Gentoo Archives: gentoo-commits

From: Sven Vermeulen <sven.vermeulen@××××××.be>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Tue, 02 Oct 2012 18:24:39
Message-Id: 1349201235.dd202cba6ebbae36b4624a86292253520b1da82b.SwifT@gentoo
1 commit: dd202cba6ebbae36b4624a86292253520b1da82b
2 Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
3 AuthorDate: Mon Oct 1 08:59:36 2012 +0000
4 Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
5 CommitDate: Tue Oct 2 18:07:15 2012 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=dd202cba
7
8 Changes to the fprint policy module and relevant dependencies
9
10 Ported from Fedora with changes
11
12 Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
13
14 ---
15 policy/modules/contrib/fprintd.fc | 3 ++-
16 policy/modules/contrib/fprintd.if | 4 ++--
17 policy/modules/contrib/fprintd.te | 28 ++++++++++++++++------------
18 policy/modules/contrib/policykit.if | 21 +++++++++++++++++++++
19 policy/modules/contrib/policykit.te | 2 +-
20 5 files changed, 42 insertions(+), 16 deletions(-)
21
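diff --git a/policy/modules/contrib/fprintd.fc b/policy/modules/contrib/fprintd.fc
index a4f5fb1..d861e88 100644
--- a/policy/modules/contrib/fprintd.fc
+++ b/policy/modules/contrib/fprintd.fc
@@ -1,2 +1,3 @@
 /usr/libexec/fprintd -- gen_context(system_u:object_r:fprintd_exec_t,s0)
-/var/lib/fprint(/.*)? gen_context(system_u:object_r:fprintd_var_lib_t,s0)
+
+/var/lib/fprint(/.*)? gen_context(system_u:object_r:fprintd_var_lib_t,s0)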
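diff --git a/policy/modules/contrib/fprintd.if b/policy/modules/contrib/fprintd.if
index ebad8c4..8081132 100644
--- a/policy/modules/contrib/fprintd.if
+++ b/policy/modules/contrib/fprintd.if
@@ -1,4 +1,4 @@
-## <summary>DBus fingerprint reader service</summary>
+## <summary>DBus fingerprint reader service.</summary>
 
 ########################################
 ## <summary>
@@ -15,6 +15,7 @@ interface(`fprintd_domtrans',`
 type fprintd_t, fprintd_exec_t;
 ')
 
+ corecmd_search_bin($1)
 domtrans_pattern($1, fprintd_exec_t, fprintd_t)
 ')
 
@@ -38,4 +39,3 @@ interface(`fprintd_dbus_chat',`
 allow $1 fprintd_t:dbus send_msg;
 allow fprintd_t $1:dbus send_msg;
 ')
-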
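diff --git a/policy/modules/contrib/fprintd.te b/policy/modules/contrib/fprintd.te
index 7df52c7..c81b6e8 100644
--- a/policy/modules/contrib/fprintd.te
+++ b/policy/modules/contrib/fprintd.te
@@ -1,4 +1,4 @@
-policy_module(fprintd, 1.1.0)
+policy_module(fprintd, 1.1.1)
 
 ########################################
 #
@@ -7,7 +7,7 @@ policy_module(fprintd, 1.1.0)
 
 type fprintd_t;
 type fprintd_exec_t;
-dbus_system_domain(fprintd_t, fprintd_exec_t)
+init_daemon_domain(fprintd_t, fprintd_exec_t)
 
 type fprintd_var_lib_t;
 files_type(fprintd_var_lib_t)
@@ -17,23 +17,19 @@ files_type(fprintd_var_lib_t)
 # Local policy
 #
 
-allow fprintd_t self:capability sys_ptrace;
+allow fprintd_t self:capability sys_nice;
+allow fprintd_t self:process { getsched setsched signal sigkill };
 allow fprintd_t self:fifo_file rw_fifo_file_perms;
-allow fprintd_t self:process { getsched signal };
 
 manage_dirs_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
 manage_files_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
-files_var_lib_filetrans(fprintd_t, fprintd_var_lib_t, { dir file })
 
 kernel_read_system_state(fprintd_t)
 
-corecmd_search_bin(fprintd_t)
-
 dev_list_usbfs(fprintd_t)
-dev_rw_generic_usb_dev(fprintd_t)
 dev_read_sysfs(fprintd_t)
+dev_rw_generic_usb_dev(fprintd_t)
 
-files_read_etc_files(fprintd_t)
 files_read_usr_files(fprintd_t)
 
 fs_getattr_all_fs(fprintd_t)
@@ -46,12 +42,20 @@ userdom_use_user_ptys(fprintd_t)
 userdom_read_all_users_state(fprintd_t)
 
 optional_policy(`
- consolekit_dbus_chat(fprintd_t)
+ dbus_system_domain(fprintd_t, fprintd_exec_t)
+
+ optional_policy(`
+ consolekit_dbus_chat(fprintd_t)
+ ')
+
+ optional_policy(`
+ policykit_dbus_chat(fprintd_t)
+ policykit_dbus_chat_auth(fprintd_t)
+ ')
 ')
 
 optional_policy(`
+ policykit_domtrans_auth(fprintd_t)
 policykit_read_reload(fprintd_t)
 policykit_read_lib(fprintd_t)
- policykit_dbus_chat(fprintd_t)
- policykit_domtrans_auth(fprintd_t)
 ')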
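Review bot: Dropping `files_var_lib_filetrans(fprintd_t, fprintd_var_lib_t, { dir file })` in the local-policy hunk leaves no visible rule that lets fprintd_t search /var/lib or that gives a /var/lib/fprint created by the daemon its private type, so the enrolled-fingerprint store now depends on the directory already existing with the fprintd_var_lib_t label from fprintd.fc. If that is intended, say so in a comment and keep the traversal explicit with `files_search_var_lib(fprintd_t)`; if the daemon is expected to create the directory on first use, keep `files_var_lib_filetrans(fprintd_t, fprintd_var_lib_t, dir)`. New-file lines 36-41 fall between the hunks and are not shown, so a replacement rule may already be there. The added `sys_nice`, `setsched` and `sigkill` permissions would also benefit from a one-line comment naming what in fprintd needs them.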
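diff --git a/policy/modules/contrib/policykit.if b/policy/modules/contrib/policykit.if
index 48ff1e8..8aa58e5 100644
--- a/policy/modules/contrib/policykit.if
+++ b/policy/modules/contrib/policykit.if
@@ -23,6 +23,27 @@ interface(`policykit_dbus_chat',`
 
 ########################################
 ## <summary>
+## Send and receive messages from
+## policykit auth over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`policykit_dbus_chat_auth',`
+ gen_require(`
+ type policykit_auth_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 policykit_auth_t:dbus send_msg;
+ allow policykit_auth_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
 ## Execute a domain transition to run polkit_auth.
 ## </summary>
 ## <param name="domain">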
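diff --git a/policy/modules/contrib/policykit.te b/policy/modules/contrib/policykit.te
index 2c37cce..e76b78f 100644
--- a/policy/modules/contrib/policykit.te
+++ b/policy/modules/contrib/policykit.te
@@ -1,4 +1,4 @@
-policy_module(policykit, 1.2.2)
+policy_module(policykit, 1.2.3)
 
 ########################################
 #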