[selinux-policy: 1080/3172] add usbmodules

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 20:38:12 UTC 2010


commit 44f490b556a3516015a72516da265bc1cd21a05b
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Wed Jan 11 18:28:57 2006 +0000

    add usbmodules

 refpolicy/Changelog                           |    1 +
 refpolicy/policy/modules/admin/usbmodules.fc  |    9 +++++
 refpolicy/policy/modules/admin/usbmodules.if  |   49 +++++++++++++++++++++++++
 refpolicy/policy/modules/admin/usbmodules.te  |   48 ++++++++++++++++++++++++
 refpolicy/policy/modules/system/hotplug.te    |    4 ++
 refpolicy/policy/modules/system/userdomain.te |    6 +++-
 6 files changed, 116 insertions(+), 1 deletions(-)
---
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 81420bd..fc0c904 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -16,6 +16,7 @@
 	slrnpull
 	smartmon
 	sysstat
+	usbmodules
 	vbetool (Dan Walsh)
 
 * Wed Dec 07 2005 Chris PeBenito <selinux at tresys.com> - 20051207
diff --git a/refpolicy/policy/modules/admin/usbmodules.fc b/refpolicy/policy/modules/admin/usbmodules.fc
new file mode 100644
index 0000000..a008efb
--- /dev/null
+++ b/refpolicy/policy/modules/admin/usbmodules.fc
@@ -0,0 +1,9 @@
+#
+# /sbin
+#
+/sbin/usbmodules		--	gen_context(system_u:object_r:usbmodules_exec_t,s0)
+
+#
+# /usr
+#
+/usr/sbin/usbmodules	--	gen_context(system_u:object_r:usbmodules_exec_t,s0)
diff --git a/refpolicy/policy/modules/admin/usbmodules.if b/refpolicy/policy/modules/admin/usbmodules.if
new file mode 100644
index 0000000..394d990
--- /dev/null
+++ b/refpolicy/policy/modules/admin/usbmodules.if
@@ -0,0 +1,49 @@
+## <summary>List kernel modules of USB devices</summary>
+
+########################################
+## <summary>
+##	Execute usbmodules in the usbmodules domain.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`usbmodules_domtrans',`
+	gen_require(`
+		type usbmodules_t, usbmodules_exec_t;
+	')
+
+	domain_auto_trans($1, usbmodules_exec_t, usbmodules_t)
+
+	allow $1 usbmodules_t:fd use;
+	allow usbmodules_t $1:fd use;
+	allow usbmodules_t $1:fifo_file rw_file_perms;
+	allow usbmodules_t $1:process sigchld;
+
+')
+
+########################################
+## <summary>
+##	Execute usbmodules in the usbmodules domain, and
+##	allow the specified role the usbmodules domain,
+##	and use the caller's terminal.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <param name="role">
+##	The role to be allowed the usbmodules domain.
+## </param>
+## <param name="terminal">
+##	The type of the terminal allow the usbmodules domain to use.
+## </param>
+#
+interface(`usbmodules_run',`
+	gen_require(`
+		type usbmodules_t;
+	')
+
+	usbmodules_domtrans($1)
+	role $2 types usbmodules_t;
+	allow usbmodules_t $3:chr_file rw_term_perms;
+')
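Review bot: The `terminal` parameter description at the end of the hunk is ungrammatical — `The type of the terminal allow the usbmodules domain to use.` should read `##	The type of the terminal the usbmodules domain is allowed to use.`. The `usbmodules_domtrans` summary says only "Execute usbmodules in the usbmodules domain", while the body additionally grants bidirectional `fd use`, `fifo_file rw_file_perms` on the caller's pipes and `process sigchld` back to the caller; a line under the summary such as `##	Also allows the usbmodules domain to use the caller's file descriptors and pipes and to signal it on exit.` would make the full grant visible to anyone reading the interface documentation. The stray blank line before the closing `')` of `usbmodules_domtrans` is a minor style nit.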
diff --git a/refpolicy/policy/modules/admin/usbmodules.te b/refpolicy/policy/modules/admin/usbmodules.te
new file mode 100644
index 0000000..d4c8a9a
--- /dev/null
+++ b/refpolicy/policy/modules/admin/usbmodules.te
@@ -0,0 +1,48 @@
+
+policy_module(usbmodules,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type usbmodules_t;
+type usbmodules_exec_t;
+init_system_domain(usbmodules_t,usbmodules_exec_t)
+role system_r types usbmodules_t;
+
+########################################
+#
+# Local policy
+#
+
+
+kernel_list_proc(usbmodules_t)
+
+bootloader_list_kernel_modules(usbmodules_t)
+
+dev_list_usbfs(usbmodules_t)
+# allow usb device access
+dev_rw_usbfs(usbmodules_t)
+
+files_list_etc(usbmodules_t)
+# needs etc_t read access for the hotplug config, maybe should have a new type
+files_read_etc_files(usbmodules_t)
+
+term_read_console(usbmodules_t)
+term_write_console(usbmodules_t)
+
+init_use_fd(usbmodules_t)
+
+libs_use_ld_so(usbmodules_t)
+libs_use_shared_libs(usbmodules_t)
+
+modutils_read_mods_deps(usbmodules_t)
+
+optional_policy(`hotplug',`
+	hotplug_read_config(usbmodules_t)
+')
+
+optional_policy(`logging',`
+	logging_send_syslog_msg(usbmodules_t)
+')
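Review bot: The comment justifying `files_read_etc_files(usbmodules_t)` ("needs etc_t read access for the hotplug config") is at odds with the `optional_policy(`hotplug'` block later in the same hunk, which already calls `hotplug_read_config(usbmodules_t)`. If the hotplug configuration carries its own type from the hotplug module (plausible given that interface exists, but not verifiable from this hunk), the generic read of all etc_t files is broader than the comment describes and may be droppable, or the comment should name what else under /etc the program actually reads. Either way the comment should be reworded so the next reader does not take the `hotplug_read_config` call as an accidental duplicate, e.g. `# generic etc_t read; hotplug config itself is covered by hotplug_read_config below — TODO confirm what else is needed`. Minor style: the file opens with a stray empty line before `policy_module(usbmodules,1.0.0)`.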
diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te
index f5be174..d01fb75 100644
--- a/refpolicy/policy/modules/system/hotplug.te
+++ b/refpolicy/policy/modules/system/hotplug.te
@@ -205,3 +205,7 @@ optional_policy(`udev',`
 optional_policy(`updfstab',`
 	updfstab_domtrans(hotplug_t)
 ')
+
+optional_policy(`usbmodules',`
+	usbmodules_domtrans(hotplug_t)
+')
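Review bot: hotplug.te gains a new `optional_policy(`usbmodules'` block but its `policy_module` version is not bumped, whereas userdomain.te in the same commit goes from 1.1.4 to 1.1.5 for an equivalent addition; the diffstat (4 insertions, 0 deletions in hotplug.te) confirms no version line changed. The module header lies outside this hunk, so the current version is not visible here, but bumping its patch level would keep the commit consistent with the convention it follows for userdomain. A new optional dependency on another module is the kind of change module versioning is meant to surface when loaded policies are updated.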
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index f0d78d9..321064d 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -1,5 +1,5 @@
 
-policy_module(userdomain,1.1.4)
+policy_module(userdomain,1.1.5)
 
 gen_require(`
 	role sysadm_r, staff_r, user_r, secadm_r;
@@ -315,6 +315,10 @@ ifdef(`targeted_policy',`
 		unconfined_domtrans(sysadm_t,sysadm_r,admin_terminal)
 	')
 
+	optional_policy(`usbmodules',`
+		usbmodules_run(sysadm_t,sysadm_r,admin_terminal)
+	')
+
 	optional_policy(`usermanage',`
 		usermanage_run_admin_passwd(sysadm_t,sysadm_r,admin_terminal)
 		usermanage_run_groupadd(sysadm_t,sysadm_r,admin_terminal)

