[selinux-policy: 493/3172] add raid (mdadm)
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 19:47:16 UTC 2010
commit 50aca6d2f9c99e15b4d59ce8bf29c4d95c92fb87
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Fri Jul 15 20:45:26 2005 +0000
add raid (mdadm)
refpolicy/Changelog | 1 +
refpolicy/policy/modules/admin/dmesg.if | 8 +-
refpolicy/policy/modules/kernel/kernel.if | 19 +++++
refpolicy/policy/modules/system/raid.fc | 5 ++
refpolicy/policy/modules/system/raid.if | 26 +++++++
refpolicy/policy/modules/system/raid.te | 89 +++++++++++++++++++++++++
refpolicy/policy/modules/system/userdomain.if | 25 +++++++-
7 files changed, 167 insertions(+), 6 deletions(-)
---
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 3aa268c..bc02f2f 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -6,6 +6,7 @@
ipsec
nscd
pcmcia
+ raid
20050707 (7 Jul 2005)
* Changed xml to have modules encapsulated by layer tags, rather
diff --git a/refpolicy/policy/modules/admin/dmesg.if b/refpolicy/policy/modules/admin/dmesg.if
index eebda7b..baa7769 100644
--- a/refpolicy/policy/modules/admin/dmesg.if
+++ b/refpolicy/policy/modules/admin/dmesg.if
@@ -1,9 +1,9 @@
## <summary>Policy for dmesg.</summary>
########################################
-## <desc>
+## <summary>
## Execute dmesg in the dmesg domain.
-## </desc>
+## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
@@ -26,9 +26,9 @@ interface(`dmesg_domtrans',`
')
########################################
-## <desc>
+## <summary>
## Execute dmesg in the caller domain.
-## </desc>
+## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if
index 39521c1..789a910 100644
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@@ -403,6 +403,25 @@ interface(`kernel_read_software_raid_state',`
allow $1 proc_mdstat_t:file r_file_perms;
')
+#######################################
+## <summary>
+## Allow caller to read and set the state information for software raid.
+## </summary>
+## <param name="domain">
+## The process type reading software raid state.
+## </param>
+#
+interface(`kernel_rw_software_raid_state',`
+ gen_require(`
+ type proc_t, proc_mdstat_t;
+ class dir r_dir_perms;
+ class file rw_file_perms;
+ ')
+
+ allow $1 proc_t:dir r_dir_perms;
+ allow $1 proc_mdstat_t:file rw_file_perms;
+')
+
########################################
## <summary>
## Allows caller to get attribues of core kernel interface.
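Review bot: The `<param>` text of `kernel_rw_software_raid_state` still reads "The process type reading software raid state", which looks copied from the read-only interface above it, while the body grants `rw_file_perms` on `proc_mdstat_t`. Write access is the security-relevant difference between the two interfaces, so the description should say so, for example `## The process type reading and writing software raid state.`. That lets a module author see from the docs alone that the read-only variant is the narrower grant.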
diff --git a/refpolicy/policy/modules/system/raid.fc b/refpolicy/policy/modules/system/raid.fc
new file mode 100644
index 0000000..c6126ed
--- /dev/null
+++ b/refpolicy/policy/modules/system/raid.fc
@@ -0,0 +1,5 @@
+
+/sbin/mdadm -- system_u:object_r:mdadm_exec_t
+/sbin/mdmpd -- system_u:object_r:mdadm_exec_t
+
+/var/run/mdadm(/.*)? system_u:object_r:mdadm_var_run_t
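Review bot: `/sbin/mdmpd` is labelled `mdadm_exec_t`, so that daemon will enter the same `mdadm_t` domain as `mdadm` itself. Judging from raid.te in this commit, it then inherits `sys_admin`, `dac_override` and fixed-disk manage access. If the sharing is intentional, a short comment such as `# mdmpd deliberately shares the mdadm domain` above the entry would record the decision. Otherwise a separate exec type would allow the daemon to be confined more tightly later.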
diff --git a/refpolicy/policy/modules/system/raid.if b/refpolicy/policy/modules/system/raid.if
new file mode 100644
index 0000000..434ac36
--- /dev/null
+++ b/refpolicy/policy/modules/system/raid.if
@@ -0,0 +1,26 @@
+## <summary>RAID array management tools</summary>
+
+########################################
+## <summary>
+## Execute software raid tools in the mdadm domain.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`raid_domtrans_mdadm',`
+ gen_require(`
+ type mdadm_t, mdadm_exec_t;
+ class process sigchld;
+ class fd use;
+ class fifo_file rw_file_perms;
+ ')
+
+ corecmd_search_sbin($1)
+ domain_auto_trans($1,mdadm_exec_t,mdadm_t)
+
+ allow $1 mdadm_t:fd use;
+ allow mdadm_t $1:fd use;
+ allow mdadm_t $1:fifo_file rw_file_perms;
+ allow mdadm_t $1:process sigchld;
+')
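Review bot: `raid_domtrans_mdadm` grants only the type transition, and raid.te in this commit authorizes `mdadm_t` for `system_r` alone (`role system_r types mdadm_t;`). A caller running in any other role would therefore presumably still be refused at the role check after using this interface. The summary block should state that limit, for example `## Callers outside system_r also need a role allowance for mdadm_t.`. That keeps a user-domain module from assuming the interface is sufficient on its own.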
diff --git a/refpolicy/policy/modules/system/raid.te b/refpolicy/policy/modules/system/raid.te
new file mode 100644
index 0000000..43bb0aa
--- /dev/null
+++ b/refpolicy/policy/modules/system/raid.te
@@ -0,0 +1,89 @@
+#DESC mdadm - Linux RAID tool
+#
+# Author: Colin Walters <walters at redhat.com>
+#
+
+type mdadm_t;
+type mdadm_exec_t;
+init_daemon_domain(mdadm_t,mdadm_exec_t)
+role system_r types mdadm_t;
+
+type mdadm_var_run_t;
+files_pid_file(mdadm_var_run_t)
+
+allow mdadm_t self:capability { dac_override sys_admin ipc_lock };
+dontaudit mdadm_t self:capability sys_tty_config;
+allow mdadm_t self:process { sigchld sigkill sigstop signull signal };
+
+allow mdadm_t mdadm_var_run_t:file create_file_perms;
+files_create_pid(mdadm_t,mdadm_var_run_t)
+
+kernel_read_system_state(mdadm_t)
+kernel_read_kernel_sysctl(mdadm_t)
+kernel_rw_software_raid_state(mdadm_t)
+
+dev_read_sysfs(mdadm_t)
+# Ignore attempts to read every device file
+dev_dontaudit_getattr_all_blk_files(mdadm_t)
+dev_dontaudit_getattr_all_chr_files(mdadm_t)
+
+fs_search_auto_mountpoints(mdadm_t)
+
+# RAID block device access
+storage_manage_fixed_disk(mdadm_t)
+
+term_dontaudit_use_console(mdadm_t)
+term_dontaudit_list_ptys(mdadm_t)
+
+# Helper program access
+corecmd_exec_bin(mdadm_t)
+corecmd_exec_sbin(mdadm_t)
+
+domain_use_wide_inherit_fd(mdadm_t)
+
+files_read_etc_files(mdadm_t)
+files_read_etc_runtime_files(mdadm_t)
+
+init_use_fd(mdadm_t)
+init_use_script_pty(mdadm_t)
+init_dontaudit_getattr_initctl(mdadm_t)
+
+libs_use_ld_so(mdadm_t)
+libs_use_shared_libs(mdadm_t)
+
+logging_send_syslog_msg(mdadm_t)
+
+miscfiles_read_localization(mdadm_t)
+
+userdom_dontaudit_use_unpriv_user_fd(mdadm_t)
+userdom_dontaudit_use_sysadm_tty(mdadm_t)
+
+ifdef(`targeted_policy',`
+ term_dontaudit_use_unallocated_tty(mdadm_t)
+ term_dontaudit_use_generic_pty(mdadm_t)
+ files_dontaudit_read_root_file(mdadm_t)
+')
+
+optional_policy(`rhgb.te',`
+ rhgb_domain(mdadm_t)
+')
+
+optional_policy(`selinux.te',`
+ seutil_sigchld_newrole(mdadm_t)
+')
+
+optional_policy(`udev.te', `
+ udev_read_db(mdadm_t)
+')
+
+ifdef(`TODO',`
+allow initrc_t mdadm_var_run_t:file create_file_perms;
+
+# Ignore attempts to read every device file
+dontaudit mdadm_t device_t:{ fifo_file file dir chr_file blk_file } { read getattr };
+
+# Other random ignores
+dontaudit mdadm_t tmpfs_t:dir r_dir_perms;
+
+allow mdadm_t var_t:dir getattr;
+') dnl TODO
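Review bot: The most privileged grants in this module carry no rationale: `allow mdadm_t self:capability { dac_override sys_admin ipc_lock };` sits next to `storage_manage_fixed_disk(mdadm_t)`, which together let the domain bypass file permissions and work on the raw disks directly. `corecmd_exec_bin` and `corecmd_exec_sbin` appear to allow execution without a domain transition, so any helper mdadm launches would run with that same access. A why-comment on each would help, for example `# Helpers run in mdadm_t and share its raw disk access` above the "Helper program access" pair, plus a line on the capability rule naming which operation needs `dac_override`. The header also uses the older `#DESC` form and the `ifdef(`TODO'` block parks an `initrc_t` rule here; both are worth a note on whether they are meant to stay.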
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index cdedb60..5a25579 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -1017,6 +1017,27 @@ interface(`userdom_use_sysadm_tty',`
########################################
## <summary>
+## Do not audit attempts to use sysadm ttys.
+## </summary>
+## <param name="domain">
+## Domain to not audit.
+## </param>
+#
+interface(`userdom_dontaudit_use_sysadm_tty',`
+ ifdef(`targeted_policy',`
+ term_dontaudit_use_unallocated_tty($1)
+ ',`
+ gen_require(`
+ attribute sysadm_tty_device_t;
+ class chr_file { read write };
+ ')
+
+ dontaudit $1 sysadm_tty_device_t:chr_file { read write };
+ ')
+')
+
+########################################
+## <summary>
## Read and write sysadm ptys.
## </summary>
## <param name="domain">
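Review bot: In the non-targeted branch of `userdom_dontaudit_use_sysadm_tty`, the `gen_require` block declares `attribute sysadm_tty_device_t;`, but the `_t` suffix and its use as the target of the `dontaudit` rule suggest it is a type. Its declaration is not visible in this hunk, so this needs confirming against userdomain.te; if it is a type, the line should read `type sysadm_tty_device_t;`. A mismatched require would presumably surface only when the policy is built as a loadable module, where require blocks are checked.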
@@ -1053,10 +1074,10 @@ interface(`userdom_use_sysadm_terms',`
########################################
## <summary>
-## Do not audit attempts to use admin ttys and ptys.
+## Do not audit attempts to use sysadm ttys and ptys.
## </summary>
## <param name="domain">
-## The type of the process performing this action.
+## Domain to not audit.
## </param>
#
interface(`userdom_dontaudit_use_sysadm_terms',`