From: "Sven Vermeulen"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen"
Message-ID: <1380102504.0fdabf2b4d8de0a4cbfaa1a6a59611e222a822a2.swift@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/contrib/cron.fc policy/modules/contrib/cron.te policy/modules/contrib/devicekit.if policy/modules/contrib/devicekit.te
X-VCS-Directories: policy/modules/contrib/
X-VCS-Committer: swift
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: 0fdabf2b4d8de0a4cbfaa1a6a59611e222a822a2
X-VCS-Branch: master
Date: Wed, 25 Sep 2013 09:49:38 +0000 (UTC)
Precedence: bulk
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: f5e24d6b-f0a0-4f15-b39d-543b34c8f332
X-Archives-Hash: 117f54fcaab41a04de252c2d43280369

commit:     0fdabf2b4d8de0a4cbfaa1a6a59611e222a822a2
Author:     Dominick Grift gmail com>
AuthorDate: Mon Sep 23 08:21:34 2013 +0000
Commit:     Sven Vermeulen gentoo org>
CommitDate: Wed Sep 25 09:48:24 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=0fdabf2b

Cron: /sbin/runlevel reads /run/utmp

cron: anacron (system_cronjob_t) reading, writing inherited random crond
tmp files (/tmp/tmpfk1VT2O)

Cron: anacron inheriting/using /dev/null

cron: label anacron init script with cron init script file type

devicekit: allow devicekit power to run all init scripts in the initrc_t
domain

These are pre/post suspend/resume scriptlets running in the devicekit
power domain starting, and stopping all kinds of services on suspend,
and resume respectively

cron: anacron reads /run/pm-utils/locks/pm-powersave.lock

basically devicekit_power runs anacron init script with a domain
transition to initrc_t, and then anacron does its thing related to
suspend/resume, or other power management

cron: anacron appends to /var/log/pm-powersave.log fd that it inherited
from devicekit_power_t

Signed-off-by: Dominick Grift gmail.com>
---
 policy/modules/contrib/cron.fc      |  2 ++
 policy/modules/contrib/cron.te      | 11 +++++++++-
 policy/modules/contrib/devicekit.if | 40 +++++++++++++++++++++++++++++++++++++
 policy/modules/contrib/devicekit.te |  6 ++----
 4 files changed, 54 insertions(+), 5 deletions(-)

diff --git a/policy/modules/contrib/cron.fc b/policy/modules/contrib/cron.fc index 62764aa..0e0c1f4 100644 --- a/policy/modules/contrib/cron.fc +++ b/policy/modules/contrib/cron.fc @@ -1,6 +1,8 @@ /etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0) /etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0) +/etc/rc\.d/init\.d/anacron -- gen_context(system_u:object_r:crond_initrc_exec_t,s0) + /usr/bin/(f)?crontab -- gen_context(system_u:object_r:crontab_exec_t,s0) /usr/libexec/fcron -- gen_context(system_u:object_r:crond_exec_t,s0) diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te index 7c58f47..3776173 100644 --- a/policy/modules/contrib/cron.te +++ b/policy/modules/contrib/cron.te @@ -422,6 +422,7 @@ optional_policy(` allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice }; allow system_cronjob_t self:process { signal_perms getsched setsched }; +allow system_cronjob_t self:fd use; allow system_cronjob_t self:fifo_file rw_fifo_file_perms; allow system_cronjob_t self:passwd rootok; @@ -453,6 +454,8 @@ allow system_cronjob_t crond_t:process sigchld; allow system_cronjob_t cron_spool_t:dir list_dir_perms; allow system_cronjob_t cron_spool_t:file rw_file_perms; +allow system_cronjob_t crond_tmp_t:file { read write }; + kernel_read_kernel_sysctls(system_cronjob_t) kernel_read_network_state(system_cronjob_t) kernel_read_system_state(system_cronjob_t) 
@@ -500,8 +503,9 @@ files_create_boot_flag(system_cronjob_t) mls_file_read_to_clearance(system_cronjob_t) -init_use_script_fds(system_cronjob_t) init_domtrans_script(system_cronjob_t) +init_read_utmp(system_cronjob_t) +init_use_script_fds(system_cronjob_t) auth_use_nsswitch(system_cronjob_t) @@ -554,6 +558,11 @@ optional_policy(` ') optional_policy(` + devicekit_read_pid_files(system_cronjob_t) + devicekit_append_inherited_log_files(system_cronjob_t) +') + +optional_policy(` exim_read_spool_files(system_cronjob_t) ') diff --git a/policy/modules/contrib/devicekit.if b/policy/modules/contrib/devicekit.if index d294865..f1271ae 100644 --- a/policy/modules/contrib/devicekit.if +++ b/policy/modules/contrib/devicekit.if @@ -122,6 +122,46 @@ interface(`devicekit_dbus_chat_power',` ######################################## ## +## Use and inherit devicekit power +## file descriptors. +## +## +## +## Domain allowed access. +## +## +# +interface(`devicekit_use_fds_power',` + gen_require(` + type devicekit_power_t; + ') + + allow $1 devicekit_power_t:fd use; +') + +######################################## +## +## Append inherited devicekit log files. +## +## +## +## Domain allowed access. +## +## +# +interface(`devicekit_append_inherited_log_files',` + gen_require(` + type devicekit_var_log_t; + ') + + logging_search_logs($1) + allow $1 devicekit_log_t:file append; + + devicekit_use_fds_power($1) +') + +######################################## +## ## Create, read, write, and delete ## devicekit log files. ## diff --git a/policy/modules/contrib/devicekit.te b/policy/modules/contrib/devicekit.te index 0e6fbcd..7b1ca51 100644 --- a/policy/modules/contrib/devicekit.te +++ b/policy/modules/contrib/devicekit.te @@ -252,6 +252,8 @@ term_use_all_terms(devicekit_power_t) auth_use_nsswitch(devicekit_power_t) +init_all_labeled_script_domtrans(devicekit_power_t) + miscfiles_read_localization(devicekit_power_t) sysnet_domtrans_ifconfig(devicekit_power_t) 
@@ -268,10 +270,6 @@ optional_policy(` ') optional_policy(` - cron_initrc_domtrans(devicekit_power_t) -') - -optional_policy(` dbus_system_bus_client(devicekit_power_t) allow devicekit_power_t devicekit_t:dbus send_msg;
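
Review bot: The new file-context entry in policy/modules/contrib/cron.fc matches only `/etc/rc\.d/init\.d/anacron`, so the crond_initrc_exec_t label (and the init-script transition the rest of this patch relies on) applies only where the anacron init script is installed at exactly that path. If the policy is expected to cover systems that install the script under a different init directory, add a matching entry for that location next to this one.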
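
Review bot: The rule `allow system_cronjob_t crond_tmp_t:file { read write };` in the cron.te hunk at @@ -453 grants read and write without open, which matches the "inherited" wording in the commit message but is not documented in the policy itself. Add a one-line comment above it saying the access is for descriptors inherited from crond and that open is left out on purpose, so the rule is not later normalized to rw_file_perms like the cron_spool_t rule directly above it.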
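
Review bot: The new optional_policy block in the cron.te hunk at @@ -554 gives `devicekit_read_pid_files` and `devicekit_append_inherited_log_files` to system_cronjob_t, so every system cron job gets these accesses, while the commit message attributes them only to anacron handling pm-powersave.lock and pm-powersave.log. Since the policy cannot tell anacron apart within this domain, a comment inside the block naming those two files and the suspend/resume case would record why the domain as a whole needs the access.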
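
Review bot: In `devicekit_append_inherited_log_files` (policy/modules/contrib/devicekit.if), the gen_require block declares `type devicekit_var_log_t;` but the rule is `allow $1 devicekit_log_t:file append;`, so the rule references a type the interface never requires. Make both lines name the type that devicekit.te actually declares for its log files; as written the interface either fails to build or does not grant append on the intended type. Separately, the interface is documented as covering inherited log files, and appending through an already-open descriptor does not need directory search, so `logging_search_logs($1)` looks broader than the summary promises and could be dropped.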
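
Review bot: Across the two devicekit.te hunks, `init_all_labeled_script_domtrans(devicekit_power_t)` is added unconditionally while the narrower `cron_initrc_domtrans(devicekit_power_t)` optional_policy block is removed, which widens devicekit_power_t from the cron init script to every labeled init script. The reason (pre/post suspend/resume scriptlets starting and stopping services) appears only in the commit message; put a short comment next to the new call so the broad grant is not mistaken for an oversight, and consider whether it should be limited to the scripts those scriptlets actually run.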