commit: 36b9de677df390ea7ac2ef242414a7122c6e26ac |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
AuthorDate: Tue Oct 30 09:58:49 2012 +0000 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
CommitDate: Tue Oct 30 18:32:58 2012 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=36b9de67 |
|
Changes to the tvtime policy module |
|
Module clean up |
|
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
|
--- |
policy/modules/contrib/tvtime.fc | 6 ++---- |
policy/modules/contrib/tvtime.if | 26 ++++++++++++-------------- |
policy/modules/contrib/tvtime.te | 20 ++++++++++---------- |
3 files changed, 24 insertions(+), 28 deletions(-) |
|
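--- a/policy/modules/contrib/tvtime.fc
+++ b/policy/modules/contrib/tvtime.fc
@@ -1,5 +1,3 @@
-#
-# /usr
-#
-/usr/bin/tvtime -- gen_context(system_u:object_r:tvtime_exec_t,s0)
+HOME_DIR/\.tvtime(/.*)? gen_context(system_u:object_r:tvtime_home_t,s0)
 
+/usr/bin/tvtime -- gen_context(system_u:object_r:tvtime_exec_t,s0)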
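--- a/policy/modules/contrib/tvtime.if
+++ b/policy/modules/contrib/tvtime.if
@@ -1,4 +1,4 @@
-## <summary> tvtime - a high quality television application </summary>
+## <summary>High quality television application.</summary>
 
 ########################################
 ## <summary>
@@ -17,24 +17,22 @@
 #
 interface(`tvtime_role',`
 gen_require(`
-type tvtime_t, tvtime_exec_t;
+attribute_role tvtime_roles;
+type tvtime_t, tvtime_exec_t, tvtime_tmp_t;
 type tvtime_home_t, tvtime_tmpfs_t;
 ')
 
-role $1 types tvtime_t;
+roleattribute $1 tvtime_roles;
 
-# Type transition
 domtrans_pattern($2, tvtime_exec_t, tvtime_t)
 
-# X access, Home files
-manage_dirs_pattern($2, tvtime_home_t, tvtime_home_t)
-manage_files_pattern($2, tvtime_home_t, tvtime_home_t)
-manage_lnk_files_pattern($2, tvtime_home_t, tvtime_home_t)
-relabel_dirs_pattern($2, tvtime_home_t, tvtime_home_t)
-relabel_files_pattern($2, tvtime_home_t, tvtime_home_t)
-relabel_lnk_files_pattern($2, tvtime_home_t, tvtime_home_t)
-
-# Allow the user domain to signal/ps.
 ps_process_pattern($2, tvtime_t)
-allow $2 tvtime_t:process signal_perms;
+allow $2 tvtime_t:process { ptrace signal_perms };
+
+allow $2 { tvtime_home_t tvtime_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
+allow $2 { tvtime_home_t tvtime_tmpfs_t tvtime_tmp_t }:file { manage_file_perms relabel_file_perms };
+allow $2 { tvtime_home_t tvtime_tmpfs_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+allow $2 tvtime_tmpfs_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
+allow $2 tvtime_tmpfs_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+userdom_user_home_dir_filetrans($2, tvtime_home_t, dir, ".tvtime")
 ')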
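Review bot: `allow $2 tvtime_t:process { ptrace signal_perms };` grants the caller's domain ptrace over tvtime_t, which the replaced `signal_perms`-only line did not and which the commit message ("Module clean up") does not mention; since ptrace lets $2 inspect and alter a running tvtime_t process rather than merely signal it, the line should either revert to `allow $2 tvtime_t:process signal_perms;` or carry a comment such as `# user domain may debug/trace its own tvtime instance` so the widening is visibly deliberate. The same hunk starts requiring `tvtime_tmp_t` in gen_require and grants manage/relabel on it, but no tvtime.te hunk on this page declares that type, so confirm it is declared elsewhere in tvtime.te or the module will not build. The interface's documentation header (the `## <summary>`/`<param>` block above line 17 of tvtime.if) lies outside the hunk; if it describes what the role is granted, it needs updating for the new ptrace and tmp/tmpfs access.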
80 |
diff --git a/policy/modules/contrib/tvtime.te b/policy/modules/contrib/tvtime.te |
81 |
index 531b1f1..3292fcc 100644 |
82 |
--- a/policy/modules/contrib/tvtime.te |
83 |
+++ b/policy/modules/contrib/tvtime.te |
84 |
@@ -1,15 +1,18 @@ |
85 |
-policy_module(tvtime, 2.2.0) |
86 |
+policy_module(tvtime, 2.2.1) |
87 |
|
88 |
######################################## |
89 |
# |
90 |
# Declarations |
91 |
# |
92 |
|
93 |
+attribute_role tvtime_roles; |
94 |
+ |
95 |
type tvtime_t; |
96 |
type tvtime_exec_t; |
97 |
typealias tvtime_t alias { user_tvtime_t staff_tvtime_t sysadm_tvtime_t }; |
98 |
typealias tvtime_t alias { auditadm_tvtime_t secadm_tvtime_t }; |
99 |
userdom_user_application_domain(tvtime_t, tvtime_exec_t) |
100 |
+role tvtime_roles types tvtime_t; |
101 |
|
102 |
type tvtime_home_t alias tvtime_rw_t; |
103 |
typealias tvtime_home_t alias { user_tvtime_home_t staff_tvtime_home_t sysadm_tvtime_home_t }; |
104 |
@@ -36,7 +39,6 @@ allow tvtime_t self:process setsched; |
105 |
allow tvtime_t self:unix_dgram_socket rw_socket_perms; |
106 |
allow tvtime_t self:unix_stream_socket rw_stream_socket_perms; |
107 |
|
108 |
-# X access, Home files |
109 |
manage_dirs_pattern(tvtime_t, tvtime_home_t, tvtime_home_t) |
110 |
manage_files_pattern(tvtime_t, tvtime_home_t, tvtime_home_t) |
111 |
manage_lnk_files_pattern(tvtime_t, tvtime_home_t, tvtime_home_t) |
112 |
@@ -55,30 +57,28 @@ fs_tmpfs_filetrans(tvtime_t, tvtime_tmpfs_t,{ file lnk_file sock_file fifo_file |
113 |
kernel_read_all_sysctls(tvtime_t) |
114 |
kernel_get_sysvipc_info(tvtime_t) |
115 |
|
116 |
-dev_read_urand(tvtime_t) |
117 |
dev_read_realtime_clock(tvtime_t) |
118 |
dev_read_sound(tvtime_t) |
119 |
+dev_read_urand(tvtime_t) |
120 |
|
121 |
files_read_usr_files(tvtime_t) |
122 |
-files_search_pids(tvtime_t) |
123 |
-# Read /etc/tvtime |
124 |
-files_read_etc_files(tvtime_t) |
125 |
|
126 |
-# X access, Home files |
127 |
+fs_getattr_all_fs(tvtime_t) |
128 |
fs_search_auto_mountpoints(tvtime_t) |
129 |
|
130 |
-miscfiles_read_localization(tvtime_t) |
131 |
+auth_use_nsswitch(tvtime_t) |
132 |
+ |
133 |
miscfiles_read_fonts(tvtime_t) |
134 |
+miscfiles_read_localization(tvtime_t) |
135 |
|
136 |
userdom_use_user_terminals(tvtime_t) |
137 |
-userdom_read_user_home_content_files(tvtime_t) |
138 |
|
139 |
-# X access, Home files |
140 |
tunable_policy(`use_nfs_home_dirs',` |
141 |
fs_manage_nfs_dirs(tvtime_t) |
142 |
fs_manage_nfs_files(tvtime_t) |
143 |
fs_manage_nfs_symlinks(tvtime_t) |
144 |
') |
145 |
+ |
146 |
tunable_policy(`use_samba_home_dirs',` |
147 |
fs_manage_cifs_dirs(tvtime_t) |
148 |
fs_manage_cifs_files(tvtime_t) |