[selinux-policy: 563/3172] add loadkeys

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 19:53:16 UTC 2010


commit 21468a60766f0a03781a23818933f05078927ba3
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Mon Aug 15 14:46:17 2005 +0000

    add loadkeys

 refpolicy/Changelog                           |    1 +
 refpolicy/policy/modules/apps/loadkeys.fc     |    3 +
 refpolicy/policy/modules/apps/loadkeys.if     |   67 +++++++++++++++++++++++++
 refpolicy/policy/modules/apps/loadkeys.te     |   39 ++++++++++++++
 refpolicy/policy/modules/system/files.if      |   58 ++++++++++++++++-----
 refpolicy/policy/modules/system/init.te       |    4 ++
 refpolicy/policy/modules/system/userdomain.if |    4 ++
 7 files changed, 162 insertions(+), 14 deletions(-)
---
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index f11c1c4..f91ce4a 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -8,6 +8,7 @@
 	* Misc. cleanups.
 	* Added policies:
 		acct
+		loadkeys
 		mysql
 		quota
 		su
diff --git a/refpolicy/policy/modules/apps/loadkeys.fc b/refpolicy/policy/modules/apps/loadkeys.fc
new file mode 100644
index 0000000..040d261
--- /dev/null
+++ b/refpolicy/policy/modules/apps/loadkeys.fc
@@ -0,0 +1,3 @@
+
+/bin/loadkeys		--	context_template(system_u:object_r:loadkeys_exec_t,s0)
+/bin/unikeys		--	context_template(system_u:object_r:loadkeys_exec_t,s0)
diff --git a/refpolicy/policy/modules/apps/loadkeys.if b/refpolicy/policy/modules/apps/loadkeys.if
new file mode 100644
index 0000000..cf97b11
--- /dev/null
+++ b/refpolicy/policy/modules/apps/loadkeys.if
@@ -0,0 +1,67 @@
+## <summary>Load keyboard mappings.</summary>
+
+########################################
+## <summary>
+##	Execute the loadkeys program in the loadkeys domain.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`loadkeys_domtrans',`
+	gen_require(`
+		type loadkeys_t, loadkeys_exec_t;
+		class process sigchld;
+		class fd use;
+		class fifo_file rw_file_perms;
+	')
+
+	corecmd_search_bin($1)
+	domain_auto_trans($1, loadkeys_exec_t, loadkeys_t)
+
+	allow $1 loadkeys_t:fd use;
+	allow loadkeys_t $1:fd use;
+	allow loadkeys_t $1:fifo_file rw_file_perms;
+	allow loadkeys_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute the loadkeys program in the loadkeys domain.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <param name="role">
+##	The role to allow the loadkeys domain.
+## </param>
+## <param name="terminal">
+##	The type of the terminal allow the loadkeys domain to use.
+## </param>
+#
+interface(`loadkeys_run',`
+	gen_require(`
+		type loadkeys_t;
+		class chr_file rw_term_perms;
+	')
+
+	loadkeys_domtrans($1)
+	role $2 types loadkeys_t;
+	allow loadkeys_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	Execute the loadkeys program in the caller domain.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`loadkeys_exec',`
+	gen_require(`
+		type loadkeys_exec_t;
+	')
+
+	can_exec($1,loadkeys_exec_t)
+')
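Review bot: `loadkeys_exec` grants only `can_exec($1,loadkeys_exec_t)` and, unlike `loadkeys_domtrans` above it, never calls `corecmd_search_bin($1)`. A caller that lacks its own search access to the bin directory could therefore not reach /bin/loadkeys; whether current callers already have that access is not visible in this hunk. Adding `corecmd_search_bin($1)` before the `can_exec` line would make the two interfaces consistent. Separately, the summary of `loadkeys_run` is a copy of the `loadkeys_domtrans` one and does not mention the role or terminal grant; something like `Execute loadkeys in the loadkeys domain, and allow the specified role the loadkeys domain and use of the specified terminal.` would describe it. The terminal parameter text is also missing a word ("terminal to allow").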
diff --git a/refpolicy/policy/modules/apps/loadkeys.te b/refpolicy/policy/modules/apps/loadkeys.te
new file mode 100644
index 0000000..7e58c33
--- /dev/null
+++ b/refpolicy/policy/modules/apps/loadkeys.te
@@ -0,0 +1,39 @@
+
+policy_module(loadkeys,1.0)
+
+########################################
+#
+# Declarations
+#
+
+# cjp: this should probably be rewritten
+# per user domain, since it can rw
+# all user domain ttys
+
+type loadkeys_t;
+domain_type(loadkeys_t)
+
+type loadkeys_exec_t;
+domain_entry_file(loadkeys_t,loadkeys_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+allow loadkeys_t self:capability { setuid sys_tty_config };
+allow loadkeys_t self:fifo_file rw_file_perms;
+
+kernel_read_system_state(loadkeys_t)
+
+corecmd_exec_bin(loadkeys_t)
+corecmd_exec_shell(loadkeys_t)
+
+files_dontaudit_read_etc_runtime_files(loadkeys_t)
+
+libs_use_ld_so(loadkeys_t)
+libs_use_shared_libs(loadkeys_t)
+
+locallogin_use_fd(loadkeys_t)
+
+miscfiles_read_localization(loadkeys_t)
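Review bot: The `setuid` capability in `allow loadkeys_t self:capability { setuid sys_tty_config };` and the `corecmd_exec_shell(loadkeys_t)` / `corecmd_exec_bin(loadkeys_t)` calls carry no comment saying why a keymap loader needs them. `sys_tty_config` follows from the module's purpose, but the other three widen what a process in loadkeys_t may do, and this domain is entered from user domains through `loadkeys_run`. A short why-comment above each would help, for example `# loadkeys runs a helper to unpack compressed keymaps` if that is the reason (it is not visible from this hunk). A later reviewer could then drop any rule that turns out to be unnecessary.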
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index ecfc8dd..576dfde 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@@ -923,34 +923,64 @@ interface(`files_create_boot_flag',`
 ')
 
 ########################################
+## <summary>
+##	Read files in /etc that are dynamically
+##	created on boot, such as mtab.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
 #
-# files_manage_etc_runtime_files(type)
-#
-interface(`files_manage_etc_runtime_files',`
+interface(`files_read_etc_runtime_files',`
 	gen_require(`
 		type etc_t, etc_runtime_t;
-		class dir rw_dir_perms;
-		class file create_file_perms;
+		class dir r_dir_perms;
+		class file r_file_perms;
 	')
 
-	allow $1 etc_t:dir rw_dir_perms;
-	allow $1 etc_runtime_t:file create_file_perms;
-	type_transition $1 etc_t:file etc_runtime_t;
+	allow $1 etc_t:dir r_dir_perms;
+	allow $1 etc_runtime_t:file r_file_perms;
 ')
 
 ########################################
+## <summary>
+##	Do not audit attempts to read files
+##	in /etc that are dynamically
+##	created on boot, such as mtab.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
 #
-# files_read_etc_runtime_files(domain)
+interface(`files_dontaudit_read_etc_runtime_files',`
+	gen_require(`
+		type etc_runtime_t;
+		class file { getattr read };
+	')
+
+	allow $1 etc_runtime_t:file { getattr read };
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete files in
+##	/etc that are dynamically created on boot,
+##	such as mtab.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
 #
-interface(`files_read_etc_runtime_files',`
+interface(`files_manage_etc_runtime_files',`
 	gen_require(`
 		type etc_t, etc_runtime_t;
-		class dir r_dir_perms;
-		class file r_file_perms;
+		class dir rw_dir_perms;
+		class file create_file_perms;
 	')
 
-	allow $1 etc_t:dir r_dir_perms;
-	allow $1 etc_runtime_t:file r_file_perms;
+	allow $1 etc_t:dir rw_dir_perms;
+	allow $1 etc_runtime_t:file create_file_perms;
+	type_transition $1 etc_t:file etc_runtime_t;
 ')
 
 ########################################
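Review bot: `files_dontaudit_read_etc_runtime_files` is documented as "Do not audit attempts to read", but its body is `allow $1 etc_runtime_t:file { getattr read };`, which grants the access instead of silencing the denial. The new loadkeys.te calls this interface for loadkeys_t, so that domain ends up with real read access to etc_runtime_t files rather than a quiet denial. The rule should read `dontaudit $1 etc_runtime_t:file { getattr read };`, with the `gen_require` block left as it is.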
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 129b41c..6c39e70 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -381,6 +381,10 @@ optional_policy(`kerberos.te',`
 	kerberos_use(initrc_t)
 ')
 
+optional_policy(`loadkeys.te',`
+	loadkeys_exec(initrc_t)
+')
+
 optional_policy(`lvm.te',`
 	#allow initrc_t lvm_control_t:chr_file unlink;
 
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index cc1a1b4..d3809ef 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -543,6 +543,10 @@ template(`unpriv_user_template', `
 		kerberos_use($1_t)
 	')
 
+	optional_policy(`loadkeys.te',`
+		loadkeys_run($1_t,$1_r,$1_tty_device_t)
+	')
+
 	# for running depmod as part of the kernel packaging process
 	optional_policy(`modutils.te',`
 		modutils_read_module_conf($1_t)
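Review bot: `loadkeys_run($1_t,$1_r,$1_tty_device_t)` is expanded once per user domain, but loadkeys_t is a single shared type, so every instantiation adds rw on another user's tty type to the same domain. A loadkeys process started from one user domain is then permitted by type enforcement to read and write the ttys of the others. The comment in loadkeys.te acknowledges this, but nothing at this call site does. Until the module is made per-user-domain, a comment here such as `# NOTE: loadkeys_t is shared across user domains; this grants it rw on $1_tty_device_t for every user` would keep the exposure visible. The body of `unpriv_user_template` starts and ends outside this hunk.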

