[selinux-policy: 1083/3172] add lockdev
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 20:38:27 UTC 2010
commit 1ae2c3135007910662afc7e76c935d29c4b671c6
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Wed Jan 11 20:18:56 2006 +0000
add lockdev
refpolicy/Changelog | 1 +
refpolicy/policy/modules/apps/lockdev.fc | 2 +
refpolicy/policy/modules/apps/lockdev.if | 81 ++++++++++++++++++++++++++++++
refpolicy/policy/modules/apps/lockdev.te | 10 ++++
refpolicy/policy/modules/kernel/files.if | 22 ++++++++-
5 files changed, 115 insertions(+), 1 deletions(-)
---
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index a8d14de..0ceec0a 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -9,6 +9,7 @@
ddcprobe
fetchmail
irc
+ lockdev
logwatch (Dan Walsh)
openct
readahead
diff --git a/refpolicy/policy/modules/apps/lockdev.fc b/refpolicy/policy/modules/apps/lockdev.fc
new file mode 100644
index 0000000..8b5ce03
--- /dev/null
+++ b/refpolicy/policy/modules/apps/lockdev.fc
@@ -0,0 +1,2 @@
+
+/usr/sbin/lockdev -- gen_context(system_u:object_r:lockdev_exec_t,s0)
diff --git a/refpolicy/policy/modules/apps/lockdev.if b/refpolicy/policy/modules/apps/lockdev.if
new file mode 100644
index 0000000..2e4e8ca
--- /dev/null
+++ b/refpolicy/policy/modules/apps/lockdev.if
@@ -0,0 +1,81 @@
+## <summary>device locking policy for lockdev</summary>
+
+#######################################
+## <summary>
+## The per user domain template for the lockdev module.
+## </summary>
+## <desc>
+## <p>
+## This template creates derived domains which are used
+## for lockdev. A derived type is also created to protect
+## the user's device locks.
+## </p>
+## <p>
+## This template is invoked automatically for each user, and
+## generally does not need to be invoked directly
+## by policy writers.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </param>
+## <param name="user_domain">
+## The type of the user domain.
+## </param>
+## <param name="user_role">
+## The role associated with the user domain.
+## </param>
+#
+template(`lockdev_per_userdomain_template',`
+ gen_require(`
+ type lockdev_exec_t;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ type $1_lockdev_t;
+ domain_type($1_lockdev_t)
+ domain_entry_file($1_lockdev_t,lockdev_exec_t)
+ role $3 types $1_lockdev_t;
+
+ type $1_lockdev_lock_t;
+ files_lock_file($1_lockdev_lock_t)
+
+ ########################################
+ #
+ # Local policy
+ #
+
+ # Use capabilities.
+ allow $1_lockdev_t self:capability setgid;
+ allow $1_lockdev_t $2:process signull;
+
+ # Transition from the user domain to the derived domain.
+ domain_auto_trans($2, lockdev_exec_t, $1_lockdev_t)
+ allow $2 $1_lockdev_t:fd use;
+ allow $1_lockdev_t $2:fd use;
+ allow $1_lockdev_t $2:fifo_file rw_file_perms;
+ allow $1_lockdev_t $2:process sigchld;
+
+ allow $1_lockdev_t $1_lockdev_lock_t:file create_file_perms;
+ files_create_lock($1_lockdev_t,$1_lockdev_lock_t)
+
+ files_read_all_locks($1_lockdev_t)
+
+ fs_getattr_xattr_fs($1_lockdev_t)
+
+ libs_use_ld_so($1_lockdev_t)
+ libs_use_shared_libs($1_lockdev_t)
+
+ logging_send_syslog_msg($1_lockdev_t)
+
+ userdom_use_user_terminals($1, $1_lockdev_t)
+
+ optional_policy(`logging',`
+ logging_send_syslog_msg($1_t)
+ ')
+')
diff --git a/refpolicy/policy/modules/apps/lockdev.te b/refpolicy/policy/modules/apps/lockdev.te
new file mode 100644
index 0000000..06eae58
--- /dev/null
+++ b/refpolicy/policy/modules/apps/lockdev.te
@@ -0,0 +1,10 @@
+
+policy_module(lockdev,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type lockdev_exec_t;
+files_type(lockdev_exec_t)
diff --git a/refpolicy/policy/modules/kernel/files.if b/refpolicy/policy/modules/kernel/files.if
index cafee78..f0ef6a4 100644
--- a/refpolicy/policy/modules/kernel/files.if
+++ b/refpolicy/policy/modules/kernel/files.if
@@ -2880,6 +2880,26 @@ interface(`files_delete_all_locks',`
')
########################################
+## <summary>
+## Read all lock files.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`files_read_all_locks',`
+ gen_require(`
+ attribute lockfile;
+ type var_t, var_lock_t;
+ ')
+
+ allow $1 { var_t var_lock_t }:dir search_dir_perms;
+ allow $1 lockfile:dir r_dir_perms;
+ allow $1 lockfile:file r_file_perms;
+ allow $1 lockfile:lnk_file { getattr read };
+')
+
+########################################
#
# files_create_lock(domain,private_type,[object class(es)])
#
@@ -3257,4 +3277,4 @@ interface(`files_write_non_security_dir',`
')
allow $1 file_type:dir write;
-')
\ No newline at end of file
+')
More information about the scm-commits
mailing list