add loadkeys

This commit is contained in:
Chris PeBenito 2005-08-15 14:46:17 +00:00
parent 8843093607
commit 21468a6076
7 changed files with 164 additions and 16 deletions

View File

@ -8,6 +8,7 @@
* Misc. cleanups.
* Added policies:
acct
loadkeys
mysql
quota
su

View File

@ -0,0 +1,3 @@
/bin/loadkeys -- context_template(system_u:object_r:loadkeys_exec_t,s0)
/bin/unikeys -- context_template(system_u:object_r:loadkeys_exec_t,s0)

View File

@ -0,0 +1,67 @@
## <summary>Load keyboard mappings.</summary>
########################################
## <summary>
## Execute the loadkeys program in the loadkeys domain.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`loadkeys_domtrans',`
gen_require(`
type loadkeys_t, loadkeys_exec_t;
class process sigchld;
class fd use;
class fifo_file rw_file_perms;
')
corecmd_search_bin($1)
domain_auto_trans($1, loadkeys_exec_t, loadkeys_t)
allow $1 loadkeys_t:fd use;
allow loadkeys_t $1:fd use;
allow loadkeys_t $1:fifo_file rw_file_perms;
allow loadkeys_t $1:process sigchld;
')
########################################
## <summary>
## Execute the loadkeys program in the loadkeys domain.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <param name="role">
## The role to allow the loadkeys domain.
## </param>
## <param name="terminal">
## The type of the terminal allow the loadkeys domain to use.
## </param>
#
interface(`loadkeys_run',`
gen_require(`
type loadkeys_t;
class chr_file rw_term_perms;
')
loadkeys_domtrans($1)
role $2 types loadkeys_t;
allow loadkeys_t $3:chr_file rw_term_perms;
')
########################################
## <summary>
## Execute the loadkeys program in the caller domain.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`loadkeys_exec',`
gen_require(`
type loadkeys_exec_t;
')
can_exec($1,loadkeys_exec_t)
')

View File

@ -0,0 +1,39 @@
policy_module(loadkeys,1.0)
########################################
#
# Declarations
#
# cjp: this should probably be rewritten
# per user domain, since it can rw
# all user domain ttys
type loadkeys_t;
domain_type(loadkeys_t)
type loadkeys_exec_t;
domain_entry_file(loadkeys_t,loadkeys_exec_t)
########################################
#
# Local policy
#
allow loadkeys_t self:capability { setuid sys_tty_config };
allow loadkeys_t self:fifo_file rw_file_perms;
kernel_read_system_state(loadkeys_t)
corecmd_exec_bin(loadkeys_t)
corecmd_exec_shell(loadkeys_t)
files_dontaudit_read_etc_runtime_files(loadkeys_t)
libs_use_ld_so(loadkeys_t)
libs_use_shared_libs(loadkeys_t)
locallogin_use_fd(loadkeys_t)
miscfiles_read_localization(loadkeys_t)

View File

@ -923,8 +923,53 @@ interface(`files_create_boot_flag',`
')
########################################
## <summary>
## Read files in /etc that are dynamically
## created on boot, such as mtab.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
# files_manage_etc_runtime_files(type)
interface(`files_read_etc_runtime_files',`
gen_require(`
type etc_t, etc_runtime_t;
class dir r_dir_perms;
class file r_file_perms;
')
allow $1 etc_t:dir r_dir_perms;
allow $1 etc_runtime_t:file r_file_perms;
')
########################################
## <summary>
## Do not audit attempts to read files
## in /etc that are dynamically
## created on boot, such as mtab.
## </summary>
## <param name="domain">
## Domain to not audit.
## </param>
#
interface(`files_dontaudit_read_etc_runtime_files',`
gen_require(`
type etc_runtime_t;
class file { getattr read };
')
allow $1 etc_runtime_t:file { getattr read };
')
########################################
## <summary>
## Create, read, write, and delete files in
## /etc that are dynamically created on boot,
## such as mtab.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`files_manage_etc_runtime_files',`
gen_require(`
@ -938,21 +983,6 @@ interface(`files_manage_etc_runtime_files',`
type_transition $1 etc_t:file etc_runtime_t;
')
########################################
#
# files_read_etc_runtime_files(domain)
#
interface(`files_read_etc_runtime_files',`
gen_require(`
type etc_t, etc_runtime_t;
class dir r_dir_perms;
class file r_file_perms;
')
allow $1 etc_t:dir r_dir_perms;
allow $1 etc_runtime_t:file r_file_perms;
')
########################################
#
# files_create_etc_config(domain,privatetype,[class(es)])

View File

@ -381,6 +381,10 @@ optional_policy(`kerberos.te',`
kerberos_use(initrc_t)
')
optional_policy(`loadkeys.te',`
loadkeys_exec(initrc_t)
')
optional_policy(`lvm.te',`
#allow initrc_t lvm_control_t:chr_file unlink;

View File

@ -543,6 +543,10 @@ template(`unpriv_user_template', `
kerberos_use($1_t)
')
optional_policy(`loadkeys.te',`
loadkeys_run($1_t,$1_r,$1_tty_device_t)
')
# for running depmod as part of the kernel packaging process
optional_policy(`modutils.te',`
modutils_read_module_conf($1_t)