From 052c953ae59f98e2fe4cc0d7ddc6bcb4aa04da13 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Thu, 11 Aug 2005 14:49:58 +0000 Subject: [PATCH] add quota --- refpolicy/Changelog | 1 + refpolicy/policy/modules/admin/quota.fc | 14 +++ refpolicy/policy/modules/admin/quota.if | 81 +++++++++++++++++ refpolicy/policy/modules/admin/quota.te | 89 +++++++++++++++++++ refpolicy/policy/modules/kernel/filesystem.if | 36 ++++++++ refpolicy/policy/modules/system/files.if | 65 +++++++++++++- refpolicy/policy/modules/system/init.te | 4 + refpolicy/policy/modules/system/userdomain.if | 4 + refpolicy/policy/modules/system/userdomain.te | 4 + 9 files changed, 297 insertions(+), 1 deletion(-) create mode 100644 refpolicy/policy/modules/admin/quota.fc create mode 100644 refpolicy/policy/modules/admin/quota.if create mode 100644 refpolicy/policy/modules/admin/quota.te diff --git a/refpolicy/Changelog b/refpolicy/Changelog index d3265f14..5306a991 100644 --- a/refpolicy/Changelog +++ b/refpolicy/Changelog @@ -8,6 +8,7 @@ * Added policies: acct mysql + quota su sudo tmpreaper diff --git a/refpolicy/policy/modules/admin/quota.fc b/refpolicy/policy/modules/admin/quota.fc new file mode 100644 index 00000000..3e367f0c --- /dev/null +++ b/refpolicy/policy/modules/admin/quota.fc @@ -0,0 +1,14 @@ + +/sbin/quota(check|on) -- context_template(system_u:object_r:quota_exec_t,s0) + +ifdef(`distro_redhat',` +/usr/sbin/convertquota -- context_template(system_u:object_r:quota_exec_t,s0) +',` +/sbin/convertquota -- context_template(system_u:object_r:quota_exec_t,s0) +') + +HOME_ROOT/a?quota\.(user|group) -- context_template(system_u:object_r:quota_db_t,s0) + +/var/a?quota\.(user|group) -- context_template(system_u:object_r:quota_db_t,s0) + +/var/lib/quota(/.*)? context_template(system_u:object_r:quota_flag_t,s0) diff --git a/refpolicy/policy/modules/admin/quota.if b/refpolicy/policy/modules/admin/quota.if new file mode 100644 index 00000000..ed0e6378 --- /dev/null 
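Review bot: The quota database entries in quota.fc cover only `HOME_ROOT` and `/var`, so `aquota.user` or `quota.group` files at the root of any other quota-enabled filesystem keep their default label, and the `{ read write quotaon }` rule on `quota_db_t` in quota.te will not apply to them. The comment `# for /quota.*` in quota.te suggests root-level files are expected. If so, add `/a?quota\.(user|group) -- context_template(system_u:object_r:quota_db_t,s0)` and matching entries for the other mount points this policy is meant to support. A short comment above the entries naming the mount points that are intentionally covered would make any remaining gap visible.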
+++ b/refpolicy/policy/modules/admin/quota.if
@@ -0,0 +1,81 @@
+## File system quota management
+
+########################################
+##
+## Execute quota management tools in the quota domain.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`quota_domtrans',`
+ gen_require(`
+ type quota_t, quota_exec_t;
+ class process sigchld;
+ class fd use;
+ class fifo_file rw_file_perms;
+ ')
+
+ domain_auto_trans($1,quota_exec_t,quota_t)
+
+ allow $1 quota_t:fd use;
+ allow quota_t $1:fd use;
+ allow quota_t $1:fifo_file rw_file_perms;
+ allow quota_t $1:process sigchld;
+')
+
+########################################
+##
+## Execute quota management tools in the quota domain, and
+## allow the specified role the quota domain.
+##
+##
+## The type of the process performing this action.
+##
+##
+## The role to be allowed the quota domain.
+##
+##
+## The type of the terminal allow the quota domain to use.
+##
+#
+interface(`quota_run',`
+ gen_require(`
+ type quota_t;
+ class chr_file rw_term_perms;
+ ')
+
+ quota_domtrans($1)
+ role $2 types quota_t;
+ allow quota_t $3:chr_file rw_term_perms;
+')
+
+########################################
+##
+## Do not audit attempts to get the attributes
+## of filesystem quota data files.
+##
+##
+## Domain to not audit.
+##
+#
+interface(`quota_dontaudit_getattr_db',`
+ gen_require(`
+ type quota_db_t;
+ class file getattr;
+ ')
+
+ dontaudit $1 quota_db_t:file getattr;
+')
+
+interface(`quota_manage_flags',`
+ gen_require(`
+ type quota_flag_t;
+ class dir rw_dir_perms;
+ class file create_file_perms;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 quota_flag_t:dir rw_dir_perms;
+ allow $1 quota_flag_t:file create_file_perms;
+')
diff --git a/refpolicy/policy/modules/admin/quota.te b/refpolicy/policy/modules/admin/quota.te
new file mode 100644
index 00000000..4005a807
--- /dev/null
+++ b/refpolicy/policy/modules/admin/quota.te
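Review bot: `quota_manage_flags` is the only interface in quota.if without a `##` documentation header, and it is the one that hands its caller write access to `quota_flag_t` (`rw_dir_perms` on directories, `create_file_perms` on files). Add a header in the same form as the three interfaces above it, with a summary along the lines of "Create and manage quota flag files." and the parameter description "Domain allowed access.", so that callers such as the `initrc_t` use in init.te can see what they are granting. In the `quota_run` header, "The type of the terminal allow the quota domain to use." should read "The type of the terminal the quota domain is allowed to use."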
@@ -0,0 +1,89 @@
+
+policy_module(quota,1.0)
+
+########################################
+#
+# Declarations
+#
+
+type quota_t;
+type quota_exec_t;
+init_system_domain(quota_t,quota_exec_t)
+
+type quota_db_t;
+files_type(quota_db_t)
+
+type quota_flag_t;
+files_type(quota_flag_t)
+
+allow quota_t self:capability { sys_admin dac_override };
+dontaudit quota_t self:capability sys_tty_config;
+allow quota_t self:process signal_perms;
+
+# for /quota.*
+allow quota_t quota_db_t:file { read write quotaon };
+
+kernel_list_proc(quota_t)
+kernel_read_proc_symlinks(quota_t)
+kernel_read_kernel_sysctl(quota_t)
+
+dev_read_sysfs(quota_t)
+dev_getattr_all_blk_files(quota_t)
+dev_getattr_all_chr_files(quota_t)
+
+fs_get_xattr_fs_quota(quota_t)
+fs_set_xattr_fs_quota(quota_t)
+fs_getattr_xattr_fs(quota_t)
+fs_remount_xattr_fs(quota_t)
+fs_search_auto_mountpoints(quota_t)
+
+storage_raw_read_fixed_disk(quota_t)
+
+term_dontaudit_use_console(quota_t)
+
+domain_use_wide_inherit_fd(quota_t)
+
+files_list_all_dirs(quota_t)
+files_read_all_files(quota_t)
+files_read_all_symlinks(quota_t)
+files_getattr_all_pipes(quota_t)
+files_getattr_all_sockets(quota_t)
+# Read /etc/mtab.
+files_read_etc_runtime_files(quota_t) + +init_use_fd(quota_t) +init_use_script_pty(quota_t) + +libs_use_ld_so(quota_t) +libs_use_shared_libs(quota_t) + +logging_send_syslog_msg(quota_t) + +userdom_dontaudit_use_unpriv_user_fd(quota_t) + +ifdef(`targeted_policy',` + term_dontaudit_use_unallocated_tty(quota_t) + term_dontaudit_use_generic_pty(quota_t) + files_dontaudit_read_root_file(quota_t) +') + +optional_policy(`rhgb.te',` + rhgb_domain(quota_t) +') + +optional_policy(`selinuxutil.te',` + seutil_sigchld_newrole(quota_t) +') + +optional_policy(`udev.te', ` + udev_read_db(quota_t) +') + +ifdef(`TODO',` +# quotacheck creates new quota_db_t files +file_type_auto_trans(quota_t, { root_t home_root_t var_t usr_t src_t var_spool_t }, quota_db_t, file) + +allow quota_t file_t:file quotaon; + +allow quota_t proc_t:file getattr; +') dnl end TODO diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if index 09e1c6bd..a9bb42f2 100644 --- a/refpolicy/policy/modules/kernel/filesystem.if +++ b/refpolicy/policy/modules/kernel/filesystem.if @@ -214,6 +214,42 @@ interface(`fs_relabelfrom_xattr_fs',` allow $1 fs_t:filesystem relabelfrom; ') +######################################## +## +## Get the filesystem quotas of a filesystem +## with extended attributes. +## +## +## The type of the domain mounting the filesystem. +## +# +interface(`fs_get_xattr_fs_quota',` + gen_require(` + type fs_t; + class filesystem quotaget; + ') + + allow $1 fs_t:filesystem quotaget; +') + +######################################## +## +## Set the filesystem quotas of a filesystem +## with extended attributes. +## +## +## The type of the domain mounting the filesystem. +## +# +interface(`fs_set_xattr_fs_quota',` + gen_require(` + type fs_t; + class filesystem quotamod; + ') + + allow $1 fs_t:filesystem quotamod; +') + ######################################## ## ## Mount an automount pseudo filesystem. 
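Review bot: `files_read_all_files(quota_t)` gives the quota tools read access to the contents of every file type, and per the files.if change in this commit that interface also calls `auth_read_shadow` when authlogin is present; together with `dac_override` and `storage_raw_read_fixed_disk` this makes `quota_t` a very broad read domain. If quotacheck only walks directories and stats entries to total usage (not shown here, so worth confirming), `files_getattr_all_files(quota_t)` alongside the existing `files_list_all_dirs(quota_t)` would be enough. If the wide read really is required, say why in a comment above the line, e.g. `# quotacheck scans every file to compute usage`. Separately, the block guarded by `TODO` leaves the `quota_db_t` type transition disabled, so the active policy has no rule that lets `quota_t` create its database files.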
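Review bot: Both new headers in filesystem.if describe the parameter as "The type of the domain mounting the filesystem.", which looks copied from a mount interface and does not match what `fs_get_xattr_fs_quota` and `fs_set_xattr_fs_quota` grant (`quotaget` and `quotamod` on `fs_t`). Reword them to "The type of the domain getting the filesystem quotas." and "The type of the domain setting the filesystem quotas." respectively. The distinction matters when auditing callers, because `quotamod` is a modify permission and should not read like a mount grant.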
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if index d62a4ad6..ecfc8dd3 100644 --- a/refpolicy/policy/modules/system/files.if +++ b/refpolicy/policy/modules/system/files.if @@ -140,8 +140,29 @@ interface(`files_dontaudit_getattr_all_dirs',` ') ######################################## +## +## List the contents of all directories. +## +## +## Domain allowed access. +## # -# files_getattr_all_files(domain) +interface(`files_list_all_dirs',` + gen_require(` + attribute file_type; + class dir r_dir_perms; + ') + + allow $1 file_type:dir r_dir_perms; +') + +######################################## +## +## Get the attributes of all files. +## +## +## Domain allowed access. +## # interface(`files_getattr_all_files',` gen_require(` @@ -172,6 +193,29 @@ interface(`files_dontaudit_getattr_all_files',` dontaudit $1 file_type:file getattr; ') +######################################## +## +## Read all files. +## +## +## Domain allowed access. +## +# +interface(`files_read_all_files',` + gen_require(` + attribute file_type; + class dir search; + class file r_file_perms; + ') + + allow $1 file_type:dir search; + allow $1 file_type:file r_file_perms; + + optional_policy(`authlogin.te',` + auth_read_shadow($1) + ') +') + ######################################## ## ## Get the attributes of all symbolic links. @@ -209,6 +253,25 @@ interface(`files_dontaudit_getattr_all_symlinks',` dontaudit $1 file_type:lnk_file getattr; ') +######################################## +## +## Read all symbolic links. +## +## +## Domain allowed access. +## +# +interface(`files_read_all_symlinks',` + gen_require(` + attribute file_type; + class dir search; + class lnk_file { getattr read }; + ') + + allow $1 file_type:dir search; + allow $1 file_type:lnk_file { getattr read }; +') + ######################################## ## ## Get the attributes of all named pipes. 
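Review bot: `files_read_all_files` is documented only as "Read all files." but its body also calls `auth_read_shadow($1)` inside the authlogin `optional_policy` block, so every caller picks up what is presumably read access to the shadow password data whenever authlogin is built. State that in the summary, e.g. "Read all files, including the shadow password file when the authlogin module is present.", or move the shadow access out of this interface so callers have to request it with their own `auth_read_shadow` call. The other hunks in files.if (`files_list_all_dirs`, `files_read_all_symlinks`) do not have this issue.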
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te index 41e33cad..129b41c9 100644 --- a/refpolicy/policy/modules/system/init.te +++ b/refpolicy/policy/modules/system/init.te @@ -410,6 +410,10 @@ optional_policy(`raid.te',` raid_manage_mdadm_pid(initrc_t) ') +optional_policy(`quota.te',` + quota_manage_flags(initrc_t) +') + optional_policy(`rhgb.te',` corecmd_shell_entry_type(initrc_t) ') diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if index 3ba5898a..cc1a1b45 100644 --- a/refpolicy/policy/modules/system/userdomain.if +++ b/refpolicy/policy/modules/system/userdomain.if @@ -265,6 +265,10 @@ template(`base_user_template',` pcmcia_read_pid($1_t) ') + optional_policy(`quota.te',` + quota_dontaudit_getattr_db($1_t) + ') + optional_policy(`rpm.te',` files_getattr_var_lib_dir($1_t) files_search_var_lib($1_t) diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te index 55d73219..b32e8913 100644 --- a/refpolicy/policy/modules/system/userdomain.te +++ b/refpolicy/policy/modules/system/userdomain.te @@ -175,6 +175,10 @@ ifdef(`targeted_policy',` pcmcia_run_cardctl(sysadm_t,sysadm_r,admin_terminal) ') + optional_policy(`quota.te',` + quota_run(sysadm_t,sysadm_r,admin_terminal) + ') + optional_policy(`rpm.te',` rpm_run(sysadm_t,sysadm_r,admin_terminal) ')