From fdae8e755e1ca17e35cf5d801217394bbfb08456 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Fri, 2 Sep 2005 20:29:52 +0000 Subject: [PATCH] add hal --- refpolicy/Changelog | 1 + refpolicy/policy/modules/kernel/devices.if | 19 +++ refpolicy/policy/modules/services/dbus.if | 18 +++ refpolicy/policy/modules/services/hal.fc | 9 ++ refpolicy/policy/modules/services/hal.if | 1 + refpolicy/policy/modules/services/hal.te | 150 +++++++++++++++++++++ refpolicy/policy/modules/system/files.if | 20 +++ 7 files changed, 218 insertions(+) create mode 100644 refpolicy/policy/modules/services/hal.fc create mode 100644 refpolicy/policy/modules/services/hal.if create mode 100644 refpolicy/policy/modules/services/hal.te diff --git a/refpolicy/Changelog b/refpolicy/Changelog index b9f6f1981..7d7956596 100644 --- a/refpolicy/Changelog +++ b/refpolicy/Changelog @@ -4,6 +4,7 @@ comsat dbus dhcp + hal squid * Fri Aug 26 2005 Chris PeBenito - 20050826 diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if index 3fdbba4ac..2c306caf0 100644 --- a/refpolicy/policy/modules/kernel/devices.if +++ b/refpolicy/policy/modules/kernel/devices.if @@ -1440,6 +1440,25 @@ interface(`dev_setattr_printer',` allow $1 printer_device_t:chr_file setattr; ') +######################################## +## +## Read and write the printer device. +## +## +## Domain allowed access. +## +# +interface(`dev_rw_printer',` + gen_require(` + type device_t, printer_device_t; + class dir search; + class chr_file rw_file_perms; + ') + + allow $1 device_t:dir search; + allow $1 printer_device_t:chr_file rw_file_perms; +') + ######################################## ## ## Read from random devices (e.g., /dev/random) diff --git a/refpolicy/policy/modules/services/dbus.if b/refpolicy/policy/modules/services/dbus.if index 4003f020a..c4f6c5386 100644 --- a/refpolicy/policy/modules/services/dbus.if +++ b/refpolicy/policy/modules/services/dbus.if @@ -179,6 +179,24 @@ template(`dbus_system_bus_client_template',` allow $2 system_dbusd_t:unix_stream_socket connectto; ') +######################################## +## +## Connect to the the system DBUS +## for service (acquire_svc). +## +## +## Domain allowed access. +## +# +interface(`dbus_connect_system_bus',` + gen_require(` + type system_dbusd_t; + class dbus acquire_svc; + ') + + allow $1 system_dbusd_t:dbus acquire_svc; +') + ######################################## ## ## Send a message on the system DBUS. diff --git a/refpolicy/policy/modules/services/hal.fc b/refpolicy/policy/modules/services/hal.fc new file mode 100644 index 000000000..554007643 --- /dev/null +++ b/refpolicy/policy/modules/services/hal.fc @@ -0,0 +1,9 @@ + +/etc/hal/device\.d/printer_remove\.hal -- context_template(system_u:object_r:hald_exec_t,s0) +/etc/hal/capability\.d/printer_update\.hal -- context_template(system_u:object_r:hald_exec_t,s0) + +/usr/libexec/hal-hotplug-map -- context_template(system_u:object_r:hald_exec_t,s0) + +/usr/sbin/hald -- context_template(system_u:object_r:hald_exec_t,s0) + +/usr/share/hal/device-manager/hal-device-manager -- context_template(system_u:object_r:bin_t,s0) diff --git a/refpolicy/policy/modules/services/hal.if b/refpolicy/policy/modules/services/hal.if new file mode 100644 index 000000000..f363b35b9 --- /dev/null +++ b/refpolicy/policy/modules/services/hal.if @@ -0,0 +1 @@ +## Hardware abstraction layer diff --git a/refpolicy/policy/modules/services/hal.te b/refpolicy/policy/modules/services/hal.te new file mode 100644 index 000000000..9b2e9eb4e --- /dev/null +++ b/refpolicy/policy/modules/services/hal.te @@ -0,0 +1,150 @@ + +policy_module(hal,1.0) + +######################################## +# +# Declarations +# + +type hald_t; +type hald_exec_t; +init_daemon_domain(hald_t,hald_exec_t) + +type hald_tmp_t; +files_tmp_file(hald_tmp_t) + +type hald_var_run_t; +files_pid_file(hald_var_run_t) + +allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod }; +dontaudit hald_t self:capability sys_tty_config; +allow hald_t self:fifo_file rw_file_perms; +allow hald_t self:unix_stream_socket create_stream_socket_perms; +allow hald_t self:unix_dgram_socket create_socket_perms; +allow hald_t self:netlink_route_socket r_netlink_socket_perms; +allow hald_t self:tcp_socket create_stream_socket_perms; + +allow hald_t hald_tmp_t:dir create_dir_perms; +allow hald_t hald_tmp_t:file create_file_perms; +files_create_tmp_files(hald_t, hald_tmp_t, { file dir }) + +allow hald_t hald_var_run_t:file create_file_perms; +files_create_pid(hald_t,hald_var_run_t) + +kernel_read_system_state(hald_t) +kernel_read_network_state(hald_t) +kernel_read_kernel_sysctl(hald_t) + +corenet_tcp_sendrecv_all_if(hald_t) +corenet_raw_sendrecv_all_if(hald_t) +corenet_tcp_sendrecv_all_nodes(hald_t) +corenet_raw_sendrecv_all_nodes(hald_t) +corenet_tcp_sendrecv_all_ports(hald_t) +corenet_tcp_bind_all_nodes(hald_t) + +dev_read_sysfs(hald_t) +dev_read_usbfs(hald_t) +dev_read_urand(hald_t) +dev_read_input(hald_t) +dev_rw_printer(hald_t) +dev_manage_generic_chr_file(hald_t) + +fs_getattr_all_fs(hald_t) +fs_search_auto_mountpoints(hald_t) + +storage_raw_read_removable_device(hald_t) +storage_raw_read_fixed_disk(hald_t) +storage_raw_write_fixed_disk(hald_t) + +term_dontaudit_use_console(hald_t) + +corecmd_exec_bin(hald_t) +corecmd_exec_sbin(hald_t) + +domain_use_wide_inherit_fd(hald_t) +domain_exec_all_entry_files(hald_t) + +files_exec_etc_files(hald_t) +files_read_etc_files(hald_t) +files_rw_etc_runtime_files(hald_t) +files_search_mnt(hald_t) +files_search_var_lib(hald_t) +files_read_usr_files(hald_t) + +init_use_fd(hald_t) +init_use_script_pty(hald_t) + +libs_use_ld_so(hald_t) +libs_use_shared_libs(hald_t) +libs_exec_ld_so(hald_t) +libs_exec_lib_files(hald_t) + +logging_send_syslog_msg(hald_t) + +miscfiles_read_localization(hald_t) + +seutil_read_config(hald_t) +seutil_read_default_contexts(hald_t) + +sysnet_read_config(hald_t) + +userdom_dontaudit_use_unpriv_user_fd(hald_t) +userdom_dontaudit_search_sysadm_home_dir(hald_t) + +ifdef(`targeted_policy', ` + term_dontaudit_use_unallocated_tty(hald_t) + term_dontaudit_use_generic_pty(hald_t) + files_dontaudit_read_root_file(hald_t) +') + +optional_policy(`dbus.te',` + allow hald_t self:dbus send_msg; + dbus_system_bus_client_template(hald,hald_t) + dbus_send_system_bus_msg(hald_t) + dbus_connect_system_bus(hald_t) +') + +optional_policy(`hotplug.te',` + hotplug_read_config(hald_t) +') + +optional_policy(`nis.te',` + nis_use_ypbind(hald_t) +') + +optional_policy(`nscd.te',` + nscd_use_socket(hald_t) +') + +optional_policy(`selinuxutil.te',` + seutil_sigchld_newrole(hald_t) +') + +optional_policy(`udev.te', ` + udev_domtrans(hald_t) + udev_read_db(hald_t) +') + +optional_policy(`updfstab.te',` + updfstab_domtrans(hald_t) +') + +ifdef(`TODO',` +optional_policy(`rhgb.te',` + rhgb_domain(hald_t) +') + +allow hald_t device_t:dir create_dir_perms; + +optional_policy(`updfstab.te',` +allow updfstab_t hald_t:dbus send_msg; +allow hald_t updfstab_t:dbus send_msg; +') + +optional_policy(`hald.te',` +allow udev_t hald_t:unix_dgram_socket sendto; +') + +allow hald_t initrc_t:dbus send_msg; +allow initrc_t hald_t:dbus send_msg; +') dnl end TODO diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if index bf0e5b4c8..e328537bc 100644 --- a/refpolicy/policy/modules/system/files.if +++ b/refpolicy/policy/modules/system/files.if @@ -955,6 +955,26 @@ interface(`files_dontaudit_read_etc_runtime_files',` dontaudit $1 etc_runtime_t:file { getattr read }; ') +######################################## +## +## Read and write files in /etc that are dynamically +## created on boot, such as mtab. +## +## +## Domain allowed access. +## +# +interface(`files_rw_etc_runtime_files',` + gen_require(` + type etc_t, etc_runtime_t; + class dir r_dir_perms; + class file rw_file_perms; + ') + + allow $1 etc_t:dir r_dir_perms; + allow $1 etc_runtime_t:file rw_file_perms; +') + ######################################## ## ## Create, read, write, and delete files in