diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 81420bd..fc0c904 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -16,6 +16,7 @@
 	slrnpull
 	smartmon
 	sysstat
+	usbmodules
 	vbetool (Dan Walsh)
 
 * Wed Dec 07 2005 Chris PeBenito - 20051207
diff --git a/refpolicy/policy/modules/admin/usbmodules.fc b/refpolicy/policy/modules/admin/usbmodules.fc
new file mode 100644
index 0000000..a008efb
--- /dev/null
+++ b/refpolicy/policy/modules/admin/usbmodules.fc
@@ -0,0 +1,9 @@
+#
+# /sbin
+#
+/sbin/usbmodules -- gen_context(system_u:object_r:usbmodules_exec_t,s0)
+
+#
+# /usr
+#
+/usr/sbin/usbmodules -- gen_context(system_u:object_r:usbmodules_exec_t,s0)
diff --git a/refpolicy/policy/modules/admin/usbmodules.if b/refpolicy/policy/modules/admin/usbmodules.if
new file mode 100644
index 0000000..394d990
--- /dev/null
+++ b/refpolicy/policy/modules/admin/usbmodules.if
@@ -0,0 +1,49 @@
+## List kernel modules of USB devices
+
+########################################
+##
+## Execute usbmodules in the usbmodules domain.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`usbmodules_domtrans',`
+	gen_require(`
+		type usbmodules_t, usbmodules_exec_t;
+	')
+
+	domain_auto_trans($1, usbmodules_exec_t, usbmodules_t)
+
+	allow $1 usbmodules_t:fd use;
+	allow usbmodules_t $1:fd use;
+	allow usbmodules_t $1:fifo_file rw_file_perms;
+	allow usbmodules_t $1:process sigchld;
+
+')
+
+########################################
+##
+## Execute usbmodules in the usbmodules domain, and
+## allow the specified role the usbmodules domain,
+## and use the caller's terminal.
+##
+##
+## The type of the process performing this action.
+##
+##
+## The role to be allowed the usbmodules domain.
+##
+##
+## The type of the terminal allow the usbmodules domain to use.
+##
+#
+interface(`usbmodules_run',`
+	gen_require(`
+		type usbmodules_t;
+	')
+
+	usbmodules_domtrans($1)
+	role $2 types usbmodules_t;
+	allow usbmodules_t $3:chr_file rw_term_perms;
+')
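Review bot: In `usbmodules_domtrans` there is a stray empty line between `allow usbmodules_t $1:process sigchld;` and the closing `')`, which the sibling `usbmodules_run` interface does not have; drop it so the two interfaces read consistently. The third parameter description of `usbmodules_run` is missing a word: `## The type of the terminal allow the usbmodules domain to use.` should read `## The type of the terminal to allow the usbmodules domain to use.`. It would also help a caller to have the `usbmodules_domtrans` summary state that, besides the transition, the interface gives usbmodules_t use of the caller's file descriptors and read/write on the caller's pipes, so whoever grants the transition knows it is also opening that channel back into its own domain.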
diff --git a/refpolicy/policy/modules/admin/usbmodules.te b/refpolicy/policy/modules/admin/usbmodules.te
new file mode 100644
index 0000000..d4c8a9a
--- /dev/null
+++ b/refpolicy/policy/modules/admin/usbmodules.te
@@ -0,0 +1,48 @@
+
+policy_module(usbmodules,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type usbmodules_t;
+type usbmodules_exec_t;
+init_system_domain(usbmodules_t,usbmodules_exec_t)
+role system_r types usbmodules_t;
+
+########################################
+#
+# Local policy
+#
+
+
+kernel_list_proc(usbmodules_t)
+
+bootloader_list_kernel_modules(usbmodules_t)
+
+dev_list_usbfs(usbmodules_t)
+# allow usb device access
+dev_rw_usbfs(usbmodules_t)
+
+files_list_etc(usbmodules_t)
+# needs etc_t read access for the hotplug config, maybe should have a new type
+files_read_etc_files(usbmodules_t)
+
+term_read_console(usbmodules_t)
+term_write_console(usbmodules_t)
+
+init_use_fd(usbmodules_t)
+
+libs_use_ld_so(usbmodules_t)
+libs_use_shared_libs(usbmodules_t)
+
+modutils_read_mods_deps(usbmodules_t)
+
+optional_policy(`hotplug',`
+	hotplug_read_config(usbmodules_t)
+')
+
+optional_policy(`logging',`
+	logging_send_syslog_msg(usbmodules_t)
+')
diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te
index f5be174..d01fb75 100644
--- a/refpolicy/policy/modules/system/hotplug.te
+++ b/refpolicy/policy/modules/system/hotplug.te
@@ -205,3 +205,7 @@ optional_policy(`udev',`
 optional_policy(`updfstab',`
 	updfstab_domtrans(hotplug_t)
 ')
+
+optional_policy(`usbmodules',`
+	usbmodules_domtrans(hotplug_t)
+')
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index f0d78d9..321064d 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -1,5 +1,5 @@
-policy_module(userdomain,1.1.4)
+policy_module(userdomain,1.1.5)
 
 gen_require(`
 	role sysadm_r, staff_r, user_r, secadm_r;
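Review bot: The comment on `files_read_etc_files(usbmodules_t)` justifies read access to every etc_t file by the hotplug configuration, yet the `optional_policy(`hotplug',` hotplug_read_config(usbmodules_t) ')` block further down already grants that configuration when the hotplug module is present (assuming hotplug_read_config covers the hotplug config type, as its name suggests); the etc_t read is therefore wider than the stated need. Either name in the comment what under etc_t usbmodules still reads once hotplug_read_config is applied, or reword it to `# reads etc_t beyond the hotplug config; TODO narrow to a dedicated type` so the excess grant is tracked rather than silently kept. The two consecutive blank lines after the `# Local policy` header are also one more than the `# Declarations` section uses, and the hunk opens with an empty line before `policy_module(usbmodules,1.0.0)` that the other modules in this diff do not have.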
@@ -315,6 +315,10 @@ ifdef(`targeted_policy',`
 		unconfined_domtrans(sysadm_t,sysadm_r,admin_terminal)
 	')
 
+	optional_policy(`usbmodules',`
+		usbmodules_run(sysadm_t,sysadm_r,admin_terminal)
+	')
+
 	optional_policy(`usermanage',`
 		usermanage_run_admin_passwd(sysadm_t,sysadm_r,admin_terminal)
 		usermanage_run_groupadd(sysadm_t,sysadm_r,admin_terminal)
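Review bot: The new `optional_policy(`usbmodules',` … ')` block sits directly after the `unconfined_domtrans(sysadm_t,sysadm_r,admin_terminal)` block and the hunk's nearest enclosing context is `ifdef(`targeted_policy',``; that ifdef begins and ends outside the hunk, so confirm from the full file that the block lands in the branch meant for the strict-policy sysadm_t rules and not inside the targeted_policy branch, where a sysadm_r role grant for usbmodules_t would be unintended. The placement itself keeps the file's alphabetical ordering of optional blocks (usbmodules before usermanage), and the trailing added blank line correctly preserves the separation from the following block.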