Gentoo Archives: gentoo-commits

From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Thu, 25 May 2017 16:43:34
Message-Id: 1495729911.510589e13d0ae9fa2672673524eab27f833cce1c.perfinion@gentoo
1 commit: 510589e13d0ae9fa2672673524eab27f833cce1c
2 Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
3 AuthorDate: Wed May 24 00:59:44 2017 +0000
4 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5 CommitDate: Thu May 25 16:31:51 2017 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=510589e1
7
8 openoffice: minor update
9
10 Minor update for the Apache OpenOffice(R) module: part 2/3.
11
12 This patch introduces a few minor changes to the Apache
13 OpenOffice(R) module, including fixes for smoother integration
14 with gnome.
15
16 It no longer requires the userdomain interface that was
17 previously introduced with part 1/3 (now dropped) because
18 it now uses an OpenOffice interface (thanks to Christopher
19 PeBenito for suggesting this improvement).
20
21 This is the third version (v3).
22
23 Signed-off-by: Guido Trentalancia <guido at trentalancia.com>
24
25 policy/modules/contrib/openoffice.if | 26 ++++++++++++++++++++++++++
26 policy/modules/contrib/openoffice.te | 15 +++++++++++++++
27 2 files changed, 41 insertions(+)
28
29 diff --git a/policy/modules/contrib/openoffice.if b/policy/modules/contrib/openoffice.if
30 index 19f62381..4cb669c8 100644
31 --- a/policy/modules/contrib/openoffice.if
32 +++ b/policy/modules/contrib/openoffice.if
33 @@ -29,6 +29,10 @@ interface(`ooffice_role',`
34
35 allow $2 ooffice_t:process { ptrace signal_perms };
36 ps_process_pattern($2, ooffice_t)
37 +
38 + optional_policy(`
39 + ooffice_dbus_chat($2)
40 + ')
41 ')
42
43 ########################################
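Review bot: the optional_policy() wrapper around ooffice_dbus_chat($2) in ooffice_role looks unnecessary: ooffice_dbus_chat is defined in this same openoffice.if, so it is available wherever ooffice_role is, and optional_policy() is normally reserved for interfaces of other modules that may not be loaded. Unless the intent is to guard against something else, calling ooffice_dbus_chat($2) directly after ps_process_pattern($2, ooffice_t) would match the rest of the interface.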
44 @@ -86,3 +90,25 @@ interface(`ooffice_rw_tmp_files',`
45
46 rw_files_pattern($1, ooffice_tmp_t, ooffice_tmp_t)
47 ')
48 +
49 +#######################################
50 +## <summary>
51 +## Send and receive dbus messages
52 +## from and to the openoffice
53 +## domain.
54 +## </summary>
55 +## <param name="domain">
56 +## <summary>
57 +## Domain allowed access.
58 +## </summary>
59 +## </param>
60 +#
61 +interface(`ooffice_dbus_chat',`
62 + gen_require(`
63 + type ooffice_t;
64 + class dbus send_msg;
65 + ')
66 +
67 + allow $1 ooffice_t:dbus send_msg;
68 + allow ooffice_t $1:dbus send_msg;
69 +')
70
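Review bot: the separator line above the ooffice_dbus_chat doc block is one '#' short of the existing separator in this file (the line just before the @@ -86,3 header has 40), so pad it for a uniform width. It is also worth documenting, either in the <summary> or at the call sites, that this interface only grants peer-to-peer dbus send_msg in both directions; a caller still has to be a dbus session bus client for its messages to be routed, so callers that are not already bus clients will keep seeing denials.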
71 diff --git a/policy/modules/contrib/openoffice.te b/policy/modules/contrib/openoffice.te
72 index fe241429..01244b94 100644
73 --- a/policy/modules/contrib/openoffice.te
74 +++ b/policy/modules/contrib/openoffice.te
75 @@ -66,12 +66,16 @@ files_tmp_filetrans(ooffice_t, ooffice_tmp_t, { dir file sock_file })
76
77 can_exec(ooffice_t, ooffice_exec_t)
78
79 +kernel_dontaudit_read_system_state(ooffice_t)
80 +
81 corecmd_exec_bin(ooffice_t)
82 corecmd_exec_shell(ooffice_t)
83
84 dev_read_sysfs(ooffice_t)
85 dev_read_urand(ooffice_t)
86
87 +domain_use_interactive_fds(ooffice_t)
88 +
89 files_getattr_all_dirs(ooffice_t)
90 files_getattr_all_files(ooffice_t)
91 files_getattr_all_symlinks(ooffice_t)
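Review bot: kernel_dontaudit_read_system_state(ooffice_t) silences the denial instead of granting the access, which hides any functional failure if OpenOffice actually needs to read system state (for example /proc for CPU or memory information). Either confirm the denial is harmless or use kernel_read_system_state() instead, and record in the commit message which denials this call and domain_use_interactive_fds(ooffice_t) address; "minor update" does not say.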
92 @@ -88,12 +92,18 @@ ooffice_dontaudit_exec_tmp_files(ooffice_t)
93 sysnet_dns_name_resolve(ooffice_t)
94
95 userdom_dontaudit_exec_user_home_content_files(ooffice_t)
96 +userdom_dontaudit_manage_user_tmp_dirs(ooffice_t)
97 +
98 userdom_read_user_tmp_files(ooffice_t)
99 userdom_manage_user_home_content_dirs(ooffice_t)
100 userdom_manage_user_home_content_files(ooffice_t)
101 userdom_manage_user_home_content_symlinks(ooffice_t)
102 userdom_user_home_dir_filetrans_user_home_content(ooffice_t, { dir file lnk_file fifo_file sock_file })
103
104 +userdom_manage_user_tmp_sockets(ooffice_t)
105 +
106 +userdom_use_inherited_user_terminals(ooffice_t)
107 +
108 tunable_policy(`openoffice_allow_update',`
109 corenet_tcp_connect_http_port(ooffice_t)
110 ')
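Review bot: userdom_manage_user_tmp_sockets(ooffice_t) grants create and unlink as well as read and write on user_tmp_t sock_files, while ooffice_t's own sockets in /tmp already land in ooffice_tmp_t via the files_tmp_filetrans(... { dir file sock_file }) shown in the first hunk header of this file. If the real need is only to connect to sockets created by other user processes, a narrower read/write interface would be the least-privilege choice. Style point: keep the new userdom_ calls grouped with the existing userdom_ block rather than separated from it by blank lines.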
111 @@ -119,6 +129,11 @@ optional_policy(`
112 ')
113
114 optional_policy(`
115 + gnome_dbus_chat_gconfd(ooffice_t)
116 + gnome_stream_connect_gconf(ooffice_t)
117 +')
118 +
119 +optional_policy(`
120 hostname_exec(ooffice_t)
121 ')
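Review bot: gnome_dbus_chat_gconfd(ooffice_t) only adds the peer send_msg permission towards gconfd; whether ooffice_t is already a dbus session bus client is not visible in this hunk (the preceding optional_policy block is cut off), so confirm that, otherwise messages to gconfd will still be denied at the bus. The commit message mentions "smoother integration with gnome" but not which gconf access was failing; noting the denial or the user-visible symptom would help future readers judge whether both calls are still needed.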