commit: e67dd39d2a05726d5dde9f9086c1cad1dd918038 |
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
AuthorDate: Tue Aug 2 19:54:06 2011 +0000 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
CommitDate: Tue Aug 2 19:54:06 2011 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=e67dd39d |
|
Update on 2.20101213 policy |
|
--- |
sec-policy/selinux-base-policy/ChangeLog | 550 ++++++++++++++++++++ |
sec-policy/selinux-base-policy/files/config | 15 + |
sec-policy/selinux-base-policy/files/modules.conf | 49 ++ |
...ndle-selinux-base-policy-2.20101213-r22.tar.bz2 | Bin 0 -> 20236 bytes |
sec-policy/selinux-base-policy/metadata.xml | 14 + |
.../selinux-base-policy-2.20101213-r22.ebuild | 147 ++++++ |
sec-policy/selinux-mozilla/ChangeLog | 40 ++ |
.../files/fix-apps-mozilla-r4.patch | 82 +++ |
sec-policy/selinux-mozilla/metadata.xml | 6 + |
.../selinux-mozilla-2.20101213-r4.ebuild | 15 + |
sec-policy/selinux-pan/ChangeLog | 33 ++ |
sec-policy/selinux-pan/files/fix-apps-pan-r1.patch | 110 ++++ |
sec-policy/selinux-pan/metadata.xml | 6 + |
.../selinux-pan/selinux-pan-2.20101213-r1.ebuild | 16 + |
sec-policy/selinux-skype/ChangeLog | 33 ++ |
.../selinux-skype/files/fix-apps-skype-r3.patch | 120 +++++ |
sec-policy/selinux-skype/metadata.xml | 6 + |
.../selinux-skype-2.20101213-r3.ebuild | 16 + |
18 files changed, 1258 insertions(+), 0 deletions(-) |
|
31 |
diff --git a/sec-policy/selinux-base-policy/ChangeLog b/sec-policy/selinux-base-policy/ChangeLog |
32 |
new file mode 100644 |
33 |
index 0000000..bb333fb |
34 |
--- /dev/null |
35 |
+++ b/sec-policy/selinux-base-policy/ChangeLog |
36 |
@@ -0,0 +1,550 @@ |
37 |
+# ChangeLog for sec-policy/selinux-base-policy |
38 |
+# Copyright 1999-2011 Gentoo Foundation; Distributed under the GPL v2 |
39 |
+# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-base-policy/ChangeLog,v 1.80 2011/07/11 01:59:36 blueness Exp $ |
40 |
+ |
41 |
+*selinux-base-policy-2.20101213-r22 (02 Aug 2011) |
42 |
+ |
43 |
+ 02 Aug 2011; <swift@g.o> +selinux-base-policy-2.20101213-r22.ebuild, |
44 |
+ +files/patchbundle-selinux-base-policy-2.20101213-r22.tar.bz2, +files/config, |
45 |
+ +files/modules.conf, +metadata.xml: |
46 |
+ Support cron-triggered portage administration tasks, add pan policy |
47 |
+ |
48 |
+*selinux-base-policy-2.20101213-r20 (19 Jul 2011) |
49 |
+ |
50 |
+ 19 Jul 2011; <swift@g.o> -selinux-base-policy-2.20101213-r19.ebuild, |
51 |
+ +selinux-base-policy-2.20101213-r20.ebuild, |
52 |
+ -files/patchbundle-selinux-base-policy-2.20101213-r19.tar.bz2, |
53 |
+ +files/patchbundle-selinux-base-policy-2.20101213-r20.tar.bz2: |
54 |
+ Start with -r20 series |
55 |
+ |
56 |
+ 11 Jul 2011; Anthony G. Basile <blueness@g.o> |
57 |
+ -files/selinux-base-policy-20070329.diff, |
58 |
+ -selinux-base-policy-20080525.ebuild, |
59 |
+ -selinux-base-policy-20080525-r1.ebuild, -files/modules.conf.strict, |
60 |
+ -files/modules.conf.strict.20070928, -files/modules.conf.strict.20080525, |
61 |
+ -files/modules.conf.targeted, -files/modules.conf.targeted.20070928, |
62 |
+ -files/modules.conf.targeted.20080525: |
63 |
+ Removed all pre 2.20xx base policies |
64 |
+ |
65 |
+*selinux-base-policy-2.20101213-r18 (10 Jul 2011) |
66 |
+ |
67 |
+ 10 Jul 2011; Anthony G. Basile <blueness@g.o> |
68 |
+ +selinux-base-policy-2.20101213-r18.ebuild: |
69 |
+ Bump to r18, improve support for openrc, allow portage to work with |
70 |
+ NFS-mounted locations, fix firefox plugin support, fix postgres init |
71 |
+ script support, fix syslog startup issue |
72 |
+ |
73 |
+ 03 Jul 2011; Anthony G. Basile <blueness@g.o> |
74 |
+ selinux-base-policy-2.20101213-r16.ebuild, |
75 |
+ selinux-base-policy-2.20101213-r17.ebuild, |
76 |
+ -files/patchbundle-selinux-base-policy-2.20101213-r16.tar.bz2, |
77 |
+ -files/patchbundle-selinux-base-policy-2.20101213-r17.tar.bz2: |
78 |
+ Moved patchbundles out of ${FILESDIR}, bug #370927 |
79 |
+ |
80 |
+ 30 Jun 2011; Anthony G. Basile <blueness@g.o> |
81 |
+ -selinux-base-policy-2.20101213-r11.ebuild, |
82 |
+ -selinux-base-policy-2.20101213-r12.ebuild, |
83 |
+ -files/patchbundle-selinux-base-policy-2.20101213-r11.tar.bz2, |
84 |
+ -files/patchbundle-selinux-base-policy-2.20101213-r12.tar.bz2: |
85 |
+ Removed deprecated versions |
86 |
+ |
87 |
+*selinux-base-policy-2.20101213-r17 (30 Jun 2011) |
88 |
+ |
89 |
+ 30 Jun 2011; Anthony G. Basile <blueness@g.o> |
90 |
+ +selinux-base-policy-2.20101213-r17.ebuild, |
91 |
+ +files/patchbundle-selinux-base-policy-2.20101213-r17.tar.bz2: |
92 |
+ Add support for zabbix |
93 |
+ |
94 |
+ 02 Jun 2011; Anthony G. Basile <blueness@g.o> |
95 |
+ selinux-base-policy-2.20101213-r16.ebuild: |
96 |
+ Stable amd64 x86 |
97 |
+ |
98 |
+ 20 May 2011; Anthony G. Basile <blueness@g.o> |
99 |
+ -selinux-base-policy-2.20101213-r5.ebuild, |
100 |
+ -selinux-base-policy-2.20101213-r6.ebuild, |
101 |
+ -selinux-base-policy-2.20101213-r7.ebuild, |
102 |
+ -selinux-base-policy-2.20101213-r9.ebuild, |
103 |
+ -selinux-base-policy-2.20101213-r10.ebuild, |
104 |
+ -files/patchbundle-selinux-base-policy-2.20101213-r10.tar.bz2, |
105 |
+ -files/patchbundle-selinux-base-policy-2.20101213-r5.tar.bz2, |
106 |
+ -files/patchbundle-selinux-base-policy-2.20101213-r6.tar.bz2, |
107 |
+ -files/patchbundle-selinux-base-policy-2.20101213-r7.tar.bz2, |
108 |
+ -files/patchbundle-selinux-base-policy-2.20101213-r9.tar.bz2: |
109 |
+ Removed deprecated revisions of base policy 2.20101213 |
110 |
+ |
111 |
+*selinux-base-policy-2.20101213-r16 (20 May 2011) |
112 |
+ |
113 |
+ 20 May 2011; Anthony G. Basile <blueness@g.o> |
114 |
+ +selinux-base-policy-2.20101213-r16.ebuild, |
115 |
+ +files/patchbundle-selinux-base-policy-2.20101213-r16.tar.bz2, metadata.xml: |
116 |
+ Drop obsoleted policy builds, add openrc support (rc-update, rc-status), |
117 |
+ correct file contexts for /lib64, make UBAC optional (#257111 and #306393), |
118 |
+ use portage_srcrepo_t for live ebuilds and match mdadm policy with upstream |
119 |
+ |
120 |
+*selinux-base-policy-2.20101213-r12 (16 Apr 2011) |
121 |
+*selinux-base-policy-2.20101213-r11 (16 Apr 2011) |
122 |
+ |
123 |
+ 16 Apr 2011; Anthony G. Basile <blueness@g.o> |
124 |
+ +selinux-base-policy-2.20101213-r11.ebuild, |
125 |
+ +selinux-base-policy-2.20101213-r12.ebuild, |
126 |
+ +files/patchbundle-selinux-base-policy-2.20101213-r11.tar.bz2, |
127 |
+ +files/patchbundle-selinux-base-policy-2.20101213-r12.tar.bz2: |
128 |
+ Added new patchbundles for rev bumps to base policy 2.20101213 |
129 |
+ |
130 |
+*selinux-base-policy-2.20101213-r10 (07 Mar 2011) |
131 |
+*selinux-base-policy-2.20101213-r9 (07 Mar 2011) |
132 |
+ |
133 |
+ 07 Mar 2011; Anthony G. Basile <blueness@g.o> |
134 |
+ +selinux-base-policy-2.20101213-r9.ebuild, |
135 |
+ +selinux-base-policy-2.20101213-r10.ebuild, |
136 |
+ +files/patchbundle-selinux-base-policy-2.20101213-r10.tar.bz2, |
137 |
+ +files/patchbundle-selinux-base-policy-2.20101213-r9.tar.bz2: |
138 |
+ Added new patchbundles for rev bumps to base policy 2.20101213 |
139 |
+ |
140 |
+ 05 Feb 2011; Anthony G. Basile <blueness@g.o> |
141 |
+ +files/patchbundle-selinux-base-policy-2.20101213-r5.tar.bz2, |
142 |
+ +files/patchbundle-selinux-base-policy-2.20101213-r6.tar.bz2, |
143 |
+ +files/patchbundle-selinux-base-policy-2.20101213-r7.tar.bz2: |
144 |
+ Added patchbundle for base policy 2.20101213. |
145 |
+ |
146 |
+*selinux-base-policy-2.20101213-r7 (05 Feb 2011) |
147 |
+*selinux-base-policy-2.20101213-r6 (05 Feb 2011) |
148 |
+*selinux-base-policy-2.20101213-r5 (05 Feb 2011) |
149 |
+ |
150 |
+ 05 Feb 2011; Anthony G. Basile <blueness@g.o> |
151 |
+ +selinux-base-policy-2.20101213-r5.ebuild, |
152 |
+ +selinux-base-policy-2.20101213-r6.ebuild, |
153 |
+ +selinux-base-policy-2.20101213-r7.ebuild: |
154 |
+ New upstream policy. |
155 |
+ |
156 |
+*selinux-base-policy-2.20091215 (16 Dec 2009) |
157 |
+ |
158 |
+ 16 Dec 2009; Chris PeBenito <pebenito@g.o> |
159 |
+ +selinux-base-policy-2.20091215.ebuild: |
160 |
+ New upstream release. |
161 |
+ |
162 |
+*selinux-base-policy-20080525-r1 (14 Sep 2009) |
163 |
+ |
164 |
+ 14 Sep 2009; Chris PeBenito <pebenito@g.o> |
165 |
+ +selinux-base-policy-20080525-r1.ebuild: |
166 |
+ Update old base policy to support ext4. |
167 |
+ |
168 |
+ 14 Aug 2009; Chris PeBenito <pebenito@g.o> |
169 |
+ -selinux-base-policy-20070329.ebuild, |
170 |
+ -selinux-base-policy-20070928.ebuild, selinux-base-policy-20080525.ebuild: |
171 |
+ Mark 20080525 stable, clear old ebuilds. |
172 |
+ |
173 |
+*selinux-base-policy-2.20090814 (14 Aug 2009) |
174 |
+ |
175 |
+ 14 Aug 2009; Chris PeBenito <pebenito@g.o> |
176 |
+ +selinux-base-policy-2.20090814.ebuild: |
177 |
+ Git version of refpolicy for misc fixes including some cron problems. |
178 |
+ |
179 |
+*selinux-base-policy-2.20090730 (03 Aug 2009) |
180 |
+ |
181 |
+ 03 Aug 2009; Chris PeBenito <pebenito@g.o> |
182 |
+ +selinux-base-policy-2.20090730.ebuild: |
183 |
+ New upstream release. |
184 |
+ |
185 |
+ 18 Jul 2009; Chris PeBenito <pebenito@g.o> |
186 |
+ selinux-base-policy-20070329.ebuild, selinux-base-policy-20070928.ebuild, |
187 |
+ selinux-base-policy-20080525.ebuild: |
188 |
+ Drop alpha, mips, ppc, sparc selinux support. |
189 |
+ |
190 |
+*selinux-base-policy-20080525 (25 May 2008) |
191 |
+ |
192 |
+ 25 May 2008; Chris PeBenito <pebenito@g.o> |
193 |
+ +selinux-base-policy-20080525.ebuild: |
194 |
+ New SVN snapshot. |
195 |
+ |
196 |
+ 16 Mar 2008; Chris PeBenito <pebenito@g.o> |
197 |
+ -selinux-base-policy-20051022-r1.ebuild, |
198 |
+ -selinux-base-policy-20061114.ebuild: |
199 |
+ Remove old ebuilds. |
200 |
+ |
201 |
+ 03 Feb 2008; Chris PeBenito <pebenito@g.o> |
202 |
+ selinux-base-policy-20070928.ebuild: |
203 |
+ Mark stable. |
204 |
+ |
205 |
+*selinux-base-policy-20070928 (26 Nov 2007) |
206 |
+ |
207 |
+ 26 Nov 2007; Chris PeBenito <pebenito@g.o> |
208 |
+ +selinux-base-policy-20070928.ebuild: |
209 |
+ New SVN snapshot. |
210 |
+ |
211 |
+ 04 Jun 2007; Chris PeBenito <pebenito@g.o> |
212 |
+ selinux-base-policy-20070329.ebuild: |
213 |
+ Mark stable. |
214 |
+ |
215 |
+ 30 Mar 2007; Chris PeBenito <pebenito@g.o> |
216 |
+ +files/selinux-base-policy-20070329.diff, |
217 |
+ selinux-base-policy-20070329.ebuild: |
218 |
+ Compile fix. |
219 |
+ |
220 |
+*selinux-base-policy-20070329 (29 Mar 2007) |
221 |
+ |
222 |
+ 29 Mar 2007; Chris PeBenito <pebenito@g.o> |
223 |
+ +selinux-base-policy-20070329.ebuild: |
224 |
+ New SVN snapshot. |
225 |
+ |
226 |
+ 22 Feb 2007; Markus Ullmann <jokey@g.o> ChangeLog: |
227 |
+ Redigest for Manifest2 |
228 |
+ |
229 |
+*selinux-base-policy-20061114 (15 Nov 2006) |
230 |
+ |
231 |
+ 15 Nov 2006; Chris PeBenito <pebenito@g.o> |
232 |
+ +selinux-base-policy-20061114.ebuild: |
233 |
+ New SVN snapshot. |
234 |
+ |
235 |
+ 25 Oct 2006; Chris PeBenito <pebenito@g.o> |
236 |
+ selinux-base-policy-20061015.ebuild: |
237 |
+ Fix to have default POLICY_TYPES if it is empty. |
238 |
+ |
239 |
+ 21 Oct 2006; Chris PeBenito <pebenito@g.o> |
240 |
+ selinux-base-policy-20061015.ebuild: |
241 |
+ Fix xml generation failure to die. |
242 |
+ |
243 |
+*selinux-base-policy-20061015 (15 Oct 2006) |
244 |
+ |
245 |
+ 15 Oct 2006; Chris PeBenito <pebenito@g.o> |
246 |
+ -selinux-base-policy-20061008.ebuild, |
247 |
+ +selinux-base-policy-20061015.ebuild: |
248 |
+ Update for testing fixes. |
249 |
+ |
250 |
+*selinux-base-policy-20061008 (08 Oct 2006) |
251 |
+ |
252 |
+ 08 Oct 2006; Chris PeBenito <pebenito@g.o> -files/semanage.conf, |
253 |
+ +selinux-base-policy-20061008.ebuild, |
254 |
+ -selinux-base-policy-99999999.ebuild: |
255 |
+ First mainstream reference policy testing release. |
256 |
+ |
257 |
+ 29 Sep 2006; Chris PeBenito <pebenito@g.o> |
258 |
+ selinux-base-policy-99999999.ebuild: |
259 |
+ Fix for new SVN location. Fixes 147781. |
260 |
+ |
261 |
+ 22 Feb 2006; Stephen Bennett <spb@g.o> |
262 |
+ selinux-base-policy-20051022-r1.ebuild: |
263 |
+ Alpha stable |
264 |
+ |
265 |
+*selinux-base-policy-99999999 (02 Feb 2006) |
266 |
+ |
267 |
+ 02 Feb 2006; Chris PeBenito <pebenito@g.o> +files/config, |
268 |
+ +files/modules.conf.strict, +files/modules.conf.targeted, |
269 |
+ +files/semanage.conf, +selinux-base-policy-99999999.ebuild: |
270 |
+ Add experimental policy for testing reference policy. Requires portage fix |
271 |
+ from bug #110857. |
272 |
+ |
273 |
+ 02 Feb 2006; Chris PeBenito <pebenito@g.o> |
274 |
+ -selinux-base-policy-20050322.ebuild, |
275 |
+ -selinux-base-policy-20050618.ebuild, |
276 |
+ -selinux-base-policy-20050821.ebuild, |
277 |
+ -selinux-base-policy-20051022.ebuild: |
278 |
+ Clean out old ebuilds. |
279 |
+ |
280 |
+ 14 Jan 2006; Stephen Bennett <spb@g.o> |
281 |
+ selinux-base-policy-20051022-r1.ebuild: |
282 |
+ Added ~alpha |
283 |
+ |
284 |
+*selinux-base-policy-20051022-r1 (08 Dec 2005) |
285 |
+ |
286 |
+ 08 Dec 2005; Chris PeBenito <pebenito@g.o> |
287 |
+ +selinux-base-policy-20051022-r1.ebuild: |
288 |
+ Change to use compatability genhomedircon. Newer policycoreutils (1.28) |
289 |
+ breaks the backwards compatability this policy uses. |
290 |
+ |
291 |
+*selinux-base-policy-20051022 (22 Oct 2005) |
292 |
+ |
293 |
+ 22 Oct 2005; Chris PeBenito <pebenito@g.o> |
294 |
+ +selinux-base-policy-20051022.ebuild: |
295 |
+ Very trivial fixes. |
296 |
+ |
297 |
+ 08 Sep 2005; Chris PeBenito <pebenito@g.o> |
298 |
+ selinux-base-policy-20050821.ebuild: |
299 |
+ Mark stable. |
300 |
+ |
301 |
+*selinux-base-policy-20050821 (21 Aug 2005) |
302 |
+ |
303 |
+ 21 Aug 2005; Chris PeBenito <pebenito@g.o> |
304 |
+ +selinux-base-policy-20050821.ebuild: |
305 |
+ Minor updates for 2.6.12. |
306 |
+ |
307 |
+ 21 Jun 2005; Chris PeBenito <pebenito@g.o> |
308 |
+ selinux-base-policy-20050618.ebuild: |
309 |
+ Mark stable. |
310 |
+ |
311 |
+*selinux-base-policy-20050618 (18 Jun 2005) |
312 |
+ |
313 |
+ 18 Jun 2005; Chris PeBenito <pebenito@g.o> |
314 |
+ -selinux-base-policy-20041123.ebuild, |
315 |
+ -selinux-base-policy-20050306.ebuild, |
316 |
+ +selinux-base-policy-20050618.ebuild: |
317 |
+ New release to support 2.6.12 features. |
318 |
+ |
319 |
+ 10 May 2005; Stephen Bennett <spb@g.o> |
320 |
+ selinux-base-policy-20050322.ebuild: |
321 |
+ mips stable |
322 |
+ |
323 |
+ 01 May 2005; Stephen Bennett <spb@g.o> |
324 |
+ selinux-base-policy-20050322.ebuild: |
325 |
+ Added ~mips. |
326 |
+ |
327 |
+*selinux-base-policy-20050322 (23 Mar 2005) |
328 |
+ |
329 |
+ 23 Mar 2005; Chris PeBenito <pebenito@g.o> |
330 |
+ +selinux-base-policy-20050322.ebuild: |
331 |
+ New release. |
332 |
+ |
333 |
+*selinux-base-policy-20050306 (06 Mar 2005) |
334 |
+ |
335 |
+ 06 Mar 2005; Chris PeBenito <pebenito@g.o> |
336 |
+ +selinux-base-policy-20050306.ebuild: |
337 |
+ Fix bad samba_domain dummy macro. Add policies needed for udev support. |
338 |
+ |
339 |
+*selinux-base-policy-20050224 (24 Feb 2005) |
340 |
+ |
341 |
+ 24 Feb 2005; Chris PeBenito <pebenito@g.o> |
342 |
+ +selinux-base-policy-20050224.ebuild: |
343 |
+ New release. |
344 |
+ |
345 |
+ 19 Jan 2005; Chris PeBenito <pebenito@g.o> |
346 |
+ selinux-base-policy-20041123.ebuild: |
347 |
+ Mark stable. |
348 |
+ |
349 |
+*selinux-base-policy-20041123 (23 Nov 2004) |
350 |
+ |
351 |
+ 23 Nov 2004; Chris PeBenito <pebenito@g.o> |
352 |
+ +selinux-base-policy-20041123.ebuild: |
353 |
+ New release with 1.18 merge. |
354 |
+ |
355 |
+*selinux-base-policy-20041023 (23 Oct 2004) |
356 |
+ |
357 |
+ 23 Oct 2004; Chris PeBenito <pebenito@g.o> |
358 |
+ +selinux-base-policy-20041023.ebuild: |
359 |
+ New release with 1.16 merge. Tcpd and inetd have been deprecated since they |
360 |
+ are not in the base system anymore, and probably no one uses them anyway. |
361 |
+ |
362 |
+*selinux-base-policy-20040906 (06 Sep 2004) |
363 |
+ |
364 |
+ 06 Sep 2004; Chris PeBenito <pebenito@g.o> |
365 |
+ +selinux-base-policy-20040906.ebuild: |
366 |
+ New release with 1.14 merge, which has policy 18 (fine-grained netlink) |
367 |
+ features. |
368 |
+ |
369 |
+ 05 Sep 2004; Chris PeBenito <pebenito@g.o> |
370 |
+ selinux-base-policy-20040225.ebuild, -selinux-base-policy-20040509.ebuild, |
371 |
+ -selinux-base-policy-20040604.ebuild, selinux-base-policy-20040629.ebuild, |
372 |
+ selinux-base-policy-20040702.ebuild: |
373 |
+ Remove old builds, switch to epause and ebeep in remaining builds. |
374 |
+ |
375 |
+*selinux-base-policy-20040702 (02 Jul 2004) |
376 |
+ |
377 |
+ 02 Jul 2004; Chris PeBenito <pebenito@g.o> |
378 |
+ +selinux-base-policy-20040702.ebuild: |
379 |
+ Same as 20040629, except with updated flask headers, which will come out in |
380 |
+ 2.6.8. |
381 |
+ |
382 |
+*selinux-base-policy-20040629 (29 Jun 2004) |
383 |
+ |
384 |
+ 29 Jun 2004; Chris PeBenito <pebenito@g.o> |
385 |
+ +selinux-base-policy-20040629.ebuild: |
386 |
+ Large sysadmfile cleanup: disable admin_separation to give sysadm_r back its |
387 |
+ ablility to modify all files. Minor fixes: portage_r works again, syslog-ng |
388 |
+ breakage fixed, put back manual PaX policy for pageexec/segmexec. |
389 |
+ |
390 |
+ 16 Jun 2004; Chris PeBenito <pebenito@g.o> |
391 |
+ selinux-base-policy-20040604.ebuild: |
392 |
+ Mark stable. |
393 |
+ |
394 |
+ 10 Jun 2004; Chris PeBenito <pebenito@g.o> |
395 |
+ selinux-base-policy-20040225.ebuild, selinux-base-policy-20040509.ebuild, |
396 |
+ selinux-base-policy-20040604.ebuild: |
397 |
+ Add src_compile() stub |
398 |
+ |
399 |
+*selinux-base-policy-20040604 (04 Jun 2004) |
400 |
+ |
401 |
+ 04 Jun 2004; Chris PeBenito <pebenito@g.o> |
402 |
+ +selinux-base-policy-20040604.ebuild: |
403 |
+ New release including 1.12 NSA policy, and experimental sesandbox. |
404 |
+ |
405 |
+ 15 May 2004; Chris PeBenito <pebenito@g.o> |
406 |
+ selinux-base-policy-20040509.ebuild: |
407 |
+ Mark stable. |
408 |
+ |
409 |
+*selinux-base-policy-20040509 (09 May 2004) |
410 |
+ |
411 |
+ 09 May 2004; Chris PeBenito <pebenito@g.o> |
412 |
+ +selinux-base-policy-20040509.ebuild: |
413 |
+ A few small cleanups. Make PaX non exec pages macro based on arch. Large |
414 |
+ portage update, get rid of portage_exec_fetch_t, portage will setexec. Add |
415 |
+ global_ssp tunable. |
416 |
+ |
417 |
+*selinux-base-policy-20040418 (18 Apr 2004) |
418 |
+ |
419 |
+ 18 Apr 2004; Chris PeBenito <pebenito@g.o> |
420 |
+ +selinux-base-policy-20040418.ebuild: |
421 |
+ New release for checkpolicy 1.10 |
422 |
+ |
423 |
+*selinux-base-policy-20040414 (14 Apr 2004) |
424 |
+ |
425 |
+ 14 Apr 2004; Chris PeBenito <pebenito@g.o> |
426 |
+ -selinux-base-policy-20040408.ebuild, +selinux-base-policy-20040414.ebuild: |
427 |
+ Minor updates |
428 |
+ |
429 |
+*selinux-base-policy-20040408 (08 Apr 2004) |
430 |
+ |
431 |
+ 08 Apr 2004; Chris PeBenito <pebenito@g.o> |
432 |
+ selinux-base-policy-20040408.ebuild: |
433 |
+ New update. Users.fc is now deprecated, as the contexts for user directories |
434 |
+ is now automatically generated. Portage fetching of distfiles now has a |
435 |
+ subdomain, for dropping priviledges. |
436 |
+ |
437 |
+ 28 Feb 2004; Chris PeBenito <pebenito@g.o> |
438 |
+ selinux-base-policy-20040225.ebuild: |
439 |
+ Mark stable. |
440 |
+ |
441 |
+*selinux-base-policy-20040225 (25 Feb 2004) |
442 |
+ |
443 |
+ 25 Feb 2004; Chris PeBenito <pebenito@g.o> |
444 |
+ selinux-base-policy-20040225.ebuild: |
445 |
+ New support for PaX ACL hooks. Addition of tunable.te for configurable policy |
446 |
+ options. Rewrite of portage.te. Now auto-transition for sysadm is default, can |
447 |
+ reenable portage_r by tunable.te. Makefile update from NSA CVS. |
448 |
+ |
449 |
+*selinux-base-policy-20040209 (09 Feb 2004) |
450 |
+ |
451 |
+ 09 Feb 2004; Chris PeBenito <pebenito@g.o> |
452 |
+ selinux-base-policy-20040209.ebuild: |
453 |
+ Minor revision to add XFS labeling and policy for integrated |
454 |
+ runscript-run_init. |
455 |
+ |
456 |
+ 07 Feb 2004; Chris PeBenito <pebenito@g.o> |
457 |
+ selinux-base-policy-20040202.ebuild: |
458 |
+ Mark x86 stable. |
459 |
+ |
460 |
+*selinux-base-policy-20040202 (02 Feb 2004) |
461 |
+ |
462 |
+ 02 Feb 2004; Chris PeBenito <pebenito@g.o> |
463 |
+ selinux-base-policy-20040202.ebuild: |
464 |
+ A few misc fixes. Allow portage to update bootloader code, such as in lilo or |
465 |
+ grub postinst. This requires checkpolicy 1.4-r1. |
466 |
+ |
467 |
+*selinux-base-policy-20031225 (25 Dec 2003) |
468 |
+ |
469 |
+ 25 Dec 2003; Chris PeBenito <pebenito@g.o> |
470 |
+ selinux-base-policy-20031225.ebuild: |
471 |
+ New release, with merged NSA 1.4 policy. One critical note, this policy |
472 |
+ requires pam 0.77. Much work has been done to minimize access to /etc/shadow, |
473 |
+ and one requirement is in the patch for pam 0.77. If you do not use this pam |
474 |
+ version or newer, you will be unable to authenticate in enforcing. Since |
475 |
+ devfs no longer is usable in SELinux, it's policy has been removed. You |
476 |
+ should merge the changes, remove the devfsd policy (devfsd.te and devfsd.fc), |
477 |
+ load the policy, and relabel. |
478 |
+ |
479 |
+ 27 Nov 2003; Chris PeBenito <pebenito@g.o> |
480 |
+ selinux-base-policy-20031010-r1.ebuild: |
481 |
+ Mark stable. Add build USE flag for stage building. |
482 |
+ |
483 |
+*selinux-base-policy-20031010-r1 (12 Nov 2003) |
484 |
+ |
485 |
+ 12 Nov 2003; Chris PeBenito <pebenito@g.o> |
486 |
+ selinux-base-policy-20031010-r1.ebuild, |
487 |
+ files/selinux-base-policy-20031010-cvs.diff: |
488 |
+ Add fixes from policy cvs for compilers, so non x86 and ppc compilers can |
489 |
+ work. Also portage update as a side effect of updated setfiles code in |
490 |
+ portage, from bug 31748. |
491 |
+ |
492 |
+ 28 Oct 2003; Chris PeBenito <pebenito@g.o> |
493 |
+ selinux-base-policy-20031010.ebuild: |
494 |
+ Mark stable |
495 |
+ |
496 |
+*selinux-base-policy-20031010 (10 Oct 2003) |
497 |
+ |
498 |
+ 10 Oct 2003; Chris PeBenito <pebenito@g.o> |
499 |
+ selinux-base-policy-20031010.ebuild: |
500 |
+ New release for new API. Massive cleanups all over the place. |
501 |
+ |
502 |
+*selinux-base-policy-20030817 (17 Aug 2003) |
503 |
+ |
504 |
+ 17 Aug 2003; Chris PeBenito <pebenito@g.o> |
505 |
+ selinux-base-policy-20030817.ebuild: |
506 |
+ Initial commit of new API policy |
507 |
+ |
508 |
+ 10 Aug 2003; Chris PeBenito <pebenito@g.o> |
509 |
+ selinux-base-policy-20030729-r1.ebuild: |
510 |
+ Mark stable |
511 |
+ |
512 |
+*selinux-base-policy-20030729-r1 (31 Jul 2003) |
513 |
+ |
514 |
+ 31 Jul 2003; Chris PeBenito <pebenito@g.o> |
515 |
+ selinux-base-policy-20030729-r1.ebuild: |
516 |
+ New rev that handles an empty POLICYDIR sanely. |
517 |
+ |
518 |
+*selinux-base-policy-20030729 (29 Jul 2003) |
519 |
+ |
520 |
+ 29 Jul 2003; Chris PeBenito <pebenito@g.o> |
521 |
+ selinux-base-policy-20030729.ebuild: |
522 |
+ Make the ebuild use POLICYDIR. Important fix so portage can load policy so |
523 |
+ selinux-policy.eclass works. update_modules_t cleanup. Fix for an access when |
524 |
+ merging baselayout. |
525 |
+ |
526 |
+*selinux-base-policy-20030720 (20 Jul 2003) |
527 |
+ |
528 |
+ 20 Jul 2003; Chris PeBenito <pebenito@g.o> |
529 |
+ selinux-base-policy-20030720.ebuild: |
530 |
+ Many fixes, including the syslog fix. File contexts have changed, so a relabel |
531 |
+ is needed. You may encounter problems relabeling /usr/portage, as its file |
532 |
+ context has changed, as files should not have the same type as a domain. |
533 |
+ Relabelling in permissive will fix this, or temporarily give portage_t a |
534 |
+ file_type attribute. Tightened the can_exec_any() macro. Moved staff.fc to |
535 |
+ users.fc, since all users with SELinux identities should have their home |
536 |
+ directories have the correct identity, not the generic identity. |
537 |
+ |
538 |
+ 06 Jun 2003; Chris PeBenito <pebenito@g.o> |
539 |
+ selinux-base-policy-20030604.ebuild: |
540 |
+ Mark stable |
541 |
+ |
542 |
+*selinux-base-policy-20030604 (04 Jun 2003) |
543 |
+ |
544 |
+ 04 Jun 2003; Chris PeBenito <pebenito@g.o> |
545 |
+ selinux-base-policy-20030604.ebuild: |
546 |
+ Fix broken 20030603 |
547 |
+ |
548 |
+ 04 Jun 2003; Chris PeBenito <pebenito@g.o> |
549 |
+ selinux-base-policy-20030603.ebuild: |
550 |
+ Pulling 20030603, as there are problems, 20030604 later today |
551 |
+ |
552 |
+*selinux-base-policy-20030603 (03 Jun 2003) |
553 |
+ |
554 |
+ 03 Jun 2003; Chris PeBenito <pebenito@g.o> |
555 |
+ selinux-base-policy-20030603.ebuild: |
556 |
+ Numerous various fixes. Added staff role. Removed ipsec, gpm and gpg policies |
557 |
+ as they are not appropriate for the base policy, and untested. |
558 |
+ |
559 |
+*selinux-base-policy-20030522 (22 May 2003) |
560 |
+ |
561 |
+ 22 May 2003; Chris PeBenito <pebenito@g.o> |
562 |
+ selinux-base-policy-20030522.ebuild: |
563 |
+ The policy is in pretty good shape now. I've been able to run in enforcing mode |
564 |
+ with little problem. I've also been able to successfully merge and unmerge |
565 |
+ packages in enforcing mode, with few exceptions (why does mysql need to run ps |
566 |
+ during configure?). |
567 |
+ |
568 |
+*selinux-base-policy-20030514 (14 May 2003) |
569 |
+ |
570 |
+ 14 May 2003; Chris PeBenito <pebenito@g.o> |
571 |
+ selinux-base-policy-20030514.ebuild: |
572 |
+ Many improvements in many areas. Of note, rlogind policies were removed. Klogd |
573 |
+ is being merged into syslogd. The portage policy is much more complete, but |
574 |
+ still needs work. Its suggested that all changes be merged in, policy |
575 |
+ reloaded, then relabel. |
576 |
+ |
577 |
+*selinux-base-policy-20030419 (19 Apr 2003) |
578 |
+ |
579 |
+ 23 Apr 2003; Chris PeBenito <pebenito@g.o> |
580 |
+ selinux-base-policy-20030419.ebuild: |
581 |
+ Marking stable for selinux-small stable usage |
582 |
+ |
583 |
+ 19 Apr 2003; Chris PeBenito <pebenito@g.o> Manifest, |
584 |
+ selinux-base-policy-20030419.ebuild: |
585 |
+ Initial commit. Base policies for SELinux, with Gentoo-specifics |
586 |
+ |
587 |
|
588 |
diff --git a/sec-policy/selinux-base-policy/files/config b/sec-policy/selinux-base-policy/files/config |
589 |
new file mode 100644 |
590 |
index 0000000..55933ea |
591 |
--- /dev/null |
592 |
+++ b/sec-policy/selinux-base-policy/files/config |
593 |
@@ -0,0 +1,15 @@ |
594 |
+# This file controls the state of SELinux on the system on boot. |
595 |
+ |
596 |
+# SELINUX can take one of these three values: |
597 |
+# enforcing - SELinux security policy is enforced. |
598 |
+# permissive - SELinux prints warnings instead of enforcing. |
599 |
+# disabled - No SELinux policy is loaded. |
600 |
+SELINUX=permissive |
601 |
+ |
602 |
+# SELINUXTYPE can take one of these four values: |
603 |
+# targeted - Only targeted network daemons are protected. |
604 |
+# strict - Full SELinux protection. |
605 |
+# mls - Full SELinux protection with Multi-Level Security |
606 |
+# mcs - Full SELinux protection with Multi-Category Security |
607 |
+# (mls, but only one sensitivity level) |
608 |
+SELINUXTYPE=strict |
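Review bot: `SELINUX=permissive` at the end of the first block makes permissive the shipped default, so a system booting with this file as installed logs denials but does not enforce any of the policy until an administrator edits it, and nothing in the file says the setting is meant to be temporary. I'd add a comment directly above that line: `# Default is permissive for the initial install and relabel; set to enforcing once the audit log shows no unexpected denials.` Where this file is installed and whether the ebuild rewrites the value are decided by the ebuild hunk, which is cut off in this view, so confirm the effective default there.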
609 |
|
610 |
diff --git a/sec-policy/selinux-base-policy/files/modules.conf b/sec-policy/selinux-base-policy/files/modules.conf |
611 |
new file mode 100644 |
612 |
index 0000000..fcb3fd8 |
613 |
--- /dev/null |
614 |
+++ b/sec-policy/selinux-base-policy/files/modules.conf |
615 |
@@ -0,0 +1,49 @@ |
616 |
+application = base |
617 |
+authlogin = base |
618 |
+bootloader = base |
619 |
+clock = base |
620 |
+consoletype = base |
621 |
+corecommands = base |
622 |
+corenetwork = base |
623 |
+cron = base |
624 |
+devices = base |
625 |
+dmesg = base |
626 |
+domain = base |
627 |
+files = base |
628 |
+filesystem = base |
629 |
+fstools = base |
630 |
+getty = base |
631 |
+hostname = base |
632 |
+hotplug = base |
633 |
+init = base |
634 |
+iptables = base |
635 |
+kernel = base |
636 |
+libraries = base |
637 |
+locallogin = base |
638 |
+logging = base |
639 |
+lvm = base |
640 |
+miscfiles = base |
641 |
+mcs = base |
642 |
+mls = base |
643 |
+modutils = base |
644 |
+mount = base |
645 |
+mta = base |
646 |
+netutils = base |
647 |
+nscd = base |
648 |
+portage = base |
649 |
+raid = base |
650 |
+rsync = base |
651 |
+selinux = base |
652 |
+selinuxutil = base |
653 |
+ssh = base |
654 |
+staff = base |
655 |
+storage = base |
656 |
+su = base |
657 |
+sysadm = base |
658 |
+sysnetwork = base |
659 |
+terminal = base |
660 |
+ubac = base |
661 |
+udev = base |
662 |
+userdomain = base |
663 |
+usermanage = base |
664 |
+unprivuser = base |
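Review bot: The file carries no comment saying what the right-hand value means, so a reader cannot tell from the file alone whether `base` is the only accepted value or one of several (refpolicy's modules.conf accepts `base`, `module` and `off`, but confirm that against the refpolicy release being patched). A one-line header such as `# refpolicy module selection: <module> = base | module | off` would cover that. Style: the list is alphabetical except `mcs` and `mls`, which sit after `miscfiles`, and `unprivuser`, which sits after `usermanage`; sorting them keeps future diffs small. `ubac = base` is unconditional here while the ebuild declares a `+ubac` USE flag; if the ebuild toggles it, a comment here pointing to that would help, but the ebuild hunk is cut off in this view.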
665 |
|
666 |
diff --git a/sec-policy/selinux-base-policy/files/patchbundle-selinux-base-policy-2.20101213-r22.tar.bz2 b/sec-policy/selinux-base-policy/files/patchbundle-selinux-base-policy-2.20101213-r22.tar.bz2 |
667 |
new file mode 100644 |
668 |
index 0000000..c530e0e |
669 |
Binary files /dev/null and b/sec-policy/selinux-base-policy/files/patchbundle-selinux-base-policy-2.20101213-r22.tar.bz2 differ |
670 |
|
671 |
diff --git a/sec-policy/selinux-base-policy/metadata.xml b/sec-policy/selinux-base-policy/metadata.xml |
672 |
new file mode 100644 |
673 |
index 0000000..393f3bb |
674 |
--- /dev/null |
675 |
+++ b/sec-policy/selinux-base-policy/metadata.xml |
676 |
@@ -0,0 +1,14 @@ |
677 |
+<?xml version="1.0" encoding="UTF-8"?> |
678 |
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd"> |
679 |
+<pkgmetadata> |
680 |
+ <herd>selinux</herd> |
681 |
+ <longdescription> |
682 |
+ Gentoo SELinux base policy. This contains policy for a system at the end of system installation. |
683 |
+ There is no extra policy in this package. |
684 |
+ </longdescription> |
685 |
+ <use> |
686 |
+ <flag name='peer_perms'>Enable the labeled networking peer permissions (SELinux policy capability).</flag> |
687 |
+ <flag name='open_perms'>Enable the open permissions for file object classes (SELinux policy capability).</flag> |
688 |
+ <flag name='ubac'>Enable User Based Access Control (UBAC) in the SELinux policy</flag> |
689 |
+ </use> |
690 |
+</pkgmetadata> |
691 |
|
692 |
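--- /dev/null
+++ b/sec-policy/selinux-base-policy/selinux-base-policy-2.20101213-r22.ebuild
@@ -0,0 +1,147 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-base-policy/selinux-base-policy-2.20101213-r18.ebuild,v 1.1 2011/07/10 02:30:17 blueness Exp $
+
+EAPI="1"
+IUSE="+peer_perms +open_perms +ubac"
+
+inherit eutils
+
+PATCHBUNDLE="${FILESDIR}/patchbundle-${PF}.tar.bz2"
+#PATCHBUNDLE="${DISTDIR}/patchbundle-${PF}.tar.bz2"
+DESCRIPTION="Gentoo base policy for SELinux"
+HOMEPAGE="http://www.gentoo.org/proj/en/hardened/selinux/"
+SRC_URI="http://oss.tresys.com/files/refpolicy/refpolicy-${PV}.tar.bz2"
+#SRC_URI="http://oss.tresys.com/files/refpolicy/refpolicy-${PV}.tar.bz2
+# http://dev.gentoo.org/~blueness/patchbundle-selinux-base-policy/patchbundle-${PF}.tar.bz2"
+LICENSE="GPL-2"
+SLOT="0"
+
+KEYWORDS="~amd64 ~x86"
+
+RDEPEND=">=sys-apps/policycoreutils-1.30.30
+ >=sys-fs/udev-151"
+DEPEND="${RDEPEND}
+ sys-devel/m4
+ >=sys-apps/checkpolicy-1.30.12"
+
+S=${WORKDIR}/
+
+src_unpack() {
+ [ -z "${POLICY_TYPES}" ] && local POLICY_TYPES="targeted strict mls mcs"
+
+ unpack ${A}
+
+ cd "${S}"
+ epatch "${PATCHBUNDLE}"
+ cd "${S}/refpolicy"
+ # Fix bug 257111
+ sed -i -e 's:system_crond_t:system_cronjob_t:g' \
+ "${S}/refpolicy/config/appconfig-standard/default_contexts"
+ sed -i -e 's|system_r:cronjob_t|system_r:system_cronjob_t|g' \
+ "${S}/refpolicy/config/appconfig-mls/default_contexts"
+ sed -i -e 's|system_r:cronjob_t|system_r:system_cronjob_t|g' \
+ "${S}/refpolicy/config/appconfig-mcs/default_contexts"
+
+ if ! use peer_perms; then
+ sed -i -e '/network_peer_controls/d' \
+ "${S}/refpolicy/policy/policy_capabilities"
+ fi
+
+ if ! use open_perms; then
+ sed -i -e '/open_perms/d' \
+ "${S}/refpolicy/policy/policy_capabilities"
+ fi
+
+ for i in ${POLICY_TYPES}; do
+ cp -a "${S}/refpolicy" "${S}/${i}"
+
+ cd "${S}/${i}";
+ make conf || die "Make conf in ${i} failed"
+
+ # Define what we see as "base" and what we want to remain modular
+ cp "${FILESDIR}/modules.conf" \
+ "${S}/${i}/policy/modules.conf" \
+ || die "failed to set up modules.conf"
+ if [[ "${i}" == "targeted" ]];
+ then
+ echo "unconfined = base" >> "${S}/${i}/policy/modules.conf"
+ fi
+ sed -i -e '/^QUIET/s/n/y/' -e '/^MONOLITHIC/s/y/n/' \
+ -e "/^NAME/s/refpolicy/$i/" "${S}/${i}/build.conf" \
+ || die "build.conf setup failed."
+
+ if [[ "${i}" == "mls" ]] || [[ "${i}" == "mcs" ]];
+ then
+ # MCS/MLS require additional settings
+ sed -i -e "/^TYPE/s/standard/${i}/" "${S}/${i}/build.conf" \
+ || die "failed to set type to mls"
+ fi
+
+ if ! use ubac; then
+ sed -i -e 's:^UBAC = y:UBAC = n:g' "${S}/${i}/build.conf"
+ fi
+
+ echo "DISTRO = gentoo" >> "${S}/${i}/build.conf"
+
+ if [ "${i}" == "targeted" ]; then
+ sed -i -e '/root/d' -e 's/user_u/unconfined_u/' \
+ "${S}/${i}/config/appconfig-standard/seusers" \
+ || die "targeted seusers setup failed."
+ fi
+ done
+}
+
+src_compile() {
+ [ -z "${POLICY_TYPES}" ] && local POLICY_TYPES="targeted strict mls mcs"
+
+ for i in ${POLICY_TYPES}; do
+ cd "${S}/${i}"
+ make base || die "${i} compile failed"
+ done
+}
+
+src_install() {
+ [ -z "${POLICY_TYPES}" ] && local POLICY_TYPES="targeted strict mls mcs"
+
+ for i in ${POLICY_TYPES}; do
+ cd "${S}/${i}"
+
+ make DESTDIR="${D}" install \
+ || die "${i} install failed."
+
+ make DESTDIR="${D}" install-headers \
+ || die "${i} headers install failed."
+
+ echo "run_init_t" > "${D}/etc/selinux/${i}/contexts/run_init_type"
+
+ echo "textrel_shlib_t" >> "${D}/etc/selinux/${i}/contexts/customizable_types"
+
+ # libsemanage won't make this on its own
+ keepdir "/etc/selinux/${i}/policy"
+ done
+
+ dodoc doc/Makefile.example doc/example.{te,fc,if}
+
+ insinto /etc/selinux
+ doins "${FILESDIR}/config"
+}
+
+pkg_preinst() {
+ has_version "<${CATEGORY}/${PN}-2.20101213-r13"
+ previous_less_than_r13=$?
+}
+
+pkg_postinst() {
+ [ -z "${POLICY_TYPES}" ] && local POLICY_TYPES="targeted strict mls mcs"
+
+ for i in ${POLICY_TYPES}; do
+ einfo "Inserting base module into ${i} module store."
+
+ cd "/usr/share/selinux/${i}"
+ semodule -s "${i}" -b base.pp || die "Could not load in new base policy"
+ done
+ elog "Updates on policies might require you to relabel files. If you, after"
+ elog "installing new SELinux policies, get 'permission denied' errors,"
+ elog "relabelling your system using 'rlpkg -a -r' might resolve the issues."
+}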
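Review bot: In `pkg_postinst` the `cd "/usr/share/selinux/${i}"` just before the `semodule` call has no failure check, so if that directory is missing the relative `base.pp` in `semodule -s "${i}" -b base.pp` resolves in whatever the current working directory happens to be; change it to `cd "/usr/share/selinux/${i}" || die "no policy store for ${i}"`. The same unchecked `cd` appears in `src_unpack` (`cd "${S}"`, `cd "${S}/refpolicy"`, `cd "${S}/${i}";`), `src_compile` and `src_install`, where the following `sed`/`make` would then operate on the wrong tree. `pkg_preinst` records `previous_less_than_r13=$?` but nothing in this file reads it, so it is either a leftover from an earlier revision or the postinst branch that consumed it was dropped; either way it should go or be used. The `sed` edits of `default_contexts`, `policy_capabilities` and the UBAC line in `build.conf` also lack the `|| die` that their neighbours have, so a silently failed edit would ship a policy built with the wrong capabilities.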
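--- /dev/null
+++ b/sec-policy/selinux-mozilla/ChangeLog
@@ -0,0 +1,40 @@
+# ChangeLog for sec-policy/selinux-mozilla
+# Copyright 1999-2011 Gentoo Foundation; Distributed under the GPL v2
+# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-mozilla/ChangeLog,v 1.5 2011/07/10 02:34:32 blueness Exp $
+
+*selinux-mozilla-2.20101213-r4 (02 Aug 2011)
+
+ 02 Aug 2011; <swift@g.o> +files/fix-apps-mozilla-r4.patch,
+ +selinux-mozilla-2.20101213-r4.ebuild, +metadata.xml:
+ Allow mozilla to read ~/.local
+
+*selinux-mozilla-2.20101213-r3 (10 Jul 2011)
+
+ 10 Jul 2011; Anthony G. Basile <blueness@g.o>
+ +files/fix-apps-mozilla-r3.patch, +selinux-mozilla-2.20101213-r3.ebuild:
+ Support proxy plugins and tor
+
+ 04 Jun 2011; Anthony G. Basile <blueness@g.o>
+ -selinux-mozilla-2.20101213.ebuild, -selinux-mozilla-2.20101213-r1.ebuild:
+ Removed deprecated policies
+
+ 02 Jun 2011; Anthony G. Basile <blueness@g.o>
+ selinux-mozilla-2.20101213-r2.ebuild:
+ Stable amd64 x86
+
+*selinux-mozilla-2.20101213-r2 (20 May 2011)
+
+ 20 May 2011; Anthony G. Basile <blueness@g.o>
+ +files/fix-apps-mozilla-r2.patch, +selinux-mozilla-2.20101213-r2.ebuild:
+ Remove obsolete privileges
+
+ 05 Feb 2011; Anthony G. Basile <blueness@g.o> ChangeLog:
+ Initial commit to portage.
+
+*selinux-mozilla-2.20101213-r1 (22 Jan 2011)
+
+ 22 Jan 2011; <swift@g.o> +selinux-mozilla-2.20101213-r1.ebuild,
+ files/fix-mozilla.patch:
+ Support binary firefox, add call to alsa interface and support tmp type
+ for mozilla
+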
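--- /dev/null
+++ b/sec-policy/selinux-mozilla/files/fix-apps-mozilla-r4.patch
@@ -0,0 +1,82 @@
+--- apps/mozilla.te 2010-12-13 15:11:01.000000000 +0100
++++ apps/mozilla.te 2011-07-24 16:48:16.221000672 +0200
+@@ -33,6 +33,10 @@
+ files_tmpfs_file(mozilla_tmpfs_t)
+ ubac_constrained(mozilla_tmpfs_t)
+ 
++type mozilla_tmp_t;
++files_tmp_file(mozilla_tmp_t)
++ubac_constrained(mozilla_tmp_t)
++
+ ########################################
+ #
+ # Local policy
+@@ -68,6 +72,10 @@
+ manage_sock_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
+ fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { file lnk_file sock_file fifo_file })
+ 
++manage_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
++manage_dirs_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
++files_tmp_filetrans(mozilla_t, mozilla_tmp_t, { file dir } )
++
+ kernel_read_kernel_sysctls(mozilla_t)
+ kernel_read_network_state(mozilla_t)
+ # Access /proc, sysctl
+@@ -89,15 +97,18 @@
+ corenet_raw_sendrecv_generic_node(mozilla_t)
+ corenet_tcp_sendrecv_http_port(mozilla_t)
+ corenet_tcp_sendrecv_http_cache_port(mozilla_t)
++corenet_tcp_sendrecv_tor_port(mozilla_t)
+ corenet_tcp_sendrecv_ftp_port(mozilla_t)
+ corenet_tcp_sendrecv_ipp_port(mozilla_t)
+ corenet_tcp_connect_http_port(mozilla_t)
+ corenet_tcp_connect_http_cache_port(mozilla_t)
++corenet_tcp_connect_tor_port(mozilla_t)
+ corenet_tcp_connect_ftp_port(mozilla_t)
+ corenet_tcp_connect_ipp_port(mozilla_t)
+ corenet_tcp_connect_generic_port(mozilla_t)
+ corenet_tcp_connect_soundd_port(mozilla_t)
+ corenet_sendrecv_http_client_packets(mozilla_t)
++corenet_sendrecv_tor_client_packets(mozilla_t)
+ corenet_sendrecv_http_cache_client_packets(mozilla_t)
+ corenet_sendrecv_ftp_client_packets(mozilla_t)
+ corenet_sendrecv_ipp_client_packets(mozilla_t)
+@@ -143,6 +154,7 @@
+ 
+ userdom_use_user_ptys(mozilla_t)
+ 
++
+ xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
+ xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
+ xserver_dontaudit_getattr_xdm_tmp_sockets(mozilla_t)
+@@ -193,6 +205,7 @@
+ userdom_list_user_tmp(mozilla_t)
+ userdom_read_user_tmp_files(mozilla_t)
+ userdom_read_user_tmp_symlinks(mozilla_t)
++ userdom_list_user_home_content(mozilla_t)
+ userdom_read_user_home_content_files(mozilla_t)
+ userdom_read_user_home_content_symlinks(mozilla_t)
+ 
+@@ -266,3 +279,7 @@
+ optional_policy(`
+ thunderbird_domtrans(mozilla_t)
+ ')
++
++optional_policy(`
++ alsa_read_rw_config(mozilla_t)
++')
+--- apps/mozilla.fc 2010-08-03 15:11:03.000000000 +0200
++++ apps/mozilla.fc 2011-07-21 10:08:43.909000256 +0200
+@@ -27,3 +27,12 @@
+ /usr/lib(64)?/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+ /usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+ /usr/lib64/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
++
++ifdef(`distro_gentoo',`
++/usr/bin/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
++/opt/firefox/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/opt/firefox/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
++/opt/firefox/run-mozilla.sh -- gen_context(system_u:object_r:mozilla_exec_t,s0)
++/opt/firefox/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
++/opt/firefox/plugin-container -- gen_context(system_u:object_r:mozilla_exec_t,s0)
++')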
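Review bot: The embedded hunk `@@ -143,6 +154,7 @@` adds nothing but an empty line after `userdom_use_user_ptys(mozilla_t)`, which only makes this patch harder to rebase onto the next refpolicy; drop that hunk. The new `.fc` entry `/opt/firefox/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)` gives that library the execmod exception that `textrel_shlib_t` carries (and the base-policy ebuild in this commit additionally appends the type to `customizable_types`), so a one-line comment above it recording why, e.g. `# the binary firefox build ships a libxul.so with text relocations, hence textrel_shlib_t (execmod)` — I assume that is the reason, please confirm — would stop a later cleanup from re-labelling it `lib_t`. The only home-directory change in the `.te` part is `userdom_list_user_home_content(mozilla_t)`, which grants listing of all user home content rather than just `~/.local` as the ChangeLog entry suggests; if the narrower access is what is wanted, that deserves a comment on the line.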
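--- /dev/null
+++ b/sec-policy/selinux-mozilla/metadata.xml
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+ <herd>selinux</herd>
+ <longdescription>Gentoo SELinux policy for mozilla</longdescription>
+</pkgmetadata>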
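--- /dev/null
+++ b/sec-policy/selinux-mozilla/selinux-mozilla-2.20101213-r4.ebuild
@@ -0,0 +1,15 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-mozilla/selinux-mozilla-2.20101213-r3.ebuild,v 1.1 2011/07/10 02:34:32 blueness Exp $
+
+IUSE=""
+
+MODS="mozilla"
+
+inherit selinux-policy-2
+
+DESCRIPTION="SELinux policy for general applications"
+
+KEYWORDS="~amd64 ~x86"
+
+POLICY_PATCH="${FILESDIR}/fix-apps-mozilla-r4.patch"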
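Review bot: `DESCRIPTION="SELinux policy for general applications"` is the generic template text and does not describe this package; `DESCRIPTION="SELinux policy for mozilla"` would match the `longdescription` added in the same commit's metadata.xml. The pan and skype ebuilds in this commit carry the same generic description. Unlike those two, this ebuild declares no `RDEPEND` on a minimum `sec-policy/selinux-base-policy` revision even though its patch adds calls into the base modules (`userdom_list_user_home_content`, the tor port interfaces); if any of those need the r22 base shipped here, pin it as the pan ebuild does. The `$Header` line still names the r3 ebuild it was copied from.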
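--- /dev/null
+++ b/sec-policy/selinux-pan/ChangeLog
@@ -0,0 +1,33 @@
+# ChangeLog for sec-policy/selinux-pan
+# Copyright 1999-2011 Gentoo Foundation; Distributed under the GPL v2
+# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-skype/ChangeLog,v 1.3 2011/06/04 18:10:53 blueness Exp $
+
+*selinux-pan-2.20101213-r1 (02 Aug 2011)
+
+ 02 Aug 2011; <swift@g.o> +files/fix-apps-pan-r1.patch,
+ +selinux-pan-2.20101213-r1.ebuild, +metadata.xml:
+ Initial policy for pan
+
+ 04 Jun 2011; Anthony G. Basile <blueness@g.o>
+ -selinux-skype-2.20101213.ebuild, -selinux-skype-2.20101213-r1.ebuild:
+ Removed deprecated policies
+
+ 02 Jun 2011; Anthony G. Basile <blueness@g.o>
+ selinux-skype-2.20101213-r2.ebuild:
+ Stable amd64 x86
+
+ 05 Feb 2011; Anthony G. Basile <blueness@g.o> ChangeLog:
+ Initial commit to portage.
+
+*selinux-skype-2.20101213-r2 (31 Jan 2011)
+
+ 31 Jan 2011; <swift@g.o> +files/add-apps-skype-r2.patch,
+ +selinux-skype-2.20101213-r2.ebuild:
+ Allow userhome access, set some dontaudits etc.
+
+*selinux-skype-2.20101213-r1 (22 Jan 2011)
+
+ 22 Jan 2011; <swift@g.o> +selinux-skype-2.20101213-r1.ebuild,
+ +files/add-apps-skype.patch:
+ Update skype module to 'comply' with suggested approach for domains
+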
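--- /dev/null
+++ b/sec-policy/selinux-pan/files/fix-apps-pan-r1.patch
@@ -0,0 +1,110 @@
+--- apps/pan.te 1970-01-01 01:00:00.000000000 +0100
++++ apps/pan.te 2011-07-24 18:31:32.760000849 +0200
+@@ -0,0 +1,102 @@
++policy_module(pan, 1.0)
++
++########################################
++#
++# Declarations
++#
++
++type pan_t;
++type pan_exec_t;
++application_domain(pan_t, pan_exec_t)
++ubac_constrained(pan_t)
++
++type pan_home_t;
++userdom_user_home_content(pan_home_t)
++
++#type pan_tmp_t;
++#files_tmp_file(pan_tmp_t)
++#ubac_constrained(pan_tmp_t)
++
++type pan_tmpfs_t;
++files_tmpfs_file(pan_tmpfs_t)
++ubac_constrained(pan_tmpfs_t)
++
++########################################
++#
++# Pan local policy
++#
++allow pan_t self:process { getsched signal };
++allow pan_t self:fifo_file rw_fifo_file_perms;
++allow pan_t pan_tmpfs_t:file { read write };
++
++# Allow pan to work with its ~/.pan2 location
++manage_dirs_pattern(pan_t, pan_home_t, pan_home_t)
++manage_files_pattern(pan_t, pan_home_t, pan_home_t)
++manage_lnk_files_pattern(pan_t, pan_home_t, pan_home_t)
++
++# Support for shared memory
++fs_tmpfs_filetrans(pan_t, pan_tmpfs_t, file)
++
++## Kernel layer calls
++#
++kernel_dontaudit_read_system_state(pan_t)
++files_read_etc_files(pan_t)
++files_read_usr_files(pan_t)
++corenet_all_recvfrom_unlabeled(pan_t)
++corenet_all_recvfrom_netlabel(pan_t)
++corenet_tcp_connect_innd_port(pan_t)
++corenet_tcp_sendrecv_generic_if(pan_t)
++corenet_tcp_sendrecv_generic_node(pan_t)
++corenet_tcp_sendrecv_innd_port(pan_t)
++corenet_sendrecv_innd_client_packets(pan_t)
++
++## System layer calls
++#
++miscfiles_read_localization(pan_t)
++sysnet_dns_name_resolve(pan_t)
++userdom_manage_user_home_content_dirs(pan_t)
++userdom_manage_user_home_content_files(pan_t)
++
++## Other yayer calls
++#
++xserver_user_x_domain_template(pan, pan_t, pan_tmpfs_t)
++
++tunable_policy(`use_nfs_home_dirs',`
++ fs_manage_nfs_dirs(pan_t)
++ fs_manage_nfs_files(pan_t)
++ fs_manage_nfs_symlinks(pan_t)
++')
++
++tunable_policy(`use_samba_home_dirs',`
++ fs_manage_cifs_dirs(pan_t)
++ fs_manage_cifs_files(pan_t)
++ fs_manage_cifs_symlinks(pan_t)
++')
++
++optional_policy(`
++ cups_read_rw_config(pan_t)
++')
++
++optional_policy(`
++ dbus_system_bus_client(pan_t)
++ dbus_session_bus_client(pan_t)
++')
++
++optional_policy(`
++ gnome_stream_connect_gconf(pan_t)
++')
++
++optional_policy(`
++ gpg_domtrans(pan_t)
++ gpg_signal(pan_t)
++')
++
++optional_policy(`
++ lpd_domtrans_lpr(pan_t)
++')
++
++optional_policy(`
++ mozilla_read_user_home_files(pan_t)
++ mozilla_domtrans(pan_t)
++')
++
+--- apps/pan.fc 1970-01-01 01:00:00.000000000 +0100
++++ apps/pan.fc 2011-07-24 17:56:50.338000789 +0200
+@@ -0,0 +1,2 @@
++/usr/bin/pan -- gen_context(system_u:object_r:pan_exec_t,s0)
++HOME_DIR/\.pan2(/.*)? gen_context(system_u:object_r:pan_home_t,s0)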
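Review bot: `allow pan_t pan_tmpfs_t:file { read write };` is the only explicit file access the domain gets on its tmpfs type, and it lacks `open` (required when the `open_perms` policy capability is active, which the base-policy ebuild in this commit enables by default) and `create` (needed for the `fs_tmpfs_filetrans(pan_t, pan_tmpfs_t, file)` transition to yield a usable file); unless `xserver_user_x_domain_template` already supplies those, the form the skype module uses, `manage_files_pattern(pan_t, pan_tmpfs_t, pan_tmpfs_t)`, is the safer equivalent. The section comment `## Other yayer calls` should read `## Other layer calls`. The commented-out `#type pan_tmp_t;` / `#files_tmp_file(pan_tmp_t)` / `#ubac_constrained(pan_tmp_t)` lines are dead text in a brand-new module and are better removed than shipped; if a tmp type is planned, a one-line `# TODO` is clearer than disabled declarations.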
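--- /dev/null
+++ b/sec-policy/selinux-pan/metadata.xml
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+ <herd>selinux</herd>
+ <longdescription>Gentoo SELinux policy for pan</longdescription>
+</pkgmetadata>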
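--- /dev/null
+++ b/sec-policy/selinux-pan/selinux-pan-2.20101213-r1.ebuild
@@ -0,0 +1,16 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-skype/selinux-skype-2.20101213-r2.ebuild,v 1.2 2011/06/02 12:56:29 blueness Exp $
+
+IUSE=""
+
+MODS="pan"
+
+inherit selinux-policy-2
+
+DESCRIPTION="SELinux policy for general applications"
+
+KEYWORDS="~amd64 ~x86"
+
+POLICY_PATCH="${FILESDIR}/fix-apps-pan-r1.patch"
+RDEPEND=">=sec-policy/selinux-base-policy-2.20101213-r22"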
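Review bot: The `$Header` line points at `selinux-skype-2.20101213-r2.ebuild`, and the accompanying `sec-policy/selinux-pan/ChangeLog` likewise carries the skype package's `$Header` and its skype-2.20101213-r1/r2 history entries, so both files still show the template they were copied from; fix the header here and keep only the pan entry in the ChangeLog. `DESCRIPTION="SELinux policy for general applications"` should be `DESCRIPTION="SELinux policy for pan"` to match the metadata.xml added alongside. `RDEPEND=">=sec-policy/selinux-base-policy-2.20101213-r22"` pins the base revision introduced in this commit while the skype ebuild pins `-r20`; if both modules build against the same base state, align the two so the next bump does not have to guess which is right.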
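--- /dev/null
+++ b/sec-policy/selinux-skype/ChangeLog
@@ -0,0 +1,33 @@
+# ChangeLog for sec-policy/selinux-skype
+# Copyright 1999-2011 Gentoo Foundation; Distributed under the GPL v2
+# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-skype/ChangeLog,v 1.3 2011/06/04 18:10:53 blueness Exp $
+
+*selinux-skype-2.20101213-r3 (02 Aug 2011)
+
+ 02 Aug 2011; <swift@g.o> +files/fix-apps-skype-r3.patch,
+ +selinux-skype-2.20101213-r3.ebuild, +metadata.xml:
+ Improve policy style, do not require libs_use_ld_so
+
+ 04 Jun 2011; Anthony G. Basile <blueness@g.o>
+ -selinux-skype-2.20101213.ebuild, -selinux-skype-2.20101213-r1.ebuild:
+ Removed deprecated policies
+
+ 02 Jun 2011; Anthony G. Basile <blueness@g.o>
+ selinux-skype-2.20101213-r2.ebuild:
+ Stable amd64 x86
+
+ 05 Feb 2011; Anthony G. Basile <blueness@g.o> ChangeLog:
+ Initial commit to portage.
+
+*selinux-skype-2.20101213-r2 (31 Jan 2011)
+
+ 31 Jan 2011; <swift@g.o> +files/add-apps-skype-r2.patch,
+ +selinux-skype-2.20101213-r2.ebuild:
+ Allow userhome access, set some dontaudits etc.
+
+*selinux-skype-2.20101213-r1 (22 Jan 2011)
+
+ 22 Jan 2011; <swift@g.o> +selinux-skype-2.20101213-r1.ebuild,
+ +files/add-apps-skype.patch:
+ Update skype module to 'comply' with suggested approach for domains
+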
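--- /dev/null
+++ b/sec-policy/selinux-skype/files/fix-apps-skype-r3.patch
@@ -0,0 +1,120 @@
+--- apps/skype.te 1970-01-01 01:00:00.000000000 +0100
++++ apps/skype.te 2011-07-24 17:24:40.996000734 +0200
+@@ -0,0 +1,111 @@
++policy_module(skype, 0.0.2)
++
++############################
++#
++# Declarations
++#
++
++type skype_t;
++type skype_exec_t;
++application_domain(skype_t, skype_exec_t)
++
++type skype_home_t;
++
++type skype_tmpfs_t;
++files_tmpfs_file(skype_tmpfs_t)
++ubac_constrained(skype_tmpfs_t)
++
++############################
++#
++# Policy
++#
++
++allow skype_t self:process { getsched setsched execmem signal };
++allow skype_t self:fifo_file rw_fifo_file_perms;
++allow skype_t self:unix_stream_socket create_socket_perms;
++allow skype_t self:sem create_sem_perms;
++allow skype_t self:tcp_socket create_stream_socket_perms;
++
++# Allow skype to work with its ~/.skype location
++manage_dirs_pattern(skype_t, skype_home_t, skype_home_t)
++manage_files_pattern(skype_t, skype_home_t, skype_home_t)
++manage_lnk_files_pattern(skype_t, skype_home_t, skype_home_t)
++
++# Needed for supporting X11 & shared memory
++manage_files_pattern(skype_t, skype_tmpfs_t, skype_tmpfs_t)
++manage_lnk_files_pattern(skype_t, skype_tmpfs_t, skype_tmpfs_t)
++manage_fifo_files_pattern(skype_t, skype_tmpfs_t, skype_tmpfs_t)
++manage_sock_files_pattern(skype_t, skype_tmpfs_t, skype_tmpfs_t)
++fs_tmpfs_filetrans(skype_t, skype_tmpfs_t, { file lnk_file sock_file fifo_file })
++
++# In Gentoo, the skype script calls skype binary. To keep the
++# number of privileges for the user domain sufficiently manageable,
++# we already label the script as skype_exec_t. Hence, the script
++# needs to be able to execute skype_exec_t files too.
++can_exec(skype_t, skype_exec_t)
++
++## Kernel layer calls
++#
++kernel_dontaudit_search_sysctl(skype_t)
++kernel_read_system_state(skype_t)
++
++corecmd_exec_bin(skype_t)
++corecmd_exec_shell(skype_t)
++
++corenet_all_recvfrom_netlabel(skype_t)
++corenet_all_recvfrom_unlabeled(skype_t)
++corenet_sendrecv_http_client_packets(skype_t)
++corenet_tcp_bind_generic_node(skype_t)
++corenet_tcp_bind_generic_port(skype_t)
++corenet_tcp_connect_generic_port(skype_t)
++corenet_tcp_connect_http_port(skype_t)
++corenet_tcp_sendrecv_http_port(skype_t)
++corenet_udp_bind_generic_node(skype_t)
++corenet_udp_bind_generic_port(skype_t)
++
++dev_read_sound(skype_t)
++dev_read_video_dev(skype_t)
++dev_write_sound(skype_t)
++dev_write_video_dev(skype_t)
++
++# Needed to debug skype (start through commandline)
++domain_use_interactive_fds(skype_t)
++
++files_read_etc_files(skype_t)
++files_read_usr_files(skype_t)
++
++## System layer calls
++#
++auth_use_nsswitch(skype_t)
++miscfiles_dontaudit_setattr_fonts_dirs(skype_t)
++miscfiles_read_localization(skype_t)
++userdom_manage_user_home_content_dirs(skype_t)
++userdom_manage_user_home_content_files(skype_t)
++userdom_use_user_terminals(skype_t)
++userdom_user_home_dir_filetrans(skype_t, skype_home_t, dir)
++userdom_user_home_content(skype_home_t)
++
++## Other calls
++#
++xserver_user_x_domain_template(skype, skype_t, skype_tmpfs_t)
++
++tunable_policy(`gentoo_try_dontaudit',`
++ dev_dontaudit_search_sysfs(skype_t)
++ fs_dontaudit_getattr_xattr_fs(skype_t)
++')
++
++optional_policy(`
++ tunable_policy(`gentoo_try_dontaudit',`
++ mozilla_dontaudit_manage_user_home_files(skype_t)
++ ')
++')
++
++optional_policy(`
++ alsa_read_rw_config(skype_t)
++')
++
++optional_policy(`
++ dbus_system_bus_client(skype_t)
++ dbus_session_bus_client(skype_t)
++')
++
+--- apps/skype.fc 1970-01-01 01:00:00.000000000 +0100
++++ apps/skype.fc 2011-07-21 10:08:43.824000256 +0200
+@@ -0,0 +1,3 @@
++/usr/bin/skype -- gen_context(system_u:object_r:skype_exec_t,s0)
++/opt/skype/skype -- gen_context(system_u:object_r:skype_exec_t,s0)
++HOME_DIR/\.Skype(/.*)? gen_context(system_u:object_r:skype_home_t,s0)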
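Review bot: `skype_t` is never marked `ubac_constrained`, while `skype_tmpfs_t` is and the pan module added in this commit constrains `pan_t`; since the base policy here is built with `+ubac` by default, the user-based separation constraints would, as far as I read them, not apply to the skype domain even though it gets generic-port bind/connect and management of user home content, which looks unintended. Add `ubac_constrained(skype_t)` directly after `application_domain(skype_t, skype_exec_t)`. `userdom_user_home_content(skype_home_t)` belongs beside the `type skype_home_t;` declaration, as the pan module does it, rather than among the system-layer calls. The `execmem` in `allow skype_t self:process { getsched setsched execmem signal };` removes the W^X guarantee for the domain and deserves a why-comment such as `# the closed-source binary needs anonymous executable memory (execmem)` — presumably that is the reason, please confirm.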
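--- /dev/null
+++ b/sec-policy/selinux-skype/metadata.xml
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+ <herd>selinux</herd>
+ <longdescription>Gentoo SELinux policy for skype</longdescription>
+</pkgmetadata>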
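--- /dev/null
+++ b/sec-policy/selinux-skype/selinux-skype-2.20101213-r3.ebuild
@@ -0,0 +1,16 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-skype/selinux-skype-2.20101213-r2.ebuild,v 1.2 2011/06/02 12:56:29 blueness Exp $
+
+IUSE=""
+
+MODS="skype"
+
+inherit selinux-policy-2
+
+DESCRIPTION="SELinux policy for general applications"
+
+KEYWORDS="~amd64 ~x86"
+
+POLICY_PATCH="${FILESDIR}/fix-apps-skype-r3.patch"
+RDEPEND=">=sec-policy/selinux-base-policy-2.20101213-r20"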
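Review bot: `RDEPEND=">=sec-policy/selinux-base-policy-2.20101213-r20"` pins an older base revision than the pan ebuild (`-r22`) added in the same commit, although both modules use the same `gentoo_try_dontaudit`/userdom interfaces from the base; either bump it to `-r22` or add a comment stating why r20 suffices so the next revision does not silently "fix" it. `DESCRIPTION="SELinux policy for general applications"` should be `DESCRIPTION="SELinux policy for skype"` to match the metadata.xml added alongside. The `$Header` line still names the r2 ebuild it was copied from.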