[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/system/, policy/modules/kernel/
commit: 8d12e0f32ff8a5776028c854f987b9af4b7adee6 Author: Chris PeBenito ieee org> AuthorDate: Sat Apr 27 14:51:06 2019 + Commit: Jason Zaman gentoo org> CommitDate: Sun Apr 28 10:00:55 2019 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8d12e0f3 various: Module version bump. Signed-off-by: Chris PeBenito ieee.org> Signed-off-by: Jason Zaman perfinion.com> policy/modules/kernel/devices.te | 2 +- policy/modules/kernel/storage.te | 2 +- policy/modules/services/apache.te| 2 +- policy/modules/services/devicekit.te | 2 +- policy/modules/services/tuned.te | 2 +- policy/modules/system/init.te| 2 +- policy/modules/system/mount.te | 2 +- policy/modules/system/systemd.te | 2 +- policy/modules/system/unconfined.te | 2 +- policy/modules/system/userdomain.te | 2 +- 10 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index f36fcdc1..a0331212 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,4 +1,4 @@
-policy_module(devices, 1.24.1)
+policy_module(devices, 1.24.2)
 #
diff --git a/policy/modules/kernel/storage.te b/policy/modules/kernel/storage.te
index c10290c0..8f91eb2d 100644
--- a/policy/modules/kernel/storage.te
+++ b/policy/modules/kernel/storage.te
@@ -1,4 +1,4 @@
-policy_module(storage, 1.16.0)
+policy_module(storage, 1.16.1)
 #
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index ea541a9d..ee95b305 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -1,4 +1,4 @@
-policy_module(apache, 2.16.0)
+policy_module(apache, 2.16.1)
 #
diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
index 7b0226e0..8aadd411 100644
--- a/policy/modules/services/devicekit.te
+++ b/policy/modules/services/devicekit.te
@@ -1,4 +1,4 @@
-policy_module(devicekit, 1.10.0)
+policy_module(devicekit, 1.10.1)
 #
diff --git a/policy/modules/services/tuned.te b/policy/modules/services/tuned.te
index 349a757b..aafa6be5 100644
--- a/policy/modules/services/tuned.te
+++ b/policy/modules/services/tuned.te
@@ -1,4 +1,4 @@
-policy_module(tuned, 1.5.0)
+policy_module(tuned, 1.5.1)
 #
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index b3385fed..aca76caa 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 2.6.5)
+policy_module(init, 2.6.6)
 gen_require(`
 class passwd rootok;
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 0539abfa..1fbf3e2f 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -1,4 +1,4 @@
-policy_module(mount, 1.20.0)
+policy_module(mount, 1.20.1)
 #
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index a5ebfdb3..29d5d4fc 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.7.6)
+policy_module(systemd, 1.7.7)
 #
 #
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index 29ed0217..1ca89af1 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -1,4 +1,4 @@
-policy_module(unconfined, 3.12.0)
+policy_module(unconfined, 3.12.1)
 #
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index e3f0f09b..81d2da73 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,4 +1,4 @@
-policy_module(userdomain, 4.17.0)
+policy_module(userdomain, 4.17.1)
 #
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/system/, policy/modules/kernel/
commit: 8a23415215dd0c7be0bf930e02410d9950fe647f Author: Chris PeBenito ieee org> AuthorDate: Sat Feb 18 14:39:01 2017 + Commit: Jason Zaman gentoo org> CommitDate: Tue Feb 21 06:52:46 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8a234152 Little misc patches from Russell Coker. policy/modules/kernel/files.te | 3 ++- policy/modules/services/xserver.if | 20 policy/modules/services/xserver.te | 2 +- policy/modules/system/init.fc| 2 +- policy/modules/system/init.te| 14 +- policy/modules/system/logging.te | 14 +- policy/modules/system/lvm.te | 4 +++- policy/modules/system/selinuxutil.te | 14 +- policy/modules/system/sysnetwork.te | 14 +- policy/modules/system/udev.te| 3 ++- 10 files changed, 65 insertions(+), 25 deletions(-)
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 625768e2..9b06ff6e 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -1,4 +1,4 @@
-policy_module(files, 1.23.2)
+policy_module(files, 1.23.3)
 #
@@ -11,6 +11,7 @@ attribute lockfile;
 attribute mountpoint;
 attribute pidfile;
 attribute configfile;
+attribute spoolfile;
 # For labeling types that are to be polyinstantiated
 attribute polydir;
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index f0761c9b..7af0ab6a 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -934,6 +934,26 @@ interface(`xserver_create_xdm_tmp_sockets',`
 ##
+## Delete a named socket in a XDM
+## temporary directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xserver_delete_xdm_tmp_sockets',`
+ gen_require(`
+ type xdm_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ delete_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
+')
+
+ ## ## Read XDM pid files. ## ##
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 68014747..71786c59 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
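Review bot: The new `attribute spoolfile;` in the second files.te hunk carries no comment, while the neighbouring `attribute polydir;` is introduced by one explaining its purpose, and nothing in this commit's diffstat touches files.if, so no interface that adds types to the attribute or grants access through it is visible here. Without either, a reader of files.te cannot tell what `spoolfile` is meant to collect or which modules are expected to use it. A one-line comment in the existing style, such as `# For labeling spool file and directory types`, would record the intent; if the matching files.if interfaces are planned for a separate commit, saying so in that comment or in the commit message would help.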
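Review bot: The summary of the new `xserver_delete_xdm_tmp_sockets` interface reads "a XDM"; it should be "an XDM" (`##	Delete a named socket in an XDM`). The body itself follows the usual pattern, `files_search_tmp($1)` followed by `delete_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t)`, and I see nothing wrong with it. No caller of the interface appears in this commit (the xserver.te section only bumps the module version), so the commit message could name the domain it was added for.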
@@ -1,4 +1,4 @@
-policy_module(xserver, 3.13.1)
+policy_module(xserver, 3.13.2)
 gen_require(`
 class x_drawable all_x_drawable_perms;
diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
index 1fb15ae0..fe085d15 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -23,6 +23,7 @@ ifdef(`distro_gentoo',` # /usr # /usr/bin/sepg_ctl -- gen_context(system_u:object_r:initrc_exec_t,s0)
+/usr/bin/systemd -- gen_context(system_u:object_r:init_exec_t,s0)
 /usr/lib/systemd/systemd --gen_context(system_u:object_r:init_exec_t,s0)
 /usr/lib/systemd/system-preset(/.*)? gen_context(system_u:object_r:systemd_unit_t,s0)
@@ -34,7 +35,6 @@ ifdef(`distro_gentoo', `
 /usr/lib/rc/init\.d(/.*)? gen_context(system_u:object_r:initrc_state_t,s0)
 ')
-
 /usr/libexec/dcc/start-.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
 /usr/libexec/dcc/stop-.* --gen_context(system_u:object_r:initrc_exec_t,s0)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 03aaae53..cad90ba5 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 2.2.2)
+policy_module(init, 2.2.3)
 gen_require(`
 class passwd rootok;
@@ -307,7 +307,9 @@ ifdef(`init_systemd',`
 ',`
 # Run the shell in the sysadm role for single-user mode.
 # causes problems with upstart
- sysadm_shell_domtrans(init_t)
+ ifndef(`distro_debian',`
+ sysadm_shell_domtrans(init_t)
+ ')
 ')
 ')
@@ -561,9 +563,6 @@ miscfiles_read_localization(initrc_t)
 # slapd needs to read cert files from its initscript
 miscfiles_read_generic_certs(initrc_t)
-modutils_read_module_config(initrc_t)
-modutils_domtrans_insmod(initrc_t)
-
 seutil_read_config(initrc_t)
 userdom_read_user_home_content_files(initrc_t)
@@ -953,6 +952,11 @@ optional_policy(`
 ')
 optional_policy(`
+ modutils_read_module_config(initrc_t)
+ modutils_domtrans_insmod(initrc_t)
+')
+
+optional_policy(`
 mta_read_config(initrc_t)
 mta_dontaudit_read_spool_symlinks(initrc_t)
 ')
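Review bot: The added `/usr/bin/systemd` entry in the first init.fc hunk uses the `--` qualifier, so it only applies when that path is a regular file; where `/usr/bin/systemd` is instead a symlink to `/usr/lib/systemd/systemd` (a merged-/usr layout, which I cannot confirm from the hunk) the new line never matches, and the executable that actually runs is still labelled by the existing `/usr/lib/systemd/systemd` context line beneath it, leaving the new entry dead. A short comment above it naming the layout that installs a real file there, e.g. `# systemd binary installed directly under /usr/bin`, would explain why it is needed alongside the /usr/lib entry. Whether this hunk sits inside the `ifdef(`distro_gentoo',` block that git reports as its context is not visible here. The second hunk in this file only removes a blank line.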
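Review bot: The `ifndef(`distro_debian',` guard added around `sysadm_shell_domtrans(init_t)` in the second init.te hunk comes without a comment saying why Debian is excluded; the adjacent `# causes problems with upstart` comment predates the change and does not mention Debian, so a later reader cannot tell whether the exclusion is deliberate or a leftover. A one-line comment above the guard, e.g. `# distro_debian: <reason the single-user shell transition is skipped>` with the reason filled in by the author, would settle that. Moving the two modutils calls into an `optional_policy` block (third and fourth hunks) looks right, since it drops initrc_t's hard dependency on the modutils module. The enclosing `ifdef(`init_systemd',` block begins outside the hunk.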
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 94be02e5..10d2fc9f 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -1,4 +1,4 @@
-policy_module(logging, 1.25.1)
+policy_module(logging, 1.25.2)
 #
@@ -124,8 +124,6 @@ term_use_all_terms(auditctl_t)
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/system/, policy/modules/kernel/, ...
commit: 465454fc28242165142d26bacbca592ca0565849 Author: Chris PeBenito cpebenito AT tresys DOT com AuthorDate: Wed Sep 24 17:10:37 2014 + Commit: Sven Vermeulen swift AT gentoo DOT org CommitDate: Sun Oct 12 08:24:27 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=465454fc Drop RHEL4 and RHEL5 support. --- Makefile | 5 README | 7 +++-- Rules.monolithic | 7 - policy/modules/admin/su.if | 54 -- policy/modules/kernel/kernel.if| 16 --- policy/modules/kernel/selinux.if | 20 -- policy/modules/kernel/selinux.te | 10 --- policy/modules/services/xserver.te | 8 -- policy/modules/system/init.if | 24 - 9 files changed, 3 insertions(+), 148 deletions(-)
diff --git a/Makefile b/Makefile
index 70b213a..09fae9d 100644
--- a/Makefile
+++ b/Makefile
@@ -188,11 +188,6 @@ ifneq ($(DISTRO),)
 M4PARAM += -D distro_$(DISTRO)
 endif
-# rhel4 also implies redhat
-ifeq $(DISTRO) rhel4
- M4PARAM += -D distro_redhat
-endif
-
 ifeq $(DISTRO) ubuntu
 M4PARAM += -D distro_debian
 endif
diff --git a/README b/README
index a3e8082..9a97ecf 100644
--- a/README
+++ b/README
@@ -95,10 +95,9 @@ NAME String (optional). Sets the name of the policy; the set, the policy type (TYPE) is used. DISTRO String (optional). Enable distribution-specific policy.
- Available options are redhat, rhel4, gentoo, debian,
- and suse. This option controls distro_redhat,
- distro_rhel4, distro_gentoo, distro_debian, and
- distro_suse policy blocks.
+ Available options are redhat, gentoo, and debian.
+ This option controls distro_redhat, distro_gentoo, and
+ distro_debian build option policy blocks.
 MONOLITHIC Boolean. If set, a monolithic policy is built, otherwise a modular policy is built.
diff --git a/Rules.monolithic b/Rules.monolithic
index 6505550..d2de916 100644
--- a/Rules.monolithic
+++ b/Rules.monolithic
@@ -195,13 +195,6 @@ $(fcpath): $(fc) $(loadpath) $(userpath)/system.users
 $(verbose) $(INSTALL) -m 0644 $(fc) $(fcpath)
 $(verbose) $(INSTALL) -m 0644 $(homedir_template) $(homedirpath)
 $(verbose) $(UMASK) 022 ; $(genhomedircon) -d $(topdir) -t $(NAME) $(USEPWD)
-ifeq $(DISTRO) rhel4
-# Setfiles in RHEL4 does not look at file_contexts.homedirs.
- $(verbose) cat $@.homedirs $@
-# Delete the file_contexts.homedirs in case the toolchain has
-# been updated, to prevent duplicate match errors.
- $(verbose) rm -f $@.homedirs
-endif
 #
diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
index 5437f9c..aea8a4f 100644
--- a/policy/modules/admin/su.if
+++ b/policy/modules/admin/su.if
@@ -100,25 +100,6 @@ template(`su_restricted_domain_template', `
 ')
 ')
- ifdef(`distro_rhel4',`
- domain_role_change_exemption($1_su_t)
- domain_subj_id_change_exemption($1_su_t)
- domain_obj_id_change_exemption($1_su_t)
-
- selinux_get_fs_mount($1_su_t)
- selinux_validate_context($1_su_t)
- selinux_compute_access_vector($1_su_t)
- selinux_compute_create_context($1_su_t)
- selinux_compute_relabel_context($1_su_t)
- selinux_compute_user_contexts($1_su_t)
-
- seutil_read_config($1_su_t)
- seutil_read_default_contexts($1_su_t)
-
- # Only allow transitions to unprivileged user domains.
- userdom_spec_domtrans_unpriv_users($1_su_t)
- ')
-
 ifdef(`hide_broken_symptoms',`
 # dontaudit leaked sockets from parent
 dontaudit $1_su_t $2:socket_class_set { read write };
@@ -246,41 +227,6 @@ template(`su_role_template',`
 ')
 ')
- ifdef(`distro_rhel4',`
- domain_role_change_exemption($1_su_t)
- domain_subj_id_change_exemption($1_su_t)
- domain_obj_id_change_exemption($1_su_t)
-
- selinux_get_fs_mount($1_su_t)
- selinux_validate_context($1_su_t)
- selinux_compute_create_context($1_su_t)
- selinux_compute_relabel_context($1_su_t)
- selinux_compute_user_contexts($1_su_t)
-
- # Relabel ttys and ptys.
- term_relabel_all_ttys($1_su_t)
- term_relabel_all_ptys($1_su_t)
- # Close and re-open ttys and ptys to get the fd into the correct domain.
- term_use_all_ttys($1_su_t)
-
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/system/, policy/modules/kernel/, ...
commit: 13f83f0575fad09b7904fa68baad76389d8f6d16 Author: Chris PeBenito cpebenito AT tresys DOT com AuthorDate: Tue Mar 11 12:16:57 2014 + Commit: Sven Vermeulen swift AT gentoo DOT org CommitDate: Mon Mar 17 08:19:06 2014 + URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=13f83f05 Bump module versions for release. --- policy/modules/admin/bootloader.te | 2 +- policy/modules/admin/dmesg.te | 2 +- policy/modules/admin/netutils.te| 2 +- policy/modules/admin/usermanage.te | 2 +- policy/modules/kernel/corecommands.te | 2 +- policy/modules/kernel/corenetwork.te.in | 2 +- policy/modules/kernel/devices.te| 2 +- policy/modules/kernel/files.te | 2 +- policy/modules/kernel/filesystem.te | 2 +- policy/modules/kernel/kernel.te | 2 +- policy/modules/kernel/selinux.te| 2 +- policy/modules/kernel/storage.te| 2 +- policy/modules/kernel/terminal.te | 2 +- policy/modules/roles/staff.te | 2 +- policy/modules/roles/sysadm.te | 2 +- policy/modules/roles/unprivuser.te | 2 +- policy/modules/services/ssh.te | 2 +- policy/modules/services/xserver.te | 2 +- policy/modules/system/authlogin.te | 2 +- policy/modules/system/clock.te | 2 +- policy/modules/system/fstools.te| 2 +- policy/modules/system/hostname.te | 2 +- policy/modules/system/hotplug.te| 2 +- policy/modules/system/init.te | 2 +- policy/modules/system/iptables.te | 2 +- policy/modules/system/libraries.te | 2 +- policy/modules/system/locallogin.te | 2 +- policy/modules/system/logging.te| 2 +- policy/modules/system/lvm.te| 2 +- policy/modules/system/modutils.te | 2 +- policy/modules/system/mount.te | 2 +- policy/modules/system/selinuxutil.te| 2 +- policy/modules/system/setrans.te| 2 +- policy/modules/system/sysnetwork.te | 2 +- policy/modules/system/udev.te | 2 +- policy/modules/system/unconfined.te | 2 +- policy/modules/system/userdomain.te | 2 +- 37 files changed, 37 insertions(+), 37 deletions(-) 
diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
index 5b21248..4b837a8 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -1,4 +1,4 @@
-policy_module(bootloader, 1.14.2)
+policy_module(bootloader, 1.15.0)
 #
diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te
index 914a836..ee07743 100644
--- a/policy/modules/admin/dmesg.te
+++ b/policy/modules/admin/dmesg.te
@@ -1,4 +1,4 @@
-policy_module(dmesg, 1.3.1)
+policy_module(dmesg, 1.4.0)
 #
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index c44c359..7aa7384 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -1,4 +1,4 @@
-policy_module(netutils, 1.12.1)
+policy_module(netutils, 1.13.0)
 #
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 7bfba16..4855693 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -1,4 +1,4 @@
-policy_module(usermanage, 1.19.1)
+policy_module(usermanage, 1.20.0)
 #
diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te
index eabf979..3c243cb 100644
--- a/policy/modules/kernel/corecommands.te
+++ b/policy/modules/kernel/corecommands.te
@@ -1,4 +1,4 @@
-policy_module(corecommands, 1.18.3)
+policy_module(corecommands, 1.19.0)
 #
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 06ae4dc..fc18a14 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -1,4 +1,4 @@
-policy_module(corenetwork, 1.19.2)
+policy_module(corenetwork, 1.20.0)
 #
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index f87ea59..14c178e 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,4 +1,4 @@
-policy_module(devices, 1.15.1)
+policy_module(devices, 1.16.0)
 #
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index faaaf51..cdc1801 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -1,4 +1,4 @@
-policy_module(files, 1.18.3)
+policy_module(files, 1.19.0)
 #
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index e3b00ef..0e09942 100644
--- a/policy/modules/kernel/filesystem.te
+++