[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
commit: e9a93b0d4db7a376a9eb4b5e2fe84885124be4e6 Author: Sven Vermeulen siphos be> AuthorDate: Thu May 15 18:02:15 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Thu May 15 18:02:15 2014 + URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e9a93b0d Move distro_gentoo to bottom, fade-oout wrong type name --- policy/modules/contrib/gnome.te | 14 -- 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te index b4a361a..5dd3498 100644 --- a/policy/modules/contrib/gnome.te +++ b/policy/modules/contrib/gnome.te @@ -46,12 +46,6 @@ userdom_user_home_content(gnome_keyring_home_t) type gnome_keyring_tmp_t; userdom_user_tmp_file(gnome_keyring_tmp_t) -ifdef(`distro_gentoo',` - type gnome_xdg_config_t; - - xdg_config_home_content(gnome_xdg_config_t) -') - ## # # Common local Policy @@ -145,3 +139,11 @@ optional_policy(` optional_policy(` telepathy_mission_control_read_state(gkeyringd_domain) ') + +ifdef(`distro_gentoo',` + type gnome_xdg_config_t; # Fase out + type gnome_xdg_config_home_t; + + xdg_config_home_content(gnome_xdg_config_t) + xdg_config_home_content(gnome_xdg_config_home_t) +')
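Review bot: The comment on the retained type, `type gnome_xdg_config_t; # Fase out`, misspells the intent and does not say what supersedes it, so a later reader cannot tell whether the old name is still referenced anywhere or is safe to drop. Suggest `type gnome_xdg_config_t; # Phase out: superseded by gnome_xdg_config_home_t (added below)`, and, if the old type is being kept so that existing on-disk labels stay valid, say so in the same comment rather than leaving it implied. The commit title's "fade-oout" carries the same typo. Both types receive xdg_config_home_content(), so nothing currently labelled gnome_xdg_config_t loses access until it is relabelled.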
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
commit: e8f4cf7abd48e3f49d693d944cb3c60845398904 Author: Nicolas Iooss m4x org> AuthorDate: Sat May 10 14:45:24 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Fri May 16 18:42:54 2014 + URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e8f4cf7a Make unconfined user run lvm programs in confined domain When an unconfined user uses truecrypt to mount an encrypted file, dmsetup is called to setup a new device. This program works with udev to configure the new device and uses SysV semaphores to synchronize states. As udev runs dmsetup in lvm_t domain, the first dmsetup process needs to create lvm_t semaphores (not unconfined_t) and hence needs to run in lvm_t domain. More details are available in the archives on the ML: http://oss.tresys.com/pipermail/refpolicy/2014-May/007111.html --- policy/modules/system/unconfined.te | 4 1 file changed, 4 insertions(+) diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te index 9742a34..28df819 100644 --- a/policy/modules/system/unconfined.te +++ b/policy/modules/system/unconfined.te @@ -108,6 +108,10 @@ optional_policy(` ') optional_policy(` + lvm_run(unconfined_t, unconfined_r) +') + +optional_policy(` modutils_run_update_mods(unconfined_t, unconfined_r) ')
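Review bot: The new `lvm_run(unconfined_t, unconfined_r)` call has no comment, yet it is a deliberate case of moving an otherwise unconfined user into a confined domain, and the reason (dmsetup must own lvm_t SysV semaphores shared with the udev-spawned instance) exists only in the commit message. Suggest placing `# dmsetup must run in lvm_t so its SysV semaphores match those udev creates` above the call. Once this is in effect, lvm tooling run by unconfined users is governed by the lvm_t policy, so any missing permission will show up as an lvm_t denial rather than being allowed; naming the reason next to the rule keeps such denials from being read as a regression and the rule from being removed to "fix" them.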
[gentoo-commits] proj/hardened-refpolicy:master commit in: support/
commit: 73d7fb2e565bba1c32e7c4a9bb2e7eb18e3022e1 Author: Nicolas Iooss m4x org> AuthorDate: Sat May 10 14:44:02 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Fri May 16 18:42:51 2014 + URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=73d7fb2e Make support/policyvers.py compatible with Python 3 Add parenthesis around print statement, like in other Python scripts. --- support/policyvers.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/support/policyvers.py b/support/policyvers.py
index 0d969a4..a367ef1 100644
--- a/support/policyvers.py
+++ b/support/policyvers.py
@@ -1,4 +1,4 @@
 #!/usr/bin/python
 import selinux
 if selinux.is_selinux_enabled():
- print selinux.security_policyvers()
+ print(selinux.security_policyvers())
[gentoo-commits] proj/hardened-refpolicy:master commit in: gentoo/
commit: cd3ee9060a3bfcb6ae28e7c01d4b22b517dc97a4 Author: Sven Vermeulen siphos be> AuthorDate: Fri May 16 18:43:31 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Fri May 16 18:43:31 2014 + URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=cd3ee906 Merge upstream --- gentoo/STATE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/gentoo/STATE b/gentoo/STATE index 62eadee..4d5ba32 100644 --- a/gentoo/STATE +++ b/gentoo/STATE @@ -1,2 +1,2 @@ contrib is at 393c4fc0c906174d572842a7594f612c1b1aabba -master is at eb998eed13619eaf4b6f46726a3791e160448638 +master is at 5b2a2998b8983e748f377cde398514a78b3e5550
[gentoo-commits] proj/hardened-refpolicy:master commit in: support/
commit: 198bd85a025f7b81e1d1afc9b594b33f64080e06 Author: Chris PeBenito tresys com> AuthorDate: Tue May 13 13:39:00 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Fri May 16 18:42:58 2014 + URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=198bd85a Need the __future__ import for python2 if using print(). --- support/policyvers.py | 1 + 1 file changed, 1 insertion(+)
diff --git a/support/policyvers.py b/support/policyvers.py
index a367ef1..834ff3d 100644
--- a/support/policyvers.py
+++ b/support/policyvers.py
@@ -1,4 +1,5 @@
 #!/usr/bin/python
+from __future__ import print_function
 import selinux
 if selinux.is_selinux_enabled():
 print(selinux.security_policyvers())
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
commit: c34ccf06f53106dd698fcb1569e3b5cccb78167d Author: Chris PeBenito tresys com> AuthorDate: Tue May 13 12:44:26 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Fri May 16 18:42:55 2014 + URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=c34ccf06 Module version bump for unconfined->lvm transition from Nicolas Iooss. --- policy/modules/system/unconfined.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te index 28df819..e92c2c0 100644 --- a/policy/modules/system/unconfined.te +++ b/policy/modules/system/unconfined.te @@ -1,4 +1,4 @@ -policy_module(unconfined, 3.6.0) +policy_module(unconfined, 3.6.1) #
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
commit: e272b12c0e2345b698444b24675566a014e0ae75 Author: Sven Vermeulen siphos be> AuthorDate: Sun May 18 11:01:54 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Sun May 18 11:01:54 2014 + URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e272b12c Introduce cachefilesd_kernel_t for cachefiles When the Linux kernel is acting for cachefilesd, it does so through the defined context. As the module is called cachefilesd, we call it cachefilesd_kernel_t (unlike fedora, which uses cachefiles_kernel_t). Port changes from fedora to use the kernel_service class into this module as well. --- policy/modules/contrib/cachefilesd.te | 31 +++ 1 file changed, 31 insertions(+) diff --git a/policy/modules/contrib/cachefilesd.te b/policy/modules/contrib/cachefilesd.te index a3760bc..353aa85 100644 --- a/policy/modules/contrib/cachefilesd.te +++ b/policy/modules/contrib/cachefilesd.te 
@@ -50,3 +50,34 @@ init_dontaudit_use_script_ptys(cachefilesd_t) optional_policy(` rpm_use_script_fds(cachefilesd_t) ') + +ifdef(`distro_gentoo',` + type cachefilesd_kernel_t; + domain_type(cachefilesd_kernel_t) + domain_obj_id_change_exemption(cachefilesd_kernel_t) + role system_r types cachefilesd_kernel_t; + + # CacheFiles tells the Linux kernel for which security context + # it should act to begin caching. + + # Allow cachefilesd_t to tell the kernel to use cachefilesd_kernel_t) + allow cachefilesd_t cachefilesd_kernel_t:kernel_service { use_as_override }; + + # Allow cachefilesd_t to tell the kernel to write files as cachefilesd_cache_t + allow cachefilesd_t cachefilesd_cache_t:kernel_service { create_files_as }; + + ## + # + # cachefilesd_kernel_t policy + # + allow cachefilesd_kernel_t self:capability { dac_override dac_read_search }; + + manage_dirs_pattern(cachefilesd_kernel_t, cachefilesd_cache_t, cachefilesd_cache_t) + manage_files_pattern(cachefilesd_kernel_t, cachefilesd_cache_t, cachefilesd_cache_t) + + fs_getattr_xattr_fs(cachefilesd_kernel_t) + + dev_search_sysfs(cachefilesd_kernel_t) + + init_sigchld_script(cachefilesd_kernel_t) +')
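Review bot: The comment `# Allow cachefilesd_t to tell the kernel to use cachefilesd_kernel_t)` has a stray closing parenthesis and reads oddly; suggest `# Allow cachefilesd_t to tell the kernel to act as cachefilesd_kernel_t`. Separately, `allow cachefilesd_kernel_t self:capability { dac_override dac_read_search };` hands the in-kernel cache context a blanket DAC bypass; if the cache tree is owned by the uid the kernel acts under, dac_read_search alone may be enough, so it is worth confirming dac_override against observed denials rather than carrying it over from the Fedora module wholesale, and recording the outcome in a comment on that line. The block also grants `role system_r types cachefilesd_kernel_t;` without any entrypoint, which is consistent with the kernel (not a process) assuming the context, but a one-line comment saying so would save the next reader from looking for a missing domtrans.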
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
commit: f798c56c670f48f3e06b16188b4cd1ddab08508e Author: Sven Vermeulen siphos be> AuthorDate: Sun May 18 12:00:13 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Sun May 18 12:00:13 2014 + URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f798c56c Make cachefiles_kernel_t an alias to cachefilesd_kernel_t so that default package settings can be retained --- policy/modules/contrib/cachefilesd.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/policy/modules/contrib/cachefilesd.te b/policy/modules/contrib/cachefilesd.te index 353aa85..0490841 100644 --- a/policy/modules/contrib/cachefilesd.te +++ b/policy/modules/contrib/cachefilesd.te @@ -53,6 +53,8 @@ optional_policy(` ifdef(`distro_gentoo',` type cachefilesd_kernel_t; + # Compatible with fedora, for package defaults and so on + typealias cachefilesd_kernel_t alias cachefiles_kernel_t; domain_type(cachefilesd_kernel_t) domain_obj_id_change_exemption(cachefilesd_kernel_t) role system_r types cachefilesd_kernel_t;
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
commit: 48be2f701bc828ed49544836c4963b9d9eab0489 Author: Sven Vermeulen siphos be> AuthorDate: Sat May 17 15:26:50 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Thu May 22 16:32:07 2014 + URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=48be2f70 Mark icedtea binaries as java_exec_t Add the icedtea location to the java file contexts so that the icedtea java binaries are marked as java_exec_t. See also https://bugs.gentoo.org/show_bug.cgi?id=510364 Signed-off-by: Sven Vermeulen siphos.be> --- policy/modules/contrib/java.fc | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/contrib/java.fc b/policy/modules/contrib/java.fc index e3be797..cc4f515 100644 --- a/policy/modules/contrib/java.fc +++ b/policy/modules/contrib/java.fc @@ -22,6 +22,7 @@ HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:java_home_t,s0) /usr/lib/bin/java[^/]* -- gen_context(system_u:object_r:java_exec_t,s0) /usr/lib/eclipse/eclipse -- gen_context(system_u:object_r:java_exec_t,s0) +/usr/lib/icedtea[67]/bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0) /usr/lib/jvm/java(.*/)bin(/.*)?-- gen_context(system_u:object_r:java_exec_t,s0) /usr/lib/opera(/.*)?/opera -- gen_context(system_u:object_r:java_exec_t,s0) /usr/lib/opera(/.*)?/works -- gen_context(system_u:object_r:java_exec_t,s0)
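Review bot: `/usr/lib/icedtea[67]/bin(/.*)?` pins the match to icedtea6 and icedtea7, so the next IcedTea slot (icedtea8 or higher) will install java binaries with the default label and silently lose the java_exec_t transition until someone bumps the entry. If the install path always follows the `icedtea<N>` pattern, `/usr/lib/icedtea[0-9]+/bin(/.*)?` covers it without per-release maintenance. The `--` file-type specifier limits the match to regular files, which matches the existing jvm entry on the line below, so directories stay at their default label as before.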
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
commit: 08e4725f1152c1c4671090440d6461dbc89b3f22 Author: Chris PeBenito tresys com> AuthorDate: Tue May 20 13:16:55 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Thu May 22 16:32:08 2014 + URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=08e4725f Module version bump for java icedtea fc entries from Sven Vermeulen. --- policy/modules/contrib/java.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te index 8503180..11e996d 100644 --- a/policy/modules/contrib/java.te +++ b/policy/modules/contrib/java.te @@ -1,4 +1,4 @@ -policy_module(java, 2.7.0) +policy_module(java, 2.7.1) #
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
commit: e5e9e3b1d23814120d95b4bc247056b72a38c3ea Author: Sven Vermeulen siphos be> AuthorDate: Fri May 16 18:34:37 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Thu May 22 16:32:05 2014 + URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e5e9e3b1 Fix typo in dnsmasq.if Signed-off-by: Sven Vermeulen siphos.be> --- policy/modules/contrib/dnsmasq.if | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/modules/contrib/dnsmasq.if b/policy/modules/contrib/dnsmasq.if index 19aa0b8..62e4948 100644 --- a/policy/modules/contrib/dnsmasq.if +++ b/policy/modules/contrib/dnsmasq.if @@ -281,7 +281,7 @@ interface(`dnsmasq_admin',` files_list_var_lib($1) admin_pattern($1, dnsmasq_lease_t) - logging_seearch_logs($1) + logging_search_logs($1) admin_pattern($1, dnsmasq_var_log_t) files_list_pids($1)
[gentoo-commits] proj/hardened-refpolicy:master commit in: gentoo/
commit: 1100d189090b44d07efb96020c7c2752eb86bdb0 Author: Sven Vermeulen siphos be> AuthorDate: Thu May 22 16:32:41 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Thu May 22 16:32:41 2014 + URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=1100d189 Merge upstream --- gentoo/STATE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/gentoo/STATE b/gentoo/STATE index 4d5ba32..8122a7c 100644 --- a/gentoo/STATE +++ b/gentoo/STATE @@ -1,2 +1,2 @@ -contrib is at 393c4fc0c906174d572842a7594f612c1b1aabba +contrib is at 1b67699d50a988875bb9683d4fef3dae148e7e9b master is at 5b2a2998b8983e748f377cde398514a78b3e5550
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
commit: f0c9d69ef883747dd922d9bdcf3b24e534aa4469 Author: Jason Zaman perfinion com> AuthorDate: Mon May 19 20:44:45 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Thu May 22 16:52:42 2014 + URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f0c9d69e gconfd keeps its database in the xdg directories gconfd stores settings for applications in the gnome desktop. it needs to be able to manage gnome directories inside ~/.{cache,config,local}/ Signed-off-by: Jason Zaman perfinion.com> --- policy/modules/contrib/gnome.fc | 2 ++ policy/modules/contrib/gnome.te | 18 ++ 2 files changed, 20 insertions(+) diff --git a/policy/modules/contrib/gnome.fc b/policy/modules/contrib/gnome.fc index 9bc2c50..31d8c6c 100644 --- a/policy/modules/contrib/gnome.fc +++ b/policy/modules/contrib/gnome.fc @@ -18,5 +18,7 @@ HOME_DIR/\.gnome2_private(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) ifdef(`distro_gentoo',` +HOME_DIR/\.config/dconf(/.*)? gen_context(system_u:object_r:gnome_xdg_config_home_t,s0) +HOME_DIR/\.cache/dconf(/.*)? gen_context(system_u:object_r:gnome_xdg_cache_home_t,s0) HOME_DIR/\.cache/keyring-.* gen_context(system_u:object_r:gnome_xdg_cache_home_t,s0) ') diff --git a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te index 98cd996..99b426d 100644 --- a/policy/modules/contrib/gnome.te +++ b/policy/modules/contrib/gnome.te 
@@ -170,4 +170,22 @@ ifdef(`distro_gentoo',` allow gkeyringd_domain gnome_xdg_data_home_t:file manage_file_perms; manage_dirs_pattern(gkeyringd_domain, gnome_xdg_data_home_t, gnome_xdg_data_home_t) + + ## + ## gconfd + ## + + xdg_cache_home_filetrans(gconfd_t, gnome_xdg_cache_home_t, dir) + xdg_config_home_filetrans(gconfd_t, gnome_xdg_config_home_t, dir) + xdg_data_home_filetrans(gconfd_t, gnome_xdg_data_home_t, dir) + + # gconf stores settings for gnome, it needs access + allow gconfd_t gnome_xdg_cache_home_t:file manage_file_perms; + manage_dirs_pattern(gconfd_t, gnome_xdg_cache_home_t, gnome_xdg_cache_home_t) + + allow gconfd_t gnome_xdg_config_home_t:file manage_file_perms; + manage_dirs_pattern(gconfd_t, gnome_xdg_config_home_t, gnome_xdg_config_home_t) + + allow gconfd_t gnome_xdg_data_home_t:file manage_file_perms; + manage_dirs_pattern(gconfd_t, gnome_xdg_data_home_t, gnome_xdg_data_home_t) ')
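Review bot: The new gconfd_t rules grant manage over all three gnome_xdg_*_home_t types and add `xdg_data_home_filetrans(gconfd_t, gnome_xdg_data_home_t, dir)`, but the matching gnome.fc hunk only labels `HOME_DIR/\.config/dconf` and `HOME_DIR/\.cache/dconf`; nothing on the page points at a ~/.local path, so the data-home filetrans and `manage_dirs_pattern(gconfd_t, gnome_xdg_data_home_t, ...)` lines appear unmotivated. As far as I can tell the dconf directories are written by the dconf service rather than by gconfd-2, which traditionally keeps its tree under ~/.gconf, so it is worth confirming from the actual denials that gconfd_t is the domain touching them before labelling them for it. Until a denial shows the need, drop the data-home lines, or extend the `# gconf stores settings for gnome, it needs access` comment with the observed path so the grant is reproducible.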
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
commit: 8f3ac480c34bff1c605ba8f4a71bc484dccd8b9d Author: Jason Zaman perfinion com> AuthorDate: Mon May 19 20:44:44 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Thu May 22 16:52:42 2014 + URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=8f3ac480 Gnome Keyring policies Gnome keyring communicates with other programs via a socket in ~/.cache/. This patch creates gnome_xdg_*_home_t labels and lets gnome keyring manage them Signed-off-by: Jason Zaman perfinion.com> --- policy/modules/contrib/gnome.fc | 5 + policy/modules/contrib/gnome.te | 24 2 files changed, 29 insertions(+) diff --git a/policy/modules/contrib/gnome.fc b/policy/modules/contrib/gnome.fc index 209314b..9bc2c50 100644 --- a/policy/modules/contrib/gnome.fc +++ b/policy/modules/contrib/gnome.fc @@ -15,3 +15,8 @@ HOME_DIR/\.gnome2_private(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) /usr/bin/mate-keyring-daemon -- gen_context(system_u:object_r:gkeyringd_exec_t,s0) /usr/lib/[^/]*/gconf/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) /usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) + + +ifdef(`distro_gentoo',` +HOME_DIR/\.cache/keyring-.* gen_context(system_u:object_r:gnome_xdg_cache_home_t,s0) +') diff --git a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te index 5dd3498..98cd996 100644 --- a/policy/modules/contrib/gnome.te +++ b/policy/modules/contrib/gnome.te 
@@ -141,9 +141,33 @@ optional_policy(` ') ifdef(`distro_gentoo',` + type gnome_xdg_cache_home_t; type gnome_xdg_config_t; # Fase out type gnome_xdg_config_home_t; + type gnome_xdg_data_home_t; + xdg_cache_home_content(gnome_xdg_cache_home_t) xdg_config_home_content(gnome_xdg_config_t) xdg_config_home_content(gnome_xdg_config_home_t) + xdg_data_home_content(gnome_xdg_data_home_t) + + ## + ## Keyring + ## + + # When gnome-keyring creates a .cache/keyring- make sure it is gnome_xdg_cache_home_t + xdg_cache_home_filetrans(gkeyringd_domain, gnome_xdg_cache_home_t, dir) + # Same for ~/.config and ~/.local stuff + xdg_config_home_filetrans(gkeyringd_domain, gnome_xdg_config_home_t, dir) + xdg_data_home_filetrans(gkeyringd_domain, gnome_xdg_data_home_t, dir) + + allow gkeyringd_domain gnome_xdg_cache_home_t:file manage_file_perms; + allow gkeyringd_domain gnome_xdg_cache_home_t:sock_file manage_sock_file_perms; + manage_dirs_pattern(gkeyringd_domain, gnome_xdg_cache_home_t, gnome_xdg_cache_home_t) + + allow gkeyringd_domain gnome_xdg_config_home_t:file manage_file_perms; + manage_dirs_pattern(gkeyringd_domain, gnome_xdg_config_home_t, gnome_xdg_config_home_t) + + allow gkeyringd_domain gnome_xdg_data_home_t:file manage_file_perms; + manage_dirs_pattern(gkeyringd_domain, gnome_xdg_data_home_t, gnome_xdg_data_home_t) ')
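Review bot: `xdg_cache_home_filetrans(gkeyringd_domain, gnome_xdg_cache_home_t, dir)` (and its config/data counterparts) retypes every directory the keyring daemon creates under the XDG bases, whereas the gnome.fc hunk only claims `HOME_DIR/\.cache/keyring-.*`; for any other directory the daemon makes the runtime label and the file context will disagree, and a later restorecon will flip it back. If the xdg filetrans interfaces accept an optional filename argument, a name-based transition for the keyring-* prefix would keep the two in step — that needs checking against the xdg module's interface definitions, which are not on this page. The comment `# When gnome-keyring creates a .cache/keyring- make sure it is gnome_xdg_cache_home_t` already describes the narrower intent, so the rule should be made to match it or the comment widened to say all created dirs are retyped.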
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/, policy/modules/roles/
commit: 2660dc2c8c1c68742a9f57f53b6389b9fc5b810b Author: Nicolas Iooss m4x org> AuthorDate: Fri May 23 18:18:10 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Wed May 28 15:39:01 2014 + URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=2660dc2c No longer use deprecated MLS interfaces Since commit 2d0c9cec mls_file_read_up and mls_file_write_down interfaces are deprecated even though they are still present. Replace mls_file_read_up with mls_file_read_all_levels and mls_file_write_down with mls_file_write_all_levels. --- policy/modules/kernel/kernel.te | 4 ++-- policy/modules/roles/secadm.te | 2 +- policy/modules/roles/sysadm.te | 2 +- policy/modules/system/init.te | 6 +++--- policy/modules/system/setrans.te| 2 +- policy/modules/system/udev.te | 2 +- policy/modules/system/userdomain.if | 2 +- 7 files changed, 10 insertions(+), 10 deletions(-) diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te index 196c2c2..b56ffce 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -289,8 +289,8 @@ files_read_usr_files(kernel_t) mcs_process_set_categories(kernel_t) -mls_process_read_up(kernel_t) -mls_process_write_down(kernel_t) +mls_process_read_all_levels(kernel_t) +mls_process_write_all_levels(kernel_t) mls_file_write_all_levels(kernel_t) mls_file_read_all_levels(kernel_t) diff --git a/policy/modules/roles/secadm.te b/policy/modules/roles/secadm.te index da11120..2da0b26 100644 --- a/policy/modules/roles/secadm.te +++ b/policy/modules/roles/secadm.te @@ -23,7 +23,7 @@ dev_relabel_all_dev_nodes(secadm_t) domain_obj_id_change_exemption(secadm_t) -mls_process_read_up(secadm_t) +mls_process_read_all_levels(secadm_t) mls_file_read_all_levels(secadm_t) mls_file_write_all_levels(secadm_t) mls_file_upgrade(secadm_t) diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te index 4acf417..c826abf 100644 --- a/policy/modules/roles/sysadm.te 
+++ b/policy/modules/roles/sysadm.te @@ -27,7 +27,7 @@ ifndef(`enable_mls',` corecmd_exec_shell(sysadm_t) -mls_process_read_up(sysadm_t) +mls_process_read_all_levels(sysadm_t) ubac_process_exempt(sysadm_t) ubac_file_exempt(sysadm_t) diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index 20d17da..d84f199 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -154,7 +154,7 @@ mcs_killall(init_t) mls_file_read_all_levels(init_t) mls_file_write_all_levels(init_t) -mls_process_write_down(init_t) +mls_process_write_all_levels(init_t) mls_fd_use_all_levels(init_t) selinux_set_all_booleans(init_t) @@ -385,8 +385,8 @@ mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) mls_file_write_all_levels(initrc_t) -mls_process_read_up(initrc_t) -mls_process_write_down(initrc_t) +mls_process_read_all_levels(initrc_t) +mls_process_write_all_levels(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te index d98b5b2..5dba88e 100644 --- a/policy/modules/system/setrans.te +++ b/policy/modules/system/setrans.te @@ -68,7 +68,7 @@ mls_file_read_all_levels(setrans_t) mls_file_write_all_levels(setrans_t) mls_net_receive_all_levels(setrans_t) mls_socket_write_all_levels(setrans_t) -mls_process_read_up(setrans_t) +mls_process_read_all_levels(setrans_t) mls_socket_read_all_levels(setrans_t) selinux_compute_access_vector(setrans_t) diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te index 95ad555..49a6ca3 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -130,7 +130,7 @@ mls_file_read_all_levels(udev_t) mls_file_write_all_levels(udev_t) mls_file_upgrade(udev_t) mls_file_downgrade(udev_t) -mls_process_write_down(udev_t) +mls_process_write_all_levels(udev_t) selinux_get_fs_mount(udev_t) selinux_validate_context(udev_t) 
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index 2f51389..3cec4f1 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -1283,7 +1283,7 @@ template(`userdom_security_admin_template',` # Necessary for managing /boot/efi fs_manage_dos_files($1) - mls_process_read_up($1) + mls_process_read_all_levels($1) mls_file_read_all_levels($1) mls_file_upgrade($1) mls_file_downgrade($1)
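Review bot: The commit description says it replaces mls_file_read_up with mls_file_read_all_levels and mls_file_write_down with mls_file_write_all_levels, but every hunk — kernel.te, secadm.te, sysadm.te, init.te, setrans.te, udev.te and this userdomain.if template — actually swaps the process interfaces, `mls_process_read_up` → `mls_process_read_all_levels` and `mls_process_write_down` → `mls_process_write_all_levels`; the mls_file_* calls in the context lines were already on the _all_levels form. The message should name the process interfaces so a later reader tracing the deprecation does not attribute the wrong change to this commit. The swap reads as a pure rename, so no change in granted MLS access is implied, but that holds only if the new interfaces map to the same attributes as the deprecated ones, which cannot be verified from these hunks. The enclosing `userdom_security_admin_template` starts and ends outside the hunk.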
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/, policy/modules/roles/
commit: be9f9cab9e1cba95d0b6fee0aec85834717244fb Author: Chris PeBenito tresys com> AuthorDate: Tue May 27 13:23:29 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Wed May 28 15:39:03 2014 + URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=be9f9cab Module version bump for deprecated interface usage removal from Nicolas Iooss. --- policy/modules/kernel/kernel.te | 2 +- policy/modules/roles/secadm.te | 2 +- policy/modules/roles/sysadm.te | 2 +- policy/modules/system/init.te | 2 +- policy/modules/system/setrans.te| 2 +- policy/modules/system/udev.te | 2 +- policy/modules/system/userdomain.te | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te index b56ffce..5d6da7f 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -1,4 +1,4 @@ -policy_module(kernel, 1.18.0) +policy_module(kernel, 1.18.1) # diff --git a/policy/modules/roles/secadm.te b/policy/modules/roles/secadm.te index 2da0b26..f7791d0 100644 --- a/policy/modules/roles/secadm.te +++ b/policy/modules/roles/secadm.te @@ -1,4 +1,4 @@ -policy_module(secadm, 2.4.0) +policy_module(secadm, 2.4.1) # diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te index c826abf..4f85745 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -1,4 +1,4 @@ -policy_module(sysadm, 2.7.0) +policy_module(sysadm, 2.7.1) # diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index d84f199..a4a7872 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -1,4 +1,4 @@ -policy_module(init, 1.21.0) +policy_module(init, 1.21.1) gen_require(` class passwd rootok; diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te index 5dba88e..a840e70 100644 --- a/policy/modules/system/setrans.te +++ b/policy/modules/system/setrans.te 
@@ -1,4 +1,4 @@ -policy_module(setrans, 1.9.0) +policy_module(setrans, 1.9.1) gen_require(` class context contains; diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te index 49a6ca3..78652da 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -1,4 +1,4 @@ -policy_module(udev, 1.17.1) +policy_module(udev, 1.17.2) # diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te index 43ec88f..912849c 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -1,4 +1,4 @@ -policy_module(userdomain, 4.10.1) +policy_module(userdomain, 4.10.2) #
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
commit: a5789c9300a5b068ba899c6984b786e20ed67473 Author: Chris PeBenito tresys com> AuthorDate: Tue May 27 13:08:12 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Wed May 28 15:38:59 2014 + URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=a5789c93 Module version bump for ifconfig fc entry from Sven Vermeulen. --- policy/modules/system/sysnetwork.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te index 1523924..3f79de9 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -1,4 +1,4 @@ -policy_module(sysnetwork, 1.16.0) +policy_module(sysnetwork, 1.16.1) #
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
commit: e73631f72a9944c16c84ec42e5e665e2f815fed9 Author: Sven Vermeulen siphos be> AuthorDate: Thu May 22 17:59:30 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Wed May 28 15:38:57 2014 + URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e73631f7 ifconfig can also be in /bin Signed-off-by: Sven Vermeulen siphos.be> --- policy/modules/system/sysnetwork.fc | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc index 40edc18..fa7a406 100644 --- a/policy/modules/system/sysnetwork.fc +++ b/policy/modules/system/sysnetwork.fc @@ -2,6 +2,7 @@ # # /bin # +/bin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0) /bin/ip-- gen_context(system_u:object_r:ifconfig_exec_t,s0) #
[gentoo-commits] proj/hardened-refpolicy:master commit in: gentoo/
commit: 9f4ab0dd5191f7ef65e6dc81de8074f7c571ffe1 Author: Sven Vermeulen siphos be> AuthorDate: Wed May 28 15:39:35 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Wed May 28 15:39:35 2014 + URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=9f4ab0dd Merge with upstream --- gentoo/STATE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/gentoo/STATE b/gentoo/STATE index 8122a7c..c864826 100644 --- a/gentoo/STATE +++ b/gentoo/STATE @@ -1,2 +1,2 @@ contrib is at 1b67699d50a988875bb9683d4fef3dae148e7e9b -master is at 5b2a2998b8983e748f377cde398514a78b3e5550 +master is at ca1b69c09e56379da6e40af44cb28ac8948ee64f
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
commit: 89b14c472ffd3b15552f4dbc5b39e0081ec72f7e Author: Sven Vermeulen siphos be> AuthorDate: Wed May 28 17:52:02 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Wed May 28 17:52:02 2014 + URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=89b14c47 Add gnome_dbus_chat_gconfd interface (bug #510572) --- policy/modules/contrib/gnome.if | 23 +++ 1 file changed, 23 insertions(+) diff --git a/policy/modules/contrib/gnome.if b/policy/modules/contrib/gnome.if index 118ee01..5e05e12 100644 --- a/policy/modules/contrib/gnome.if +++ b/policy/modules/contrib/gnome.if @@ -735,3 +735,26 @@ interface(`gnome_stream_connect_all_gkeyringd',` files_search_tmp($1) stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain) ') + +# From here Gentoo specific but cannot use ifdef distro_gentoo here + +# +## +## Send and receive messages from the gconf daemon +## over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_dbus_chat_gconfd',` + gen_require(` + type gconfd_t; + class dbus send_msg; + ') + + allow $1 gconfd_t:dbus send_msg; + allow gconfd_t $1:dbus send_msg; +')
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
commit: ce8cd6e1a0c4bd7b15c26763603c34beb4f88df2 Author: Sven Vermeulen siphos be> AuthorDate: Wed May 28 17:54:01 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Wed May 28 17:54:01 2014 + URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ce8cd6e1 Allow GNOME enabled user domains to send dbus messages to gconfd --- policy/modules/contrib/gnome.if | 6 ++ 1 file changed, 6 insertions(+) diff --git a/policy/modules/contrib/gnome.if b/policy/modules/contrib/gnome.if index 5e05e12..cad0e95 100644 --- a/policy/modules/contrib/gnome.if +++ b/policy/modules/contrib/gnome.if @@ -115,6 +115,12 @@ template(`gnome_role_template',` gnome_dbus_chat_gkeyringd($1, $3) ') ') + + ifdef(`distro_gentoo',` + optional_policy(` + gnome_dbus_chat_gconfd($3) + ') + ') ')
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
commit: 3d04e6e43e2cf2dc82633dccbb3fcc3025c5e6a0 Author: Sven Vermeulen siphos be> AuthorDate: Thu May 29 16:36:24 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Thu May 29 16:36:24 2014 + URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=3d04e6e4 Add support for git3-src repo --- policy/modules/contrib/portage.fc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/modules/contrib/portage.fc b/policy/modules/contrib/portage.fc index a2738ea..73326f2 100644 --- a/policy/modules/contrib/portage.fc +++ b/policy/modules/contrib/portage.fc @@ -21,7 +21,7 @@ /usr/portage(/.*)? gen_context(system_u:object_r:portage_ebuild_t,s0) /usr/portage/distfiles/cvs-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0) /usr/portage/distfiles/egit-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0) -/usr/portage/distfiles/git-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0) +/usr/portage/distfiles/git.?-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0) /usr/portage/distfiles/svn-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0) /var/db/pkg(/.*)? gen_context(system_u:object_r:portage_db_t,s0)
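Review bot: In `/usr/portage/distfiles/git.?-src(/.*)?` the `.` stands for any single character, so besides `git-src` and `git3-src` the entry also matches names such as `gitx-src`; if the intent is only numbered git source directories, `git[0-9]?-src` says that precisely and keeps portage_srcrepo_t from being applied to unrelated directories. The neighbouring cvs-src, egit-src and svn-src lines are unaffected.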
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
commit: 2d41348bbc572a365a257976002d9f5e145eefc8 Author: Jason Zaman perfinion com> AuthorDate: Thu May 29 14:53:07 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Thu May 29 17:28:29 2014 + URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=2d41348b Allow mozilla to send dbus messages to gconfd Firefox throws the following error when it starts if it cannot talk to gconfd Configuration server couldn't be contacted: D-BUS error: An SELinux policy prevents this sender from sending this message to this recipient, 0 matched rules; type="method_call", sender=":1.120" (uid=1000 pid=26773 comm="/opt/firefox/firefox ") interface="org.gnome.GConf.Server" member="GetDefaultDatabase" error name="(unset)" requested_reply="0" destination="org.gnome.GConf" (uid=1000 pid=20128 comm="/usr/libexec/gconfd-2 ") Signed-off-by: Jason Zaman perfinion.com> --- policy/modules/contrib/mozilla.te | 4 1 file changed, 4 insertions(+) diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te index 87728ae..6d7bac7 100644 --- a/policy/modules/contrib/mozilla.te +++ b/policy/modules/contrib/mozilla.te @@ -761,4 +761,8 @@ gen_tunable(mozilla_plugin_connect_all_unreserved, false) alsa_domain(mozilla_plugin_t, mozilla_plugin_tmpfs_t) ') ') + + optional_policy(` + gnome_dbus_chat_gconfd(mozilla_t) + ') ')
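Review bot: The added `optional_policy(` block is indented one level, so it sits inside an enclosing block whose opening is outside this hunk, and the surrounding context (`alsa_domain(mozilla_plugin_t, ...)`) belongs to the plugin rules; a mozilla_t rule appended at the very end of the plugin section is easy to miss when mozilla_t's dbus access is reviewed. If the enclosing block allows it, move `gnome_dbus_chat_gconfd(mozilla_t)` next to the other mozilla_t optional_policy blocks, or at least add `# firefox queries gconfd over dbus at startup` above it so the placement and the reason are visible without the commit message. The interface is Gentoo-specific, which is presumably why it lives under this block rather than in the upstream section — confirm.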
[gentoo-commits] proj/hardened-refpolicy: New tag: 2.20140311-r3
commit: Commit: Sven Vermeulen gentoo org> CommitDate: Thu May 29 18:00:53 2014 + New tag: 2.20140311-r3
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
commit: 37c87be77b50e083b41acd263d8f14d647cc6533 Author: Sven Vermeulen siphos be> AuthorDate: Fri May 30 12:50:42 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Fri May 30 12:50:42 2014 + URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=37c87be7 udev-acl is moved to /usr/lib/ConsoleKit --- policy/modules/system/udev.fc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc index 82662a1..8d414c1 100644 --- a/policy/modules/system/udev.fc +++ b/policy/modules/system/udev.fc @@ -49,6 +49,8 @@ ifdef(`distro_gentoo',` /usr/bin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0) +/usr/lib/ConsoleKit/udev-acl -- gen_context(system_u:object_r:udev_exec_t,s0) + /var/run/udev/rules\.d(/.*)? gen_context(system_u:object_r:udev_rules_t,s0) /var/run/udev/data(/.*)? gen_context(system_u:object_r:udev_tbl_t,s0) ')
[gentoo-commits] proj/hardened-refpolicy:master commit in: support/
commit: 304ec5224b39f6d7ac2c731bd9b4c0fd4f5c0af8 Author: Nicolas Iooss m4x org> AuthorDate: Sun Mar 23 21:01:39 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Tue Apr 8 15:20:50 2014 + URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=304ec522 fc_sort: make outfile argument optional When working on fc_sort to try to understand why using /usr/s?bin/... file contexts has been reported not to work properly [1], I found it frustrating not to be able to do "tmp/fc_sort my_filecontexts.fc" and see the result printed on the screen. This patch implements this behavior by making optional the second argument of fc_sort. [1] commit 36e2216f8 of contrib repository, http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=36e2216f82192660d063012e69281f27ba20864b --- support/fc_sort.c | 20 +--- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/support/fc_sort.c b/support/fc_sort.c index 5aed783..6dc59af 100644 --- a/support/fc_sort.c +++ b/support/fc_sort.c @@ -328,13 +328,13 @@ int main(int argc, char *argv[]) /* Check for the correct number of command line arguments. */ - if (argc != 3) { - fprintf(stderr, "Usage: %s \n",argv[0]); + if (argc < 2 || argc > 3) { + fprintf(stderr, "Usage: %s []\n",argv[0]); return 1; } input_name = argv[1]; - output_name = argv[2]; + output_name = (argc >= 3) ? argv[2] : NULL; i = j = lines = 0; @@ -526,9 +526,13 @@ int main(int argc, char *argv[]) fc_merge_sort(master); /* Open the output file. */ - if (!(out_file = fopen(output_name, "w"))) { - printf("Error: failure opening output file for write.\n"); - return -1; + if (output_name) { + if (!(out_file = fopen(output_name, "w"))) { + printf("Error: failure opening output file for write.\n"); + return -1; + } + } else { + out_file = stdout; } /* Output the sorted file_context linked list to the output file. */ 
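Review bot: With stdout now doubling as the data channel when no outfile is given, diagnostics written with `printf` land in the same stream as the sorted file contexts; the error in the second hunk, `printf("Error: failure opening output file for write.\n");`, only fires when an outfile was named, but the usage path in the first hunk already uses `fprintf(stderr, ...)`, so `fprintf(stderr, "Error: failure opening output file for write.\n");` keeps the two consistent, and any other printf-based error path in main (outside these hunks) should be moved to stderr for the same reason. The usage string shows here as `"Usage: %s []\n"`, which looks like the infile/outfile placeholders were stripped in transit; worth confirming the source still reads `"Usage: %s <infile> [<outfile>]\n"` or similar. main starts before the first hunk and the stdout branch is closed out in the third hunk, which correctly skips fclose for stdout.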
@@ -555,7 +559,9 @@ int main(int argc, char *argv[])
 }
 free(master);
- fclose(out_file);
+ if (output_name) {
+ fclose(out_file);
+ }
 return 0;
 }
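Review bot: Skipping `fclose()` on the stdout path means a write error to stdout is never detected, and on the file path the `fclose()` return value is still ignored, so a full disk or closed pipe yields exit status 0 with truncated output; flush and check before the conditional close: `if (fflush(out_file) != 0 || ferror(out_file)) return 1;`. main() begins well before this hunk.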
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
commit: 1a9ac1b5f5f82b586e7879f51670b61ee93757bd
Author: Nicolas Iooss m4x org>
AuthorDate: Sun Mar 23 21:20:22 2014 +
Commit: Sven Vermeulen gentoo org>
CommitDate: Tue Apr 8 15:20:51 2014 +
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=1a9ac1b5

userdomain: no longer allow unprivileged users to read kernel symbols

Unprivileged users don't need to read kallsyms and /boot/System.map. This allow rule was introduced in the initial revision of userdomain.if in 2005, with commit b16c6b8c32a631a2e66265f6f60b664222760972:
# cjp: why?
bootloader_read_kernel_symbol_table($1_t)

--- policy/modules/system/userdomain.if | 2 --
1 file changed, 2 deletions(-)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 9aeac69..822e21f 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1030,8 +1030,6 @@ template(`userdom_unpriv_user_template', `
 corenet_tcp_bind_xserver_port($1_t)
 files_exec_usr_files($1_t)
- # cjp: why?
- files_read_kernel_symbol_table($1_t)
 ifndef(`enable_mls',`
 fs_exec_noxattr($1_t)
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
commit: 1e38c79a38749e559fd12eeddd14eda3ae6ebb8c
Author: Sven Vermeulen siphos be>
AuthorDate: Sun Mar 30 14:09:12 2014 +
Commit: Sven Vermeulen gentoo org>
CommitDate: Tue Apr 8 15:55:01 2014 +
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=1e38c79a

dnsmasq reads MTU sysctl

The dnsmasq application reads in the value of the /proc/sys/net/ipv6/conf/*/mtu values. This is confirmed through looking at the source code of dnsmasq, in src/radv.c.

Signed-off-by: Sven Vermeulen siphos.be>

--- policy/modules/contrib/dnsmasq.te | 1 +
1 file changed, 1 insertion(+)

diff --git a/policy/modules/contrib/dnsmasq.te b/policy/modules/contrib/dnsmasq.te
index f1fdee0..7027424 100644
--- a/policy/modules/contrib/dnsmasq.te
+++ b/policy/modules/contrib/dnsmasq.te
@@ -52,6 +52,7 @@ manage_files_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t)
 files_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file })
 kernel_read_kernel_sysctls(dnsmasq_t)
+kernel_read_net_sysctls(dnsmasq_t)
 kernel_read_network_state(dnsmasq_t)
 kernel_read_system_state(dnsmasq_t)
 kernel_request_load_module(dnsmasq_t)
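Review bot: `kernel_read_net_sysctls(dnsmasq_t)` grants read access to everything labeled sysctl_net_t, while the commit message justifies it with a single path family read by src/radv.c; a comment on the new line keeps that justification next to the rule so a later reviewer can judge whether the broader grant is still warranted: `# radv.c reads /proc/sys/net/ipv6/conf/*/mtu`.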
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
commit: d534fb609483e7e649c328a80e9cc1ff64f7844d
Author: Chris PeBenito tresys com>
AuthorDate: Fri Apr 4 19:11:51 2014 +
Commit: Sven Vermeulen gentoo org>
CommitDate: Tue Apr 8 15:54:52 2014 +
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=d534fb60

Whitespace fix in shibboleth.te.

--- policy/modules/contrib/shibboleth.te | 3 ---
1 file changed, 3 deletions(-)

diff --git a/policy/modules/contrib/shibboleth.te b/policy/modules/contrib/shibboleth.te
index d1f4212..e59de3e 100644
--- a/policy/modules/contrib/shibboleth.te
+++ b/policy/modules/contrib/shibboleth.te
@@ -41,7 +41,6 @@ manage_files_pattern(shibboleth_t, shibboleth_log_t, shibboleth_log_t)
 manage_files_pattern(shibboleth_t, shibboleth_var_run_t, shibboleth_var_run_t)
 manage_sock_files_pattern(shibboleth_t, shibboleth_var_run_t, shibboleth_var_run_t)
-
 corenet_all_recvfrom_netlabel(shibboleth_t)
 corenet_all_recvfrom_unlabeled(shibboleth_t)
 corenet_tcp_connect_http_port(shibboleth_t)
@@ -61,7 +60,6 @@ term_dontaudit_search_ptys(shibboleth_t)
 term_dontaudit_use_all_ptys(shibboleth_t)
 term_dontaudit_use_all_ttys(shibboleth_t)
-
 logging_log_filetrans(shibboleth_t, shibboleth_log_t, { file dir })
 logging_send_syslog_msg(shibboleth_t)
@@ -69,7 +67,6 @@ miscfiles_read_localization(shibboleth_t)
 sysnet_dns_name_resolve(shibboleth_t)
-
 # permissions for the configuration files
 # there is shared information between apache and shibboleth, e.g., certificates
 apache_read_config(shibboleth_t)
[gentoo-commits] proj/hardened-refpolicy:master commit in: support/
commit: 0ec7241b0d77111ca2d105bc2c38a85ba6cef4f2
Author: Nicolas Iooss m4x org>
AuthorDate: Sun Mar 23 21:01:37 2014 +
Commit: Sven Vermeulen gentoo org>
CommitDate: Tue Apr 8 15:20:45 2014 +
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=0ec7241b

fc_sort: fix typos in comments

--- support/fc_sort.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/support/fc_sort.c b/support/fc_sort.c
index e03ef3b..29e2ce9 100644
--- a/support/fc_sort.c
+++ b/support/fc_sort.c
@@ -81,7 +81,7 @@ typedef struct file_context_bucket {
 * -> a is less specific than b.
 * If a's string length is shorter than b's string length,
 * -> a is less specific than b.
- * If a does not have a specified type and b does not,
+ * If a does not have a specified type and b does,
 * -> a is less specific than b.
 */
 int fc_compare(file_context_node_t *a, file_context_node_t *b)
@@ -496,7 +496,7 @@ int main(int argc, char *argv[])
 bcurrent->data = current;
 current = current->next;
- /* Detatch the node in the bucket from the old list. */
+ /* Detach the node in the bucket from the old list. */
 bcurrent->data->next = NULL;
 /* If there should be another bucket, put one at the end. */
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
commit: c2b4cb85ee37e4ae38214ccffea6f477915bf360
Author: Chris PeBenito tresys com>
AuthorDate: Fri Apr 4 20:09:30 2014 +
Commit: Sven Vermeulen gentoo org>
CommitDate: Tue Apr 8 15:25:58 2014 +
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=c2b4cb85

Module version bump for 2 Gentoo patches from Sven Vermeulen.

--- policy/modules/kernel/devices.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 948b064..ba79da9 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,4 +1,4 @@
-policy_module(devices, 1.16.0)
+policy_module(devices, 1.16.1)
 #
[gentoo-commits] proj/hardened-refpolicy:master commit in: support/
commit: 2b3ad3e102a5932ca54db3276cabc35a744b33ea
Author: Nicolas Iooss m4x org>
AuthorDate: Sun Mar 23 21:01:38 2014 +
Commit: Sven Vermeulen gentoo org>
CommitDate: Tue Apr 8 15:20:48 2014 +
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=2b3ad3e1

fc_sort: initialize allocated memory to fix execution on an empty file

When running fc_sort on an empty context file, this program uses uninitialized pointers when accessing to the elements of a list. On my system, it goes in a very long loop (maybe infinite) because uninitialized fields in malloc'ed structures happen to contain valid pointers in the heap. This patch fixes this bug by initializing ->next and ->data fields before they may be read.

--- support/fc_sort.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/support/fc_sort.c b/support/fc_sort.c
index 29e2ce9..5aed783 100644
--- a/support/fc_sort.c
+++ b/support/fc_sort.c
@@ -346,6 +346,7 @@ int main(int argc, char *argv[])
 /* Initialize the head of the linked list. */
 head = current = (file_context_node_t*)malloc(sizeof(file_context_node_t));
+ head->next = NULL;
 /* Parse the file into a file_context linked list. */
 line_buf = NULL;
@@ -489,6 +490,8 @@ int main(int argc, char *argv[])
 bcurrent = master = (file_context_bucket_t *)
 malloc(sizeof(file_context_bucket_t));
+ bcurrent->next = NULL;
+ bcurrent->data = NULL;
 /* Go until all the nodes have been put in individual buckets. */
 while (current) {
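Review bot: `head->next = NULL;` in the first hunk and `bcurrent->next = NULL;` in the second dereference the result of `malloc()` without a NULL check, so an allocation failure now faults on the new line instead of somewhere later; either test the pointer first or allocate with `calloc(1, sizeof(file_context_node_t))` (and likewise for the bucket), which also zeroes every other field of the struct rather than only the two this patch names. Both hunks are inside main(), which begins and ends outside them.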
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
commit: cf6444b17f433683e92dc5f94814896bf0c6a34b Author: Martin Lang automata rwth-aachen de> AuthorDate: Sat Mar 15 13:29:46 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Tue Apr 8 15:54:46 2014 + URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=cf6444b1 Add a policy module for shibboleth authentication Signed-off-by: Martin Lang automata.rwth-aachen.de> --- policy/modules/contrib/apache.te | 5 +++ policy/modules/contrib/shibboleth.fc | 6 +++ policy/modules/contrib/shibboleth.if | 40 +++ policy/modules/contrib/shibboleth.te | 75 4 files changed, 126 insertions(+) diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te index 102d5a8..32f9251 100644 --- a/policy/modules/contrib/apache.te +++ b/policy/modules/contrib/apache.te @@ -867,6 +867,11 @@ optional_policy(` ') optional_policy(` + shibboleth_read_config(httpd_t) + shibboleth_stream_connect(httpd_t) +') + +optional_policy(` smokeping_read_lib_files(httpd_t) ') diff --git a/policy/modules/contrib/shibboleth.fc b/policy/modules/contrib/shibboleth.fc new file mode 100644 index 000..a0b9626 --- /dev/null +++ b/policy/modules/contrib/shibboleth.fc @@ -0,0 +1,6 @@ +/etc/shibboleth(/.*)? gen_context(system_u:object_r:shibboleth_etc_t,s0) + +/usr/sbin/shibd-- gen_context(system_u:object_r:shibboleth_exec_t,s0) + +/var/log/shibboleth(/.*)? gen_context(system_u:object_r:shibboleth_log_t,s0) +/var/run/shibboleth(/.*)? gen_context(system_u:object_r:shibboleth_var_run_t,s0) diff --git a/policy/modules/contrib/shibboleth.if b/policy/modules/contrib/shibboleth.if new file mode 100644 index 000..4a3ba02 --- /dev/null +++ b/policy/modules/contrib/shibboleth.if 
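Review bot: In the shibboleth.fc hunk the daemon entry reads `/usr/sbin/shibd-- gen_context(system_u:object_r:shibboleth_exec_t,s0)` with no whitespace before the `--` file-type field; file_contexts fields are whitespace-separated, so if that is how the line was committed rather than an artifact of this listing, the `--` would be parsed as part of the regex and shibd would not receive shibboleth_exec_t, which in turn would break the init_daemon_domain transition declared in shibboleth.te. Worth checking the committed line against the other entries in the same file, which do have the separator.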
@@ -0,0 +1,40 @@ +## Shibboleth authentication deamon + + +## +## Allow your application domain to access +## config files from shibboleth +## +## +## +## The domain which should be enabled. +## +## +# +interface(`shibboleth_read_config',` + gen_require(` + type shibboleth_etc_t; + ') + + read_files_pattern($1, shibboleth_etc_t, shibboleth_etc_t) +') + + +## +## Allow the specified domain to connect to shibboleth with a unix socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`shibboleth_stream_connect',` + gen_require(` + type shibboleth_t; + type shibboleth_var_run_t; + ') + + stream_connect_pattern($1, shibboleth_var_run_t, shibboleth_var_run_t, shibboleth_t) + files_search_pids($1) +') diff --git a/policy/modules/contrib/shibboleth.te b/policy/modules/contrib/shibboleth.te new file mode 100644 index 000..d1f4212 --- /dev/null +++ b/policy/modules/contrib/shibboleth.te 
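Review bot: `shibboleth_read_config` grants only `read_files_pattern($1, shibboleth_etc_t, shibboleth_etc_t)`, whereas the daemon's own rules in shibboleth.te also use `read_lnk_files_pattern` on the same type, so a caller such as httpd_t will fail on any symlinked configuration file and must already be able to search /etc on its own; the interface should mirror the daemon: `files_search_etc($1)` and `read_lnk_files_pattern($1, shibboleth_etc_t, shibboleth_etc_t)`. The module summary also misspells `deamon` for `daemon`, and "Allow your application domain" would read better as "Allow the specified domain" to match the second interface.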
@@ -0,0 +1,75 @@ +policy_module(shibboleth, 2.0.0) + + +# +# Declarations +# + +type shibboleth_t; +type shibboleth_exec_t; +init_daemon_domain(shibboleth_t, shibboleth_exec_t) + +type shibboleth_etc_t; +files_config_file(shibboleth_etc_t) + +type shibboleth_log_t; +logging_log_file(shibboleth_log_t) + +type shibboleth_var_run_t; +files_pid_file(shibboleth_var_run_t) +init_daemon_run_dir(shibboleth_var_run_t, "shibboleth") + + +# +# Local policy +# + +allow shibboleth_t self:process { signal_perms }; + +# networking: +# shibboleth uses tcp sockets for connecting to central +# authentication server and unix stream sockets +# to exchange information with the apache module +allow shibboleth_t self:unix_stream_socket create_stream_socket_perms; +allow shibboleth_t self:tcp_socket create_stream_socket_perms; + +read_files_pattern(shibboleth_t, shibboleth_etc_t, shibboleth_etc_t) +read_lnk_files_pattern(shibboleth_t, shibboleth_etc_t, shibboleth_etc_t) + +manage_files_pattern(shibboleth_t, shibboleth_log_t, shibboleth_log_t) + +manage_files_pattern(shibboleth_t, shibboleth_var_run_t, shibboleth_var_run_t) +manage_sock_files_pattern(shibboleth_t, shibboleth_var_run_t, shibboleth_var_run_t) + + +corenet_all_recvfrom_netlabel(shibboleth_t) +corenet_all_recvfrom_unlabeled(shibboleth_t) +corenet_tcp_connect_http_port(shibboleth_t) +corenet_tcp_sendrecv_all_ports(shibboleth_t) +corenet_tcp_sendrecv_generic_if(shibboleth_t) +corenet_tcp_sendrecv_generic_node(shibboleth_t) + +dev_read_urand(shibboleth_t) + +domain_dontaudit_use_interactive_fds(shibboleth_t) + +files_read_etc_files(shibboleth_t) +files_read_usr_files(shibboleth_t) +files_search_etc(shibboleth_t) + +term_dontaudit_search_ptys(shibboleth_t) +term_dontaudit_use_all_ptys(shibboleth_t) +term_dontaudit_use_all_ttys(shibboleth_t) + + +logging_log_filetrans(shibbo
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
commit: b3140630d8a0db7bbb7faa0cc074f1ac6034bd7b
Author: Chris PeBenito tresys com>
AuthorDate: Fri Apr 4 20:18:45 2014 +
Commit: Sven Vermeulen gentoo org>
CommitDate: Tue Apr 8 15:55:03 2014 +
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b3140630

Module version bump for dnsmasq MTU fix from Sven Vermeulen.

--- policy/modules/contrib/dnsmasq.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/contrib/dnsmasq.te b/policy/modules/contrib/dnsmasq.te
index 7027424..4abe6bf 100644
--- a/policy/modules/contrib/dnsmasq.te
+++ b/policy/modules/contrib/dnsmasq.te
@@ -1,4 +1,4 @@
-policy_module(dnsmasq, 1.11.0)
+policy_module(dnsmasq, 1.11.1)
 #
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
commit: 891859b30d8ed3a32c815c1fa2648cbe4109d899 Author: Sven Vermeulen siphos be> AuthorDate: Tue Mar 25 20:30:06 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Tue Apr 8 15:25:15 2014 + URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=891859b3 Support /sys/devices/system/cpu/online In glibc, the get_nprocs method reads /sys/devices/system/cpu/online, so we need to grant most domains read access to this file. As we don't want them to have read access on sysfs_t by default, create a new type (cpu_online_t) and assign it to the file, and grant domains read access to the file. This does require systems to relabel the file upon every boot, something distributions do in their bootup scripts, as /sys devices don't keep their context. Signed-off-by: Sven Vermeulen siphos.be> --- policy/modules/kernel/devices.fc | 1 + policy/modules/kernel/devices.if | 31 --- policy/modules/kernel/devices.te | 7 +++ policy/modules/kernel/domain.te | 3 ++- 4 files changed, 26 insertions(+), 16 deletions(-) diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc index 5bf5ef2..053cfa7 100644 --- a/policy/modules/kernel/devices.fc +++ b/policy/modules/kernel/devices.fc @@ -199,6 +199,7 @@ ifdef(`distro_debian',` /lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) /sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0) +/sys/devices/system/cpu/online -- gen_context(system_u:object_r:cpu_online_t,s0) ifdef(`distro_redhat',` # originally from named.fc diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if index 41eb2ca..56dd021 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if 
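Review bot: The commit message explains that sysfs does not persist labels and that `/sys/devices/system/cpu/online` must be relabeled on every boot, but the devices.fc entry itself carries none of that, so a reader of the file cannot tell why the `/sys(/.*)?` catch-all is followed by a single-file override that is ineffective until something relabels it; a comment above the new line, `# relabeled at boot by the distribution init scripts; sysfs does not keep contexts`, keeps the rationale where it is needed. The devices.te hunk header comment calls cpu_online_t a "device", but the type is declared with `files_type` and `dev_associate_sysfs`, so `# /sys/devices/system/cpu/online sysfs file` describes it more accurately.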
@@ -4929,48 +4929,49 @@ interface(`dev_create_zero_dev',` ## -## Unconfined access to devices. +## Read cpu online hardware state information ## +## +## +## Allow the specified domain to read /sys/devices/system/cpu/online +## +## ## ## ## Domain allowed access. ## ## # -interface(`dev_unconfined',` +interface(`dev_read_cpu_online',` gen_require(` - attribute devices_unconfined_type; + type cpu_online_t; ') - typeattribute $1 devices_unconfined_type; + dev_search_sysfs($1) + read_files_pattern($1, cpu_online_t, cpu_online_t) ') -# We cannot use ifdef distro_gentoo for interfaces ## -## Read cpu online hardware state information. +## Unconfined access to devices. ## -## -## -## Allow the specified domain to read /sys/devices/system/cpu/online file. -## -## ## ## ## Domain allowed access. ## ## # -interface(`dev_read_cpu_online',` +interface(`dev_unconfined',` gen_require(` - type cpu_online_t; + attribute devices_unconfined_type; ') - dev_search_sysfs($1) - read_files_pattern($1, cpu_online_t, cpu_online_t) + typeattribute $1 devices_unconfined_type; ') +# We cannot use ifdef distro_gentoo for interfaces + ## ## Relabel cpu online hardware state information. diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te index 14c178e..948b064 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -60,6 +60,13 @@ type cpu_device_t; dev_node(cpu_device_t) # +# /sys/devices/system/cpu/online device +# +type cpu_online_t; +files_type(cpu_online_t) +dev_associate_sysfs(cpu_online_t) + +# # Type for /dev/crash # type crash_device_t; diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te index ea5cdee..4af7dbd 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -1,4 +1,4 @@ -policy_module(domain, 1.11.0) +policy_module(domain, 1.11.1) # 
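Review bot: The relocated `dev_read_cpu_online` still calls `dev_search_sysfs($1)`, so besides reading cpu_online_t it grants search on sysfs_t directories, and the domain.te hunk in this same commit applies it to the whole `domain` attribute; the interface's `<desc>` should state that side effect, e.g. `This also allows searching sysfs_t directories to reach the file.`, so the grant is visible to anyone reviewing per-domain sysfs exposure. The `# We cannot use ifdef distro_gentoo for interfaces` comment now sits after `dev_unconfined` with nothing it visibly refers to; if it is meant to cover the cpu_online interfaces that remain below it, it should say so.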
@@ -98,6 +98,7 @@ allow domain self:process { fork sigchld };
 # glibc get_nprocs requires read access to /sys/devices/system/cpu/online
 dev_read_cpu_online(domain)
+
 # Use trusted objects in /dev
 dev_rw_null(domain)
 dev_rw_zero(domain)
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/, policy/modules/admin/
commit: 606ce20297b1815ca6ea395c19c0471fdad55d46 Author: Sven Vermeulen siphos be> AuthorDate: Tue Apr 8 15:54:11 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Tue Apr 8 15:54:11 2014 + URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=606ce202 Remove merged code, reshuffle gentoo specific ones --- policy/modules/admin/sudo.if| 5 -- policy/modules/kernel/devices.fc| 4 - policy/modules/kernel/devices.if| 155 ++-- policy/modules/system/userdomain.if | 40 +- 4 files changed, 99 insertions(+), 105 deletions(-) diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if index 07e5db8..d9114b3 100644 --- a/policy/modules/admin/sudo.if +++ b/policy/modules/admin/sudo.if @@ -160,11 +160,6 @@ template(`sudo_role_template',` fprintd_dbus_chat($1_sudo_t) ') - ifdef(`distro_gentoo',` - # Massive amount of getattr denials but no mention in logs or functional issues, so dontaudit it - term_dontaudit_getattr_unallocated_ttys($1_sudo_t) - ') - ') diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc index 053cfa7..d6ebfcd 100644 --- a/policy/modules/kernel/devices.fc +++ b/policy/modules/kernel/devices.fc @@ -208,7 +208,3 @@ ifdef(`distro_redhat',` /var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0) /var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0) ') - -ifdef(`distro_gentoo',` -/sys/devices/system/cpu/online -- gen_context(system_u:object_r:cpu_online_t,s0) -') diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if index 56dd021..8c14b43 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if 
@@ -588,25 +588,6 @@ interface(`dev_dontaudit_setattr_generic_chr_files',` ## -## Setattr for generic character device files. -## -## -## -## Domain allowed access -## -## -# -interface(`dev_setattr_generic_chr_files',` - gen_require(` - type device_t; - ') - - allow $1 device_t:chr_file setattr; -') - - - -## ## Read generic character device files. ## ## @@ -3856,42 +3837,6 @@ interface(`dev_manage_smartcard',` ## -## Get the attributes of sysfs filesystem -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_getattr_sysfs_fs',` - gen_require(` - type sysfs_t; - ') - - allow $1 sysfs_t:filesystem getattr; -') - - -## -## Do not audit getting the attributes of sysfs filesystem -## -## -## -## Domain to dontaudit access from -## -## -# -interface(`dev_dontaudit_getattr_sysfs_fs',` - gen_require(` - type sysfs_t; - ') - - dontaudit $1 sysfs_t:filesystem getattr; -') - - -## ## Associate a file to a sysfs filesystem. ## ## @@ -4038,26 +3983,6 @@ interface(`dev_manage_sysfs_dirs',` ## -## Dont audit attempts to read hardware state information -## -## -## -## Domain for which the attempts do not need to be audited -## -## -# -interface(`dev_dontaudit_read_sysfs',` - gen_require(` - type sysfs_t; - ') - - dontaudit $1 sysfs_t:file read_file_perms; - dontaudit $1 sysfs_t:dir list_dir_perms; - dontaudit $1 sysfs_t:lnk_file read_lnk_file_perms; -') - - -## ## Read hardware state information. ## ## @@ -4947,11 +4872,11 @@ interface(`dev_read_cpu_online',` type cpu_online_t; ') + allow $1 cpu_online_t:file read_file_perms; + dev_search_sysfs($1) - read_files_pattern($1, cpu_online_t, cpu_online_t) ') - ## ## Unconfined access to devices. 
@@ -4974,6 +4899,82 @@ interface(`dev_unconfined',` ## +## Dont audit attempts to read hardware state information +## +## +## +## Domain for which the attempts do not need to be audited +## +## +# +interface(`dev_dontaudit_read_sysfs',` + gen_require(` + type sysfs_t; + ') + + dontaudit $1 sysfs_t:file read_file_perms; + dontaudit $1 sysfs_t:dir list_dir_perms; + dontaudit $1 sysfs_t:lnk_file read_lnk_file_perms; +') + +###
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
commit: 433013d235557841904f9217fc2705b50013191a
Author: Chris PeBenito tresys com>
AuthorDate: Fri Apr 4 20:25:02 2014 +
Commit: Sven Vermeulen gentoo org>
CommitDate: Tue Apr 8 15:55:10 2014 +
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=433013d2

Module version bump for apache content interfaces from Sven Vermeulen.

--- policy/modules/contrib/apache.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index ba6b285..69fa4b7 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -1,4 +1,4 @@
-policy_module(apache, 2.8.1)
+policy_module(apache, 2.8.2)
 #
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
commit: 9fea8be50eaffaab464c2138945673f5a0117207
Author: Chris PeBenito tresys com>
AuthorDate: Fri Apr 4 19:15:56 2014 +
Commit: Sven Vermeulen gentoo org>
CommitDate: Tue Apr 8 15:54:59 2014 +
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=9fea8be5

Module version bump for apt fix from Nicolas Iooss.

--- policy/modules/contrib/apt.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/contrib/apt.te b/policy/modules/contrib/apt.te
index 6b2f022..c2b7ad1 100644
--- a/policy/modules/contrib/apt.te
+++ b/policy/modules/contrib/apt.te
@@ -1,4 +1,4 @@
-policy_module(apt, 1.9.0)
+policy_module(apt, 1.9.1)
 #
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
commit: a613b96aa77e7fb576408a71335844d6005ad4b0
Author: Nicolas Iooss m4x org>
AuthorDate: Sat Mar 15 17:13:11 2014 +
Commit: Sven Vermeulen gentoo org>
CommitDate: Tue Apr 8 15:54:57 2014 +
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=a613b96a

apt: remove non-existing permission set write_dir_perms

write_dir_perms doesn't exist in policy/support/obj_perm_sets.spt so this patch removes the buggy dontaudit statement from apt_read_cache.

--- policy/modules/contrib/apt.if | 1 -
1 file changed, 1 deletion(-)

diff --git a/policy/modules/contrib/apt.if b/policy/modules/contrib/apt.if
index cde81d2..0a1bc49 100644
--- a/policy/modules/contrib/apt.if
+++ b/policy/modules/contrib/apt.if
@@ -171,7 +171,6 @@ interface(`apt_read_cache',`
 files_search_var($1)
 allow $1 apt_var_cache_t:dir list_dir_perms;
- dontaudit $1 apt_var_cache_t:dir write_dir_perms;
 allow $1 apt_var_cache_t:file read_file_perms;
 ')
[gentoo-commits] proj/hardened-refpolicy:master commit in: gentoo/
commit: 73b4bd3cdcdf2c6c66f1c4f17f2ba2d708831bf7
Author: Sven Vermeulen siphos be>
AuthorDate: Tue Apr 8 16:01:39 2014 +
Commit: Sven Vermeulen gentoo org>
CommitDate: Tue Apr 8 16:01:39 2014 +
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=73b4bd3c

Update with current points

--- gentoo/STATE | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gentoo/STATE b/gentoo/STATE
index aec863f..b0c8b06 100644
--- a/gentoo/STATE
+++ b/gentoo/STATE
@@ -1,2 +1,2 @@
-contrib is at d2432997254355840aa785bef0ac989e298fea04
-master is at a10930fe7cdfcf03af050ba990534df04a99fd6f
+contrib is at 7846ae1b40c6de281c59d409aca3f480e83bdc3d
+master is at 2a8d47d7b1b06f1427106a64e7b5a6ede8f63197
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
commit: 74463625f2bf9c3ecb3904207fccb0a6140f7bda Author: Sven Vermeulen siphos be> AuthorDate: Tue Apr 8 16:00:54 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Tue Apr 8 16:00:54 2014 + URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=74463625 Remove merged code --- policy/modules/contrib/apache.if | 133 -- policy/modules/contrib/dnsmasq.te | 10 --- 2 files changed, 143 deletions(-) diff --git a/policy/modules/contrib/apache.if b/policy/modules/contrib/apache.if index 1a07241..717c6f7 100644 --- a/policy/modules/contrib/apache.if +++ b/policy/modules/contrib/apache.if @@ -83,17 +83,6 @@ template(`apache_content_template',` allow { httpd_t httpd_suexec_t } { httpd_$1_content_t httpd_$1_htaccess_t }:file read_file_perms; allow { httpd_t httpd_suexec_t } httpd_$1_content_t:lnk_file read_lnk_file_perms; - ifdef(`distro_gentoo',` - gen_require(` - attribute httpd_rw_content; - attribute httpd_ra_content; - type httpd_log_t; - ') - - typeattribute httpd_$1_rw_content_t httpd_rw_content; - typeattribute httpd_$1_ra_content_t httpd_ra_content; - ') - tunable_policy(`allow_httpd_$1_script_anon_write',` miscfiles_manage_public_files(httpd_$1_script_t) ') 
@@ -1357,125 +1346,3 @@ interface(`apache_admin',` apache_run_all_scripts($1, $2) apache_run_helper($1, $2) ') - - -## -## Read all appendable content. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`apache_read_all_ra_content',` - gen_require(` - attribute httpd_ra_content; - ') - - read_files_pattern($1, httpd_ra_content, httpd_ra_content) - read_lnk_files_pattern($1, httpd_ra_content, httpd_ra_content) -') - - -## -## Append to all appendable web content files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`apache_append_all_ra_content',` - gen_require(` - attribute httpd_ra_content; - ') - - apache_search_all_content($1) - append_files_pattern($1, httpd_ra_content, httpd_ra_content) -') - - -## -## Read all read/write content. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`apache_read_all_rw_content',` - gen_require(` - attribute httpd_rw_content; - ') - - read_files_pattern($1, httpd_rw_content, httpd_rw_content) - read_lnk_files_pattern($1, httpd_rw_content, httpd_rw_content) -') - - -## -## Manage all read/write content. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`apache_manage_all_rw_content',` - gen_require(` - attribute httpd_rw_content; - ') - - manage_dirs_pattern($1, httpd_rw_content, httpd_rw_content) - manage_files_pattern($1, httpd_rw_content, httpd_rw_content) - manage_lnk_files_pattern($1, httpd_rw_content, httpd_rw_content) -') - - -## -## Read all web content. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`apache_read_all_content',` - gen_require(` - attribute httpdcontent, httpd_script_exec_type; - ') - - read_files_pattern($1, httpdcontent, httpdcontent) - read_lnk_files_pattern($1, httpdcontent, httpdcontent) - - read_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type) - read_lnk_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type) -') - - -## -## Search all apache content. -## -## -## -## Domain allowed access. 
-## -## -# -interface(`apache_search_all_content',` - gen_require(` - attribute httpdcontent; - ') - - allow $1 httpdcontent:dir search_dir_perms; -') diff --git a/policy/modules/contrib/dnsmasq.te b/policy/modules/contrib/dnsmasq.te index 4abe6bf..e286965 100644 --- a/policy/modules/contrib/dnsmasq.te +++ b/policy/modules/contrib/dnsmasq.te @@ -128,13 +128,3 @@ optional_policy(` virt_read_pid_files(dnsmasq_t) virt_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file }) ') - -ifdef(`distro_gentoo',` - - # - # dnsmasq_t policy - # - - - kernel_read_net_sysctls(dnsmasq_t) -')
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
commit: 6f89ead94bb14f55eca319a101c791159faa9739
Author: Sven Vermeulen siphos be>
AuthorDate: Tue Mar 25 20:30:04 2014 +
Commit: Sven Vermeulen gentoo org>
CommitDate: Tue Apr 8 15:20:56 2014 +
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=6f89ead9

Hide getattr denials upon sudo invocation

When sudo is invoked (sudo -i) the audit log gets quite a lot of denials related to the getattr permission against tty_device_t:chr_file for the *_sudo_t domain. However, no additional logging (that would hint at a need) by sudo, nor any functional issues come up. Hence the dontaudit call.

Signed-off-by: Sven Vermeulen siphos.be>

--- policy/modules/admin/sudo.if | 1 +
1 file changed, 1 insertion(+)

diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index 4bb2245..07e5db8 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -110,6 +110,7 @@ template(`sudo_role_template',`
 selinux_compute_relabel_context($1_sudo_t)
 term_getattr_pty_fs($1_sudo_t)
+ term_dontaudit_getattr_unallocated_ttys($1_sudo_t)
 term_relabel_all_ttys($1_sudo_t)
 term_relabel_all_ptys($1_sudo_t)
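Review bot: `term_dontaudit_getattr_unallocated_ttys($1_sudo_t)` is added without a comment, and a dontaudit silences that access for every `*_sudo_t` derivation the template produces, so the reason should live next to the rule rather than only in the commit message; the Gentoo-branch version of this line carried one and upstream should too: `# many getattr denials on tty_device_t with no functional impact or sudo log hint; dontaudit`. sudo_role_template begins and ends outside the hunk.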
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
commit: 14231a7ebe8835d31adfb73f97d3b168fb30e567
Author: Chris PeBenito tresys com>
AuthorDate: Fri Apr 4 19:12:48 2014 +
Commit: Sven Vermeulen gentoo org>
CommitDate: Tue Apr 8 15:54:54 2014 +
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=14231a7e

Module version bump for new shibboleth module from Martin Lang. Reduces shibboleth to 1.0.0, as it is the initial refpolicy version.

--- policy/modules/contrib/apache.te | 2 +-
policy/modules/contrib/shibboleth.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index 32f9251..de61615 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -1,4 +1,4 @@
-policy_module(apache, 2.8.0)
+policy_module(apache, 2.8.1)
 #
diff --git a/policy/modules/contrib/shibboleth.te b/policy/modules/contrib/shibboleth.te
index e59de3e..63950ea 100644
--- a/policy/modules/contrib/shibboleth.te
+++ b/policy/modules/contrib/shibboleth.te
@@ -1,4 +1,4 @@
-policy_module(shibboleth, 2.0.0)
+policy_module(shibboleth, 1.0.0)
 #
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
commit: bf28162c411a83bb8d14ca0b70dcc6ece418c095
Author: Chris PeBenito tresys com>
AuthorDate: Fri Apr 4 19:53:32 2014 +
Commit: Sven Vermeulen gentoo org>
CommitDate: Tue Apr 8 15:20:52 2014 +
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=bf28162c

Module version bump for userdomain kernel symbol table fix from Nicolas Iooss.

--- policy/modules/system/userdomain.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index c85e4d6..43ec88f 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,4 +1,4 @@
-policy_module(userdomain, 4.10.0)
+policy_module(userdomain, 4.10.1)
 #
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
commit: 39cc094a67628edbc6539c8d0b9734de80a6c4a0 Author: Sven Vermeulen siphos be> AuthorDate: Sun Mar 30 14:09:11 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Tue Apr 8 15:55:05 2014 + URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=39cc094a Support read/append/manage functions for various httpd content We make the web content types as defined by the apache module more generic in use so that other domains, who need to interact with these types, can do so without getting too many privileges assigned (like with apache_manage_all_content). Within the apache module, the apache_content_template() allows creation of additional derived types for "apache web content". But this is actually being used to label generic web content, and it creates additional types based on the prefix. When we want to support additional web servers (or parsers used by web servers, such as php-fpm) that do not run within the apache-provided domains, they have a hard time accessing the data. There is currently one interface available (apache_manage_all_content) but that is a lot of privileges for a parser that possibly just needs to read content. In this patch, we create additional attributes (httpd_ra_content for read/append data, and httpd_rw_content for read/write content) and define interfaces to manage the types that have these attributes assigned. This is the result of the discussion of June 2012, which was version 3 of the patchset (I never came to finish up the commit), see also http://oss.tresys.com/pipermail/refpolicy/2012-June/005175.html Signed-off-by: Sven Vermeulen siphos.be> --- policy/modules/contrib/apache.if | 120 ++- policy/modules/contrib/apache.te | 3 + 2 files changed, 121 insertions(+), 2 deletions(-) diff --git a/policy/modules/contrib/apache.if b/policy/modules/contrib/apache.if index 655cbe1..1a07241 100644 --- a/policy/modules/contrib/apache.if +++ b/policy/modules/contrib/apache.if 
@@ -15,6 +15,7 @@ template(`apache_content_template',` gen_require(` attribute httpdcontent, httpd_exec_scripts, httpd_script_exec_type; attribute httpd_script_domains, httpd_htaccess_type; + attribute httpd_rw_content, httpd_ra_content; type httpd_t, httpd_suexec_t; ') @@ -48,11 +49,11 @@ template(`apache_content_template',` corecmd_shell_entry_type(httpd_$1_script_t) domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t) - type httpd_$1_rw_content_t, httpdcontent; # customizable + type httpd_$1_rw_content_t, httpdcontent, httpd_rw_content; # customizable typealias httpd_$1_rw_content_t alias { httpd_$1_script_rw_t httpd_$1_content_rw_t }; files_type(httpd_$1_rw_content_t) - type httpd_$1_ra_content_t, httpdcontent; # customizable + type httpd_$1_ra_content_t, httpdcontent, httpd_ra_content; # customizable typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t }; files_type(httpd_$1_ra_content_t) 
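Review bot: The `# customizable` comment on the two rewritten `type` lines now also covers membership in `httpd_rw_content` / `httpd_ra_content`, but nothing in the template says that this membership is what exposes each instantiated type to the attribute-wide interfaces. Because every `apache_content_template()` instance lands in the same attribute, a domain granted the new `apache_manage_all_rw_content()` can manage the read/write content of every prefix, not only the one it serves, which is coarser than the per-prefix type names suggest; that is worth stating beside the declaration, e.g. `# customizable; httpd_rw_content membership exposes this type to apache_*_all_rw_content()`. The interface definitions themselves are in the following hunk, which runs past the end of the view.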
@@ -402,6 +403,121 @@ interface(`apache_dontaudit_rw_tcp_sockets',` ## +## Read all appendable content +## +## +## +## Domain allowed access. +## +## +# +interface(`apache_read_all_ra_content',` + gen_require(` + attribute httpd_ra_content; + ') + + read_files_pattern($1, httpd_ra_content, httpd_ra_content) + read_lnk_files_pattern($1, httpd_ra_content, httpd_ra_content) +') + + +## +## Append to all appendable web content +## +## +## +## Domain allowed access. +## +## +# +interface(`apache_append_all_ra_content',` + gen_require(` + attribute httpd_ra_content; + ') + + append_files_pattern($1, httpd_ra_content, httpd_ra_content) +') + + +## +## Read all read/write content +## +## +## +## Domain allowed access. +## +## +# +interface(`apache_read_all_rw_content',` + gen_require(` + attribute httpd_rw_content; + ') + + read_files_pattern($1, httpd_rw_content, httpd_rw_content) + read_lnk_files_pattern($1, httpd_rw_content, httpd_rw_content) +') + + +## +## Manage all read/write content +## +## +## +## Domain allowed access. +## +## +# +interface(`apache_manage_all_rw_content',` + gen_require(` + attribute httpd_rw_content; + ') + + manage_dirs_pattern($1, httpd_rw_content, httpd_rw_content) + manage_files_pattern($1, httpd_rw_content, httpd_rw_content) + manage_lnk_files_pattern($1, httpd_rw_content, htt
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
commit: 089750c82708d26eb65d01a0f88ee6599d5d1159 Author: Sven Vermeulen siphos be> AuthorDate: Tue Apr 8 16:11:56 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Tue Apr 8 16:11:56 2014 + URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=089750c8 Remove duplicate declaration
---
 policy/modules/kernel/devices.te | 7 ---
 1 file changed, 7 deletions(-)
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index ba79da9..25d28ce 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -328,10 +328,3 @@ files_associate_tmp(device_node)
 allow devices_unconfined_type self:capability sys_rawio;
 allow devices_unconfined_type device_node:{ blk_file chr_file } *;
 allow devices_unconfined_type mtrr_device_t:file *;
-
-ifdef(`distro_gentoo',`
- # Support access to /sys/devices/system/cpu/online
- type cpu_online_t;
- files_type(cpu_online_t)
- dev_associate_sysfs(cpu_online_t)
-')
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
commit: db642f6a500038cd36fd65f4268eb35448805269 Author: Sven Vermeulen siphos be> AuthorDate: Tue Apr 8 17:01:57 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Tue Apr 8 17:01:57 2014 + URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=db642f6a Remove duplicate declarations
---
 policy/modules/contrib/apache.te | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index 69fa4b7..4faa22c 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -1427,9 +1427,6 @@ optional_policy(`
 ')
 ifdef(`distro_gentoo',`
- attribute httpd_ra_content;
- attribute httpd_rw_content;
-
 init_daemon_run_dir(httpd_var_run_t, "apache_ssl_mutex")
 init_daemon_run_dir(httpd_var_run_t, "apache2")
 ')
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
commit: 1d9cedc615b9f486cba8290781abfa238b3133fc Author: Laurent Bigonville bigon be> AuthorDate: Sat Apr 5 18:01:22 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Fri Apr 11 17:48:02 2014 + URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=1d9cedc6 Properly label the manpages installed by postgresql The postgresql manpages are installed under a private directory, some of them are symlinked to the usual location. Properly labeling them ensure that mandb can read them. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=740591
---
 policy/modules/system/miscfiles.fc | 1 +
 1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
index a5337b6..8b48030 100644
--- a/policy/modules/system/miscfiles.fc
+++ b/policy/modules/system/miscfiles.fc
@@ -52,6 +52,7 @@ ifdef(`distro_redhat',`
 /usr/share/ghostscript/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
 /usr/share/locale(/.*)? gen_context(system_u:object_r:locale_t,s0)
 /usr/share/man(/.*)? gen_context(system_u:object_r:man_t,s0)
+/usr/share/postgresql/[^/]*/man(/.*)? gen_context(system_u:object_r:man_t,s0)
 /usr/share/X11/locale(/.*)?gen_context(system_u:object_r:locale_t,s0)
 /usr/share/zoneinfo(/.*)? gen_context(system_u:object_r:locale_t,s0)
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
commit: e5a9a4b6a5a10d11bd8934e6b79da7ff6d88597b Author: Laurent Bigonville bigon be> AuthorDate: Fri Apr 4 20:52:54 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Fri Apr 11 17:47:59 2014 + URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e5a9a4b6 Use new fs_getattr_all_xattr_fs interface for setfiles_t and restorecond_t Use the new fs_getattr_all_xattr_fs() interface to allow setfiles_t and restorecond_t domain to also get the attributes on pseudo-filesystems that support xattr https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=740682
---
 policy/modules/system/selinuxutil.te | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 305ef69..cf0c693 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -332,7 +332,7 @@ kernel_read_system_state(restorecond_t)
 fs_relabelfrom_noxattr_fs(restorecond_t)
 fs_dontaudit_list_nfs(restorecond_t)
-fs_getattr_xattr_fs(restorecond_t)
+fs_getattr_all_xattr_fs(restorecond_t)
 fs_list_inotifyfs(restorecond_t)
 selinux_validate_context(restorecond_t)
@@ -564,7 +564,7 @@ files_relabel_all_files(setfiles_t)
 files_read_usr_symlinks(setfiles_t)
 files_dontaudit_read_all_symlinks(setfiles_t)
-fs_getattr_xattr_fs(setfiles_t)
+fs_getattr_all_xattr_fs(setfiles_t)
 fs_list_all(setfiles_t)
 fs_search_auto_mountpoints(setfiles_t)
 fs_relabelfrom_noxattr_fs(setfiles_t)
[gentoo-commits] proj/hardened-refpolicy:master commit in: gentoo/
commit: 2db34aef1f34c9fcc91aed805fc45b942b269f34 Author: Sven Vermeulen siphos be> AuthorDate: Fri Apr 11 17:47:16 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Fri Apr 11 17:47:16 2014 + URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=2db34aef Merge upstream contrib
---
 gentoo/STATE | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/gentoo/STATE b/gentoo/STATE
index b0c8b06..b37ecc9 100644
--- a/gentoo/STATE
+++ b/gentoo/STATE
@@ -1,2 +1,2 @@
-contrib is at 7846ae1b40c6de281c59d409aca3f480e83bdc3d
+contrib is at b64bdd0a5179447f6c2a30c8081a403ea3816457
 master is at 2a8d47d7b1b06f1427106a64e7b5a6ede8f63197
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
commit: 86a756e52673f5ef0eb6169b7b445ad7de765961 Author: Chris PeBenito tresys com> AuthorDate: Fri Apr 11 13:17:06 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Fri Apr 11 17:46:45 2014 + URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=86a756e5 Module version bump for gitweb fc entry on Debian and ArchLinux from Nicolas Iooss.
---
 policy/modules/contrib/git.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/git.te b/policy/modules/contrib/git.te
index 653392c..42551f9 100644
--- a/policy/modules/contrib/git.te
+++ b/policy/modules/contrib/git.te
@@ -1,4 +1,4 @@
-policy_module(git, 1.4.0)
+policy_module(git, 1.4.1)
 #
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
commit: 03082087c0e7ca8f63e18f125ae24b73ca0c9e1b Author: Laurent Bigonville bigon be> AuthorDate: Fri Apr 4 20:52:52 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Fri Apr 11 17:47:56 2014 + URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=03082087 Create new xattrfs attribute and fs_getattr_all_xattr_fs() interface Create a new attribute and fs_getattr_all_xattr_fs() interface that will be used for all the filesystems that support xattr --- policy/modules/kernel/filesystem.if | 58 + policy/modules/kernel/filesystem.te | 1 + 2 files changed, 59 insertions(+) diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if index e7d05e7..5b80ee2 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -108,6 +108,64 @@ interface(`fs_exec_noxattr',` ## +## Transform specified type into a filesystem +## type which has extended attribute +## support. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_xattr_type',` + gen_require(` + attribute xattrfs; + ') + + fs_type($1) + + typeattribute $1 xattrfs; +') + + +## +## Get the attributes of all the +## filesystems which have extended +## attributes. +## This includes pseudo filesystems. +## +## +## +## Allow the specified domain to +## get the attributes of a filesystems +## which have extended attributes. +## Example attributes: +## +## +## Type of the file system (e.g., tmpfs) +## Size of the file system +## Available space on the file system +## +## +## +## +## Domain allowed access. +## +## +## +## +# +interface(`fs_getattr_all_xattr_fs',` + gen_require(` + attribute xattrfs; + ') + + allow $1 xattrfs:filesystem getattr; +') + + +## ## Mount a persistent filesystem which ## has extended attributes, such as ## ext3, JFS, or XFS. diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te index 0e09942..abaf5c0 100644 --- a/policy/modules/kernel/filesystem.te 
+++ b/policy/modules/kernel/filesystem.te
@@ -8,6 +8,7 @@ policy_module(filesystem, 1.18.0)
 attribute filesystem_type;
 attribute filesystem_unconfined_type;
 attribute noxattrfs;
+attribute xattrfs;
 ##
 #
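Review bot: `attribute xattrfs;` is declared without a comment, while the filesystem.if hunk on the preceding line adds two interfaces whose meaning depends entirely on which types carry it: `fs_xattr_type()` adds a type to the attribute and `fs_getattr_all_xattr_fs()` grants `filesystem getattr` on every member. A one-line comment such as `# filesystems with xattr support; members are stat-able via fs_getattr_all_xattr_fs()` next to the declaration would make that coupling visible, since every later `fs_xattr_type()` call widens what all callers of the getattr interface can see. The permission only exposes statfs-style data (the interface doc lists type, size and free space), so the widening is low-risk, but it should be a deliberate choice each time a type is added.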
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
commit: f04beadc745baa12d14310a2e12757d945d67101 Author: Nicolas Iooss m4x org> AuthorDate: Sat Apr 5 20:37:45 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Fri Apr 11 17:46:46 2014 + URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f04beadc Fix strange file patterns Some file patterns look very strange, like: /var/log/cluster/.*\.*log I've found such patterns while writing a script that parses the file patterns. Hence I haven't tested if the new file contexts apply to the existing files. For example, this patch changes /var/run/*.fingerd\.pid to /var/run/fingerd\.pid because "/*" seems weird to me, but this also changes the semantic of the pattern. Another possibility which doesn't change the meaning is: /var/run/?.fingerd\.pid I send this patch as an RFC because what I consider abnormal may in fact be something expected or a workaround to fix some bugs I'm not aware of. --- policy/modules/contrib/finger.fc | 2 +- policy/modules/contrib/rhcs.fc | 2 +- policy/modules/contrib/setroubleshoot.fc | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/policy/modules/contrib/finger.fc b/policy/modules/contrib/finger.fc index 843940b..623421d 100644 --- a/policy/modules/contrib/finger.fc +++ b/policy/modules/contrib/finger.fc @@ -7,4 +7,4 @@ /var/log/cfingerd\.log.* -- gen_context(system_u:object_r:fingerd_log_t,s0) -/var/run/*.fingerd\.pid-- gen_context(system_u:object_r:fingerd_var_run_t,s0) +/var/run/fingerd\.pid -- gen_context(system_u:object_r:fingerd_var_run_t,s0) diff --git a/policy/modules/contrib/rhcs.fc b/policy/modules/contrib/rhcs.fc index 47de2d6..c619502 100644 --- a/policy/modules/contrib/rhcs.fc +++ b/policy/modules/contrib/rhcs.fc 
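Review bot: The commit message leaves open whether the finger.fc change alters behaviour, and the visible patterns settle it: file-context regexes are anchored at both ends, so the old `/var/run/*.fingerd\.pid` matched `/var/run/fingerd\.pid` only by letting `/*` match nothing and `.` consume the slash, and the other paths it accepted were oddities such as `/var/run/.fingerd.pid`; the new `/var/run/fingerd\.pid` keeps the one path that matters. The same reasoning covers the setroubleshoot.fc hunk on the next line: anchored `\.py*` matched `.p`, `.py`, `.pyy` and so on but never `.pyc`, so tightening it to `\.py` drops nothing that was labelled before. Recording that analysis in the commit message would close the RFC question the author raises.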
@@ -14,7 +14,7 @@ /var/lib/qdiskd(/.*)? gen_context(system_u:object_r:qdiskd_var_lib_t,s0) -/var/log/cluster/.*\.*log <> +/var/log/cluster/.*\.log <> /var/log/cluster/dlm_controld\.log.* -- gen_context(system_u:object_r:dlm_controld_var_log_t,s0) /var/log/cluster/fenced\.log.* -- gen_context(system_u:object_r:fenced_var_log_t,s0) /var/log/cluster/gfs_controld\.log.* -- gen_context(system_u:object_r:gfs_controld_var_log_t,s0) diff --git a/policy/modules/contrib/setroubleshoot.fc b/policy/modules/contrib/setroubleshoot.fc index 0b3a971..e89c06f 100644 --- a/policy/modules/contrib/setroubleshoot.fc +++ b/policy/modules/contrib/setroubleshoot.fc @@ -1,6 +1,6 @@ /usr/sbin/setroubleshootd -- gen_context(system_u:object_r:setroubleshootd_exec_t,s0) -/usr/share/setroubleshoot/SetroubleshootFixit\.py* -- gen_context(system_u:object_r:setroubleshoot_fixit_exec_t,s0) +/usr/share/setroubleshoot/SetroubleshootFixit\.py -- gen_context(system_u:object_r:setroubleshoot_fixit_exec_t,s0) /var/run/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_run_t,s0)
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
commit: db9bbe71ff53be3cac3ec53063728a21b6f02f58 Author: Nicolas Iooss m4x org> AuthorDate: Sat Apr 5 17:10:53 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Fri Apr 11 17:46:44 2014 + URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=db9bbe71 Label /usr/share/gitweb/static as httpd_git_content_t This directory contains gitweb static files at least on Debian and ArchLinux.
---
 policy/modules/contrib/git.fc | 1 +
 1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/git.fc b/policy/modules/contrib/git.fc
index d8a3f8e..c26586d 100644
--- a/policy/modules/contrib/git.fc
+++ b/policy/modules/contrib/git.fc
@@ -5,6 +5,7 @@ HOME_DIR/public_git(/.*)? gen_context(system_u:object_r:git_user_content_t,s0)
 /usr/libexec/git-core/git-daemon -- gen_context(system_u:object_r:gitd_exec_t,s0)
 /usr/share/gitweb/gitweb\.cgi -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
+/usr/share/gitweb/static(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0)
 /var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
 /var/cache/gitweb-caching(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/roles/
commit: 0174d192aac9d69d24fded5aee1a6a1040cd4a2c Author: Laurent Bigonville bigon be> AuthorDate: Sat Apr 5 18:01:21 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Fri Apr 11 17:48:01 2014 + URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=0174d192 Add telepathy role for user_r and staff_r
---
 policy/modules/roles/staff.te | 4
 policy/modules/roles/unprivuser.te | 4
 2 files changed, 8 insertions(+)
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index abc38c0..247f898 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -90,6 +90,10 @@ ifndef(`distro_redhat',`
 optional_policy(`
 pulseaudio_role(staff_r, staff_t)
 ')
+
+ optional_policy(`
+ telepathy_role_template(staff, staff_r, staff_t)
+ ')
 ')
 optional_policy(`
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index e9319d0..c40c34c 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -63,6 +63,10 @@ ifndef(`distro_redhat',`
 optional_policy(`
 pulseaudio_role(user_r, user_t)
 ')
+
+ optional_policy(`
+ telepathy_role_template(user, user_r, user_t)
+ ')
 ')
 optional_policy(`
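Review bot: Both added `optional_policy()` blocks sit inside the `ifndef(`distro_redhat',`` block named in the hunk header (the context `')` that follows them appears to close it), so Red Hat builds get no telepathy role for staff_r or user_r. That mirrors the neighbouring `pulseaudio_role()` call and may well be intended, but a short comment at the top of the ifndef block saying why these desktop roles are excluded on Red Hat would keep future additions from being placed by pattern-matching alone. The enclosing ifndef block starts outside both hunks.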
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
commit: decabd8c4269860861be981cec6f0936aeea9b10 Author: Laurent Bigonville bigon be> AuthorDate: Fri Apr 4 20:52:53 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Fri Apr 11 17:47:57 2014 + URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=decabd8c Associate the new xattrfs attribute to fs_t and some pseudo-fs Associate the new xattrfs attribute to fs_t and the pseudo filesystems that we know support xattr This patch adds the attribute to the following (pseudo) filesystems - device_t - devpts_t - fs_t - hugetlbfs - sysfs_t - tmpfs_t --- policy/modules/kernel/devices.te| 4 ++-- policy/modules/kernel/filesystem.te | 6 +++--- policy/modules/kernel/terminal.te | 2 +- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te index 25d28ce..2fdb01b 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -18,7 +18,7 @@ fs_associate_tmpfs(device_t) files_type(device_t) files_mountpoint(device_t) files_associate_tmp(device_t) -fs_type(device_t) +fs_xattr_type(device_t) fs_use_trans devtmpfs gen_context(system_u:object_r:device_t,s0); # @@ -231,7 +231,7 @@ dev_node(sound_device_t) # type sysfs_t; files_mountpoint(sysfs_t) -fs_type(sysfs_t) +fs_xattr_type(sysfs_t) genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0) # diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te index abaf5c0..31058f0 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te @@ -16,7 +16,7 @@ attribute xattrfs; # filesystems with extended attributes # type fs_t; -fs_type(fs_t) +fs_xattr_type(fs_t) sid fs gen_context(system_u:object_r:fs_t,s0) # Use xattrs for the following filesystem types. 
@@ -96,7 +96,7 @@ fs_type(futexfs_t) genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0) type hugetlbfs_t; -fs_type(hugetlbfs_t) +fs_xattr_type(hugetlbfs_t) files_mountpoint(hugetlbfs_t) fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0); @@ -176,7 +176,7 @@ genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0) # type tmpfs_t; dev_associate(tmpfs_t) -fs_type(tmpfs_t) +fs_xattr_type(tmpfs_t) files_type(tmpfs_t) files_mountpoint(tmpfs_t) files_poly_parent(tmpfs_t) diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te index e05079a..01dbf46 100644 --- a/policy/modules/kernel/terminal.te +++ b/policy/modules/kernel/terminal.te @@ -27,7 +27,7 @@ dev_node(console_device_t) type devpts_t; files_mountpoint(devpts_t) fs_associate_tmpfs(devpts_t) -fs_type(devpts_t) +fs_xattr_type(devpts_t) fs_use_trans devpts gen_context(system_u:object_r:devpts_t,s0); #
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/, policy/modules/roles/
commit: dfb102dc02c13d63bf69cb88edf5ea11601f5e81 Author: Chris PeBenito tresys com> AuthorDate: Fri Apr 11 15:21:03 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Fri Apr 11 17:48:06 2014 + URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=dfb102dc Module version bump for 2 patch sets from Laurent Bigonville. * xattrfs attribute * Misc Debian fixes --- policy/modules/kernel/devices.te | 2 +- policy/modules/kernel/filesystem.te | 2 +- policy/modules/kernel/terminal.te| 2 +- policy/modules/roles/staff.te| 2 +- policy/modules/roles/unprivuser.te | 2 +- policy/modules/system/miscfiles.te | 2 +- policy/modules/system/selinuxutil.te | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te index 2fdb01b..3e03a9d 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -1,4 +1,4 @@ -policy_module(devices, 1.16.1) +policy_module(devices, 1.16.2) # diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te index 31058f0..bad3d16 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te @@ -1,4 +1,4 @@ -policy_module(filesystem, 1.18.0) +policy_module(filesystem, 1.18.1) # diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te index 01dbf46..94f7dac 100644 --- a/policy/modules/kernel/terminal.te +++ b/policy/modules/kernel/terminal.te @@ -1,4 +1,4 @@ -policy_module(terminal, 1.12.0) +policy_module(terminal, 1.12.1) # diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te index 247f898..27b49b1 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te @@ -1,4 +1,4 @@ -policy_module(staff, 2.5.0) +policy_module(staff, 2.5.1) # diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te index c40c34c..65600f4 100644 --- a/policy/modules/roles/unprivuser.te 
+++ b/policy/modules/roles/unprivuser.te @@ -1,4 +1,4 @@ -policy_module(unprivuser, 2.5.0) +policy_module(unprivuser, 2.5.1) # this module should be named user, but that is # a compile error since user is a keyword. diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te index e60f80d..920ae21 100644 --- a/policy/modules/system/miscfiles.te +++ b/policy/modules/system/miscfiles.te @@ -1,4 +1,4 @@ -policy_module(miscfiles, 1.11.0) +policy_module(miscfiles, 1.11.1) # diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te index cf0c693..2b99c9b 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -1,4 +1,4 @@ -policy_module(selinuxutil, 1.18.0) +policy_module(selinuxutil, 1.18.1) gen_require(` bool secure_mode;
[gentoo-commits] proj/hardened-refpolicy:master commit in: gentoo/
commit: f5ad1b829068ed28086d5b3d5b851e586c131233 Author: Sven Vermeulen siphos be> AuthorDate: Fri Apr 11 17:48:28 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Fri Apr 11 17:48:28 2014 + URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f5ad1b82 Merge upstream (main)
---
 gentoo/STATE | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/gentoo/STATE b/gentoo/STATE
index b37ecc9..6bdbba3 100644
--- a/gentoo/STATE
+++ b/gentoo/STATE
@@ -1,2 +1,2 @@
 contrib is at b64bdd0a5179447f6c2a30c8081a403ea3816457
-master is at 2a8d47d7b1b06f1427106a64e7b5a6ede8f63197
+master is at eabe0273c226b07dbecd21168cc9c7da51de8d4d
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
commit: ac5b056e808e96202f2ece7a5cba0aa7ca95602a Author: Laurent Bigonville bigon be> AuthorDate: Sat Apr 5 18:01:23 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Fri Apr 11 17:48:04 2014 + URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ac5b056e Label /usr/local/share/ca-certificates(/.*)? as cert_t On Debian, this directory can contain locally trusted certificates that will be then be symlinked to /etc/ssl/certs by update-ca-certificates(8), the files should be labelled as cert_t.
---
 policy/modules/system/miscfiles.fc | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
index 8b48030..7396629 100644
--- a/policy/modules/system/miscfiles.fc
+++ b/policy/modules/system/miscfiles.fc
@@ -39,6 +39,8 @@ ifdef(`distro_redhat',`
 /usr/lib/perl5/man(/.*)? gen_context(system_u:object_r:man_t,s0)
+/usr/local/share/ca-certificates(/.*)? gen_context(system_u:object_r:cert_t,s0)
+
 /usr/local/man(/.*)? gen_context(system_u:object_r:man_t,s0)
 /usr/local/share/man(/.*)? gen_context(system_u:object_r:man_t,s0)
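Review bot: The new `/usr/local/share/ca-certificates(/.*)?` entry is inserted between `/usr/lib/perl5/man` and `/usr/local/man`, which breaks the path ordering the surrounding lines follow (`/usr/local/man` sorts before `/usr/local/share/...`) and splits the man_t group with a cert_t line. Either move it to wherever the file keeps its other cert_t entries or place it after `/usr/local/man(/.*)?` so the man_t entries stay contiguous. Labelling a locally managed trust-anchor directory as cert_t is the right call, since it puts those files under the same access rules as the rest of the certificate store rather than leaving them as generic /usr/local content.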
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
commit: ae1067f21dc8dc41b8a42ef0edd777fe4805b1cf Author: Chris PeBenito tresys com> AuthorDate: Fri Apr 11 15:43:13 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Fri Apr 11 17:46:48 2014 + URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ae1067f2 Module version bump for fc regex fixes from Nicolas Iooss. --- policy/modules/contrib/finger.te | 2 +- policy/modules/contrib/rhcs.te | 2 +- policy/modules/contrib/setroubleshoot.te | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/policy/modules/contrib/finger.te b/policy/modules/contrib/finger.te index 35da09d..5bcd50b 100644 --- a/policy/modules/contrib/finger.te +++ b/policy/modules/contrib/finger.te @@ -1,4 +1,4 @@ -policy_module(finger, 1.10.0) +policy_module(finger, 1.10.1) # diff --git a/policy/modules/contrib/rhcs.te b/policy/modules/contrib/rhcs.te index 16f1a23..f5afb7c 100644 --- a/policy/modules/contrib/rhcs.te +++ b/policy/modules/contrib/rhcs.te @@ -1,4 +1,4 @@ -policy_module(rhcs, 1.3.0) +policy_module(rhcs, 1.3.1) # diff --git a/policy/modules/contrib/setroubleshoot.te b/policy/modules/contrib/setroubleshoot.te index 6f6d668..62b935a 100644 --- a/policy/modules/contrib/setroubleshoot.te +++ b/policy/modules/contrib/setroubleshoot.te @@ -1,4 +1,4 @@ -policy_module(setroubleshoot, 1.13.0) +policy_module(setroubleshoot, 1.13.1) #
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/roles/
commit: c16ea5592a48b18414eea52965925345ac4e094a Author: Sven Vermeulen siphos be> AuthorDate: Fri Apr 11 18:32:49 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Fri Apr 11 18:32:49 2014 + URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=c16ea559 Run audit2allow and sepolgen needs policy read access
---
 policy/modules/roles/sysadm.te | 5 +
 1 file changed, 5 insertions(+)
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index bdaf706..4acf417 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -551,6 +551,11 @@ ifdef(`distro_gentoo',`
 ')
 optional_policy(`
+ # Support audit2allow, sepolgen and so on
+ selinux_read_policy(sysadm_t)
+ ')
+
+ optional_policy(`
 shorewall_admin(sysadm_t, sysadm_r)
 ')
 ')
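Review bot: `selinux_read_policy()` is an interface of the kernel-layer selinux module, which in upstream refpolicy is always part of the base policy, so wrapping the call in `optional_policy()` buys nothing and implies the module could be absent; the two lines can sit directly inside the `ifdef(`distro_gentoo',`` block as `# Support audit2allow, sepolgen and so on` / `selinux_read_policy(sysadm_t)`. If this tree has moved the selinux module out of base, keep the wrapper but say so in the comment so the next reader does not remove it. The enclosing ifdef block starts outside the hunk.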
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
commit: 17ffc8e920a4dab85c5626bdc9844ee79f0555b2 Author: Sven Vermeulen siphos be> AuthorDate: Fri Apr 11 18:31:04 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Fri Apr 11 18:31:04 2014 + URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=17ffc8e9 Allow mutt to read/write attachments in XDG downloads dir
---
 policy/modules/contrib/mutt.te | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/policy/modules/contrib/mutt.te b/policy/modules/contrib/mutt.te
index f6d3489..393b943 100644
--- a/policy/modules/contrib/mutt.te
+++ b/policy/modules/contrib/mutt.te
@@ -91,5 +91,7 @@ optional_policy(`
 optional_policy(`
 xdg_manage_cache_home(mutt_t)
+ # Save and send attachments
+ xdg_manage_downloads_home(mutt_t)
 xdg_read_config_home_files(mutt_t)
 ')
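Review bot: `xdg_manage_downloads_home(mutt_t)` grants create, delete, rename and write on the whole downloads tree, which is broader than the comment `# Save and send attachments` needs (saving requires create and write, sending requires read). If the xdg module offers a read interface plus a narrower create/write one, combining those would keep mutt_t closer to least privilege; if manage is the only interface available, extend the comment to record that, e.g. `# Save and send attachments (manage: xdg has no narrower create+read interface)`. The optional_policy block is fully visible, so the change is self-contained.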
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
commit: eb72a1a6cf9947aebd0d5df523c180ef0cfa6446 Author: Sven Vermeulen siphos be> AuthorDate: Sat Apr 12 13:37:06 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Sat Apr 12 13:37:06 2014 + URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=eb72a1a6 Snort policy updates When snort starts up, its init script creates the /var/run/snort directory. However, the policy did not have a file transition for this, which results in the /var/run/snort directory to be initrc_var_run_t. By supporting a file transition to snort_var_run_t the PID file can be hosted inside its own directory as intended. Error logs from Snort: Apr 9 14:42:45 server snort[1916]: WARNING: /var/run/snort is invalid, trying /var/run... Apr 9 14:42:45 server snort[1916]: Previous Error, errno=13, (Permission denied) Apr 9 14:42:45 server snort[1916]: PID path stat checked out ok, PID path set to /var/run/ Second, snort is not able to write to its own log file. It needs the write privilege for this (append no longer cuts it) as found through the AVC denial. Error logs from Snort: Apr 9 14:42:45 server snort[1916]: FATAL ERROR: spo_unified2.c(320) Could not open /var/log/snort//merged.log: Permission denied Reported-by: sgnut --- policy/modules/contrib/snort.fc | 4 policy/modules/contrib/snort.te | 12 2 files changed, 16 insertions(+) diff --git a/policy/modules/contrib/snort.fc b/policy/modules/contrib/snort.fc index 591b9a1..ad73ece 100644 --- a/policy/modules/contrib/snort.fc +++ b/policy/modules/contrib/snort.fc @@ -10,3 +10,7 @@ /var/log/snort(/.*)? gen_context(system_u:object_r:snort_log_t,s0) /var/run/snort.* -- gen_context(system_u:object_r:snort_var_run_t,s0) + +ifdef(`distro_gentoo',` +/var/run/snort(/.*)? gen_context(system_u:object_r:snort_var_run_t,s0) +') diff --git a/policy/modules/contrib/snort.te b/policy/modules/contrib/snort.te index 1af72df..44fcaf9 100644 --- a/policy/modules/contrib/snort.te +++ b/policy/modules/contrib/snort.te 
@@ -114,3 +114,15 @@ optional_policy(` optional_policy(` udev_read_db(snort_t) ') + +ifdef(`distro_gentoo',` + ## + # + # Local policy + # + # Reported through IRC - needs write, append is not enough + allow snort_t snort_log_t:file write_file_perms; + + # Init creates /var/run/snort if it does not exist yet + init_daemon_run_dir(snort_var_run_t, "snort") +')
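Review bot: `allow snort_t snort_log_t:file write_file_perms;` replaces append-style access with full write on every snort_log_t file, so a snort_t process can now overwrite or truncate earlier log records rather than only add to them; the comment should record that trade-off so the grant is not widened further later, e.g. `# unified2 output needs write (append is not enough); note this also lets the daemon rewrite existing log files`. The unified2 open failure quoted in the commit message is a property of snort's spo_unified2 output rather than of Gentoo, so the write rule arguably belongs outside the `ifdef(`distro_gentoo',`…')` guard and upstream, whereas `init_daemon_run_dir(snort_var_run_t, "snort")` is tied to the Gentoo init script and sits correctly inside it. The in-code comment `# Reported through IRC` also disagrees with the commit message, which attributes the finding to an AVC denial; one of the two should be aligned.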
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
commit: f545f061fccaddd18620fe5b50bc179db9c2de6f Author: Sven Vermeulen siphos be> AuthorDate: Sat Apr 12 19:03:32 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Sat Apr 12 19:03:32 2014 + URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f545f061 Allow chromium to kill its own processes if it detects issues --- policy/modules/contrib/chromium.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/modules/contrib/chromium.te b/policy/modules/contrib/chromium.te index 9e06778..b460904 100644 --- a/policy/modules/contrib/chromium.te +++ b/policy/modules/contrib/chromium.te @@ -66,7 +66,7 @@ xdg_cache_home_content(chromium_xdg_cache_t) # chromium local policy # -allow chromium_t self:process { getsched setrlimit setsched signal }; +allow chromium_t self:process { getsched setrlimit setsched sigkill signal }; allow chromium_t self:fifo_file rw_fifo_file_perms;; allow chromium_t self:sem create_sem_perms; allow chromium_t self:netlink_kobject_uevent_socket client_stream_socket_perms;
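Review bot: The added `sigkill` permission is scoped to `self`, so it only lets chromium_t processes kill other processes already in the same domain, which keeps the grant narrow; a comment carrying the reason from the commit message would help the next reader, e.g. `# chromium kills its own helper processes when it detects a problem`. The following context line, `allow chromium_t self:fifo_file rw_fifo_file_perms;;`, carries a doubled semicolon; it is pre-existing and outside this change, but worth removing while this block is being touched.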
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
commit: 81e7c63e1781015a444ea090dfe2b453bdbf70b2 Author: Sven Vermeulen siphos be> AuthorDate: Thu Apr 17 18:20:58 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Thu Apr 17 18:20:58 2014 + URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=81e7c63e Also on Gentoo --- policy/modules/kernel/corecommands.fc | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc index 7ef2dd5..d1ad47f 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -420,4 +420,5 @@ ifdef(`distro_suse',` ifdef(`distro_gentoo',` /usr/lib/xfce4/notifyd/xfce4-notifyd -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/cvs/contrib/rcs2log -- gen_context(system_u:object_r:bin_t,s0) ')
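Review bot: The new entry labels `/usr/share/cvs/contrib/rcs2log` as bin_t with no indication of why, and the commit message ("Also on Gentoo") does not help either. Paths under /usr/share would otherwise inherit the generic data label, which presumably is what stops confined domains from executing this script; a one-line comment above the entry, such as `# rcs2log is a script shipped by cvs outside the bin directories; label it bin_t so it can be executed`, or a fuller commit message, would keep that rationale with the rule. The hunk only appends to the existing `ifdef(`distro_gentoo',`…')` block, so placement is consistent with the surrounding entries.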
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
commit: 0af22df335db344407c0254eae8f278fb0dfc8a4 Author: Laurent Bigonville bigon be> AuthorDate: Fri Apr 11 17:27:18 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Thu Apr 17 19:02:14 2014 + URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=0af22df3 Add new gnome_spec_domtrans_all_gkeyringd() interface Allow the caller to transition to all the gkeyringd domains --- policy/modules/contrib/gnome.if | 20 1 file changed, 20 insertions(+) diff --git a/policy/modules/contrib/gnome.if b/policy/modules/contrib/gnome.if index 112d33b..118ee01 100644 --- a/policy/modules/contrib/gnome.if +++ b/policy/modules/contrib/gnome.if @@ -671,6 +671,26 @@ interface(`gnome_dbus_chat_all_gkeyringd',` ## +## Run all gkeyringd in gkeyringd domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`gnome_spec_domtrans_all_gkeyringd',` + gen_require(` + attribute gkeyringd_domain; + type gkeyringd_exec_t; + ') + + corecmd_search_bin($1) + spec_domtrans_pattern($1, gkeyringd_exec_t, gkeyringd_domain) +') + + +## ## Connect to gnome keyring daemon ## with a unix stream socket. ##
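Review bot: The summary `Run all gkeyringd in gkeyringd domain.` does not tell the caller what kind of transition it receives: `spec_domtrans_pattern($1, gkeyringd_exec_t, gkeyringd_domain)` grants execute on the entry point and transition to every domain carrying the `gkeyringd_domain` attribute but, unlike `domtrans_pattern`, adds no type_transition, so the caller has to select the concrete target domain itself (as a PAM-aware login program would via its exec context). Consider rewording the summary to `Execute gkeyringd in any gkeyringd domain, with the target domain selected by the caller (no automatic transition).` and repeating that in the description, so callers do not expect an automatic transition. Since the interface is meant for a system domain entering per-user domains, it would also be worth stating in the description that the caller is responsible for the role and range of the new process.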
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
commit: ea8a0b2e03f83982188736cf96997663996b8fda Author: Chris PeBenito tresys com> AuthorDate: Tue Apr 15 18:51:53 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Thu Apr 17 19:03:41 2014 + URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ea8a0b2e Module version bump for gnome keyring fix from Laurent Bigonville. --- policy/modules/services/xserver.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te index ac13180..e8c8c01 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -1,4 +1,4 @@ -policy_module(xserver, 3.10.0) +policy_module(xserver, 3.10.1) gen_require(` class x_drawable all_x_drawable_perms;
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
commit: b515caffd4a76d93c61b1b4a045bd1e922c8356c Author: Laurent Bigonville bigon be> AuthorDate: Fri Apr 11 17:28:27 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Thu Apr 17 19:03:39 2014 + URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b515caff Allow the xdm_t domain to enter all the gkeyringd ones During the opening of the session, the pam_gnome_keyring module is starting the daemon in the gkeyringd user domain, allow xdm_t to transition to it. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742966 --- policy/modules/services/xserver.te | 4 1 file changed, 4 insertions(+) diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te index 6366abf..ac13180 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -528,6 +528,10 @@ optional_policy(` ') optional_policy(` + gnome_spec_domtrans_all_gkeyringd(xdm_t) +') + +optional_policy(` # Talk to the console mouse server. gpm_stream_connect(xdm_t) gpm_setattr_gpmctl(xdm_t)
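Review bot: `gnome_spec_domtrans_all_gkeyringd(xdm_t)` lets the display manager enter every user's gkeyringd domain and nothing in the hunk says why; a comment taken from the commit message, `# pam_gnome_keyring starts gnome-keyring-daemon in the user's gkeyringd domain during session setup`, would keep the rationale next to the rule. Because the underlying pattern is a spec_domtrans (no type_transition), the target domain is chosen by xdm_t at exec time; that matches a PAM-based login flow but depends on xdm_t being allowed to set its exec context and on the user's role containing the gkeyringd type, neither of which is visible in this hunk, so it is worth confirming when testing the Debian bug referenced in the message.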
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
commit: 5709cab00aaa691d78dfd6c3bcc1a14db5384de8 Author: Chris PeBenito tresys com> AuthorDate: Tue Apr 15 18:50:46 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Thu Apr 17 19:02:16 2014 + URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=5709cab0 Module version bump for various fixes from Laurent Bigonville. --- policy/modules/contrib/dbus.te | 2 +- policy/modules/contrib/exim.te | 2 +- policy/modules/contrib/gnome.te | 2 +- policy/modules/contrib/obex.te | 2 +- policy/modules/contrib/telepathy.te | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te index b9838d1..8075f85 100644 --- a/policy/modules/contrib/dbus.te +++ b/policy/modules/contrib/dbus.te @@ -1,4 +1,4 @@ -policy_module(dbus, 1.19.0) +policy_module(dbus, 1.19.1) gen_require(` class dbus all_dbus_perms; diff --git a/policy/modules/contrib/exim.te b/policy/modules/contrib/exim.te index b6a7fb3..768a69f 100644 --- a/policy/modules/contrib/exim.te +++ b/policy/modules/contrib/exim.te @@ -1,4 +1,4 @@ -policy_module(exim, 1.7.0) +policy_module(exim, 1.7.1) # diff --git a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te index e6fe219..b4a361a 100644 --- a/policy/modules/contrib/gnome.te +++ b/policy/modules/contrib/gnome.te @@ -1,4 +1,4 @@ -policy_module(gnome, 2.4.0) +policy_module(gnome, 2.4.1) ## # diff --git a/policy/modules/contrib/obex.te b/policy/modules/contrib/obex.te index cd29ea8..dfb181c 100644 --- a/policy/modules/contrib/obex.te +++ b/policy/modules/contrib/obex.te @@ -1,4 +1,4 @@ -policy_module(obex, 1.0.0) +policy_module(obex, 1.0.1) # diff --git a/policy/modules/contrib/telepathy.te b/policy/modules/contrib/telepathy.te index 5383971..e7fe4da 100644 --- a/policy/modules/contrib/telepathy.te +++ b/policy/modules/contrib/telepathy.te @@ -1,4 +1,4 @@ -policy_module(telepathy, 1.5.0) +policy_module(telepathy, 1.5.1) #
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
commit: 1b3f7528b59220920ac2b66e3e5fd2aa960c4c5e Author: Laurent Bigonville bigon be> AuthorDate: Fri Apr 11 17:27:15 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Thu Apr 17 19:02:08 2014 + URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=1b3f7528 Allow gconfd to be started by the session bus Allow gconfd to be started by the session bus and make it transition to its own domain. It also connects to the system bus to listen to signals from org.gnome.GConf.Defaults interface --- policy/modules/contrib/gnome.te | 6 ++ 1 file changed, 6 insertions(+) diff --git a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te index 0b45360..e6fe219 100644 --- a/policy/modules/contrib/gnome.te +++ b/policy/modules/contrib/gnome.te @@ -97,6 +97,12 @@ userdom_manage_user_tmp_dirs(gconfd_t) userdom_tmp_filetrans_user_tmp(gconfd_t, dir) optional_policy(` + dbus_all_session_domain(gconfd_t, gconfd_exec_t) + + dbus_system_bus_client(gconfd_t) +') + +optional_policy(` nscd_dontaudit_search_pid(gconfd_t) ')
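Review bot: The two new rules have different scopes and deserve separate comments: `dbus_all_session_domain(gconfd_t, gconfd_exec_t)` lets every session bus domain (the whole `session_bus_type` attribute) activate gconfd and transition it into gconfd_t, while `dbus_system_bus_client(gconfd_t)` only opens a system bus connection. Suggested: `# session bus activation of gconfd, for all user session buses` above the first and `# listens for org.gnome.GConf.Defaults signals on the system bus` above the second, both taken from the commit message. If gconfd also needs to exchange messages with the defaults service rather than only receive its signals, a dbus chat rule toward that service's domain would be needed in addition to the client connect; the commit mentions listening only, so this is a point to verify rather than a defect.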
[gentoo-commits] proj/hardened-refpolicy:master commit in: gentoo/
commit: 8fa5a13a6783e7a39e5c0ef042b4393d9edef17f Author: Sven Vermeulen siphos be> AuthorDate: Thu Apr 17 19:04:07 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Thu Apr 17 19:04:07 2014 + URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=8fa5a13a Merging with upstream --- gentoo/STATE | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/gentoo/STATE b/gentoo/STATE index 6bdbba3..aebe597 100644 --- a/gentoo/STATE +++ b/gentoo/STATE @@ -1,2 +1,2 @@ -contrib is at b64bdd0a5179447f6c2a30c8081a403ea3816457 -master is at eabe0273c226b07dbecd21168cc9c7da51de8d4d +contrib is at 2923fe4d0ff36840bbc2f473cf175db12da717ac +master is at 76a9daf35aea332ec751e28564fc7bdb15ab613b
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
commit: 8ae4a42143f20541f9a43506ffb3e94fe19c42e1 Author: Laurent Bigonville bigon be> AuthorDate: Fri Apr 11 17:27:16 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Thu Apr 17 19:02:10 2014 + URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=8ae4a421 Fix the usage of dbus_spec_session_domain() interface Change the order of the parameters for the calls to dbus_spec_session_domain() interface. For consistancy with the other dbus interfaces and the backward compatibility, we consider that the description was correct and we change the callers instead. The order of the parameter for this interface is the following: dbus_spec_session_domain(role_prefix, domain, entry_point) --- policy/modules/contrib/dbus.if | 2 +- policy/modules/contrib/gnome.if | 2 +- policy/modules/contrib/obex.if | 2 +- policy/modules/contrib/telepathy.if | 18 +- 4 files changed, 12 insertions(+), 12 deletions(-) diff --git a/policy/modules/contrib/dbus.if b/policy/modules/contrib/dbus.if index fa6d806..21e8b5c 100644 --- a/policy/modules/contrib/dbus.if +++ b/policy/modules/contrib/dbus.if @@ -469,7 +469,7 @@ interface(`dbus_spec_session_domain',` type $1_dbusd_t; ') - domtrans_pattern($1_dbusd_t, $2, $3) + domtrans_pattern($1_dbusd_t, $3, $2) dbus_spec_session_bus_client($1, $2) dbus_connect_spec_session_bus($1, $2) diff --git a/policy/modules/contrib/gnome.if b/policy/modules/contrib/gnome.if index ab09d61..112d33b 100644 --- a/policy/modules/contrib/gnome.if +++ b/policy/modules/contrib/gnome.if @@ -109,7 +109,7 @@ template(`gnome_role_template',` gnome_stream_connect_gkeyringd($1, $3) optional_policy(` - dbus_spec_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t) + dbus_spec_session_domain($1, $1_gkeyringd_t, gkeyringd_exec_t) optional_policy(` gnome_dbus_chat_gkeyringd($1, $3) diff --git a/policy/modules/contrib/obex.if b/policy/modules/contrib/obex.if index 8635ea2..410c0e8 100644 --- a/policy/modules/contrib/obex.if 
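Review bot: Swapping `$2` and `$3` in `domtrans_pattern($1_dbusd_t, $3, $2)` changes the interface's effective argument order, and a caller that still passes `(prefix, exec_t, domain)` will most likely continue to build — both arguments are types, so checkpolicy accepts either order — but the resulting rules grant execute on the domain and transition to the exec type, i.e. a transition that can never fire. The gnome.if, obex.if and telepathy.if hunks in this commit are updated; any other module calling `dbus_spec_session_domain`, including out-of-tree policies, should be grepped for the old order since there will be no compile-time signal. A comment above the `domtrans_pattern` line recording the expected order, `# $2 is the target domain, $3 its entry point (see the interface documentation)`, would make a repeat of this mistake less likely. The interface body starts outside this hunk.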
+++ b/policy/modules/contrib/obex.if @@ -42,7 +42,7 @@ template(`obex_role_template',` allow $3 obex_t:process { ptrace signal_perms }; ps_process_pattern($3, obex_t) - dbus_spec_session_domain($1, obex_exec_t, obex_t) + dbus_spec_session_domain($1, obex_t, obex_exec_t) obex_dbus_chat($3) ') diff --git a/policy/modules/contrib/telepathy.if b/policy/modules/contrib/telepathy.if index 42946bc..0d58469 100644 --- a/policy/modules/contrib/telepathy.if +++ b/policy/modules/contrib/telepathy.if 
@@ -78,15 +78,15 @@ template(`telepathy_role_template',` telepathy_msn_stream_connect($3) telepathy_salut_stream_connect($3) - dbus_spec_session_domain($1, telepathy_gabble_exec_t, telepathy_gabble_t) - dbus_spec_session_domain($1, telepathy_sofiasip_exec_t, telepathy_sofiasip_t) - dbus_spec_session_domain($1, telepathy_idle_exec_t, telepathy_idle_t) - dbus_spec_session_domain($1, telepathy_logger_exec_t, telepathy_logger_t) - dbus_spec_session_domain($1, telepathy_mission_control_exec_t, telepathy_mission_control_t) - dbus_spec_session_domain($1, telepathy_salut_exec_t, telepathy_salut_t) - dbus_spec_session_domain($1, telepathy_sunshine_exec_t, telepathy_sunshine_t) - dbus_spec_session_domain($1, telepathy_stream_engine_exec_t, telepathy_stream_engine_t) - dbus_spec_session_domain($1, telepathy_msn_exec_t, telepathy_msn_t) + dbus_spec_session_domain($1, telepathy_gabble_t, telepathy_gabble_exec_t) + dbus_spec_session_domain($1, telepathy_sofiasip_t, telepathy_sofiasip_exec_t) + dbus_spec_session_domain($1, telepathy_idle_t, telepathy_idle_exec_t) + dbus_spec_session_domain($1, telepathy_logger_t, telepathy_logger_exec_t) + dbus_spec_session_domain($1, telepathy_mission_control_t, telepathy_mission_control_exec_t) + dbus_spec_session_domain($1, telepathy_salut_t, telepathy_salut_exec_t) + dbus_spec_session_domain($1, telepathy_sunshine_t, telepathy_sunshine_exec_t) + dbus_spec_session_domain($1, telepathy_stream_engine_t, telepathy_stream_engine_exec_t) + dbus_spec_session_domain($1, telepathy_msn_t, telepathy_msn_exec_t) allow $3 { telepathy_mission_control_cache_home_t telepathy_cache_home_t telepathy_logger_cache_home_t }:dir { manage_dir_perms relabel_dir_perms }; allow $3 { telepathy_gabble_cache_home_t telepathy_mission_control_home_t telepathy_data_home_t }:dir { manage_dir_perms relabel_dir_perms };
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
commit: b092bd58fa1a153909737c9c8a16b0354a45e08d Author: Laurent Bigonville bigon be> AuthorDate: Fri Apr 11 17:27:17 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Thu Apr 17 19:02:11 2014 + URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b092bd58 Properly label exim4 initscript under Debian Keep the same regex expression as for the other filecontexts --- policy/modules/contrib/exim.fc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/modules/contrib/exim.fc b/policy/modules/contrib/exim.fc index 9df498d..48abe95 100644 --- a/policy/modules/contrib/exim.fc +++ b/policy/modules/contrib/exim.fc @@ -1,4 +1,4 @@ -/etc/rc\.d/init\.d/exim-- gen_context(system_u:object_r:exim_initrc_exec_t,s0) +/etc/rc\.d/init\.d/exim[0-9]? -- gen_context(system_u:object_r:exim_initrc_exec_t,s0) /usr/sbin/exim[0-9]? -- gen_context(system_u:object_r:exim_exec_t,s0) /usr/sbin/exim_tidydb -- gen_context(system_u:object_r:exim_exec_t,s0)
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
commit: 8f976037a6642f6725d76d3b4b8395fca3bc1e53 Author: Laurent Bigonville bigon be> AuthorDate: Fri Apr 11 17:27:14 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Thu Apr 17 19:02:05 2014 + URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=8f976037 Fix dbus_all_session_domain(), session_bus_type is an attribute Fix dbus_all_session_domain(), session_bus_type is an attribute not a type --- policy/modules/contrib/dbus.if | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/modules/contrib/dbus.if b/policy/modules/contrib/dbus.if index 733f027..fa6d806 100644 --- a/policy/modules/contrib/dbus.if +++ b/policy/modules/contrib/dbus.if @@ -432,7 +432,7 @@ interface(`dbus_session_domain',` # interface(`dbus_all_session_domain',` gen_require(` - type session_bus_type; + attribute session_bus_type; ') domtrans_pattern(session_bus_type, $2, $1)
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
commit: 3a8ac7c8f7f648a826b5c2c668bf75856ac931bf Author: Sven Vermeulen siphos be> AuthorDate: Sat Nov 8 16:35:45 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Sat Nov 8 16:35:45 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=3a8ac7c8 Fix bug #528602 - vnstatd init script naming fix in fc file thanks to Eric Glisse --- policy/modules/contrib/vnstatd.fc | 5 + 1 file changed, 5 insertions(+) diff --git a/policy/modules/contrib/vnstatd.fc b/policy/modules/contrib/vnstatd.fc index 24228b6..5f125a2 100644 --- a/policy/modules/contrib/vnstatd.fc +++ b/policy/modules/contrib/vnstatd.fc @@ -7,3 +7,8 @@ /var/lib/vnstat(/.*)? gen_context(system_u:object_r:vnstatd_var_lib_t,s0) /var/run/vnstat.* gen_context(system_u:object_r:vnstatd_var_run_t,s0) + +ifdef(`distro_gentoo',` +# Fix bug 528602 - name is vnstatd in Gentoo +/etc/rc\.d/init\.d/vnstatd -- gen_context(system_u:object_r:vnstatd_initrc_exec_t,s0) +')
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
commit: 28f48ea9662d40ad2692559fbc97fb2e3cb6ae44 Author: Sven Vermeulen siphos be> AuthorDate: Tue Nov 11 10:37:46 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Tue Nov 11 10:37:46 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=28f48ea9 Fix bug #528602 - Update context for vnstatd binary --- policy/modules/contrib/vnstatd.fc | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/contrib/vnstatd.fc b/policy/modules/contrib/vnstatd.fc index 5f125a2..52f8f68 100644 --- a/policy/modules/contrib/vnstatd.fc +++ b/policy/modules/contrib/vnstatd.fc @@ -11,4 +11,5 @@ ifdef(`distro_gentoo',` # Fix bug 528602 - name is vnstatd in Gentoo /etc/rc\.d/init\.d/vnstatd -- gen_context(system_u:object_r:vnstatd_initrc_exec_t,s0) +/usr/bin/vnstatd -- gen_context(system_u:object_r:vnstat_exec_t,s0) ')
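Review bot: The new entry labels `/usr/bin/vnstatd` with `vnstat_exec_t`, the only type in this file without the `vnstatd_` prefix used by `vnstatd_initrc_exec_t`, `vnstatd_var_lib_t` and `vnstatd_var_run_t` in the surrounding lines. If the module declares a separate `vnstatd_exec_t` as the daemon's entry point, this label would start the daemon in whichever domain `vnstat_exec_t` enters instead of the daemon domain, leaving it under-confined or unable to start; please confirm the type against vnstatd.te and, if the shared type is deliberate, add `# the vnstatd binary intentionally shares the vnstat entry point type on Gentoo` above the entry. The rest of the module is not visible here.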
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/, man/man8/
commit: 9849bb0f35a1fbe3b88f21386420d17248e24561 Author: Sven Vermeulen siphos be> AuthorDate: Tue Nov 11 12:59:52 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Tue Nov 11 12:59:52 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=9849bb0f Add cron_selinux manual page, support for bug #526532 --- man/man8/cron_selinux.8 | 349 policy/modules/contrib/cron.rst | 284 2 files changed, 633 insertions(+) diff --git a/man/man8/cron_selinux.8 b/man/man8/cron_selinux.8 new file mode 100644 index 000..701ad97 --- /dev/null +++ b/man/man8/cron_selinux.8 
@@ -0,0 +1,349 @@ +.\" Man page generated from reStructuredText. +. +.TH CRON_SELINUX 8 "2014-11-11" "" "SELinux" +.SH NAME +cron_selinux \- SELinux policy module for Cron +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.SH DESCRIPTION +.sp +The \fBcron\fP SELinux module supports various Unix cron daemons, including (but +not limited to) vixie\-cron, cronie, fcron and anacron. +.sp +The SELinux cron support is somewhat more complex than most other SELinux +domains, because the cron daemon is responsible for executing workload in the +context of end users as well as the overall system. Most Cron implementations +are also SELinux\-aware, so having some understanding of how they operate is +important. +.sp +Most of these cron implementations use the SELinux ownership of the crontab +file (the file which contains the execution task definitions) to determine +in which context a task is to be executed. For instance, if a crontab file +installed in \fB/var/spool/cron/crontabs\fP has a SELinux context whose SELinux +owner is \fIstaff_u\fP, then the tasks defined in it will be run through either +the general cronjob domain (\fIcronjob_t\fP) or the end user domain (\fIstaff_t\fP) +depending on the value of the \fIcron_userdomain_transition\fP boolean. 
+.sp +This boolean, if set to 1 (true), will have the tasks run in the user domain +(such as \fIstaff_t\fP, \fIsysadm_t\fP, \fIunconfined_t\fP, etc.) whereas, if it is set +to 0 (false), will have the tasks run in the general cronjob domain +(\fIcronjob_t\fP) for end user tasks, or the system cronjob domain +(\fIsystem_cronjob_t\fP) for system tasks. +.sp +The latter is also an important detail \- if for some reason packages deploy +their tasks as end user cronjobs, then the resulting commands might not be +running in the proper domain. As a general rule, system cronjobs are defined +in either \fB/etc/crontab\fP or in files in the \fB/etc/cron.d\fP directory. End +user cronjobs are defined in files in the \fB/var/spool/cron/crontabs\fP +directory. +.SS System administration +.sp +To perform system administration tasks (non\-end user tasks) through cron jobs, +take the following considerations into account: +.INDENT 0.0 +.IP \(bu 2 +To ensure that the jobs run in the right context (\fIsystem_cronjob_t\fP for +starts), make sure that the cronjob definitions (the crontab files) are +inside \fB/etc/crontab\fP or in the \fB/etc/cron.d\fP directories. +.IP \(bu 2 +Have the scripts to be executed labeled properly, and consider using a domain +transition for these scripts (through \fBcron_system_entry()\fP). +.IP \(bu 2 +Make sure the \fBHOME\fP directory is set to \fB/\fP so that the target domains +do not need any privileges inside end user locations (including \fB/root\fP). +.UNINDENT +.SS User cronjobs +.sp +When working with end user crontabs (those triggered / managed through the +\fBcrontab\fP command), take care that this is done as the SELinux user which is +associated with the file. This is for two reasons: +.INDENT 0.0 +.IP 1. 3 +If \fBUSE="ubac"\fP is set, then the SELinux User Based Access Control is +enabled. This could prevent one SELinux user from editing (or even viewing) +the crontab files of another user. +.IP 2. 
3 +The owner of the crontab file is also used by most cron implementations to +find out which context the user cronjob should run in. If this ownership is +incorrect, then the cronjob might not even launch properly, or run in the +wrong context. +.UNINDENT +.sp +If this was not done correctly, you will get the following error: +.INDENT 0.0 +.INDENT 3.5 +.sp +.
[gentoo-commits] proj/hardened-refpolicy:master commit in: man/man8/, policy/modules/contrib/
commit: 895d9f5db7c868d47665873f5ac4081fce64c906 Author: Sven Vermeulen siphos be> AuthorDate: Tue Nov 11 13:20:23 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Tue Nov 11 13:20:23 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=895d9f5d Add manual pages for munin SELinux policy, supports bug #526532 --- man/man8/munin_selinux.8 | 177 +++ policy/modules/contrib/munin.rst | 130 2 files changed, 307 insertions(+) diff --git a/man/man8/munin_selinux.8 b/man/man8/munin_selinux.8 new file mode 100644 index 000..99507b6 --- /dev/null +++ b/man/man8/munin_selinux.8 
@@ -0,0 +1,177 @@ +.\" Man page generated from reStructuredText. +. +.TH MUNIN_SELINUX 8 "2014-11-11" "" "SELinux" +.SH NAME +munin_selinux \- SELinux policy module for Munin +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.SH DESCRIPTION +.sp +The \fImunin\fP SELinux module supports the Munin networked resource management +tool. +.SH DOMAINS +.sp +The following is a list of munin related domains. +.INDENT 0.0 +.TP +.B munin_t +is the main domain for the munin daemon +.TP +.B \(aq*\(aq_munin_plugin_t +is a set of domains related to the munin plugins +.UNINDENT +.SH LOCATIONS +.sp +The following list of locations identify file resources that are used by the +munin domains. They are by default allocated towards the default locations for +munin, so if you use a different location, you will need to properly address +this. You can do so through \fBsemanage\fP, like so: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +semanage fcontext \-a \-t system_cron_spool_t "/usr/local/share/munin/plugins(/.*)?" +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +The above example marks the \fI/usr/local/share/munin/plugins\fP location as the location where +munin plugin executables are stored. 
+.SS FUNCTIONAL +.INDENT 0.0 +.TP +.B munin_etc_t +is used for the munin configuration files +.UNINDENT +.SS EXECUTABLES +.INDENT 0.0 +.TP +.B munin_exec_t +is used for the munin binaries +.TP +.B munin_initrc_exec_t +is used for the munin init script +.TP +.B \(aq*\(aq_munin_plugin_exec_t +is used for the munin plugin executables +.UNINDENT +.SS DAEMON FILES +.INDENT 0.0 +.TP +.B munin_log_t +is used for the munin logs +.TP +.B munin_plugin_state_t +is used for the munin plugin state information +.TP +.B munin_var_lib_t +is used for the variable information used by munin +.TP +.B munin_var_run_t +is used for the variable runtime state information of munin +.UNINDENT +.SH POLICY +.sp +The following interfaces can be used to enhance the default policy with +munin\-related provileges. More details on these interfaces can be found in the +interface HTML documentation, we will not list all available interfaces here. +.SS Plugin template +.sp +With the \fBmunin_plugin_template\fP interface, additional munin plugin domains +can be created. The interface takes a single prefix (like "disk") and will create +the proper types and privileges, including (using "disk" as the example): +.INDENT 0.0 +.IP \(bu 2 +\fIdisk_munin_plugin_t\fP as plugin domain +.IP \(bu 2 +\fIdisk_munin_plugin_exec_t\fP as plugin executable type +.IP \(bu 2 +\fIdisk_munin_plugin_tmp_t\fP as plugin temporary file type +.UNINDENT +.sp +To enable it: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +munin_plugin_template(disk) +.ft P +.fi +.UNINDENT +.UNINDENT +.SS Administrative role +.sp +The \fBmunin_admin\fP interface grants a user role and type administrative access +to the munin types: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +munin_admin(myuser_t, myuser_r) +.ft P +.fi +.UNINDENT +.UNINDENT +.SH BUGS +.SS Munin +.sp +The \fBnet\-analyzer/munin\fP package deploys the munin cronjobs as end user +cronjobs inside \fB/var/spool/cron/crontabs\fP\&. 
The munin cronjobs are meant to +be executed as the munin Linux account, but the jobs themselves are best seen +as system cronjobs (as they are not related to a true interactive end user). +.sp +The default deployed files do not get the \fIsystem_u\fP SELinux ownership +assigned. To fix this, execute the following command: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +~# chcon \-u system_u /var/spool/cron/crontabs/munin +.ft P +.f
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/, man/man8/
commit: 96b9d3ea8b0f23712fca45c58b36a0d107eb4e07 Author: Sven Vermeulen siphos be> AuthorDate: Tue Nov 11 13:08:49 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Tue Nov 11 13:08:49 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=96b9d3ea Fix typo in cron manual page --- man/man8/cron_selinux.8 | 2 +- policy/modules/contrib/cron.rst | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/man/man8/cron_selinux.8 b/man/man8/cron_selinux.8 index 701ad97..c3dd184 100644 --- a/man/man8/cron_selinux.8 +++ b/man/man8/cron_selinux.8 @@ -218,7 +218,7 @@ is used for the administrator cronjob definition files .B system_cron_spool_t is used for the system cronjob definition files .UNINDENT -.SS EXEUTABLES +.SS EXECUTABLES .INDENT 0.0 .TP .B anacron_exec_t diff --git a/policy/modules/contrib/cron.rst b/policy/modules/contrib/cron.rst index 55f625c..caf0977 100644 --- a/policy/modules/contrib/cron.rst +++ b/policy/modules/contrib/cron.rst @@ -180,8 +180,8 @@ sysadm_cron_spool_t system_cron_spool_t is used for the system cronjob definition files -EXEUTABLES --- +EXECUTABLES +--- anacron_exec_t is used for the **anacron** binary
[gentoo-commits] proj/hardened-refpolicy:master commit in: man/man8/, policy/modules/contrib/
commit: 6f1b709ddb3b5e9d71ed8195849d9feb1752f9f4 Author: Sven Vermeulen siphos be> AuthorDate: Tue Nov 11 13:35:45 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Tue Nov 11 13:35:45 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=6f1b709d Crontab fix for munin (workaround) is in policy --- man/man8/cron_selinux.8 | 2 +- man/man8/munin_selinux.8 | 2 +- policy/modules/contrib/cron.rst | 2 +- policy/modules/contrib/munin.rst | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/man/man8/cron_selinux.8 b/man/man8/cron_selinux.8 index c3dd184..5444953 100644 --- a/man/man8/cron_selinux.8 +++ b/man/man8/cron_selinux.8 @@ -321,7 +321,7 @@ cronjobs inside \fB/var/spool/cron/crontabs\fP\&. The munin cronjobs are meant t be executed as the munin Linux account, but the jobs themselves are best seen as system cronjobs (as they are not related to a true interactive end user). .sp -The default deployed files do not get the \fIsystem_u\fP SELinux ownership +The default deployed files might not get the \fIsystem_u\fP SELinux ownership assigned. To fix this, execute the following command: .INDENT 0.0 .INDENT 3.5 diff --git a/man/man8/munin_selinux.8 b/man/man8/munin_selinux.8 index 99507b6..29eb7aa 100644 --- a/man/man8/munin_selinux.8 +++ b/man/man8/munin_selinux.8 @@ -149,7 +149,7 @@ cronjobs inside \fB/var/spool/cron/crontabs\fP\&. The munin cronjobs are meant t be executed as the munin Linux account, but the jobs themselves are best seen as system cronjobs (as they are not related to a true interactive end user). .sp -The default deployed files do not get the \fIsystem_u\fP SELinux ownership +The default deployed files might not get the \fIsystem_u\fP SELinux ownership assigned. To fix this, execute the following command: .INDENT 0.0 .INDENT 3.5 diff --git a/policy/modules/contrib/cron.rst b/policy/modules/contrib/cron.rst index caf0977..a35c26a 100644 --- a/policy/modules/contrib/cron.rst 
+++ b/policy/modules/contrib/cron.rst @@ -268,7 +268,7 @@ cronjobs inside ``/var/spool/cron/crontabs``. The munin cronjobs are meant to be executed as the munin Linux account, but the jobs themselves are best seen as system cronjobs (as they are not related to a true interactive end user). -The default deployed files do not get the *system_u* SELinux ownership +The default deployed files might not get the *system_u* SELinux ownership assigned. To fix this, execute the following command:: ~# chcon -u system_u /var/spool/cron/crontabs/munin diff --git a/policy/modules/contrib/munin.rst b/policy/modules/contrib/munin.rst index 3819024..220c75e 100644 --- a/policy/modules/contrib/munin.rst +++ b/policy/modules/contrib/munin.rst @@ -115,7 +115,7 @@ cronjobs inside ``/var/spool/cron/crontabs``. The munin cronjobs are meant to be executed as the munin Linux account, but the jobs themselves are best seen as system cronjobs (as they are not related to a true interactive end user). -The default deployed files do not get the *system_u* SELinux ownership +The default deployed files might not get the *system_u* SELinux ownership assigned. To fix this, execute the following command:: ~# chcon -u system_u /var/spool/cron/crontabs/munin
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
commit: f849d7e0c29175d717cb3addf4285ce09a20c2bb Author: Sven Vermeulen siphos be> AuthorDate: Tue Nov 11 13:33:21 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Tue Nov 11 13:33:21 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f849d7e0 Force munin crontab to be system_u (define context), fix bug #526532 --- policy/modules/contrib/cron.fc | 4 1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/cron.fc b/policy/modules/contrib/cron.fc
index 266a439..590908c 100644
--- a/policy/modules/contrib/cron.fc
+++ b/policy/modules/contrib/cron.fc
@@ -60,3 +60,7 @@ ifdef(`distro_suse',`
 /var/spool/cron/lastrun/[^/]* -- <>
 /var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0)
 ')
+
+ifdef(`distro_gentoo',`
+/var/spool/cron/crontabs/munin -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+')
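Review bot: The new context line sets the user field to system_u, but a default `restorecon`/`setfiles` run only resets the type and leaves the user of an already-deployed file untouched, so the label this commit is after only lands on an existing `/var/spool/cron/crontabs/munin` through `restorecon -F` or the `chcon -u system_u` shown in the manual page. The ifdef block would benefit from saying so, e.g. `# user part is only applied on initial labeling or with restorecon -F`. Also, if the file is rewritten through the crontab command as the munin user, the replacement presumably gets its type from the crontab domain's file transition rather than from this entry, which is worth noting next to the line as well.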
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
commit: 5930912adf0ca652cdcc7c0708086e21788fc022 Author: Sven Vermeulen siphos be> AuthorDate: Tue Nov 11 13:37:38 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Tue Nov 11 13:37:38 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=5930912a Add info on why munin crontab is explicitly mentioned --- policy/modules/contrib/cron.fc | 1 + 1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/cron.fc b/policy/modules/contrib/cron.fc
index 590908c..cbb19b7 100644
--- a/policy/modules/contrib/cron.fc
+++ b/policy/modules/contrib/cron.fc
@@ -62,5 +62,6 @@ ifdef(`distro_suse',`
 ')
 ifdef(`distro_gentoo',`
+# Fix bug 526532 - Workaround so that munin crontab gets a system_u label assigned
 /var/spool/cron/crontabs/munin -- gen_context(system_u:object_r:system_cron_spool_t,s0)
 ')
[gentoo-commits] proj/hardened-refpolicy: New branch: bitcoin
commit: Commit: Sven Vermeulen gentoo org> CommitDate: Tue Nov 11 14:04:34 2014 + New branch: bitcoin
[gentoo-commits] proj/hardened-refpolicy:bitcoin commit in: policy/modules/kernel/
commit: ea33f9c5072845e60486b6584aca32458156806b Author: Sven Vermeulen siphos be> AuthorDate: Tue Nov 11 14:22:23 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Tue Nov 11 14:22:23 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ea33f9c5 Add bitcoin ports --- policy/modules/kernel/corenetwork.te.in | 1 + 1 file changed, 1 insertion(+)
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index a118109..5c6af72 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -93,6 +93,7 @@ network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0)
 network_port(audit, tcp,60,s0)
 network_port(auth, tcp,113,s0)
 network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
+network_port(bitcoin, tcp,8332,s0, tcp,8333,s0)
 network_port(boinc, tcp,31416,s0)
 network_port(boinc_client, tcp,1043,s0, udp,1034,s0)
 network_port(biff) # no defined portcon
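Review bot: Both ports land in a single `bitcoin` port type although they serve different trust levels: 8333 is the peer-to-peer port exposed to the network, while 8332 is the JSON-RPC control interface, so any domain later granted `corenet_tcp_connect_bitcoin_port()` also gains reach to the RPC listener. A comment on the new line, `# 8332 = JSON-RPC (control), 8333 = P2P`, would at least record that, and a separate port type for 8332 would let policy restrict the control side independently of the P2P side.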
[gentoo-commits] proj/hardened-refpolicy:bitcoin commit in: policy/modules/contrib/
commit: cb4861e977601050afc03217b9421f3ad1119f3e Author: Sven Vermeulen siphos be> AuthorDate: Tue Nov 11 14:23:16 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Tue Nov 11 14:23:16 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=cb4861e9 Bitcoin policy --- policy/modules/contrib/bitcoin.fc | 16 +++ policy/modules/contrib/bitcoin.if | 48 + policy/modules/contrib/bitcoin.te | 87 +++ 3 files changed, 151 insertions(+)
diff --git a/policy/modules/contrib/bitcoin.fc b/policy/modules/contrib/bitcoin.fc
new file mode 100644
index 000..86c4083
--- /dev/null
+++ b/policy/modules/contrib/bitcoin.fc
@@ -0,0 +1,16 @@
+#
+# /etc
+#
+/etc/bitcoin(/.*)? gen_context(system_u:object_r:bitcoin_etc_t,s0)
+/etc/rc\.d/init\.d/bitcoind-- gen_context(system_u:object_r:bitcoin_initrc_exec_t,s0)
+
+#
+# /usr
+#
+/usr/bin/bitcoind -- gen_context(system_u:object_r:bitcoin_exec_t,s0)
+
+#
+# /var
+#
+/var/lib/bitcoin(/.*)? -- gen_context(system_u:object_r:bitcoin_var_lib_t,s0)
+
diff --git a/policy/modules/contrib/bitcoin.if b/policy/modules/contrib/bitcoin.if
new file mode 100644
index 000..2a56735
--- /dev/null
+++ b/policy/modules/contrib/bitcoin.if
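Review bot: `/etc/rc\.d/init\.d/bitcoind--` has no whitespace before the `--` file-type specifier; if that is in the file rather than an artifact of this listing, the `--` becomes part of the regular expression and the init script itself never matches, so the line should read `/etc/rc\.d/init\.d/bitcoind -- gen_context(system_u:object_r:bitcoin_initrc_exec_t,s0)`. The same text is in the bitcoin.fc hunks of b5b6cb53, fda39cc6, 7279800c and dc7e1bc6. The `/var/lib/bitcoin(/.*)? --` entry only labels regular files, so the `/var/lib/bitcoin` directory itself keeps the generic /var/lib label; dropping the `--`, as dc7e1bc6 later does, fixes that. Finally, bitcoin_etc_t, which the `/etc/bitcoin` entry assigns, is declared in this commit's bitcoin.te as a bare `type bitcoin_etc_t;` with no files_type()/files_config_file() call visible, which leaves it outside the file_type attribute that the generic file-handling and filesystem-association rules key on.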
@@ -0,0 +1,48 @@
+## Bitcoin software-based online payment system
+
+#
+##
+## Administer a bitcoin environment
+##
+##
+##
+## Domain allowed access
+##
+##
+##
+##
+## Role allowed access
+##
+##
+#
+interface(`bitcoin_admin',`
+ gen_require(`
+ type bitcoin_t;
+ type bitcoin_etc_t, bitcoin_tmp_t, bitcoin_log_t;
+ type bitcoin_var_lib_t, bitcoin_var_run_t;
+ type bitcoin_initrc_exec_t;
+ ')
+
+ allow $1 bitcoin_t:process { ptrace signal_perms };
+ ps_process_pattern($1, bitcoin_t)
+
+ init_labeled_script_domtrans($1, bitcoin_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 bitcoin_initrc_exec_t system_r;
+ allow $2 bitcoin_t;
+
+ files_list_tmp($1)
+ admin_pattern($1, bitcoin_tmp_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, bitcoin_log_t)
+
+ files_list_etc($1)
+ admin_pattern($1, bitcoin_etc_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, bitcoin_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, bitcoin_var_run_t)
+')
diff --git a/policy/modules/contrib/bitcoin.te b/policy/modules/contrib/bitcoin.te
new file mode 100644
index 000..cb85531
--- /dev/null
+++ b/policy/modules/contrib/bitcoin.te
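Review bot: `allow $2 bitcoin_t;` at the end of the role block is a role allow rule whose second operand is a type, which should not compile since bitcoin_t is not a role; the refpolicy admin-interface idiom that pairs with the preceding `role_transition $2 bitcoin_initrc_exec_t system_r;` is `allow $2 system_r;`, which is also what commit 7279800c later changes it to. The same line is in the bitcoin.if hunks of b5b6cb53 and fda39cc6. Independently, the interface header in this listing shows only bare `##` lines for the summary and parameter descriptions; if the `<summary>`/`<param>` markup is really absent from the file rather than stripped by the listing, the interface documentation generator has nothing to emit for `bitcoin_admin`.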
@@ -0,0 +1,87 @@
+policy_module(bitcoin, 0.1)
+
+#
+#
+# Declarations
+#
+
+##
+##
+## Determine whether the bitcoin daemon can bind
+## to all unreserved ports or not.
+##
+##<
+gen_tunable(bitcoin_bind_all_unreserved_ports, false)
+
+type bitcoin_t;
+type bitcoin_exec_t;
+init_daemon_domain(bitcoin_t, bitcoin_exec_t)
+
+type bitcoin_initrc_exec_t;
+init_script_file(bitcoin_initrc_exec_t)
+
+type bitcoin_etc_t;
+
+type bitcoin_log_t;
+logging_log_file(bitcoin_log_t)
+
+type bitcoin_var_lib_t;
+files_type(bitcoin_var_lib_t)
+
+type bitcoin_var_run_t;
+files_pid_file(bitcoin_var_run_t)
+
+type bitcoin_tmp_t;
+files_tmp_file(bitcoin_tmp_t)
+
+#
+#
+# Local policy
+#
+
+allow bitcoin_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
+allow bitcoin_t self:tcp_socket create_stream_socket_perms;
+
+read_files_pattern(bitcoin_t, bitcoin_etc_t, bitcoin_etc_t)
+
+allow bitcoin_t bitcoin_tmp_t:file { create_file_perms write_file_perms };
+files_tmp_filetrans(bitcoin_t, bitcoin_tmp_t, file)
+
+allow bitcoin_t bitcoin_var_lib_t:lnk_file read_lnk_files_pattern;
+manage_files_pattern(bitcoin_t, bitcoin_var_lib_t, bitcoin_var_lib_t)
+
+
+kernel_read_vm_sysctls(bitcoin_t)
+
+corenet_all_recvfrom_netlabel(bitcoin_t)
+corenet_all_recvfrom_unlabeled(bitcoin_t)
+
+corenet_sendrecv_bitcoin_server_packets(bitcoin_t)
+# TODO why bind and connect simultaneously? If needed, perhaps also bitcoin_client_packets
+corenet_tcp_bind_bitcoin_port(bitcoin_t)
+#corenet_tcp_connect_bitcoin_port(bitcoin_t)
+corenet_tcp_sendrecv_bitcoin_port(bitcoin_t)
+corenet_tcp_sendrecv_generic_if(bitcoin_t)
+corenet_tcp_sendrecv_generic_node(bitcoin_t)
+#corenet_sendrecv_dns_server_packets(bitcoin_t)
+#corenet_udp_bind_dns_port(bitcoin_t)
+#corenet_udp_sendrecv_dns_port(bitcoin_t)
+
+dev_read_sysfs(bitcoin_t)
+dev_read_urand(bitcoin_t)
+
+domain_use_interactive_fds(bitcoin_t)
+
+files_read_etc_runtime_files(bitcoin_t)
+files_read_usr_files(bitcoin_t)
+
+fs_getattr_xattr_fs(bitcoin_t)
+fs_associate(bitcoin_var_lib_t)
+
+auth_use_nsswitch(bitcoin_t)
+
+miscfiles_read_localization(bitcoin_t)
+
+tunable_policy(`bitcoin_b
[gentoo-commits] proj/hardened-refpolicy:bitcoin commit in: policy/modules/contrib/
commit: b5b6cb5395d941a974d597e202dda20c21b2ffc5 Author: Sven Vermeulen siphos be> AuthorDate: Tue Nov 11 14:23:16 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Tue Nov 11 14:35:22 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b5b6cb53 Bitcoin policy --- policy/modules/contrib/bitcoin.fc | 16 +++ policy/modules/contrib/bitcoin.if | 48 + policy/modules/contrib/bitcoin.te | 87 +++ 3 files changed, 151 insertions(+)
diff --git a/policy/modules/contrib/bitcoin.fc b/policy/modules/contrib/bitcoin.fc
new file mode 100644
index 000..86c4083
--- /dev/null
+++ b/policy/modules/contrib/bitcoin.fc
@@ -0,0 +1,16 @@
+#
+# /etc
+#
+/etc/bitcoin(/.*)? gen_context(system_u:object_r:bitcoin_etc_t,s0)
+/etc/rc\.d/init\.d/bitcoind-- gen_context(system_u:object_r:bitcoin_initrc_exec_t,s0)
+
+#
+# /usr
+#
+/usr/bin/bitcoind -- gen_context(system_u:object_r:bitcoin_exec_t,s0)
+
+#
+# /var
+#
+/var/lib/bitcoin(/.*)? -- gen_context(system_u:object_r:bitcoin_var_lib_t,s0)
+
diff --git a/policy/modules/contrib/bitcoin.if b/policy/modules/contrib/bitcoin.if
new file mode 100644
index 000..2a56735
--- /dev/null
+++ b/policy/modules/contrib/bitcoin.if
@@ -0,0 +1,48 @@
+## Bitcoin software-based online payment system
+
+#
+##
+## Administer a bitcoin environment
+##
+##
+##
+## Domain allowed access
+##
+##
+##
+##
+## Role allowed access
+##
+##
+#
+interface(`bitcoin_admin',`
+ gen_require(`
+ type bitcoin_t;
+ type bitcoin_etc_t, bitcoin_tmp_t, bitcoin_log_t;
+ type bitcoin_var_lib_t, bitcoin_var_run_t;
+ type bitcoin_initrc_exec_t;
+ ')
+
+ allow $1 bitcoin_t:process { ptrace signal_perms };
+ ps_process_pattern($1, bitcoin_t)
+
+ init_labeled_script_domtrans($1, bitcoin_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 bitcoin_initrc_exec_t system_r;
+ allow $2 bitcoin_t;
+
+ files_list_tmp($1)
+ admin_pattern($1, bitcoin_tmp_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, bitcoin_log_t)
+
+ files_list_etc($1)
+ admin_pattern($1, bitcoin_etc_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, bitcoin_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, bitcoin_var_run_t)
+')
diff --git a/policy/modules/contrib/bitcoin.te b/policy/modules/contrib/bitcoin.te
new file mode 100644
index 000..ad3e7ec
--- /dev/null
+++ b/policy/modules/contrib/bitcoin.te
@@ -0,0 +1,87 @@
+policy_module(bitcoin, 0.1)
+
+#
+#
+# Declarations
+#
+
+##
+##
+## Determine whether the bitcoin daemon can bind
+## to all unreserved ports or not.
+##
+##
+gen_tunable(bitcoin_bind_all_unreserved_ports, false)
+
+type bitcoin_t;
+type bitcoin_exec_t;
+init_daemon_domain(bitcoin_t, bitcoin_exec_t)
+
+type bitcoin_initrc_exec_t;
+init_script_file(bitcoin_initrc_exec_t)
+
+type bitcoin_etc_t;
+
+type bitcoin_log_t;
+logging_log_file(bitcoin_log_t)
+
+type bitcoin_var_lib_t;
+files_type(bitcoin_var_lib_t)
+
+type bitcoin_var_run_t;
+files_pid_file(bitcoin_var_run_t)
+
+type bitcoin_tmp_t;
+files_tmp_file(bitcoin_tmp_t)
+
+#
+#
+# Local policy
+#
+
+allow bitcoin_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
+allow bitcoin_t self:tcp_socket create_stream_socket_perms;
+
+read_files_pattern(bitcoin_t, bitcoin_etc_t, bitcoin_etc_t)
+
+allow bitcoin_t bitcoin_tmp_t:file { create_file_perms write_file_perms };
+files_tmp_filetrans(bitcoin_t, bitcoin_tmp_t, file)
+
+allow bitcoin_t bitcoin_var_lib_t:lnk_file read_lnk_files_pattern;
+manage_files_pattern(bitcoin_t, bitcoin_var_lib_t, bitcoin_var_lib_t)
+
+
+kernel_read_vm_sysctls(bitcoin_t)
+
+corenet_all_recvfrom_netlabel(bitcoin_t)
+corenet_all_recvfrom_unlabeled(bitcoin_t)
+
+corenet_sendrecv_bitcoin_server_packets(bitcoin_t)
+# TODO why bind and connect simultaneously? If needed, perhaps also bitcoin_client_packets
+corenet_tcp_bind_bitcoin_port(bitcoin_t)
+#corenet_tcp_connect_bitcoin_port(bitcoin_t)
+corenet_tcp_sendrecv_bitcoin_port(bitcoin_t)
+corenet_tcp_sendrecv_generic_if(bitcoin_t)
+corenet_tcp_sendrecv_generic_node(bitcoin_t)
+#corenet_sendrecv_dns_server_packets(bitcoin_t)
+#corenet_udp_bind_dns_port(bitcoin_t)
+#corenet_udp_sendrecv_dns_port(bitcoin_t)
+
+dev_read_sysfs(bitcoin_t)
+dev_read_urand(bitcoin_t)
+
+domain_use_interactive_fds(bitcoin_t)
+
+files_read_etc_runtime_files(bitcoin_t)
+files_read_usr_files(bitcoin_t)
+
+fs_getattr_xattr_fs(bitcoin_t)
+fs_associate(bitcoin_var_lib_t)
+
+auth_use_nsswitch(bitcoin_t)
+
+miscfiles_read_localization(bitcoin_t)
+
+tunable_policy(`bitcoin_bind
[gentoo-commits] proj/hardened-refpolicy:bitcoin commit in: policy/modules/contrib/
commit: fda39cc6bb008dabfa6ea8c670483e0b68108331 Author: Sven Vermeulen siphos be> AuthorDate: Tue Nov 11 14:23:16 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Tue Nov 11 14:41:36 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=fda39cc6 Bitcoin policy --- policy/modules/contrib/bitcoin.fc | 16 policy/modules/contrib/bitcoin.if | 48 ++ policy/modules/contrib/bitcoin.te | 86 +++ 3 files changed, 150 insertions(+)
diff --git a/policy/modules/contrib/bitcoin.fc b/policy/modules/contrib/bitcoin.fc
new file mode 100644
index 000..86c4083
--- /dev/null
+++ b/policy/modules/contrib/bitcoin.fc
@@ -0,0 +1,16 @@
+#
+# /etc
+#
+/etc/bitcoin(/.*)? gen_context(system_u:object_r:bitcoin_etc_t,s0)
+/etc/rc\.d/init\.d/bitcoind-- gen_context(system_u:object_r:bitcoin_initrc_exec_t,s0)
+
+#
+# /usr
+#
+/usr/bin/bitcoind -- gen_context(system_u:object_r:bitcoin_exec_t,s0)
+
+#
+# /var
+#
+/var/lib/bitcoin(/.*)? -- gen_context(system_u:object_r:bitcoin_var_lib_t,s0)
+
diff --git a/policy/modules/contrib/bitcoin.if b/policy/modules/contrib/bitcoin.if
new file mode 100644
index 000..2a56735
--- /dev/null
+++ b/policy/modules/contrib/bitcoin.if
@@ -0,0 +1,48 @@
+## Bitcoin software-based online payment system
+
+#
+##
+## Administer a bitcoin environment
+##
+##
+##
+## Domain allowed access
+##
+##
+##
+##
+## Role allowed access
+##
+##
+#
+interface(`bitcoin_admin',`
+ gen_require(`
+ type bitcoin_t;
+ type bitcoin_etc_t, bitcoin_tmp_t, bitcoin_log_t;
+ type bitcoin_var_lib_t, bitcoin_var_run_t;
+ type bitcoin_initrc_exec_t;
+ ')
+
+ allow $1 bitcoin_t:process { ptrace signal_perms };
+ ps_process_pattern($1, bitcoin_t)
+
+ init_labeled_script_domtrans($1, bitcoin_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 bitcoin_initrc_exec_t system_r;
+ allow $2 bitcoin_t;
+
+ files_list_tmp($1)
+ admin_pattern($1, bitcoin_tmp_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, bitcoin_log_t)
+
+ files_list_etc($1)
+ admin_pattern($1, bitcoin_etc_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, bitcoin_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, bitcoin_var_run_t)
+')
diff --git a/policy/modules/contrib/bitcoin.te b/policy/modules/contrib/bitcoin.te
new file mode 100644
index 000..ddd1ca3
--- /dev/null
+++ b/policy/modules/contrib/bitcoin.te
@@ -0,0 +1,86 @@
+policy_module(bitcoin, 0.1)
+
+#
+#
+# Declarations
+#
+
+##
+##
+## Determine whether the bitcoin daemon can bind
+## to all unreserved ports or not.
+##
+##
+gen_tunable(bitcoin_bind_all_unreserved_ports, false)
+
+type bitcoin_t;
+type bitcoin_exec_t;
+init_daemon_domain(bitcoin_t, bitcoin_exec_t)
+
+type bitcoin_initrc_exec_t;
+init_script_file(bitcoin_initrc_exec_t)
+
+type bitcoin_etc_t;
+
+type bitcoin_log_t;
+logging_log_file(bitcoin_log_t)
+
+type bitcoin_var_lib_t;
+files_type(bitcoin_var_lib_t)
+
+type bitcoin_var_run_t;
+files_pid_file(bitcoin_var_run_t)
+
+type bitcoin_tmp_t;
+files_tmp_file(bitcoin_tmp_t)
+
+#
+#
+# Local policy
+#
+
+allow bitcoin_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
+allow bitcoin_t self:tcp_socket create_stream_socket_perms;
+
+read_files_pattern(bitcoin_t, bitcoin_etc_t, bitcoin_etc_t)
+
+allow bitcoin_t bitcoin_tmp_t:file { create_file_perms write_file_perms };
+files_tmp_filetrans(bitcoin_t, bitcoin_tmp_t, file)
+
+allow bitcoin_t bitcoin_var_lib_t:lnk_file read_lnk_file_perms;
+manage_files_pattern(bitcoin_t, bitcoin_var_lib_t, bitcoin_var_lib_t)
+
+kernel_read_vm_sysctls(bitcoin_t)
+
+corenet_all_recvfrom_netlabel(bitcoin_t)
+corenet_all_recvfrom_unlabeled(bitcoin_t)
+
+corenet_sendrecv_bitcoin_server_packets(bitcoin_t)
+# TODO why bind and connect simultaneously? If needed, perhaps also bitcoin_client_packets
+corenet_tcp_bind_bitcoin_port(bitcoin_t)
+#corenet_tcp_connect_bitcoin_port(bitcoin_t)
+corenet_tcp_sendrecv_bitcoin_port(bitcoin_t)
+corenet_tcp_sendrecv_generic_if(bitcoin_t)
+corenet_tcp_sendrecv_generic_node(bitcoin_t)
+#corenet_sendrecv_dns_server_packets(bitcoin_t)
+#corenet_udp_bind_dns_port(bitcoin_t)
+#corenet_udp_sendrecv_dns_port(bitcoin_t)
+
+dev_read_sysfs(bitcoin_t)
+dev_read_urand(bitcoin_t)
+
+domain_use_interactive_fds(bitcoin_t)
+
+files_read_etc_runtime_files(bitcoin_t)
+files_read_usr_files(bitcoin_t)
+
+#fs_getattr_xattr_fs(bitcoin_t)
+#fs_associate(bitcoin_var_lib_t)
+
+auth_use_nsswitch(bitcoin_t)
+
+miscfiles_read_localization(bitcoin_t)
+
+tunable_policy(`bitcoin_bind
[gentoo-commits] proj/hardened-refpolicy:bitcoin commit in: policy/modules/contrib/
commit: 7279800c28d37ac866f6d47924c5f23fa5e1875d Author: Sven Vermeulen siphos be> AuthorDate: Tue Nov 11 14:23:16 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Tue Nov 11 15:37:21 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=7279800c Bitcoin policy --- policy/modules/contrib/bitcoin.fc | 16 policy/modules/contrib/bitcoin.if | 48 ++ policy/modules/contrib/bitcoin.te | 86 +++ 3 files changed, 150 insertions(+)
diff --git a/policy/modules/contrib/bitcoin.fc b/policy/modules/contrib/bitcoin.fc
new file mode 100644
index 000..86c4083
--- /dev/null
+++ b/policy/modules/contrib/bitcoin.fc
@@ -0,0 +1,16 @@
+#
+# /etc
+#
+/etc/bitcoin(/.*)? gen_context(system_u:object_r:bitcoin_etc_t,s0)
+/etc/rc\.d/init\.d/bitcoind-- gen_context(system_u:object_r:bitcoin_initrc_exec_t,s0)
+
+#
+# /usr
+#
+/usr/bin/bitcoind -- gen_context(system_u:object_r:bitcoin_exec_t,s0)
+
+#
+# /var
+#
+/var/lib/bitcoin(/.*)? -- gen_context(system_u:object_r:bitcoin_var_lib_t,s0)
+
diff --git a/policy/modules/contrib/bitcoin.if b/policy/modules/contrib/bitcoin.if
new file mode 100644
index 000..922bc7c
--- /dev/null
+++ b/policy/modules/contrib/bitcoin.if
@@ -0,0 +1,48 @@
+## Bitcoin software-based online payment system
+
+#
+##
+## Administer a bitcoin environment
+##
+##
+##
+## Domain allowed access
+##
+##
+##
+##
+## Role allowed access
+##
+##
+#
+interface(`bitcoin_admin',`
+ gen_require(`
+ type bitcoin_t;
+ type bitcoin_etc_t, bitcoin_tmp_t, bitcoin_log_t;
+ type bitcoin_var_lib_t, bitcoin_var_run_t;
+ type bitcoin_initrc_exec_t;
+ ')
+
+ allow $1 bitcoin_t:process { ptrace signal_perms };
+ ps_process_pattern($1, bitcoin_t)
+
+ init_labeled_script_domtrans($1, bitcoin_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 bitcoin_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_tmp($1)
+ admin_pattern($1, bitcoin_tmp_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, bitcoin_log_t)
+
+ files_list_etc($1)
+ admin_pattern($1, bitcoin_etc_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, bitcoin_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, bitcoin_var_run_t)
+')
diff --git a/policy/modules/contrib/bitcoin.te b/policy/modules/contrib/bitcoin.te
new file mode 100644
index 000..ddd1ca3
--- /dev/null
+++ b/policy/modules/contrib/bitcoin.te
@@ -0,0 +1,86 @@
+policy_module(bitcoin, 0.1)
+
+#
+#
+# Declarations
+#
+
+##
+##
+## Determine whether the bitcoin daemon can bind
+## to all unreserved ports or not.
+##
+##
+gen_tunable(bitcoin_bind_all_unreserved_ports, false)
+
+type bitcoin_t;
+type bitcoin_exec_t;
+init_daemon_domain(bitcoin_t, bitcoin_exec_t)
+
+type bitcoin_initrc_exec_t;
+init_script_file(bitcoin_initrc_exec_t)
+
+type bitcoin_etc_t;
+
+type bitcoin_log_t;
+logging_log_file(bitcoin_log_t)
+
+type bitcoin_var_lib_t;
+files_type(bitcoin_var_lib_t)
+
+type bitcoin_var_run_t;
+files_pid_file(bitcoin_var_run_t)
+
+type bitcoin_tmp_t;
+files_tmp_file(bitcoin_tmp_t)
+
+#
+#
+# Local policy
+#
+
+allow bitcoin_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
+allow bitcoin_t self:tcp_socket create_stream_socket_perms;
+
+read_files_pattern(bitcoin_t, bitcoin_etc_t, bitcoin_etc_t)
+
+allow bitcoin_t bitcoin_tmp_t:file { create_file_perms write_file_perms };
+files_tmp_filetrans(bitcoin_t, bitcoin_tmp_t, file)
+
+allow bitcoin_t bitcoin_var_lib_t:lnk_file read_lnk_file_perms;
+manage_files_pattern(bitcoin_t, bitcoin_var_lib_t, bitcoin_var_lib_t)
+
+kernel_read_vm_sysctls(bitcoin_t)
+
+corenet_all_recvfrom_netlabel(bitcoin_t)
+corenet_all_recvfrom_unlabeled(bitcoin_t)
+
+corenet_sendrecv_bitcoin_server_packets(bitcoin_t)
+# TODO why bind and connect simultaneously? If needed, perhaps also bitcoin_client_packets
+corenet_tcp_bind_bitcoin_port(bitcoin_t)
+#corenet_tcp_connect_bitcoin_port(bitcoin_t)
+corenet_tcp_sendrecv_bitcoin_port(bitcoin_t)
+corenet_tcp_sendrecv_generic_if(bitcoin_t)
+corenet_tcp_sendrecv_generic_node(bitcoin_t)
+#corenet_sendrecv_dns_server_packets(bitcoin_t)
+#corenet_udp_bind_dns_port(bitcoin_t)
+#corenet_udp_sendrecv_dns_port(bitcoin_t)
+
+dev_read_sysfs(bitcoin_t)
+dev_read_urand(bitcoin_t)
+
+domain_use_interactive_fds(bitcoin_t)
+
+files_read_etc_runtime_files(bitcoin_t)
+files_read_usr_files(bitcoin_t)
+
+#fs_getattr_xattr_fs(bitcoin_t)
+#fs_associate(bitcoin_var_lib_t)
+
+auth_use_nsswitch(bitcoin_t)
+
+miscfiles_read_localization(bitcoin_t)
+
+tunable_policy(`bitcoin_bind
[gentoo-commits] proj/hardened-refpolicy:bitcoin commit in: policy/modules/contrib/
commit: dc7e1bc6aac145b6ee318bed445819031f5523d1 Author: Sven Vermeulen siphos be> AuthorDate: Tue Nov 11 14:23:16 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Tue Nov 11 15:45:23 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=dc7e1bc6 Bitcoin policy --- policy/modules/contrib/bitcoin.fc | 16 policy/modules/contrib/bitcoin.if | 48 ++ policy/modules/contrib/bitcoin.te | 86 +++ 3 files changed, 150 insertions(+)
diff --git a/policy/modules/contrib/bitcoin.fc b/policy/modules/contrib/bitcoin.fc
new file mode 100644
index 000..d2198e4
--- /dev/null
+++ b/policy/modules/contrib/bitcoin.fc
@@ -0,0 +1,16 @@
+#
+# /etc
+#
+/etc/bitcoin(/.*)? gen_context(system_u:object_r:bitcoin_etc_t,s0)
+/etc/rc\.d/init\.d/bitcoind-- gen_context(system_u:object_r:bitcoin_initrc_exec_t,s0)
+
+#
+# /usr
+#
+/usr/bin/bitcoind -- gen_context(system_u:object_r:bitcoin_exec_t,s0)
+
+#
+# /var
+#
+/var/lib/bitcoin(/.*)? gen_context(system_u:object_r:bitcoin_var_lib_t,s0)
+
diff --git a/policy/modules/contrib/bitcoin.if b/policy/modules/contrib/bitcoin.if
new file mode 100644
index 000..922bc7c
--- /dev/null
+++ b/policy/modules/contrib/bitcoin.if
@@ -0,0 +1,48 @@
+## Bitcoin software-based online payment system
+
+#
+##
+## Administer a bitcoin environment
+##
+##
+##
+## Domain allowed access
+##
+##
+##
+##
+## Role allowed access
+##
+##
+#
+interface(`bitcoin_admin',`
+ gen_require(`
+ type bitcoin_t;
+ type bitcoin_etc_t, bitcoin_tmp_t, bitcoin_log_t;
+ type bitcoin_var_lib_t, bitcoin_var_run_t;
+ type bitcoin_initrc_exec_t;
+ ')
+
+ allow $1 bitcoin_t:process { ptrace signal_perms };
+ ps_process_pattern($1, bitcoin_t)
+
+ init_labeled_script_domtrans($1, bitcoin_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 bitcoin_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_tmp($1)
+ admin_pattern($1, bitcoin_tmp_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, bitcoin_log_t)
+
+ files_list_etc($1)
+ admin_pattern($1, bitcoin_etc_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, bitcoin_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, bitcoin_var_run_t)
+')
diff --git a/policy/modules/contrib/bitcoin.te b/policy/modules/contrib/bitcoin.te
new file mode 100644
index 000..ddd1ca3
--- /dev/null
+++ b/policy/modules/contrib/bitcoin.te
@@ -0,0 +1,86 @@ +policy_module(bitcoin, 0.1) + +# +# +# Declarations +# + +## +## +## Determine whether the bitcoin daemon can bind +## to all unreserved ports or not. +## +## +gen_tunable(bitcoin_bind_all_unreserved_ports, false) + +type bitcoin_t; +type bitcoin_exec_t; +init_daemon_domain(bitcoin_t, bitcoin_exec_t) + +type bitcoin_initrc_exec_t; +init_script_file(bitcoin_initrc_exec_t) + +type bitcoin_etc_t; + +type bitcoin_log_t; +logging_log_file(bitcoin_log_t) + +type bitcoin_var_lib_t; +files_type(bitcoin_var_lib_t) + +type bitcoin_var_run_t; +files_pid_file(bitcoin_var_run_t) + +type bitcoin_tmp_t; +files_tmp_file(bitcoin_tmp_t) + +# +# +# Local policy +# + +allow bitcoin_t self:netlink_route_socket { write getattr read bind create nlmsg_read }; +allow bitcoin_t self:tcp_socket create_stream_socket_perms; + +read_files_pattern(bitcoin_t, bitcoin_etc_t, bitcoin_etc_t) + +allow bitcoin_t bitcoin_tmp_t:file { create_file_perms write_file_perms }; +files_tmp_filetrans(bitcoin_t, bitcoin_tmp_t, file) + +allow bitcoin_t bitcoin_var_lib_t:lnk_file read_lnk_file_perms; +manage_files_pattern(bitcoin_t, bitcoin_var_lib_t, bitcoin_var_lib_t) + +kernel_read_vm_sysctls(bitcoin_t) + +corenet_all_recvfrom_netlabel(bitcoin_t) +corenet_all_recvfrom_unlabeled(bitcoin_t) + +corenet_sendrecv_bitcoin_server_packets(bitcoin_t) +# TODO why bind and connect simultaneously? 
If needed, perhaps also bitcoin_client_packets +corenet_tcp_bind_bitcoin_port(bitcoin_t) +#corenet_tcp_connect_bitcoin_port(bitcoin_t) +corenet_tcp_sendrecv_bitcoin_port(bitcoin_t) +corenet_tcp_sendrecv_generic_if(bitcoin_t) +corenet_tcp_sendrecv_generic_node(bitcoin_t) +#corenet_sendrecv_dns_server_packets(bitcoin_t) +#corenet_udp_bind_dns_port(bitcoin_t) +#corenet_udp_sendrecv_dns_port(bitcoin_t) + +dev_read_sysfs(bitcoin_t) +dev_read_urand(bitcoin_t) + +domain_use_interactive_fds(bitcoin_t) + +files_read_etc_runtime_files(bitcoin_t) +files_read_usr_files(bitcoin_t) + +#fs_getattr_xattr_fs(bitcoin_t) +#fs_associate(bitcoin_var_lib_t) + +auth_use_nsswitch(bitcoin_t) + +miscfiles_read_localization(bitcoin_t) + +tunable_policy(`bitcoin_bind
[gentoo-commits] proj/hardened-refpolicy:bitcoin commit in: policy/modules/system/
commit: 91b06086bea526e22411773d54c897ef06d85861 Author: Sven Vermeulen siphos be> AuthorDate: Tue Nov 11 15:58:55 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Tue Nov 11 15:59:06 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=91b06086 Add support for init_script_readable --- policy/modules/system/init.if | 18 ++ policy/modules/system/init.te | 5 + 2 files changed, 23 insertions(+) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if index 2b7793a..7cdf3a8 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -1906,3 +1906,21 @@ interface(`init_relabelto_script_state',` relabelto_files_pattern($1, initrc_state_t, initrc_state_t) relabelto_dirs_pattern($1, initrc_state_t, initrc_state_t) ') + +# +## +## Mark as a readable type for the initrc_t domain +## +## +## +## Type that initrc_t needs read access to +## +## +# +interface(`init_script_readable_type',` + gen_require(` + attribute init_script_readable; + ') + + typeattribute $1 init_script_readable; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index cd2b0e4..cd3d18d 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -935,12 +935,17 @@ optional_policy(` ') ifdef(`distro_gentoo',` + # Attribute to assign to types that the initrc_t domain needs read access to + attribute init_script_readable; + # # # Local initrc_t policy # allow initrc_t self:capability sys_admin; + read_files_pattern(initrc_t, init_script_readable, init_script_readable) + manage_dirs_pattern(initrc_t, initrc_var_run_t, initrc_var_run_t) files_pid_filetrans(initrc_t, initrc_var_run_t, dir)
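Review bot: The `attribute init_script_readable;` declaration sits inside the `ifdef(`distro_gentoo'` block, while `init_script_readable_type` in init.if requires that attribute unconditionally, so a module calling the interface (bitcoin.te does so unconditionally in the following commits) would fail to build whenever distro_gentoo is not defined. Either move the `attribute init_script_readable;` line above the ifdef and keep only the allow rules Gentoo-specific, or state in the interface's description that it is only available on Gentoo builds and wrap callers in the same ifdef. The interface description could also say what "read access" covers: as committed here it is file reads only, and commit c4daf11c below adds symlink reads via `read_lnk_files_pattern` but keeps the same ifdef layout. The enclosing ifdef block continues beyond the end of the hunk.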
[gentoo-commits] proj/hardened-refpolicy:bitcoin commit in: policy/modules/contrib/
commit: 8c8da66ac3f8b7fa37fc60ac8d92251ba00bfc20 Author: Sven Vermeulen siphos be> AuthorDate: Tue Nov 11 14:23:16 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Tue Nov 11 16:00:03 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=8c8da66a Bitcoin policy --- policy/modules/contrib/bitcoin.fc | 16 +++ policy/modules/contrib/bitcoin.if | 48 + policy/modules/contrib/bitcoin.te | 87 +++ 3 files changed, 151 insertions(+) diff --git a/policy/modules/contrib/bitcoin.fc b/policy/modules/contrib/bitcoin.fc new file mode 100644 index 000..d2198e4 --- /dev/null +++ b/policy/modules/contrib/bitcoin.fc @@ -0,0 +1,16 @@ +# +# /etc +# +/etc/bitcoin(/.*)? gen_context(system_u:object_r:bitcoin_etc_t,s0) +/etc/rc\.d/init\.d/bitcoind-- gen_context(system_u:object_r:bitcoin_initrc_exec_t,s0) + +# +# /usr +# +/usr/bin/bitcoind -- gen_context(system_u:object_r:bitcoin_exec_t,s0) + +# +# /var +# +/var/lib/bitcoin(/.*)? gen_context(system_u:object_r:bitcoin_var_lib_t,s0) + diff --git a/policy/modules/contrib/bitcoin.if b/policy/modules/contrib/bitcoin.if new file mode 100644 index 000..922bc7c --- /dev/null +++ b/policy/modules/contrib/bitcoin.if 
@@ -0,0 +1,48 @@ +## Bitcoin software-based online payment system + +# +## +## Administer a bitcoin environment +## +## +## +## Domain allowed access +## +## +## +## +## Role allowed access +## +## +# +interface(`bitcoin_admin',` + gen_require(` + type bitcoin_t; + type bitcoin_etc_t, bitcoin_tmp_t, bitcoin_log_t; + type bitcoin_var_lib_t, bitcoin_var_run_t; + type bitcoin_initrc_exec_t; + ') + + allow $1 bitcoin_t:process { ptrace signal_perms }; + ps_process_pattern($1, bitcoin_t) + + init_labeled_script_domtrans($1, bitcoin_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 bitcoin_initrc_exec_t system_r; + allow $2 system_r; + + files_list_tmp($1) + admin_pattern($1, bitcoin_tmp_t) + + logging_list_logs($1) + admin_pattern($1, bitcoin_log_t) + + files_list_etc($1) + admin_pattern($1, bitcoin_etc_t) + + files_list_var_lib($1) + admin_pattern($1, bitcoin_var_lib_t) + + files_list_pids($1) + admin_pattern($1, bitcoin_var_run_t) +') diff --git a/policy/modules/contrib/bitcoin.te b/policy/modules/contrib/bitcoin.te new file mode 100644 index 000..6103dee --- /dev/null +++ b/policy/modules/contrib/bitcoin.te 
@@ -0,0 +1,87 @@ +policy_module(bitcoin, 0.1) + +# +# +# Declarations +# + +## +## +## Determine whether the bitcoin daemon can bind +## to all unreserved ports or not. +## +## +gen_tunable(bitcoin_bind_all_unreserved_ports, false) + +type bitcoin_t; +type bitcoin_exec_t; +init_daemon_domain(bitcoin_t, bitcoin_exec_t) + +type bitcoin_initrc_exec_t; +init_script_file(bitcoin_initrc_exec_t) + +type bitcoin_etc_t; + +type bitcoin_log_t; +logging_log_file(bitcoin_log_t) + +type bitcoin_var_lib_t; +files_type(bitcoin_var_lib_t) +init_script_readable(bitcoin_var_lib_t) + +type bitcoin_var_run_t; +files_pid_file(bitcoin_var_run_t) + +type bitcoin_tmp_t; +files_tmp_file(bitcoin_tmp_t) + +# +# +# Local policy +# + +allow bitcoin_t self:netlink_route_socket { write getattr read bind create nlmsg_read }; +allow bitcoin_t self:tcp_socket create_stream_socket_perms; + +read_files_pattern(bitcoin_t, bitcoin_etc_t, bitcoin_etc_t) + +allow bitcoin_t bitcoin_tmp_t:file { create_file_perms write_file_perms }; +files_tmp_filetrans(bitcoin_t, bitcoin_tmp_t, file) + +allow bitcoin_t bitcoin_var_lib_t:lnk_file read_lnk_file_perms; +manage_files_pattern(bitcoin_t, bitcoin_var_lib_t, bitcoin_var_lib_t) + +kernel_read_vm_sysctls(bitcoin_t) + +corenet_all_recvfrom_netlabel(bitcoin_t) +corenet_all_recvfrom_unlabeled(bitcoin_t) + +corenet_sendrecv_bitcoin_server_packets(bitcoin_t) +# TODO why bind and connect simultaneously? 
If needed, perhaps also bitcoin_client_packets +corenet_tcp_bind_bitcoin_port(bitcoin_t) +#corenet_tcp_connect_bitcoin_port(bitcoin_t) +corenet_tcp_sendrecv_bitcoin_port(bitcoin_t) +corenet_tcp_sendrecv_generic_if(bitcoin_t) +corenet_tcp_sendrecv_generic_node(bitcoin_t) +#corenet_sendrecv_dns_server_packets(bitcoin_t) +#corenet_udp_bind_dns_port(bitcoin_t) +#corenet_udp_sendrecv_dns_port(bitcoin_t) + +dev_read_sysfs(bitcoin_t) +dev_read_urand(bitcoin_t) + +domain_use_interactive_fds(bitcoin_t) + +files_read_etc_runtime_files(bitcoin_t) +files_read_usr_files(bitcoin_t) + +#fs_getattr_xattr_fs(bitcoin_t) +#fs_associate(bitcoin_var_lib_t) + +auth_use_nsswitch(bitcoin_t) + +miscfiles_read_localization(bitcoin
[gentoo-commits] proj/hardened-refpolicy:bitcoin commit in: policy/modules/contrib/
commit: 43299f0d2a7a0ac2adc1b91ea2939bca948863b2 Author: Sven Vermeulen siphos be> AuthorDate: Tue Nov 11 14:23:16 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Tue Nov 11 16:01:32 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=43299f0d Bitcoin policy --- policy/modules/contrib/bitcoin.fc | 16 +++ policy/modules/contrib/bitcoin.if | 48 + policy/modules/contrib/bitcoin.te | 87 +++ 3 files changed, 151 insertions(+) diff --git a/policy/modules/contrib/bitcoin.fc b/policy/modules/contrib/bitcoin.fc new file mode 100644 index 000..d2198e4 --- /dev/null +++ b/policy/modules/contrib/bitcoin.fc @@ -0,0 +1,16 @@ +# +# /etc +# +/etc/bitcoin(/.*)? gen_context(system_u:object_r:bitcoin_etc_t,s0) +/etc/rc\.d/init\.d/bitcoind-- gen_context(system_u:object_r:bitcoin_initrc_exec_t,s0) + +# +# /usr +# +/usr/bin/bitcoind -- gen_context(system_u:object_r:bitcoin_exec_t,s0) + +# +# /var +# +/var/lib/bitcoin(/.*)? gen_context(system_u:object_r:bitcoin_var_lib_t,s0) + diff --git a/policy/modules/contrib/bitcoin.if b/policy/modules/contrib/bitcoin.if new file mode 100644 index 000..922bc7c --- /dev/null +++ b/policy/modules/contrib/bitcoin.if 
@@ -0,0 +1,48 @@ +## Bitcoin software-based online payment system + +# +## +## Administer a bitcoin environment +## +## +## +## Domain allowed access +## +## +## +## +## Role allowed access +## +## +# +interface(`bitcoin_admin',` + gen_require(` + type bitcoin_t; + type bitcoin_etc_t, bitcoin_tmp_t, bitcoin_log_t; + type bitcoin_var_lib_t, bitcoin_var_run_t; + type bitcoin_initrc_exec_t; + ') + + allow $1 bitcoin_t:process { ptrace signal_perms }; + ps_process_pattern($1, bitcoin_t) + + init_labeled_script_domtrans($1, bitcoin_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 bitcoin_initrc_exec_t system_r; + allow $2 system_r; + + files_list_tmp($1) + admin_pattern($1, bitcoin_tmp_t) + + logging_list_logs($1) + admin_pattern($1, bitcoin_log_t) + + files_list_etc($1) + admin_pattern($1, bitcoin_etc_t) + + files_list_var_lib($1) + admin_pattern($1, bitcoin_var_lib_t) + + files_list_pids($1) + admin_pattern($1, bitcoin_var_run_t) +') diff --git a/policy/modules/contrib/bitcoin.te b/policy/modules/contrib/bitcoin.te new file mode 100644 index 000..4c13fea --- /dev/null +++ b/policy/modules/contrib/bitcoin.te 
@@ -0,0 +1,87 @@ +policy_module(bitcoin, 0.1) + +# +# +# Declarations +# + +## +## +## Determine whether the bitcoin daemon can bind +## to all unreserved ports or not. +## +## +gen_tunable(bitcoin_bind_all_unreserved_ports, false) + +type bitcoin_t; +type bitcoin_exec_t; +init_daemon_domain(bitcoin_t, bitcoin_exec_t) + +type bitcoin_initrc_exec_t; +init_script_file(bitcoin_initrc_exec_t) + +type bitcoin_etc_t; + +type bitcoin_log_t; +logging_log_file(bitcoin_log_t) + +type bitcoin_var_lib_t; +files_type(bitcoin_var_lib_t) +init_script_readable_type(bitcoin_var_lib_t) + +type bitcoin_var_run_t; +files_pid_file(bitcoin_var_run_t) + +type bitcoin_tmp_t; +files_tmp_file(bitcoin_tmp_t) + +# +# +# Local policy +# + +allow bitcoin_t self:netlink_route_socket { write getattr read bind create nlmsg_read }; +allow bitcoin_t self:tcp_socket create_stream_socket_perms; + +read_files_pattern(bitcoin_t, bitcoin_etc_t, bitcoin_etc_t) + +allow bitcoin_t bitcoin_tmp_t:file { create_file_perms write_file_perms }; +files_tmp_filetrans(bitcoin_t, bitcoin_tmp_t, file) + +allow bitcoin_t bitcoin_var_lib_t:lnk_file read_lnk_file_perms; +manage_files_pattern(bitcoin_t, bitcoin_var_lib_t, bitcoin_var_lib_t) + +kernel_read_vm_sysctls(bitcoin_t) + +corenet_all_recvfrom_netlabel(bitcoin_t) +corenet_all_recvfrom_unlabeled(bitcoin_t) + +corenet_sendrecv_bitcoin_server_packets(bitcoin_t) +# TODO why bind and connect simultaneously? 
If needed, perhaps also bitcoin_client_packets +corenet_tcp_bind_bitcoin_port(bitcoin_t) +#corenet_tcp_connect_bitcoin_port(bitcoin_t) +corenet_tcp_sendrecv_bitcoin_port(bitcoin_t) +corenet_tcp_sendrecv_generic_if(bitcoin_t) +corenet_tcp_sendrecv_generic_node(bitcoin_t) +#corenet_sendrecv_dns_server_packets(bitcoin_t) +#corenet_udp_bind_dns_port(bitcoin_t) +#corenet_udp_sendrecv_dns_port(bitcoin_t) + +dev_read_sysfs(bitcoin_t) +dev_read_urand(bitcoin_t) + +domain_use_interactive_fds(bitcoin_t) + +files_read_etc_runtime_files(bitcoin_t) +files_read_usr_files(bitcoin_t) + +#fs_getattr_xattr_fs(bitcoin_t) +#fs_associate(bitcoin_var_lib_t) + +auth_use_nsswitch(bitcoin_t) + +miscfiles_read_localization(bitcoin
[gentoo-commits] proj/hardened-refpolicy:bitcoin commit in: policy/modules/contrib/
commit: a89a0cb5ca7a1b82bb9741c56cef24acfc8a986a Author: Sven Vermeulen siphos be> AuthorDate: Tue Nov 11 14:23:16 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Tue Nov 11 16:09:12 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=a89a0cb5 Bitcoin policy --- policy/modules/contrib/bitcoin.fc | 16 +++ policy/modules/contrib/bitcoin.if | 48 + policy/modules/contrib/bitcoin.te | 87 +++ 3 files changed, 151 insertions(+) diff --git a/policy/modules/contrib/bitcoin.fc b/policy/modules/contrib/bitcoin.fc new file mode 100644 index 000..d2198e4 --- /dev/null +++ b/policy/modules/contrib/bitcoin.fc @@ -0,0 +1,16 @@ +# +# /etc +# +/etc/bitcoin(/.*)? gen_context(system_u:object_r:bitcoin_etc_t,s0) +/etc/rc\.d/init\.d/bitcoind-- gen_context(system_u:object_r:bitcoin_initrc_exec_t,s0) + +# +# /usr +# +/usr/bin/bitcoind -- gen_context(system_u:object_r:bitcoin_exec_t,s0) + +# +# /var +# +/var/lib/bitcoin(/.*)? gen_context(system_u:object_r:bitcoin_var_lib_t,s0) + diff --git a/policy/modules/contrib/bitcoin.if b/policy/modules/contrib/bitcoin.if new file mode 100644 index 000..922bc7c --- /dev/null +++ b/policy/modules/contrib/bitcoin.if 
@@ -0,0 +1,48 @@ +## Bitcoin software-based online payment system + +# +## +## Administer a bitcoin environment +## +## +## +## Domain allowed access +## +## +## +## +## Role allowed access +## +## +# +interface(`bitcoin_admin',` + gen_require(` + type bitcoin_t; + type bitcoin_etc_t, bitcoin_tmp_t, bitcoin_log_t; + type bitcoin_var_lib_t, bitcoin_var_run_t; + type bitcoin_initrc_exec_t; + ') + + allow $1 bitcoin_t:process { ptrace signal_perms }; + ps_process_pattern($1, bitcoin_t) + + init_labeled_script_domtrans($1, bitcoin_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 bitcoin_initrc_exec_t system_r; + allow $2 system_r; + + files_list_tmp($1) + admin_pattern($1, bitcoin_tmp_t) + + logging_list_logs($1) + admin_pattern($1, bitcoin_log_t) + + files_list_etc($1) + admin_pattern($1, bitcoin_etc_t) + + files_list_var_lib($1) + admin_pattern($1, bitcoin_var_lib_t) + + files_list_pids($1) + admin_pattern($1, bitcoin_var_run_t) +') diff --git a/policy/modules/contrib/bitcoin.te b/policy/modules/contrib/bitcoin.te new file mode 100644 index 000..4c13fea --- /dev/null +++ b/policy/modules/contrib/bitcoin.te 
@@ -0,0 +1,87 @@ +policy_module(bitcoin, 0.1) + +# +# +# Declarations +# + +## +## +## Determine whether the bitcoin daemon can bind +## to all unreserved ports or not. +## +## +gen_tunable(bitcoin_bind_all_unreserved_ports, false) + +type bitcoin_t; +type bitcoin_exec_t; +init_daemon_domain(bitcoin_t, bitcoin_exec_t) + +type bitcoin_initrc_exec_t; +init_script_file(bitcoin_initrc_exec_t) + +type bitcoin_etc_t; + +type bitcoin_log_t; +logging_log_file(bitcoin_log_t) + +type bitcoin_var_lib_t; +files_type(bitcoin_var_lib_t) +init_script_readable_type(bitcoin_var_lib_t) + +type bitcoin_var_run_t; +files_pid_file(bitcoin_var_run_t) + +type bitcoin_tmp_t; +files_tmp_file(bitcoin_tmp_t) + +# +# +# Local policy +# + +allow bitcoin_t self:netlink_route_socket { write getattr read bind create nlmsg_read }; +allow bitcoin_t self:tcp_socket create_stream_socket_perms; + +read_files_pattern(bitcoin_t, bitcoin_etc_t, bitcoin_etc_t) + +allow bitcoin_t bitcoin_tmp_t:file { create_file_perms write_file_perms }; +files_tmp_filetrans(bitcoin_t, bitcoin_tmp_t, file) + +allow bitcoin_t bitcoin_var_lib_t:lnk_file read_lnk_file_perms; +manage_files_pattern(bitcoin_t, bitcoin_var_lib_t, bitcoin_var_lib_t) + +kernel_read_vm_sysctls(bitcoin_t) + +corenet_all_recvfrom_netlabel(bitcoin_t) +corenet_all_recvfrom_unlabeled(bitcoin_t) + +corenet_sendrecv_bitcoin_server_packets(bitcoin_t) +# TODO why bind and connect simultaneously? 
If needed, perhaps also bitcoin_client_packets +corenet_tcp_bind_bitcoin_port(bitcoin_t) +#corenet_tcp_connect_bitcoin_port(bitcoin_t) +corenet_tcp_sendrecv_bitcoin_port(bitcoin_t) +corenet_tcp_sendrecv_generic_if(bitcoin_t) +corenet_tcp_sendrecv_generic_node(bitcoin_t) +#corenet_sendrecv_dns_server_packets(bitcoin_t) +#corenet_udp_bind_dns_port(bitcoin_t) +#corenet_udp_sendrecv_dns_port(bitcoin_t) + +dev_read_sysfs(bitcoin_t) +dev_read_urand(bitcoin_t) + +domain_use_interactive_fds(bitcoin_t) + +files_read_etc_runtime_files(bitcoin_t) +files_read_usr_files(bitcoin_t) + +#fs_getattr_xattr_fs(bitcoin_t) +#fs_associate(bitcoin_var_lib_t) + +auth_use_nsswitch(bitcoin_t) + +miscfiles_read_localization(bitcoin
[gentoo-commits] proj/hardened-refpolicy:bitcoin commit in: policy/modules/system/
commit: c4daf11c488d7feb4f15277f0583ea59be816164 Author: Sven Vermeulen siphos be> AuthorDate: Tue Nov 11 15:58:55 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Tue Nov 11 16:09:08 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=c4daf11c Add support for init_script_readable --- policy/modules/system/init.if | 18 ++ policy/modules/system/init.te | 6 ++ 2 files changed, 24 insertions(+) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if index 2b7793a..7cdf3a8 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -1906,3 +1906,21 @@ interface(`init_relabelto_script_state',` relabelto_files_pattern($1, initrc_state_t, initrc_state_t) relabelto_dirs_pattern($1, initrc_state_t, initrc_state_t) ') + +# +## +## Mark as a readable type for the initrc_t domain +## +## +## +## Type that initrc_t needs read access to +## +## +# +interface(`init_script_readable_type',` + gen_require(` + attribute init_script_readable; + ') + + typeattribute $1 init_script_readable; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index cd2b0e4..6fd1d7f 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -935,12 +935,18 @@ optional_policy(` ') ifdef(`distro_gentoo',` + # Attribute to assign to types that the initrc_t domain needs read access to + attribute init_script_readable; + # # # Local initrc_t policy # allow initrc_t self:capability sys_admin; + read_files_pattern(initrc_t, init_script_readable, init_script_readable) + read_lnk_files_pattern(initrc_t, init_script_readable, init_script_readable) + manage_dirs_pattern(initrc_t, initrc_var_run_t, initrc_var_run_t) files_pid_filetrans(initrc_t, initrc_var_run_t, dir)
[gentoo-commits] proj/hardened-refpolicy:bitcoin commit in: policy/modules/contrib/
commit: 47ced09d9eaad4632c5667b3185d81b5491bfc45 Author: Sven Vermeulen siphos be> AuthorDate: Tue Nov 11 14:23:16 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Tue Nov 11 16:14:41 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=47ced09d Bitcoin policy --- policy/modules/contrib/bitcoin.fc | 16 +++ policy/modules/contrib/bitcoin.if | 48 + policy/modules/contrib/bitcoin.te | 88 +++ 3 files changed, 152 insertions(+) diff --git a/policy/modules/contrib/bitcoin.fc b/policy/modules/contrib/bitcoin.fc new file mode 100644 index 000..d2198e4 --- /dev/null +++ b/policy/modules/contrib/bitcoin.fc @@ -0,0 +1,16 @@ +# +# /etc +# +/etc/bitcoin(/.*)? gen_context(system_u:object_r:bitcoin_etc_t,s0) +/etc/rc\.d/init\.d/bitcoind-- gen_context(system_u:object_r:bitcoin_initrc_exec_t,s0) + +# +# /usr +# +/usr/bin/bitcoind -- gen_context(system_u:object_r:bitcoin_exec_t,s0) + +# +# /var +# +/var/lib/bitcoin(/.*)? gen_context(system_u:object_r:bitcoin_var_lib_t,s0) + diff --git a/policy/modules/contrib/bitcoin.if b/policy/modules/contrib/bitcoin.if new file mode 100644 index 000..922bc7c --- /dev/null +++ b/policy/modules/contrib/bitcoin.if 
@@ -0,0 +1,48 @@ +## Bitcoin software-based online payment system + +# +## +## Administer a bitcoin environment +## +## +## +## Domain allowed access +## +## +## +## +## Role allowed access +## +## +# +interface(`bitcoin_admin',` + gen_require(` + type bitcoin_t; + type bitcoin_etc_t, bitcoin_tmp_t, bitcoin_log_t; + type bitcoin_var_lib_t, bitcoin_var_run_t; + type bitcoin_initrc_exec_t; + ') + + allow $1 bitcoin_t:process { ptrace signal_perms }; + ps_process_pattern($1, bitcoin_t) + + init_labeled_script_domtrans($1, bitcoin_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 bitcoin_initrc_exec_t system_r; + allow $2 system_r; + + files_list_tmp($1) + admin_pattern($1, bitcoin_tmp_t) + + logging_list_logs($1) + admin_pattern($1, bitcoin_log_t) + + files_list_etc($1) + admin_pattern($1, bitcoin_etc_t) + + files_list_var_lib($1) + admin_pattern($1, bitcoin_var_lib_t) + + files_list_pids($1) + admin_pattern($1, bitcoin_var_run_t) +') diff --git a/policy/modules/contrib/bitcoin.te b/policy/modules/contrib/bitcoin.te new file mode 100644 index 000..f069c55 --- /dev/null +++ b/policy/modules/contrib/bitcoin.te 
@@ -0,0 +1,88 @@ +policy_module(bitcoin, 0.1) + +# +# +# Declarations +# + +## +## +## Determine whether the bitcoin daemon can bind +## to all unreserved ports or not. +## +## +gen_tunable(bitcoin_bind_all_unreserved_ports, false) + +type bitcoin_t; +type bitcoin_exec_t; +init_daemon_domain(bitcoin_t, bitcoin_exec_t) + +type bitcoin_initrc_exec_t; +init_script_file(bitcoin_initrc_exec_t) + +type bitcoin_etc_t; +files_config_file(bitcoin_etc_t) + +type bitcoin_log_t; +logging_log_file(bitcoin_log_t) + +type bitcoin_var_lib_t; +files_type(bitcoin_var_lib_t) +init_script_readable_type(bitcoin_var_lib_t) + +type bitcoin_var_run_t; +files_pid_file(bitcoin_var_run_t) + +type bitcoin_tmp_t; +files_tmp_file(bitcoin_tmp_t) + +# +# +# Local policy +# + +allow bitcoin_t self:netlink_route_socket { write getattr read bind create nlmsg_read }; +allow bitcoin_t self:tcp_socket create_stream_socket_perms; + +read_files_pattern(bitcoin_t, bitcoin_etc_t, bitcoin_etc_t) + +allow bitcoin_t bitcoin_tmp_t:file { create_file_perms write_file_perms }; +files_tmp_filetrans(bitcoin_t, bitcoin_tmp_t, file) + +allow bitcoin_t bitcoin_var_lib_t:lnk_file read_lnk_file_perms; +manage_files_pattern(bitcoin_t, bitcoin_var_lib_t, bitcoin_var_lib_t) + +kernel_read_vm_sysctls(bitcoin_t) + +corenet_all_recvfrom_netlabel(bitcoin_t) +corenet_all_recvfrom_unlabeled(bitcoin_t) + +corenet_sendrecv_bitcoin_server_packets(bitcoin_t) +# TODO why bind and connect simultaneously? 
If needed, perhaps also bitcoin_client_packets +corenet_tcp_bind_bitcoin_port(bitcoin_t) +#corenet_tcp_connect_bitcoin_port(bitcoin_t) +corenet_tcp_sendrecv_bitcoin_port(bitcoin_t) +corenet_tcp_sendrecv_generic_if(bitcoin_t) +corenet_tcp_sendrecv_generic_node(bitcoin_t) +#corenet_sendrecv_dns_server_packets(bitcoin_t) +#corenet_udp_bind_dns_port(bitcoin_t) +#corenet_udp_sendrecv_dns_port(bitcoin_t) + +dev_read_sysfs(bitcoin_t) +dev_read_urand(bitcoin_t) + +domain_use_interactive_fds(bitcoin_t) + +files_read_etc_runtime_files(bitcoin_t) +files_read_usr_files(bitcoin_t) + +#fs_getattr_xattr_fs(bitcoin_t) +#fs_associate(bitcoin_var_lib_t) + +auth_use_nsswitch(bitcoin_t) + +miscfiles_read_l
[gentoo-commits] proj/hardened-refpolicy:bitcoin commit in: policy/modules/contrib/
commit: e872d6690226ab048f76dd7bf849546a0273856b Author: Sven Vermeulen siphos be> AuthorDate: Tue Nov 11 14:23:16 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Tue Nov 11 16:19:27 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e872d669 Bitcoin policy --- policy/modules/contrib/bitcoin.fc | 16 +++ policy/modules/contrib/bitcoin.if | 48 + policy/modules/contrib/bitcoin.te | 89 +++ 3 files changed, 153 insertions(+) diff --git a/policy/modules/contrib/bitcoin.fc b/policy/modules/contrib/bitcoin.fc new file mode 100644 index 000..d2198e4 --- /dev/null +++ b/policy/modules/contrib/bitcoin.fc @@ -0,0 +1,16 @@ +# +# /etc +# +/etc/bitcoin(/.*)? gen_context(system_u:object_r:bitcoin_etc_t,s0) +/etc/rc\.d/init\.d/bitcoind-- gen_context(system_u:object_r:bitcoin_initrc_exec_t,s0) + +# +# /usr +# +/usr/bin/bitcoind -- gen_context(system_u:object_r:bitcoin_exec_t,s0) + +# +# /var +# +/var/lib/bitcoin(/.*)? gen_context(system_u:object_r:bitcoin_var_lib_t,s0) + diff --git a/policy/modules/contrib/bitcoin.if b/policy/modules/contrib/bitcoin.if new file mode 100644 index 000..922bc7c --- /dev/null +++ b/policy/modules/contrib/bitcoin.if 
@@ -0,0 +1,48 @@ +## Bitcoin software-based online payment system + +# +## +## Administer a bitcoin environment +## +## +## +## Domain allowed access +## +## +## +## +## Role allowed access +## +## +# +interface(`bitcoin_admin',` + gen_require(` + type bitcoin_t; + type bitcoin_etc_t, bitcoin_tmp_t, bitcoin_log_t; + type bitcoin_var_lib_t, bitcoin_var_run_t; + type bitcoin_initrc_exec_t; + ') + + allow $1 bitcoin_t:process { ptrace signal_perms }; + ps_process_pattern($1, bitcoin_t) + + init_labeled_script_domtrans($1, bitcoin_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 bitcoin_initrc_exec_t system_r; + allow $2 system_r; + + files_list_tmp($1) + admin_pattern($1, bitcoin_tmp_t) + + logging_list_logs($1) + admin_pattern($1, bitcoin_log_t) + + files_list_etc($1) + admin_pattern($1, bitcoin_etc_t) + + files_list_var_lib($1) + admin_pattern($1, bitcoin_var_lib_t) + + files_list_pids($1) + admin_pattern($1, bitcoin_var_run_t) +') diff --git a/policy/modules/contrib/bitcoin.te b/policy/modules/contrib/bitcoin.te new file mode 100644 index 000..66a1c1d --- /dev/null +++ b/policy/modules/contrib/bitcoin.te 
@@ -0,0 +1,89 @@ +policy_module(bitcoin, 0.1) + +# +# +# Declarations +# + +## +## +## Determine whether the bitcoin daemon can bind +## to all unreserved ports or not. +## +## +gen_tunable(bitcoin_bind_all_unreserved_ports, false) + +type bitcoin_t; +type bitcoin_exec_t; +init_daemon_domain(bitcoin_t, bitcoin_exec_t) + +type bitcoin_initrc_exec_t; +init_script_file(bitcoin_initrc_exec_t) + +type bitcoin_etc_t; +files_config_file(bitcoin_etc_t) +init_script_readable_type(bitcoin_etc_t) + +type bitcoin_log_t; +logging_log_file(bitcoin_log_t) + +type bitcoin_var_lib_t; +files_type(bitcoin_var_lib_t) +init_script_readable_type(bitcoin_var_lib_t) + +type bitcoin_var_run_t; +files_pid_file(bitcoin_var_run_t) + +type bitcoin_tmp_t; +files_tmp_file(bitcoin_tmp_t) + +# +# +# Local policy +# + +allow bitcoin_t self:netlink_route_socket { write getattr read bind create nlmsg_read }; +allow bitcoin_t self:tcp_socket create_stream_socket_perms; + +read_files_pattern(bitcoin_t, bitcoin_etc_t, bitcoin_etc_t) + +allow bitcoin_t bitcoin_tmp_t:file { create_file_perms write_file_perms }; +files_tmp_filetrans(bitcoin_t, bitcoin_tmp_t, file) + +allow bitcoin_t bitcoin_var_lib_t:lnk_file read_lnk_file_perms; +manage_files_pattern(bitcoin_t, bitcoin_var_lib_t, bitcoin_var_lib_t) + +kernel_read_vm_sysctls(bitcoin_t) + +corenet_all_recvfrom_netlabel(bitcoin_t) +corenet_all_recvfrom_unlabeled(bitcoin_t) + +corenet_sendrecv_bitcoin_server_packets(bitcoin_t) +# TODO why bind and connect simultaneously? 
If needed, perhaps also bitcoin_client_packets +corenet_tcp_bind_bitcoin_port(bitcoin_t) +#corenet_tcp_connect_bitcoin_port(bitcoin_t) +corenet_tcp_sendrecv_bitcoin_port(bitcoin_t) +corenet_tcp_sendrecv_generic_if(bitcoin_t) +corenet_tcp_sendrecv_generic_node(bitcoin_t) +#corenet_sendrecv_dns_server_packets(bitcoin_t) +#corenet_udp_bind_dns_port(bitcoin_t) +#corenet_udp_sendrecv_dns_port(bitcoin_t) + +dev_read_sysfs(bitcoin_t) +dev_read_urand(bitcoin_t) + +domain_use_interactive_fds(bitcoin_t) + +files_read_etc_runtime_files(bitcoin_t) +files_read_usr_files(bitcoin_t) + +#fs_getattr_xattr_fs(bitcoin_t) +#fs_associate(bitcoin_var_lib_t) + +auth_u
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
commit: 63c4bbae315e8277a8323e88606853ad24feaa7f Author: Dominick Grift gmail com> AuthorDate: Wed Oct 1 10:35:50 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Sun Oct 12 08:23:16 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=63c4bbae Module version bump for changes to the networkmanager modules by Lubomir Rintel --- policy/modules/contrib/networkmanager.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te index b3deb5b..07701fd 100644 --- a/policy/modules/contrib/networkmanager.te +++ b/policy/modules/contrib/networkmanager.te @@ -1,4 +1,4 @@ -policy_module(networkmanager, 1.16.1) +policy_module(networkmanager, 1.16.2) #
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
commit: 282116096675c76b306401b6dd93ee63e22e5931 Author: Laurent Bigonville bigon be> AuthorDate: Fri Oct 3 12:29:05 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Sun Oct 12 08:24:31 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=28211609 On Debian iputils-arping is installed in /usr/bin/arping --- policy/modules/admin/netutils.fc | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/admin/netutils.fc b/policy/modules/admin/netutils.fc index 407078f..355714d 100644 --- a/policy/modules/admin/netutils.fc +++ b/policy/modules/admin/netutils.fc @@ -4,6 +4,7 @@ /sbin/arping -- gen_context(system_u:object_r:netutils_exec_t,s0) +/usr/bin/arping-- gen_context(system_u:object_r:netutils_exec_t,s0) /usr/bin/lft -- gen_context(system_u:object_r:traceroute_exec_t,s0) /usr/bin/nmap -- gen_context(system_u:object_r:traceroute_exec_t,s0) /usr/bin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0)
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
commit: d211e0e619833fd7743396651109e91eb09d620d Author: Laurent Bigonville bigon be> AuthorDate: Fri Oct 3 12:35:58 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Sun Oct 12 08:24:33 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=d211e0e6 Debian also ship a different arping implementation In addition to the iputils arping implementation, Debian also ships an other implementation which is installed under /usr/sbin/arping --- policy/modules/admin/netutils.fc | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/admin/netutils.fc b/policy/modules/admin/netutils.fc index 355714d..a4672ca 100644 --- a/policy/modules/admin/netutils.fc +++ b/policy/modules/admin/netutils.fc @@ -9,6 +9,7 @@ /usr/bin/nmap -- gen_context(system_u:object_r:traceroute_exec_t,s0) /usr/bin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0) +/usr/sbin/arping -- gen_context(system_u:object_r:netutils_exec_t,s0) /usr/sbin/fping-- gen_context(system_u:object_r:ping_exec_t,s0) /usr/sbin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0) /usr/sbin/hping2 -- gen_context(system_u:object_r:ping_exec_t,s0)
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
commit: f591616e559675fd9ebec18575267d125d4eb135 Author: Chris PeBenito tresys com> AuthorDate: Mon Oct 6 13:50:58 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Sun Oct 12 08:24:40 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f591616e Module version bump for Debian arping fc entries from Laurent Bigonville. --- policy/modules/admin/netutils.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te index cfd9700..5f4c84e 100644 --- a/policy/modules/admin/netutils.te +++ b/policy/modules/admin/netutils.te @@ -1,4 +1,4 @@ -policy_module(netutils, 1.13.1) +policy_module(netutils, 1.13.2) #