From d4dca58511db9c590ac3b15cff3d0b031f89d9e0 Mon Sep 17 00:00:00 2001
From: Chris PeBenito <cpebenito@tresys.com>
Date: Fri, 7 Oct 2005 21:45:04 +0000
Subject: [PATCH] add finger and bluetooth

---
 refpolicy/Changelog                           |   2 +
 .../policy/modules/services/bluetooth.fc      |  19 +++
 .../policy/modules/services/bluetooth.if      |   1 +
 .../policy/modules/services/bluetooth.te      | 122 ++++++++++++++++
 refpolicy/policy/modules/services/finger.fc   |  19 +++
 refpolicy/policy/modules/services/finger.if   |  40 ++++++
 refpolicy/policy/modules/services/finger.te   | 134 ++++++++++++++++++
 refpolicy/policy/modules/services/tcpd.te     |   4 +
 refpolicy/policy/modules/system/authlogin.if  |  24 +++-
 refpolicy/policy/modules/system/init.te       |   4 +
 refpolicy/policy/modules/system/userdomain.if |  59 ++++++++
 11 files changed, 426 insertions(+), 2 deletions(-)
 create mode 100644 refpolicy/policy/modules/services/bluetooth.fc
 create mode 100644 refpolicy/policy/modules/services/bluetooth.if
 create mode 100644 refpolicy/policy/modules/services/bluetooth.te
 create mode 100644 refpolicy/policy/modules/services/finger.fc
 create mode 100644 refpolicy/policy/modules/services/finger.if
 create mode 100644 refpolicy/policy/modules/services/finger.te

diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index efd171c2..7125eb10 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -13,7 +13,9 @@
 - Fix errors uncovered by sediff.
 - Added policies:
 	anaconda
+	bluetooth
 	dmidecode
+	finger
 	ftp
 	kudzu
 	radvd
diff --git a/refpolicy/policy/modules/services/bluetooth.fc b/refpolicy/policy/modules/services/bluetooth.fc
new file mode 100644
index 00000000..f61784d6
--- /dev/null
+++ b/refpolicy/policy/modules/services/bluetooth.fc
@@ -0,0 +1,19 @@
+#
+# /etc
+#
+/etc/bluetooth(/.*)?		gen_context(system_u:object_r:bluetooth_conf_t,s0)
+
+#
+# /usr
+#
+/usr/bin/rfcomm		--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
+
+/usr/sbin/hciattach	--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/sbin/hcid		--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/sbin/hid2hci	--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/sbin/sdpd		--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
+
+#
+# /var
+#
+/var/run/sdp		-s	gen_context(system_u:object_r:bluetooth_var_run_t,s0)
diff --git a/refpolicy/policy/modules/services/bluetooth.if b/refpolicy/policy/modules/services/bluetooth.if
new file mode 100644
index 00000000..d61362ab
--- /dev/null
+++ b/refpolicy/policy/modules/services/bluetooth.if
@@ -0,0 +1 @@
+## <summary>Bluetooth tools and system services.</summary>
diff --git a/refpolicy/policy/modules/services/bluetooth.te b/refpolicy/policy/modules/services/bluetooth.te
new file mode 100644
index 00000000..0c237cc0
--- /dev/null
+++ b/refpolicy/policy/modules/services/bluetooth.te
@@ -0,0 +1,122 @@
+
+policy_module(bluetooth,1.0)
+
+########################################
+#
+# Declarations
+#
+type bluetooth_t;
+type bluetooth_exec_t;
+init_daemon_domain(bluetooth_t,bluetooth_exec_t)
+
+type bluetooth_conf_t;
+files_type(bluetooth_conf_t)
+
+type bluetooth_lock_t;
+files_lock_file(bluetooth_lock_t)
+
+type bluetooth_tmp_t;
+files_tmp_file(bluetooth_tmp_t)
+
+type bluetooth_var_run_t;
+files_pid_file(bluetooth_var_run_t)
+
+########################################
+#
+# Local policy
+#
+allow bluetooth_t self:capability { net_admin net_raw sys_tty_config };
+dontaudit bluetooth_t self:capability sys_tty_config;
+allow bluetooth_t self:process signal_perms;
+allow bluetooth_t self:socket create_stream_socket_perms;
+allow bluetooth_t self:unix_dgram_socket create_socket_perms;
+allow bluetooth_t self:unix_stream_socket create_stream_socket_perms;
+allow bluetooth_t self:tcp_socket { create_stream_socket_perms connect };
+allow bluetooth_t self:udp_socket create_socket_perms;
+
+allow bluetooth_t bluetooth_conf_t:dir search;
+allow bluetooth_t bluetooth_conf_t:file { getattr read ioctl };
+
+allow bluetooth_t bluetooth_lock_t:file create_file_perms;
+files_create_lock(bluetooth_t,bluetooth_lock_t)
+
+allow bluetooth_t bluetooth_tmp_t:dir create_dir_perms;
+allow bluetooth_t bluetooth_tmp_t:file create_file_perms;
+files_create_tmp_files(bluetooth_t, bluetooth_tmp_t, { file dir })
+
+allow bluetooth_t bluetooth_var_run_t:dir rw_dir_perms;
+allow bluetooth_t bluetooth_var_run_t:file create_file_perms;
+allow bluetooth_t bluetooth_var_run_t:sock_file create_file_perms;
+files_create_pid(bluetooth_t, bluetooth_var_run_t, { file sock_file })
+
+kernel_read_kernel_sysctl(bluetooth_t)
+kernel_list_proc(bluetooth_t)
+kernel_read_proc_symlinks(bluetooth_t)
+
+corenet_tcp_sendrecv_all_if(bluetooth_t)
+corenet_udp_sendrecv_all_if(bluetooth_t)
+corenet_raw_sendrecv_all_if(bluetooth_t)
+corenet_tcp_sendrecv_all_nodes(bluetooth_t)
+corenet_udp_sendrecv_all_nodes(bluetooth_t)
+corenet_raw_sendrecv_all_nodes(bluetooth_t)
+corenet_tcp_bind_all_nodes(bluetooth_t)
+corenet_udp_bind_all_nodes(bluetooth_t)
+corenet_tcp_sendrecv_all_ports(bluetooth_t)
+corenet_udp_sendrecv_all_ports(bluetooth_t)
+
+dev_read_sysfs(bluetooth_t)
+dev_rw_usbfs(bluetooth_t)
+
+fs_getattr_all_fs(bluetooth_t)
+fs_search_auto_mountpoints(bluetooth_t)
+
+term_dontaudit_use_console(bluetooth_t)
+
+corecmd_exec_bin(bluetooth_t)
+
+domain_use_wide_inherit_fd(bluetooth_t)
+
+init_use_fd(bluetooth_t)
+init_use_script_pty(bluetooth_t)
+
+libs_use_ld_so(bluetooth_t)
+libs_use_shared_libs(bluetooth_t)
+
+logging_send_syslog_msg(bluetooth_t)
+
+miscfiles_read_localization(bluetooth_t)
+
+sysnet_read_config(bluetooth_t)
+
+userdom_dontaudit_use_unpriv_user_fd(bluetooth_t)
+userdom_dontaudit_use_sysadm_pty(bluetooth_t)
+userdom_dontaudit_search_sysadm_home_dir(bluetooth_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_tty(bluetooth_t)
+	term_dontaudit_use_generic_pty(bluetooth_t)
+	files_dontaudit_read_root_file(bluetooth_t)
+')
+
+optional_policy(`dbus.te',`
+	dbus_system_bus_client_template(bluetooth,bluetooth_t)
+	dbus_send_system_bus_msg(bluetooth_t)
+')
+
+optional_policy(`nis.te',`
+	nis_use_ypbind(bluetooth_t)
+')
+
+optional_policy(`selinuxutil.te',`
+	seutil_sigchld_newrole(bluetooth_t)
+')
+
+optional_policy(`udev.te',`
+	udev_read_db(bluetooth_t)
+')
+
+ifdef(`TODO',`
+optional_policy(`rhgb.te',`
+	rhgb_domain(bluetooth_t)
+')
+')
diff --git a/refpolicy/policy/modules/services/finger.fc b/refpolicy/policy/modules/services/finger.fc
new file mode 100644
index 00000000..c8611923
--- /dev/null
+++ b/refpolicy/policy/modules/services/finger.fc
@@ -0,0 +1,19 @@
+# fingerd
+
+#
+# /etc
+#
+/etc/cfingerd(/.*)?		gen_context(system_u:object_r:fingerd_etc_t,s0)
+
+/etc/cron\.weekly/(c)?fingerd -- gen_context(system_u:object_r:fingerd_exec_t,s0)
+
+#
+# /usr
+#
+/usr/sbin/in\.fingerd	--	gen_context(system_u:object_r:fingerd_exec_t,s0)
+/usr/sbin/[cef]fingerd	--	gen_context(system_u:object_r:fingerd_exec_t,s0)
+
+#
+# /var
+#
+/var/log/cfingerd\.log.* --	gen_context(system_u:object_r:fingerd_log_t,s0)
diff --git a/refpolicy/policy/modules/services/finger.if b/refpolicy/policy/modules/services/finger.if
new file mode 100644
index 00000000..41fbe1f9
--- /dev/null
+++ b/refpolicy/policy/modules/services/finger.if
@@ -0,0 +1,40 @@
+## <summary>Finger user information service.</summary>
+
+########################################
+## <summary>
+##	Execute fingerd in the fingerd domain.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`finger_domtrans',`
+	gen_require(`
+		type fingerd_t, fingerd_exec_t;
+	')
+
+	domain_auto_trans($1,fingerd_exec_t,fingerd_t)
+
+	allow $1 fingerd_t:fd use;
+	allow fingerd_t $1:fd use;
+	allow fingerd_t $1:fifo_file rw_file_perms;
+	allow fingerd_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to connect to fingerd with a tcp socket.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`finger_tcp_connect',`
+	gen_require(`
+		type fingerd_t;
+	')
+
+	kernel_tcp_recvfrom($1)
+	allow $1 fingerd_t:tcp_socket { connectto recvfrom };
+	allow fingerd_t $1:tcp_socket { acceptfrom recvfrom };
+')
diff --git a/refpolicy/policy/modules/services/finger.te b/refpolicy/policy/modules/services/finger.te
new file mode 100644
index 00000000..33213fe4
--- /dev/null
+++ b/refpolicy/policy/modules/services/finger.te
@@ -0,0 +1,134 @@
+
+policy_module(finger,1.0)
+
+########################################
+#
+# Declarations
+#
+type fingerd_t;
+type fingerd_exec_t;
+init_daemon_domain(fingerd_t,fingerd_exec_t)
+inetd_tcp_service_domain(fingerd_t,fingerd_exec_t)
+
+type fingerd_etc_t; #, usercanread;
+files_type(fingerd_etc_t)
+
+type fingerd_log_t;
+logging_log_file(fingerd_log_t)
+
+type fingerd_var_run_t;
+files_pid_file(fingerd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+allow fingerd_t self:capability { setgid setuid };
+dontaudit fingerd_t self:capability { sys_tty_config fsetid };
+allow fingerd_t self:process signal_perms;
+allow fingerd_t self:fifo_file { read write getattr };
+allow fingerd_t self:tcp_socket connected_stream_socket_perms;
+allow fingerd_t self:udp_socket create_socket_perms;
+allow fingerd_t self:unix_dgram_socket create_socket_perms;
+allow fingerd_t self:unix_stream_socket create_socket_perms;
+
+allow fingerd_t fingerd_var_run_t:file create_file_perms;
+allow fingerd_t fingerd_var_run_t:dir rw_dir_perms;
+files_create_pid(fingerd_t,fingerd_var_run_t)
+
+allow fingerd_t fingerd_etc_t:file r_file_perms;
+allow fingerd_t fingerd_etc_t:dir r_dir_perms;
+allow fingerd_t fingerd_etc_t:lnk_file { getattr read };
+
+allow fingerd_t fingerd_log_t:file create_file_perms;
+logging_create_log(fingerd_t,fingerd_log_t)
+
+kernel_read_kernel_sysctl(fingerd_t)
+kernel_read_system_state(fingerd_t)
+kernel_tcp_recvfrom(fingerd_t)
+
+corenet_tcp_sendrecv_all_if(fingerd_t)
+corenet_udp_sendrecv_all_if(fingerd_t)
+corenet_raw_sendrecv_all_if(fingerd_t)
+corenet_tcp_sendrecv_all_nodes(fingerd_t)
+corenet_udp_sendrecv_all_nodes(fingerd_t)
+corenet_raw_sendrecv_all_nodes(fingerd_t)
+corenet_tcp_sendrecv_all_ports(fingerd_t)
+corenet_udp_sendrecv_all_ports(fingerd_t)
+corenet_tcp_bind_all_nodes(fingerd_t)
+corenet_udp_bind_all_nodes(fingerd_t)
+corenet_tcp_bind_fingerd_port(fingerd_t)
+
+dev_read_sysfs(fingerd_t)
+
+fs_getattr_all_fs(fingerd_t)
+fs_search_auto_mountpoints(fingerd_t)
+
+term_search_ptys(fingerd_t)
+term_dontaudit_use_console(fingerd_t)
+term_getattr_all_user_ttys(fingerd_t)
+term_getattr_all_user_ptys(fingerd_t)
+
+auth_read_lastlog(fingerd_t)
+
+corecmd_exec_bin(fingerd_t)
+corecmd_exec_sbin(fingerd_t)
+corecmd_exec_shell(fingerd_t)
+
+domain_use_wide_inherit_fd(fingerd_t)
+
+files_getattr_home_dir(fingerd_t)
+files_read_etc_files(fingerd_t)
+files_read_etc_runtime_files(fingerd_t)
+
+init_read_script_pid(fingerd_t)
+init_dontaudit_write_script_pid(fingerd_t)
+init_use_fd(fingerd_t)
+init_use_script_pty(fingerd_t)
+
+libs_use_ld_so(fingerd_t)
+libs_use_shared_libs(fingerd_t)
+
+logging_send_syslog_msg(fingerd_t)
+
+mta_getattr_spool(fingerd_t)
+
+sysnet_read_config(fingerd_t)
+
+miscfiles_read_localization(fingerd_t)
+
+userdom_read_unpriv_user_home_files(fingerd_t)
+userdom_dontaudit_use_unpriv_user_fd(fingerd_t)
+userdom_dontaudit_search_sysadm_home_dir(fingerd_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_tty(fingerd_t)
+	term_dontaudit_use_generic_pty(fingerd_t)
+	files_dontaudit_read_root_file(fingerd_t)
+')
+
+optional_policy(`cron.te',`
+	cron_system_entry(fingerd_t,fingerd_exec_t)
+')
+
+optional_policy(`logrotate.te',`
+	logrotate_exec(fingerd_t)
+')
+
+optional_policy(`nis.te',`
+	nis_use_ypbind(fingerd_t)
+')
+
+optional_policy(`selinuxutil.te',`
+	seutil_sigchld_newrole(fingerd_t)
+')
+
+optional_policy(`udev.te',`
+	udev_read_db(fingerd_t)
+')
+
+ifdef(`TODO',`
+optional_policy(`rhgb.te',`
+	rhgb_domain(fingerd_t)
+')
+')
diff --git a/refpolicy/policy/modules/services/tcpd.te b/refpolicy/policy/modules/services/tcpd.te
index d3f4e1e8..e53da04f 100644
--- a/refpolicy/policy/modules/services/tcpd.te
+++ b/refpolicy/policy/modules/services/tcpd.te
@@ -51,6 +51,10 @@ sysnet_read_config(tcpd_t)
 
 inetd_domtrans_child(tcpd_t)
 
+optional_policy(`finger.te',`
+	finger_domtrans(tcpd_t)
+')
+
 optional_policy(`nis.te',`
 	nis_use_ypbind(tcpd_t)
 ')
diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
index c0c50952..59469f2f 100644
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@@ -407,13 +407,33 @@ interface(`auth_rw_faillog',`
 ')
 
 #######################################
+## <summary>
+##	Read the last logins log.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
 #
-# auth_rw_lastlog(domain)
+interface(`auth_read_lastlog',`
+	gen_require(`
+		type lastlog_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 lastlog_t:file { getattr read };
+')
+
+#######################################
+## <summary>
+##	Read and write to the last logins log.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
 #
 interface(`auth_rw_lastlog',`
 	gen_require(`
 		type lastlog_t;
-		class file { getattr read write setattr };
 	')
 
 	logging_search_logs($1)
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 9abd2aeb..8f1ce3d9 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -429,6 +429,10 @@ optional_policy(`bind.te',`
 
 ')
 
+optional_policy(`bluetooth.te',`
+	dev_read_usbfs(initrc_t)
+')
+
 optional_policy(`cpucontrol.te',`
 	cpucontrol_stub()
 	dev_getattr_cpu(initrc_t)
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index bcfde858..912c027f 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -318,6 +318,10 @@ template(`base_user_template',`
 		')
 	')
 
+	optional_policy(`finger.te',`
+		finger_tcp_connect($1_t)
+	')
+
 	optional_policy(`inetd.te',`
 		inetd_tcp_connect($1_t)
 	')
@@ -1642,6 +1646,26 @@ interface(`userdom_use_sysadm_pty',`
 	')
 ')
 
+########################################
+## <summary>
+##	Dont audit attempts to read and write sysadm ptys.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`userdom_dontaudit_use_sysadm_pty',`
+	ifdef(`targeted_policy',`
+		term_dontaudit_use_generic_pty($1)
+	',`
+		gen_require(`
+			type sysadm_devpts_t;
+		')
+
+		dontaudit $1 sysadm_devpts_t:chr_file { read write };
+	')
+')
+
 ########################################
 ## <summary>
 ##	Read and write sysadm ttys and ptys.
@@ -2020,6 +2044,23 @@ interface(`userdom_create_user_home',`
 	')
 ')
 
+########################################
+## <summary>
+##	Don't audit search on the user home subdirectory.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`userdom_dontaudit_search_user_home_dirs',`
+	gen_require(`
+		type user_home_t;
+		class dir search;
+	')
+
+	dontaudit $1 user_home_t:dir search;
+')
+
 ########################################
 ## <summary>
 ##	Create, read, write, and delete
@@ -2119,6 +2160,24 @@ interface(`userdom_manage_user_home_sockets',`
 	allow $1 user_home_t:sock_file create_file_perms;
 ')
 
+########################################
+## <summary>
+##	Read all unprivileged users home directory
+##	files.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`userdom_read_unpriv_user_home_files',`
+	gen_require(`
+		type user_home_dir_type, user_home_type;
+	')
+
+	allow $1 user_home_dir_type:dir search;
+	allow $1 user_home_type:file r_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Write all unprivileged users files in /tmp