From 50aca6d2f9c99e15b4d59ce8bf29c4d95c92fb87 Mon Sep 17 00:00:00 2001
From: Chris PeBenito <cpebenito@tresys.com>
Date: Fri, 15 Jul 2005 20:45:26 +0000
Subject: [PATCH] add raid (mdadm)

---
 refpolicy/Changelog                           |  1 +
 refpolicy/policy/modules/admin/dmesg.if       |  8 +-
 refpolicy/policy/modules/kernel/kernel.if     | 19 ++++
 refpolicy/policy/modules/system/raid.fc       |  5 ++
 refpolicy/policy/modules/system/raid.if       | 26 ++++++
 refpolicy/policy/modules/system/raid.te       | 89 +++++++++++++++++++
 refpolicy/policy/modules/system/userdomain.if | 25 +++++-
 7 files changed, 167 insertions(+), 6 deletions(-)
 create mode 100644 refpolicy/policy/modules/system/raid.fc
 create mode 100644 refpolicy/policy/modules/system/raid.if
 create mode 100644 refpolicy/policy/modules/system/raid.te

diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 3aa268c9..bc02f2f6 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -6,6 +6,7 @@
 		ipsec
 		nscd
 		pcmcia
+		raid
 
 20050707 (7 Jul 2005)
 	* Changed xml to have modules encapsulated by layer tags, rather
diff --git a/refpolicy/policy/modules/admin/dmesg.if b/refpolicy/policy/modules/admin/dmesg.if
index eebda7b2..baa77690 100644
--- a/refpolicy/policy/modules/admin/dmesg.if
+++ b/refpolicy/policy/modules/admin/dmesg.if
@@ -1,9 +1,9 @@
 ## <summary>Policy for dmesg.</summary>
 
 ########################################
-## <desc>
+## <summary>
 ##	Execute dmesg in the dmesg domain.
-## </desc>
+## </summary>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
@@ -26,9 +26,9 @@ interface(`dmesg_domtrans',`
 ')
 
 ########################################
-## <desc>
+## <summary>
 ##	Execute dmesg in the caller domain.
-## </desc>
+## </summary>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if
index 39521c1e..789a9107 100644
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@@ -403,6 +403,25 @@ interface(`kernel_read_software_raid_state',`
 	allow $1 proc_mdstat_t:file r_file_perms;
 ')
 
+#######################################
+## <summary>
+##	Allow caller to read and set the state information for software raid.
+## </summary>
+## <param name="domain">
+##	The process type reading software raid state.
+## </param>
+#
+interface(`kernel_rw_software_raid_state',`
+	gen_require(`
+		type proc_t, proc_mdstat_t;
+		class dir r_dir_perms;
+		class file rw_file_perms;
+	')
+
+	allow $1 proc_t:dir r_dir_perms;
+	allow $1 proc_mdstat_t:file rw_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Allows caller to get attribues of core kernel interface.
diff --git a/refpolicy/policy/modules/system/raid.fc b/refpolicy/policy/modules/system/raid.fc
new file mode 100644
index 00000000..c6126ed8
--- /dev/null
+++ b/refpolicy/policy/modules/system/raid.fc
@@ -0,0 +1,5 @@
+
+/sbin/mdadm		--	system_u:object_r:mdadm_exec_t
+/sbin/mdmpd		--	system_u:object_r:mdadm_exec_t
+
+/var/run/mdadm(/.*)?            system_u:object_r:mdadm_var_run_t 
diff --git a/refpolicy/policy/modules/system/raid.if b/refpolicy/policy/modules/system/raid.if
new file mode 100644
index 00000000..434ac36e
--- /dev/null
+++ b/refpolicy/policy/modules/system/raid.if
@@ -0,0 +1,26 @@
+## <summary>RAID array management tools</summary>
+
+########################################
+## <summary>
+##	Execute software raid tools in the mdadm domain.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`raid_domtrans_mdadm',`
+	gen_require(`
+		type mdadm_t, mdadm_exec_t;
+		class process sigchld;
+		class fd use;
+		class fifo_file rw_file_perms;
+	')
+
+	corecmd_search_sbin($1)
+	domain_auto_trans($1,mdadm_exec_t,mdadm_t)
+
+	allow $1 mdadm_t:fd use;
+	allow mdadm_t $1:fd use;
+	allow mdadm_t $1:fifo_file rw_file_perms;
+	allow mdadm_t $1:process sigchld;
+')
diff --git a/refpolicy/policy/modules/system/raid.te b/refpolicy/policy/modules/system/raid.te
new file mode 100644
index 00000000..43bb0aa8
--- /dev/null
+++ b/refpolicy/policy/modules/system/raid.te
@@ -0,0 +1,89 @@
+#DESC mdadm - Linux RAID tool
+#
+# Author: Colin Walters <walters@redhat.com>
+#
+
+type mdadm_t;
+type mdadm_exec_t;
+init_daemon_domain(mdadm_t,mdadm_exec_t)
+role system_r types mdadm_t;
+
+type mdadm_var_run_t;
+files_pid_file(mdadm_var_run_t)
+
+allow mdadm_t self:capability { dac_override sys_admin ipc_lock };
+dontaudit mdadm_t self:capability sys_tty_config;
+allow mdadm_t self:process { sigchld sigkill sigstop signull signal };
+
+allow mdadm_t mdadm_var_run_t:file create_file_perms;
+files_create_pid(mdadm_t,mdadm_var_run_t)
+
+kernel_read_system_state(mdadm_t)
+kernel_read_kernel_sysctl(mdadm_t)
+kernel_rw_software_raid_state(mdadm_t)
+
+dev_read_sysfs(mdadm_t)
+# Ignore attempts to read every device file
+dev_dontaudit_getattr_all_blk_files(mdadm_t)
+dev_dontaudit_getattr_all_chr_files(mdadm_t)
+
+fs_search_auto_mountpoints(mdadm_t)
+
+# RAID block device access
+storage_manage_fixed_disk(mdadm_t)
+
+term_dontaudit_use_console(mdadm_t)
+term_dontaudit_list_ptys(mdadm_t)
+
+# Helper program access
+corecmd_exec_bin(mdadm_t)
+corecmd_exec_sbin(mdadm_t)
+
+domain_use_wide_inherit_fd(mdadm_t)
+
+files_read_etc_files(mdadm_t)
+files_read_etc_runtime_files(mdadm_t)
+
+init_use_fd(mdadm_t)
+init_use_script_pty(mdadm_t)
+init_dontaudit_getattr_initctl(mdadm_t)
+
+libs_use_ld_so(mdadm_t)
+libs_use_shared_libs(mdadm_t)
+
+logging_send_syslog_msg(mdadm_t)
+
+miscfiles_read_localization(mdadm_t)
+
+userdom_dontaudit_use_unpriv_user_fd(mdadm_t)
+userdom_dontaudit_use_sysadm_tty(mdadm_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_tty(mdadm_t)
+	term_dontaudit_use_generic_pty(mdadm_t)
+	files_dontaudit_read_root_file(mdadm_t)
+')
+
+optional_policy(`rhgb.te',`
+	rhgb_domain(mdadm_t)
+')
+
+optional_policy(`selinux.te',`
+	seutil_sigchld_newrole(mdadm_t)
+')
+
+optional_policy(`udev.te', `
+	udev_read_db(mdadm_t)
+')
+
+ifdef(`TODO',`
+allow initrc_t mdadm_var_run_t:file create_file_perms;
+
+# Ignore attempts to read every device file
+dontaudit mdadm_t device_t:{ fifo_file file dir chr_file blk_file } { read getattr };
+
+# Other random ignores
+dontaudit mdadm_t tmpfs_t:dir r_dir_perms;
+
+allow mdadm_t var_t:dir getattr;
+') dnl TODO
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index cdedb608..5a25579a 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -1015,6 +1015,27 @@ interface(`userdom_use_sysadm_tty',`
 	')
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to use sysadm ttys.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`userdom_dontaudit_use_sysadm_tty',`
+	ifdef(`targeted_policy',`
+		term_dontaudit_use_unallocated_tty($1)
+	',`
+		gen_require(`
+			attribute sysadm_tty_device_t;
+			class chr_file { read write };
+		')
+
+		dontaudit $1 sysadm_tty_device_t:chr_file { read write };
+	')
+')
+
 ########################################
 ## <summary>
 ##	Read and write sysadm ptys.
@@ -1053,10 +1074,10 @@ interface(`userdom_use_sysadm_terms',`
 
 ########################################
 ## <summary>
-##	Do not audit attempts to use admin ttys and ptys.
+##	Do not audit attempts to use sysadm ttys and ptys.
 ## </summary>
 ## <param name="domain">
-##	The type of the process performing this action.
+##	Domain to not audit.
 ## </param>
 #
 interface(`userdom_dontaudit_use_sysadm_terms',`