commit: 3f70983f816e464b3071a17ca690115c61c35fba
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Mar 25 11:57:14 2018 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Jun 14 12:56:53 2018 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3f70983f
Switch syncthing to XDG config types and make user content access optional
The syncthing application can, but does not have to, be used for
synchronizing end user data. Hence, the user data access is made
optional through the support of the syncthing_*_user_content booleans.
Also, the syncthing_config_home_t type is renamed to
syncthing_xdg_config_t to be aligned with the XDG setup. An alias
is put in place to allow for a transitional period before
syncthing_config_home_t is completely phased out.
Changes since v2:
- Fix typo in call to userdom_user_content_access_template
Changes since v1:
- Move tunable definition inside template
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
policy/modules/contrib/syncthing.fc | 2 +-
policy/modules/contrib/syncthing.if | 8 ++++----
policy/modules/contrib/syncthing.te | 19 ++++++++-----------
3 files changed, 13 insertions(+), 16 deletions(-)
diff --git a/policy/modules/contrib/syncthing.fc
b/policy/modules/contrib/syncthing.fc
index 4f7f53ed..e95b451e 100644
--- a/policy/modules/contrib/syncthing.fc
+++ b/policy/modules/contrib/syncthing.fc
@@ -1,3 +1,3 @@
/usr/bin/syncthing --
gen_context(system_u:object_r:syncthing_exec_t,s0)
-HOME_DIR/\.config/syncthing(/.*)?
gen_context(system_u:object_r:syncthing_config_home_t,s0)
+HOME_DIR/\.config/syncthing(/.*)?
gen_context(system_u:object_r:syncthing_xdg_config_t,s0)
diff --git a/policy/modules/contrib/syncthing.if
b/policy/modules/contrib/syncthing.if
index 065800a3..2c0eb24c 100644
--- a/policy/modules/contrib/syncthing.if
+++ b/policy/modules/contrib/syncthing.if
@@ -18,14 +18,14 @@
interface(`syncthing_role', `
gen_require(`
attribute_role syncthing_roles;
- type syncthing_t, syncthing_exec_t, syncthing_config_home_t;
+ type syncthing_t, syncthing_exec_t, syncthing_xdg_config_t;
')
roleattribute $1 syncthing_roles;
domtrans_pattern($2, syncthing_exec_t, syncthing_t)
- allow $2 syncthing_config_home_t:file { manage_file_perms
relabel_file_perms };
- allow $2 syncthing_config_home_t:dir { manage_dir_perms
relabel_dir_perms };
- allow $2 syncthing_config_home_t:lnk_file { manage_lnk_file_perms
relabel_lnk_file_perms };
+ allow $2 syncthing_xdg_config_t:file { manage_file_perms
relabel_file_perms };
+ allow $2 syncthing_xdg_config_t:dir { manage_dir_perms
relabel_dir_perms };
+ allow $2 syncthing_xdg_config_t:lnk_file { manage_lnk_file_perms
relabel_lnk_file_perms };
')
diff --git a/policy/modules/contrib/syncthing.te
b/policy/modules/contrib/syncthing.te
index 92d0bf51..de3b9791 100644
--- a/policy/modules/contrib/syncthing.te
+++ b/policy/modules/contrib/syncthing.te
@@ -13,8 +13,8 @@ type syncthing_exec_t;
init_daemon_domain(syncthing_t, syncthing_exec_t)
userdom_user_application_domain(syncthing_t, syncthing_exec_t)
-type syncthing_config_home_t;
-userdom_user_home_content(syncthing_config_home_t)
+type syncthing_xdg_config_t alias syncthing_config_home_t;
+xdg_config_content(syncthing_xdg_config_t)
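Review bot: The `alias syncthing_config_home_t` on the new type declaration carries no hint that it is transitional, so nothing in the policy tells a later reader when it can be dropped; the commit message is the only place that says so. A one-line comment above the declaration would keep that intent with the code, e.g. `# syncthing_config_home_t is a transitional alias; remove once nothing references it`. Note that the type also moves from userdom_user_home_content to xdg_config_content, so domains that reach it through generic user-home-content interfaces lose that path and only xdg-config-aware domains keep access, which matches the stated intent but is worth a sentence in the description.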
########################################
#
@@ -27,9 +27,10 @@ allow syncthing_t self:tcp_socket { listen accept };
can_exec(syncthing_t, syncthing_exec_t)
-manage_dirs_pattern(syncthing_t, syncthing_config_home_t,
syncthing_config_home_t)
-manage_files_pattern(syncthing_t, syncthing_config_home_t,
syncthing_config_home_t)
-manage_lnk_files_pattern(syncthing_t, syncthing_config_home_t,
syncthing_config_home_t)
+manage_dirs_pattern(syncthing_t, syncthing_xdg_config_t,
syncthing_xdg_config_t)
+manage_files_pattern(syncthing_t, syncthing_xdg_config_t,
syncthing_xdg_config_t)
+manage_lnk_files_pattern(syncthing_t, syncthing_xdg_config_t,
syncthing_xdg_config_t)
+xdg_config_filetrans(syncthing_t, syncthing_xdg_config_t, dir)
kernel_read_kernel_sysctls(syncthing_t)
kernel_read_net_sysctls(syncthing_t)
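Review bot: The new `xdg_config_filetrans(syncthing_t, syncthing_xdg_config_t, dir)` drops the filename restriction that the removed `userdom_user_home_content_filetrans(..., dir, "syncthing")` in the next hunk (L107-L108) had, so every directory syncthing_t creates directly inside an xdg config directory is labelled syncthing_xdg_config_t, not only `syncthing`. The file context entry in syncthing.fc only covers `HOME_DIR/\.config/syncthing(/.*)?`, so any other directory the daemon creates there would be relabelled differently by restorecon than at creation time. If xdg_config_filetrans accepts the optional filename argument like the userdom interface did (filetrans_pattern does), the tighter form is `xdg_config_filetrans(syncthing_t, syncthing_xdg_config_t, dir, "syncthing")`.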
@@ -58,13 +59,9 @@ auth_use_nsswitch(syncthing_t)
miscfiles_read_generic_certs(syncthing_t)
miscfiles_read_localization(syncthing_t)
-userdom_manage_user_home_content_files(syncthing_t)
-userdom_manage_user_home_content_dirs(syncthing_t)
-userdom_manage_user_home_content_symlinks(syncthing_t)
-userdom_user_home_dir_filetrans_user_home_content(syncthing_t, dir)
+userdom_user_content_access_template(syncthing, syncthing_t)
+
userdom_use_user_terminals(syncthing_t)
-# newly created files in ~/.config/syncthing/ will transition to
syncthing_config_home_t
-userdom_user_home_content_filetrans(syncthing_t, syncthing_config_home_t, dir,
"syncthing")
optional_policy(`
# temporary hack for /run/NetworkManager/resolv.conf until we make this
part of sysnet_dns_name_resolve()
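Review bot: The `userdom_user_content_access_template(syncthing, syncthing_t)` call replaces four unconditional interfaces, including `userdom_user_home_dir_filetrans_user_home_content(syncthing_t, dir)`, but the .te gives no hint that home content access is now boolean-gated or which tunables control it. If the template's tunables default to off, existing deployments that sync user data stop working until an admin enables them, which deserves a comment at the call site such as `# access to user home content is optional; see the syncthing_*_user_content tunables defined by the template`. It is also worth confirming that the template covers the home-dir file transition that was removed here, otherwise directories syncthing creates directly under HOME_DIR would no longer receive the user home content label.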