add watchdog, bug 1662

2006-04-28 20:20:40 +00:00 · 2006-04-28 20:20:40 +00:00 · d592b69e87
parent 050f364c01
commit d592b69e87
9 changed files with 192 additions and 2 deletions
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@ -80,6 +80,7 @@
 	uptime
 	uwimap
 	vmware
+	watchdog
 	xen (Dan Walsh)
 	xprint
 	yam
--- a/refpolicy/policy/modules/kernel/devices.fc
+++ b/refpolicy/policy/modules/kernel/devices.fc
@ -64,6 +64,7 @@ ifdef(`distro_suse', `
 /dev/video.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/vttuner		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/vtx.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
+/dev/watchdog		-c	gen_context(system_u:object_r:watchdog_device_t,s0)
 /dev/winradio.		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/z90crypt		-c	gen_context(system_u:object_r:crypt_device_t,s0)
 /dev/zero		-c	gen_context(system_u:object_r:zero_device_t,s0)
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@ -2342,6 +2342,25 @@ interface(`dev_read_urand',`
 	allow $1 urandom_device_t:chr_file r_file_perms;
 ')

+########################################
+## <summary>
+##	Do not audit attempts to read from pseudo
+##	random devices (e.g., /dev/urandom)
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_read_urand',`
+	gen_require(`
+		type urandom_device_t;
+	')
+
+	dontaudit $1 urandom_device_t:chr_file { getattr read };
+')
+
 ########################################
 ## <summary>
 ##	Write to the pseudo random device (e.g., /dev/urandom). This
@ -2723,6 +2742,25 @@ interface(`dev_rwx_vmware',`
 	allow $1 vmware_device_t:chr_file { rw_file_perms execute };
 ')

+########################################
+## <summary>
+##	Write to watchdog devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_write_watchdog',`
+	gen_require(`
+		type device_t, watchdog_device_t;
+	')
+
+	allow $1 device_t:dir list_dir_perms;
+	allow $1 watchdog_device_t:chr_file { getattr write };
+')
+
 ########################################
 ## <summary>
 ##	Read and write Xen devices.
--- a/refpolicy/policy/modules/kernel/devices.te
+++ b/refpolicy/policy/modules/kernel/devices.te
@ -1,5 +1,5 @@

-policy_module(devices,1.1.12)
+policy_module(devices,1.1.13)

 ########################################
 #
@ -173,6 +173,9 @@ dev_node(v4l_device_t)
 type vmware_device_t;
 dev_node(vmware_device_t)

+type watchdog_device_t;
+dev_node(vmware_device_t)
+
 type xen_device_t;
 dev_node(xen_device_t)

--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@ -496,6 +496,24 @@ interface(`kernel_read_debugfs',`
 	allow $1 debugfs_t:lnk_file { getattr read };
 ')

+########################################
+## <summary>
+##	Unmount the proc filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the domain unmounting the filesystem.
+##	</summary>
+## </param>
+#
+interface(`kernel_unmount_proc',`
+	gen_require(`
+		type proc_t;
+	')
+
+	allow $1 proc_t:filesystem unmount;
+')
+
 ########################################
 ## <summary>
 ##	Get the attributes of the proc filesystem.
--- a/refpolicy/policy/modules/kernel/kernel.te
+++ b/refpolicy/policy/modules/kernel/kernel.te
@ -1,5 +1,5 @@

-policy_module(kernel,1.3.5)
+policy_module(kernel,1.3.6)

 ########################################
 #
--- a/refpolicy/policy/modules/services/watchdog.fc
+++ b/refpolicy/policy/modules/services/watchdog.fc
@ -0,0 +1,5 @@
+/usr/sbin/watchdog	--	gen_context(system_u:object_r:watchdog_exec_t,s0)
+
+/var/log/watchdog(/.*)?		gen_context(system_u:object_r:watchdog_log_t,s0)
+
+/var/run/watchdog\.pid	--	gen_context(system_u:object_r:watchdog_var_run_t,s0)
--- a/refpolicy/policy/modules/services/watchdog.if
+++ b/refpolicy/policy/modules/services/watchdog.if
@ -0,0 +1 @@
+## <summary>Software watchdog</summary>
--- a/refpolicy/policy/modules/services/watchdog.te
+++ b/refpolicy/policy/modules/services/watchdog.te
@ -0,0 +1,123 @@
+
+policy_module(watchdog,1.0.0)
+
+#################################
+#
+# Rules for the watchdog_t domain.
+#
+
+type watchdog_t;
+type watchdog_exec_t;
+init_daemon_domain(watchdog_t,watchdog_exec_t)
+
+type watchdog_log_t;
+logging_log_file(watchdog_log_t)
+
+type watchdog_var_run_t;
+files_pid_file(watchdog_var_run_t)
+
+########################################
+#
+# Declarations
+#
+
+allow watchdog_t self:capability { sys_admin net_admin sys_boot ipc_lock sys_pacct sys_nice sys_resource };
+dontaudit watchdog_t self:capability sys_tty_config;
+allow watchdog_t self:process { setsched signal_perms };
+allow watchdog_t self:fifo_file rw_file_perms;
+allow watchdog_t self:unix_stream_socket create_socket_perms;
+allow watchdog_t self:tcp_socket create_stream_socket_perms;
+allow watchdog_t self:udp_socket create_socket_perms;
+
+allow watchdog_t watchdog_log_t:file create_file_perms;
+logging_log_filetrans(watchdog_t,watchdog_log_t,file)
+
+allow watchdog_t watchdog_var_run_t:file create_file_perms;
+allow watchdog_t watchdog_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(watchdog_t,watchdog_var_run_t,file)
+
+kernel_read_system_state(watchdog_t)
+kernel_read_kernel_sysctls(watchdog_t)
+kernel_unmount_proc(watchdog_t)
+
+corecmd_search_sbin(watchdog_t)
+# for orderly shutdown
+corecmd_exec_shell(watchdog_t)
+
+# cjp: why networking?
+corenet_non_ipsec_sendrecv(watchdog_t)
+corenet_tcp_sendrecv_generic_if(watchdog_t)
+corenet_udp_sendrecv_generic_if(watchdog_t)
+corenet_raw_sendrecv_generic_if(watchdog_t)
+corenet_tcp_sendrecv_all_nodes(watchdog_t)
+corenet_udp_sendrecv_all_nodes(watchdog_t)
+corenet_raw_sendrecv_all_nodes(watchdog_t)
+corenet_tcp_sendrecv_all_ports(watchdog_t)
+corenet_udp_sendrecv_all_ports(watchdog_t)
+corenet_tcp_bind_all_nodes(watchdog_t)
+corenet_udp_bind_all_nodes(watchdog_t)
+corenet_tcp_connect_all_ports(watchdog_t)
+
+dev_read_sysfs(watchdog_t)
+dev_write_watchdog(watchdog_t)
+# do not care about saving the random seed
+dev_dontaudit_read_rand(watchdog_t)
+dev_dontaudit_read_urand(watchdog_t)
+
+domain_use_interactive_fds(watchdog_t)
+domain_getsession_all_domains(watchdog_t)
+domain_sigchld_all_domains(watchdog_t)
+domain_sigstop_all_domains(watchdog_t)
+domain_signull_all_domains(watchdog_t)
+domain_signal_all_domains(watchdog_t)
+domain_kill_all_domains(watchdog_t)
+
+files_read_etc_files(watchdog_t)
+# for updating mtab on umount
+files_manage_etc_runtime_files(watchdog_t)
+
+fs_unmount_xattr_fs(watchdog_t)
+fs_getattr_all_fs(watchdog_t)
+fs_search_auto_mountpoints(watchdog_t)
+
+term_dontaudit_use_console(watchdog_t)
+
+# record the fact that we are going down
+auth_append_login_records(watchdog_t)
+
+init_use_fds(watchdog_t)
+init_use_script_ptys(watchdog_t)
+
+libs_use_ld_so(watchdog_t)
+libs_use_shared_libs(watchdog_t)
+
+logging_send_syslog_msg(watchdog_t)
+
+miscfiles_read_localization(watchdog_t)
+
+sysnet_read_config(watchdog_t)
+
+userdom_dontaudit_use_unpriv_user_fds(watchdog_t)
+userdom_dontaudit_search_sysadm_home_dirs(watchdog_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(watchdog_t)
+	term_dontaudit_use_generic_ptys(watchdog_t)
+	files_dontaudit_read_root_files(watchdog_t)
+')
+
+optional_policy(`
+	mta_send_mail(watchdog_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(watchdog_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(watchdog_t)
+')
+
+optional_policy(`
+	udev_read_db(watchdog_t)
+')