podsleuth patch from dan.

2009-07-21 10:11:16 -04:00 · 2009-07-21 10:11:16 -04:00 · 5bb5ec1d40
commit 5bb5ec1d40
parent 13306f56b6
3 changed files with 83 additions and 7 deletions
--- a/policy/modules/apps/podsleuth.fc
+++ b/policy/modules/apps/podsleuth.fc
@ -1,2 +1,3 @@
-
 /usr/bin/podsleuth	--	gen_context(system_u:object_r:podsleuth_exec_t,s0)
+/usr/libexec/hal-podsleuth --	gen_context(system_u:object_r:podsleuth_exec_t,s0)
+/var/cache/podsleuth(/.*)?	gen_context(system_u:object_r:podsleuth_cache_t,s0)
--- a/policy/modules/apps/podsleuth.if
+++ b/policy/modules/apps/podsleuth.if
@ -16,4 +16,30 @@ interface(`podsleuth_domtrans',`
 	')

 	domtrans_pattern($1, podsleuth_exec_t, podsleuth_t)
+	allow $1 podsleuth_t:process signal;
+')
+
+########################################
+## <summary>
+##	Execute podsleuth in the podsleuth domain, and
+##	allow the specified role the podsleuth domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the podsleuth domain.
+##	</summary>
+## </param>
+#
+interface(`podsleuth_run',`
+	gen_require(`
+		type podsleuth_t;
+	')
+
+	podsleuth_domtrans($1)
+	role $2 types podsleuth_t;
 ')
--- a/policy/modules/apps/podsleuth.te
+++ b/policy/modules/apps/podsleuth.te
@ -1,5 +1,5 @@

-policy_module(podsleuth, 1.1.0)
+policy_module(podsleuth, 1.1.1)

 ########################################
 #
@ -11,25 +11,74 @@ type podsleuth_exec_t;
 application_domain(podsleuth_t, podsleuth_exec_t)
 role system_r types podsleuth_t;

+type podsleuth_cache_t;
+files_type(podsleuth_cache_t)
+ubac_constrained(podsleuth_cache_t)
+
+type podsleuth_tmp_t;
+files_tmp_file(podsleuth_tmp_t)
+ubac_constrained(podsleuth_tmp_t)
+
+type podsleuth_tmpfs_t;
+files_tmpfs_file(podsleuth_tmpfs_t)
+ubac_constrained(podsleuth_tmpfs_t)
+
 ########################################
 #
 # podsleuth local policy
 #
-
-allow podsleuth_t self:process { signal getsched execheap execmem };
+allow podsleuth_t self:capability { kill dac_override sys_admin sys_rawio };
+allow podsleuth_t self:process { ptrace signal getsched execheap execmem execstack };
 allow podsleuth_t self:fifo_file rw_file_perms;
 allow podsleuth_t self:unix_stream_socket create_stream_socket_perms;
+allow podsleuth_t self:sem create_sem_perms;
+allow podsleuth_t self:tcp_socket create_stream_socket_perms;
+allow podsleuth_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(podsleuth_t, podsleuth_cache_t, podsleuth_cache_t)
+manage_files_pattern(podsleuth_t, podsleuth_cache_t, podsleuth_cache_t)
+files_var_filetrans(podsleuth_t, podsleuth_cache_t, { file dir })
+
+allow podsleuth_t podsleuth_tmp_t:dir mounton;
+manage_dirs_pattern(podsleuth_t, podsleuth_tmp_t, podsleuth_tmp_t)
+manage_files_pattern(podsleuth_t, podsleuth_tmp_t, podsleuth_tmp_t)
+files_tmp_filetrans(podsleuth_t, podsleuth_tmp_t, { file dir })
+
+manage_dirs_pattern(podsleuth_t, podsleuth_tmpfs_t, podsleuth_tmpfs_t)
+manage_files_pattern(podsleuth_t, podsleuth_tmpfs_t, podsleuth_tmpfs_t)
+manage_lnk_files_pattern(podsleuth_t, podsleuth_tmpfs_t, podsleuth_tmpfs_t)
+fs_tmpfs_filetrans(podsleuth_t, podsleuth_tmpfs_t, { dir file lnk_file })

 kernel_read_system_state(podsleuth_t)

+corecmd_exec_bin(podsleuth_t)
+
+corenet_tcp_connect_http_port(podsleuth_t)
+
 dev_read_urand(podsleuth_t)

 files_read_etc_files(podsleuth_t)

+fs_mount_dos_fs(podsleuth_t)
+fs_unmount_dos_fs(podsleuth_t)
+fs_getattr_dos_fs(podsleuth_t)
+fs_read_dos_files(podsleuth_t)
+fs_search_dos(podsleuth_t)
+fs_getattr_tmpfs(podsleuth_t)
+fs_list_tmpfs(podsleuth_t)
+
 miscfiles_read_localization(podsleuth_t)

-dbus_system_bus_client(podsleuth_t)
+sysnet_dns_name_resolve(podsleuth_t)

-mono_exec(podsleuth_t)
+optional_policy(`
+	dbus_system_bus_client(podsleuth_t)

-hal_dbus_chat(podsleuth_t)
+	optional_policy(`
+		hal_dbus_chat(podsleuth_t)
+	')
+')
+
+optional_policy(`
+	mono_exec(podsleuth_t)
+')