diff --git a/policy/modules/services/policykit.fc b/policy/modules/services/policykit.fc
new file mode 100644
index 0000000..d726453
--- /dev/null
+++ b/policy/modules/services/policykit.fc
@@ -0,0 +1,10 @@
+/usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
+/usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0)
+/usr/libexec/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
+/usr/libexec/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
+
+/var/lib/misc/PolicyKit.reload gen_context(system_u:object_r:policykit_reload_t,s0)
+/var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
+/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
+/var/run/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_run_t,s0)
+
diff --git a/policy/modules/services/policykit.if b/policy/modules/services/policykit.if
new file mode 100644
index 0000000..8726eb3
--- /dev/null
+++ b/policy/modules/services/policykit.if
@@ -0,0 +1,212 @@
+## Policy framework for controlling privileges for system-wide services.
+
+########################################
+##
+## Send and receive messages from
+## policykit over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`policykit_dbus_chat',`
+ gen_require(`
+ type policykit_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 policykit_t:dbus send_msg;
+ allow policykit_t $1:dbus send_msg;
+')
+
+########################################
+##
+## Execute a domain transition to run polkit_auth.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`policykit_domtrans_auth',`
+ gen_require(`
+ type policykit_auth_t, policykit_auth_exec_t;
+ ')
+
+ domtrans_pattern($1, policykit_auth_exec_t, policykit_auth_t)
+')
+
+########################################
+##
+## Execute a policy_auth in the policy_auth domain, and
+## allow the specified role the policy_auth domain,
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed the load_policy domain.
+##
+##
+#
+interface(`policykit_run_auth',`
+ gen_require(`
+ type policykit_auth_t;
+ ')
+
+ policykit_domtrans_auth($1)
+ role $2 types policykit_auth_t;
+')
+
+########################################
+##
+## Execute a domain transition to run polkit_grant.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`policykit_domtrans_grant',`
+ gen_require(`
+ type policykit_grant_t, policykit_grant_exec_t;
+ ')
+
+ domtrans_pattern($1, policykit_grant_exec_t, policykit_grant_t)
+')
+
+########################################
+##
+## Execute a policy_grant in the policy_grant domain, and
+## allow the specified role the policy_grant domain,
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed the load_policy domain.
+##
+##
+##
+#
+interface(`policykit_run_grant',`
+ gen_require(`
+ type policykit_grant_t;
+ ')
+
+ policykit_domtrans_grant($1)
+ role $2 types policykit_grant_t;
+
+ allow $1 policykit_grant_t:process signal;
+
+ ps_process_pattern(policykit_grant_t, $1)
+')
+
+########################################
+##
+## read policykit reload files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`policykit_read_reload',`
+ gen_require(`
+ type policykit_reload_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, policykit_reload_t, policykit_reload_t)
+')
+
+########################################
+##
+## rw policykit reload files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`policykit_rw_reload',`
+ gen_require(`
+ type policykit_reload_t;
+ ')
+
+ files_search_var_lib($1)
+ rw_files_pattern($1, policykit_reload_t, policykit_reload_t)
+')
+
+########################################
+##
+## Execute a domain transition to run polkit_resolve.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`policykit_domtrans_resolve',`
+ gen_require(`
+ type policykit_resolve_t, policykit_resolve_exec_t;
+ ')
+
+ domtrans_pattern($1, policykit_resolve_exec_t, policykit_resolve_t)
+
+ ps_process_pattern(policykit_resolve_t $1)
+')
+
+########################################
+##
+## Search policykit lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`policykit_search_lib',`
+ gen_require(`
+ type policykit_var_lib_t;
+ ')
+
+ allow $1 policykit_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## read policykit lib files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`policykit_read_lib',`
+ gen_require(`
+ type policykit_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, policykit_var_lib_t, policykit_var_lib_t)
+
+ # Broken placement
+ cron_read_system_job_lib_files($1)
+')
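Review bot: `ps_process_pattern(policykit_resolve_t $1)` in policykit_domtrans_resolve is missing the comma between its two arguments, so m4 passes one argument and the pattern expands with an empty second parameter, which will either fail the policy build or produce a malformed allow rule; it should read `ps_process_pattern(policykit_resolve_t, $1)`, matching the call in policykit_run_grant (this matters for the .te in the same commit, which calls policykit_domtrans_resolve for policykit_t and policykit_grant_t). policykit_read_lib also calls `cron_read_system_job_lib_files($1)` directly, which the commit itself labels `# Broken placement`; that makes this module depend on the cron module and grants every caller cron job lib access as a side effect, so the call belongs in the caller's .te (wrapped in optional_policy there) and should be dropped here rather than shipped with the comment. The role parameter descriptions of policykit_run_auth and policykit_run_grant still read `The role to be allowed the load_policy domain.`, a copy-paste leftover; they should name the policykit_auth and policykit_grant domains respectively.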
diff --git a/policy/modules/services/policykit.te b/policy/modules/services/policykit.te
new file mode 100644
index 0000000..9913701
--- /dev/null
+++ b/policy/modules/services/policykit.te
@@ -0,0 +1,208 @@
+
+policy_module(policykit, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type policykit_t alias polkit_t;
+type policykit_exec_t alias polkit_exec_t;
+init_daemon_domain(policykit_t, policykit_exec_t)
+
+type policykit_auth_t alias polkit_auth_t;
+type policykit_auth_exec_t alias polkit_auth_exec_t;
+init_daemon_domain(policykit_auth_t, policykit_auth_exec_t)
+
+type policykit_grant_t alias polkit_grant_t;
+type policykit_grant_exec_t alias polkit_grant_exec_t;
+init_system_domain(policykit_grant_t, policykit_grant_exec_t)
+
+type policykit_resolve_t alias polkit_resolve_t;
+type policykit_resolve_exec_t alias polkit_resolve_exec_t;
+init_system_domain(policykit_resolve_t, policykit_resolve_exec_t)
+
+type policykit_reload_t alias polkit_reload_t;
+files_type(policykit_reload_t)
+
+type policykit_var_lib_t alias polkit_var_lib_t;
+files_type(policykit_var_lib_t)
+
+type policykit_var_run_t alias polkit_var_run_t;
+files_pid_file(policykit_var_run_t)
+
+########################################
+#
+# policykit local policy
+#
+
+allow policykit_t self:capability { setgid setuid };
+allow policykit_t self:process getattr;
+allow policykit_t self:fifo_file rw_file_perms;
+allow policykit_t self:unix_dgram_socket create_socket_perms;
+allow policykit_t self:unix_stream_socket create_stream_socket_perms;
+
+policykit_domtrans_auth(policykit_t)
+
+can_exec(policykit_t, policykit_exec_t)
+corecmd_exec_bin(policykit_t)
+
+rw_files_pattern(policykit_t, policykit_reload_t, policykit_reload_t)
+
+policykit_domtrans_resolve(policykit_t)
+
+manage_files_pattern(policykit_t, policykit_var_lib_t, policykit_var_lib_t)
+
+manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
+manage_files_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
+files_pid_filetrans(policykit_t, policykit_var_run_t, { file dir })
+
+kernel_read_kernel_sysctls(policykit_t)
+
+files_read_etc_files(policykit_t)
+files_read_usr_files(policykit_t)
+
+auth_use_nsswitch(policykit_t)
+
+logging_send_syslog_msg(policykit_t)
+
+miscfiles_read_localization(policykit_t)
+
+userdom_read_all_users_state(policykit_t)
+
+########################################
+#
+# polkit_auth local policy
+#
+
+allow policykit_auth_t self:capability setgid;
+allow policykit_auth_t self:process getattr;
+allow policykit_auth_t self:fifo_file rw_file_perms;
+allow policykit_auth_t self:unix_dgram_socket create_socket_perms;
+allow policykit_auth_t self:unix_stream_socket create_stream_socket_perms;
+
+can_exec(policykit_auth_t, policykit_auth_exec_t)
+corecmd_search_bin(policykit_auth_t)
+
+rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t)
+
+manage_files_pattern(policykit_auth_t, policykit_var_lib_t, policykit_var_lib_t)
+
+manage_dirs_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
+manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
+files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir })
+
+files_read_etc_files(policykit_auth_t)
+files_read_usr_files(policykit_auth_t)
+
+auth_use_nsswitch(policykit_auth_t)
+
+logging_send_syslog_msg(policykit_auth_t)
+
+miscfiles_read_localization(policykit_auth_t)
+
+userdom_dontaudit_read_user_home_content_files(policykit_auth_t)
+
+optional_policy(`
+ dbus_session_bus_client(policykit_auth_t)
+
+ optional_policy(`
+ consolekit_dbus_chat(policykit_auth_t)
+ ')
+')
+
+optional_policy(`
+ kernel_search_proc(policykit_auth_t)
+ hal_read_state(policykit_auth_t)
+')
+
+########################################
+#
+# polkit_grant local policy
+#
+
+allow policykit_grant_t self:capability setuid;
+allow policykit_grant_t self:process getattr;
+allow policykit_grant_t self:fifo_file rw_file_perms;
+allow policykit_grant_t self:unix_dgram_socket create_socket_perms;
+allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms;
+
+policykit_domtrans_auth(policykit_grant_t)
+
+policykit_domtrans_resolve(policykit_grant_t)
+
+can_exec(policykit_grant_t, policykit_grant_exec_t)
+corecmd_search_bin(policykit_grant_t)
+
+rw_files_pattern(policykit_grant_t, policykit_reload_t, policykit_reload_t)
+
+manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t)
+
+manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t)
+
+files_read_etc_files(policykit_grant_t)
+files_read_usr_files(policykit_grant_t)
+
+auth_use_nsswitch(policykit_grant_t)
+auth_domtrans_chk_passwd(policykit_grant_t)
+
+logging_send_syslog_msg(policykit_grant_t)
+
+miscfiles_read_localization(policykit_grant_t)
+
+userdom_read_all_users_state(policykit_grant_t)
+
+optional_policy(`
+ dbus_system_bus_client(policykit_grant_t)
+
+ optional_policy(`
+ consolekit_dbus_chat(policykit_grant_t)
+ ')
+')
+
+########################################
+#
+# polkit_resolve local policy
+#
+
+allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace };
+allow policykit_resolve_t self:process getattr;
+allow policykit_resolve_t self:fifo_file rw_file_perms;
+allow policykit_resolve_t self:unix_dgram_socket create_socket_perms;
+allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms;
+
+policykit_domtrans_auth(policykit_resolve_t)
+
+read_files_pattern(policykit_resolve_t, policykit_reload_t, policykit_reload_t)
+
+read_files_pattern(policykit_resolve_t, policykit_var_lib_t, policykit_var_lib_t)
+
+can_exec(policykit_resolve_t, policykit_resolve_exec_t)
+corecmd_search_bin(policykit_resolve_t)
+
+files_read_etc_files(policykit_resolve_t)
+files_read_usr_files(policykit_resolve_t)
+
+mcs_ptrace_all(policykit_resolve_t)
+
+auth_use_nsswitch(policykit_resolve_t)
+
+logging_send_syslog_msg(policykit_resolve_t)
+
+miscfiles_read_localization(policykit_resolve_t)
+
+userdom_read_all_users_state(policykit_resolve_t)
+
+optional_policy(`
+ dbus_system_bus_client(policykit_resolve_t)
+
+ optional_policy(`
+ consolekit_dbus_chat(policykit_resolve_t)
+ ')
+')
+
+optional_policy(`
+ kernel_search_proc(policykit_resolve_t)
+ hal_read_state(policykit_resolve_t)
+')
+
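Review bot: `init_daemon_domain(policykit_auth_t, policykit_auth_exec_t)` in the declarations is inconsistent with the rest of this file: the grant and resolve helpers are declared with init_system_domain, and policykit_auth_t is only ever entered here by domain transition from policykit_t, policykit_grant_t and policykit_resolve_t, so unless polkit-read-auth-helper is genuinely started by init the line should be `init_system_domain(policykit_auth_t, policykit_auth_exec_t)`. In both the polkit_auth and polkit_resolve sections `kernel_search_proc()` sits inside the optional_policy block that guards `hal_read_state()`; the kernel module is always present, so that call should be moved out of the block rather than silently dropped whenever hal is not built. The `{ setuid sys_nice sys_ptrace }` capability grant together with `mcs_ptrace_all(policykit_resolve_t)` and `userdom_read_all_users_state` gives the resolve helper visibility into every process on the system and nothing in the hunk records why; a comment above the capability line such as `# NOTE(review): presumably polkit-resolve-exe-helper inspects other processes' /proc state; confirm sys_ptrace and mcs_ptrace_all cannot be narrowed` would let the grant be re-evaluated later. Separately, policykit_t, policykit_auth_t, policykit_grant_t and policykit_resolve_t read or manage policykit_reload_t and policykit_var_lib_t under /var/lib but none of them calls files_search_var_lib(); unless another interface used here already grants that search, these accesses will be denied at the /var/lib directory, which is presumably why the .if interfaces in the same commit call it explicitly.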