
From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Mon, 23 Jan 2017 15:44:22
Message-Id: 1485176165.045e19bda47a4abb2725672b0da50dafaaf85739.perfinion@gentoo
1 commit: 045e19bda47a4abb2725672b0da50dafaaf85739
2 Author: cgzones <cgzones <AT> googlemail <DOT> com>
3 AuthorDate: Thu Jan 5 19:12:45 2017 +0000
4 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5 CommitDate: Mon Jan 23 12:56:05 2017 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=045e19bd
7
8 update exim module
9
10 policy/modules/contrib/exim.fc | 14 +++++++-------
11 policy/modules/contrib/exim.if | 8 ++++----
12 policy/modules/contrib/exim.te | 25 +++++++++++++------------
13 3 files changed, 24 insertions(+), 23 deletions(-)
14
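diff --git a/policy/modules/contrib/exim.fc b/policy/modules/contrib/exim.fc
index 9e04a0d..842cb34 100644
--- a/policy/modules/contrib/exim.fc
+++ b/policy/modules/contrib/exim.fc
@@ -1,13 +1,13 @@
 /etc/rc\.d/init\.d/exim[0-9]? -- gen_context(system_u:object_r:exim_initrc_exec_t,s0)
 
-/usr/sbin/exim[0-9]? -- gen_context(system_u:object_r:exim_exec_t,s0)
-/usr/sbin/exim_tidydb -- gen_context(system_u:object_r:exim_exec_t,s0)
+/run/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_pid_t,s0)
+/run/exim[0-9]?\.pid -- gen_context(system_u:object_r:exim_pid_t,s0)
 
-/var/lib/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_var_lib_t,s0)
+/usr/sbin/exim[0-9]? -- gen_context(system_u:object_r:exim_exec_t,s0)
+/usr/sbin/exim_tidydb -- gen_context(system_u:object_r:exim_exec_t,s0)
 
-/var/log/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_log_t,s0)
+/var/lib/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_var_lib_t,s0)
 
-/run/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_var_run_t,s0)
-/run/exim[0-9]?\.pid -- gen_context(system_u:object_r:exim_var_run_t,s0)
+/var/log/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_log_t,s0)
 
-/var/spool/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_spool_t,s0)
+/var/spool/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_spool_t,s0)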
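diff --git a/policy/modules/contrib/exim.if b/policy/modules/contrib/exim.if
index 51655bb..c75f5fa 100644
--- a/policy/modules/contrib/exim.if
+++ b/policy/modules/contrib/exim.if
@@ -96,10 +96,10 @@ interface(`exim_read_tmp_files',`
 #
 interface(`exim_read_pid_files',`
 gen_require(`
-type exim_var_run_t;
+type exim_pid_t;
 ')
 
-allow $1 exim_var_run_t:file read_file_perms;
+allow $1 exim_pid_t:file read_file_perms;
 files_search_pids($1)
 ')
 
@@ -281,7 +281,7 @@ interface(`exim_manage_var_lib_files',`
 interface(`exim_admin',`
 gen_require(`
 type exim_t, exim_spool_t, exim_log_t;
-type exim_var_run_t, exim_initrc_exec_t, exim_tmp_t;
+type exim_pid_t, exim_initrc_exec_t, exim_tmp_t;
 type exim_keytab_t;
 ')
 
@@ -300,7 +300,7 @@ interface(`exim_admin',`
 admin_pattern($1, exim_log_t)
 
 files_search_pids($1)
-admin_pattern($1, exim_var_run_t)
+admin_pattern($1, exim_pid_t)
 
 files_search_tmp($1)
 admin_pattern($1, exim_tmp_t)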
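Review bot: The `exim_read_pid_files` hunk (`@@ -96,10 +96,10 @@`) still grants only `allow $1 exim_pid_t:file read_file_perms;` plus `files_search_pids($1)`, yet exim.fc in this same commit labels the whole `/run/exim[0-9]?(/.*)?` directory exim_pid_t and exim.te creates such a directory via `init_daemon_pid_file(exim_pid_t, dir, "exim4")` on Debian. A caller whose pid file sits under that directory cannot search it, because no search permission on exim_pid_t directories is given here. If that layout is meant to be supported by this interface, `read_files_pattern($1, exim_pid_t, exim_pid_t)` in place of the bare allow would cover the directory search as well. The gap predates the rename, so it may belong in a separate change.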
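diff --git a/policy/modules/contrib/exim.te b/policy/modules/contrib/exim.te
index b8de337..5f2810f 100644
--- a/policy/modules/contrib/exim.te
+++ b/policy/modules/contrib/exim.te
@@ -54,17 +54,18 @@ files_type(exim_var_lib_t)
 type exim_log_t;
 logging_log_file(exim_log_t)
 
+type exim_pid_t;
+typealias exim_pid_t alias exim_var_run_t;
+files_pid_file(exim_pid_t)
+
 type exim_spool_t;
 files_type(exim_spool_t)
 
 type exim_tmp_t;
 files_tmp_file(exim_tmp_t)
 
-type exim_var_run_t;
-files_pid_file(exim_var_run_t)
-
 ifdef(`distro_debian',`
-init_daemon_pid_file(exim_var_run_t, dir, "exim4")
+init_daemon_pid_file(exim_pid_t, dir, "exim4")
 ')
 
 ########################################
@@ -72,21 +73,25 @@ ifdef(`distro_debian',`
 # Local policy
 #
 
-allow exim_t self:capability { chown dac_override dac_read_search fowner setuid setgid sys_resource };
+allow exim_t self:capability { chown dac_override fowner setuid setgid sys_resource };
 allow exim_t self:process { setrlimit setpgid };
 allow exim_t self:fifo_file rw_fifo_file_perms;
 allow exim_t self:unix_stream_socket { accept listen };
 allow exim_t self:tcp_socket { accept listen };
 
-allow exim_t exim_keytab_t:file read_file_perms;
+can_exec(exim_t, exim_exec_t)
 
-manage_files_pattern(exim_t, exim_var_lib_t, exim_var_lib_t)
+allow exim_t exim_keytab_t:file read_file_perms;
 
 append_files_pattern(exim_t, exim_log_t, exim_log_t)
 create_files_pattern(exim_t, exim_log_t, exim_log_t)
 setattr_files_pattern(exim_t, exim_log_t, exim_log_t)
 logging_log_filetrans(exim_t, exim_log_t, file)
 
+manage_dirs_pattern(exim_t, exim_pid_t, exim_pid_t)
+manage_files_pattern(exim_t, exim_pid_t, exim_pid_t)
+files_pid_filetrans(exim_t, exim_pid_t, { dir file })
+
 manage_dirs_pattern(exim_t, exim_spool_t, exim_spool_t)
 manage_files_pattern(exim_t, exim_spool_t, exim_spool_t)
 manage_sock_files_pattern(exim_t, exim_spool_t, exim_spool_t)
@@ -96,11 +101,7 @@ manage_dirs_pattern(exim_t, exim_tmp_t, exim_tmp_t)
 manage_files_pattern(exim_t, exim_tmp_t, exim_tmp_t)
 files_tmp_filetrans(exim_t, exim_tmp_t, { dir file })
 
-manage_dirs_pattern(exim_t, exim_var_run_t, exim_var_run_t)
-manage_files_pattern(exim_t, exim_var_run_t, exim_var_run_t)
-files_pid_filetrans(exim_t, exim_var_run_t, { dir file })
-
-can_exec(exim_t, exim_exec_t)
+manage_files_pattern(exim_t, exim_var_lib_t, exim_var_lib_t)
 
 kernel_read_crypto_sysctls(exim_t)
 kernel_read_kernel_sysctls(exim_t)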
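Review bot: Removing dac_read_search while keeping dac_override in the exim_t capability allow (hunk `@@ -72,21 +73,25 @@`) takes no access away from exim, and neither the commit message nor a comment says why it was dropped. As I read the kernel's generic_permission(), a read or search on a directory is tested against CAP_DAC_READ_SEARCH before CAP_DAC_OVERRIDE, so exim_t still passes through dac_override but each such traversal of a directory it lacks DAC permission on can now be logged as a dac_read_search denial. If dac_override is genuinely required, `dontaudit exim_t self:capability dac_read_search;` next to the allow keeps the audit log clean; if it is not, dropping dac_override is the change that actually narrows privilege. The remainder of the exim_t local policy continues outside these hunks.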