From: "Sven Vermeulen"
To: gentoo-commits@lists.gentoo.org
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen"
Message-ID: <1484332927.daf2971d9e410585f2bcb9599a40ea969466a060.swift@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/contrib/irqbalance.fc policy/modules/contrib/irqbalance.if policy/modules/contrib/irqbalance.te
X-VCS-Directories: policy/modules/contrib/
X-VCS-Committer: swift
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: daf2971d9e410585f2bcb9599a40ea969466a060
X-VCS-Branch: master
Date: Fri, 13 Jan 2017 18:43:11 +0000 (UTC)

commit:     daf2971d9e410585f2bcb9599a40ea969466a060
Author:     cgzones googlemail com>
AuthorDate: Thu Jan  5 19:59:37 2017 +0000
Commit:     Sven Vermeulen gentoo org>
CommitDate: Fri Jan 13 18:42:07 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=daf2971d

update irqbalance module

 policy/modules/contrib/irqbalance.fc |  8 +++++---
 policy/modules/contrib/irqbalance.if |  7 ++++---
 policy/modules/contrib/irqbalance.te | 22 +++++++++-------------
 3 files changed, 18 insertions(+), 19 deletions(-)

diff --git a/policy/modules/contrib/irqbalance.fc b/policy/modules/contrib/irqbalance.fc index acc75dd..7753008 100644 --- a/policy/modules/contrib/irqbalance.fc +++ b/policy/modules/contrib/irqbalance.fc
@@ -1,5 +1,7 @@ -/etc/rc\.d/init\.d/irqbalance -- gen_context(system_u:object_r:irqbalance_initrc_exec_t,s0) +/etc/rc\.d/init\.d/irqbalance -- gen_context(system_u:object_r:irqbalance_initrc_exec_t,s0) -/usr/sbin/irqbalance -- gen_context(system_u:object_r:irqbalance_exec_t,s0) +/usr/lib/systemd/system/irqbalance\.service -- gen_context(system_u:object_r:irqbalance_unit_t,s0) -/run/irqbalance\.pid -- gen_context(system_u:object_r:irqbalance_var_run_t,s0) +/run/irqbalance\.pid -- gen_context(system_u:object_r:irqbalance_pid_t,s0) + +/usr/sbin/irqbalance -- gen_context(system_u:object_r:irqbalance_exec_t,s0) diff --git a/policy/modules/contrib/irqbalance.if b/policy/modules/contrib/irqbalance.if index 9e943d3..a8e452f 100644 --- a/policy/modules/contrib/irqbalance.if +++ b/policy/modules/contrib/irqbalance.if @@ -19,14 +19,15 @@ # interface(`irqbalance_admin',` gen_require(` - type irqbalance_t, irqbalance_initrc_exec_t, irqbalance_var_run_t; + type irqbalance_t, irqbalance_initrc_exec_t; + type irqbalance_pid_t, irqbalance_unit_t; ') allow $1 irqbalance_t:process { ptrace signal_perms }; ps_process_pattern($1, irqbalance_t) - init_startstop_service($1, $2, irqbalance_t, irqbalance_initrc_exec_t) + init_startstop_service($1, $2, irqbalance_t, irqbalance_initrc_exec_t, irqbalance_unit_t) files_search_pids($1) - admin_pattern($1, irqbalance_var_run_t) + admin_pattern($1, irqbalance_pid_t) ') diff --git a/policy/modules/contrib/irqbalance.te b/policy/modules/contrib/irqbalance.te index 0a06815..7c8af64 100644 --- a/policy/modules/contrib/irqbalance.te +++ b/policy/modules/contrib/irqbalance.te 
@@ -12,21 +12,25 @@ init_daemon_domain(irqbalance_t, irqbalance_exec_t) type irqbalance_initrc_exec_t; init_script_file(irqbalance_initrc_exec_t) -type irqbalance_var_run_t; -files_pid_file(irqbalance_var_run_t) +type irqbalance_pid_t; +typealias irqbalance_pid_t alias irqbalance_var_run_t; +files_pid_file(irqbalance_pid_t) + +type irqbalance_unit_t; +init_unit_file(irqbalance_unit_t) ######################################## # # Local policy # -allow irqbalance_t self:capability { setpcap net_admin }; +allow irqbalance_t self:capability { setpcap }; dontaudit irqbalance_t self:capability sys_tty_config; allow irqbalance_t self:process { getcap getsched setcap signal_perms }; allow irqbalance_t self:udp_socket create_socket_perms; -manage_files_pattern(irqbalance_t, irqbalance_var_run_t, irqbalance_var_run_t) -files_pid_filetrans(irqbalance_t, irqbalance_var_run_t, file) +manage_files_pattern(irqbalance_t, irqbalance_pid_t, irqbalance_pid_t) +files_pid_filetrans(irqbalance_t, irqbalance_pid_t, file) kernel_read_network_state(irqbalance_t) kernel_read_system_state(irqbalance_t) @@ -50,14 +54,6 @@ miscfiles_read_localization(irqbalance_t) userdom_dontaudit_use_unpriv_user_fds(irqbalance_t) userdom_dontaudit_search_user_home_dirs(irqbalance_t) -ifdef(`hide_broken_symptoms',` - dontaudit irqbalance_t self:capability sys_module; -') - -optional_policy(` - seutil_sigchld_newrole(irqbalance_t) -') - optional_policy(` udev_read_db(irqbalance_t) ')
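Review bot: the resulting irqbalance.fc is no longer in path order. The new /usr/lib/systemd/system/irqbalance\.service entry sits between the /etc and /run lines, while /usr/sbin/irqbalance is moved into its own block at the end of the file. Reference policy .fc files keep entries sorted and grouped by top-level directory, so the unit file line belongs in the /usr block next to /usr/sbin/irqbalance rather than splitting /usr across two places. The type change on the /run/irqbalance\.pid line itself is fine, since irqbalance.te keeps irqbalance_var_run_t as a typealias of irqbalance_pid_t.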
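Review bot: the first irqbalance.te hunk drops net_admin from `allow irqbalance_t self:capability { setpcap net_admin };`, which is a sound least-privilege tightening, but the commit message ("update irqbalance module") does not record which irqbalance version was checked to confirm CAP_NET_ADMIN is no longer used. If a deployed build still performs an operation that needs it, the daemon will now hit an AVC denial for capability net_admin, so the rationale and the version tested should be stated in the commit message. The `typealias irqbalance_pid_t alias irqbalance_var_run_t;` line is the right way to do the rename: out-of-tree policy that still references irqbalance_var_run_t keeps compiling and existing labels on /run/irqbalance.pid stay valid.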
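Review bot: the second irqbalance.te hunk removes the hide_broken_symptoms `dontaudit irqbalance_t self:capability sys_module;` block, so any attempt by irqbalance_t to load a kernel module will now be audited instead of silently suppressed. That is the right direction for a daemon that should never need CAP_SYS_MODULE, but it is an observable behaviour change (new denials in the audit log on builds with hide_broken_symptoms enabled) and belongs in the commit message, as does the reason the `seutil_sigchld_newrole(irqbalance_t)` optional_policy block is no longer required.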