[selinux-policy: 2772/3172] Add livecd from Dan Walsh.
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 23:06:39 UTC 2010
commit b841dffda16da196695aba6d5c4cbdb94ed9a919
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Wed Jul 7 10:28:25 2010 -0400
Add livecd from Dan Walsh.
Changelog | 1 +
policy/modules/apps/livecd.fc | 1 +
policy/modules/apps/livecd.if | 104 +++++++++++++++++++++++++++++++++++++++++
policy/modules/apps/livecd.te | 35 ++++++++++++++
4 files changed, 141 insertions(+), 0 deletions(-)
---
diff --git a/Changelog b/Changelog
index 9ebdae9..e647b76 100644
--- a/Changelog
+++ b/Changelog
@@ -3,6 +3,7 @@
- Increased default number of categories to 1024, from Russell Coker.
- Added modules:
cgroup (Dominick Grift)
+ livecd (Dan Walsh)
* Mon May 24 2010 Chris PeBenito <selinux at tresys.com> - 2.20100524
- Merged a significant portion of Fedora policy.
diff --git a/policy/modules/apps/livecd.fc b/policy/modules/apps/livecd.fc
new file mode 100644
index 0000000..34937fc
--- /dev/null
+++ b/policy/modules/apps/livecd.fc
@@ -0,0 +1 @@
+/usr/bin/livecd-creator -- gen_context(system_u:object_r:livecd_exec_t,s0)
diff --git a/policy/modules/apps/livecd.if b/policy/modules/apps/livecd.if
new file mode 100644
index 0000000..272e97a
--- /dev/null
+++ b/policy/modules/apps/livecd.if
@@ -0,0 +1,104 @@
+## <summary>Livecd tool for building alternate livecd for different os and policy versions.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run livecd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`livecd_domtrans',`
+ gen_require(`
+ type livecd_t, livecd_exec_t;
+ ')
+
+ domtrans_pattern($1, livecd_exec_t, livecd_t)
+')
+
+########################################
+## <summary>
+## Execute livecd in the livecd domain, and
+## allow the specified role the livecd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`livecd_run',`
+ gen_require(`
+ type livecd_t;
+ ')
+
+ livecd_domtrans($1)
+ role $2 types livecd_t;
+
+ optional_policy(`
+ mount_run(livecd_t, $2)
+ ')
+')
+
+########################################
+## <summary>
+## Read livecd temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`livecd_read_tmp_files',`
+ gen_require(`
+ type livecd_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ read_files_pattern($1, livecd_tmp_t, livecd_tmp_t)
+')
+
+########################################
+## <summary>
+## Read and write livecd temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`livecd_rw_tmp_files',`
+ gen_require(`
+ type livecd_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 livecd_tmp_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Allow read and write access to livecd semaphores.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`livecd_rw_semaphores',`
+ gen_require(`
+ type livecd_t;
+ ')
+
+ allow $1 livecd_t:sem { unix_read unix_write associate read write };
+')
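Review bot: `livecd_rw_tmp_files` grants `rw_file_perms` on `livecd_tmp_t` files with a bare `allow`, but unlike `livecd_read_tmp_files` above it, it gives no search permission on `livecd_tmp_t` directories. A caller can therefore probably only use files it reaches through an inherited descriptor, or files that sit directly in a generic tmp directory. If path-based access inside livecd's own temporary directories is intended, use the matching pattern macro, `rw_files_pattern($1, livecd_tmp_t, livecd_tmp_t)`. If descriptor-only access is intended, say so in the interface summary so later callers do not assume otherwise. The `livecd_run` summary could likewise mention that every role passed in also receives `mount_run(livecd_t, $2)` when the mount module is present.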
diff --git a/policy/modules/apps/livecd.te b/policy/modules/apps/livecd.te
new file mode 100644
index 0000000..49abe8e
--- /dev/null
+++ b/policy/modules/apps/livecd.te
@@ -0,0 +1,35 @@
+policy_module(livecd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type livecd_t;
+type livecd_exec_t;
+application_domain(livecd_t, livecd_exec_t)
+role system_r types livecd_t;
+
+type livecd_tmp_t;
+files_tmp_file(livecd_tmp_t)
+
+########################################
+#
+# livecd local policy
+#
+
+dontaudit livecd_t self:capability2 mac_admin;
+
+domain_ptrace_all_domains(livecd_t)
+
+manage_dirs_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t)
+manage_files_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t)
+files_tmp_filetrans(livecd_t, livecd_tmp_t, { dir file })
+
+optional_policy(`
+ unconfined_domain(livecd_t)
+')
+
+optional_policy(`
+ hal_dbus_chat(livecd_t)
+')
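Review bot: `domain_ptrace_all_domains(livecd_t)` is granted unconditionally, and `unconfined_domain(livecd_t)` applies whenever the unconfined module is built, so in that configuration `livecd_t` has no effective confinement. Any domain or role admitted through `livecd_domtrans` or `livecd_run` then gets that reach by running `livecd_exec_t`. Neither line says why the tool needs it; a short rationale above each, for example `# FIXME: unconfined until livecd-creator's required access is enumerated`, would show reviewers whether this is a stopgap or the intended end state. The `dontaudit livecd_t self:capability2 mac_admin;` rule also suppresses denials that would otherwise reach the audit log, so it needs the same one-line justification. The ptrace grant is the part most worth revisiting, because it stays in force even when the unconfined module is absent.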