[selinux-policy: 1083/3172] add lockdev

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 20:38:27 UTC 2010 

commit 1ae2c3135007910662afc7e76c935d29c4b671c6
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Wed Jan 11 20:18:56 2006 +0000

    add lockdev

 refpolicy/Changelog                      |    1 +
 refpolicy/policy/modules/apps/lockdev.fc |    2 +
 refpolicy/policy/modules/apps/lockdev.if |   81 ++++++++++++++++++++++++++++++
 refpolicy/policy/modules/apps/lockdev.te |   10 ++++
 refpolicy/policy/modules/kernel/files.if |   22 ++++++++-
 5 files changed, 115 insertions(+), 1 deletions(-)
---
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index a8d14de..0ceec0a 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -9,6 +9,7 @@
 	ddcprobe
 	fetchmail
 	irc
+	lockdev
 	logwatch (Dan Walsh)
 	openct
 	readahead
diff --git a/refpolicy/policy/modules/apps/lockdev.fc b/refpolicy/policy/modules/apps/lockdev.fc
new file mode 100644
index 0000000..8b5ce03
--- /dev/null
+++ b/refpolicy/policy/modules/apps/lockdev.fc
@@ -0,0 +1,2 @@
+
+/usr/sbin/lockdev	--	gen_context(system_u:object_r:lockdev_exec_t,s0)
diff --git a/refpolicy/policy/modules/apps/lockdev.if b/refpolicy/policy/modules/apps/lockdev.if
new file mode 100644
index 0000000..2e4e8ca
--- /dev/null
+++ b/refpolicy/policy/modules/apps/lockdev.if
@@ -0,0 +1,81 @@
+## <summary>device locking policy for lockdev</summary>
+
+#######################################
+## <summary>
+##	The per user domain template for the lockdev module.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates derived domains which are used
+##	for lockdev. A derived type is also created to protect
+##	the user's device locks.
+##	</p>
+##	<p>
+##	This template is invoked automatically for each user, and
+##	generally does not need to be invoked directly
+##	by policy writers.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+## </param>
+## <param name="user_domain">
+##	The type of the user domain.
+## </param>
+## <param name="user_role">
+##	The role associated with the user domain.
+## </param>
+#
+template(`lockdev_per_userdomain_template',`
+	gen_require(`
+		type lockdev_exec_t;
+	')
+
+	########################################
+	#
+	# Declarations
+	#
+
+	type $1_lockdev_t;
+	domain_type($1_lockdev_t)
+	domain_entry_file($1_lockdev_t,lockdev_exec_t)
+	role $3 types $1_lockdev_t;
+
+	type $1_lockdev_lock_t;
+	files_lock_file($1_lockdev_lock_t)
+
+	########################################
+	#
+	# Local policy
+	#
+
+	# Use capabilities.
+	allow $1_lockdev_t self:capability setgid;
+	allow $1_lockdev_t $2:process signull;
+
+	# Transition from the user domain to the derived domain.
+	domain_auto_trans($2, lockdev_exec_t, $1_lockdev_t)
+	allow $2 $1_lockdev_t:fd use;
+	allow $1_lockdev_t $2:fd use;
+	allow $1_lockdev_t $2:fifo_file rw_file_perms;
+	allow $1_lockdev_t $2:process sigchld;
+
+	allow $1_lockdev_t $1_lockdev_lock_t:file create_file_perms;
+	files_create_lock($1_lockdev_t,$1_lockdev_lock_t)
+
+	files_read_all_locks($1_lockdev_t)
+
+	fs_getattr_xattr_fs($1_lockdev_t)
+	
+	libs_use_ld_so($1_lockdev_t)
+	libs_use_shared_libs($1_lockdev_t)
+
+	logging_send_syslog_msg($1_lockdev_t)
+
+	userdom_use_user_terminals($1, $1_lockdev_t)
+	
+	optional_policy(`logging',`
+		logging_send_syslog_msg($1_t)
+	')
+')
diff --git a/refpolicy/policy/modules/apps/lockdev.te b/refpolicy/policy/modules/apps/lockdev.te
new file mode 100644
index 0000000..06eae58
--- /dev/null
+++ b/refpolicy/policy/modules/apps/lockdev.te
@@ -0,0 +1,10 @@
+
+policy_module(lockdev,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type lockdev_exec_t;
+files_type(lockdev_exec_t)
diff --git a/refpolicy/policy/modules/kernel/files.if b/refpolicy/policy/modules/kernel/files.if
index cafee78..f0ef6a4 100644
--- a/refpolicy/policy/modules/kernel/files.if
+++ b/refpolicy/policy/modules/kernel/files.if
@@ -2880,6 +2880,26 @@ interface(`files_delete_all_locks',`
 ')
 
 ########################################
+## <summary>
+##	Read all lock files.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`files_read_all_locks',`
+	gen_require(`
+		attribute lockfile;
+		type var_t, var_lock_t;
+	')
+
+	allow $1 { var_t var_lock_t }:dir search_dir_perms;
+	allow $1 lockfile:dir r_dir_perms;
+	allow $1 lockfile:file r_file_perms;
+	allow $1 lockfile:lnk_file { getattr read };
+')
+
+########################################
 #
 # files_create_lock(domain,private_type,[object class(es)])
 #
@@ -3257,4 +3277,4 @@ interface(`files_write_non_security_dir',`
 	')
 
 	allow $1 file_type:dir write;
-')
\ No newline at end of file
+')

More information about the scm-commits mailing list