From b84d6ec491555e8fe877e18f4cdf1f71c0e06d35 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Fri, 18 Dec 2009 10:33:50 -0500
Subject: [PATCH] smartmon patch from Dan Walsh.

---
 policy/modules/kernel/devices.if | 18 ++++++++++++++
 policy/modules/kernel/devices.te | 2 +-
 policy/modules/kernel/storage.if | 38 +++++++++++++++++++++++++++++
 policy/modules/kernel/storage.te | 2 +-
 policy/modules/services/smartmon.te | 37 ++++++++++++++++++++++------
 5 files changed, 88 insertions(+), 9 deletions(-)

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 2b7ad830..fe31e1f2 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -145,6 +145,24 @@ interface(`dev_add_entry_generic_dirs',`
 allow $1 device_t:dir add_entry_dir_perms;
 ')
 
+########################################
+##
+## Add entries to directories in /dev.
+##
+##
+##
+## Domain allowed to add entries.
+##
+##
+#
+interface(`dev_remove_entry_generic_dirs',`
+ gen_require(`
+ type device_t;
+ ')
+
+ allow $1 device_t:dir del_entry_dir_perms;
+')
+
 ########################################
 ##
 ## Create a directory in the device directory.
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 1b536ec2..b3107fa3 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,5 +1,5 @@
-policy_module(devices, 1.9.1)
+policy_module(devices, 1.9.2)
 
 ########################################
 #
diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
index a388e63b..f37c6589 100644
--- a/policy/modules/kernel/storage.if
+++ b/policy/modules/kernel/storage.if
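Review bot: The doc block of the new `dev_remove_entry_generic_dirs` interface was copied from `dev_add_entry_generic_dirs` and not updated: the summary still reads "Add entries to directories in /dev." and the parameter "Domain allowed to add entries.", while the body grants `del_entry_dir_perms`. Suggest `##	Remove entries from directories in /dev.` and `##	Domain allowed to remove entries.`. The same copy-paste slip is in the storage.if hunk, where `storage_delete_fixed_disk_dev` keeps the summary "Allow the caller to create fixed disk device nodes." although it grants `delete_blk_file_perms`; it should read `##	Allow the caller to delete fixed disk device nodes.`. Interface summaries are what policy authors grep when choosing a call, so a wrong one leads to the deletion interface being granted where creation was meant, or vice versa.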
@@ -188,6 +188,44 @@ interface(`storage_raw_rw_fixed_disk',`
 storage_raw_write_fixed_disk($1)
 ')
 
+########################################
+##
+## Allow the caller to create fixed disk device nodes.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`storage_create_fixed_disk_dev',`
+ gen_require(`
+ type fixed_disk_device_t;
+ ')
+
+ allow $1 fixed_disk_device_t:blk_file create_blk_file_perms;
+ dev_add_entry_generic_dirs($1)
+')
+
+########################################
+##
+## Allow the caller to create fixed disk device nodes.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`storage_delete_fixed_disk_dev',`
+ gen_require(`
+ type fixed_disk_device_t;
+ ')
+
+ allow $1 fixed_disk_device_t:blk_file delete_blk_file_perms;
+ dev_remove_entry_generic_dirs($1)
+')
+
 ########################################
 ##
 ## Create, read, write, and delete fixed disk device nodes.
diff --git a/policy/modules/kernel/storage.te b/policy/modules/kernel/storage.te
index fc46c28e..c9266118 100644
--- a/policy/modules/kernel/storage.te
+++ b/policy/modules/kernel/storage.te
@@ -1,5 +1,5 @@
-policy_module(storage, 1.7.1)
+policy_module(storage, 1.7.2)
 
 ########################################
 #
diff --git a/policy/modules/services/smartmon.te b/policy/modules/services/smartmon.te
index 44564d2a..ebdc899c 100644
--- a/policy/modules/services/smartmon.te
+++ b/policy/modules/services/smartmon.te
@@ -1,11 +1,19 @@
-policy_module(smartmon, 1.9.0)
+policy_module(smartmon, 1.9.1)
 
 ########################################
 #
 # Declarations
 #
 
+##
+##

+## Enable additional permissions needed to support
+## devices on 3ware controllers.
+##

+##
+gen_tunable(smartmon_3ware, false)
+
 type fsdaemon_t;
 type fsdaemon_exec_t;
 init_daemon_domain(fsdaemon_t, fsdaemon_exec_t)
 
@@ -19,14 +27,18 @@ files_pid_file(fsdaemon_var_run_t)
 type fsdaemon_tmp_t;
 files_tmp_file(fsdaemon_tmp_t)
 
+ifdef(`enable_mls',`
+ init_ranged_daemon_domain(fsdaemon_t, fsdaemon_exec_t, mls_systemhigh)
+')
+
 ########################################
 #
 # Local policy
 #
 
-allow fsdaemon_t self:capability { setgid sys_rawio sys_admin };
+allow fsdaemon_t self:capability { setpcap setgid sys_rawio sys_admin };
 dontaudit fsdaemon_t self:capability sys_tty_config;
-allow fsdaemon_t self:process signal_perms;
+allow fsdaemon_t self:process { getcap setcap signal_perms };
 allow fsdaemon_t self:fifo_file rw_fifo_file_perms;
 allow fsdaemon_t self:unix_dgram_socket create_socket_perms;
 allow fsdaemon_t self:unix_stream_socket create_stream_socket_perms;
@@ -66,6 +78,7 @@ fs_getattr_all_fs(fsdaemon_t)
 fs_search_auto_mountpoints(fsdaemon_t)
 
 mls_file_read_all_levels(fsdaemon_t)
+#mls_rangetrans_target(fsdaemon_t)
 
 storage_raw_read_fixed_disk(fsdaemon_t)
 storage_raw_write_fixed_disk(fsdaemon_t)
@@ -80,19 +93,29 @@ logging_send_syslog_msg(fsdaemon_t)
 
 miscfiles_read_localization(fsdaemon_t)
 
+seutil_sigchld_newrole(fsdaemon_t)
+
 sysnet_dns_name_resolve(fsdaemon_t)
 
 userdom_dontaudit_use_unpriv_user_fds(fsdaemon_t)
 userdom_dontaudit_search_user_home_dirs(fsdaemon_t)
 
+tunable_policy(`smartmon_3ware',`
+ allow fsdaemon_t self:process setfscreate;
+
+ storage_create_fixed_disk_dev(fsdaemon_t)
+ storage_delete_fixed_disk_dev(fsdaemon_t)
+ storage_dev_filetrans_fixed_disk(fsdaemon_t)
+
+ selinux_validate_context(fsdaemon_t)
+
+ seutil_read_file_contexts(fsdaemon_t)
+')
+
 optional_policy(`
 mta_send_mail(fsdaemon_t)
 ')
 
-optional_policy(`
- seutil_sigchld_newrole(fsdaemon_t)
-')
-
 optional_policy(`
 udev_read_db(fsdaemon_t)
 ')
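Review bot: The description attached to the new `smartmon_3ware` tunable says only "Enable additional permissions needed to support devices on 3ware controllers", which does not tell an administrator what is actually being switched on. The tunable_policy block later in this file grants the daemon creation and deletion of fixed disk block device nodes, a file transition into fixed_disk_device_t and `setfscreate`, so the desc should name that, e.g. `##	Allow smartd to create and delete fixed disk device nodes in /dev, which is needed for devices on 3ware controllers.`. Tunable descriptions are what tools such as setsebool surface, and a boolean that turns on device-node creation for a raw-disk daemon deserves to be recognisable as such.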
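Review bot: `+#mls_rangetrans_target(fsdaemon_t)` adds a commented-out policy call with no explanation, so the next reader cannot tell whether it is pending, rejected, or a leftover from the `init_ranged_daemon_domain` change in the previous hunk. Either drop the line or turn it into a comment that states the reason, e.g. `# mls_rangetrans_target(fsdaemon_t) not granted: <reason>`; dead policy lines tend to be uncommented later without review of the MLS implications.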
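Review bot: `seutil_sigchld_newrole(fsdaemon_t)` moves out of its `optional_policy` wrapper and becomes an unconditional call, which turns selinuxutil into a hard dependency of this module; the new tunable_policy block calls `seutil_read_file_contexts` and `selinux_validate_context` unconditionally as well, so this looks deliberate, but neither the hunk nor the commit message says so. A one-line comment above the call, such as `# selinuxutil is required: also used inside the smartmon_3ware tunable block`, would record the intent and stop a later cleanup from wrapping it in optional_policy again while the tunable block still needs it.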