
From: Sven Vermeulen <sven.vermeulen@××××××.be>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Wed, 01 May 2013 20:11:26
Message-Id: 1367439025.fd7ac272a9fa36d2c0f7b690d022d119488430e8.SwifT@gentoo
1 commit: fd7ac272a9fa36d2c0f7b690d022d119488430e8
2 Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
3 AuthorDate: Wed May 1 20:10:25 2013 +0000
4 Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
5 CommitDate: Wed May 1 20:10:25 2013 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=fd7ac272
7
8 Update policy with suggestions by dgrift
9
10 ---
11 policy/modules/contrib/minidlna.fc | 7 ++++-
12 policy/modules/contrib/minidlna.if | 6 ++--
13 policy/modules/contrib/minidlna.te | 47 ++++++++++++++++++++---------------
14 3 files changed, 35 insertions(+), 25 deletions(-)
15
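diff --git a/policy/modules/contrib/minidlna.fc b/policy/modules/contrib/minidlna.fc
index 05ad732..9d4cd52 100644
--- a/policy/modules/contrib/minidlna.fc
+++ b/policy/modules/contrib/minidlna.fc
@@ -1,11 +1,14 @@
 /etc/rc\.d/init\.d/minidlna -- gen_context(system_u:object_r:minidlna_initrc_exec_t,s0)
 
-/etc/minidlna\.conf -- gen_context(system_u:object_r:minidlna_etc_t,s0)
+/etc/minidlna\.conf -- gen_context(system_u:object_r:minidlna_conf_t,s0)
 
 /usr/sbin/minidlna -- gen_context(system_u:object_r:minidlna_exec_t,s0)
 
+/var/cache/minidlna(/.*)? gen_context(system_u:object_r:minidlna_db_t,s0)
+
 /var/lib/minidlna(/.*)? gen_context(system_u:object_r:minidlna_db_t,s0)
 
-/var/log/minidlna\.log -- gen_context(system_u:object_r:minidlna_log_t,s0)
+/var/log/minidlna(/.*)? gen_context(system_u:object_r:minidlna_log_t,s0)
+/var/log/minidlna\.log.* -- gen_context(system_u:object_r:minidlna_log_t,s0)
 
 /var/run/minidlna(/.*)? gen_context(system_u:object_r:minidlna_var_run_t,s0)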
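Review bot: The new `/var/cache/minidlna(/.*)?` entry labels the cache tree as minidlna_db_t, but the only traversal permission added in this commit's minidlna.te is `files_search_var_lib(minidlna_t)`; nothing visible in the diff lets minidlna_t search /var/cache, so if the daemon actually uses that path at runtime the access would be denied unless it is covered by rules outside this diff. If the cache directory is meant to be used, a matching `files_search_var(minidlna_t)` belongs next to the var_lib search call. Separately, since `files_var_lib_filetrans` is commented out in minidlna.te, this file context is now the only thing giving /var/lib/minidlna its label, so the policy relies on the directory being created and relabeled by the package rather than by the daemon; worth a one-line comment in the .te next to the commented-out filetrans stating that assumption.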
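diff --git a/policy/modules/contrib/minidlna.if b/policy/modules/contrib/minidlna.if
index d27f634..358917a 100644
--- a/policy/modules/contrib/minidlna.if
+++ b/policy/modules/contrib/minidlna.if
@@ -1,4 +1,4 @@
-## <summary>MiniDLNA server</summary>
+## <summary>MiniDLNA lightweight DLNA/UPnP media server</summary>
 
 ########################################
 ## <summary>
@@ -20,7 +20,7 @@
 interface(`minidlna_admin',`
 gen_require(`
 type minidlna_t, minidlna_var_run_t, minidlna_initrc_exec_t;
-type minidlna_etc_t, minidlna_log_t, minidlna_db_t;
+type minidlna_conf_t, minidlna_log_t, minidlna_db_t;
 ')
 
 allow $1 minidlna_t:process { ptrace signal_perms };
@@ -32,7 +32,7 @@ interface(`minidlna_admin',`
 allow $2 system_r;
 
 files_search_etc($1)
-admin_pattern($1, minidlna_etc_t)
+admin_pattern($1, minidlna_conf_t)
 
 logging_search_logs($1)
 admin_pattern($1, minidlna_log_t)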
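diff --git a/policy/modules/contrib/minidlna.te b/policy/modules/contrib/minidlna.te
index 3becc3f..d3a5978 100644
--- a/policy/modules/contrib/minidlna.te
+++ b/policy/modules/contrib/minidlna.te
@@ -7,21 +7,21 @@ policy_module(minidlna, 0.1)
 
 ## <desc>
 ## <p>
-## Allow minidlna to read generic user content
+## Determine whether minidlna can read generic user content.
 ## </p>
 ## </desc>
 gen_tunable(minidlna_read_generic_user_content, false)
 
 ## <desc>
 ## <p>
-## Allow minidlna to read all user content
+## Determine whether minidlna can read all user content.
 ## </p>
 ## </desc>
 gen_tunable(minidlna_read_all_user_content, false)
 
 ## <desc>
 ## <p>
-## Allow minidlna to read xdg videos, pictures and music labeled files
+## Determine whether minidlna can read users xdg videos, pictures and music labeled files
 ## </p>
 ## </desc>
 gen_tunable(minidlna_read_xdg_media_content, false)
@@ -33,8 +33,8 @@ init_daemon_domain(minidlna_t, minidlna_exec_t)
 type minidlna_initrc_exec_t;
 init_script_file(minidlna_initrc_exec_t)
 
-type minidlna_etc_t;
-files_config_file(minidlna_etc_t)
+type minidlna_conf_t;
+files_config_file(minidlna_conf_t)
 
 type minidlna_log_t;
 logging_log_file(minidlna_log_t)
@@ -50,27 +50,33 @@ files_pid_file(minidlna_var_run_t)
 # Local policy
 #
 
-allow minidlna_t self:process { setsched };
+allow minidlna_t self:process setsched;
 allow minidlna_t self:tcp_socket create_stream_socket_perms;
-allow minidlna_t self:udp_socket { create_socket_perms node_bind };
-allow minidlna_t self:netlink_route_socket rw_netlink_socket_perms;
-allow minidlna_t minidlna_log_t:file { create_file_perms append_file_perms };
-allow minidlna_t minidlna_etc_t:file read_file_perms;
-
-manage_files_pattern(minidlna_t, minidlna_db_t, minidlna_db_t)
-create_dirs_pattern(minidlna_t, minidlna_db_t, minidlna_db_t)
-rw_dirs_pattern(minidlna_t, minidlna_db_t, minidlna_db_t)
-files_var_lib_filetrans(minidlna_t, minidlna_db_t, dir)
-
-manage_files_pattern(minidlna_t, minidlna_var_run_t, minidlna_var_run_t)
-rw_dirs_pattern(minidlna_t, minidlna_var_run_t, minidlna_var_run_t)
+allow minidlna_t self:udp_socket create_socket_perms;
+allow minidlna_t self:netlink_route_socket r_netlink_socket_perms;
+allow minidlna_t minidlna_conf_t:file read_file_perms;
+
+allow minidlna_t minidlna_db_t:dir { create_dir_perms rw_dir_perms };
+allow minidlna_t minidlna_db_t:file manage_file_perms;
+#manage_files_pattern(minidlna_t, minidlna_db_t, minidlna_db_t)
+#create_dirs_pattern(minidlna_t, minidlna_db_t, minidlna_db_t)
+#rw_dirs_pattern(minidlna_t, minidlna_db_t, minidlna_db_t)
+#files_var_lib_filetrans(minidlna_t, minidlna_db_t, dir)
+
+allow minidlna_t minidlna_log_t:file append_file_perms;
+create_files_pattern(minidlna_t, minidlna_log_t, minidlna_log_t)
+#append_files_pattern(minidlna_t, minidlna_log_t, minidlna_log_t)
+logging_log_filetrans(minidlna_t, minidlna_log_t, file)
+
+allow minidlna_t minidlna_var_run_t:file manage_file_perms;
+allow minidlna_t minidlna_var_run_t:dir rw_dir_perms;
+#manage_files_pattern(minidlna_t, minidlna_var_run_t, minidlna_var_run_t)
+#rw_dirs_pattern(minidlna_t, minidlna_var_run_t, minidlna_var_run_t)
 files_pid_filetrans(minidlna_t, minidlna_var_run_t, file)
 
 kernel_read_fs_sysctls(minidlna_t)
 kernel_read_system_state(minidlna_t)
 
-logging_log_filetrans(minidlna_t, minidlna_log_t, file)
-
 corecmd_exec_bin(minidlna_t)
 corecmd_exec_shell(minidlna_t)
 
@@ -92,6 +98,7 @@ corenet_sendrecv_trivnet1_server_packets(minidlna_t)
 corenet_tcp_bind_trivnet1_port(minidlna_t)
 
 files_read_etc_files(minidlna_t)
+files_search_var_lib(minidlna_t)
 
 miscfiles_read_localization(minidlna_t)
 miscfiles_read_public_files(minidlna_t)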
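Review bot: In the local-policy hunk, `logging_log_filetrans(minidlna_t, minidlna_log_t, file)` only covers the `file` class, while minidlna.fc in this same commit now labels `/var/log/minidlna(/.*)?` — a directory — as minidlna_log_t; if the daemon creates that directory itself at runtime (not verifiable from this diff), it would inherit the parent's var_log_t label and the `append_file_perms` / `create_files_pattern` rules on minidlna_log_t would then not apply to the files written inside it. If that is the case, the transition should read `logging_log_filetrans(minidlna_t, minidlna_log_t, { dir file })` together with a `create_dir_perms` rule on `minidlna_log_t:dir`; if the directory is guaranteed to be created by the package, a one-line comment saying so next to the filetrans would remove the ambiguity. As a point of style, the six commented-out `*_pattern` and `files_var_lib_filetrans` lines are dead text that git history already preserves and make it harder to see which rules are actually in force; they are better deleted than kept as comments. The same remark applies to the commented-out `append_files_pattern` line in the log block.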