to set ulimit
-allow mon_t self:process setrlimit;
+allow mon_t self:process { setrlimit getsched signal };
 
 domtrans_pattern(mon_t, mon_local_test_exec_t, mon_local_test_t)
 
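Review bot: The new line `allow mon_t self:process { setrlimit getsched signal };` drops the comment that explained setrlimit (`# for mailxmpp.alert to set ulimit`) and adds getsched and signal with no explanation. Keep the original comment and add one for the new permissions, for example `# getsched and signal: needed by <program that triggered the denial>`. `signal` on self lets any mon_t process signal any other mon_t process, so it is worth recording that this is intended.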
@@ -104,6 +103,11 @@ optional_policy(`
mta_send_mail(mon_t)
 ')
 
+optional_policy(`
+   # for config of xmpp sending program
+   xdg_read_config_files(mon_t)
+')
+
 
 #
 # Local policy
@@ -151,6 +155,10 @@ optional_policy(`
mysql_stream_connect(mon_net_test_t)
 ')
 
+optional_policy(`
+   snmp_read_snmp_var_lib_files(mon_net_test_t)
+')
+
 
 #
 # Local policy
@@ -161,9 +169,10 @@ optional_policy(`
 #
 
 # sys_ptrace is for 

[gentoo-commits] proj/hardened-refpolicy:master commit in: /, policy/modules/kernel/, policy/modules/system/, policy/modules/services/, ...

2019-12-24 Thread Jason Zaman
commit: 3ad3fd938f3a06d4170286f9e14bbcd0765e8fb6
Author: Jason Zaman  gentoo  org>
AuthorDate: Tue Dec 17 04:17:02 2019 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Tue Dec 24 09:58:27 2019 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3ad3fd93

Fix gentoo-specific lint issues

Signed-off-by: Jason Zaman  gentoo.org>

 .travis.yml   | 2 +-
 policy/modules/admin/portage.fc   | 2 +-
 policy/modules/apps/java.fc   | 2 +-
 policy/modules/apps/qemu.fc   | 4 ++--
 policy/modules/contrib/android.fc | 2 +-
 policy/modules/contrib/dirsrv.fc  | 4 ++--
 policy/modules/contrib/openrc.fc  | 2 +-
 policy/modules/contrib/phpfpm.fc  | 8 
 policy/modules/contrib/resolvconf.fc  | 2 +-
 policy/modules/contrib/rtorrent.fc| 6 +++---
 policy/modules/contrib/uwsgi.fc   | 2 +-
 policy/modules/contrib/vde.fc | 2 +-
 policy/modules/kernel/corecommands.fc | 8 
 policy/modules/services/ntp.fc| 2 +-
 policy/modules/system/lvm.fc  | 5 -
 policy/modules/system/miscfiles.fc| 6 ++
 policy/modules/system/tmpfiles.fc | 6 +++---
 17 files changed, 29 insertions(+), 36 deletions(-)

diff --git a/.travis.yml b/.travis.yml
index 8be908cc..5dfbe090 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -25,7 +25,7 @@ env:
 matrix:
   include:
   - python: 3.7
-env: LINT=true TYPE=standard
+env: LINT=true TYPE=standard DISTRO=gentoo
 
 sudo: false
 dist: bionic

diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc
index 8a41cfff..26850f9d 100644
--- a/policy/modules/admin/portage.fc
+++ b/policy/modules/admin/portage.fc
@@ -23,7 +23,7 @@
 /usr/portage(/.*)? gen_context(system_u:object_r:portage_ebuild_t,s0)
 /usr/portage/distfiles/cvs-src(/.*)?   
gen_context(system_u:object_r:portage_srcrepo_t,s0)
 /usr/portage/distfiles/egit-src(/.*)?  
gen_context(system_u:object_r:portage_srcrepo_t,s0)
-/usr/portage/distfiles/git.?-src(/.*)? 
gen_context(system_u:object_r:portage_srcrepo_t,s0)
+/usr/portage/distfiles/git[0-9]-src(/.*)?  
gen_context(system_u:object_r:portage_srcrepo_t,s0)
 /usr/portage/distfiles/go-src(/.*)?
gen_context(system_u:object_r:portage_srcrepo_t,s0)
 /usr/portage/distfiles/hg-src(/.*)?
gen_context(system_u:object_r:portage_srcrepo_t,s0)
 /usr/portage/distfiles/svn-src(/.*)?   
gen_context(system_u:object_r:portage_srcrepo_t,s0)
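Review bot: `git[0-9]-src` is not equivalent to the `git.?-src` it replaces, because the old pattern also matched zero characters. `/usr/portage/distfiles/git-src` was labelled portage_srcrepo_t before; after this change it falls through to the `/usr/portage(/.*)?` entry and gets portage_ebuild_t, unless a line outside this hunk covers it. If the goal was only to satisfy the linter, keeping the character optional preserves the old coverage: `/usr/portage/distfiles/git[0-9]?-src(/.*)?`.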

diff --git a/policy/modules/apps/java.fc b/policy/modules/apps/java.fc
index e8804805..d0476be2 100644
--- a/policy/modules/apps/java.fc
+++ b/policy/modules/apps/java.fc
@@ -34,5 +34,5 @@ HOME_DIR/\.java(/.*)? 
gen_context(system_u:object_r:java_home_t,s0)
 
 ifdef(`distro_gentoo',`
 # Running maven (mvn) command needs read access to this, yet the file is 
marked as bin_t otherwise
-/usr/share/maven-bin-[^/]*/bin/m2.conf --  
gen_context(system_u:object_r:usr_t,s0)
+/usr/share/maven-bin-[^/]*/bin/m2\.conf--  
gen_context(system_u:object_r:usr_t,s0)
 ')

diff --git a/policy/modules/apps/qemu.fc b/policy/modules/apps/qemu.fc
index df3aa2d3..59dcb78b 100644
--- a/policy/modules/apps/qemu.fc
+++ b/policy/modules/apps/qemu.fc
@@ -12,8 +12,8 @@
 ifdef(`distro_gentoo',`
 /usr/bin/qemu-ga   --  gen_context(system_u:object_r:qemu_ga_exec_t,s0)
 
-/var/log/qemu-ga.log   --  gen_context(system_u:object_r:qemu_ga_log_t,s0)
+/var/log/qemu-ga\.log  --  gen_context(system_u:object_r:qemu_ga_log_t,s0)
 /var/log/qemu-ga(/.*)? --  gen_context(system_u:object_r:qemu_ga_log_t,s0)
 
-/run/qemu-ga.pid   --  gen_context(system_u:object_r:qemu_ga_run_t,s0)
+/run/qemu-ga\.pid  --  gen_context(system_u:object_r:qemu_ga_run_t,s0)
 ')

diff --git a/policy/modules/contrib/android.fc 
b/policy/modules/contrib/android.fc
index af983112..a72f5d9f 100644
--- a/policy/modules/contrib/android.fc
+++ b/policy/modules/contrib/android.fc
@@ -2,7 +2,7 @@ HOME_DIR/\.AndroidStudio.*(/.*)?
gen_context(system_u:object_r:android_home_t,s
 HOME_DIR/\.android(/.*)?   
gen_context(system_u:object_r:android_home_t,s0)
 HOME_DIR/\.gradle(/.*)?
gen_context(system_u:object_r:android_home_t,s0)
 
-/opt/android-studio/bin/studio.sh  
gen_context(system_u:object_r:android_java_exec_t,s0)
+/opt/android-studio/bin/studio\.sh 
gen_context(system_u:object_r:android_java_exec_t,s0)
 
 /opt/android-sdk-update-manager/platform-tools/adb --  
gen_context(system_u:object_r:android_tools_exec_t,s0)
 /opt/android-sdk-update-manager/platform-tools/fastboot--  
gen_context(system_u:object_r:android_tools_exec_t,s0)

diff --git a/policy/modules/contrib/dirsrv.fc b/policy/modules/contrib/dirsrv.fc
index 3a33d632..a675110f 100644
--- a/policy/modules/contrib/dirsrv.fc
+++ b/policy/modules/contrib/dirsrv.fc
@@ -5,8 +5,8 @@
 /var/lib/dirsrv(/.*)?  gen_context(system_u:object_r:dirsrv_var_lib_t,s0)
 

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/, policy/modules/services/

2017-12-12 Thread Jason Zaman
commit: 11930ca161a01e71abb6f3522e3dea4f91445ac9
Author: Chris PeBenito  ieee  org>
AuthorDate: Sun Dec  3 21:48:54 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Tue Dec 12 07:06:26 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=11930ca1

corcmd, fs, xserver, init, systemd, userdomain: Module version bump.

 policy/modules/kernel/corecommands.te | 2 +-
 policy/modules/kernel/filesystem.te   | 2 +-
 policy/modules/services/xserver.te| 2 +-
 policy/modules/system/init.te | 2 +-
 policy/modules/system/systemd.te  | 2 +-
 policy/modules/system/userdomain.te   | 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/policy/modules/kernel/corecommands.te 
b/policy/modules/kernel/corecommands.te
index 4bc0a45c..9ea33753 100644
--- a/policy/modules/kernel/corecommands.te
+++ b/policy/modules/kernel/corecommands.te
@@ -1,4 +1,4 @@
-policy_module(corecommands, 1.24.5)
+policy_module(corecommands, 1.24.6)
 
 
 #

diff --git a/policy/modules/kernel/filesystem.te 
b/policy/modules/kernel/filesystem.te
index 62c2a783..d564752f 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -1,4 +1,4 @@
-policy_module(filesystem, 1.23.1)
+policy_module(filesystem, 1.23.2)
 
 
 #

diff --git a/policy/modules/services/xserver.te 
b/policy/modules/services/xserver.te
index e5c5acad..c3380257 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,4 +1,4 @@
-policy_module(xserver, 3.14.4)
+policy_module(xserver, 3.14.5)
 
 gen_require(`
class x_drawable all_x_drawable_perms;

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index f495e386..4ef6d035 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 2.3.8)
+policy_module(init, 2.3.9)
 
 gen_require(`
class passwd rootok;

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 4f3ed091..5051b87c 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.4.5)
+policy_module(systemd, 1.4.6)
 
 #
 #

diff --git a/policy/modules/system/userdomain.te 
b/policy/modules/system/userdomain.te
index b348ccd0..0e8aa374 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,4 +1,4 @@
-policy_module(userdomain, 4.14.7)
+policy_module(userdomain, 4.14.8)
 
 
 #



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/, policy/modules/services/

2017-02-17 Thread Jason Zaman
commit: 047cdd145b3f30c17182c16be7357559e8c24b1f
Author: Chris PeBenito  ieee  org>
AuthorDate: Tue Feb  7 23:51:58 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Fri Feb 17 08:04:15 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=047cdd14

usrmerge FC fixes from Russell Coker.

 policy/modules/kernel/corecommands.fc |  3 ++-
 policy/modules/kernel/corecommands.te |  2 +-
 policy/modules/services/xserver.fc| 12 
 policy/modules/services/xserver.te|  2 +-
 policy/modules/system/sysnetwork.fc   |  1 +
 policy/modules/system/sysnetwork.te   |  2 +-
 6 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/policy/modules/kernel/corecommands.fc 
b/policy/modules/kernel/corecommands.fc
index d8c7389c..7c1ae574 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -251,7 +251,7 @@ ifdef(`distro_gentoo',`
 
 /usr/libexec/openssh/sftp-server --gen_context(system_u:object_r:bin_t,s0)
 
-/usr/local/bin(/.*)?   gen_context(system_u:object_r:bin_t,s0)
+/usr/local/(.*/)?bin(/.*)? 
gen_context(system_u:object_r:bin_t,s0)
 /usr/local/sbin(/.*)?  gen_context(system_u:object_r:bin_t,s0)
 /usr/local/Brother(/.*)?   gen_context(system_u:object_r:bin_t,s0)
 /usr/local/Printer(/.*)?   gen_context(system_u:object_r:bin_t,s0)
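Review bot: `/usr/local/(.*/)?bin(/.*)?` labels every directory named bin at any depth under /usr/local, and everything beneath it, as bin_t; the second hunk adds the same shape with `/usr/share/(.*/)?bin(/.*)?`. That is much wider than the `/usr/local/bin(/.*)?` it replaces, so data or configuration files that happen to sit below a `bin/` component become bin_t. More specific entries for paths inside those trees may also be affected, depending on how the file-context ordering ranks them. A relabel dry run such as `restorecon -Rnv /usr/local /usr/share` on a populated system would show which paths change type. A comment naming the layouts that need the wildcard would help the next reader.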
@@ -265,6 +265,7 @@ ifdef(`distro_gentoo',`
 /usr/sbin/sesh --  
gen_context(system_u:object_r:shell_exec_t,s0)
 /usr/sbin/smrsh--  
gen_context(system_u:object_r:shell_exec_t,s0)
 
+/usr/share/(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/share/ajaxterm/ajaxterm.py.* --   gen_context(system_u:object_r:bin_t,s0)
 /usr/share/ajaxterm/qweb.py.* --   gen_context(system_u:object_r:bin_t,s0)
 /usr/share/apr-0/build/[^/]+\.sh --gen_context(system_u:object_r:bin_t,s0)

diff --git a/policy/modules/kernel/corecommands.te 
b/policy/modules/kernel/corecommands.te
index ca4e75f1..a9535774 100644
--- a/policy/modules/kernel/corecommands.te
+++ b/policy/modules/kernel/corecommands.te
@@ -1,4 +1,4 @@
-policy_module(corecommands, 1.23.1)
+policy_module(corecommands, 1.23.2)
 
 
 #

diff --git a/policy/modules/services/xserver.fc 
b/policy/modules/services/xserver.fc
index 40b214a1..f9f541d4 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -62,10 +62,10 @@ HOME_DIR/\.Xauthority.* --  
gen_context(system_u:object_r:xauth_home_t,s0)
 # /usr
 #
 
-/usr/s?bin/gdm(3)? --  gen_context(system_u:object_r:xdm_exec_t,s0)
-/usr/s?bin/gdm-binary  --  gen_context(system_u:object_r:xdm_exec_t,s0)
-/usr/s?bin/lxdm(-binary)? --   gen_context(system_u:object_r:xdm_exec_t,s0)
-/usr/s?bin/[xkw]dm --  gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/bin/gdm(3)?   --  gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/bin/gdm-binary--  gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/bin/lxdm(-binary)? -- gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/bin/[xkw]dm   --  gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/gpe-dm--  
gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/iceauth   --  gen_context(system_u:object_r:iceauth_exec_t,s0)
 /usr/bin/slim  --  gen_context(system_u:object_r:xdm_exec_t,s0)
@@ -80,7 +80,11 @@ HOME_DIR/\.Xauthority.*  --  
gen_context(system_u:object_r:xauth_home_t,s0)
 /usr/lib/xorg-server/Xorg\.wrap--  
gen_context(system_u:object_r:xserver_exec_t,s0)
 /usr/lib/X11/xdm/Xsession  --  
gen_context(system_u:object_r:xsession_exec_t,s0)
 
+/usr/sbin/[xkw]dm  --  gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/sbin/gdm(3)?  --  gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/sbin/gdm-binary   --  gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/sbin/lightdm  --  gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/sbin/lxdm(-binary)? --gen_context(system_u:object_r:xdm_exec_t,s0)
 
 # xserver default configure bug: not FHS-compliant because not read-only !
 /usr/share/X11/xkb(/.*)?   gen_context(system_u:object_r:xkb_var_lib_t,s0)

diff --git a/policy/modules/services/xserver.te 
b/policy/modules/services/xserver.te
index c622abf9..9c1a0276 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,4 +1,4 @@
-policy_module(xserver, 3.13.0)
+policy_module(xserver, 3.13.1)
 
 gen_require(`
class x_drawable all_x_drawable_perms;

diff --git a/policy/modules/system/sysnetwork.fc 
b/policy/modules/system/sysnetwork.fc
index a2329a85..e887076b 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
@@ -38,6 +38,7 @@ ifdef(`distro_redhat',`
 
 /usr/sbin/dhclient.*   --  

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/, policy/modules/services/

2017-01-01 Thread Jason Zaman
commit: a3346de8032c55b8f109d4649cc1331e6e415dee
Author: Chris PeBenito  ieee  org>
AuthorDate: Thu Dec 22 20:54:46 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Jan  1 16:26:28 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a3346de8

Module version bumps for /run fc changes from cgzones.

 policy/modules/kernel/files.te| 2 +-
 policy/modules/kernel/filesystem.te   | 2 +-
 policy/modules/services/postgresql.te | 2 +-
 policy/modules/services/ssh.te| 2 +-
 policy/modules/services/xserver.te| 2 +-
 policy/modules/system/authlogin.te| 2 +-
 policy/modules/system/fstools.te  | 2 +-
 policy/modules/system/getty.te| 2 +-
 policy/modules/system/hotplug.te  | 2 +-
 policy/modules/system/init.te | 2 +-
 policy/modules/system/ipsec.te| 2 +-
 policy/modules/system/iptables.te | 2 +-
 policy/modules/system/logging.te  | 2 +-
 policy/modules/system/lvm.te  | 2 +-
 policy/modules/system/modutils.te | 2 +-
 policy/modules/system/mount.te| 2 +-
 policy/modules/system/selinuxutil.te  | 2 +-
 policy/modules/system/setrans.te  | 2 +-
 policy/modules/system/sysnetwork.te   | 2 +-
 policy/modules/system/systemd.te  | 2 +-
 policy/modules/system/udev.te | 2 +-
 policy/modules/system/userdomain.te   | 2 +-
 22 files changed, 22 insertions(+), 22 deletions(-)

diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index e004c90..1e58d9e 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -1,4 +1,4 @@
-policy_module(files, 1.22.0)
+policy_module(files, 1.22.1)
 
 
 #

diff --git a/policy/modules/kernel/filesystem.te 
b/policy/modules/kernel/filesystem.te
index 2e49c03..76f295d 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -1,4 +1,4 @@
-policy_module(filesystem, 1.21.1)
+policy_module(filesystem, 1.21.2)
 
 
 #

diff --git a/policy/modules/services/postgresql.te 
b/policy/modules/services/postgresql.te
index 627983d..9f29980 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -1,4 +1,4 @@
-policy_module(postgresql, 1.18.0)
+policy_module(postgresql, 1.18.1)
 
 gen_require(`
class db_database all_db_database_perms;

diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 68d945a..89db98c 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -1,4 +1,4 @@
-policy_module(ssh, 2.8.0)
+policy_module(ssh, 2.8.1)
 
 
 #

diff --git a/policy/modules/services/xserver.te 
b/policy/modules/services/xserver.te
index ac86b84..ba96a78 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,4 +1,4 @@
-policy_module(xserver, 3.12.5)
+policy_module(xserver, 3.12.6)
 
 gen_require(`
class x_drawable all_x_drawable_perms;

diff --git a/policy/modules/system/authlogin.te 
b/policy/modules/system/authlogin.te
index d0b9457..3f88d37 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -1,4 +1,4 @@
-policy_module(authlogin, 2.9.0)
+policy_module(authlogin, 2.9.1)
 
 
 #

diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index 69eaf37..84a5032 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -1,4 +1,4 @@
-policy_module(fstools, 1.19.0)
+policy_module(fstools, 1.19.1)
 
 
 #

diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
index b2358ba..38c76d1 100644
--- a/policy/modules/system/getty.te
+++ b/policy/modules/system/getty.te
@@ -1,4 +1,4 @@
-policy_module(getty, 1.11.1)
+policy_module(getty, 1.11.2)
 
 
 #

diff --git a/policy/modules/system/hotplug.te b/policy/modules/system/hotplug.te
index 856ddff..efd92fb 100644
--- a/policy/modules/system/hotplug.te
+++ b/policy/modules/system/hotplug.te
@@ -1,4 +1,4 @@
-policy_module(hotplug, 1.17.0)
+policy_module(hotplug, 1.17.1)
 
 
 #

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index a5a1610..766e037 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 2.1.0)
+policy_module(init, 2.1.1)
 
 gen_require(`
class passwd rootok;

diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index 0815149..df8a123 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -1,4 +1,4 @@
-policy_module(ipsec, 1.16.0)
+policy_module(ipsec, 1.16.1)
 
 
 #

diff --git a/policy/modules/system/iptables.te