change dmesg and loadkeys behavior to aliasing, and enable modules

refpolicy/policy/modules.conf

@@ -175,7 +175,7 @@ quota = off
 #
 # Policy for dmesg.
 # 
-dmesg = off
+dmesg = base
 
 # Layer: admin
 # Module: logrotate
@@ -231,7 +231,7 @@ webalizer = base
 #
 # Load keyboard mappings.
 # 
-loadkeys = off
+loadkeys = base
 
 # Layer: apps
 # Module: gpg

refpolicy/policy/modules/admin/dmesg.if

@@ -9,20 +9,22 @@
 ## </param>
 #
 interface(`dmesg_domtrans',`
-	gen_require(`
+	ifdef(`targeted_policy',`
-		type dmesg_t, dmesg_exec_t;
+		# $0(): disabled in targeted policy as there
-		class process sigchld;
+		# is no dmesg domain.
-		class fd use;
+	',`
-		class fifo_file rw_file_perms;
+		gen_require(`
+			type dmesg_t, dmesg_exec_t;
+		')
+
+		corecmd_search_sbin($1)
+		domain_auto_trans($1,dmesg_exec_t,dmesg_t)
+
+		allow $1 dmesg_t:fd use;
+		allow dmesg_t $1:fd use;
+		allow dmesg_t $1:fifo_file rw_file_perms;
+		allow dmesg_t $1:process sigchld;
 	')
-
-	corecmd_search_sbin($1)
-	domain_auto_trans($1,dmesg_exec_t,dmesg_t)
-
-	allow $1 dmesg_t:fd use;
-	allow dmesg_t $1:fd use;
-	allow dmesg_t $1:fifo_file rw_file_perms;
-	allow dmesg_t $1:process sigchld;
 ')
 
 ########################################
@@ -34,11 +36,17 @@ interface(`dmesg_domtrans',`
 ## </param>
 #
 interface(`dmesg_exec',`
-	gen_require(`
+	ifdef(`targeted_policy',`
-		type dmesg_exec_t;
+		# $0(): the dmesg program is an alias
-	')
+		# of generic bin programs.
+		corecmd_exec_bin($1)
+	',`
+		gen_require(`
+			type dmesg_exec_t;
+		')
 
-	corecmd_search_sbin($1)
+		corecmd_search_sbin($1)
-	can_exec($1,dmesg_exec_t)
+		can_exec($1,dmesg_exec_t)
+	')
 ')
 

refpolicy/policy/modules/admin/dmesg.te

@@ -6,70 +6,73 @@ policy_module(dmesg, 1.0)
 # Declarations
 #
 
-type dmesg_t;
+ifdef(`targeted_policy',`
-type dmesg_exec_t;
+	# for compatibility with strict:
-init_system_domain(dmesg_t,dmesg_exec_t)
+	corecmd_bin_alias(dmesg_exec_t)
-role system_r types dmesg_t;
+',`
+	type dmesg_t;
+	type dmesg_exec_t;
+	init_system_domain(dmesg_t,dmesg_exec_t)
+	role system_r types dmesg_t;
+')
 
 ########################################
 #
 # Local policy
 #
 
-allow dmesg_t self:capability sys_admin;
+ifdef(`targeted_policy',`
-dontaudit dmesg_t self:capability sys_tty_config;
+	# dmesg domain disabled in targeted policy
+',`
+	allow dmesg_t self:capability sys_admin;
+	dontaudit dmesg_t self:capability sys_tty_config;
 
-allow dmesg_t self:process signal_perms;
+	allow dmesg_t self:process signal_perms;
 
-kernel_read_kernel_sysctl(dmesg_t)
+	kernel_read_kernel_sysctl(dmesg_t)
-kernel_read_ring_buffer(dmesg_t)
+	kernel_read_ring_buffer(dmesg_t)
-kernel_clear_ring_buffer(dmesg_t)
+	kernel_clear_ring_buffer(dmesg_t)
-kernel_change_ring_buffer_level(dmesg_t)
+	kernel_change_ring_buffer_level(dmesg_t)
-kernel_list_proc(dmesg_t)
+	kernel_list_proc(dmesg_t)
-kernel_read_proc_symlinks(dmesg_t)
+	kernel_read_proc_symlinks(dmesg_t)
 
-dev_read_sysfs(dmesg_t)
+	dev_read_sysfs(dmesg_t)
 
-fs_search_auto_mountpoints(dmesg_t)
+	fs_search_auto_mountpoints(dmesg_t)
 
-term_dontaudit_use_console(dmesg_t)
+	term_dontaudit_use_console(dmesg_t)
 
-domain_use_wide_inherit_fd(dmesg_t)
+	domain_use_wide_inherit_fd(dmesg_t)
 
-files_list_etc(dmesg_t)
+	files_list_etc(dmesg_t)
-# for when /usr is not mounted:
+	# for when /usr is not mounted:
-files_dontaudit_search_isid_type_dir(dmesg_t)
+	files_dontaudit_search_isid_type_dir(dmesg_t)
 
-init_use_fd(dmesg_t)
+	init_use_fd(dmesg_t)
-init_use_script_pty(dmesg_t)
+	init_use_script_pty(dmesg_t)
 
-libs_use_ld_so(dmesg_t)
+	libs_use_ld_so(dmesg_t)
-libs_use_shared_libs(dmesg_t)
+	libs_use_shared_libs(dmesg_t)
 
-logging_send_syslog_msg(dmesg_t)
+	logging_send_syslog_msg(dmesg_t)
-logging_write_generic_logs(dmesg_t)
+	logging_write_generic_logs(dmesg_t)
 
-miscfiles_read_localization(dmesg_t)
+	miscfiles_read_localization(dmesg_t)
 
-userdom_use_sysadm_terms(dmesg_t)
+	userdom_use_sysadm_terms(dmesg_t)
-userdom_dontaudit_use_unpriv_user_fd(dmesg_t)
+	userdom_dontaudit_use_unpriv_user_fd(dmesg_t)
 
-ifdef(`targeted_policy', `
+	optional_policy(`selinuxutil.te',`
-	term_dontaudit_use_unallocated_tty(dmesg_t)
+		seutil_sigchld_newrole(dmesg_t)
-	term_dontaudit_use_generic_pty(dmesg_t)
+	')
-	files_dontaudit_read_root_file(dmesg_t)
+
+	optional_policy(`udev.te', `
+		udev_read_db(dmesg_t)
+	')
+
+	ifdef(`TODO',`
+	optional_policy(`rhgb.te',`
+	rhgb_domain(dmesg_t)
+	')
+	') dnl endif TODO
 ')
-
-optional_policy(`selinuxutil.te',`
-	seutil_sigchld_newrole(dmesg_t)
-')
-
-optional_policy(`udev.te', `
-	udev_read_db(dmesg_t)
-')
-
-ifdef(`TODO',`
-optional_policy(`rhgb.te',`
-rhgb_domain(dmesg_t)
-')
-') dnl endif TODO

refpolicy/policy/modules/apps/loadkeys.if

@@ -9,20 +9,22 @@
 ## </param>
 #
 interface(`loadkeys_domtrans',`
-	gen_require(`
+	ifdef(`targeted_policy',`
-		type loadkeys_t, loadkeys_exec_t;
+		# $0(): disabled in targeted policy as there
-		class process sigchld;
+		# is no loadkeys domain.
-		class fd use;
+	',`
-		class fifo_file rw_file_perms;
+		gen_require(`
+			type loadkeys_t, loadkeys_exec_t;
+		')
+
+		corecmd_search_bin($1)
+		domain_auto_trans($1, loadkeys_exec_t, loadkeys_t)
+
+		allow $1 loadkeys_t:fd use;
+		allow loadkeys_t $1:fd use;
+		allow loadkeys_t $1:fifo_file rw_file_perms;
+		allow loadkeys_t $1:process sigchld;
 	')
-
-	corecmd_search_bin($1)
-	domain_auto_trans($1, loadkeys_exec_t, loadkeys_t)
-
-	allow $1 loadkeys_t:fd use;
-	allow loadkeys_t $1:fd use;
-	allow loadkeys_t $1:fifo_file rw_file_perms;
-	allow loadkeys_t $1:process sigchld;
 ')
 
 ########################################
@@ -40,14 +42,18 @@ interface(`loadkeys_domtrans',`
 ## </param>
 #
 interface(`loadkeys_run',`
-	gen_require(`
+	ifdef(`targeted_policy',`
-		type loadkeys_t;
+		# $0(): disabled in targeted policy as there
-		class chr_file rw_term_perms;
+		# is no loadkeys domain.
-	')
+	',`
+		gen_require(`
+			type loadkeys_t;
+		')
 
-	loadkeys_domtrans($1)
+		loadkeys_domtrans($1)
-	role $2 types loadkeys_t;
+		role $2 types loadkeys_t;
-	allow loadkeys_t $3:chr_file rw_term_perms;
+		allow loadkeys_t $3:chr_file rw_term_perms;
+	')
 ')
 
 ########################################
@@ -59,9 +65,15 @@ interface(`loadkeys_run',`
 ## </param>
 #
 interface(`loadkeys_exec',`
-	gen_require(`
+	ifdef(`targeted_policy',`
-		type loadkeys_exec_t;
+		# $0(): the loadkeys program is an alias
-	')
+		# of generic bin programs.
+		corecmd_exec_bin($1)
+	',`
+		gen_require(`
+			type loadkeys_exec_t;
+		')
 
-	can_exec($1,loadkeys_exec_t)
+		can_exec($1,loadkeys_exec_t)
+	')
 ')

refpolicy/policy/modules/apps/loadkeys.te

@@ -6,34 +6,43 @@ policy_module(loadkeys,1.0)
 # Declarations
 #
 
-# cjp: this should probably be rewritten
+ifdef(`targeted_policy',`
-# per user domain, since it can rw
+	# for compatibility with strict:
-# all user domain ttys
+	corecmd_bin_alias(loadkeys_exec_t)
+',`
+	# cjp: this should probably be rewritten
+	# per user domain, since it can rw
+	# all user domain ttys
 
-type loadkeys_t;
+	type loadkeys_t;
-domain_type(loadkeys_t)
+	domain_type(loadkeys_t)
 
-type loadkeys_exec_t;
+	type loadkeys_exec_t;
-domain_entry_file(loadkeys_t,loadkeys_exec_t)
+	domain_entry_file(loadkeys_t,loadkeys_exec_t)
+')
 
 ########################################
 #
 # Local policy
 #
 
-allow loadkeys_t self:capability { setuid sys_tty_config };
+ifdef(`targeted_policy',`
-allow loadkeys_t self:fifo_file rw_file_perms;
+	# loadkeys domain disabled in targeted policy
+',`
+	allow loadkeys_t self:capability { setuid sys_tty_config };
+	allow loadkeys_t self:fifo_file rw_file_perms;
 
-kernel_read_system_state(loadkeys_t)
+	kernel_read_system_state(loadkeys_t)
 
-corecmd_exec_bin(loadkeys_t)
+	corecmd_exec_bin(loadkeys_t)
-corecmd_exec_shell(loadkeys_t)
+	corecmd_exec_shell(loadkeys_t)
 
-files_dontaudit_read_etc_runtime_files(loadkeys_t)
+	files_dontaudit_read_etc_runtime_files(loadkeys_t)
 
-libs_use_ld_so(loadkeys_t)
+	libs_use_ld_so(loadkeys_t)
-libs_use_shared_libs(loadkeys_t)
+	libs_use_shared_libs(loadkeys_t)
 
-locallogin_use_fd(loadkeys_t)
+	locallogin_use_fd(loadkeys_t)
 
-miscfiles_read_localization(loadkeys_t)
+	miscfiles_read_localization(loadkeys_t)
+')

refpolicy/policy/modules/system/corecommands.if

@@ -8,6 +8,21 @@
 ##	run init.
 ## </required>
 
+########################################
+## <summary>
+##	Create a aliased type to bin_t.
+## </summary>
+## <param name="domain">
+##	Alias type for bin_t.
+## </param>
+interface(`corecmd_bin_alias',`
+	gen_require(`
+		type bin_t;
+	')
+
+	typealias bin_t alias $1;
+')
+
 ########################################
 ## <summary>
 ##	Make the shell an entrypoint for the specified domain.

refpolicy/policy/modules/system/corecommands.te

@@ -13,7 +13,8 @@ type bin_t;
 files_type(bin_t)
 
 ifdef(`targeted_policy',`
-	typealias bin_t alias { procmail_exec_t dmesg_exec_t loadkeys_exec_t };
+	# cjp: temporary until procmail is added
+	typealias bin_t alias procmail_exec_t;
 ')
 
 #