[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/ - gentoo-commits

From:	Jason Zaman <perfinion@g.o>
To:	gentoo-commits@l.g.o
Subject:	[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
Date:	Sun, 27 Feb 2022 02:52:48
Message-Id:	`1645927997.a6f1a4be5244df25381bdc9d270765134f4d802b.perfinion@gentoo`

1

commit:     a6f1a4be5244df25381bdc9d270765134f4d802b

2

Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>

3

AuthorDate: Wed Feb 16 16:04:33 2022 +0000

4

Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>

5

CommitDate: Sun Feb 27 02:13:17 2022 +0000

6

URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a6f1a4be

7

8

cron, dbus, policykit, postfix: Minor style fixes.

9

10

No rule changes.

11

12

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>

13

Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

14

15

 policy/modules/services/cron.te      | 4 ++--

16

 policy/modules/services/dbus.te      | 5 ++---

17

 policy/modules/services/policykit.te | 2 +-

18

 policy/modules/services/postfix.te   | 5 ++---

19

 4 files changed, 7 insertions(+), 9 deletions(-)

20

21

diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te

22

index 9ecbe4d6..b36fc709 100644

23

--- a/policy/modules/services/cron.te

24

+++ b/policy/modules/services/cron.te

25

@@ -209,10 +209,10 @@ tunable_policy(`fcron_crond',`

26

 # Daemon local policy

27

#

28

29

-# for changing buffer sizes

30

 dontaudit crond_t self:capability net_admin;

31

 allow crond_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_nice };

32

-dontaudit crond_t self:capability { sys_resource sys_tty_config };

33

+# net_admin for changing buffer sizes

34

+dontaudit crond_t self:capability { net_admin sys_resource sys_tty_config };

35

36

 allow crond_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit };

37

 allow crond_t self:fd use;

38

39

diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te

40

index 9a1e6b30..31fc905c 100644

41

--- a/policy/modules/services/dbus.te

42

+++ b/policy/modules/services/dbus.te

43

@@ -67,10 +67,9 @@ ifdef(`enable_mls',`

44

 # Local policy

45

#

46

47

-# for changing buffer sizes

48

-dontaudit system_dbusd_t self:capability net_admin;

49

 allow system_dbusd_t self:capability { dac_override setgid setpcap setuid sys_resource };

50

-dontaudit system_dbusd_t self:capability sys_tty_config;

51

+# net_admin for changing buffer sizes

52

+dontaudit system_dbusd_t self:capability { net_admin sys_tty_config };

53

 allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap setrlimit };

54

 allow system_dbusd_t self:fifo_file rw_fifo_file_perms;

55

 allow system_dbusd_t self:dbus { send_msg acquire_svc };

56

57

diff --git a/policy/modules/services/policykit.te b/policy/modules/services/policykit.te

58

index 46f5568f..197dc13c 100644

59

--- a/policy/modules/services/policykit.te

60

+++ b/policy/modules/services/policykit.te

61

@@ -68,9 +68,9 @@ miscfiles_read_localization(policykit_domain)

62

 # Local policy

63

#

64

65

+allow policykit_t self:capability { dac_override dac_read_search setgid setuid sys_nice sys_ptrace };

66

 # for changing buffer sizes

67

 dontaudit policykit_t self:capability net_admin;

68

-allow policykit_t self:capability { dac_override dac_read_search setgid setuid sys_nice sys_ptrace };

69

 allow policykit_t self:process { getsched setsched signal };

70

 allow policykit_t self:unix_stream_socket { accept connectto listen };

71

72

73

diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te

74

index 6fe06887..5c324bc7 100644

75

--- a/policy/modules/services/postfix.te

76

+++ b/policy/modules/services/postfix.te

77

@@ -107,10 +107,9 @@ mta_mailserver_delivery(postfix_virtual_t)

78

 # Common postfix domain local policy

79

#

80

81

-# for changing buffer sizes

82

-dontaudit postfix_domain self:capability net_admin;

83

 allow postfix_domain self:capability { sys_chroot sys_nice };

84

-dontaudit postfix_domain self:capability sys_tty_config;

85

+# net_admin for changing buffer sizes

86

+dontaudit postfix_domain self:capability { net_admin sys_tty_config };

87

 allow postfix_domain self:process { signal_perms setpgid setsched };

88

 allow postfix_domain self:fifo_file rw_fifo_file_perms;

89

 allow postfix_domain self:unix_stream_socket { accept connectto listen };

1	commit: a6f1a4be5244df25381bdc9d270765134f4d802b
2	Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
3	AuthorDate: Wed Feb 16 16:04:33 2022 +0000
4	Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5	CommitDate: Sun Feb 27 02:13:17 2022 +0000
6	URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a6f1a4be
7
8	cron, dbus, policykit, postfix: Minor style fixes.
9
10	No rule changes.
11
12	Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
13	Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
14
15	policy/modules/services/cron.te \| 4 ++--
16	policy/modules/services/dbus.te \| 5 ++---
17	policy/modules/services/policykit.te \| 2 +-
18	policy/modules/services/postfix.te \| 5 ++---
19	4 files changed, 7 insertions(+), 9 deletions(-)
20
21	diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
22	index 9ecbe4d6..b36fc709 100644
23	--- a/policy/modules/services/cron.te
24	+++ b/policy/modules/services/cron.te
25	@@ -209,10 +209,10 @@ tunable_policy(`fcron_crond',`
26	# Daemon local policy
27	#
28
29	-# for changing buffer sizes
30	dontaudit crond_t self:capability net_admin;
31	allow crond_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_nice };
32	-dontaudit crond_t self:capability { sys_resource sys_tty_config };
33	+# net_admin for changing buffer sizes
34	+dontaudit crond_t self:capability { net_admin sys_resource sys_tty_config };
35
36	allow crond_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
37	allow crond_t self:fd use;
38
39	diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
40	index 9a1e6b30..31fc905c 100644
41	--- a/policy/modules/services/dbus.te
42	+++ b/policy/modules/services/dbus.te
43	@@ -67,10 +67,9 @@ ifdef(`enable_mls',`
44	# Local policy
45	#
46
47	-# for changing buffer sizes
48	-dontaudit system_dbusd_t self:capability net_admin;
49	allow system_dbusd_t self:capability { dac_override setgid setpcap setuid sys_resource };
50	-dontaudit system_dbusd_t self:capability sys_tty_config;
51	+# net_admin for changing buffer sizes
52	+dontaudit system_dbusd_t self:capability { net_admin sys_tty_config };
53	allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap setrlimit };
54	allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
55	allow system_dbusd_t self:dbus { send_msg acquire_svc };
56
57	diff --git a/policy/modules/services/policykit.te b/policy/modules/services/policykit.te
58	index 46f5568f..197dc13c 100644
59	--- a/policy/modules/services/policykit.te
60	+++ b/policy/modules/services/policykit.te
61	@@ -68,9 +68,9 @@ miscfiles_read_localization(policykit_domain)
62	# Local policy
63	#
64
65	+allow policykit_t self:capability { dac_override dac_read_search setgid setuid sys_nice sys_ptrace };
66	# for changing buffer sizes
67	dontaudit policykit_t self:capability net_admin;
68	-allow policykit_t self:capability { dac_override dac_read_search setgid setuid sys_nice sys_ptrace };
69	allow policykit_t self:process { getsched setsched signal };
70	allow policykit_t self:unix_stream_socket { accept connectto listen };
71
72
73	diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
74	index 6fe06887..5c324bc7 100644
75	--- a/policy/modules/services/postfix.te
76	+++ b/policy/modules/services/postfix.te
77	@@ -107,10 +107,9 @@ mta_mailserver_delivery(postfix_virtual_t)
78	# Common postfix domain local policy
79	#
80
81	-# for changing buffer sizes
82	-dontaudit postfix_domain self:capability net_admin;
83	allow postfix_domain self:capability { sys_chroot sys_nice };
84	-dontaudit postfix_domain self:capability sys_tty_config;
85	+# net_admin for changing buffer sizes
86	+dontaudit postfix_domain self:capability { net_admin sys_tty_config };
87	allow postfix_domain self:process { signal_perms setpgid setsched };
88	allow postfix_domain self:fifo_file rw_fifo_file_perms;
89	allow postfix_domain self:unix_stream_socket { accept connectto listen };

Gentoo Archives: gentoo-commits