From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 0376C139694 for ; Mon, 27 Feb 2017 10:50:58 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 6291421C088; Mon, 27 Feb 2017 10:50:57 +0000 (UTC)
Received: from smtp.gentoo.org (woodpecker.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 4559721C088 for ; Mon, 27 Feb 2017 10:50:57 +0000 (UTC)
Received: from oystercatcher.gentoo.org (unknown [IPv6:2a01:4f8:202:4333:225:90ff:fed9:fc84]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 92F9C340BEA for ; Mon, 27 Feb 2017 10:50:56 +0000 (UTC)
Received: from localhost.localdomain (localhost [IPv6:::1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 61673564A for ; Mon, 27 Feb 2017 10:50:55 +0000 (UTC)
From: "Jason Zaman"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman"
Message-ID: <1488191830.790a26f8e3601f0e6f0fc4e7a480ac7196b34567.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/system/locallogin.te
X-VCS-Directories: policy/modules/system/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: 790a26f8e3601f0e6f0fc4e7a480ac7196b34567
X-VCS-Branch: master
Date: Mon, 27 Feb 2017 10:50:55 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: 325b969a-b417-463a-9372-65609cacd9a2
X-Archives-Hash: e59b94a3af833def7e3d54ac908c60f1

commit: 790a26f8e3601f0e6f0fc4e7a480ac7196b34567
Author: cgzones googlemail com>
AuthorDate: Thu Jan 5 12:21:10 2017 +0000
Commit: Jason Zaman gentoo org>
CommitDate: Mon Feb 27 10:37:10 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=790a26f8

locallogin: adjustments

* do not grant permissions by negative matching
* separate dbus from consolekit block for systemd

 policy/modules/system/locallogin.te | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index 174ba9f4..964239a4 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -33,8 +33,7 @@ role system_r types sulogin_t; # allow local_login_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config }; -allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -allow local_login_t self:process { setrlimit setexec }; +allow local_login_t self:process { setexec setrlimit setsched }; allow local_login_t self:fd use; allow local_login_t self:fifo_file rw_fifo_file_perms; allow local_login_t self:sock_file read_sock_file_perms; @@ -171,7 +170,9 @@ optional_policy(` optional_policy(` dbus_system_bus_client(local_login_t) - consolekit_dbus_chat(local_login_t) + optional_policy(` + consolekit_dbus_chat(local_login_t) + ') ') optional_policy(` 
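Review bot: the first hunk (@@ -33,8 +33,7 @@) removes far more than the commit message's "adjustments" suggests, and that should be stated explicitly. The deleted rule `allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };` granted every permission of the process class except those eight, so the new `allow local_login_t self:process { setexec setrlimit setsched };` does not merely restate the old grant: every process permission other than those three is now withdrawn from local_login_t. Moving from a deny-list (which silently grows whenever the kernel adds a permission to the class) to an explicit allow-list is the right direction, but it needs evidence that a console login still completes. Suggest testing a local login with the domain permissive, collecting any `tclass=process` AVC denials for local_login_t, and adding only the permissions actually observed as a further explicit rule, then noting in the commit message that this hunk reduces permissions rather than rewriting the rule.

Review bot: the second hunk (@@ -171,7 +170,9 @@) is the correct fix for the second bullet, but the commit message should spell out the user-visible effect. Before the change `consolekit_dbus_chat(local_login_t)` sat directly inside the dbus `optional_policy` block, so on a build without the consolekit module the whole block, including `dbus_system_bus_client(local_login_t)`, was omitted; that is the systemd case the message alludes to. Wrapping the consolekit call in its own nested `optional_policy(\`` ... `')` keeps the dbus client grant independent of consolekit, and the inner `')` followed by the outer `')` in the hunk closes both blocks correctly. A one-line explanation that dbus client access was previously lost whenever consolekit was absent would make the intent clear to anyone reading the log.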
@@ -211,7 +212,6 @@ optional_policy(` # allow sulogin_t self:capability dac_override; -allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow sulogin_t self:fd use; allow sulogin_t self:fifo_file rw_fifo_file_perms; allow sulogin_t self:unix_dgram_socket create_socket_perms;

From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 8B982139695 for ; Mon, 27 Feb 2017 11:40:12 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 829CDE0C33; Mon, 27 Feb 2017 11:40:11 +0000 (UTC)
Received: from smtp.gentoo.org (woodpecker.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 609C7E0C30 for ; Mon, 27 Feb 2017 11:40:11 +0000 (UTC)
Received: from oystercatcher.gentoo.org (unknown [IPv6:2a01:4f8:202:4333:225:90ff:fed9:fc84]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 0454C340EF6 for ; Mon, 27 Feb 2017 11:40:10 +0000 (UTC)
Received: from localhost.localdomain (localhost [IPv6:::1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 9FC51563C for ; Mon, 27 Feb 2017 11:40:07 +0000 (UTC)
From: "Jason Zaman"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman"
Message-ID: <1488191830.790a26f8e3601f0e6f0fc4e7a480ac7196b34567.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/system/locallogin.te
X-VCS-Directories: policy/modules/system/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: 790a26f8e3601f0e6f0fc4e7a480ac7196b34567
X-VCS-Branch: next
Date: Mon, 27 Feb 2017 11:40:07 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: 8b3a846d-fe84-4666-96c0-e42b2af0fbe3
X-Archives-Hash: 95f8bde4fab4c88431fde7cb6db8a18d
Message-ID: <20170227114007.5-lqVR4mWPN57eYqjaUFHOE2qkxrLtCJ1VTuIb6M89Q@z>

commit: 790a26f8e3601f0e6f0fc4e7a480ac7196b34567
Author: cgzones googlemail com>
AuthorDate: Thu Jan 5 12:21:10 2017 +0000
Commit: Jason Zaman gentoo org>
CommitDate: Mon Feb 27 10:37:10 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=790a26f8

locallogin: adjustments

* do not grant permissions by negative matching
* separate dbus from consolekit block for systemd

 policy/modules/system/locallogin.te | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index 174ba9f4..964239a4 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -33,8 +33,7 @@ role system_r types sulogin_t; # allow local_login_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config }; -allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -allow local_login_t self:process { setrlimit setexec }; +allow local_login_t self:process { setexec setrlimit setsched }; allow local_login_t self:fd use; allow local_login_t self:fifo_file rw_fifo_file_perms; allow local_login_t self:sock_file read_sock_file_perms; @@ -171,7 +170,9 @@ optional_policy(` optional_policy(` dbus_system_bus_client(local_login_t) - consolekit_dbus_chat(local_login_t) + optional_policy(` + consolekit_dbus_chat(local_login_t) + ') ') optional_policy(` @@ -211,7 +212,6 @@ optional_policy(` # allow sulogin_t self:capability dac_override; -allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow sulogin_t self:fd use; allow sulogin_t self:fifo_file rw_fifo_file_perms; allow sulogin_t self:unix_dgram_socket create_socket_perms;
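Review bot: in the sulogin_t hunk (@@ -211,7 +212,6 @@, the same in both copies of this commit) the negated rule `allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };` is deleted with no explicit replacement, unlike the local_login_t hunk, which keeps `{ setexec setrlimit setsched }`. After this change sulogin_t holds only whatever process permissions other rules or interfaces grant it, and nothing in the visible context (`self:capability dac_override`, `self:fd use`, `self:fifo_file`, `self:unix_dgram_socket`) grants any. Because sulogin runs on the rescue and emergency boot path, where a denial is awkward to diagnose, the change should be exercised with sulogin_t permissive and the AVC log checked for `tclass=process` denials; either record in the commit message that no `self:process` permission is needed, or add the explicit set the log shows, mirroring the local_login_t hunk.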