[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/ - gentoo-commits

From:	Sven Vermeulen <sven.vermeulen@××××××.be>
To:	gentoo-commits@l.g.o
Subject:	[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date:	Tue, 02 Oct 2012 18:14:00
Message-Id:	`1349201059.ed6053a16d285c29f5490f8572c10b17e723c99d.SwifT@gentoo`

1

commit:     ed6053a16d285c29f5490f8572c10b17e723c99d

2

Author:     Dominick Grift <dominick.grift <AT> gmail <DOT> com>

3

AuthorDate: Sat Sep 29 09:55:40 2012 +0000

4

Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>

5

CommitDate: Tue Oct  2 18:04:19 2012 +0000

6

URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ed6053a1

7

8

Changes to the entropyd policy module

9

10

Add init script

11

Module clean up

12

13

Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>

14

15

---

16

 policy/modules/contrib/entropyd.fc |    7 +++----

17

 policy/modules/contrib/entropyd.if |   36 +++++++++++++++++++++++++++++++++++-

18

 policy/modules/contrib/entropyd.te |   16 +++++++++-------

19

 3 files changed, 47 insertions(+), 12 deletions(-)

20

21

diff --git a/policy/modules/contrib/entropyd.fc b/policy/modules/contrib/entropyd.fc

22

index d2d8ce3..c698711 100644

23

--- a/policy/modules/contrib/entropyd.fc

24

+++ b/policy/modules/contrib/entropyd.fc

25

@@ -1,8 +1,7 @@

26

-#

27

-# /usr

28

-#

29

+/etc/rc\.d/init\.d/((audio-entropyd)|(haveged))	--	gen_context(system_u:object_r:entropyd_initrc_exec_t,s0)

30

+

31

 /usr/sbin/audio-entropyd	--	gen_context(system_u:object_r:entropyd_exec_t,s0)

32

-/usr/sbin/haveged		--	gen_context(system_u:object_r:entropyd_exec_t,s0)

33

+/usr/sbin/haveged	--	gen_context(system_u:object_r:entropyd_exec_t,s0)

34

35

 /var/run/audio-entropyd\.pid	--	gen_context(system_u:object_r:entropyd_var_run_t,s0)

36

 /var/run/haveged\.pid		--	gen_context(system_u:object_r:entropyd_var_run_t,s0)

37

38

diff --git a/policy/modules/contrib/entropyd.if b/policy/modules/contrib/entropyd.if

39

index 67906f0..1161fbf 100644

40

--- a/policy/modules/contrib/entropyd.if

41

+++ b/policy/modules/contrib/entropyd.if

42

@@ -1 +1,35 @@

43

-## <summary>Generate entropy from audio input</summary>

44

+## <summary>Generate entropy from audio input.</summary>

45

+

46

+########################################

47

+## <summary>

48

+##	All of the rules required to

49

+##	administrate an entropyd environment.

50

+## </summary>

51

+## <param name="domain">

52

+##	<summary>

53

+##	Domain allowed access.

54

+##	</summary>

55

+## </param>

56

+## <param name="role">

57

+##	<summary>

58

+##	Role allowed access.

59

+##	</summary>

60

+## </param>

61

+## <rolecap/>

62

+#

63

+interface(`entropyd_admin',`

64

+	gen_require(`

65

+		type entropyd_t, entropyd_initrc_exec_t, entropyd_var_run_t;

66

+	')

67

+

68

+	allow $1 entropyd_t:process { ptrace signal_perms };

69

+	ps_process_pattern($1, entropyd_t)

70

+

71

+	init_labeled_script_domtrans($1, entropyd_initrc_exec_t)

72

+	domain_system_change_exemption($1)

73

+	role_transition $2 entropyd_initrc_exec_t system_r;

74

+	allow $2 system_r;

75

+

76

+	files_search_pids($1)

77

+	admin_pattern($1, entropyd_var_run_t)

78

+')

79

80

diff --git a/policy/modules/contrib/entropyd.te b/policy/modules/contrib/entropyd.te

81

index b6ac808..e1aff60 100644

82

--- a/policy/modules/contrib/entropyd.te

83

+++ b/policy/modules/contrib/entropyd.te

84

@@ -1,4 +1,4 @@

85

-policy_module(entropyd, 1.7.0)

86

+policy_module(entropyd, 1.7.1)

87

88

 ########################################

89

#

90

@@ -6,9 +6,11 @@ policy_module(entropyd, 1.7.0)

91

#

92

93

 ## <desc>

94

-## <p>

95

-##   Allow the use of the audio devices as the source for the entropy feeds

96

-## </p>

97

+##	<p>

98

+##	Determine whether entropyd can use

99

+##	audio devices as the source for

100

+##	the entropy feeds.

101

+##	</p>

102

 ## </desc>

103

 gen_tunable(entropyd_use_audio, false)

104

105

@@ -16,6 +18,9 @@ type entropyd_t;

106

 type entropyd_exec_t;

107

 init_daemon_domain(entropyd_t, entropyd_exec_t)

108

109

+type entropyd_initrc_exec_t;

110

+init_script_file(entropyd_initrc_exec_t)

111

+

112

 type entropyd_var_run_t;

113

 files_pid_file(entropyd_var_run_t)

114

115

@@ -27,7 +32,6 @@ files_pid_file(entropyd_var_run_t)

116

 allow entropyd_t self:capability { dac_override ipc_lock sys_admin };

117

 dontaudit entropyd_t self:capability sys_tty_config;

118

 allow entropyd_t self:process signal_perms;

119

-allow entropyd_t self:unix_dgram_socket create_socket_perms;

120

121

 manage_files_pattern(entropyd_t, entropyd_var_run_t, entropyd_var_run_t)

122

 files_pid_filetrans(entropyd_t, entropyd_var_run_t, file)

123

@@ -59,8 +63,6 @@ userdom_dontaudit_search_user_home_dirs(entropyd_t)

124

125

 tunable_policy(`entropyd_use_audio',`

126

 	dev_read_sound(entropyd_t)

127

-	# set sound card parameters such as sample format, number of channels

128

-	# and sample rate.

129

 	dev_write_sound(entropyd_t)

130

')

1	commit: ed6053a16d285c29f5490f8572c10b17e723c99d
2	Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
3	AuthorDate: Sat Sep 29 09:55:40 2012 +0000
4	Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
5	CommitDate: Tue Oct 2 18:04:19 2012 +0000
6	URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ed6053a1
7
8	Changes to the entropyd policy module
9
10	Add init script
11	Module clean up
12
13	Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
14
15	---
16	policy/modules/contrib/entropyd.fc \| 7 +++----
17	policy/modules/contrib/entropyd.if \| 36 +++++++++++++++++++++++++++++++++++-
18	policy/modules/contrib/entropyd.te \| 16 +++++++++-------
19	3 files changed, 47 insertions(+), 12 deletions(-)
20
21	diff --git a/policy/modules/contrib/entropyd.fc b/policy/modules/contrib/entropyd.fc
22	index d2d8ce3..c698711 100644
23	--- a/policy/modules/contrib/entropyd.fc
24	+++ b/policy/modules/contrib/entropyd.fc
25	@@ -1,8 +1,7 @@
26	-#
27	-# /usr
28	-#
29	+/etc/rc\.d/init\.d/((audio-entropyd)\|(haveged)) -- gen_context(system_u:object_r:entropyd_initrc_exec_t,s0)
30	+
31	/usr/sbin/audio-entropyd -- gen_context(system_u:object_r:entropyd_exec_t,s0)
32	-/usr/sbin/haveged -- gen_context(system_u:object_r:entropyd_exec_t,s0)
33	+/usr/sbin/haveged -- gen_context(system_u:object_r:entropyd_exec_t,s0)
34
35	/var/run/audio-entropyd\.pid -- gen_context(system_u:object_r:entropyd_var_run_t,s0)
36	/var/run/haveged\.pid -- gen_context(system_u:object_r:entropyd_var_run_t,s0)
37
38	diff --git a/policy/modules/contrib/entropyd.if b/policy/modules/contrib/entropyd.if
39	index 67906f0..1161fbf 100644
40	--- a/policy/modules/contrib/entropyd.if
41	+++ b/policy/modules/contrib/entropyd.if
42	@@ -1 +1,35 @@
43	-## <summary>Generate entropy from audio input</summary>
44	+## <summary>Generate entropy from audio input.</summary>
45	+
46	+########################################
47	+## <summary>
48	+## All of the rules required to
49	+## administrate an entropyd environment.
50	+## </summary>
51	+## <param name="domain">
52	+## <summary>
53	+## Domain allowed access.
54	+## </summary>
55	+## </param>
56	+## <param name="role">
57	+## <summary>
58	+## Role allowed access.
59	+## </summary>
60	+## </param>
61	+## <rolecap/>
62	+#
63	+interface(`entropyd_admin',`
64	+ gen_require(`
65	+ type entropyd_t, entropyd_initrc_exec_t, entropyd_var_run_t;
66	+ ')
67	+
68	+ allow $1 entropyd_t:process { ptrace signal_perms };
69	+ ps_process_pattern($1, entropyd_t)
70	+
71	+ init_labeled_script_domtrans($1, entropyd_initrc_exec_t)
72	+ domain_system_change_exemption($1)
73	+ role_transition $2 entropyd_initrc_exec_t system_r;
74	+ allow $2 system_r;
75	+
76	+ files_search_pids($1)
77	+ admin_pattern($1, entropyd_var_run_t)
78	+')
79
80	diff --git a/policy/modules/contrib/entropyd.te b/policy/modules/contrib/entropyd.te
81	index b6ac808..e1aff60 100644
82	--- a/policy/modules/contrib/entropyd.te
83	+++ b/policy/modules/contrib/entropyd.te
84	@@ -1,4 +1,4 @@
85	-policy_module(entropyd, 1.7.0)
86	+policy_module(entropyd, 1.7.1)
87
88	########################################
89	#
90	@@ -6,9 +6,11 @@ policy_module(entropyd, 1.7.0)
91	#
92
93	## <desc>
94	-## <p>
95	-## Allow the use of the audio devices as the source for the entropy feeds
96	-## </p>
97	+## <p>
98	+## Determine whether entropyd can use
99	+## audio devices as the source for
100	+## the entropy feeds.
101	+## </p>
102	## </desc>
103	gen_tunable(entropyd_use_audio, false)
104
105	@@ -16,6 +18,9 @@ type entropyd_t;
106	type entropyd_exec_t;
107	init_daemon_domain(entropyd_t, entropyd_exec_t)
108
109	+type entropyd_initrc_exec_t;
110	+init_script_file(entropyd_initrc_exec_t)
111	+
112	type entropyd_var_run_t;
113	files_pid_file(entropyd_var_run_t)
114
115	@@ -27,7 +32,6 @@ files_pid_file(entropyd_var_run_t)
116	allow entropyd_t self:capability { dac_override ipc_lock sys_admin };
117	dontaudit entropyd_t self:capability sys_tty_config;
118	allow entropyd_t self:process signal_perms;
119	-allow entropyd_t self:unix_dgram_socket create_socket_perms;
120
121	manage_files_pattern(entropyd_t, entropyd_var_run_t, entropyd_var_run_t)
122	files_pid_filetrans(entropyd_t, entropyd_var_run_t, file)
123	@@ -59,8 +63,6 @@ userdom_dontaudit_search_user_home_dirs(entropyd_t)
124
125	tunable_policy(`entropyd_use_audio',`
126	dev_read_sound(entropyd_t)
127	- # set sound card parameters such as sample format, number of channels
128	- # and sample rate.
129	dev_write_sound(entropyd_t)
130	')

Gentoo Archives: gentoo-commits