add loadkeys

refpolicy/Changelog

@@ -8,6 +8,7 @@
 	* Misc. cleanups.
 	* Added policies:
 		acct
+		loadkeys
 		mysql
 		quota
 		su

refpolicy/policy/modules/apps/loadkeys.fc

@@ -0,0 +1,3 @@
+
+/bin/loadkeys		--	context_template(system_u:object_r:loadkeys_exec_t,s0)
+/bin/unikeys		--	context_template(system_u:object_r:loadkeys_exec_t,s0)

refpolicy/policy/modules/apps/loadkeys.if

@@ -0,0 +1,67 @@
+## <summary>Load keyboard mappings.</summary>
+
+########################################
+## <summary>
+##	Execute the loadkeys program in the loadkeys domain.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`loadkeys_domtrans',`
+	gen_require(`
+		type loadkeys_t, loadkeys_exec_t;
+		class process sigchld;
+		class fd use;
+		class fifo_file rw_file_perms;
+	')
+
+	corecmd_search_bin($1)
+	domain_auto_trans($1, loadkeys_exec_t, loadkeys_t)
+
+	allow $1 loadkeys_t:fd use;
+	allow loadkeys_t $1:fd use;
+	allow loadkeys_t $1:fifo_file rw_file_perms;
+	allow loadkeys_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute the loadkeys program in the loadkeys domain.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <param name="role">
+##	The role to allow the loadkeys domain.
+## </param>
+## <param name="terminal">
+##	The type of the terminal allow the loadkeys domain to use.
+## </param>
+#
+interface(`loadkeys_run',`
+	gen_require(`
+		type loadkeys_t;
+		class chr_file rw_term_perms;
+	')
+
+	loadkeys_domtrans($1)
+	role $2 types loadkeys_t;
+	allow loadkeys_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	Execute the loadkeys program in the caller domain.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`loadkeys_exec',`
+	gen_require(`
+		type loadkeys_exec_t;
+	')
+
+	can_exec($1,loadkeys_exec_t)
+')

refpolicy/policy/modules/apps/loadkeys.te

@@ -0,0 +1,39 @@
+
+policy_module(loadkeys,1.0)
+
+########################################
+#
+# Declarations
+#
+
+# cjp: this should probably be rewritten
+# per user domain, since it can rw
+# all user domain ttys
+
+type loadkeys_t;
+domain_type(loadkeys_t)
+
+type loadkeys_exec_t;
+domain_entry_file(loadkeys_t,loadkeys_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+allow loadkeys_t self:capability { setuid sys_tty_config };
+allow loadkeys_t self:fifo_file rw_file_perms;
+
+kernel_read_system_state(loadkeys_t)
+
+corecmd_exec_bin(loadkeys_t)
+corecmd_exec_shell(loadkeys_t)
+
+files_dontaudit_read_etc_runtime_files(loadkeys_t)
+
+libs_use_ld_so(loadkeys_t)
+libs_use_shared_libs(loadkeys_t)
+
+locallogin_use_fd(loadkeys_t)
+
+miscfiles_read_localization(loadkeys_t)

refpolicy/policy/modules/system/files.if

@@ -923,8 +923,53 @@ interface(`files_create_boot_flag',`
 ')
 
 ########################################
+## <summary>
+##	Read files in /etc that are dynamically
+##	created on boot, such as mtab.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
 #
-# files_manage_etc_runtime_files(type)
+interface(`files_read_etc_runtime_files',`
+	gen_require(`
+		type etc_t, etc_runtime_t;
+		class dir r_dir_perms;
+		class file r_file_perms;
+	')
+
+	allow $1 etc_t:dir r_dir_perms;
+	allow $1 etc_runtime_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read files
+##	in /etc that are dynamically
+##	created on boot, such as mtab.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`files_dontaudit_read_etc_runtime_files',`
+	gen_require(`
+		type etc_runtime_t;
+		class file { getattr read };
+	')
+
+	allow $1 etc_runtime_t:file { getattr read };
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete files in
+##	/etc that are dynamically created on boot,
+##	such as mtab.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
 #
 interface(`files_manage_etc_runtime_files',`
 	gen_require(`
@@ -938,21 +983,6 @@ interface(`files_manage_etc_runtime_files',`
 	type_transition $1 etc_t:file etc_runtime_t;
 ')
 
-########################################
-#
-# files_read_etc_runtime_files(domain)
-#
-interface(`files_read_etc_runtime_files',`
-	gen_require(`
-		type etc_t, etc_runtime_t;
-		class dir r_dir_perms;
-		class file r_file_perms;
-	')
-
-	allow $1 etc_t:dir r_dir_perms;
-	allow $1 etc_runtime_t:file r_file_perms;
-')
-
 ########################################
 #
 # files_create_etc_config(domain,privatetype,[class(es)])

refpolicy/policy/modules/system/init.te

@@ -381,6 +381,10 @@ optional_policy(`kerberos.te',`
 	kerberos_use(initrc_t)
 ')
 
+optional_policy(`loadkeys.te',`
+	loadkeys_exec(initrc_t)
+')
+
 optional_policy(`lvm.te',`
 	#allow initrc_t lvm_control_t:chr_file unlink;
 

refpolicy/policy/modules/system/userdomain.if

@@ -543,6 +543,10 @@ template(`unpriv_user_template', `
 		kerberos_use($1_t)
 	')
 
+	optional_policy(`loadkeys.te',`
+		loadkeys_run($1_t,$1_r,$1_tty_device_t)
+	')
+
 	# for running depmod as part of the kernel packaging process
 	optional_policy(`modutils.te',`
 		modutils_read_module_conf($1_t)