blueness 11/02/05 20:41:04 |
|
Added: add-apps-skype.patch add-skype.patch |
add-apps-skype-r2.patch |
Log: |
Bulk addition of new selinux policies. |
|
(Portage version: 2.1.9.25/cvs/Linux x86_64) |
|
Revision Changes Path |
1.1 sec-policy/selinux-skype/files/add-apps-skype.patch |
12 |
|
13 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/sec-policy/selinux-skype/files/add-apps-skype.patch?rev=1.1&view=markup |
14 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/sec-policy/selinux-skype/files/add-apps-skype.patch?rev=1.1&content-type=text/plain |
15 |
|
16 |
Index: add-apps-skype.patch |
17 |
=================================================================== |
18 |
--- apps/skype.te 1970-01-01 01:00:00.000000000 +0100 |
19 |
+++ apps/skype.te 2011-01-22 14:21:31.257000064 +0100 |
20 |
@@ -0,0 +1,93 @@ |
21 |
+policy_module(skype, 1.0.1) |
22 |
+ |
23 |
+############################ |
24 |
+# |
25 |
+# Declarations |
26 |
+# |
27 |
+ |
28 |
+type skype_t; |
29 |
+type skype_exec_t; |
30 |
+application_domain(skype_t, skype_exec_t) |
31 |
+ |
32 |
+type skype_home_t; |
33 |
+userdom_user_home_content(skype_home_t) |
34 |
+ |
35 |
+type skype_tmpfs_t; |
36 |
+files_tmpfs_file(skype_tmpfs_t) |
37 |
+ubac_constrained(skype_tmpfs_t) |
38 |
+ |
39 |
+############################ |
40 |
+# |
41 |
+# Policy |
42 |
+# |
43 |
+ |
44 |
+allow skype_t self:process { getsched setsched }; |
45 |
+allow skype_t self:fifo_file rw_fifo_file_perms; |
46 |
+allow skype_t self:unix_stream_socket create_socket_perms; |
47 |
+allow skype_t self:sem create_sem_perms; |
48 |
+ |
49 |
+manage_dirs_pattern(skype_t, skype_home_t, skype_home_t) |
50 |
+manage_files_pattern(skype_t, skype_home_t, skype_home_t) |
51 |
+manage_lnk_files_pattern(skype_t, skype_home_t, skype_home_t) |
52 |
+userdom_user_home_dir_filetrans(skype_t, skype_home_t, dir) |
53 |
+ |
54 |
+userdom_manage_user_home_content_dirs(skype_t) |
55 |
+userdom_manage_user_home_content_files(skype_t) |
56 |
+ |
57 |
+manage_files_pattern(skype_t, skype_tmpfs_t, skype_tmpfs_t) |
58 |
+manage_lnk_files_pattern(skype_t, skype_tmpfs_t, skype_tmpfs_t) |
59 |
+manage_fifo_files_pattern(skype_t, skype_tmpfs_t, skype_tmpfs_t) |
60 |
+manage_sock_files_pattern(skype_t, skype_tmpfs_t, skype_tmpfs_t) |
61 |
+fs_tmpfs_filetrans(skype_t, skype_tmpfs_t, { file lnk_file sock_file fifo_file }) |
62 |
+ |
63 |
+can_exec(skype_t, skype_exec_t) |
64 |
+ |
65 |
+kernel_read_system_state(skype_t) |
66 |
+ |
67 |
+corecmd_exec_bin(skype_t) |
68 |
+corecmd_exec_shell(skype_t) |
69 |
+ |
70 |
+corenet_all_recvfrom_netlabel(skype_t) |
71 |
+corenet_all_recvfrom_unlabeled(skype_t) |
72 |
+corenet_tcp_bind_generic_node(skype_t) |
73 |
+corenet_udp_bind_generic_node(skype_t) |
74 |
+corenet_tcp_bind_generic_port(skype_t) |
75 |
+corenet_udp_bind_generic_port(skype_t) |
76 |
+corenet_tcp_connect_generic_port(skype_t) |
77 |
+corenet_tcp_connect_http_port(skype_t) |
78 |
+corenet_tcp_sendrecv_http_port(skype_t) |
79 |
+corenet_sendrecv_http_client_packets(skype_t) |
80 |
+allow skype_t self:tcp_socket create_stream_socket_perms; |
81 |
+ |
82 |
+dev_read_video_dev(skype_t) |
83 |
+dev_write_video_dev(skype_t) |
84 |
+dev_read_sound(skype_t) |
85 |
+dev_write_sound(skype_t) |
86 |
+ |
87 |
+domain_use_interactive_fds(skype_t) |
88 |
+ |
89 |
+files_read_etc_files(skype_t) |
90 |
+files_read_usr_files(skype_t) |
91 |
+ |
92 |
+auth_use_nsswitch(skype_t) |
93 |
+ |
94 |
+libs_use_ld_so(skype_t) |
95 |
+ |
96 |
+miscfiles_read_localization(skype_t) |
97 |
+miscfiles_dontaudit_setattr_fonts_dirs(skype_t) |
98 |
+ |
99 |
+userdom_use_user_terminals(skype_t) |
100 |
+ |
101 |
+xserver_user_x_domain_template(skype, skype_t, skype_tmpfs_t) |
102 |
+ |
103 |
+allow skype_t self:process { execmem }; |
104 |
+ |
105 |
+optional_policy(` |
106 |
+ alsa_read_rw_config(skype_t) |
107 |
+') |
108 |
+ |
109 |
+optional_policy(` |
110 |
+ dbus_system_bus_client(skype_t) |
111 |
+ dbus_session_bus_client(skype_t) |
112 |
+') |
113 |
+ |
114 |
--- apps/skype.fc 1970-01-01 01:00:00.000000000 +0100 |
115 |
+++ apps/skype.fc 2011-01-09 21:27:25.364999962 +0100 |
116 |
@@ -0,0 +1,3 @@ |
117 |
+/usr/bin/skype -- gen_context(system_u:object_r:skype_exec_t,s0) |
118 |
+/opt/skype/skype -- gen_context(system_u:object_r:skype_exec_t,s0) |
119 |
+HOME_DIR/\.Skype(/.*)? gen_context(system_u:object_r:skype_home_t,s0) |
120 |
|
121 |
|
122 |
|
123 |
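Review bot: `userdom_manage_user_home_content_dirs(skype_t)` and `userdom_manage_user_home_content_files(skype_t)` in the skype.te hunk give the domain write access to all of a user's generic home content, which largely undoes the point of the dedicated `skype_home_t` label declared a few lines above; the add-skype.patch variant on this page gets by with `userdom_search_user_home_dirs(skype_t)`, and that narrower grant is the one to prefer unless a concrete denial shows more is needed. The hunk also calls `corenet_udp_bind_generic_node` and `corenet_udp_bind_generic_port` without any `self:udp_socket` permission, so as far as the visible lines go the domain cannot create the UDP socket those interfaces are meant for; `allow skype_t self:udp_socket create_socket_perms;` next to the existing tcp_socket line would close that gap. Finally `allow skype_t self:process { execmem };` is granted unconditionally here, whereas add-skype.patch gates it behind `tunable_policy(`allow_execmem', ...)` with a comment explaining why; keeping the tunable and the comment lets administrators retain the W^X restriction where the binary turns out not to need it. The same three points apply to the add-apps-skype-r2.patch section further down this page.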
1.1 sec-policy/selinux-skype/files/add-skype.patch |
124 |
|
125 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/sec-policy/selinux-skype/files/add-skype.patch?rev=1.1&view=markup |
126 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/sec-policy/selinux-skype/files/add-skype.patch?rev=1.1&content-type=text/plain |
127 |
|
128 |
Index: add-skype.patch |
129 |
=================================================================== |
130 |
--- apps/skype.te 1970-01-01 01:00:00.000000000 +0100 |
131 |
+++ ../../../refpolicy/policy/modules/apps/skype.te 2011-01-08 00:23:10.900000094 +0100 |
132 |
@@ -0,0 +1,94 @@ |
133 |
+policy_module(skype, 1.0.0) |
134 |
+ |
135 |
+############################ |
136 |
+# |
137 |
+# Declarations |
138 |
+# |
139 |
+ |
140 |
+ |
141 |
+type skype_t; |
142 |
+type skype_exec_t; |
143 |
+typealias skype_t alias { user_skype_t staff_skype_t sysadm_skype_t }; |
144 |
+application_domain(skype_t, skype_exec_t) |
145 |
+ |
146 |
+type skype_home_t; |
147 |
+typealias skype_home_t alias { user_skype_home_t staff_skype_home_t sysadm_skype_home_t }; |
148 |
+userdom_user_home_content(skype_home_t) |
149 |
+ |
150 |
+type skype_tmpfs_t; |
151 |
+typealias skype_tmpfs_t alias { user_skype_tmpfs_t staff_skype_tmpfs_t sysadm_skype_tmpfs_t }; |
152 |
+files_tmpfs_file(skype_tmpfs_t) |
153 |
+ubac_constrained(skype_tmpfs_t) |
154 |
+ |
155 |
+############################ |
156 |
+# |
157 |
+# Local policy |
158 |
+# |
159 |
+ |
160 |
+# Looks as if the binary needs this; for the time being use the tunable policy |
161 |
+tunable_policy(`allow_execmem',` |
162 |
+ allow skype_t self:process { execmem }; |
163 |
+') |
164 |
+ |
165 |
+# Manage ~/.Skype |
166 |
+manage_dirs_pattern(skype_t, skype_home_t, skype_home_t) |
167 |
+manage_files_pattern(skype_t, skype_home_t, skype_home_t) |
168 |
+manage_lnk_files_pattern(skype_t, skype_home_t, skype_home_t) |
169 |
+userdom_user_home_dir_filetrans(skype_t, skype_home_t, dir) |
170 |
+userdom_search_user_home_dirs(skype_t) |
171 |
+ |
172 |
+# Declare access permissions on skype_tmpfs_t domain for X sessions |
173 |
+manage_files_pattern(skype_t, skype_tmpfs_t, skype_tmpfs_t) |
174 |
+manage_lnk_files_pattern(skype_t, skype_tmpfs_t, skype_tmpfs_t) |
175 |
+manage_fifo_files_pattern(skype_t, skype_tmpfs_t, skype_tmpfs_t) |
176 |
+manage_sock_files_pattern(skype_t, skype_tmpfs_t, skype_tmpfs_t) |
177 |
+fs_tmpfs_filetrans(skype_t, skype_tmpfs_t, { file lnk_file sock_file fifo_file }) |
178 |
+ |
179 |
+# Be able to call skype from a terminal (debugging) |
180 |
+userdom_use_user_terminals(skype_t) |
181 |
+domain_use_interactive_fds(skype_t) |
182 |
+ |
183 |
+corecmd_exec_bin(skype_t) |
184 |
+corecmd_exec_shell(skype_t) |
185 |
+can_exec(skype_t, skype_exec_t) |
186 |
+#exec_files_pattern(skype_t, skype_exec_t, skype_exec_t) |
187 |
+libs_use_ld_so(skype_t) |
188 |
+files_read_usr_symlinks(skype_t) |
189 |
+ |
190 |
+# This is an X application |
191 |
+xserver_user_x_domain_template(skype, skype_t, skype_tmpfs_t) |
192 |
+ |
193 |
+files_search_var_lib(skype_t) |
194 |
+miscfiles_read_fonts(skype_t) |
195 |
+miscfiles_read_localization(skype_t) |
196 |
+miscfiles_dontaudit_setattr_fonts_dirs(skype_t) |
197 |
+dbus_system_bus_client(skype_t) |
198 |
+files_read_etc_files(skype_t) |
199 |
+libs_read_lib_files(skype_t) |
200 |
+ |
201 |
+corenet_tcp_bind_generic_node(skype_t) |
202 |
+corenet_udp_bind_generic_node(skype_t) |
203 |
+corenet_tcp_bind_generic_port(skype_t) |
204 |
+corenet_udp_bind_generic_port(skype_t) |
205 |
+corenet_tcp_connect_generic_port(skype_t) |
206 |
+corenet_tcp_connect_http_port(skype_t) |
207 |
+ |
208 |
+dev_read_video_dev(skype_t) |
209 |
+dev_write_video_dev(skype_t) |
210 |
+dev_read_sound(skype_t) |
211 |
+dev_write_sound(skype_t) |
212 |
+alsa_read_rw_config(skype_t) |
213 |
+ |
214 |
+files_read_usr_files(skype_t) |
215 |
+kernel_read_system_state(skype_t) |
216 |
+sysnet_read_config(skype_t) |
217 |
+ |
218 |
+# Self |
219 |
+allow skype_t self:process { getsched }; |
220 |
+allow skype_t self:unix_stream_socket create_socket_perms; |
221 |
+allow skype_t self:udp_socket create_stream_socket_perms; |
222 |
+allow skype_t self:tcp_socket create_stream_socket_perms; |
223 |
+allow skype_t self:sem create_sem_perms; |
224 |
+allow skype_t self:netlink_route_socket rw_netlink_socket_perms; |
225 |
+allow skype_t self:fifo_file rw_fifo_file_perms; |
226 |
+ |
227 |
--- apps/skype.fc 1970-01-01 01:00:00.000000000 +0100 |
228 |
+++ ../../../refpolicy/policy/modules/apps/skype.fc 2011-01-07 21:46:47.603999891 +0100 |
229 |
@@ -0,0 +1,3 @@ |
230 |
+/usr/bin/skype -- gen_context(system_u:object_r:skype_exec_t,s0) |
231 |
+/opt/skype/skype -- gen_context(system_u:object_r:skype_exec_t,s0) |
232 |
+HOME_DIR/\.Skype(/.*)? gen_context(system_u:object_r:skype_home_t,s0) |
233 |
|
234 |
|
235 |
|
236 |
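Review bot: `dbus_system_bus_client(skype_t)` and `alsa_read_rw_config(skype_t)` in the skype.te hunk are called outside `optional_policy()`, so this module is likely to fail to build or load on a system where the dbus or alsa module is absent; the other two patches on this page wrap both calls, and this one should do the same, e.g. `optional_policy(` dbus_system_bus_client(skype_t) ')`. `allow skype_t self:udp_socket create_stream_socket_perms;` applies the stream macro to a datagram socket class, which adds listen/accept permissions that have no meaning there; `create_socket_perms` states the intent more precisely. The commented-out `#exec_files_pattern(skype_t, skype_exec_t, skype_exec_t)` line is dead text next to the `can_exec` call that replaces it and can be dropped.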
1.1 sec-policy/selinux-skype/files/add-apps-skype-r2.patch |
237 |
|
238 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/sec-policy/selinux-skype/files/add-apps-skype-r2.patch?rev=1.1&view=markup |
239 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/sec-policy/selinux-skype/files/add-apps-skype-r2.patch?rev=1.1&content-type=text/plain |
240 |
|
241 |
Index: add-apps-skype-r2.patch |
242 |
=================================================================== |
243 |
--- apps/skype.te 1970-01-01 01:00:00.000000000 +0100 |
244 |
+++ apps/skype.te 2011-01-30 16:17:19.481000177 +0100 |
245 |
@@ -0,0 +1,97 @@ |
246 |
+policy_module(skype, 0.0.2) |
247 |
+ |
248 |
+############################ |
249 |
+# |
250 |
+# Declarations |
251 |
+# |
252 |
+ |
253 |
+type skype_t; |
254 |
+type skype_exec_t; |
255 |
+application_domain(skype_t, skype_exec_t) |
256 |
+ |
257 |
+type skype_home_t; |
258 |
+ |
259 |
+type skype_tmpfs_t; |
260 |
+files_tmpfs_file(skype_tmpfs_t) |
261 |
+ubac_constrained(skype_tmpfs_t) |
262 |
+ |
263 |
+############################ |
264 |
+# |
265 |
+# Policy |
266 |
+# |
267 |
+ |
268 |
+allow skype_t self:process { getsched setsched execmem }; |
269 |
+allow skype_t self:fifo_file rw_fifo_file_perms; |
270 |
+allow skype_t self:unix_stream_socket create_socket_perms; |
271 |
+allow skype_t self:sem create_sem_perms; |
272 |
+allow skype_t self:tcp_socket create_stream_socket_perms; |
273 |
+ |
274 |
+ |
275 |
+manage_dirs_pattern(skype_t, skype_home_t, skype_home_t) |
276 |
+manage_files_pattern(skype_t, skype_home_t, skype_home_t) |
277 |
+manage_lnk_files_pattern(skype_t, skype_home_t, skype_home_t) |
278 |
+userdom_user_home_dir_filetrans(skype_t, skype_home_t, dir) |
279 |
+userdom_user_home_content(skype_home_t) |
280 |
+ |
281 |
+manage_files_pattern(skype_t, skype_tmpfs_t, skype_tmpfs_t) |
282 |
+manage_lnk_files_pattern(skype_t, skype_tmpfs_t, skype_tmpfs_t) |
283 |
+manage_fifo_files_pattern(skype_t, skype_tmpfs_t, skype_tmpfs_t) |
284 |
+manage_sock_files_pattern(skype_t, skype_tmpfs_t, skype_tmpfs_t) |
285 |
+fs_tmpfs_filetrans(skype_t, skype_tmpfs_t, { file lnk_file sock_file fifo_file }) |
286 |
+ |
287 |
+ |
288 |
+kernel_read_system_state(skype_t) |
289 |
+ |
290 |
+can_exec(skype_t, skype_exec_t) |
291 |
+corecmd_exec_bin(skype_t) |
292 |
+corecmd_exec_shell(skype_t) |
293 |
+corenet_all_recvfrom_netlabel(skype_t) |
294 |
+corenet_all_recvfrom_unlabeled(skype_t) |
295 |
+corenet_tcp_bind_generic_node(skype_t) |
296 |
+corenet_udp_bind_generic_node(skype_t) |
297 |
+corenet_tcp_bind_generic_port(skype_t) |
298 |
+corenet_udp_bind_generic_port(skype_t) |
299 |
+corenet_tcp_connect_generic_port(skype_t) |
300 |
+corenet_tcp_connect_http_port(skype_t) |
301 |
+corenet_tcp_sendrecv_http_port(skype_t) |
302 |
+corenet_sendrecv_http_client_packets(skype_t) |
303 |
+dev_read_sound(skype_t) |
304 |
+dev_read_video_dev(skype_t) |
305 |
+dev_write_sound(skype_t) |
306 |
+dev_write_video_dev(skype_t) |
307 |
+files_read_etc_files(skype_t) |
308 |
+files_read_usr_files(skype_t) |
309 |
+ |
310 |
+ |
311 |
+auth_use_nsswitch(skype_t) |
312 |
+domain_use_interactive_fds(skype_t) |
313 |
+libs_use_ld_so(skype_t) |
314 |
+miscfiles_dontaudit_setattr_fonts_dirs(skype_t) |
315 |
+miscfiles_read_localization(skype_t) |
316 |
+userdom_manage_user_home_content_dirs(skype_t) |
317 |
+userdom_manage_user_home_content_files(skype_t) |
318 |
+userdom_use_user_terminals(skype_t) |
319 |
+ |
320 |
+ |
321 |
+xserver_user_x_domain_template(skype, skype_t, skype_tmpfs_t) |
322 |
+ |
323 |
+tunable_policy(`gentoo_try_dontaudit',` |
324 |
+ dev_dontaudit_search_sysfs(skype_t) |
325 |
+ fs_dontaudit_getattr_xattr_fs(skype_t) |
326 |
+') |
327 |
+ |
328 |
+optional_policy(` |
329 |
+ tunable_policy(`gentoo_try_dontaudit',` |
330 |
+ mozilla_dontaudit_manage_user_home_files(skype_t) |
331 |
+ ') |
332 |
+') |
333 |
+ |
334 |
+optional_policy(` |
335 |
+ alsa_read_rw_config(skype_t) |
336 |
+') |
337 |
+ |
338 |
+optional_policy(` |
339 |
+ dbus_system_bus_client(skype_t) |
340 |
+ dbus_session_bus_client(skype_t) |
341 |
+') |
342 |
+ |
343 |
--- apps/skype.fc 1970-01-01 01:00:00.000000000 +0100 |
344 |
+++ apps/skype.fc 2011-01-09 21:27:25.364999962 +0100 |
345 |
@@ -0,0 +1,3 @@ |
346 |
+/usr/bin/skype -- gen_context(system_u:object_r:skype_exec_t,s0) |
347 |
+/opt/skype/skype -- gen_context(system_u:object_r:skype_exec_t,s0) |
348 |
+HOME_DIR/\.Skype(/.*)? gen_context(system_u:object_r:skype_home_t,s0) |
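Review bot: `policy_module(skype, 0.0.2)` in the skype.te hunk carries a lower version than the 1.0.1 in add-apps-skype.patch on the same page even though this is the "-r2" revision, which makes any version comparison between the two modules misleading; bumping it past 1.0.1, or documenting which of the three patches the ebuild actually applies, avoids that. `userdom_user_home_content(skype_home_t)` has also drifted out of the Declarations section into the middle of the policy rules, separated from its `type skype_home_t;` line; refpolicy style keeps a type declaration and the interface that attributes it together, so moving it back under the type line would match the other two patches. A short comment above the `gentoo_try_dontaudit` blocks naming what the dontaudit rules suppress, e.g. `# Silence sysfs/xattr probing and mozilla home-file access when gentoo_try_dontaudit is set`, would help the next maintainer decide whether they are still wanted.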