Plymouthd policy from Dan Walsh.
This commit is contained in:
parent
b0c2cae14a
commit
e9e43f04b3
@ -8,6 +8,7 @@
|
|||||||
denyhosts (Dan Walsh)
|
denyhosts (Dan Walsh)
|
||||||
nut (Stefan Schulze Frielinghaus, Miroslav Grepl)
|
nut (Stefan Schulze Frielinghaus, Miroslav Grepl)
|
||||||
likewise (Scott Salley)
|
likewise (Scott Salley)
|
||||||
|
plymouthd (Dan Walsh)
|
||||||
pyicqt (Stefan Schulze Frielinghaus)
|
pyicqt (Stefan Schulze Frielinghaus)
|
||||||
sectoolm (Miroslav Grepl)
|
sectoolm (Miroslav Grepl)
|
||||||
usbmuxd (Dan Walsh)
|
usbmuxd (Dan Walsh)
|
||||||
|
7
policy/modules/services/plymouthd.fc
Normal file
7
policy/modules/services/plymouthd.fc
Normal file
@ -0,0 +1,7 @@
|
|||||||
|
/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t,s0)
|
||||||
|
|
||||||
|
/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0)
|
||||||
|
|
||||||
|
/var/lib/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_lib_t,s0)
|
||||||
|
/var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t,s0)
|
||||||
|
/var/spool/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_spool_t,s0)
|
260
policy/modules/services/plymouthd.if
Normal file
260
policy/modules/services/plymouthd.if
Normal file
@ -0,0 +1,260 @@
|
|||||||
|
## <summary>Plymouth graphical boot</summary>
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Execute a domain transition to run plymouthd.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed to transition.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`plymouthd_domtrans', `
|
||||||
|
gen_require(`
|
||||||
|
type plymouthd_t, plymouthd_exec_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
domtrans_pattern($1, plymouthd_exec_t, plymouthd_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Execute the plymoth daemon in the current domain
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`plymouthd_exec', `
|
||||||
|
gen_require(`
|
||||||
|
type plymouthd_exec_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
can_exec($1, plymouthd_exec_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Allow domain to Stream socket connect
|
||||||
|
## to Plymouth daemon.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`plymouthd_stream_connect', `
|
||||||
|
gen_require(`
|
||||||
|
type plymouthd_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 plymouthd_t:unix_stream_socket connectto;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Execute the plymoth command in the current domain
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`plymouthd_exec_plymouth', `
|
||||||
|
gen_require(`
|
||||||
|
type plymouth_exec_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
can_exec($1, plymouth_exec_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Execute a domain transition to run plymouthd.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed to transition.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`plymouthd_domtrans_plymouth', `
|
||||||
|
gen_require(`
|
||||||
|
type plymouth_t, plymouth_exec_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
domtrans_pattern($1, plymouth_exec_t, plymouth_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Search plymouthd spool directories.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`plymouthd_search_spool', `
|
||||||
|
gen_require(`
|
||||||
|
type plymouthd_spool_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 plymouthd_spool_t:dir search_dir_perms;
|
||||||
|
files_search_spool($1)
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Read plymouthd spool files.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`plymouthd_read_spool_files', `
|
||||||
|
gen_require(`
|
||||||
|
type plymouthd_spool_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
files_search_spool($1)
|
||||||
|
read_files_pattern($1, plymouthd_spool_t, plymouthd_spool_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Create, read, write, and delete
|
||||||
|
## plymouthd spool files.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`plymouthd_manage_spool_files', `
|
||||||
|
gen_require(`
|
||||||
|
type plymouthd_spool_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
files_search_spool($1)
|
||||||
|
manage_files_pattern($1, plymouthd_spool_t, plymouthd_spool_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Search plymouthd lib directories.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`plymouthd_search_lib', `
|
||||||
|
gen_require(`
|
||||||
|
type plymouthd_var_lib_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 plymouthd_var_lib_t:dir search_dir_perms;
|
||||||
|
files_search_var_lib($1)
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Read plymouthd lib files.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`plymouthd_read_lib_files', `
|
||||||
|
gen_require(`
|
||||||
|
type plymouthd_var_lib_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
files_search_var_lib($1)
|
||||||
|
read_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Create, read, write, and delete
|
||||||
|
## plymouthd lib files.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`plymouthd_manage_lib_files', `
|
||||||
|
gen_require(`
|
||||||
|
type plymouthd_var_lib_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
files_search_var_lib($1)
|
||||||
|
manage_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Read plymouthd PID files.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`plymouthd_read_pid_files', `
|
||||||
|
gen_require(`
|
||||||
|
type plymouthd_var_run_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
files_search_pids($1)
|
||||||
|
allow $1 plymouthd_var_run_t:file read_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## All of the rules required to administrate
|
||||||
|
## an plymouthd environment
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
## <param name="role">
|
||||||
|
## <summary>
|
||||||
|
## Role allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
## <rolecap/>
|
||||||
|
#
|
||||||
|
interface(`plymouthd_admin', `
|
||||||
|
gen_require(`
|
||||||
|
type plymouthd_t, plymouthd_spool_t, plymouthd_var_lib_t;
|
||||||
|
type plymouthd_var_run_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 plymouthd_t:process { ptrace signal_perms getattr };
|
||||||
|
read_files_pattern($1, plymouthd_t, plymouthd_t)
|
||||||
|
|
||||||
|
admin_pattern($1, plymouthd_spool_t)
|
||||||
|
|
||||||
|
admin_pattern($1, plymouthd_var_lib_t)
|
||||||
|
|
||||||
|
admin_pattern($1, plymouthd_var_run_t)
|
||||||
|
')
|
100
policy/modules/services/plymouthd.te
Normal file
100
policy/modules/services/plymouthd.te
Normal file
@ -0,0 +1,100 @@
|
|||||||
|
|
||||||
|
policy_module(plymouthd, 1.0.0)
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# Declarations
|
||||||
|
#
|
||||||
|
|
||||||
|
type plymouth_t;
|
||||||
|
type plymouth_exec_t;
|
||||||
|
application_domain(plymouth_t, plymouth_exec_t)
|
||||||
|
|
||||||
|
type plymouthd_t;
|
||||||
|
type plymouthd_exec_t;
|
||||||
|
init_daemon_domain(plymouthd_t, plymouthd_exec_t)
|
||||||
|
|
||||||
|
type plymouthd_spool_t;
|
||||||
|
files_type(plymouthd_spool_t)
|
||||||
|
|
||||||
|
type plymouthd_var_lib_t;
|
||||||
|
files_type(plymouthd_var_lib_t)
|
||||||
|
|
||||||
|
type plymouthd_var_run_t;
|
||||||
|
files_pid_file(plymouthd_var_run_t)
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# Plymouthd private policy
|
||||||
|
#
|
||||||
|
|
||||||
|
allow plymouthd_t self:capability { sys_admin sys_tty_config };
|
||||||
|
dontaudit plymouthd_t self:capability dac_override;
|
||||||
|
allow plymouthd_t self:process signal;
|
||||||
|
allow plymouthd_t self:fifo_file rw_fifo_file_perms;
|
||||||
|
allow plymouthd_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
|
|
||||||
|
manage_dirs_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t)
|
||||||
|
manage_files_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t)
|
||||||
|
manage_sock_files_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t)
|
||||||
|
files_spool_filetrans(plymouthd_t, plymouthd_spool_t, { file dir sock_file })
|
||||||
|
|
||||||
|
manage_dirs_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t)
|
||||||
|
manage_files_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t)
|
||||||
|
files_var_lib_filetrans(plymouthd_t, plymouthd_var_lib_t, { file dir })
|
||||||
|
|
||||||
|
manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
|
||||||
|
manage_files_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
|
||||||
|
files_pid_filetrans(plymouthd_t, plymouthd_var_run_t, { file dir })
|
||||||
|
|
||||||
|
kernel_read_system_state(plymouthd_t)
|
||||||
|
kernel_request_load_module(plymouthd_t)
|
||||||
|
kernel_change_ring_buffer_level(plymouthd_t)
|
||||||
|
|
||||||
|
dev_rw_dri(plymouthd_t)
|
||||||
|
dev_read_sysfs(plymouthd_t)
|
||||||
|
dev_read_framebuffer(plymouthd_t)
|
||||||
|
dev_write_framebuffer(plymouthd_t)
|
||||||
|
|
||||||
|
domain_use_interactive_fds(plymouthd_t)
|
||||||
|
|
||||||
|
files_read_etc_files(plymouthd_t)
|
||||||
|
files_read_usr_files(plymouthd_t)
|
||||||
|
|
||||||
|
miscfiles_read_localization(plymouthd_t)
|
||||||
|
miscfiles_read_fonts(plymouthd_t)
|
||||||
|
miscfiles_manage_fonts_cache(plymouthd_t)
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# Plymouth private policy
|
||||||
|
#
|
||||||
|
|
||||||
|
allow plymouth_t self:process signal;
|
||||||
|
allow plymouth_t self:fifo_file rw_file_perms;
|
||||||
|
allow plymouth_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
|
|
||||||
|
kernel_read_system_state(plymouth_t)
|
||||||
|
|
||||||
|
domain_use_interactive_fds(plymouth_t)
|
||||||
|
|
||||||
|
files_read_etc_files(plymouth_t)
|
||||||
|
|
||||||
|
term_use_ptmx(plymouth_t)
|
||||||
|
|
||||||
|
miscfiles_read_localization(plymouth_t)
|
||||||
|
|
||||||
|
sysnet_read_config(plymouth_t)
|
||||||
|
|
||||||
|
plymouthd_stream_connect(plymouth_t)
|
||||||
|
|
||||||
|
ifdef(`hide_broken_symptoms', `
|
||||||
|
optional_policy(`
|
||||||
|
hal_dontaudit_write_log(plymouth_t)
|
||||||
|
hal_dontaudit_rw_pipes(plymouth_t)
|
||||||
|
')
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
lvm_domtrans(plymouth_t)
|
||||||
|
')
|
Loading…
Reference in New Issue
Block a user