
From: Sven Vermeulen <sven.vermeulen@××××××.be>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Fri, 28 Sep 2012 17:52:19
Message-Id: 1348854493.69ad7c3bc5fc98a33968fe6b615e1b93ee66ccd7.SwifT@gentoo
1 commit: 69ad7c3bc5fc98a33968fe6b615e1b93ee66ccd7
2 Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
3 AuthorDate: Fri Sep 28 10:59:44 2012 +0000
4 Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
5 CommitDate: Fri Sep 28 17:48:13 2012 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=69ad7c3b
7
8 Changes to the dmidecode policy module
9
10 Add a file context specification for biosdecode
11 Use role attributes
12 Module clean up
13
14 Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
15
16 ---
17 policy/modules/contrib/dmidecode.fc | 2 +-
18 policy/modules/contrib/dmidecode.if | 17 +++++++----------
19 policy/modules/contrib/dmidecode.te | 8 +++++---
20 3 files changed, 13 insertions(+), 14 deletions(-)
21
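--- a/policy/modules/contrib/dmidecode.fc
+++ b/policy/modules/contrib/dmidecode.fc
@@ -1,4 +1,4 @@
-
+/usr/sbin/biosdecode -- gen_context(system_u:object_r:dmidecode_exec_t,s0)
 /usr/sbin/dmidecode -- gen_context(system_u:object_r:dmidecode_exec_t,s0)
 /usr/sbin/ownership -- gen_context(system_u:object_r:dmidecode_exec_t,s0)
 /usr/sbin/vpddecode -- gen_context(system_u:object_r:dmidecode_exec_t,s0)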
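Review bot: The new biosdecode entry labels it dmidecode_exec_t, so it will enter dmidecode_t and inherit everything that domain holds, including the sys_rawio capability and dev_read_raw_memory shown in the dmidecode.te hunk below; that is presumably intended because it reads the same firmware areas, but it is worth confirming that the full set is needed rather than assuming it. The `--` file-type qualifier restricts the match to regular files, consistent with the three sibling entries.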
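--- a/policy/modules/contrib/dmidecode.if
+++ b/policy/modules/contrib/dmidecode.if
@@ -15,18 +15,15 @@ interface(`dmidecode_domtrans',`
 type dmidecode_t, dmidecode_exec_t;
 ')
 
-domain_auto_trans($1, dmidecode_exec_t, dmidecode_t)
-
-allow $1 dmidecode_t:fd use;
-allow dmidecode_t $1:fd use;
-allow dmidecode_t $1:fifo_file rw_file_perms;
-allow dmidecode_t $1:process sigchld;
+corecmd_search_bin($1)
+domtrans_pattern($1, dmidecode_exec_t, dmidecode_t)
 ')
 
 ########################################
 ## <summary>
-## Execute dmidecode in the dmidecode domain, and
-## allow the specified role the dmidecode domain.
+## Execute dmidecode in the dmidecode
+## domain, and allow the specified
+## role the dmidecode domain.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -42,9 +39,9 @@ interface(`dmidecode_domtrans',`
 #
 interface(`dmidecode_run',`
 gen_require(`
-type dmidecode_t;
+attribute_role dmidecode_roles;
 ')
 
 dmidecode_domtrans($1)
-role $2 types dmidecode_t;
+roleattribute $2 dmidecode_roles;
 ')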
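Review bot: `roleattribute $2 dmidecode_roles;` in dmidecode_run turns a single explicit `role $2 types dmidecode_t` grant into attribute membership, so the role passed as $2 is also authorized for any type that is later associated with dmidecode_roles; the `<param name="role">` summary, which lies outside this hunk, should state that, e.g. `## Role allowed access; it is added to the dmidecode_roles attribute.` In dmidecode_domtrans the switch to `domtrans_pattern` drops the explicit fd/fifo_file/sigchld lines; refpolicy's domtrans_pattern carries those same rules, so no functional gap is apparent, but that is inferred from the support macros rather than visible here. The re-wrap of the dmidecode_run summary is cosmetic.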
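--- a/policy/modules/contrib/dmidecode.te
+++ b/policy/modules/contrib/dmidecode.te
@@ -1,14 +1,17 @@
-policy_module(dmidecode, 1.4.0)
+policy_module(dmidecode, 1.4.1)
 
 ########################################
 #
 # Declarations
 #
 
+attribute_role dmidecode_roles;
+roleattribute system_r dmidecode_roles;
+
 type dmidecode_t;
 type dmidecode_exec_t;
 application_domain(dmidecode_t, dmidecode_exec_t)
-role system_r types dmidecode_t;
+role dmidecode_roles types dmidecode_t;
 
 ########################################
 #
@@ -18,7 +21,6 @@ role system_r types dmidecode_t;
 allow dmidecode_t self:capability sys_rawio;
 
 dev_read_sysfs(dmidecode_t)
-# Allow dmidecode to read /dev/mem
 dev_read_raw_memory(dmidecode_t)
 
 mls_file_read_all_levels(dmidecode_t)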
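Review bot: Deleting `# Allow dmidecode to read /dev/mem` in the second hunk leaves `dev_read_raw_memory(dmidecode_t)` and the `sys_rawio` capability two lines above it without any explanation, although together they are the most privileged rules in this module and the ones a later reviewer will most want justified. Keep a why-comment on that line, e.g. `# DMI/SMBIOS tables are read from /dev/mem (also needed by biosdecode, now labelled dmidecode_exec_t)`. In the first hunk `roleattribute system_r dmidecode_roles;` preserves the previous system_r grant, and the 1.4.0 to 1.4.1 bump is appropriate since dmidecode_run's requirements changed.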