authorAnthony G. Basile <blueness@gentoo.org>2011-02-05 20:41:06 +0000
committerAnthony G. Basile <blueness@gentoo.org>2011-02-05 20:41:06 +0000
commitaf88519ebd969fe6ea8faa811812f13dbaef903e (patch)
tree512d24edcf8f63f0135a8d80d536cd736985e2aa /sec-policy/selinux-networkmanager
parentAdd ~amd64-linux/~x86-linux, use ED instead of D in a couple places (diff)
Bulk addition of new selinux policies.
Package-Manager: portage-2.1.9.25/cvs/Linux x86_64
Diffstat (limited to 'sec-policy/selinux-networkmanager')
-rw-r--r--sec-policy/selinux-networkmanager/ChangeLog7
-rw-r--r--sec-policy/selinux-networkmanager/files/fix-networkmanager.patch75
-rw-r--r--sec-policy/selinux-networkmanager/metadata.xml6
-rw-r--r--sec-policy/selinux-networkmanager/selinux-networkmanager-2.20101213.ebuild22
4 files changed, 110 insertions, 0 deletions
diff --git a/sec-policy/selinux-networkmanager/ChangeLog b/sec-policy/selinux-networkmanager/ChangeLog
new file mode 100644
index 000000000000..6dd49c3ba62b
--- /dev/null
+++ b/sec-policy/selinux-networkmanager/ChangeLog
@@ -0,0 +1,7 @@
+# ChangeLog for sec-policy/selinux-networkmanager
+# Copyright 1999-2011 Gentoo Foundation; Distributed under the GPL v2
+# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-networkmanager/ChangeLog,v 1.1 2011/02/05 20:41:05 blueness Exp $
+
+ 05 Feb 2011; Anthony G. Basile <blueness@gentoo.org> ChangeLog:
+ Initial commit to portage.
+
diff --git a/sec-policy/selinux-networkmanager/files/fix-networkmanager.patch b/sec-policy/selinux-networkmanager/files/fix-networkmanager.patch
new file mode 100644
index 000000000000..8c38757d1b44
--- /dev/null
+++ b/sec-policy/selinux-networkmanager/files/fix-networkmanager.patch
@@ -0,0 +1,75 @@
+--- services/networkmanager.te 2010-09-10 17:05:45.000000000 +0200
++++ ../../../refpolicy/policy/modules/services/networkmanager.te 2011-01-02 15:40:48.781999979 +0100
+@@ -28,6 +28,9 @@
+ type wpa_cli_exec_t;
+ init_system_domain(wpa_cli_t, wpa_cli_exec_t)
+
++type wpa_cli_var_run_t;
++files_pid_file(wpa_cli_var_run_t)
++
+ ########################################
+ #
+ # Local policy
+@@ -68,6 +71,11 @@
+ manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
+ files_pid_filetrans(NetworkManager_t, NetworkManager_var_run_t, { dir file sock_file })
+
++manage_dirs_pattern(wpa_cli_t, wpa_cli_var_run_t, wpa_cli_var_run_t)
++manage_files_pattern(wpa_cli_t, wpa_cli_var_run_t, wpa_cli_var_run_t)
++manage_sock_files_pattern(wpa_cli_t, wpa_cli_var_run_t, wpa_cli_var_run_t)
++files_pid_filetrans(wpa_cli_t, wpa_cli_var_run_t, { dir file sock_file })
++
+ kernel_read_system_state(NetworkManager_t)
+ kernel_read_network_state(NetworkManager_t)
+ kernel_read_kernel_sysctls(NetworkManager_t)
+@@ -125,10 +133,12 @@
+ init_read_utmp(NetworkManager_t)
+ init_dontaudit_write_utmp(NetworkManager_t)
+ init_domtrans_script(NetworkManager_t)
++init_domtrans_script(wpa_cli_t)
+
+ auth_use_nsswitch(NetworkManager_t)
+
+ logging_send_syslog_msg(NetworkManager_t)
++logging_send_syslog_msg(wpa_cli_t)
+
+ miscfiles_read_localization(NetworkManager_t)
+ miscfiles_read_generic_certs(NetworkManager_t)
+@@ -149,6 +159,7 @@
+
+ userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t)
+ userdom_dontaudit_use_user_ttys(NetworkManager_t)
++userdom_use_user_ttys(wpa_cli_t)
+ # Read gnome-keyring
+ userdom_read_user_home_content_files(NetworkManager_t)
+
+@@ -287,3 +298,20 @@
+ miscfiles_read_localization(wpa_cli_t)
+
+ term_dontaudit_use_console(wpa_cli_t)
++
++fs_search_tmpfs(wpa_cli_t)
++fs_search_tmpfs(NetworkManager_t)
++fs_rw_tmpfs_files(wpa_cli_t)
++fs_rw_tmpfs_files(NetworkManager_t)
++fs_manage_tmpfs_dirs(wpa_cli_t)
++fs_manage_tmpfs_sockets(wpa_cli_t)
++fs_manage_tmpfs_sockets(NetworkManager_t)
++getty_use_fds(wpa_cli_t)
++files_search_pids(wpa_cli_t)
++corecmd_exec_shell(wpa_cli_t)
++corecmd_exec_bin(wpa_cli_t)
++
++ifdef(`distro_gentoo',`
++ sysnet_domtrans_dhcpc(wpa_cli_t)
++ allow wpa_cli_t etc_t:file { getattr };
++')
+--- services/networkmanager.fc 2010-08-03 15:11:06.000000000 +0200
++++ ../../../refpolicy/policy/modules/services/networkmanager.fc 2011-01-02 17:30:48.448999997 +0100
+@@ -24,3 +24,6 @@
+ /var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+ /var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+ /var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
++/var/run/wpa_cli-.* -- gen_context(system_u:object_r:wpa_cli_var_run_t,s0)
++/etc/wpa_supplicant/wpa_cli.sh -- gen_context(system_u:object_r:bin_t,s0)
++/usr/bin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
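Review bot: The `fs_rw_tmpfs_files`, `fs_manage_tmpfs_dirs` and `fs_manage_tmpfs_sockets` calls appended at the end of networkmanager.te give wpa_cli_t and NetworkManager_t access to every object carrying the generic tmpfs_t label, which is much wider than the wpa_cli runtime files the patch otherwise confines to wpa_cli_var_run_t. If the need comes from runtime directories living on a tmpfs mount (the patch does not say, so this is an assumption), a type transition such as `fs_tmpfs_filetrans(wpa_cli_t, wpa_cli_var_run_t, { dir file sock_file })` would keep new objects in the private type and let the generic grants be dropped. Failing that, the calls should carry a comment naming the path that requires them and sit inside the existing distro_gentoo block next to `sysnet_domtrans_dhcpc(wpa_cli_t)`. The same applies to `init_domtrans_script(wpa_cli_t)` and `corecmd_exec_shell(wpa_cli_t)`, which the ebuild comment ties to Gentoo's init scripts but which are granted unconditionally.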
diff --git a/sec-policy/selinux-networkmanager/metadata.xml b/sec-policy/selinux-networkmanager/metadata.xml
new file mode 100644
index 000000000000..1323c5ca543a
--- /dev/null
+++ b/sec-policy/selinux-networkmanager/metadata.xml
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+<herd>hardened</herd>
+<longdescription>Gentoo SELinux policy for networkmanager</longdescription>
+</pkgmetadata>
diff --git a/sec-policy/selinux-networkmanager/selinux-networkmanager-2.20101213.ebuild b/sec-policy/selinux-networkmanager/selinux-networkmanager-2.20101213.ebuild
new file mode 100644
index 000000000000..4a59b6060946
--- /dev/null
+++ b/sec-policy/selinux-networkmanager/selinux-networkmanager-2.20101213.ebuild
@@ -0,0 +1,22 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-networkmanager/selinux-networkmanager-2.20101213.ebuild,v 1.1 2011/02/05 20:41:05 blueness Exp $
+
+IUSE=""
+
+MODS="networkmanager"
+
+inherit selinux-policy-2
+
+DESCRIPTION="SELinux policy for general applications"
+
+KEYWORDS="~amd64 ~x86"
+
+MODDEPEND=">=sec-policy/selinux-base-policy-2.20101213-r1"
+
+# Patch "fix-networkmanager.patch" contains:
+# - Support for wpa_cli. Gentoo's init scripts use wpa_cli to run the init
+# scripts when wpa_supplicant has associated.
+# - Support running wpa_cli from commandline (requires
+# selinux-base-policy-2.20101213-r1) due to patch to sysadm_t domain
+POLICY_PATCH="${FILESDIR}/fix-networkmanager.patch"
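Review bot: `DESCRIPTION` still holds the generic template string "SELinux policy for general applications" and does not name the module this ebuild installs. `DESCRIPTION="SELinux policy for networkmanager"` would agree with `MODS="networkmanager"` and with the longdescription in metadata.xml, which matters when an administrator audits which policy packages are installed.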