
From: Sven Vermeulen <sven.vermeulen@××××××.be>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Sun, 28 Oct 2012 18:02:49
Message-Id: 1351447144.066a3a15354a32da9c52345cfa2a0b6a5d4026e7.SwifT@gentoo
1 commit: 066a3a15354a32da9c52345cfa2a0b6a5d4026e7
2 Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
3 AuthorDate: Sun Oct 28 12:51:30 2012 +0000
4 Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
5 CommitDate: Sun Oct 28 17:59:04 2012 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=066a3a15
7
8 Changes to the soundserver policy module
9
10 Module clean up
11
12 Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
13
14 ---
15 policy/modules/contrib/soundserver.fc | 3 ++-
16 policy/modules/contrib/soundserver.if | 18 ++++++++++++------
17 policy/modules/contrib/soundserver.te | 19 +++++++------------
18 3 files changed, 21 insertions(+), 19 deletions(-)
19
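diff --git a/policy/modules/contrib/soundserver.fc b/policy/modules/contrib/soundserver.fc
index 76d0f37..02c23b3 100644
--- a/policy/modules/contrib/soundserver.fc
+++ b/policy/modules/contrib/soundserver.fc
@@ -1,7 +1,8 @@
 /etc/nas(/.*)? gen_context(system_u:object_r:soundd_etc_t,s0)
-/etc/rc\.d/init\.d/nasd -- gen_context(system_u:object_r:soundd_initrc_exec_t,s0)
 /etc/yiff(/.*)? gen_context(system_u:object_r:soundd_etc_t,s0)
 
+/etc/rc\.d/init\.d/nasd -- gen_context(system_u:object_r:soundd_initrc_exec_t,s0)
+
 /usr/bin/nasd -- gen_context(system_u:object_r:soundd_exec_t,s0)
 /usr/bin/gpe-soundserver -- gen_context(system_u:object_r:soundd_exec_t,s0)
 
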
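diff --git a/policy/modules/contrib/soundserver.if b/policy/modules/contrib/soundserver.if
index 93fe7bf..a5abc5a 100644
--- a/policy/modules/contrib/soundserver.if
+++ b/policy/modules/contrib/soundserver.if
@@ -16,8 +16,8 @@ interface(`soundserver_tcp_connect',`
 
 ########################################
 ## <summary>
-## All of the rules required to administrate
-## an soundd environment
+## All of the rules required to
+## administrate an soundd environment.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -26,16 +26,16 @@ interface(`soundserver_tcp_connect',`
 ## </param>
 ## <param name="role">
 ## <summary>
-## The role to be allowed to manage the soundd domain.
+## Role allowed access.
 ## </summary>
 ## </param>
 ## <rolecap/>
 #
 interface(`soundserver_admin',`
 gen_require(`
- type soundd_t, soundd_etc_t;
- type soundd_tmp_t, soundd_var_run_t;
- type soundd_initrc_exec_t;
+ type soundd_t, soundd_etc_t, soundd_initrc_exec_t;
+ type soundd_tmp_t, soundd_var_run_t, soundd_tmpfs_t;
+ type soundd_state_t;
 ')
 
 allow $1 soundd_t:process { ptrace signal_perms };
@@ -52,6 +52,12 @@ interface(`soundserver_admin',`
 files_list_tmp($1)
 admin_pattern($1, soundd_tmp_t)
 
+ fs_list_tmpfs($1)
+ admin_pattern($1, soundd_tmpfs_t)
+
+ files_list_var($1)
+ admin_pattern($1, soundd_state_t)
+
 files_list_pids($1)
 admin_pattern($1, soundd_var_run_t)
 ')
 
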
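Review bot: The reflowed summary line `## administrate an soundd environment.` carries over the article error from the text it replaces; since the sentence is being rewritten anyway, `## administrate a soundd environment.` is the form to commit. The new gen_require entries for soundd_tmpfs_t and soundd_state_t match the admin_pattern calls added in the third hunk, so the two hunks are consistent with each other. The soundserver_admin body is split across the second and third hunks, so the rules between `allow $1 soundd_t:process { ptrace signal_perms };` and `files_list_tmp($1)` are not visible here.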
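diff --git a/policy/modules/contrib/soundserver.te b/policy/modules/contrib/soundserver.te
index 3217605..db1bc6f 100644
--- a/policy/modules/contrib/soundserver.te
+++ b/policy/modules/contrib/soundserver.te
@@ -1,4 +1,4 @@
-policy_module(soundserver, 1.8.0)
+policy_module(soundserver, 1.8.1)
 
 ########################################
 #
@@ -21,7 +21,6 @@ files_type(soundd_state_t)
 type soundd_tmp_t;
 files_tmp_file(soundd_tmp_t)
 
-# for yiff - probably need some rules for the client support too
 type soundd_tmpfs_t;
 files_tmpfs_file(soundd_tmpfs_t)
 
@@ -36,12 +35,10 @@ files_pid_file(soundd_var_run_t)
 allow soundd_t self:capability dac_override;
 dontaudit soundd_t self:capability sys_tty_config;
 allow soundd_t self:process { setpgid signal_perms };
+allow soundd_t self:shm create_shm_perms;
 allow soundd_t self:tcp_socket create_stream_socket_perms;
 allow soundd_t self:udp_socket create_socket_perms;
-allow soundd_t self:unix_stream_socket { connectto create_stream_socket_perms };
-
-# for yiff
-allow soundd_t self:shm create_shm_perms;
+allow soundd_t self:unix_stream_socket { accept connectto listen };
 
 read_files_pattern(soundd_t, soundd_etc_t, soundd_etc_t)
 read_lnk_files_pattern(soundd_t, soundd_etc_t, soundd_etc_t)
@@ -59,9 +56,9 @@ manage_fifo_files_pattern(soundd_t, soundd_tmpfs_t, soundd_tmpfs_t)
 manage_sock_files_pattern(soundd_t, soundd_tmpfs_t, soundd_tmpfs_t)
 fs_tmpfs_filetrans(soundd_t, soundd_tmpfs_t, { dir file lnk_file sock_file fifo_file })
 
-manage_sock_files_pattern(soundd_t, soundd_var_run_t, soundd_var_run_t)
 manage_files_pattern(soundd_t, soundd_var_run_t, soundd_var_run_t)
 manage_dirs_pattern(soundd_t, soundd_var_run_t, soundd_var_run_t)
+manage_sock_files_pattern(soundd_t, soundd_var_run_t, soundd_var_run_t)
 files_pid_filetrans(soundd_t, soundd_var_run_t, { file dir })
 
 kernel_read_kernel_sysctls(soundd_t)
@@ -71,14 +68,12 @@ kernel_read_proc_symlinks(soundd_t)
 corenet_all_recvfrom_unlabeled(soundd_t)
 corenet_all_recvfrom_netlabel(soundd_t)
 corenet_tcp_sendrecv_generic_if(soundd_t)
-corenet_udp_sendrecv_generic_if(soundd_t)
 corenet_tcp_sendrecv_generic_node(soundd_t)
-corenet_udp_sendrecv_generic_node(soundd_t)
-corenet_tcp_sendrecv_all_ports(soundd_t)
-corenet_udp_sendrecv_all_ports(soundd_t)
 corenet_tcp_bind_generic_node(soundd_t)
-corenet_tcp_bind_soundd_port(soundd_t)
+
 corenet_sendrecv_soundd_server_packets(soundd_t)
+corenet_tcp_bind_soundd_port(soundd_t)
+corenet_tcp_sendrecv_soundd_port(soundd_t)
 
 dev_read_sysfs(soundd_t)
 dev_read_sound(soundd_t)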
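Review bot: The new line `allow soundd_t self:unix_stream_socket { accept connectto listen };` replaces `{ connectto create_stream_socket_perms }`, so create, bind, read and write on the domain's own stream sockets are no longer granted in this hunk; unless a shared rule elsewhere in the policy supplies them (nothing in this diff does), the daemon can no longer open the local socket it is now allowed to listen on, and the "Module clean up" message does not say whether that narrowing is intended. In the last hunk the corenet_udp_sendrecv_generic_if/generic_node/all_ports rules are removed while `allow soundd_t self:udp_socket create_socket_perms;` stays in context two hunks earlier, so either that socket grant is now dead and should go as well, or one of the removed UDP lines is still needed; a sentence in the commit message would settle it. The relocated `allow soundd_t self:shm create_shm_perms;` loses its `# for yiff` comment, and keeping a short one such as `# shm is used by the yiff server` preserves why a sound daemon needs shared memory at all. Swapping corenet_tcp_sendrecv_all_ports for corenet_tcp_sendrecv_soundd_port is a genuine least-privilege tightening and is the part of this hunk worth keeping as-is.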