
From: Sven Vermeulen <sven.vermeulen@××××××.be>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Tue, 30 Oct 2012 18:37:30
Message-Id: 1351621978.36b9de677df390ea7ac2ef242414a7122c6e26ac.SwifT@gentoo
1 commit: 36b9de677df390ea7ac2ef242414a7122c6e26ac
2 Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
3 AuthorDate: Tue Oct 30 09:58:49 2012 +0000
4 Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
5 CommitDate: Tue Oct 30 18:32:58 2012 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=36b9de67
7
8 Changes to the tvtime policy module
9
10 Module clean up
11
12 Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
13
14 ---
15 policy/modules/contrib/tvtime.fc | 6 ++----
16 policy/modules/contrib/tvtime.if | 26 ++++++++++++--------------
17 policy/modules/contrib/tvtime.te | 20 ++++++++++----------
18 3 files changed, 24 insertions(+), 28 deletions(-)
19
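--- a/policy/modules/contrib/tvtime.fc
+++ b/policy/modules/contrib/tvtime.fc
@@ -1,5 +1,3 @@
-#
-# /usr
-#
-/usr/bin/tvtime -- gen_context(system_u:object_r:tvtime_exec_t,s0)
+HOME_DIR/\.tvtime(/.*)? gen_context(system_u:object_r:tvtime_home_t,s0)
 
+/usr/bin/tvtime -- gen_context(system_u:object_r:tvtime_exec_t,s0)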
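--- a/policy/modules/contrib/tvtime.if
+++ b/policy/modules/contrib/tvtime.if
@@ -1,4 +1,4 @@
-## <summary> tvtime - a high quality television application </summary>
+## <summary>High quality television application.</summary>
 
 ########################################
 ## <summary>
@@ -17,24 +17,22 @@
 #
 interface(`tvtime_role',`
 gen_require(`
-type tvtime_t, tvtime_exec_t;
+attribute_role tvtime_roles;
+type tvtime_t, tvtime_exec_t, tvtime_tmp_t;
 type tvtime_home_t, tvtime_tmpfs_t;
 ')
 
-role $1 types tvtime_t;
+roleattribute $1 tvtime_roles;
 
-# Type transition
 domtrans_pattern($2, tvtime_exec_t, tvtime_t)
 
-# X access, Home files
-manage_dirs_pattern($2, tvtime_home_t, tvtime_home_t)
-manage_files_pattern($2, tvtime_home_t, tvtime_home_t)
-manage_lnk_files_pattern($2, tvtime_home_t, tvtime_home_t)
-relabel_dirs_pattern($2, tvtime_home_t, tvtime_home_t)
-relabel_files_pattern($2, tvtime_home_t, tvtime_home_t)
-relabel_lnk_files_pattern($2, tvtime_home_t, tvtime_home_t)
-
-# Allow the user domain to signal/ps.
 ps_process_pattern($2, tvtime_t)
-allow $2 tvtime_t:process signal_perms;
+allow $2 tvtime_t:process { ptrace signal_perms };
+
+allow $2 { tvtime_home_t tvtime_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
+allow $2 { tvtime_home_t tvtime_tmpfs_t tvtime_tmp_t }:file { manage_file_perms relabel_file_perms };
+allow $2 { tvtime_home_t tvtime_tmpfs_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+allow $2 tvtime_tmpfs_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
+allow $2 tvtime_tmpfs_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+userdom_user_home_dir_filetrans($2, tvtime_home_t, dir, ".tvtime")
 ')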
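Review bot: `allow $2 tvtime_t:process { ptrace signal_perms };` grants the caller's domain ptrace over tvtime_t where the removed rule allowed only signal_perms, so the role domain can now attach to and inspect a running tvtime process; that is a widening of access rather than a clean-up, and the commit message does not mention it. If the ptrace grant is intended, it should be stated in the description (and considered for gating behind a ptrace-related tunable if the policy provides one); otherwise keep `allow $2 tvtime_t:process signal_perms;`. The new allow rules also reference tvtime_tmp_t, which the gen_require now lists, but none of the visible tvtime.te hunks declare that type, so this presumably relies on an existing declaration elsewhere in the file and is worth confirming against the module build. The interface's `## <param>` documentation block sits above the hunk and is left unchanged.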
80 diff --git a/policy/modules/contrib/tvtime.te b/policy/modules/contrib/tvtime.te
81 index 531b1f1..3292fcc 100644
82 --- a/policy/modules/contrib/tvtime.te
83 +++ b/policy/modules/contrib/tvtime.te
84 @@ -1,15 +1,18 @@
85 -policy_module(tvtime, 2.2.0)
86 +policy_module(tvtime, 2.2.1)
87
88 ########################################
89 #
90 # Declarations
91 #
92
93 +attribute_role tvtime_roles;
94 +
95 type tvtime_t;
96 type tvtime_exec_t;
97 typealias tvtime_t alias { user_tvtime_t staff_tvtime_t sysadm_tvtime_t };
98 typealias tvtime_t alias { auditadm_tvtime_t secadm_tvtime_t };
99 userdom_user_application_domain(tvtime_t, tvtime_exec_t)
100 +role tvtime_roles types tvtime_t;
101
102 type tvtime_home_t alias tvtime_rw_t;
103 typealias tvtime_home_t alias { user_tvtime_home_t staff_tvtime_home_t sysadm_tvtime_home_t };
104 @@ -36,7 +39,6 @@ allow tvtime_t self:process setsched;
105 allow tvtime_t self:unix_dgram_socket rw_socket_perms;
106 allow tvtime_t self:unix_stream_socket rw_stream_socket_perms;
107
108 -# X access, Home files
109 manage_dirs_pattern(tvtime_t, tvtime_home_t, tvtime_home_t)
110 manage_files_pattern(tvtime_t, tvtime_home_t, tvtime_home_t)
111 manage_lnk_files_pattern(tvtime_t, tvtime_home_t, tvtime_home_t)
112 @@ -55,30 +57,28 @@ fs_tmpfs_filetrans(tvtime_t, tvtime_tmpfs_t,{ file lnk_file sock_file fifo_file
113 kernel_read_all_sysctls(tvtime_t)
114 kernel_get_sysvipc_info(tvtime_t)
115
116 -dev_read_urand(tvtime_t)
117 dev_read_realtime_clock(tvtime_t)
118 dev_read_sound(tvtime_t)
119 +dev_read_urand(tvtime_t)
120
121 files_read_usr_files(tvtime_t)
122 -files_search_pids(tvtime_t)
123 -# Read /etc/tvtime
124 -files_read_etc_files(tvtime_t)
125
126 -# X access, Home files
127 +fs_getattr_all_fs(tvtime_t)
128 fs_search_auto_mountpoints(tvtime_t)
129
130 -miscfiles_read_localization(tvtime_t)
131 +auth_use_nsswitch(tvtime_t)
132 +
133 miscfiles_read_fonts(tvtime_t)
134 +miscfiles_read_localization(tvtime_t)
135
136 userdom_use_user_terminals(tvtime_t)
137 -userdom_read_user_home_content_files(tvtime_t)
138
139 -# X access, Home files
140 tunable_policy(`use_nfs_home_dirs',`
141 fs_manage_nfs_dirs(tvtime_t)
142 fs_manage_nfs_files(tvtime_t)
143 fs_manage_nfs_symlinks(tvtime_t)
144 ')
145 +
146 tunable_policy(`use_samba_home_dirs',`
147 fs_manage_cifs_dirs(tvtime_t)
148 fs_manage_cifs_files(tvtime_t)