trunk: 5 patches from dan.

Chris PeBenito 2008-11-19 15:24:10 +00:00
parent 01e9e7dbf5
commit fcee22ad0d
13 changed files with 280 additions and 55 deletions


@ -2,3 +2,5 @@
# /usr
#
/usr/sbin/audio-entropyd -- gen_context(system_u:object_r:entropyd_exec_t,s0)
/var/run/audio-entropyd\.pid -- gen_context(system_u:object_r:entropyd_var_run_t,s0)


@ -1,5 +1,5 @@
policy_module(audio_entropy, 1.4.1)
policy_module(audio_entropy, 1.4.2)
########################################
#
@ -35,6 +35,10 @@ dev_write_urand(entropyd_t)
dev_read_rand(entropyd_t)
dev_write_rand(entropyd_t)
dev_read_sound(entropyd_t)
# set sound card parameters such as
# sample format, number of channels
# and sample rate.
dev_write_sound(entropyd_t)
fs_getattr_all_fs(entropyd_t)
fs_search_auto_mountpoints(entropyd_t)


@ -1,5 +1,9 @@
/etc/rc\.d/init\.d/avahi.* -- gen_context(system_u:object_r:avahi_initrc_exec_t,s0)
/usr/sbin/avahi-daemon -- gen_context(system_u:object_r:avahi_exec_t,s0)
/usr/sbin/avahi-dnsconfd -- gen_context(system_u:object_r:avahi_exec_t,s0)
/usr/sbin/avahi-autoipd -- gen_context(system_u:object_r:avahi_exec_t,s0)
/var/run/avahi-daemon(/.*)? gen_context(system_u:object_r:avahi_var_run_t,s0)
/usr/lib/avahi-autoipd(/.*) gen_context(system_u:object_r:avahi_var_lib_t,s0)
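Review bot: The new `/usr/lib/avahi-autoipd(/.*)` entry has no trailing `?`, unlike the `/var/run/avahi-daemon(/.*)?` line above it. The pattern therefore matches only paths below the directory, and the directory itself keeps its default label. I would write it as `/usr/lib/avahi-autoipd(/.*)? gen_context(system_u:object_r:avahi_var_lib_t,s0)`. The `/usr/lib` prefix also looks inconsistent with a `_var_lib_t` type; if the daemon's state actually lives under `/var/lib`, the path should say so, which is worth confirming against the package.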


@ -1,5 +1,60 @@
## <summary>mDNS/DNS-SD daemon implementing Apple ZeroConf architecture</summary>
########################################
## <summary>
## Execute avahi server in the avahi domain.
## </summary>
## <param name="domain">
## <summary>
## The type of the process performing this action.
## </summary>
## </param>
#
interface(`avahi_domtrans',`
gen_require(`
type avahi_exec_t, avahi_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, avahi_exec_t, avahi_t)
')
########################################
## <summary>
## Send avahi a signal
## </summary>
## <param name="domain">
## <summary>
## The type of the process performing this action.
## </summary>
## </param>
#
interface(`avahi_signal',`
gen_require(`
type avahi_t;
')
allow $1 avahi_t:process signal;
')
########################################
## <summary>
## Send avahi a kill signal.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`avahi_kill',`
gen_require(`
type avahi_t;
')
allow $1 avahi_t:process sigkill;
')
########################################
## <summary>
## Send and receive messages from
@ -57,3 +112,38 @@ interface(`avahi_dontaudit_search_pid',`
dontaudit $1 avahi_var_run_t:dir search_dir_perms;
')
########################################
## <summary>
## All of the rules required to administrate
## an avahi environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed to manage the avahi domain.
## </summary>
## </param>
## <rolecap/>
#
interface(`avahi_admin',`
gen_require(`
type avahi_t, avahi_var_run_t;
type avahi_initrc_exec_t;
')
allow $1 avahi_t:process { ptrace signal_perms };
ps_process_pattern($1, avahi_t)
init_labeled_script_domtrans($1, avahi_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 avahi_initrc_exec_t system_r;
allow $2 system_r;
files_list_pids($1)
admin_pattern($1, avahi_var_run_t)
')
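Review bot: `avahi_admin` requires and manages only `avahi_var_run_t`, so the admin role gets no access to the `avahi_var_lib_t` state that this commit labels in the avahi file contexts. If that is an oversight, add `type avahi_var_lib_t;` to the `gen_require` block, and `files_list_var_lib($1)` plus `admin_pattern($1, avahi_var_lib_t)` to the body, the same way `bluetooth_admin` handles its var_lib type. The summary could also say that the interface grants `ptrace` on `avahi_t`, since a caller reading only "administrate an avahi environment" would not expect process-debugging rights.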


@ -1,5 +1,5 @@
policy_module(avahi, 1.9.1)
policy_module(avahi, 1.9.2)
########################################
#
@ -10,6 +10,12 @@ type avahi_t;
type avahi_exec_t;
init_daemon_domain(avahi_t, avahi_exec_t)
type avahi_initrc_exec_t;
init_script_file(avahi_initrc_exec_t)
type avahi_var_lib_t;
files_pid_file(avahi_var_lib_t)
type avahi_var_run_t;
files_pid_file(avahi_var_run_t)
@ -20,13 +26,17 @@ files_pid_file(avahi_var_run_t)
allow avahi_t self:capability { dac_override setgid chown fowner kill setuid sys_chroot };
dontaudit avahi_t self:capability sys_tty_config;
allow avahi_t self:process { setrlimit signal_perms setcap };
allow avahi_t self:process { setrlimit signal_perms getcap setcap };
allow avahi_t self:fifo_file rw_fifo_file_perms;
allow avahi_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow avahi_t self:unix_dgram_socket create_socket_perms;
allow avahi_t self:tcp_socket create_stream_socket_perms;
allow avahi_t self:udp_socket create_socket_perms;
manage_dirs_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t)
manage_files_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t)
files_var_lib_filetrans(avahi_t, avahi_var_lib_t, { dir file })
manage_files_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t)
manage_sock_files_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t)
allow avahi_t avahi_var_run_t:dir setattr;
@ -73,6 +83,7 @@ init_signull_script(avahi_t)
logging_send_syslog_msg(avahi_t)
miscfiles_read_localization(avahi_t)
miscfiles_read_certs(avahi_t)
userdom_dontaudit_use_unpriv_user_fds(avahi_t)
userdom_dontaudit_search_user_home_dirs(avahi_t)
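Review bot: `avahi_var_lib_t` is declared with `files_pid_file(avahi_var_lib_t)`, which classifies the library-state type as a pid file. Any domain that is granted access to all pid files would then also reach avahi's persistent state, and attribute-based policy queries would report the type in the wrong class. Unless that is intended, declare it as a plain file type with `files_type(avahi_var_lib_t)`. The `files_var_lib_filetrans(avahi_t, avahi_var_lib_t, { dir file })` rule further down does not depend on the pid-file declaration.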


@ -3,6 +3,9 @@
#
/etc/bluetooth(/.*)? gen_context(system_u:object_r:bluetooth_conf_t,s0)
/etc/bluetooth/link_key gen_context(system_u:object_r:bluetooth_conf_rw_t,s0)
/etc/rc\.d/init\.d/bluetooth -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0)
/etc/rc\.d/init\.d/dund -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0)
/etc/rc\.d/init\.d/pand -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0)
#
# /usr
@ -21,4 +24,6 @@
# /var
#
/var/lib/bluetooth(/.*)? gen_context(system_u:object_r:bluetooth_var_lib_t,s0)
/var/run/bluetoothd_address gen_context(system_u:object_r:bluetooth_var_run_t,s0)
/var/run/sdp -s gen_context(system_u:object_r:bluetooth_var_run_t,s0)


@ -152,3 +152,56 @@ interface(`bluetooth_dontaudit_read_helper_state',`
dontaudit $1 bluetooth_helper_t:dir search;
dontaudit $1 bluetooth_helper_t:file { read getattr };
')
########################################
## <summary>
## All of the rules required to administrate
## an bluetooth environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed to manage the bluetooth domain.
## </summary>
## </param>
## <rolecap/>
#
interface(`bluetooth_admin',`
gen_require(`
type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t;
type bluetooth_spool_t, bluetooth_var_lib_t, bluetooth_var_run_t;
type bluetooth_conf_t, bluetooth_conf_rw_t;
type bluetooth_initrc_exec_t;
')
allow $1 bluetooth_t:process { ptrace signal_perms };
ps_process_pattern($1, bluetooth_t)
init_labeled_script_domtrans($1, bluetooth_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 bluetooth_initrc_exec_t system_r;
allow $2 system_r;
files_list_tmp($1)
admin_pattern($1, bluetooth_tmp_t)
files_list_var($1)
admin_pattern($1, bluetooth_lock_t)
files_list_etc($1)
admin_pattern($1, bluetooth_conf_t)
admin_pattern($1, bluetooth_conf_rw_t)
files_list_spool($1)
admin_pattern($1, bluetooth_spool_t)
files_list_var_lib($1)
admin_pattern($1, bluetooth_var_lib_t)
files_list_pids($1)
admin_pattern($1, bluetooth_var_run_t)
')
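Review bot: The doc block for `bluetooth_admin` says only "All of the rules required to administrate an bluetooth environment", but the body grants `ptrace` on `bluetooth_t` and `admin_pattern` on `bluetooth_conf_rw_t`. That is the type this commit's bluetooth file contexts assign to `/etc/bluetooth/link_key`. I would fix the article ("a bluetooth environment") and add a summary line such as `## Grants ptrace of bluetooth_t and full management of its configuration, including stored link keys.` so callers know what they hand to the role. `bluetooth_spool_t` is in the `gen_require` list but no declaration of it is visible on this page; confirm the module declares it.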


@ -1,5 +1,5 @@
policy_module(bluetooth, 3.0.0)
policy_module(bluetooth, 3.0.1)
########################################
#
@ -34,6 +34,9 @@ typealias bluetooth_helper_tmpfs_t alias { auditadm_bluetooth_helper_tmpfs_t sec
files_tmpfs_file(bluetooth_helper_tmpfs_t)
ubac_constrained(bluetooth_helper_tmpfs_t)
type bluetooth_initrc_exec_t;
init_script_file(bluetooth_initrc_exec_t)
type bluetooth_lock_t;
files_lock_file(bluetooth_lock_t)
@ -51,14 +54,14 @@ files_pid_file(bluetooth_var_run_t)
# Bluetooth services local policy
#
allow bluetooth_t self:capability { net_bind_service net_admin net_raw sys_tty_config ipc_lock };
allow bluetooth_t self:capability { dac_override net_bind_service net_admin net_raw sys_tty_config ipc_lock };
dontaudit bluetooth_t self:capability sys_tty_config;
allow bluetooth_t self:process { getsched signal_perms };
allow bluetooth_t self:fifo_file rw_fifo_file_perms;
allow bluetooth_t self:shm create_shm_perms;
allow bluetooth_t self:socket create_stream_socket_perms;
allow bluetooth_t self:unix_dgram_socket create_socket_perms;
allow bluetooth_t self:unix_stream_socket create_stream_socket_perms;
allow bluetooth_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow bluetooth_t self:tcp_socket create_stream_socket_perms;
allow bluetooth_t self:udp_socket create_socket_perms;
@ -106,6 +109,7 @@ dev_read_sysfs(bluetooth_t)
dev_rw_usbfs(bluetooth_t)
dev_rw_generic_usb_dev(bluetooth_t)
dev_read_urand(bluetooth_t)
dev_rw_input_dev(bluetooth_t)
fs_getattr_all_fs(bluetooth_t)
fs_search_auto_mountpoints(bluetooth_t)
@ -124,12 +128,13 @@ files_read_etc_files(bluetooth_t)
files_read_etc_runtime_files(bluetooth_t)
files_read_usr_files(bluetooth_t)
auth_use_nsswitch(bluetooth_t)
logging_send_syslog_msg(bluetooth_t)
miscfiles_read_localization(bluetooth_t)
miscfiles_read_fonts(bluetooth_t)
sysnet_read_config(bluetooth_t)
miscfiles_read_hwdata(bluetooth_t)
userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
userdom_dontaudit_use_user_terminals(bluetooth_t)
@ -138,6 +143,10 @@ userdom_dontaudit_search_user_home_dirs(bluetooth_t)
optional_policy(`
dbus_system_bus_client(bluetooth_t)
dbus_connect_system_bus(bluetooth_t)
optional_policy(`
cups_dbus_chat(bluetooth_t)
')
')
optional_policy(`
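Review bot: `dac_override` is added to the `bluetooth_t` capability set without a comment, and it lets the daemon bypass ordinary file permission checks on every object its type-enforcement rules already allow. A denial for this capability usually points at a file or directory with the wrong owner or mode, which is better corrected in packaging than in policy. If it is really required, record why next to the rule, for example `# dac_override: needed for <path> owned by <user>; remove once ownership is fixed`.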


@ -64,6 +64,24 @@ interface(`dcc_domtrans_client',`
domtrans_pattern($1, dcc_client_exec_t, dcc_client_t)
')
########################################
## <summary>
## Send a signal to the dcc_client.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dcc_signal_client',`
gen_require(`
type dcc_client_t;
')
allow $1 dcc_client_t:process signal;
')
########################################
## <summary>
## Execute dcc_client in the dcc_client domain, and


@ -1,5 +1,5 @@
policy_module(dcc, 1.6.1)
policy_module(dcc, 1.6.2)
########################################
#
@ -105,25 +105,20 @@ corenet_udp_sendrecv_all_ports(cdcc_t)
files_read_etc_files(cdcc_t)
files_read_etc_runtime_files(cdcc_t)
auth_use_nsswitch(cdcc_t)
logging_send_syslog_msg(cdcc_t)
miscfiles_read_localization(cdcc_t)
sysnet_read_config(cdcc_t)
sysnet_dns_name_resolve(cdcc_t)
userdom_use_user_terminals(cdcc_t)
optional_policy(`
nscd_socket_use(cdcc_t)
')
########################################
#
# dcc procmail interface local policy
#
allow dcc_client_t self:capability setuid;
allow dcc_client_t self:capability { setuid setgid };
allow dcc_client_t self:unix_dgram_socket create_socket_perms;
allow dcc_client_t self:udp_socket create_socket_perms;
@ -138,6 +133,8 @@ allow dcc_client_t dcc_var_t:dir list_dir_perms;
read_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)
read_lnk_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)
kernel_read_system_state(dcc_client_t)
corenet_all_recvfrom_unlabeled(dcc_client_t)
corenet_all_recvfrom_netlabel(dcc_client_t)
corenet_udp_sendrecv_generic_if(dcc_client_t)
@ -147,17 +144,16 @@ corenet_udp_sendrecv_all_ports(dcc_client_t)
files_read_etc_files(dcc_client_t)
files_read_etc_runtime_files(dcc_client_t)
auth_use_nsswitch(dcc_client_t)
logging_send_syslog_msg(dcc_client_t)
miscfiles_read_localization(dcc_client_t)
sysnet_read_config(dcc_client_t)
sysnet_dns_name_resolve(dcc_client_t)
userdom_use_user_terminals(dcc_client_t)
optional_policy(`
nscd_socket_use(dcc_client_t)
spamassassin_read_spamd_tmp_files(dcc_client_t)
')
########################################
@ -189,19 +185,14 @@ corenet_udp_sendrecv_all_ports(dcc_dbclean_t)
files_read_etc_files(dcc_dbclean_t)
files_read_etc_runtime_files(dcc_dbclean_t)
auth_use_nsswitch(dcc_dbclean_t)
logging_send_syslog_msg(dcc_dbclean_t)
miscfiles_read_localization(dcc_dbclean_t)
sysnet_read_config(dcc_dbclean_t)
sysnet_dns_name_resolve(dcc_dbclean_t)
userdom_use_user_terminals(dcc_dbclean_t)
optional_policy(`
nscd_socket_use(dcc_dbclean_t)
')
########################################
#
# Server daemon local policy
@ -259,20 +250,15 @@ files_read_etc_runtime_files(dccd_t)
fs_getattr_all_fs(dccd_t)
fs_search_auto_mountpoints(dccd_t)
auth_use_nsswitch(dccd_t)
logging_send_syslog_msg(dccd_t)
miscfiles_read_localization(dccd_t)
sysnet_read_config(dccd_t)
sysnet_dns_name_resolve(dccd_t)
userdom_dontaudit_use_unpriv_user_fds(dccd_t)
userdom_dontaudit_search_user_home_dirs(dccd_t)
optional_policy(`
nscd_socket_use(dccd_t)
')
optional_policy(`
seutil_sigchld_newrole(dccd_t)
')
@ -329,20 +315,15 @@ files_read_etc_runtime_files(dccifd_t)
fs_getattr_all_fs(dccifd_t)
fs_search_auto_mountpoints(dccifd_t)
auth_use_nsswitch(dccifd_t)
logging_send_syslog_msg(dccifd_t)
miscfiles_read_localization(dccifd_t)
sysnet_read_config(dccifd_t)
sysnet_dns_name_resolve(dccifd_t)
userdom_dontaudit_use_unpriv_user_fds(dccifd_t)
userdom_dontaudit_search_user_home_dirs(dccifd_t)
optional_policy(`
nscd_socket_use(dccifd_t)
')
optional_policy(`
seutil_sigchld_newrole(dccifd_t)
')
@ -398,20 +379,15 @@ files_read_etc_runtime_files(dccm_t)
fs_getattr_all_fs(dccm_t)
fs_search_auto_mountpoints(dccm_t)
auth_use_nsswitch(dccm_t)
logging_send_syslog_msg(dccm_t)
miscfiles_read_localization(dccm_t)
sysnet_read_config(dccm_t)
sysnet_dns_name_resolve(dccm_t)
userdom_dontaudit_use_unpriv_user_fds(dccm_t)
userdom_dontaudit_search_user_home_dirs(dccm_t)
optional_policy(`
nscd_socket_use(dccm_t)
')
optional_policy(`
seutil_sigchld_newrole(dccm_t)
')
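Review bot: `auth_use_nsswitch` now appears in `cdcc_t`, `dcc_client_t`, `dcc_dbclean_t`, `dccd_t`, `dccifd_t` and `dccm_t`, apparently replacing the `sysnet_read_config` / `sysnet_dns_name_resolve` / `nscd_socket_use` lines in each hunk. The page has lost its +/- markers, so this is inferred from the hunk sizes. The interface is defined outside this page, but it normally covers every configured name-service backend rather than DNS alone, so each domain would end up with more than the host lookups it had before. If only DNS resolution is needed, keeping `sysnet_dns_name_resolve(...)` is the narrower grant; otherwise a comment such as `# needs passwd/group lookups via nsswitch` on each call would document the intent.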


@ -9,6 +9,7 @@
/usr/libexec/hal-system-sonypic -- gen_context(system_u:object_r:hald_sonypic_exec_t,s0)
/usr/libexec/hald-addon-macbookpro-backlight -- gen_context(system_u:object_r:hald_mac_exec_t,s0)
/usr/libexec/hald-addon-macbook-backlight -- gen_context(system_u:object_r:hald_mac_exec_t,s0)
/usr/sbin/radeontool -- gen_context(system_u:object_r:hald_mac_exec_t,s0)
/usr/sbin/hald -- gen_context(system_u:object_r:hald_exec_t,s0)
@ -17,7 +18,7 @@
/var/lib/hal(/.*)? gen_context(system_u:object_r:hald_var_lib_t,s0)
/var/log/pm(/.*)? gen_context(system_u:object_r:hald_log_t,s0)
/var/log/pm-suspend\.log gen_context(system_u:object_r:hald_log_t,s0)
/var/log/pm-.*\.log gen_context(system_u:object_r:hald_log_t,s0)
/var/run/hald(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0)
/var/run/haldaemon\.pid -- gen_context(system_u:object_r:hald_var_run_t,s0)
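Review bot: In `/var/log/pm-.*\.log` the `.*` also matches `/`, and the entry has no file-type field. It therefore labels any object whose path starts with `/var/log/pm-` and ends in `.log`, at any depth, rather than only the power-management logs directly in `/var/log`. `/var/log/pm-[^/]*\.log -- gen_context(system_u:object_r:hald_log_t,s0)` keeps the match to regular files in that one directory.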


@ -18,6 +18,45 @@ interface(`hal_domtrans',`
domtrans_pattern($1, hald_exec_t, hald_t)
')
########################################
## <summary>
## Get the attributes of a hal process.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`hal_getattr',`
gen_require(`
type hald_t;
')
allow $1 hald_t:process getattr;
')
########################################
## <summary>
## Read hal system state
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`hal_read_state',`
gen_require(`
type hald_t;
')
allow $1 hald_t:dir list_dir_perms;
read_files_pattern($1, hald_t, hald_t)
read_lnk_files_pattern($1, hald_t, hald_t)
dontaudit $1 hald_t:process ptrace;
')
########################################
## <summary>
## Allow ptrace of hal domain
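Review bot: The parameter summary of `hal_read_state` reads "Domain to not audit.", but the interface allows directory listing and file reads on `hald_t`; it should be `## Domain allowed access.` like `hal_getattr` above it. The trailing `dontaudit $1 hald_t:process ptrace;` is not mentioned in the summary either. Because it suppresses audit records for ptrace denials against hald from every caller, it deserves a one-line comment naming the tool that triggers them. The hunk ends inside the doc block of the next interface, which is not reviewed here.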


@ -1,5 +1,5 @@
policy_module(hal, 1.10.1)
policy_module(hal, 1.10.2)
########################################
#
@ -297,6 +297,10 @@ optional_policy(`
vbetool_domtrans(hald_t)
')
optional_policy(`
virt_manage_images(hald_t)
')
########################################
#
# Hal acl local policy
@ -338,6 +342,8 @@ storage_setattr_removable_dev(hald_acl_t)
auth_use_nsswitch(hald_acl_t)
logging_send_syslog_msg(hald_acl_t)
miscfiles_read_localization(hald_acl_t)
########################################
@ -345,6 +351,8 @@ miscfiles_read_localization(hald_acl_t)
# Local hald mac policy
#
allow hald_mac_t self:capability { setgid setuid };
domtrans_pattern(hald_t, hald_mac_exec_t, hald_mac_t)
allow hald_t hald_mac_t:process signal;
allow hald_mac_t hald_t:unix_stream_socket connectto;
@ -353,6 +361,8 @@ manage_dirs_pattern(hald_mac_t, hald_var_lib_t, hald_var_lib_t)
manage_files_pattern(hald_mac_t, hald_var_lib_t, hald_var_lib_t)
files_search_var_lib(hald_mac_t)
write_files_pattern(hald_mac_t, hald_log_t, hald_log_t)
kernel_read_system_state(hald_mac_t)
dev_read_raw_memory(hald_mac_t)
@ -360,6 +370,9 @@ dev_write_raw_memory(hald_mac_t)
dev_read_sysfs(hald_mac_t)
files_read_usr_files(hald_mac_t)
files_read_etc_files(hald_mac_t)
auth_use_nsswitch(hald_mac_t)
miscfiles_read_localization(hald_mac_t)
@ -379,6 +392,8 @@ manage_dirs_pattern(hald_sonypic_t, hald_var_lib_t, hald_var_lib_t)
manage_files_pattern(hald_sonypic_t, hald_var_lib_t, hald_var_lib_t)
files_search_var_lib(hald_sonypic_t)
write_files_pattern(hald_sonypic_t, hald_log_t, hald_log_t)
files_read_usr_files(hald_sonypic_t)
miscfiles_read_localization(hald_sonypic_t)
@ -396,12 +411,10 @@ manage_dirs_pattern(hald_keymap_t, hald_var_lib_t, hald_var_lib_t)
manage_files_pattern(hald_keymap_t, hald_var_lib_t, hald_var_lib_t)
files_search_var_lib(hald_keymap_t)
write_files_pattern(hald_keymap_t, hald_log_t, hald_log_t)
dev_rw_input_dev(hald_keymap_t)
files_read_usr_files(hald_keymap_t)
miscfiles_read_localization(hald_keymap_t)
# This is caused by a bug in hald and PolicyKit.
# Should be removed when this is fixed
#cron_read_system_job_lib_files(hald_t)
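Review bot: `allow hald_mac_t self:capability { setgid setuid };` has no comment, and `hald_mac_t` is the domain that also holds `dev_read_raw_memory` and `dev_write_raw_memory` in the following hunks. Together with the file-context change that labels `/usr/sbin/radeontool` as `hald_mac_exec_t`, the domain now covers more than the MacBook backlight addons its name suggests. I would add a comment above the rule naming the helper that changes its ids, for example `# setuid/setgid: required by <helper> for <reason>`, and confirm from the denials that both capabilities are actually needed.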