[selinux-policy: 1080/3172] add usbmodules
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 20:38:12 UTC 2010
commit 44f490b556a3516015a72516da265bc1cd21a05b
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Wed Jan 11 18:28:57 2006 +0000
add usbmodules
refpolicy/Changelog | 1 +
refpolicy/policy/modules/admin/usbmodules.fc | 9 +++++
refpolicy/policy/modules/admin/usbmodules.if | 49 +++++++++++++++++++++++++
refpolicy/policy/modules/admin/usbmodules.te | 48 ++++++++++++++++++++++++
refpolicy/policy/modules/system/hotplug.te | 4 ++
refpolicy/policy/modules/system/userdomain.te | 6 +++-
6 files changed, 116 insertions(+), 1 deletions(-)
---
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 81420bd..fc0c904 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -16,6 +16,7 @@
slrnpull
smartmon
sysstat
+ usbmodules
vbetool (Dan Walsh)
* Wed Dec 07 2005 Chris PeBenito <selinux at tresys.com> - 20051207
diff --git a/refpolicy/policy/modules/admin/usbmodules.fc b/refpolicy/policy/modules/admin/usbmodules.fc
new file mode 100644
index 0000000..a008efb
--- /dev/null
+++ b/refpolicy/policy/modules/admin/usbmodules.fc
@@ -0,0 +1,9 @@
+#
+# /sbin
+#
+/sbin/usbmodules -- gen_context(system_u:object_r:usbmodules_exec_t,s0)
+
+#
+# /usr
+#
+/usr/sbin/usbmodules -- gen_context(system_u:object_r:usbmodules_exec_t,s0)
diff --git a/refpolicy/policy/modules/admin/usbmodules.if b/refpolicy/policy/modules/admin/usbmodules.if
new file mode 100644
index 0000000..394d990
--- /dev/null
+++ b/refpolicy/policy/modules/admin/usbmodules.if
@@ -0,0 +1,49 @@
+## <summary>List kernel modules of USB devices</summary>
+
+########################################
+## <summary>
+## Execute usbmodules in the usbmodules domain.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`usbmodules_domtrans',`
+ gen_require(`
+ type usbmodules_t, usbmodules_exec_t;
+ ')
+
+ domain_auto_trans($1, usbmodules_exec_t, usbmodules_t)
+
+ allow $1 usbmodules_t:fd use;
+ allow usbmodules_t $1:fd use;
+ allow usbmodules_t $1:fifo_file rw_file_perms;
+ allow usbmodules_t $1:process sigchld;
+
+')
+
+########################################
+## <summary>
+## Execute usbmodules in the usbmodules domain, and
+## allow the specified role the usbmodules domain,
+## and use the caller's terminal.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+## <param name="role">
+## The role to be allowed the usbmodules domain.
+## </param>
+## <param name="terminal">
+## The type of the terminal allow the usbmodules domain to use.
+## </param>
+#
+interface(`usbmodules_run',`
+ gen_require(`
+ type usbmodules_t;
+ ')
+
+ usbmodules_domtrans($1)
+ role $2 types usbmodules_t;
+ allow usbmodules_t $3:chr_file rw_term_perms;
+')
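Review bot: The closing `')` of `usbmodules_domtrans` is preceded by an empty line (the blank after the `sigchld` rule), while `usbmodules_run` closes directly after its last rule; dropping that blank line keeps the two interfaces in the same shape. The `<param name="domain">` text of `usbmodules_domtrans`, `Domain allowed access.`, could also mirror the wording used in `usbmodules_run`, `The type of the process performing this action.`, so both interfaces document the caller the same way.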
diff --git a/refpolicy/policy/modules/admin/usbmodules.te b/refpolicy/policy/modules/admin/usbmodules.te
new file mode 100644
index 0000000..d4c8a9a
--- /dev/null
+++ b/refpolicy/policy/modules/admin/usbmodules.te
@@ -0,0 +1,48 @@
+
+policy_module(usbmodules,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type usbmodules_t;
+type usbmodules_exec_t;
+init_system_domain(usbmodules_t,usbmodules_exec_t)
+role system_r types usbmodules_t;
+
+########################################
+#
+# Local policy
+#
+
+
+kernel_list_proc(usbmodules_t)
+
+bootloader_list_kernel_modules(usbmodules_t)
+
+dev_list_usbfs(usbmodules_t)
+# allow usb device access
+dev_rw_usbfs(usbmodules_t)
+
+files_list_etc(usbmodules_t)
+# needs etc_t read access for the hotplug config, maybe should have a new type
+files_read_etc_files(usbmodules_t)
+
+term_read_console(usbmodules_t)
+term_write_console(usbmodules_t)
+
+init_use_fd(usbmodules_t)
+
+libs_use_ld_so(usbmodules_t)
+libs_use_shared_libs(usbmodules_t)
+
+modutils_read_mods_deps(usbmodules_t)
+
+optional_policy(`hotplug',`
+ hotplug_read_config(usbmodules_t)
+')
+
+optional_policy(`logging',`
+ logging_send_syslog_msg(usbmodules_t)
+')
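Review bot: `dev_rw_usbfs(usbmodules_t)` grants both read and write on usbfs, although the module's interface summary describes the tool as listing kernel modules of USB devices; if the binary only reads device descriptors, a read-only usbfs interface would be the least-privilege choice, and the `# allow usb device access` comment could then state which access is actually exercised. `role system_r types usbmodules_t;` in the declarations may duplicate what `init_system_domain` already assigns — worth confirming against init.if before keeping both. There is also a double blank line after the `# Local policy` header that the other section header in this file does not have.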
diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te
index f5be174..d01fb75 100644
--- a/refpolicy/policy/modules/system/hotplug.te
+++ b/refpolicy/policy/modules/system/hotplug.te
@@ -205,3 +205,7 @@ optional_policy(`udev',`
optional_policy(`updfstab',`
updfstab_domtrans(hotplug_t)
')
+
+optional_policy(`usbmodules',`
+ usbmodules_domtrans(hotplug_t)
+')
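Review bot: hotplug.te gains a new domain transition into usbmodules_t without a `policy_module` version bump, whereas userdomain.te is bumped to 1.1.5 in the same commit; the diffstat (4 additions, no deletions) suggests hotplug's version line is unchanged, so the hotplug module version should be incremented as well. The `policy_module` line of hotplug.te is outside this hunk.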
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index f0d78d9..321064d 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -1,5 +1,5 @@
-policy_module(userdomain,1.1.4)
+policy_module(userdomain,1.1.5)
gen_require(`
role sysadm_r, staff_r, user_r, secadm_r;
@@ -315,6 +315,10 @@ ifdef(`targeted_policy',`
unconfined_domtrans(sysadm_t,sysadm_r,admin_terminal)
')
+ optional_policy(`usbmodules',`
+ usbmodules_run(sysadm_t,sysadm_r,admin_terminal)
+ ')
+
optional_policy(`usermanage',`
usermanage_run_admin_passwd(sysadm_t,sysadm_r,admin_terminal)
usermanage_run_groupadd(sysadm_t,sysadm_r,admin_terminal)