From 731e693460a4b9d4c033459453a5d75255ce7d81 Mon Sep 17 00:00:00 2001 From: Dan Walsh Date: Feb 01 2011 21:45:17 +0000 Subject: - Add tcsd policy --- diff --git a/modules-mls.conf b/modules-mls.conf index 2ecea15..ec38586 100644 --- a/modules-mls.conf +++ b/modules-mls.conf @@ -1525,6 +1525,13 @@ sysstat = module tcpd = module # Layer: services +# Module: tcsd +# +# tcsd - daemon that manages Trusted Computing resources +# +tcsd = module + +# Layer: services # Module: tgtd # # Linux Target Framework Daemon. diff --git a/modules-targeted.conf b/modules-targeted.conf index 44b5b28..6ed801c 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -1742,6 +1742,13 @@ sysstat = module tcpd = module # Layer: services +# Module: tcsd +# +# tcsd - daemon that manages Trusted Computing resources +# +tcsd = module + +# Layer: services # Module: tgtd # # Linux Target Framework Daemon. diff --git a/policy-F15.patch b/policy-F15.patch index eac1b70..ed163bf 100644 --- a/policy-F15.patch +++ b/policy-F15.patch @@ -8869,7 +8869,7 @@ index 5a07a43..e97e47f 100644 ## ## diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index f12e087..71e46ab 100644 +index f12e087..791a227 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -16,6 +16,7 @@ attribute rpc_port_type; @@ -9023,7 +9023,7 @@ index f12e087..71e46ab 100644 network_port(printer, tcp,515,s0) network_port(ptal, tcp,5703,s0) network_port(pulseaudio, tcp,4713,s0) -@@ -177,43 +213,49 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0) +@@ -177,25 +213,30 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0) network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0) network_port(rlogind, tcp,513,s0) network_port(rndc, tcp,953,s0) 
@@ -9054,12 +9054,11 @@ index f12e087..71e46ab 100644 network_port(swat, tcp,901,s0) +network_port(sype, tcp,9911,s0, udp,9911,s0) network_port(syslogd, udp,514,s0) ++network_port(tcs, tcp, 30003, s0) network_port(telnetd, tcp,23,s0) network_port(tftp, udp,69,s0) network_port(tor, tcp, 6969, s0, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0, tcp,9051,s0) - network_port(traceroute, udp,64000-64010,s0) - network_port(transproxy, tcp,8081,s0) -+network_port(tscd, tcp,30003,s0) +@@ -204,16 +245,17 @@ network_port(transproxy, tcp,8081,s0) network_port(ups, tcp,3493,s0) type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon network_port(uucpd, tcp,540,s0) @@ -9125,7 +9124,7 @@ index 3b2da10..7c29e17 100644 +# +/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index 15a7bef..6d68113 100644 +index 15a7bef..eddb8dc 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -146,8 +146,8 @@ interface(`dev_relabel_all_dev_nodes',` @@ -9407,7 +9406,7 @@ index 15a7bef..6d68113 100644 ## Get the attributes of sysfs directories. ## ## -@@ -3773,6 +3935,42 @@ interface(`dev_rw_sysfs',` +@@ -3773,6 +3935,60 @@ interface(`dev_rw_sysfs',` ######################################## ## @@ -9447,10 +9446,28 @@ index 15a7bef..6d68113 100644 + +######################################## +## ++## Read and write the TPM device. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_rw_tpm',` ++ gen_require(` ++ type device_t, tpm_device_t; ++ ') ++ ++ rw_chr_files_pattern($1, device_t, tpm_device_t) ++') ++ ++######################################## ++## ## Read from pseudo random number generator devices (e.g., /dev/urandom). ## ## -@@ -3942,6 +4140,24 @@ interface(`dev_read_usbmon_dev',` +@@ -3942,6 +4158,24 @@ interface(`dev_read_usbmon_dev',` ######################################## ## 
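Review bot: Renaming the port from `tscd` to `tcs` in corenetwork.te.in also renames everything generated from it (`tcs_port_t`, `corenet_tcp_bind_tcs_port`, which the new tcsd.te calls), so any remaining reference to the old `tscd` name will stop resolving. Nothing else visible in this diff uses the old name, but the rest of policy-F15.patch is not shown and is worth a grep. The new line also writes `tcp, 30003, s0` where its immediate neighbours write `tcp,23,s0`; matching them would read `network_port(tcs, tcp,30003,s0)`.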
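Review bot: The new `dev_rw_tpm` interface in devices.if requires `tpm_device_t`, but no declaration of that type appears in this diff. It presumably already exists in devices.te; that is worth confirming, because a missing type fails the policy build. The summary could also name the device node the way the neighbouring urandom interface does, e.g. `## Read and write the TPM device (e.g., /dev/tpm0).`, which would match the `# Access /dev/tpm0.` comment at the call site in tcsd.te.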
@@ -9475,7 +9492,7 @@ index 15a7bef..6d68113 100644 ## Mount a usbfs filesystem. ## ## -@@ -4252,11 +4468,10 @@ interface(`dev_write_video_dev',` +@@ -4252,11 +4486,10 @@ interface(`dev_write_video_dev',` # interface(`dev_rw_vhost',` gen_require(` 
@@ -38454,6 +38471,234 @@ index 7038b55..4e84f23 100644 type tcpd_tmp_t; files_tmp_file(tcpd_tmp_t) +diff --git a/policy/modules/services/tcsd.fc b/policy/modules/services/tcsd.fc +new file mode 100644 +index 0000000..7fdda14 +--- /dev/null ++++ b/policy/modules/services/tcsd.fc +@@ -0,0 +1,6 @@ ++/etc/rc\.d/init\.d/tcsd -- gen_context(system_u:object_r:tcsd_initrc_exec_t,s0) ++ ++/usr/sbin/tcsd -- gen_context(system_u:object_r:tcsd_exec_t,s0) ++ ++/var/lib/tpm(/.*)? gen_context(system_u:object_r:tcsd_var_lib_t,s0) ++ +diff --git a/policy/modules/services/tcsd.if b/policy/modules/services/tcsd.if +new file mode 100644 +index 0000000..41ebccf +--- /dev/null ++++ b/policy/modules/services/tcsd.if +@@ -0,0 +1,153 @@ ++## policy for tcsd ++ ++######################################## ++## ++## Execute a domain transition to run tcsd. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`tcsd_domtrans',` ++ gen_require(` ++ type tcsd_t, tcsd_exec_t; ++ ') ++ ++ domtrans_pattern($1, tcsd_exec_t, tcsd_t) ++') ++ ++ ++######################################## ++## ++## Execute tcsd server in the tcsd domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`tcsd_initrc_domtrans',` ++ gen_require(` ++ type tcsd_initrc_exec_t; ++ ') ++ ++ init_labeled_script_domtrans($1, tcsd_initrc_exec_t) ++') ++ ++######################################## ++## ++## Search tcsd lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`tcsd_search_lib',` ++ gen_require(` ++ type tcsd_var_lib_t; ++ ') ++ ++ allow $1 tcsd_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## Read tcsd lib files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`tcsd_read_lib_files',` ++ gen_require(` ++ type tcsd_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, tcsd_var_lib_t, tcsd_var_lib_t) ++') ++ ++######################################## ++## ++## Create, read, write, and delete ++## tcsd lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`tcsd_manage_lib_files',` ++ gen_require(` ++ type tcsd_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, tcsd_var_lib_t, tcsd_var_lib_t) ++') ++ ++######################################## ++## ++## Manage tcsd lib dirs files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`tcsd_manage_lib_dirs',` ++ gen_require(` ++ type tcsd_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_dirs_pattern($1, tcsd_var_lib_t, tcsd_var_lib_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an tcsd environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. 
++## ++## ++## ++# ++interface(`tcsd_admin',` ++ gen_require(` ++ type tcsd_t; ++ type tcsd_initrc_exec_t; ++ type tcsd_var_lib_t; ++ ') ++ ++ allow $1 tcsd_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, tcsd_t) ++ ++ tcsd_initrc_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 tcsd_initrc_exec_t system_r; ++ allow $2 system_r; ++ ++ files_search_var_lib($1) ++ admin_pattern($1, tcsd_var_lib_t) ++ ++') +diff --git a/policy/modules/services/tcsd.te b/policy/modules/services/tcsd.te +new file mode 100644 +index 0000000..7b74540 +--- /dev/null ++++ b/policy/modules/services/tcsd.te +@@ -0,0 +1,51 @@ ++policy_module(tcsd, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type tcsd_t; ++type tcsd_exec_t; ++init_daemon_domain(tcsd_t, tcsd_exec_t) ++ ++permissive tcsd_t; ++ ++type tcsd_initrc_exec_t; ++init_script_file(tcsd_initrc_exec_t) ++ ++type tcsd_var_lib_t; ++files_type(tcsd_var_lib_t) ++ ++######################################## ++# ++# tcsd local policy ++# ++ ++allow tcsd_t self:capability { dac_override setuid }; ++allow tcsd_t self:process { signal sigkill }; ++allow tcsd_t self:tcp_socket create_stream_socket_perms; ++ ++# Access /dev/tpm0. ++dev_rw_tpm(tcsd_t) ++ ++manage_dirs_pattern(tcsd_t,tcsd_var_lib_t,tcsd_var_lib_t) ++manage_files_pattern(tcsd_t,tcsd_var_lib_t,tcsd_var_lib_t) ++files_var_lib_filetrans(tcsd_t,tcsd_var_lib_t,{ file dir }) ++ ++corenet_all_recvfrom_unlabeled(tcsd_t) ++corenet_tcp_bind_generic_node(tcsd_t) ++corenet_tcp_bind_tcs_port(tcsd_t) ++ ++dev_read_urand(tcsd_t) ++ ++files_read_etc_files(tcsd_t) ++files_read_usr_files(tcsd_t) ++ ++auth_use_nsswitch(tcsd_t) ++ ++logging_send_syslog_msg(tcsd_t) ++ ++miscfiles_read_localization(tcsd_t) ++ ++sysnet_dns_name_resolve(tcsd_t) diff --git a/policy/modules/services/telnet.if b/policy/modules/services/telnet.if index 58e7ec0..cf4cc85 100644 --- a/policy/modules/services/telnet.if 
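Review bot: `permissive tcsd_t;` in the new tcsd.te means none of the rules below it are enforced, only logged, for a daemon that gets read/write access to the TPM device, `dac_override` and `setuid`, and a TCP listener on the tcs port. Because modules-mls.conf and modules-targeted.conf both enable the module, the permissive domain ships in both policies. If this is the usual bring-up step for a new domain, say so next to the line, e.g. `# Permissive while the policy is new; remove once tcsd_t AVC denials have been reviewed.`, and give `dac_override` a one-line why-comment naming the files tcsd must reach despite DAC. In tcsd.if, `tcsd_admin` grants `ptrace` on `tcsd_t` to the admin domain, which presumably lets it inspect whatever key material the daemon holds in memory. Confirm that this is intended and not just carried over from the interface template; the doc text `an tcsd environment` suggests the latter.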
diff --git a/selinux-policy.spec b/selinux-policy.spec index f4c17bd..fb7a949 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -21,7 +21,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.9.13 -Release: 7%{?dist} +Release: 8%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -472,6 +472,9 @@ exit 0 %endif %changelog +* Tue Feb 1 2011 Dan Walsh 3.9.13-8 +- Add tcsd policy + * Tue Feb 1 2011 Miroslav Grepl 3.9.13-7 - ricci_modclusterd_t needs to bind to rpc ports 500-1023 - Allow dbus to use setrlimit to increase resoueces