[selinux-policy: 1801/3172] trunk: udev update and brctl module from dan.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:40:44 UTC 2010


commit 8241b538af7ef15d1a3b64c2ff36fe435cfd164e
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Wed Sep 5 17:55:57 2007 +0000

    trunk: udev update and brctl module from dan.

 Changelog                        |    1 +
 policy/modules/admin/brctl.fc    |    1 +
 policy/modules/admin/brctl.if    |   19 +++++++++++++++
 policy/modules/admin/brctl.te    |   47 ++++++++++++++++++++++++++++++++++++++
 policy/modules/kernel/devices.fc |    9 ++++++-
 policy/modules/kernel/devices.te |    2 +-
 policy/modules/system/udev.te    |   43 +++++++++++++++++++++++++++++++++-
 7 files changed, 118 insertions(+), 4 deletions(-)
---
diff --git a/Changelog b/Changelog
index 8cb7b33..23fe8d4 100644
--- a/Changelog
+++ b/Changelog
@@ -16,6 +16,7 @@
 - Add debian apcupsd binary location, from Stefan Schulze Frielinghaus.
 - Added modules:
 	application
+	brctl (Dan Walsh)
 
 * Fri Jun 29 2007 Chris PeBenito <selinux at tresys.com> - 20070629
 - Fix incorrectly named files_lib_filetrans_shared_lib() interface in the
diff --git a/policy/modules/admin/brctl.fc b/policy/modules/admin/brctl.fc
new file mode 100644
index 0000000..642f67e
--- /dev/null
+++ b/policy/modules/admin/brctl.fc
@@ -0,0 +1 @@
+/usr/sbin/brctl		--	gen_context(system_u:object_r:brctl_exec_t,s0)
diff --git a/policy/modules/admin/brctl.if b/policy/modules/admin/brctl.if
new file mode 100644
index 0000000..71b431d
--- /dev/null
+++ b/policy/modules/admin/brctl.if
@@ -0,0 +1,19 @@
+## <summary>Utilities for configuring the linux ethernet bridge</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run brctl.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`brctl_domtrans',`
+	gen_require(`
+		type brctl_t, brctl_exec_t;
+	')
+
+	domtrans_pattern($1,brctl_exec_t,brctl_t)
+')
diff --git a/policy/modules/admin/brctl.te b/policy/modules/admin/brctl.te
new file mode 100644
index 0000000..133cd2d
--- /dev/null
+++ b/policy/modules/admin/brctl.te
@@ -0,0 +1,47 @@
+policy_module(brctl,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type brctl_t;
+type brctl_exec_t;
+domain_type(brctl_t)
+init_system_domain(brctl_t, brctl_exec_t)
+
+########################################
+#
+# brctl local policy
+#
+
+allow brctl_t self:capability net_admin;
+allow brctl_t self:fifo_file rw_file_perms;
+allow brctl_t self:unix_stream_socket create_stream_socket_perms;
+allow brctl_t self:unix_dgram_socket create_socket_perms;
+allow brctl_t self:tcp_socket create_socket_perms;
+
+kernel_load_module(brctl_t)
+kernel_read_network_state(brctl_t)
+kernel_read_sysctl(brctl_t)
+
+dev_rw_sysfs(brctl_t)
+
+# Init script handling
+domain_use_interactive_fds(brctl_t)
+
+files_read_etc_files(brctl_t)
+
+libs_use_ld_so(brctl_t)
+libs_use_shared_libs(brctl_t)
+
+miscfiles_read_localization(brctl_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(brctl_t)
+	term_dontaudit_use_generic_ptys(brctl_t)
+')
+
+optional_policy(`
+	xen_append_log(brctl_t)
+')
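Review bot: `kernel_load_module(brctl_t)` near the top of the local policy hands a small bridge-configuration utility module-loading privilege with no comment saying which operation needs it, and the same goes for `allow brctl_t self:tcp_socket create_socket_perms;` on a domain that, as far as this hunk shows, opens no network connection (there are no corenet_* interfaces). Presumably both came from observed denials, and the TCP socket is likely only the descriptor brctl uses to issue its bridge ioctls, but without a note the grants will be copied forward verbatim. A one-line comment above each, e.g. `# tcp_socket is only the ioctl handle for bridge setup; module load needed for <trigger, see bug id placeholder>`, would let a later reviewer confirm the grant is still required and tighten it if not.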
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
index 2fc074c..7334fc7 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -12,6 +12,7 @@
 /dev/atibm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/audio.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/beep		-c	gen_context(system_u:object_r:sound_device_t,s0)
+/dev/dmfm		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/dsp.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/efirtc		-c	gen_context(system_u:object_r:clock_device_t,s0)
 /dev/em8300.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
@@ -53,7 +54,7 @@
 /dev/radio.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/random		-c	gen_context(system_u:object_r:random_device_t,s0)
 /dev/raw1394.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
-/dev/(misc/)?rtc	-c	gen_context(system_u:object_r:clock_device_t,s0)
+/dev/(misc/)?rtc[0-9]*	-c	gen_context(system_u:object_r:clock_device_t,s0)
 /dev/sequencer		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/sequencer2		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/smpte.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
@@ -64,7 +65,9 @@
 /dev/sonypi		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/tlk[0-3]		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/urandom		-c	gen_context(system_u:object_r:urandom_device_t,s0)
+/dev/usbmon[0-9]+	-c	gen_context(system_u:object_r:usb_device_t,s0)
 /dev/usbdev.*		-c	gen_context(system_u:object_r:usb_device_t,s0)
+/dev/usb[0-9]+		-c	gen_context(system_u:object_r:usb_device_t,s0)
 /dev/usblp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
 ifdef(`distro_suse', `
 /dev/usbscanner		-c	gen_context(system_u:object_r:scanner_device_t,s0)
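Review bot: `/dev/usbmon[0-9]+` is given `usb_device_t`, the same type as the generic USB device nodes on the neighbouring lines, but the usbmon nodes are the kernel's USB traffic-capture interface rather than a device endpoint. Every domain that already has read/write access to `usb_device_t` therefore also gains the ability to observe bus traffic, which is a different and more sensitive privilege than talking to one device. If that is not the intent, a dedicated type for these nodes would preserve the separation; at minimum a comment such as `# usbmon: USB traffic capture interface, deliberately shared with usb_device_t` should record the choice so it is not mistaken for an oversight later.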
@@ -110,6 +113,10 @@ ifdef(`distro_suse', `
 /dev/xen/blktap.*	-c	gen_context(system_u:object_r:xen_device_t,s0)
 /dev/xen/evtchn		-c	gen_context(system_u:object_r:xen_device_t,s0)
 
+/etc/udev/devices -d	gen_context(system_u:object_r:device_t,s0)
+
+/lib/udev/devices -d	gen_context(system_u:object_r:device_t,s0)
+
 ifdef(`distro_debian',`
 # used by udev init script as temporary mount point
 /lib/udev/devices	-d		gen_context(system_u:object_r:device_t,s0)
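Review bot: the unconditional `/lib/udev/devices -d` entry added here duplicates the `distro_debian` entry three lines below, which labels the same directory with the same context, so once the new line is in the Debian-only block is redundant and should be dropped, or the new line made distro-specific, whichever is intended. The two new lines also separate the path and `-d` with spaces where every neighbouring entry uses tabs. A short comment on the new lines stating why these directories carry `device_t` (presumably static nodes that udev copies into /dev at start-up, as the Debian block's comment suggests) would help, since the conditional block documents its reason and these do not.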
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 9140df6..734b489 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,5 +1,5 @@
 
-policy_module(devices,1.5.0)
+policy_module(devices,1.5.1)
 
 ########################################
 #
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 028789b..5864115 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -1,5 +1,5 @@
 
-policy_module(udev,1.7.0)
+policy_module(udev,1.7.1)
 
 ########################################
 #
@@ -68,8 +68,9 @@ allow udev_t udev_etc_t:file read_file_perms;
 allow udev_t udev_tbl_t:file manage_file_perms;
 dev_filetrans(udev_t,udev_tbl_t,file)
 
+manage_dirs_pattern(udev_t,udev_var_run_t,udev_var_run_t)
 manage_files_pattern(udev_t,udev_var_run_t,udev_var_run_t)
-files_pid_filetrans(udev_t,udev_var_run_t,file)
+files_pid_filetrans(udev_t,udev_var_run_t,{ dir file })
 
 kernel_read_system_state(udev_t)
 kernel_getattr_core_if(udev_t)
@@ -83,16 +84,23 @@ kernel_rw_unix_dgram_sockets(udev_t)
 kernel_dgram_send(udev_t)
 kernel_signal(udev_t)
 
+#https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182
+kernel_rw_net_sysctls(udev_t)
+kernel_read_network_state(udev_t)
+
 corecmd_exec_all_executables(udev_t)
 
 dev_rw_sysfs(udev_t)
 dev_manage_all_dev_nodes(udev_t)
 dev_rw_generic_files(udev_t)
 dev_delete_generic_files(udev_t)
+dev_search_usbfs(udev_t)
+dev_relabel_all_dev_nodes(udev_t)
 
 domain_read_all_domains_state(udev_t)
 domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these 
 
+files_read_usr_files(udev_t)
 files_read_etc_runtime_files(udev_t)
 files_read_etc_files(udev_t)
 files_exec_etc_files(udev_t)
@@ -144,6 +152,12 @@ seutil_domtrans_setfiles(udev_t)
 
 sysnet_domtrans_ifconfig(udev_t)
 sysnet_domtrans_dhcpc(udev_t)
+sysnet_rw_dhcp_config(udev_t)
+sysnet_read_dhcpc_pid(udev_t)
+sysnet_delete_dhcpc_pid(udev_t)
+sysnet_signal_dhcpc(udev_t)
+sysnet_manage_config(udev_t)
+sysnet_etc_filetrans_config(udev_t)
 
 userdom_use_sysadm_ttys(udev_t)
 userdom_dontaudit_search_all_users_home_content(udev_t)
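Review bot: `sysnet_manage_config(udev_t)` and `sysnet_etc_filetrans_config(udev_t)` give udev manage (create/write/delete) access to the network configuration file type under /etc plus a file transition into it, a considerably broader grant than the dhcpc pid and signal rules around them, and unlike the `kernel_rw_net_sysctls` addition earlier in this file there is no reference saying what requires it. If it is only needed so that dhclient launched from udev can update its configuration files, that should be stated, e.g. `# udev-invoked dhclient rewrites network config files (see <bug id placeholder>)`, so the grant can be revisited rather than carried forward by default. The udev_t policy block continues outside this hunk.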
@@ -176,6 +190,10 @@ ifdef(`targeted_policy',`
 ')
 
 optional_policy(`
+	brctl_domtrans(udev_t)
+')
+
+optional_policy(`
 	consoletype_exec(udev_t)
 ')
 
@@ -184,6 +202,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	fstools_domtrans(udev_t)
+')
+
+optional_policy(`
 	hal_dgram_send(udev_t)
 ')
 
@@ -194,5 +216,22 @@ optional_policy(`
 ')
 
 optional_policy(`
+	openct_read_pid_files(udev_t)
+	openct_domtrans(udev_t)
+')
+
+optional_policy(`
+	pcscd_read_pub_files(udev_t)
+	pcscd_domtrans(udev_t)
+')
+
+optional_policy(`
+	kernel_write_xen_state(udev_t)
+	kernel_read_xen_state(udev_t)
+	xen_manage_log(udev_t)
+	xen_read_image_files(udev_t)
+')
+
+optional_policy(`
 	xserver_read_xdm_pid(udev_t)
 ')

