diff --git a/Changelog b/Changelog index 336e867..bfe3d71 100644 --- a/Changelog +++ b/Changelog @@ -13,6 +13,7 @@ - Added modules: kerneloops (Dan Walsh) kismet (Dan Walsh) + podsleuth (Dan Walsh) prelude (Dan Walsh) qemu (Dan Walsh) virt (Dan Walsh) diff --git a/policy/modules/apps/mono.if b/policy/modules/apps/mono.if index 2468754..3e34268 100644 --- a/policy/modules/apps/mono.if +++ b/policy/modules/apps/mono.if @@ -18,3 +18,22 @@ interface(`mono_domtrans',` corecmd_search_bin($1) domtrans_pattern($1, mono_exec_t, mono_t) ') + +######################################## +## +## Execute the mono program in the caller domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`mono_exec',` + gen_require(` + type mono_t, mono_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, mono_exec_t) +') diff --git a/policy/modules/apps/mono.te b/policy/modules/apps/mono.te index ee29a1f..843a5cb 100644 --- a/policy/modules/apps/mono.te +++ b/policy/modules/apps/mono.te @@ -1,5 +1,5 @@ -policy_module(mono,1.4.1) +policy_module(mono,1.4.2) ######################################## # diff --git a/policy/modules/apps/podsleuth.fc b/policy/modules/apps/podsleuth.fc new file mode 100644 index 0000000..91397a3 --- /dev/null +++ b/policy/modules/apps/podsleuth.fc @@ -0,0 +1,2 @@ + +/usr/bin/podsleuth -- gen_context(system_u:object_r:podsleuth_exec_t,s0) diff --git a/policy/modules/apps/podsleuth.if b/policy/modules/apps/podsleuth.if new file mode 100644 index 0000000..c35702d --- /dev/null +++ b/policy/modules/apps/podsleuth.if @@ -0,0 +1,19 @@ +## Podsleuth is a tool to get information about an Apple (TM) iPod (TM) + +######################################## +## +## Execute a domain transition to run podsleuth. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`podsleuth_domtrans',` + gen_require(` + type podsleuth_t, podsleuth_exec_t; + ') + + domtrans_pattern($1, podsleuth_exec_t, podsleuth_t) +') diff --git a/policy/modules/apps/podsleuth.te b/policy/modules/apps/podsleuth.te new file mode 100644 index 0000000..67d52ed --- /dev/null +++ b/policy/modules/apps/podsleuth.te @@ -0,0 +1,38 @@ + +policy_module(podsleuth, 1.0.0) + +######################################## +# +# Declarations +# + +type podsleuth_t; +type podsleuth_exec_t; +application_domain(podsleuth_t, podsleuth_exec_t) +role system_r types podsleuth_t; + +######################################## +# +# podsleuth local policy +# + +allow podsleuth_t self:process { signal getsched execheap execmem }; +allow podsleuth_t self:fifo_file rw_file_perms; +allow podsleuth_t self:unix_stream_socket create_stream_socket_perms; + +kernel_read_system_state(podsleuth_t) + +dev_read_urand(podsleuth_t) + +files_read_etc_files(podsleuth_t) + +libs_use_ld_so(podsleuth_t) +libs_use_shared_libs(podsleuth_t) + +miscfiles_read_localization(podsleuth_t) + +dbus_system_bus_client_template(podsleuth, podsleuth_t) + +mono_exec(podsleuth_t) + +hal_dbus_chat(podsleuth_t) diff --git a/policy/modules/services/hal.fc b/policy/modules/services/hal.fc index afdf511..130c317 100644 --- a/policy/modules/services/hal.fc +++ b/policy/modules/services/hal.fc @@ -8,6 +8,7 @@ /usr/libexec/hal-hotplug-map -- gen_context(system_u:object_r:hald_exec_t,s0) /usr/libexec/hal-system-sonypic -- gen_context(system_u:object_r:hald_sonypic_exec_t,s0) /usr/libexec/hald-addon-macbookpro-backlight -- gen_context(system_u:object_r:hald_mac_exec_t,s0) +/usr/libexec/hald-addon-macbook-backlight -- gen_context(system_u:object_r:hald_mac_exec_t,s0) /usr/sbin/hald -- gen_context(system_u:object_r:hald_exec_t,s0) @@ -15,10 +16,14 @@ /var/lib/hal(/.*)? gen_context(system_u:object_r:hald_var_lib_t,s0) +/var/log/pm(/.*)? gen_context(system_u:object_r:hald_log_t,s0) /var/log/pm-suspend\.log gen_context(system_u:object_r:hald_log_t,s0) +/var/run/hald(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0) /var/run/haldaemon\.pid -- gen_context(system_u:object_r:hald_var_run_t,s0) -/var/run/vbestate -- gen_context(system_u:object_r:hald_var_run_t,s0) +/var/run/pm(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0) +/var/run/pm-utils(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0) +/var/run/vbe.* -- gen_context(system_u:object_r:hald_var_run_t,s0) ifdef(`distro_gentoo',` /var/lib/cache/hald(/.*)? gen_context(system_u:object_r:hald_cache_t,s0) diff --git a/policy/modules/services/hal.te b/policy/modules/services/hal.te index bb0da44..e24de94 100644 --- a/policy/modules/services/hal.te +++ b/policy/modules/services/hal.te @@ -1,5 +1,5 @@ -policy_module(hal,1.9.2) +policy_module(hal,1.9.3) ######################################## # @@ -57,7 +57,7 @@ files_type(hald_var_lib_t) # execute openvt which needs setuid allow hald_t self:capability { chown setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config }; dontaudit hald_t self:capability {sys_ptrace sys_tty_config }; -allow hald_t self:process signal_perms; +allow hald_t self:process { getattr signal_perms }; allow hald_t self:fifo_file rw_fifo_file_perms; allow hald_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow hald_t self:unix_dgram_socket create_socket_perms; @@ -70,7 +70,7 @@ allow hald_t self:netlink_socket create_socket_perms; manage_files_pattern(hald_t,hald_cache_t,hald_cache_t) # log files for hald -allow hald_t hald_log_t:file manage_file_perms; +manage_files_pattern(hald_t, hald_log_t, hald_log_t) logging_log_filetrans(hald_t,hald_log_t,file) manage_dirs_pattern(hald_t,hald_tmp_t,hald_tmp_t) @@ -82,8 +82,9 @@ manage_dirs_pattern(hald_t,hald_var_lib_t,hald_var_lib_t) manage_files_pattern(hald_t,hald_var_lib_t,hald_var_lib_t) manage_sock_files_pattern(hald_t,hald_var_lib_t,hald_var_lib_t) +manage_dirs_pattern(hald_t, hald_var_run_t, hald_var_run_t) manage_files_pattern(hald_t,hald_var_run_t,hald_var_run_t) -files_pid_filetrans(hald_t,hald_var_run_t,file) +files_pid_filetrans(hald_t, hald_var_run_t, { dir file }) kernel_read_system_state(hald_t) kernel_read_network_state(hald_t) @@ -93,6 +94,7 @@ kernel_read_fs_sysctls(hald_t) kernel_rw_irq_sysctls(hald_t) kernel_rw_vm_sysctls(hald_t) kernel_write_proc_files(hald_t) +kernel_setsched(hald_t) auth_read_pam_console_data(hald_t) @@ -119,8 +121,10 @@ dev_rw_generic_usb_dev(hald_t) dev_setattr_generic_usb_dev(hald_t) dev_setattr_usbfs_files(hald_t) dev_rw_power_management(hald_t) +dev_read_raw_memory(hald_t) # hal is now execing pm-suspend dev_rw_sysfs(hald_t) +dev_read_video_dev(hald_t) domain_use_interactive_fds(hald_t) domain_read_all_domains_state(hald_t) @@ -166,6 +170,8 @@ term_dontaudit_use_unallocated_ttys(hald_t) auth_use_nsswitch(hald_t) +fstools_getattr_swap_files(hald_t) + init_domtrans_script(hald_t) init_read_utmp(hald_t) #hal runs shutdown, probably need a shutdown domain @@ -245,6 +251,10 @@ optional_policy(` ') optional_policy(` + gpm_dontaudit_getattr_gpmctl(hald_t) +') + +optional_policy(` hotplug_read_config(hald_t) ') @@ -266,6 +276,10 @@ optional_policy(` ') optional_policy(` + podsleuth_domtrans(hald_t) +') + +optional_policy(` rpc_search_nfs_state_data(hald_t) ') @@ -292,7 +306,8 @@ optional_policy(` # allow hald_acl_t self:capability { dac_override fowner }; -allow hald_acl_t self:fifo_file read_fifo_file_perms; +allow hald_acl_t self:process { getattr signal }; +allow hald_acl_t self:fifo_file rw_fifo_file_perms; domtrans_pattern(hald_t, hald_acl_exec_t, hald_acl_t) allow hald_t hald_acl_t:process signal; @@ -302,9 +317,14 @@ manage_dirs_pattern(hald_acl_t,hald_var_lib_t,hald_var_lib_t) manage_files_pattern(hald_acl_t,hald_var_lib_t,hald_var_lib_t) files_search_var_lib(hald_acl_t) +manage_dirs_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t) +manage_files_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t) +files_pid_filetrans(hald_acl_t, hald_var_run_t, { dir file }) + corecmd_exec_bin(hald_acl_t) dev_getattr_all_chr_files(hald_acl_t) +dev_setattr_all_chr_files(hald_acl_t) dev_getattr_generic_usb_dev(hald_acl_t) dev_getattr_video_dev(hald_acl_t) dev_setattr_video_dev(hald_acl_t) @@ -339,7 +359,11 @@ manage_dirs_pattern(hald_mac_t,hald_var_lib_t,hald_var_lib_t) manage_files_pattern(hald_mac_t,hald_var_lib_t,hald_var_lib_t) files_search_var_lib(hald_mac_t) +kernel_read_system_state(hald_mac_t) + +dev_read_raw_memory(hald_mac_t) dev_write_raw_memory(hald_mac_t) +dev_read_sysfs(hald_mac_t) files_read_usr_files(hald_mac_t) @@ -392,3 +416,7 @@ libs_use_ld_so(hald_keymap_t) libs_use_shared_libs(hald_keymap_t) miscfiles_read_localization(hald_keymap_t) + +# This is caused by a bug in hald and PolicyKit. +# Should be removed when this is fixed +#cron_read_system_job_lib_files(hald_t)