
From: Sven Vermeulen <sven.vermeulen@××××××.be>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Wed, 28 Nov 2012 20:22:32
Message-Id: 1354134007.216ba03f525ec540f16c1514ebbeffed211c526b.SwifT@gentoo
1 commit: 216ba03f525ec540f16c1514ebbeffed211c526b
2 Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
3 AuthorDate: Wed Nov 28 16:29:18 2012 +0000
4 Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
5 CommitDate: Wed Nov 28 20:20:07 2012 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=216ba03f
7
8 Changes to the various policy modules
9
10 Revert setsched, sys_nice and list_tmp
11
12 Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
13
14 ---
15 policy/modules/contrib/cups.te | 11 +++++------
16 policy/modules/contrib/fail2ban.te | 6 +++---
17 policy/modules/contrib/firewalld.te | 5 +----
18 policy/modules/contrib/logwatch.te | 7 +++----
19 4 files changed, 12 insertions(+), 17 deletions(-)
20
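diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te
index bf41251..069141c 100644
--- a/policy/modules/contrib/cups.te
+++ b/policy/modules/contrib/cups.te
@@ -1,4 +1,4 @@
-policy_module(cups, 1.15.5)
+policy_module(cups, 1.15.6)
 
 ########################################
 #
@@ -339,9 +339,9 @@ optional_policy(`
 # Configuration daemon local policy
 #
 
-allow cupsd_config_t self:capability { chown dac_override sys_tty_config setuid setgid sys_nice };
+allow cupsd_config_t self:capability { chown dac_override sys_tty_config setuid setgid };
 dontaudit cupsd_config_t self:capability sys_tty_config;
-allow cupsd_config_t self:process { getsched setsched signal_perms };
+allow cupsd_config_t self:process { getsched signal_perms };
 allow cupsd_config_t self:fifo_file rw_fifo_file_perms;
 allow cupsd_config_t self:tcp_socket { accept listen };
 
@@ -401,7 +401,6 @@ files_read_etc_runtime_files(cupsd_config_t)
 files_read_usr_files(cupsd_config_t)
 files_read_var_symlinks(cupsd_config_t)
 files_search_all_mountpoints(cupsd_config_t)
-files_dontaudit_list_tmp(cupsd_config_t)
 
 fs_getattr_all_fs(cupsd_config_t)
 fs_search_auto_mountpoints(cupsd_config_t)
@@ -591,10 +590,10 @@ optional_policy(`
 # HPLIP local policy
 #
 
-allow hplip_t self:capability { dac_override dac_read_search net_raw sys_nice };
+allow hplip_t self:capability { dac_override dac_read_search net_raw };
 dontaudit hplip_t self:capability sys_tty_config;
 allow hplip_t self:fifo_file rw_fifo_file_perms;
-allow hplip_t self:process { setsched signal_perms };
+allow hplip_t self:process signal_perms;
 allow hplip_t self:tcp_socket { accept listen };
 allow hplip_t self:rawip_socket create_socket_perms;
 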
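Review bot: The list_tmp part of this revert does not go the same direction in every module: the third cups hunk drops `files_dontaudit_list_tmp(cupsd_config_t)` (the last logwatch hunk does the same for logwatch_t), so denials for listing /tmp from those domains are audited again, whereas in firewalld.te the `files_list_tmp(firewalld_t)` allow is dropped and its `files_dontaudit_list_tmp(firewalld_t)` is kept. If that asymmetry is intentional it deserves a sentence in the commit message, which currently only says "Revert setsched, sys_nice and list_tmp"; naming the commit being reverted would make the intended end state checkable. Presumably the dontaudit lines were introduced by that earlier commit, in which case removing them simply restores the prior state, but the sys_nice/setsched removals here will likewise surface as audited denials if cupsd_config_t or hplip_t actually change scheduling, which is worth watching in the audit log after the update. The cupsd_config_t and hplip_t local policy blocks continue outside these hunks.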
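diff --git a/policy/modules/contrib/fail2ban.te b/policy/modules/contrib/fail2ban.te
index 525f6c2..955be6e 100644
--- a/policy/modules/contrib/fail2ban.te
+++ b/policy/modules/contrib/fail2ban.te
@@ -1,4 +1,4 @@
-policy_module(fail2ban, 1.4.8)
+policy_module(fail2ban, 1.4.9)
 
 ########################################
 #
@@ -36,8 +36,8 @@ role fail2ban_client_roles types fail2ban_client_t;
 # Server Local policy
 #
 
-allow fail2ban_t self:capability { dac_read_search dac_override sys_tty_config sys_nice };
-allow fail2ban_t self:process { setsched signal };
+allow fail2ban_t self:capability { dac_read_search dac_override sys_tty_config };
+allow fail2ban_t self:process signal;
 allow fail2ban_t self:fifo_file rw_fifo_file_perms;
 allow fail2ban_t self:unix_stream_socket { accept connectto listen };
 allow fail2ban_t self:tcp_socket { accept listen };
 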
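diff --git a/policy/modules/contrib/firewalld.te b/policy/modules/contrib/firewalld.te
index edccdb3..711a2ab 100644
--- a/policy/modules/contrib/firewalld.te
+++ b/policy/modules/contrib/firewalld.te
@@ -1,4 +1,4 @@
-policy_module(firewalld, 1.0.4)
+policy_module(firewalld, 1.0.5)
 
 ########################################
 #
@@ -26,9 +26,7 @@ files_pid_file(firewalld_var_run_t)
 # Local policy
 #
 
-allow firewalld_t self:capability sys_nice;
 dontaudit firewalld_t self:capability sys_tty_config;
-allow firewalld_t self:process setsched;
 allow firewalld_t self:fifo_file rw_fifo_file_perms;
 allow firewalld_t self:unix_stream_socket { accept listen };
 allow firewalld_t self:udp_socket create_socket_perms;
@@ -55,7 +53,6 @@ dev_read_urand(firewalld_t)
 
 domain_use_interactive_fds(firewalld_t)
 
-files_list_tmp(firewalld_t)
 files_read_etc_files(firewalld_t)
 files_read_usr_files(firewalld_t)
 files_dontaudit_list_tmp(firewalld_t)
 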
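diff --git a/policy/modules/contrib/logwatch.te b/policy/modules/contrib/logwatch.te
index 6269990..077a3f3 100644
--- a/policy/modules/contrib/logwatch.te
+++ b/policy/modules/contrib/logwatch.te
@@ -1,4 +1,4 @@
-policy_module(logwatch, 1.11.4)
+policy_module(logwatch, 1.11.5)
 
 #################################
 #
@@ -29,8 +29,8 @@ role system_r types logwatch_mail_t;
 # Local policy
 #
 
-allow logwatch_t self:capability { dac_override dac_read_search setgid sys_nice };
-allow logwatch_t self:process { setsched signal };
+allow logwatch_t self:capability { dac_override dac_read_search setgid };
+allow logwatch_t self:process signal;
 allow logwatch_t self:fifo_file rw_fifo_file_perms;
 allow logwatch_t self:unix_stream_socket { accept listen };
 
@@ -68,7 +68,6 @@ files_search_all(logwatch_t)
 files_read_var_symlinks(logwatch_t)
 files_read_etc_runtime_files(logwatch_t)
 files_read_usr_files(logwatch_t)
-files_dontaudit_list_tmp(logwatch_t)
 
 fs_getattr_all_fs(logwatch_t)
 fs_dontaudit_list_auto_mountpoints(logwatch_t)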