
From: Sven Vermeulen <sven.vermeulen@××××××.be>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-dev:master commit in: sec-policy/selinux-mozilla/files/, sec-policy/selinux-mozilla/, ...
Date: Tue, 02 Aug 2011 19:54:52
Message-Id: e67dd39d2a05726d5dde9f9086c1cad1dd918038.SwifT@gentoo
1 commit: e67dd39d2a05726d5dde9f9086c1cad1dd918038
2 Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
3 AuthorDate: Tue Aug 2 19:54:06 2011 +0000
4 Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
5 CommitDate: Tue Aug 2 19:54:06 2011 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=e67dd39d
7
8 Update on 2.20101213 policy
9
10 ---
11 sec-policy/selinux-base-policy/ChangeLog | 550 ++++++++++++++++++++
12 sec-policy/selinux-base-policy/files/config | 15 +
13 sec-policy/selinux-base-policy/files/modules.conf | 49 ++
14 ...ndle-selinux-base-policy-2.20101213-r22.tar.bz2 | Bin 0 -> 20236 bytes
15 sec-policy/selinux-base-policy/metadata.xml | 14 +
16 .../selinux-base-policy-2.20101213-r22.ebuild | 147 ++++++
17 sec-policy/selinux-mozilla/ChangeLog | 40 ++
18 .../files/fix-apps-mozilla-r4.patch | 82 +++
19 sec-policy/selinux-mozilla/metadata.xml | 6 +
20 .../selinux-mozilla-2.20101213-r4.ebuild | 15 +
21 sec-policy/selinux-pan/ChangeLog | 33 ++
22 sec-policy/selinux-pan/files/fix-apps-pan-r1.patch | 110 ++++
23 sec-policy/selinux-pan/metadata.xml | 6 +
24 .../selinux-pan/selinux-pan-2.20101213-r1.ebuild | 16 +
25 sec-policy/selinux-skype/ChangeLog | 33 ++
26 .../selinux-skype/files/fix-apps-skype-r3.patch | 120 +++++
27 sec-policy/selinux-skype/metadata.xml | 6 +
28 .../selinux-skype-2.20101213-r3.ebuild | 16 +
29 18 files changed, 1258 insertions(+), 0 deletions(-)
30
31 diff --git a/sec-policy/selinux-base-policy/ChangeLog b/sec-policy/selinux-base-policy/ChangeLog
32 new file mode 100644
33 index 0000000..bb333fb
34 --- /dev/null
35 +++ b/sec-policy/selinux-base-policy/ChangeLog
36 @@ -0,0 +1,550 @@
37 +# ChangeLog for sec-policy/selinux-base-policy
38 +# Copyright 1999-2011 Gentoo Foundation; Distributed under the GPL v2
39 +# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-base-policy/ChangeLog,v 1.80 2011/07/11 01:59:36 blueness Exp $
40 +
41 +*selinux-base-policy-2.20101213-r22 (02 Aug 2011)
42 +
43 + 02 Aug 2011; <swift@g.o> +selinux-base-policy-2.20101213-r22.ebuild,
44 + +files/patchbundle-selinux-base-policy-2.20101213-r22.tar.bz2, +files/config,
45 + +files/modules.conf, +metadata.xml:
46 + Support cron-triggered portage administration tasks, add pan policy
47 +
48 +*selinux-base-policy-2.20101213-r20 (19 Jul 2011)
49 +
50 + 19 Jul 2011; <swift@g.o> -selinux-base-policy-2.20101213-r19.ebuild,
51 + +selinux-base-policy-2.20101213-r20.ebuild,
52 + -files/patchbundle-selinux-base-policy-2.20101213-r19.tar.bz2,
53 + +files/patchbundle-selinux-base-policy-2.20101213-r20.tar.bz2:
54 + Start with -r20 series
55 +
56 + 11 Jul 2011; Anthony G. Basile <blueness@g.o>
57 + -files/selinux-base-policy-20070329.diff,
58 + -selinux-base-policy-20080525.ebuild,
59 + -selinux-base-policy-20080525-r1.ebuild, -files/modules.conf.strict,
60 + -files/modules.conf.strict.20070928, -files/modules.conf.strict.20080525,
61 + -files/modules.conf.targeted, -files/modules.conf.targeted.20070928,
62 + -files/modules.conf.targeted.20080525:
63 + Removed all pre 2.20xx base policies
64 +
65 +*selinux-base-policy-2.20101213-r18 (10 Jul 2011)
66 +
67 + 10 Jul 2011; Anthony G. Basile <blueness@g.o>
68 + +selinux-base-policy-2.20101213-r18.ebuild:
69 + Bump to r18, improve support for openrc, allow portage to work with
70 + NFS-mounted locations, fix firefox plugin support, fix postgres init
71 + script support, fix syslog startup issue
72 +
73 + 03 Jul 2011; Anthony G. Basile <blueness@g.o>
74 + selinux-base-policy-2.20101213-r16.ebuild,
75 + selinux-base-policy-2.20101213-r17.ebuild,
76 + -files/patchbundle-selinux-base-policy-2.20101213-r16.tar.bz2,
77 + -files/patchbundle-selinux-base-policy-2.20101213-r17.tar.bz2:
78 + Moved patchbundles out of ${FILESDIR}, bug #370927
79 +
80 + 30 Jun 2011; Anthony G. Basile <blueness@g.o>
81 + -selinux-base-policy-2.20101213-r11.ebuild,
82 + -selinux-base-policy-2.20101213-r12.ebuild,
83 + -files/patchbundle-selinux-base-policy-2.20101213-r11.tar.bz2,
84 + -files/patchbundle-selinux-base-policy-2.20101213-r12.tar.bz2:
85 + Removed deprecated versions
86 +
87 +*selinux-base-policy-2.20101213-r17 (30 Jun 2011)
88 +
89 + 30 Jun 2011; Anthony G. Basile <blueness@g.o>
90 + +selinux-base-policy-2.20101213-r17.ebuild,
91 + +files/patchbundle-selinux-base-policy-2.20101213-r17.tar.bz2:
92 + Add support for zabbix
93 +
94 + 02 Jun 2011; Anthony G. Basile <blueness@g.o>
95 + selinux-base-policy-2.20101213-r16.ebuild:
96 + Stable amd64 x86
97 +
98 + 20 May 2011; Anthony G. Basile <blueness@g.o>
99 + -selinux-base-policy-2.20101213-r5.ebuild,
100 + -selinux-base-policy-2.20101213-r6.ebuild,
101 + -selinux-base-policy-2.20101213-r7.ebuild,
102 + -selinux-base-policy-2.20101213-r9.ebuild,
103 + -selinux-base-policy-2.20101213-r10.ebuild,
104 + -files/patchbundle-selinux-base-policy-2.20101213-r10.tar.bz2,
105 + -files/patchbundle-selinux-base-policy-2.20101213-r5.tar.bz2,
106 + -files/patchbundle-selinux-base-policy-2.20101213-r6.tar.bz2,
107 + -files/patchbundle-selinux-base-policy-2.20101213-r7.tar.bz2,
108 + -files/patchbundle-selinux-base-policy-2.20101213-r9.tar.bz2:
109 + Removed deprecated revisions of base policy 2.20101213
110 +
111 +*selinux-base-policy-2.20101213-r16 (20 May 2011)
112 +
113 + 20 May 2011; Anthony G. Basile <blueness@g.o>
114 + +selinux-base-policy-2.20101213-r16.ebuild,
115 + +files/patchbundle-selinux-base-policy-2.20101213-r16.tar.bz2, metadata.xml:
116 + Drop obsoleted policy builds, add openrc support (rc-update, rc-status),
117 + correct file contexts for /lib64, make UBAC optional (#257111 and #306393),
118 + use portage_srcrepo_t for live ebuilds and match mdadm policy with upstream
119 +
120 +*selinux-base-policy-2.20101213-r12 (16 Apr 2011)
121 +*selinux-base-policy-2.20101213-r11 (16 Apr 2011)
122 +
123 + 16 Apr 2011; Anthony G. Basile <blueness@g.o>
124 + +selinux-base-policy-2.20101213-r11.ebuild,
125 + +selinux-base-policy-2.20101213-r12.ebuild,
126 + +files/patchbundle-selinux-base-policy-2.20101213-r11.tar.bz2,
127 + +files/patchbundle-selinux-base-policy-2.20101213-r12.tar.bz2:
128 + Added new patchbundles for rev bumps to base policy 2.20101213
129 +
130 +*selinux-base-policy-2.20101213-r10 (07 Mar 2011)
131 +*selinux-base-policy-2.20101213-r9 (07 Mar 2011)
132 +
133 + 07 Mar 2011; Anthony G. Basile <blueness@g.o>
134 + +selinux-base-policy-2.20101213-r9.ebuild,
135 + +selinux-base-policy-2.20101213-r10.ebuild,
136 + +files/patchbundle-selinux-base-policy-2.20101213-r10.tar.bz2,
137 + +files/patchbundle-selinux-base-policy-2.20101213-r9.tar.bz2:
138 + Added new patchbundles for rev bumps to base policy 2.20101213
139 +
140 + 05 Feb 2011; Anthony G. Basile <blueness@g.o>
141 + +files/patchbundle-selinux-base-policy-2.20101213-r5.tar.bz2,
142 + +files/patchbundle-selinux-base-policy-2.20101213-r6.tar.bz2,
143 + +files/patchbundle-selinux-base-policy-2.20101213-r7.tar.bz2:
144 + Added patchbundle for base policy 2.20101213.
145 +
146 +*selinux-base-policy-2.20101213-r7 (05 Feb 2011)
147 +*selinux-base-policy-2.20101213-r6 (05 Feb 2011)
148 +*selinux-base-policy-2.20101213-r5 (05 Feb 2011)
149 +
150 + 05 Feb 2011; Anthony G. Basile <blueness@g.o>
151 + +selinux-base-policy-2.20101213-r5.ebuild,
152 + +selinux-base-policy-2.20101213-r6.ebuild,
153 + +selinux-base-policy-2.20101213-r7.ebuild:
154 + New upstream policy.
155 +
156 +*selinux-base-policy-2.20091215 (16 Dec 2009)
157 +
158 + 16 Dec 2009; Chris PeBenito <pebenito@g.o>
159 + +selinux-base-policy-2.20091215.ebuild:
160 + New upstream release.
161 +
162 +*selinux-base-policy-20080525-r1 (14 Sep 2009)
163 +
164 + 14 Sep 2009; Chris PeBenito <pebenito@g.o>
165 + +selinux-base-policy-20080525-r1.ebuild:
166 + Update old base policy to support ext4.
167 +
168 + 14 Aug 2009; Chris PeBenito <pebenito@g.o>
169 + -selinux-base-policy-20070329.ebuild,
170 + -selinux-base-policy-20070928.ebuild, selinux-base-policy-20080525.ebuild:
171 + Mark 20080525 stable, clear old ebuilds.
172 +
173 +*selinux-base-policy-2.20090814 (14 Aug 2009)
174 +
175 + 14 Aug 2009; Chris PeBenito <pebenito@g.o>
176 + +selinux-base-policy-2.20090814.ebuild:
177 + Git version of refpolicy for misc fixes including some cron problems.
178 +
179 +*selinux-base-policy-2.20090730 (03 Aug 2009)
180 +
181 + 03 Aug 2009; Chris PeBenito <pebenito@g.o>
182 + +selinux-base-policy-2.20090730.ebuild:
183 + New upstream release.
184 +
185 + 18 Jul 2009; Chris PeBenito <pebenito@g.o>
186 + selinux-base-policy-20070329.ebuild, selinux-base-policy-20070928.ebuild,
187 + selinux-base-policy-20080525.ebuild:
188 + Drop alpha, mips, ppc, sparc selinux support.
189 +
190 +*selinux-base-policy-20080525 (25 May 2008)
191 +
192 + 25 May 2008; Chris PeBenito <pebenito@g.o>
193 + +selinux-base-policy-20080525.ebuild:
194 + New SVN snapshot.
195 +
196 + 16 Mar 2008; Chris PeBenito <pebenito@g.o>
197 + -selinux-base-policy-20051022-r1.ebuild,
198 + -selinux-base-policy-20061114.ebuild:
199 + Remove old ebuilds.
200 +
201 + 03 Feb 2008; Chris PeBenito <pebenito@g.o>
202 + selinux-base-policy-20070928.ebuild:
203 + Mark stable.
204 +
205 +*selinux-base-policy-20070928 (26 Nov 2007)
206 +
207 + 26 Nov 2007; Chris PeBenito <pebenito@g.o>
208 + +selinux-base-policy-20070928.ebuild:
209 + New SVN snapshot.
210 +
211 + 04 Jun 2007; Chris PeBenito <pebenito@g.o>
212 + selinux-base-policy-20070329.ebuild:
213 + Mark stable.
214 +
215 + 30 Mar 2007; Chris PeBenito <pebenito@g.o>
216 + +files/selinux-base-policy-20070329.diff,
217 + selinux-base-policy-20070329.ebuild:
218 + Compile fix.
219 +
220 +*selinux-base-policy-20070329 (29 Mar 2007)
221 +
222 + 29 Mar 2007; Chris PeBenito <pebenito@g.o>
223 + +selinux-base-policy-20070329.ebuild:
224 + New SVN snapshot.
225 +
226 + 22 Feb 2007; Markus Ullmann <jokey@g.o> ChangeLog:
227 + Redigest for Manifest2
228 +
229 +*selinux-base-policy-20061114 (15 Nov 2006)
230 +
231 + 15 Nov 2006; Chris PeBenito <pebenito@g.o>
232 + +selinux-base-policy-20061114.ebuild:
233 + New SVN snapshot.
234 +
235 + 25 Oct 2006; Chris PeBenito <pebenito@g.o>
236 + selinux-base-policy-20061015.ebuild:
237 + Fix to have default POLICY_TYPES if it is empty.
238 +
239 + 21 Oct 2006; Chris PeBenito <pebenito@g.o>
240 + selinux-base-policy-20061015.ebuild:
241 + Fix xml generation failure to die.
242 +
243 +*selinux-base-policy-20061015 (15 Oct 2006)
244 +
245 + 15 Oct 2006; Chris PeBenito <pebenito@g.o>
246 + -selinux-base-policy-20061008.ebuild,
247 + +selinux-base-policy-20061015.ebuild:
248 + Update for testing fixes.
249 +
250 +*selinux-base-policy-20061008 (08 Oct 2006)
251 +
252 + 08 Oct 2006; Chris PeBenito <pebenito@g.o> -files/semanage.conf,
253 + +selinux-base-policy-20061008.ebuild,
254 + -selinux-base-policy-99999999.ebuild:
255 + First mainstream reference policy testing release.
256 +
257 + 29 Sep 2006; Chris PeBenito <pebenito@g.o>
258 + selinux-base-policy-99999999.ebuild:
259 + Fix for new SVN location. Fixes 147781.
260 +
261 + 22 Feb 2006; Stephen Bennett <spb@g.o>
262 + selinux-base-policy-20051022-r1.ebuild:
263 + Alpha stable
264 +
265 +*selinux-base-policy-99999999 (02 Feb 2006)
266 +
267 + 02 Feb 2006; Chris PeBenito <pebenito@g.o> +files/config,
268 + +files/modules.conf.strict, +files/modules.conf.targeted,
269 + +files/semanage.conf, +selinux-base-policy-99999999.ebuild:
270 + Add experimental policy for testing reference policy. Requires portage fix
271 + from bug #110857.
272 +
273 + 02 Feb 2006; Chris PeBenito <pebenito@g.o>
274 + -selinux-base-policy-20050322.ebuild,
275 + -selinux-base-policy-20050618.ebuild,
276 + -selinux-base-policy-20050821.ebuild,
277 + -selinux-base-policy-20051022.ebuild:
278 + Clean out old ebuilds.
279 +
280 + 14 Jan 2006; Stephen Bennett <spb@g.o>
281 + selinux-base-policy-20051022-r1.ebuild:
282 + Added ~alpha
283 +
284 +*selinux-base-policy-20051022-r1 (08 Dec 2005)
285 +
286 + 08 Dec 2005; Chris PeBenito <pebenito@g.o>
287 + +selinux-base-policy-20051022-r1.ebuild:
288 + Change to use compatability genhomedircon. Newer policycoreutils (1.28)
289 + breaks the backwards compatability this policy uses.
290 +
291 +*selinux-base-policy-20051022 (22 Oct 2005)
292 +
293 + 22 Oct 2005; Chris PeBenito <pebenito@g.o>
294 + +selinux-base-policy-20051022.ebuild:
295 + Very trivial fixes.
296 +
297 + 08 Sep 2005; Chris PeBenito <pebenito@g.o>
298 + selinux-base-policy-20050821.ebuild:
299 + Mark stable.
300 +
301 +*selinux-base-policy-20050821 (21 Aug 2005)
302 +
303 + 21 Aug 2005; Chris PeBenito <pebenito@g.o>
304 + +selinux-base-policy-20050821.ebuild:
305 + Minor updates for 2.6.12.
306 +
307 + 21 Jun 2005; Chris PeBenito <pebenito@g.o>
308 + selinux-base-policy-20050618.ebuild:
309 + Mark stable.
310 +
311 +*selinux-base-policy-20050618 (18 Jun 2005)
312 +
313 + 18 Jun 2005; Chris PeBenito <pebenito@g.o>
314 + -selinux-base-policy-20041123.ebuild,
315 + -selinux-base-policy-20050306.ebuild,
316 + +selinux-base-policy-20050618.ebuild:
317 + New release to support 2.6.12 features.
318 +
319 + 10 May 2005; Stephen Bennett <spb@g.o>
320 + selinux-base-policy-20050322.ebuild:
321 + mips stable
322 +
323 + 01 May 2005; Stephen Bennett <spb@g.o>
324 + selinux-base-policy-20050322.ebuild:
325 + Added ~mips.
326 +
327 +*selinux-base-policy-20050322 (23 Mar 2005)
328 +
329 + 23 Mar 2005; Chris PeBenito <pebenito@g.o>
330 + +selinux-base-policy-20050322.ebuild:
331 + New release.
332 +
333 +*selinux-base-policy-20050306 (06 Mar 2005)
334 +
335 + 06 Mar 2005; Chris PeBenito <pebenito@g.o>
336 + +selinux-base-policy-20050306.ebuild:
337 + Fix bad samba_domain dummy macro. Add policies needed for udev support.
338 +
339 +*selinux-base-policy-20050224 (24 Feb 2005)
340 +
341 + 24 Feb 2005; Chris PeBenito <pebenito@g.o>
342 + +selinux-base-policy-20050224.ebuild:
343 + New release.
344 +
345 + 19 Jan 2005; Chris PeBenito <pebenito@g.o>
346 + selinux-base-policy-20041123.ebuild:
347 + Mark stable.
348 +
349 +*selinux-base-policy-20041123 (23 Nov 2004)
350 +
351 + 23 Nov 2004; Chris PeBenito <pebenito@g.o>
352 + +selinux-base-policy-20041123.ebuild:
353 + New release with 1.18 merge.
354 +
355 +*selinux-base-policy-20041023 (23 Oct 2004)
356 +
357 + 23 Oct 2004; Chris PeBenito <pebenito@g.o>
358 + +selinux-base-policy-20041023.ebuild:
359 + New release with 1.16 merge. Tcpd and inetd have been deprecated since they
360 + are not in the base system anymore, and probably no one uses them anyway.
361 +
362 +*selinux-base-policy-20040906 (06 Sep 2004)
363 +
364 + 06 Sep 2004; Chris PeBenito <pebenito@g.o>
365 + +selinux-base-policy-20040906.ebuild:
366 + New release with 1.14 merge, which has policy 18 (fine-grained netlink)
367 + features.
368 +
369 + 05 Sep 2004; Chris PeBenito <pebenito@g.o>
370 + selinux-base-policy-20040225.ebuild, -selinux-base-policy-20040509.ebuild,
371 + -selinux-base-policy-20040604.ebuild, selinux-base-policy-20040629.ebuild,
372 + selinux-base-policy-20040702.ebuild:
373 + Remove old builds, switch to epause and ebeep in remaining builds.
374 +
375 +*selinux-base-policy-20040702 (02 Jul 2004)
376 +
377 + 02 Jul 2004; Chris PeBenito <pebenito@g.o>
378 + +selinux-base-policy-20040702.ebuild:
379 + Same as 20040629, except with updated flask headers, which will come out in
380 + 2.6.8.
381 +
382 +*selinux-base-policy-20040629 (29 Jun 2004)
383 +
384 + 29 Jun 2004; Chris PeBenito <pebenito@g.o>
385 + +selinux-base-policy-20040629.ebuild:
386 + Large sysadmfile cleanup: disable admin_separation to give sysadm_r back its
387 + ablility to modify all files. Minor fixes: portage_r works again, syslog-ng
388 + breakage fixed, put back manual PaX policy for pageexec/segmexec.
389 +
390 + 16 Jun 2004; Chris PeBenito <pebenito@g.o>
391 + selinux-base-policy-20040604.ebuild:
392 + Mark stable.
393 +
394 + 10 Jun 2004; Chris PeBenito <pebenito@g.o>
395 + selinux-base-policy-20040225.ebuild, selinux-base-policy-20040509.ebuild,
396 + selinux-base-policy-20040604.ebuild:
397 + Add src_compile() stub
398 +
399 +*selinux-base-policy-20040604 (04 Jun 2004)
400 +
401 + 04 Jun 2004; Chris PeBenito <pebenito@g.o>
402 + +selinux-base-policy-20040604.ebuild:
403 + New release including 1.12 NSA policy, and experimental sesandbox.
404 +
405 + 15 May 2004; Chris PeBenito <pebenito@g.o>
406 + selinux-base-policy-20040509.ebuild:
407 + Mark stable.
408 +
409 +*selinux-base-policy-20040509 (09 May 2004)
410 +
411 + 09 May 2004; Chris PeBenito <pebenito@g.o>
412 + +selinux-base-policy-20040509.ebuild:
413 + A few small cleanups. Make PaX non exec pages macro based on arch. Large
414 + portage update, get rid of portage_exec_fetch_t, portage will setexec. Add
415 + global_ssp tunable.
416 +
417 +*selinux-base-policy-20040418 (18 Apr 2004)
418 +
419 + 18 Apr 2004; Chris PeBenito <pebenito@g.o>
420 + +selinux-base-policy-20040418.ebuild:
421 + New release for checkpolicy 1.10
422 +
423 +*selinux-base-policy-20040414 (14 Apr 2004)
424 +
425 + 14 Apr 2004; Chris PeBenito <pebenito@g.o>
426 + -selinux-base-policy-20040408.ebuild, +selinux-base-policy-20040414.ebuild:
427 + Minor updates
428 +
429 +*selinux-base-policy-20040408 (08 Apr 2004)
430 +
431 + 08 Apr 2004; Chris PeBenito <pebenito@g.o>
432 + selinux-base-policy-20040408.ebuild:
433 + New update. Users.fc is now deprecated, as the contexts for user directories
434 + is now automatically generated. Portage fetching of distfiles now has a
435 + subdomain, for dropping priviledges.
436 +
437 + 28 Feb 2004; Chris PeBenito <pebenito@g.o>
438 + selinux-base-policy-20040225.ebuild:
439 + Mark stable.
440 +
441 +*selinux-base-policy-20040225 (25 Feb 2004)
442 +
443 + 25 Feb 2004; Chris PeBenito <pebenito@g.o>
444 + selinux-base-policy-20040225.ebuild:
445 + New support for PaX ACL hooks. Addition of tunable.te for configurable policy
446 + options. Rewrite of portage.te. Now auto-transition for sysadm is default, can
447 + reenable portage_r by tunable.te. Makefile update from NSA CVS.
448 +
449 +*selinux-base-policy-20040209 (09 Feb 2004)
450 +
451 + 09 Feb 2004; Chris PeBenito <pebenito@g.o>
452 + selinux-base-policy-20040209.ebuild:
453 + Minor revision to add XFS labeling and policy for integrated
454 + runscript-run_init.
455 +
456 + 07 Feb 2004; Chris PeBenito <pebenito@g.o>
457 + selinux-base-policy-20040202.ebuild:
458 + Mark x86 stable.
459 +
460 +*selinux-base-policy-20040202 (02 Feb 2004)
461 +
462 + 02 Feb 2004; Chris PeBenito <pebenito@g.o>
463 + selinux-base-policy-20040202.ebuild:
464 + A few misc fixes. Allow portage to update bootloader code, such as in lilo or
465 + grub postinst. This requires checkpolicy 1.4-r1.
466 +
467 +*selinux-base-policy-20031225 (25 Dec 2003)
468 +
469 + 25 Dec 2003; Chris PeBenito <pebenito@g.o>
470 + selinux-base-policy-20031225.ebuild:
471 + New release, with merged NSA 1.4 policy. One critical note, this policy
472 + requires pam 0.77. Much work has been done to minimize access to /etc/shadow,
473 + and one requirement is in the patch for pam 0.77. If you do not use this pam
474 + version or newer, you will be unable to authenticate in enforcing. Since
475 + devfs no longer is usable in SELinux, it's policy has been removed. You
476 + should merge the changes, remove the devfsd policy (devfsd.te and devfsd.fc),
477 + load the policy, and relabel.
478 +
479 + 27 Nov 2003; Chris PeBenito <pebenito@g.o>
480 + selinux-base-policy-20031010-r1.ebuild:
481 + Mark stable. Add build USE flag for stage building.
482 +
483 +*selinux-base-policy-20031010-r1 (12 Nov 2003)
484 +
485 + 12 Nov 2003; Chris PeBenito <pebenito@g.o>
486 + selinux-base-policy-20031010-r1.ebuild,
487 + files/selinux-base-policy-20031010-cvs.diff:
488 + Add fixes from policy cvs for compilers, so non x86 and ppc compilers can
489 + work. Also portage update as a side effect of updated setfiles code in
490 + portage, from bug 31748.
491 +
492 + 28 Oct 2003; Chris PeBenito <pebenito@g.o>
493 + selinux-base-policy-20031010.ebuild:
494 + Mark stable
495 +
496 +*selinux-base-policy-20031010 (10 Oct 2003)
497 +
498 + 10 Oct 2003; Chris PeBenito <pebenito@g.o>
499 + selinux-base-policy-20031010.ebuild:
500 + New release for new API. Massive cleanups all over the place.
501 +
502 +*selinux-base-policy-20030817 (17 Aug 2003)
503 +
504 + 17 Aug 2003; Chris PeBenito <pebenito@g.o>
505 + selinux-base-policy-20030817.ebuild:
506 + Initial commit of new API policy
507 +
508 + 10 Aug 2003; Chris PeBenito <pebenito@g.o>
509 + selinux-base-policy-20030729-r1.ebuild:
510 + Mark stable
511 +
512 +*selinux-base-policy-20030729-r1 (31 Jul 2003)
513 +
514 + 31 Jul 2003; Chris PeBenito <pebenito@g.o>
515 + selinux-base-policy-20030729-r1.ebuild:
516 + New rev that handles an empty POLICYDIR sanely.
517 +
518 +*selinux-base-policy-20030729 (29 Jul 2003)
519 +
520 + 29 Jul 2003; Chris PeBenito <pebenito@g.o>
521 + selinux-base-policy-20030729.ebuild:
522 + Make the ebuild use POLICYDIR. Important fix so portage can load policy so
523 + selinux-policy.eclass works. update_modules_t cleanup. Fix for an access when
524 + merging baselayout.
525 +
526 +*selinux-base-policy-20030720 (20 Jul 2003)
527 +
528 + 20 Jul 2003; Chris PeBenito <pebenito@g.o>
529 + selinux-base-policy-20030720.ebuild:
530 + Many fixes, including the syslog fix. File contexts have changed, so a relabel
531 + is needed. You may encounter problems relabeling /usr/portage, as its file
532 + context has changed, as files should not have the same type as a domain.
533 + Relabelling in permissive will fix this, or temporarily give portage_t a
534 + file_type attribute. Tightened the can_exec_any() macro. Moved staff.fc to
535 + users.fc, since all users with SELinux identities should have their home
536 + directories have the correct identity, not the generic identity.
537 +
538 + 06 Jun 2003; Chris PeBenito <pebenito@g.o>
539 + selinux-base-policy-20030604.ebuild:
540 + Mark stable
541 +
542 +*selinux-base-policy-20030604 (04 Jun 2003)
543 +
544 + 04 Jun 2003; Chris PeBenito <pebenito@g.o>
545 + selinux-base-policy-20030604.ebuild:
546 + Fix broken 20030603
547 +
548 + 04 Jun 2003; Chris PeBenito <pebenito@g.o>
549 + selinux-base-policy-20030603.ebuild:
550 + Pulling 20030603, as there are problems, 20030604 later today
551 +
552 +*selinux-base-policy-20030603 (03 Jun 2003)
553 +
554 + 03 Jun 2003; Chris PeBenito <pebenito@g.o>
555 + selinux-base-policy-20030603.ebuild:
556 + Numerous various fixes. Added staff role. Removed ipsec, gpm and gpg policies
557 + as they are not appropriate for the base policy, and untested.
558 +
559 +*selinux-base-policy-20030522 (22 May 2003)
560 +
561 + 22 May 2003; Chris PeBenito <pebenito@g.o>
562 + selinux-base-policy-20030522.ebuild:
563 + The policy is in pretty good shape now. I've been able to run in enforcing mode
564 + with little problem. I've also been able to successfully merge and unmerge
565 + packages in enforcing mode, with few exceptions (why does mysql need to run ps
566 + during configure?).
567 +
568 +*selinux-base-policy-20030514 (14 May 2003)
569 +
570 + 14 May 2003; Chris PeBenito <pebenito@g.o>
571 + selinux-base-policy-20030514.ebuild:
572 + Many improvements in many areas. Of note, rlogind policies were removed. Klogd
573 + is being merged into syslogd. The portage policy is much more complete, but
574 + still needs work. Its suggested that all changes be merged in, policy
575 + reloaded, then relabel.
576 +
577 +*selinux-base-policy-20030419 (19 Apr 2003)
578 +
579 + 23 Apr 2003; Chris PeBenito <pebenito@g.o>
580 + selinux-base-policy-20030419.ebuild:
581 + Marking stable for selinux-small stable usage
582 +
583 + 19 Apr 2003; Chris PeBenito <pebenito@g.o> Manifest,
584 + selinux-base-policy-20030419.ebuild:
585 + Initial commit. Base policies for SELinux, with Gentoo-specifics
586 +
587
588 diff --git a/sec-policy/selinux-base-policy/files/config b/sec-policy/selinux-base-policy/files/config
589 new file mode 100644
590 index 0000000..55933ea
591 --- /dev/null
592 +++ b/sec-policy/selinux-base-policy/files/config
593 @@ -0,0 +1,15 @@
594 +# This file controls the state of SELinux on the system on boot.
595 +
596 +# SELINUX can take one of these three values:
597 +# enforcing - SELinux security policy is enforced.
598 +# permissive - SELinux prints warnings instead of enforcing.
599 +# disabled - No SELinux policy is loaded.
600 +SELINUX=permissive
601 +
602 +# SELINUXTYPE can take one of these four values:
603 +# targeted - Only targeted network daemons are protected.
604 +# strict - Full SELinux protection.
605 +# mls - Full SELinux protection with Multi-Level Security
606 +# mcs - Full SELinux protection with Multi-Category Security
607 +# (mls, but only one sensitivity level)
608 +SELINUXTYPE=strict
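Review bot: The shipped default `SELINUX=permissive` means a freshly installed system only logs denials and enforces nothing, and nothing in the file says that this is deliberate bootstrap state rather than the recommended steady state. I would add directly above it: `# Default is permissive so a fresh install can be relabelled and audited first; switch to enforcing once the system runs without denials.` Since the ebuild installs this file to /etc/selinux as-is (src_install in the same commit), this comment is the only place an administrator will see the rationale.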
609
610 diff --git a/sec-policy/selinux-base-policy/files/modules.conf b/sec-policy/selinux-base-policy/files/modules.conf
611 new file mode 100644
612 index 0000000..fcb3fd8
613 --- /dev/null
614 +++ b/sec-policy/selinux-base-policy/files/modules.conf
615 @@ -0,0 +1,49 @@
616 +application = base
617 +authlogin = base
618 +bootloader = base
619 +clock = base
620 +consoletype = base
621 +corecommands = base
622 +corenetwork = base
623 +cron = base
624 +devices = base
625 +dmesg = base
626 +domain = base
627 +files = base
628 +filesystem = base
629 +fstools = base
630 +getty = base
631 +hostname = base
632 +hotplug = base
633 +init = base
634 +iptables = base
635 +kernel = base
636 +libraries = base
637 +locallogin = base
638 +logging = base
639 +lvm = base
640 +miscfiles = base
641 +mcs = base
642 +mls = base
643 +modutils = base
644 +mount = base
645 +mta = base
646 +netutils = base
647 +nscd = base
648 +portage = base
649 +raid = base
650 +rsync = base
651 +selinux = base
652 +selinuxutil = base
653 +ssh = base
654 +staff = base
655 +storage = base
656 +su = base
657 +sysadm = base
658 +sysnetwork = base
659 +terminal = base
660 +ubac = base
661 +udev = base
662 +userdomain = base
663 +usermanage = base
664 +unprivuser = base
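Review bot: modules.conf has no header explaining its format, yet the ebuild copies it verbatim over the `make conf` output for every policy store, so a reader has no hint that the right-hand side selects base/module/off or that the only build the ebuild runs is `make base`. I would add a two-line header such as `# <module> = base|module|off. Every module listed here is linked into base.pp;` followed by `# the ebuild appends "unconfined = base" for the targeted store.` Whether modules absent from this list are skipped entirely is presumably decided by the refpolicy Makefile and is worth confirming before documenting it here.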
665
666 diff --git a/sec-policy/selinux-base-policy/files/patchbundle-selinux-base-policy-2.20101213-r22.tar.bz2 b/sec-policy/selinux-base-policy/files/patchbundle-selinux-base-policy-2.20101213-r22.tar.bz2
667 new file mode 100644
668 index 0000000..c530e0e
669 Binary files /dev/null and b/sec-policy/selinux-base-policy/files/patchbundle-selinux-base-policy-2.20101213-r22.tar.bz2 differ
670
671 diff --git a/sec-policy/selinux-base-policy/metadata.xml b/sec-policy/selinux-base-policy/metadata.xml
672 new file mode 100644
673 index 0000000..393f3bb
674 --- /dev/null
675 +++ b/sec-policy/selinux-base-policy/metadata.xml
676 @@ -0,0 +1,14 @@
677 +<?xml version="1.0" encoding="UTF-8"?>
678 +<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
679 +<pkgmetadata>
680 + <herd>selinux</herd>
681 + <longdescription>
682 + Gentoo SELinux base policy. This contains policy for a system at the end of system installation.
683 + There is no extra policy in this package.
684 + </longdescription>
685 + <use>
686 + <flag name='peer_perms'>Enable the labeled networking peer permissions (SELinux policy capability).</flag>
687 + <flag name='open_perms'>Enable the open permissions for file object classes (SELinux policy capability).</flag>
688 + <flag name='ubac'>Enable User Based Access Control (UBAC) in the SELinux policy</flag>
689 + </use>
690 +</pkgmetadata>
691
692 diff --git a/sec-policy/selinux-base-policy/selinux-base-policy-2.20101213-r22.ebuild b/sec-policy/selinux-base-policy/selinux-base-policy-2.20101213-r22.ebuild
693 new file mode 100644
694 index 0000000..96d033e
695 --- /dev/null
696 +++ b/sec-policy/selinux-base-policy/selinux-base-policy-2.20101213-r22.ebuild
697 @@ -0,0 +1,147 @@
698 +# Copyright 1999-2011 Gentoo Foundation
699 +# Distributed under the terms of the GNU General Public License v2
700 +# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-base-policy/selinux-base-policy-2.20101213-r18.ebuild,v 1.1 2011/07/10 02:30:17 blueness Exp $
701 +
702 +EAPI="1"
703 +IUSE="+peer_perms +open_perms +ubac"
704 +
705 +inherit eutils
706 +
707 +PATCHBUNDLE="${FILESDIR}/patchbundle-${PF}.tar.bz2"
708 +#PATCHBUNDLE="${DISTDIR}/patchbundle-${PF}.tar.bz2"
709 +DESCRIPTION="Gentoo base policy for SELinux"
710 +HOMEPAGE="http://www.gentoo.org/proj/en/hardened/selinux/"
711 +SRC_URI="http://oss.tresys.com/files/refpolicy/refpolicy-${PV}.tar.bz2"
712 +#SRC_URI="http://oss.tresys.com/files/refpolicy/refpolicy-${PV}.tar.bz2
713 +# http://dev.gentoo.org/~blueness/patchbundle-selinux-base-policy/patchbundle-${PF}.tar.bz2"
714 +LICENSE="GPL-2"
715 +SLOT="0"
716 +
717 +KEYWORDS="~amd64 ~x86"
718 +
719 +RDEPEND=">=sys-apps/policycoreutils-1.30.30
720 + >=sys-fs/udev-151"
721 +DEPEND="${RDEPEND}
722 + sys-devel/m4
723 + >=sys-apps/checkpolicy-1.30.12"
724 +
725 +S=${WORKDIR}/
726 +
727 +src_unpack() {
728 + [ -z "${POLICY_TYPES}" ] && local POLICY_TYPES="targeted strict mls mcs"
729 +
730 + unpack ${A}
731 +
732 + cd "${S}"
733 + epatch "${PATCHBUNDLE}"
734 + cd "${S}/refpolicy"
735 + # Fix bug 257111
736 + sed -i -e 's:system_crond_t:system_cronjob_t:g' \
737 + "${S}/refpolicy/config/appconfig-standard/default_contexts"
738 + sed -i -e 's|system_r:cronjob_t|system_r:system_cronjob_t|g' \
739 + "${S}/refpolicy/config/appconfig-mls/default_contexts"
740 + sed -i -e 's|system_r:cronjob_t|system_r:system_cronjob_t|g' \
741 + "${S}/refpolicy/config/appconfig-mcs/default_contexts"
742 +
743 + if ! use peer_perms; then
744 + sed -i -e '/network_peer_controls/d' \
745 + "${S}/refpolicy/policy/policy_capabilities"
746 + fi
747 +
748 + if ! use open_perms; then
749 + sed -i -e '/open_perms/d' \
750 + "${S}/refpolicy/policy/policy_capabilities"
751 + fi
752 +
753 + for i in ${POLICY_TYPES}; do
754 + cp -a "${S}/refpolicy" "${S}/${i}"
755 +
756 + cd "${S}/${i}";
757 + make conf || die "Make conf in ${i} failed"
758 +
759 + # Define what we see as "base" and what we want to remain modular
760 + cp "${FILESDIR}/modules.conf" \
761 + "${S}/${i}/policy/modules.conf" \
762 + || die "failed to set up modules.conf"
763 + if [[ "${i}" == "targeted" ]];
764 + then
765 + echo "unconfined = base" >> "${S}/${i}/policy/modules.conf"
766 + fi
767 + sed -i -e '/^QUIET/s/n/y/' -e '/^MONOLITHIC/s/y/n/' \
768 + -e "/^NAME/s/refpolicy/$i/" "${S}/${i}/build.conf" \
769 + || die "build.conf setup failed."
770 +
771 + if [[ "${i}" == "mls" ]] || [[ "${i}" == "mcs" ]];
772 + then
773 + # MCS/MLS require additional settings
774 + sed -i -e "/^TYPE/s/standard/${i}/" "${S}/${i}/build.conf" \
775 + || die "failed to set type to mls"
776 + fi
777 +
778 + if ! use ubac; then
779 + sed -i -e 's:^UBAC = y:UBAC = n:g' "${S}/${i}/build.conf"
780 + fi
781 +
782 + echo "DISTRO = gentoo" >> "${S}/${i}/build.conf"
783 +
784 + if [ "${i}" == "targeted" ]; then
785 + sed -i -e '/root/d' -e 's/user_u/unconfined_u/' \
786 + "${S}/${i}/config/appconfig-standard/seusers" \
787 + || die "targeted seusers setup failed."
788 + fi
789 + done
790 +}
791 +
792 +src_compile() {
793 + [ -z "${POLICY_TYPES}" ] && local POLICY_TYPES="targeted strict mls mcs"
794 +
795 + for i in ${POLICY_TYPES}; do
796 + cd "${S}/${i}"
797 + make base || die "${i} compile failed"
798 + done
799 +}
800 +
801 +src_install() {
802 + [ -z "${POLICY_TYPES}" ] && local POLICY_TYPES="targeted strict mls mcs"
803 +
804 + for i in ${POLICY_TYPES}; do
805 + cd "${S}/${i}"
806 +
807 + make DESTDIR="${D}" install \
808 + || die "${i} install failed."
809 +
810 + make DESTDIR="${D}" install-headers \
811 + || die "${i} headers install failed."
812 +
813 + echo "run_init_t" > "${D}/etc/selinux/${i}/contexts/run_init_type"
814 +
815 + echo "textrel_shlib_t" >> "${D}/etc/selinux/${i}/contexts/customizable_types"
816 +
817 + # libsemanage won't make this on its own
818 + keepdir "/etc/selinux/${i}/policy"
819 + done
820 +
821 + dodoc doc/Makefile.example doc/example.{te,fc,if}
822 +
823 + insinto /etc/selinux
824 + doins "${FILESDIR}/config"
825 +}
826 +
827 +pkg_preinst() {
828 + has_version "<${CATEGORY}/${PN}-2.20101213-r13"
829 + previous_less_than_r13=$?
830 +}
831 +
832 +pkg_postinst() {
833 + [ -z "${POLICY_TYPES}" ] && local POLICY_TYPES="targeted strict mls mcs"
834 +
835 + for i in ${POLICY_TYPES}; do
836 + einfo "Inserting base module into ${i} module store."
837 +
838 + cd "/usr/share/selinux/${i}"
839 + semodule -s "${i}" -b base.pp || die "Could not load in new base policy"
840 + done
841 + elog "Updates on policies might require you to relabel files. If you, after"
842 + elog "installing new SELinux policies, get 'permission denied' errors,"
843 + elog "relabelling your system using 'rlpkg -a -r' might resolve the issues."
844 +}
845
846 diff --git a/sec-policy/selinux-mozilla/ChangeLog b/sec-policy/selinux-mozilla/ChangeLog
847 new file mode 100644
848 index 0000000..dba730c
849 --- /dev/null
850 +++ b/sec-policy/selinux-mozilla/ChangeLog
851 @@ -0,0 +1,40 @@
852 +# ChangeLog for sec-policy/selinux-mozilla
853 +# Copyright 1999-2011 Gentoo Foundation; Distributed under the GPL v2
854 +# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-mozilla/ChangeLog,v 1.5 2011/07/10 02:34:32 blueness Exp $
855 +
856 +*selinux-mozilla-2.20101213-r4 (02 Aug 2011)
857 +
858 + 02 Aug 2011; <swift@g.o> +files/fix-apps-mozilla-r4.patch,
859 + +selinux-mozilla-2.20101213-r4.ebuild, +metadata.xml:
860 + Allow mozilla to read ~/.local
861 +
862 +*selinux-mozilla-2.20101213-r3 (10 Jul 2011)
863 +
864 + 10 Jul 2011; Anthony G. Basile <blueness@g.o>
865 + +files/fix-apps-mozilla-r3.patch, +selinux-mozilla-2.20101213-r3.ebuild:
866 + Support proxy plugins and tor
867 +
868 + 04 Jun 2011; Anthony G. Basile <blueness@g.o>
869 + -selinux-mozilla-2.20101213.ebuild, -selinux-mozilla-2.20101213-r1.ebuild:
870 + Removed deprecated policies
871 +
872 + 02 Jun 2011; Anthony G. Basile <blueness@g.o>
873 + selinux-mozilla-2.20101213-r2.ebuild:
874 + Stable amd64 x86
875 +
876 +*selinux-mozilla-2.20101213-r2 (20 May 2011)
877 +
878 + 20 May 2011; Anthony G. Basile <blueness@g.o>
879 + +files/fix-apps-mozilla-r2.patch, +selinux-mozilla-2.20101213-r2.ebuild:
880 + Remove obsolete privileges
881 +
882 + 05 Feb 2011; Anthony G. Basile <blueness@g.o> ChangeLog:
883 + Initial commit to portage.
884 +
885 +*selinux-mozilla-2.20101213-r1 (22 Jan 2011)
886 +
887 + 22 Jan 2011; <swift@g.o> +selinux-mozilla-2.20101213-r1.ebuild,
888 + files/fix-mozilla.patch:
889 + Support binary firefox, add call to alsa interface and support tmp type
890 + for mozilla
891 +
892
893 diff --git a/sec-policy/selinux-mozilla/files/fix-apps-mozilla-r4.patch b/sec-policy/selinux-mozilla/files/fix-apps-mozilla-r4.patch
894 new file mode 100644
895 index 0000000..beef75d
896 --- /dev/null
897 +++ b/sec-policy/selinux-mozilla/files/fix-apps-mozilla-r4.patch
898 @@ -0,0 +1,82 @@
899 +--- apps/mozilla.te 2010-12-13 15:11:01.000000000 +0100
900 ++++ apps/mozilla.te 2011-07-24 16:48:16.221000672 +0200
901 +@@ -33,6 +33,10 @@
902 + files_tmpfs_file(mozilla_tmpfs_t)
903 + ubac_constrained(mozilla_tmpfs_t)
904 +
905 ++type mozilla_tmp_t;
906 ++files_tmp_file(mozilla_tmp_t)
907 ++ubac_constrained(mozilla_tmp_t)
908 ++
909 + ########################################
910 + #
911 + # Local policy
912 +@@ -68,6 +72,10 @@
913 + manage_sock_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
914 + fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { file lnk_file sock_file fifo_file })
915 +
916 ++manage_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
917 ++manage_dirs_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
918 ++files_tmp_filetrans(mozilla_t, mozilla_tmp_t, { file dir } )
919 ++
920 + kernel_read_kernel_sysctls(mozilla_t)
921 + kernel_read_network_state(mozilla_t)
922 + # Access /proc, sysctl
923 +@@ -89,15 +97,18 @@
924 + corenet_raw_sendrecv_generic_node(mozilla_t)
925 + corenet_tcp_sendrecv_http_port(mozilla_t)
926 + corenet_tcp_sendrecv_http_cache_port(mozilla_t)
927 ++corenet_tcp_sendrecv_tor_port(mozilla_t)
928 + corenet_tcp_sendrecv_ftp_port(mozilla_t)
929 + corenet_tcp_sendrecv_ipp_port(mozilla_t)
930 + corenet_tcp_connect_http_port(mozilla_t)
931 + corenet_tcp_connect_http_cache_port(mozilla_t)
932 ++corenet_tcp_connect_tor_port(mozilla_t)
933 + corenet_tcp_connect_ftp_port(mozilla_t)
934 + corenet_tcp_connect_ipp_port(mozilla_t)
935 + corenet_tcp_connect_generic_port(mozilla_t)
936 + corenet_tcp_connect_soundd_port(mozilla_t)
937 + corenet_sendrecv_http_client_packets(mozilla_t)
938 ++corenet_sendrecv_tor_client_packets(mozilla_t)
939 + corenet_sendrecv_http_cache_client_packets(mozilla_t)
940 + corenet_sendrecv_ftp_client_packets(mozilla_t)
941 + corenet_sendrecv_ipp_client_packets(mozilla_t)
942 +@@ -143,6 +154,7 @@
943 +
944 + userdom_use_user_ptys(mozilla_t)
945 +
946 ++
947 + xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
948 + xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
949 + xserver_dontaudit_getattr_xdm_tmp_sockets(mozilla_t)
950 +@@ -193,6 +205,7 @@
951 + userdom_list_user_tmp(mozilla_t)
952 + userdom_read_user_tmp_files(mozilla_t)
953 + userdom_read_user_tmp_symlinks(mozilla_t)
954 ++ userdom_list_user_home_content(mozilla_t)
955 + userdom_read_user_home_content_files(mozilla_t)
956 + userdom_read_user_home_content_symlinks(mozilla_t)
957 +
958 +@@ -266,3 +279,7 @@
959 + optional_policy(`
960 + thunderbird_domtrans(mozilla_t)
961 + ')
962 ++
963 ++optional_policy(`
964 ++ alsa_read_rw_config(mozilla_t)
965 ++')
966 +--- apps/mozilla.fc 2010-08-03 15:11:03.000000000 +0200
967 ++++ apps/mozilla.fc 2011-07-21 10:08:43.909000256 +0200
968 +@@ -27,3 +27,12 @@
969 + /usr/lib(64)?/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
970 + /usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
971 + /usr/lib64/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
972 ++
973 ++ifdef(`distro_gentoo',`
974 ++/usr/bin/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
975 ++/opt/firefox/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
976 ++/opt/firefox/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
977 ++/opt/firefox/run-mozilla.sh -- gen_context(system_u:object_r:mozilla_exec_t,s0)
978 ++/opt/firefox/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
979 ++/opt/firefox/plugin-container -- gen_context(system_u:object_r:mozilla_exec_t,s0)
980 ++')
981
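Review bot: `userdom_list_user_home_content(mozilla_t)` in the hunk at mozilla.te line 205 grants directory listing over every user home content type, which is wider than the "~/.local" the ChangeLog entry describes; if only ~/.local is meant, the intended scope should be stated next to the call, e.g. `# listing is needed for ~/.local; this covers all user home content types`. The hunk at line 154 adds only a blank line and should be dropped as noise. In mozilla.fc, labelling `/opt/firefox/libxul\.so` as textrel_shlib_t deliberately permits text relocations for that library and deserves a one-line why-comment in the patch so the relaxation is not carried forward blindly on the next rebase.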
982 diff --git a/sec-policy/selinux-mozilla/metadata.xml b/sec-policy/selinux-mozilla/metadata.xml
983 new file mode 100644
984 index 0000000..d718f1b
985 --- /dev/null
986 +++ b/sec-policy/selinux-mozilla/metadata.xml
987 @@ -0,0 +1,6 @@
988 +<?xml version="1.0" encoding="UTF-8"?>
989 +<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
990 +<pkgmetadata>
991 + <herd>selinux</herd>
992 + <longdescription>Gentoo SELinux policy for mozilla</longdescription>
993 +</pkgmetadata>
994
995 diff --git a/sec-policy/selinux-mozilla/selinux-mozilla-2.20101213-r4.ebuild b/sec-policy/selinux-mozilla/selinux-mozilla-2.20101213-r4.ebuild
996 new file mode 100644
997 index 0000000..1a87091
998 --- /dev/null
999 +++ b/sec-policy/selinux-mozilla/selinux-mozilla-2.20101213-r4.ebuild
1000 @@ -0,0 +1,15 @@
1001 +# Copyright 1999-2011 Gentoo Foundation
1002 +# Distributed under the terms of the GNU General Public License v2
1003 +# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-mozilla/selinux-mozilla-2.20101213-r3.ebuild,v 1.1 2011/07/10 02:34:32 blueness Exp $
1004 +
1005 +IUSE=""
1006 +
1007 +MODS="mozilla"
1008 +
1009 +inherit selinux-policy-2
1010 +
1011 +DESCRIPTION="SELinux policy for general applications"
1012 +
1013 +KEYWORDS="~amd64 ~x86"
1014 +
1015 +POLICY_PATCH="${FILESDIR}/fix-apps-mozilla-r4.patch"
1016
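Review bot: This ebuild sets no RDEPEND on sec-policy/selinux-base-policy, while the pan and skype ebuilds in the same commit pin `>=sec-policy/selinux-base-policy-2.20101213-r22` and `-r20`; the r4 patch relies on base interfaces such as `corenet_tcp_connect_tor_port`, so unless the selinux-policy-2 eclass supplies a default dependency (not visible here), add `RDEPEND=">=sec-policy/selinux-base-policy-2.20101213-r22"`. The `$Header` line still names the r3 ebuild. DESCRIPTION "SELinux policy for general applications" is the same generic string used by the pan and skype ebuilds; `DESCRIPTION="SELinux policy for mozilla"` would match the metadata.xml longdescription.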
1017 diff --git a/sec-policy/selinux-pan/ChangeLog b/sec-policy/selinux-pan/ChangeLog
1018 new file mode 100644
1019 index 0000000..39e044f
1020 --- /dev/null
1021 +++ b/sec-policy/selinux-pan/ChangeLog
1022 @@ -0,0 +1,33 @@
1023 +# ChangeLog for sec-policy/selinux-pan
1024 +# Copyright 1999-2011 Gentoo Foundation; Distributed under the GPL v2
1025 +# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-skype/ChangeLog,v 1.3 2011/06/04 18:10:53 blueness Exp $
1026 +
1027 +*selinux-pan-2.20101213-r1 (02 Aug 2011)
1028 +
1029 + 02 Aug 2011; <swift@g.o> +files/fix-apps-pan-r1.patch,
1030 + +selinux-pan-2.20101213-r1.ebuild, +metadata.xml:
1031 + Initial policy for pan
1032 +
1033 + 04 Jun 2011; Anthony G. Basile <blueness@g.o>
1034 + -selinux-skype-2.20101213.ebuild, -selinux-skype-2.20101213-r1.ebuild:
1035 + Removed deprecated policies
1036 +
1037 + 02 Jun 2011; Anthony G. Basile <blueness@g.o>
1038 + selinux-skype-2.20101213-r2.ebuild:
1039 + Stable amd64 x86
1040 +
1041 + 05 Feb 2011; Anthony G. Basile <blueness@g.o> ChangeLog:
1042 + Initial commit to portage.
1043 +
1044 +*selinux-skype-2.20101213-r2 (31 Jan 2011)
1045 +
1046 + 31 Jan 2011; <swift@g.o> +files/add-apps-skype-r2.patch,
1047 + +selinux-skype-2.20101213-r2.ebuild:
1048 + Allow userhome access, set some dontaudits etc.
1049 +
1050 +*selinux-skype-2.20101213-r1 (22 Jan 2011)
1051 +
1052 + 22 Jan 2011; <swift@g.o> +selinux-skype-2.20101213-r1.ebuild,
1053 + +files/add-apps-skype.patch:
1054 + Update skype module to 'comply' with suggested approach for domains
1055 +
1056
1057 diff --git a/sec-policy/selinux-pan/files/fix-apps-pan-r1.patch b/sec-policy/selinux-pan/files/fix-apps-pan-r1.patch
1058 new file mode 100644
1059 index 0000000..af477bf
1060 --- /dev/null
1061 +++ b/sec-policy/selinux-pan/files/fix-apps-pan-r1.patch
1062 @@ -0,0 +1,110 @@
1063 +--- apps/pan.te 1970-01-01 01:00:00.000000000 +0100
1064 ++++ apps/pan.te 2011-07-24 18:31:32.760000849 +0200
1065 +@@ -0,0 +1,102 @@
1066 ++policy_module(pan, 1.0)
1067 ++
1068 ++########################################
1069 ++#
1070 ++# Declarations
1071 ++#
1072 ++
1073 ++type pan_t;
1074 ++type pan_exec_t;
1075 ++application_domain(pan_t, pan_exec_t)
1076 ++ubac_constrained(pan_t)
1077 ++
1078 ++type pan_home_t;
1079 ++userdom_user_home_content(pan_home_t)
1080 ++
1081 ++#type pan_tmp_t;
1082 ++#files_tmp_file(pan_tmp_t)
1083 ++#ubac_constrained(pan_tmp_t)
1084 ++
1085 ++type pan_tmpfs_t;
1086 ++files_tmpfs_file(pan_tmpfs_t)
1087 ++ubac_constrained(pan_tmpfs_t)
1088 ++
1089 ++########################################
1090 ++#
1091 ++# Pan local policy
1092 ++#
1093 ++allow pan_t self:process { getsched signal };
1094 ++allow pan_t self:fifo_file rw_fifo_file_perms;
1095 ++allow pan_t pan_tmpfs_t:file { read write };
1096 ++
1097 ++# Allow pan to work with its ~/.pan2 location
1098 ++manage_dirs_pattern(pan_t, pan_home_t, pan_home_t)
1099 ++manage_files_pattern(pan_t, pan_home_t, pan_home_t)
1100 ++manage_lnk_files_pattern(pan_t, pan_home_t, pan_home_t)
1101 ++
1102 ++# Support for shared memory
1103 ++fs_tmpfs_filetrans(pan_t, pan_tmpfs_t, file)
1104 ++
1105 ++## Kernel layer calls
1106 ++#
1107 ++kernel_dontaudit_read_system_state(pan_t)
1108 ++files_read_etc_files(pan_t)
1109 ++files_read_usr_files(pan_t)
1110 ++corenet_all_recvfrom_unlabeled(pan_t)
1111 ++corenet_all_recvfrom_netlabel(pan_t)
1112 ++corenet_tcp_connect_innd_port(pan_t)
1113 ++corenet_tcp_sendrecv_generic_if(pan_t)
1114 ++corenet_tcp_sendrecv_generic_node(pan_t)
1115 ++corenet_tcp_sendrecv_innd_port(pan_t)
1116 ++corenet_sendrecv_innd_client_packets(pan_t)
1117 ++
1118 ++## System layer calls
1119 ++#
1120 ++miscfiles_read_localization(pan_t)
1121 ++sysnet_dns_name_resolve(pan_t)
1122 ++userdom_manage_user_home_content_dirs(pan_t)
1123 ++userdom_manage_user_home_content_files(pan_t)
1124 ++
1125 ++## Other yayer calls
1126 ++#
1127 ++xserver_user_x_domain_template(pan, pan_t, pan_tmpfs_t)
1128 ++
1129 ++tunable_policy(`use_nfs_home_dirs',`
1130 ++ fs_manage_nfs_dirs(pan_t)
1131 ++ fs_manage_nfs_files(pan_t)
1132 ++ fs_manage_nfs_symlinks(pan_t)
1133 ++')
1134 ++
1135 ++tunable_policy(`use_samba_home_dirs',`
1136 ++ fs_manage_cifs_dirs(pan_t)
1137 ++ fs_manage_cifs_files(pan_t)
1138 ++ fs_manage_cifs_symlinks(pan_t)
1139 ++')
1140 ++
1141 ++optional_policy(`
1142 ++ cups_read_rw_config(pan_t)
1143 ++')
1144 ++
1145 ++optional_policy(`
1146 ++ dbus_system_bus_client(pan_t)
1147 ++ dbus_session_bus_client(pan_t)
1148 ++')
1149 ++
1150 ++optional_policy(`
1151 ++ gnome_stream_connect_gconf(pan_t)
1152 ++')
1153 ++
1154 ++optional_policy(`
1155 ++ gpg_domtrans(pan_t)
1156 ++ gpg_signal(pan_t)
1157 ++')
1158 ++
1159 ++optional_policy(`
1160 ++ lpd_domtrans_lpr(pan_t)
1161 ++')
1162 ++
1163 ++optional_policy(`
1164 ++ mozilla_read_user_home_files(pan_t)
1165 ++ mozilla_domtrans(pan_t)
1166 ++')
1167 ++
1168 +--- apps/pan.fc 1970-01-01 01:00:00.000000000 +0100
1169 ++++ apps/pan.fc 2011-07-24 17:56:50.338000789 +0200
1170 +@@ -0,0 +1,2 @@
1171 ++/usr/bin/pan -- gen_context(system_u:object_r:pan_exec_t,s0)
1172 ++HOME_DIR/\.pan2(/.*)? gen_context(system_u:object_r:pan_home_t,s0)
1173
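Review bot: pan.te declares `pan_home_t` and pan.fc labels `HOME_DIR/\.pan2(/.*)?` with it, but there is no `userdom_user_home_dir_filetrans(pan_t, pan_home_t, dir)` (skype.te in this commit has the equivalent), so a ~/.pan2 that pan creates itself is presumably created as generic user home content and stays so until a relabel; adding that filetrans, or a comment stating the directory is expected to be labelled by restorecon, closes the gap. `userdom_manage_user_home_content_dirs(pan_t)` and `userdom_manage_user_home_content_files(pan_t)` then give the domain manage rights over all user home content anyway, which makes the dedicated pan_home_t type largely cosmetic, so a comment on why the broad grant is needed would help the next reviewer. Minor: `## Other yayer calls` should read `## Other layer calls`, and the commented-out `pan_tmp_t` block should be removed or explained.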
1174 diff --git a/sec-policy/selinux-pan/metadata.xml b/sec-policy/selinux-pan/metadata.xml
1175 new file mode 100644
1176 index 0000000..95a7e9f
1177 --- /dev/null
1178 +++ b/sec-policy/selinux-pan/metadata.xml
1179 @@ -0,0 +1,6 @@
1180 +<?xml version="1.0" encoding="UTF-8"?>
1181 +<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
1182 +<pkgmetadata>
1183 + <herd>selinux</herd>
1184 + <longdescription>Gentoo SELinux policy for pan</longdescription>
1185 +</pkgmetadata>
1186
1187 diff --git a/sec-policy/selinux-pan/selinux-pan-2.20101213-r1.ebuild b/sec-policy/selinux-pan/selinux-pan-2.20101213-r1.ebuild
1188 new file mode 100644
1189 index 0000000..5b30d33
1190 --- /dev/null
1191 +++ b/sec-policy/selinux-pan/selinux-pan-2.20101213-r1.ebuild
1192 @@ -0,0 +1,16 @@
1193 +# Copyright 1999-2011 Gentoo Foundation
1194 +# Distributed under the terms of the GNU General Public License v2
1195 +# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-skype/selinux-skype-2.20101213-r2.ebuild,v 1.2 2011/06/02 12:56:29 blueness Exp $
1196 +
1197 +IUSE=""
1198 +
1199 +MODS="pan"
1200 +
1201 +inherit selinux-policy-2
1202 +
1203 +DESCRIPTION="SELinux policy for general applications"
1204 +
1205 +KEYWORDS="~amd64 ~x86"
1206 +
1207 +POLICY_PATCH="${FILESDIR}/fix-apps-pan-r1.patch"
1208 +RDEPEND=">=sec-policy/selinux-base-policy-2.20101213-r22"
1209
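Review bot: The `$Header` line points at selinux-skype-2.20101213-r2.ebuild, and the accompanying ChangeLog for this new package still carries the selinux-skype header and entries, which reads as copy-paste residue; the header should reference this file and the ChangeLog should hold only pan entries. DESCRIPTION "SELinux policy for general applications" is the generic string shared with the mozilla and skype ebuilds; `DESCRIPTION="SELinux policy for pan"` would match metadata.xml.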
1210 diff --git a/sec-policy/selinux-skype/ChangeLog b/sec-policy/selinux-skype/ChangeLog
1211 new file mode 100644
1212 index 0000000..e89dec5
1213 --- /dev/null
1214 +++ b/sec-policy/selinux-skype/ChangeLog
1215 @@ -0,0 +1,33 @@
1216 +# ChangeLog for sec-policy/selinux-skype
1217 +# Copyright 1999-2011 Gentoo Foundation; Distributed under the GPL v2
1218 +# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-skype/ChangeLog,v 1.3 2011/06/04 18:10:53 blueness Exp $
1219 +
1220 +*selinux-skype-2.20101213-r3 (02 Aug 2011)
1221 +
1222 + 02 Aug 2011; <swift@g.o> +files/fix-apps-skype-r3.patch,
1223 + +selinux-skype-2.20101213-r3.ebuild, +metadata.xml:
1224 + Improve policy style, do not require libs_use_ld_so
1225 +
1226 + 04 Jun 2011; Anthony G. Basile <blueness@g.o>
1227 + -selinux-skype-2.20101213.ebuild, -selinux-skype-2.20101213-r1.ebuild:
1228 + Removed deprecated policies
1229 +
1230 + 02 Jun 2011; Anthony G. Basile <blueness@g.o>
1231 + selinux-skype-2.20101213-r2.ebuild:
1232 + Stable amd64 x86
1233 +
1234 + 05 Feb 2011; Anthony G. Basile <blueness@g.o> ChangeLog:
1235 + Initial commit to portage.
1236 +
1237 +*selinux-skype-2.20101213-r2 (31 Jan 2011)
1238 +
1239 + 31 Jan 2011; <swift@g.o> +files/add-apps-skype-r2.patch,
1240 + +selinux-skype-2.20101213-r2.ebuild:
1241 + Allow userhome access, set some dontaudits etc.
1242 +
1243 +*selinux-skype-2.20101213-r1 (22 Jan 2011)
1244 +
1245 + 22 Jan 2011; <swift@g.o> +selinux-skype-2.20101213-r1.ebuild,
1246 + +files/add-apps-skype.patch:
1247 + Update skype module to 'comply' with suggested approach for domains
1248 +
1249
1250 diff --git a/sec-policy/selinux-skype/files/fix-apps-skype-r3.patch b/sec-policy/selinux-skype/files/fix-apps-skype-r3.patch
1251 new file mode 100644
1252 index 0000000..337f395
1253 --- /dev/null
1254 +++ b/sec-policy/selinux-skype/files/fix-apps-skype-r3.patch
1255 @@ -0,0 +1,120 @@
1256 +--- apps/skype.te 1970-01-01 01:00:00.000000000 +0100
1257 ++++ apps/skype.te 2011-07-24 17:24:40.996000734 +0200
1258 +@@ -0,0 +1,111 @@
1259 ++policy_module(skype, 0.0.2)
1260 ++
1261 ++############################
1262 ++#
1263 ++# Declarations
1264 ++#
1265 ++
1266 ++type skype_t;
1267 ++type skype_exec_t;
1268 ++application_domain(skype_t, skype_exec_t)
1269 ++
1270 ++type skype_home_t;
1271 ++
1272 ++type skype_tmpfs_t;
1273 ++files_tmpfs_file(skype_tmpfs_t)
1274 ++ubac_constrained(skype_tmpfs_t)
1275 ++
1276 ++############################
1277 ++#
1278 ++# Policy
1279 ++#
1280 ++
1281 ++allow skype_t self:process { getsched setsched execmem signal };
1282 ++allow skype_t self:fifo_file rw_fifo_file_perms;
1283 ++allow skype_t self:unix_stream_socket create_socket_perms;
1284 ++allow skype_t self:sem create_sem_perms;
1285 ++allow skype_t self:tcp_socket create_stream_socket_perms;
1286 ++
1287 ++# Allow skype to work with its ~/.skype location
1288 ++manage_dirs_pattern(skype_t, skype_home_t, skype_home_t)
1289 ++manage_files_pattern(skype_t, skype_home_t, skype_home_t)
1290 ++manage_lnk_files_pattern(skype_t, skype_home_t, skype_home_t)
1291 ++
1292 ++# Needed for supporting X11 & shared memory
1293 ++manage_files_pattern(skype_t, skype_tmpfs_t, skype_tmpfs_t)
1294 ++manage_lnk_files_pattern(skype_t, skype_tmpfs_t, skype_tmpfs_t)
1295 ++manage_fifo_files_pattern(skype_t, skype_tmpfs_t, skype_tmpfs_t)
1296 ++manage_sock_files_pattern(skype_t, skype_tmpfs_t, skype_tmpfs_t)
1297 ++fs_tmpfs_filetrans(skype_t, skype_tmpfs_t, { file lnk_file sock_file fifo_file })
1298 ++
1299 ++# In Gentoo, the skype script calls skype binary. To keep the
1300 ++# number of privileges for the user domain sufficiently manageable,
1301 ++# we already label the script as skype_exec_t. Hence, the script
1302 ++# needs to be able to execute skype_exec_t files too.
1303 ++can_exec(skype_t, skype_exec_t)
1304 ++
1305 ++## Kernel layer calls
1306 ++#
1307 ++kernel_dontaudit_search_sysctl(skype_t)
1308 ++kernel_read_system_state(skype_t)
1309 ++
1310 ++corecmd_exec_bin(skype_t)
1311 ++corecmd_exec_shell(skype_t)
1312 ++
1313 ++corenet_all_recvfrom_netlabel(skype_t)
1314 ++corenet_all_recvfrom_unlabeled(skype_t)
1315 ++corenet_sendrecv_http_client_packets(skype_t)
1316 ++corenet_tcp_bind_generic_node(skype_t)
1317 ++corenet_tcp_bind_generic_port(skype_t)
1318 ++corenet_tcp_connect_generic_port(skype_t)
1319 ++corenet_tcp_connect_http_port(skype_t)
1320 ++corenet_tcp_sendrecv_http_port(skype_t)
1321 ++corenet_udp_bind_generic_node(skype_t)
1322 ++corenet_udp_bind_generic_port(skype_t)
1323 ++
1324 ++dev_read_sound(skype_t)
1325 ++dev_read_video_dev(skype_t)
1326 ++dev_write_sound(skype_t)
1327 ++dev_write_video_dev(skype_t)
1328 ++
1329 ++# Needed to debug skype (start through commandline)
1330 ++domain_use_interactive_fds(skype_t)
1331 ++
1332 ++files_read_etc_files(skype_t)
1333 ++files_read_usr_files(skype_t)
1334 ++
1335 ++## System layer calls
1336 ++#
1337 ++auth_use_nsswitch(skype_t)
1338 ++miscfiles_dontaudit_setattr_fonts_dirs(skype_t)
1339 ++miscfiles_read_localization(skype_t)
1340 ++userdom_manage_user_home_content_dirs(skype_t)
1341 ++userdom_manage_user_home_content_files(skype_t)
1342 ++userdom_use_user_terminals(skype_t)
1343 ++userdom_user_home_dir_filetrans(skype_t, skype_home_t, dir)
1344 ++userdom_user_home_content(skype_home_t)
1345 ++
1346 ++## Other calls
1347 ++#
1348 ++xserver_user_x_domain_template(skype, skype_t, skype_tmpfs_t)
1349 ++
1350 ++tunable_policy(`gentoo_try_dontaudit',`
1351 ++ dev_dontaudit_search_sysfs(skype_t)
1352 ++ fs_dontaudit_getattr_xattr_fs(skype_t)
1353 ++')
1354 ++
1355 ++optional_policy(`
1356 ++ tunable_policy(`gentoo_try_dontaudit',`
1357 ++ mozilla_dontaudit_manage_user_home_files(skype_t)
1358 ++ ')
1359 ++')
1360 ++
1361 ++optional_policy(`
1362 ++ alsa_read_rw_config(skype_t)
1363 ++')
1364 ++
1365 ++optional_policy(`
1366 ++ dbus_system_bus_client(skype_t)
1367 ++ dbus_session_bus_client(skype_t)
1368 ++')
1369 ++
1370 +--- apps/skype.fc 1970-01-01 01:00:00.000000000 +0100
1371 ++++ apps/skype.fc 2011-07-21 10:08:43.824000256 +0200
1372 +@@ -0,0 +1,3 @@
1373 ++/usr/bin/skype -- gen_context(system_u:object_r:skype_exec_t,s0)
1374 ++/opt/skype/skype -- gen_context(system_u:object_r:skype_exec_t,s0)
1375 ++HOME_DIR/\.Skype(/.*)? gen_context(system_u:object_r:skype_home_t,s0)
1376
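Review bot: `userdom_user_home_content(skype_home_t)` sits in the policy section at the end of the userdom calls rather than next to `type skype_home_t;` under Declarations, where pan.te in this commit places its equivalent; moving it up keeps the type fully declared in one place. `execmem` in the self:process rule and `corenet_tcp_bind_generic_port`/`corenet_udp_bind_generic_port` are the widest grants in the module and carry no justification, unlike `can_exec(skype_t, skype_exec_t)`, which is well commented; add e.g. `# execmem and generic port binds are required by the proprietary binary; confirm against the audit log before widening further`.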
1377 diff --git a/sec-policy/selinux-skype/metadata.xml b/sec-policy/selinux-skype/metadata.xml
1378 new file mode 100644
1379 index 0000000..810b563
1380 --- /dev/null
1381 +++ b/sec-policy/selinux-skype/metadata.xml
1382 @@ -0,0 +1,6 @@
1383 +<?xml version="1.0" encoding="UTF-8"?>
1384 +<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
1385 +<pkgmetadata>
1386 + <herd>selinux</herd>
1387 + <longdescription>Gentoo SELinux policy for skype</longdescription>
1388 +</pkgmetadata>
1389
1390 diff --git a/sec-policy/selinux-skype/selinux-skype-2.20101213-r3.ebuild b/sec-policy/selinux-skype/selinux-skype-2.20101213-r3.ebuild
1391 new file mode 100644
1392 index 0000000..663bd97
1393 --- /dev/null
1394 +++ b/sec-policy/selinux-skype/selinux-skype-2.20101213-r3.ebuild
1395 @@ -0,0 +1,16 @@
1396 +# Copyright 1999-2011 Gentoo Foundation
1397 +# Distributed under the terms of the GNU General Public License v2
1398 +# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-skype/selinux-skype-2.20101213-r2.ebuild,v 1.2 2011/06/02 12:56:29 blueness Exp $
1399 +
1400 +IUSE=""
1401 +
1402 +MODS="skype"
1403 +
1404 +inherit selinux-policy-2
1405 +
1406 +DESCRIPTION="SELinux policy for general applications"
1407 +
1408 +KEYWORDS="~amd64 ~x86"
1409 +
1410 +POLICY_PATCH="${FILESDIR}/fix-apps-skype-r3.patch"
1411 +RDEPEND=">=sec-policy/selinux-base-policy-2.20101213-r20"
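Review bot: RDEPEND pins `>=sec-policy/selinux-base-policy-2.20101213-r20` while the pan ebuild in the same commit requires r22 and the commit ships r22; if the r3 policy relies on anything newer than r20 (the `gentoo_try_dontaudit` tunable, for instance), the lower bound should become `RDEPEND=">=sec-policy/selinux-base-policy-2.20101213-r22"`, and if r20 is genuinely enough a short comment on why the two packages differ avoids the question on the next bump. The `$Header` line still names the r2 ebuild.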