[selinux-policy: 1362/3172] add resmgr, bug 1543

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:03:12 UTC 2010


commit b057be8d6db45f5499f8d2d48a9fa6d0510f3bb9
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Fri Apr 14 19:13:17 2006 +0000

    add resmgr, bug 1543

 refpolicy/Changelog                           |    1 +
 refpolicy/policy/modules/apps/cdrecord.if     |    4 +-
 refpolicy/policy/modules/apps/cdrecord.te     |    2 +-
 refpolicy/policy/modules/services/resmgr.fc   |    7 ++
 refpolicy/policy/modules/services/resmgr.if   |   22 +++++++
 refpolicy/policy/modules/services/resmgr.te   |   81 +++++++++++++++++++++++++
 refpolicy/policy/modules/services/xserver.te  |    8 ++-
 refpolicy/policy/modules/system/userdomain.if |    6 +-
 refpolicy/policy/modules/system/userdomain.te |    2 +-
 9 files changed, 124 insertions(+), 9 deletions(-)
---
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index c30a277..c5beb7e 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -53,6 +53,7 @@
 	postgrey
 	pxe
 	qmail (Petre Rodan)
+	resmgr
 	rhgb
 	snort
 	speedtouch
diff --git a/refpolicy/policy/modules/apps/cdrecord.if b/refpolicy/policy/modules/apps/cdrecord.if
index 41bb205..34644d6 100644
--- a/refpolicy/policy/modules/apps/cdrecord.if
+++ b/refpolicy/policy/modules/apps/cdrecord.if
@@ -197,7 +197,7 @@ template(`cdrecord_per_userdomain_template', `
 		fs_read_nfs_symlinks($1_cdrecord_t)
 	')
 	
-	ifdef(`TODO',`
-		can_resmgrd_connect($1_cdrecord_t)
+	optional_policy(`
+		resmgr_stream_connect($1_cdrecord_t)
 	')
 ')
diff --git a/refpolicy/policy/modules/apps/cdrecord.te b/refpolicy/policy/modules/apps/cdrecord.te
index 5e410f7..d78c592 100644
--- a/refpolicy/policy/modules/apps/cdrecord.te
+++ b/refpolicy/policy/modules/apps/cdrecord.te
@@ -1,5 +1,5 @@
 
-policy_module(cdrecord,1.0.0)
+policy_module(cdrecord,1.0.1)
 
 ########################################
 #
diff --git a/refpolicy/policy/modules/services/resmgr.fc b/refpolicy/policy/modules/services/resmgr.fc
new file mode 100644
index 0000000..af810b9
--- /dev/null
+++ b/refpolicy/policy/modules/services/resmgr.fc
@@ -0,0 +1,7 @@
+
+/etc/resmgr\.conf	--	gen_context(system_u:object_r:resmgrd_etc_t,s0)
+
+/sbin/resmgrd		--	gen_context(system_u:object_r:resmgrd_exec_t,s0)
+
+/var/run/\.resmgr_socket -s	gen_context(system_u:object_r:resmgrd_var_run_t,s0)
+/var/run/resmgr\.pid	--	gen_context(system_u:object_r:resmgrd_var_run_t,s0)
diff --git a/refpolicy/policy/modules/services/resmgr.if b/refpolicy/policy/modules/services/resmgr.if
new file mode 100644
index 0000000..d457736
--- /dev/null
+++ b/refpolicy/policy/modules/services/resmgr.if
@@ -0,0 +1,22 @@
+## <summary>Resource management daemon</summary>
+
+########################################
+## <summary>
+##	Connect to resmgrd over a unix domain
+##	stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`resmgr_stream_connect',`
+	gen_require(`
+		type resmgrd_var_run_t, resmgrd_t;
+	')
+
+	allow $1 resmgrd_t:unix_stream_socket connectto;
+	allow $1 resmgrd_var_run_t:sock_file { getattr write };
+	files_search_pids($1)
+')
diff --git a/refpolicy/policy/modules/services/resmgr.te b/refpolicy/policy/modules/services/resmgr.te
new file mode 100644
index 0000000..695d7c6
--- /dev/null
+++ b/refpolicy/policy/modules/services/resmgr.te
@@ -0,0 +1,81 @@
+
+policy_module(resmgr,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type resmgrd_t;
+type resmgrd_exec_t;
+init_daemon_domain(resmgrd_t,resmgrd_exec_t)
+
+type resmgrd_etc_t;
+files_config_file(resmgrd_etc_t)
+
+type resmgrd_var_run_t;
+files_pid_file(resmgrd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow resmgrd_t self:capability { dac_override sys_admin sys_rawio };
+dontaudit resmgrd_t self:capability sys_tty_config;
+allow resmgrd_t self:process signal_perms;
+
+allow resmgrd_t resmgrd_etc_t:file { getattr read };
+files_search_etc(resmgrd_t)
+
+allow resmgrd_t resmgrd_var_run_t:file manage_file_perms;
+allow resmgrd_t resmgrd_var_run_t:sock_file manage_file_perms;
+files_pid_filetrans(resmgrd_t,resmgrd_var_run_t,{ file sock_file })
+
+kernel_list_proc(resmgrd_t)
+kernel_read_proc_symlinks(resmgrd_t)
+kernel_read_kernel_sysctls(resmgrd_t)
+
+dev_read_sysfs(resmgrd_t)
+dev_getattr_scanner_dev(resmgrd_t)
+
+domain_use_interactive_fds(resmgrd_t)
+
+files_read_etc_files(resmgrd_t)
+
+fs_search_auto_mountpoints(resmgrd_t)
+
+storage_dontaudit_read_fixed_disk(resmgrd_t)
+storage_read_scsi_generic(resmgrd_t)
+storage_raw_read_removable_device(resmgrd_t)
+# not sure if it needs write access, needs to be investigated further...
+storage_write_scsi_generic(resmgrd_t)
+storage_raw_write_removable_device(resmgrd_t)
+
+term_dontaudit_use_console(resmgrd_t)
+
+init_use_fds(resmgrd_t)
+init_use_script_ptys(resmgrd_t)
+
+libs_use_ld_so(resmgrd_t)
+libs_use_shared_libs(resmgrd_t)
+
+logging_send_syslog_msg(resmgrd_t)
+
+miscfiles_read_localization(resmgrd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(resmgrd_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(resmgrd_t)
+	term_dontaudit_use_generic_ptys(resmgrd_t)
+	files_dontaudit_read_root_files(resmgrd_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(resmgrd_t)
+')
+
+optional_policy(`
+	udev_read_db(resmgrd_t)
+')
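Review bot: The two write grants at the end of the storage block, `storage_write_scsi_generic(resmgrd_t)` and `storage_raw_write_removable_device(resmgrd_t)`, are added under a comment that says the need for write access is unknown; a daemon that already holds `dac_override sys_admin sys_rawio` should not get raw write access to sg and removable block devices on a hunch. Since the policy is deny-by-default, leaving those two lines out costs nothing but an AVC denial if resmgrd actually needs them, which is the evidence that would justify adding them back. If they must stay, the comment should at least be a tracked TODO rather than a shrug, e.g. `# TODO: write access to sg and raw removable devices is unconfirmed; verify against AVC denials and drop if unneeded`. The read-only `storage_read_scsi_generic` and `storage_raw_read_removable_device` lines above it are presumably what the daemon's device probing needs and are not in question.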
diff --git a/refpolicy/policy/modules/services/xserver.te b/refpolicy/policy/modules/services/xserver.te
index 9918eb5..b39f586 100644
--- a/refpolicy/policy/modules/services/xserver.te
+++ b/refpolicy/policy/modules/services/xserver.te
@@ -1,5 +1,5 @@
 
-policy_module(xserver,1.1.4)
+policy_module(xserver,1.1.5)
 
 ########################################
 #
@@ -441,13 +441,15 @@ ifdef(`targeted_policy',`
 ')
 
 optional_policy(`
+	resmgr_stream_connect(xdm_t)
+')
+
+optional_policy(`
 	rhgb_rw_shm(xdm_xserver_t)
 	rhgb_rw_tmpfs_files(xdm_xserver_t)
 ')
 
 ifdef(`TODO',`
-can_resmgrd_connect(xdm_t)
-
 # Need to further investigate these permissions and
 # perhaps define derived types.
 allow xdm_t var_lib_t:dir { write search add_name remove_name  create unlink };
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 5a73156..475a7ce 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -420,6 +420,10 @@ template(`base_user_template',`
 	')
 
 	optional_policy(`
+		resmgr_stream_connect($1_t)
+	')
+
+	optional_policy(`
 		rpc_dontaudit_getattr_exports($1_t)
 		rpc_manage_nfs_rw_content($1_t)
 	')
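Review bot: `resmgr_stream_connect($1_t)` inside `base_user_template` grants every user domain built from the template, including unprivileged ones, the ability to connect to resmgrd_t, which in the same commit holds sys_rawio and raw read/write access to removable and scsi-generic devices; the daemon thereby becomes a privilege boundary reachable from all user domains. That is presumably the intended design of a resource manager, but nothing at this call site says so, and the interface summary only says "Connect to resmgrd over a unix domain stream socket". A one-line comment above the optional_policy block, such as `# resmgrd mediates user access to devices; all user domains may connect`, would record why the grant is unconditional here. `base_user_template` begins and ends outside this hunk.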
@@ -487,8 +491,6 @@ template(`base_user_template',`
 
 	allow $1_t usbtty_device_t:chr_file read;
 
-	can_resmgrd_connect($1_t)
-
 	ifdef(`xdm.te', `
 		allow $1_t xdm_var_lib_t:file r_file_perms;
 	')
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index 4c95bbf..00baa24 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -1,5 +1,5 @@
 
-policy_module(userdomain,1.3.13)
+policy_module(userdomain,1.3.14)
 
 gen_require(`
 	role sysadm_r, staff_r, user_r;

