[selinux-policy: 1182/3172] merge tvtime to trunk bug 1391
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 20:47:09 UTC 2010
commit b77d019f1414e405c05429ca45e54369ee9d6dcf
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Wed Feb 1 15:11:43 2006 +0000
merge tvtime to trunk
bug 1391
refpolicy/Changelog | 1 +
refpolicy/policy/modules/apps/tvtime.fc | 5 +
refpolicy/policy/modules/apps/tvtime.if | 133 +++++++++++++++++++++++++++++++
refpolicy/policy/modules/apps/tvtime.te | 13 +++
4 files changed, 152 insertions(+), 0 deletions(-)
---
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 91dc82e..4fca63c 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -28,6 +28,7 @@
mono (Dan Walsh)
mrtg
portage
+ tvtime
userhelper
usernetctl
wine (Dan Walsh)
diff --git a/refpolicy/policy/modules/apps/tvtime.fc b/refpolicy/policy/modules/apps/tvtime.fc
new file mode 100644
index 0000000..8698a61
--- /dev/null
+++ b/refpolicy/policy/modules/apps/tvtime.fc
@@ -0,0 +1,5 @@
+#
+# /usr
+#
+/usr/bin/tvtime -- gen_context(system_u:object_r:tvtime_exec_t,s0)
+
diff --git a/refpolicy/policy/modules/apps/tvtime.if b/refpolicy/policy/modules/apps/tvtime.if
new file mode 100644
index 0000000..6cca6d7
--- /dev/null
+++ b/refpolicy/policy/modules/apps/tvtime.if
@@ -0,0 +1,133 @@
+## <summary> tvtime - a high quality television application </summary>
+
+#######################################
+## <summary>
+## The per user domain template for the tvtime module.
+## </summary>
+## <desc>
+## <p>
+## This template creates a derived domains which are used
+## for tvtime.
+## </p>
+## <p>
+## This template is invoked automatically for each user, and
+## generally does not need to be invoked directly
+## by policy writers.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </param>
+## <param name="user_domain">
+## The type of the user domain.
+## </param>
+## <param name="user_role">
+## The role associated with the user domain.
+## </param>
+#
+template(`tvtime_per_userdomain_template',`
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ type $1_tvtime_t;
+ domain_type($1_tvtime_t)
+ domain_entry_file($1_tvtime_t,tvtime_exec_t)
+ role $3 types $1_tvtime_t;
+
+ type $1_tvtime_home_t alias $1_tvtime_rw_t;
+ userdom_home_file($1,$1_tvtime_home_t)
+ files_poly_member($1_tvtime_home_t)
+
+ type $1_tvtime_tmp_t;
+ files_tmp_file($1_tvtime_tmp_t)
+
+ ########################################
+ #
+ # Local policy
+ #
+
+ allow $1_tvtime_t self:capability { setuid sys_nice sys_resource };
+ allow $1_tvtime_t self:process setsched;
+ allow $1_tvtime_t self:unix_dgram_socket rw_socket_perms;
+ allow $1_tvtime_t self:unix_stream_socket rw_stream_socket_perms;
+
+ # X access, Home files
+ allow $1_tvtime_t $1_tvtime_home_t:dir manage_dir_perms;
+ allow $1_tvtime_t $1_tvtime_home_t:file manage_file_perms;
+ allow $1_tvtime_t $1_tvtime_home_t:lnk_file create_lnk_perms;
+ type_transition $1_tvtime_t $1_home_dir_t:dir $1_tvtime_home_t;
+ userdom_filetrans_user_home_dir($1,$1_tvtime_t,$1_tvtime_home_t,dir)
+
+ allow $1_tvtime_t $1_tvtime_tmp_t:dir create_dir_perms;
+ allow $1_tvtime_t $1_tvtime_tmp_t:file create_file_perms;
+ files_filetrans_tmp($1_tvtime_t, $1_tvtime_tmp_t, { file dir fifo_file })
+ fs_filetrans_tmpfs($1_tvtime_t,$1_tvtime_tmp_t,{file dir lnk_file fifo_file sock_file })
+
+ # Type transition
+ domain_auto_trans($2, tvtime_exec_t, $1_tvtime_t)
+ allow $2 $1_tvtime_t:fd use;
+ allow $1_tvtime_t $2:fd use;
+ allow $1_tvtime_t $2:fifo_file rw_file_perms;
+ allow $1_tvtime_t $2:process sigchld;
+
+ # X access, Home files
+ allow $2 $1_tvtime_home_t:dir manage_dir_perms;
+ allow $2 $1_tvtime_home_t:file manage_file_perms;
+ allow $2 $1_tvtime_home_t:lnk_file create_lnk_perms;
+ allow $2 $1_tvtime_home_t:{ dir file lnk_file } { relabelfrom relabelto };
+
+ # Allow the user domain to signal/ps.
+ allow $2 $1_tvtime_t:dir { search getattr read };
+ allow $2 $1_tvtime_t:{ file lnk_file } { read getattr };
+ allow $2 $1_tvtime_t:process getattr;
+ # We need to suppress this denial because procps tries to access
+ # /proc/pid/environ and this now triggers a ptrace check in recent kernels
+ # (2.4 and 2.6). Might want to change procps to not do this, or only if
+ # running in a privileged domain.
+ dontaudit $2 $1_tvtime_t:process ptrace;
+ allow $2 $1_tvtime_t:process signal_perms;
+
+ kernel_read_all_sysctl($1_tvtime_t)
+ kernel_get_sysvipc_info($1_tvtime_t)
+
+ dev_read_urand($1_tvtime_t)
+ dev_read_realtime_clock($1_tvtime_t)
+ dev_read_snd_dev($1_tvtime_t)
+
+ files_read_usr_files($1_tvtime_t)
+ files_search_pids($1_tvtime_t)
+ # Read /etc/tvtime
+ files_read_etc_files($1_tvtime_t)
+
+ # X access, Home files
+ fs_search_auto_mountpoints($1_tvtime_t)
+
+ libs_use_ld_so($1_tvtime_t)
+ libs_use_shared_libs($1_tvtime_t)
+
+ miscfiles_read_localization($1_tvtime_t)
+ miscfiles_read_fonts($1_tvtime_t)
+
+ userdom_use_user_terminals($1,$1_tvtime_t)
+ userdom_read_user_home_files($1,$1_tvtime_t)
+
+ # X access, Home files
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs($1_tvtime_t)
+ fs_manage_nfs_files($1_tvtime_t)
+ fs_manage_nfs_symlinks($1_tvtime_t)
+ ')
+ tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs($1_tvtime_t)
+ fs_manage_cifs_files($1_tvtime_t)
+ fs_manage_cifs_symlinks($1_tvtime_t)
+ ')
+
+ ifdef(`TODO',`
+ x_client_domain($1_tvtime, $1)
+ ')
+')
diff --git a/refpolicy/policy/modules/apps/tvtime.te b/refpolicy/policy/modules/apps/tvtime.te
new file mode 100644
index 0000000..0f557d2
--- /dev/null
+++ b/refpolicy/policy/modules/apps/tvtime.te
@@ -0,0 +1,13 @@
+
+policy_module(tvtime,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type tvtime_exec_t;
+files_type(tvtime_exec_t)
+
+type tvtime_dir_t;
+files_pid_file(tvtime_dir_t)
More information about the scm-commits
mailing list