* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/admin/
@ 2019-03-26 10:17 Jason Zaman
From: Jason Zaman @ 2019-03-26 10:17 UTC
To: gentoo-commits
commit: 2fb3549ad45a9cd9a1869b06b5cc0b6c5071ec77
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Feb 27 03:21:27 2019 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Mar 25 10:05:25 2019 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2fb3549a
aide, clamav: Module version bump.
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>
policy/modules/admin/aide.te | 2 +-
policy/modules/services/clamav.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/admin/aide.te b/policy/modules/admin/aide.te
index fe52a280..30deba09 100644
--- a/policy/modules/admin/aide.te
+++ b/policy/modules/admin/aide.te
@@ -1,4 +1,4 @@
-policy_module(aide, 1.8.0)
+policy_module(aide, 1.8.1)
########################################
#
diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
index 5b0a43de..417e3808 100644
--- a/policy/modules/services/clamav.te
+++ b/policy/modules/services/clamav.te
@@ -1,4 +1,4 @@
-policy_module(clamav, 1.16.0)
+policy_module(clamav, 1.16.1)
## <desc>
## <p>
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/admin/
@ 2019-07-13 7:01 Jason Zaman
From: Jason Zaman @ 2019-07-13 7:01 UTC
To: gentoo-commits
commit: cd598ab341ceb068258b35b16149860cbe878400
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat May 4 00:39:36 2019 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Jul 13 06:43:14 2019 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cd598ab3
dovecot, logrotate: Module version bump.
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>
policy/modules/admin/logrotate.te | 2 +-
policy/modules/services/dovecot.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te
index e6e2a97b..52cb35a5 100644
--- a/policy/modules/admin/logrotate.te
+++ b/policy/modules/admin/logrotate.te
@@ -1,4 +1,4 @@
-policy_module(logrotate, 1.22.0)
+policy_module(logrotate, 1.22.1)
########################################
#
diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
index 4f2c38bf..77fafc97 100644
--- a/policy/modules/services/dovecot.te
+++ b/policy/modules/services/dovecot.te
@@ -1,4 +1,4 @@
-policy_module(dovecot, 1.22.0)
+policy_module(dovecot, 1.22.1)
########################################
#
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/admin/
@ 2021-02-01 2:10 Jason Zaman
From: Jason Zaman @ 2021-02-01 2:10 UTC
To: gentoo-commits
commit: 79df140f318c01af4a7c976194cf72b6a01fd87d
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Thu Jan 28 20:27:03 2021 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb 1 01:21:42 2021 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=79df140f
sudo, spamassassin: Module version bump.
Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/admin/sudo.te | 2 +-
policy/modules/services/spamassassin.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te
index 2ac111d6..418af9ad 100644
--- a/policy/modules/admin/sudo.te
+++ b/policy/modules/admin/sudo.te
@@ -1,4 +1,4 @@
-policy_module(sudo, 1.15.0)
+policy_module(sudo, 1.15.1)
## <desc>
## <p>
diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te
index 9f0ebb41..4738375f 100644
--- a/policy/modules/services/spamassassin.te
+++ b/policy/modules/services/spamassassin.te
@@ -1,4 +1,4 @@
-policy_module(spamassassin, 2.14.1)
+policy_module(spamassassin, 2.14.2)
########################################
#
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/admin/
@ 2025-07-15 7:54 Jason Zaman
From: Jason Zaman @ 2025-07-15 7:54 UTC
To: gentoo-commits
commit: c2817e17d2f7bad5c05f30a1a6dd5ea12574b927
Author: Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Tue Jun 17 12:41:05 2025 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Jul 15 07:52:23 2025 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c2817e17
apt and aptcacher changes
Signed-off-by: Russell Coker <russell <AT> coker.com.au>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/admin/apt.te | 3 +++
policy/modules/services/aptcacher.te | 13 ++++++++++++-
2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/policy/modules/admin/apt.te b/policy/modules/admin/apt.te
index 5327f3ed8..7aea9c951 100644
--- a/policy/modules/admin/apt.te
+++ b/policy/modules/admin/apt.te
@@ -106,6 +106,8 @@ files_read_etc_runtime_files(apt_t)
fs_getattr_all_fs(apt_t)
+init_get_system_status(apt_t)
+
term_create_pty(apt_t, apt_devpts_t)
term_list_ptys(apt_t)
term_use_all_terms(apt_t)
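Review bot: init_get_system_status(apt_t) is added without a comment saying which apt code path queries the init system's status, and the surrounding context (fs_getattr_all_fs, the term_* rules) gives no hint either. Add a one-line comment above it naming the operation or denial that prompted it, so the grant can be re-evaluated later instead of being carried forward unexplained.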
@@ -156,6 +158,7 @@ optional_policy(`
optional_policy(`
networkmanager_dbus_chat(apt_t)
+ networkmanager_status(apt_t)
')
optional_policy(`
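Review bot: networkmanager_status(apt_t) sits correctly inside the existing networkmanager optional_policy block next to networkmanager_dbus_chat(apt_t). The only gap is documentation: the commit message ("apt and aptcacher changes") does not say why apt now needs to read NetworkManager status, so a short comment on the line, or a sentence in the commit message, would help the next reviewer.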
diff --git a/policy/modules/services/aptcacher.te b/policy/modules/services/aptcacher.te
index 10a0e54e1..6131d48e8 100644
--- a/policy/modules/services/aptcacher.te
+++ b/policy/modules/services/aptcacher.te
@@ -36,7 +36,7 @@ files_runtime_file(aptcacher_runtime_t)
# Local policy
#
-allow aptcacher_t self:process signal;
+allow aptcacher_t self:process { signal getsched };
allow aptcacher_t self:fifo_file rw_inherited_fifo_file_perms;
allow aptcacher_t self:tcp_socket create_stream_socket_perms;
@@ -64,6 +64,8 @@ manage_files_pattern(aptcacher_t, aptcacher_log_t, aptcacher_log_t)
manage_sock_files_pattern(aptcacher_t, aptcacher_runtime_t, aptcacher_runtime_t)
+kernel_read_kernel_sysctls(aptcacher_t)
+kernel_read_system_state(aptcacher_t)
kernel_read_vm_overcommit_sysctl(aptcacher_t)
# Calls system()
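Review bot: kernel_read_kernel_sysctls(aptcacher_t) and kernel_read_system_state(aptcacher_t) are broad interfaces, and the unchanged line directly below them already grants the narrow kernel_read_vm_overcommit_sysctl(aptcacher_t). If the denial behind this change was for a single sysctl or /proc file, prefer a narrow interface; otherwise add a comment naming what apt-cacher-ng reads so the wide grant is justified rather than inferred.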
@@ -75,7 +77,11 @@ corenet_tcp_connect_http_port(aptcacher_t)
auth_use_nsswitch(aptcacher_t)
+dev_read_rand(aptcacher_t)
+dev_read_urand(aptcacher_t)
+
files_read_etc_files(aptcacher_t)
+files_read_usr_files(aptcacher_t)
# Uses sd_notify() to inform systemd it has properly started
init_dgram_send(aptcacher_t)
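Review bot: dev_read_rand(aptcacher_t) grants read access to /dev/random on top of dev_read_urand(aptcacher_t) for /dev/urandom; most daemons only ever open /dev/urandom, so confirm a denial on /dev/random was actually observed before keeping both. files_read_usr_files(aptcacher_t) is plausible for a daemon that reads data under /usr, but like the other additions it would benefit from a comment saying what is read.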
@@ -93,14 +99,19 @@ sysnet_mmap_config_files(aptcacher_t)
# acngtool local policy
#
+allow acngtool_t self:capability dac_override;
allow acngtool_t self:tcp_socket create_stream_socket_perms;
allow acngtool_t self:unix_stream_socket create_socket_perms;
allow acngtool_t aptcacher_conf_t:dir list_dir_perms;
allow acngtool_t aptcacher_conf_t:file mmap_read_file_perms;
+kernel_read_kernel_sysctls(acngtool_t)
+
aptcacher_stream_connect(acngtool_t)
+dev_read_rand(acngtool_t)
+dev_read_urand(acngtool_t)
corenet_tcp_connect_aptcacher_port(acngtool_t)
auth_use_nsswitch(acngtool_t)
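Review bot: "allow acngtool_t self:capability dac_override;" is the most consequential line in this patch and needs a justifying comment. dac_override lets the tool bypass discretionary permission checks on any file SELinux otherwise allows it to reach; it usually shows up because the tool runs as one user but needs a file owned by another, such as the config or socket under aptcacher_conf_t or aptcacher_runtime_t that the surrounding rules reference. Fixing that file's ownership or mode, or granting dac_read_search when only read or traversal is needed, is preferable to the full capability. The kernel_read_kernel_sysctls and dev_read_rand/dev_read_urand additions mirror the daemon's and carry the same question of whether a narrower grant suffices.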
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/admin/
@ 2025-07-15 8:05 Jason Zaman
From: Jason Zaman @ 2025-07-15 8:05 UTC
To: gentoo-commits
commit: 4afddae14c3488c1b3a960c76f1ce6a906074032
Author: Chris PeBenito <chpebeni <AT> linux <DOT> microsoft <DOT> com>
AuthorDate: Wed Jul 9 14:30:58 2025 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Jul 15 08:04:54 2025 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4afddae1
cloudinit: Add container engine admin access.
Signed-off-by: Chris PeBenito <chpebeni <AT> linux.microsoft.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/admin/cloudinit.te | 20 ++++++++++++++++++++
policy/modules/services/crio.if | 2 ++
policy/modules/services/kubernetes.if | 6 ------
policy/modules/services/rootlesskit.if | 21 +++++++++++++++++++++
4 files changed, 43 insertions(+), 6 deletions(-)
diff --git a/policy/modules/admin/cloudinit.te b/policy/modules/admin/cloudinit.te
index ccc1d1a0f..110d5f60b 100644
--- a/policy/modules/admin/cloudinit.te
+++ b/policy/modules/admin/cloudinit.te
@@ -321,6 +321,10 @@ optional_policy(`
corosync_admin(cloud_init_t, system_r)
')
+optional_policy(`
+ crio_admin(cloud_init_t, system_r)
+')
+
optional_policy(`
couchdb_admin(cloud_init_t, system_r)
')
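Review bot: crio_admin(cloud_init_t, system_r) hands cloud-init full administrative control over the CRI-O engine, which per the crio.if change in this same patch now also includes running the client and connecting to the engine socket. Since the same patch adds docker_admin, kubernetes_admin, podman_admin and rootlesskit_admin in later hunks, a single comment in this first block stating the cloud-init use case (provisioning container engines at first boot, presumably) would justify the whole set while keeping the file's style of bare optional_policy blocks.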
@@ -394,6 +398,10 @@ optional_policy(`
dnsmasq_admin(cloud_init_t, system_r)
')
+optional_policy(`
+ docker_admin(cloud_init_t, system_r)
+')
+
optional_policy(`
dovecot_admin(cloud_init_t, system_r)
')
@@ -553,6 +561,10 @@ optional_policy(`
ksmtuned_admin(cloud_init_t, system_r)
')
+optional_policy(`
+ kubernetes_admin(cloud_init_t, system_r)
+')
+
optional_policy(`
l2tp_admin(cloud_init_t, system_r)
')
@@ -762,6 +774,10 @@ optional_policy(`
plymouthd_admin(cloud_init_t, system_r)
')
+optional_policy(`
+ podman_admin(cloud_init_t, system_r)
+')
+
optional_policy(`
portage_run(cloud_init_t, system_r)
portage_run_fetch(cloud_init_t, system_r)
@@ -867,6 +883,10 @@ optional_policy(`
rngd_admin(cloud_init_t, system_r)
')
+optional_policy(`
+ rootlesskit_admin(cloud_init_t, system_r)
+')
+
optional_policy(`
rpc_admin(cloud_init_t, system_r)
rpc_domtrans_nfsd(cloud_init_t)
diff --git a/policy/modules/services/crio.if b/policy/modules/services/crio.if
index bdcf6dad7..48e65475d 100644
--- a/policy/modules/services/crio.if
+++ b/policy/modules/services/crio.if
@@ -94,6 +94,8 @@ interface(`crio_admin',`
allow $1 crio_conmon_t:process { ptrace signal_perms };
ps_process_pattern($1, crio_conmon_t)
+ crio_run($1, $2)
+
# no private type for crictl, so connect directly
container_stream_connect_system_engine($1)
')
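Review bot: adding crio_run($1, $2) to crio_admin follows the pattern of other *_admin interfaces that also let the caller run the client, but the existing comment two lines below ("no private type for crictl, so connect directly") now reads oddly next to a run interface. Add a short comment saying which executable crio_run transitions to, or adjust the crictl comment, so the two statements are clearly about different binaries and one does not look stale.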
diff --git a/policy/modules/services/kubernetes.if b/policy/modules/services/kubernetes.if
index 2af5b64b3..7451fda6f 100644
--- a/policy/modules/services/kubernetes.if
+++ b/policy/modules/services/kubernetes.if
@@ -1042,12 +1042,6 @@ interface(`kubernetes_admin',`
role $2 types kubectl_t;
domtrans_pattern($1, kubectl_exec_t, kubectl_t)
- # kubectl executes an editor when editing files
- # transition back to the user domain when running them
- corecmd_bin_domtrans(kubectl_t, $1)
- allow $1 kubectl_t:fd use;
- allow $1 kubectl_t:fifo_file rw_inherited_fifo_file_perms;
-
allow $1 kubeadm_t:process { ptrace signal_perms };
ps_process_pattern($1, kubeadm_t)
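Review bot: removing the corecmd_bin_domtrans(kubectl_t, $1) block together with the "allow $1 kubectl_t:fd use;" and fifo_file rules changes behaviour for every caller of kubernetes_admin, not only cloud-init: when kubectl launches an editor it will no longer transition back to the admin's domain, so the editor either runs in kubectl_t or is denied. The commit message only mentions adding container engine access to cloud-init, so this removal should be explained (for example, if the rules moved to a role or run interface) or split into its own commit with its rationale.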
diff --git a/policy/modules/services/rootlesskit.if b/policy/modules/services/rootlesskit.if
index 2be598d70..e42fef622 100644
--- a/policy/modules/services/rootlesskit.if
+++ b/policy/modules/services/rootlesskit.if
@@ -104,3 +104,24 @@ template(`rootlesskit_role',`
')
')
+########################################
+## <summary>
+## All of the rules required to
+## administrate a rootlesskit
+## environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`rootlesskit_admin',`
+ rootlesskit_run($1, $2)
+')
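Review bot: the new rootlesskit_admin interface only calls rootlesskit_run($1, $2), whereas the crio_admin and kubernetes_admin interfaces touched in this same patch also grant ptrace, signal_perms and ps_process_pattern on the daemon domains. Either extend it to the usual admin pattern (signal and inspect rootlesskit processes, manage its files) or state in the <summary> that it currently grants only running the tool, so callers such as cloud_init_t know what they receive. The <rolecap/> tag is correct since the interface takes a role parameter.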