
From: Sven Vermeulen <swift@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
Date: Fri, 06 Dec 2013 17:48:14
Message-Id: 1386351937.c308e6f1f5a4cf7df16bc154da2d500dfa3703c9.swift@gentoo
1 commit: c308e6f1f5a4cf7df16bc154da2d500dfa3703c9
2 Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
3 AuthorDate: Fri Dec 6 17:45:37 2013 +0000
4 Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
5 CommitDate: Fri Dec 6 17:45:37 2013 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=c308e6f1
7
8 Move Gentoo specifics to the lower part
9
10 ---
11 policy/modules/system/udev.te | 66 +++++++++++++++++++++++++++----------------
12 1 file changed, 41 insertions(+), 25 deletions(-)
13
14 diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
15 index 2679c85..a7078c4 100644
16 --- a/policy/modules/system/udev.te
17 +++ b/policy/modules/system/udev.te
18 @@ -64,10 +64,7 @@ can_exec(udev_t, udev_helper_exec_t)
19 # read udev config
20 allow udev_t udev_etc_t:file read_file_perms;
21
22 -allow udev_t udev_tbl_t:dir relabelto;
23 -manage_dirs_pattern(udev_t, udev_tbl_t, udev_tbl_t)
24 -manage_files_pattern(udev_t, udev_tbl_t, udev_tbl_t)
25 -manage_lnk_files_pattern(udev_t, udev_tbl_t, udev_tbl_t)
26 +allow udev_t udev_tbl_t:file manage_file_perms;
27 dev_filetrans(udev_t, udev_tbl_t, file)
28
29 list_dirs_pattern(udev_t, udev_rules_t, udev_rules_t)
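Review bot: The `allow udev_t udev_tbl_t:file manage_file_perms;` kept here is granted a second time for the Gentoo build by `manage_files_pattern(udev_t, udev_tbl_t, udev_tbl_t)` in the new distro_gentoo block at the end of the file, so the only udev_tbl_t rules that are actually Gentoo-specific are the `:dir relabelto`, `manage_dirs_pattern` and `manage_lnk_files_pattern` lines. The same repetition appears in the third hunk, where `files_read_etc_files`, `files_read_etc_runtime_files`, `files_read_usr_files` and `files_dontaudit_search_isid_type_dirs` stay in the common section and are listed again in that block. Duplicate allow rules are merged by the policy compiler, so this is not a permission change, but it makes it harder to read off what the Gentoo block adds over the common policy. I would drop the repeated lines from the distro_gentoo block and keep there only the rules that are absent from the common section; the block itself runs past the end of this excerpt.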
30 @@ -79,24 +76,24 @@ manage_lnk_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
31 manage_sock_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
32 files_pid_filetrans(udev_t, udev_var_run_t, dir, "udev")
33
34 -kernel_dgram_send(udev_t)
35 +kernel_read_system_state(udev_t)
36 +kernel_request_load_module(udev_t)
37 kernel_getattr_core_if(udev_t)
38 -kernel_load_module(udev_t)
39 +kernel_use_fds(udev_t)
40 kernel_read_device_sysctls(udev_t)
41 kernel_read_hotplug_sysctls(udev_t)
42 -kernel_read_kernel_sysctls(udev_t)
43 kernel_read_modprobe_sysctls(udev_t)
44 -kernel_read_network_state(udev_t)
45 -kernel_read_software_raid_state(udev_t)
46 -kernel_read_system_state(udev_t)
47 -kernel_request_load_module(udev_t)
48 +kernel_read_kernel_sysctls(udev_t)
49 kernel_rw_hotplug_sysctls(udev_t)
50 -#https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182
51 -kernel_rw_net_sysctls(udev_t)
52 kernel_rw_unix_dgram_sockets(udev_t)
53 -kernel_search_debugfs(udev_t)
54 +kernel_dgram_send(udev_t)
55 kernel_signal(udev_t)
56 -kernel_use_fds(udev_t)
57 +kernel_search_debugfs(udev_t)
58 +
59 +#https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182
60 +kernel_rw_net_sysctls(udev_t)
61 +kernel_read_network_state(udev_t)
62 +kernel_read_software_raid_state(udev_t)
63
64 corecmd_exec_all_executables(udev_t)
65
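Review bot: The `#https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182` comment now heads a group of three calls, whereas on the old side it sat directly above `kernel_rw_net_sysctls(udev_t)` alone, so the reference now reads as if it also justifies `kernel_read_network_state(udev_t)` and `kernel_read_software_raid_state(udev_t)`. I would pin it to the one rule it presumably explains, e.g. `# kernel_rw_net_sysctls: see https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182`, and separate the other two with a blank line or a comment of their own. The remaining lines of this hunk only reorder existing calls.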
66 @@ -114,13 +111,12 @@ dev_manage_generic_symlinks(udev_t)
67 domain_read_all_domains_state(udev_t)
68 domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
69
70 -files_exec_etc_files(udev_t)
71 -files_getattr_generic_locks(udev_t)
72 -files_read_etc_files(udev_t)
73 -files_read_etc_runtime_files(udev_t)
74 -files_read_kernel_modules(udev_t)
75 files_read_usr_files(udev_t)
76 +files_read_etc_runtime_files(udev_t)
77 +files_read_etc_files(udev_t)
78 +files_exec_etc_files(udev_t)
79 files_dontaudit_search_isid_type_dirs(udev_t)
80 +files_getattr_generic_locks(udev_t)
81 files_search_mnt(udev_t)
82
83 fs_getattr_all_fs(udev_t)
84 @@ -178,8 +174,6 @@ sysnet_etc_filetrans_config(udev_t)
85
86 userdom_dontaudit_search_user_home_content(udev_t)
87
88 -udev_pid_filetrans_db(udev_t, dir, "data")
89 -
90 ifdef(`distro_debian',`
91 files_pid_filetrans(udev_t, udev_var_run_t, dir, "xen-hotplug")
92
93 @@ -197,12 +191,9 @@ ifdef(`distro_debian',`
94 ')
95
96 ifdef(`distro_gentoo',`
97 - allow udev_t self:capability2 block_suspend;
98 -
99 # during boot, init scripts use /dev/.rcsysinit
100 # existance to determine if we are in early booting
101 init_getattr_script_status_files(udev_t)
102 - init_domtrans_script(udev_t)
103 ')
104
105 ifdef(`distro_redhat',`
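Review bot: After this hunk the file carries two distro_gentoo ifdef blocks: this upper one keeps only `init_getattr_script_status_files(udev_t)` and its two-line comment, while the new block at the end of the file collects the other Gentoo-specific rules. Given the commit's stated aim of gathering the Gentoo specifics in the lower part, it would be more consistent to move this rule and its comment there as well and remove the upper block entirely; that is a pure reorder with no rule change. While the comment is being moved, `existance` in it should read `existence`.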
106 @@ -331,3 +322,28 @@ optional_policy(`
107 optional_policy(`
108 xserver_read_xdm_pid(udev_t)
109 ')
110 +
111 +ifdef(`distro_gentoo',`
112 + #################################
113 + #
114 + # local udev_t policy
115 + #
116 + allow udev_t self:capability2 block_suspend;
117 + allow udev_t udev_tbl_t:dir relabelto;
118 +
119 + manage_dirs_pattern(udev_t, udev_tbl_t, udev_tbl_t)
120 + manage_files_pattern(udev_t, udev_tbl_t, udev_tbl_t)
121 + manage_lnk_files_pattern(udev_t, udev_tbl_t, udev_tbl_t)
122 +
123 + kernel_load_module(udev_t)
124 +
125 + files_read_etc_files(udev_t)
126 + files_read_etc_runtime_files(udev_t)
127 + files_read_kernel_modules(udev_t)
128 + files_read_usr_files(udev_t)
129 + files_dontaudit_search_isid_type_dirs(udev_t)
130 +
131 + udev_pid_filetrans_db(udev_t, dir, "data")
132 +
133 + init_domtrans_script(udev_t)
134 +')