From 2ce6b04e733addb4006df404d8ebe7255e1c9df6 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Thu, 19 Jan 2006 21:04:33 +0000 Subject: [PATCH] login fixes and pieces of xserver --- refpolicy/policy/modules/apps/userhelper.if | 23 +++- .../policy/modules/kernel/corecommands.fc | 2 +- refpolicy/policy/modules/kernel/devices.if | 116 +++++++++++++++--- refpolicy/policy/modules/system/userdomain.if | 74 +++++++++++ 4 files changed, 194 insertions(+), 21 deletions(-) diff --git a/refpolicy/policy/modules/apps/userhelper.if b/refpolicy/policy/modules/apps/userhelper.if index 440bf9ead..0ba786ccb 100644 --- a/refpolicy/policy/modules/apps/userhelper.if +++ b/refpolicy/policy/modules/apps/userhelper.if @@ -202,10 +202,27 @@ template(`userhelper_per_userdomain_template',` ######################################## ## -## Do not audit attempts to search userhelp configuration +## Search the userhelper configuration directory. ## ## -## The type of the process performing this action. +## Domain allowed access. +## +# +interface(`userhelper_search_config',` + gen_require(` + type userhelper_conf_t; + ') + + allow $1 userhelper_conf_t:dir search_dir_perms; +') + +######################################## +## +## Do not audit attempts to search +## the userhelper configuration directory. +## +## +## Domain to not audit. ## # interface(`userhelper_dontaudit_search_config',` @@ -213,5 +230,5 @@ interface(`userhelper_dontaudit_search_config',` type userhelper_conf_t; ') - dontaudit $1 userhelper_conf_t:dir search; + dontaudit $1 userhelper_conf_t:dir search_dir_perms; ') diff --git a/refpolicy/policy/modules/kernel/corecommands.fc b/refpolicy/policy/modules/kernel/corecommands.fc index 5fd8de31f..94c7af68d 100644 --- a/refpolicy/policy/modules/kernel/corecommands.fc +++ b/refpolicy/policy/modules/kernel/corecommands.fc @@ -140,7 +140,7 @@ ifdef(`distro_gentoo',` /usr/share/printconf/util/print\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0) -/usr/X11R6/lib/X11/xkb/xkbcomp -- gen_context(system_u:object_r:bin_t,s0) +/usr/X11R6/lib(64)?/X11/xkb/xkbcomp -- gen_context(system_u:object_r:bin_t,s0) ifdef(`distro_gentoo', ` /usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)? gen_context(system_u:object_r:bin_t,s0) diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if index 678ceff64..cbfc9d65c 100644 --- a/refpolicy/policy/modules/kernel/devices.if +++ b/refpolicy/policy/modules/kernel/devices.if @@ -670,6 +670,23 @@ interface(`dev_manage_all_chr_files',` typeattribute $1 memory_raw_read, memory_raw_write; ') +######################################## +## +## Getattr the agp devices. +## +## +## Domain allowed access. +## +# +interface(`dev_getattr_agp_dev',` + gen_require(` + type device_t, dri_device_t; + ') + + allow $1 device_t:dir r_dir_perms; + allow $1 agp_device_t:chr_file getattr; +') + ######################################## ## ## Read and write the agp devices. @@ -914,23 +931,6 @@ interface(`dev_rw_crypto',` allow $1 crypt_device_t:chr_file rw_file_perms; ') -######################################## -## -## Getattr the agp devices. -## -## -## Domain allowed access. -## -# -interface(`dev_getattr_agp_dev',` - gen_require(` - type device_t, dri_device_t; - ') - - allow $1 device_t:dir r_dir_perms; - allow $1 dri_device_t:chr_file getattr; -') - ######################################## ## ## Read and write the dri devices. @@ -964,6 +964,24 @@ interface(`dev_dontaudit_rw_dri_dev',` dontaudit $1 dri_device_t:chr_file { getattr read write ioctl }; ') +######################################## +## +## Create, read, write, and delete the dri devices. +## +## +## Domain allowed access. +## +# +interface(`dev_manage_dri_dev',` + gen_require(` + type device_t, dri_device_t; + ') + + allow $1 device_t:dir rw_dir_perms; + allow $1 dri_device_t:chr_file manage_file_perms; + type_transition $1 device_t:chr_file dri_device_t; +') + ######################################## ## ## Read input event devices (/dev/input). @@ -981,6 +999,23 @@ interface(`dev_read_input',` allow $1 event_device_t:chr_file r_file_perms; ') +######################################## +## +## Read input event devices (/dev/input). +## +## +## Domain allowed access. +## +# +interface(`dev_rw_input_dev',` + gen_require(` + type device_t, event_device_t; + ') + + allow $1 device_t:dir r_dir_perms; + allow $1 event_device_t:chr_file rw_file_perms; +') + ######################################## ## ## Get the attributes of the framebuffer device node. @@ -1082,6 +1117,23 @@ interface(`dev_write_framebuffer',` allow $1 framebuf_device_t:chr_file { getattr write ioctl }; ') +######################################## +## +## Read and write the framebuffer. +## +## +## Domain allowed access. +## +# +interface(`dev_rw_framebuffer',` + gen_require(` + type device_t, framebuf_device_t; + ') + + allow $1 device_t:dir r_dir_perms; + allow $1 framebuf_device_t:chr_file rw_file_perms; +') + ######################################## ## ## Read the lvm comtrol device. @@ -1448,6 +1500,19 @@ interface(`dev_write_mtrr',` allow $1 mtrr_device_t:chr_file { getattr write ioctl }; ') +######################################## +## +## Read and write the mtrr device. +## +## +## Domain allowed access. +## +# +interface(`dev_rw_mtrr',` + dev_read_mtrr($1) + dev_write_mtrr($1) +') + ######################################## ## ## Read and write to the null device (/dev/null). @@ -2227,6 +2292,23 @@ interface(`dev_setattr_xserver_misc_dev',` allow $1 xserver_misc_device_t:chr_file setattr; ') +######################################## +## +## Read and write X server miscellaneous devices. +## +## +## Domain allowed access. +## +# +interface(`dev_rw_xserver_misc_dev',` + gen_require(` + type device_t, xserver_misc_device_t; + ') + + allow $1 device_t:dir r_dir_perms; + allow $1 xserver_misc_device_t:chr_file rw_file_perms; +') + ######################################## ## ## Read and write to the zero device (/dev/zero). diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if index 1a6cbe476..77a415b64 100644 --- a/refpolicy/policy/modules/system/userdomain.if +++ b/refpolicy/policy/modules/system/userdomain.if @@ -2319,6 +2319,72 @@ interface(`userdom_read_all_tmp_untrusted_content',` allow $1 untrusted_content_tmp_type:{ file lnk_file } r_file_perms; ') +######################################## +## +## Set the attributes of a user domain tty. +## +## +##

+## Set the attributes of a user domain tty. +##

+##

+## This is a templated interface, and should only +## be called from a per-userdomain template. +##

+##
+## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## Domain allowed access. +## +# +template(`userdom_setattr_user_tty',` + ifdef(`targeted_policy',` + term_setattr_unallocated_ttys($2) + ',` + gen_require(` + type $1_tty_device_t; + ') + + allow $2 $1_tty_device_t:chr_file setattr; + ') +') + +######################################## +## +## Read and write a user domain tty. +## +## +##

+## Read and write a user domain tty. +##

+##

+## This is a templated interface, and should only +## be called from a per-userdomain template. +##

+##
+## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## Domain allowed access. +## +# +template(`userdom_use_user_tty',` + ifdef(`targeted_policy',` + term_use_unallocated_tty($2) + ',` + gen_require(` + type $1_tty_device_t; + ') + + allow $2 $1_tty_device_t:chr_file rw_term_perms; + ') +') + ######################################## ## ## Read and write a user domain tty and pty. @@ -2403,6 +2469,10 @@ interface(`userdom_spec_domtrans_all_users',` ') corecmd_shell_spec_domtrans($1,userdomain) + allow $1 userdomain:fd use; + allow userdomain $1:fd use; + allow userdomain $1:fifo_file rw_file_perms; + allow userdomain $1:process sigchld; ') ######################################## @@ -2421,6 +2491,10 @@ interface(`userdom_spec_domtrans_unpriv_users',` ') corecmd_shell_spec_domtrans($1,unpriv_userdomain) + allow $1 unpriv_userdomain:fd use; + allow unpriv_userdomain $1:fd use; + allow unpriv_userdomain $1:fifo_file rw_file_perms; + allow unpriv_userdomain $1:process sigchld; ') ########################################