[selinux-policy: 1128/3172] login fixes and pieces of xserver
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 20:42:33 UTC 2010
commit 2ce6b04e733addb4006df404d8ebe7255e1c9df6
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Thu Jan 19 21:04:33 2006 +0000
login fixes and pieces of xserver
refpolicy/policy/modules/apps/userhelper.if | 23 ++++-
refpolicy/policy/modules/kernel/corecommands.fc | 2 +-
refpolicy/policy/modules/kernel/devices.if | 110 ++++++++++++++++++++---
refpolicy/policy/modules/system/userdomain.if | 74 +++++++++++++++
4 files changed, 191 insertions(+), 18 deletions(-)
---
diff --git a/refpolicy/policy/modules/apps/userhelper.if b/refpolicy/policy/modules/apps/userhelper.if
index 440bf9e..0ba786c 100644
--- a/refpolicy/policy/modules/apps/userhelper.if
+++ b/refpolicy/policy/modules/apps/userhelper.if
@@ -202,10 +202,27 @@ template(`userhelper_per_userdomain_template',`
########################################
## <summary>
-## Do not audit attempts to search userhelp configuration
+## Search the userhelper configuration directory.
## </summary>
## <param name="domain">
-## The type of the process performing this action.
+## Domain allowed access.
+## </param>
+#
+interface(`userhelper_search_config',`
+ gen_require(`
+ type userhelper_conf_t;
+ ')
+
+ allow $1 userhelper_conf_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to search
+## the userhelper configuration directory.
+## </summary>
+## <param name="domain">
+## Domain to not audit.
## </param>
#
interface(`userhelper_dontaudit_search_config',`
@@ -213,5 +230,5 @@ interface(`userhelper_dontaudit_search_config',`
type userhelper_conf_t;
')
- dontaudit $1 userhelper_conf_t:dir search;
+ dontaudit $1 userhelper_conf_t:dir search_dir_perms;
')
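Review bot: Changing the `dontaudit` rule from `search` to `search_dir_perms` silences every permission in that macro set, not just `search`; in the reference policy's macro definitions (not shown here) that set also covers `getattr` on the directory. Because dontaudit rules remove AVC denials from the audit log, the summary should state what is actually suppressed, e.g. `## Do not audit attempts to search or get the attributes of the userhelper configuration directory.`. The interface's summary and opening line sit in the previous hunk.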
diff --git a/refpolicy/policy/modules/kernel/corecommands.fc b/refpolicy/policy/modules/kernel/corecommands.fc
index 5fd8de3..94c7af6 100644
--- a/refpolicy/policy/modules/kernel/corecommands.fc
+++ b/refpolicy/policy/modules/kernel/corecommands.fc
@@ -140,7 +140,7 @@ ifdef(`distro_gentoo',`
/usr/share/printconf/util/print\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
-/usr/X11R6/lib/X11/xkb/xkbcomp -- gen_context(system_u:object_r:bin_t,s0)
+/usr/X11R6/lib(64)?/X11/xkb/xkbcomp -- gen_context(system_u:object_r:bin_t,s0)
ifdef(`distro_gentoo', `
/usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)? gen_context(system_u:object_r:bin_t,s0)
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index 678ceff..cbfc9d6 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -672,6 +672,23 @@ interface(`dev_manage_all_chr_files',`
########################################
## <summary>
+## Getattr the agp devices.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`dev_getattr_agp_dev',`
+ gen_require(`
+ type device_t, dri_device_t;
+ ')
+
+ allow $1 device_t:dir r_dir_perms;
+ allow $1 agp_device_t:chr_file getattr;
+')
+
+########################################
+## <summary>
## Read and write the agp devices.
## </summary>
## <param name="domain">
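Review bot: `dev_getattr_agp_dev` names `agp_device_t` in its allow rule, but its `gen_require` block declares `dri_device_t`, so the type the rule uses is never required. A module calling this interface would presumably fail to build, or only work where `agp_device_t` happens to be in scope; the require line should read `type device_t, agp_device_t;`. The old copy of this interface, removed further down in this diff, granted getattr on `dri_device_t`, so the require line looks like a leftover from that version.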
@@ -916,52 +933,53 @@ interface(`dev_rw_crypto',`
########################################
## <summary>
-## Getattr the agp devices.
+## Read and write the dri devices.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
-interface(`dev_getattr_agp_dev',`
+interface(`dev_rw_dri_dev',`
gen_require(`
type device_t, dri_device_t;
')
allow $1 device_t:dir r_dir_perms;
- allow $1 dri_device_t:chr_file getattr;
+ allow $1 dri_device_t:chr_file rw_file_perms;
')
########################################
## <summary>
-## Read and write the dri devices.
+## Dontaudit read and write on the dri devices.
## </summary>
## <param name="domain">
-## Domain allowed access.
+## Domain to dontaudit access.
## </param>
#
-interface(`dev_rw_dri_dev',`
+interface(`dev_dontaudit_rw_dri_dev',`
gen_require(`
- type device_t, dri_device_t;
+ type dri_device_t;
')
- allow $1 device_t:dir r_dir_perms;
- allow $1 dri_device_t:chr_file rw_file_perms;
+ dontaudit $1 dri_device_t:chr_file { getattr read write ioctl };
')
########################################
## <summary>
-## Dontaudit read and write on the dri devices.
+## Create, read, write, and delete the dri devices.
## </summary>
## <param name="domain">
-## Domain to dontaudit access.
+## Domain allowed access.
## </param>
#
-interface(`dev_dontaudit_rw_dri_dev',`
+interface(`dev_manage_dri_dev',`
gen_require(`
- type dri_device_t;
+ type device_t, dri_device_t;
')
- dontaudit $1 dri_device_t:chr_file { getattr read write ioctl };
+ allow $1 device_t:dir rw_dir_perms;
+ allow $1 dri_device_t:chr_file manage_file_perms;
+ type_transition $1 device_t:chr_file dri_device_t;
')
########################################
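Review bot: The `type_transition $1 device_t:chr_file dri_device_t;` line in `dev_manage_dri_dev` applies to every character device the calling domain creates in a `device_t` directory, not only DRI nodes, and the summary does not mention it. A caller that also creates other device nodes in /dev would get them labelled `dri_device_t`, and every domain granted `dev_rw_dri_dev` could then read and write them. I would document this in the interface header, e.g. `## Character device nodes the domain creates in /dev are labeled as dri devices.`, so callers can check that they create no other device nodes there.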
@@ -983,6 +1001,23 @@ interface(`dev_read_input',`
########################################
## <summary>
+## Read input event devices (/dev/input).
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`dev_rw_input_dev',`
+ gen_require(`
+ type device_t, event_device_t;
+ ')
+
+ allow $1 device_t:dir r_dir_perms;
+ allow $1 event_device_t:chr_file rw_file_perms;
+')
+
+########################################
+## <summary>
## Get the attributes of the framebuffer device node.
## </summary>
## <param name="domain">
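Review bot: The summary for `dev_rw_input_dev` says "Read input event devices" but the rule grants `rw_file_perms` on `event_device_t`, so the documentation understates the access. Write access to input event devices is a materially larger grant than read, and anyone auditing callers from the generated interface docs would miss it. The summary should read `## Read and write input event devices (/dev/input).`.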
@@ -1084,6 +1119,23 @@ interface(`dev_write_framebuffer',`
########################################
## <summary>
+## Read and write the framebuffer.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`dev_rw_framebuffer',`
+ gen_require(`
+ type device_t, framebuf_device_t;
+ ')
+
+ allow $1 device_t:dir r_dir_perms;
+ allow $1 framebuf_device_t:chr_file rw_file_perms;
+')
+
+########################################
+## <summary>
## Read the lvm comtrol device.
## </summary>
## <param name="domain">
@@ -1450,6 +1502,19 @@ interface(`dev_write_mtrr',`
########################################
## <summary>
+## Read and write the mtrr device.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`dev_rw_mtrr',`
+ dev_read_mtrr($1)
+ dev_write_mtrr($1)
+')
+
+########################################
+## <summary>
## Read and write to the null device (/dev/null).
## </summary>
## <param name="domain">
@@ -2229,6 +2294,23 @@ interface(`dev_setattr_xserver_misc_dev',`
########################################
## <summary>
+## Read and write X server miscellaneous devices.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`dev_rw_xserver_misc_dev',`
+ gen_require(`
+ type device_t, xserver_misc_device_t;
+ ')
+
+ allow $1 device_t:dir r_dir_perms;
+ allow $1 xserver_misc_device_t:chr_file rw_file_perms;
+')
+
+########################################
+## <summary>
## Read and write to the zero device (/dev/zero).
## </summary>
## <param name="domain">
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 1a6cbe4..77a415b 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -2321,6 +2321,72 @@ interface(`userdom_read_all_tmp_untrusted_content',`
########################################
## <summary>
+## Set the attributes of a user domain tty.
+## </summary>
+## <desc>
+## <p>
+## Set the attributes of a user domain tty.
+## </p>
+## <p>
+## This is a templated interface, and should only
+## be called from a per-userdomain template.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </param>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+template(`userdom_setattr_user_tty',`
+ ifdef(`targeted_policy',`
+ term_setattr_unallocated_ttys($2)
+ ',`
+ gen_require(`
+ type $1_tty_device_t;
+ ')
+
+ allow $2 $1_tty_device_t:chr_file setattr;
+ ')
+')
+
+########################################
+## <summary>
+## Read and write a user domain tty.
+## </summary>
+## <desc>
+## <p>
+## Read and write a user domain tty.
+## </p>
+## <p>
+## This is a templated interface, and should only
+## be called from a per-userdomain template.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </param>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+template(`userdom_use_user_tty',`
+ ifdef(`targeted_policy',`
+ term_use_unallocated_tty($2)
+ ',`
+ gen_require(`
+ type $1_tty_device_t;
+ ')
+
+ allow $2 $1_tty_device_t:chr_file rw_term_perms;
+ ')
+')
+
+########################################
+## <summary>
## Read and write a user domain tty and pty.
## </summary>
## <desc>
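Review bot: Under `targeted_policy`, both `userdom_setattr_user_tty` and `userdom_use_user_tty` ignore `$1` and grant `$2` access to the unallocated ttys rather than `$1_tty_device_t`, but each `<desc>` describes only the per-user tty. Each `<desc>` should gain a paragraph saying that in the targeted policy the access is granted on unallocated ttys, so a reviewer can see that the grant is broader there. Separately, the two targeted branches call `term_setattr_unallocated_ttys` (plural) and `term_use_unallocated_tty` (singular); it is worth confirming that both names exist in the terminal module, which is not visible in this diff.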
@@ -2403,6 +2469,10 @@ interface(`userdom_spec_domtrans_all_users',`
')
corecmd_shell_spec_domtrans($1,userdomain)
+ allow $1 userdomain:fd use;
+ allow userdomain $1:fd use;
+ allow userdomain $1:fifo_file rw_file_perms;
+ allow userdomain $1:process sigchld;
')
########################################
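Review bot: The four rules added to `userdom_spec_domtrans_all_users` let every user domain use file descriptors inherited from `$1` and read and write its pipes, but nothing in the hunk documents that the interface now grants access in that direction. The same applies to the matching rules added to `userdom_spec_domtrans_unpriv_users` in the next hunk. A short comment above the rules would help, e.g. `# Allow the user shell to inherit the caller's descriptors and pipes and to signal it on exit.`, so callers holding sensitive descriptors know to close them before the transition. Both interfaces start outside their hunks, so their summaries may also need updating.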
@@ -2421,6 +2491,10 @@ interface(`userdom_spec_domtrans_unpriv_users',`
')
corecmd_shell_spec_domtrans($1,unpriv_userdomain)
+ allow $1 unpriv_userdomain:fd use;
+ allow unpriv_userdomain $1:fd use;
+ allow unpriv_userdomain $1:fifo_file rw_file_perms;
+ allow unpriv_userdomain $1:process sigchld;
')
########################################