From 87107917f3c1e6097c284811516ca5d70a064fea Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Wed, 4 Jan 2006 16:29:11 +0000
Subject: [PATCH] add ddcprobe

---
 refpolicy/Changelog | 1 +
 refpolicy/policy/modules/admin/ddcprobe.fc | 4 ++
 refpolicy/policy/modules/admin/ddcprobe.if | 47 ++++++++++++++++
 refpolicy/policy/modules/admin/ddcprobe.te | 55 +++++++++++++++++++
 refpolicy/policy/modules/admin/kudzu.if | 17 ++++++
 refpolicy/policy/modules/system/userdomain.te | 4 ++
 6 files changed, 128 insertions(+)
 create mode 100644 refpolicy/policy/modules/admin/ddcprobe.fc
 create mode 100644 refpolicy/policy/modules/admin/ddcprobe.if
 create mode 100644 refpolicy/policy/modules/admin/ddcprobe.te

diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 561f12ce..9d1ca783 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -4,6 +4,7 @@
 - Miscellaneous fixes from Dan Walsh.
 - Added modules:
 automount
+ ddcprobe
 fetchmail
 smartmon
 sysstat
diff --git a/refpolicy/policy/modules/admin/ddcprobe.fc b/refpolicy/policy/modules/admin/ddcprobe.fc
new file mode 100644
index 00000000..a38ca339
--- /dev/null
+++ b/refpolicy/policy/modules/admin/ddcprobe.fc
@@ -0,0 +1,4 @@
+#
+# /usr
+#
+/usr/sbin/ddcprobe -- gen_context(system_u:object_r:ddcprobe_exec_t,s0)
diff --git a/refpolicy/policy/modules/admin/ddcprobe.if b/refpolicy/policy/modules/admin/ddcprobe.if
new file mode 100644
index 00000000..dd008d72
--- /dev/null
+++ b/refpolicy/policy/modules/admin/ddcprobe.if
@@ -0,0 +1,47 @@
+## ddcprobe retrieves monitor and graphics card information
+
+########################################
+##
+## Execute ddcprobe in the ddcprobe domain.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`ddcprobe_domtrans',`
+ gen_require(`
+ type ddcprobe_t, ddcprobe_exec_t;
+ ')
+
+ domain_auto_trans($1,ddcprobe_exec_t,ddcprobe_t)
+
+ allow $1 ddcprobe_t:fd use;
+ allow ddcprobe_t $1:fd use;
+ allow ddcprobe_t $1:fifo_file rw_file_perms;
+ allow ddcprobe_t $1:process sigchld;
+')
+
+########################################
+##
+## Execute ddcprobe in the ddcprobe domain, and
+## allow the specified role the ddcprobe domain.
+##
+##
+## The type of the process performing this action.
+##
+##
+## Role to be authenticated for ddcprobe domain.
+##
+##
+## The type of the terminal allow the clock domain to use.
+##
+#
+interface(`ddcprobe_run',`
+ gen_require(`
+ type ddcprobe_t;
+ ')
+
+ ddcprobe_domtrans($1)
+ role $2 types ddcprobe_t;
+ allow ddcprobe_t $3:chr_file rw_term_perms;
+')
diff --git a/refpolicy/policy/modules/admin/ddcprobe.te b/refpolicy/policy/modules/admin/ddcprobe.te
new file mode 100644
index 00000000..80b47665
--- /dev/null
+++ b/refpolicy/policy/modules/admin/ddcprobe.te
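Review bot: The terminal parameter description of `ddcprobe_run` reads `The type of the terminal allow the clock domain to use.`, which was carried over from the clock interface; it should read `The type of the terminal allow the ddcprobe domain to use.` so the generated interface documentation names the right domain. The rest of the block mirrors the usual `*_domtrans`/`*_run` pair and looks consistent with `kudzu_run` as quoted in the kudzu.if hunk.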
@@ -0,0 +1,55 @@
+
+policy_module(ddcprobe,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type ddcprobe_t;
+type ddcprobe_exec_t;
+domain_type(ddcprobe_t)
+domain_entry_file(ddcprobe_t,ddcprobe_exec_t)
+role system_r types ddcprobe_t;
+
+########################################
+#
+# Local policy
+#
+
+allow ddcprobe_t self:capability { sys_rawio sys_admin };
+allow ddcprobe_t self:process execmem;
+
+kernel_read_system_state(ddcprobe_t)
+kernel_read_kernel_sysctl(ddcprobe_t)
+kernel_change_ring_buffer_level(ddcprobe_t)
+
+bootloader_search_kernel_modules(ddcprobe_t)
+
+corecmd_list_sbin(ddcprobe_t)
+corecmd_list_bin(ddcprobe_t)
+corecmd_exec_sbin(ddcprobe_t)
+
+dev_read_urand(ddcprobe_t)
+dev_read_raw_memory(ddcprobe_t)
+dev_wx_raw_memory(ddcprobe_t)
+
+files_read_etc_files(ddcprobe_t)
+files_read_etc_runtime_files(ddcprobe_t)
+files_read_usr_files(ddcprobe_t)
+
+term_use_all_user_ttys(ddcprobe_t)
+term_use_all_user_ptys(ddcprobe_t)
+
+libs_read_lib(ddcprobe_t)
+libs_use_ld_so(ddcprobe_t)
+libs_use_shared_libs(ddcprobe_t)
+
+miscfiles_read_localization(ddcprobe_t)
+
+modutils_read_mods_deps(ddcprobe_t)
+
+userdom_use_all_user_fd(ddcprobe_t)
+
+#reh why? this does not seem even necessary to function properly
+kudzu_getattr_exec_file(ddcprobe_t)
diff --git a/refpolicy/policy/modules/admin/kudzu.if b/refpolicy/policy/modules/admin/kudzu.if
index 16cb3a3d..f40c5f3c 100644
--- a/refpolicy/policy/modules/admin/kudzu.if
+++ b/refpolicy/policy/modules/admin/kudzu.if
@@ -49,3 +49,20 @@ interface(`kudzu_run',`
 role $2 types kudzu_t;
 allow kudzu_t $3:chr_file rw_term_perms;
 ')
+
+########################################
+##
+## Get attributes of kudzu executable.
+##
+##
+## The type of the process performing this action.
+##
+#
+# cjp: added for ddcprobe
+interface(`kudzu_getattr_exec_file',`
+ gen_require(`
+ type kudzu_exec_t;
+ ')
+
+ allow $1 kudzu_exec_t:file getattr;
+')
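Review bot: `dev_wx_raw_memory(ddcprobe_t)` combined with `sys_rawio`, `sys_admin` and `execmem` lets ddcprobe_t write and execute arbitrary physical memory, which is effectively unconfined hardware access, yet nothing in the module records why; a why-comment above the `dev_*_raw_memory` pair such as `# presumably needed to run real-mode BIOS/VBE code via /dev/mem — confirm against ddcprobe sources` would let the next reviewer judge whether the grant is still required. The `#reh why?` line ships a rule its own author doubts, and the kudzu.if hunk adds the whole `kudzu_getattr_exec_file` interface just to serve it; if the access is not needed for the probe to function, `dontaudit $1 kudzu_exec_t:file getattr;` in that interface (or dropping the call) is the lower-privilege option. `term_use_all_user_ttys`/`term_use_all_user_ptys` also grant every user terminal unconditionally even though `ddcprobe_run` already hands the domain the caller's terminal type via `$3`, so the blanket rules look redundant.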
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index a8a62ba5..2c8bab21 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -174,6 +174,10 @@ ifdef(`targeted_policy',`
 clock_run(sysadm_t,sysadm_r,admin_terminal)
 ')
 
+optional_policy(`ddcprobe',`
+ ddcprobe_run(sysadm_t,sysadm_r,admin_terminal)
+')
+
 optional_policy(`dmidecode',`
 dmidecode_run(sysadm_t,sysadm_r,admin_terminal)
 ')