add games, bug 1386
This commit is contained in:
parent
b67fafc20c
commit
fbc0a2728d
@ -15,6 +15,7 @@
|
||||
dpkg (Erich Schubert)
|
||||
ethereal
|
||||
evolution
|
||||
games
|
||||
mozilla
|
||||
mplayer
|
||||
rhgb
|
||||
|
@ -388,6 +388,14 @@ gen_tunable(cdrecord_read_content,false)
|
||||
## </desc>
|
||||
gen_tunable(cron_can_relabel,false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## force to games to run in user_t
|
||||
## mapping executable (text relocation).
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(disable_games_trans,false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Disable transitions to evolution domains.
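Review bot: The description attached to `gen_tunable(disable_games_trans,false)` reads `## force to games to run in user_t` / `## mapping executable (text relocation).`, which is the execmem-style wording from another boolean and does not describe what this one does; in games.if the only use of the tunable is to gate `domain_auto_trans($2, games_exec_t, $1_games_t)`. Replace the two lines with `## Disable transitions to games domains.` so it reads like the evolution entry that immediately follows. A misleading description here is what an administrator sees in `semanage boolean -l`, so it is worth fixing before this lands.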
|
||||
|
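--- a/refpolicy/policy/modules/apps/games.fc
+++ b/refpolicy/policy/modules/apps/games.fc
@@ -0,0 +1,67 @@
+#
+# /usr
+#
+/usr/lib/games(/.*)? gen_context(system_u:object_r:games_exec_t,s0)
+
+#
+# /var
+#
+/var/lib/games(/.*)? gen_context(system_u:object_r:games_data_t,s0)
+
+ifdef(`distro_debian', `
+/usr/games/.* -- gen_context(system_u:object_r:games_exec_t,s0)
+/var/games(/.*)? gen_context(system_u:object_r:games_data_t,s0)
+', `
+/usr/bin/micq -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/blackjack -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/gataxx -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/glines -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/gnect -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/gnibbles -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/gnobots2 -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/gnome-stones -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/gnomine -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/gnotravex -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/gnotski -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/gtali -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/iagno -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/mahjongg -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/same-gnome -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/sol -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/atlantik -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kasteroids -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/katomic -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kbackgammon -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kbattleship -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kblackbox -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kbounce -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kenolaba -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kfouleggs -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kgoldrunner -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kjumpingcube -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/klickety -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/klines -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kmahjongg -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kmines -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kolf -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/konquest -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kpat -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kpoker -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kreversi -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/ksame -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kshisen -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/ksirtet -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/ksmiletris -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/ksnake -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/ksokoban -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kspaceduel -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/ktron -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/ktuberling -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kwin4 -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kwin4proc -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/lskat -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/lskatproc -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/Maelstrom -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/civclient.* -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/civserver.* -- gen_context(system_u:object_r:games_exec_t,s0)
+')dnl end non-Debian section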
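Review bot: `/usr/bin/micq` sits in the non-Debian list between the GNOME and KDE games, but as far as I know micq is an ICQ instant-messaging client rather than a game; labelling it games_exec_t drops a network chat client into the per-user games domain, which games.if gives connect/bind on generic ports and sendrecv on all ports. If that placement is deliberate (confining it somewhere rather than nowhere), a comment above the line such as `# micq is not a game; confined here for lack of a better domain` would keep the next reader from treating it as a paste error; otherwise it belongs in its own module. Note also that `/usr/lib/games(/.*)?` labels every file under that tree, data included, as games_exec_t — presumably intended, but it means a game's writable data must live under /var/lib/games or /var/games to be games_data_t.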
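--- a/refpolicy/policy/modules/apps/games.if
+++ b/refpolicy/policy/modules/apps/games.if
@@ -0,0 +1,174 @@
+## <summary>Games</summary>
+
+#######################################
+## <summary>
+## The per user domain template for the games module.
+## </summary>
+## <desc>
+## <p>
+## This template creates a derived domains which are used
+## for games.
+## </p>
+## <p>
+## This template is invoked automatically for each user, and
+## generally does not need to be invoked directly
+## by policy writers.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+#
+template(`games_per_userdomain_template',`
+
+########################################
+#
+# Declarations
+#
+
+type $1_games_t;
+domain_type($1_games_t)
+role $3 types $1_games_t;
+
+type $1_games_devpts_t;
+term_pty($1_games_devpts_t)
+
+type $1_games_tmpfs_t;
+files_tmpfs_file($1_games_tmpfs_t)
+
+type $1_games_tmp_t;
+files_tmp_file($1_games_tmp_t)
+
+########################################
+#
+# Local policy
+#
+
+allow $1_games_t self:sem create_sem_perms;
+allow $1_games_t self:tcp_socket create_stream_socket_perms;
+allow $1_games_t self:udp_socket create_socket_perms;
+allow $1_games_t self:tcp_socket { connectto sendto recvfrom };
+allow $1_games_t self:tcp_socket { acceptfrom recvfrom };
+
+allow $1_games_t $1_games_tmpfs_t:dir rw_dir_perms;
+allow $1_games_t $1_games_tmpfs_t:file manage_file_perms;
+allow $1_games_t $1_games_tmpfs_t:lnk_file create_lnk_perms;
+allow $1_games_t $1_games_tmpfs_t:sock_file manage_file_perms;
+allow $1_games_t $1_games_tmpfs_t:fifo_file manage_file_perms;
+fs_tmpfs_filetrans($1_games_t,$1_games_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
+allow $1_games_t $1_games_tmp_t:dir manage_dir_perms;
+allow $1_games_t $1_games_tmp_t:file manage_file_perms;
+files_tmp_filetrans($1_games_t, $1_games_tmp_t, { file dir })
+
+allow $1_games_t $1_games_devpts_t:chr_file { rw_file_perms setattr };
+term_create_pty($1_games_t,$1_games_devpts_t)
+
+allow $1_games_t games_data_t:dir rw_dir_perms;
+allow $1_games_t games_data_t:file manage_file_perms;
+allow $1_games_t games_data_t:lnk_file create_lnk_perms;
+
+can_exec($1_games_t, games_exec_t)
+
+allow $2 $1_games_t:unix_stream_socket connectto;
+allow $1_games_t $2:unix_stream_socket connectto;
+
+kernel_tcp_recvfrom($1_games_t)
+kernel_tcp_recvfrom($1_games_t)
+kernel_read_system_state($1_games_t)
+
+corecmd_exec_bin($1_games_t)
+corecmd_exec_sbin($1_games_t)
+
+corenet_tcp_sendrecv_generic_if($1_games_t)
+corenet_udp_sendrecv_generic_if($1_games_t)
+corenet_raw_sendrecv_generic_if($1_games_t)
+corenet_tcp_sendrecv_all_nodes($1_games_t)
+corenet_udp_sendrecv_all_nodes($1_games_t)
+corenet_raw_sendrecv_all_nodes($1_games_t)
+corenet_tcp_sendrecv_all_ports($1_games_t)
+corenet_udp_sendrecv_all_ports($1_games_t)
+corenet_non_ipsec_sendrecv($1_games_t)
+corenet_tcp_bind_all_nodes($1_games_t)
+corenet_udp_bind_all_nodes($1_games_t)
+corenet_tcp_bind_generic_port($1_games_t)
+corenet_tcp_connect_generic_port($1_games_t)
+
+dev_read_sound($1_games_t)
+dev_write_sound($1_games_t)
+dev_read_input($1_games_t)
+dev_read_mouse($1_games_t)
+dev_read_urand($1_games_t)
+
+files_list_var($1_games_t)
+files_search_var_lib($1_games_t)
+files_dontaudit_search_var($1_games_t)
+files_read_etc_files($1_games_t)
+files_read_usr_files($1_games_t)
+files_read_var_files($1_games_t)
+
+init_dontaudit_rw_utmp($1_games_t)
+
+logging_dontaudit_search_logs($1_games_t)
+
+libs_use_shared_libs($1_games_t)
+libs_use_ld_so($1_games_t)
+
+miscfiles_read_man_pages($1_games_t)
+miscfiles_read_localization($1_games_t)
+
+sysnet_read_config($1_games_t)
+
+userdom_manage_user_tmp_dirs($1,$1_games_t)
+userdom_manage_user_tmp_files($1,$1_games_t)
+userdom_manage_user_tmp_symlinks($1,$1_games_t)
+userdom_manage_user_tmp_sockets($1,$1_games_t)
+# Suppress .icons denial until properly implemented
+userdom_dontaudit_read_user_home_content_files($1,$1_games_t)
+
+# Type transition
+tunable_policy(`!disable_games_trans',`
+domain_auto_trans($2, games_exec_t, $1_games_t)
+')
+
+tunable_policy(`allow_execmem',`
+allow $1_games_t self:process execmem;
+')
+
+optional_policy(`nscd',`
+nscd_socket_use($1_games_t)
+')
+
+optional_policy(`xserver',`
+xserver_user_client_template($1,$1_games_t,$1_games_tmpfs_t)
+xserver_create_xdm_tmp_sockets($1_games_t)
+xserver_read_xdm_lib_files($1_games_t)
+')
+
+ifdef(`TODO',`
+gnome_application($1_games, $1)
+gnome_file_dialog($1_games, $1)
+# Access /home/user/.gnome2
+# FIXME: Change to use per app types
+allow $1_games_t $1_gnome_settings_t:dir create_dir_perms;
+allow $1_games_t $1_gnome_settings_t:file create_file_perms;
+allow $1_games_t $1_gnome_settings_t:lnk_file create_lnk_perms;
+#missing policy
+optional_policy(`mozilla', `
+dontaudit $1_games_t $1_mozilla_t:unix_stream_socket connectto;
+')
+')
+')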
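Review bot: `corenet_raw_sendrecv_generic_if($1_games_t)` and `corenet_raw_sendrecv_all_nodes($1_games_t)` are granted, but the only socket classes the template lets the domain create are `self:tcp_socket` and `self:udp_socket` (the first allow rules under "Local policy"), so with no `self:rawip_socket` create rule the two raw lines are presumably dead and should be dropped rather than left as an invitation to widen the domain later. `kernel_tcp_recvfrom($1_games_t)` is listed twice, and `recvfrom` appears in both of the extra `self:tcp_socket` allow lines; one copy of each is enough. Nothing in the template grants use of the invoking user's own pty or tty, so a curses game started from a shell — the Debian `/usr/games/.*` case in games.fc — would presumably be denied read/write on the inherited terminal; if that is meant to work, `userdom_use_user_terminals($1,$1_games_t)` (or whatever equivalent this tree provides) belongs with the other userdom_ calls. Finally, `corecmd_exec_sbin` lets every per-user games domain run anything in /sbin and /usr/sbin in its own domain; unless a specific game needs it, `corecmd_exec_bin` alone keeps the domain closer to what games actually do.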
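--- a/refpolicy/policy/modules/apps/games.te
+++ b/refpolicy/policy/modules/apps/games.te
@@ -0,0 +1,84 @@
+
+policy_module(games,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type games_data_t;
+files_type(games_data_t)
+
+# games_t is for system operation of games, generic games daemons and
+# games recovery scripts
+type games_t;
+type games_exec_t;
+init_system_domain(games_t,games_exec_t)
+
+type games_var_run_t;
+files_pid_file(games_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+dontaudit games_t self:capability sys_tty_config;
+allow games_t self:process signal_perms;
+
+allow games_t games_data_t:dir rw_dir_perms;
+allow games_t games_data_t:file manage_file_perms;
+allow games_t games_data_t:lnk_file create_lnk_perms;
+
+allow games_t games_var_run_t:file manage_file_perms;
+allow games_t games_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(games_t,games_var_run_t,file)
+
+can_exec(games_t,games_exec_t)
+
+kernel_read_kernel_sysctls(games_t)
+kernel_list_proc(games_t)
+kernel_read_proc_symlinks(games_t)
+
+dev_read_sysfs(games_t)
+
+fs_getattr_all_fs(games_t)
+fs_search_auto_mountpoints(games_t)
+
+term_dontaudit_use_console(games_t)
+
+domain_use_interactive_fds(games_t)
+
+init_use_fds(games_t)
+init_use_script_ptys(games_t)
+
+libs_use_ld_so(games_t)
+libs_use_shared_libs(games_t)
+
+logging_send_syslog_msg(games_t)
+
+miscfiles_read_localization(games_t)
+
+userdom_dontaudit_use_unpriv_user_fds(games_t)
+userdom_dontaudit_search_sysadm_home_dirs(games_t)
+
+ifdef(`targeted_policy', `
+term_dontaudit_use_unallocated_ttys(games_t)
+term_dontaudit_use_generic_ptys(games_t)
+files_dontaudit_read_root_files(games_t)
+')
+
+optional_policy(`selinuxutil',`
+seutil_sigchld_newrole(games_t)
+')
+
+optional_policy(`udev',`
+udev_read_db(games_t)
+')
+
+ifdef(`TODO',`
+#WHY!!!
+#allow initrc_t games_data_t:dir r_dir_perms;
+#allow initrc_t games_data_t:file r_file_perms;
+#allow initrc_t games_data_t:lnk_file { getattr read };
+')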
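Review bot: The header comment says games_t covers "generic games daemons", but the domain has no corenet_ rule and no `self:tcp_socket`/`self:udp_socket` rule at all, so anything labeled games_exec_t that init starts (games.fc labels `/usr/bin/civserver.*` that way on non-Debian systems) runs in games_t without being able to open a socket. Either narrow the comment to what the domain supports — `# games_t is for system operation of games and games recovery scripts; it has no network access` — or add the network rules deliberately instead of discovering them through denials. `games_var_run_t` is declared and reached only through `files_pid_filetrans(games_t,games_var_run_t,file)`; games.fc has no /var/run entry for it, so a relabel would presumably turn any existing pid file back into var_run_t and the domain could no longer manage it. If there is a real path (e.g. `/var/run/games(/.*)?`), a matching line in games.fc keeps the two in step.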
@ -711,6 +711,24 @@ interface(`xserver_read_xdm_pid',`
|
||||
allow $1 xdm_var_run_t:file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read XDM var lib files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`xserver_read_xdm_lib_files',`
|
||||
gen_require(`
|
||||
type xdm_var_lib_t;
|
||||
')
|
||||
|
||||
allow $1 xdm_var_lib_t:file { getattr read };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute the X server in the XDM X server domain.
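Review bot: `xserver_read_xdm_lib_files` grants only `xdm_var_lib_t:file { getattr read }` and nothing on `xdm_var_lib_t:dir`, so a caller cannot traverse the directory to reach those files unless it already holds search on it from some other rule; the games template that consumes this interface has `files_search_var_lib` for /var/lib but nothing for the xdm directory itself. Adding `allow $1 xdm_var_lib_t:dir search;` next to the file rule makes the interface self-sufficient. The neighbouring `xserver_read_xdm_pid` has the same file-only shape, so this may be the tree's convention at this point; if so, a one-line comment noting that directory search is expected from elsewhere would avoid the question coming up again. The enclosing file continues beyond this hunk.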
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(xserver,1.1.0)
|
||||
policy_module(xserver,1.1.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -165,6 +165,24 @@ interface(`logging_search_logs',`
|
||||
allow $1 var_log_t:dir search;
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Do not audit attempts to search the var log directory.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain not to audit.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`logging_dontaudit_search_logs',`
|
||||
gen_require(`
|
||||
type var_log_t;
|
||||
')
|
||||
|
||||
dontaudit $1 var_log_t:dir search;
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## List the contents of the generic log directory (/var/log).
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(logging,1.3.0)
|
||||
policy_module(logging,1.3.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
|