[selinux-policy: 1182/3172] merge tvtime to trunk bug 1391

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 20:47:09 UTC 2010 

commit b77d019f1414e405c05429ca45e54369ee9d6dcf
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Wed Feb 1 15:11:43 2006 +0000

    merge tvtime to trunk
    bug 1391

 refpolicy/Changelog                     |    1 +
 refpolicy/policy/modules/apps/tvtime.fc |    5 +
 refpolicy/policy/modules/apps/tvtime.if |  133 +++++++++++++++++++++++++++++++
 refpolicy/policy/modules/apps/tvtime.te |   13 +++
 4 files changed, 152 insertions(+), 0 deletions(-)
---
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 91dc82e..4fca63c 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -28,6 +28,7 @@
 	mono (Dan Walsh)
 	mrtg
 	portage
+	tvtime
 	userhelper
 	usernetctl
 	wine (Dan Walsh)
diff --git a/refpolicy/policy/modules/apps/tvtime.fc b/refpolicy/policy/modules/apps/tvtime.fc
new file mode 100644
index 0000000..8698a61
--- /dev/null
+++ b/refpolicy/policy/modules/apps/tvtime.fc
@@ -0,0 +1,5 @@
+#
+# /usr
+#
+/usr/bin/tvtime		--	gen_context(system_u:object_r:tvtime_exec_t,s0)
+
diff --git a/refpolicy/policy/modules/apps/tvtime.if b/refpolicy/policy/modules/apps/tvtime.if
new file mode 100644
index 0000000..6cca6d7
--- /dev/null
+++ b/refpolicy/policy/modules/apps/tvtime.if
@@ -0,0 +1,133 @@
+## <summary> tvtime - a high quality television application </summary>
+
+#######################################
+## <summary>
+##	The per user domain template for the tvtime module.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a derived domains which are used
+##	for tvtime.
+##	</p>
+##	<p>
+##	This template is invoked automatically for each user, and
+##	generally does not need to be invoked directly
+##	by policy writers.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+## </param>
+## <param name="user_domain">
+##	The type of the user domain.
+## </param>
+## <param name="user_role">
+##	The role associated with the user domain.
+## </param>
+#
+template(`tvtime_per_userdomain_template',`
+
+	########################################
+	#
+	# Declarations
+	#
+
+	type $1_tvtime_t;
+	domain_type($1_tvtime_t)
+	domain_entry_file($1_tvtime_t,tvtime_exec_t)
+	role $3 types $1_tvtime_t;
+
+	type $1_tvtime_home_t alias $1_tvtime_rw_t;
+	userdom_home_file($1,$1_tvtime_home_t)
+	files_poly_member($1_tvtime_home_t)
+
+	type $1_tvtime_tmp_t;
+	files_tmp_file($1_tvtime_tmp_t)
+	
+	########################################
+	#
+	# Local policy
+	#
+
+	allow $1_tvtime_t self:capability { setuid sys_nice sys_resource };
+	allow $1_tvtime_t self:process setsched;
+	allow $1_tvtime_t self:unix_dgram_socket rw_socket_perms;
+	allow $1_tvtime_t self:unix_stream_socket rw_stream_socket_perms;
+
+	# X access, Home files
+	allow $1_tvtime_t $1_tvtime_home_t:dir manage_dir_perms;
+	allow $1_tvtime_t $1_tvtime_home_t:file manage_file_perms;
+	allow $1_tvtime_t $1_tvtime_home_t:lnk_file create_lnk_perms;
+	type_transition $1_tvtime_t $1_home_dir_t:dir $1_tvtime_home_t;
+	userdom_filetrans_user_home_dir($1,$1_tvtime_t,$1_tvtime_home_t,dir)
+
+	allow $1_tvtime_t $1_tvtime_tmp_t:dir create_dir_perms;
+	allow $1_tvtime_t $1_tvtime_tmp_t:file create_file_perms;
+	files_filetrans_tmp($1_tvtime_t, $1_tvtime_tmp_t, { file dir fifo_file })
+	fs_filetrans_tmpfs($1_tvtime_t,$1_tvtime_tmp_t,{file dir lnk_file fifo_file sock_file })
+
+	# Type transition
+	domain_auto_trans($2, tvtime_exec_t, $1_tvtime_t)
+	allow $2 $1_tvtime_t:fd use;
+	allow $1_tvtime_t $2:fd use;
+	allow $1_tvtime_t $2:fifo_file rw_file_perms;
+	allow $1_tvtime_t $2:process sigchld;
+
+	# X access, Home files
+	allow $2 $1_tvtime_home_t:dir manage_dir_perms;
+	allow $2 $1_tvtime_home_t:file manage_file_perms;
+	allow $2 $1_tvtime_home_t:lnk_file create_lnk_perms;
+	allow $2 $1_tvtime_home_t:{ dir file lnk_file } { relabelfrom relabelto };
+
+	# Allow the user domain to signal/ps.
+	allow $2 $1_tvtime_t:dir { search getattr read };
+	allow $2 $1_tvtime_t:{ file lnk_file } { read getattr };
+	allow $2 $1_tvtime_t:process getattr;
+	# We need to suppress this denial because procps tries to access
+	# /proc/pid/environ and this now triggers a ptrace check in recent kernels
+	# (2.4 and 2.6).  Might want to change procps to not do this, or only if
+	# running in a privileged domain.
+	dontaudit $2 $1_tvtime_t:process ptrace;
+	allow $2 $1_tvtime_t:process signal_perms;
+	
+	kernel_read_all_sysctl($1_tvtime_t)
+	kernel_get_sysvipc_info($1_tvtime_t)
+
+	dev_read_urand($1_tvtime_t)
+	dev_read_realtime_clock($1_tvtime_t)
+	dev_read_snd_dev($1_tvtime_t)
+
+	files_read_usr_files($1_tvtime_t)
+	files_search_pids($1_tvtime_t)
+	# Read /etc/tvtime
+	files_read_etc_files($1_tvtime_t)
+
+	# X access, Home files
+	fs_search_auto_mountpoints($1_tvtime_t)
+	
+	libs_use_ld_so($1_tvtime_t)
+	libs_use_shared_libs($1_tvtime_t)
+
+	miscfiles_read_localization($1_tvtime_t)
+	miscfiles_read_fonts($1_tvtime_t)
+
+	userdom_use_user_terminals($1,$1_tvtime_t)
+	userdom_read_user_home_files($1,$1_tvtime_t)
+	
+	# X access, Home files
+	tunable_policy(`use_nfs_home_dirs',`
+		fs_manage_nfs_dirs($1_tvtime_t)
+		fs_manage_nfs_files($1_tvtime_t)
+		fs_manage_nfs_symlinks($1_tvtime_t)
+	')
+	tunable_policy(`use_samba_home_dirs',`
+		fs_manage_cifs_dirs($1_tvtime_t)
+		fs_manage_cifs_files($1_tvtime_t)
+		fs_manage_cifs_symlinks($1_tvtime_t)
+	')
+
+	ifdef(`TODO',`
+		x_client_domain($1_tvtime, $1)
+	')
+')
diff --git a/refpolicy/policy/modules/apps/tvtime.te b/refpolicy/policy/modules/apps/tvtime.te
new file mode 100644
index 0000000..0f557d2
--- /dev/null
+++ b/refpolicy/policy/modules/apps/tvtime.te
@@ -0,0 +1,13 @@
+
+policy_module(tvtime,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type tvtime_exec_t;
+files_type(tvtime_exec_t)
+
+type tvtime_dir_t;
+files_pid_file(tvtime_dir_t)

More information about the scm-commits mailing list