[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/services/, policy/modules/admin/ - gentoo-commits

From:	Jason Zaman <perfinion@g.o>
To:	gentoo-commits@l.g.o
Subject:	[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/services/, policy/modules/admin/
Date:	Sun, 07 Feb 2021 03:20:47
Message-Id:	`1612646109.6b6d9fc0d2ae76f8c137b5c3bcb1f184d0c62c57.perfinion@gentoo`

1

commit:     6b6d9fc0d2ae76f8c137b5c3bcb1f184d0c62c57

2

Author:     Russell Coker <russell <AT> coker <DOT> com <DOT> au>

3

AuthorDate: Mon Feb  1 04:57:13 2021 +0000

4

Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>

5

CommitDate: Sat Feb  6 21:15:09 2021 +0000

6

URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6b6d9fc0

7

8

new version of filetrans patch

9

10

Name changes suggested by Dominick and some more additions.

11

12

Signed-off-by: Russell Coker <russell <AT> coker.com.au>

13

Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

14

15

 policy/modules/admin/dpkg.te         | 20 +++++++++++++

16

 policy/modules/services/aptcacher.if | 54 ++++++++++++++++++++++++++++++++++++

17

 policy/modules/services/clamav.if    | 36 ++++++++++++++++++++++++

18

 policy/modules/services/ftp.if       | 18 ++++++++++++

19

 policy/modules/services/milter.if    | 18 ++++++++++++

20

 policy/modules/services/mysql.fc     |  4 +--

21

 policy/modules/services/mysql.if     | 38 +++++++++++++++++++++++++

22

 policy/modules/system/authlogin.if   |  7 ++++-

23

 policy/modules/system/init.te        |  5 ++++

24

 policy/modules/system/systemd.if     | 25 +++++++++++++++++

25

 policy/modules/system/unconfined.te  |  1 +

26

 11 files changed, 223 insertions(+), 3 deletions(-)

27

28

diff --git a/policy/modules/admin/dpkg.te b/policy/modules/admin/dpkg.te

29

index ee37e504..6830c795 100644

30

--- a/policy/modules/admin/dpkg.te

31

+++ b/policy/modules/admin/dpkg.te

32

@@ -276,6 +276,7 @@ term_use_all_terms(dpkg_script_t)

33

34

 files_manage_non_auth_files(dpkg_script_t)

35

36

+auth_etc_filetrans_shadow(dpkg_script_t, "shadow.upwd-write")

37

 auth_manage_shadow(dpkg_script_t)

38

39

 init_all_labeled_script_domtrans(dpkg_script_t)

40

@@ -306,10 +307,20 @@ optional_policy(`

41

 	apt_use_fds(dpkg_script_t)

42

')

43

44

+optional_policy(`

45

+	aptcacher_filetrans_cache_dir(dpkg_script_t)

46

+	aptcacher_filetrans_conf_dir(dpkg_script_t)

47

+	aptcacher_filetrans_log_dir(dpkg_script_t)

48

+')

49

+

50

 optional_policy(`

51

 	bootloader_run(dpkg_script_t, dpkg_roles)

52

')

53

54

+optional_policy(`

55

+	clamav_filetrans_log(dpkg_script_t)

56

+')

57

+

58

 optional_policy(`

59

 	devicekit_dbus_chat_power(dpkg_script_t)

60

')

61

@@ -318,6 +329,10 @@ optional_policy(`

62

 	init_dbus_chat(dpkg_script_t)

63

')

64

65

+optional_policy(`

66

+	milter_filetrans_spamass_state(dpkg_script_t)

67

+')

68

+

69

 optional_policy(`

70

 	modutils_run(dpkg_script_t, dpkg_roles)

71

')

72

@@ -326,6 +341,11 @@ optional_policy(`

73

 	mta_send_mail(dpkg_script_t)

74

')

75

76

+optional_policy(`

77

+	mysql_create_db_dir(dpkg_script_t)

78

+	mysql_create_log_dir(dpkg_script_t)

79

+')

80

+

81

 optional_policy(`

82

 	nis_use_ypbind(dpkg_script_t)

83

')

84

85

diff --git a/policy/modules/services/aptcacher.if b/policy/modules/services/aptcacher.if

86

index 12c1335a..bef83332 100644

87

--- a/policy/modules/services/aptcacher.if

88

+++ b/policy/modules/services/aptcacher.if

89

@@ -63,3 +63,57 @@ interface(`aptcacher_stream_connect',`

90

 	files_search_runtime($1)

91

 	stream_connect_pattern($1, aptcacher_runtime_t, aptcacher_runtime_t, aptcacher_t)

92

')

93

+

94

+########################################

95

+## <summary>

96

+##	create /var/log/apt-cacher-ng

97

+## </summary>

98

+## <param name="domain">

99

+##	<summary>

100

+##	Domain allowed access.

101

+##	</summary>

102

+## </param>

103

+#

104

+interface(`aptcacher_filetrans_log_dir',`

105

+	gen_require(`

106

+		type aptcacher_log_t;

107

+	')

108

+

109

+	logging_log_filetrans($1, aptcacher_log_t, dir, "apt-cacher-ng")

110

+')

111

+

112

+########################################

113

+## <summary>

114

+##	create /var/cache/apt-cacher-ng

115

+## </summary>

116

+## <param name="domain">

117

+##	<summary>

118

+##	Domain allowed access.

119

+##	</summary>

120

+## </param>

121

+#

122

+interface(`aptcacher_filetrans_cache_dir',`

123

+	gen_require(`

124

+		type aptcacher_cache_t;

125

+	')

126

+

127

+	files_var_filetrans($1, aptcacher_cache_t, dir, "apt-cacher-ng")

128

+')

129

+

130

+########################################

131

+## <summary>

132

+##	create /etc/apt-cacher-ng

133

+## </summary>

134

+## <param name="domain">

135

+##	<summary>

136

+##	Domain allowed access.

137

+##	</summary>

138

+## </param>

139

+#

140

+interface(`aptcacher_filetrans_conf_dir',`

141

+	gen_require(`

142

+		type aptcacher_conf_t;

143

+	')

144

+

145

+	files_etc_filetrans($1, aptcacher_conf_t, dir, "apt-cacher-ng")

146

+')

147

148

diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if

149

index 33909248..29d00c98 100644

150

--- a/policy/modules/services/clamav.if

151

+++ b/policy/modules/services/clamav.if

152

@@ -430,3 +430,39 @@ interface(`clamav_admin',`

153

 	files_list_tmp($1)

154

 	admin_pattern($1, { clamd_tmp_t clamscan_tmp_t })

155

')

156

+

157

+########################################

158

+## <summary>

159

+##	specified domain creates /var/log/clamav/freshclam.log with correct type

160

+## </summary>

161

+## <param name="domain">

162

+##	<summary>

163

+##	Domain allowed access.

164

+##	</summary>

165

+## </param>

166

+#

167

+interface(`clamav_filetrans_log',`

168

+	gen_require(`

169

+		type clamd_var_log_t, freshclam_var_log_t;

170

+	')

171

+

172

+	filetrans_pattern($1, clamd_var_log_t, freshclam_var_log_t, file, "freshclam.log")

173

+')

174

+

175

+########################################

176

+## <summary>

177

+##	specified domain creates /run/clamav with correct type

178

+## </summary>

179

+## <param name="domain">

180

+##	<summary>

181

+##	Domain allowed access.

182

+##	</summary>

183

+## </param>

184

+#

185

+interface(`clamav_filetrans_runtime_dir',`

186

+	gen_require(`

187

+		type clamd_runtime_t;

188

+	')

189

+

190

+	files_runtime_filetrans($1, clamd_runtime_t, dir, "clamav")

191

+')

192

193

diff --git a/policy/modules/services/ftp.if b/policy/modules/services/ftp.if

194

index 56ac12bd..27af355f 100644

195

--- a/policy/modules/services/ftp.if

196

+++ b/policy/modules/services/ftp.if

197

@@ -189,3 +189,21 @@ interface(`ftp_admin',`

198

199

 	ftp_run_ftpdctl($1, $2)

200

')

201

+

202

+########################################

203

+## <summary>

204

+##	create /run/pure-ftpd

205

+## </summary>

206

+## <param name="domain">

207

+##	<summary>

208

+##	Domain allowed access.

209

+##	</summary>

210

+## </param>

211

+#

212

+interface(`ftp_filetrans_pure_ftpd_runtime',`

213

+	gen_require(`

214

+		type ftpd_runtime_t;

215

+	')

216

+

217

+	files_runtime_filetrans($1, ftpd_runtime_t, dir, "pure-ftpd")

218

+')

219

220

diff --git a/policy/modules/services/milter.if b/policy/modules/services/milter.if

221

index d024d152..13b05498 100644

222

--- a/policy/modules/services/milter.if

223

+++ b/policy/modules/services/milter.if

224

@@ -98,6 +98,24 @@ interface(`milter_manage_spamass_state',`

225

 	manage_lnk_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t)

226

')

227

228

+########################################

229

+## <summary>

230

+##	create spamass milter state dir

231

+## </summary>

232

+## <param name="domain">

233

+##	<summary>

234

+##	Domain allowed access.

235

+##	</summary>

236

+## </param>

237

+#

238

+interface(`milter_filetrans_spamass_state',`

239

+	gen_require(`

240

+		type spamass_milter_state_t;

241

+	')

242

+

243

+	files_var_lib_filetrans($1, spamass_milter_state_t, dir, "spamass-milter")

244

+')

245

+

246

 ########################################

247

 ## <summary>

248

 ##	Get the attributes of the spamassissin milter data dir.

249

250

diff --git a/policy/modules/services/mysql.fc b/policy/modules/services/mysql.fc

251

index d23f2636..7b7b45b3 100644

252

--- a/policy/modules/services/mysql.fc

253

+++ b/policy/modules/services/mysql.fc

254

@@ -25,8 +25,8 @@ HOME_DIR/\.my\.cnf	--	gen_context(system_u:object_r:mysqld_home_t,s0)

255

 /var/lib/mysql(/.*)?	gen_context(system_u:object_r:mysqld_db_t,s0)

256

 /var/lib/mysql/mysql.*	-s	gen_context(system_u:object_r:mysqld_runtime_t,s0)

257

258

-/var/log/mariadb(/.*)?	gen_context(system_u:object_r:mysqld_log_t,s0)

259

-/var/log/mysql.*	--	gen_context(system_u:object_r:mysqld_log_t,s0)

260

+/var/log/mariadb(/.*)?		gen_context(system_u:object_r:mysqld_log_t,s0)

261

+/var/log/mysql(/.*)?		gen_context(system_u:object_r:mysqld_log_t,s0)

262

263

 /run/mysqld.*	gen_context(system_u:object_r:mysqld_runtime_t,s0)

264

 /run/mysqlmanager.*	--	gen_context(system_u:object_r:mysqlmanagerd_runtime_t,s0)

265

266

diff --git a/policy/modules/services/mysql.if b/policy/modules/services/mysql.if

267

index afdfbc6b..e89a66d9 100644

268

--- a/policy/modules/services/mysql.if

269

+++ b/policy/modules/services/mysql.if

270

@@ -241,6 +241,24 @@ interface(`mysql_manage_db_files',`

271

 	manage_files_pattern($1, mysqld_db_t, mysqld_db_t)

272

')

273

274

+########################################

275

+## <summary>

276

+##	create mysqld db dir.

277

+## </summary>

278

+## <param name="domain">

279

+##	<summary>

280

+##	Domain allowed access.

281

+##	</summary>

282

+## </param>

283

+#

284

+interface(`mysql_create_db_dir',`

285

+	gen_require(`

286

+		type mysqld_db_t;

287

+	')

288

+

289

+	files_var_lib_filetrans($1, mysqld_db_t, dir, "mysql")

290

+')

291

+

292

 ########################################

293

 ## <summary>

294

 ##	Create, read, write, and delete

295

@@ -325,9 +343,29 @@ interface(`mysql_write_log',`

296

')

297

298

 	logging_search_logs($1)

299

+	allow $1 mysqld_log_t:dir search_dir_perms;

300

 	allow $1 mysqld_log_t:file write_file_perms;

301

')

302

303

+########################################

304

+## <summary>

305

+##	create mysqld log dir.

306

+## </summary>

307

+## <param name="domain">

308

+##	<summary>

309

+##	Domain allowed access.

310

+##	</summary>

311

+## </param>

312

+#

313

+interface(`mysql_create_log_dir',`

314

+	gen_require(`

315

+		type mysqld_log_t;

316

+	')

317

+

318

+	logging_search_logs($1)

319

+	logging_log_filetrans($1, mysqld_log_t, dir, "mysql")

320

+')

321

+

322

 ######################################

323

 ## <summary>

324

 ##	Execute mysqld safe in the

325

326

diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if

327

index 8f8b8009..08361bb5 100644

328

--- a/policy/modules/system/authlogin.if

329

+++ b/policy/modules/system/authlogin.if

330

@@ -719,13 +719,18 @@ interface(`auth_manage_shadow',`

331

 ##	Domain allowed access.

332

 ##	</summary>

333

 ## </param>

334

+## <param name="name" optional="true">

335

+##      <summary>

336

+##      The name of the object being created.

337

+##      </summary>

338

+## </param>

339

#

340

 interface(`auth_etc_filetrans_shadow',`

341

 	gen_require(`

342

 		type shadow_t;

343

')

344

345

-	files_etc_filetrans($1, shadow_t, file)

346

+	files_etc_filetrans($1, shadow_t, file, $2)

347

')

348

349

 #######################################

350

351

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te

352

index de5bca5e..1c9a5cdd 100644

353

--- a/policy/modules/system/init.te

354

+++ b/policy/modules/system/init.te

355

@@ -1097,6 +1097,7 @@ optional_policy(`

356

')

357

358

 optional_policy(`

359

+	clamav_filetrans_runtime_dir(initrc_t)

360

 	clamav_read_config(initrc_t)

361

')

362

363

@@ -1289,6 +1290,10 @@ optional_policy(`

364

 	fs_search_ramfs(initrc_t)

365

')

366

367

+optional_policy(`

368

+	ftp_filetrans_pure_ftpd_runtime(initrc_t)

369

+')

370

+

371

 optional_policy(`

372

 	rpc_read_exports(initrc_t)

373

')

374

375

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if

376

index 8e58c0d7..ac431aba 100644

377

--- a/policy/modules/system/systemd.if

378

+++ b/policy/modules/system/systemd.if

379

@@ -526,6 +526,31 @@ interface(`systemd_use_passwd_agent_fds',`

380

 	allow systemd_passwd_agent_t $1:fd use;

381

')

382

383

+########################################

384

+## <summary>

385

+##      allow systemd_passwd_agent to be run by admin

386

+## </summary>

387

+## <param name="domain">

388

+##      <summary>

389

+##      Domain that runs it

390

+##      </summary>

391

+## </param>

392

+## <param name="role">

393

+##      <summary>

394

+##      role that it runs in

395

+##      </summary>

396

+## </param>

397

+#

398

+interface(`systemd_run_passwd_agent',`

399

+	gen_require(`

400

+		type systemd_passwd_agent_t, systemd_passwd_agent_exec_t;

401

+	')

402

+

403

+	domain_auto_transition_pattern($1, systemd_passwd_agent_exec_t, systemd_passwd_agent_t)

404

+	allow systemd_passwd_agent_t $1:fd use;

405

+	role $2 types systemd_passwd_agent_t;

406

+')

407

+

408

 #######################################

409

 ## <summary>

410

 ##	Allow a systemd_passwd_agent_t process to interact with a daemon

411

412

diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te

413

index eac4d285..42879fb7 100644

414

--- a/policy/modules/system/unconfined.te

415

+++ b/policy/modules/system/unconfined.te

416

@@ -66,6 +66,7 @@ ifdef(`init_systemd',`

417

418

 	optional_policy(`

419

 		systemd_dbus_chat_resolved(unconfined_t)

420

+		systemd_filetrans_passwd_runtime_dirs(unconfined_t)

421

')

422

')

1	commit: 6b6d9fc0d2ae76f8c137b5c3bcb1f184d0c62c57
2	Author: Russell Coker <russell <AT> coker <DOT> com <DOT> au>
3	AuthorDate: Mon Feb 1 04:57:13 2021 +0000
4	Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5	CommitDate: Sat Feb 6 21:15:09 2021 +0000
6	URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6b6d9fc0
7
8	new version of filetrans patch
9
10	Name changes suggested by Dominick and some more additions.
11
12	Signed-off-by: Russell Coker <russell <AT> coker.com.au>
13	Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
14
15	policy/modules/admin/dpkg.te \| 20 +++++++++++++
16	policy/modules/services/aptcacher.if \| 54 ++++++++++++++++++++++++++++++++++++
17	policy/modules/services/clamav.if \| 36 ++++++++++++++++++++++++
18	policy/modules/services/ftp.if \| 18 ++++++++++++
19	policy/modules/services/milter.if \| 18 ++++++++++++
20	policy/modules/services/mysql.fc \| 4 +--
21	policy/modules/services/mysql.if \| 38 +++++++++++++++++++++++++
22	policy/modules/system/authlogin.if \| 7 ++++-
23	policy/modules/system/init.te \| 5 ++++
24	policy/modules/system/systemd.if \| 25 +++++++++++++++++
25	policy/modules/system/unconfined.te \| 1 +
26	11 files changed, 223 insertions(+), 3 deletions(-)
27
28	diff --git a/policy/modules/admin/dpkg.te b/policy/modules/admin/dpkg.te
29	index ee37e504..6830c795 100644
30	--- a/policy/modules/admin/dpkg.te
31	+++ b/policy/modules/admin/dpkg.te
32	@@ -276,6 +276,7 @@ term_use_all_terms(dpkg_script_t)
33
34	files_manage_non_auth_files(dpkg_script_t)
35
36	+auth_etc_filetrans_shadow(dpkg_script_t, "shadow.upwd-write")
37	auth_manage_shadow(dpkg_script_t)
38
39	init_all_labeled_script_domtrans(dpkg_script_t)
40	@@ -306,10 +307,20 @@ optional_policy(`
41	apt_use_fds(dpkg_script_t)
42	')
43
44	+optional_policy(`
45	+ aptcacher_filetrans_cache_dir(dpkg_script_t)
46	+ aptcacher_filetrans_conf_dir(dpkg_script_t)
47	+ aptcacher_filetrans_log_dir(dpkg_script_t)
48	+')
49	+
50	optional_policy(`
51	bootloader_run(dpkg_script_t, dpkg_roles)
52	')
53
54	+optional_policy(`
55	+ clamav_filetrans_log(dpkg_script_t)
56	+')
57	+
58	optional_policy(`
59	devicekit_dbus_chat_power(dpkg_script_t)
60	')
61	@@ -318,6 +329,10 @@ optional_policy(`
62	init_dbus_chat(dpkg_script_t)
63	')
64
65	+optional_policy(`
66	+ milter_filetrans_spamass_state(dpkg_script_t)
67	+')
68	+
69	optional_policy(`
70	modutils_run(dpkg_script_t, dpkg_roles)
71	')
72	@@ -326,6 +341,11 @@ optional_policy(`
73	mta_send_mail(dpkg_script_t)
74	')
75
76	+optional_policy(`
77	+ mysql_create_db_dir(dpkg_script_t)
78	+ mysql_create_log_dir(dpkg_script_t)
79	+')
80	+
81	optional_policy(`
82	nis_use_ypbind(dpkg_script_t)
83	')
84
85	diff --git a/policy/modules/services/aptcacher.if b/policy/modules/services/aptcacher.if
86	index 12c1335a..bef83332 100644
87	--- a/policy/modules/services/aptcacher.if
88	+++ b/policy/modules/services/aptcacher.if
89	@@ -63,3 +63,57 @@ interface(`aptcacher_stream_connect',`
90	files_search_runtime($1)
91	stream_connect_pattern($1, aptcacher_runtime_t, aptcacher_runtime_t, aptcacher_t)
92	')
93	+
94	+########################################
95	+## <summary>
96	+## create /var/log/apt-cacher-ng
97	+## </summary>
98	+## <param name="domain">
99	+## <summary>
100	+## Domain allowed access.
101	+## </summary>
102	+## </param>
103	+#
104	+interface(`aptcacher_filetrans_log_dir',`
105	+ gen_require(`
106	+ type aptcacher_log_t;
107	+ ')
108	+
109	+ logging_log_filetrans($1, aptcacher_log_t, dir, "apt-cacher-ng")
110	+')
111	+
112	+########################################
113	+## <summary>
114	+## create /var/cache/apt-cacher-ng
115	+## </summary>
116	+## <param name="domain">
117	+## <summary>
118	+## Domain allowed access.
119	+## </summary>
120	+## </param>
121	+#
122	+interface(`aptcacher_filetrans_cache_dir',`
123	+ gen_require(`
124	+ type aptcacher_cache_t;
125	+ ')
126	+
127	+ files_var_filetrans($1, aptcacher_cache_t, dir, "apt-cacher-ng")
128	+')
129	+
130	+########################################
131	+## <summary>
132	+## create /etc/apt-cacher-ng
133	+## </summary>
134	+## <param name="domain">
135	+## <summary>
136	+## Domain allowed access.
137	+## </summary>
138	+## </param>
139	+#
140	+interface(`aptcacher_filetrans_conf_dir',`
141	+ gen_require(`
142	+ type aptcacher_conf_t;
143	+ ')
144	+
145	+ files_etc_filetrans($1, aptcacher_conf_t, dir, "apt-cacher-ng")
146	+')
147
148	diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if
149	index 33909248..29d00c98 100644
150	--- a/policy/modules/services/clamav.if
151	+++ b/policy/modules/services/clamav.if
152	@@ -430,3 +430,39 @@ interface(`clamav_admin',`
153	files_list_tmp($1)
154	admin_pattern($1, { clamd_tmp_t clamscan_tmp_t })
155	')
156	+
157	+########################################
158	+## <summary>
159	+## specified domain creates /var/log/clamav/freshclam.log with correct type
160	+## </summary>
161	+## <param name="domain">
162	+## <summary>
163	+## Domain allowed access.
164	+## </summary>
165	+## </param>
166	+#
167	+interface(`clamav_filetrans_log',`
168	+ gen_require(`
169	+ type clamd_var_log_t, freshclam_var_log_t;
170	+ ')
171	+
172	+ filetrans_pattern($1, clamd_var_log_t, freshclam_var_log_t, file, "freshclam.log")
173	+')
174	+
175	+########################################
176	+## <summary>
177	+## specified domain creates /run/clamav with correct type
178	+## </summary>
179	+## <param name="domain">
180	+## <summary>
181	+## Domain allowed access.
182	+## </summary>
183	+## </param>
184	+#
185	+interface(`clamav_filetrans_runtime_dir',`
186	+ gen_require(`
187	+ type clamd_runtime_t;
188	+ ')
189	+
190	+ files_runtime_filetrans($1, clamd_runtime_t, dir, "clamav")
191	+')
192
193	diff --git a/policy/modules/services/ftp.if b/policy/modules/services/ftp.if
194	index 56ac12bd..27af355f 100644
195	--- a/policy/modules/services/ftp.if
196	+++ b/policy/modules/services/ftp.if
197	@@ -189,3 +189,21 @@ interface(`ftp_admin',`
198
199	ftp_run_ftpdctl($1, $2)
200	')
201	+
202	+########################################
203	+## <summary>
204	+## create /run/pure-ftpd
205	+## </summary>
206	+## <param name="domain">
207	+## <summary>
208	+## Domain allowed access.
209	+## </summary>
210	+## </param>
211	+#
212	+interface(`ftp_filetrans_pure_ftpd_runtime',`
213	+ gen_require(`
214	+ type ftpd_runtime_t;
215	+ ')
216	+
217	+ files_runtime_filetrans($1, ftpd_runtime_t, dir, "pure-ftpd")
218	+')
219
220	diff --git a/policy/modules/services/milter.if b/policy/modules/services/milter.if
221	index d024d152..13b05498 100644
222	--- a/policy/modules/services/milter.if
223	+++ b/policy/modules/services/milter.if
224	@@ -98,6 +98,24 @@ interface(`milter_manage_spamass_state',`
225	manage_lnk_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
226	')
227
228	+########################################
229	+## <summary>
230	+## create spamass milter state dir
231	+## </summary>
232	+## <param name="domain">
233	+## <summary>
234	+## Domain allowed access.
235	+## </summary>
236	+## </param>
237	+#
238	+interface(`milter_filetrans_spamass_state',`
239	+ gen_require(`
240	+ type spamass_milter_state_t;
241	+ ')
242	+
243	+ files_var_lib_filetrans($1, spamass_milter_state_t, dir, "spamass-milter")
244	+')
245	+
246	########################################
247	## <summary>
248	## Get the attributes of the spamassissin milter data dir.
249
250	diff --git a/policy/modules/services/mysql.fc b/policy/modules/services/mysql.fc
251	index d23f2636..7b7b45b3 100644
252	--- a/policy/modules/services/mysql.fc
253	+++ b/policy/modules/services/mysql.fc
254	@@ -25,8 +25,8 @@ HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0)
255	/var/lib/mysql(/.*)? gen_context(system_u:object_r:mysqld_db_t,s0)
256	/var/lib/mysql/mysql.* -s gen_context(system_u:object_r:mysqld_runtime_t,s0)
257
258	-/var/log/mariadb(/.*)? gen_context(system_u:object_r:mysqld_log_t,s0)
259	-/var/log/mysql.* -- gen_context(system_u:object_r:mysqld_log_t,s0)
260	+/var/log/mariadb(/.*)? gen_context(system_u:object_r:mysqld_log_t,s0)
261	+/var/log/mysql(/.*)? gen_context(system_u:object_r:mysqld_log_t,s0)
262
263	/run/mysqld.* gen_context(system_u:object_r:mysqld_runtime_t,s0)
264	/run/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_runtime_t,s0)
265
266	diff --git a/policy/modules/services/mysql.if b/policy/modules/services/mysql.if
267	index afdfbc6b..e89a66d9 100644
268	--- a/policy/modules/services/mysql.if
269	+++ b/policy/modules/services/mysql.if
270	@@ -241,6 +241,24 @@ interface(`mysql_manage_db_files',`
271	manage_files_pattern($1, mysqld_db_t, mysqld_db_t)
272	')
273
274	+########################################
275	+## <summary>
276	+## create mysqld db dir.
277	+## </summary>
278	+## <param name="domain">
279	+## <summary>
280	+## Domain allowed access.
281	+## </summary>
282	+## </param>
283	+#
284	+interface(`mysql_create_db_dir',`
285	+ gen_require(`
286	+ type mysqld_db_t;
287	+ ')
288	+
289	+ files_var_lib_filetrans($1, mysqld_db_t, dir, "mysql")
290	+')
291	+
292	########################################
293	## <summary>
294	## Create, read, write, and delete
295	@@ -325,9 +343,29 @@ interface(`mysql_write_log',`
296	')
297
298	logging_search_logs($1)
299	+ allow $1 mysqld_log_t:dir search_dir_perms;
300	allow $1 mysqld_log_t:file write_file_perms;
301	')
302
303	+########################################
304	+## <summary>
305	+## create mysqld log dir.
306	+## </summary>
307	+## <param name="domain">
308	+## <summary>
309	+## Domain allowed access.
310	+## </summary>
311	+## </param>
312	+#
313	+interface(`mysql_create_log_dir',`
314	+ gen_require(`
315	+ type mysqld_log_t;
316	+ ')
317	+
318	+ logging_search_logs($1)
319	+ logging_log_filetrans($1, mysqld_log_t, dir, "mysql")
320	+')
321	+
322	######################################
323	## <summary>
324	## Execute mysqld safe in the
325
326	diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
327	index 8f8b8009..08361bb5 100644
328	--- a/policy/modules/system/authlogin.if
329	+++ b/policy/modules/system/authlogin.if
330	@@ -719,13 +719,18 @@ interface(`auth_manage_shadow',`
331	## Domain allowed access.
332	## </summary>
333	## </param>
334	+## <param name="name" optional="true">
335	+## <summary>
336	+## The name of the object being created.
337	+## </summary>
338	+## </param>
339	#
340	interface(`auth_etc_filetrans_shadow',`
341	gen_require(`
342	type shadow_t;
343	')
344
345	- files_etc_filetrans($1, shadow_t, file)
346	+ files_etc_filetrans($1, shadow_t, file, $2)
347	')
348
349	#######################################
350
351	diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
352	index de5bca5e..1c9a5cdd 100644
353	--- a/policy/modules/system/init.te
354	+++ b/policy/modules/system/init.te
355	@@ -1097,6 +1097,7 @@ optional_policy(`
356	')
357
358	optional_policy(`
359	+ clamav_filetrans_runtime_dir(initrc_t)
360	clamav_read_config(initrc_t)
361	')
362
363	@@ -1289,6 +1290,10 @@ optional_policy(`
364	fs_search_ramfs(initrc_t)
365	')
366
367	+optional_policy(`
368	+ ftp_filetrans_pure_ftpd_runtime(initrc_t)
369	+')
370	+
371	optional_policy(`
372	rpc_read_exports(initrc_t)
373	')
374
375	diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
376	index 8e58c0d7..ac431aba 100644
377	--- a/policy/modules/system/systemd.if
378	+++ b/policy/modules/system/systemd.if
379	@@ -526,6 +526,31 @@ interface(`systemd_use_passwd_agent_fds',`
380	allow systemd_passwd_agent_t $1:fd use;
381	')
382
383	+########################################
384	+## <summary>
385	+## allow systemd_passwd_agent to be run by admin
386	+## </summary>
387	+## <param name="domain">
388	+## <summary>
389	+## Domain that runs it
390	+## </summary>
391	+## </param>
392	+## <param name="role">
393	+## <summary>
394	+## role that it runs in
395	+## </summary>
396	+## </param>
397	+#
398	+interface(`systemd_run_passwd_agent',`
399	+ gen_require(`
400	+ type systemd_passwd_agent_t, systemd_passwd_agent_exec_t;
401	+ ')
402	+
403	+ domain_auto_transition_pattern($1, systemd_passwd_agent_exec_t, systemd_passwd_agent_t)
404	+ allow systemd_passwd_agent_t $1:fd use;
405	+ role $2 types systemd_passwd_agent_t;
406	+')
407	+
408	#######################################
409	## <summary>
410	## Allow a systemd_passwd_agent_t process to interact with a daemon
411
412	diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
413	index eac4d285..42879fb7 100644
414	--- a/policy/modules/system/unconfined.te
415	+++ b/policy/modules/system/unconfined.te
416	@@ -66,6 +66,7 @@ ifdef(`init_systemd',`
417
418	optional_policy(`
419	systemd_dbus_chat_resolved(unconfined_t)
420	+ systemd_filetrans_passwd_runtime_dirs(unconfined_t)
421	')
422	')

Gentoo Archives: gentoo-commits