From cca4a215fe46cbf81d75b773a01c23620073f31c Mon Sep 17 00:00:00 2001
From: Chris PeBenito <cpebenito@tresys.com>
Date: Tue, 2 Jun 2009 14:28:40 +0000
Subject: [PATCH] trunk: add gpsd from miroslav grepl

---
 Changelog                               |  1 +
 policy/modules/kernel/corenetwork.te.in |  1 +
 policy/modules/services/gpsd.fc         |  1 +
 policy/modules/services/gpsd.if         | 72 +++++++++++++++++++++++++
 policy/modules/services/gpsd.te         | 55 +++++++++++++++++++
 policy/modules/services/ntp.if          | 22 ++++++++
 policy/modules/services/ntp.te          | 11 ++++
 7 files changed, 163 insertions(+)
 create mode 100644 policy/modules/services/gpsd.fc
 create mode 100644 policy/modules/services/gpsd.if
 create mode 100644 policy/modules/services/gpsd.te

diff --git a/Changelog b/Changelog
index 2b2316b1..48f96f8a 100644
--- a/Changelog
+++ b/Changelog
@@ -16,6 +16,7 @@
 - Added modules:
 	certmaster (Dan Walsh)
 	git (Dan Walsh)
+	gpsd (Miroslav Grepl)
 	guest (Dan Walsh)
 	ifplugd (Dan Walsh)
 	lircd (Miroslav Grepl)
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 5b0672aa..78e96ba4 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -100,6 +100,7 @@ network_port(ftp, tcp,21,s0)
 network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
 network_port(giftd, tcp,1213,s0)
 network_port(gopher, tcp,70,s0, udp,70,s0)
+network_port(gpsd, tcp,2947,s0)
 network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8118 is for privoxy
 network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
 network_port(howl, tcp,5335,s0, udp,5353,s0)
diff --git a/policy/modules/services/gpsd.fc b/policy/modules/services/gpsd.fc
new file mode 100644
index 00000000..200f834a
--- /dev/null
+++ b/policy/modules/services/gpsd.fc
@@ -0,0 +1 @@
+/usr/sbin/gpsd                 --      gen_context(system_u:object_r:gpsd_exec_t,s0)
diff --git a/policy/modules/services/gpsd.if b/policy/modules/services/gpsd.if
new file mode 100644
index 00000000..96018c79
--- /dev/null
+++ b/policy/modules/services/gpsd.if
@@ -0,0 +1,72 @@
+## <summary>gpsd monitor daemon</summary>
+
+########################################
+## <summary>
+##      Execute a domain transition to run gpsd.
+## </summary>
+## <param name="domain">
+## <summary>
+##      Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`gpsd_domtrans',`
+        gen_require(`
+                type gpsd_t, gpsd_exec_t;
+        ')
+
+        domtrans_pattern($1, gpsd_exec_t, gpsd_t)
+')
+
+########################################
+## <summary>
+##      Execute gpsd in the gpsd domain, and
+##      allow the specified role the gpsd domain.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access
+##      </summary>
+## </param>
+## <param name="role">
+##      <summary>
+##      The role to be allowed the gpsd domain.
+##      </summary>
+## </param>
+## <param name="terminal">
+##      <summary>
+##      The type of the role's terminal.
+##      </summary>
+## </param>
+#
+interface(`gpsd_run',`
+        gen_require(`
+                type gpsd_t;
+        ')
+
+        gpsd_domtrans($1)
+        role $2 types gpsd_t;
+        allow gpsd_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>    
+##      Read and write gpsd shared memory.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`gpsd_rw_shm',`
+        gen_require(`
+                type gpsd_t, gpsd_tmpfs_t;
+        ')
+
+        allow $1 gpsd_t:shm rw_shm_perms;
+        allow $1 gpsd_tmpfs_t:dir list_dir_perms;
+        rw_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t)
+        read_lnk_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t)
+        fs_search_tmpfs($1)
+')
diff --git a/policy/modules/services/gpsd.te b/policy/modules/services/gpsd.te
new file mode 100644
index 00000000..2095e495
--- /dev/null
+++ b/policy/modules/services/gpsd.te
@@ -0,0 +1,55 @@
+
+policy_module(gpsd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type gpsd_t;
+type gpsd_exec_t;
+application_domain(gpsd_t, gpsd_exec_t)
+init_daemon_domain(gpsd_t, gpsd_exec_t)
+
+type gpsd_tmpfs_t;
+files_tmpfs_file(gpsd_tmpfs_t)
+
+########################################
+#
+# gpsd local policy
+#
+
+allow gpsd_t self:capability { setuid sys_nice setgid fowner };
+allow gpsd_t self:process setsched;
+allow gpsd_t self:shm create_shm_perms;
+allow gpsd_t self:unix_dgram_socket { create_socket_perms sendto };
+allow gpsd_t self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(gpsd_t, gpsd_tmpfs_t, gpsd_tmpfs_t)
+manage_files_pattern(gpsd_t, gpsd_tmpfs_t, gpsd_tmpfs_t)
+fs_tmpfs_filetrans(gpsd_t, gpsd_tmpfs_t, { dir file })
+
+corenet_all_recvfrom_unlabeled(gpsd_t)
+corenet_all_recvfrom_netlabel(gpsd_t)
+corenet_tcp_sendrecv_generic_if(gpsd_t)
+corenet_tcp_sendrecv_generic_node(gpsd_t)
+corenet_tcp_sendrecv_all_ports(gpsd_t)
+corenet_tcp_bind_all_nodes(gpsd_t)
+corenet_tcp_bind_gpsd_port(gpsd_t)
+
+term_use_unallocated_ttys(gpsd_t)
+term_setattr_unallocated_ttys(gpsd_t)
+
+auth_use_nsswitch(gpsd_t)
+
+logging_send_syslog_msg(gpsd_t)
+
+miscfiles_read_localization(gpsd_t)
+
+optional_policy(`
+        dbus_system_bus_client(gpsd_t)
+')
+
+optional_policy(`
+	ntpd_rw_shm(gpsd_t)
+')
diff --git a/policy/modules/services/ntp.if b/policy/modules/services/ntp.if
index d47ebff4..3a546a81 100644
--- a/policy/modules/services/ntp.if
+++ b/policy/modules/services/ntp.if
@@ -54,6 +54,28 @@ interface(`ntp_domtrans_ntpdate',`
 	domtrans_pattern($1, ntpdate_exec_t, ntpd_t)
 ')
 
+########################################
+## <summary>    
+##      Read and write ntpd shared memory.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      The type of the process performing this action.
+##      </summary>
+## </param>
+#
+interface(`ntpd_rw_shm',`
+        gen_require(`
+                type ntpd_t, ntpd_tmpfs_t;
+        ')
+
+        allow $1 ntpd_t:shm rw_shm_perms;
+        list_dirs_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t)
+        rw_files_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t)
+        read_lnk_files_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t)
+        fs_search_tmpfs($1)
+')
+
 ########################################
 ## <summary>
 ##	All of the rules required to administrate 
diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te
index cb49868d..56066706 100644
--- a/policy/modules/services/ntp.te
+++ b/policy/modules/services/ntp.te
@@ -25,6 +25,9 @@ logging_log_file(ntpd_log_t)
 type ntpd_tmp_t;
 files_tmp_file(ntpd_tmp_t)
 
+type ntpd_tmpfs_t;
+files_tmpfs_file(ntpd_tmpfs_t)
+
 type ntpd_var_run_t;
 files_pid_file(ntpd_var_run_t)
 
@@ -62,6 +65,10 @@ manage_dirs_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t)
 manage_files_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t)
 files_tmp_filetrans(ntpd_t, ntpd_tmp_t, { file dir })
 
+manage_dirs_pattern(ntpd_t, ntpd_tmpfs_t, ntpd_tmpfs_t)
+manage_files_pattern(ntpd_t, ntpd_tmpfs_t, ntpd_tmpfs_t)
+fs_tmpfs_filetrans(ntpd_t, ntpd_tmpfs_t, { dir file })
+
 manage_files_pattern(ntpd_t, ntpd_var_run_t, ntpd_var_run_t)
 files_pid_filetrans(ntpd_t, ntpd_var_run_t, file)
 
@@ -120,6 +127,10 @@ optional_policy(`
 	cron_system_entry(ntpd_t, ntpdate_exec_t)
 ')
 
+optional_policy(`
+	gpsd_rw_shm(ntpd_t)
+')
+
 optional_policy(`
 	firstboot_dontaudit_use_fds(ntpd_t)
 	firstboot_dontaudit_rw_pipes(ntpd_t)