
From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Mon, 23 Jan 2017 15:44:23
Message-Id: 1485176165.95bb9a0c4c8e7b00b48cd5ba7675efe259a03d41.perfinion@gentoo
1 commit: 95bb9a0c4c8e7b00b48cd5ba7675efe259a03d41
2 Author: cgzones <cgzones <AT> googlemail <DOT> com>
3 AuthorDate: Thu Jan 5 19:14:47 2017 +0000
4 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5 CommitDate: Mon Jan 23 12:56:05 2017 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=95bb9a0c
7
8 update screen module
9
10 policy/modules/contrib/screen.fc | 10 +++++-----
11 policy/modules/contrib/screen.if | 10 +++++-----
12 policy/modules/contrib/screen.te | 29 ++++++++++++-----------------
13 3 files changed, 22 insertions(+), 27 deletions(-)
14
15 diff --git a/policy/modules/contrib/screen.fc b/policy/modules/contrib/screen.fc
16 index 975d48f..7196c59 100644
17 --- a/policy/modules/contrib/screen.fc
18 +++ b/policy/modules/contrib/screen.fc
19 @@ -1,9 +1,9 @@
20 -HOME_DIR/\.screen(/.*)? gen_context(system_u:object_r:screen_home_t,s0)
21 +HOME_DIR/\.screen(/.*)? gen_context(system_u:object_r:screen_home_t,s0)
22 HOME_DIR/\.screenrc -- gen_context(system_u:object_r:screen_home_t,s0)
23 HOME_DIR/\.tmux\.conf -- gen_context(system_u:object_r:screen_home_t,s0)
24
25 -/usr/bin/screen -- gen_context(system_u:object_r:screen_exec_t,s0)
26 -/usr/bin/tmux -- gen_context(system_u:object_r:screen_exec_t,s0)
27 +/run/screen(/.*)? gen_context(system_u:object_r:screen_runtime_t,s0)
28 +/run/tmux(/.*)? gen_context(system_u:object_r:screen_runtime_t,s0)
29
30 -/run/screen(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0)
31 -/run/tmux(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0)
32 +/usr/bin/screen -- gen_context(system_u:object_r:screen_exec_t,s0)
33 +/usr/bin/tmux -- gen_context(system_u:object_r:screen_exec_t,s0)
34
35 diff --git a/policy/modules/contrib/screen.if b/policy/modules/contrib/screen.if
36 index 2795f69..884e261 100644
37 --- a/policy/modules/contrib/screen.if
38 +++ b/policy/modules/contrib/screen.if
39 @@ -26,7 +26,7 @@ template(`screen_role_template',`
40 attribute screen_domain;
41 attribute_role screen_roles;
42 type screen_exec_t, screen_tmp_t;
43 - type screen_home_t, screen_var_run_t;
44 + type screen_home_t, screen_runtime_t;
45 ')
46
47 ########################################
48 @@ -69,10 +69,10 @@ template(`screen_role_template',`
49 userdom_user_home_dir_filetrans($3, screen_home_t, file, ".screenrc")
50 userdom_user_home_dir_filetrans($3, screen_home_t, file, ".tmux.conf")
51
52 - manage_dirs_pattern($3, screen_var_run_t, screen_var_run_t)
53 - manage_files_pattern($3, screen_var_run_t, screen_var_run_t)
54 - manage_lnk_files_pattern($3, screen_var_run_t, screen_var_run_t)
55 - manage_fifo_files_pattern($3, screen_var_run_t, screen_var_run_t)
56 + manage_dirs_pattern($3, screen_runtime_t, screen_runtime_t)
57 + manage_files_pattern($3, screen_runtime_t, screen_runtime_t)
58 + manage_lnk_files_pattern($3, screen_runtime_t, screen_runtime_t)
59 + manage_fifo_files_pattern($3, screen_runtime_t, screen_runtime_t)
60
61 corecmd_bin_domtrans($1_screen_t, $3)
62 corecmd_shell_domtrans($1_screen_t, $3)
63
64 diff --git a/policy/modules/contrib/screen.te b/policy/modules/contrib/screen.te
65 index bebb3ec..d50f157 100644
66 --- a/policy/modules/contrib/screen.te
67 +++ b/policy/modules/contrib/screen.te
68 @@ -13,27 +13,23 @@ type screen_exec_t;
69 application_executable_file(screen_exec_t)
70
71 type screen_home_t;
72 -typealias screen_home_t alias { user_screen_home_t staff_screen_home_t sysadm_screen_home_t };
73 -typealias screen_home_t alias { auditadm_screen_home_t secadm_screen_home_t };
74 userdom_user_home_content(screen_home_t)
75
76 type screen_tmp_t;
77 -typealias screen_tmp_t alias { user_screen_tmp_t staff_screen_tmp_t sysadm_screen_tmp_t };
78 -typealias screen_tmp_t alias { auditadm_screen_tmp_t secadm_screen_tmp_t };
79 userdom_user_tmp_file(screen_tmp_t)
80
81 -type screen_var_run_t;
82 -typealias screen_var_run_t alias { user_screen_var_run_t staff_screen_var_run_t sysadm_screen_var_run_t };
83 -typealias screen_var_run_t alias { auditadm_screen_var_run_t secadm_screen_var_run_t screen_dir_t };
84 -files_pid_file(screen_var_run_t)
85 -ubac_constrained(screen_var_run_t)
86 +type screen_runtime_t;
87 +typealias screen_runtime_t alias screen_var_run_t;
88 +files_pid_file(screen_runtime_t)
89 +ubac_constrained(screen_runtime_t)
90
91 ########################################
92 #
93 # Common screen domain local policy
94 #
95
96 -allow screen_domain self:capability { setuid setgid fsetid };
97 +# dac_override : read /dev/pts/ID
98 +allow screen_domain self:capability { setuid setgid fsetid dac_override };
99 allow screen_domain self:process signal_perms;
100 allow screen_domain self:fd use;
101 allow screen_domain self:fifo_file rw_fifo_file_perms;
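Review bot: The `dac_override` added to the `screen_domain` self:capability set is a domain-wide DAC bypass, so it lets screen and tmux ignore owner, group and mode bits on every file the SELinux policy otherwise permits them to reach, not only the pty the comment names. If the denial really is a read of /dev/pts/ID, the narrower `dac_read_search` capability covers it and keeps write-side DAC intact: `# dac_read_search : read /dev/pts/ID` followed by `allow screen_domain self:capability { setuid setgid fsetid dac_read_search };`. The comment should also record which setup produces the denial (whether the pty belongs to another uid is not visible from this hunk), since without that a later maintainer cannot tell whether the capability is still needed. Separately, dropping the user_/staff_/sysadm_/auditadm_/secadm_ aliases for screen_home_t and screen_tmp_t, while keeping only `screen_var_run_t` as an alias of the new type, means anything still referring to the removed names, on-disk labels or third-party policy, loses its mapping; that is presumably intended but deserves a line in the commit message.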
102 @@ -44,12 +40,12 @@ manage_dirs_pattern(screen_domain, screen_tmp_t, screen_tmp_t)
103 manage_files_pattern(screen_domain, screen_tmp_t, screen_tmp_t)
104 manage_fifo_files_pattern(screen_domain, screen_tmp_t, screen_tmp_t)
105 files_tmp_filetrans(screen_domain, screen_tmp_t, { file dir })
106 -filetrans_pattern(screen_domain, screen_tmp_t, screen_var_run_t, sock_file)
107 +filetrans_pattern(screen_domain, screen_tmp_t, screen_runtime_t, sock_file)
108
109 -manage_fifo_files_pattern(screen_domain, screen_var_run_t, screen_var_run_t)
110 -manage_dirs_pattern(screen_domain, screen_var_run_t, screen_var_run_t)
111 -manage_sock_files_pattern(screen_domain, screen_var_run_t, screen_var_run_t)
112 -files_pid_filetrans(screen_domain, screen_var_run_t, dir)
113 +manage_fifo_files_pattern(screen_domain, screen_runtime_t, screen_runtime_t)
114 +manage_dirs_pattern(screen_domain, screen_runtime_t, screen_runtime_t)
115 +manage_sock_files_pattern(screen_domain, screen_runtime_t, screen_runtime_t)
116 +files_pid_filetrans(screen_domain, screen_runtime_t, dir)
117
118 manage_dirs_pattern(screen_domain, screen_home_t, screen_home_t)
119 read_files_pattern(screen_domain, screen_home_t, screen_home_t)
120 @@ -91,8 +87,7 @@ fs_getattr_all_fs(screen_domain)
121
122 auth_dontaudit_read_shadow(screen_domain)
123 auth_dontaudit_exec_utempter(screen_domain)
124 -
125 -init_rw_utmp(screen_domain)
126 +auth_rw_utmp(screen_domain)
127
128 logging_send_syslog_msg(screen_domain)