[selinux-policy: 1801/3172] trunk: udev update and brctl module from dan.
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 21:40:44 UTC 2010
commit 8241b538af7ef15d1a3b64c2ff36fe435cfd164e
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Wed Sep 5 17:55:57 2007 +0000
trunk: udev update and brctl module from dan.
Changelog | 1 +
policy/modules/admin/brctl.fc | 1 +
policy/modules/admin/brctl.if | 19 +++++++++++++++
policy/modules/admin/brctl.te | 47 ++++++++++++++++++++++++++++++++++++++
policy/modules/kernel/devices.fc | 9 ++++++-
policy/modules/kernel/devices.te | 2 +-
policy/modules/system/udev.te | 43 +++++++++++++++++++++++++++++++++-
7 files changed, 118 insertions(+), 4 deletions(-)
---
diff --git a/Changelog b/Changelog
index 8cb7b33..23fe8d4 100644
--- a/Changelog
+++ b/Changelog
@@ -16,6 +16,7 @@
- Add debian apcupsd binary location, from Stefan Schulze Frielinghaus.
- Added modules:
application
+ brctl (Dan Walsh)
* Fri Jun 29 2007 Chris PeBenito <selinux at tresys.com> - 20070629
- Fix incorrectly named files_lib_filetrans_shared_lib() interface in the
diff --git a/policy/modules/admin/brctl.fc b/policy/modules/admin/brctl.fc
new file mode 100644
index 0000000..642f67e
--- /dev/null
+++ b/policy/modules/admin/brctl.fc
@@ -0,0 +1 @@
+/usr/sbin/brctl -- gen_context(system_u:object_r:brctl_exec_t,s0)
diff --git a/policy/modules/admin/brctl.if b/policy/modules/admin/brctl.if
new file mode 100644
index 0000000..71b431d
--- /dev/null
+++ b/policy/modules/admin/brctl.if
@@ -0,0 +1,19 @@
+## <summary>Utilities for configuring the linux ethernet bridge</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run brctl.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`brctl_domtrans',`
+ gen_require(`
+ type brctl_t, brctl_exec_t;
+ ')
+
+ domtrans_pattern($1,brctl_exec_t,brctl_t)
+')
diff --git a/policy/modules/admin/brctl.te b/policy/modules/admin/brctl.te
new file mode 100644
index 0000000..133cd2d
--- /dev/null
+++ b/policy/modules/admin/brctl.te
@@ -0,0 +1,47 @@
+policy_module(brctl,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type brctl_t;
+type brctl_exec_t;
+domain_type(brctl_t)
+init_system_domain(brctl_t, brctl_exec_t)
+
+########################################
+#
+# brctl local policy
+#
+
+allow brctl_t self:capability net_admin;
+allow brctl_t self:fifo_file rw_file_perms;
+allow brctl_t self:unix_stream_socket create_stream_socket_perms;
+allow brctl_t self:unix_dgram_socket create_socket_perms;
+allow brctl_t self:tcp_socket create_socket_perms;
+
+kernel_load_module(brctl_t)
+kernel_read_network_state(brctl_t)
+kernel_read_sysctl(brctl_t)
+
+dev_rw_sysfs(brctl_t)
+
+# Init script handling
+domain_use_interactive_fds(brctl_t)
+
+files_read_etc_files(brctl_t)
+
+libs_use_ld_so(brctl_t)
+libs_use_shared_libs(brctl_t)
+
+miscfiles_read_localization(brctl_t)
+
+ifdef(`targeted_policy',`
+ term_dontaudit_use_unallocated_ttys(brctl_t)
+ term_dontaudit_use_generic_ptys(brctl_t)
+')
+
+optional_policy(`
+ xen_append_log(brctl_t)
+')
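Review bot: `kernel_load_module(brctl_t)` in the new brctl.te gives the bridge tool a module-loading privilege that nothing in the module explains, while the bridge ioctls themselves need only the `net_admin` capability granted at the top of the local policy section. If the grant exists only because the first `brctl addbr` makes the kernel autoload the bridge module, that should be stated in a comment — `# first addbr triggers autoload of the bridge module` — and a dontaudit may be the smaller answer if the operation already succeeds without it; the diff does not show which it is. The `self:tcp_socket` rule also deserves a why-comment, since brctl presumably opens the socket only as an ioctl handle and never connects: `# socket is used as the bridge ioctl handle only`. `domain_type(brctl_t)` directly above `init_system_domain` looks redundant if `init_system_domain` already makes the type a domain through its `application_domain` call — worth confirming against init.if before dropping it.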
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
index 2fc074c..7334fc7 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -12,6 +12,7 @@
/dev/atibm -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/audio.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/beep -c gen_context(system_u:object_r:sound_device_t,s0)
+/dev/dmfm -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/efirtc -c gen_context(system_u:object_r:clock_device_t,s0)
/dev/em8300.* -c gen_context(system_u:object_r:v4l_device_t,s0)
@@ -53,7 +54,7 @@
/dev/radio.* -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/random -c gen_context(system_u:object_r:random_device_t,s0)
/dev/raw1394.* -c gen_context(system_u:object_r:v4l_device_t,s0)
-/dev/(misc/)?rtc -c gen_context(system_u:object_r:clock_device_t,s0)
+/dev/(misc/)?rtc[0-9]* -c gen_context(system_u:object_r:clock_device_t,s0)
/dev/sequencer -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/sequencer2 -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/smpte.* -c gen_context(system_u:object_r:sound_device_t,s0)
@@ -64,7 +65,9 @@
/dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0)
+/dev/usbmon[0-9]+ -c gen_context(system_u:object_r:usb_device_t,s0)
/dev/usbdev.* -c gen_context(system_u:object_r:usb_device_t,s0)
+/dev/usb[0-9]+ -c gen_context(system_u:object_r:usb_device_t,s0)
/dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0)
ifdef(`distro_suse', `
/dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0)
@@ -110,6 +113,10 @@ ifdef(`distro_suse', `
/dev/xen/blktap.* -c gen_context(system_u:object_r:xen_device_t,s0)
/dev/xen/evtchn -c gen_context(system_u:object_r:xen_device_t,s0)
+/etc/udev/devices -d gen_context(system_u:object_r:device_t,s0)
+
+/lib/udev/devices -d gen_context(system_u:object_r:device_t,s0)
+
ifdef(`distro_debian',`
# used by udev init script as temporary mount point
/lib/udev/devices -d gen_context(system_u:object_r:device_t,s0)
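Review bot: The unconditional `/lib/udev/devices -d` entry added above makes the `ifdef(`distro_debian'` entry for the same path, two lines below it, redundant: both assign `device_t`, so the Debian block now only repeats a spec the generated file_contexts already carries. Fold the Debian entry (and its comment about the udev init script's temporary mount point) into the new unconditional line and drop the `ifdef` if nothing else remains in it, or keep the ifdef and remove the new line, so one path does not get two specifications. The `/etc/udev/devices` entry has no such counterpart and is fine as added. The `ifdef` block closes outside the hunk.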
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 9140df6..734b489 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,5 +1,5 @@
-policy_module(devices,1.5.0)
+policy_module(devices,1.5.1)
########################################
#
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 028789b..5864115 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -1,5 +1,5 @@
-policy_module(udev,1.7.0)
+policy_module(udev,1.7.1)
########################################
#
@@ -68,8 +68,9 @@ allow udev_t udev_etc_t:file read_file_perms;
allow udev_t udev_tbl_t:file manage_file_perms;
dev_filetrans(udev_t,udev_tbl_t,file)
+manage_dirs_pattern(udev_t,udev_var_run_t,udev_var_run_t)
manage_files_pattern(udev_t,udev_var_run_t,udev_var_run_t)
-files_pid_filetrans(udev_t,udev_var_run_t,file)
+files_pid_filetrans(udev_t,udev_var_run_t,{ dir file })
kernel_read_system_state(udev_t)
kernel_getattr_core_if(udev_t)
@@ -83,16 +84,23 @@ kernel_rw_unix_dgram_sockets(udev_t)
kernel_dgram_send(udev_t)
kernel_signal(udev_t)
+#https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182
+kernel_rw_net_sysctls(udev_t)
+kernel_read_network_state(udev_t)
+
corecmd_exec_all_executables(udev_t)
dev_rw_sysfs(udev_t)
dev_manage_all_dev_nodes(udev_t)
dev_rw_generic_files(udev_t)
dev_delete_generic_files(udev_t)
+dev_search_usbfs(udev_t)
+dev_relabel_all_dev_nodes(udev_t)
domain_read_all_domains_state(udev_t)
domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
+files_read_usr_files(udev_t)
files_read_etc_runtime_files(udev_t)
files_read_etc_files(udev_t)
files_exec_etc_files(udev_t)
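Review bot: The `#https://bugzilla.redhat.com/...` line that introduces `kernel_rw_net_sysctls` and `kernel_read_network_state` documents the rules only by link, so a reader of the policy has to leave it to learn why udev writes network sysctls; state the reason in the comment itself and keep the URL as a reference, e.g. `# udev rules adjust per-interface net sysctls on hotplug, see bz 235182` with the actual cause substituted once confirmed. `dev_relabel_all_dev_nodes(udev_t)` further down is a broad grant covering every device node type and also goes in without a comment; presumably it covers udev calling setfilecon on the nodes it creates, and saying so — `# udev sets the context of nodes it creates` — would make the scope of the grant reviewable later. Both rules sit inside the main udev_t policy, whose start and end are outside this hunk.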
@@ -144,6 +152,12 @@ seutil_domtrans_setfiles(udev_t)
sysnet_domtrans_ifconfig(udev_t)
sysnet_domtrans_dhcpc(udev_t)
+sysnet_rw_dhcp_config(udev_t)
+sysnet_read_dhcpc_pid(udev_t)
+sysnet_delete_dhcpc_pid(udev_t)
+sysnet_signal_dhcpc(udev_t)
+sysnet_manage_config(udev_t)
+sysnet_etc_filetrans_config(udev_t)
userdom_use_sysadm_ttys(udev_t)
userdom_dontaudit_search_all_users_home_content(udev_t)
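Review bot: `sysnet_manage_config(udev_t)` together with `sysnet_etc_filetrans_config(udev_t)` lets udev create and rewrite the network configuration files under /etc, and `sysnet_rw_dhcp_config` the DHCP client configuration, with no comment on which udev helper needs that; the adjacent dhcpc pid and signal rules suggest a network hotplug script, but the diff does not say. Add a why-comment above the block, e.g. `# network hotplug helpers run from udev rewrite the network config` with the real trigger substituted, so the write access can be re-checked when those helpers change. If the writer is a separate script, a domain transition for it would keep the write privilege out of udev_t itself, which already carries dev_manage_all_dev_nodes and corecmd_exec_all_executables.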
@@ -176,6 +190,10 @@ ifdef(`targeted_policy',`
')
optional_policy(`
+ brctl_domtrans(udev_t)
+')
+
+optional_policy(`
consoletype_exec(udev_t)
')
@@ -184,6 +202,10 @@ optional_policy(`
')
optional_policy(`
+ fstools_domtrans(udev_t)
+')
+
+optional_policy(`
hal_dgram_send(udev_t)
')
@@ -194,5 +216,22 @@ optional_policy(`
')
optional_policy(`
+ openct_read_pid_files(udev_t)
+ openct_domtrans(udev_t)
+')
+
+optional_policy(`
+ pcscd_read_pub_files(udev_t)
+ pcscd_domtrans(udev_t)
+')
+
+optional_policy(`
+ kernel_write_xen_state(udev_t)
+ kernel_read_xen_state(udev_t)
+ xen_manage_log(udev_t)
+ xen_read_image_files(udev_t)
+')
+
+optional_policy(`
xserver_read_xdm_pid(udev_t)
')