[selinux-policy: 1128/3172] login fixes and pieces of xserver

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 20:42:33 UTC 2010


commit 2ce6b04e733addb4006df404d8ebe7255e1c9df6
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Thu Jan 19 21:04:33 2006 +0000

    login fixes and pieces of xserver

 refpolicy/policy/modules/apps/userhelper.if     |   23 ++++-
 refpolicy/policy/modules/kernel/corecommands.fc |    2 +-
 refpolicy/policy/modules/kernel/devices.if      |  110 ++++++++++++++++++++---
 refpolicy/policy/modules/system/userdomain.if   |   74 +++++++++++++++
 4 files changed, 191 insertions(+), 18 deletions(-)
---
diff --git a/refpolicy/policy/modules/apps/userhelper.if b/refpolicy/policy/modules/apps/userhelper.if
index 440bf9e..0ba786c 100644
--- a/refpolicy/policy/modules/apps/userhelper.if
+++ b/refpolicy/policy/modules/apps/userhelper.if
@@ -202,10 +202,27 @@ template(`userhelper_per_userdomain_template',`
 
 ########################################
 ## <summary>
-##	Do not audit attempts to search userhelp configuration
+##	Search the userhelper configuration directory.
 ## </summary>
 ## <param name="domain">
-##      The type of the process performing this action.
+##      Domain allowed access.
+## </param>
+#
+interface(`userhelper_search_config',`
+	gen_require(`
+		type userhelper_conf_t;
+	')
+
+	allow $1 userhelper_conf_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to search 
+##	the userhelper configuration directory.
+## </summary>
+## <param name="domain">
+##      Domain to not audit.
 ## </param>
 #
 interface(`userhelper_dontaudit_search_config',`
@@ -213,5 +230,5 @@ interface(`userhelper_dontaudit_search_config',`
 		type userhelper_conf_t;
 	')
 
-	dontaudit $1 userhelper_conf_t:dir search;
+	dontaudit $1 userhelper_conf_t:dir search_dir_perms;
 ')
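Review bot: The `dontaudit` in userhelper_dontaudit_search_config now uses `search_dir_perms`, so it silences every permission that macro expands to rather than only `search`. If the set includes `getattr` (the definition is not visible in this commit), denied getattr probes of the userhelper configuration directory will also vanish from the audit log. Since dontaudit rules reduce what a defender can see, either keep the narrow form `dontaudit $1 userhelper_conf_t:dir search;` or state the wider suppression in the summary. The start of the interface is in the previous hunk.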
diff --git a/refpolicy/policy/modules/kernel/corecommands.fc b/refpolicy/policy/modules/kernel/corecommands.fc
index 5fd8de3..94c7af6 100644
--- a/refpolicy/policy/modules/kernel/corecommands.fc
+++ b/refpolicy/policy/modules/kernel/corecommands.fc
@@ -140,7 +140,7 @@ ifdef(`distro_gentoo',`
 /usr/share/printconf/util/print\.py --	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/turboprint/lib(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
 
-/usr/X11R6/lib/X11/xkb/xkbcomp	--	gen_context(system_u:object_r:bin_t,s0)
+/usr/X11R6/lib(64)?/X11/xkb/xkbcomp --	gen_context(system_u:object_r:bin_t,s0)
 
 ifdef(`distro_gentoo', `
 /usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)?	gen_context(system_u:object_r:bin_t,s0)
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index 678ceff..cbfc9d6 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -672,6 +672,23 @@ interface(`dev_manage_all_chr_files',`
 
 ########################################
 ## <summary>
+##	Getattr the agp devices.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`dev_getattr_agp_dev',`
+	gen_require(`
+		type device_t, dri_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 agp_device_t:chr_file getattr;
+')
+
+########################################
+## <summary>
 ##	Read and write the agp devices.
 ## </summary>
 ## <param name="domain">
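Review bot: In the added dev_getattr_agp_dev, the `gen_require` block declares `dri_device_t` but the rule below it uses `agp_device_t`, which is never required. The require line should read `type device_t, agp_device_t;`. The allow rule was corrected relative to the old copy removed further down, but the require was carried over unchanged. Depending on how the policy is built, a caller may fail to compile on the undeclared type.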
@@ -916,52 +933,53 @@ interface(`dev_rw_crypto',`
 
 ########################################
 ## <summary>
-##	Getattr the agp devices.
+##	Read and write the dri devices.
 ## </summary>
 ## <param name="domain">
 ##	Domain allowed access.
 ## </param>
 #
-interface(`dev_getattr_agp_dev',`
+interface(`dev_rw_dri_dev',`
 	gen_require(`
 		type device_t, dri_device_t;
 	')
 
 	allow $1 device_t:dir r_dir_perms;
-	allow $1 dri_device_t:chr_file getattr;
+	allow $1 dri_device_t:chr_file rw_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Read and write the dri devices.
+##	Dontaudit read and write on the dri devices.
 ## </summary>
 ## <param name="domain">
-##	Domain allowed access.
+##	Domain to dontaudit access.
 ## </param>
 #
-interface(`dev_rw_dri_dev',`
+interface(`dev_dontaudit_rw_dri_dev',`
 	gen_require(`
-		type device_t, dri_device_t;
+		type dri_device_t;
 	')
 
-	allow $1 device_t:dir r_dir_perms;
-	allow $1 dri_device_t:chr_file rw_file_perms;
+	dontaudit $1 dri_device_t:chr_file { getattr read write ioctl };
 ')
 
 ########################################
 ## <summary>
-##	Dontaudit read and write on the dri devices.
+##	Create, read, write, and delete the dri devices.
 ## </summary>
 ## <param name="domain">
-##	Domain to dontaudit access.
+##	Domain allowed access.
 ## </param>
 #
-interface(`dev_dontaudit_rw_dri_dev',`
+interface(`dev_manage_dri_dev',`
 	gen_require(`
-		type dri_device_t;
+		type device_t, dri_device_t;
 	')
 
-	dontaudit $1 dri_device_t:chr_file { getattr read write ioctl };
+	allow $1 device_t:dir rw_dir_perms;
+	allow $1 dri_device_t:chr_file manage_file_perms;
+	type_transition $1 device_t:chr_file dri_device_t;
 ')
 
 ########################################
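Review bot: dev_manage_dri_dev ends with `type_transition $1 device_t:chr_file dri_device_t;`, which the summary "Create, read, write, and delete the dri devices." does not mention. The transition applies to every character device the caller creates in a device_t directory, not only DRI nodes, so a domain that also creates other device nodes there would label them dri_device_t. A caller that picks up a different transition for the same source, target and class from another interface would also hit a conflicting-rule error. I would add a `<desc>` paragraph stating that the interface installs this transition and that it is meant for domains that create only DRI nodes in /dev.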
@@ -983,6 +1001,23 @@ interface(`dev_read_input',`
 
 ########################################
 ## <summary>
+##	Read input event devices (/dev/input).
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`dev_rw_input_dev',`
+	gen_require(`
+		type device_t, event_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 event_device_t:chr_file rw_file_perms;
+')
+
+########################################
+## <summary>
 ##	Get the attributes of the framebuffer device node.
 ## </summary>
 ## <param name="domain">
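Review bot: The summary of the added dev_rw_input_dev says "Read input event devices (/dev/input)." but the rule grants `rw_file_perms` on `event_device_t:chr_file`. The text looks copied from dev_read_input, and anyone auditing callers by the generated documentation will underestimate the access given, since write access to event devices is the more sensitive half. The summary line should read `##	Read and write input event devices (/dev/input).`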
@@ -1084,6 +1119,23 @@ interface(`dev_write_framebuffer',`
 
 ########################################
 ## <summary>
+##	Read and write the framebuffer.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`dev_rw_framebuffer',`
+	gen_require(`
+		type device_t, framebuf_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 framebuf_device_t:chr_file rw_file_perms;
+')
+
+########################################
+## <summary>
 ##	Read the lvm comtrol device.
 ## </summary>
 ## <param name="domain">
@@ -1450,6 +1502,19 @@ interface(`dev_write_mtrr',`
 
 ########################################
 ## <summary>
+##	Read and write the mtrr device.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`dev_rw_mtrr',`
+	dev_read_mtrr($1)
+	dev_write_mtrr($1)
+')
+
+########################################
+## <summary>
 ##	Read and write to the null device (/dev/null).
 ## </summary>
 ## <param name="domain">
@@ -2229,6 +2294,23 @@ interface(`dev_setattr_xserver_misc_dev',`
 
 ########################################
 ## <summary>
+##	Read and write X server miscellaneous devices.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`dev_rw_xserver_misc_dev',`
+	gen_require(`
+		type device_t, xserver_misc_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 xserver_misc_device_t:chr_file rw_file_perms;
+')
+
+########################################
+## <summary>
 ##	Read and write to the zero device (/dev/zero).
 ## </summary>
 ## <param name="domain">
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 1a6cbe4..77a415b 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -2321,6 +2321,72 @@ interface(`userdom_read_all_tmp_untrusted_content',`
 
 ########################################
 ## <summary>
+##	Set the attributes of a user domain tty.
+## </summary>
+## <desc>
+##	<p>
+##	Set the attributes of a user domain tty.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+## </param>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+template(`userdom_setattr_user_tty',`
+	ifdef(`targeted_policy',`
+		term_setattr_unallocated_ttys($2)
+	',`
+		gen_require(`
+			type $1_tty_device_t;
+		')
+
+		allow $2 $1_tty_device_t:chr_file setattr;
+	')
+')
+
+########################################
+## <summary>
+##	Read and write a user domain tty.
+## </summary>
+## <desc>
+##	<p>
+##	Read and write a user domain tty.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+## </param>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+template(`userdom_use_user_tty',`
+	ifdef(`targeted_policy',`
+		term_use_unallocated_tty($2)
+	',`
+		gen_require(`
+			type $1_tty_device_t;
+		')
+
+		allow $2 $1_tty_device_t:chr_file rw_term_perms;
+	')
+')
+
+########################################
+## <summary>
 ##	Read and write a user domain tty and pty.
 ## </summary>
 ## <desc>
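Review bot: In both added templates, the `targeted_policy` branch ignores the `$1` prefix and grants access on unallocated ttys through `term_setattr_unallocated_ttys($2)` and `term_use_unallocated_tty($2)`, while the documentation only describes "a user domain tty". That access is not scoped to one user's tty type, so the `<desc>` should say so, for example `##	In the targeted policy this grants access to unallocated ttys instead.` The two term_ interface names also differ in number (`_ttys` versus `_tty`); it is worth confirming that both exist under those exact names, since their definitions are not part of this commit.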
@@ -2403,6 +2469,10 @@ interface(`userdom_spec_domtrans_all_users',`
 	')
 
 	corecmd_shell_spec_domtrans($1,userdomain)
+	allow $1 userdomain:fd use;
+	allow userdomain $1:fd use;
+	allow userdomain $1:fifo_file rw_file_perms;
+	allow userdomain $1:process sigchld;
 ')
 
 ########################################
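Review bot: The four rules added after `corecmd_shell_spec_domtrans($1,userdomain)` let every domain carrying the `userdomain` attribute use the caller's file descriptors and read and write its fifo_files, but nothing in the hunk says why a transition interface grants access in that direction. If the intent is the usual inheritance of descriptors and pipes across the shell transition, a one-line comment such as `# let the transitioned shell inherit fds and pipes and signal the caller on exit` would make that auditable. The same four lines are repeated with `unpriv_userdomain` in the next hunk (userdom_spec_domtrans_unpriv_users); a shared helper macro would keep the two in step. The interface header and its gen_require are outside this hunk.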
@@ -2421,6 +2491,10 @@ interface(`userdom_spec_domtrans_unpriv_users',`
 	')
 
 	corecmd_shell_spec_domtrans($1,unpriv_userdomain)
+	allow $1 unpriv_userdomain:fd use;
+	allow unpriv_userdomain $1:fd use;
+	allow unpriv_userdomain $1:fifo_file rw_file_perms;
+	allow unpriv_userdomain $1:process sigchld;
 ')
 
 ########################################

