
From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Thu, 30 Mar 2017 17:06:59
Message-Id: 1490882319.4ab83a2a3657e6838b704166dea7b318b8046ce8.perfinion@gentoo
1 commit: 4ab83a2a3657e6838b704166dea7b318b8046ce8
2 Author: cgzones <cgzones <AT> googlemail <DOT> com>
3 AuthorDate: Wed Mar 8 20:35:28 2017 +0000
4 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5 CommitDate: Thu Mar 30 13:58:39 2017 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4ab83a2a
7
8 mandb: update
9
10 fix mandb when running as root
11 move the mandb_exec_t file label from the cron job script to the mandb binary
12
13 policy/modules/contrib/mandb.fc | 3 +--
14 policy/modules/contrib/mandb.if | 10 +++-------
15 policy/modules/contrib/mandb.te | 26 +++++++++++---------------
16 3 files changed, 15 insertions(+), 24 deletions(-)
17
18 diff --git a/policy/modules/contrib/mandb.fc b/policy/modules/contrib/mandb.fc
19 index 9f2825e9..d92a58fd 100644
20 --- a/policy/modules/contrib/mandb.fc
21 +++ b/policy/modules/contrib/mandb.fc
22 @@ -1,4 +1,3 @@
23 -/etc/cron\.(daily|weekly)/man-db.* -- gen_context(system_u:object_r:mandb_exec_t,s0)
24 +/usr/bin/mandb -- gen_context(system_u:object_r:mandb_exec_t,s0)
25
26 -# Systemd unit file
27 /usr/lib/systemd/system/[^/]*man-db.* -- gen_context(system_u:object_r:mandb_unit_t,s0)
28
29 diff --git a/policy/modules/contrib/mandb.if b/policy/modules/contrib/mandb.if
30 index 327f3f72..2b5d5385 100644
31 --- a/policy/modules/contrib/mandb.if
32 +++ b/policy/modules/contrib/mandb.if
33 @@ -42,7 +42,7 @@ interface(`mandb_run',`
34 attribute_role mandb_roles;
35 ')
36
37 - lightsquid_domtrans($1)
38 + mandb_domtrans($1)
39 roleattribute $2 mandb_roles;
40 ')
41
42 @@ -122,14 +122,10 @@ interface(`mandb_manage_cache_content',`
43 #
44 interface(`mandb_admin',`
45 gen_require(`
46 - type mandb_t, mandb_cache_t;
47 + type mandb_t;
48 ')
49
50 - allow $1 mandb_t:process { ptrace signal_perms };
51 - ps_process_pattern($1, mandb_t)
52 + admin_process_pattern($1, mandb_t)
53
54 mandb_run($1, $2)
55 -
56 - # pending
57 - # miscfiles_manage_man_cache_content(mandb_t)
58 ')
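Review bot: mandb_admin gives $1 no control over the man-db systemd unit even though this module declares mandb_unit_t (init_unit_file(mandb_unit_t) is visible in mandb.te), so an admin role can manage the process but cannot start or stop the service/timer; add `init_startstop_service($1, $2, mandb_t, mandb_unit_t)` after the admin_process_pattern line and list `type mandb_t, mandb_unit_t;` in the gen_require. Dropping the "pending" comment also leaves the admin with no access to the man cache at all; if mandb_cache_t, which the old require block named, is the module's cache type, a manage interface on it (or `miscfiles_manage_man_cache($1)` if it is an alias of man_cache_t) is likely wanted here. Both points are inferred from the old require list and the .te file rather than from this hunk alone.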
59
60 diff --git a/policy/modules/contrib/mandb.te b/policy/modules/contrib/mandb.te
61 index 142e7e07..0358aaff 100644
62 --- a/policy/modules/contrib/mandb.te
63 +++ b/policy/modules/contrib/mandb.te
64 @@ -21,7 +21,11 @@ init_unit_file(mandb_unit_t)
65 # Local policy
66 #
67
68 -allow mandb_t self:capability { setgid setuid };
69 +# dac_override : write /var/cache/man/*
70 +# fowner : chmod /var/cache/man/*
71 +# chown : lchown32 /var/cache/man/*
72 +# fsetid : chmod /var/cache/man/*
73 +allow mandb_t self:capability { chown dac_override fowner fsetid setgid setuid };
74 allow mandb_t self:process { setsched signal };
75 allow mandb_t self:fifo_file rw_fifo_file_perms;
76 allow mandb_t self:unix_stream_socket create_stream_socket_perms;
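Review bot: `dac_override` is the broadest of the four capabilities added on the allow line: it lets mandb_t bypass DAC mode bits on every object its type-enforcement rules already reach (the man cache, /etc, /proc, the binaries it executes), yet the comment justifies it only by writes to /var/cache/man/*. Because the rule retains setuid/setgid, it is worth confirming whether the denial is raised only in the root window before mandb drops privileges and, if the operation is retried or succeeds anyway after the drop, whether `dontaudit mandb_t self:capability dac_override;` would do instead of an allow. If it is genuinely required, the comment should record why, e.g. `# dac_override : root-invoked mandb writes the man-owned cache before switching uid` — the current comment block just restates the syscall per capability and does not let a later reviewer tell a real need from a benign audit message.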
77 @@ -32,28 +36,20 @@ kernel_read_system_state(mandb_t)
78 corecmd_exec_bin(mandb_t)
79 corecmd_exec_shell(mandb_t)
80
81 -dev_search_sysfs(mandb_t)
82 -
83 domain_use_interactive_fds(mandb_t)
84
85 +files_dontaudit_search_home(mandb_t)
86 files_read_etc_files(mandb_t)
87 +# search /var/run/nscd/socket
88 +files_search_pids(mandb_t)
89 +
90 +fs_getattr_xattr_fs(mandb_t)
91
92 miscfiles_manage_man_cache(mandb_t)
93 miscfiles_read_man_pages(mandb_t)
94 miscfiles_read_localization(mandb_t)
95
96 -ifdef(`distro_debian',`
97 - optional_policy(`
98 - apt_exec(mandb_t)
99 - apt_read_db(mandb_t)
100 - ')
101 -
102 - optional_policy(`
103 - dpkg_exec(mandb_t)
104 - dpkg_read_db(mandb_t)
105 - userdom_dontaudit_search_user_home_dirs(mandb_t)
106 - ')
107 -')
108 +userdom_use_inherited_user_terminals(mandb_t)
109
110 optional_policy(`
111 cron_system_entry(mandb_t, mandb_exec_t)
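Review bot: `files_search_pids(mandb_t)` with the comment "search /var/run/nscd/socket" only covers the directory lookup; actually talking to nscd needs the socket-connect permissions, which refpolicy provides via `auth_use_nsswitch(mandb_t)` (it wraps nscd_use in an optional_policy and also covers the passwd/group lookups a program that uses setuid/setgid performs). Unless auth_use_nsswitch is already called for mandb_t outside this hunk, replace the bare files_search_pids line with it; if it is, the new line is redundant and the comment is misleading. The optional_policy block opened on the last two lines closes outside the visible hunk.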