
From: Sven Vermeulen <sven.vermeulen@××××××.be>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Tue, 02 Oct 2012 18:25:37
Message-Id: 1349201247.8725e760d87969766e0353cd32e814b28ef92fb5.SwifT@gentoo
1 commit: 8725e760d87969766e0353cd32e814b28ef92fb5
2 Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
3 AuthorDate: Tue Oct 2 08:06:58 2012 +0000
4 Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
5 CommitDate: Tue Oct 2 18:07:27 2012 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=8725e760
7
8 Changes to the games policy module
9
10 Use role attributes
11 Module clean up
12
13 Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
14
15 ---
16 policy/modules/contrib/games.fc | 66 +++++++++++++++++---------------------
17 policy/modules/contrib/games.if | 20 ++++++-----
18 policy/modules/contrib/games.te | 21 ++++++------
19 3 files changed, 51 insertions(+), 56 deletions(-)
20
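diff --git a/policy/modules/contrib/games.fc b/policy/modules/contrib/games.fc
index 78dc515..5e2e4f2 100644
--- a/policy/modules/contrib/games.fc
+++ b/policy/modules/contrib/games.fc
@@ -1,33 +1,18 @@
-#
-# /usr
-#
-/usr/lib/games(/.*)? gen_context(system_u:object_r:games_exec_t,s0)
-/usr/games/.* -- gen_context(system_u:object_r:games_exec_t,s0)
-
-#
-# /var
-#
-/var/lib/games(/.*)? gen_context(system_u:object_r:games_data_t,s0)
-/var/games(/.*)? gen_context(system_u:object_r:games_data_t,s0)
-
-ifndef(`distro_debian',`
-/usr/bin/micq -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/atlantik -- gen_context(system_u:object_r:games_exec_t,s0)
 /usr/bin/blackjack -- gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/gataxx -- gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/glines -- gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/gnect -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/civclient.* -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/civserver.* -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/gataxx -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/glines -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/gnect -- gen_context(system_u:object_r:games_exec_t,s0)
 /usr/bin/gnibbles -- gen_context(system_u:object_r:games_exec_t,s0)
 /usr/bin/gnobots2 -- gen_context(system_u:object_r:games_exec_t,s0)
 /usr/bin/gnome-stones -- gen_context(system_u:object_r:games_exec_t,s0)
 /usr/bin/gnomine -- gen_context(system_u:object_r:games_exec_t,s0)
 /usr/bin/gnotravex -- gen_context(system_u:object_r:games_exec_t,s0)
 /usr/bin/gnotski -- gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/gtali -- gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/iagno -- gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/mahjongg -- gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/same-gnome -- gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/sol -- gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/atlantik -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/gtali -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/iagno -- gen_context(system_u:object_r:games_exec_t,s0)
 /usr/bin/kasteroids -- gen_context(system_u:object_r:games_exec_t,s0)
 /usr/bin/katomic -- gen_context(system_u:object_r:games_exec_t,s0)
 /usr/bin/kbackgammon -- gen_context(system_u:object_r:games_exec_t,s0)
@@ -39,28 +24,37 @@ ifndef(`distro_debian',`
 /usr/bin/kgoldrunner -- gen_context(system_u:object_r:games_exec_t,s0)
 /usr/bin/kjumpingcube -- gen_context(system_u:object_r:games_exec_t,s0)
 /usr/bin/klickety -- gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/klines -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/klines -- gen_context(system_u:object_r:games_exec_t,s0)
 /usr/bin/kmahjongg -- gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/kmines -- gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/kolf -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kmines -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kolf -- gen_context(system_u:object_r:games_exec_t,s0)
 /usr/bin/konquest -- gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/kpat -- gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/kpoker -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kpat -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kpoker -- gen_context(system_u:object_r:games_exec_t,s0)
 /usr/bin/kreversi -- gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/ksame -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/ksame -- gen_context(system_u:object_r:games_exec_t,s0)
 /usr/bin/kshisen -- gen_context(system_u:object_r:games_exec_t,s0)
 /usr/bin/ksirtet -- gen_context(system_u:object_r:games_exec_t,s0)
 /usr/bin/ksmiletris -- gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/ksnake -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/ksnake -- gen_context(system_u:object_r:games_exec_t,s0)
 /usr/bin/ksokoban -- gen_context(system_u:object_r:games_exec_t,s0)
 /usr/bin/kspaceduel -- gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/ktron -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/ktron -- gen_context(system_u:object_r:games_exec_t,s0)
 /usr/bin/ktuberling -- gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/kwin4 -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kwin4 -- gen_context(system_u:object_r:games_exec_t,s0)
 /usr/bin/kwin4proc -- gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/lskat -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/lskat -- gen_context(system_u:object_r:games_exec_t,s0)
 /usr/bin/lskatproc -- gen_context(system_u:object_r:games_exec_t,s0)
 /usr/bin/Maelstrom -- gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/civclient.* -- gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/civserver.* -- gen_context(system_u:object_r:games_exec_t,s0)
-')dnl end non-Debian section
+/usr/bin/mahjongg -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/micq -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/same-gnome -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/sol -- gen_context(system_u:object_r:games_exec_t,s0)
+
+/usr/games/.* -- gen_context(system_u:object_r:games_exec_t,s0)
+
+/usr/lib/games(/.*)? gen_context(system_u:object_r:games_exec_t,s0)
+
+/var/games(/.*)? gen_context(system_u:object_r:games_data_t,s0)
+
+/var/lib/games(/.*)? gen_context(system_u:object_r:games_data_t,s0)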
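Review bot: The `ifndef(`distro_debian',`` guard that wrapped the per-binary `/usr/bin/*` entries is dropped (the `-ifndef(...)` line in the first hunk and `-')dnl end non-Debian section` in the second), so every one of those contexts, including `/usr/bin/micq`, now applies on Debian as well. The commit message only speaks of role attributes and clean-up; if lifting the distribution condition is intended, state it there, otherwise keep the guard around the entries it used to cover. The remaining changes are an alphabetical reorder and moving the `/usr/games`, `/usr/lib/games`, `/var/games` and `/var/lib/games` entries to the end, which is fine; the paired `-`/`+` lines with identical text (klines, kmines, kolf, …) look like whitespace-only edits flattened by the rendering, so I have not reviewed them further.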
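diff --git a/policy/modules/contrib/games.if b/policy/modules/contrib/games.if
index 7ac736d..f6fc226 100644
--- a/policy/modules/contrib/games.if
+++ b/policy/modules/contrib/games.if
@@ -1,39 +1,40 @@
-## <summary>Games</summary>
+## <summary>Various games.</summary>
 
-############################################################
+########################################
 ## <summary>
-## Role access for games
+## Role access for games.
 ## </summary>
 ## <param name="role">
 ## <summary>
-## Role allowed access
+## Role allowed access.
 ## </summary>
 ## </param>
 ## <param name="domain">
 ## <summary>
-## User domain for the role
+## User domain for the role.
 ## </summary>
 ## </param>
 #
 interface(`games_role',`
 gen_require(`
+ attribute_role games_roles;
 type games_t, games_exec_t;
 ')
 
- role $1 types games_t;
+ roleattribute $1 games_roles;
 
 domtrans_pattern($2, games_exec_t, games_t)
+
 allow $2 games_t:unix_stream_socket connectto;
 allow games_t $2:unix_stream_socket connectto;
 
- # Allow the user domain to signal/ps.
 ps_process_pattern($2, games_t)
- allow $2 games_t:process signal_perms;
+ allow $2 games_t:process { ptrace signal_perms };
 ')
 
 ########################################
 ## <summary>
-## Allow the specified domain to read/write
+## Read and write games data files.
 ## games data.
 ## </summary>
 ## <param name="domain">
@@ -47,5 +48,6 @@ interface(`games_rw_data',`
 type games_data_t;
 ')
 
+ files_search_var_lib($1)
 rw_files_pattern($1, games_data_t, games_data_t)
 ')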
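Review bot: The games_rw_data summary now reads `## Read and write games data files.` immediately followed by the untouched context line `## games data.`, so the generated interface documentation ends in a stray fragment; the `## games data.` line needs to go as well. In games_role, `allow $2 games_t:process signal_perms;` becomes `allow $2 games_t:process { ptrace signal_perms };`, which additionally lets the role's user domain attach to games_t processes; that widening is not covered by "Use role attributes" or "Module clean up" in the commit message, so either mention it there or drop it. If it is deliberate to match the other role interfaces, replacing the removed `# Allow the user domain to signal/ps.` with `# Allow the user domain to debug, signal and ps games processes.` keeps the intent visible next to the rule.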
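diff --git a/policy/modules/contrib/games.te b/policy/modules/contrib/games.te
index b73d33c..0c08250 100644
--- a/policy/modules/contrib/games.te
+++ b/policy/modules/contrib/games.te
@@ -1,15 +1,18 @@
-policy_module(games, 2.2.0)
+policy_module(games, 2.2.1)
 
 ########################################
 #
 # Declarations
 #
 
+attribute_role games_roles;
+
 type games_t;
 type games_exec_t;
 typealias games_t alias { user_games_t staff_games_t sysadm_games_t };
 typealias games_t alias { auditadm_games_t secadm_games_t };
 userdom_user_application_domain(games_t, games_exec_t)
+role games_roles types games_t;
 
 type games_data_t;
 typealias games_data_t alias { user_games_data_t staff_games_data_t sysadm_games_data_t };
@@ -23,8 +26,6 @@ typealias games_devpts_t alias { auditadm_games_devpts_t secadm_games_devpts_t }
 term_pty(games_devpts_t)
 ubac_constrained(games_devpts_t)
 
-# games_srv_t is for system operation of games, generic games daemons and
-# games recovery scripts
 type games_srv_t;
 init_system_domain(games_srv_t, games_exec_t)
 
@@ -91,7 +92,7 @@ optional_policy(`
 
 ########################################
 #
-# Local policy
+# Client local policy
 #
 
 allow games_t self:sem create_sem_perms;
@@ -123,22 +124,21 @@ corecmd_exec_bin(games_t)
 corenet_all_recvfrom_unlabeled(games_t)
 corenet_all_recvfrom_netlabel(games_t)
 corenet_tcp_sendrecv_generic_if(games_t)
-corenet_udp_sendrecv_generic_if(games_t)
 corenet_tcp_sendrecv_generic_node(games_t)
-corenet_udp_sendrecv_generic_node(games_t)
 corenet_tcp_sendrecv_all_ports(games_t)
-corenet_udp_sendrecv_all_ports(games_t)
 corenet_tcp_bind_generic_node(games_t)
+
+corenet_sendrecv_generic_server_packets(games_t)
 corenet_tcp_bind_generic_port(games_t)
-corenet_tcp_connect_generic_port(games_t)
+
 corenet_sendrecv_generic_client_packets(games_t)
-corenet_sendrecv_generic_server_packets(games_t)
+corenet_tcp_connect_generic_port(games_t)
 
 dev_read_sound(games_t)
-dev_write_sound(games_t)
 dev_read_input(games_t)
 dev_read_mouse(games_t)
 dev_read_urand(games_t)
+dev_write_sound(games_t)
 
 files_list_var(games_t)
 files_search_var_lib(games_t)
@@ -160,7 +160,6 @@ userdom_manage_user_tmp_dirs(games_t)
 userdom_manage_user_tmp_files(games_t)
 userdom_manage_user_tmp_symlinks(games_t)
 userdom_manage_user_tmp_sockets(games_t)
-# Suppress .icons denial until properly implemented
 userdom_dontaudit_read_user_home_content_files(games_t)
 
 tunable_policy(`allow_execmem',`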
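Review bot: In the fourth hunk (`@@ -123,22 +124,21 @@`) the calls `corenet_udp_sendrecv_generic_if(games_t)`, `corenet_udp_sendrecv_generic_node(games_t)` and `corenet_udp_sendrecv_all_ports(games_t)` are removed while their TCP counterparts stay, which withdraws UDP traffic permission from games_t unless the domain never held a udp_socket permission to begin with (the self: rules of the block now headed `# Client local policy` are outside these hunks, so I cannot confirm that here). Neither "Use role attributes" nor "Module clean up" in the commit message covers a network-permission change, so either record the reason there or keep the three calls. The second and last hunks also delete explanatory comments, the games_srv_t purpose and `# Suppress .icons denial until properly implemented` above `userdom_dontaudit_read_user_home_content_files(games_t)`, leaving that dontaudit unexplained; I would keep at least the .icons comment.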