From da3ed0667f1d5cf9a702e0bc3de03a36ae81ca35 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Wed, 6 May 2009 15:09:46 +0000
Subject: [PATCH] trunk: lircd from miroslav grepl

---
 Changelog | 1 +
 policy/modules/services/lircd.fc | 8 +++
 policy/modules/services/lircd.if | 99 ++++++++++++++++++++++++++++++++
 policy/modules/services/lircd.te | 48 ++++++++++++++++
 4 files changed, 156 insertions(+)
 create mode 100644 policy/modules/services/lircd.fc
 create mode 100644 policy/modules/services/lircd.if
 create mode 100644 policy/modules/services/lircd.te

diff --git a/Changelog b/Changelog
index fef189c0..0d9046d8 100644
--- a/Changelog
+++ b/Changelog
@@ -17,6 +17,7 @@
  git (Dan Walsh)
  guest (Dan Walsh)
  ifplugd (Dan Walsh)
+ lircd (Miroslav Grepl)
  logadm (Dan Walsh)
  pingd (Dan Walsh)
  psad (Dan Walsh)
diff --git a/policy/modules/services/lircd.fc b/policy/modules/services/lircd.fc
new file mode 100644
index 00000000..cc43e40a
--- /dev/null
+++ b/policy/modules/services/lircd.fc
@@ -0,0 +1,8 @@
+/dev/lircd -s gen_context(system_u:object_r:lircd_sock_t,s0)
+
+/etc/rc\.d/init\.d/lirc -- gen_context(system_u:object_r:lircd_initrc_exec_t,s0)
+/etc/lircd\.conf -- gen_context(system_u:object_r:lircd_etc_t,s0)
+
+/usr/sbin/lircd -- gen_context(system_u:object_r:lircd_exec_t,s0)
+
+/var/run/lircd\.pid gen_context(system_u:object_r:lircd_var_run_t,s0)
diff --git a/policy/modules/services/lircd.if b/policy/modules/services/lircd.if
new file mode 100644
index 00000000..a24b7cd6
--- /dev/null
+++ b/policy/modules/services/lircd.if
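Review bot: The `/var/run/lircd\.pid` entry at the end of the lircd.fc hunk carries no file-type specifier, while every other regular-file entry in the file uses `--`, so the pattern would also relabel a directory or socket of that name as lircd_var_run_t. Writing it as `/var/run/lircd\.pid -- gen_context(system_u:object_r:lircd_var_run_t,s0)` keeps the label confined to a regular file and matches the convention of the other entries.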
@@ -0,0 +1,99 @@
+## Linux infared remote control daemon
+
+########################################
+## 
+## Execute a domain transition to run lircd.
+## 
+## 
+## 
+## Domain allowed to transition.
+## 
+## 
+#
+interface(`lircd_domtrans',`
+ gen_require(`
+ type lircd_t, lircd_exec_t;
+ ')
+
+ domain_auto_trans($1, lircd_exec_t, lircd_t)
+
+')
+
+######################################
+## 
+## Connect to lircd over a unix domain
+## stream socket.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`lircd_stream_connect',`
+ gen_require(`
+ type lircd_sock_t, lircd_t;
+ ')
+
+ allow $1 lircd_t:unix_stream_socket connectto;
+ allow $1 lircd_sock_t:sock_file write_sock_file_perms;
+ files_search_pids($1)
+')
+
+#######################################
+## 
+## Read lircd etc file
+## 
+## 
+## 
+## The type of the process performing this action.
+## 
+## 
+#
+interface(`lircd_read_config',`
+ gen_require(`
+ type lircd_etc_t;
+ ')
+
+ read_files_pattern($1, lircd_etc_t, lircd_etc_t)
+')
+
+########################################
+## 
+## All of the rules required to administrate
+## a lircd environment
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+## 
+## 
+## The role to be allowed to manage the syslog domain.
+## 
+## 
+## 
+#
+interface(`lircd_admin',`
+ gen_require(`
+ type lircd_t, lircd_var_run_t, lircd_sock_t;
+ type lircd_initrc_exec_t, lircd_etc_t;
+ ')
+
+ allow $1 lircd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, lircd_t)
+
+ init_labeled_script_domtrans($1, lircd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 lircd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_etc($1)
+ admin_pattern($1, lircd_etc_t)
+
+ files_search_pids($1)
+ admin_pattern($1, lircd_var_run_t)
+
+ admin_pattern($1, lircd_sock_t)
+')
diff --git a/policy/modules/services/lircd.te b/policy/modules/services/lircd.te
new file mode 100644
index 00000000..db3079e9
--- /dev/null
+++ b/policy/modules/services/lircd.te
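Review bot: `lircd_read_config` grants only `read_files_pattern($1, lircd_etc_t, lircd_etc_t)` with no search permission on /etc, whereas `lircd_admin` in the same file pairs its `admin_pattern($1, lircd_etc_t)` with `files_search_etc($1)`; a caller that does not already search etc_t cannot reach `/etc/lircd.conf`, so add `files_search_etc($1)` before the read rule. In `lircd_stream_connect`, `files_search_pids($1)` grants search under /var/run, yet lircd.fc places the socket at `/dev/lircd`, so that call looks copied from a pid-directory socket interface and does not match the socket's actual location — either the caller needs search on the device directory instead, or the socket belongs under /var/run; confirm which. `lircd_domtrans` uses the older `domain_auto_trans` macro where `domtrans_pattern($1, lircd_exec_t, lircd_t)` is the form used by the other service interfaces. The `lircd_admin` role parameter description reads `The role to be allowed to manage the syslog domain.` and should say `the lircd domain`, and the file summary spells `infared` for `infrared`.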
@@ -0,0 +1,48 @@
+
+policy_module(lircd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type lircd_t;
+type lircd_exec_t;
+init_daemon_domain(lircd_t, lircd_exec_t)
+
+type lircd_initrc_exec_t;
+init_script_file(lircd_initrc_exec_t)
+
+type lircd_etc_t;
+files_type(lircd_etc_t)
+
+type lircd_var_run_t;
+files_pid_file(lircd_var_run_t)
+
+# type for lircd /dev/ sock file
+type lircd_sock_t;
+files_type(lircd_sock_t)
+
+########################################
+#
+# lircd local policy
+#
+
+allow lircd_t self:process signal;
+allow lircd_t self:unix_dgram_socket create_socket_perms;
+
+# etc file
+read_files_pattern(lircd_t, lircd_etc_t, lircd_etc_t)
+
+# pid file
+manage_dirs_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t)
+manage_files_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t)
+files_pid_filetrans(lircd_t, lircd_var_run_t, { dir file })
+
+# /dev/lircd socket
+manage_sock_files_pattern(lircd_t, lircd_sock_t, lircd_sock_t)
+dev_filetrans(lircd_t, lircd_sock_t, sock_file )
+
+logging_send_syslog_msg(lircd_t)
+
+miscfiles_read_localization(lircd_t)
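Review bot: `manage_dirs_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t)` and the `{ dir file }` class list in `files_pid_filetrans` let the daemon create and manage directories under /var/run, but lircd.fc in this commit labels only the regular file `/var/run/lircd\.pid` and no directory path, so either the directory rules are broader than needed (drop the manage_dirs line and reduce the filetrans to `file`) or lircd.fc is missing a directory entry such as a `/var/run/lirc(/.*)?`-style pattern, if that is what the daemon creates — confirm against the daemon. `dev_filetrans(lircd_t, lircd_sock_t, sock_file )` has a stray space before the closing parenthesis. Nothing in the file grants lircd_t access to the IR device node the daemon presumably reads; if that access is required, it should be declared explicitly here rather than surface later as a denial.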