[selinux-policy: 1957/3172] trunk: podsleuth and hal updates from dan.

Thu Oct 7 21:54:05 UTC 2010

commit 131634a581ea84d1f6f925a3bbe66ed76e943742
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Tue Jun 17 14:07:44 2008 +0000

    trunk: podsleuth and hal updates from dan.

 Changelog                        |    1 +
 policy/modules/apps/mono.if      |   19 +++++++++++++++++++
 policy/modules/apps/mono.te      |    2 +-
 policy/modules/apps/podsleuth.fc |    2 ++
 policy/modules/apps/podsleuth.if |   19 +++++++++++++++++++
 policy/modules/apps/podsleuth.te |   38 ++++++++++++++++++++++++++++++++++++++
 policy/modules/services/hal.fc   |    7 ++++++-
 policy/modules/services/hal.te   |   38 +++++++++++++++++++++++++++++++++-----
 8 files changed, 119 insertions(+), 7 deletions(-)
---

diff --git a/Changelog b/Changelog
index 336e867..bfe3d71 100644
--- a/Changelog
+++ b/Changelog
@@ -13,6 +13,7 @@
 - Added modules:
 	kerneloops (Dan Walsh)
 	kismet (Dan Walsh)
+	podsleuth (Dan Walsh)
 	prelude (Dan Walsh)
 	qemu (Dan Walsh)
 	virt (Dan Walsh)
diff --git a/policy/modules/apps/mono.if b/policy/modules/apps/mono.if
index 2468754..3e34268 100644
--- a/policy/modules/apps/mono.if
+++ b/policy/modules/apps/mono.if
@@ -18,3 +18,22 @@ interface(`mono_domtrans',`
 	corecmd_search_bin($1)
 	domtrans_pattern($1, mono_exec_t, mono_t)
 ')
+
+########################################
+## <summary>
+##	Execute the mono program in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mono_exec',`
+	gen_require(`
+		type mono_t, mono_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, mono_exec_t)
+')
diff --git a/policy/modules/apps/mono.te b/policy/modules/apps/mono.te
index ee29a1f..843a5cb 100644
--- a/policy/modules/apps/mono.te
+++ b/policy/modules/apps/mono.te
@@ -1,5 +1,5 @@
 
-policy_module(mono,1.4.1)
+policy_module(mono,1.4.2)
 
 ########################################
 #
diff --git a/policy/modules/apps/podsleuth.fc b/policy/modules/apps/podsleuth.fc
new file mode 100644
index 0000000..91397a3
--- /dev/null
+++ b/policy/modules/apps/podsleuth.fc
@@ -0,0 +1,2 @@
+
+/usr/bin/podsleuth	--	gen_context(system_u:object_r:podsleuth_exec_t,s0)
diff --git a/policy/modules/apps/podsleuth.if b/policy/modules/apps/podsleuth.if
new file mode 100644
index 0000000..c35702d
--- /dev/null
+++ b/policy/modules/apps/podsleuth.if
@@ -0,0 +1,19 @@
+## <summary>Podsleuth is a tool to get information about an Apple (TM) iPod (TM)</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run podsleuth.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`podsleuth_domtrans',`
+	gen_require(`
+		type podsleuth_t, podsleuth_exec_t;
+	')
+
+	domtrans_pattern($1, podsleuth_exec_t, podsleuth_t)
+')
diff --git a/policy/modules/apps/podsleuth.te b/policy/modules/apps/podsleuth.te
new file mode 100644
index 0000000..67d52ed
--- /dev/null
+++ b/policy/modules/apps/podsleuth.te
@@ -0,0 +1,38 @@
+
+policy_module(podsleuth, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type podsleuth_t;
+type podsleuth_exec_t;
+application_domain(podsleuth_t, podsleuth_exec_t)
+role system_r types podsleuth_t;
+
+########################################
+#
+# podsleuth local policy
+#
+
+allow podsleuth_t self:process { signal getsched execheap execmem };
+allow podsleuth_t self:fifo_file rw_file_perms;
+allow podsleuth_t self:unix_stream_socket create_stream_socket_perms;
+
+kernel_read_system_state(podsleuth_t)
+
+dev_read_urand(podsleuth_t)
+
+files_read_etc_files(podsleuth_t)
+
+libs_use_ld_so(podsleuth_t)
+libs_use_shared_libs(podsleuth_t)
+
+miscfiles_read_localization(podsleuth_t)
+
+dbus_system_bus_client_template(podsleuth, podsleuth_t)
+
+mono_exec(podsleuth_t)
+
+hal_dbus_chat(podsleuth_t)
diff --git a/policy/modules/services/hal.fc b/policy/modules/services/hal.fc
index afdf511..130c317 100644
--- a/policy/modules/services/hal.fc
+++ b/policy/modules/services/hal.fc
@@ -8,6 +8,7 @@
 /usr/libexec/hal-hotplug-map 		--	gen_context(system_u:object_r:hald_exec_t,s0)
 /usr/libexec/hal-system-sonypic	 	--	gen_context(system_u:object_r:hald_sonypic_exec_t,s0)
 /usr/libexec/hald-addon-macbookpro-backlight --	gen_context(system_u:object_r:hald_mac_exec_t,s0)
+/usr/libexec/hald-addon-macbook-backlight --	gen_context(system_u:object_r:hald_mac_exec_t,s0)
 
 /usr/sbin/hald		--			gen_context(system_u:object_r:hald_exec_t,s0)
 
@@ -15,10 +16,14 @@
 
 /var/lib/hal(/.*)?				gen_context(system_u:object_r:hald_var_lib_t,s0)
 
+/var/log/pm(/.*)?				gen_context(system_u:object_r:hald_log_t,s0)
 /var/log/pm-suspend\.log			gen_context(system_u:object_r:hald_log_t,s0)
 
+/var/run/hald(/.*)?				gen_context(system_u:object_r:hald_var_run_t,s0)
 /var/run/haldaemon\.pid	--	 		gen_context(system_u:object_r:hald_var_run_t,s0)
-/var/run/vbestate 	--			gen_context(system_u:object_r:hald_var_run_t,s0)
+/var/run/pm(/.*)?				gen_context(system_u:object_r:hald_var_run_t,s0)
+/var/run/pm-utils(/.*)?				gen_context(system_u:object_r:hald_var_run_t,s0)
+/var/run/vbe.*	 	--			gen_context(system_u:object_r:hald_var_run_t,s0)
 
 ifdef(`distro_gentoo',`
 /var/lib/cache/hald(/.*)?			gen_context(system_u:object_r:hald_cache_t,s0)
diff --git a/policy/modules/services/hal.te b/policy/modules/services/hal.te
index bb0da44..e24de94 100644
--- a/policy/modules/services/hal.te
+++ b/policy/modules/services/hal.te
@@ -1,5 +1,5 @@
 
-policy_module(hal,1.9.2)
+policy_module(hal,1.9.3)
 
 ########################################
 #
@@ -57,7 +57,7 @@ files_type(hald_var_lib_t)
 # execute openvt which needs setuid
 allow hald_t self:capability { chown setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config };
 dontaudit hald_t self:capability {sys_ptrace sys_tty_config };
-allow hald_t self:process signal_perms;
+allow hald_t self:process { getattr signal_perms };
 allow hald_t self:fifo_file rw_fifo_file_perms;
 allow hald_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow hald_t self:unix_dgram_socket create_socket_perms;
@@ -70,7 +70,7 @@ allow hald_t self:netlink_socket create_socket_perms;
 manage_files_pattern(hald_t,hald_cache_t,hald_cache_t)
 
 # log files for hald
-allow hald_t hald_log_t:file manage_file_perms;
+manage_files_pattern(hald_t, hald_log_t, hald_log_t)
 logging_log_filetrans(hald_t,hald_log_t,file)
 
 manage_dirs_pattern(hald_t,hald_tmp_t,hald_tmp_t)
@@ -82,8 +82,9 @@ manage_dirs_pattern(hald_t,hald_var_lib_t,hald_var_lib_t)
 manage_files_pattern(hald_t,hald_var_lib_t,hald_var_lib_t)
 manage_sock_files_pattern(hald_t,hald_var_lib_t,hald_var_lib_t)
 
+manage_dirs_pattern(hald_t, hald_var_run_t, hald_var_run_t)
 manage_files_pattern(hald_t,hald_var_run_t,hald_var_run_t)
-files_pid_filetrans(hald_t,hald_var_run_t,file)
+files_pid_filetrans(hald_t, hald_var_run_t, { dir file })
 
 kernel_read_system_state(hald_t)
 kernel_read_network_state(hald_t)
@@ -93,6 +94,7 @@ kernel_read_fs_sysctls(hald_t)
 kernel_rw_irq_sysctls(hald_t)
 kernel_rw_vm_sysctls(hald_t)
 kernel_write_proc_files(hald_t)
+kernel_setsched(hald_t)
 
 auth_read_pam_console_data(hald_t)
 
@@ -119,8 +121,10 @@ dev_rw_generic_usb_dev(hald_t)
 dev_setattr_generic_usb_dev(hald_t)
 dev_setattr_usbfs_files(hald_t)
 dev_rw_power_management(hald_t)
+dev_read_raw_memory(hald_t)
 # hal is now execing pm-suspend
 dev_rw_sysfs(hald_t)
+dev_read_video_dev(hald_t)
 
 domain_use_interactive_fds(hald_t)
 domain_read_all_domains_state(hald_t)
@@ -166,6 +170,8 @@ term_dontaudit_use_unallocated_ttys(hald_t)
 
 auth_use_nsswitch(hald_t)
 
+fstools_getattr_swap_files(hald_t)
+
 init_domtrans_script(hald_t)
 init_read_utmp(hald_t)
 #hal runs shutdown, probably need a shutdown domain
@@ -245,6 +251,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	gpm_dontaudit_getattr_gpmctl(hald_t)
+')
+
+optional_policy(`
 	hotplug_read_config(hald_t)
 ')
 
@@ -266,6 +276,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	podsleuth_domtrans(hald_t)
+')
+
+optional_policy(`
 	rpc_search_nfs_state_data(hald_t)
 ')
 
@@ -292,7 +306,8 @@ optional_policy(`
 #
 
 allow hald_acl_t self:capability { dac_override fowner };
-allow hald_acl_t self:fifo_file read_fifo_file_perms;
+allow hald_acl_t self:process { getattr signal };
+allow hald_acl_t self:fifo_file rw_fifo_file_perms;
 
 domtrans_pattern(hald_t, hald_acl_exec_t, hald_acl_t)
 allow hald_t hald_acl_t:process signal;
@@ -302,9 +317,14 @@ manage_dirs_pattern(hald_acl_t,hald_var_lib_t,hald_var_lib_t)
 manage_files_pattern(hald_acl_t,hald_var_lib_t,hald_var_lib_t)
 files_search_var_lib(hald_acl_t)
 
+manage_dirs_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
+manage_files_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
+files_pid_filetrans(hald_acl_t, hald_var_run_t, { dir file })
+
 corecmd_exec_bin(hald_acl_t)
 
 dev_getattr_all_chr_files(hald_acl_t)
+dev_setattr_all_chr_files(hald_acl_t)
 dev_getattr_generic_usb_dev(hald_acl_t)
 dev_getattr_video_dev(hald_acl_t)
 dev_setattr_video_dev(hald_acl_t)
@@ -339,7 +359,11 @@ manage_dirs_pattern(hald_mac_t,hald_var_lib_t,hald_var_lib_t)
 manage_files_pattern(hald_mac_t,hald_var_lib_t,hald_var_lib_t)
 files_search_var_lib(hald_mac_t)
 
+kernel_read_system_state(hald_mac_t)
+
+dev_read_raw_memory(hald_mac_t)
 dev_write_raw_memory(hald_mac_t)
+dev_read_sysfs(hald_mac_t)
 
 files_read_usr_files(hald_mac_t)
 
@@ -392,3 +416,7 @@ libs_use_ld_so(hald_keymap_t)
 libs_use_shared_libs(hald_keymap_t)
 
 miscfiles_read_localization(hald_keymap_t)
+
+# This is caused by a bug in hald and PolicyKit.  
+# Should be removed when this is fixed
+#cron_read_system_job_lib_files(hald_t)
