diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 91dc82e..4fca63c 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -28,6 +28,7 @@
 mono (Dan Walsh)
 mrtg
 portage
+ tvtime
 userhelper
 usernetctl
 wine (Dan Walsh)
diff --git a/refpolicy/policy/modules/apps/tvtime.fc b/refpolicy/policy/modules/apps/tvtime.fc
new file mode 100644
index 0000000..8698a61
--- /dev/null
+++ b/refpolicy/policy/modules/apps/tvtime.fc
@@ -0,0 +1,5 @@
+#
+# /usr
+#
+/usr/bin/tvtime -- gen_context(system_u:object_r:tvtime_exec_t,s0)
+
diff --git a/refpolicy/policy/modules/apps/tvtime.if b/refpolicy/policy/modules/apps/tvtime.if
new file mode 100644
index 0000000..6cca6d7
--- /dev/null
+++ b/refpolicy/policy/modules/apps/tvtime.if
@@ -0,0 +1,133 @@
+## tvtime - a high quality television application
+
+#######################################
+##
+## The per user domain template for the tvtime module.
+##
+##
+##

+## This template creates a derived domains which are used
+## for tvtime.
+##

+##

+## This template is invoked automatically for each user, and
+## generally does not need to be invoked directly
+## by policy writers.
+##

+##
+##
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+##
+##
+## The type of the user domain.
+##
+##
+## The role associated with the user domain.
+##
+#
+template(`tvtime_per_userdomain_template',`
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ type $1_tvtime_t;
+ domain_type($1_tvtime_t)
+ domain_entry_file($1_tvtime_t,tvtime_exec_t)
+ role $3 types $1_tvtime_t;
+
+ type $1_tvtime_home_t alias $1_tvtime_rw_t;
+ userdom_home_file($1,$1_tvtime_home_t)
+ files_poly_member($1_tvtime_home_t)
+
+ type $1_tvtime_tmp_t;
+ files_tmp_file($1_tvtime_tmp_t)
+
+ ########################################
+ #
+ # Local policy
+ #
+
+ allow $1_tvtime_t self:capability { setuid sys_nice sys_resource };
+ allow $1_tvtime_t self:process setsched;
+ allow $1_tvtime_t self:unix_dgram_socket rw_socket_perms;
+ allow $1_tvtime_t self:unix_stream_socket rw_stream_socket_perms;
+
+ # X access, Home files
+ allow $1_tvtime_t $1_tvtime_home_t:dir manage_dir_perms;
+ allow $1_tvtime_t $1_tvtime_home_t:file manage_file_perms;
+ allow $1_tvtime_t $1_tvtime_home_t:lnk_file create_lnk_perms;
+ type_transition $1_tvtime_t $1_home_dir_t:dir $1_tvtime_home_t;
+ userdom_filetrans_user_home_dir($1,$1_tvtime_t,$1_tvtime_home_t,dir)
+
+ allow $1_tvtime_t $1_tvtime_tmp_t:dir create_dir_perms;
+ allow $1_tvtime_t $1_tvtime_tmp_t:file create_file_perms;
+ files_filetrans_tmp($1_tvtime_t, $1_tvtime_tmp_t, { file dir fifo_file })
+ fs_filetrans_tmpfs($1_tvtime_t,$1_tvtime_tmp_t,{file dir lnk_file fifo_file sock_file })
+
+ # Type transition
+ domain_auto_trans($2, tvtime_exec_t, $1_tvtime_t)
+ allow $2 $1_tvtime_t:fd use;
+ allow $1_tvtime_t $2:fd use;
+ allow $1_tvtime_t $2:fifo_file rw_file_perms;
+ allow $1_tvtime_t $2:process sigchld;
+
+ # X access, Home files
+ allow $2 $1_tvtime_home_t:dir manage_dir_perms;
+ allow $2 $1_tvtime_home_t:file manage_file_perms;
+ allow $2 $1_tvtime_home_t:lnk_file create_lnk_perms;
+ allow $2 $1_tvtime_home_t:{ dir 
file lnk_file } { relabelfrom relabelto };
+
+ # Allow the user domain to signal/ps.
+ allow $2 $1_tvtime_t:dir { search getattr read };
+ allow $2 $1_tvtime_t:{ file lnk_file } { read getattr };
+ allow $2 $1_tvtime_t:process getattr;
+ # We need to suppress this denial because procps tries to access
+ # /proc/pid/environ and this now triggers a ptrace check in recent kernels
+ # (2.4 and 2.6). Might want to change procps to not do this, or only if
+ # running in a privileged domain.
+ dontaudit $2 $1_tvtime_t:process ptrace;
+ allow $2 $1_tvtime_t:process signal_perms;
+
+ kernel_read_all_sysctl($1_tvtime_t)
+ kernel_get_sysvipc_info($1_tvtime_t)
+
+ dev_read_urand($1_tvtime_t)
+ dev_read_realtime_clock($1_tvtime_t)
+ dev_read_snd_dev($1_tvtime_t)
+
+ files_read_usr_files($1_tvtime_t)
+ files_search_pids($1_tvtime_t)
+ # Read /etc/tvtime
+ files_read_etc_files($1_tvtime_t)
+
+ # X access, Home files
+ fs_search_auto_mountpoints($1_tvtime_t)
+
+ libs_use_ld_so($1_tvtime_t)
+ libs_use_shared_libs($1_tvtime_t)
+
+ miscfiles_read_localization($1_tvtime_t)
+ miscfiles_read_fonts($1_tvtime_t)
+
+ userdom_use_user_terminals($1,$1_tvtime_t)
+ userdom_read_user_home_files($1,$1_tvtime_t)
+
+ # X access, Home files
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs($1_tvtime_t)
+ fs_manage_nfs_files($1_tvtime_t)
+ fs_manage_nfs_symlinks($1_tvtime_t)
+ ')
+ tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs($1_tvtime_t)
+ fs_manage_cifs_files($1_tvtime_t)
+ fs_manage_cifs_symlinks($1_tvtime_t)
+ ')
+
+ ifdef(`TODO',`
+ x_client_domain($1_tvtime, $1)
+ ')
+')
diff --git a/refpolicy/policy/modules/apps/tvtime.te b/refpolicy/policy/modules/apps/tvtime.te
new file mode 100644
index 0000000..0f557d2
--- /dev/null
+++ b/refpolicy/policy/modules/apps/tvtime.te
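Review bot: The raw `type_transition $1_tvtime_t $1_home_dir_t:dir $1_tvtime_home_t;` in the home-files group names `$1_home_dir_t`, a type this template neither declares nor requires, and it repeats what the `userdom_filetrans_user_home_dir($1,$1_tvtime_t,$1_tvtime_home_t,dir)` call on the next line already requests; I would drop the raw rule and keep only the interface call. The tmp rules are also inconsistent: `files_filetrans_tmp` and `fs_filetrans_tmpfs` set up transitions for `fifo_file`, `lnk_file` and `sock_file`, but only `dir` and `file` have allow rules on `$1_tvtime_tmp_t`, so either trim both class lists to `{ file dir }` or add the missing allows. Finally, `self:capability { setuid sys_nice sys_resource }` is a wide grant for a per-user application domain and should carry a comment saying which tvtime behaviour needs each capability, e.g. `# NOTE(review): confirm each capability is still required; drop any that is not`.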
@@ -0,0 +1,13 @@
+
+policy_module(tvtime,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type tvtime_exec_t;
+files_type(tvtime_exec_t)
+
+type tvtime_dir_t;
+files_pid_file(tvtime_dir_t)
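Review bot: `tvtime_dir_t` is declared with `files_pid_file(tvtime_dir_t)` but nothing else in this commit uses it: tvtime.fc labels only `/usr/bin/tvtime`, and the template in tvtime.if has no allow or transition rule that names the type. A type that is declared but never labelled or granted is dead policy and leaves readers guessing which files it was meant to confine. Either remove the two lines, or add the matching file-context entry and access rules in the same change, with a comment such as `# runtime directory used by tvtime (path: TODO confirm)`.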