Plymouthd policy from Dan Walsh.

Chris PeBenito 2010-05-18 09:54:18 -04:00
parent b0c2cae14a
commit e9e43f04b3
4 changed files with 368 additions and 0 deletions


@ -8,6 +8,7 @@
denyhosts (Dan Walsh) denyhosts (Dan Walsh)
nut (Stefan Schulze Frielinghaus, Miroslav Grepl) nut (Stefan Schulze Frielinghaus, Miroslav Grepl)
likewise (Scott Salley) likewise (Scott Salley)
plymouthd (Dan Walsh)
pyicqt (Stefan Schulze Frielinghaus) pyicqt (Stefan Schulze Frielinghaus)
sectoolm (Miroslav Grepl) sectoolm (Miroslav Grepl)
usbmuxd (Dan Walsh) usbmuxd (Dan Walsh)


@ -0,0 +1,7 @@
/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t,s0)
/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0)
/var/lib/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_lib_t,s0)
/var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t,s0)
/var/spool/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_spool_t,s0)


@ -0,0 +1,260 @@
## <summary>Plymouth graphical boot</summary>
########################################
## <summary>
## Execute a domain transition to run plymouthd.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`plymouthd_domtrans', `
gen_require(`
type plymouthd_t, plymouthd_exec_t;
')
domtrans_pattern($1, plymouthd_exec_t, plymouthd_t)
')
########################################
## <summary>
## Execute the plymoth daemon in the current domain
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`plymouthd_exec', `
gen_require(`
type plymouthd_exec_t;
')
can_exec($1, plymouthd_exec_t)
')
########################################
## <summary>
## Allow domain to Stream socket connect
## to Plymouth daemon.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`plymouthd_stream_connect', `
gen_require(`
type plymouthd_t;
')
allow $1 plymouthd_t:unix_stream_socket connectto;
')
########################################
## <summary>
## Execute the plymoth command in the current domain
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`plymouthd_exec_plymouth', `
gen_require(`
type plymouth_exec_t;
')
can_exec($1, plymouth_exec_t)
')
########################################
## <summary>
## Execute a domain transition to run plymouthd.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`plymouthd_domtrans_plymouth', `
gen_require(`
type plymouth_t, plymouth_exec_t;
')
domtrans_pattern($1, plymouth_exec_t, plymouth_t)
')
########################################
## <summary>
## Search plymouthd spool directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`plymouthd_search_spool', `
gen_require(`
type plymouthd_spool_t;
')
allow $1 plymouthd_spool_t:dir search_dir_perms;
files_search_spool($1)
')
########################################
## <summary>
## Read plymouthd spool files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`plymouthd_read_spool_files', `
gen_require(`
type plymouthd_spool_t;
')
files_search_spool($1)
read_files_pattern($1, plymouthd_spool_t, plymouthd_spool_t)
')
########################################
## <summary>
## Create, read, write, and delete
## plymouthd spool files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`plymouthd_manage_spool_files', `
gen_require(`
type plymouthd_spool_t;
')
files_search_spool($1)
manage_files_pattern($1, plymouthd_spool_t, plymouthd_spool_t)
')
########################################
## <summary>
## Search plymouthd lib directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`plymouthd_search_lib', `
gen_require(`
type plymouthd_var_lib_t;
')
allow $1 plymouthd_var_lib_t:dir search_dir_perms;
files_search_var_lib($1)
')
########################################
## <summary>
## Read plymouthd lib files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`plymouthd_read_lib_files', `
gen_require(`
type plymouthd_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t)
')
########################################
## <summary>
## Create, read, write, and delete
## plymouthd lib files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`plymouthd_manage_lib_files', `
gen_require(`
type plymouthd_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t)
')
########################################
## <summary>
## Read plymouthd PID files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`plymouthd_read_pid_files', `
gen_require(`
type plymouthd_var_run_t;
')
files_search_pids($1)
allow $1 plymouthd_var_run_t:file read_file_perms;
')
########################################
## <summary>
## All of the rules required to administrate
## an plymouthd environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`plymouthd_admin', `
gen_require(`
type plymouthd_t, plymouthd_spool_t, plymouthd_var_lib_t;
type plymouthd_var_run_t;
')
allow $1 plymouthd_t:process { ptrace signal_perms getattr };
read_files_pattern($1, plymouthd_t, plymouthd_t)
admin_pattern($1, plymouthd_spool_t)
admin_pattern($1, plymouthd_var_lib_t)
admin_pattern($1, plymouthd_var_run_t)
')
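Review bot: In `plymouthd_admin`, the rule `allow $1 plymouthd_t:process { ptrace signal_perms getattr };` gives every caller ptrace over a daemon that the policy-module section of this commit grants `sys_admin`, so confirm that tracing is really required; if it is not, `allow $1 plymouthd_t:process signal_perms;` is the narrower grant. The following `read_files_pattern($1, plymouthd_t, plymouthd_t)` looks like it is meant to expose the daemon's /proc entries, for which `ps_process_pattern($1, plymouthd_t)` is the usual macro, and the documented `role` parameter is never referenced as `$2` in the body, so either use it or drop its `<param name="role">` block. `plymouthd_read_pid_files` allows only `plymouthd_var_run_t:file read_file_perms`, with no search on the `plymouthd_var_run_t` directory that the file-context section labels at /var/run/plymouth; `read_files_pattern($1, plymouthd_var_run_t, plymouthd_var_run_t)` would match the spool and lib interfaces. On documentation, the summary above `plymouthd_domtrans_plymouth` repeats the one for `plymouthd_domtrans` and should read `Execute a domain transition to run plymouth.`, and "plymoth" is misspelled in the summaries of `plymouthd_exec` and `plymouthd_exec_plymouth`.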


@ -0,0 +1,100 @@
policy_module(plymouthd, 1.0.0)
########################################
#
# Declarations
#
type plymouth_t;
type plymouth_exec_t;
application_domain(plymouth_t, plymouth_exec_t)
type plymouthd_t;
type plymouthd_exec_t;
init_daemon_domain(plymouthd_t, plymouthd_exec_t)
type plymouthd_spool_t;
files_type(plymouthd_spool_t)
type plymouthd_var_lib_t;
files_type(plymouthd_var_lib_t)
type plymouthd_var_run_t;
files_pid_file(plymouthd_var_run_t)
########################################
#
# Plymouthd private policy
#
allow plymouthd_t self:capability { sys_admin sys_tty_config };
dontaudit plymouthd_t self:capability dac_override;
allow plymouthd_t self:process signal;
allow plymouthd_t self:fifo_file rw_fifo_file_perms;
allow plymouthd_t self:unix_stream_socket create_stream_socket_perms;
manage_dirs_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t)
manage_files_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t)
manage_sock_files_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t)
files_spool_filetrans(plymouthd_t, plymouthd_spool_t, { file dir sock_file })
manage_dirs_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t)
manage_files_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t)
files_var_lib_filetrans(plymouthd_t, plymouthd_var_lib_t, { file dir })
manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
manage_files_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
files_pid_filetrans(plymouthd_t, plymouthd_var_run_t, { file dir })
kernel_read_system_state(plymouthd_t)
kernel_request_load_module(plymouthd_t)
kernel_change_ring_buffer_level(plymouthd_t)
dev_rw_dri(plymouthd_t)
dev_read_sysfs(plymouthd_t)
dev_read_framebuffer(plymouthd_t)
dev_write_framebuffer(plymouthd_t)
domain_use_interactive_fds(plymouthd_t)
files_read_etc_files(plymouthd_t)
files_read_usr_files(plymouthd_t)
miscfiles_read_localization(plymouthd_t)
miscfiles_read_fonts(plymouthd_t)
miscfiles_manage_fonts_cache(plymouthd_t)
########################################
#
# Plymouth private policy
#
allow plymouth_t self:process signal;
allow plymouth_t self:fifo_file rw_file_perms;
allow plymouth_t self:unix_stream_socket create_stream_socket_perms;
kernel_read_system_state(plymouth_t)
domain_use_interactive_fds(plymouth_t)
files_read_etc_files(plymouth_t)
term_use_ptmx(plymouth_t)
miscfiles_read_localization(plymouth_t)
sysnet_read_config(plymouth_t)
plymouthd_stream_connect(plymouth_t)
ifdef(`hide_broken_symptoms', `
optional_policy(`
hal_dontaudit_write_log(plymouth_t)
hal_dontaudit_rw_pipes(plymouth_t)
')
')
optional_policy(`
lvm_domtrans(plymouth_t)
')
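Review bot: In the plymouth client rules, `allow plymouth_t self:fifo_file rw_file_perms;` applies the regular-file permission set to the fifo class, while the daemon's matching rule uses `rw_fifo_file_perms`; the client line should be `allow plymouth_t self:fifo_file rw_fifo_file_perms;`. The two widest grants in this section, `allow plymouthd_t self:capability { sys_admin sys_tty_config };` and the closing `lvm_domtrans(plymouth_t)`, carry no explanation, so a one-line comment on each naming the operation that needs it would make later least-privilege audits much easier. The `dontaudit plymouthd_t self:capability dac_override;` line also hides denials that may be the only trace of a file-permission problem during boot, which deserves a short comment saying why it is silenced rather than fixed.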