add xfs

refpolicy/Changelog

@@ -27,6 +27,7 @@
 	rpc
 	spamassassin
 	xdm
+	xfs
 
 * Wed Oct 19 2005 Chris PeBenito <selinux@tresys.com> - 20051019
 - Many fixes to make loadable modules build.

refpolicy/policy/modules/services/nis.te

@@ -1,5 +1,5 @@
 
-policy_module(nis,1.0)
+policy_module(nis,1.0.1)
 
 ########################################
 #
@@ -38,13 +38,11 @@ files_pid_file(ypserv_var_run_t)
 
 dontaudit ypbind_t self:capability { net_admin sys_tty_config };
 allow ypbind_t self:fifo_file rw_file_perms;
+allow ypbind_t self:process signal_perms;
 allow ypbind_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms;
 allow ypbind_t self:netlink_route_socket r_netlink_socket_perms;
-
-allow ypbind_t self:tcp_socket { listen accept };
-allow ypbind_t self:tcp_socket { create connect ioctl read getattr write setattr append bind getopt setopt shutdown };
-allow ypbind_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown };
-allow ypserv_t self:udp_socket { ioctl read write create getattr setattr append bind getopt setopt shutdown connect };
+allow ypbind_t self:tcp_socket create_stream_socket_perms;
+allow ypbind_t self:udp_socket create_socket_perms;
 
 allow ypbind_t ypbind_tmp_t:dir create_dir_perms;
 allow ypbind_t ypbind_tmp_t:file create_file_perms;
@@ -137,10 +135,11 @@ optional_policy(`udev',`
 
 dontaudit ypserv_t self:capability sys_tty_config;
 allow ypserv_t self:fifo_file rw_file_perms;
+allow ypserv_t self:process signal_perms;
 allow ypserv_t self:unix_dgram_socket create_socket_perms;
 allow ypserv_t self:netlink_route_socket r_netlink_socket_perms;
-
-allow ypserv_t self:tcp_socket { listen accept connected_socket_perms };
+allow ypserv_t self:tcp_socket connected_stream_socket_perms;
+allow ypserv_t self:udp_socket create_socket_perms;
 
 allow ypserv_t var_yp_t:dir rw_dir_perms;
 allow ypserv_t var_yp_t:file create_file_perms;

refpolicy/policy/modules/services/xfs.fc

@@ -0,0 +1,7 @@
+
+/tmp/\.font-unix(/.*)?		gen_context(system_u:object_r:xfs_tmp_t,s0)
+
+/usr/bin/xfstt		--	gen_context(system_u:object_r:xfs_exec_t,s0)
+
+/usr/X11R6/bin/xfs	--	gen_context(system_u:object_r:xfs_exec_t,s0)
+/usr/X11R6/bin/xfs-xtt	--	gen_context(system_u:object_r:xfs_exec_t,s0)

refpolicy/policy/modules/services/xfs.if

@@ -0,0 +1,19 @@
+## <summary>X Windows Font Server </summary>
+
+########################################
+## <summary>
+##	Read a X font server named socket.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`xfs_read_socket',`
+	gen_require(`
+		type xfs_tmp_t;
+	')
+
+	files_search_tmp($1)
+	allow $1 xfs_tmp_t:dir search;
+	allow $1 xfs_tmp_t:sock_file { getattr read };
+')

refpolicy/policy/modules/services/xfs.te

@@ -0,0 +1,92 @@
+
+policy_module(xfs,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type xfs_t;
+type xfs_exec_t;
+init_daemon_domain(xfs_t,xfs_exec_t)
+
+type xfs_tmp_t;
+files_tmp_file(xfs_tmp_t)
+
+type xfs_var_run_t;
+files_pid_file(xfs_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow xfs_t self:capability { setgid setuid };
+dontaudit xfs_t self:capability sys_tty_config;
+allow xfs_t self:process { signal_perms setpgid };
+allow xfs_t self:unix_stream_socket create_stream_socket_perms;
+allow xfs_t self:unix_dgram_socket create_socket_perms;
+
+allow xfs_t xfs_tmp_t:dir create_dir_perms;
+allow xfs_t xfs_tmp_t:sock_file create_file_perms;
+files_create_tmp_files(xfs_t, xfs_tmp_t, { sock_file dir })
+
+allow xfs_t xfs_var_run_t:file create_file_perms;
+allow xfs_t xfs_var_run_t:dir rw_dir_perms;
+files_create_pid(xfs_t,xfs_var_run_t)
+
+# Bind to /tmp/.font-unix/fs-1.
+# cjp: I do not believe this has an effect.
+allow xfs_t xfs_tmp_t:unix_stream_socket name_bind;
+
+kernel_read_kernel_sysctl(xfs_t)
+kernel_read_system_state(xfs_t)
+
+dev_read_sysfs(xfs_t)
+
+fs_getattr_all_fs(xfs_t)
+fs_search_auto_mountpoints(xfs_t)
+
+term_dontaudit_use_console(xfs_t)
+
+domain_use_wide_inherit_fd(xfs_t)
+
+files_read_etc_files(xfs_t)
+files_read_etc_runtime_files(xfs_t)
+
+init_use_fd(xfs_t)
+init_use_script_pty(xfs_t)
+
+libs_use_ld_so(xfs_t)
+libs_use_shared_libs(xfs_t)
+
+logging_send_syslog_msg(xfs_t)
+
+miscfiles_read_localization(xfs_t)
+miscfiles_read_fonts(xfs_t)
+
+userdom_dontaudit_use_unpriv_user_fd(xfs_t)
+userdom_dontaudit_search_sysadm_home_dir(xfs_t)
+
+ifdef(`distro_debian',`
+	# for /tmp/.font-unix/fs7100
+	init_create_script_tmp(xfs_t,xfs_tmp_t,sock_file)
+')
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_tty(xfs_t)
+	term_dontaudit_use_generic_pty(xfs_t)
+	files_dontaudit_read_root_file(xfs_t)
+')
+
+optional_policy(`nis',`
+	nis_use_ypbind(xfs_t)
+')
+
+optional_policy(`selinuxutil',`
+	seutil_sigchld_newrole(xfs_t)
+')
+
+optional_policy(`udev',`
+	udev_read_db(xfs_t)
+')

refpolicy/policy/modules/services/zebra.te

@@ -1,5 +1,5 @@
 
-policy_module(zebra,1.0)
+policy_module(zebra,1.0.1)
 
 ########################################
 #
@@ -33,7 +33,7 @@ allow zebra_t self:process { signal_perms setcap };
 allow zebra_t self:file { ioctl read write getattr lock append };
 allow zebra_t self:unix_dgram_socket create_socket_perms;
 allow zebra_t self:unix_stream_socket { connectto create_stream_socket_perms };
-allow zebra_t self:netlink_route_socket r_netlink_socket_perms;
+allow zebra_t self:netlink_route_socket rw_netlink_socket_perms;
 allow zebra_t self:tcp_socket connected_stream_socket_perms;
 allow zebra_t self:udp_socket create_socket_perms;
 allow zebra_t self:rawip_socket create_socket_perms;

refpolicy/policy/modules/system/init.if

@@ -752,6 +752,37 @@ interface(`init_rw_script_tmp_files',`
 	allow $1 initrc_tmp_t:file rw_file_perms;
 ')
 
+########################################
+## <summary>
+##	Create files in a init script
+##	temporary data directory.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+## <param name="file_type">
+##	The type of the object to be created
+## </param>
+## <param name="object_class" optional="true">
+##	The object class.  If not specified, file is used.
+## </param>
+#
+interface(`init_create_script_tmp',`
+	gen_require(`
+		type initrc_tmp_t;
+	')
+
+	files_search_tmp($1)
+
+	allow $1 initrc_tmp_t:dir rw_dir_perms;
+
+	ifelse(`$3',`',`
+		type_transition $1 initrc_tmp_t:file $2;
+	',`
+		type_transition $1 initrc_tmp_t:$3 $2;
+	')
+')
+
 ########################################
 ## <summary>
 ##	Get the attributes of init script process id files.

refpolicy/policy/modules/system/init.te

@@ -655,6 +655,13 @@ optional_policy(`sysnetwork',`
 	sysnet_read_dhcpc_state(initrc_t)
 ')
 
+optional_policy(`xfs',`
+	miscfiles_manage_fonts(initrc_t)
+
+	# cjp: is this really needed?
+	xfs_read_socket(initrc_t)
+')
+
 optional_policy(`zebra',`
 	zebra_read_config(initrc_t)
 ')

refpolicy/policy/modules/system/miscfiles.if

@@ -31,15 +31,37 @@ interface(`miscfiles_read_fonts',`
 		type fonts_t;
 	')
 
+	# cjp: fonts can be in either of these dirs
 	files_search_usr($1)
 	libs_search_lib($1)
 
-	# cjp: fonts can be in either of the above dirs
 	allow $1 fonts_t:dir r_dir_perms;
 	allow $1 fonts_t:file r_file_perms;
 	allow $1 fonts_t:lnk_file { getattr read };
 ')
 
+########################################
+## <summary>
+##	Create, read, write, and delete fonts.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`miscfiles_manage_fonts',`
+	gen_require(`
+		type fonts_t;
+	')
+
+	# cjp: fonts can be in either of these dirs
+	files_search_usr($1)
+	libs_search_lib($1)
+
+	allow $1 fonts_t:dir create_dir_perms;
+	allow $1 fonts_t:file create_file_perms;
+	allow $1 fonts_t:lnk_file create_lnk_perms;
+')
+
 ########################################
 ## <summary>
 ##	Read hardware identification data.