diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index a8d14de..0ceec0a 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -9,6 +9,7 @@ ddcprobe fetchmail irc + lockdev logwatch (Dan Walsh) openct readahead
diff --git a/refpolicy/policy/modules/apps/lockdev.fc b/refpolicy/policy/modules/apps/lockdev.fc
new file mode 100644
index 0000000..8b5ce03
--- /dev/null
+++ b/refpolicy/policy/modules/apps/lockdev.fc
@@ -0,0 +1,2 @@
+
+/usr/sbin/lockdev -- gen_context(system_u:object_r:lockdev_exec_t,s0)
diff --git a/refpolicy/policy/modules/apps/lockdev.if b/refpolicy/policy/modules/apps/lockdev.if
new file mode 100644
index 0000000..2e4e8ca
--- /dev/null
+++ b/refpolicy/policy/modules/apps/lockdev.if
@@ -0,0 +1,81 @@
+## device locking policy for lockdev
+
+#######################################
+##
+## The per user domain template for the lockdev module.
+##
+##
+##

+## This template creates derived domains which are used
+## for lockdev. A derived type is also created to protect
+## the user's device locks.
+##

+##

+## This template is invoked automatically for each user, and
+## generally does not need to be invoked directly
+## by policy writers.
+##

+##
+##
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+##
+##
+## The type of the user domain.
+##
+##
+## The role associated with the user domain.
+##
+#
+template(`lockdev_per_userdomain_template',`
+ gen_require(`
+ type lockdev_exec_t;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ type $1_lockdev_t;
+ domain_type($1_lockdev_t)
+ domain_entry_file($1_lockdev_t,lockdev_exec_t)
+ role $3 types $1_lockdev_t;
+
+ type $1_lockdev_lock_t;
+ files_lock_file($1_lockdev_lock_t)
+
+ ########################################
+ #
+ # Local policy
+ #
+
+ # Use capabilities.
+ allow $1_lockdev_t self:capability setgid;
+ allow $1_lockdev_t $2:process signull;
+
+ # Transition from the user domain to the derived domain.
+ domain_auto_trans($2, lockdev_exec_t, $1_lockdev_t)
+ allow $2 $1_lockdev_t:fd use;
+ allow $1_lockdev_t $2:fd use;
+ allow $1_lockdev_t $2:fifo_file rw_file_perms;
+ allow $1_lockdev_t $2:process sigchld;
+
+ allow $1_lockdev_t $1_lockdev_lock_t:file create_file_perms;
+ files_create_lock($1_lockdev_t,$1_lockdev_lock_t)
+
+ files_read_all_locks($1_lockdev_t)
+
+ fs_getattr_xattr_fs($1_lockdev_t)
+
+ libs_use_ld_so($1_lockdev_t)
+ libs_use_shared_libs($1_lockdev_t)
+
+ logging_send_syslog_msg($1_lockdev_t)
+
+ userdom_use_user_terminals($1, $1_lockdev_t)
+
+ optional_policy(`logging',`
+ logging_send_syslog_msg($1_t)
+ ')
+')
diff --git a/refpolicy/policy/modules/apps/lockdev.te b/refpolicy/policy/modules/apps/lockdev.te
new file mode 100644
index 0000000..06eae58
--- /dev/null
+++ b/refpolicy/policy/modules/apps/lockdev.te
@@ -0,0 +1,10 @@
+
+policy_module(lockdev,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type lockdev_exec_t;
+files_type(lockdev_exec_t)
diff --git a/refpolicy/policy/modules/kernel/files.if b/refpolicy/policy/modules/kernel/files.if
index cafee78..f0ef6a4 100644
--- a/refpolicy/policy/modules/kernel/files.if
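Review bot: The closing optional_policy block of `lockdev_per_userdomain_template` calls `logging_send_syslog_msg($1_t)`, which grants syslog access to the user domain itself rather than to the derived `$1_lockdev_t` domain. It also builds the type name from the prefix, where the rest of the template refers to the user domain through `$2`. The lockdev domain already receives `logging_send_syslog_msg($1_lockdev_t)` unconditionally a few lines earlier, so this block looks like an unintended widening of the calling user domain's permissions as a side effect of instantiating the template. If the user domain really does need it, I would write `logging_send_syslog_msg($2)` with a comment explaining why; otherwise the block can be dropped.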
+++ b/refpolicy/policy/modules/kernel/files.if
@@ -2880,6 +2880,26 @@ interface(`files_delete_all_locks',` ') ########################################
+##
+## Read all lock files.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`files_read_all_locks',`
+ gen_require(`
+ attribute lockfile;
+ type var_t, var_lock_t;
+ ')
+
+ allow $1 { var_t var_lock_t }:dir search_dir_perms;
+ allow $1 lockfile:dir r_dir_perms;
+ allow $1 lockfile:file r_file_perms;
+ allow $1 lockfile:lnk_file { getattr read };
+')
+
+########################################
 # # files_create_lock(domain,private_type,[object class(es)]) #
@@ -3257,4 +3277,4 @@ interface(`files_write_non_security_dir',` ') allow $1 file_type:dir write;
-')
\ No newline at end of file
+')
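Review bot: The summary of `files_read_all_locks` says only "Read all lock files.", but the body also grants `r_dir_perms` on `lockfile` directories and `{ getattr read }` on `lockfile` symlinks, and it covers every type carrying the `lockfile` attribute rather than one private lock type. Because the new lockdev template gives this to each per-user lockdev domain, the doc comment should spell out that scope so later callers do not reach for it when access to a single lock type would do. A summary such as `## Read all lock files, list lock directories and read lock symbolic links, for every lock file type.` would cover it.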