From a00fc1c317884096ce129ac703e5cd8c23d1e895 Mon Sep 17 00:00:00 2001
From: Dominick Grift
Date: Wed, 23 Jun 2010 12:00:27 +0200
Subject: [PATCH] hddtemp fixes.
Clean up network control section. Implement hddtemp_etc_t for /etc/sysconfig/hddtemp. The advantages are:
- hddtemp_t no longer needs access to read all generic etc_t files.
- allows us to implement a meaningful hddtemp_admin()
Signed-off-by: Dominick Grift
Signed-off-by: Chris PeBenito
---
 policy/modules/services/hddtemp.fc | 4 ++-
 policy/modules/services/hddtemp.if | 50 +++++++++++++++++++++++++++---
 policy/modules/services/hddtemp.te | 18 +++++++++--
 3 files changed, 63 insertions(+), 9 deletions(-)
diff --git a/policy/modules/services/hddtemp.fc b/policy/modules/services/hddtemp.fc
index 67ea7b63d..d81eb3704 100644
--- a/policy/modules/services/hddtemp.fc
+++ b/policy/modules/services/hddtemp.fc
@@ -1,3 +1,5 @@
 /etc/rc\.d/init\.d/hddtemp -- gen_context(system_u:object_r:hddtemp_initrc_exec_t,s0)
-/usr/sbin/hddtemp -- gen_context(system_u:object_r:hddtemp_exec_t,s0)
+/etc/sysconfig/hddtemp -- gen_context(system_u:object_r:hddtemp_etc_t,s0)
+
+/usr/sbin/hddtemp -- gen_context(system_u:object_r:hddtemp_exec_t,s0)
diff --git a/policy/modules/services/hddtemp.if b/policy/modules/services/hddtemp.if
index af2513445..fde2c3d6f 100644
--- a/policy/modules/services/hddtemp.if
+++ b/policy/modules/services/hddtemp.if
@@ -1,12 +1,13 @@
-## hddtemp hard disk temperature tool running as a daemon
+## hddtemp hard disk temperature tool running as a daemon.
 #######################################
 ##
-## Execute hddtemp in the hddtemp domain.
+## Execute a domain transition to run
+## hddtemp.
 ##
 ##
 ##
-## Domain allowed access.
+## Domain allowed to transition.
 ##
 ##
 #
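Review bot: The `/etc/sysconfig/hddtemp -- gen_context(system_u:object_r:hddtemp_etc_t,s0)` entry takes the file out of generic etc_t, so every domain that previously read it through etc_t must now be granted hddtemp_etc_t explicitly; within this patch only hddtemp_t gets that (`allow hddtemp_t hddtemp_etc_t:file read_file_perms;` in hddtemp.te). A sysconfig file of this kind is normally sourced by the init script rather than by the daemon, so whether the initrc domain can read `files_config_file` types is what decides if the service still starts after a relabel — that lives in init policy outside this patch and is worth confirming with a relabel plus a start/stop. The path is also Fedora-specific; a distribution using `/etc/default/hddtemp` would keep that file as etc_t and get none of the narrowing.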
@@ -15,13 +16,13 @@ interface(`hddtemp_domtrans',`
 type hddtemp_t, hddtemp_exec_t;
 ')
- corecmd_search_bin($1)
 domtrans_pattern($1, hddtemp_exec_t, hddtemp_t)
+ corecmd_search_bin($1)
 ')
 ######################################
 ##
-## Execute hddtemp
+## Execute hddtemp.
 ##
 ##
 ##
@@ -35,4 +36,43 @@ interface(`hddtemp_exec',`
 ')
 can_exec($1, hddtemp_exec_t)
+ corecmd_search_bin($1)
+')
+
+########################################
+##
+## All of the rules required to
+## administrate an hddtemp environment.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`hddtemp_admin',`
+ gen_require(`
+ type hddtemp_t, hddtemp_etc_t, hddtemp_initrc_exec_t;
+ ')
+
+ allow $1 hddtemp_t:process { ptrace signal_perms };
+ ps_process_pattern($1, hddtemp_t)
+
+ init_labeled_script_domtrans($1, hddtemp_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 hddtemp_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ admin_pattern($1, hddtemp_etc_t)
+ files_search_etc($1)
+
+ allow $1 hddtemp_t:dir list_dir_perms;
+ read_lnk_files_pattern($1, hddtemp_t, hddtemp_t)
+ kernel_search_proc($1)
 ')
diff --git a/policy/modules/services/hddtemp.te b/policy/modules/services/hddtemp.te
index 49c095cca..d67a8a7e9 100644
--- a/policy/modules/services/hddtemp.te
+++ b/policy/modules/services/hddtemp.te
@@ -12,6 +12,9 @@ init_daemon_domain(hddtemp_t, hddtemp_exec_t)
 type hddtemp_initrc_exec_t;
 init_script_file(hddtemp_initrc_exec_t)
+type hddtemp_etc_t;
+files_config_file(hddtemp_etc_t)
+
 ########################################
 #
 # hddtemp local policy
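Review bot: In hddtemp_admin the rule `allow $1 hddtemp_t:process { ptrace signal_perms };` grants more than service administration needs: signal_perms together with ps_process_pattern already covers stopping, restarting and inspecting the daemon, whereas ptrace lets the admin domain take control of a running hddtemp_t and thereby act with that domain's privileges, which include raw fixed-disk reads (`storage_raw_read_fixed_disk(hddtemp_t)` in hddtemp.te). If ptrace is kept for debugging, a why-comment above the line should say so, e.g. `# ptrace is for debugging only; it effectively extends hddtemp_t's raw-disk read to the admin domain`, or the ptrace grant should be split from signal_perms so it can be dropped without touching the rest of the interface. The remaining rules (init_labeled_script_domtrans, role_transition to system_r, admin_pattern on hddtemp_etc_t, /proc listing) are the standard admin-interface shape and look right.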
@@ -23,10 +26,19 @@ allow hddtemp_t self:netlink_route_socket r_netlink_socket_perms;
 allow hddtemp_t self:tcp_socket create_stream_socket_perms;
 allow hddtemp_t self:udp_socket create_socket_perms;
-corenet_tcp_bind_all_nodes(hddtemp_t)
-corenet_tcp_bind_hddtemp_port(hddtemp_t)
+allow hddtemp_t hddtemp_etc_t:file read_file_perms;
-# read hddtemp db file
+corenet_all_recvfrom_unlabeled(hddtemp_t)
+corenet_all_recvfrom_netlabel(hddtemp_t)
+corenet_tcp_sendrecv_generic_if(hddtemp_t)
+corenet_tcp_sendrecv_generic_node(hddtemp_t)
+corenet_tcp_bind_generic_node(hddtemp_t)
+corenet_tcp_sendrecv_all_ports(hddtemp_t)
+corenet_tcp_bind_hddtemp_port(hddtemp_t)
+corenet_sendrecv_hddtemp_server_packets(hddtemp_t)
+corenet_tcp_sendrecv_hddtemp_port(hddtemp_t)
+
+files_search_etc(hddtemp_t)
 files_read_usr_files(hddtemp_t)
 storage_raw_read_fixed_disk(hddtemp_t)
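Review bot: Nothing in this hunk or elsewhere in the patch removes a generic etc_t read from hddtemp_t, so the first advantage claimed in the commit message is not realised here: the new file rules are `allow hddtemp_t hddtemp_etc_t:file read_file_perms;` and `files_search_etc(hddtemp_t)`, and the diffstat's nine deletions are all visible (one in hddtemp.fc, five in hddtemp.if, the three `-` lines of this hunk), none of them a `files_read_etc_files`. Either hddtemp_t never had generic etc read and the message overstates the change, or that removal is still owed in a follow-up. Separately, `corenet_tcp_sendrecv_hddtemp_port(hddtemp_t)` appears redundant with `corenet_tcp_sendrecv_all_ports(hddtemp_t)` three lines above, which presumably already covers hddtemp_port_t; keeping both hides whether the all-ports grant is deliberately there for clients' ephemeral peer ports or could be narrowed to the single port the daemon binds.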