
From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Thu, 30 Mar 2017 17:06:36
Message-Id: 1490882318.61dedbfbae31d9ab77c89176a73b09cab9700c4e.perfinion@gentoo
1 commit: 61dedbfbae31d9ab77c89176a73b09cab9700c4e
2 Author: cgzones <cgzones <AT> googlemail <DOT> com>
3 AuthorDate: Wed Mar 8 20:21:44 2017 +0000
4 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5 CommitDate: Thu Mar 30 13:58:38 2017 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=61dedbfb
7
8 dphysswapfile: update
9
10 policy/modules/contrib/dphysswapfile.fc | 8 +++++---
11 policy/modules/contrib/dphysswapfile.if | 33 +++++++++++++++++++++++++++++++++
12 policy/modules/contrib/dphysswapfile.te | 6 +++++-
13 3 files changed, 43 insertions(+), 4 deletions(-)
14
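diff --git a/policy/modules/contrib/dphysswapfile.fc b/policy/modules/contrib/dphysswapfile.fc
index 3cf1968d..5c0feb83 100644
--- a/policy/modules/contrib/dphysswapfile.fc
+++ b/policy/modules/contrib/dphysswapfile.fc
@@ -1,5 +1,7 @@
-/etc/dphys-swapfile -- gen_context(system_u:object_r:dphysswapfile_conf_t,s0)
+/etc/dphys-swapfile -- gen_context(system_u:object_r:dphysswapfile_conf_t,s0)
 
-/usr/sbin/dphys-swapfile -- gen_context(system_u:object_r:dphysswapfile_exec_t,s0)
+/etc/rc\.d/init\.d/dphys-swapfile -- gen_context(system_u:object_r:dphysswapfile_initrc_exec_t,s0)
 
-/var/swap -- gen_context(system_u:object_r:dphysswapfile_swap_t,s0)
+/usr/sbin/dphys-swapfile -- gen_context(system_u:object_r:dphysswapfile_exec_t,s0)
+
+/var/swap -- gen_context(system_u:object_r:dphysswapfile_swap_t,s0)
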
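Review bot: The `/var/swap` entry on the last added line labels exactly one path, while the dphys-swapfile configuration (presumably the swap-file location setting in /etc/dphys-swapfile) allows the file to live elsewhere; a relocated swap file keeps its parent directory's label and the domain's swap-file rules in the .te would then be denied at runtime. A comment on that line, `# default swap file location; a relocated swap file needs a local fcontext`, would stop a later reader from assuming the pattern covers every configuration. The first and third pre-existing entries appear unchanged apart from alignment, so the only functional addition in this hunk is the init-script context.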
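diff --git a/policy/modules/contrib/dphysswapfile.if b/policy/modules/contrib/dphysswapfile.if
index 53725743..7dda9553 100644
--- a/policy/modules/contrib/dphysswapfile.if
+++ b/policy/modules/contrib/dphysswapfile.if
@@ -17,3 +17,36 @@ interface(`dphysswapfile_dontaudit_read_swap',`
 
  dontaudit $1 dphysswapfile_swap_t:file read_file_perms;
 ')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an dphys-swapfile environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`dphysswapfile_admin',`
+ gen_require(`
+ type dphysswapfile_t, dphysswapfile_conf_t;
+ type dphysswapfile_initrc_exec_t;
+ ')
+
+ admin_process_pattern($1, dphysswapfile_t)
+
+ init_startstop_service($1, $2, dphysswapfile_t, dphysswapfile_initrc_exec_t)
+
+ files_search_etc($1)
+ admin_pattern($1, dphysswapfile_conf_t)
+
+ # do not grant access to swap file for now
+')
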
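Review bot: The summary of the new `dphysswapfile_admin` interface reads "administrate an dphys-swapfile environment"; it should be `## administer a dphys-swapfile environment.` The closing `# do not grant access to swap file for now` is the interesting least-privilege decision here, and it is consistent with `gen_require` omitting `dphysswapfile_swap_t`, but as a code comment it never reaches the generated interface documentation that callers read; a sentence in the summary such as `## The swap file itself is deliberately not made administrable.` would make the scope visible to them. The `admin_process_pattern`, `init_startstop_service` and `admin_pattern` calls follow the usual refpolicy admin-interface shape.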
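diff --git a/policy/modules/contrib/dphysswapfile.te b/policy/modules/contrib/dphysswapfile.te
index 26faf67d..cb3d194f 100644
--- a/policy/modules/contrib/dphysswapfile.te
+++ b/policy/modules/contrib/dphysswapfile.te
@@ -12,6 +12,9 @@ init_system_domain(dphysswapfile_t, dphysswapfile_exec_t)
 type dphysswapfile_conf_t;
 files_config_file(dphysswapfile_conf_t)
 
+type dphysswapfile_initrc_exec_t;
+init_script_file(dphysswapfile_initrc_exec_t)
+
 type dphysswapfile_swap_t;
 files_type(dphysswapfile_swap_t)
 
@@ -20,7 +23,7 @@ files_type(dphysswapfile_swap_t)
 # Policy
 #
 
-# sys_admin : for swapon
+# sys_admin : swapon
 allow dphysswapfile_t self:capability sys_admin;
 allow dphysswapfile_t self:fifo_file rw_fifo_file_perms;
 allow dphysswapfile_t self:unix_stream_socket { create connect };
@@ -36,6 +39,7 @@ kernel_read_system_state(dphysswapfile_t)
 corecmd_exec_bin(dphysswapfile_t)
 corecmd_exec_shell(dphysswapfile_t)
 
+# ignore ls -l /var/swap noise
 files_dontaudit_getattr_pid_dirs(dphysswapfile_t)
 files_read_etc_files(dphysswapfile_t)
 files_search_var(dphysswapfile_t)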
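Review bot: The added comment `# ignore ls -l /var/swap noise` in the last hunk sits above `files_dontaudit_getattr_pid_dirs`, which silences getattr on pid directories rather than anything under /var/swap, so as written it invites the reading that swap-file access is being dontaudited. Rewording it to tie the cause to the rule, e.g. `# dontaudit getattr on pid dirs: seen when the script lists directories, not needed so not allowed`, keeps the intent clear; the exact trigger is not visible in the hunk, so keep that wording hedged. The `dphysswapfile_initrc_exec_t` / `init_script_file` pair in the first hunk matches the new .fc entry and the admin interface's gen_require, so the three files stay consistent.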