diff --git a/refpolicy/policy/modules/system/pcmcia.fc b/refpolicy/policy/modules/system/pcmcia.fc
new file mode 100644
index 0000000..9dac1a2
--- /dev/null
+++ b/refpolicy/policy/modules/system/pcmcia.fc
@@ -0,0 +1,10 @@
+
+/etc/apm/event\.d/pcmcia -- system_u:object_r:cardmgr_exec_t
+
+/sbin/cardctl -- system_u:object_r:cardctl_exec_t
+/sbin/cardmgr -- system_u:object_r:cardmgr_exec_t
+
+/var/lib/pcmcia(/.*)? system_u:object_r:cardmgr_var_run_t
+
+/var/run/cardmgr\.pid -- system_u:object_r:cardmgr_var_run_t
+/var/run/stab -- system_u:object_r:cardmgr_var_run_t
diff --git a/refpolicy/policy/modules/system/pcmcia.if b/refpolicy/policy/modules/system/pcmcia.if
new file mode 100644
index 0000000..c99b813
--- /dev/null
+++ b/refpolicy/policy/modules/system/pcmcia.if
@@ -0,0 +1,51 @@
+## PCMCIA card management services
+
+########################################
+##
+## Execute cardctl in the cardmgr domain.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`pcmcia_domtrans_cardctl',`
+ gen_require(`
+ type cardmgr_t, cardctl_exec_t;
+ class process sigchld;
+ class fd use;
+ class fifo_file rw_file_perms;
+ ')
+
+ domain_auto_trans($1,cardctl_exec_t,cardmgr_t)
+
+ allow $1 cardmgr_t:fd use;
+ allow cardmgr_t $1:fd use;
+ allow cardmgr_t $1:fifo_file rw_file_perms;
+ allow cardmgr_t $1:process sigchld;
+')
+
+########################################
+##
+## Execute cardmgr in the cardctl domain, and
+## allow the specified role the cardmgr domain.
+##
+##
+## The type of the process performing this action.
+##
+##
+## The role to be allowed the cardmgr domain.
+##
+##
+## The type of the terminal allow the cardmgr domain to use.
+##
+#
+interface(`pcmcia_run_cardctl',`
+ gen_require(`
+ type cardmgr_t;
+ class chr_file rw_term_perms;
+ ')
+
+ pcmcia_domtrans_cardctl($1)
+ role $2 types cardmgr_t;
+ allow cardmgr_t $3:chr_file rw_term_perms;
+')
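Review bot: In pcmcia.fc, `/var/lib/pcmcia(/.*)?` is labelled `cardmgr_var_run_t`, the pid-file type, and the entry has no file-class specifier, so the directory itself receives that label too. The pcmcia.te added in this commit grants cardmgr_t only `cardmgr_var_run_t:file create_file_perms` plus `files_create_pid`, whose contents are not visible here, so directory access under that tree is presumably not covered. The disabled TODO block in pcmcia.te mentions `var_lib_domain(cardmgr)` for the stab file, which suggests a separate var_lib type is intended. Until that is ported, a comment above the entry such as `# TODO: provisional label, move to a dedicated var_lib type` would record that this mapping is temporary.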
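Review bot: The summary of `pcmcia_run_cardctl` in pcmcia.if reads "Execute cardmgr in the cardctl domain", which is reversed: the body calls `pcmcia_domtrans_cardctl($1)`, and that interface transitions on `cardctl_exec_t` into `cardmgr_t`. Interface summaries are what authors of calling modules rely on to know what they grant, so the line should read `## Execute cardctl in the cardmgr domain, and`. The terminal parameter text is missing a word; `## The type of the terminal to allow the cardmgr domain to use.` reads correctly. It would also help to state in the summary that cardctl shares the daemon's domain, so the caller's process ends up with every permission granted to `cardmgr_t`.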
diff --git a/refpolicy/policy/modules/system/pcmcia.te b/refpolicy/policy/modules/system/pcmcia.te
new file mode 100644
index 0000000..48327fe
--- /dev/null
+++ b/refpolicy/policy/modules/system/pcmcia.te
@@ -0,0 +1,138 @@
+
+policy_module(pcmcia,1.0)
+
+########################################
+#
+# Declarations
+#
+
+type cardmgr_t;
+type cardmgr_exec_t;
+init_daemon_domain(cardmgr_t,cardmgr_exec_t)
+
+# Create symbolic links in /dev.
+# cjp: this should probably be eliminated
+type cardmgr_lnk_t;
+files_type(cardmgr_lnk_t)
+
+type cardmgr_var_run_t;
+files_pid_file(cardmgr_var_run_t)
+
+type cardctl_exec_t;
+domain_entry_file(cardmgr_t,cardctl_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+# Use capabilities (net_admin for route), setuid for cardctl
+allow cardmgr_t self:capability { dac_read_search dac_override setuid net_admin sys_admin sys_nice sys_tty_config mknod };
+dontaudit cardmgr_t self:capability sys_tty_config;
+allow cardmgr_t self:unix_dgram_socket create_socket_perms;
+allow cardmgr_t self:unix_stream_socket create_socket_perms;
+allow cardmgr_t self:fifo_file rw_file_perms;
+
+allow cardmgr_t cardmgr_lnk_t:lnk_file create_lnk_perms;
+dev_create_dev_node(cardmgr_t,cardmgr_lnk_t,lnk_file)
+
+allow cardmgr_t cardmgr_var_run_t:file create_file_perms;
+files_create_pid(cardmgr_t,cardmgr_var_run_t)
+
+kernel_read_system_state(cardmgr_t)
+kernel_read_kernel_sysctl(cardmgr_t)
+kernel_list_proc(cardmgr_t)
+kernel_read_proc_symlinks(cardmgr_t)
+
+dev_read_sysfs(cardmgr_t)
+# for SSP
+dev_read_urand(cardmgr_t)
+
+fs_getattr_all_fs(cardmgr_t)
+fs_search_auto_mountpoints(cardmgr_t)
+
+term_use_unallocated_tty(cardmgr_t)
+term_dontaudit_use_console(cardmgr_t)
+
+corecmd_exec_bin(cardmgr_t)
+corecmd_exec_sbin(cardmgr_t)
+
+domain_use_wide_inherit_fd(cardmgr_t)
+domain_exec_all_entry_files(cardmgr_t)
+
+files_search_home(cardmgr_t)
+files_read_etc_runtime_files(cardmgr_t)
+files_exec_etc_files(cardmgr_t)
+
+init_use_fd(cardmgr_t)
+init_use_script_pty(cardmgr_t)
+
+libs_use_ld_so(cardmgr_t)
+libs_use_shared_libs(cardmgr_t)
+libs_exec_ld_so(cardmgr_t)
+libs_exec_lib_files(cardmgr_t)
+
+logging_send_syslog_msg(cardmgr_t)
+
+miscfiles_read_localization(cardmgr_t)
+
+sysnet_domtrans_ifconfig(cardmgr_t)
+# for /etc/resolv.conf
+sysnet_manage_config(cardmgr_t)
+
+userdom_dontaudit_use_unpriv_user_fd(cardmgr_t)
+userdom_dontaudit_search_sysadm_home_dir(cardmgr_t)
+
+ifdef(`targeted_policy', `
+ term_dontaudit_use_unallocated_tty(cardmgr_t)
+ term_dontaudit_use_generic_pty(cardmgr_t)
+ files_dontaudit_read_root_file(cardmgr_t)
+')
+
+optional_policy(`rhgb.te',`
+ rhgb_domain(cardmgr_t)
+')
+
+optional_policy(`selinuxutils.te',`
+ seutil_sigchld_newrole(cardmgr_t)
+')
+
+optional_policy(`udev.te', `
+ udev_read_db(cardmgr_t)
+')
+
+ifdef(`TODO',`
+allow cardmgr_t modules_object_t:dir search;
+
+# Create stab file
+var_lib_domain(cardmgr)
+
+# for /var/lib/misc/pcmcia-scheme
+# would be better to have it in a different type if I knew how it was created..
+allow cardmgr_t var_lib_t:file { getattr read };
+
+# Create device files in /tmp.
+file_type_auto_trans(cardmgr_t, { var_run_t cardmgr_var_run_t device_t tmp_t }, cardmgr_dev_t, { blk_file chr_file })
+
+# Read /proc/PID directories for all domains (for fuser).
+can_ps(cardmgr_t, domain)
+allow cardmgr_t device_type:{ chr_file blk_file } getattr;
+allow cardmgr_t ttyfile:chr_file getattr;
+dontaudit cardmgr_t ptyfile:chr_file getattr;
+dontaudit cardmgr_t file_type:{ dir notdevfile_class_set } getattr;
+dontaudit cardmgr_t domain:{ fifo_file socket_class_set } getattr;
+dontaudit cardmgr_t proc_kmsg_t:file getattr;
+
+ifdef(`apmd.te', `
+domain_auto_trans(apmd_t, { cardctl_exec_t cardmgr_exec_t }, cardmgr_t)
+')
+
+ifdef(`hide_broken_symptoms', `
+dontaudit insmod_t cardmgr_dev_t:chr_file { read write };
+dontaudit ifconfig_t cardmgr_dev_t:chr_file { read write };
+')
+ifdef(`hald.te', `
+rw_dir_file(hald_t, cardmgr_var_run_t)
+allow hald_t cardmgr_var_run_t:chr_file create_file_perms;
+')
+') dnl end TODO
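Review bot: `sys_tty_config` appears both in the `allow cardmgr_t self:capability { ... }` set and in the `dontaudit cardmgr_t self:capability sys_tty_config;` line right after it, so the dontaudit can never apply and the intent is unclear. If the daemon does not need to reconfigure ttys, drop `sys_tty_config` from the allow set and keep the dontaudit; otherwise delete the dontaudit line. The existing comment justifies only `net_admin` and `setuid`; a short why-comment for `dac_override`, `sys_admin` and `mknod` would help, because `domain_entry_file(cardmgr_t,cardctl_exec_t)` means the cardctl tool also runs with this whole set. `domain_exec_all_entry_files(cardmgr_t)` deserves the same kind of comment, naming the helpers it is meant to cover.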
diff --git a/refpolicy/policy/modules/system/sysnetwork.if b/refpolicy/policy/modules/system/sysnetwork.if index 373dcc2..4008974 100644 --- a/refpolicy/policy/modules/system/sysnetwork.if +++ b/refpolicy/policy/modules/system/sysnetwork.if @@ -165,6 +165,24 @@ interface(`sysnet_read_config',` ####################################### ## +## Create, read, write, and delete network config files. +## +## +## The type of the process performing this action. +## +# +interface(`sysnet_manage_config',` + gen_require(` + type net_conf_t; + class file create_file_perms; + ') + + allow $1 net_conf_t:file r_file_perms; + files_create_etc_config($1,net_conf_t,file) +') + +####################################### +## ## Read the dhcp client pid file. ## ## diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te index abbe1d8..dbada2c 100644 --- a/refpolicy/policy/modules/system/userdomain.te +++ b/refpolicy/policy/modules/system/userdomain.te @@ -154,6 +154,10 @@ ifdef(`targeted_policy',` netutils_run_traceroute(sysadm_t,sysadm_r,admin_terminal) ') + optional_policy(`pcmcia.te',` + pcmcia_run_cardctl(sysadm_t,sysadm_r,admin_terminal) + ') + optional_policy(`rpm.te',` rpm_run(sysadm_t,sysadm_r,admin_terminal) ')
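Review bot: `sysnet_manage_config` in sysnetwork.if is documented as "Create, read, write, and delete network config files" and its `gen_require` names `create_file_perms`, but the only allow rule is `allow $1 net_conf_t:file r_file_perms;`. What `files_create_etc_config` grants is not visible in this hunk; if it only covers creating the file in /etc, callers can read but not rewrite or unlink an existing `net_conf_t` file, while pcmcia.te calls this interface "for /etc/resolv.conf". Either change the rule to `allow $1 net_conf_t:file create_file_perms;` or narrow the interface name and summary to what is really granted, so that anyone auditing a calling module is not misled about its access.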