
From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Mon, 05 Jun 2017 17:26:22
Message-Id: 1496682978.cf36b3514d4db2806437cdd1ed63cd328f40a3e2.perfinion@gentoo
1 commit: cf36b3514d4db2806437cdd1ed63cd328f40a3e2
2 Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
3 AuthorDate: Mon Jun 5 00:30:25 2017 +0000
4 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5 CommitDate: Mon Jun 5 17:16:18 2017 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cf36b351
8 cgmanager: Move lines
10 policy/modules/contrib/cgmanager.fc | 15 ++++++++-------
11 policy/modules/contrib/cgmanager.te | 26 ++++++++++++--------------
12 2 files changed, 20 insertions(+), 21 deletions(-)
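--- a/policy/modules/contrib/cgmanager.fc
+++ b/policy/modules/contrib/cgmanager.fc
@@ -1,9 +1,10 @@
-/usr/sbin/cgmanager -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
-/usr/sbin/cgproxy -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
-/usr/sbin/cgm-release-agent -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
+/sys/fs/cgroup/cgmanager(/.*)? gen_context(system_u:object_r:cgmanager_cgroup_t,s0)
 
-/sys/fs/cgroup/cgmanager(/.*)? gen_context(system_u:object_r:cgmanager_cgroup_t,s0)
+/run/cgmanager(/.*)? gen_context(system_u:object_r:cgmanager_run_t,s0)
+/run/cgmanager.pid gen_context(system_u:object_r:cgmanager_run_t,s0)
+/run/cgmanager/fs(/.*)? <<none>>
 
-/run/cgmanager(/.*)? gen_context(system_u:object_r:cgmanager_run_t,s0)
-/run/cgmanager.pid gen_context(system_u:object_r:cgmanager_run_t,s0)
-/run/cgmanager/fs(/.*)? <<none>>
+/usr/libexec/cgmanager/cgm-release-agent -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
+
+/usr/sbin/cgmanager -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
+/usr/sbin/cgproxy -- gen_context(system_u:object_r:cgmanager_exec_t,s0)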
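Review bot: This hunk does more than move lines: the entry for `/usr/sbin/cgm-release-agent` is dropped and `/usr/libexec/cgmanager/cgm-release-agent` takes its place, so a system that still installs the release agent under /usr/sbin would no longer label it cgmanager_exec_t, and the kernel-initiated transition granted on that type in the .te hunk (`kernel_domtrans_to(cgmanager_t, cgmanager_exec_t)`) would presumably not apply to it. If both install locations are still in use, keep the old entry next to the new one, `/usr/sbin/cgm-release-agent -- gen_context(system_u:object_r:cgmanager_exec_t,s0)`; otherwise name the path change in the commit message so the relabel is not read as a pure reorder. The whole file is covered by this hunk (old lines 1-9, new lines 1-10), so there is no other entry elsewhere that could still match the old path.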
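--- a/policy/modules/contrib/cgmanager.te
+++ b/policy/modules/contrib/cgmanager.te
@@ -9,12 +9,12 @@ type cgmanager_t;
 type cgmanager_exec_t;
 init_daemon_domain(cgmanager_t, cgmanager_exec_t)
 
-type cgmanager_run_t;
-files_pid_file(cgmanager_run_t)
-
 type cgmanager_cgroup_t;
 files_type(cgmanager_cgroup_t)
 
+type cgmanager_run_t;
+files_pid_file(cgmanager_run_t)
+
 ########################################
 #
 # CGManager local policy
@@ -23,40 +23,38 @@ files_type(cgmanager_cgroup_t)
 allow cgmanager_t self:capability { sys_admin dac_override };
 allow cgmanager_t self:fifo_file rw_fifo_file_perms;
 
+manage_dirs_pattern(cgmanager_t, cgmanager_cgroup_t, cgmanager_cgroup_t)
+manage_files_pattern(cgmanager_t, cgmanager_cgroup_t, cgmanager_cgroup_t)
+manage_sock_files_pattern(cgmanager_t, cgmanager_cgroup_t, cgmanager_cgroup_t)
+fs_cgroup_filetrans(cgmanager_t, cgmanager_cgroup_t, dir, "cgmanager")
+
+can_exec(cgmanager_t, cgmanager_exec_t)
+
 manage_dirs_pattern(cgmanager_t, cgmanager_run_t, cgmanager_run_t)
 manage_files_pattern(cgmanager_t, cgmanager_run_t, cgmanager_run_t)
 manage_lnk_files_pattern(cgmanager_t, cgmanager_run_t, cgmanager_run_t)
 files_pid_filetrans(cgmanager_t, cgmanager_run_t, { file dir })
 allow cgmanager_t cgmanager_run_t:dir mounton;
 
-manage_dirs_pattern(cgmanager_t, cgmanager_cgroup_t, cgmanager_cgroup_t)
-manage_files_pattern(cgmanager_t, cgmanager_cgroup_t, cgmanager_cgroup_t)
-manage_sock_files_pattern(cgmanager_t, cgmanager_cgroup_t, cgmanager_cgroup_t)
-fs_cgroup_filetrans(cgmanager_t, cgmanager_cgroup_t, dir, "cgmanager")
-
+# for the release agent
 kernel_domtrans_to(cgmanager_t, cgmanager_exec_t)
 kernel_read_system_state(cgmanager_t)
 
 corecmd_exec_bin(cgmanager_t)
-can_exec(cgmanager_t, cgmanager_exec_t)
 
 domain_read_all_domains_state(cgmanager_t)
 
 files_read_etc_files(cgmanager_t)
-
 # cgmanager unmounts everything in its own mount namespace and mounts tmpfs on some things
 files_mounton_all_mountpoints(cgmanager_t)
 files_unmount_all_file_type_fs(cgmanager_t)
-fs_unmount_xattr_fs(cgmanager_t)
 
+fs_unmount_xattr_fs(cgmanager_t)
 fs_manage_cgroup_dirs(cgmanager_t)
 fs_manage_cgroup_files(cgmanager_t)
-
 fs_getattr_tmpfs(cgmanager_t)
-
 fs_manage_tmpfs_dirs(cgmanager_t)
 fs_manage_tmpfs_files(cgmanager_t)
-
 fs_mount_cgroup(cgmanager_t)
 fs_mount_tmpfs(cgmanager_t)
 fs_mounton_tmpfs(cgmanager_t)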
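Review bot: The new `# for the release agent` comment in the second hunk sits above both `kernel_domtrans_to(cgmanager_t, cgmanager_exec_t)` and `kernel_read_system_state(cgmanager_t)`, so a reader cannot tell whether it explains one rule or both; if only the transition is meant, a blank line after that call, or wording such as `# the kernel execs the release agent, transition it into cgmanager_t`, removes the ambiguity. The relocated `can_exec(cgmanager_t, cgmanager_exec_t)` now stands alone between the cgmanager_cgroup_t and cgmanager_run_t blocks with no comment at all, and a self-exec grant is the kind of rule a later reader will question; a one-line comment naming what cgmanager executes itself (presumably cgproxy or the release agent — confirm against the daemon) would give it the same context the release-agent rule now has. The first hunk is a plain reorder and needs nothing.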