Gentoo Archives: gentoo-commits

From: Sven Vermeulen <sven.vermeulen@××××××.be>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-dev:master commit in: sec-policy/selinux-chromium/, sec-policy/selinux-nginx/files/, ...
Date: Sun, 25 Nov 2012 19:44:49
Message-Id: 1353872529.349f55ac0d848e65e0cd28a629a7da5b770ab18e.SwifT@gentoo
1 commit: 349f55ac0d848e65e0cd28a629a7da5b770ab18e
2 Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
3 AuthorDate: Sun Nov 25 19:42:09 2012 +0000
4 Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
5 CommitDate: Sun Nov 25 19:42:09 2012 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=349f55ac
7
8 Fix build failures on r8
9
10 Package-Manager: portage-2.1.11.31
11 Manifest-Sign-Key: 0xCDBA2FDB
12
13 ---
14 .../files/fix-make-gpg-optional-r8.patch | 52 ++++++++++++++++++++
15 .../selinux-apache-2.20120725-r8.ebuild | 2 +
16 .../selinux-chromium-2.20120725-r8.ebuild | 4 ++
17 .../selinux-mplayer-2.20120725-r8.ebuild | 4 ++
18 .../selinux-nginx/files/fix-tunable-names-r8.patch | 42 ++++++++++++++++
19 .../selinux-nginx-2.20120725-r8.ebuild | 2 +
20 .../files/fix-qemu-is-optional-r8.patch | 15 ++++++
21 .../selinux-virt/selinux-virt-2.20120725-r8.ebuild | 1 +
22 8 files changed, 122 insertions(+), 0 deletions(-)
23
24 diff --git a/sec-policy/selinux-apache/files/fix-make-gpg-optional-r8.patch b/sec-policy/selinux-apache/files/fix-make-gpg-optional-r8.patch
25 new file mode 100644
26 index 0000000..ce8aac3
27 --- /dev/null
28 +++ b/sec-policy/selinux-apache/files/fix-make-gpg-optional-r8.patch
29 @@ -0,0 +1,52 @@
30 +--- contrib/apache.te 2012-11-25 20:20:08.229745244 +0100
31 ++++ contrib/apache.te 2012-11-24 20:02:13.095338898 +0100
32 +@@ -357,7 +357,6 @@
33 +
34 + type httpd_gpg_t;
35 + domain_type(httpd_gpg_t)
36 +-gpg_entry_type(httpd_gpg_t)
37 + role system_r types httpd_gpg_t;
38 +
39 + ifdef(`distro_gentoo',`
40 +@@ -586,10 +585,6 @@
41 + allow httpd_t httpd_script_exec_type:dir list_dir_perms;
42 + ')
43 +
44 +-tunable_policy(`httpd_enable_cgi && httpd_use_gpg',`
45 +- gpg_spec_domtrans(httpd_t, httpd_gpg_t)
46 +-')
47 +-
48 + tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
49 + fs_nfs_domtrans(httpd_t, httpd_sys_script_t)
50 + ')
51 +@@ -677,6 +672,13 @@
52 + ')
53 +
54 + optional_policy(`
55 ++ tunable_policy(`httpd_enable_cgi && httpd_use_gpg',`
56 ++ gpg_spec_domtrans(httpd_t, httpd_gpg_t)
57 ++ ')
58 ++')
59 ++
60 ++
61 ++optional_policy(`
62 + tunable_policy(`httpd_mod_auth_ntlm_winbind',`
63 + samba_domtrans_winbind_helper(httpd_t)
64 + ')
65 +@@ -1398,7 +1400,6 @@
66 +
67 + miscfiles_read_localization(httpd_gpg_t)
68 +
69 +-gpg_exec(httpd_gpg_t)
70 +
71 + tunable_policy(`httpd_gpg_anon_write',`
72 + miscfiles_manage_public_files(httpd_gpg_t)
73 +@@ -1407,3 +1408,8 @@
74 + optional_policy(`
75 + apache_manage_sys_rw_content(httpd_gpg_t)
76 + ')
77 ++
78 ++optional_policy(`
79 ++ gpg_entry_type(httpd_gpg_t)
80 ++ gpg_exec(httpd_gpg_t)
81 ++')
82
83 diff --git a/sec-policy/selinux-apache/selinux-apache-2.20120725-r8.ebuild b/sec-policy/selinux-apache/selinux-apache-2.20120725-r8.ebuild
84 index 2afdf68..83c23d7 100644
85 --- a/sec-policy/selinux-apache/selinux-apache-2.20120725-r8.ebuild
86 +++ b/sec-policy/selinux-apache/selinux-apache-2.20120725-r8.ebuild
87 @@ -16,3 +16,5 @@ DEPEND="${DEPEND}
88 sec-policy/selinux-kerberos
89 "
90 RDEPEND="${DEPEND}"
91 +
92 +POLICY_PATCH="${FILESDIR}/fix-make-gpg-optional-r8.patch"
93
94 diff --git a/sec-policy/selinux-chromium/selinux-chromium-2.20120725-r8.ebuild b/sec-policy/selinux-chromium/selinux-chromium-2.20120725-r8.ebuild
95 index fe71d8c..80d7d4f 100644
96 --- a/sec-policy/selinux-chromium/selinux-chromium-2.20120725-r8.ebuild
97 +++ b/sec-policy/selinux-chromium/selinux-chromium-2.20120725-r8.ebuild
98 @@ -12,3 +12,7 @@ inherit selinux-policy-2
99 DESCRIPTION="SELinux policy for chromium"
100
101 KEYWORDS="~amd64 ~x86"
102 +DEPEND="${DEPEND}
103 + sec-policy/selinux-xserver
104 +"
105 +RDEPEND="${DEPEND}"
106
107 diff --git a/sec-policy/selinux-mplayer/selinux-mplayer-2.20120725-r8.ebuild b/sec-policy/selinux-mplayer/selinux-mplayer-2.20120725-r8.ebuild
108 index 2728c70..588c7e3 100644
109 --- a/sec-policy/selinux-mplayer/selinux-mplayer-2.20120725-r8.ebuild
110 +++ b/sec-policy/selinux-mplayer/selinux-mplayer-2.20120725-r8.ebuild
111 @@ -12,3 +12,7 @@ inherit selinux-policy-2
112 DESCRIPTION="SELinux policy for mplayer"
113
114 KEYWORDS="~amd64 ~x86"
115 +DEPEND="${DEPEND}
116 + sec-policy/selinux-xserver
117 +"
118 +RDEPEND="${DEPEND}"
119
120 diff --git a/sec-policy/selinux-nginx/files/fix-tunable-names-r8.patch b/sec-policy/selinux-nginx/files/fix-tunable-names-r8.patch
121 new file mode 100644
122 index 0000000..3a5b69f
123 --- /dev/null
124 +++ b/sec-policy/selinux-nginx/files/fix-tunable-names-r8.patch
125 @@ -0,0 +1,42 @@
126 +--- contrib.orig/nginx.te 2012-11-24 19:52:13.439337617 +0100
127 ++++ contrib/nginx.te 2012-11-24 18:34:57.565327680 +0100
128 +@@ -124,33 +124,33 @@
129 + sysnet_dns_name_resolve(nginx_t)
130 +
131 +
132 +-tunable_policy(`gentoo_nginx_enable_http_server',`
133 ++tunable_policy(`nginx_enable_http_server',`
134 + corenet_tcp_bind_http_port(nginx_t)
135 + apache_read_all_content(nginx_t)
136 + apache_manage_all_rw_content(nginx_t)
137 + ')
138 +
139 + # We enable both binding and connecting, since nginx acts here as a reverse proxy
140 +-tunable_policy(`gentoo_nginx_enable_imap_server',`
141 ++tunable_policy(`nginx_enable_imap_server',`
142 + corenet_tcp_bind_pop_port(nginx_t)
143 + corenet_tcp_connect_pop_port(nginx_t)
144 + ')
145 +
146 +-tunable_policy(`gentoo_nginx_enable_pop3_server',`
147 ++tunable_policy(`nginx_enable_pop3_server',`
148 + corenet_tcp_bind_pop_port(nginx_t)
149 + corenet_tcp_connect_pop_port(nginx_t)
150 + ')
151 +
152 +-tunable_policy(`gentoo_nginx_enable_smtp_server',`
153 ++tunable_policy(`nginx_enable_smtp_server',`
154 + corenet_tcp_bind_smtp_port(nginx_t)
155 + corenet_tcp_connect_smtp_port(nginx_t)
156 + ')
157 +
158 +-tunable_policy(`gentoo_nginx_can_network_connect_http',`
159 ++tunable_policy(`nginx_can_network_connect_http',`
160 + corenet_tcp_connect_http_port(nginx_t)
161 + ')
162 +
163 +-tunable_policy(`gentoo_nginx_can_network_connect',`
164 ++tunable_policy(`nginx_can_network_connect',`
165 + corenet_tcp_connect_all_ports(nginx_t)
166 + ')
167 +
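Review bot: Renaming the six conditions from `gentoo_nginx_*` to `nginx_*` changes the boolean names administrators work with, so a value stored earlier with `setsebool -P` under the old name will presumably not carry over and the rules fall back to the declared defaults after the upgrade. The `gen_tunable` declarations are outside this hunk, so those defaults cannot be checked here. It is worth stating the rename in the commit message or an ebuild message, e.g. `elog "nginx booleans dropped the gentoo_ prefix; re-check them with getsebool -a | grep nginx"`. Separately, the `nginx_enable_imap_server` block grants the same `pop_port` bind and connect rules as the pop3 block. If that is intentional because the pop port type also covers the IMAP ports, a one-line comment saying so would stop it reading as a copy-paste slip.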
168
169 diff --git a/sec-policy/selinux-nginx/selinux-nginx-2.20120725-r8.ebuild b/sec-policy/selinux-nginx/selinux-nginx-2.20120725-r8.ebuild
170 index 33dbef2..61fec2a 100644
171 --- a/sec-policy/selinux-nginx/selinux-nginx-2.20120725-r8.ebuild
172 +++ b/sec-policy/selinux-nginx/selinux-nginx-2.20120725-r8.ebuild
173 @@ -16,3 +16,5 @@ DEPEND="${DEPEND}
174 sec-policy/selinux-apache
175 "
176 RDEPEND="${DEPEND}"
177 +
178 +POLICY_PATCH="${FILESDIR}/fix-tunable-names-r8.patch"
179
180 diff --git a/sec-policy/selinux-virt/files/fix-qemu-is-optional-r8.patch b/sec-policy/selinux-virt/files/fix-qemu-is-optional-r8.patch
181 new file mode 100644
182 index 0000000..08db031
183 --- /dev/null
184 +++ b/sec-policy/selinux-virt/files/fix-qemu-is-optional-r8.patch
185 @@ -0,0 +1,15 @@
186 +--- contrib/virt.te 2012-11-25 20:32:20.060892255 +0100
187 ++++ contrib/virt.te 2012-11-25 20:31:23.778880957 +0100
188 +@@ -281,7 +281,11 @@
189 + userdom_search_user_home_dirs(virt_domain)
190 + userdom_read_all_users_state(virt_domain)
191 +
192 +-qemu_exec(virt_domain)
193 ++ifdef(`distro_gentoo',`
194 ++ optional_policy(`
195 ++ qemu_exec(virt_domain)
196 ++ ')
197 ++')
198 +
199 + tunable_policy(`virt_use_execmem',`
200 + allow virt_domain self:process { execmem execstack };
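Review bot: The replacement for `qemu_exec(virt_domain)` is wrapped in a `distro_gentoo` ifdef as well as in `optional_policy`, so a build without `distro_gentoo` defined loses the rule entirely rather than merely making it optional. If the aim is only to let the virt module build without the qemu module, the inner three-line `optional_policy` block does that on its own and keeps the patch closer to something upstream could take. If the distro guard is deliberate, a comment such as `# Gentoo ships qemu as a separate policy package, so qemu_exec must not be a hard dependency` would explain why. The surrounding section of virt.te continues outside the hunk.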
201
202 diff --git a/sec-policy/selinux-virt/selinux-virt-2.20120725-r8.ebuild b/sec-policy/selinux-virt/selinux-virt-2.20120725-r8.ebuild
203 index a11ad0e..5c5389f 100644
204 --- a/sec-policy/selinux-virt/selinux-virt-2.20120725-r8.ebuild
205 +++ b/sec-policy/selinux-virt/selinux-virt-2.20120725-r8.ebuild
206 @@ -12,3 +12,4 @@ inherit selinux-policy-2
207 DESCRIPTION="SELinux policy for virt"
208
209 KEYWORDS="~amd64 ~x86"
210 +POLICY_PATCH="${FILESDIR}/fix-qemu-is-optional-r8.patch"