add loadkeys
This commit is contained in:
parent
8843093607
commit
21468a6076
@ -8,6 +8,7 @@
|
||||
* Misc. cleanups.
|
||||
* Added policies:
|
||||
acct
|
||||
loadkeys
|
||||
mysql
|
||||
quota
|
||||
su
|
||||
|
3
refpolicy/policy/modules/apps/loadkeys.fc
Normal file
3
refpolicy/policy/modules/apps/loadkeys.fc
Normal file
@ -0,0 +1,3 @@
|
||||
|
||||
/bin/loadkeys -- context_template(system_u:object_r:loadkeys_exec_t,s0)
|
||||
/bin/unikeys -- context_template(system_u:object_r:loadkeys_exec_t,s0)
|
67
refpolicy/policy/modules/apps/loadkeys.if
Normal file
67
refpolicy/policy/modules/apps/loadkeys.if
Normal file
@ -0,0 +1,67 @@
|
||||
## <summary>Load keyboard mappings.</summary>
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute the loadkeys program in the loadkeys domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`loadkeys_domtrans',`
|
||||
gen_require(`
|
||||
type loadkeys_t, loadkeys_exec_t;
|
||||
class process sigchld;
|
||||
class fd use;
|
||||
class fifo_file rw_file_perms;
|
||||
')
|
||||
|
||||
corecmd_search_bin($1)
|
||||
domain_auto_trans($1, loadkeys_exec_t, loadkeys_t)
|
||||
|
||||
allow $1 loadkeys_t:fd use;
|
||||
allow loadkeys_t $1:fd use;
|
||||
allow loadkeys_t $1:fifo_file rw_file_perms;
|
||||
allow loadkeys_t $1:process sigchld;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute the loadkeys program in the loadkeys domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## The role to allow the loadkeys domain.
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## The type of the terminal allow the loadkeys domain to use.
|
||||
## </param>
|
||||
#
|
||||
interface(`loadkeys_run',`
|
||||
gen_require(`
|
||||
type loadkeys_t;
|
||||
class chr_file rw_term_perms;
|
||||
')
|
||||
|
||||
loadkeys_domtrans($1)
|
||||
role $2 types loadkeys_t;
|
||||
allow loadkeys_t $3:chr_file rw_term_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute the loadkeys program in the caller domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`loadkeys_exec',`
|
||||
gen_require(`
|
||||
type loadkeys_exec_t;
|
||||
')
|
||||
|
||||
can_exec($1,loadkeys_exec_t)
|
||||
')
|
39
refpolicy/policy/modules/apps/loadkeys.te
Normal file
39
refpolicy/policy/modules/apps/loadkeys.te
Normal file
@ -0,0 +1,39 @@
|
||||
|
||||
policy_module(loadkeys,1.0)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
# cjp: this should probably be rewritten
|
||||
# per user domain, since it can rw
|
||||
# all user domain ttys
|
||||
|
||||
type loadkeys_t;
|
||||
domain_type(loadkeys_t)
|
||||
|
||||
type loadkeys_exec_t;
|
||||
domain_entry_file(loadkeys_t,loadkeys_exec_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Local policy
|
||||
#
|
||||
|
||||
allow loadkeys_t self:capability { setuid sys_tty_config };
|
||||
allow loadkeys_t self:fifo_file rw_file_perms;
|
||||
|
||||
kernel_read_system_state(loadkeys_t)
|
||||
|
||||
corecmd_exec_bin(loadkeys_t)
|
||||
corecmd_exec_shell(loadkeys_t)
|
||||
|
||||
files_dontaudit_read_etc_runtime_files(loadkeys_t)
|
||||
|
||||
libs_use_ld_so(loadkeys_t)
|
||||
libs_use_shared_libs(loadkeys_t)
|
||||
|
||||
locallogin_use_fd(loadkeys_t)
|
||||
|
||||
miscfiles_read_localization(loadkeys_t)
|
@ -923,8 +923,53 @@ interface(`files_create_boot_flag',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read files in /etc that are dynamically
|
||||
## created on boot, such as mtab.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
# files_manage_etc_runtime_files(type)
|
||||
interface(`files_read_etc_runtime_files',`
|
||||
gen_require(`
|
||||
type etc_t, etc_runtime_t;
|
||||
class dir r_dir_perms;
|
||||
class file r_file_perms;
|
||||
')
|
||||
|
||||
allow $1 etc_t:dir r_dir_perms;
|
||||
allow $1 etc_runtime_t:file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to read files
|
||||
## in /etc that are dynamically
|
||||
## created on boot, such as mtab.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain to not audit.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_dontaudit_read_etc_runtime_files',`
|
||||
gen_require(`
|
||||
type etc_runtime_t;
|
||||
class file { getattr read };
|
||||
')
|
||||
|
||||
allow $1 etc_runtime_t:file { getattr read };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete files in
|
||||
## /etc that are dynamically created on boot,
|
||||
## such as mtab.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_manage_etc_runtime_files',`
|
||||
gen_require(`
|
||||
@ -938,21 +983,6 @@ interface(`files_manage_etc_runtime_files',`
|
||||
type_transition $1 etc_t:file etc_runtime_t;
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# files_read_etc_runtime_files(domain)
|
||||
#
|
||||
interface(`files_read_etc_runtime_files',`
|
||||
gen_require(`
|
||||
type etc_t, etc_runtime_t;
|
||||
class dir r_dir_perms;
|
||||
class file r_file_perms;
|
||||
')
|
||||
|
||||
allow $1 etc_t:dir r_dir_perms;
|
||||
allow $1 etc_runtime_t:file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# files_create_etc_config(domain,privatetype,[class(es)])
|
||||
|
@ -381,6 +381,10 @@ optional_policy(`kerberos.te',`
|
||||
kerberos_use(initrc_t)
|
||||
')
|
||||
|
||||
optional_policy(`loadkeys.te',`
|
||||
loadkeys_exec(initrc_t)
|
||||
')
|
||||
|
||||
optional_policy(`lvm.te',`
|
||||
#allow initrc_t lvm_control_t:chr_file unlink;
|
||||
|
||||
|
@ -543,6 +543,10 @@ template(`unpriv_user_template', `
|
||||
kerberos_use($1_t)
|
||||
')
|
||||
|
||||
optional_policy(`loadkeys.te',`
|
||||
loadkeys_run($1_t,$1_r,$1_tty_device_t)
|
||||
')
|
||||
|
||||
# for running depmod as part of the kernel packaging process
|
||||
optional_policy(`modutils.te',`
|
||||
modutils_read_module_conf($1_t)
|
||||
|
Loading…
Reference in New Issue
Block a user