diff --git a/Changelog b/Changelog index 7a6d2b8..40bb755 100644 --- a/Changelog +++ b/Changelog @@ -22,6 +22,7 @@ - Added modules: certmaster (Dan Walsh) cpufreqselector (Dan Walsh) + devicekit (Dan Walsh) git (Dan Walsh) gpsd (Miroslav Grepl) guest (Dan Walsh) diff --git a/policy/modules/services/devicekit.fc b/policy/modules/services/devicekit.fc new file mode 100644 index 0000000..73a06f7 --- /dev/null +++ b/policy/modules/services/devicekit.fc @@ -0,0 +1,8 @@ +/usr/libexec/devkit-daemon -- gen_context(system_u:object_r:devicekit_exec_t,s0) +/usr/libexec/devkit-disks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) +/usr/libexec/devkit-power-daemon -- gen_context(system_u:object_r:devicekit_power_exec_t,s0) + +/var/lib/DeviceKit-.* gen_context(system_u:object_r:devicekit_var_lib_t,s0) + +/var/run/devkit(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) +/var/run/DeviceKit-disk(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) diff --git a/policy/modules/services/devicekit.if b/policy/modules/services/devicekit.if new file mode 100644 index 0000000..5be015a --- /dev/null +++ b/policy/modules/services/devicekit.if @@ -0,0 +1,185 @@ +## Devicekit modular hardware abstraction layer + +######################################## +## +## Execute a domain transition to run devicekit. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`devicekit_domtrans',` + gen_require(` + type devicekit_t, devicekit_exec_t; + ') + + domtrans_pattern($1, devicekit_exec_t, devicekit_t) +') + +######################################## +## +## Send to devicekit over a unix domain +## datagram socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`devicekit_dgram_send',` + gen_require(` + type devicekit_t; + ') + + allow $1 devicekit_t:unix_dgram_socket sendto; +') + +######################################## +## +## Send and receive messages from +## devicekit over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`devicekit_dbus_chat',` + gen_require(` + type devicekit_t; + class dbus send_msg; + ') + + allow $1 devicekit_t:dbus send_msg; + allow devicekit_t $1:dbus send_msg; +') + +######################################## +## +## Send and receive messages from +## devicekit disk over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`devicekit_dbus_chat_disk',` + gen_require(` + type devicekit_disk_t; + class dbus send_msg; + ') + + allow $1 devicekit_disk_t:dbus send_msg; + allow devicekit_disk_t $1:dbus send_msg; +') + +######################################## +## +## Send signal devicekit power +## +## +## +## Domain allowed access. +## +## +# +interface(`devicekit_signal_power',` + gen_require(` + type devicekit_power_t; + ') + + allow $1 devicekit_power_t:process signal; +') + +######################################## +## +## Send and receive messages from +## devicekit power over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`devicekit_dbus_chat_power',` + gen_require(` + type devicekit_power_t; + class dbus send_msg; + ') + + allow $1 devicekit_power_t:dbus send_msg; + allow devicekit_power_t $1:dbus send_msg; +') + +######################################## +## +## Read devicekit PID files. +## +## +## +## Domain allowed access. +## +## +# +interface(`devicekit_read_pid_files',` + gen_require(` + type devicekit_var_run_t; + ') + + files_search_pids($1) + read_files_pattern($1, devicekit_var_run_t, devicekit_var_run_t) +') + +######################################## +## +## All of the rules required to administrate +## an devicekit environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the devicekit domain. +## +## +## +## +## The type of the user terminal. +## +## +## +# +interface(`devicekit_admin',` + gen_require(` + type devicekit_t, devicekit_disk_t, devicekit_power_t; + type devicekit_var_run_t; + ') + + allow $1 devicekit_t:process { ptrace signal_perms getattr }; + ps_process_pattern($1, devicekit_t) + + allow $1 devicekit_disk_t:process { ptrace signal_perms getattr }; + ps_process_pattern($1, devicekit_disk_t) + + allow $1 devicekit_power_t:process { ptrace signal_perms getattr }; + ps_process_pattern($1, devicekit_power_t) + + admin_pattern($1, devicekit_tmp_t) + files_search_tmp($1) + + admin_pattern($1, devicekit_var_lib_t) + files_search_var_lib($1) + + admin_pattern($1, devicekit_var_run_t) + files_search_pids($1) +') diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te new file mode 100644 index 0000000..5d673bc --- /dev/null +++ b/policy/modules/services/devicekit.te @@ -0,0 +1,219 @@ +policy_module(devicekit, 1.0.0) + +######################################## +# +# Declarations +# + +type devicekit_t; +type devicekit_exec_t; +dbus_system_domain(devicekit_t, devicekit_exec_t) + +type devicekit_power_t; +type devicekit_power_exec_t; +dbus_system_domain(devicekit_power_t, devicekit_power_exec_t) + +type devicekit_disk_t; +type devicekit_disk_exec_t; +dbus_system_domain(devicekit_disk_t, devicekit_disk_exec_t) + +type devicekit_tmp_t; +files_tmp_file(devicekit_tmp_t) + +type devicekit_var_run_t; +files_pid_file(devicekit_var_run_t) + +type devicekit_var_lib_t; +files_type(devicekit_var_lib_t) + +######################################## +# +# DeviceKit local policy +# + +allow devicekit_t self:unix_dgram_socket create_socket_perms; + +manage_dirs_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t) +manage_files_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t) +files_pid_filetrans(devicekit_t, devicekit_var_run_t, { file dir }) + +dev_read_sysfs(devicekit_t) +dev_read_urand(devicekit_t) + +files_read_etc_files(devicekit_t) + +miscfiles_read_localization(devicekit_t) + +optional_policy(` + dbus_system_bus_client(devicekit_t) + + allow devicekit_t devicekit_disk_t:dbus send_msg; + allow devicekit_t devicekit_power_t:dbus send_msg; +') + +optional_policy(` + udev_read_db(devicekit_t) +') + +######################################## +# +# DeviceKit disk local policy +# + +allow devicekit_disk_t self:capability { chown dac_override fowner fsetid sys_nice sys_ptrace sys_rawio }; +allow devicekit_disk_t self:fifo_file rw_fifo_file_perms; + +manage_dirs_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t) +manage_files_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t) +files_tmp_filetrans(devicekit_disk_t, devicekit_tmp_t, { file dir }) + +manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t) +manage_files_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t) +files_var_lib_filetrans(devicekit_disk_t, devicekit_var_lib_t, dir) + +kernel_read_software_raid_state(devicekit_disk_t) +kernel_setsched(devicekit_disk_t) + +corecmd_exec_bin(devicekit_disk_t) + +dev_rw_sysfs(devicekit_disk_t) +dev_read_urand(devicekit_disk_t) +dev_getattr_usbfs_dirs(devicekit_disk_t) + +files_manage_mnt_dirs(devicekit_disk_t) +files_read_etc_files(devicekit_disk_t) +files_read_etc_runtime_files(devicekit_disk_t) +files_read_usr_files(devicekit_disk_t) + +fs_mount_all_fs(devicekit_disk_t) +fs_unmount_all_fs(devicekit_disk_t) +fs_manage_fusefs_dirs(devicekit_disk_t) + +storage_raw_read_fixed_disk(devicekit_disk_t) +storage_raw_write_fixed_disk(devicekit_disk_t) +storage_raw_read_removable_device(devicekit_disk_t) +storage_raw_write_removable_device(devicekit_disk_t) + +auth_use_nsswitch(devicekit_disk_t) + +miscfiles_read_localization(devicekit_disk_t) + +userdom_read_all_users_state(devicekit_disk_t) +userdom_search_user_home_dirs(devicekit_disk_t) + +optional_policy(` + fstools_domtrans(devicekit_disk_t) +') + +optional_policy(` + lvm_domtrans(devicekit_disk_t) +') + +optional_policy(` + policykit_domtrans_auth(devicekit_disk_t) + policykit_read_lib(devicekit_disk_t) + policykit_read_reload(devicekit_disk_t) +') + +optional_policy(` + mount_domtrans(devicekit_disk_t) +') + +optional_policy(` + dbus_system_bus_client(devicekit_disk_t) + + allow devicekit_disk_t devicekit_t:dbus send_msg; + + optional_policy(` + consolekit_dbus_chat(devicekit_disk_t) + ') +') + +optional_policy(` + udev_domtrans(devicekit_disk_t) + udev_read_db(devicekit_disk_t) +') + +######################################## +# +# DeviceKit-Power local policy +# + +allow devicekit_power_t self:capability { dac_override sys_tty_config sys_nice sys_ptrace }; +allow devicekit_power_t self:fifo_file rw_fifo_file_perms; +allow devicekit_power_t self:unix_dgram_socket create_socket_perms; + +manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) +manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) +files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir) + +kernel_read_network_state(devicekit_power_t) +kernel_read_system_state(devicekit_power_t) +kernel_rw_hotplug_sysctls(devicekit_power_t) +kernel_rw_kernel_sysctl(devicekit_power_t) + +corecmd_exec_bin(devicekit_power_t) +corecmd_exec_shell(devicekit_power_t) + +consoletype_exec(devicekit_power_t) + +domain_read_all_domains_state(devicekit_power_t) + +dev_rw_generic_usb_dev(devicekit_power_t) +dev_rw_netcontrol(devicekit_power_t) +dev_rw_sysfs(devicekit_power_t) + +files_read_kernel_img(devicekit_power_t) +files_read_etc_files(devicekit_power_t) +files_read_usr_files(devicekit_power_t) + +term_use_all_terms(devicekit_power_t) + +auth_use_nsswitch(devicekit_power_t) + +miscfiles_read_localization(devicekit_power_t) + +userdom_read_all_users_state(devicekit_power_t) + +optional_policy(` + bootloader_domtrans(devicekit_power_t) +') + +optional_policy(` + dbus_system_bus_client(devicekit_power_t) + + allow devicekit_power_t devicekit_t:dbus send_msg; + + optional_policy(` + consolekit_dbus_chat(devicekit_power_t) + ') + + optional_policy(` + networkmanager_dbus_chat(devicekit_power_t) + ') + + optional_policy(` + rpm_dbus_chat(devicekit_power_t) + ') +') + +optional_policy(` + fstools_domtrans(devicekit_power_t) +') + +optional_policy(` + hal_domtrans_mac(devicekit_power_t) + hal_manage_pid_dirs(devicekit_power_t) + hal_manage_pid_files(devicekit_power_t) + hal_dbus_chat(devicekit_power_t) +') + +optional_policy(` + policykit_domtrans_auth(devicekit_power_t) + policykit_read_lib(devicekit_power_t) + policykit_read_reload(devicekit_power_t) +') + +optional_policy(` + vbetool_domtrans(devicekit_power_t) +')