add games, bug 1386

This commit is contained in:
Chris PeBenito 2006-03-21 18:07:53 +00:00
parent b67fafc20c
commit fbc0a2728d
9 changed files with 372 additions and 2 deletions

View File

@ -15,6 +15,7 @@
dpkg (Erich Schubert) dpkg (Erich Schubert)
ethereal ethereal
evolution evolution
games
mozilla mozilla
mplayer mplayer
rhgb rhgb

View File

@ -388,6 +388,14 @@ gen_tunable(cdrecord_read_content,false)
## </desc> ## </desc>
gen_tunable(cron_can_relabel,false) gen_tunable(cron_can_relabel,false)
## <desc>
## <p>
## force to games to run in user_t
## mapping executable (text relocation).
## </p>
## </desc>
gen_tunable(disable_games_trans,false)
## <desc> ## <desc>
## <p> ## <p>
## Disable transitions to evolution domains. ## Disable transitions to evolution domains.

View File

@ -0,0 +1,67 @@
#
# /usr
#
/usr/lib/games(/.*)? gen_context(system_u:object_r:games_exec_t,s0)
#
# /var
#
/var/lib/games(/.*)? gen_context(system_u:object_r:games_data_t,s0)
ifdef(`distro_debian', `
/usr/games/.* -- gen_context(system_u:object_r:games_exec_t,s0)
/var/games(/.*)? gen_context(system_u:object_r:games_data_t,s0)
', `
/usr/bin/micq -- gen_context(system_u:object_r:games_exec_t,s0)
/usr/bin/blackjack -- gen_context(system_u:object_r:games_exec_t,s0)
/usr/bin/gataxx -- gen_context(system_u:object_r:games_exec_t,s0)
/usr/bin/glines -- gen_context(system_u:object_r:games_exec_t,s0)
/usr/bin/gnect -- gen_context(system_u:object_r:games_exec_t,s0)
/usr/bin/gnibbles -- gen_context(system_u:object_r:games_exec_t,s0)
/usr/bin/gnobots2 -- gen_context(system_u:object_r:games_exec_t,s0)
/usr/bin/gnome-stones -- gen_context(system_u:object_r:games_exec_t,s0)
/usr/bin/gnomine -- gen_context(system_u:object_r:games_exec_t,s0)
/usr/bin/gnotravex -- gen_context(system_u:object_r:games_exec_t,s0)
/usr/bin/gnotski -- gen_context(system_u:object_r:games_exec_t,s0)
/usr/bin/gtali -- gen_context(system_u:object_r:games_exec_t,s0)
/usr/bin/iagno -- gen_context(system_u:object_r:games_exec_t,s0)
/usr/bin/mahjongg -- gen_context(system_u:object_r:games_exec_t,s0)
/usr/bin/same-gnome -- gen_context(system_u:object_r:games_exec_t,s0)
/usr/bin/sol -- gen_context(system_u:object_r:games_exec_t,s0)
/usr/bin/atlantik -- gen_context(system_u:object_r:games_exec_t,s0)
/usr/bin/kasteroids -- gen_context(system_u:object_r:games_exec_t,s0)
/usr/bin/katomic -- gen_context(system_u:object_r:games_exec_t,s0)
/usr/bin/kbackgammon -- gen_context(system_u:object_r:games_exec_t,s0)
/usr/bin/kbattleship -- gen_context(system_u:object_r:games_exec_t,s0)
/usr/bin/kblackbox -- gen_context(system_u:object_r:games_exec_t,s0)
/usr/bin/kbounce -- gen_context(system_u:object_r:games_exec_t,s0)
/usr/bin/kenolaba -- gen_context(system_u:object_r:games_exec_t,s0)
/usr/bin/kfouleggs -- gen_context(system_u:object_r:games_exec_t,s0)
/usr/bin/kgoldrunner -- gen_context(system_u:object_r:games_exec_t,s0)
/usr/bin/kjumpingcube -- gen_context(system_u:object_r:games_exec_t,s0)
/usr/bin/klickety -- gen_context(system_u:object_r:games_exec_t,s0)
/usr/bin/klines -- gen_context(system_u:object_r:games_exec_t,s0)
/usr/bin/kmahjongg -- gen_context(system_u:object_r:games_exec_t,s0)
/usr/bin/kmines -- gen_context(system_u:object_r:games_exec_t,s0)
/usr/bin/kolf -- gen_context(system_u:object_r:games_exec_t,s0)
/usr/bin/konquest -- gen_context(system_u:object_r:games_exec_t,s0)
/usr/bin/kpat -- gen_context(system_u:object_r:games_exec_t,s0)
/usr/bin/kpoker -- gen_context(system_u:object_r:games_exec_t,s0)
/usr/bin/kreversi -- gen_context(system_u:object_r:games_exec_t,s0)
/usr/bin/ksame -- gen_context(system_u:object_r:games_exec_t,s0)
/usr/bin/kshisen -- gen_context(system_u:object_r:games_exec_t,s0)
/usr/bin/ksirtet -- gen_context(system_u:object_r:games_exec_t,s0)
/usr/bin/ksmiletris -- gen_context(system_u:object_r:games_exec_t,s0)
/usr/bin/ksnake -- gen_context(system_u:object_r:games_exec_t,s0)
/usr/bin/ksokoban -- gen_context(system_u:object_r:games_exec_t,s0)
/usr/bin/kspaceduel -- gen_context(system_u:object_r:games_exec_t,s0)
/usr/bin/ktron -- gen_context(system_u:object_r:games_exec_t,s0)
/usr/bin/ktuberling -- gen_context(system_u:object_r:games_exec_t,s0)
/usr/bin/kwin4 -- gen_context(system_u:object_r:games_exec_t,s0)
/usr/bin/kwin4proc -- gen_context(system_u:object_r:games_exec_t,s0)
/usr/bin/lskat -- gen_context(system_u:object_r:games_exec_t,s0)
/usr/bin/lskatproc -- gen_context(system_u:object_r:games_exec_t,s0)
/usr/bin/Maelstrom -- gen_context(system_u:object_r:games_exec_t,s0)
/usr/bin/civclient.* -- gen_context(system_u:object_r:games_exec_t,s0)
/usr/bin/civserver.* -- gen_context(system_u:object_r:games_exec_t,s0)
')dnl end non-Debian section

View File

@ -0,0 +1,174 @@
## <summary>Games</summary>
#######################################
## <summary>
## The per user domain template for the games module.
## </summary>
## <desc>
## <p>
## This template creates a derived domains which are used
## for games.
## </p>
## <p>
## This template is invoked automatically for each user, and
## generally does not need to be invoked directly
## by policy writers.
## </p>
## </desc>
## <param name="userdomain_prefix">
## <summary>
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </summary>
## </param>
## <param name="user_domain">
## <summary>
## The type of the user domain.
## </summary>
## </param>
## <param name="user_role">
## <summary>
## The role associated with the user domain.
## </summary>
## </param>
#
template(`games_per_userdomain_template',`
########################################
#
# Declarations
#
type $1_games_t;
domain_type($1_games_t)
role $3 types $1_games_t;
type $1_games_devpts_t;
term_pty($1_games_devpts_t)
type $1_games_tmpfs_t;
files_tmpfs_file($1_games_tmpfs_t)
type $1_games_tmp_t;
files_tmp_file($1_games_tmp_t)
########################################
#
# Local policy
#
allow $1_games_t self:sem create_sem_perms;
allow $1_games_t self:tcp_socket create_stream_socket_perms;
allow $1_games_t self:udp_socket create_socket_perms;
allow $1_games_t self:tcp_socket { connectto sendto recvfrom };
allow $1_games_t self:tcp_socket { acceptfrom recvfrom };
allow $1_games_t $1_games_tmpfs_t:dir rw_dir_perms;
allow $1_games_t $1_games_tmpfs_t:file manage_file_perms;
allow $1_games_t $1_games_tmpfs_t:lnk_file create_lnk_perms;
allow $1_games_t $1_games_tmpfs_t:sock_file manage_file_perms;
allow $1_games_t $1_games_tmpfs_t:fifo_file manage_file_perms;
fs_tmpfs_filetrans($1_games_t,$1_games_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
allow $1_games_t $1_games_tmp_t:dir manage_dir_perms;
allow $1_games_t $1_games_tmp_t:file manage_file_perms;
files_tmp_filetrans($1_games_t, $1_games_tmp_t, { file dir })
allow $1_games_t $1_games_devpts_t:chr_file { rw_file_perms setattr };
term_create_pty($1_games_t,$1_games_devpts_t)
allow $1_games_t games_data_t:dir rw_dir_perms;
allow $1_games_t games_data_t:file manage_file_perms;
allow $1_games_t games_data_t:lnk_file create_lnk_perms;
can_exec($1_games_t, games_exec_t)
allow $2 $1_games_t:unix_stream_socket connectto;
allow $1_games_t $2:unix_stream_socket connectto;
kernel_tcp_recvfrom($1_games_t)
kernel_tcp_recvfrom($1_games_t)
kernel_read_system_state($1_games_t)
corecmd_exec_bin($1_games_t)
corecmd_exec_sbin($1_games_t)
corenet_tcp_sendrecv_generic_if($1_games_t)
corenet_udp_sendrecv_generic_if($1_games_t)
corenet_raw_sendrecv_generic_if($1_games_t)
corenet_tcp_sendrecv_all_nodes($1_games_t)
corenet_udp_sendrecv_all_nodes($1_games_t)
corenet_raw_sendrecv_all_nodes($1_games_t)
corenet_tcp_sendrecv_all_ports($1_games_t)
corenet_udp_sendrecv_all_ports($1_games_t)
corenet_non_ipsec_sendrecv($1_games_t)
corenet_tcp_bind_all_nodes($1_games_t)
corenet_udp_bind_all_nodes($1_games_t)
corenet_tcp_bind_generic_port($1_games_t)
corenet_tcp_connect_generic_port($1_games_t)
dev_read_sound($1_games_t)
dev_write_sound($1_games_t)
dev_read_input($1_games_t)
dev_read_mouse($1_games_t)
dev_read_urand($1_games_t)
files_list_var($1_games_t)
files_search_var_lib($1_games_t)
files_dontaudit_search_var($1_games_t)
files_read_etc_files($1_games_t)
files_read_usr_files($1_games_t)
files_read_var_files($1_games_t)
init_dontaudit_rw_utmp($1_games_t)
logging_dontaudit_search_logs($1_games_t)
libs_use_shared_libs($1_games_t)
libs_use_ld_so($1_games_t)
miscfiles_read_man_pages($1_games_t)
miscfiles_read_localization($1_games_t)
sysnet_read_config($1_games_t)
userdom_manage_user_tmp_dirs($1,$1_games_t)
userdom_manage_user_tmp_files($1,$1_games_t)
userdom_manage_user_tmp_symlinks($1,$1_games_t)
userdom_manage_user_tmp_sockets($1,$1_games_t)
# Suppress .icons denial until properly implemented
userdom_dontaudit_read_user_home_content_files($1,$1_games_t)
# Type transition
tunable_policy(`!disable_games_trans',`
domain_auto_trans($2, games_exec_t, $1_games_t)
')
tunable_policy(`allow_execmem',`
allow $1_games_t self:process execmem;
')
optional_policy(`nscd',`
nscd_socket_use($1_games_t)
')
optional_policy(`xserver',`
xserver_user_client_template($1,$1_games_t,$1_games_tmpfs_t)
xserver_create_xdm_tmp_sockets($1_games_t)
xserver_read_xdm_lib_files($1_games_t)
')
ifdef(`TODO',`
gnome_application($1_games, $1)
gnome_file_dialog($1_games, $1)
# Access /home/user/.gnome2
# FIXME: Change to use per app types
allow $1_games_t $1_gnome_settings_t:dir create_dir_perms;
allow $1_games_t $1_gnome_settings_t:file create_file_perms;
allow $1_games_t $1_gnome_settings_t:lnk_file create_lnk_perms;
#missing policy
optional_policy(`mozilla', `
dontaudit $1_games_t $1_mozilla_t:unix_stream_socket connectto;
')
')
')

View File

@ -0,0 +1,84 @@
policy_module(games,1.0.0)
########################################
#
# Declarations
#
type games_data_t;
files_type(games_data_t)
# games_t is for system operation of games, generic games daemons and
# games recovery scripts
type games_t;
type games_exec_t;
init_system_domain(games_t,games_exec_t)
type games_var_run_t;
files_pid_file(games_var_run_t)
########################################
#
# Local policy
#
dontaudit games_t self:capability sys_tty_config;
allow games_t self:process signal_perms;
allow games_t games_data_t:dir rw_dir_perms;
allow games_t games_data_t:file manage_file_perms;
allow games_t games_data_t:lnk_file create_lnk_perms;
allow games_t games_var_run_t:file manage_file_perms;
allow games_t games_var_run_t:dir rw_dir_perms;
files_pid_filetrans(games_t,games_var_run_t,file)
can_exec(games_t,games_exec_t)
kernel_read_kernel_sysctls(games_t)
kernel_list_proc(games_t)
kernel_read_proc_symlinks(games_t)
dev_read_sysfs(games_t)
fs_getattr_all_fs(games_t)
fs_search_auto_mountpoints(games_t)
term_dontaudit_use_console(games_t)
domain_use_interactive_fds(games_t)
init_use_fds(games_t)
init_use_script_ptys(games_t)
libs_use_ld_so(games_t)
libs_use_shared_libs(games_t)
logging_send_syslog_msg(games_t)
miscfiles_read_localization(games_t)
userdom_dontaudit_use_unpriv_user_fds(games_t)
userdom_dontaudit_search_sysadm_home_dirs(games_t)
ifdef(`targeted_policy', `
term_dontaudit_use_unallocated_ttys(games_t)
term_dontaudit_use_generic_ptys(games_t)
files_dontaudit_read_root_files(games_t)
')
optional_policy(`selinuxutil',`
seutil_sigchld_newrole(games_t)
')
optional_policy(`udev',`
udev_read_db(games_t)
')
ifdef(`TODO',`
#WHY!!!
#allow initrc_t games_data_t:dir r_dir_perms;
#allow initrc_t games_data_t:file r_file_perms;
#allow initrc_t games_data_t:lnk_file { getattr read };
')

View File

@ -711,6 +711,24 @@ interface(`xserver_read_xdm_pid',`
allow $1 xdm_var_run_t:file r_file_perms; allow $1 xdm_var_run_t:file r_file_perms;
') ')
########################################
## <summary>
## Read XDM var lib files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`xserver_read_xdm_lib_files',`
gen_require(`
type xdm_var_lib_t;
')
allow $1 xdm_var_lib_t:file { getattr read };
')
######################################## ########################################
## <summary> ## <summary>
## Execute the X server in the XDM X server domain. ## Execute the X server in the XDM X server domain.

View File

@ -1,5 +1,5 @@
policy_module(xserver,1.1.0) policy_module(xserver,1.1.1)
######################################## ########################################
# #

View File

@ -165,6 +165,24 @@ interface(`logging_search_logs',`
allow $1 var_log_t:dir search; allow $1 var_log_t:dir search;
') ')
#######################################
## <summary>
## Do not audit attempts to search the var log directory.
## </summary>
## <param name="domain">
## <summary>
## Domain not to audit.
## </summary>
## </param>
#
interface(`logging_dontaudit_search_logs',`
gen_require(`
type var_log_t;
')
dontaudit $1 var_log_t:dir search;
')
####################################### #######################################
## <summary> ## <summary>
## List the contents of the generic log directory (/var/log). ## List the contents of the generic log directory (/var/log).

View File

@ -1,5 +1,5 @@
policy_module(logging,1.3.0) policy_module(logging,1.3.1)
######################################## ########################################
# #