[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: 170ab2bf6b82c6110ee26d9f2915c7cf52caae15
Author: Jason Zaman perfinion com>
AuthorDate: Mon Aug 18 09:54:23 2014 +
Commit: Jason Zaman perfinion com>
CommitDate: Sun Oct 19 17:37:47 2014 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=170ab2bf
Add policy for Android tools and SDK
---
policy/modules/contrib/android.fc | 6 +++
policy/modules/contrib/android.if | 98 ++
policy/modules/contrib/android.te | 108 ++
3 files changed, 212 insertions(+)
diff --git a/policy/modules/contrib/android.fc
b/policy/modules/contrib/android.fc
new file mode 100644
index 000..a16fc47
--- /dev/null
+++ b/policy/modules/contrib/android.fc
@@ -0,0 +1,6 @@
+HOME_DIR/\.AndroidStudio.*(/.*)?
gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.android(/.*)?
gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.gradle(/.*)?
gen_context(system_u:object_r:android_home_t,s0)
+
+/opt/android-studio/bin/studio.sh
gen_context(system_u:object_r:android_java_exec_t,s0)
+
diff --git a/policy/modules/contrib/android.if
b/policy/modules/contrib/android.if
new file mode 100644
index 000..f0173d5
--- /dev/null
+++ b/policy/modules/contrib/android.if
@@ -0,0 +1,98 @@
+## Android development tools - adb, fastboot, android studio
+
+###
+##
+## The role for using the android tools.
+##
+##
+##
+## The role associated with the user domain.
+##
+##
+##
+##
+## The user domain.
+##
+##
+#
+interface(`android_role',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ type android_home_t;
+ type android_tmp_t;
+ type android_java_t;
+ type android_java_exec_t;
+ ')
+
+ role $1 types android_tools_t;
+ role $1 types android_java_t;
+
+ domtrans_pattern($2, android_tools_exec_t, android_tools_t)
+ domtrans_pattern($2, android_java_exec_t, android_java_t)
+
+ allow $2 android_tools_t:process { ptrace signal_perms };
+ allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh
rlimitinh };
+
+ manage_dirs_pattern($2, android_home_t, android_home_t)
+ manage_files_pattern($2, android_home_t, android_home_t)
+ manage_lnk_files_pattern($2, android_home_t, android_home_t)
+
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir,
".AndroidStudioBeta")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir,
".AndroidStudio")
+
+ manage_dirs_pattern($2, android_tmp_t, android_tmp_t)
+ manage_files_pattern($2, android_tmp_t, android_tmp_t)
+
+ allow $2 android_home_t:dir relabel_dir_perms;
+ allow $2 android_home_t:file relabel_file_perms;
+ allow $2 android_tools_exec_t:file relabel_file_perms;
+
+ ps_process_pattern($2, android_tools_t)
+ ps_process_pattern($2, android_java_t)
+
+ android_dbus_chat($2)
+')
+
+#
+##
+## Execute the android tools commands in the
+## android tools domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+
+interface(`android_tools_domtrans',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, android_tools_exec_t, android_tools_t)
+')
+
+#
+##
+## Send and receive messages from the android java
+## domain over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`android_dbus_chat',`
+ gen_require(`
+ type android_java_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 android_java_t:dbus send_msg;
+ allow android_java_t $1:dbus send_msg;
+')
diff --git a/policy/modules/contrib/android.te
b/policy/modules/contrib/android.te
new file mode 100644
index 000..08f3c83
--- /dev/null
+++ b/policy/modules/contrib/android.te
@@ -0,0 +1,108 @@
+policy_module(android, 1.0.0)
+
+
+#
+# Declarations
+#
+
+# adb needs to be labelled with android_tools_exec_t
+type android_tools_t;
+type android_tools_exec_t; # customizable
+userdom_user_application_domain(android_tools_t, android_tools_exec_t)
+
+type android_tmp_t;
+userdom_user_tmp_file(android_tmp_t)
+
+# for X server SHM
+type android_tmpfs_t;
+userdom_user_tmpfs_file(android_tmpfs_t)
+
+type android_java_t;
+type android_java_exec_t;
+userdom_user_application_domain(android_java_t, android_java_exec_t)
+java_domain_type(android_java_t)
+
+# the android dir ~/.android/, ~/.AndroidStudio/
+# th
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: fca81deb0372c2d4677d1f75c6264fb12a90187a
Author: Jason Zaman perfinion com>
AuthorDate: Mon Aug 18 09:54:23 2014 +
Commit: Jason Zaman perfinion com>
CommitDate: Sun Oct 19 16:47:34 2014 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=fca81deb
Add policy for Android tools and SDK
---
policy/modules/contrib/android.fc | 6 +++
policy/modules/contrib/android.if | 99 ++
policy/modules/contrib/android.te | 108 ++
3 files changed, 213 insertions(+)
diff --git a/policy/modules/contrib/android.fc
b/policy/modules/contrib/android.fc
new file mode 100644
index 000..a16fc47
--- /dev/null
+++ b/policy/modules/contrib/android.fc
@@ -0,0 +1,6 @@
+HOME_DIR/\.AndroidStudio.*(/.*)?
gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.android(/.*)?
gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.gradle(/.*)?
gen_context(system_u:object_r:android_home_t,s0)
+
+/opt/android-studio/bin/studio.sh
gen_context(system_u:object_r:android_java_exec_t,s0)
+
diff --git a/policy/modules/contrib/android.if
b/policy/modules/contrib/android.if
new file mode 100644
index 000..0c52d31
--- /dev/null
+++ b/policy/modules/contrib/android.if
@@ -0,0 +1,99 @@
+## Android development tools - adb, fastboot, android studio
+
+###
+##
+## The role for using the android tools.
+##
+##
+##
+## The role associated with the user domain.
+##
+##
+##
+##
+## The user domain.
+##
+##
+#
+interface(`android_role',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ type android_home_t;
+ type android_tmp_t;
+ type android_java_t;
+ type android_java_exec_t;
+ ')
+
+ role $1 types android_tools_t;
+ role $1 types android_java_t;
+
+ domtrans_pattern($2, android_tools_exec_t, android_tools_t)
+ domtrans_pattern($2, android_java_exec_t, android_java_t)
+
+ allow $2 android_tools_t:process { ptrace signal_perms };
+ allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh
rlimitinh };
+
+ manage_dirs_pattern($2, android_home_t, android_home_t)
+ manage_files_pattern($2, android_home_t, android_home_t)
+ manage_lnk_files_pattern($2, android_home_t, android_home_t)
+
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir,
".AndroidStudioBeta")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir,
".AndroidStudio")
+
+ manage_dirs_pattern($2, android_tmp_t, android_tmp_t)
+ manage_files_pattern($2, android_tmp_t, android_tmp_t)
+
+ allow $2 android_home_t:dir relabel_dir_perms;
+ allow $2 android_home_t:file relabel_file_perms;
+ allow $2 android_tools_exec_t:file relabel_file_perms;
+
+ ps_process_pattern($2, android_tools_t)
+ ps_process_pattern($2, android_java_t)
+
+ android_dbus_chat($2)
+')
+
+#
+##
+## Execute the android tools commands in the
+## android tools domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+
+interface(`android_tools_domtrans',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, android_tools_exec_t, android_tools_t)
+')
+
+#
+##
+## Send and receive messages from the android java
+## domain over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`android_dbus_chat',`
+ gen_require(`
+ type android_java_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 android_java_t:dbus send_msg;
+ allow android_java_t $1:dbus send_msg;
+')
+
diff --git a/policy/modules/contrib/android.te
b/policy/modules/contrib/android.te
new file mode 100644
index 000..531350a
--- /dev/null
+++ b/policy/modules/contrib/android.te
@@ -0,0 +1,108 @@
+policy_module(android, 1.0.0)
+
+
+#
+# Declarations
+#
+
+# adb needs to be labelled with android_tools_exec_t
+type android_tools_t;
+type android_tools_exec_t; # customizable
+userdom_user_application_domain(android_tools_t, android_tools_exec_t)
+
+type android_tmp_t;
+userdom_user_tmp_file(android_tmp_t)
+
+# for X server SHM
+type android_tmpfs_t;
+userdom_user_tmpfs_file(android_tmpfs_t)
+
+type android_java_t;
+type android_java_exec_t;
+userdom_user_application_domain(android_java_t, android_java_exec_t)
+java_domain_type(android_java_t)
+
+# the android dir ~/.android/, ~/.AndroidStudio/
+#
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: d8e454d337908a542af806f3a5bea15d025c856c
Author: Jason Zaman perfinion com>
AuthorDate: Mon Aug 18 09:54:23 2014 +
Commit: Jason Zaman perfinion com>
CommitDate: Sun Oct 19 16:32:24 2014 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=d8e454d3
Add policy for Android tools and SDK
---
policy/modules/contrib/android.fc | 6 +++
policy/modules/contrib/android.if | 99 ++
policy/modules/contrib/android.te | 108 ++
3 files changed, 213 insertions(+)
diff --git a/policy/modules/contrib/android.fc
b/policy/modules/contrib/android.fc
new file mode 100644
index 000..a16fc47
--- /dev/null
+++ b/policy/modules/contrib/android.fc
@@ -0,0 +1,6 @@
+HOME_DIR/\.AndroidStudio.*(/.*)?
gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.android(/.*)?
gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.gradle(/.*)?
gen_context(system_u:object_r:android_home_t,s0)
+
+/opt/android-studio/bin/studio.sh
gen_context(system_u:object_r:android_java_exec_t,s0)
+
diff --git a/policy/modules/contrib/android.if
b/policy/modules/contrib/android.if
new file mode 100644
index 000..0c52d31
--- /dev/null
+++ b/policy/modules/contrib/android.if
@@ -0,0 +1,99 @@
+## Android development tools - adb, fastboot, android studio
+
+###
+##
+## The role for using the android tools.
+##
+##
+##
+## The role associated with the user domain.
+##
+##
+##
+##
+## The user domain.
+##
+##
+#
+interface(`android_role',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ type android_home_t;
+ type android_tmp_t;
+ type android_java_t;
+ type android_java_exec_t;
+ ')
+
+ role $1 types android_tools_t;
+ role $1 types android_java_t;
+
+ domtrans_pattern($2, android_tools_exec_t, android_tools_t)
+ domtrans_pattern($2, android_java_exec_t, android_java_t)
+
+ allow $2 android_tools_t:process { ptrace signal_perms };
+ allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh
rlimitinh };
+
+ manage_dirs_pattern($2, android_home_t, android_home_t)
+ manage_files_pattern($2, android_home_t, android_home_t)
+ manage_lnk_files_pattern($2, android_home_t, android_home_t)
+
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir,
".AndroidStudioBeta")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir,
".AndroidStudio")
+
+ manage_dirs_pattern($2, android_tmp_t, android_tmp_t)
+ manage_files_pattern($2, android_tmp_t, android_tmp_t)
+
+ allow $2 android_home_t:dir relabel_dir_perms;
+ allow $2 android_home_t:file relabel_file_perms;
+ allow $2 android_tools_exec_t:file relabel_file_perms;
+
+ ps_process_pattern($2, android_tools_t)
+ ps_process_pattern($2, android_java_t)
+
+ android_dbus_chat($2)
+')
+
+#
+##
+## Execute the android tools commands in the
+## android tools domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+
+interface(`android_tools_domtrans',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, android_tools_exec_t, android_tools_t)
+')
+
+#
+##
+## Send and receive messages from the android java
+## domain over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`android_dbus_chat',`
+ gen_require(`
+ type android_java_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 android_java_t:dbus send_msg;
+ allow android_java_t $1:dbus send_msg;
+')
+
diff --git a/policy/modules/contrib/android.te
b/policy/modules/contrib/android.te
new file mode 100644
index 000..feb6f2d
--- /dev/null
+++ b/policy/modules/contrib/android.te
@@ -0,0 +1,108 @@
+policy_module(android, 1.0.0)
+
+
+#
+# Declarations
+#
+
+# adb needs to be labelled with android_tools_exec_t
+type android_tools_t;
+type android_tools_exec_t; # customizable
+userdom_user_application_domain(android_tools_t, android_tools_exec_t)
+
+type android_tmp_t;
+userdom_user_tmp_file(android_tmp_t)
+
+# for X server SHM
+type android_tmpfs_t;
+userdom_user_tmpfs_file(android_tmpfs_t)
+
+type android_java_t;
+type android_java_exec_t;
+userdom_user_application_domain(android_java_t, android_java_exec_t)
+java_domain_type(android_java_t)
+
+# the android dir ~/.android/, ~/.AndroidStudio/
+#
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: 15fcebfa4b19872bda46b11d2ff20c5df001bd3f
Author: Jason Zaman perfinion com>
AuthorDate: Mon Aug 18 09:54:23 2014 +
Commit: Jason Zaman perfinion com>
CommitDate: Sun Oct 19 15:34:29 2014 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=15fcebfa
Add policy for Android tools and SDK
---
policy/modules/contrib/android.fc | 6 +++
policy/modules/contrib/android.if | 99
policy/modules/contrib/android.te | 103 ++
3 files changed, 208 insertions(+)
diff --git a/policy/modules/contrib/android.fc
b/policy/modules/contrib/android.fc
new file mode 100644
index 000..a16fc47
--- /dev/null
+++ b/policy/modules/contrib/android.fc
@@ -0,0 +1,6 @@
+HOME_DIR/\.AndroidStudio.*(/.*)?
gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.android(/.*)?
gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.gradle(/.*)?
gen_context(system_u:object_r:android_home_t,s0)
+
+/opt/android-studio/bin/studio.sh
gen_context(system_u:object_r:android_java_exec_t,s0)
+
diff --git a/policy/modules/contrib/android.if
b/policy/modules/contrib/android.if
new file mode 100644
index 000..0c52d31
--- /dev/null
+++ b/policy/modules/contrib/android.if
@@ -0,0 +1,99 @@
+## Android development tools - adb, fastboot, android studio
+
+###
+##
+## The role for using the android tools.
+##
+##
+##
+## The role associated with the user domain.
+##
+##
+##
+##
+## The user domain.
+##
+##
+#
+interface(`android_role',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ type android_home_t;
+ type android_tmp_t;
+ type android_java_t;
+ type android_java_exec_t;
+ ')
+
+ role $1 types android_tools_t;
+ role $1 types android_java_t;
+
+ domtrans_pattern($2, android_tools_exec_t, android_tools_t)
+ domtrans_pattern($2, android_java_exec_t, android_java_t)
+
+ allow $2 android_tools_t:process { ptrace signal_perms };
+ allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh
rlimitinh };
+
+ manage_dirs_pattern($2, android_home_t, android_home_t)
+ manage_files_pattern($2, android_home_t, android_home_t)
+ manage_lnk_files_pattern($2, android_home_t, android_home_t)
+
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir,
".AndroidStudioBeta")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir,
".AndroidStudio")
+
+ manage_dirs_pattern($2, android_tmp_t, android_tmp_t)
+ manage_files_pattern($2, android_tmp_t, android_tmp_t)
+
+ allow $2 android_home_t:dir relabel_dir_perms;
+ allow $2 android_home_t:file relabel_file_perms;
+ allow $2 android_tools_exec_t:file relabel_file_perms;
+
+ ps_process_pattern($2, android_tools_t)
+ ps_process_pattern($2, android_java_t)
+
+ android_dbus_chat($2)
+')
+
+#
+##
+## Execute the android tools commands in the
+## android tools domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+
+interface(`android_tools_domtrans',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, android_tools_exec_t, android_tools_t)
+')
+
+#
+##
+## Send and receive messages from the android java
+## domain over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`android_dbus_chat',`
+ gen_require(`
+ type android_java_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 android_java_t:dbus send_msg;
+ allow android_java_t $1:dbus send_msg;
+')
+
diff --git a/policy/modules/contrib/android.te
b/policy/modules/contrib/android.te
new file mode 100644
index 000..59a8c3d
--- /dev/null
+++ b/policy/modules/contrib/android.te
@@ -0,0 +1,103 @@
+policy_module(android, 1.0.0)
+
+
+#
+# Declarations
+#
+
+# adb needs to be labelled with android_tools_exec_t
+type android_tools_t;
+type android_tools_exec_t; # customizable
+userdom_user_application_domain(android_tools_t, android_tools_exec_t)
+
+type android_tmp_t;
+userdom_user_tmp_file(android_tmp_t)
+
+# for X server SHM
+type android_tmpfs_t;
+userdom_user_tmpfs_file(android_tmpfs_t)
+
+type android_java_t;
+type android_java_exec_t;
+userdom_user_application_domain(android_java_t, android_java_exec_t)
+java_domain_type(android_java_t)
+
+# the android dir ~/.android/, ~/.AndroidStudio/
+
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: 66fe7729eca6c2a23b08e405811ab5a0b2255136
Author: Jason Zaman perfinion com>
AuthorDate: Mon Aug 18 09:54:23 2014 +
Commit: Jason Zaman perfinion com>
CommitDate: Sun Oct 19 15:27:37 2014 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=66fe7729
Add policy for Android tools and SDK
---
policy/modules/contrib/android.fc | 6 +++
policy/modules/contrib/android.if | 99
policy/modules/contrib/android.te | 102 ++
3 files changed, 207 insertions(+)
diff --git a/policy/modules/contrib/android.fc
b/policy/modules/contrib/android.fc
new file mode 100644
index 000..a16fc47
--- /dev/null
+++ b/policy/modules/contrib/android.fc
@@ -0,0 +1,6 @@
+HOME_DIR/\.AndroidStudio.*(/.*)?
gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.android(/.*)?
gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.gradle(/.*)?
gen_context(system_u:object_r:android_home_t,s0)
+
+/opt/android-studio/bin/studio.sh
gen_context(system_u:object_r:android_java_exec_t,s0)
+
diff --git a/policy/modules/contrib/android.if
b/policy/modules/contrib/android.if
new file mode 100644
index 000..0c52d31
--- /dev/null
+++ b/policy/modules/contrib/android.if
@@ -0,0 +1,99 @@
+## Android development tools - adb, fastboot, android studio
+
+###
+##
+## The role for using the android tools.
+##
+##
+##
+## The role associated with the user domain.
+##
+##
+##
+##
+## The user domain.
+##
+##
+#
+interface(`android_role',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ type android_home_t;
+ type android_tmp_t;
+ type android_java_t;
+ type android_java_exec_t;
+ ')
+
+ role $1 types android_tools_t;
+ role $1 types android_java_t;
+
+ domtrans_pattern($2, android_tools_exec_t, android_tools_t)
+ domtrans_pattern($2, android_java_exec_t, android_java_t)
+
+ allow $2 android_tools_t:process { ptrace signal_perms };
+ allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh
rlimitinh };
+
+ manage_dirs_pattern($2, android_home_t, android_home_t)
+ manage_files_pattern($2, android_home_t, android_home_t)
+ manage_lnk_files_pattern($2, android_home_t, android_home_t)
+
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir,
".AndroidStudioBeta")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir,
".AndroidStudio")
+
+ manage_dirs_pattern($2, android_tmp_t, android_tmp_t)
+ manage_files_pattern($2, android_tmp_t, android_tmp_t)
+
+ allow $2 android_home_t:dir relabel_dir_perms;
+ allow $2 android_home_t:file relabel_file_perms;
+ allow $2 android_tools_exec_t:file relabel_file_perms;
+
+ ps_process_pattern($2, android_tools_t)
+ ps_process_pattern($2, android_java_t)
+
+ android_dbus_chat($2)
+')
+
+#
+##
+## Execute the android tools commands in the
+## android tools domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+
+interface(`android_tools_domtrans',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, android_tools_exec_t, android_tools_t)
+')
+
+#
+##
+## Send and receive messages from the android java
+## domain over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`android_dbus_chat',`
+ gen_require(`
+ type android_java_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 android_java_t:dbus send_msg;
+ allow android_java_t $1:dbus send_msg;
+')
+
diff --git a/policy/modules/contrib/android.te
b/policy/modules/contrib/android.te
new file mode 100644
index 000..ca22c61
--- /dev/null
+++ b/policy/modules/contrib/android.te
@@ -0,0 +1,102 @@
+policy_module(android, 1.0.0)
+
+
+#
+# Declarations
+#
+
+# adb needs to be labelled with android_tools_exec_t
+type android_tools_t;
+type android_tools_exec_t; # customizable
+userdom_user_application_domain(android_tools_t, android_tools_exec_t)
+
+type android_tmp_t;
+userdom_user_tmp_file(android_tmp_t)
+
+# for X server SHM
+type android_tmpfs_t;
+userdom_user_tmpfs_file(android_tmpfs_t)
+
+type android_java_t;
+type android_java_exec_t;
+userdom_user_application_domain(android_java_t, android_java_exec_t)
+java_domain_type(android_java_t)
+
+# the android dir ~/.android/, ~/.AndroidStudio/
+
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: ccd35664121c4796eadfff4f26a2e1740b32fcad
Author: Jason Zaman perfinion com>
AuthorDate: Mon Aug 18 09:54:23 2014 +
Commit: Jason Zaman perfinion com>
CommitDate: Sun Oct 19 15:15:14 2014 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ccd35664
Add policy for Android tools and SDK
---
policy/modules/contrib/android.fc | 5 ++
policy/modules/contrib/android.if | 99
policy/modules/contrib/android.te | 102 ++
3 files changed, 206 insertions(+)
diff --git a/policy/modules/contrib/android.fc
b/policy/modules/contrib/android.fc
new file mode 100644
index 000..1214e57
--- /dev/null
+++ b/policy/modules/contrib/android.fc
@@ -0,0 +1,5 @@
+HOME_DIR/\.AndroidStudio.*(/.*)?
gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.android(/.*)?
gen_context(system_u:object_r:android_home_t,s0)
+
+/opt/android-studio/bin/studio.sh
gen_context(system_u:object_r:android_java_exec_t,s0)
+
diff --git a/policy/modules/contrib/android.if
b/policy/modules/contrib/android.if
new file mode 100644
index 000..0c52d31
--- /dev/null
+++ b/policy/modules/contrib/android.if
@@ -0,0 +1,99 @@
+## Android development tools - adb, fastboot, android studio
+
+###
+##
+## The role for using the android tools.
+##
+##
+##
+## The role associated with the user domain.
+##
+##
+##
+##
+## The user domain.
+##
+##
+#
+interface(`android_role',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ type android_home_t;
+ type android_tmp_t;
+ type android_java_t;
+ type android_java_exec_t;
+ ')
+
+ role $1 types android_tools_t;
+ role $1 types android_java_t;
+
+ domtrans_pattern($2, android_tools_exec_t, android_tools_t)
+ domtrans_pattern($2, android_java_exec_t, android_java_t)
+
+ allow $2 android_tools_t:process { ptrace signal_perms };
+ allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh
rlimitinh };
+
+ manage_dirs_pattern($2, android_home_t, android_home_t)
+ manage_files_pattern($2, android_home_t, android_home_t)
+ manage_lnk_files_pattern($2, android_home_t, android_home_t)
+
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir,
".AndroidStudioBeta")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir,
".AndroidStudio")
+
+ manage_dirs_pattern($2, android_tmp_t, android_tmp_t)
+ manage_files_pattern($2, android_tmp_t, android_tmp_t)
+
+ allow $2 android_home_t:dir relabel_dir_perms;
+ allow $2 android_home_t:file relabel_file_perms;
+ allow $2 android_tools_exec_t:file relabel_file_perms;
+
+ ps_process_pattern($2, android_tools_t)
+ ps_process_pattern($2, android_java_t)
+
+ android_dbus_chat($2)
+')
+
+#
+##
+## Execute the android tools commands in the
+## android tools domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+
+interface(`android_tools_domtrans',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, android_tools_exec_t, android_tools_t)
+')
+
+#
+##
+## Send and receive messages from the android java
+## domain over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`android_dbus_chat',`
+ gen_require(`
+ type android_java_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 android_java_t:dbus send_msg;
+ allow android_java_t $1:dbus send_msg;
+')
+
diff --git a/policy/modules/contrib/android.te
b/policy/modules/contrib/android.te
new file mode 100644
index 000..ca22c61
--- /dev/null
+++ b/policy/modules/contrib/android.te
@@ -0,0 +1,102 @@
+policy_module(android, 1.0.0)
+
+
+#
+# Declarations
+#
+
+# adb needs to be labelled with android_tools_exec_t
+type android_tools_t;
+type android_tools_exec_t; # customizable
+userdom_user_application_domain(android_tools_t, android_tools_exec_t)
+
+type android_tmp_t;
+userdom_user_tmp_file(android_tmp_t)
+
+# for X server SHM
+type android_tmpfs_t;
+userdom_user_tmpfs_file(android_tmpfs_t)
+
+type android_java_t;
+type android_java_exec_t;
+userdom_user_application_domain(android_java_t, android_java_exec_t)
+java_domain_type(android_java_t)
+
+# the android dir ~/.android/, ~/.AndroidStudio/
+# this is customizable since the sdk needs to be labelled
+type android_home_t; # customizable
+userdom_use
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: 6fb1490339e52fa260aee7f68edb0737aa519f51
Author: Jason Zaman perfinion com>
AuthorDate: Mon Aug 18 09:54:23 2014 +
Commit: Jason Zaman perfinion com>
CommitDate: Sun Oct 12 11:32:35 2014 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=6fb14903
Add policy for Android tools and SDK
---
policy/modules/contrib/android.fc | 5 ++
policy/modules/contrib/android.if | 99 +++
policy/modules/contrib/android.te | 105 ++
3 files changed, 209 insertions(+)
diff --git a/policy/modules/contrib/android.fc
b/policy/modules/contrib/android.fc
new file mode 100644
index 000..1214e57
--- /dev/null
+++ b/policy/modules/contrib/android.fc
@@ -0,0 +1,5 @@
+HOME_DIR/\.AndroidStudio.*(/.*)?
gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.android(/.*)?
gen_context(system_u:object_r:android_home_t,s0)
+
+/opt/android-studio/bin/studio.sh
gen_context(system_u:object_r:android_java_exec_t,s0)
+
diff --git a/policy/modules/contrib/android.if
b/policy/modules/contrib/android.if
new file mode 100644
index 000..0c52d31
--- /dev/null
+++ b/policy/modules/contrib/android.if
@@ -0,0 +1,99 @@
+## Android development tools - adb, fastboot, android studio
+
+###
+##
+## The role for using the android tools.
+##
+##
+##
+## The role associated with the user domain.
+##
+##
+##
+##
+## The user domain.
+##
+##
+#
+interface(`android_role',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ type android_home_t;
+ type android_tmp_t;
+ type android_java_t;
+ type android_java_exec_t;
+ ')
+
+ role $1 types android_tools_t;
+ role $1 types android_java_t;
+
+ domtrans_pattern($2, android_tools_exec_t, android_tools_t)
+ domtrans_pattern($2, android_java_exec_t, android_java_t)
+
+ allow $2 android_tools_t:process { ptrace signal_perms };
+ allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh
rlimitinh };
+
+ manage_dirs_pattern($2, android_home_t, android_home_t)
+ manage_files_pattern($2, android_home_t, android_home_t)
+ manage_lnk_files_pattern($2, android_home_t, android_home_t)
+
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir,
".AndroidStudioBeta")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir,
".AndroidStudio")
+
+ manage_dirs_pattern($2, android_tmp_t, android_tmp_t)
+ manage_files_pattern($2, android_tmp_t, android_tmp_t)
+
+ allow $2 android_home_t:dir relabel_dir_perms;
+ allow $2 android_home_t:file relabel_file_perms;
+ allow $2 android_tools_exec_t:file relabel_file_perms;
+
+ ps_process_pattern($2, android_tools_t)
+ ps_process_pattern($2, android_java_t)
+
+ android_dbus_chat($2)
+')
+
+#
+##
+## Execute the android tools commands in the
+## android tools domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+
+interface(`android_tools_domtrans',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, android_tools_exec_t, android_tools_t)
+')
+
+#
+##
+## Send and receive messages from the android java
+## domain over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`android_dbus_chat',`
+ gen_require(`
+ type android_java_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 android_java_t:dbus send_msg;
+ allow android_java_t $1:dbus send_msg;
+')
+
diff --git a/policy/modules/contrib/android.te
b/policy/modules/contrib/android.te
new file mode 100644
index 000..e98ecf8
--- /dev/null
+++ b/policy/modules/contrib/android.te
@@ -0,0 +1,105 @@
+policy_module(android, 1.0.0)
+
+
+#
+# Declarations
+#
+
+# adb needs to be labelled with android_tools_exec_t
+type android_tools_t;
+type android_tools_exec_t; # customizable
+userdom_user_application_domain(android_tools_t, android_tools_exec_t)
+
+type android_tmp_t;
+userdom_user_tmp_file(android_tmp_t)
+
+# for X server SHM
+type android_tmpfs_t;
+userdom_user_tmpfs_file(android_tmpfs_t)
+
+type android_java_t;
+type android_java_exec_t;
+userdom_user_application_domain(android_java_t, android_java_exec_t)
+java_domain_type(android_java_t)
+
+# the android dir ~/.android/, ~/.AndroidStudio/
+# this is customizable since the sdk needs to be labelled
+type android_home_t; # customizable
+userdom_user
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: b00d95d26533a2ee7ac99c90e26d7d4240ad9209 Author: Jason Zaman perfinion com> AuthorDate: Mon Aug 18 09:51:22 2014 + Commit: Jason Zaman perfinion com> CommitDate: Sun Oct 12 09:51:25 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b00d95d2 Add java_domain_type interface This interface will enable another domain to use Java without having to domtrans to java_t --- policy/modules/contrib/java.if | 34 ++ policy/modules/contrib/java.te | 3 +++ 2 files changed, 37 insertions(+) diff --git a/policy/modules/contrib/java.if b/policy/modules/contrib/java.if index acf6a63..4b5e7a7 100644 --- a/policy/modules/contrib/java.if +++ b/policy/modules/contrib/java.if @@ -327,3 +327,37 @@ template(`java_noatsecure_domtrans',` java_domtrans($1) ') + +# everything after here is gentoo-specific. ifdef's are not allowed for this unfortunately + +### +## +## The template for using java in a domain. +## +## +## +## This template creates a derived domains which are used +## for java applications. +## +## +## +## +## The type of the domain to be given java privs. +## +## +# +template(`java_domain_type',` + gen_require(` + attribute java_domain; + ') + + + # + # Policy + # + + typeattribute $1 java_domain; + + # cannot be called on the attribute, so do it now + auth_use_nsswitch($1) +') diff --git a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te index 11e996d..67af775 100644 --- a/policy/modules/contrib/java.te +++ b/policy/modules/contrib/java.te @@ -120,6 +120,9 @@ ifdef(`distro_gentoo',` manage_dirs_pattern(java_domain, java_home_t, java_home_t) manage_files_pattern(java_domain, java_home_t, java_home_t) userdom_user_home_dir_filetrans(java_domain, java_home_t, dir, ".icedtea") + + manage_lnk_files_pattern(java_domain, java_tmp_t, java_tmp_t) + files_tmp_filetrans(java_domain, java_tmp_t, lnk_file) ') tunable_policy(`allow_java_execstack',`
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: 63c4bbae315e8277a8323e88606853ad24feaa7f Author: Dominick Grift gmail com> AuthorDate: Wed Oct 1 10:35:50 2014 + Commit: Jason Zaman perfinion com> CommitDate: Sun Oct 12 08:23:16 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=63c4bbae Module version bump for changes to the networkmanager modules by Lubomir Rintel --- policy/modules/contrib/networkmanager.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te index b3deb5b..07701fd 100644 --- a/policy/modules/contrib/networkmanager.te +++ b/policy/modules/contrib/networkmanager.te @@ -1,4 +1,4 @@ -policy_module(networkmanager, 1.16.1) +policy_module(networkmanager, 1.16.2) #
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: 34865b2af29b5f3d6ef837ed6d5d3f97ab1d337d
Author: Lubomir Rintel v3 sk>
AuthorDate: Wed Oct 1 09:39:17 2014 +
Commit: Jason Zaman perfinion com>
CommitDate: Sun Oct 12 08:23:13 2014 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=34865b2a
Allow NetworkManager to create Bluetooth SDP sockets
It's going to do the the discovery for DUN service for modems with Bluez 5.
---
policy/modules/contrib/networkmanager.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/networkmanager.te
b/policy/modules/contrib/networkmanager.te
index 3f69757..b3deb5b 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -56,6 +56,7 @@ allow NetworkManager_t self:netlink_kobject_uevent_socket
create_socket_perms;
allow NetworkManager_t self:tcp_socket { accept listen };
allow NetworkManager_t self:tun_socket { create_socket_perms relabelfrom
relabelto };
allow NetworkManager_t self:packet_socket create_socket_perms;
+allow NetworkManager_t self:socket create_socket_perms;
allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto;
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: e5c495ff1bc090202eb7eb987398c7d09d74c6a6
Author: Jason Zaman perfinion com>
AuthorDate: Mon Aug 18 09:54:23 2014 +
Commit: Jason Zaman perfinion com>
CommitDate: Sun Oct 12 09:51:25 2014 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e5c495ff
Add policy for Android tools and SDK
---
policy/modules/contrib/android.fc | 5 ++
policy/modules/contrib/android.if | 99
policy/modules/contrib/android.te | 104 ++
3 files changed, 208 insertions(+)
diff --git a/policy/modules/contrib/android.fc
b/policy/modules/contrib/android.fc
new file mode 100644
index 000..1214e57
--- /dev/null
+++ b/policy/modules/contrib/android.fc
@@ -0,0 +1,5 @@
+HOME_DIR/\.AndroidStudio.*(/.*)?
gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.android(/.*)?
gen_context(system_u:object_r:android_home_t,s0)
+
+/opt/android-studio/bin/studio.sh
gen_context(system_u:object_r:android_java_exec_t,s0)
+
diff --git a/policy/modules/contrib/android.if
b/policy/modules/contrib/android.if
new file mode 100644
index 000..0c52d31
--- /dev/null
+++ b/policy/modules/contrib/android.if
@@ -0,0 +1,99 @@
+## Android development tools - adb, fastboot, android studio
+
+###
+##
+## The role for using the android tools.
+##
+##
+##
+## The role associated with the user domain.
+##
+##
+##
+##
+## The user domain.
+##
+##
+#
+interface(`android_role',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ type android_home_t;
+ type android_tmp_t;
+ type android_java_t;
+ type android_java_exec_t;
+ ')
+
+ role $1 types android_tools_t;
+ role $1 types android_java_t;
+
+ domtrans_pattern($2, android_tools_exec_t, android_tools_t)
+ domtrans_pattern($2, android_java_exec_t, android_java_t)
+
+ allow $2 android_tools_t:process { ptrace signal_perms };
+ allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh
rlimitinh };
+
+ manage_dirs_pattern($2, android_home_t, android_home_t)
+ manage_files_pattern($2, android_home_t, android_home_t)
+ manage_lnk_files_pattern($2, android_home_t, android_home_t)
+
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir,
".AndroidStudioBeta")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir,
".AndroidStudio")
+
+ manage_dirs_pattern($2, android_tmp_t, android_tmp_t)
+ manage_files_pattern($2, android_tmp_t, android_tmp_t)
+
+ allow $2 android_home_t:dir relabel_dir_perms;
+ allow $2 android_home_t:file relabel_file_perms;
+ allow $2 android_tools_exec_t:file relabel_file_perms;
+
+ ps_process_pattern($2, android_tools_t)
+ ps_process_pattern($2, android_java_t)
+
+ android_dbus_chat($2)
+')
+
+#
+##
+## Execute the android tools commands in the
+## android tools domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+
+interface(`android_tools_domtrans',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, android_tools_exec_t, android_tools_t)
+')
+
+#
+##
+## Send and receive messages from the android java
+## domain over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`android_dbus_chat',`
+ gen_require(`
+ type android_java_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 android_java_t:dbus send_msg;
+ allow android_java_t $1:dbus send_msg;
+')
+
diff --git a/policy/modules/contrib/android.te
b/policy/modules/contrib/android.te
new file mode 100644
index 000..25964e4
--- /dev/null
+++ b/policy/modules/contrib/android.te
@@ -0,0 +1,104 @@
+policy_module(android, 1.0.0)
+
+
+#
+# Declarations
+#
+
+# adb needs to be labelled with android_tools_exec_t
+type android_tools_t;
+type android_tools_exec_t; # customizable
+userdom_user_application_domain(android_tools_t, android_tools_exec_t)
+
+type android_tmp_t;
+userdom_user_tmp_file(android_tmp_t)
+
+# for X server SHM
+type android_tmpfs_t;
+userdom_user_tmpfs_file(android_tmpfs_t)
+
+type android_java_t;
+type android_java_exec_t;
+userdom_user_application_domain(android_java_t, android_java_exec_t)
+java_domain_type(android_java_t)
+android_tools_domtrans(android_java_t)
+can_exec(android_java_t, android_home_t)
+can_exec(android_java_t, android_java_exec_t)
+
+# the android dir ~/.android
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: 6ae1e2cafc642362f74bf4af6b20dc7f1314096e
Author: Jason Zaman perfinion com>
AuthorDate: Mon Aug 18 09:54:23 2014 +
Commit: Jason Zaman perfinion com>
CommitDate: Sun Oct 12 08:27:18 2014 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=6ae1e2ca
Add policy for Android tools and SDK
---
policy/modules/contrib/android.fc | 5 ++
policy/modules/contrib/android.if | 99
policy/modules/contrib/android.te | 104 ++
3 files changed, 208 insertions(+)
diff --git a/policy/modules/contrib/android.fc
b/policy/modules/contrib/android.fc
new file mode 100644
index 000..1214e57
--- /dev/null
+++ b/policy/modules/contrib/android.fc
@@ -0,0 +1,5 @@
+HOME_DIR/\.AndroidStudio.*(/.*)?
gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.android(/.*)?
gen_context(system_u:object_r:android_home_t,s0)
+
+/opt/android-studio/bin/studio.sh
gen_context(system_u:object_r:android_java_exec_t,s0)
+
diff --git a/policy/modules/contrib/android.if
b/policy/modules/contrib/android.if
new file mode 100644
index 000..0c52d31
--- /dev/null
+++ b/policy/modules/contrib/android.if
@@ -0,0 +1,99 @@
+## Android development tools - adb, fastboot, android studio
+
+###
+##
+## The role for using the android tools.
+##
+##
+##
+## The role associated with the user domain.
+##
+##
+##
+##
+## The user domain.
+##
+##
+#
+interface(`android_role',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ type android_home_t;
+ type android_tmp_t;
+ type android_java_t;
+ type android_java_exec_t;
+ ')
+
+ role $1 types android_tools_t;
+ role $1 types android_java_t;
+
+ domtrans_pattern($2, android_tools_exec_t, android_tools_t)
+ domtrans_pattern($2, android_java_exec_t, android_java_t)
+
+ allow $2 android_tools_t:process { ptrace signal_perms };
+ allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh
rlimitinh };
+
+ manage_dirs_pattern($2, android_home_t, android_home_t)
+ manage_files_pattern($2, android_home_t, android_home_t)
+ manage_lnk_files_pattern($2, android_home_t, android_home_t)
+
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir,
".AndroidStudioBeta")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir,
".AndroidStudio")
+
+ manage_dirs_pattern($2, android_tmp_t, android_tmp_t)
+ manage_files_pattern($2, android_tmp_t, android_tmp_t)
+
+ allow $2 android_home_t:dir relabel_dir_perms;
+ allow $2 android_home_t:file relabel_file_perms;
+ allow $2 android_tools_exec_t:file relabel_file_perms;
+
+ ps_process_pattern($2, android_tools_t)
+ ps_process_pattern($2, android_java_t)
+
+ android_dbus_chat($2)
+')
+
+#
+##
+## Execute the android tools commands in the
+## android tools domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+
+interface(`android_tools_domtrans',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, android_tools_exec_t, android_tools_t)
+')
+
+#
+##
+## Send and receive messages from the android java
+## domain over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`android_dbus_chat',`
+ gen_require(`
+ type android_java_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 android_java_t:dbus send_msg;
+ allow android_java_t $1:dbus send_msg;
+')
+
diff --git a/policy/modules/contrib/android.te
b/policy/modules/contrib/android.te
new file mode 100644
index 000..25964e4
--- /dev/null
+++ b/policy/modules/contrib/android.te
@@ -0,0 +1,104 @@
+policy_module(android, 1.0.0)
+
+
+#
+# Declarations
+#
+
+# adb needs to be labelled with android_tools_exec_t
+type android_tools_t;
+type android_tools_exec_t; # customizable
+userdom_user_application_domain(android_tools_t, android_tools_exec_t)
+
+type android_tmp_t;
+userdom_user_tmp_file(android_tmp_t)
+
+# for X server SHM
+type android_tmpfs_t;
+userdom_user_tmpfs_file(android_tmpfs_t)
+
+type android_java_t;
+type android_java_exec_t;
+userdom_user_application_domain(android_java_t, android_java_exec_t)
+java_domain_type(android_java_t)
+android_tools_domtrans(android_java_t)
+can_exec(android_java_t, android_home_t)
+can_exec(android_java_t, android_java_exec_t)
+
+# the android dir ~/.android
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: 20ca153806d04725fa26c33a938b3ba56dbcf4f7 Author: Jason Zaman perfinion com> AuthorDate: Mon Aug 18 09:51:22 2014 + Commit: Jason Zaman perfinion com> CommitDate: Sun Oct 12 08:27:18 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=20ca1538 Add java_domain_type interface This interface will enable another domain to use Java without having to domtrans to java_t --- policy/modules/contrib/java.if | 34 ++ policy/modules/contrib/java.te | 3 +++ 2 files changed, 37 insertions(+) diff --git a/policy/modules/contrib/java.if b/policy/modules/contrib/java.if index acf6a63..4b5e7a7 100644 --- a/policy/modules/contrib/java.if +++ b/policy/modules/contrib/java.if @@ -327,3 +327,37 @@ template(`java_noatsecure_domtrans',` java_domtrans($1) ') + +# everything after here is gentoo-specific. ifdef's are not allowed for this unfortunately + +### +## +## The template for using java in a domain. +## +## +## +## This template creates a derived domains which are used +## for java applications. +## +## +## +## +## The type of the domain to be given java privs. +## +## +# +template(`java_domain_type',` + gen_require(` + attribute java_domain; + ') + + + # + # Policy + # + + typeattribute $1 java_domain; + + # cannot be called on the attribute, so do it now + auth_use_nsswitch($1) +') diff --git a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te index 11e996d..67af775 100644 --- a/policy/modules/contrib/java.te +++ b/policy/modules/contrib/java.te @@ -120,6 +120,9 @@ ifdef(`distro_gentoo',` manage_dirs_pattern(java_domain, java_home_t, java_home_t) manage_files_pattern(java_domain, java_home_t, java_home_t) userdom_user_home_dir_filetrans(java_domain, java_home_t, dir, ".icedtea") + + manage_lnk_files_pattern(java_domain, java_tmp_t, java_tmp_t) + files_tmp_filetrans(java_domain, java_tmp_t, lnk_file) ') tunable_policy(`allow_java_execstack',`
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: 2018bcabc5f6f7f47967613162f3f38fd1ce2799
Author: Jason Zaman perfinion com>
AuthorDate: Mon Aug 18 09:54:23 2014 +
Commit: Jason Zaman perfinion com>
CommitDate: Fri Oct 10 10:04:02 2014 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=2018bcab
Add policy for Android tools and SDK
---
policy/modules/contrib/android.fc | 5 ++
policy/modules/contrib/android.if | 99
policy/modules/contrib/android.te | 104 ++
3 files changed, 208 insertions(+)
diff --git a/policy/modules/contrib/android.fc
b/policy/modules/contrib/android.fc
new file mode 100644
index 000..1214e57
--- /dev/null
+++ b/policy/modules/contrib/android.fc
@@ -0,0 +1,5 @@
+HOME_DIR/\.AndroidStudio.*(/.*)?
gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.android(/.*)?
gen_context(system_u:object_r:android_home_t,s0)
+
+/opt/android-studio/bin/studio.sh
gen_context(system_u:object_r:android_java_exec_t,s0)
+
diff --git a/policy/modules/contrib/android.if
b/policy/modules/contrib/android.if
new file mode 100644
index 000..0c52d31
--- /dev/null
+++ b/policy/modules/contrib/android.if
@@ -0,0 +1,99 @@
+## Android development tools - adb, fastboot, android studio
+
+###
+##
+## The role for using the android tools.
+##
+##
+##
+## The role associated with the user domain.
+##
+##
+##
+##
+## The user domain.
+##
+##
+#
+interface(`android_role',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ type android_home_t;
+ type android_tmp_t;
+ type android_java_t;
+ type android_java_exec_t;
+ ')
+
+ role $1 types android_tools_t;
+ role $1 types android_java_t;
+
+ domtrans_pattern($2, android_tools_exec_t, android_tools_t)
+ domtrans_pattern($2, android_java_exec_t, android_java_t)
+
+ allow $2 android_tools_t:process { ptrace signal_perms };
+ allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh
rlimitinh };
+
+ manage_dirs_pattern($2, android_home_t, android_home_t)
+ manage_files_pattern($2, android_home_t, android_home_t)
+ manage_lnk_files_pattern($2, android_home_t, android_home_t)
+
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir,
".AndroidStudioBeta")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir,
".AndroidStudio")
+
+ manage_dirs_pattern($2, android_tmp_t, android_tmp_t)
+ manage_files_pattern($2, android_tmp_t, android_tmp_t)
+
+ allow $2 android_home_t:dir relabel_dir_perms;
+ allow $2 android_home_t:file relabel_file_perms;
+ allow $2 android_tools_exec_t:file relabel_file_perms;
+
+ ps_process_pattern($2, android_tools_t)
+ ps_process_pattern($2, android_java_t)
+
+ android_dbus_chat($2)
+')
+
+#
+##
+## Execute the android tools commands in the
+## android tools domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+
+interface(`android_tools_domtrans',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, android_tools_exec_t, android_tools_t)
+')
+
+#
+##
+## Send and receive messages from the android java
+## domain over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`android_dbus_chat',`
+ gen_require(`
+ type android_java_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 android_java_t:dbus send_msg;
+ allow android_java_t $1:dbus send_msg;
+')
+
diff --git a/policy/modules/contrib/android.te
b/policy/modules/contrib/android.te
new file mode 100644
index 000..25964e4
--- /dev/null
+++ b/policy/modules/contrib/android.te
@@ -0,0 +1,104 @@
+policy_module(android, 1.0.0)
+
+
+#
+# Declarations
+#
+
+# adb needs to be labelled with android_tools_exec_t
+type android_tools_t;
+type android_tools_exec_t; # customizable
+userdom_user_application_domain(android_tools_t, android_tools_exec_t)
+
+type android_tmp_t;
+userdom_user_tmp_file(android_tmp_t)
+
+# for X server SHM
+type android_tmpfs_t;
+userdom_user_tmpfs_file(android_tmpfs_t)
+
+type android_java_t;
+type android_java_exec_t;
+userdom_user_application_domain(android_java_t, android_java_exec_t)
+java_domain_type(android_java_t)
+android_tools_domtrans(android_java_t)
+can_exec(android_java_t, android_home_t)
+can_exec(android_java_t, android_java_exec_t)
+
+# the android dir ~/.android
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: ba78686115d9ba8c64326a842eb648a9eb7bba1c
Author: Jason Zaman perfinion com>
AuthorDate: Mon Aug 18 09:54:23 2014 +
Commit: Jason Zaman perfinion com>
CommitDate: Wed Oct 8 16:40:59 2014 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ba786861
Add policy for Android tools and SDK
---
policy/modules/contrib/android.fc | 5 ++
policy/modules/contrib/android.if | 99
policy/modules/contrib/android.te | 104 ++
3 files changed, 208 insertions(+)
diff --git a/policy/modules/contrib/android.fc
b/policy/modules/contrib/android.fc
new file mode 100644
index 000..1214e57
--- /dev/null
+++ b/policy/modules/contrib/android.fc
@@ -0,0 +1,5 @@
+HOME_DIR/\.AndroidStudio.*(/.*)?
gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.android(/.*)?
gen_context(system_u:object_r:android_home_t,s0)
+
+/opt/android-studio/bin/studio.sh
gen_context(system_u:object_r:android_java_exec_t,s0)
+
diff --git a/policy/modules/contrib/android.if
b/policy/modules/contrib/android.if
new file mode 100644
index 000..0c52d31
--- /dev/null
+++ b/policy/modules/contrib/android.if
@@ -0,0 +1,99 @@
+## Android development tools - adb, fastboot, android studio
+
+###
+##
+## The role for using the android tools.
+##
+##
+##
+## The role associated with the user domain.
+##
+##
+##
+##
+## The user domain.
+##
+##
+#
+interface(`android_role',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ type android_home_t;
+ type android_tmp_t;
+ type android_java_t;
+ type android_java_exec_t;
+ ')
+
+ role $1 types android_tools_t;
+ role $1 types android_java_t;
+
+ domtrans_pattern($2, android_tools_exec_t, android_tools_t)
+ domtrans_pattern($2, android_java_exec_t, android_java_t)
+
+ allow $2 android_tools_t:process { ptrace signal_perms };
+ allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh
rlimitinh };
+
+ manage_dirs_pattern($2, android_home_t, android_home_t)
+ manage_files_pattern($2, android_home_t, android_home_t)
+ manage_lnk_files_pattern($2, android_home_t, android_home_t)
+
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir,
".AndroidStudioBeta")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir,
".AndroidStudio")
+
+ manage_dirs_pattern($2, android_tmp_t, android_tmp_t)
+ manage_files_pattern($2, android_tmp_t, android_tmp_t)
+
+ allow $2 android_home_t:dir relabel_dir_perms;
+ allow $2 android_home_t:file relabel_file_perms;
+ allow $2 android_tools_exec_t:file relabel_file_perms;
+
+ ps_process_pattern($2, android_tools_t)
+ ps_process_pattern($2, android_java_t)
+
+ android_dbus_chat($2)
+')
+
+#
+##
+## Execute the android tools commands in the
+## android tools domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+
+interface(`android_tools_domtrans',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, android_tools_exec_t, android_tools_t)
+')
+
+#
+##
+## Send and receive messages from the android java
+## domain over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`android_dbus_chat',`
+ gen_require(`
+ type android_java_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 android_java_t:dbus send_msg;
+ allow android_java_t $1:dbus send_msg;
+')
+
diff --git a/policy/modules/contrib/android.te
b/policy/modules/contrib/android.te
new file mode 100644
index 000..f759628
--- /dev/null
+++ b/policy/modules/contrib/android.te
@@ -0,0 +1,104 @@
+policy_module(android, 1.0.0)
+
+
+#
+# Declarations
+#
+
+# adb needs to be labelled with android_tools_exec_t
+type android_tools_t;
+type android_tools_exec_t; # customizable
+userdom_user_application_domain(android_tools_t, android_tools_exec_t)
+
+type android_tmp_t;
+userdom_user_tmp_file(android_tmp_t)
+
+# for X server SHM
+type android_tmpfs_t;
+userdom_user_tmpfs_file(android_tmpfs_t)
+
+type android_java_t;
+type android_java_exec_t;
+userdom_user_application_domain(android_java_t, android_java_exec_t)
+java_domain_type(android_java_t)
+android_tools_domtrans(android_java_t)
+can_exec(android_java_t, android_home_t)
+can_exec(android_java_t, android_java_exec_t)
+
+# the android dir ~/.android
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: 288f610664759a92ce2ad88ba9f4902c62812906 Author: Jason Zaman perfinion com> AuthorDate: Mon Aug 18 09:51:22 2014 + Commit: Jason Zaman perfinion com> CommitDate: Tue Oct 7 06:47:07 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=288f6106 Add java_domain_type interface This interface will enable another domain to use Java without having to domtrans to java_t --- policy/modules/contrib/java.if | 32 policy/modules/contrib/java.te | 3 +++ 2 files changed, 35 insertions(+) diff --git a/policy/modules/contrib/java.if b/policy/modules/contrib/java.if index acf6a63..7514b12 100644 --- a/policy/modules/contrib/java.if +++ b/policy/modules/contrib/java.if @@ -327,3 +327,35 @@ template(`java_noatsecure_domtrans',` java_domtrans($1) ') + +### +## +## The template for using java in a domain. +## +## +## +## This template creates a derived domains which are used +## for java applications. +## +## +## +## +## The type of the domain to be given java privs. +## +## +# +template(`java_domain_type',` + gen_require(` + attribute java_domain; + ') + + + # + # Policy + # + + typeattribute $1 java_domain; + + # cannot be called on the attribute, so do it now + auth_use_nsswitch($1) +') diff --git a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te index 11e996d..67af775 100644 --- a/policy/modules/contrib/java.te +++ b/policy/modules/contrib/java.te @@ -120,6 +120,9 @@ ifdef(`distro_gentoo',` manage_dirs_pattern(java_domain, java_home_t, java_home_t) manage_files_pattern(java_domain, java_home_t, java_home_t) userdom_user_home_dir_filetrans(java_domain, java_home_t, dir, ".icedtea") + + manage_lnk_files_pattern(java_domain, java_tmp_t, java_tmp_t) + files_tmp_filetrans(java_domain, java_tmp_t, lnk_file) ') tunable_policy(`allow_java_execstack',`
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: db50ad7bc927f63867e3d03e5ef64f5131f94e95
Author: Jason Zaman perfinion com>
AuthorDate: Mon Aug 18 09:54:23 2014 +
Commit: Jason Zaman perfinion com>
CommitDate: Tue Oct 7 06:47:20 2014 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=db50ad7b
Add policy for Android tools and SDK
---
policy/modules/contrib/android.fc | 5 ++
policy/modules/contrib/android.if | 99
policy/modules/contrib/android.te | 103 ++
3 files changed, 207 insertions(+)
diff --git a/policy/modules/contrib/android.fc
b/policy/modules/contrib/android.fc
new file mode 100644
index 000..1214e57
--- /dev/null
+++ b/policy/modules/contrib/android.fc
@@ -0,0 +1,5 @@
+HOME_DIR/\.AndroidStudio.*(/.*)?
gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.android(/.*)?
gen_context(system_u:object_r:android_home_t,s0)
+
+/opt/android-studio/bin/studio.sh
gen_context(system_u:object_r:android_java_exec_t,s0)
+
diff --git a/policy/modules/contrib/android.if
b/policy/modules/contrib/android.if
new file mode 100644
index 000..0c52d31
--- /dev/null
+++ b/policy/modules/contrib/android.if
@@ -0,0 +1,99 @@
+## Android development tools - adb, fastboot, android studio
+
+###
+##
+## The role for using the android tools.
+##
+##
+##
+## The role associated with the user domain.
+##
+##
+##
+##
+## The user domain.
+##
+##
+#
+interface(`android_role',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ type android_home_t;
+ type android_tmp_t;
+ type android_java_t;
+ type android_java_exec_t;
+ ')
+
+ role $1 types android_tools_t;
+ role $1 types android_java_t;
+
+ domtrans_pattern($2, android_tools_exec_t, android_tools_t)
+ domtrans_pattern($2, android_java_exec_t, android_java_t)
+
+ allow $2 android_tools_t:process { ptrace signal_perms };
+ allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh
rlimitinh };
+
+ manage_dirs_pattern($2, android_home_t, android_home_t)
+ manage_files_pattern($2, android_home_t, android_home_t)
+ manage_lnk_files_pattern($2, android_home_t, android_home_t)
+
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir,
".AndroidStudioBeta")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir,
".AndroidStudio")
+
+ manage_dirs_pattern($2, android_tmp_t, android_tmp_t)
+ manage_files_pattern($2, android_tmp_t, android_tmp_t)
+
+ allow $2 android_home_t:dir relabel_dir_perms;
+ allow $2 android_home_t:file relabel_file_perms;
+ allow $2 android_tools_exec_t:file relabel_file_perms;
+
+ ps_process_pattern($2, android_tools_t)
+ ps_process_pattern($2, android_java_t)
+
+ android_dbus_chat($2)
+')
+
+#
+##
+## Execute the android tools commands in the
+## android tools domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+
+interface(`android_tools_domtrans',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, android_tools_exec_t, android_tools_t)
+')
+
+#
+##
+## Send and receive messages from the android java
+## domain over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`android_dbus_chat',`
+ gen_require(`
+ type android_java_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 android_java_t:dbus send_msg;
+ allow android_java_t $1:dbus send_msg;
+')
+
diff --git a/policy/modules/contrib/android.te
b/policy/modules/contrib/android.te
new file mode 100644
index 000..e325c6f
--- /dev/null
+++ b/policy/modules/contrib/android.te
@@ -0,0 +1,103 @@
+policy_module(android, 1.0.0)
+
+
+#
+# Declarations
+#
+
+# adb needs to be labelled with android_tools_exec_t
+type android_tools_t;
+type android_tools_exec_t; # customizable
+userdom_user_application_domain(android_tools_t, android_tools_exec_t)
+
+type android_tmp_t;
+userdom_user_tmp_file(android_tmp_t)
+
+# for X server SHM
+type android_tmpfs_t;
+userdom_user_tmpfs_file(android_tmpfs_t)
+
+type android_java_t;
+type android_java_exec_t;
+userdom_user_application_domain(android_java_t, android_java_exec_t)
+java_domain_type(android_java_t)
+android_tools_domtrans(android_java_t)
+can_exec(android_java_t, android_home_t)
+can_exec(android_java_t, android_java_exec_t)
+
+# the android dir ~/.android
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: f9de5f607bee0066cf3b1ab113ffa530a17ef2d2
Author: Jason Zaman perfinion com>
AuthorDate: Mon Aug 18 09:54:23 2014 +
Commit: Jason Zaman perfinion com>
CommitDate: Thu Sep 25 10:50:21 2014 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f9de5f60
Add policy for Android tools and SDK
---
policy/modules/contrib/android.fc | 5 ++
policy/modules/contrib/android.if | 99
policy/modules/contrib/android.te | 103 ++
3 files changed, 207 insertions(+)
diff --git a/policy/modules/contrib/android.fc
b/policy/modules/contrib/android.fc
new file mode 100644
index 000..1214e57
--- /dev/null
+++ b/policy/modules/contrib/android.fc
@@ -0,0 +1,5 @@
+HOME_DIR/\.AndroidStudio.*(/.*)?
gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.android(/.*)?
gen_context(system_u:object_r:android_home_t,s0)
+
+/opt/android-studio/bin/studio.sh
gen_context(system_u:object_r:android_java_exec_t,s0)
+
diff --git a/policy/modules/contrib/android.if
b/policy/modules/contrib/android.if
new file mode 100644
index 000..0c52d31
--- /dev/null
+++ b/policy/modules/contrib/android.if
@@ -0,0 +1,99 @@
+## Android development tools - adb, fastboot, android studio
+
+###
+##
+## The role for using the android tools.
+##
+##
+##
+## The role associated with the user domain.
+##
+##
+##
+##
+## The user domain.
+##
+##
+#
+interface(`android_role',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ type android_home_t;
+ type android_tmp_t;
+ type android_java_t;
+ type android_java_exec_t;
+ ')
+
+ role $1 types android_tools_t;
+ role $1 types android_java_t;
+
+ domtrans_pattern($2, android_tools_exec_t, android_tools_t)
+ domtrans_pattern($2, android_java_exec_t, android_java_t)
+
+ allow $2 android_tools_t:process { ptrace signal_perms };
+ allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh
rlimitinh };
+
+ manage_dirs_pattern($2, android_home_t, android_home_t)
+ manage_files_pattern($2, android_home_t, android_home_t)
+ manage_lnk_files_pattern($2, android_home_t, android_home_t)
+
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir,
".AndroidStudioBeta")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir,
".AndroidStudio")
+
+ manage_dirs_pattern($2, android_tmp_t, android_tmp_t)
+ manage_files_pattern($2, android_tmp_t, android_tmp_t)
+
+ allow $2 android_home_t:dir relabel_dir_perms;
+ allow $2 android_home_t:file relabel_file_perms;
+ allow $2 android_tools_exec_t:file relabel_file_perms;
+
+ ps_process_pattern($2, android_tools_t)
+ ps_process_pattern($2, android_java_t)
+
+ android_dbus_chat($2)
+')
+
+#
+##
+## Execute the android tools commands in the
+## android tools domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+
+interface(`android_tools_domtrans',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, android_tools_exec_t, android_tools_t)
+')
+
+#
+##
+## Send and receive messages from the android java
+## domain over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`android_dbus_chat',`
+ gen_require(`
+ type android_java_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 android_java_t:dbus send_msg;
+ allow android_java_t $1:dbus send_msg;
+')
+
diff --git a/policy/modules/contrib/android.te
b/policy/modules/contrib/android.te
new file mode 100644
index 000..e325c6f
--- /dev/null
+++ b/policy/modules/contrib/android.te
@@ -0,0 +1,103 @@
+policy_module(android, 1.0.0)
+
+
+#
+# Declarations
+#
+
+# adb needs to be labelled with android_tools_exec_t
+type android_tools_t;
+type android_tools_exec_t; # customizable
+userdom_user_application_domain(android_tools_t, android_tools_exec_t)
+
+type android_tmp_t;
+userdom_user_tmp_file(android_tmp_t)
+
+# for X server SHM
+type android_tmpfs_t;
+userdom_user_tmpfs_file(android_tmpfs_t)
+
+type android_java_t;
+type android_java_exec_t;
+userdom_user_application_domain(android_java_t, android_java_exec_t)
+java_domain_type(android_java_t)
+android_tools_domtrans(android_java_t)
+can_exec(android_java_t, android_home_t)
+can_exec(android_java_t, android_java_exec_t)
+
+# the android dir ~/.android
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: 25eaa145eeaeccdc63db876a9854dee6f9254f1a Author: Jason Zaman perfinion com> AuthorDate: Mon Aug 18 09:51:22 2014 + Commit: Jason Zaman perfinion com> CommitDate: Thu Sep 25 10:50:21 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=25eaa145 Add java_domain_type interface This interface will enable another domain to use Java without having to domtrans to java_t --- policy/modules/contrib/java.if | 34 ++ policy/modules/contrib/java.te | 3 +++ 2 files changed, 37 insertions(+) diff --git a/policy/modules/contrib/java.if b/policy/modules/contrib/java.if index acf6a63..f4b9444 100644 --- a/policy/modules/contrib/java.if +++ b/policy/modules/contrib/java.if @@ -327,3 +327,37 @@ template(`java_noatsecure_domtrans',` java_domtrans($1) ') + +### +## +## The template for using java in a domain. +## +## +## +## This template creates a derived domains which are used +## for java applications. +## +## +## +## +## The type of the domain to be given java privs. +## +## +# +template(`java_domain_type',` + gen_require(` + attribute java_domain; + type java_exec_t, java_tmp_t, java_tmpfs_t; + type java_home_t; + ') + + + # + # Policy + # + + typeattribute $1 java_domain; + + # cannot be called on the attribute, so do it now + auth_use_nsswitch($1) +') diff --git a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te index 11e996d..67af775 100644 --- a/policy/modules/contrib/java.te +++ b/policy/modules/contrib/java.te @@ -120,6 +120,9 @@ ifdef(`distro_gentoo',` manage_dirs_pattern(java_domain, java_home_t, java_home_t) manage_files_pattern(java_domain, java_home_t, java_home_t) userdom_user_home_dir_filetrans(java_domain, java_home_t, dir, ".icedtea") + + manage_lnk_files_pattern(java_domain, java_tmp_t, java_tmp_t) + files_tmp_filetrans(java_domain, java_tmp_t, lnk_file) ') tunable_policy(`allow_java_execstack',`
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: 02ead44621229d7014df3051e531ae8d846ac232 Author: Jason Zaman perfinion com> AuthorDate: Mon Aug 18 09:51:22 2014 + Commit: Jason Zaman perfinion com> CommitDate: Wed Sep 3 19:37:12 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=02ead446 Add java_domain_type interface This interface will enable another domain to use Java without having to domtrans to java_t --- policy/modules/contrib/java.if | 34 ++ policy/modules/contrib/java.te | 3 +++ 2 files changed, 37 insertions(+) diff --git a/policy/modules/contrib/java.if b/policy/modules/contrib/java.if index acf6a63..f4b9444 100644 --- a/policy/modules/contrib/java.if +++ b/policy/modules/contrib/java.if @@ -327,3 +327,37 @@ template(`java_noatsecure_domtrans',` java_domtrans($1) ') + +### +## +## The template for using java in a domain. +## +## +## +## This template creates a derived domains which are used +## for java applications. +## +## +## +## +## The type of the domain to be given java privs. +## +## +# +template(`java_domain_type',` + gen_require(` + attribute java_domain; + type java_exec_t, java_tmp_t, java_tmpfs_t; + type java_home_t; + ') + + + # + # Policy + # + + typeattribute $1 java_domain; + + # cannot be called on the attribute, so do it now + auth_use_nsswitch($1) +') diff --git a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te index 11e996d..67af775 100644 --- a/policy/modules/contrib/java.te +++ b/policy/modules/contrib/java.te @@ -120,6 +120,9 @@ ifdef(`distro_gentoo',` manage_dirs_pattern(java_domain, java_home_t, java_home_t) manage_files_pattern(java_domain, java_home_t, java_home_t) userdom_user_home_dir_filetrans(java_domain, java_home_t, dir, ".icedtea") + + manage_lnk_files_pattern(java_domain, java_tmp_t, java_tmp_t) + files_tmp_filetrans(java_domain, java_tmp_t, lnk_file) ') tunable_policy(`allow_java_execstack',`
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: b26dc9c9a461a660698ae735fbac71120cae0d72
Author: Jason Zaman perfinion com>
AuthorDate: Mon Aug 18 09:54:23 2014 +
Commit: Jason Zaman perfinion com>
CommitDate: Wed Sep 3 19:37:13 2014 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b26dc9c9
Add policy for Android tools and SDK
---
policy/modules/contrib/android.fc | 5 ++
policy/modules/contrib/android.if | 99
policy/modules/contrib/android.te | 103 ++
3 files changed, 207 insertions(+)
diff --git a/policy/modules/contrib/android.fc
b/policy/modules/contrib/android.fc
new file mode 100644
index 000..1214e57
--- /dev/null
+++ b/policy/modules/contrib/android.fc
@@ -0,0 +1,5 @@
+HOME_DIR/\.AndroidStudio.*(/.*)?
gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.android(/.*)?
gen_context(system_u:object_r:android_home_t,s0)
+
+/opt/android-studio/bin/studio.sh
gen_context(system_u:object_r:android_java_exec_t,s0)
+
diff --git a/policy/modules/contrib/android.if
b/policy/modules/contrib/android.if
new file mode 100644
index 000..0c52d31
--- /dev/null
+++ b/policy/modules/contrib/android.if
@@ -0,0 +1,99 @@
+## Android development tools - adb, fastboot, android studio
+
+###
+##
+## The role for using the android tools.
+##
+##
+##
+## The role associated with the user domain.
+##
+##
+##
+##
+## The user domain.
+##
+##
+#
+interface(`android_role',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ type android_home_t;
+ type android_tmp_t;
+ type android_java_t;
+ type android_java_exec_t;
+ ')
+
+ role $1 types android_tools_t;
+ role $1 types android_java_t;
+
+ domtrans_pattern($2, android_tools_exec_t, android_tools_t)
+ domtrans_pattern($2, android_java_exec_t, android_java_t)
+
+ allow $2 android_tools_t:process { ptrace signal_perms };
+ allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh
rlimitinh };
+
+ manage_dirs_pattern($2, android_home_t, android_home_t)
+ manage_files_pattern($2, android_home_t, android_home_t)
+ manage_lnk_files_pattern($2, android_home_t, android_home_t)
+
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir,
".AndroidStudioBeta")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir,
".AndroidStudio")
+
+ manage_dirs_pattern($2, android_tmp_t, android_tmp_t)
+ manage_files_pattern($2, android_tmp_t, android_tmp_t)
+
+ allow $2 android_home_t:dir relabel_dir_perms;
+ allow $2 android_home_t:file relabel_file_perms;
+ allow $2 android_tools_exec_t:file relabel_file_perms;
+
+ ps_process_pattern($2, android_tools_t)
+ ps_process_pattern($2, android_java_t)
+
+ android_dbus_chat($2)
+')
+
+#
+##
+## Execute the android tools commands in the
+## android tools domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+
+interface(`android_tools_domtrans',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, android_tools_exec_t, android_tools_t)
+')
+
+#
+##
+## Send and receive messages from the android java
+## domain over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`android_dbus_chat',`
+ gen_require(`
+ type android_java_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 android_java_t:dbus send_msg;
+ allow android_java_t $1:dbus send_msg;
+')
+
diff --git a/policy/modules/contrib/android.te
b/policy/modules/contrib/android.te
new file mode 100644
index 000..e325c6f
--- /dev/null
+++ b/policy/modules/contrib/android.te
@@ -0,0 +1,103 @@
+policy_module(android, 1.0.0)
+
+
+#
+# Declarations
+#
+
+# adb needs to be labelled with android_tools_exec_t
+type android_tools_t;
+type android_tools_exec_t; # customizable
+userdom_user_application_domain(android_tools_t, android_tools_exec_t)
+
+type android_tmp_t;
+userdom_user_tmp_file(android_tmp_t)
+
+# for X server SHM
+type android_tmpfs_t;
+userdom_user_tmpfs_file(android_tmpfs_t)
+
+type android_java_t;
+type android_java_exec_t;
+userdom_user_application_domain(android_java_t, android_java_exec_t)
+java_domain_type(android_java_t)
+android_tools_domtrans(android_java_t)
+can_exec(android_java_t, android_home_t)
+can_exec(android_java_t, android_java_exec_t)
+
+# the android dir ~/.android
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: 7c3b3eb2053160399219e558066986b85ecc7808
Author: Jason Zaman perfinion com>
AuthorDate: Mon Aug 18 09:54:23 2014 +
Commit: Jason Zaman perfinion com>
CommitDate: Mon Sep 1 20:46:55 2014 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=7c3b3eb2
Add policy for Android tools and SDK
---
policy/modules/contrib/android.fc | 5 ++
policy/modules/contrib/android.if | 99
policy/modules/contrib/android.te | 103 ++
3 files changed, 207 insertions(+)
diff --git a/policy/modules/contrib/android.fc
b/policy/modules/contrib/android.fc
new file mode 100644
index 000..1214e57
--- /dev/null
+++ b/policy/modules/contrib/android.fc
@@ -0,0 +1,5 @@
+HOME_DIR/\.AndroidStudio.*(/.*)?
gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.android(/.*)?
gen_context(system_u:object_r:android_home_t,s0)
+
+/opt/android-studio/bin/studio.sh
gen_context(system_u:object_r:android_java_exec_t,s0)
+
diff --git a/policy/modules/contrib/android.if
b/policy/modules/contrib/android.if
new file mode 100644
index 000..0c52d31
--- /dev/null
+++ b/policy/modules/contrib/android.if
@@ -0,0 +1,99 @@
+## Android development tools - adb, fastboot, android studio
+
+###
+##
+## The role for using the android tools.
+##
+##
+##
+## The role associated with the user domain.
+##
+##
+##
+##
+## The user domain.
+##
+##
+#
+interface(`android_role',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ type android_home_t;
+ type android_tmp_t;
+ type android_java_t;
+ type android_java_exec_t;
+ ')
+
+ role $1 types android_tools_t;
+ role $1 types android_java_t;
+
+ domtrans_pattern($2, android_tools_exec_t, android_tools_t)
+ domtrans_pattern($2, android_java_exec_t, android_java_t)
+
+ allow $2 android_tools_t:process { ptrace signal_perms };
+ allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh
rlimitinh };
+
+ manage_dirs_pattern($2, android_home_t, android_home_t)
+ manage_files_pattern($2, android_home_t, android_home_t)
+ manage_lnk_files_pattern($2, android_home_t, android_home_t)
+
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir,
".AndroidStudioBeta")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir,
".AndroidStudio")
+
+ manage_dirs_pattern($2, android_tmp_t, android_tmp_t)
+ manage_files_pattern($2, android_tmp_t, android_tmp_t)
+
+ allow $2 android_home_t:dir relabel_dir_perms;
+ allow $2 android_home_t:file relabel_file_perms;
+ allow $2 android_tools_exec_t:file relabel_file_perms;
+
+ ps_process_pattern($2, android_tools_t)
+ ps_process_pattern($2, android_java_t)
+
+ android_dbus_chat($2)
+')
+
+#
+##
+## Execute the android tools commands in the
+## android tools domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+
+interface(`android_tools_domtrans',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, android_tools_exec_t, android_tools_t)
+')
+
+#
+##
+## Send and receive messages from the android java
+## domain over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`android_dbus_chat',`
+ gen_require(`
+ type android_java_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 android_java_t:dbus send_msg;
+ allow android_java_t $1:dbus send_msg;
+')
+
diff --git a/policy/modules/contrib/android.te
b/policy/modules/contrib/android.te
new file mode 100644
index 000..e325c6f
--- /dev/null
+++ b/policy/modules/contrib/android.te
@@ -0,0 +1,103 @@
+policy_module(android, 1.0.0)
+
+
+#
+# Declarations
+#
+
+# adb needs to be labelled with android_tools_exec_t
+type android_tools_t;
+type android_tools_exec_t; # customizable
+userdom_user_application_domain(android_tools_t, android_tools_exec_t)
+
+type android_tmp_t;
+userdom_user_tmp_file(android_tmp_t)
+
+# for X server SHM
+type android_tmpfs_t;
+userdom_user_tmpfs_file(android_tmpfs_t)
+
+type android_java_t;
+type android_java_exec_t;
+userdom_user_application_domain(android_java_t, android_java_exec_t)
+java_domain_type(android_java_t)
+android_tools_domtrans(android_java_t)
+can_exec(android_java_t, android_home_t)
+can_exec(android_java_t, android_java_exec_t)
+
+# the android dir ~/.android
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: a1a1bc6ddcd549872db554924c509f97c0a710d2 Author: Jason Zaman perfinion com> AuthorDate: Mon Aug 18 09:51:22 2014 + Commit: Jason Zaman perfinion com> CommitDate: Mon Sep 1 20:46:54 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=a1a1bc6d Add java_domain_type interface This interface will enable another domain to use Java without having to domtrans to java_t --- policy/modules/contrib/java.if | 34 ++ policy/modules/contrib/java.te | 3 +++ 2 files changed, 37 insertions(+) diff --git a/policy/modules/contrib/java.if b/policy/modules/contrib/java.if index acf6a63..f4b9444 100644 --- a/policy/modules/contrib/java.if +++ b/policy/modules/contrib/java.if @@ -327,3 +327,37 @@ template(`java_noatsecure_domtrans',` java_domtrans($1) ') + +### +## +## The template for using java in a domain. +## +## +## +## This template creates a derived domains which are used +## for java applications. +## +## +## +## +## The type of the domain to be given java privs. +## +## +# +template(`java_domain_type',` + gen_require(` + attribute java_domain; + type java_exec_t, java_tmp_t, java_tmpfs_t; + type java_home_t; + ') + + + # + # Policy + # + + typeattribute $1 java_domain; + + # cannot be called on the attribute, so do it now + auth_use_nsswitch($1) +') diff --git a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te index 11e996d..67af775 100644 --- a/policy/modules/contrib/java.te +++ b/policy/modules/contrib/java.te @@ -120,6 +120,9 @@ ifdef(`distro_gentoo',` manage_dirs_pattern(java_domain, java_home_t, java_home_t) manage_files_pattern(java_domain, java_home_t, java_home_t) userdom_user_home_dir_filetrans(java_domain, java_home_t, dir, ".icedtea") + + manage_lnk_files_pattern(java_domain, java_tmp_t, java_tmp_t) + files_tmp_filetrans(java_domain, java_tmp_t, lnk_file) ') tunable_policy(`allow_java_execstack',`
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: c1a2275dd401ad5c2fc58916c3e33dcdaa00deba Author: Sven Vermeulen siphos be> AuthorDate: Mon Sep 1 20:02:48 2014 + Commit: Jason Zaman perfinion com> CommitDate: Mon Sep 1 20:02:48 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=c1a2275d Courier authdaemon default socket location is in /var/lib --- policy/modules/contrib/courier.fc | 5 + 1 file changed, 5 insertions(+) diff --git a/policy/modules/contrib/courier.fc b/policy/modules/contrib/courier.fc index 2f017a0..c0f288b 100644 --- a/policy/modules/contrib/courier.fc +++ b/policy/modules/contrib/courier.fc @@ -30,3 +30,8 @@ /var/spool/authdaemon(/.*)? gen_context(system_u:object_r:courier_spool_t,s0) /var/spool/courier(/.*)? gen_context(system_u:object_r:courier_spool_t,s0) + +ifdef(`distro_gentoo',` +# Default location for authdaemon socket, should be /var/run imo but meh +/var/lib/courier/authdaemon(/.*)? gen_context(system_u:object_r:courier_var_run_t,s0) +')
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: c604f614aeae6674059c83c4e1d574a1c115e7df
Author: Sven Vermeulen siphos be>
AuthorDate: Mon Sep 1 20:07:38 2014 +
Commit: Jason Zaman perfinion com>
CommitDate: Mon Sep 1 20:07:38 2014 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=c604f614
After succesful authentication, the courier_pop_t session uses setuid/setgid to
switch to the proper user credentials to access the user mailbox
---
policy/modules/contrib/courier.te | 4
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/courier.te
b/policy/modules/contrib/courier.te
index 4fdfade..58faaf7 100644
--- a/policy/modules/contrib/courier.te
+++ b/policy/modules/contrib/courier.te
@@ -201,6 +201,10 @@ ifdef(`distro_gentoo',`
#
# Courier imap/pop daemon policy
#
+
+ # Switch after succesfull authentication
+ allow courier_pop_t self:capability { setuid setgid };
+
files_search_var_lib(courier_pop_t)
search_dirs_pattern(courier_pop_t, courier_var_lib_t, courier_var_lib_t)
read_lnk_files_pattern(courier_pop_t, courier_var_lib_t,
courier_var_lib_t)
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: e729b10da16a724809e099b2f10f2fca51b8222d Author: Sven Vermeulen siphos be> AuthorDate: Mon Sep 1 20:09:19 2014 + Commit: Jason Zaman perfinion com> CommitDate: Mon Sep 1 20:09:19 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e729b10d courier_pop_t executes script to start user session --- policy/modules/contrib/courier.te | 5 - 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/policy/modules/contrib/courier.te b/policy/modules/contrib/courier.te index 58faaf7..213a094 100644 --- a/policy/modules/contrib/courier.te +++ b/policy/modules/contrib/courier.te @@ -208,7 +208,10 @@ ifdef(`distro_gentoo',` files_search_var_lib(courier_pop_t) search_dirs_pattern(courier_pop_t, courier_var_lib_t, courier_var_lib_t) read_lnk_files_pattern(courier_pop_t, courier_var_lib_t, courier_var_lib_t) - + + # Executes script /usr/lib64/courier-imap/courier-imapd.indirect after authentication and to start user session + corecmd_exec_shell(courier_pop_t) + courier_authdaemon_rw_inherited_stream_sockets(courier_pop_t)
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: 46d6e0a6f3eeadd6a61d468f7eff459c94fd6802 Author: Sven Vermeulen siphos be> AuthorDate: Mon Sep 1 20:04:43 2014 + Commit: Jason Zaman perfinion com> CommitDate: Mon Sep 1 20:04:43 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=46d6e0a6 Courier has imap managed through courier_pop_t as well, so remove gentoo comment block for IMAP --- policy/modules/contrib/courier.te | 8 +--- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/policy/modules/contrib/courier.te b/policy/modules/contrib/courier.te index 11aad5a..4fdfade 100644 --- a/policy/modules/contrib/courier.te +++ b/policy/modules/contrib/courier.te @@ -199,13 +199,7 @@ ifdef(`distro_gentoo',` # - # Courier imap daemon policy - # - - - - # - # Courier pop daemon policy + # Courier imap/pop daemon policy # files_search_var_lib(courier_pop_t) search_dirs_pattern(courier_pop_t, courier_var_lib_t, courier_var_lib_t)
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: 32884aa76d0438d43b8dc42acfe4c17443690d69 Author: Sven Vermeulen siphos be> AuthorDate: Sun Aug 31 16:06:57 2014 + Commit: Jason Zaman perfinion com> CommitDate: Sun Aug 31 16:06:57 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=32884aa7 Courier imapd creates pid in /var/run by default --- policy/modules/contrib/courier.te | 4 1 file changed, 4 insertions(+) diff --git a/policy/modules/contrib/courier.te b/policy/modules/contrib/courier.te index 5660ef5..11aad5a 100644 --- a/policy/modules/contrib/courier.te +++ b/policy/modules/contrib/courier.te @@ -217,6 +217,10 @@ ifdef(`distro_gentoo',` # # Courier tcpd daemon policy # + + # Startup of courier-imapd creates /var/run/imapd.pid.lock and imapd.lock + files_pid_filetrans(courier_tcpd_t, courier_var_run_t, file) + courier_authdaemon_stream_connect(courier_tcpd_t) courier_domtrans_authdaemon(courier_tcpd_t) ')
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: b1e0a75ca9dd68264191b04214a4e18d4312b8fc Author: Sven Vermeulen siphos be> AuthorDate: Sun Aug 31 16:04:34 2014 + Commit: Jason Zaman perfinion com> CommitDate: Sun Aug 31 16:04:34 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b1e0a75c Move gentoo specifics downward --- policy/modules/contrib/courier.te | 53 --- 1 file changed, 33 insertions(+), 20 deletions(-) diff --git a/policy/modules/contrib/courier.te b/policy/modules/contrib/courier.te index 9bd64f5..5660ef5 100644 --- a/policy/modules/contrib/courier.te +++ b/policy/modules/contrib/courier.te @@ -116,10 +116,6 @@ miscfiles_read_localization(courier_authdaemon_t) userdom_dontaudit_search_user_home_dirs(courier_authdaemon_t) -ifdef(`distro_gentoo',` - read_lnk_files_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t) -') - # # Calendar (PCP) local policy @@ -148,14 +144,6 @@ miscfiles_read_localization(courier_pop_t) userdom_manage_user_home_content_files(courier_pop_t) userdom_manage_user_home_content_dirs(courier_pop_t) -ifdef(`distro_gentoo',` - files_search_var_lib(courier_pop_t) - search_dirs_pattern(courier_pop_t, courier_var_lib_t, courier_var_lib_t) - read_lnk_files_pattern(courier_pop_t, courier_var_lib_t, courier_var_lib_t) - - courier_authdaemon_rw_inherited_stream_sockets(courier_pop_t) -') - # # TCPd local policy @@ -186,11 +174,6 @@ dev_read_urand(courier_tcpd_t) miscfiles_read_localization(courier_tcpd_t) -ifdef(`distro_gentoo',` - courier_authdaemon_stream_connect(courier_tcpd_t) - courier_domtrans_authdaemon(courier_tcpd_t) -') - # # Webmail local policy @@ -198,12 +181,42 @@ ifdef(`distro_gentoo',` kernel_read_kernel_sysctls(courier_sqwebmail_t) +optional_policy(` + cron_system_entry(courier_sqwebmail_t, courier_sqwebmail_exec_t) +') + ifdef(`distro_gentoo',` + + + # + # Courier authdaemon policy + # + read_lnk_files_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t) + optional_policy(` mysql_stream_connect(courier_authdaemon_t) ') -') -optional_policy(` - cron_system_entry(courier_sqwebmail_t, courier_sqwebmail_exec_t) + + # + # Courier imap daemon policy + # + + + + # + # Courier pop daemon policy + # + files_search_var_lib(courier_pop_t) + search_dirs_pattern(courier_pop_t, courier_var_lib_t, courier_var_lib_t) + read_lnk_files_pattern(courier_pop_t, courier_var_lib_t, courier_var_lib_t) + + courier_authdaemon_rw_inherited_stream_sockets(courier_pop_t) + + + # + # Courier tcpd daemon policy + # + courier_authdaemon_stream_connect(courier_tcpd_t) + courier_domtrans_authdaemon(courier_tcpd_t) ')
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: 02fa620d3ded0f4b2eeca78cb7c6bb13542c19af
Author: Sven Vermeulen siphos be>
AuthorDate: Sat Aug 30 20:15:48 2014 +
Commit: Jason Zaman perfinion com>
CommitDate: Sat Aug 30 20:15:48 2014 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=02fa620d
Updates on salt policy - interaction with postfix
---
policy/modules/contrib/salt.te | 11 ++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te
index 180305f..279edfb 100644
--- a/policy/modules/contrib/salt.te
+++ b/policy/modules/contrib/salt.te
@@ -200,7 +200,7 @@ tunable_policy(`salt_master_read_nfs',`
allow salt_minion_t self:capability { fsetid chown net_admin sys_admin
sys_tty_config };
allow salt_minion_t self:capability2 block_suspend;
-allow salt_minion_t self:process { signull };
+allow salt_minion_t self:process { signal signull };
allow salt_minion_t self:tcp_socket create_stream_socket_perms;
allow salt_minion_t self:udp_socket create_socket_perms;
allow salt_minion_t self:unix_dgram_socket create_socket_perms;
@@ -277,8 +277,12 @@ fs_getattr_all_fs(salt_minion_t)
getty_use_fds(salt_minion_t)
+init_exec_rc(salt_minion_t)
+
miscfiles_read_localization(salt_minion_t)
+seutil_domtrans_setfiles(salt_minion_t)
+
sysnet_exec_ifconfig(salt_minion_t)
sysnet_read_config(salt_minion_t)
@@ -298,6 +302,11 @@ optional_policy(`
')
optional_policy(`
+ postfix_domtrans_master(salt_minion_t)
+ postfix_run_map(salt_minion_t, salt_minion_roles)
+')
+
+optional_policy(`
shutdown_domtrans(salt_minion_t)
')
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: 8965c4d3d3a84629546c3c36e9841cd2f80e2b09 Author: Jason Zaman perfinion com> AuthorDate: Mon Aug 18 09:51:22 2014 + Commit: Jason Zaman perfinion com> CommitDate: Sun Aug 31 20:49:57 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=8965c4d3 Add java_domain_type interface This interface will enable another domain to use Java without having to domtrans to java_t --- policy/modules/contrib/java.if | 34 ++ policy/modules/contrib/java.te | 3 +++ 2 files changed, 37 insertions(+) diff --git a/policy/modules/contrib/java.if b/policy/modules/contrib/java.if index acf6a63..f4b9444 100644 --- a/policy/modules/contrib/java.if +++ b/policy/modules/contrib/java.if @@ -327,3 +327,37 @@ template(`java_noatsecure_domtrans',` java_domtrans($1) ') + +### +## +## The template for using java in a domain. +## +## +## +## This template creates a derived domains which are used +## for java applications. +## +## +## +## +## The type of the domain to be given java privs. +## +## +# +template(`java_domain_type',` + gen_require(` + attribute java_domain; + type java_exec_t, java_tmp_t, java_tmpfs_t; + type java_home_t; + ') + + + # + # Policy + # + + typeattribute $1 java_domain; + + # cannot be called on the attribute, so do it now + auth_use_nsswitch($1) +') diff --git a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te index 11e996d..67af775 100644 --- a/policy/modules/contrib/java.te +++ b/policy/modules/contrib/java.te @@ -120,6 +120,9 @@ ifdef(`distro_gentoo',` manage_dirs_pattern(java_domain, java_home_t, java_home_t) manage_files_pattern(java_domain, java_home_t, java_home_t) userdom_user_home_dir_filetrans(java_domain, java_home_t, dir, ".icedtea") + + manage_lnk_files_pattern(java_domain, java_tmp_t, java_tmp_t) + files_tmp_filetrans(java_domain, java_tmp_t, lnk_file) ') tunable_policy(`allow_java_execstack',`
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: 681df9189b527624d63cda4e49dc8b9359f2fa87 Author: Sven Vermeulen siphos be> AuthorDate: Fri Aug 29 19:03:29 2014 + Commit: Jason Zaman perfinion com> CommitDate: Fri Aug 29 19:03:29 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=681df918 Allow salt minions to shut down the system --- policy/modules/contrib/salt.te | 4 1 file changed, 4 insertions(+) diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te index b8cc1a4..180305f 100644 --- a/policy/modules/contrib/salt.te +++ b/policy/modules/contrib/salt.te @@ -298,6 +298,10 @@ optional_policy(` ') optional_policy(` + shutdown_domtrans(salt_minion_t) +') + +optional_policy(` usermanage_run_groupadd(salt_minion_t, salt_minion_roles) usermanage_run_passwd(salt_minion_t, salt_minion_roles) usermanage_run_useradd(salt_minion_t, salt_minion_roles)
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: 23b20f13777898a3321e4f6dd9935a38efd00181
Author: Jason Zaman perfinion com>
AuthorDate: Mon Aug 18 09:54:23 2014 +
Commit: Jason Zaman perfinion com>
CommitDate: Sun Aug 31 20:49:57 2014 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=23b20f13
Add policy for Android tools and SDK
---
policy/modules/contrib/android.fc | 5 ++
policy/modules/contrib/android.if | 99
policy/modules/contrib/android.te | 103 ++
3 files changed, 207 insertions(+)
diff --git a/policy/modules/contrib/android.fc
b/policy/modules/contrib/android.fc
new file mode 100644
index 000..1214e57
--- /dev/null
+++ b/policy/modules/contrib/android.fc
@@ -0,0 +1,5 @@
+HOME_DIR/\.AndroidStudio.*(/.*)?
gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.android(/.*)?
gen_context(system_u:object_r:android_home_t,s0)
+
+/opt/android-studio/bin/studio.sh
gen_context(system_u:object_r:android_java_exec_t,s0)
+
diff --git a/policy/modules/contrib/android.if
b/policy/modules/contrib/android.if
new file mode 100644
index 000..0c52d31
--- /dev/null
+++ b/policy/modules/contrib/android.if
@@ -0,0 +1,99 @@
+## Android development tools - adb, fastboot, android studio
+
+###
+##
+## The role for using the android tools.
+##
+##
+##
+## The role associated with the user domain.
+##
+##
+##
+##
+## The user domain.
+##
+##
+#
+interface(`android_role',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ type android_home_t;
+ type android_tmp_t;
+ type android_java_t;
+ type android_java_exec_t;
+ ')
+
+ role $1 types android_tools_t;
+ role $1 types android_java_t;
+
+ domtrans_pattern($2, android_tools_exec_t, android_tools_t)
+ domtrans_pattern($2, android_java_exec_t, android_java_t)
+
+ allow $2 android_tools_t:process { ptrace signal_perms };
+ allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh
rlimitinh };
+
+ manage_dirs_pattern($2, android_home_t, android_home_t)
+ manage_files_pattern($2, android_home_t, android_home_t)
+ manage_lnk_files_pattern($2, android_home_t, android_home_t)
+
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir,
".AndroidStudioBeta")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir,
".AndroidStudio")
+
+ manage_dirs_pattern($2, android_tmp_t, android_tmp_t)
+ manage_files_pattern($2, android_tmp_t, android_tmp_t)
+
+ allow $2 android_home_t:dir relabel_dir_perms;
+ allow $2 android_home_t:file relabel_file_perms;
+ allow $2 android_tools_exec_t:file relabel_file_perms;
+
+ ps_process_pattern($2, android_tools_t)
+ ps_process_pattern($2, android_java_t)
+
+ android_dbus_chat($2)
+')
+
+#
+##
+## Execute the android tools commands in the
+## android tools domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+
+interface(`android_tools_domtrans',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, android_tools_exec_t, android_tools_t)
+')
+
+#
+##
+## Send and receive messages from the android java
+## domain over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`android_dbus_chat',`
+ gen_require(`
+ type android_java_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 android_java_t:dbus send_msg;
+ allow android_java_t $1:dbus send_msg;
+')
+
diff --git a/policy/modules/contrib/android.te
b/policy/modules/contrib/android.te
new file mode 100644
index 000..e325c6f
--- /dev/null
+++ b/policy/modules/contrib/android.te
@@ -0,0 +1,103 @@
+policy_module(android, 1.0.0)
+
+
+#
+# Declarations
+#
+
+# adb needs to be labelled with android_tools_exec_t
+type android_tools_t;
+type android_tools_exec_t; # customizable
+userdom_user_application_domain(android_tools_t, android_tools_exec_t)
+
+type android_tmp_t;
+userdom_user_tmp_file(android_tmp_t)
+
+# for X server SHM
+type android_tmpfs_t;
+userdom_user_tmpfs_file(android_tmpfs_t)
+
+type android_java_t;
+type android_java_exec_t;
+userdom_user_application_domain(android_java_t, android_java_exec_t)
+java_domain_type(android_java_t)
+android_tools_domtrans(android_java_t)
+can_exec(android_java_t, android_home_t)
+can_exec(android_java_t, android_java_exec_t)
+
+# the android dir ~/.android
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: aa318c0ec7e586ed427bb60e1ce5eb9d59b33717 Author: Sven Vermeulen siphos be> AuthorDate: Tue Aug 26 15:26:24 2014 + Commit: Jason Zaman perfinion com> CommitDate: Tue Aug 26 15:26:24 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=aa318c0e Add read privs to system_dbusd_var_lib_t files for system dbus clients --- policy/modules/contrib/dbus.if | 5 + 1 file changed, 5 insertions(+) diff --git a/policy/modules/contrib/dbus.if b/policy/modules/contrib/dbus.if index 21e8b5c..077dabc 100644 --- a/policy/modules/contrib/dbus.if +++ b/policy/modules/contrib/dbus.if @@ -126,6 +126,11 @@ interface(`dbus_system_bus_client',` stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t) dbus_read_config($1) + + ifdef(`distro_gentoo',` + # The /var/lib/dbus/machine-id file is a link to /etc/machine-id + read_lnk_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) + ') ') ###
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: 219313802b9f87e6de804e217aca737973a13d81 Author: Jason Zaman perfinion com> AuthorDate: Mon Aug 18 09:51:22 2014 + Commit: Jason Zaman perfinion com> CommitDate: Tue Aug 26 19:36:25 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=21931380 Add java_domain_type interface This interface will enable another domain to use Java without having to domtrans to java_t --- policy/modules/contrib/java.if | 34 ++ policy/modules/contrib/java.te | 3 +++ 2 files changed, 37 insertions(+) diff --git a/policy/modules/contrib/java.if b/policy/modules/contrib/java.if index acf6a63..f4b9444 100644 --- a/policy/modules/contrib/java.if +++ b/policy/modules/contrib/java.if @@ -327,3 +327,37 @@ template(`java_noatsecure_domtrans',` java_domtrans($1) ') + +### +## +## The template for using java in a domain. +## +## +## +## This template creates a derived domains which are used +## for java applications. +## +## +## +## +## The type of the domain to be given java privs. +## +## +# +template(`java_domain_type',` + gen_require(` + attribute java_domain; + type java_exec_t, java_tmp_t, java_tmpfs_t; + type java_home_t; + ') + + + # + # Policy + # + + typeattribute $1 java_domain; + + # cannot be called on the attribute, so do it now + auth_use_nsswitch($1) +') diff --git a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te index 11e996d..67af775 100644 --- a/policy/modules/contrib/java.te +++ b/policy/modules/contrib/java.te @@ -120,6 +120,9 @@ ifdef(`distro_gentoo',` manage_dirs_pattern(java_domain, java_home_t, java_home_t) manage_files_pattern(java_domain, java_home_t, java_home_t) userdom_user_home_dir_filetrans(java_domain, java_home_t, dir, ".icedtea") + + manage_lnk_files_pattern(java_domain, java_tmp_t, java_tmp_t) + files_tmp_filetrans(java_domain, java_tmp_t, lnk_file) ') tunable_policy(`allow_java_execstack',`
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: 2832c52a6650c4adbe3a38a5ae35fd48df97a6f2
Author: Jason Zaman perfinion com>
AuthorDate: Mon Aug 18 09:54:23 2014 +
Commit: Jason Zaman perfinion com>
CommitDate: Tue Aug 26 19:36:25 2014 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=2832c52a
Add policy for Android tools and SDK
---
policy/modules/contrib/android.fc | 5 ++
policy/modules/contrib/android.if | 99
policy/modules/contrib/android.te | 103 ++
3 files changed, 207 insertions(+)
diff --git a/policy/modules/contrib/android.fc
b/policy/modules/contrib/android.fc
new file mode 100644
index 000..1214e57
--- /dev/null
+++ b/policy/modules/contrib/android.fc
@@ -0,0 +1,5 @@
+HOME_DIR/\.AndroidStudio.*(/.*)?
gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.android(/.*)?
gen_context(system_u:object_r:android_home_t,s0)
+
+/opt/android-studio/bin/studio.sh
gen_context(system_u:object_r:android_java_exec_t,s0)
+
diff --git a/policy/modules/contrib/android.if
b/policy/modules/contrib/android.if
new file mode 100644
index 000..0c52d31
--- /dev/null
+++ b/policy/modules/contrib/android.if
@@ -0,0 +1,99 @@
+## Android development tools - adb, fastboot, android studio
+
+###
+##
+## The role for using the android tools.
+##
+##
+##
+## The role associated with the user domain.
+##
+##
+##
+##
+## The user domain.
+##
+##
+#
+interface(`android_role',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ type android_home_t;
+ type android_tmp_t;
+ type android_java_t;
+ type android_java_exec_t;
+ ')
+
+ role $1 types android_tools_t;
+ role $1 types android_java_t;
+
+ domtrans_pattern($2, android_tools_exec_t, android_tools_t)
+ domtrans_pattern($2, android_java_exec_t, android_java_t)
+
+ allow $2 android_tools_t:process { ptrace signal_perms };
+ allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh
rlimitinh };
+
+ manage_dirs_pattern($2, android_home_t, android_home_t)
+ manage_files_pattern($2, android_home_t, android_home_t)
+ manage_lnk_files_pattern($2, android_home_t, android_home_t)
+
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir,
".AndroidStudioBeta")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir,
".AndroidStudio")
+
+ manage_dirs_pattern($2, android_tmp_t, android_tmp_t)
+ manage_files_pattern($2, android_tmp_t, android_tmp_t)
+
+ allow $2 android_home_t:dir relabel_dir_perms;
+ allow $2 android_home_t:file relabel_file_perms;
+ allow $2 android_tools_exec_t:file relabel_file_perms;
+
+ ps_process_pattern($2, android_tools_t)
+ ps_process_pattern($2, android_java_t)
+
+ android_dbus_chat($2)
+')
+
+#
+##
+## Execute the android tools commands in the
+## android tools domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+
+interface(`android_tools_domtrans',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, android_tools_exec_t, android_tools_t)
+')
+
+#
+##
+## Send and receive messages from the android java
+## domain over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`android_dbus_chat',`
+ gen_require(`
+ type android_java_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 android_java_t:dbus send_msg;
+ allow android_java_t $1:dbus send_msg;
+')
+
diff --git a/policy/modules/contrib/android.te
b/policy/modules/contrib/android.te
new file mode 100644
index 000..e325c6f
--- /dev/null
+++ b/policy/modules/contrib/android.te
@@ -0,0 +1,103 @@
+policy_module(android, 1.0.0)
+
+
+#
+# Declarations
+#
+
+# adb needs to be labelled with android_tools_exec_t
+type android_tools_t;
+type android_tools_exec_t; # customizable
+userdom_user_application_domain(android_tools_t, android_tools_exec_t)
+
+type android_tmp_t;
+userdom_user_tmp_file(android_tmp_t)
+
+# for X server SHM
+type android_tmpfs_t;
+userdom_user_tmpfs_file(android_tmpfs_t)
+
+type android_java_t;
+type android_java_exec_t;
+userdom_user_application_domain(android_java_t, android_java_exec_t)
+java_domain_type(android_java_t)
+android_tools_domtrans(android_java_t)
+can_exec(android_java_t, android_home_t)
+can_exec(android_java_t, android_java_exec_t)
+
+# the android dir ~/.android
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: 3d46c99b1f404344a6f5c3bdc7419389a650f6d0 Author: Chris PeBenito tresys com> AuthorDate: Tue Aug 26 13:35:26 2014 + Commit: Jason Zaman perfinion com> CommitDate: Tue Aug 26 14:54:27 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=3d46c99b Module version bump for NetworkManager fc fix for ArchLinux from Nicolas Iooss. --- policy/modules/contrib/networkmanager.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te index f70479a..3f69757 100644 --- a/policy/modules/contrib/networkmanager.te +++ b/policy/modules/contrib/networkmanager.te @@ -1,4 +1,4 @@ -policy_module(networkmanager, 1.16.0) +policy_module(networkmanager, 1.16.1) #
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: 88f3dbf5838fe740099039c3dd29428442d14d43 Author: Nicolas Iooss m4x org> AuthorDate: Sat Aug 23 11:41:10 2014 + Commit: Jason Zaman perfinion com> CommitDate: Tue Aug 26 14:54:24 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=88f3dbf5 Label /usr/lib/networkmanager/ like /usr/lib/NetworkManager/ On ArchLinux the directory name of Network Manager in /usr/lib is written in lowercase but not the files in /usr/bin, /var/lib, etc. --- policy/modules/contrib/networkmanager.fc | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/contrib/networkmanager.fc b/policy/modules/contrib/networkmanager.fc index 7b80c1e..bbf3bba 100644 --- a/policy/modules/contrib/networkmanager.fc +++ b/policy/modules/contrib/networkmanager.fc @@ -14,6 +14,7 @@ /etc/wicd/wired-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0) /usr/lib/NetworkManager/nm-dispatcher\.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) +/usr/lib/networkmanager/nm-dispatcher\.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) /usr/libexec/nm-dispatcher\.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) /sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: 8872be65d073445f6bf62fe2ac1715049f851170
Author: Sven Vermeulen siphos be>
AuthorDate: Fri Aug 22 17:54:41 2014 +
Commit: Jason Zaman perfinion com>
CommitDate: Fri Aug 22 17:54:41 2014 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=8872be65
Allow admins to interact with vde through vdeterm application (using vde socket)
---
policy/modules/contrib/vde.if | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/vde.if b/policy/modules/contrib/vde.if
index af85ea3..4a9c208 100644
--- a/policy/modules/contrib/vde.if
+++ b/policy/modules/contrib/vde.if
@@ -26,6 +26,7 @@ interface(`vde_role',`
role $1 types vde_t;
allow $2 vde_t:process { ptrace signal_perms };
+ allow $2 vde_t:unix_stream_socket connectto;
allow vde_t $2:process { sigchld signull };
allow vde_t $2:fd use;
allow vde_t $2:tun_socket { relabelfrom };
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: 83085bef6b58a33055ed677dd25bef550a168fca
Author: Jason Zaman perfinion com>
AuthorDate: Mon Aug 18 09:54:23 2014 +
Commit: Jason Zaman perfinion com>
CommitDate: Mon Aug 25 17:15:32 2014 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=83085bef
Add policy for Android tools and SDK
---
policy/modules/contrib/android.fc | 5 ++
policy/modules/contrib/android.if | 99
policy/modules/contrib/android.te | 103 ++
3 files changed, 207 insertions(+)
diff --git a/policy/modules/contrib/android.fc
b/policy/modules/contrib/android.fc
new file mode 100644
index 000..1214e57
--- /dev/null
+++ b/policy/modules/contrib/android.fc
@@ -0,0 +1,5 @@
+HOME_DIR/\.AndroidStudio.*(/.*)?
gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.android(/.*)?
gen_context(system_u:object_r:android_home_t,s0)
+
+/opt/android-studio/bin/studio.sh
gen_context(system_u:object_r:android_java_exec_t,s0)
+
diff --git a/policy/modules/contrib/android.if
b/policy/modules/contrib/android.if
new file mode 100644
index 000..0c52d31
--- /dev/null
+++ b/policy/modules/contrib/android.if
@@ -0,0 +1,99 @@
+## Android development tools - adb, fastboot, android studio
+
+###
+##
+## The role for using the android tools.
+##
+##
+##
+## The role associated with the user domain.
+##
+##
+##
+##
+## The user domain.
+##
+##
+#
+interface(`android_role',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ type android_home_t;
+ type android_tmp_t;
+ type android_java_t;
+ type android_java_exec_t;
+ ')
+
+ role $1 types android_tools_t;
+ role $1 types android_java_t;
+
+ domtrans_pattern($2, android_tools_exec_t, android_tools_t)
+ domtrans_pattern($2, android_java_exec_t, android_java_t)
+
+ allow $2 android_tools_t:process { ptrace signal_perms };
+ allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh
rlimitinh };
+
+ manage_dirs_pattern($2, android_home_t, android_home_t)
+ manage_files_pattern($2, android_home_t, android_home_t)
+ manage_lnk_files_pattern($2, android_home_t, android_home_t)
+
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir,
".AndroidStudioBeta")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir,
".AndroidStudio")
+
+ manage_dirs_pattern($2, android_tmp_t, android_tmp_t)
+ manage_files_pattern($2, android_tmp_t, android_tmp_t)
+
+ allow $2 android_home_t:dir relabel_dir_perms;
+ allow $2 android_home_t:file relabel_file_perms;
+ allow $2 android_tools_exec_t:file relabel_file_perms;
+
+ ps_process_pattern($2, android_tools_t)
+ ps_process_pattern($2, android_java_t)
+
+ android_dbus_chat($2)
+')
+
+#
+##
+## Execute the android tools commands in the
+## android tools domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+
+interface(`android_tools_domtrans',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, android_tools_exec_t, android_tools_t)
+')
+
+#
+##
+## Send and receive messages from the android java
+## domain over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`android_dbus_chat',`
+ gen_require(`
+ type android_java_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 android_java_t:dbus send_msg;
+ allow android_java_t $1:dbus send_msg;
+')
+
diff --git a/policy/modules/contrib/android.te
b/policy/modules/contrib/android.te
new file mode 100644
index 000..e325c6f
--- /dev/null
+++ b/policy/modules/contrib/android.te
@@ -0,0 +1,103 @@
+policy_module(android, 1.0.0)
+
+
+#
+# Declarations
+#
+
+# adb needs to be labelled with android_tools_exec_t
+type android_tools_t;
+type android_tools_exec_t; # customizable
+userdom_user_application_domain(android_tools_t, android_tools_exec_t)
+
+type android_tmp_t;
+userdom_user_tmp_file(android_tmp_t)
+
+# for X server SHM
+type android_tmpfs_t;
+userdom_user_tmpfs_file(android_tmpfs_t)
+
+type android_java_t;
+type android_java_exec_t;
+userdom_user_application_domain(android_java_t, android_java_exec_t)
+java_domain_type(android_java_t)
+android_tools_domtrans(android_java_t)
+can_exec(android_java_t, android_home_t)
+can_exec(android_java_t, android_java_exec_t)
+
+# the android dir ~/.android
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: 6ab581cd2f35bd605f0082c51f5db94c4ba06b20 Author: Jason Zaman perfinion com> AuthorDate: Mon Aug 18 09:51:22 2014 + Commit: Jason Zaman perfinion com> CommitDate: Mon Aug 25 17:15:32 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=6ab581cd Add java_domain_type interface This interface will enable another domain to use Java without having to domtrans to java_t --- policy/modules/contrib/java.if | 34 ++ policy/modules/contrib/java.te | 3 +++ 2 files changed, 37 insertions(+) diff --git a/policy/modules/contrib/java.if b/policy/modules/contrib/java.if index acf6a63..f4b9444 100644 --- a/policy/modules/contrib/java.if +++ b/policy/modules/contrib/java.if @@ -327,3 +327,37 @@ template(`java_noatsecure_domtrans',` java_domtrans($1) ') + +### +## +## The template for using java in a domain. +## +## +## +## This template creates a derived domains which are used +## for java applications. +## +## +## +## +## The type of the domain to be given java privs. +## +## +# +template(`java_domain_type',` + gen_require(` + attribute java_domain; + type java_exec_t, java_tmp_t, java_tmpfs_t; + type java_home_t; + ') + + + # + # Policy + # + + typeattribute $1 java_domain; + + # cannot be called on the attribute, so do it now + auth_use_nsswitch($1) +') diff --git a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te index 11e996d..67af775 100644 --- a/policy/modules/contrib/java.te +++ b/policy/modules/contrib/java.te @@ -120,6 +120,9 @@ ifdef(`distro_gentoo',` manage_dirs_pattern(java_domain, java_home_t, java_home_t) manage_files_pattern(java_domain, java_home_t, java_home_t) userdom_user_home_dir_filetrans(java_domain, java_home_t, dir, ".icedtea") + + manage_lnk_files_pattern(java_domain, java_tmp_t, java_tmp_t) + files_tmp_filetrans(java_domain, java_tmp_t, lnk_file) ') tunable_policy(`allow_java_execstack',`
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: 6a025c94f5795d176f4f961fb9a84a43957159ac
Author: Jason Zaman perfinion com>
AuthorDate: Mon Aug 18 09:54:23 2014 +
Commit: Jason Zaman perfinion com>
CommitDate: Fri Aug 22 13:14:52 2014 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=6a025c94
Add policy for Android tools and SDK
---
policy/modules/contrib/android.fc | 5 ++
policy/modules/contrib/android.if | 99
policy/modules/contrib/android.te | 103 ++
3 files changed, 207 insertions(+)
diff --git a/policy/modules/contrib/android.fc
b/policy/modules/contrib/android.fc
new file mode 100644
index 000..1214e57
--- /dev/null
+++ b/policy/modules/contrib/android.fc
@@ -0,0 +1,5 @@
+HOME_DIR/\.AndroidStudio.*(/.*)?
gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.android(/.*)?
gen_context(system_u:object_r:android_home_t,s0)
+
+/opt/android-studio/bin/studio.sh
gen_context(system_u:object_r:android_java_exec_t,s0)
+
diff --git a/policy/modules/contrib/android.if
b/policy/modules/contrib/android.if
new file mode 100644
index 000..0c52d31
--- /dev/null
+++ b/policy/modules/contrib/android.if
@@ -0,0 +1,99 @@
+## Android development tools - adb, fastboot, android studio
+
+###
+##
+## The role for using the android tools.
+##
+##
+##
+## The role associated with the user domain.
+##
+##
+##
+##
+## The user domain.
+##
+##
+#
+interface(`android_role',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ type android_home_t;
+ type android_tmp_t;
+ type android_java_t;
+ type android_java_exec_t;
+ ')
+
+ role $1 types android_tools_t;
+ role $1 types android_java_t;
+
+ domtrans_pattern($2, android_tools_exec_t, android_tools_t)
+ domtrans_pattern($2, android_java_exec_t, android_java_t)
+
+ allow $2 android_tools_t:process { ptrace signal_perms };
+ allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh
rlimitinh };
+
+ manage_dirs_pattern($2, android_home_t, android_home_t)
+ manage_files_pattern($2, android_home_t, android_home_t)
+ manage_lnk_files_pattern($2, android_home_t, android_home_t)
+
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir,
".AndroidStudioBeta")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir,
".AndroidStudio")
+
+ manage_dirs_pattern($2, android_tmp_t, android_tmp_t)
+ manage_files_pattern($2, android_tmp_t, android_tmp_t)
+
+ allow $2 android_home_t:dir relabel_dir_perms;
+ allow $2 android_home_t:file relabel_file_perms;
+ allow $2 android_tools_exec_t:file relabel_file_perms;
+
+ ps_process_pattern($2, android_tools_t)
+ ps_process_pattern($2, android_java_t)
+
+ android_dbus_chat($2)
+')
+
+#
+##
+## Execute the android tools commands in the
+## android tools domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+
+interface(`android_tools_domtrans',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, android_tools_exec_t, android_tools_t)
+')
+
+#
+##
+## Send and receive messages from the android java
+## domain over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`android_dbus_chat',`
+ gen_require(`
+ type android_java_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 android_java_t:dbus send_msg;
+ allow android_java_t $1:dbus send_msg;
+')
+
diff --git a/policy/modules/contrib/android.te
b/policy/modules/contrib/android.te
new file mode 100644
index 000..e325c6f
--- /dev/null
+++ b/policy/modules/contrib/android.te
@@ -0,0 +1,103 @@
+policy_module(android, 1.0.0)
+
+
+#
+# Declarations
+#
+
+# adb needs to be labelled with android_tools_exec_t
+type android_tools_t;
+type android_tools_exec_t; # customizable
+userdom_user_application_domain(android_tools_t, android_tools_exec_t)
+
+type android_tmp_t;
+userdom_user_tmp_file(android_tmp_t)
+
+# for X server SHM
+type android_tmpfs_t;
+userdom_user_tmpfs_file(android_tmpfs_t)
+
+type android_java_t;
+type android_java_exec_t;
+userdom_user_application_domain(android_java_t, android_java_exec_t)
+java_domain_type(android_java_t)
+android_tools_domtrans(android_java_t)
+can_exec(android_java_t, android_home_t)
+can_exec(android_java_t, android_java_exec_t)
+
+# the android dir ~/.android
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: f1962bb74f077a48c5d89233d75adeab29155a16 Author: Jason Zaman perfinion com> AuthorDate: Mon Aug 18 09:51:22 2014 + Commit: Jason Zaman perfinion com> CommitDate: Thu Aug 21 20:29:24 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f1962bb7 Add java_domain_type interface This interface will enable another domain to use Java without having to domtrans to java_t --- policy/modules/contrib/java.if | 34 ++ policy/modules/contrib/java.te | 3 +++ 2 files changed, 37 insertions(+) diff --git a/policy/modules/contrib/java.if b/policy/modules/contrib/java.if index acf6a63..f4b9444 100644 --- a/policy/modules/contrib/java.if +++ b/policy/modules/contrib/java.if @@ -327,3 +327,37 @@ template(`java_noatsecure_domtrans',` java_domtrans($1) ') + +### +## +## The template for using java in a domain. +## +## +## +## This template creates a derived domains which are used +## for java applications. +## +## +## +## +## The type of the domain to be given java privs. +## +## +# +template(`java_domain_type',` + gen_require(` + attribute java_domain; + type java_exec_t, java_tmp_t, java_tmpfs_t; + type java_home_t; + ') + + + # + # Policy + # + + typeattribute $1 java_domain; + + # cannot be called on the attribute, so do it now + auth_use_nsswitch($1) +') diff --git a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te index 11e996d..67af775 100644 --- a/policy/modules/contrib/java.te +++ b/policy/modules/contrib/java.te @@ -120,6 +120,9 @@ ifdef(`distro_gentoo',` manage_dirs_pattern(java_domain, java_home_t, java_home_t) manage_files_pattern(java_domain, java_home_t, java_home_t) userdom_user_home_dir_filetrans(java_domain, java_home_t, dir, ".icedtea") + + manage_lnk_files_pattern(java_domain, java_tmp_t, java_tmp_t) + files_tmp_filetrans(java_domain, java_tmp_t, lnk_file) ') tunable_policy(`allow_java_execstack',`
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: c7f0f8153410b8eb17ccf9101e41498946344896
Author: Jason Zaman perfinion com>
AuthorDate: Mon Aug 18 09:54:23 2014 +
Commit: Jason Zaman perfinion com>
CommitDate: Thu Aug 21 20:29:24 2014 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=c7f0f815
Add policy for Android tools and SDK
---
policy/modules/contrib/android.fc | 5 ++
policy/modules/contrib/android.if | 99
policy/modules/contrib/android.te | 104 ++
3 files changed, 208 insertions(+)
diff --git a/policy/modules/contrib/android.fc
b/policy/modules/contrib/android.fc
new file mode 100644
index 000..1214e57
--- /dev/null
+++ b/policy/modules/contrib/android.fc
@@ -0,0 +1,5 @@
+HOME_DIR/\.AndroidStudio.*(/.*)?
gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.android(/.*)?
gen_context(system_u:object_r:android_home_t,s0)
+
+/opt/android-studio/bin/studio.sh
gen_context(system_u:object_r:android_java_exec_t,s0)
+
diff --git a/policy/modules/contrib/android.if
b/policy/modules/contrib/android.if
new file mode 100644
index 000..0c52d31
--- /dev/null
+++ b/policy/modules/contrib/android.if
@@ -0,0 +1,99 @@
+## Android development tools - adb, fastboot, android studio
+
+###
+##
+## The role for using the android tools.
+##
+##
+##
+## The role associated with the user domain.
+##
+##
+##
+##
+## The user domain.
+##
+##
+#
+interface(`android_role',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ type android_home_t;
+ type android_tmp_t;
+ type android_java_t;
+ type android_java_exec_t;
+ ')
+
+ role $1 types android_tools_t;
+ role $1 types android_java_t;
+
+ domtrans_pattern($2, android_tools_exec_t, android_tools_t)
+ domtrans_pattern($2, android_java_exec_t, android_java_t)
+
+ allow $2 android_tools_t:process { ptrace signal_perms };
+ allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh
rlimitinh };
+
+ manage_dirs_pattern($2, android_home_t, android_home_t)
+ manage_files_pattern($2, android_home_t, android_home_t)
+ manage_lnk_files_pattern($2, android_home_t, android_home_t)
+
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir,
".AndroidStudioBeta")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir,
".AndroidStudio")
+
+ manage_dirs_pattern($2, android_tmp_t, android_tmp_t)
+ manage_files_pattern($2, android_tmp_t, android_tmp_t)
+
+ allow $2 android_home_t:dir relabel_dir_perms;
+ allow $2 android_home_t:file relabel_file_perms;
+ allow $2 android_tools_exec_t:file relabel_file_perms;
+
+ ps_process_pattern($2, android_tools_t)
+ ps_process_pattern($2, android_java_t)
+
+ android_dbus_chat($2)
+')
+
+#
+##
+## Execute the android tools commands in the
+## android tools domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+
+interface(`android_tools_domtrans',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, android_tools_exec_t, android_tools_t)
+')
+
+#
+##
+## Send and receive messages from the android java
+## domain over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`android_dbus_chat',`
+ gen_require(`
+ type android_java_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 android_java_t:dbus send_msg;
+ allow android_java_t $1:dbus send_msg;
+')
+
diff --git a/policy/modules/contrib/android.te
b/policy/modules/contrib/android.te
new file mode 100644
index 000..dc70c31
--- /dev/null
+++ b/policy/modules/contrib/android.te
@@ -0,0 +1,104 @@
+policy_module(android, 1.0.0)
+
+
+#
+# Declarations
+#
+
+# adb needs to be labelled with android_tools_exec_t
+type android_tools_t;
+type android_tools_exec_t; # customizable
+userdom_user_application_domain(android_tools_t, android_tools_exec_t)
+
+type android_tmp_t;
+userdom_user_tmp_file(android_tmp_t)
+
+# for X server SHM
+type android_tmpfs_t;
+userdom_user_tmpfs_file(android_tmpfs_t)
+
+type android_java_t;
+type android_java_exec_t;
+userdom_user_application_domain(android_java_t, android_java_exec_t)
+java_domain_type(android_java_t)
+android_tools_domtrans(android_java_t)
+can_exec(android_java_t, android_home_t)
+can_exec(android_java_t, android_java_exec_t)
+
+# the android dir ~/.android
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: e87124ea3216ac9d592fafad521076661f62fabb Author: Jason Zaman perfinion com> AuthorDate: Mon Aug 18 09:51:22 2014 + Commit: Jason Zaman perfinion com> CommitDate: Wed Aug 20 17:12:08 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e87124ea Add java_domain_type interface This interface will enable another domain to use Java without having to domtrans to java_t --- policy/modules/contrib/java.if | 34 ++ policy/modules/contrib/java.te | 3 +++ 2 files changed, 37 insertions(+) diff --git a/policy/modules/contrib/java.if b/policy/modules/contrib/java.if index acf6a63..f4b9444 100644 --- a/policy/modules/contrib/java.if +++ b/policy/modules/contrib/java.if @@ -327,3 +327,37 @@ template(`java_noatsecure_domtrans',` java_domtrans($1) ') + +### +## +## The template for using java in a domain. +## +## +## +## This template creates a derived domains which are used +## for java applications. +## +## +## +## +## The type of the domain to be given java privs. +## +## +# +template(`java_domain_type',` + gen_require(` + attribute java_domain; + type java_exec_t, java_tmp_t, java_tmpfs_t; + type java_home_t; + ') + + + # + # Policy + # + + typeattribute $1 java_domain; + + # cannot be called on the attribute, so do it now + auth_use_nsswitch($1) +') diff --git a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te index 11e996d..67af775 100644 --- a/policy/modules/contrib/java.te +++ b/policy/modules/contrib/java.te @@ -120,6 +120,9 @@ ifdef(`distro_gentoo',` manage_dirs_pattern(java_domain, java_home_t, java_home_t) manage_files_pattern(java_domain, java_home_t, java_home_t) userdom_user_home_dir_filetrans(java_domain, java_home_t, dir, ".icedtea") + + manage_lnk_files_pattern(java_domain, java_tmp_t, java_tmp_t) + files_tmp_filetrans(java_domain, java_tmp_t, lnk_file) ') tunable_policy(`allow_java_execstack',`
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: 2e7d43201fda0a9a6a16f0781d69b8081885e5a3
Author: Jason Zaman perfinion com>
AuthorDate: Mon Aug 18 09:54:23 2014 +
Commit: Jason Zaman perfinion com>
CommitDate: Wed Aug 20 17:12:18 2014 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=2e7d4320
Add policy for Android tools and SDK
---
policy/modules/contrib/android.fc | 5 ++
policy/modules/contrib/android.if | 99
policy/modules/contrib/android.te | 104 ++
3 files changed, 208 insertions(+)
diff --git a/policy/modules/contrib/android.fc
b/policy/modules/contrib/android.fc
new file mode 100644
index 000..1214e57
--- /dev/null
+++ b/policy/modules/contrib/android.fc
@@ -0,0 +1,5 @@
+HOME_DIR/\.AndroidStudio.*(/.*)?
gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.android(/.*)?
gen_context(system_u:object_r:android_home_t,s0)
+
+/opt/android-studio/bin/studio.sh
gen_context(system_u:object_r:android_java_exec_t,s0)
+
diff --git a/policy/modules/contrib/android.if
b/policy/modules/contrib/android.if
new file mode 100644
index 000..0c52d31
--- /dev/null
+++ b/policy/modules/contrib/android.if
@@ -0,0 +1,99 @@
+## Android development tools - adb, fastboot, android studio
+
+###
+##
+## The role for using the android tools.
+##
+##
+##
+## The role associated with the user domain.
+##
+##
+##
+##
+## The user domain.
+##
+##
+#
+interface(`android_role',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ type android_home_t;
+ type android_tmp_t;
+ type android_java_t;
+ type android_java_exec_t;
+ ')
+
+ role $1 types android_tools_t;
+ role $1 types android_java_t;
+
+ domtrans_pattern($2, android_tools_exec_t, android_tools_t)
+ domtrans_pattern($2, android_java_exec_t, android_java_t)
+
+ allow $2 android_tools_t:process { ptrace signal_perms };
+ allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh
rlimitinh };
+
+ manage_dirs_pattern($2, android_home_t, android_home_t)
+ manage_files_pattern($2, android_home_t, android_home_t)
+ manage_lnk_files_pattern($2, android_home_t, android_home_t)
+
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir,
".AndroidStudioBeta")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir,
".AndroidStudio")
+
+ manage_dirs_pattern($2, android_tmp_t, android_tmp_t)
+ manage_files_pattern($2, android_tmp_t, android_tmp_t)
+
+ allow $2 android_home_t:dir relabel_dir_perms;
+ allow $2 android_home_t:file relabel_file_perms;
+ allow $2 android_tools_exec_t:file relabel_file_perms;
+
+ ps_process_pattern($2, android_tools_t)
+ ps_process_pattern($2, android_java_t)
+
+ android_dbus_chat($2)
+')
+
+#
+##
+## Execute the android tools commands in the
+## android tools domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+
+interface(`android_tools_domtrans',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, android_tools_exec_t, android_tools_t)
+')
+
+#
+##
+## Send and receive messages from the android java
+## domain over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`android_dbus_chat',`
+ gen_require(`
+ type android_java_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 android_java_t:dbus send_msg;
+ allow android_java_t $1:dbus send_msg;
+')
+
diff --git a/policy/modules/contrib/android.te
b/policy/modules/contrib/android.te
new file mode 100644
index 000..dc70c31
--- /dev/null
+++ b/policy/modules/contrib/android.te
@@ -0,0 +1,104 @@
+policy_module(android, 1.0.0)
+
+
+#
+# Declarations
+#
+
+# adb needs to be labelled with android_tools_exec_t
+type android_tools_t;
+type android_tools_exec_t; # customizable
+userdom_user_application_domain(android_tools_t, android_tools_exec_t)
+
+type android_tmp_t;
+userdom_user_tmp_file(android_tmp_t)
+
+# for X server SHM
+type android_tmpfs_t;
+userdom_user_tmpfs_file(android_tmpfs_t)
+
+type android_java_t;
+type android_java_exec_t;
+userdom_user_application_domain(android_java_t, android_java_exec_t)
+java_domain_type(android_java_t)
+android_tools_domtrans(android_java_t)
+can_exec(android_java_t, android_home_t)
+can_exec(android_java_t, android_java_exec_t)
+
+# the android dir ~/.android
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: 319c3a79d778755a5519bac88dd056bcb6537057 Author: Jason Zaman perfinion com> AuthorDate: Mon Aug 18 09:51:22 2014 + Commit: Jason Zaman perfinion com> CommitDate: Wed Aug 20 17:05:26 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=319c3a79 Add java_domain_type interface This interface will enable another domain to use Java without having to domtrans to java_t --- policy/modules/contrib/java.if | 34 ++ policy/modules/contrib/java.te | 3 +++ 2 files changed, 37 insertions(+) diff --git a/policy/modules/contrib/java.if b/policy/modules/contrib/java.if index acf6a63..f4b9444 100644 --- a/policy/modules/contrib/java.if +++ b/policy/modules/contrib/java.if @@ -327,3 +327,37 @@ template(`java_noatsecure_domtrans',` java_domtrans($1) ') + +### +## +## The template for using java in a domain. +## +## +## +## This template creates a derived domains which are used +## for java applications. +## +## +## +## +## The type of the domain to be given java privs. +## +## +# +template(`java_domain_type',` + gen_require(` + attribute java_domain; + type java_exec_t, java_tmp_t, java_tmpfs_t; + type java_home_t; + ') + + + # + # Policy + # + + typeattribute $1 java_domain; + + # cannot be called on the attribute, so do it now + auth_use_nsswitch($1) +') diff --git a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te index 11e996d..67af775 100644 --- a/policy/modules/contrib/java.te +++ b/policy/modules/contrib/java.te @@ -120,6 +120,9 @@ ifdef(`distro_gentoo',` manage_dirs_pattern(java_domain, java_home_t, java_home_t) manage_files_pattern(java_domain, java_home_t, java_home_t) userdom_user_home_dir_filetrans(java_domain, java_home_t, dir, ".icedtea") + + manage_lnk_files_pattern(java_domain, java_tmp_t, java_tmp_t) + files_tmp_filetrans(java_domain, java_tmp_t, lnk_file) ') tunable_policy(`allow_java_execstack',`
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: 0335b979cb62f51143112789876baf9c1d1197f3
Author: Jason Zaman perfinion com>
AuthorDate: Mon Aug 18 09:54:23 2014 +
Commit: Jason Zaman perfinion com>
CommitDate: Wed Aug 20 17:05:52 2014 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=0335b979
Add policy for Android tools and SDK
---
policy/modules/contrib/android.fc | 5 ++
policy/modules/contrib/android.if | 99
policy/modules/contrib/android.te | 104 ++
3 files changed, 208 insertions(+)
diff --git a/policy/modules/contrib/android.fc
b/policy/modules/contrib/android.fc
new file mode 100644
index 000..1214e57
--- /dev/null
+++ b/policy/modules/contrib/android.fc
@@ -0,0 +1,5 @@
+HOME_DIR/\.AndroidStudio.*(/.*)?
gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.android(/.*)?
gen_context(system_u:object_r:android_home_t,s0)
+
+/opt/android-studio/bin/studio.sh
gen_context(system_u:object_r:android_java_exec_t,s0)
+
diff --git a/policy/modules/contrib/android.if
b/policy/modules/contrib/android.if
new file mode 100644
index 000..0c52d31
--- /dev/null
+++ b/policy/modules/contrib/android.if
@@ -0,0 +1,99 @@
+## Android development tools - adb, fastboot, android studio
+
+###
+##
+## The role for using the android tools.
+##
+##
+##
+## The role associated with the user domain.
+##
+##
+##
+##
+## The user domain.
+##
+##
+#
+interface(`android_role',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ type android_home_t;
+ type android_tmp_t;
+ type android_java_t;
+ type android_java_exec_t;
+ ')
+
+ role $1 types android_tools_t;
+ role $1 types android_java_t;
+
+ domtrans_pattern($2, android_tools_exec_t, android_tools_t)
+ domtrans_pattern($2, android_java_exec_t, android_java_t)
+
+ allow $2 android_tools_t:process { ptrace signal_perms };
+ allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh
rlimitinh };
+
+ manage_dirs_pattern($2, android_home_t, android_home_t)
+ manage_files_pattern($2, android_home_t, android_home_t)
+ manage_lnk_files_pattern($2, android_home_t, android_home_t)
+
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir,
".AndroidStudioBeta")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir,
".AndroidStudio")
+
+ manage_dirs_pattern($2, android_tmp_t, android_tmp_t)
+ manage_files_pattern($2, android_tmp_t, android_tmp_t)
+
+ allow $2 android_home_t:dir relabel_dir_perms;
+ allow $2 android_home_t:file relabel_file_perms;
+ allow $2 android_tools_exec_t:file relabel_file_perms;
+
+ ps_process_pattern($2, android_tools_t)
+ ps_process_pattern($2, android_java_t)
+
+ android_dbus_chat($2)
+')
+
+#
+##
+## Execute the android tools commands in the
+## android tools domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+
+interface(`android_tools_domtrans',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, android_tools_exec_t, android_tools_t)
+')
+
+#
+##
+## Send and receive messages from the android java
+## domain over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`android_dbus_chat',`
+ gen_require(`
+ type android_java_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 android_java_t:dbus send_msg;
+ allow android_java_t $1:dbus send_msg;
+')
+
diff --git a/policy/modules/contrib/android.te
b/policy/modules/contrib/android.te
new file mode 100644
index 000..dc70c31
--- /dev/null
+++ b/policy/modules/contrib/android.te
@@ -0,0 +1,104 @@
+policy_module(android, 1.0.0)
+
+
+#
+# Declarations
+#
+
+# adb needs to be labelled with android_tools_exec_t
+type android_tools_t;
+type android_tools_exec_t; # customizable
+userdom_user_application_domain(android_tools_t, android_tools_exec_t)
+
+type android_tmp_t;
+userdom_user_tmp_file(android_tmp_t)
+
+# for X server SHM
+type android_tmpfs_t;
+userdom_user_tmpfs_file(android_tmpfs_t)
+
+type android_java_t;
+type android_java_exec_t;
+userdom_user_application_domain(android_java_t, android_java_exec_t)
+java_domain_type(android_java_t)
+android_tools_domtrans(android_java_t)
+can_exec(android_java_t, android_home_t)
+can_exec(android_java_t, android_java_exec_t)
+
+# the android dir ~/.android
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: 8536b0d09cab98d71c8efac29e5c0bed93563807 Author: Sven Vermeulen siphos be> AuthorDate: Tue Aug 19 20:16:33 2014 + Commit: Jason Zaman perfinion com> CommitDate: Tue Aug 19 20:16:33 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=8536b0d0 Add filetrans for ~/.pki --- policy/modules/contrib/chromium.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/contrib/chromium.te b/policy/modules/contrib/chromium.te index 0f72dd7..48a0abd 100644 --- a/policy/modules/contrib/chromium.te +++ b/policy/modules/contrib/chromium.te @@ -157,6 +157,7 @@ miscfiles_manage_user_certs(chromium_t) miscfiles_read_all_certs(chromium_t) miscfiles_read_localization(chromium_t) miscfiles_user_home_dir_filetrans_cert_home(chromium_t, dir, ".nss") +miscfiles_user_home_dir_filetrans_cert_home(chromium_t, dir, ".pki") sysnet_dns_name_resolve(chromium_t)
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: e80dbd9f643e80a8cd406919a4a3c83ace838f1c
Author: Chris PeBenito tresys com>
AuthorDate: Tue Aug 19 12:51:23 2014 +
Commit: Jason Zaman perfinion com>
CommitDate: Tue Aug 19 20:05:35 2014 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e80dbd9f
Move irc exec lines.
---
policy/modules/contrib/irc.te | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/policy/modules/contrib/irc.te b/policy/modules/contrib/irc.te
index 4899a0d..024c4fd 100644
--- a/policy/modules/contrib/irc.te
+++ b/policy/modules/contrib/irc.te
@@ -50,6 +50,9 @@ allow irc_t self:unix_stream_socket { accept listen };
allow irc_t irc_conf_t:file read_file_perms;
+can_exec(irc_t, irc_exec_t)
+corecmd_search_bin(irc_t)
+
manage_dirs_pattern(irc_t, irc_home_t, irc_home_t)
manage_files_pattern(irc_t, irc_home_t, irc_home_t)
manage_lnk_files_pattern(irc_t, irc_home_t, irc_home_t)
@@ -70,9 +73,6 @@ files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file
sock_file fifo_file })
kernel_read_system_state(irc_t)
-can_exec(irc_t, irc_exec_t)
-corecmd_search_bin(irc_t)
-
corenet_all_recvfrom_unlabeled(irc_t)
corenet_all_recvfrom_netlabel(irc_t)
corenet_tcp_sendrecv_generic_if(irc_t)
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: f9e17b18afd02ef369157fb8afb9b1aee0de95cd Author: Jason Zaman perfinion com> AuthorDate: Mon Aug 18 09:51:22 2014 + Commit: Jason Zaman perfinion com> CommitDate: Tue Aug 19 20:18:24 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f9e17b18 Add java_domain_template interface This interface will enable another domain to use Java without having to domtrans to java_t --- policy/modules/contrib/java.if | 34 ++ policy/modules/contrib/java.te | 3 +++ 2 files changed, 37 insertions(+) diff --git a/policy/modules/contrib/java.if b/policy/modules/contrib/java.if index acf6a63..a2678cb 100644 --- a/policy/modules/contrib/java.if +++ b/policy/modules/contrib/java.if @@ -327,3 +327,37 @@ template(`java_noatsecure_domtrans',` java_domtrans($1) ') + +### +## +## The template for using java in a domain. +## +## +## +## This template creates a derived domains which are used +## for java applications. +## +## +## +## +## The type of the domain to be given java privs. +## +## +# +template(`java_domain_template',` + gen_require(` + attribute java_domain; + type java_exec_t, java_tmp_t, java_tmpfs_t; + type java_home_t; + ') + + + # + # Policy + # + + typeattribute $1 java_domain; + + # cannot be called on the attribute, so do it now + auth_use_nsswitch($1) +') diff --git a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te index 11e996d..67af775 100644 --- a/policy/modules/contrib/java.te +++ b/policy/modules/contrib/java.te @@ -120,6 +120,9 @@ ifdef(`distro_gentoo',` manage_dirs_pattern(java_domain, java_home_t, java_home_t) manage_files_pattern(java_domain, java_home_t, java_home_t) userdom_user_home_dir_filetrans(java_domain, java_home_t, dir, ".icedtea") + + manage_lnk_files_pattern(java_domain, java_tmp_t, java_tmp_t) + files_tmp_filetrans(java_domain, java_tmp_t, lnk_file) ') tunable_policy(`allow_java_execstack',`
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: 1b60b7fbeb93d351f8ee41b4666266c52d91b73c Author: Chris PeBenito tresys com> AuthorDate: Tue Aug 19 12:51:43 2014 + Commit: Jason Zaman perfinion com> CommitDate: Tue Aug 19 20:05:36 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=1b60b7fb Module version bump for irc re-exec itself patch from Luis Ressel. --- policy/modules/contrib/irc.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/modules/contrib/irc.te b/policy/modules/contrib/irc.te index 024c4fd..de93459 100644 --- a/policy/modules/contrib/irc.te +++ b/policy/modules/contrib/irc.te @@ -1,4 +1,4 @@ -policy_module(irc, 2.4.0) +policy_module(irc, 2.4.1) #
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: cf031f5133b0603f71a8690db53a7afa4a25a1c9
Author: Luis Ressel aixah de>
AuthorDate: Tue Aug 12 12:08:44 2014 +
Commit: Jason Zaman perfinion com>
CommitDate: Tue Aug 19 20:05:33 2014 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=cf031f51
irc.te: Allow irssi to re-execute itself
---
policy/modules/contrib/irc.te | 3 +++
1 file changed, 3 insertions(+)
diff --git a/policy/modules/contrib/irc.te b/policy/modules/contrib/irc.te
index 070c5c6..4899a0d 100644
--- a/policy/modules/contrib/irc.te
+++ b/policy/modules/contrib/irc.te
@@ -70,6 +70,9 @@ files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file
sock_file fifo_file })
kernel_read_system_state(irc_t)
+can_exec(irc_t, irc_exec_t)
+corecmd_search_bin(irc_t)
+
corenet_all_recvfrom_unlabeled(irc_t)
corenet_all_recvfrom_netlabel(irc_t)
corenet_tcp_sendrecv_generic_if(irc_t)
[gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/contrib/
commit: 4d54831b84863a00614fa48e279cc6b6aa007b81
Author: Jason Zaman perfinion com>
AuthorDate: Mon Aug 18 09:54:23 2014 +
Commit: Jason Zaman perfinion com>
CommitDate: Tue Aug 19 20:18:24 2014 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=4d54831b
Add policy for Android tools and SDK
---
policy/modules/contrib/android.fc | 5 ++
policy/modules/contrib/android.if | 99
policy/modules/contrib/android.te | 103 ++
3 files changed, 207 insertions(+)
diff --git a/policy/modules/contrib/android.fc
b/policy/modules/contrib/android.fc
new file mode 100644
index 000..1214e57
--- /dev/null
+++ b/policy/modules/contrib/android.fc
@@ -0,0 +1,5 @@
+HOME_DIR/\.AndroidStudio.*(/.*)?
gen_context(system_u:object_r:android_home_t,s0)
+HOME_DIR/\.android(/.*)?
gen_context(system_u:object_r:android_home_t,s0)
+
+/opt/android-studio/bin/studio.sh
gen_context(system_u:object_r:android_java_exec_t,s0)
+
diff --git a/policy/modules/contrib/android.if
b/policy/modules/contrib/android.if
new file mode 100644
index 000..0c52d31
--- /dev/null
+++ b/policy/modules/contrib/android.if
@@ -0,0 +1,99 @@
+## Android development tools - adb, fastboot, android studio
+
+###
+##
+## The role for using the android tools.
+##
+##
+##
+## The role associated with the user domain.
+##
+##
+##
+##
+## The user domain.
+##
+##
+#
+interface(`android_role',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ type android_home_t;
+ type android_tmp_t;
+ type android_java_t;
+ type android_java_exec_t;
+ ')
+
+ role $1 types android_tools_t;
+ role $1 types android_java_t;
+
+ domtrans_pattern($2, android_tools_exec_t, android_tools_t)
+ domtrans_pattern($2, android_java_exec_t, android_java_t)
+
+ allow $2 android_tools_t:process { ptrace signal_perms };
+ allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh
rlimitinh };
+
+ manage_dirs_pattern($2, android_home_t, android_home_t)
+ manage_files_pattern($2, android_home_t, android_home_t)
+ manage_lnk_files_pattern($2, android_home_t, android_home_t)
+
+ userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir,
".AndroidStudioBeta")
+ userdom_user_home_dir_filetrans($2, android_home_t, dir,
".AndroidStudio")
+
+ manage_dirs_pattern($2, android_tmp_t, android_tmp_t)
+ manage_files_pattern($2, android_tmp_t, android_tmp_t)
+
+ allow $2 android_home_t:dir relabel_dir_perms;
+ allow $2 android_home_t:file relabel_file_perms;
+ allow $2 android_tools_exec_t:file relabel_file_perms;
+
+ ps_process_pattern($2, android_tools_t)
+ ps_process_pattern($2, android_java_t)
+
+ android_dbus_chat($2)
+')
+
+#
+##
+## Execute the android tools commands in the
+## android tools domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+
+interface(`android_tools_domtrans',`
+ gen_require(`
+ type android_tools_t;
+ type android_tools_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, android_tools_exec_t, android_tools_t)
+')
+
+#
+##
+## Send and receive messages from the android java
+## domain over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`android_dbus_chat',`
+ gen_require(`
+ type android_java_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 android_java_t:dbus send_msg;
+ allow android_java_t $1:dbus send_msg;
+')
+
diff --git a/policy/modules/contrib/android.te
b/policy/modules/contrib/android.te
new file mode 100644
index 000..18ba7d7
--- /dev/null
+++ b/policy/modules/contrib/android.te
@@ -0,0 +1,103 @@
+policy_module(android, 1.0.0)
+
+
+#
+# Declarations
+#
+
+# adb needs to be labelled with android_tools_exec_t
+type android_tools_t;
+type android_tools_exec_t; # customizable
+userdom_user_application_domain(android_tools_t, android_tools_exec_t)
+
+# the android dir ~/.android/, ~/.AndroidStudio/
+# this is customizable since the sdk needs to be labelled
+type android_home_t; # customizable
+userdom_user_home_content(android_home_t)
+
+type android_tmp_t;
+userdom_user_tmp_file(android_tmp_t)
+
+# for X server SHM
+type android_tmpfs_t;
+userdom_user_tmpfs_file(android_tmpfs_t)
+
+type android_java_t;
+type android_java_exec_t;
+userdom_user_application_domain(android_java_t, android_java_exec_t)
+
+
