add watchdog, bug 1662

This commit is contained in:
Chris PeBenito 2006-04-28 20:20:40 +00:00
parent 050f364c01
commit d592b69e87
9 changed files with 192 additions and 2 deletions

View File

@ -80,6 +80,7 @@
uptime uptime
uwimap uwimap
vmware vmware
watchdog
xen (Dan Walsh) xen (Dan Walsh)
xprint xprint
yam yam

View File

@ -64,6 +64,7 @@ ifdef(`distro_suse', `
/dev/video.* -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/video.* -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/vttuner -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/vttuner -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/vtx.* -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/vtx.* -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/watchdog -c gen_context(system_u:object_r:watchdog_device_t,s0)
/dev/winradio. -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/winradio. -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/z90crypt -c gen_context(system_u:object_r:crypt_device_t,s0) /dev/z90crypt -c gen_context(system_u:object_r:crypt_device_t,s0)
/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0) /dev/zero -c gen_context(system_u:object_r:zero_device_t,s0)

View File

@ -2342,6 +2342,25 @@ interface(`dev_read_urand',`
allow $1 urandom_device_t:chr_file r_file_perms; allow $1 urandom_device_t:chr_file r_file_perms;
') ')
########################################
## <summary>
## Do not audit attempts to read from pseudo
## random devices (e.g., /dev/urandom)
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`dev_dontaudit_read_urand',`
gen_require(`
type urandom_device_t;
')
dontaudit $1 urandom_device_t:chr_file { getattr read };
')
######################################## ########################################
## <summary> ## <summary>
## Write to the pseudo random device (e.g., /dev/urandom). This ## Write to the pseudo random device (e.g., /dev/urandom). This
@ -2723,6 +2742,25 @@ interface(`dev_rwx_vmware',`
allow $1 vmware_device_t:chr_file { rw_file_perms execute }; allow $1 vmware_device_t:chr_file { rw_file_perms execute };
') ')
########################################
## <summary>
## Write to watchdog devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_write_watchdog',`
gen_require(`
type device_t, watchdog_device_t;
')
allow $1 device_t:dir list_dir_perms;
allow $1 watchdog_device_t:chr_file { getattr write };
')
######################################## ########################################
## <summary> ## <summary>
## Read and write Xen devices. ## Read and write Xen devices.

View File

@ -1,5 +1,5 @@
policy_module(devices,1.1.12) policy_module(devices,1.1.13)
######################################## ########################################
# #
@ -173,6 +173,9 @@ dev_node(v4l_device_t)
type vmware_device_t; type vmware_device_t;
dev_node(vmware_device_t) dev_node(vmware_device_t)
type watchdog_device_t;
dev_node(vmware_device_t)
type xen_device_t; type xen_device_t;
dev_node(xen_device_t) dev_node(xen_device_t)

View File

@ -496,6 +496,24 @@ interface(`kernel_read_debugfs',`
allow $1 debugfs_t:lnk_file { getattr read }; allow $1 debugfs_t:lnk_file { getattr read };
') ')
########################################
## <summary>
## Unmount the proc filesystem.
## </summary>
## <param name="domain">
## <summary>
## The type of the domain unmounting the filesystem.
## </summary>
## </param>
#
interface(`kernel_unmount_proc',`
gen_require(`
type proc_t;
')
allow $1 proc_t:filesystem unmount;
')
######################################## ########################################
## <summary> ## <summary>
## Get the attributes of the proc filesystem. ## Get the attributes of the proc filesystem.

View File

@ -1,5 +1,5 @@
policy_module(kernel,1.3.5) policy_module(kernel,1.3.6)
######################################## ########################################
# #

View File

@ -0,0 +1,5 @@
/usr/sbin/watchdog -- gen_context(system_u:object_r:watchdog_exec_t,s0)
/var/log/watchdog(/.*)? gen_context(system_u:object_r:watchdog_log_t,s0)
/var/run/watchdog\.pid -- gen_context(system_u:object_r:watchdog_var_run_t,s0)

View File

@ -0,0 +1 @@
## <summary>Software watchdog</summary>

View File

@ -0,0 +1,123 @@
policy_module(watchdog,1.0.0)
#################################
#
# Rules for the watchdog_t domain.
#
type watchdog_t;
type watchdog_exec_t;
init_daemon_domain(watchdog_t,watchdog_exec_t)
type watchdog_log_t;
logging_log_file(watchdog_log_t)
type watchdog_var_run_t;
files_pid_file(watchdog_var_run_t)
########################################
#
# Declarations
#
allow watchdog_t self:capability { sys_admin net_admin sys_boot ipc_lock sys_pacct sys_nice sys_resource };
dontaudit watchdog_t self:capability sys_tty_config;
allow watchdog_t self:process { setsched signal_perms };
allow watchdog_t self:fifo_file rw_file_perms;
allow watchdog_t self:unix_stream_socket create_socket_perms;
allow watchdog_t self:tcp_socket create_stream_socket_perms;
allow watchdog_t self:udp_socket create_socket_perms;
allow watchdog_t watchdog_log_t:file create_file_perms;
logging_log_filetrans(watchdog_t,watchdog_log_t,file)
allow watchdog_t watchdog_var_run_t:file create_file_perms;
allow watchdog_t watchdog_var_run_t:dir rw_dir_perms;
files_pid_filetrans(watchdog_t,watchdog_var_run_t,file)
kernel_read_system_state(watchdog_t)
kernel_read_kernel_sysctls(watchdog_t)
kernel_unmount_proc(watchdog_t)
corecmd_search_sbin(watchdog_t)
# for orderly shutdown
corecmd_exec_shell(watchdog_t)
# cjp: why networking?
corenet_non_ipsec_sendrecv(watchdog_t)
corenet_tcp_sendrecv_generic_if(watchdog_t)
corenet_udp_sendrecv_generic_if(watchdog_t)
corenet_raw_sendrecv_generic_if(watchdog_t)
corenet_tcp_sendrecv_all_nodes(watchdog_t)
corenet_udp_sendrecv_all_nodes(watchdog_t)
corenet_raw_sendrecv_all_nodes(watchdog_t)
corenet_tcp_sendrecv_all_ports(watchdog_t)
corenet_udp_sendrecv_all_ports(watchdog_t)
corenet_tcp_bind_all_nodes(watchdog_t)
corenet_udp_bind_all_nodes(watchdog_t)
corenet_tcp_connect_all_ports(watchdog_t)
dev_read_sysfs(watchdog_t)
dev_write_watchdog(watchdog_t)
# do not care about saving the random seed
dev_dontaudit_read_rand(watchdog_t)
dev_dontaudit_read_urand(watchdog_t)
domain_use_interactive_fds(watchdog_t)
domain_getsession_all_domains(watchdog_t)
domain_sigchld_all_domains(watchdog_t)
domain_sigstop_all_domains(watchdog_t)
domain_signull_all_domains(watchdog_t)
domain_signal_all_domains(watchdog_t)
domain_kill_all_domains(watchdog_t)
files_read_etc_files(watchdog_t)
# for updating mtab on umount
files_manage_etc_runtime_files(watchdog_t)
fs_unmount_xattr_fs(watchdog_t)
fs_getattr_all_fs(watchdog_t)
fs_search_auto_mountpoints(watchdog_t)
term_dontaudit_use_console(watchdog_t)
# record the fact that we are going down
auth_append_login_records(watchdog_t)
init_use_fds(watchdog_t)
init_use_script_ptys(watchdog_t)
libs_use_ld_so(watchdog_t)
libs_use_shared_libs(watchdog_t)
logging_send_syslog_msg(watchdog_t)
miscfiles_read_localization(watchdog_t)
sysnet_read_config(watchdog_t)
userdom_dontaudit_use_unpriv_user_fds(watchdog_t)
userdom_dontaudit_search_sysadm_home_dirs(watchdog_t)
ifdef(`targeted_policy',`
term_dontaudit_use_unallocated_ttys(watchdog_t)
term_dontaudit_use_generic_ptys(watchdog_t)
files_dontaudit_read_root_files(watchdog_t)
')
optional_policy(`
mta_send_mail(watchdog_t)
')
optional_policy(`
nis_use_ypbind(watchdog_t)
')
optional_policy(`
seutil_sigchld_newrole(watchdog_t)
')
optional_policy(`
udev_read_db(watchdog_t)
')