From 21468a60766f0a03781a23818933f05078927ba3 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Aug 15 2005 14:46:17 +0000 Subject: add loadkeys --- diff --git a/refpolicy/Changelog b/refpolicy/Changelog index f11c1c4..f91ce4a 100644 --- a/refpolicy/Changelog +++ b/refpolicy/Changelog @@ -8,6 +8,7 @@ * Misc. cleanups. * Added policies: acct + loadkeys mysql quota su diff --git a/refpolicy/policy/modules/apps/loadkeys.fc b/refpolicy/policy/modules/apps/loadkeys.fc new file mode 100644 index 0000000..040d261 --- /dev/null +++ b/refpolicy/policy/modules/apps/loadkeys.fc @@ -0,0 +1,3 @@ + +/bin/loadkeys -- context_template(system_u:object_r:loadkeys_exec_t,s0) +/bin/unikeys -- context_template(system_u:object_r:loadkeys_exec_t,s0) diff --git a/refpolicy/policy/modules/apps/loadkeys.if b/refpolicy/policy/modules/apps/loadkeys.if new file mode 100644 index 0000000..cf97b11 --- /dev/null +++ b/refpolicy/policy/modules/apps/loadkeys.if @@ -0,0 +1,67 @@ +## Load keyboard mappings. + +######################################## +## +## Execute the loadkeys program in the loadkeys domain. +## +## +## The type of the process performing this action. +## +# +interface(`loadkeys_domtrans',` + gen_require(` + type loadkeys_t, loadkeys_exec_t; + class process sigchld; + class fd use; + class fifo_file rw_file_perms; + ') + + corecmd_search_bin($1) + domain_auto_trans($1, loadkeys_exec_t, loadkeys_t) + + allow $1 loadkeys_t:fd use; + allow loadkeys_t $1:fd use; + allow loadkeys_t $1:fifo_file rw_file_perms; + allow loadkeys_t $1:process sigchld; +') + +######################################## +## +## Execute the loadkeys program in the loadkeys domain. +## +## +## The type of the process performing this action. +## +## +## The role to allow the loadkeys domain. +## +## +## The type of the terminal allow the loadkeys domain to use. +## +# +interface(`loadkeys_run',` + gen_require(` + type loadkeys_t; + class chr_file rw_term_perms; + ') + + loadkeys_domtrans($1) + role $2 types loadkeys_t; + allow loadkeys_t $3:chr_file rw_term_perms; +') + +######################################## +## +## Execute the loadkeys program in the caller domain. +## +## +## The type of the process performing this action. +## +# +interface(`loadkeys_exec',` + gen_require(` + type loadkeys_exec_t; + ') + + can_exec($1,loadkeys_exec_t) +') diff --git a/refpolicy/policy/modules/apps/loadkeys.te b/refpolicy/policy/modules/apps/loadkeys.te new file mode 100644 index 0000000..7e58c33 --- /dev/null +++ b/refpolicy/policy/modules/apps/loadkeys.te @@ -0,0 +1,39 @@ + +policy_module(loadkeys,1.0) + +######################################## +# +# Declarations +# + +# cjp: this should probably be rewritten +# per user domain, since it can rw +# all user domain ttys + +type loadkeys_t; +domain_type(loadkeys_t) + +type loadkeys_exec_t; +domain_entry_file(loadkeys_t,loadkeys_exec_t) + +######################################## +# +# Local policy +# + +allow loadkeys_t self:capability { setuid sys_tty_config }; +allow loadkeys_t self:fifo_file rw_file_perms; + +kernel_read_system_state(loadkeys_t) + +corecmd_exec_bin(loadkeys_t) +corecmd_exec_shell(loadkeys_t) + +files_dontaudit_read_etc_runtime_files(loadkeys_t) + +libs_use_ld_so(loadkeys_t) +libs_use_shared_libs(loadkeys_t) + +locallogin_use_fd(loadkeys_t) + +miscfiles_read_localization(loadkeys_t) diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if index ecfc8dd..576dfde 100644 --- a/refpolicy/policy/modules/system/files.if +++ b/refpolicy/policy/modules/system/files.if @@ -923,34 +923,64 @@ interface(`files_create_boot_flag',` ') ######################################## +## +## Read files in /etc that are dynamically +## created on boot, such as mtab. +## +## +## Domain allowed access. +## # -# files_manage_etc_runtime_files(type) -# -interface(`files_manage_etc_runtime_files',` +interface(`files_read_etc_runtime_files',` gen_require(` type etc_t, etc_runtime_t; - class dir rw_dir_perms; - class file create_file_perms; + class dir r_dir_perms; + class file r_file_perms; ') - allow $1 etc_t:dir rw_dir_perms; - allow $1 etc_runtime_t:file create_file_perms; - type_transition $1 etc_t:file etc_runtime_t; + allow $1 etc_t:dir r_dir_perms; + allow $1 etc_runtime_t:file r_file_perms; ') ######################################## +## +## Do not audit attempts to read files +## in /etc that are dynamically +## created on boot, such as mtab. +## +## +## Domain to not audit. +## # -# files_read_etc_runtime_files(domain) +interface(`files_dontaudit_read_etc_runtime_files',` + gen_require(` + type etc_runtime_t; + class file { getattr read }; + ') + + allow $1 etc_runtime_t:file { getattr read }; +') + +######################################## +## +## Create, read, write, and delete files in +## /etc that are dynamically created on boot, +## such as mtab. +## +## +## Domain allowed access. +## # -interface(`files_read_etc_runtime_files',` +interface(`files_manage_etc_runtime_files',` gen_require(` type etc_t, etc_runtime_t; - class dir r_dir_perms; - class file r_file_perms; + class dir rw_dir_perms; + class file create_file_perms; ') - allow $1 etc_t:dir r_dir_perms; - allow $1 etc_runtime_t:file r_file_perms; + allow $1 etc_t:dir rw_dir_perms; + allow $1 etc_runtime_t:file create_file_perms; + type_transition $1 etc_t:file etc_runtime_t; ') ######################################## diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te index 129b41c..6c39e70 100644 --- a/refpolicy/policy/modules/system/init.te +++ b/refpolicy/policy/modules/system/init.te @@ -381,6 +381,10 @@ optional_policy(`kerberos.te',` kerberos_use(initrc_t) ') +optional_policy(`loadkeys.te',` + loadkeys_exec(initrc_t) +') + optional_policy(`lvm.te',` #allow initrc_t lvm_control_t:chr_file unlink; diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if index cc1a1b4..d3809ef 100644 --- a/refpolicy/policy/modules/system/userdomain.if +++ b/refpolicy/policy/modules/system/userdomain.if @@ -543,6 +543,10 @@ template(`unpriv_user_template', ` kerberos_use($1_t) ') + optional_policy(`loadkeys.te',` + loadkeys_run($1_t,$1_r,$1_tty_device_t) + ') + # for running depmod as part of the kernel packaging process optional_policy(`modutils.te',` modutils_read_module_conf($1_t)