From b841dffda16da196695aba6d5c4cbdb94ed9a919 Mon Sep 17 00:00:00 2001
From: Chris PeBenito <cpebenito@tresys.com>
Date: Wed, 7 Jul 2010 10:28:25 -0400
Subject: [PATCH] Add livecd from Dan Walsh.

---
 Changelog                     |   1 +
 policy/modules/apps/livecd.fc |   1 +
 policy/modules/apps/livecd.if | 104 ++++++++++++++++++++++++++++++++++
 policy/modules/apps/livecd.te |  35 ++++++++++++
 4 files changed, 141 insertions(+)
 create mode 100644 policy/modules/apps/livecd.fc
 create mode 100644 policy/modules/apps/livecd.if
 create mode 100644 policy/modules/apps/livecd.te

diff --git a/Changelog b/Changelog
index 9ebdae9d..e647b761 100644
--- a/Changelog
+++ b/Changelog
@@ -3,6 +3,7 @@
 - Increased default number of categories to 1024, from Russell Coker.
 - Added modules:
 	cgroup (Dominick Grift)
+	livecd (Dan Walsh)
 
 * Mon May 24 2010 Chris PeBenito <selinux@tresys.com> - 2.20100524
 - Merged a significant portion of Fedora policy.
diff --git a/policy/modules/apps/livecd.fc b/policy/modules/apps/livecd.fc
new file mode 100644
index 00000000..34937fcf
--- /dev/null
+++ b/policy/modules/apps/livecd.fc
@@ -0,0 +1 @@
+/usr/bin/livecd-creator	--	gen_context(system_u:object_r:livecd_exec_t,s0)
diff --git a/policy/modules/apps/livecd.if b/policy/modules/apps/livecd.if
new file mode 100644
index 00000000..272e97a2
--- /dev/null
+++ b/policy/modules/apps/livecd.if
@@ -0,0 +1,104 @@
+## <summary>Livecd tool for building alternate livecd for different os and policy versions.</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run livecd.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`livecd_domtrans',`
+	gen_require(`
+		type livecd_t, livecd_exec_t;
+	')
+
+	domtrans_pattern($1, livecd_exec_t, livecd_t)
+')
+
+########################################
+## <summary>
+##	Execute livecd in the livecd domain, and
+##	allow the specified role the livecd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+#
+interface(`livecd_run',`
+	gen_require(`
+		type livecd_t;
+	')
+
+	livecd_domtrans($1)
+	role $2 types livecd_t;
+
+	optional_policy(`
+		mount_run(livecd_t, $2)
+	')
+')
+
+########################################
+## <summary>
+##	Read livecd temporary files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`livecd_read_tmp_files',`
+	gen_require(`
+		type livecd_tmp_t;
+	')
+
+	files_search_tmp($1)
+	read_files_pattern($1, livecd_tmp_t, livecd_tmp_t)
+')
+
+########################################
+## <summary>
+##	Read and write livecd temporary files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`livecd_rw_tmp_files',`
+	gen_require(`
+		type livecd_tmp_t;
+	')
+
+	files_search_tmp($1)
+	allow $1 livecd_tmp_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Allow read and write access to livecd semaphores.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`livecd_rw_semaphores',`
+	gen_require(`
+		type livecd_t;
+	')
+
+	allow $1 livecd_t:sem { unix_read unix_write associate read write };
+')
diff --git a/policy/modules/apps/livecd.te b/policy/modules/apps/livecd.te
new file mode 100644
index 00000000..49abe8e2
--- /dev/null
+++ b/policy/modules/apps/livecd.te
@@ -0,0 +1,35 @@
+policy_module(livecd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type livecd_t;
+type livecd_exec_t;
+application_domain(livecd_t, livecd_exec_t)
+role system_r types livecd_t;
+
+type livecd_tmp_t;
+files_tmp_file(livecd_tmp_t)
+
+########################################
+#
+# livecd local policy
+#
+
+dontaudit livecd_t self:capability2 mac_admin;
+
+domain_ptrace_all_domains(livecd_t)
+
+manage_dirs_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t)
+manage_files_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t)
+files_tmp_filetrans(livecd_t, livecd_tmp_t, { dir file })
+
+optional_policy(`
+	unconfined_domain(livecd_t)
+')
+
+optional_policy(`
+	hal_dbus_chat(livecd_t)
+')