add kudzu

refpolicy/Changelog

@@ -1,4 +1,6 @@
 - Fix errors uncovered by sediff.
+- Added policies:
+	kudzu
 
 * Thu Sep 22 2005 Chris PeBenito <selinux@tresys.com> - 20050922
 - Make logrotate, sendmail, sshd, and rpm policies

refpolicy/policy/modules/admin/kudzu.fc

@@ -0,0 +1,4 @@
+
+/sbin/kmodule	--	context_template(system_u:object_r:kudzu_exec_t,s0)
+
+/usr/sbin/kudzu	--	context_template(system_u:object_r:kudzu_exec_t,s0)

refpolicy/policy/modules/admin/kudzu.if

@@ -0,0 +1,51 @@
+## <summary>Hardware detection and configuration tools</summary>
+
+########################################
+## <summary>
+##	Execute kudzu in the kudzu domain.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`kudzu_domtrans',`
+	gen_require(`
+		type kudzu_t, kudzu_exec_t;
+		class process sigchld;
+		class fd use;
+		class fifo_file rw_file_perms;
+	')
+
+	domain_auto_trans($1,kudzu_exec_t,kudzu_t)
+
+	allow $1 kudzu_t:fd use;
+	allow kudzu_t $1:fd use;
+	allow kudzu_t $1:fifo_file rw_file_perms;
+	allow kudzu_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute kudzu in the kudzu domain, and
+##	allow the specified role the kudzu domain.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <param name="role">
+##	The role to be allowed the kudzu domain.
+## </param>
+## <param name="terminal">
+##	The type of the terminal allow the kudzu domain to use.
+## </param>
+#
+interface(`kudzu_run',`
+	gen_require(`
+		type kudzu_t;
+		class chr_file rw_term_perms;
+	')
+
+	kudzu_domtrans($1)
+	role $2 types kudzu_t;
+	allow kudzu_t $3:chr_file rw_term_perms;
+')

refpolicy/policy/modules/admin/kudzu.te

@@ -0,0 +1,162 @@
+
+policy_module(kudzu,1.0)
+
+########################################
+#
+# Declarations
+#
+
+type kudzu_t;
+type kudzu_exec_t;
+init_system_domain(kudzu_t,kudzu_exec_t)
+
+type kudzu_tmp_t;
+files_tmp_file(kudzu_tmp_t)
+
+type kudzu_var_run_t;
+files_pid_file(kudzu_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod };
+dontaudit kudzu_t self:capability sys_tty_config;
+allow kudzu_t self:process signal_perms;
+allow kudzu_t self:fifo_file rw_file_perms;
+allow kudzu_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow kudzu_t self:unix_dgram_socket create_socket_perms;
+allow kudzu_t self:udp_socket { create ioctl };
+
+allow kudzu_t kudzu_tmp_t:{ dir } create_file_perms;
+allow kudzu_t kudzu_tmp_t:{ file chr_file } create_file_perms;
+files_create_tmp_files(kudzu_t, kudzu_tmp_t, { file dir chr_file })
+
+allow kudzu_t kudzu_var_run_t:file create_file_perms;
+allow kudzu_t kudzu_var_run_t:dir create_dir_perms;
+files_create_pid(kudzu_t,kudzu_var_run_t)
+
+kernel_change_ring_buffer_level(kudzu_t)
+kernel_list_proc(kudzu_t)
+kernel_read_device_sysctl(kudzu_t)
+kernel_read_kernel_sysctl(kudzu_t)
+kernel_read_proc_symlinks(kudzu_t)
+kernel_read_network_state(kudzu_t)
+kernel_read_system_state(kudzu_t)
+kernel_rw_hotplug_sysctl(kudzu_t)
+kernel_rw_kernel_sysctl(kudzu_t)
+
+bootloader_read_kernel_modules(kudzu_t)
+
+dev_list_sysfs(kudzu_t)
+dev_read_usbfs(kudzu_t)
+dev_read_sysfs(kudzu_t)
+dev_rx_raw_memory(kudzu_t)
+dev_wx_raw_memory(kudzu_t)
+dev_rw_mouse(kudzu_t)
+dev_rwx_zero_dev(kudzu_t)
+
+fs_search_auto_mountpoints(kudzu_t)
+fs_search_ramfs(kudzu_t)
+fs_write_ramfs_socket(kudzu_t)
+
+modutils_read_mods_deps(kudzu_t)
+
+storage_read_scsi_generic(kudzu_t)
+storage_read_tape_device(kudzu_t)
+storage_raw_write_fixed_disk(kudzu_t)
+storage_raw_read_fixed_disk(kudzu_t)
+
+term_search_ptys(kudzu_t)
+term_dontaudit_use_console(kudzu_t)
+# so it can write messages to the console
+term_use_unallocated_tty(kudzu_t)
+
+corecmd_exec_sbin(kudzu_t)
+corecmd_exec_bin(kudzu_t)
+
+domain_exec_all_entry_files(kudzu_t)
+domain_use_wide_inherit_fd(kudzu_t)
+
+files_search_var(kudzu_t)
+files_search_locks(kudzu_t)
+files_exec_etc_files(kudzu_t)
+files_manage_etc_files(kudzu_t)
+files_manage_etc_runtime_files(kudzu_t)
+files_manage_mnt_files(kudzu_t)
+files_manage_mnt_symlinks(kudzu_t)
+files_dontaudit_search_src(kudzu_t)
+# Read /usr/share/hwdata/.* and /usr/share/terminfo/l/linux
+files_read_usr_files(kudzu_t)
+# for /etc/sysconfig/hwconf - probably need a new type
+files_rw_etc_runtime_files(kudzu_t)
+# for file systems that are not yet mounted
+files_dontaudit_search_isid_type_dir(kudzu_t)
+
+init_use_fd(kudzu_t)
+init_use_script_pty(kudzu_t)
+init_unix_connect_script(kudzu_t)
+
+libs_exec_ld_so(kudzu_t)
+libs_exec_lib_files(kudzu_t)
+libs_use_ld_so(kudzu_t)
+libs_use_shared_libs(kudzu_t)
+# Read /usr/lib/gconv/gconv-modules.*
+libs_read_lib(kudzu_t)
+
+logging_send_syslog_msg(kudzu_t)
+
+miscfiles_read_localization(kudzu_t)
+
+modutils_read_module_conf(kudzu_t)
+
+sysnet_read_config(kudzu_t)
+
+userdom_search_sysadm_home_dir(kudzu_t)
+userdom_dontaudit_use_unpriv_user_fd(kudzu_t)
+
+ifdef(`targeted_policy',`
+        term_dontaudit_use_unallocated_tty(kudzu_t)
+        term_dontaudit_use_generic_pty(kudzu_t)
+        files_dontaudit_read_root_file(kudzu_t)
+')
+
+tunable_policy(`allow_execmem',`
+	allow kudzu_t self:process execmem;
+')
+
+optional_policy(`gpm.te',`
+	gpm_getattr_gpmctl(kudzu_t)
+')
+
+optional_policy(`selinuxutil.te',`
+        seutil_sigchld_newrole(kudzu_t)
+')
+
+optional_policy(`udev.te',`
+        udev_read_db(kudzu_t)
+')
+
+ifdef(`TODO',`
+optional_policy(`rhgb.te',`
+        rhgb_domain(kudzu_t)
+')
+optional_policy(`anaconda.te', `
+	domain_auto_trans(anaconda_t, kudzu_exec_t, kudzu_t)
+')
+optional_policy(`lpd.te',`
+	allow kudzu_t printconf_t:file { getattr read };
+')
+optional_policy(`xserver.te',`
+	allow kudzu_t xserver_exec_t:file getattr;
+')
+optional_policy(`rhgb.te',`
+	allow kudzu_t rhgb_t:unix_stream_socket connectto;
+')
+optional_policy(`userhelper.te',`
+	role system_r types sysadm_userhelper_t;
+	domain_auto_trans(kudzu_t, userhelper_exec_t, sysadm_userhelper_t)
+')
+allow kudzu_t cupsd_rw_etc_t:dir r_dir_perms;
+')

refpolicy/policy/modules/kernel/devices.if

@@ -1433,6 +1433,23 @@ interface(`dev_read_mouse',`
 	allow $1 mouse_device_t:chr_file r_file_perms;
 ')
 
+########################################
+## <summary>
+##      Read and write to mouse devices.
+## </summary>
+## <param name="domain">
+##      Domain allowed access.
+## </param>
+#
+interface(`dev_rw_mouse',`
+	gen_require(`
+		type device_t, mouse_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 mouse_device_t:chr_file rw_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Read the mtrr device.

refpolicy/policy/modules/kernel/filesystem.if

@@ -1449,6 +1449,38 @@ interface(`fs_getattr_ramfs',`
 	allow $1 ramfs_t:filesystem getattr;
 ')
 
+########################################
+## <summary>
+##	Search directories on a ramfs
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`fs_search_ramfs',`
+	gen_require(`
+		type ramfs_t;
+	')
+
+	allow $1 ramfs_t:dir search;
+')
+
+########################################
+## <summary>
+##	Write to named socket on a ramfs filesystem.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`fs_write_ramfs_socket',`
+	gen_require(`
+		type ramfs_t;
+	')
+
+	allow $1 ramfs_t:sock_file write;
+')
+
 ########################################
 ## <summary>
 ##	Mount a ROM filesystem.

refpolicy/policy/modules/kernel/storage.if

@@ -335,11 +335,10 @@ interface(`storage_read_scsi_generic',`
 	gen_require(`
 		attribute scsi_generic_read;
 		type scsi_generic_device_t;
-		class blk_file r_file_perms;
 	')
 
 	dev_list_all_dev_nodes($1)
-	allow $1 scsi_generic_device_t:blk_file r_file_perms;
+	allow $1 scsi_generic_device_t:chr_file r_file_perms;
 	typeattribute $1 scsi_generic_read;
 ')
 
@@ -554,11 +553,10 @@ interface(`storage_raw_write_removable_device',`
 interface(`storage_read_tape_device',`
 	gen_require(`
 		type tape_device_t;
-		class blk_file r_file_perms;
 	')
 
 	dev_list_all_dev_nodes($1)
-	allow $1 tape_device_t:blk_file r_file_perms;
+	allow $1 tape_device_t:chr_file r_file_perms;
 ')
 
 ########################################

refpolicy/policy/modules/kernel/terminal.if

@@ -15,7 +15,6 @@ interface(`term_pty',`
 	gen_require(`
 		attribute ptynode;
 		type devpts_t;
-		class filesystem associate;
 	')
 
 	allow $1 devpts_t:filesystem associate;
@@ -105,9 +104,6 @@ interface(`term_tty',`
 interface(`term_create_pty',`
 	gen_require(`
 		type bsdpty_device_t, devpts_t, ptmx_t;
-		class filesystem getattr;
-		class dir r_dir_perms;
-		class chr_file rw_file_perms;
 	')
 
 	dev_list_all_dev_nodes($1)
@@ -132,8 +128,6 @@ interface(`term_use_all_terms',`
 	gen_require(`
 		attribute ttynode, ptynode;
 		type console_device_t, devpts_t, tty_device_t;
-		class dir r_dir_perms;
-		class chr_file rw_file_perms;
 	')
 
 	dev_list_all_dev_nodes($1)
@@ -152,7 +146,6 @@ interface(`term_use_all_terms',`
 interface(`term_write_console',`
 	gen_require(`
 		type console_device_t;
-		class chr_file write;
 	')
 
 	dev_list_all_dev_nodes($1)
@@ -170,7 +163,6 @@ interface(`term_write_console',`
 interface(`term_use_console',`
 	gen_require(`
 		type console_device_t;
-		class chr_file rw_file_perms;
 	')
 
 	dev_list_all_dev_nodes($1)
@@ -189,7 +181,6 @@ interface(`term_use_console',`
 interface(`term_dontaudit_use_console',`
 	gen_require(`
 		type console_device_t;
-		class chr_file { read write };
 	')
 
 	dontaudit $1 console_device_t:chr_file { read write };
@@ -207,7 +198,6 @@ interface(`term_dontaudit_use_console',`
 interface(`term_setattr_console',`
 	gen_require(`
 		type console_device_t;
-		class chr_file setattr;
 	')
 
 	dev_list_all_dev_nodes($1)
@@ -232,6 +222,23 @@ interface(`term_dontaudit_getattr_pty_dir',`
 	dontaudit $1 devpts_t:dir getattr;
 ')
 
+########################################
+## <summary>
+##	Search the contents of the /dev/pts directory.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`term_search_ptys',`
+	gen_require(`
+		type devpts_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 devpts_t:dir search;
+')
+
 ########################################
 ## <summary>
 ##	Read the /dev/pts directory to

refpolicy/policy/modules/services/gpm.if

@@ -36,7 +36,7 @@ interface(`gpm_dontaudit_getattr_gpmctl',`
 	')
 
 	dev_list_all_dev_nodes($1)
-	allow $1 gpmctl_t:sock_file getattr;
+	dontaudit $1 gpmctl_t:sock_file getattr;
 ')
 
 ########################################

refpolicy/policy/modules/system/files.if

@@ -1917,6 +1917,19 @@ interface(`files_exec_usr_files',`
 
 ')
 
+########################################
+#
+# files_dontaudit_search_src(domain)
+#
+interface(`files_dontaudit_search_src',`
+        gen_require(`
+                type src_t;
+                class dir search;
+        ')
+
+        allow $1 src_t:dir search;
+')
+
 ########################################
 #
 # files_read_usr_src_files(domain)

refpolicy/policy/modules/system/init.if

@@ -390,6 +390,23 @@ interface(`init_run_daemon',`
 	dontaudit direct_init $3:chr_file rw_file_perms;
 ')
 
+########################################
+## <summary>
+##	Allow the specified domain to connect to
+##	init scripts with a unix domain stream socket.
+## </summary>
+## <param name="domain">
+##      Domain allowed access.
+## </param>
+#
+interface(`init_unix_connect_script',`
+	gen_require(`
+		type initrc_t;
+	')
+
+	allow $1 initrc_t:unix_stream_socket connectto;
+')
+
 ########################################
 ## <summary>
 ##	Read init scripts.

refpolicy/policy/modules/system/userdomain.te

@@ -162,16 +162,20 @@ ifdef(`targeted_policy',`
 		lvm_run(sysadm_t,sysadm_r,admin_terminal)
 	')
 
+	optional_policy(`logrotate.te',`
+		logrotate_run(sysadm_t,sysadm_r,admin_terminal)
+	')
+
+	optional_policy(`kudzu.te',`
+		kudzu_run(sysadm_t,sysadm_r,admin_terminal)
+	')
+
 	optional_policy(`modutils.te',`
 		modutils_run_depmod(sysadm_t,sysadm_r,admin_terminal)
 		modutils_run_insmod(sysadm_t,sysadm_r,admin_terminal)
 		modutils_run_update_mods(sysadm_t,sysadm_r,admin_terminal)
 	')
 
-	optional_policy(`logrotate.te',`
-		logrotate_run(sysadm_t,sysadm_r,admin_terminal)
-	')
-
 	optional_policy(`mount.te',`
 		mount_run(sysadm_t,sysadm_r,admin_terminal)
 	')