
From: Sven Vermeulen <sven.vermeulen@××××××.be>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Tue, 30 Oct 2012 18:38:48
Message-Id: 1351621965.40ed5e840cead0e4a47ea29d16133a505fc043d8.SwifT@gentoo
1 commit: 40ed5e840cead0e4a47ea29d16133a505fc043d8
2 Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
3 AuthorDate: Tue Oct 30 08:52:45 2012 +0000
4 Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
5 CommitDate: Tue Oct 30 18:32:45 2012 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=40ed5e84
7
8 Changes to the tmpreaper policy module and relevant dependencies
9
10 We need a user_home_type attribute to be able to allow tmpreaper to
11 delete any and all user home content
12
13 Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
14
15 ---
16 policy/modules/contrib/apache.if | 18 ++++++++++++++++++
17 policy/modules/contrib/apache.te | 2 +-
18 policy/modules/contrib/tmpreaper.fc | 2 --
19 policy/modules/contrib/tmpreaper.if | 3 +--
20 policy/modules/contrib/tmpreaper.te | 31 +++++++++++++++++--------------
21 5 files changed, 37 insertions(+), 19 deletions(-)
22
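diff --git a/policy/modules/contrib/apache.if b/policy/modules/contrib/apache.if
index a3d2d09..81e541e 100644
--- a/policy/modules/contrib/apache.if
+++ b/policy/modules/contrib/apache.if
@@ -595,6 +595,24 @@ interface(`apache_rw_cache_files',`
 
 ########################################
 ## <summary>
+## Delete httpd cache directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_delete_cache_dirs',`
+ gen_require(`
+ type httpd_cache_t;
+ ')
+
+ delete_dirs_pattern($1, httpd_cache_t, httpd_cache_t)
+')
+
+########################################
+## <summary>
 ## Delete httpd cache files.
 ## </summary>
 ## <param name="domain">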
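diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index 00fee74..5ce752a 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -1,4 +1,4 @@
-policy_module(apache, 2.6.1)
+policy_module(apache, 2.6.2)
 
 ########################################
 #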
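diff --git a/policy/modules/contrib/tmpreaper.fc b/policy/modules/contrib/tmpreaper.fc
index f081b72..ed08c94 100644
--- a/policy/modules/contrib/tmpreaper.fc
+++ b/policy/modules/contrib/tmpreaper.fc
@@ -1,7 +1,5 @@
-ifdef(`distro_debian',`
 /etc/rc\.d/init\.d/mountall-bootclean.sh -- gen_context(system_u:object_r:tmpreaper_exec_t,s0)
 /etc/rc\.d/init\.d/mountnfs-bootclean.sh -- gen_context(system_u:object_r:tmpreaper_exec_t,s0)
-')
 
 /usr/sbin/tmpreaper -- gen_context(system_u:object_r:tmpreaper_exec_t,s0)
 /usr/sbin/tmpwatch -- gen_context(system_u:object_r:tmpreaper_exec_t,s0)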
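diff --git a/policy/modules/contrib/tmpreaper.if b/policy/modules/contrib/tmpreaper.if
index 8dfbd80..f621a27 100644
--- a/policy/modules/contrib/tmpreaper.if
+++ b/policy/modules/contrib/tmpreaper.if
@@ -1,4 +1,4 @@
-## <summary>Manage temporary directory sizes and file ages</summary>
+## <summary>Manage temporary directory sizes and file ages.</summary>
 
 ########################################
 ## <summary>
@@ -15,7 +15,6 @@ interface(`tmpreaper_exec',`
 type tmpreaper_exec_t;
 ')
 
- files_search_usr($1)
 corecmd_search_bin($1)
 can_exec($1, tmpreaper_exec_t)
 ')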
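diff --git a/policy/modules/contrib/tmpreaper.te b/policy/modules/contrib/tmpreaper.te
index e4eadc0..ee33085 100644
--- a/policy/modules/contrib/tmpreaper.te
+++ b/policy/modules/contrib/tmpreaper.te
@@ -1,4 +1,4 @@
-policy_module(tmpreaper, 1.6.1)
+policy_module(tmpreaper, 1.6.2)
 
 ########################################
 #
@@ -7,39 +7,41 @@ policy_module(tmpreaper, 1.6.1)
 
 type tmpreaper_t;
 type tmpreaper_exec_t;
-application_domain(tmpreaper_t, tmpreaper_exec_t)
-role system_r types tmpreaper_t;
+init_system_domain(tmpreaper_t, tmpreaper_exec_t)
 
 ########################################
 #
 # Local Policy
 #
 
-allow tmpreaper_t self:process { fork sigchld };
 allow tmpreaper_t self:capability { dac_override dac_read_search fowner };
 
+kernel_list_unlabeled(tmpreaper_t)
+kernel_read_system_state(tmpreaper_t)
+
 dev_read_urand(tmpreaper_t)
 
 fs_getattr_xattr_fs(tmpreaper_t)
+fs_list_all(tmpreaper_t)
 
-files_read_etc_files(tmpreaper_t)
+files_getattr_all_dirs(tmpreaper_t)
+files_getattr_all_files(tmpreaper_t)
 files_read_var_lib_files(tmpreaper_t)
 files_purge_tmp(tmpreaper_t)
-# why does it need setattr?
 files_setattr_all_tmp_dirs(tmpreaper_t)
-files_getattr_all_dirs(tmpreaper_t)
-files_getattr_all_files(tmpreaper_t)
 
+mcs_file_read_all(tmpreaper_t)
+mcs_file_write_all(tmpreaper_t)
 mls_file_read_all_levels(tmpreaper_t)
 mls_file_write_all_levels(tmpreaper_t)
 
+auth_use_nsswitch(tmpreaper_t)
+
 logging_send_syslog_msg(tmpreaper_t)
 
 miscfiles_read_localization(tmpreaper_t)
 miscfiles_delete_man_pages(tmpreaper_t)
 
-cron_system_entry(tmpreaper_t, tmpreaper_exec_t)
-
 ifdef(`distro_redhat',`
 userdom_list_user_home_content(tmpreaper_t)
 userdom_delete_user_home_content_dirs(tmpreaper_t)
@@ -53,22 +55,23 @@ optional_policy(`
 
 optional_policy(`
 apache_list_cache(tmpreaper_t)
+ apache_delete_cache_dirs(tmpreaper_t)
 apache_delete_cache_files(tmpreaper_t)
 apache_setattr_cache_dirs(tmpreaper_t)
 ')
 
 optional_policy(`
- kismet_manage_log(tmpreaper_t)
+ cron_system_entry(tmpreaper_t, tmpreaper_exec_t)
 ')
 
 optional_policy(`
- lpd_manage_spool(tmpreaper_t)
+ kismet_manage_log(tmpreaper_t)
 ')
 
 optional_policy(`
- rpm_manage_cache(tmpreaper_t)
+ lpd_manage_spool(tmpreaper_t)
 ')
 
 optional_policy(`
- unconfined_domain(tmpreaper_t)
+ rpm_manage_cache(tmpreaper_t)
 ')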
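Review bot: The optional_policy block granting unconfined_domain(tmpreaper_t) at the end of the second hunk is dropped outright rather than moved, and neither the commit message nor a comment records that tmpreaper_t is now confined even when the unconfined module is loaded; a line in the description, or a comment such as `# tmpreaper_t is confined; unconfined_domain() was deliberately removed` next to the rpm block, would keep the tightening from being read as an accidental loss. The description also announces a user_home_type attribute, but nothing in this diff introduces or uses one — the userdom calls in the first hunk are unchanged distro_redhat context — so that sentence presumably refers to a separate commit and should say so. In the first hunk the `# why does it need setattr?` comment is removed while `files_setattr_all_tmp_dirs(tmpreaper_t)` stays, so the open question is lost without being answered; if the reason is now known, a one-line comment stating it is better than silence. The first hunk also adds fs_list_all, kernel_list_unlabeled and mcs_file_write_all, which together give this domain broad traversal and MCS-override write over the whole filesystem; a short comment tying each to the reaper's need to walk and remove files at any category would make the grant easier to audit later.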