From 3f41889daed837496e6c7e1d738fa3f8155e2bce Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Fri, 25 Nov 2005 19:09:08 +0000 Subject: [PATCH] add xfs --- refpolicy/Changelog | 1 + refpolicy/policy/modules/services/nis.te | 15 ++-- refpolicy/policy/modules/services/xfs.fc | 7 ++ refpolicy/policy/modules/services/xfs.if | 19 ++++ refpolicy/policy/modules/services/xfs.te | 92 ++++++++++++++++++++ refpolicy/policy/modules/services/zebra.te | 4 +- refpolicy/policy/modules/system/init.if | 31 +++++++ refpolicy/policy/modules/system/init.te | 7 ++ refpolicy/policy/modules/system/miscfiles.if | 24 ++++- 9 files changed, 189 insertions(+), 11 deletions(-) create mode 100644 refpolicy/policy/modules/services/xfs.fc create mode 100644 refpolicy/policy/modules/services/xfs.if create mode 100644 refpolicy/policy/modules/services/xfs.te diff --git a/refpolicy/Changelog b/refpolicy/Changelog index 3aabd64d..3b9500b6 100644 --- a/refpolicy/Changelog +++ b/refpolicy/Changelog @@ -27,6 +27,7 @@ rpc spamassassin xdm + xfs * Wed Oct 19 2005 Chris PeBenito - 20051019 - Many fixes to make loadable modules build. diff --git a/refpolicy/policy/modules/services/nis.te b/refpolicy/policy/modules/services/nis.te index 282ab382..93da74e6 100644 --- a/refpolicy/policy/modules/services/nis.te +++ b/refpolicy/policy/modules/services/nis.te @@ -1,5 +1,5 @@ -policy_module(nis,1.0) +policy_module(nis,1.0.1) ######################################## # @@ -38,13 +38,11 @@ files_pid_file(ypserv_var_run_t) dontaudit ypbind_t self:capability { net_admin sys_tty_config }; allow ypbind_t self:fifo_file rw_file_perms; +allow ypbind_t self:process signal_perms; allow ypbind_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms; allow ypbind_t self:netlink_route_socket r_netlink_socket_perms; - -allow ypbind_t self:tcp_socket { listen accept }; -allow ypbind_t self:tcp_socket { create connect ioctl read getattr write setattr append bind getopt setopt shutdown }; -allow ypbind_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown }; -allow ypserv_t self:udp_socket { ioctl read write create getattr setattr append bind getopt setopt shutdown connect }; +allow ypbind_t self:tcp_socket create_stream_socket_perms; +allow ypbind_t self:udp_socket create_socket_perms; allow ypbind_t ypbind_tmp_t:dir create_dir_perms; allow ypbind_t ypbind_tmp_t:file create_file_perms; @@ -137,10 +135,11 @@ optional_policy(`udev',` dontaudit ypserv_t self:capability sys_tty_config; allow ypserv_t self:fifo_file rw_file_perms; +allow ypserv_t self:process signal_perms; allow ypserv_t self:unix_dgram_socket create_socket_perms; allow ypserv_t self:netlink_route_socket r_netlink_socket_perms; - -allow ypserv_t self:tcp_socket { listen accept connected_socket_perms }; +allow ypserv_t self:tcp_socket connected_stream_socket_perms; +allow ypserv_t self:udp_socket create_socket_perms; allow ypserv_t var_yp_t:dir rw_dir_perms; allow ypserv_t var_yp_t:file create_file_perms; diff --git a/refpolicy/policy/modules/services/xfs.fc b/refpolicy/policy/modules/services/xfs.fc new file mode 100644 index 00000000..e5d320e4 --- /dev/null +++ b/refpolicy/policy/modules/services/xfs.fc @@ -0,0 +1,7 @@ + +/tmp/\.font-unix(/.*)? gen_context(system_u:object_r:xfs_tmp_t,s0) + +/usr/bin/xfstt -- gen_context(system_u:object_r:xfs_exec_t,s0) + +/usr/X11R6/bin/xfs -- gen_context(system_u:object_r:xfs_exec_t,s0) +/usr/X11R6/bin/xfs-xtt -- gen_context(system_u:object_r:xfs_exec_t,s0) diff --git a/refpolicy/policy/modules/services/xfs.if b/refpolicy/policy/modules/services/xfs.if new file mode 100644 index 00000000..676a628c --- /dev/null +++ b/refpolicy/policy/modules/services/xfs.if @@ -0,0 +1,19 @@ +## X Windows Font Server + +######################################## +## +## Read a X font server named socket. +## +## +## Domain allowed access. +## +# +interface(`xfs_read_socket',` + gen_require(` + type xfs_tmp_t; + ') + + files_search_tmp($1) + allow $1 xfs_tmp_t:dir search; + allow $1 xfs_tmp_t:sock_file { getattr read }; +') diff --git a/refpolicy/policy/modules/services/xfs.te b/refpolicy/policy/modules/services/xfs.te new file mode 100644 index 00000000..0ee64e1f --- /dev/null +++ b/refpolicy/policy/modules/services/xfs.te @@ -0,0 +1,92 @@ + +policy_module(xfs,1.0.0) + +######################################## +# +# Declarations +# + +type xfs_t; +type xfs_exec_t; +init_daemon_domain(xfs_t,xfs_exec_t) + +type xfs_tmp_t; +files_tmp_file(xfs_tmp_t) + +type xfs_var_run_t; +files_pid_file(xfs_var_run_t) + +######################################## +# +# Local policy +# + +allow xfs_t self:capability { setgid setuid }; +dontaudit xfs_t self:capability sys_tty_config; +allow xfs_t self:process { signal_perms setpgid }; +allow xfs_t self:unix_stream_socket create_stream_socket_perms; +allow xfs_t self:unix_dgram_socket create_socket_perms; + +allow xfs_t xfs_tmp_t:dir create_dir_perms; +allow xfs_t xfs_tmp_t:sock_file create_file_perms; +files_create_tmp_files(xfs_t, xfs_tmp_t, { sock_file dir }) + +allow xfs_t xfs_var_run_t:file create_file_perms; +allow xfs_t xfs_var_run_t:dir rw_dir_perms; +files_create_pid(xfs_t,xfs_var_run_t) + +# Bind to /tmp/.font-unix/fs-1. +# cjp: I do not believe this has an effect. +allow xfs_t xfs_tmp_t:unix_stream_socket name_bind; + +kernel_read_kernel_sysctl(xfs_t) +kernel_read_system_state(xfs_t) + +dev_read_sysfs(xfs_t) + +fs_getattr_all_fs(xfs_t) +fs_search_auto_mountpoints(xfs_t) + +term_dontaudit_use_console(xfs_t) + +domain_use_wide_inherit_fd(xfs_t) + +files_read_etc_files(xfs_t) +files_read_etc_runtime_files(xfs_t) + +init_use_fd(xfs_t) +init_use_script_pty(xfs_t) + +libs_use_ld_so(xfs_t) +libs_use_shared_libs(xfs_t) + +logging_send_syslog_msg(xfs_t) + +miscfiles_read_localization(xfs_t) +miscfiles_read_fonts(xfs_t) + +userdom_dontaudit_use_unpriv_user_fd(xfs_t) +userdom_dontaudit_search_sysadm_home_dir(xfs_t) + +ifdef(`distro_debian',` + # for /tmp/.font-unix/fs7100 + init_create_script_tmp(xfs_t,xfs_tmp_t,sock_file) +') + +ifdef(`targeted_policy',` + term_dontaudit_use_unallocated_tty(xfs_t) + term_dontaudit_use_generic_pty(xfs_t) + files_dontaudit_read_root_file(xfs_t) +') + +optional_policy(`nis',` + nis_use_ypbind(xfs_t) +') + +optional_policy(`selinuxutil',` + seutil_sigchld_newrole(xfs_t) +') + +optional_policy(`udev',` + udev_read_db(xfs_t) +') diff --git a/refpolicy/policy/modules/services/zebra.te b/refpolicy/policy/modules/services/zebra.te index 7a5b4bed..f08ecdf4 100644 --- a/refpolicy/policy/modules/services/zebra.te +++ b/refpolicy/policy/modules/services/zebra.te @@ -1,5 +1,5 @@ -policy_module(zebra,1.0) +policy_module(zebra,1.0.1) ######################################## # @@ -33,7 +33,7 @@ allow zebra_t self:process { signal_perms setcap }; allow zebra_t self:file { ioctl read write getattr lock append }; allow zebra_t self:unix_dgram_socket create_socket_perms; allow zebra_t self:unix_stream_socket { connectto create_stream_socket_perms }; -allow zebra_t self:netlink_route_socket r_netlink_socket_perms; +allow zebra_t self:netlink_route_socket rw_netlink_socket_perms; allow zebra_t self:tcp_socket connected_stream_socket_perms; allow zebra_t self:udp_socket create_socket_perms; allow zebra_t self:rawip_socket create_socket_perms; diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if index be74a654..54749bd2 100644 --- a/refpolicy/policy/modules/system/init.if +++ b/refpolicy/policy/modules/system/init.if @@ -752,6 +752,37 @@ interface(`init_rw_script_tmp_files',` allow $1 initrc_tmp_t:file rw_file_perms; ') +######################################## +## +## Create files in a init script +## temporary data directory. +## +## +## Domain allowed access. +## +## +## The type of the object to be created +## +## +## The object class. If not specified, file is used. +## +# +interface(`init_create_script_tmp',` + gen_require(` + type initrc_tmp_t; + ') + + files_search_tmp($1) + + allow $1 initrc_tmp_t:dir rw_dir_perms; + + ifelse(`$3',`',` + type_transition $1 initrc_tmp_t:file $2; + ',` + type_transition $1 initrc_tmp_t:$3 $2; + ') +') + ######################################## ## ## Get the attributes of init script process id files. diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te index 2f3e7854..ec04db5a 100644 --- a/refpolicy/policy/modules/system/init.te +++ b/refpolicy/policy/modules/system/init.te @@ -655,6 +655,13 @@ optional_policy(`sysnetwork',` sysnet_read_dhcpc_state(initrc_t) ') +optional_policy(`xfs',` + miscfiles_manage_fonts(initrc_t) + + # cjp: is this really needed? + xfs_read_socket(initrc_t) +') + optional_policy(`zebra',` zebra_read_config(initrc_t) ') diff --git a/refpolicy/policy/modules/system/miscfiles.if b/refpolicy/policy/modules/system/miscfiles.if index b5eec254..964d0fd7 100644 --- a/refpolicy/policy/modules/system/miscfiles.if +++ b/refpolicy/policy/modules/system/miscfiles.if @@ -31,15 +31,37 @@ interface(`miscfiles_read_fonts',` type fonts_t; ') + # cjp: fonts can be in either of these dirs files_search_usr($1) libs_search_lib($1) - # cjp: fonts can be in either of the above dirs allow $1 fonts_t:dir r_dir_perms; allow $1 fonts_t:file r_file_perms; allow $1 fonts_t:lnk_file { getattr read }; ') +######################################## +## +## Create, read, write, and delete fonts. +## +## +## Domain allowed access. +## +# +interface(`miscfiles_manage_fonts',` + gen_require(` + type fonts_t; + ') + + # cjp: fonts can be in either of these dirs + files_search_usr($1) + libs_search_lib($1) + + allow $1 fonts_t:dir create_dir_perms; + allow $1 fonts_t:file create_file_perms; + allow $1 fonts_t:lnk_file create_lnk_perms; +') + ######################################## ## ## Read hardware identification data.