From: "Sven Vermeulen"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen"
Message-ID: <1348854100.9f11ca3f1aec7fb3723a2a1a3bc7bf58ffd69877.SwifT@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/contrib/devicekit.fc policy/modules/contrib/devicekit.if policy/modules/contrib/devicekit.te policy/modules/contrib/hal.fc policy/modules/contrib/hal.if policy/modules/contrib/hal.te policy/modules/contrib/readahead.if policy/modules/contrib/readahead.te
X-VCS-Directories: policy/modules/contrib/
X-VCS-Committer: SwifT
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: 9f11ca3f1aec7fb3723a2a1a3bc7bf58ffd69877
X-VCS-Branch: master
Date: Fri, 28 Sep 2012 17:50:36 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: d2674e5f-b806-46de-a064-493a1484fff3
X-Archives-Hash: dcddfcbf8d06a36dd6dd01de971b9e1c

commit:     9f11ca3f1aec7fb3723a2a1a3bc7bf58ffd69877
Author:     Dominick Grift gmail com>
AuthorDate: Fri Sep 28 09:28:10 2012 +0000
Commit:     Sven Vermeulen siphos be>
CommitDate: Fri Sep 28 17:41:40 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=9f11ca3f

Changes to the devicekit policy module and relevant dependencies

Ported from Fedora with changes
Signed-off-by: Dominick Grift gmail.com> --- policy/modules/contrib/devicekit.fc | 32 ++++++---- policy/modules/contrib/devicekit.if | 41 ++++++------- policy/modules/contrib/devicekit.te | 109 +++++++++++++++++++++++++++-------- policy/modules/contrib/hal.fc | 2 - policy/modules/contrib/hal.if | 1 - policy/modules/contrib/hal.te | 2 +- policy/modules/contrib/readahead.if | 22 +++++++- policy/modules/contrib/readahead.te | 2 +- 8 files changed, 144 insertions(+), 67 deletions(-) diff --git a/policy/modules/contrib/devicekit.fc b/policy/modules/contrib/devicekit.fc index 9af85c8..ae49c9d 100644 --- a/policy/modules/contrib/devicekit.fc +++ b/policy/modules/contrib/devicekit.fc 
@@ -1,20 +1,26 @@ +/lib/udev/udisks-part-id -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) +/lib/udisks2/udisksd -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) + +/usr/lib/udev/udisks-part-id -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) +/usr/lib/udisks2/udisksd -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) /usr/lib/udisks/udisks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) +/usr/lib/upower/upowerd -- gen_context(system_u:object_r:devicekit_power_exec_t,s0) /usr/libexec/devkit-daemon -- gen_context(system_u:object_r:devicekit_exec_t,s0) -/usr/libexec/devkit-disks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) -/usr/libexec/devkit-power-daemon -- gen_context(system_u:object_r:devicekit_power_exec_t,s0) +/usr/libexec/devkit-disks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) +/usr/libexec/devkit-power-daemon -- gen_context(system_u:object_r:devicekit_power_exec_t,s0) /usr/libexec/udisks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) -/usr/libexec/upowerd -- gen_context(system_u:object_r:devicekit_power_exec_t,s0) +/usr/libexec/upowerd -- gen_context(system_u:object_r:devicekit_power_exec_t,s0) -ifdef(`distro_debian',` -/usr/lib/upower/upowerd -- gen_context(system_u:object_r:devicekit_power_exec_t,s0) -') +/var/lib/DeviceKit-.* gen_context(system_u:object_r:devicekit_var_lib_t,s0) +/var/lib/upower(/.*)? gen_context(system_u:object_r:devicekit_var_lib_t,s0) +/var/lib/udisks.* gen_context(system_u:object_r:devicekit_var_lib_t,s0) -/var/lib/DeviceKit-.* gen_context(system_u:object_r:devicekit_var_lib_t,s0) -/var/lib/upower(/.*)? gen_context(system_u:object_r:devicekit_var_lib_t,s0) -/var/lib/udisks(/.*)? 
gen_context(system_u:object_r:devicekit_var_lib_t,s0) +/var/log/pm-powersave\.log.* -- gen_context(system_u:object_r:devicekit_var_log_t,s0) +/var/log/pm-suspend\.log.* -- gen_context(system_u:object_r:devicekit_var_log_t,s0) -/var/run/devkit(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) -/var/run/DeviceKit-disks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) -/var/run/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) -/var/run/upower(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) +/var/run/devkit(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) +/var/run/DeviceKit-disks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) +/var/run/pm-utils(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) +/var/run/udisks.* gen_context(system_u:object_r:devicekit_var_run_t,s0) +/var/run/upower(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) diff --git a/policy/modules/contrib/devicekit.if b/policy/modules/contrib/devicekit.if index aac2e84..d294865 100644 --- a/policy/modules/contrib/devicekit.if +++ b/policy/modules/contrib/devicekit.if @@ -1,4 +1,4 @@ -## Devicekit modular hardware abstraction layer +## Devicekit modular hardware abstraction layer. ######################################## ## @@ -15,6 +15,7 @@ interface(`devicekit_domtrans',` type devicekit_t, devicekit_exec_t; ') + corecmd_search_bin($1) domtrans_pattern($1, devicekit_exec_t, devicekit_t) ') @@ -31,10 +32,11 @@ interface(`devicekit_domtrans',` # interface(`devicekit_dgram_send',` gen_require(` - type devicekit_t; + type devicekit_t, devicekit_var_run_t; ') - allow $1 devicekit_t:unix_dgram_socket sendto; + files_search_pids($1) + dgram_send_pattern($1, devicekit_var_run_t, devicekit_var_run_t, devicekit_t) ') ######################################## 
@@ -81,7 +83,7 @@ interface(`devicekit_dbus_chat_disk',` ######################################## ## -## Send signal devicekit power +## Send generic signals to devicekit power. ## ## ## @@ -198,8 +200,8 @@ interface(`devicekit_manage_pid_files',` ######################################## ## -## All of the rules required to administrate -## an devicekit environment +## All of the rules required to +## administrate an devicekit environment. ## ## ## @@ -208,12 +210,7 @@ interface(`devicekit_manage_pid_files',` ## ## ## -## The role to be allowed to manage the devicekit domain. -## -## -## -## -## The type of the user terminal. +## Role allowed access. ## ## ## @@ -222,23 +219,21 @@ interface(`devicekit_admin',` gen_require(` type devicekit_t, devicekit_disk_t, devicekit_power_t; type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t; + type devicekit_var_log_t; ') - allow $1 devicekit_t:process { ptrace signal_perms getattr }; - ps_process_pattern($1, devicekit_t) - - allow $1 devicekit_disk_t:process { ptrace signal_perms getattr }; - ps_process_pattern($1, devicekit_disk_t) - - allow $1 devicekit_power_t:process { ptrace signal_perms getattr }; - ps_process_pattern($1, devicekit_power_t) + allow $1 { devicekit_t devicekit_disk_t devicekit_power_t }:process { ptrace signal_perms }; + ps_process_pattern($1, { devicekit_t devicekit_disk_t devicekit_power_t }) - admin_pattern($1, devicekit_tmp_t) files_search_tmp($1) + admin_pattern($1, devicekit_tmp_t) - admin_pattern($1, devicekit_var_lib_t) files_search_var_lib($1) + admin_pattern($1, devicekit_var_lib_t) + + logging_search_logs($1) + admin_pattern($1, devicekit_var_log_t) - admin_pattern($1, devicekit_var_run_t) files_search_pids($1) + admin_pattern($1, devicekit_var_run_t) ') diff --git a/policy/modules/contrib/devicekit.te b/policy/modules/contrib/devicekit.te index 1819518..ff933af 100644 --- a/policy/modules/contrib/devicekit.te +++ b/policy/modules/contrib/devicekit.te 
@@ -1,4 +1,4 @@ -policy_module(devicekit, 1.2.0) +policy_module(devicekit, 1.2.1) ######################################## # @@ -26,16 +26,19 @@ files_pid_file(devicekit_var_run_t) type devicekit_var_lib_t; files_type(devicekit_var_lib_t) +type devicekit_var_log_t; +logging_log_file(devicekit_var_log_t) + ######################################## # -# DeviceKit local policy +# Local policy # allow devicekit_t self:unix_dgram_socket create_socket_perms; manage_dirs_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t) manage_files_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t) -files_pid_filetrans(devicekit_t, devicekit_var_run_t, { file dir }) +files_pid_filetrans(devicekit_t, devicekit_var_run_t, { dir file }) kernel_read_system_state(devicekit_t) @@ -49,8 +52,7 @@ miscfiles_read_localization(devicekit_t) optional_policy(` dbus_system_bus_client(devicekit_t) - allow devicekit_t devicekit_disk_t:dbus send_msg; - allow devicekit_t devicekit_power_t:dbus send_msg; + allow devicekit_t { devicekit_disk_t devicekit_power_t }:dbus send_msg; ') optional_policy(` @@ -59,7 +61,7 @@ optional_policy(` ######################################## # -# DeviceKit disk local policy +# Disk local policy # allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_ptrace sys_rawio }; 
@@ -69,17 +71,20 @@ allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms; manage_dirs_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t) manage_files_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t) -files_tmp_filetrans(devicekit_disk_t, devicekit_tmp_t, { file dir }) +files_tmp_filetrans(devicekit_disk_t, devicekit_tmp_t, { dir file }) manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t) manage_files_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t) files_var_lib_filetrans(devicekit_disk_t, devicekit_var_lib_t, dir) +allow devicekit_disk_t devicekit_var_run_t:dir mounton; manage_dirs_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t) manage_files_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t) -files_pid_filetrans(devicekit_disk_t, devicekit_var_run_t, { file dir }) +files_pid_filetrans(devicekit_disk_t, devicekit_var_run_t, { dir file }) kernel_getattr_message_if(devicekit_disk_t) +kernel_list_unlabeled(devicekit_disk_t) +kernel_dontaudit_getattr_unlabeled_files(devicekit_disk_t) kernel_read_fs_sysctls(devicekit_disk_t) kernel_read_network_state(devicekit_disk_t) kernel_read_software_raid_state(devicekit_disk_t) @@ -91,12 +96,12 @@ corecmd_exec_bin(devicekit_disk_t) corecmd_exec_shell(devicekit_disk_t) corecmd_getattr_all_executables(devicekit_disk_t) -dev_rw_sysfs(devicekit_disk_t) -dev_read_urand(devicekit_disk_t) -dev_getattr_usbfs_dirs(devicekit_disk_t) -dev_manage_generic_files(devicekit_disk_t) dev_getattr_all_chr_files(devicekit_disk_t) dev_getattr_mtrr_dev(devicekit_disk_t) +dev_getattr_usbfs_dirs(devicekit_disk_t) +dev_manage_generic_files(devicekit_disk_t) +dev_read_urand(devicekit_disk_t) +dev_rw_sysfs(devicekit_disk_t) domain_getattr_all_pipes(devicekit_disk_t) domain_getattr_all_sockets(devicekit_disk_t) 
@@ -105,14 +110,16 @@ domain_read_all_domains_state(devicekit_disk_t) files_dontaudit_read_all_symlinks(devicekit_disk_t) files_getattr_all_sockets(devicekit_disk_t) -files_getattr_all_mountpoints(devicekit_disk_t) +files_getattr_all_dirs(devicekit_disk_t) files_getattr_all_files(devicekit_disk_t) +files_getattr_all_pipes(devicekit_disk_t) +files_manage_boot_dirs(devicekit_disk_t) files_manage_isid_type_dirs(devicekit_disk_t) files_manage_mnt_dirs(devicekit_disk_t) -files_read_etc_files(devicekit_disk_t) files_read_etc_runtime_files(devicekit_disk_t) files_read_usr_files(devicekit_disk_t) +fs_getattr_all_fs(devicekit_disk_t) fs_list_inotifyfs(devicekit_disk_t) fs_manage_fusefs_dirs(devicekit_disk_t) fs_mount_all_fs(devicekit_disk_t) @@ -144,6 +151,10 @@ optional_policy(` optional_policy(` consolekit_dbus_chat(devicekit_disk_t) ') + + optional_policy(` + policykit_dbus_chat(devicekit_disk_t) + ') ') optional_policy(` @@ -159,7 +170,6 @@ optional_policy(` ') optional_policy(` - policykit_dbus_chat(devicekit_disk_t) policykit_domtrans_auth(devicekit_disk_t) policykit_read_lib(devicekit_disk_t) policykit_read_reload(devicekit_disk_t) 
@@ -180,43 +190,62 @@ optional_policy(` ######################################## # -# DeviceKit-Power local policy +# Power local policy # allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice sys_ptrace }; -allow devicekit_power_t self:process getsched; +allow devicekit_power_t self:process { getsched signal_perms }; allow devicekit_power_t self:fifo_file rw_fifo_file_perms; allow devicekit_power_t self:unix_dgram_socket create_socket_perms; allow devicekit_power_t self:netlink_kobject_uevent_socket create_socket_perms; +manage_dirs_pattern(devicekit_power_t, devicekit_tmp_t, devicekit_tmp_t) +manage_files_pattern(devicekit_power_t, devicekit_tmp_t, devicekit_tmp_t) +files_tmp_filetrans(devicekit_power_t, devicekit_tmp_t, { file dir }) + manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir) +allow devicekit_power_t devicekit_var_log_t:file append_file_perms; +allow devicekit_power_t devicekit_var_log_t:file create_file_perms; +allow devicekit_power_t devicekit_var_log_t:file setattr_file_perms; +logging_log_filetrans(devicekit_power_t, devicekit_var_log_t, file) + +manage_dirs_pattern(devicekit_power_t, devicekit_var_run_t, devicekit_var_run_t) +manage_files_pattern(devicekit_power_t, devicekit_var_run_t, devicekit_var_run_t) +files_pid_filetrans(devicekit_power_t, devicekit_var_run_t, { dir file }) + +kernel_read_fs_sysctls(devicekit_power_t) kernel_read_network_state(devicekit_power_t) kernel_read_system_state(devicekit_power_t) kernel_rw_hotplug_sysctls(devicekit_power_t) kernel_rw_kernel_sysctl(devicekit_power_t) +kernel_rw_vm_sysctls(devicekit_power_t) kernel_search_debugfs(devicekit_power_t) kernel_write_proc_files(devicekit_power_t) +kernel_setsched(devicekit_power_t) corecmd_exec_bin(devicekit_power_t) 
corecmd_exec_shell(devicekit_power_t) -consoletype_exec(devicekit_power_t) - -domain_read_all_domains_state(devicekit_power_t) - dev_read_input(devicekit_power_t) +dev_read_urand(devicekit_power_t) dev_rw_generic_usb_dev(devicekit_power_t) dev_rw_generic_chr_files(devicekit_power_t) dev_rw_netcontrol(devicekit_power_t) dev_rw_sysfs(devicekit_power_t) +dev_read_rand(devicekit_power_t) +dev_getattr_all_chr_files(devicekit_power_t) + +domain_read_all_domains_state(devicekit_power_t) files_read_kernel_img(devicekit_power_t) -files_read_etc_files(devicekit_power_t) +files_read_etc_runtime_files(devicekit_power_t) files_read_usr_files(devicekit_power_t) +files_dontaudit_list_mnt(devicekit_power_t) +fs_getattr_all_fs(devicekit_power_t) fs_list_inotifyfs(devicekit_power_t) term_use_all_terms(devicekit_power_t) @@ -225,8 +254,8 @@ auth_use_nsswitch(devicekit_power_t) miscfiles_read_localization(devicekit_power_t) -sysnet_read_config(devicekit_power_t) sysnet_domtrans_ifconfig(devicekit_power_t) +sysnet_domtrans_dhcpc(devicekit_power_t) userdom_read_all_users_state(devicekit_power_t) @@ -235,6 +264,10 @@ optional_policy(` ') optional_policy(` + consoletype_exec(devicekit_power_t) +') + +optional_policy(` cron_initrc_domtrans(devicekit_power_t) ') @@ -248,10 +281,18 @@ optional_policy(` ') optional_policy(` + hal_dbus_chat(devicekit_power_t) + ') + + optional_policy(` networkmanager_dbus_chat(devicekit_power_t) ') optional_policy(` + policykit_dbus_chat(devicekit_power_t) + ') + + optional_policy(` rpm_dbus_chat(devicekit_power_t) ') ') 
@@ -265,20 +306,38 @@ optional_policy(` hal_manage_log(devicekit_power_t) hal_manage_pid_dirs(devicekit_power_t) hal_manage_pid_files(devicekit_power_t) - hal_dbus_chat(devicekit_power_t) ') optional_policy(` - policykit_dbus_chat(devicekit_power_t) + modutils_domtrans_insmod(devicekit_power_t) +') + +optional_policy(` + mount_domtrans(devicekit_power_t) +') + +optional_policy(` + networkmanager_domtrans(devicekit_power_t) +') + +optional_policy(` policykit_domtrans_auth(devicekit_power_t) policykit_read_lib(devicekit_power_t) policykit_read_reload(devicekit_power_t) ') optional_policy(` + readahead_domtrans(devicekit_power_t) +') + +optional_policy(` udev_read_db(devicekit_power_t) ') optional_policy(` + usbmuxd_stream_connect(devicekit_power_t) +') + +optional_policy(` vbetool_domtrans(devicekit_power_t) ') diff --git a/policy/modules/contrib/hal.fc b/policy/modules/contrib/hal.fc index 2b6e3a9..8747ff6 100644 --- a/policy/modules/contrib/hal.fc +++ b/policy/modules/contrib/hal.fc @@ -19,12 +19,10 @@ /var/lib/hal(/.*)? gen_context(system_u:object_r:hald_var_lib_t,s0) /var/log/pm(/.*)? gen_context(system_u:object_r:hald_log_t,s0) -/var/log/pm-.*\.log.* gen_context(system_u:object_r:hald_log_t,s0) /var/run/hald(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0) /var/run/haldaemon\.pid -- gen_context(system_u:object_r:hald_var_run_t,s0) /var/run/pm(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0) -/var/run/pm-utils(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0) /var/run/synce.* gen_context(system_u:object_r:hald_var_run_t,s0) /var/run/vbe.* -- gen_context(system_u:object_r:hald_var_run_t,s0) diff --git a/policy/modules/contrib/hal.if b/policy/modules/contrib/hal.if index 7cf6763..0428ba4 100644 --- a/policy/modules/contrib/hal.if +++ b/policy/modules/contrib/hal.if 
@@ -316,7 +316,6 @@ interface(`hal_manage_log',` # log files for hald manage_files_pattern($1, hald_log_t, hald_log_t) - logging_log_filetrans($1, hald_log_t, file) ') ######################################## diff --git a/policy/modules/contrib/hal.te b/policy/modules/contrib/hal.te index e0476cb..667783c 100644 --- a/policy/modules/contrib/hal.te +++ b/policy/modules/contrib/hal.te @@ -1,4 +1,4 @@ -policy_module(hal, 1.14.0) +policy_module(hal, 1.14.1) ######################################## # diff --git a/policy/modules/contrib/readahead.if b/policy/modules/contrib/readahead.if index 47c4723..5bd316b 100644 --- a/policy/modules/contrib/readahead.if +++ b/policy/modules/contrib/readahead.if @@ -1 +1,21 @@ -## Readahead, read files into page cache for improved performance +## Readahead, read files into page cache for improved performance. + +######################################## +## +## Execute a domain transition +## to run readahead. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`readahead_domtrans',` + gen_require(` + type readahead_t, readahead_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, readahead_exec_t, readahead_t) +') diff --git a/policy/modules/contrib/readahead.te b/policy/modules/contrib/readahead.te index b4ac57e..34baa30 100644 --- a/policy/modules/contrib/readahead.te +++ b/policy/modules/contrib/readahead.te @@ -1,4 +1,4 @@ -policy_module(readahead, 1.12.0) +policy_module(readahead, 1.12.1) ######################################## #
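Review bot: in the devicekit.fc hunk, `/var/lib/udisks.*` and `/var/run/udisks.*` replace `/var/lib/udisks(/.*)?` and `/var/run/udisks(/.*)?`, which changes the match from the udisks directory tree to every path beginning with that prefix, presumably so a udisks2 state directory is also labelled (the same hunk adds `/lib/udisks2/udisksd`). If that is the intent, say so in the commit message; otherwise `/var/lib/udisks2?(/.*)?` and `/var/run/udisks2?(/.*)?` keep the tighter anchoring. Dropping the distro_debian ifdef around `/usr/lib/upower/upowerd` is fine, since an unmatched path in the file context list is harmless elsewhere.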
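Review bot: the rewrapped summary in the `@@ -198,8 +200,8 @@` hunk of devicekit.if still reads "administrate an devicekit environment."; since the line is being rewritten anyway, make it "administer a devicekit environment.".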
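Review bot: in the `@@ -222,23 +219,21 @@` hunk of devicekit.if the three per-domain `process { ptrace signal_perms getattr }` rules collapse into one `allow $1 { devicekit_t devicekit_disk_t devicekit_power_t }:process { ptrace signal_perms };`, silently dropping `getattr`. That is only safe if `ps_process_pattern` on the following line already grants it; please confirm against the pattern definition in this tree and mention the change in the commit message, because the rest of the hunk reads as a pure reorder. Adding `devicekit_var_log_t` to the gen_require together with the `logging_search_logs($1)` / `admin_pattern($1, devicekit_var_log_t)` pair is the right way to make the new log type administrable.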
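Review bot: `allow devicekit_disk_t devicekit_var_run_t:dir mounton;` in the `@@ -69,17 +71,20 @@` hunk of devicekit.te lets the disk daemon mount over its own runtime directory, and neither the diff nor the commit message says which udisks operation does that. Add a one-line comment above the rule naming it, as is usual for non-obvious allows in refpolicy; otherwise it will look like a stray Fedora carry-over on the next review. `kernel_list_unlabeled` plus `kernel_dontaudit_getattr_unlabeled_files` in the same hunk is the sensible way to keep freshly plugged, not-yet-labelled media from flooding the audit log.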
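Review bot: `files_manage_boot_dirs(devicekit_disk_t)` in the `@@ -105,14 +110,16 @@` hunk lets the disk daemon create and remove directories under /boot, and replacing `files_getattr_all_mountpoints` with `files_getattr_all_dirs` widens getattr from mountpoints to every directory; neither is explained. Record the udisks operation behind the /boot access, or put it behind a tunable, so it does not read as a blanket grant. The same hunk also removes `files_read_etc_files(devicekit_disk_t)` with no replacement in the diff (the power section likewise swaps it for `files_read_etc_runtime_files`); confirm that /etc read access is granted to all domains by a base rule in this refpolicy version, otherwise both daemons lose their configuration files.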
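Review bot: in the `@@ -180,43 +190,62 @@` hunk of devicekit.te, `files_tmp_filetrans(devicekit_power_t, devicekit_tmp_t, { file dir })` uses the `{ file dir }` order that every other filetrans in this patch is being normalised to `{ dir file }`, and `dev_read_rand` / `dev_getattr_all_chr_files` are appended after `dev_rw_sysfs` instead of in the alphabetical position the disk hunk of the same patch goes to the trouble of restoring; fix both so the next diff does not have to. The log rules look deliberately chosen: `append_file_perms`, `create_file_perms` and `setattr_file_perms` on `devicekit_var_log_t` give upower an append-style log rather than full manage rights, which is the right shape for a suspend log; keep it that way rather than collapsing it to a manage pattern later.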
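Review bot: the `@@ -225,8 +254,8 @@` hunk removes `sysnet_read_config(devicekit_power_t)` and adds `sysnet_domtrans_dhcpc(devicekit_power_t)`; the second means upower (through its pm-utils hooks, presumably) can start the DHCP client in the dhcpc domain on resume, and the first means it can no longer read network configuration itself. Both may be correct for the Fedora behaviour being ported, but the commit message should say why a power daemon needs to launch the DHCP client, and if anything upower runs in its own domain still reads the network config the removal will surface as a denial.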
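Review bot: the `@@ -265,20 +306,38 @@` hunk gives devicekit_power_t four new domain transitions (`modutils_domtrans_insmod`, `mount_domtrans`, `networkmanager_domtrans`, `readahead_domtrans`) plus `usbmuxd_stream_connect`. They are each wrapped in `optional_policy`, so they only apply when the corresponding module is loaded, but `modutils_domtrans_insmod` in particular lets upower load kernel modules through the insmod domain, and nothing in the diff records which pm-utils hook needs each one. Please add that justification to the commit message so a later reviewer can drop any of these without re-deriving the reason.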
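Review bot: the hal.fc hunk removes `/var/log/pm-.*\.log.*` (hald_log_t) and `/var/run/pm-utils(/.*)?` (hald_var_run_t) while the devicekit.fc hunk relabels `/var/log/pm-suspend\.log.*`, `/var/log/pm-powersave\.log.*` and `/var/run/pm-utils(/.*)?` as devicekit_var_log_t and devicekit_var_run_t. That moves the pm-utils state out of hald's reach: hal.te in this patch only bumps the module version, so if hald still invokes pm-utils on this distribution it will be denied on those files. Either confirm that hald no longer drives pm-utils here, or give it the matching devicekit log and pid interfaces. Note also that `/var/log/pm(/.*)?` stays hald_log_t, so the pm log directory and the pm-*.log files now carry different types.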
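Review bot: removing `logging_log_filetrans($1, hald_log_t, file)` from `hal_manage_log` in the hal.if hunk is needed for devicekit_power_t, which calls this interface and now gets its own `logging_log_filetrans(devicekit_power_t, devicekit_var_log_t, file)` in devicekit.te; a domain can carry only one default type transition for files it creates in /var/log, so keeping both would conflict. The side effect is that every other caller of `hal_manage_log` loses the transition to hald_log_t for new files, a behaviour change that the commit message ("Ported from Fedora with changes") does not mention; please call it out, and check that hald itself still gets its log transition from hal.te.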