add resmgr, bug 1543

refpolicy/Changelog

@@ -53,6 +53,7 @@
 	postgrey
 	pxe
 	qmail (Petre Rodan)
+	resmgr
 	rhgb
 	snort
 	speedtouch

refpolicy/policy/modules/apps/cdrecord.if

@@ -197,7 +197,7 @@ template(`cdrecord_per_userdomain_template', `
 		fs_read_nfs_symlinks($1_cdrecord_t)
 	')
 	
-	ifdef(`TODO',`
+	optional_policy(`
-		can_resmgrd_connect($1_cdrecord_t)
+		resmgr_stream_connect($1_cdrecord_t)
 	')
 ')

refpolicy/policy/modules/apps/cdrecord.te

@@ -1,5 +1,5 @@
 
-policy_module(cdrecord,1.0.0)
+policy_module(cdrecord,1.0.1)
 
 ########################################
 #

refpolicy/policy/modules/services/resmgr.fc

@@ -0,0 +1,7 @@
+
+/etc/resmgr\.conf	--	gen_context(system_u:object_r:resmgrd_etc_t,s0)
+
+/sbin/resmgrd		--	gen_context(system_u:object_r:resmgrd_exec_t,s0)
+
+/var/run/\.resmgr_socket -s	gen_context(system_u:object_r:resmgrd_var_run_t,s0)
+/var/run/resmgr\.pid	--	gen_context(system_u:object_r:resmgrd_var_run_t,s0)

refpolicy/policy/modules/services/resmgr.if

@@ -0,0 +1,22 @@
+## <summary>Resource management daemon</summary>
+
+########################################
+## <summary>
+##	Connect to resmgrd over a unix domain
+##	stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`resmgr_stream_connect',`
+	gen_require(`
+		type resmgrd_var_run_t, resmgrd_t;
+	')
+
+	allow $1 resmgrd_t:unix_stream_socket connectto;
+	allow $1 resmgrd_var_run_t:sock_file { getattr write };
+	files_search_pids($1)
+')

refpolicy/policy/modules/services/resmgr.te

@@ -0,0 +1,81 @@
+
+policy_module(resmgr,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type resmgrd_t;
+type resmgrd_exec_t;
+init_daemon_domain(resmgrd_t,resmgrd_exec_t)
+
+type resmgrd_etc_t;
+files_config_file(resmgrd_etc_t)
+
+type resmgrd_var_run_t;
+files_pid_file(resmgrd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow resmgrd_t self:capability { dac_override sys_admin sys_rawio };
+dontaudit resmgrd_t self:capability sys_tty_config;
+allow resmgrd_t self:process signal_perms;
+
+allow resmgrd_t resmgrd_etc_t:file { getattr read };
+files_search_etc(resmgrd_t)
+
+allow resmgrd_t resmgrd_var_run_t:file manage_file_perms;
+allow resmgrd_t resmgrd_var_run_t:sock_file manage_file_perms;
+files_pid_filetrans(resmgrd_t,resmgrd_var_run_t,{ file sock_file })
+
+kernel_list_proc(resmgrd_t)
+kernel_read_proc_symlinks(resmgrd_t)
+kernel_read_kernel_sysctls(resmgrd_t)
+
+dev_read_sysfs(resmgrd_t)
+dev_getattr_scanner_dev(resmgrd_t)
+
+domain_use_interactive_fds(resmgrd_t)
+
+files_read_etc_files(resmgrd_t)
+
+fs_search_auto_mountpoints(resmgrd_t)
+
+storage_dontaudit_read_fixed_disk(resmgrd_t)
+storage_read_scsi_generic(resmgrd_t)
+storage_raw_read_removable_device(resmgrd_t)
+# not sure if it needs write access, needs to be investigated further...
+storage_write_scsi_generic(resmgrd_t)
+storage_raw_write_removable_device(resmgrd_t)
+
+term_dontaudit_use_console(resmgrd_t)
+
+init_use_fds(resmgrd_t)
+init_use_script_ptys(resmgrd_t)
+
+libs_use_ld_so(resmgrd_t)
+libs_use_shared_libs(resmgrd_t)
+
+logging_send_syslog_msg(resmgrd_t)
+
+miscfiles_read_localization(resmgrd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(resmgrd_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(resmgrd_t)
+	term_dontaudit_use_generic_ptys(resmgrd_t)
+	files_dontaudit_read_root_files(resmgrd_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(resmgrd_t)
+')
+
+optional_policy(`
+	udev_read_db(resmgrd_t)
+')

refpolicy/policy/modules/services/xserver.te

@@ -1,5 +1,5 @@
 
-policy_module(xserver,1.1.4)
+policy_module(xserver,1.1.5)
 
 ########################################
 #
@@ -440,14 +440,16 @@ ifdef(`targeted_policy',`
 	unconfined_domtrans(xdm_xserver_t)
 ')
 
+optional_policy(`
+	resmgr_stream_connect(xdm_t)
+')
+
 optional_policy(`
 	rhgb_rw_shm(xdm_xserver_t)
 	rhgb_rw_tmpfs_files(xdm_xserver_t)
 ')
 
 ifdef(`TODO',`
-can_resmgrd_connect(xdm_t)
-
 # Need to further investigate these permissions and
 # perhaps define derived types.
 allow xdm_t var_lib_t:dir { write search add_name remove_name  create unlink };

refpolicy/policy/modules/system/userdomain.if

@@ -419,6 +419,10 @@ template(`base_user_template',`
 		quota_dontaudit_getattr_db($1_t)
 	')
 
+	optional_policy(`
+		resmgr_stream_connect($1_t)
+	')
+
 	optional_policy(`
 		rpc_dontaudit_getattr_exports($1_t)
 		rpc_manage_nfs_rw_content($1_t)
@@ -487,8 +491,6 @@ template(`base_user_template',`
 
 	allow $1_t usbtty_device_t:chr_file read;
 
-	can_resmgrd_connect($1_t)
-
 	ifdef(`xdm.te', `
 		allow $1_t xdm_var_lib_t:file r_file_perms;
 	')

refpolicy/policy/modules/system/userdomain.te

@@ -1,5 +1,5 @@
 
-policy_module(userdomain,1.3.13)
+policy_module(userdomain,1.3.14)
 
 gen_require(`
 	role sysadm_r, staff_r, user_r;