[selinux-policy: 1746/3172] trunk: 5 patches from dan

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:35:53 UTC 2010


commit d534d35a7efdf36af055650393b55dfbfcad432b
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Mon Jun 11 15:01:10 2007 +0000

    trunk: 5 patches from dan

 Changelog                          |    1 +
 policy/modules/kernel/devices.fc   |    3 +
 policy/modules/kernel/devices.if   |   74 ++++++++++++++++++++++++++++
 policy/modules/kernel/devices.te   |    6 ++
 policy/modules/kernel/storage.if   |    1 +
 policy/modules/services/openct.fc  |    3 +-
 policy/modules/services/openct.if  |   94 ++++++++++++++++++++++++++++++++++++
 policy/modules/services/openct.te  |    4 ++
 policy/modules/services/pcscd.te   |    7 +++
 policy/modules/system/libraries.fc |    3 +
 policy/modules/system/libraries.te |    3 +-
 policy/modules/system/raid.te      |    1 +
 12 files changed, 198 insertions(+), 2 deletions(-)
---
diff --git a/Changelog b/Changelog
index f32025a..0290b04 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Openct updates patch from Dan Walsh.
 - Merge restorecon into setfiles.
 - Patch to begin separating out hald helper programs from Dan Walsh.
 - Fixes for squid, dovecot, and snmp from Dan Walsh.
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
index e0ef469..2fc074c 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -19,6 +19,7 @@
 /dev/evtchn		-c	gen_context(system_u:object_r:xen_device_t,s0)
 /dev/fb[0-9]*		-c	gen_context(system_u:object_r:framebuf_device_t,s0)
 /dev/full		-c	gen_context(system_u:object_r:null_device_t,s0)
+/dev/fw.*		-c	gen_context(system_u:object_r:usb_device_t,s0)
 /dev/hiddev.*		-c	gen_context(system_u:object_r:usb_device_t,s0)
 /dev/hpet		-c	gen_context(system_u:object_r:clock_device_t,s0)
 /dev/hw_random		-c	gen_context(system_u:object_r:random_device_t,s0)
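Review bot: `/dev/fw.*` is the FireWire (ieee1394) character-device namespace, and labelling it usb_device_t folds raw FireWire node access into every domain that already has usb_device_t, including openct_t, which gains `dev_rw_generic_usb_dev(openct_t)` in openct.te in this same commit. A dedicated device type, or a pattern narrowed to the reader nodes that are actually needed, would keep the two bus policies separate. If sharing the type is deliberate, the reason should sit beside the line, e.g. `# FireWire (/dev/fw*) nodes deliberately share usb_device_t — TODO confirm which readers need this`.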
@@ -81,6 +82,8 @@ ifdef(`distro_suse', `
 
 /dev/bus/usb/.*/[0-9]+	-c	gen_context(system_u:object_r:usb_device_t,s0)
 
+/dev/cmx.*		-c	gen_context(system_u:object_r:smartcard_device_t,s0)
+
 /dev/cpu/.*		-c	gen_context(system_u:object_r:cpu_device_t,s0)
 /dev/cpu/mtrr		-c	gen_context(system_u:object_r:mtrr_device_t,s0)
 
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 27973bb..cd19f57 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -2431,6 +2431,80 @@ interface(`dev_rw_power_management',`
 
 ########################################
 ## <summary>
+##	Getattr on smartcard devices
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_getattr_smartcard_dev',`
+	gen_require(`
+		type smartcard_device_t;
+	')
+
+	allow $1 smartcard_device_t:chr_file getattr;
+
+')
+
+########################################
+## <summary>
+##	dontaudit getattr on smartcard devices
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_getattr_smartcard_dev',`
+	gen_require(`
+		type smartcard_device_t;
+	')
+
+	dontaudit $1 smartcard_device_t:chr_file getattr;
+
+')
+
+########################################
+## <summary>
+##	Read and write smartcard devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_smartcard',`
+	gen_require(`
+		type device_t, smartcard_device_t;
+	')
+
+	rw_chr_files_pattern($1,device_t,smartcard_device_t)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete smartcard devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_manage_smartcard',`
+	gen_require(`
+		type device_t, smartcard_device_t;
+	')
+
+	manage_chr_files_pattern($1,device_t,smartcard_device_t)
+')
+
+########################################
+## <summary>
 ##	Get the attributes of sysfs directories.
 ## </summary>
 ## <param name="domain">
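Review bot: `dev_getattr_smartcard_dev` and `dev_dontaudit_getattr_smartcard_dev` are written as raw `allow`/`dontaudit` rules while `dev_rw_smartcard` and `dev_manage_smartcard` use the `*_chr_files_pattern` helpers, so the getattr interface, unlike its siblings, grants no search on device_t and the four new names are inconsistent (`_dev` suffix on two, none on the other two). The allow variant would read the same as the others as `getattr_chr_files_pattern($1, device_t, smartcard_device_t)`, and `dev_rw_smartcard_dev`/`dev_manage_smartcard_dev` would match the existing `dev_rw_generic_usb_dev` naming, though openct.te's `dev_rw_smartcard(openct_t)` call would then need updating too. The blank line before `')` in the two getattr interfaces is also out of step with the rest of the file.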
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index f7c7bc4..553a92b 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -137,6 +137,12 @@ type scanner_device_t;
 dev_node(scanner_device_t)
 
 #
+# Type for smartcards
+#
+type smartcard_device_t;
+dev_node(smartcard_device_t)
+
+#
 # Type for sound devices and mixers
 #
 type sound_device_t;
diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
index bc7c840..8781fe6 100644
--- a/policy/modules/kernel/storage.if
+++ b/policy/modules/kernel/storage.if
@@ -184,6 +184,7 @@ interface(`storage_manage_fixed_disk',`
 	')
 
 	dev_list_all_dev_nodes($1)
+	allow $1 self:capability mknod;
 	allow $1 fixed_disk_device_t:blk_file manage_blk_file_perms;
 	typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
 ')
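Review bot: The new `allow $1 self:capability mknod;` grants CAP_MKNOD to every caller of `storage_manage_fixed_disk`, not just mdadm_t, and a capability that lets a domain create arbitrary device nodes does not belong in a file-access interface whose callers only asked to manage fixed-disk nodes. The rule should live in the one domain that needs it, as `allow mdadm_t self:capability mknod;` in raid.te next to the `storage_manage_fixed_disk(mdadm_t)` call that this commit also touches. `storage_manage_fixed_disk` begins before the hunk, so its other existing callers are not visible here and would all be widened silently.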
diff --git a/policy/modules/services/openct.fc b/policy/modules/services/openct.fc
index 8aaadc5..58c8816 100644
--- a/policy/modules/services/openct.fc
+++ b/policy/modules/services/openct.fc
@@ -1,7 +1,8 @@
 #
 # /usr
 #
-/usr/sbin/openct-control	 --	gen_context(system_u:object_r:openct_exec_t,s0)
+/usr/sbin/ifdhandler		--	gen_context(system_u:object_r:openct_exec_t,s0)
+/usr/sbin/openct-control	--	gen_context(system_u:object_r:openct_exec_t,s0)
 
 #
 # /var
diff --git a/policy/modules/services/openct.if b/policy/modules/services/openct.if
index 6df1a48..b947cfd 100644
--- a/policy/modules/services/openct.if
+++ b/policy/modules/services/openct.if
@@ -1 +1,95 @@
 ## <summary>Service for handling smart card readers.</summary>
+
+########################################
+## <summary>
+##	Send openct a null signal.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`openct_signull',`
+	gen_require(`
+		type openct_t;
+	')
+
+	allow $1 openct_t:process signull;
+')
+
+########################################
+## <summary>
+##	Execute openct in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openct_exec',`
+	gen_require(`
+		type openct_t, openct_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1,openct_exec_t)
+')
+
+########################################
+## <summary>
+##	Execute a domain transition to run openct.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`openct_domtrans',`
+	gen_require(`
+		type openct_t, openct_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1,openct_exec_t,openct_t)
+')
+
+########################################
+## <summary>
+##	Read openct PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`openct_read_pid_files',`
+	gen_require(`
+		type openct_var_run_t;
+	')
+
+	files_search_pids($1)
+	read_files_pattern($1,openct_var_run_t,openct_var_run_t)
+')
+
+########################################
+## <summary>
+##	Connect to openct over an unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`openct_stream_connect',`
+	gen_require(`
+		type openct_t, openct_var_run_t;
+	')
+
+	files_search_pids($1)
+	stream_connect_pattern($1,openct_var_run_t,openct_var_run_t,openct_t)
+')
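Review bot: `openct_exec` lists `openct_t` in its `gen_require` but never uses it, so the requirement should shrink to `type openct_exec_t;` to avoid a needless dependency for callers. The parameter docs of `openct_exec` and `openct_domtrans` also indent `<summary>` differently from the other three interfaces (no leading tab inside `<param>`), and the `openct_stream_connect` summary reads "an unix stream socket" where "a unix stream socket" is meant.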
diff --git a/policy/modules/services/openct.te b/policy/modules/services/openct.te
index 2bb27db..2e3e602 100644
--- a/policy/modules/services/openct.te
+++ b/policy/modules/services/openct.te
@@ -31,6 +31,8 @@ kernel_read_proc_symlinks(openct_t)
 dev_read_sysfs(openct_t)
 # openct asks for this
 dev_rw_usbfs(openct_t)
+dev_rw_smartcard(openct_t)
+dev_rw_generic_usb_dev(openct_t)
 
 domain_use_interactive_fds(openct_t)
 
@@ -50,6 +52,8 @@ miscfiles_read_localization(openct_t)
 userdom_dontaudit_use_unpriv_user_fds(openct_t)
 userdom_dontaudit_search_sysadm_home_dirs(openct_t)
 
+openct_exec(openct_t)
+
 ifdef(`targeted_policy',`
 	term_dontaudit_use_unallocated_ttys(openct_t)
 	term_dontaudit_use_generic_ptys(openct_t)
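Review bot: `openct_exec(openct_t)` has no comment, and a domain executing its own entrypoint type without a transition reads as a mistake unless the reason is stated. Presumably this is for /usr/sbin/ifdhandler, which this commit labels openct_exec_t in openct.fc and which openct-control appears to run as a helper; a line such as `# openct-control runs ifdhandler (also openct_exec_t) in its own domain` would make that intent explicit.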
diff --git a/policy/modules/services/pcscd.te b/policy/modules/services/pcscd.te
index 9d04d41..681aa61 100644
--- a/policy/modules/services/pcscd.te
+++ b/policy/modules/services/pcscd.te
@@ -21,6 +21,7 @@ files_pid_file(pcscd_var_run_t)
 #
 
 allow pcscd_t self:capability { dac_override dac_read_search };
+allow pcscd_t self:process signal;
 allow pcscd_t self:fifo_file { read write };
 allow pcscd_t self:unix_stream_socket create_stream_socket_perms;
 allow pcscd_t self:unix_dgram_socket create_socket_perms;
@@ -62,5 +63,11 @@ ifdef(`targeted_policy',`
 ')
 
 optional_policy(`
+	openct_stream_connect(pcscd_t)
+	openct_read_pid_files(pcscd_t)
+	openct_signull(pcscd_t)
+')
+
+optional_policy(`
 	rpm_use_script_fds(pcscd_t)
 ')
diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
index 6c5a096..db4b55c 100644
--- a/policy/modules/system/libraries.fc
+++ b/policy/modules/system/libraries.fc
@@ -133,6 +133,8 @@ ifdef(`distro_gentoo',`
 /usr/(.*/)?nvidia/.+\.so(\..*)?		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 /usr/lib/transgaming_cedega/gddb_parser.so --	gen_context(system_u:object_r:shlib_t,s0)
+/usr/lib/vlc/codec/libdmo_plugin.so	   --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/vlc/codec/librealaudio_plugin.so  --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/win32/.*			--	gen_context(system_u:object_r:shlib_t,s0)
 
 /usr/(.*/)?lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -149,6 +151,7 @@ ifdef(`distro_gentoo',`
 /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/xorg/libGL\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/xulrunner-[^/]*/libxul\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
index 3a6d102..f849f0f 100644
--- a/policy/modules/system/libraries.te
+++ b/policy/modules/system/libraries.te
@@ -62,7 +62,8 @@ files_etc_filetrans(ldconfig_t,ld_so_cache_t,file)
 
 manage_dirs_pattern(ldconfig_t,ldconfig_tmp_t,ldconfig_tmp_t)
 manage_files_pattern(ldconfig_t,ldconfig_tmp_t,ldconfig_tmp_t)
-files_tmp_filetrans(ldconfig_t, ldconfig_tmp_t, { file dir })
+manage_lnk_files_pattern(ldconfig_t,ldconfig_tmp_t,ldconfig_tmp_t)
+files_tmp_filetrans(ldconfig_t, ldconfig_tmp_t, { file dir lnk_file })
 
 manage_lnk_files_pattern(ldconfig_t,lib_t,lib_t)
 
diff --git a/policy/modules/system/raid.te b/policy/modules/system/raid.te
index 3ded450..59a7d69 100644
--- a/policy/modules/system/raid.te
+++ b/policy/modules/system/raid.te
@@ -46,6 +46,7 @@ fs_dontaudit_list_tmpfs(mdadm_t)
 # RAID block device access
 storage_manage_fixed_disk(mdadm_t)
 storage_dev_filetrans_fixed_disk(mdadm_t)
+storage_read_scsi_generic(mdadm_t)
 
 term_dontaudit_list_ptys(mdadm_t)
 

