[refpolicy] [PATCH 0/3] Small set of contrib updates

[refpolicy] [PATCH 0/3] Small set of contrib updates

[Sven Vermeulen]

A small set of updates on contrib modules

Sven Vermeulen (3):
  Add aide bin /usr/bin and mark /var/lib/aide
  Provide alsa_write_lib interface
  Run dmidecode after newrole or on terminals

 aide.fc      |  3 ++-
 alsa.if      | 19 +++++++++++++++++++
 dmidecode.te |  6 ++++--
 3 files changed, 25 insertions(+), 3 deletions(-)

-- 
1.8.1.5

[refpolicy] [PATCH 1/3] Add aide bin /usr/bin and mark /var/lib/aide

[Sven Vermeulen]

In Gentoo, the aide binary is at /usr/bin/aide.

Also, the /var/lib/aide directory itself is best labeled as aide_db_t as well to
allow aide to handle its contents.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 aide.fc | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/aide.fc b/aide.fc
index df6e4d0..6037ccc 100644
--- a/aide.fc
+++ b/aide.fc
@@ -1,6 +1,7 @@
+/usr/bin/aide	--	gen_context(system_u:object_r:aide_exec_t,mls_systemhigh)
 /usr/sbin/aide	--	gen_context(system_u:object_r:aide_exec_t,mls_systemhigh)
 
-/var/lib/aide(/.*)	gen_context(system_u:object_r:aide_db_t,mls_systemhigh)
+/var/lib/aide(/.*)?	gen_context(system_u:object_r:aide_db_t,mls_systemhigh)
 
 /var/log/aide(/.*)?	gen_context(system_u:object_r:aide_log_t,mls_systemhigh)
 /var/log/aide\.log	--	gen_context(system_u:object_r:aide_log_t,mls_systemhigh)
-- 
1.8.1.5

[refpolicy] [PATCH 2/3] Provide alsa_write_lib interface

[Sven Vermeulen]

The initrc_t domain needs write privileges in the /var/lib/alsa location to
store the asound.state file generated through the alsa init script. To prepare
for this, create the alsa_write_lib interface.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 alsa.if | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/alsa.if b/alsa.if
index 708b743..ca8d8cf 100644
--- a/alsa.if
+++ b/alsa.if
@@ -256,3 +256,22 @@ interface(`alsa_read_lib',`
 	files_search_var_lib($1)
 	read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
 ')
+
+#########################################
+## <summary>
+##	Write Alsa lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`alsa_write_lib',`
+	gen_require(`
+		type alsa_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	write_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
+')
-- 
1.8.1.5

[refpolicy] [PATCH 3/3] Run dmidecode after newrole or on terminals

[Sven Vermeulen]

The dmidecode application needs to use the file descriptors often owned by the
switching process (like newrole_t after switching roles with newrole), commonly
done by administrators.

Grant this through domain_use_interactive_fds(), allowing output for dmidecode
to be displayed on such terminals.

Also update style a bit to be confirm the coding style for refpolicy.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 dmidecode.te | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/dmidecode.te b/dmidecode.te
index 6396d4b..600b0fc 100644
--- a/dmidecode.te
+++ b/dmidecode.te
@@ -20,13 +20,15 @@ role dmidecode_roles types dmidecode_t;
 
 allow dmidecode_t self:capability sys_rawio;
 
-dev_read_sysfs(dmidecode_t)
 dev_read_raw_memory(dmidecode_t)
+dev_read_sysfs(dmidecode_t)
 
-mls_file_read_all_levels(dmidecode_t)
+domain_use_interactive_fds(dmidecode_t)
 
 files_list_usr(dmidecode_t)
 
+mls_file_read_all_levels(dmidecode_t)
+
 locallogin_use_fds(dmidecode_t)
 
 userdom_use_user_terminals(dmidecode_t)
-- 
1.8.1.5

[refpolicy] [PATCH 0/3] Small set of contrib updates

[Dominick Grift]

On Thu, 2013-08-15 at 20:15 +0200, Sven Vermeulen wrote:
> A small set of updates on contrib modules

Merged, Thanks

> 
> Sven Vermeulen (3):
>   Add aide bin /usr/bin and mark /var/lib/aide
>   Provide alsa_write_lib interface
>   Run dmidecode after newrole or on terminals
> 
>  aide.fc      |  3 ++-
>  alsa.if      | 19 +++++++++++++++++++
>  dmidecode.te |  6 ++++--
>  3 files changed, 25 insertions(+), 3 deletions(-)
>