From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 5D70913835A for ; Mon, 1 Feb 2021 02:10:12 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 762EFE09A5; Mon, 1 Feb 2021 02:10:11 +0000 (UTC) Received: from smtp.gentoo.org (mail.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 4C228E09A5 for ; Mon, 1 Feb 2021 02:10:11 +0000 (UTC) Received: from oystercatcher.gentoo.org (unknown [IPv6:2a01:4f8:202:4333:225:90ff:fed9:fc84]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id F3214340E9D for ; Mon, 1 Feb 2021 02:10:09 +0000 (UTC) Received: from localhost.localdomain (localhost [IPv6:::1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 799BC4AF for ; Mon, 1 Feb 2021 02:10:08 +0000 (UTC) 
From: "Jason Zaman" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" Message-ID: <1612142502.44c7994f453c43349074368972d58e465e1f5d27.perfinion@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/services/apache.if policy/modules/services/apache.te policy/modules/services/mysql.te policy/modules/services/postgrey.te policy/modules/services/samba.te policy/modules/services/squid.te X-VCS-Directories: policy/modules/services/ X-VCS-Committer: perfinion X-VCS-Committer-Name: Jason Zaman X-VCS-Revision: 44c7994f453c43349074368972d58e465e1f5d27 X-VCS-Branch: master Date: Mon, 1 Feb 2021 02:10:08 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply X-Archives-Salt: e07ccb12-7b26-48b0-99cb-5f295ea97d68 X-Archives-Hash: 9ab5a2d4b1f52716280aa9f5bbbc2014 commit: 44c7994f453c43349074368972d58e465e1f5d27 Author: Chris PeBenito ieee org> AuthorDate: Thu Jan 28 15:53:04 2021 +0000 Commit: Jason Zaman gentoo org> CommitDate: Mon Feb 1 01:21:42 2021 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=44c7994f apache, mysql, postgrey, samba, squid: Apply new mmap_manage_files_pattern(). Signed-off-by: Chris PeBenito ieee.org> Signed-off-by: Jason Zaman gentoo.org> policy/modules/services/apache.if | 6 ++---- policy/modules/services/apache.te | 15 +++++---------- policy/modules/services/mysql.te | 6 ++---- policy/modules/services/postgrey.te | 3 +-- policy/modules/services/samba.te | 15 +++++---------- policy/modules/services/squid.te | 3 +-- 6 files changed, 16 insertions(+), 32 deletions(-) 
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
index 44767359..1695af75 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -70,8 +70,7 @@ template(`apache_content_template',`
 	allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_script_exec_t }:lnk_file read_lnk_file_perms;
 
 	manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-	manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-	allow httpd_$1_script_t httpd_$1_rw_content_t:file map;
+	mmap_manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
 	manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
 	manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
 	manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
@@ -1025,8 +1024,7 @@ interface(`apache_manage_sys_rw_content',`
 	apache_search_sys_content($1)
 
 	manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
-	manage_files_pattern($1,httpd_sys_rw_content_t, httpd_sys_rw_content_t)
-	allow $1 httpd_sys_rw_content_t:file map;
+	mmap_manage_files_pattern($1,httpd_sys_rw_content_t, httpd_sys_rw_content_t)
 	manage_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
 ')
 
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index da43a1d8..35fafe56 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
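Review bot: In the apache.if @@ -1025 hunk the rewritten line carries over the missing space after the first argument, `mmap_manage_files_pattern($1,httpd_sys_rw_content_t, httpd_sys_rw_content_t)`, while every neighbouring pattern call in both hunks writes `$1, `. Since the line is being replaced anyway, `mmap_manage_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)` would keep the interface body uniform. Both the template and the interface extend beyond their hunks.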
@@ -378,10 +378,9 @@ allow httpd_t self:unix_stream_socket { accept connectto listen };
 allow httpd_t self:tcp_socket { accept listen };
 
 manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
-manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
+mmap_manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
 manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
 files_var_filetrans(httpd_t, httpd_cache_t, dir)
-allow httpd_t httpd_cache_t:file map;
 
 allow httpd_t httpd_config_t:dir list_dir_perms;
 read_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
@@ -415,9 +414,8 @@ read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
 allow httpd_t httpd_rotatelogs_t:process signal_perms;
 
 manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
-manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
+mmap_manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
 manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
-allow httpd_t httpd_squirrelmail_t:file map;
 
 allow httpd_t httpd_suexec_exec_t:file read_file_perms;
 
@@ -441,8 +439,7 @@ manage_sock_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
 fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file })
 
 manage_dirs_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
-manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
-allow httpd_t httpd_var_lib_t:file map;
+mmap_manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
 manage_lnk_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
 files_var_lib_filetrans(httpd_t, httpd_var_lib_t, { dir file })
 
@@ -622,8 +619,7 @@ tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
 	domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
 
 	manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
-	manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
-	allow httpd_t httpdcontent:file map;
+	mmap_manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
 	manage_fifo_files_pattern(httpd_t, httpdcontent, httpdcontent)
 	manage_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent)
 	manage_sock_files_pattern(httpd_t, httpdcontent, httpdcontent)
@@ -908,8 +904,7 @@ optional_policy(`
 # Helper local policy
 #
 
-read_files_pattern(httpd_helper_t, httpd_config_t, httpd_config_t)
-allow httpd_t httpd_config_t:file map;
+mmap_read_files_pattern(httpd_helper_t, httpd_config_t, httpd_config_t)
 
 append_files_pattern(httpd_helper_t, httpd_log_t, httpd_log_t)
 read_lnk_files_pattern(httpd_helper_t, httpd_log_t, httpd_log_t)
diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te
index 5a264e2f..84a49b16 100644
--- a/policy/modules/services/mysql.te
+++ b/policy/modules/services/mysql.te
@@ -74,8 +74,7 @@ allow mysqld_t self:unix_stream_socket { connectto accept listen };
 allow mysqld_t self:tcp_socket { accept listen };
 
 manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
-manage_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
-allow mysqld_t mysqld_db_t:file map;
+mmap_manage_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
 manage_lnk_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
 files_var_lib_filetrans(mysqld_t, mysqld_db_t, { dir file lnk_file })
 
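Review bot: The apache.te @@ -908 hunk is not the pure substitution the other hunks are: the removed `allow httpd_t httpd_config_t:file map;` granted map to httpd_t, while the replacement `mmap_read_files_pattern(httpd_helper_t, httpd_config_t, httpd_config_t)` grants it to httpd_helper_t, so httpd_t loses file map on httpd_config_t (unless granted somewhere outside this diff) and httpd_helper_t gains it. That is plausibly the intended correction of a copy-paste slip in the helper section, but the commit message describes only the pattern swap, so the domain change deserves a sentence there. If httpd_t does need to map its configuration, the `read_files_pattern(httpd_t, httpd_config_t, httpd_config_t)` context line in the @@ -378 hunk is where `mmap_read_files_pattern(httpd_t, httpd_config_t, httpd_config_t)` would go; a regression would surface as an `avc: denied { map }` for httpd_t on httpd_config_t after the policy is loaded.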
@@ -91,8 +90,7 @@ manage_lnk_files_pattern(mysqld_t, mysqld_log_t, mysqld_log_t)
 logging_log_filetrans(mysqld_t, mysqld_log_t, { dir file })
 
 manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
-manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
-allow mysqld_t mysqld_tmp_t:file map;
+mmap_manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
 files_tmp_filetrans(mysqld_t, mysqld_tmp_t, { file dir })
 
 manage_dirs_pattern(mysqld_t, mysqld_runtime_t, mysqld_runtime_t)
diff --git a/policy/modules/services/postgrey.te b/policy/modules/services/postgrey.te
index a96e9dd9..da47d1e0 100644
--- a/policy/modules/services/postgrey.te
+++ b/policy/modules/services/postgrey.te
@@ -46,8 +46,7 @@ manage_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
 manage_fifo_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
 manage_sock_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
 
-manage_files_pattern(postgrey_t, postgrey_var_lib_t, postgrey_var_lib_t)
-allow postgrey_t postgrey_var_lib_t:file map;
+mmap_manage_files_pattern(postgrey_t, postgrey_var_lib_t, postgrey_var_lib_t)
 files_var_lib_filetrans(postgrey_t, postgrey_var_lib_t, file)
 
 manage_dirs_pattern(postgrey_t, postgrey_runtime_t, postgrey_runtime_t)
diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
index 855d846d..40b6684c 100644
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
@@ -217,8 +217,7 @@ manage_files_pattern(samba_net_t, samba_net_tmp_t, samba_net_tmp_t)
 files_tmp_filetrans(samba_net_t, samba_net_tmp_t, { file dir })
 
 manage_dirs_pattern(samba_net_t, samba_var_t, samba_var_t)
-manage_files_pattern(samba_net_t, samba_var_t, samba_var_t)
-allow samba_net_t samba_var_t:file map;
+mmap_manage_files_pattern(samba_net_t, samba_var_t, samba_var_t)
 manage_lnk_files_pattern(samba_net_t, samba_var_t, samba_var_t)
 files_var_filetrans(samba_net_t, samba_var_t, dir, "samba")
 
@@ -303,8 +302,7 @@ manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t)
 allow smbd_t samba_share_t:filesystem { getattr quotaget };
 
 manage_dirs_pattern(smbd_t, samba_var_t, samba_var_t)
-manage_files_pattern(smbd_t, samba_var_t, samba_var_t)
-allow smbd_t samba_var_t:file map;
+mmap_manage_files_pattern(smbd_t, samba_var_t, samba_var_t)
 manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t)
 manage_sock_files_pattern(smbd_t, samba_var_t, samba_var_t)
 files_var_filetrans(smbd_t, samba_var_t, dir, "samba")
@@ -314,8 +312,7 @@ manage_files_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t)
 files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
 
 manage_dirs_pattern(smbd_t, samba_runtime_t, samba_runtime_t)
-manage_files_pattern(smbd_t, samba_runtime_t, samba_runtime_t)
-allow smbd_t samba_runtime_t:file map;
+mmap_manage_files_pattern(smbd_t, samba_runtime_t, samba_runtime_t)
 manage_sock_files_pattern(smbd_t, samba_runtime_t, samba_runtime_t)
 files_runtime_filetrans(smbd_t, samba_runtime_t, { dir file })
 
@@ -530,8 +527,7 @@ allow nmbd_t self:unix_dgram_socket sendto;
 allow nmbd_t self:unix_stream_socket { accept connectto listen };
 
 manage_dirs_pattern(nmbd_t, samba_runtime_t, samba_runtime_t)
-manage_files_pattern(nmbd_t, samba_runtime_t, samba_runtime_t)
-allow nmbd_t samba_runtime_t:file map;
+mmap_manage_files_pattern(nmbd_t, samba_runtime_t, samba_runtime_t)
 manage_sock_files_pattern(nmbd_t, samba_runtime_t, samba_runtime_t)
 files_runtime_filetrans(nmbd_t, samba_runtime_t, { dir file sock_file })
 
@@ -543,8 +539,7 @@ append_files_pattern(nmbd_t, samba_log_t, samba_log_t)
 create_files_pattern(nmbd_t, samba_log_t, samba_log_t)
 setattr_files_pattern(nmbd_t, samba_log_t, samba_log_t)
 
-manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
-allow nmbd_t samba_var_t:file map;
+mmap_manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
 manage_lnk_files_pattern(nmbd_t, samba_var_t, samba_var_t)
 manage_sock_files_pattern(nmbd_t, samba_var_t, samba_var_t)
 files_var_filetrans(nmbd_t, samba_var_t, dir, "nmbd")
diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te
index f9890df1..263574f5 100644
--- a/policy/modules/services/squid.te
+++ b/policy/modules/services/squid.te
@@ -91,8 +91,7 @@ manage_dirs_pattern(squid_t, squid_tmp_t, squid_tmp_t)
 manage_files_pattern(squid_t, squid_tmp_t, squid_tmp_t)
 files_tmp_filetrans(squid_t, squid_tmp_t, { file dir })
 
-manage_files_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t)
-allow squid_t squid_tmpfs_t:file map;
+mmap_manage_files_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t)
 fs_tmpfs_filetrans(squid_t, squid_tmpfs_t, file)
 
 manage_files_pattern(squid_t, squid_runtime_t, squid_runtime_t)