Gentoo Archives: gentoo-commits

From: Sven Vermeulen <sven.vermeulen@××××××.be>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Wed, 21 Nov 2012 21:10:11
Message-Id: 1353532178.e2ae0ff011ca8e38472e44f381b4f0d0bc1d706e.SwifT@gentoo
1 commit: e2ae0ff011ca8e38472e44f381b4f0d0bc1d706e
2 Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
3 AuthorDate: Wed Nov 21 21:09:38 2012 +0000
4 Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
5 CommitDate: Wed Nov 21 21:09:38 2012 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e2ae0ff0
7
8 Remove calls that are now handled in the upstream code (was in distro_gentoo earlier)
9
10 ---
11 policy/modules/contrib/cron.fc | 1 -
12 policy/modules/contrib/cron.if | 8 --------
13 policy/modules/contrib/cron.te | 24 +++++-------------------
14 policy/modules/contrib/postfix.fc | 4 ----
15 policy/modules/contrib/postfix.te | 6 ------
16 policy/modules/contrib/qemu.te | 5 -----
17 6 files changed, 5 insertions(+), 43 deletions(-)
18
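diff --git a/policy/modules/contrib/cron.fc b/policy/modules/contrib/cron.fc
index b2d6309..a7bfe6d 100644
--- a/policy/modules/contrib/cron.fc
+++ b/policy/modules/contrib/cron.fc
@@ -50,7 +50,6 @@ ifdef(`distro_debian',`
 ')
 
 ifdef(`distro_gentoo',`
-/var/spool/at/atspool(/.*)? gen_context(system_u:object_r:user_cron_spool_log_t,s0)
 /var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
 /var/spool/cron/lastrun/[^/]* -- <<none>>
 ')
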
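diff --git a/policy/modules/contrib/cron.if b/policy/modules/contrib/cron.if
index 2b859e5..01ba3ce 100644
--- a/policy/modules/contrib/cron.if
+++ b/policy/modules/contrib/cron.if
@@ -316,14 +316,6 @@ interface(`cron_system_entry',`
 domtrans_pattern(crond_t, $2, $1)
 
 role system_r types $1;
-
- ifdef(`distro_gentoo',`
- gen_require(`
- type user_cron_spool_log_t;
- ')
-
- rw_files_pattern($1, user_cron_spool_log_t, user_cron_spool_log_t)
- ')
 ')
 
 ########################################
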
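diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te
index 039526d..f383f5f 100644
--- a/policy/modules/contrib/cron.te
+++ b/policy/modules/contrib/cron.te
@@ -121,24 +121,19 @@ files_type(user_cron_spool_t)
 ubac_constrained(user_cron_spool_t)
 mta_system_content(user_cron_spool_t)
 
+type user_cron_spool_log_t;
+logging_log_file(user_cron_spool_log_t)
+ubac_constrained(user_cron_spool_log_t)
+mta_system_content(user_cron_spool_log_t)
+
 ifdef(`distro_gentoo',`
 # Logging for atd jobs
- type user_cron_spool_log_t;
- logging_log_file(user_cron_spool_log_t)
- ubac_constrained(user_cron_spool_log_t)
- mta_system_content(user_cron_spool_log_t)
-
 domain_interactive_fd(cronjob_t)
 domain_interactive_fd(system_cronjob_t)
 
 logging_syslog_managed_log_file(cron_log_t, "cron.log")
 ')
 
-type user_cron_spool_log_t;
-logging_log_file(user_cron_spool_log_t)
-ubac_constrained(user_cron_spool_log_t)
-mta_system_content(user_cron_spool_log_t)
-
 ifdef(`enable_mcs',`
 init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh)
 ')
@@ -216,10 +211,6 @@ selinux_compute_create_context(admin_crontab_t)
 selinux_compute_relabel_context(admin_crontab_t)
 selinux_compute_user_contexts(admin_crontab_t)
 
-ifdef(`distro_gentoo',`
- allow admin_crontab_t self:capability fsetid;
-')
-
 tunable_policy(`fcron_crond',`
 allow admin_crontab_t self:process setfscreate;
 ')
@@ -351,11 +342,6 @@ ifdef(`distro_debian',`
 ')
 ')
 
-ifdef(`distro_gentoo',`
- manage_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
- manage_files_pattern(crond_t, user_cron_spool_log_t, user_cron_spool_log_t)
-')
-
 ifdef(`distro_redhat',`
 optional_policy(`
 rpm_manage_log(crond_t)
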
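Review bot: The `# Logging for atd jobs` comment in the first hunk is left inside the distro_gentoo block, but the `user_cron_spool_log_t` declaration it used to introduce now sits above that block, so the comment ends up heading the two `domain_interactive_fd` calls instead. I would move it up, directly above `type user_cron_spool_log_t;`, and give the Gentoo block its own line, for example `# Gentoo: interactive fds for cron job domains and syslog-managed cron.log`, assuming that is what those calls are for. Type declarations are what a reviewer audits access rules against, so a comment attached to the wrong statements makes the policy harder to check.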
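diff --git a/policy/modules/contrib/postfix.fc b/policy/modules/contrib/postfix.fc
index 76e1469..c0e8785 100644
--- a/policy/modules/contrib/postfix.fc
+++ b/policy/modules/contrib/postfix.fc
@@ -55,7 +55,3 @@
 /var/spool/postfix/public(/.*)? gen_context(system_u:object_r:postfix_public_t,s0)
 /var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0)
 /var/spool/postfix/flush(/.*)? gen_context(system_u:object_r:postfix_spool_flush_t,s0)
-
-ifdef(`distro_gentoo',`
-/var/spool/postfix/pid(/.*)? gen_context(system_u:object_r:postfix_var_run_t,s0)
-')
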
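diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te
index 913530e..12db12d 100644
--- a/policy/modules/contrib/postfix.te
+++ b/policy/modules/contrib/postfix.te
@@ -158,10 +158,6 @@ miscfiles_read_generic_certs(postfix_domain)
 
 userdom_dontaudit_use_unpriv_user_fds(postfix_domain)
 
-ifdef(`distro_gentoo',`
-manage_files_pattern(postfix_domain, postfix_var_run_t, postfix_var_run_t)
-')
-
 optional_policy(`
 udev_read_db(postfix_domain)
 ')
@@ -312,8 +308,6 @@ mta_read_sendmail_bin(postfix_master_t)
 mta_getattr_spool(postfix_master_t)
 
 ifdef(`distro_gentoo',`
- allow postfix_master_t self:capability fowner;
-
 filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "defer")
 filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "deferred")
 ')
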
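diff --git a/policy/modules/contrib/qemu.te b/policy/modules/contrib/qemu.te
index ee05637..e21eee6 100644
--- a/policy/modules/contrib/qemu.te
+++ b/policy/modules/contrib/qemu.te
@@ -31,11 +31,6 @@ ifdef(`distro_gentoo',`
 optional_policy(`
 vde_connect(qemu_t)
 ')
-
- optional_policy(`
- # When qemu is built with SDL support
- xserver_user_x_domain_template(qemu, qemu_t, qemu_tmpfs_t)
- ')
 ')
 
 tunable_policy(`qemu_full_network',`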