commit:     e5076b8b2c52d8eba12c4b552a9e491c94305c57
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Mon Feb 20 15:33:05 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Feb 21 07:08:44 2017 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e5076b8b

fetchmail, mysql, tor: Misc fixes from Russell Coker.

 policy/modules/contrib/fetchmail.te | 3 ++-
 policy/modules/contrib/mysql.te     | 9 +++++----
 policy/modules/contrib/tor.te       | 6 ++++--
 3 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/policy/modules/contrib/fetchmail.te 
b/policy/modules/contrib/fetchmail.te
index 4a078b1a..a15bc538 100644
--- a/policy/modules/contrib/fetchmail.te
+++ b/policy/modules/contrib/fetchmail.te
@@ -1,4 +1,4 @@
-policy_module(fetchmail, 1.16.0)
+policy_module(fetchmail, 1.16.1)
 
 ########################################
 #
@@ -47,6 +47,7 @@ create_files_pattern(fetchmail_t, fetchmail_log_t, 
fetchmail_log_t)
 setattr_files_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t)
 logging_log_filetrans(fetchmail_t, fetchmail_log_t, { dir file })
 
+allow fetchmail_t fetchmail_uidl_cache_t:dir manage_dir_perms;
 allow fetchmail_t fetchmail_uidl_cache_t:file manage_file_perms;
 mta_spool_filetrans(fetchmail_t, fetchmail_uidl_cache_t, file)
 
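Review bot: The new `allow fetchmail_t fetchmail_uidl_cache_t:dir manage_dir_perms;` is paired only with a file-class transition on the following line (`mta_spool_filetrans(fetchmail_t, fetchmail_uidl_cache_t, file)`), so a directory fetchmail creates in the mail spool would not be labelled fetchmail_uidl_cache_t and the new rule would not reach it. If directory creation is what triggered the denial, extending the transition to `mta_spool_filetrans(fetchmail_t, fetchmail_uidl_cache_t, { dir file })` (with the matching file-context entry, outside this hunk) keeps the labelling consistent with the grant. If fetchmail only needs to traverse or list an already-labelled cache directory, a narrower `list_dir_perms` or `rw_dir_perms` would limit the grant to what was observed. The hunk and the commit message do not say which case applies; a one-line `#` comment above the rule recording the observed denial would settle it for later audits.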

diff --git a/policy/modules/contrib/mysql.te b/policy/modules/contrib/mysql.te
index 571f9ce0..6fe1ce56 100644
--- a/policy/modules/contrib/mysql.te
+++ b/policy/modules/contrib/mysql.te
@@ -1,4 +1,4 @@
-policy_module(mysql, 1.19.0)
+policy_module(mysql, 1.19.1)
 
 ########################################
 #
@@ -70,7 +70,7 @@ dontaudit mysqld_t self:capability sys_tty_config;
 allow mysqld_t self:process { setsched getsched setrlimit signal_perms 
rlimitinh };
 allow mysqld_t self:fifo_file rw_fifo_file_perms;
 allow mysqld_t self:shm create_shm_perms;
-allow mysqld_t self:unix_stream_socket { accept listen };
+allow mysqld_t self:unix_stream_socket { connectto accept listen };
 allow mysqld_t self:tcp_socket { accept listen };
 
 manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
@@ -101,6 +101,7 @@ files_pid_filetrans(mysqld_t, mysqld_var_run_t, { dir file 
sock_file })
 kernel_read_kernel_sysctls(mysqld_t)
 kernel_read_network_state(mysqld_t)
 kernel_read_system_state(mysqld_t)
+kernel_read_vm_sysctls(mysqld_t)
 
 corenet_all_recvfrom_unlabeled(mysqld_t)
 corenet_all_recvfrom_netlabel(mysqld_t)
@@ -165,7 +166,7 @@ allow mysqld_safe_t self:capability { chown dac_override 
fowner kill };
 allow mysqld_safe_t self:process { setsched getsched setrlimit };
 allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
 
-allow mysqld_safe_t mysqld_t:process signull;
+allow mysqld_safe_t mysqld_t:process { signull sigkill };
 
 read_lnk_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
 manage_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
@@ -190,7 +191,7 @@ kernel_read_kernel_sysctls(mysqld_safe_t)
 corecmd_exec_bin(mysqld_safe_t)
 corecmd_exec_shell(mysqld_safe_t)
 
-dev_list_sysfs(mysqld_safe_t)
+dev_read_sysfs(mysqld_safe_t)
 
 domain_read_all_domains_state(mysqld_safe_t)
 
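Review bot: `dev_read_sysfs(mysqld_safe_t)` widens the wrapper from listing sysfs directories to reading every sysfs file, which exposes hardware and kernel configuration detail well beyond what a listing did, and the commit message ("Misc fixes") does not say which path mysqld_safe actually reads. If it is a single known file (CPU or memory topology for tuning would be my guess, but that is not visible here), a `#` comment above the call naming it, e.g. `# reads <path — TODO confirm> for startup tuning`, lets a later auditor re-check whether the whole-sysfs read is still warranted. As far as I recall `dev_read_sysfs` also includes directory listing, so the replaced `dev_list_sysfs` is subsumed rather than lost, but that should be verified against devices.if rather than assumed.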

diff --git a/policy/modules/contrib/tor.te b/policy/modules/contrib/tor.te
index 098154fe..a68e5d9e 100644
--- a/policy/modules/contrib/tor.te
+++ b/policy/modules/contrib/tor.te
@@ -1,4 +1,4 @@
-policy_module(tor, 1.13.0)
+policy_module(tor, 1.13.1)
 
 ########################################
 #
@@ -41,7 +41,7 @@ init_daemon_pid_file(tor_var_run_t, dir, "tor")
 # Local policy
 #
 
-allow tor_t self:capability { setgid setuid sys_tty_config };
+allow tor_t self:capability { chown dac_override dac_read_search fowner fsetid 
setgid setuid sys_tty_config };
 allow tor_t self:process signal;
 allow tor_t self:fifo_file rw_fifo_file_perms;
 allow tor_t self:unix_stream_socket { accept listen };
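Review bot: The rewritten capability rule grants `dac_override` together with `dac_read_search`; dac_override bypasses all DAC checks including write and execute, while dac_read_search covers only read and search, so the pair is wider than a traversal-only need and one of them is probably redundant. The added `chown fowner fsetid` suggest tor adjusts ownership or mode of its own files while still privileged (its data directory before dropping to the tor user is the likely reason, but that is inferred, not visible in the hunk). A `#` comment above the rule recording which operation needs each capability, e.g. `# chown/fowner/fsetid/dac_*: <reason — TODO confirm>`, would let the grant be re-checked when tor changes, and if dac_override turns out to be needed only for read/search traversal it should be dropped in favour of dac_read_search alone. Note that the new rule is wrapped across two source lines in this rendering; the policy line itself is one statement.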
@@ -103,6 +103,8 @@ domain_use_interactive_fds(tor_t)
 files_read_etc_runtime_files(tor_t)
 files_read_usr_files(tor_t)
 
+fs_search_tmpfs(tor_t)
+
 auth_use_nsswitch(tor_t)
 
 logging_send_syslog_msg(tor_t)
