From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	by finch.gentoo.org (Postfix) with ESMTP id B5076138CA3
	for ; Mon, 13 Apr 2015 20:28:00 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 13B70E07FA;
	Mon, 13 Apr 2015 20:27:58 +0000 (UTC)
Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id 7381AE07E8
	for ; Mon, 13 Apr 2015 20:27:57 +0000 (UTC)
Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by smtp.gentoo.org (Postfix) with ESMTPS id 2CD98340B1E
	for ; Mon, 13 Apr 2015 20:27:56 +0000 (UTC)
Received: from localhost.localdomain (localhost [127.0.0.1])
	by oystercatcher.gentoo.org (Postfix) with ESMTP id 733F515DB0
	for ; Mon, 13 Apr 2015 20:27:52 +0000 (UTC)
From: "Jason Zaman"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman"
Message-ID: <1428955305.a98daba3644f9e84e81c784fa1b8773dbbba9681.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/contrib/cachefilesd.te
X-VCS-Directories: policy/modules/contrib/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: a98daba3644f9e84e81c784fa1b8773dbbba9681
X-VCS-Branch: master
Date: Mon, 13 Apr 2015 20:27:52 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: 77da0d43-b1f4-4535-b67e-e67639d086c7
X-Archives-Hash: 088b273e1cc837e414ef568ed2d93b5c

commit:     a98daba3644f9e84e81c784fa1b8773dbbba9681
Author:     Dominick Grift gmail com>
AuthorDate: Tue Mar 31 16:17:46 2015 +0000
Commit:     Jason Zaman gentoo org>
CommitDate: Mon Apr 13 20:01:45 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a98daba3

Cachefilesd module updates

The module was incomplete because I was not confident about various rules
implemented in the Fedora policy.

The files_create_all_files_as_is(cachefilesd_t) interface call was a bad idea.
Instead it just needs to maintain files in the cache with the cachefiles_cache_t
type.

The process associated with cachefiles_kernel_t is a kernel thread (kworker).

 policy/modules/contrib/cachefilesd.te | 30 +++++++++++++++++++++++++++---
 1 file changed, 27 insertions(+), 3 deletions(-)

diff --git a/policy/modules/contrib/cachefilesd.te b/policy/modules/contrib/cachefilesd.te
index a3760bc..1d78e00 100644
--- a/policy/modules/contrib/cachefilesd.te
+++ b/policy/modules/contrib/cachefilesd.te
@@ -1,4 +1,4 @@ -policy_module(cachefilesd, 1.1.0) +policy_module(cachefilesd, 1.1.1) ######################################## # @@ -18,22 +18,28 @@ files_type(cachefilesd_cache_t) type cachefilesd_var_run_t; files_pid_file(cachefilesd_var_run_t) +type cachefiles_kernel_t; +domain_type(cachefiles_kernel_t) +role system_r types cachefiles_kernel_t; + ######################################## # -# Local policy +# Cachefilesd local policy # allow cachefilesd_t self:capability { setuid setgid sys_admin dac_override }; +allow cachefilesd_t cachefiles_kernel_t:kernel_service use_as_override; + manage_files_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t) files_pid_filetrans(cachefilesd_t, cachefilesd_var_run_t, file) +allow cachefilesd_t cachefiles_cache_t:kernel_service create_files_as; manage_dirs_pattern(cachefilesd_t, cachefilesd_cache_t, cachefilesd_cache_t) manage_files_pattern(cachefilesd_t, cachefilesd_cache_t, cachefilesd_cache_t) dev_rw_cachefiles(cachefilesd_t) -files_create_all_files_as(cachefilesd_t) files_read_etc_files(cachefilesd_t) fs_getattr_xattr_fs(cachefilesd_t) @@ -50,3 +56,21 @@ init_dontaudit_use_script_ptys(cachefilesd_t) optional_policy(` rpm_use_script_fds(cachefilesd_t) ') + +######################################## +# +# Cachefiles_kernel local policy +# + +allow cachefiles_kernel_t self:capability { dac_override dac_read_search }; + +manage_dirs_pattern(cachefiles_kernel_t, cachefiles_cache_t, cachefiles_cache_t) +manage_files_pattern(cachefiles_kernel_t, cachefiles_cache_t, cachefiles_cache_t) + +dev_search_sysfs(cachefiles_kernel_t) + +domain_obj_id_change_exemption(cachefiles_kernel_t) + +fs_getattr_xattr_fs(cachefiles_kernel_t) + +init_sigchld_script(cachefiles_kernel_t)
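Review bot: in the second hunk, `allow cachefilesd_t cachefiles_cache_t:kernel_service create_files_as;` names a type that this diff never declares. The only cache type visible in the surrounding context is `cachefilesd_cache_t` (declared via `files_type(cachefilesd_cache_t)` a few lines above, and still used by the `manage_dirs_pattern`/`manage_files_pattern` calls directly below the new rule). Unless `cachefiles_cache_t` is declared somewhere outside this file, the module will not build; either change the rule to `cachefilesd_cache_t` or add a `type cachefiles_cache_t;` declaration with a matching `files_type()` call, and make the commit message, which also says `cachefiles_cache_t`, agree with whichever name is kept. The `use_as_override` rule on `cachefiles_kernel_t` is fine as written, but it would help to add a short comment that this is what lets the daemon hand its credentials to the kernel thread.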
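Review bot: the third hunk repeats the undeclared-type problem in `manage_dirs_pattern(cachefiles_kernel_t, cachefiles_cache_t, cachefiles_cache_t)` and the matching `manage_files_pattern` line: the cachefilesd_t rules above manage `cachefilesd_cache_t`, so as written the daemon and the kernel thread would be labelling and managing two different types for what the commit message describes as one on-disk cache. Both domains must name the same type for `create_files_as` to be useful. Two smaller points: the diffstat shows only cachefilesd.te changed, so no interface is provided for other modules that need to interact with the new `cachefiles_kernel_t` domain; and `domain_obj_id_change_exemption(cachefiles_kernel_t)` is a broad constraint exemption, so a one-line comment above it explaining why a kworker thread needs it would help future readers.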