[selinux-policy: 2258/3172] add kdump from dan.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 22:20:25 UTC 2010


commit 71965a1fc58af381ad42a19d3bf5fe8fd54cbfb7
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Wed Sep 2 08:33:25 2009 -0400

    add kdump from dan.

 Changelog                      |    1 +
 policy/modules/system/kdump.fc |    5 ++
 policy/modules/system/kdump.if |  111 ++++++++++++++++++++++++++++++++++++++++
 policy/modules/system/kdump.te |   36 +++++++++++++
 4 files changed, 153 insertions(+), 0 deletions(-)
---
diff --git a/Changelog b/Changelog
index 61bb77c..51dceb7 100644
--- a/Changelog
+++ b/Changelog
@@ -10,6 +10,7 @@
 - Add missing compatibility aliases for xdm_xserver*_t types.
 - Added modules:
 	hddtemp (Dan Walsh)
+	kdump (Dan Walsh)
 
 * Thu Jul 30 2009 Chris PeBenito <selinux at tresys.com> - 2.20090730
 - Gentoo fixes for init scripts and system startup.
diff --git a/policy/modules/system/kdump.fc b/policy/modules/system/kdump.fc
new file mode 100644
index 0000000..c66934f
--- /dev/null
+++ b/policy/modules/system/kdump.fc
@@ -0,0 +1,5 @@
+/etc/kdump\.conf	--	gen_context(system_u:object_r:kdump_etc_t,s0)
+/etc/rc\.d/init\.d/kdump --	gen_context(system_u:object_r:kdump_initrc_exec_t,s0)
+
+/sbin/kdump		--	gen_context(system_u:object_r:kdump_exec_t,s0)
+/sbin/kexec		--	gen_context(system_u:object_r:kdump_exec_t,s0)
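Review bot: Labelling `/sbin/kexec` with the same `kdump_exec_t` as `/sbin/kdump` means every domain given `kdump_domtrans` can run the general-purpose kexec loader in `kdump_t`, which kdump.te grants `sys_boot`. That may well be intended, since the kdump service presumably drives kexec, but it is a wider entry point than the file name suggests. I would record it next to the entry, for example `# kexec shares kdump_exec_t on purpose: it runs in kdump_t with sys_boot`, so later callers of `kdump_domtrans` know what they are handing out.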
diff --git a/policy/modules/system/kdump.if b/policy/modules/system/kdump.if
new file mode 100644
index 0000000..19e65b8
--- /dev/null
+++ b/policy/modules/system/kdump.if
@@ -0,0 +1,111 @@
+## <summary>Kernel crash dumping mechanism</summary>
+
+######################################
+## <summary>
+##	Execute kdump in the kdump domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`kdump_domtrans',`
+	gen_require(`
+		type kdump_t, kdump_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, kdump_exec_t, kdump_t)
+')
+
+#######################################
+## <summary>
+##	Execute kdump in the kdump domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`kdump_initrc_domtrans',`
+	gen_require(`
+		type kdump_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, kdump_initrc_exec_t)
+')
+
+#####################################
+## <summary>
+##	Read kdump configuration file.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kdump_read_config',`
+	gen_require(`
+		type kdump_etc_t;
+	')
+
+	files_search_etc($1)
+	allow $1 kdump_etc_t:file read_file_perms;
+')
+
+####################################
+## <summary>
+##	Manage kdump configuration file.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kdump_manage_config',`
+	gen_require(`
+		type kdump_etc_t;
+	')
+
+	files_search_etc($1)
+	allow $1 kdump_etc_t:file manage_file_perms;
+')
+
+######################################
+## <summary>
+##	All of the rules required to administrate 
+##	an kdump environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the kdump domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`kdump_admin',`
+	gen_require(`
+		type kdump_t, kdump_etc_t;
+		type kdump_initrc_exec_t;
+	')
+
+	allow $1 kdump_t:process { ptrace signal_perms };
+	ps_process_pattern($1, kdump_t)
+
+	init_labeled_script_domtrans($1, kdump_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 kdump_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_search_etc($1)
+	admin_pattern($1, kdump_etc_t)
+')
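Review bot: `kdump_admin` grants `ptrace` on `kdump_t` unconditionally in `allow $1 kdump_t:process { ptrace signal_perms };`, and kdump.te in the same commit gives that domain `sys_boot` and `dac_override`. Any admin domain handed this interface can therefore take control of a process holding those capabilities. Consider reducing the rule to `allow $1 kdump_t:process signal_perms;` and granting ptrace separately behind a tunable if debugging access is really needed. Separately, the summary on `kdump_initrc_domtrans` is a copy of the one on `kdump_domtrans`; it should read something like `Execute the kdump init script in the init script domain.`, and `an kdump environment` in the `kdump_admin` summary should be `a kdump environment`.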
diff --git a/policy/modules/system/kdump.te b/policy/modules/system/kdump.te
new file mode 100644
index 0000000..a5a7526
--- /dev/null
+++ b/policy/modules/system/kdump.te
@@ -0,0 +1,36 @@
+
+policy_module(kdump, 1.0.0)
+
+#######################################
+#
+# Declarations
+#
+
+type kdump_t;
+type kdump_exec_t;
+init_system_domain(kdump_t, kdump_exec_t)
+
+type kdump_etc_t;
+files_config_file(kdump_etc_t)
+
+type kdump_initrc_exec_t;
+init_script_file(kdump_initrc_exec_t)
+
+#####################################
+#
+# kdump local policy
+#
+
+allow kdump_t self:capability { sys_boot dac_override };
+
+read_files_pattern(kdump_t, kdump_etc_t, kdump_etc_t)
+
+files_read_etc_runtime_files(kdump_t)
+files_read_kernel_img(kdump_t)
+
+kernel_read_system_state(kdump_t)
+
+dev_read_framebuffer(kdump_t)
+dev_read_sysfs(kdump_t)
+
+term_use_console(kdump_t)
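Review bot: `dac_override` in `allow kdump_t self:capability { sys_boot dac_override };` lets `kdump_t` bypass every DAC read, write and execute check. The other rules in this hunk only grant read access (kdump config, etc runtime files, kernel image, kernel system state, sysfs, framebuffer) plus console use. Nothing visible here needs write-side override, so the capability looks broader than required; if it was added in response to a denial on a read or directory search, `dac_read_search` may be enough. I would start from `allow kdump_t self:capability sys_boot;` and add a comment naming the access that forces any extra capability.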

