From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-commits+bounces-1560512-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits))
	(No client certificate requested)
	by finch.gentoo.org (Postfix) with ESMTPS id D37AE158089
	for <garchives@archives.gentoo.org>; Fri,  6 Oct 2023 16:44:36 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id F32B12BC021;
	Fri,  6 Oct 2023 16:44:35 +0000 (UTC)
Received: from smtp.gentoo.org (woodpecker.gentoo.org [140.211.166.183])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id 808692BC01D
	for <gentoo-commits@lists.gentoo.org>; Fri,  6 Oct 2023 16:44:35 +0000 (UTC)
Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits))
	(No client certificate requested)
	by smtp.gentoo.org (Postfix) with ESMTPS id 78619335D12
	for <gentoo-commits@lists.gentoo.org>; Fri,  6 Oct 2023 16:44:34 +0000 (UTC)
Received: from localhost.localdomain (localhost [IPv6:::1])
	by oystercatcher.gentoo.org (Postfix) with ESMTP id 25CBF9DF
	for <gentoo-commits@lists.gentoo.org>; Fri,  6 Oct 2023 16:44:33 +0000 (UTC)
From: "Kenton Groombridge" <concord@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Kenton Groombridge" <concord@gentoo.org>
Message-ID: <1696606026.9a761587cf212b96c093e2ea1d9c3ed66ff7c37d.concord@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/system/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/services/xserver.te policy/modules/system/authlogin.fc policy/modules/system/authlogin.if
X-VCS-Directories: policy/modules/services/ policy/modules/system/
X-VCS-Committer: concord
X-VCS-Committer-Name: Kenton Groombridge
X-VCS-Revision: 9a761587cf212b96c093e2ea1d9c3ed66ff7c37d
X-VCS-Branch: master
Date: Fri,  6 Oct 2023 16:44:33 +0000 (UTC)
Precedence: bulk
List-Post: <mailto:gentoo-commits@lists.gentoo.org>
List-Help: <mailto:gentoo-commits+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-commits+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-commits+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-commits.gentoo.org>
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
X-Archives-Salt: dbb10187-8639-4705-a130-13c84c939b63
X-Archives-Hash: 7009b5310df6ad086af38c059a85330f

commit:     9a761587cf212b96c093e2ea1d9c3ed66ff7c37d
Author:     Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Thu Sep 21 14:21:25 2023 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Oct  6 15:27:06 2023 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9a761587

debian motd.d directory (#689)

* policy for Debian motd.d dir

Signed-off-by: Russell Coker <russell <AT> coker.com.au>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/services/xserver.te | 1 +
 policy/modules/system/authlogin.fc | 1 +
 policy/modules/system/authlogin.if | 1 +
 3 files changed, 3 insertions(+)

diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 68d9bd34b..58cd85626 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -472,6 +472,7 @@ auth_manage_pam_runtime_dirs(xdm_t)
 auth_manage_pam_runtime_files(xdm_t)
 auth_manage_pam_console_data(xdm_t)
 auth_read_shadow_history(xdm_t)
+auth_use_pam_motd_dynamic(xdm_t)
 auth_write_login_records(xdm_t)
 
 # Run telinit->init to shutdown.

diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
index b47da01a5..adb53a05a 100644
--- a/policy/modules/system/authlogin.fc
+++ b/policy/modules/system/authlogin.fc
@@ -59,6 +59,7 @@ ifdef(`distro_suse', `
 /run/motd		--	gen_context(system_u:object_r:pam_motd_runtime_t,s0)
 /run/motd\.dynamic	--	gen_context(system_u:object_r:pam_motd_runtime_t,s0)
 /run/motd\.dynamic\.new	--	gen_context(system_u:object_r:pam_motd_runtime_t,s0)
+/run/motd\.d(/.*)?		gen_context(system_u:object_r:pam_motd_runtime_t,s0)
 /run/pam_mount(/.*)?	gen_context(system_u:object_r:pam_runtime_t,s0)
 /run/pam_ssh(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
 /run/sepermit(/.*)? 	gen_context(system_u:object_r:pam_runtime_t,s0)

diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index 4d11800aa..cd5ab2d7f 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -129,6 +129,7 @@ interface(`auth_use_pam_motd_dynamic',`
 	corecmd_exec_shell($1)
 
 	allow $1 pam_motd_runtime_t:file manage_file_perms;
+	allow $1 pam_motd_runtime_t:dir rw_dir_perms;
 	files_runtime_filetrans($1, pam_motd_runtime_t, file, "motd.dynamic.new")
 ')