[selinux-policy: 1800/3172] trunk: 4 patches from dan.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:40:33 UTC 2010


commit 016e5c5cdc3866645666dbdb2a388735e52c5a0e
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Wed Sep 5 14:48:21 2007 +0000

    trunk: 4 patches from dan.

 policy/modules/admin/bootloader.te |    3 +-
 policy/modules/admin/vbetool.te    |    3 +-
 policy/modules/services/clamav.fc  |    6 ++-
 policy/modules/services/clamav.te  |   15 ++++--
 policy/modules/services/hal.fc     |    5 ++
 policy/modules/services/hal.if     |   94 ++++++++++++++++++++++++++++++++++++
 policy/modules/services/hal.te     |   37 ++++++++++++++-
 policy/support/file_patterns.spt   |    5 ++
 8 files changed, 159 insertions(+), 9 deletions(-)
---
diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
index a467412..37f4d94 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -1,5 +1,5 @@
 
-policy_module(bootloader,1.5.1)
+policy_module(bootloader,1.5.2)
 
 ########################################
 #
@@ -185,6 +185,7 @@ optional_policy(`
 
 optional_policy(`
 	hal_dontaudit_append_lib_files(bootloader_t)
+	hal_write_log(bootloader_t)
 ')
 
 optional_policy(`
diff --git a/policy/modules/admin/vbetool.te b/policy/modules/admin/vbetool.te
index fb98c4e..0d72e4c 100644
--- a/policy/modules/admin/vbetool.te
+++ b/policy/modules/admin/vbetool.te
@@ -1,5 +1,5 @@
 
-policy_module(vbetool,1.1.0)
+policy_module(vbetool,1.1.1)
 
 ########################################
 #
@@ -32,4 +32,5 @@ miscfiles_read_localization(vbetool_t)
 
 optional_policy(`
 	hal_rw_pid_files(vbetool_t)
+	hal_write_log(vbetool_t)
 ')
diff --git a/policy/modules/services/clamav.fc b/policy/modules/services/clamav.fc
index f9790aa..0455984 100644
--- a/policy/modules/services/clamav.fc
+++ b/policy/modules/services/clamav.fc
@@ -1,6 +1,5 @@
 /etc/clamav(/.*)?			gen_context(system_u:object_r:clamd_etc_t,s0)
 
-
 /usr/bin/clamscan		--	gen_context(system_u:object_r:clamscan_exec_t,s0)
 /usr/bin/clamdscan		--	gen_context(system_u:object_r:clamscan_exec_t,s0)
 /usr/bin/freshclam		--	gen_context(system_u:object_r:freshclam_exec_t,s0)
@@ -9,8 +8,13 @@
 
 /var/run/amavis(d)?/clamd\.pid	--	gen_context(system_u:object_r:clamd_var_run_t,s0)
 /var/run/clamav(/.*)?			gen_context(system_u:object_r:clamd_var_run_t,s0)
+/var/run/clamd\..*			gen_context(system_u:object_r:clamd_var_run_t,s0)
+/var/run/clamav\..*			gen_context(system_u:object_r:clamd_var_run_t,s0)
+
 /var/lib/clamav(/.*)?			gen_context(system_u:object_r:clamd_var_lib_t,s0)
+
 /var/log/clamav			-d	gen_context(system_u:object_r:clamd_var_log_t,s0)
 /var/log/clamav/clamav.*	--	gen_context(system_u:object_r:clamd_var_log_t,s0)
 /var/log/clamav/freshclam.*	--	gen_context(system_u:object_r:freshclam_var_log_t,s0)
+
 /var/spool/amavisd/clamd\.sock	-s	gen_context(system_u:object_r:clamd_var_run_t,s0)
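Review bot: The new `/var/run/clamd\..*` and `/var/run/clamav\..*` entries carry no object-class specifier, unlike the neighbouring `clamd\.pid` (`--`) and `clamd\.sock` (`-s`) entries, so they label whatever object appears at a matching path, and because `.` also matches `/` they reach anything created beneath such a path as well. If only the daemon's regular pid files and sockets are meant, adding the `--` / `-s` specifier as the existing entries do keeps directories and symlinks at those paths out of the rule. Otherwise a one-line comment above the two entries stating what they are expected to cover would help the next reader.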
diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
index a6a8905..c4d4e5f 100644
--- a/policy/modules/services/clamav.te
+++ b/policy/modules/services/clamav.te
@@ -1,5 +1,5 @@
 
-policy_module(clamav,1.4.0)
+policy_module(clamav,1.4.1)
 
 ########################################
 #
@@ -74,17 +74,19 @@ manage_dirs_pattern(clamd_t,clamd_var_lib_t,clamd_var_lib_t)
 manage_files_pattern(clamd_t,clamd_var_lib_t,clamd_var_lib_t)
 
 # log files
-allow clamd_t clamd_var_log_t:dir setattr;
+manage_dirs_pattern(clamd_t,clamd_var_log_t,clamd_var_log_t)
 manage_files_pattern(clamd_t,clamd_var_log_t,clamd_var_log_t)
-logging_log_filetrans(clamd_t,clamd_var_log_t,file)
+logging_log_filetrans(clamd_t,clamd_var_log_t,{ dir file })
 
 # pid file
+manage_dirs_pattern(clamd_t,clamd_var_log_t,clamd_var_log_t)
 manage_files_pattern(clamd_t,clamd_var_run_t,clamd_var_run_t)
 manage_sock_files_pattern(clamd_t,clamd_var_run_t,clamd_var_run_t)
-files_pid_filetrans(clamd_t,clamd_var_run_t,file)
+files_pid_filetrans(clamd_t,clamd_var_run_t,{ file dir })
 
 kernel_dontaudit_list_proc(clamd_t)
 kernel_read_sysctl(clamd_t)
+kernel_read_kernel_sysctls(clamd_t)
 
 corenet_all_recvfrom_unlabeled(clamd_t)
 corenet_all_recvfrom_netlabel(clamd_t)
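Review bot: Under the `# pid file` comment the added `manage_dirs_pattern(clamd_t,clamd_var_log_t,clamd_var_log_t)` repeats the line already added in the log-file section and names the wrong type: `files_pid_filetrans(clamd_t,clamd_var_run_t,{ file dir })` on the line below now transitions directories into clamd_var_run_t, yet nothing in this hunk grants clamd_t any dir permissions on clamd_var_run_t, so the directory transition cannot be exercised. The line should read `manage_dirs_pattern(clamd_t,clamd_var_run_t,clamd_var_run_t)`. As written the duplicate hides the missing rule rather than widening anything.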
@@ -213,7 +215,7 @@ manage_files_pattern(clamscan_t,clamscan_tmp_t,clamscan_tmp_t)
 files_tmp_filetrans(clamscan_t,clamscan_tmp_t,{ file dir })
 
 # var/lib files together with clamd
-read_files_pattern(clamscan_t,clamd_var_lib_t,clamd_var_lib_t)
+manage_files_pattern(clamscan_t,clamd_var_lib_t,clamd_var_lib_t)
 allow clamscan_t clamd_var_lib_t:dir list_dir_perms;
 
 kernel_read_kernel_sysctls(clamscan_t)
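Review bot: Replacing `read_files_pattern` with `manage_files_pattern` gives clamscan_t create, write, rename and unlink on clamd_var_lib_t, the type the comment ties to clamd's var/lib data, so the on-demand scanner domain can now alter the same files the daemon loads. If that is intended, a comment above the line naming which files clamscan has to write would justify the widening; if only a subset needs writing, a dedicated type for those files would keep the shared data read-only to the scanner. The enclosing clamscan_t section continues outside the hunk.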
@@ -222,6 +224,9 @@ files_read_etc_files(clamscan_t)
 files_read_etc_runtime_files(clamscan_t)
 files_search_var_lib(clamscan_t)
 
+init_read_utmp(clamscan_t)
+init_dontaudit_write_utmp(clamscan_t)
+
 libs_use_ld_so(clamscan_t)
 libs_use_shared_libs(clamscan_t)
 
diff --git a/policy/modules/services/hal.fc b/policy/modules/services/hal.fc
index 38cc644..4c43b6c 100644
--- a/policy/modules/services/hal.fc
+++ b/policy/modules/services/hal.fc
@@ -2,6 +2,8 @@
 /etc/hal/device\.d/printer_remove\.hal -- 	gen_context(system_u:object_r:hald_exec_t,s0)
 /etc/hal/capability\.d/printer_update\.hal --	gen_context(system_u:object_r:hald_exec_t,s0)
 
+/usr/bin/hal-setup-keymap		--	gen_context(system_u:object_r:hald_keymap_exec_t,s0)
+
 /usr/libexec/hal-acl-tool		--	gen_context(system_u:object_r:hald_acl_exec_t,s0)
 /usr/libexec/hal-hotplug-map 		--	gen_context(system_u:object_r:hald_exec_t,s0)
 /usr/libexec/hal-system-sonypic	 	--	gen_context(system_u:object_r:hald_sonypic_exec_t,s0)
@@ -13,4 +15,7 @@
 
 /var/lib/hal(/.*)?				gen_context(system_u:object_r:hald_var_lib_t,s0)
 
+/var/log/pm-suspend.log				gen_context(system_u:object_r:hald_log_t,s0)
+
 /var/run/haldaemon.pid	--	 		gen_context(system_u:object_r:hald_var_run_t,s0)
+/var/run/vbestate 	--			gen_context(system_u:object_r:hald_var_run_t,s0)
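Review bot: `/var/log/pm-suspend.log` is added without an object-class specifier while the surrounding entries (`/var/run/haldaemon.pid`, the new `/var/run/vbestate`) use `--`, so as written it also labels a directory or symlink created at that path. If a regular file is intended, `/var/log/pm-suspend.log	--	gen_context(system_u:object_r:hald_log_t,s0)` matches the file's convention. The `/var/run/vbestate` line also has a stray space before its tab, which the other entries avoid.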
diff --git a/policy/modules/services/hal.if b/policy/modules/services/hal.if
index d220329..0e4c46b 100644
--- a/policy/modules/services/hal.if
+++ b/policy/modules/services/hal.if
@@ -20,6 +20,42 @@ interface(`hal_domtrans',`
 
 ########################################
 ## <summary>
+##	Allow ptrace of hal domain
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`hal_ptrace',`
+	gen_require(`
+		type hald_t;
+	')
+
+	allow $1 hald_t:process ptrace;
+')
+
+########################################
+## <summary>
+##	Allow domain to use file descriptors from hal.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`hal_use_fds',`
+	gen_require(`
+		type hald_t;
+	')
+
+	allow $1 hald_t:fd use; 
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to use file descriptors from hal.
 ## </summary>
 ## <param name="domain">
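Review bot: The `<param>` summary for `hal_use_fds` reads `Domain to not audit.` although the interface is an `allow` rule, not a `dontaudit`; the same copied text appears on `hal_rw_pipes` in the next hunk and on `hal_write_log` in the last hunk of this file. Each should read `##	Domain allowed access.` as `hal_ptrace` already does. The `allow $1 hald_t:fd use; ` line, and the `fifo_file` line in `hal_rw_pipes`, carry trailing whitespace. `hal_ptrace` is introduced with no caller anywhere in this commit, and ptrace on hald_t gives the caller full control over the hald process, so naming the intended consumer in its summary would make later audits of that permission easier.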
@@ -38,6 +74,25 @@ interface(`hal_dontaudit_use_fds',`
 
 ########################################
 ## <summary>
+##	Allow attempts to read and write to
+##	hald unnamed pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`hal_rw_pipes',`
+	gen_require(`
+		type hald_t;
+	')
+
+	allow $1 hald_t:fifo_file rw_fifo_file_perms; 
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to read and write to
 ##	hald unnamed pipes.
 ## </summary>
@@ -135,6 +190,45 @@ interface(`hal_dbus_chat',`
 
 ########################################
 ## <summary>
+##	Allow attempts to write the hal
+##	log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit
+##	</summary>
+## </param>
+#
+interface(`hal_write_log',`
+	gen_require(`
+		type hald_log_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 hald_log_t:file write_file_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to write the hal
+##	log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit
+##	</summary>
+## </param>
+#
+interface(`hal_dontaudit_write_log',`
+	gen_require(`
+		type hald_log_t;
+	')
+
+	dontaudit $1 hald_log_t:file { append write };
+')
+
+########################################
+## <summary>
 ##	Read hald tmp files.
 ## </summary>
 ## <param name="domain">
diff --git a/policy/modules/services/hal.te b/policy/modules/services/hal.te
index 1f1ddf1..caa7857 100644
--- a/policy/modules/services/hal.te
+++ b/policy/modules/services/hal.te
@@ -1,5 +1,5 @@
 
-policy_module(hal,1.7.0)
+policy_module(hal,1.7.1)
 
 ########################################
 #
@@ -19,6 +19,12 @@ role system_r types hald_acl_t;
 type hald_cache_t;
 files_pid_file(hald_cache_t)
 
+type hald_keymap_t;
+type hald_keymap_exec_t;
+domain_type(hald_keymap_t)
+domain_entry_file(hald_keymap_t,hald_keymap_exec_t)
+role system_r types hald_keymap_t;
+
 type hald_log_t;
 files_type(hald_log_t)
 
@@ -81,6 +87,7 @@ files_pid_filetrans(hald_t,hald_var_run_t,file)
 
 kernel_read_system_state(hald_t)
 kernel_read_network_state(hald_t)
+kernel_read_software_raid_state(hald_t)
 kernel_rw_kernel_sysctl(hald_t)
 kernel_read_fs_sysctls(hald_t)
 kernel_rw_irq_sysctls(hald_t)
@@ -131,6 +138,7 @@ files_read_usr_files(hald_t)
 files_create_boot_flag(hald_t)
 files_getattr_all_dirs(hald_t)
 files_read_kernel_img(hald_t)
+files_rw_lock_dirs(hald_t)
 
 fs_getattr_all_fs(hald_t)
 fs_search_all(hald_t)
@@ -180,6 +188,7 @@ modutils_domtrans_insmod(hald_t)
 
 seutil_read_config(hald_t)
 seutil_read_default_contexts(hald_t)
+seutil_read_file_contexts(hald_t)
 
 sysnet_read_config(hald_t)
 
@@ -192,6 +201,7 @@ ifdef(`targeted_policy',`
 ')
 
 optional_policy(`
+	alsa_domtrans(hald_t)
 	alsa_read_rw_config(hald_t)
 ')
 
@@ -301,7 +311,10 @@ files_search_var_lib(hald_acl_t)
 corecmd_exec_bin(hald_acl_t)
 
 dev_getattr_all_chr_files(hald_acl_t)
+dev_getattr_generic_usb_dev(hald_acl_t)
+dev_getattr_video_dev(hald_acl_t)
 dev_setattr_video_dev(hald_acl_t)
+dev_getattr_sound_dev(hald_acl_t)
 dev_setattr_sound_dev(hald_acl_t)
 dev_setattr_generic_usb_dev(hald_acl_t)
 dev_setattr_usbfs_files(hald_acl_t)
@@ -378,3 +391,25 @@ ifdef(`targeted_policy',`
 	term_dontaudit_use_console(hald_sonypic_t)
 	term_dontaudit_use_generic_ptys(hald_sonypic_t)
 ')
+
+########################################
+#
+# Hal keymap local policy
+#
+
+domtrans_pattern(hald_t, hald_keymap_exec_t, hald_keymap_t)
+allow hald_t hald_keymap_t:process signal;
+allow hald_keymap_t hald_t:unix_stream_socket connectto;
+
+manage_dirs_pattern(hald_keymap_t,hald_var_lib_t,hald_var_lib_t)
+manage_files_pattern(hald_keymap_t,hald_var_lib_t,hald_var_lib_t)
+files_search_var_lib(hald_keymap_t)
+
+dev_rw_input_dev(hald_keymap_t)
+
+files_read_usr_files(hald_keymap_t)
+
+libs_use_ld_so(hald_keymap_t)
+libs_use_shared_libs(hald_keymap_t)
+
+miscfiles_read_localization(hald_keymap_t)
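Review bot: `domtrans_pattern(hald_t, hald_keymap_exec_t, hald_keymap_t)` puts spaces after the commas while every other pattern call in this file, including `manage_dirs_pattern(hald_keymap_t,hald_var_lib_t,hald_var_lib_t)` four lines below, does not; `domtrans_pattern(hald_t,hald_keymap_exec_t,hald_keymap_t)` keeps the file uniform. The new domain is also given full manage rights on hald_var_lib_t dirs and files; if hal-setup-keymap only reads keymap data from /var/lib/hal, `read_files_pattern(hald_keymap_t,hald_var_lib_t,hald_var_lib_t)` with `allow hald_keymap_t hald_var_lib_t:dir list_dir_perms;` would be the narrower grant, though what the tool actually writes is not visible here.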
diff --git a/policy/support/file_patterns.spt b/policy/support/file_patterns.spt
index 9f4a291..69c9366 100644
--- a/policy/support/file_patterns.spt
+++ b/policy/support/file_patterns.spt
@@ -36,6 +36,11 @@ define(`del_entry_dirs_pattern',`
 	allow $1 $3:dir del_entry_dir_perms;
 ')
 
+define(`rw_dirs_pattern',`
+	allow $1 $2:dir search_dir_perms;
+	allow $1 $3:dir { add_entry_dir_perms del_entry_dir_perms };
+')
+
 define(`create_dirs_pattern',`
 	allow $1 $2:dir add_entry_dir_perms;
 	allow $1 $3:dir create_dir_perms;
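Review bot: `rw_dirs_pattern` grants only `add_entry_dir_perms` and `del_entry_dir_perms` on `$3`, neither of which includes the `read` permission, so a caller of a pattern named `rw_` still cannot list the directory; compare `create_dirs_pattern` just below, whose name matches what it grants. If listing is meant to be covered, `allow $1 $3:dir rw_dir_perms;` is the existing permission set for that; if not, a comment above the define stating that the pattern covers entry add/remove only would prevent misuse. Nothing in this commit calls the new macro yet.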

