add policykit from dan.
This commit is contained in:
Chris PeBenito
parent
b67201eae7
commit
9e90ce33db
|
|
@ -0,0 +1,10 @@
|
|||
/usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
|
||||
/usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0)
|
||||
/usr/libexec/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
|
||||
/usr/libexec/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
|
||||
|
||||
/var/lib/misc/PolicyKit.reload gen_context(system_u:object_r:policykit_reload_t,s0)
|
||||
/var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
|
||||
/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
|
||||
/var/run/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_run_t,s0)
|
||||
|
||||
|
|
@ -0,0 +1,212 @@
|
|||
## <summary>Policy framework for controlling privileges for system-wide services.</summary>
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send and receive messages from
|
||||
## policykit over dbus.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`policykit_dbus_chat',`
|
||||
gen_require(`
|
||||
type policykit_t;
|
||||
class dbus send_msg;
|
||||
')
|
||||
|
||||
allow $1 policykit_t:dbus send_msg;
|
||||
allow policykit_t $1:dbus send_msg;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute a domain transition to run polkit_auth.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed to transition.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`policykit_domtrans_auth',`
|
||||
gen_require(`
|
||||
type policykit_auth_t, policykit_auth_exec_t;
|
||||
')
|
||||
|
||||
domtrans_pattern($1, policykit_auth_exec_t, policykit_auth_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute a policy_auth in the policy_auth domain, and
|
||||
## allow the specified role the policy_auth domain,
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role to be allowed the load_policy domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`policykit_run_auth',`
|
||||
gen_require(`
|
||||
type policykit_auth_t;
|
||||
')
|
||||
|
||||
policykit_domtrans_auth($1)
|
||||
role $2 types policykit_auth_t;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute a domain transition to run polkit_grant.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed to transition.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`policykit_domtrans_grant',`
|
||||
gen_require(`
|
||||
type policykit_grant_t, policykit_grant_exec_t;
|
||||
')
|
||||
|
||||
domtrans_pattern($1, policykit_grant_exec_t, policykit_grant_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute a policy_grant in the policy_grant domain, and
|
||||
## allow the specified role the policy_grant domain,
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role to be allowed the load_policy domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`policykit_run_grant',`
|
||||
gen_require(`
|
||||
type policykit_grant_t;
|
||||
')
|
||||
|
||||
policykit_domtrans_grant($1)
|
||||
role $2 types policykit_grant_t;
|
||||
|
||||
allow $1 policykit_grant_t:process signal;
|
||||
|
||||
ps_process_pattern(policykit_grant_t, $1)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## read policykit reload files
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`policykit_read_reload',`
|
||||
gen_require(`
|
||||
type policykit_reload_t;
|
||||
')
|
||||
|
||||
files_search_var_lib($1)
|
||||
read_files_pattern($1, policykit_reload_t, policykit_reload_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## rw policykit reload files
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`policykit_rw_reload',`
|
||||
gen_require(`
|
||||
type policykit_reload_t;
|
||||
')
|
||||
|
||||
files_search_var_lib($1)
|
||||
rw_files_pattern($1, policykit_reload_t, policykit_reload_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute a domain transition to run polkit_resolve.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed to transition.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`policykit_domtrans_resolve',`
|
||||
gen_require(`
|
||||
type policykit_resolve_t, policykit_resolve_exec_t;
|
||||
')
|
||||
|
||||
domtrans_pattern($1, policykit_resolve_exec_t, policykit_resolve_t)
|
||||
|
||||
ps_process_pattern(policykit_resolve_t $1)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Search policykit lib directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`policykit_search_lib',`
|
||||
gen_require(`
|
||||
type policykit_var_lib_t;
|
||||
')
|
||||
|
||||
allow $1 policykit_var_lib_t:dir search_dir_perms;
|
||||
files_search_var_lib($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## read policykit lib files
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`policykit_read_lib',`
|
||||
gen_require(`
|
||||
type policykit_var_lib_t;
|
||||
')
|
||||
|
||||
files_search_var_lib($1)
|
||||
read_files_pattern($1, policykit_var_lib_t, policykit_var_lib_t)
|
||||
|
||||
# Broken placement
|
||||
cron_read_system_job_lib_files($1)
|
||||
')
|
||||
|
|
@ -0,0 +1,208 @@
|
|||
|
||||
policy_module(policykit, 1.0.0)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
type policykit_t alias polkit_t;
|
||||
type policykit_exec_t alias polkit_exec_t;
|
||||
init_daemon_domain(policykit_t, policykit_exec_t)
|
||||
|
||||
type policykit_auth_t alias polkit_auth_t;
|
||||
type policykit_auth_exec_t alias polkit_auth_exec_t;
|
||||
init_daemon_domain(policykit_auth_t, policykit_auth_exec_t)
|
||||
|
||||
type policykit_grant_t alias polkit_grant_t;
|
||||
type policykit_grant_exec_t alias polkit_grant_exec_t;
|
||||
init_system_domain(policykit_grant_t, policykit_grant_exec_t)
|
||||
|
||||
type policykit_resolve_t alias polkit_resolve_t;
|
||||
type policykit_resolve_exec_t alias polkit_resolve_exec_t;
|
||||
init_system_domain(policykit_resolve_t, policykit_resolve_exec_t)
|
||||
|
||||
type policykit_reload_t alias polkit_reload_t;
|
||||
files_type(policykit_reload_t)
|
||||
|
||||
type policykit_var_lib_t alias polkit_var_lib_t;
|
||||
files_type(policykit_var_lib_t)
|
||||
|
||||
type policykit_var_run_t alias polkit_var_run_t;
|
||||
files_pid_file(policykit_var_run_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# policykit local policy
|
||||
#
|
||||
|
||||
allow policykit_t self:capability { setgid setuid };
|
||||
allow policykit_t self:process getattr;
|
||||
allow policykit_t self:fifo_file rw_file_perms;
|
||||
allow policykit_t self:unix_dgram_socket create_socket_perms;
|
||||
allow policykit_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
||||
policykit_domtrans_auth(policykit_t)
|
||||
|
||||
can_exec(policykit_t, policykit_exec_t)
|
||||
corecmd_exec_bin(policykit_t)
|
||||
|
||||
rw_files_pattern(policykit_t, policykit_reload_t, policykit_reload_t)
|
||||
|
||||
policykit_domtrans_resolve(policykit_t)
|
||||
|
||||
manage_files_pattern(policykit_t, policykit_var_lib_t, policykit_var_lib_t)
|
||||
|
||||
manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
|
||||
manage_files_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
|
||||
files_pid_filetrans(policykit_t, policykit_var_run_t, { file dir })
|
||||
|
||||
kernel_read_kernel_sysctls(policykit_t)
|
||||
|
||||
files_read_etc_files(policykit_t)
|
||||
files_read_usr_files(policykit_t)
|
||||
|
||||
auth_use_nsswitch(policykit_t)
|
||||
|
||||
logging_send_syslog_msg(policykit_t)
|
||||
|
||||
miscfiles_read_localization(policykit_t)
|
||||
|
||||
userdom_read_all_users_state(policykit_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# polkit_auth local policy
|
||||
#
|
||||
|
||||
allow policykit_auth_t self:capability setgid;
|
||||
allow policykit_auth_t self:process getattr;
|
||||
allow policykit_auth_t self:fifo_file rw_file_perms;
|
||||
allow policykit_auth_t self:unix_dgram_socket create_socket_perms;
|
||||
allow policykit_auth_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
||||
can_exec(policykit_auth_t, policykit_auth_exec_t)
|
||||
corecmd_search_bin(policykit_auth_t)
|
||||
|
||||
rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t)
|
||||
|
||||
manage_files_pattern(policykit_auth_t, policykit_var_lib_t, policykit_var_lib_t)
|
||||
|
||||
manage_dirs_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
|
||||
manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
|
||||
files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir })
|
||||
|
||||
files_read_etc_files(policykit_auth_t)
|
||||
files_read_usr_files(policykit_auth_t)
|
||||
|
||||
auth_use_nsswitch(policykit_auth_t)
|
||||
|
||||
logging_send_syslog_msg(policykit_auth_t)
|
||||
|
||||
miscfiles_read_localization(policykit_auth_t)
|
||||
|
||||
userdom_dontaudit_read_user_home_content_files(policykit_auth_t)
|
||||
|
||||
optional_policy(`
|
||||
dbus_session_bus_client(policykit_auth_t)
|
||||
|
||||
optional_policy(`
|
||||
consolekit_dbus_chat(policykit_auth_t)
|
||||
')
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
kernel_search_proc(policykit_auth_t)
|
||||
hal_read_state(policykit_auth_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# polkit_grant local policy
|
||||
#
|
||||
|
||||
allow policykit_grant_t self:capability setuid;
|
||||
allow policykit_grant_t self:process getattr;
|
||||
allow policykit_grant_t self:fifo_file rw_file_perms;
|
||||
allow policykit_grant_t self:unix_dgram_socket create_socket_perms;
|
||||
allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
||||
policykit_domtrans_auth(policykit_grant_t)
|
||||
|
||||
policykit_domtrans_resolve(policykit_grant_t)
|
||||
|
||||
can_exec(policykit_grant_t, policykit_grant_exec_t)
|
||||
corecmd_search_bin(policykit_grant_t)
|
||||
|
||||
rw_files_pattern(policykit_grant_t, policykit_reload_t, policykit_reload_t)
|
||||
|
||||
manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t)
|
||||
|
||||
manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t)
|
||||
|
||||
files_read_etc_files(policykit_grant_t)
|
||||
files_read_usr_files(policykit_grant_t)
|
||||
|
||||
auth_use_nsswitch(policykit_grant_t)
|
||||
auth_domtrans_chk_passwd(policykit_grant_t)
|
||||
|
||||
logging_send_syslog_msg(policykit_grant_t)
|
||||
|
||||
miscfiles_read_localization(policykit_grant_t)
|
||||
|
||||
userdom_read_all_users_state(policykit_grant_t)
|
||||
|
||||
optional_policy(`
|
||||
dbus_system_bus_client(policykit_grant_t)
|
||||
|
||||
optional_policy(`
|
||||
consolekit_dbus_chat(policykit_grant_t)
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# polkit_resolve local policy
|
||||
#
|
||||
|
||||
allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace };
|
||||
allow policykit_resolve_t self:process getattr;
|
||||
allow policykit_resolve_t self:fifo_file rw_file_perms;
|
||||
allow policykit_resolve_t self:unix_dgram_socket create_socket_perms;
|
||||
allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
||||
policykit_domtrans_auth(policykit_resolve_t)
|
||||
|
||||
read_files_pattern(policykit_resolve_t, policykit_reload_t, policykit_reload_t)
|
||||
|
||||
read_files_pattern(policykit_resolve_t, policykit_var_lib_t, policykit_var_lib_t)
|
||||
|
||||
can_exec(policykit_resolve_t, policykit_resolve_exec_t)
|
||||
corecmd_search_bin(policykit_resolve_t)
|
||||
|
||||
files_read_etc_files(policykit_resolve_t)
|
||||
files_read_usr_files(policykit_resolve_t)
|
||||
|
||||
mcs_ptrace_all(policykit_resolve_t)
|
||||
|
||||
auth_use_nsswitch(policykit_resolve_t)
|
||||
|
||||
logging_send_syslog_msg(policykit_resolve_t)
|
||||
|
||||
miscfiles_read_localization(policykit_resolve_t)
|
||||
|
||||
userdom_read_all_users_state(policykit_resolve_t)
|
||||
|
||||
optional_policy(`
|
||||
dbus_system_bus_client(policykit_resolve_t)
|
||||
|
||||
optional_policy(`
|
||||
consolekit_dbus_chat(policykit_resolve_t)
|
||||
')
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
kernel_search_proc(policykit_resolve_t)
|
||||
hal_read_state(policykit_resolve_t)
|
||||
')
|
||||
|
||||
Loading…
Reference in New Issue