
From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Sun, 30 Apr 2017 09:33:15
Message-Id: 1493543572.79122e4440ac3616cef3283767c88232f9f6f265.perfinion@gentoo
1 commit: 79122e4440ac3616cef3283767c88232f9f6f265
2 Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
3 AuthorDate: Wed Apr 19 01:06:48 2017 +0000
4 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5 CommitDate: Sun Apr 30 09:12:52 2017 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=79122e44
8 logging patches from Russell Coker
9
10 Patches for logrotate, webalizer, sysstat, and logwatch.
12 policy/modules/contrib/logrotate.te | 6 +++++-
13 policy/modules/contrib/logwatch.te | 7 ++++++-
14 policy/modules/contrib/sysstat.te | 9 ++++++---
15 policy/modules/contrib/webalizer.te | 8 +++++++-
16 4 files changed, 24 insertions(+), 6 deletions(-)
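diff --git a/policy/modules/contrib/logrotate.te b/policy/modules/contrib/logrotate.te
index ec338fb6..1c63e097 100644
--- a/policy/modules/contrib/logrotate.te
+++ b/policy/modules/contrib/logrotate.te
@@ -1,4 +1,4 @@
-policy_module(logrotate, 1.18.2)
+policy_module(logrotate, 1.18.3)
 
 ########################################
 #
@@ -89,6 +89,7 @@ files_dontaudit_list_mnt(logrotate_t)
 fs_search_auto_mountpoints(logrotate_t)
 fs_getattr_xattr_fs(logrotate_t)
 fs_list_inotifyfs(logrotate_t)
+fs_getattr_tmpfs(logrotate_t)
 
 mls_file_read_all_levels(logrotate_t)
 mls_file_write_all_levels(logrotate_t)
@@ -102,8 +103,10 @@ auth_manage_login_records(logrotate_t)
 auth_use_nsswitch(logrotate_t)
 
 init_all_labeled_script_domtrans(logrotate_t)
+init_startstop_all_script_services(logrotate_t)
 init_get_generic_units_status(logrotate_t)
 init_get_all_units_status(logrotate_t)
+init_get_system_status(logrotate_t)
 init_dbus_chat(logrotate_t)
 init_stream_connect(logrotate_t)
 init_manage_all_units(logrotate_t)
@@ -218,6 +221,7 @@ optional_policy(`
 optional_policy(`
 	mysql_read_config(logrotate_t)
 	mysql_stream_connect(logrotate_t)
+	mysql_signal(logrotate_t)
 ')
 
 optional_policy(`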
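Review bot: `init_startstop_all_script_services(logrotate_t)` in the third hunk, going by its name, lets logrotate start and stop every init-script service on the host, which is far wider than the reload or HUP a postrotate action normally needs; together with the `init_all_labeled_script_domtrans` and `init_manage_all_units` already on the surrounding lines, a compromised logrotate (root, run from cron) now controls service lifetime system-wide. If a particular postrotate script needs a full restart, name it in a comment above the new line, e.g. `# for postrotate scripts that restart rather than reload a service`, so the width of the grant can be revisited later. The same applies to `mysql_signal(logrotate_t)` in the last hunk: the SELinux signal permission does not distinguish SIGHUP from SIGTERM, so logrotate can now terminate mysqld rather than only ask it to flush logs; if the postrotate action is mysqladmin over the socket, the `mysql_stream_connect` on the line above may already be sufficient.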
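diff --git a/policy/modules/contrib/logwatch.te b/policy/modules/contrib/logwatch.te
index 24f1c17b..d2b54207 100644
--- a/policy/modules/contrib/logwatch.te
+++ b/policy/modules/contrib/logwatch.te
@@ -1,4 +1,4 @@
-policy_module(logwatch, 1.14.0)
+policy_module(logwatch, 1.14.1)
 
 #################################
 #
@@ -160,6 +160,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	raid_domtrans_mdadm(logwatch_t)
+')
+
+optional_policy(`
 	rpc_search_nfs_state_data(logwatch_t)
 ')
 
@@ -189,4 +193,5 @@ logging_read_all_logs(logwatch_mail_t)
 
 optional_policy(`
 	cron_use_system_job_fds(logwatch_mail_t)
+	cron_rw_system_job_pipes(logwatch_mail_t)
 ')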
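Review bot: `raid_domtrans_mdadm(logwatch_t)` in the second hunk lets logwatch, a Perl log parser fed text that local and remote sources can influence, execute mdadm in the privileged mdadm_t domain with whatever arguments it builds; a domain transition cannot be narrowed to a read-only status query. If the RAID report only needs array state, granting logwatch_t read access to /proc/mdstat would be a considerably smaller grant than the domtrans, so it is worth checking which logwatch service script actually invokes mdadm and with what command before keeping this. Whatever the outcome, a comment above the line naming that script and command, e.g. `# logwatch's mdadm report script — confirm it only queries array status`, would record why the transition is needed.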
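diff --git a/policy/modules/contrib/sysstat.te b/policy/modules/contrib/sysstat.te
index ac249ac0..deca783e 100644
--- a/policy/modules/contrib/sysstat.te
+++ b/policy/modules/contrib/sysstat.te
@@ -1,4 +1,4 @@
-policy_module(sysstat, 1.9.0)
+policy_module(sysstat, 1.9.1)
 
 ########################################
 #
@@ -24,8 +24,7 @@ allow sysstat_t self:capability { dac_override sys_admin sys_resource sys_tty_co
 allow sysstat_t self:fifo_file rw_fifo_file_perms;
 
 manage_dirs_pattern(sysstat_t,sysstat_log_t,sysstat_log_t)
-append_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
-create_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
+manage_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
 setattr_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
 manage_lnk_files_pattern(sysstat_t,sysstat_log_t,sysstat_log_t)
 logging_log_filetrans(sysstat_t, sysstat_log_t, { file dir })
@@ -39,12 +38,15 @@ kernel_read_fs_sysctls(sysstat_t)
 kernel_read_rpc_sysctls(sysstat_t)
 
 corecmd_exec_bin(sysstat_t)
+corecmd_exec_shell(sysstat_t)
 
 dev_read_sysfs(sysstat_t)
+dev_getattr_sysfs(sysstat_t)
 dev_read_urand(sysstat_t)
 
 files_search_var(sysstat_t)
 files_read_etc_runtime_files(sysstat_t)
+files_search_all_mountpoints(sysstat_t)
 
 fs_getattr_xattr_fs(sysstat_t)
 fs_list_inotifyfs(sysstat_t)
@@ -66,6 +68,7 @@ userdom_dontaudit_list_user_home_dirs(sysstat_t)
 
 optional_policy(`
 	cron_system_entry(sysstat_t, sysstat_exec_t)
+	cron_rw_tmp_files(sysstat_t)
 ')
 
 ifdef(`distro_gentoo',`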
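Review bot: Replacing `append_files_pattern`/`create_files_pattern` with `manage_files_pattern` on sysstat_log_t in the second hunk gives up the append-only property of the sa data files: sysstat_t can now truncate, rewrite and unlink its own history, so a compromised collector can alter or erase past activity records instead of only adding to them. The directory and symlink rules on the neighbouring lines were already full manage, and the change is presumably driven by sa2 pruning aged sa/sar files and sadc rewriting a data file whose header it rejects, but that reason is not stated anywhere; a comment above the new line such as `# sa2 deletes aged sa/sar files; sadc rewrites a file with a stale header` would document it. If deletion is the only extra need, keeping the old append/create rules and adding `delete_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)` would preserve the narrower grant. `corecmd_exec_shell(sysstat_t)` in the third hunk is presumably for the sa1/sa2 shell scripts entered through `cron_system_entry` and looks fine.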
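diff --git a/policy/modules/contrib/webalizer.te b/policy/modules/contrib/webalizer.te
index 06f9d332..9ea1bdad 100644
--- a/policy/modules/contrib/webalizer.te
+++ b/policy/modules/contrib/webalizer.te
@@ -1,4 +1,4 @@
-policy_module(webalizer, 1.14.0)
+policy_module(webalizer, 1.14.1)
 
 ########################################
 #
@@ -16,6 +16,9 @@ role webalizer_roles types webalizer_t;
 type webalizer_etc_t;
 files_config_file(webalizer_etc_t)
 
+type webalizer_log_t;
+logging_log_file(webalizer_log_t)
+
 type webalizer_tmp_t;
 files_tmp_file(webalizer_tmp_t)
 
@@ -37,6 +40,9 @@ allow webalizer_t self:tcp_socket { accept listen };
 
 allow webalizer_t webalizer_etc_t:file read_file_perms;
 
+manage_dirs_pattern(webalizer_t, webalizer_log_t, webalizer_log_t)
+manage_files_pattern(webalizer_t, webalizer_log_t, webalizer_log_t)
+
 manage_dirs_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t)
 manage_files_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t)
 files_tmp_filetrans(webalizer_t, webalizer_tmp_t, { file dir })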
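Review bot: The new `webalizer_log_t` type declared in the second hunk gets manage rules in the third hunk but nothing in this commit makes any file carry that label: the hunk adds no `logging_log_filetrans`, and the diffstat lists only four .te files, so no webalizer.fc entry was added either. Unless a filetrans for it already exists outside the hunk, files webalizer creates under /var/log will keep the directory's default type and the two new allow rules never take effect. Compare sysstat.te in this same commit, whose log type is paired with `logging_log_filetrans(sysstat_t, sysstat_log_t, { file dir })`; add `logging_log_filetrans(webalizer_t, webalizer_log_t, { file dir })` directly after the two new manage lines and a matching path entry in webalizer.fc (the exact path under /var/log should be confirmed against the package).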