From e9e43f04b3acb365d9e9a30054b1a39fd964ff9f Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Tue, 18 May 2010 09:54:18 -0400
Subject: [PATCH] Plymouthd policy from Dan Walsh.
---
 Changelog | 1 +
 policy/modules/services/plymouthd.fc | 7 +
 policy/modules/services/plymouthd.if | 260 +++++++++++++++++++++++++++
 policy/modules/services/plymouthd.te | 100 +++++++++++
 4 files changed, 368 insertions(+)
 create mode 100644 policy/modules/services/plymouthd.fc
 create mode 100644 policy/modules/services/plymouthd.if
 create mode 100644 policy/modules/services/plymouthd.te
diff --git a/Changelog b/Changelog
index 677e699b..561911e9 100644
--- a/Changelog
+++ b/Changelog
@@ -8,6 +8,7 @@
 denyhosts (Dan Walsh)
 nut (Stefan Schulze Frielinghaus, Miroslav Grepl)
 likewise (Scott Salley)
+ plymouthd (Dan Walsh)
 pyicqt (Stefan Schulze Frielinghaus)
 sectoolm (Miroslav Grepl)
 usbmuxd (Dan Walsh)
diff --git a/policy/modules/services/plymouthd.fc b/policy/modules/services/plymouthd.fc
new file mode 100644
index 00000000..5702ca42
--- /dev/null
+++ b/policy/modules/services/plymouthd.fc
@@ -0,0 +1,7 @@
+/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t,s0)
+
+/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0)
+
+/var/lib/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_lib_t,s0)
+/var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t,s0)
+/var/spool/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_spool_t,s0)
diff --git a/policy/modules/services/plymouthd.if b/policy/modules/services/plymouthd.if
new file mode 100644
index 00000000..9759ed80
--- /dev/null
+++ b/policy/modules/services/plymouthd.if
@@ -0,0 +1,260 @@
+## Plymouth graphical boot
+
+########################################
+##
+## Execute a domain transition to run plymouthd.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`plymouthd_domtrans', `
+ gen_require(`
+ type plymouthd_t, plymouthd_exec_t;
+ ')
+
+ domtrans_pattern($1, plymouthd_exec_t, plymouthd_t)
+')
+
+########################################
+##
+## Execute the plymoth daemon in the current domain
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`plymouthd_exec', `
+ gen_require(`
+ type plymouthd_exec_t;
+ ')
+
+ can_exec($1, plymouthd_exec_t)
+')
+
+########################################
+##
+## Allow domain to Stream socket connect
+## to Plymouth daemon.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`plymouthd_stream_connect', `
+ gen_require(`
+ type plymouthd_t;
+ ')
+
+ allow $1 plymouthd_t:unix_stream_socket connectto;
+')
+
+########################################
+##
+## Execute the plymoth command in the current domain
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`plymouthd_exec_plymouth', `
+ gen_require(`
+ type plymouth_exec_t;
+ ')
+
+ can_exec($1, plymouth_exec_t)
+')
+
+########################################
+##
+## Execute a domain transition to run plymouthd.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`plymouthd_domtrans_plymouth', `
+ gen_require(`
+ type plymouth_t, plymouth_exec_t;
+ ')
+
+ domtrans_pattern($1, plymouth_exec_t, plymouth_t)
+')
+
+########################################
+##
+## Search plymouthd spool directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`plymouthd_search_spool', `
+ gen_require(`
+ type plymouthd_spool_t;
+ ')
+
+ allow $1 plymouthd_spool_t:dir search_dir_perms;
+ files_search_spool($1)
+')
+
+########################################
+##
+## Read plymouthd spool files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`plymouthd_read_spool_files', `
+ gen_require(`
+ type plymouthd_spool_t;
+ ')
+
+ files_search_spool($1)
+ read_files_pattern($1, plymouthd_spool_t, plymouthd_spool_t)
+')
+
+########################################
+##
+## Create, read, write, and delete
+## plymouthd spool files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`plymouthd_manage_spool_files', `
+ gen_require(`
+ type plymouthd_spool_t;
+ ')
+
+ files_search_spool($1)
+ manage_files_pattern($1, plymouthd_spool_t, plymouthd_spool_t)
+')
+
+########################################
+##
+## Search plymouthd lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`plymouthd_search_lib', `
+ gen_require(`
+ type plymouthd_var_lib_t;
+ ')
+
+ allow $1 plymouthd_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Read plymouthd lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`plymouthd_read_lib_files', `
+ gen_require(`
+ type plymouthd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t)
+')
+
+########################################
+##
+## Create, read, write, and delete
+## plymouthd lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`plymouthd_manage_lib_files', `
+ gen_require(`
+ type plymouthd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t)
+')
+
+########################################
+##
+## Read plymouthd PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`plymouthd_read_pid_files', `
+ gen_require(`
+ type plymouthd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 plymouthd_var_run_t:file read_file_perms;
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an plymouthd environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`plymouthd_admin', `
+ gen_require(`
+ type plymouthd_t, plymouthd_spool_t, plymouthd_var_lib_t;
+ type plymouthd_var_run_t;
+ ')
+
+ allow $1 plymouthd_t:process { ptrace signal_perms getattr };
+ read_files_pattern($1, plymouthd_t, plymouthd_t)
+
+ admin_pattern($1, plymouthd_spool_t)
+
+ admin_pattern($1, plymouthd_var_lib_t)
+
+ admin_pattern($1, plymouthd_var_run_t)
+')
diff --git a/policy/modules/services/plymouthd.te b/policy/modules/services/plymouthd.te
new file mode 100644
index 00000000..52bc9696
--- /dev/null
+++ b/policy/modules/services/plymouthd.te
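Review bot: `plymouthd_admin` in plymouthd.if grants `ptrace` on `plymouthd_t`, and the plymouthd.te added by this same patch gives that domain `sys_admin`, so every domain handed the admin interface can effectively act with that capability through the traced daemon. Unless administrators really need to attach a debugger to the boot splash daemon, the rule could be narrowed to `allow $1 plymouthd_t:process { signal_perms getattr };`. The interface header also documents a second, role parameter, but the body only ever references `$1`; either drop the role documentation or put `$2` to use. Separately, `plymouthd_read_pid_files` allows only `file read_file_perms`, while plymouthd.fc labels the `/var/run/plymouth` directory itself `plymouthd_var_run_t`, so `read_files_pattern($1, plymouthd_var_run_t, plymouthd_var_run_t)` would give callers the directory search they need and match the sibling spool and lib interfaces.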
@@ -0,0 +1,100 @@
+
+policy_module(plymouthd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type plymouth_t;
+type plymouth_exec_t;
+application_domain(plymouth_t, plymouth_exec_t)
+
+type plymouthd_t;
+type plymouthd_exec_t;
+init_daemon_domain(plymouthd_t, plymouthd_exec_t)
+
+type plymouthd_spool_t;
+files_type(plymouthd_spool_t)
+
+type plymouthd_var_lib_t;
+files_type(plymouthd_var_lib_t)
+
+type plymouthd_var_run_t;
+files_pid_file(plymouthd_var_run_t)
+
+########################################
+#
+# Plymouthd private policy
+#
+
+allow plymouthd_t self:capability { sys_admin sys_tty_config };
+dontaudit plymouthd_t self:capability dac_override;
+allow plymouthd_t self:process signal;
+allow plymouthd_t self:fifo_file rw_fifo_file_perms;
+allow plymouthd_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t)
+manage_files_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t)
+manage_sock_files_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t)
+files_spool_filetrans(plymouthd_t, plymouthd_spool_t, { file dir sock_file })
+
+manage_dirs_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t)
+manage_files_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t)
+files_var_lib_filetrans(plymouthd_t, plymouthd_var_lib_t, { file dir })
+
+manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
+manage_files_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
+files_pid_filetrans(plymouthd_t, plymouthd_var_run_t, { file dir })
+
+kernel_read_system_state(plymouthd_t)
+kernel_request_load_module(plymouthd_t)
+kernel_change_ring_buffer_level(plymouthd_t)
+
+dev_rw_dri(plymouthd_t)
+dev_read_sysfs(plymouthd_t)
+dev_read_framebuffer(plymouthd_t)
+dev_write_framebuffer(plymouthd_t)
+
+domain_use_interactive_fds(plymouthd_t)
+
+files_read_etc_files(plymouthd_t)
+files_read_usr_files(plymouthd_t)
+
+miscfiles_read_localization(plymouthd_t)
+miscfiles_read_fonts(plymouthd_t)
+miscfiles_manage_fonts_cache(plymouthd_t)
+
+########################################
+#
+# Plymouth private policy
+#
+
+allow plymouth_t self:process signal;
+allow plymouth_t self:fifo_file rw_file_perms;
+allow plymouth_t self:unix_stream_socket create_stream_socket_perms;
+
+kernel_read_system_state(plymouth_t)
+
+domain_use_interactive_fds(plymouth_t)
+
+files_read_etc_files(plymouth_t)
+
+term_use_ptmx(plymouth_t)
+
+miscfiles_read_localization(plymouth_t)
+
+sysnet_read_config(plymouth_t)
+
+plymouthd_stream_connect(plymouth_t)
+
+ifdef(`hide_broken_symptoms', `
+ optional_policy(`
+ hal_dontaudit_write_log(plymouth_t)
+ hal_dontaudit_rw_pipes(plymouth_t)
+ ')
+')
+
+optional_policy(`
+ lvm_domtrans(plymouth_t)
+')
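Review bot: The closing `optional_policy` block in plymouthd.te lets the client domain transition into the LVM domain through `lvm_domtrans(plymouth_t)` with no comment saying why, so any domain later granted `plymouthd_domtrans_plymouth` can reach that domain indirectly. A one-line comment above the call naming the helper the client runs and the reason would make the transition reviewable, for example `# plymouth runs an LVM-domain helper to unlock volumes at boot (confirm)`; that purpose is an assumption, nothing in the patch states it. The same goes for `allow plymouthd_t self:capability { sys_admin sys_tty_config };` paired with `dontaudit plymouthd_t self:capability dac_override;`, where a note on which operation needs `sys_admin` would help a later least-privilege pass. Minor: `allow plymouth_t self:fifo_file rw_file_perms;` should use `rw_fifo_file_perms`, as the matching `plymouthd_t` rule does.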