
From: "Anthony G. Basile (blueness)" <blueness@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] gentoo-x86 commit in sec-policy/selinux-skype/files: add-apps-skype.patch add-skype.patch add-apps-skype-r2.patch
Date: Sat, 05 Feb 2011 20:42:20
Message-Id: 20110205204104.B9AC720065@flycatcher.gentoo.org
1 blueness 11/02/05 20:41:04
2
3 Added: add-apps-skype.patch add-skype.patch
4 add-apps-skype-r2.patch
5 Log:
6 Bulk addition of new selinux policies.
7
8 (Portage version: 2.1.9.25/cvs/Linux x86_64)
9
10 Revision Changes Path
11 1.1 sec-policy/selinux-skype/files/add-apps-skype.patch
12
15
16 Index: add-apps-skype.patch
17 ===================================================================
18 --- apps/skype.te 1970-01-01 01:00:00.000000000 +0100
19 +++ apps/skype.te 2011-01-22 14:21:31.257000064 +0100
20 @@ -0,0 +1,93 @@
21 +policy_module(skype, 1.0.1)
22 +
23 +############################
24 +#
25 +# Declarations
26 +#
27 +
28 +type skype_t;
29 +type skype_exec_t;
30 +application_domain(skype_t, skype_exec_t)
31 +
32 +type skype_home_t;
33 +userdom_user_home_content(skype_home_t)
34 +
35 +type skype_tmpfs_t;
36 +files_tmpfs_file(skype_tmpfs_t)
37 +ubac_constrained(skype_tmpfs_t)
38 +
39 +############################
40 +#
41 +# Policy
42 +#
43 +
44 +allow skype_t self:process { getsched setsched };
45 +allow skype_t self:fifo_file rw_fifo_file_perms;
46 +allow skype_t self:unix_stream_socket create_socket_perms;
47 +allow skype_t self:sem create_sem_perms;
48 +
49 +manage_dirs_pattern(skype_t, skype_home_t, skype_home_t)
50 +manage_files_pattern(skype_t, skype_home_t, skype_home_t)
51 +manage_lnk_files_pattern(skype_t, skype_home_t, skype_home_t)
52 +userdom_user_home_dir_filetrans(skype_t, skype_home_t, dir)
53 +
54 +userdom_manage_user_home_content_dirs(skype_t)
55 +userdom_manage_user_home_content_files(skype_t)
56 +
57 +manage_files_pattern(skype_t, skype_tmpfs_t, skype_tmpfs_t)
58 +manage_lnk_files_pattern(skype_t, skype_tmpfs_t, skype_tmpfs_t)
59 +manage_fifo_files_pattern(skype_t, skype_tmpfs_t, skype_tmpfs_t)
60 +manage_sock_files_pattern(skype_t, skype_tmpfs_t, skype_tmpfs_t)
61 +fs_tmpfs_filetrans(skype_t, skype_tmpfs_t, { file lnk_file sock_file fifo_file })
62 +
63 +can_exec(skype_t, skype_exec_t)
64 +
65 +kernel_read_system_state(skype_t)
66 +
67 +corecmd_exec_bin(skype_t)
68 +corecmd_exec_shell(skype_t)
69 +
70 +corenet_all_recvfrom_netlabel(skype_t)
71 +corenet_all_recvfrom_unlabeled(skype_t)
72 +corenet_tcp_bind_generic_node(skype_t)
73 +corenet_udp_bind_generic_node(skype_t)
74 +corenet_tcp_bind_generic_port(skype_t)
75 +corenet_udp_bind_generic_port(skype_t)
76 +corenet_tcp_connect_generic_port(skype_t)
77 +corenet_tcp_connect_http_port(skype_t)
78 +corenet_tcp_sendrecv_http_port(skype_t)
79 +corenet_sendrecv_http_client_packets(skype_t)
80 +allow skype_t self:tcp_socket create_stream_socket_perms;
81 +
82 +dev_read_video_dev(skype_t)
83 +dev_write_video_dev(skype_t)
84 +dev_read_sound(skype_t)
85 +dev_write_sound(skype_t)
86 +
87 +domain_use_interactive_fds(skype_t)
88 +
89 +files_read_etc_files(skype_t)
90 +files_read_usr_files(skype_t)
91 +
92 +auth_use_nsswitch(skype_t)
93 +
94 +libs_use_ld_so(skype_t)
95 +
96 +miscfiles_read_localization(skype_t)
97 +miscfiles_dontaudit_setattr_fonts_dirs(skype_t)
98 +
99 +userdom_use_user_terminals(skype_t)
100 +
101 +xserver_user_x_domain_template(skype, skype_t, skype_tmpfs_t)
102 +
103 +allow skype_t self:process { execmem };
104 +
105 +optional_policy(`
106 + alsa_read_rw_config(skype_t)
107 +')
108 +
109 +optional_policy(`
110 + dbus_system_bus_client(skype_t)
111 + dbus_session_bus_client(skype_t)
112 +')
113 +
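Review bot: `allow skype_t self:process { execmem };` near the end of the hunk is granted unconditionally, which permanently disables the executable-memory restriction for this domain, while the sibling add-skype.patch in this same commit gates the identical rule behind the `allow_execmem` tunable; wrap it in a `tunable_policy` block keyed on `allow_execmem` (or at least add a comment such as `# closed-source binary needs execmem; not auditable`) so the relaxation is opt-in and explained. The `userdom_manage_user_home_content_dirs(skype_t)` / `userdom_manage_user_home_content_files(skype_t)` pair grants manage rights over generic user home content, which makes the dedicated `skype_home_t` type and its `userdom_user_home_dir_filetrans` largely moot; if only traversal to `~/.Skype` is needed, `userdom_search_user_home_dirs(skype_t)` (as the sibling patch uses) is the narrower rule. The domain is also given `corenet_udp_bind_generic_node`/`corenet_udp_bind_generic_port` but only a `tcp_socket` self rule, so a `allow skype_t self:udp_socket create_socket_perms;` line appears to be missing.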
114 --- apps/skype.fc 1970-01-01 01:00:00.000000000 +0100
115 +++ apps/skype.fc 2011-01-09 21:27:25.364999962 +0100
116 @@ -0,0 +1,3 @@
117 +/usr/bin/skype -- gen_context(system_u:object_r:skype_exec_t,s0)
118 +/opt/skype/skype -- gen_context(system_u:object_r:skype_exec_t,s0)
119 +HOME_DIR/\.Skype(/.*)? gen_context(system_u:object_r:skype_home_t,s0)
120
121
122
123 1.1 sec-policy/selinux-skype/files/add-skype.patch
124
127
128 Index: add-skype.patch
129 ===================================================================
130 --- apps/skype.te 1970-01-01 01:00:00.000000000 +0100
131 +++ ../../../refpolicy/policy/modules/apps/skype.te 2011-01-08 00:23:10.900000094 +0100
132 @@ -0,0 +1,94 @@
133 +policy_module(skype, 1.0.0)
134 +
135 +############################
136 +#
137 +# Declarations
138 +#
139 +
140 +
141 +type skype_t;
142 +type skype_exec_t;
143 +typealias skype_t alias { user_skype_t staff_skype_t sysadm_skype_t };
144 +application_domain(skype_t, skype_exec_t)
145 +
146 +type skype_home_t;
147 +typealias skype_home_t alias { user_skype_home_t staff_skype_home_t sysadm_skype_home_t };
148 +userdom_user_home_content(skype_home_t)
149 +
150 +type skype_tmpfs_t;
151 +typealias skype_tmpfs_t alias { user_skype_tmpfs_t staff_skype_tmpfs_t sysadm_skype_tmpfs_t };
152 +files_tmpfs_file(skype_tmpfs_t)
153 +ubac_constrained(skype_tmpfs_t)
154 +
155 +############################
156 +#
157 +# Local policy
158 +#
159 +
160 +# Looks as if the binary needs this; for the time being use the tunable policy
161 +tunable_policy(`allow_execmem',`
162 + allow skype_t self:process { execmem };
163 +')
164 +
165 +# Manage ~/.Skype
166 +manage_dirs_pattern(skype_t, skype_home_t, skype_home_t)
167 +manage_files_pattern(skype_t, skype_home_t, skype_home_t)
168 +manage_lnk_files_pattern(skype_t, skype_home_t, skype_home_t)
169 +userdom_user_home_dir_filetrans(skype_t, skype_home_t, dir)
170 +userdom_search_user_home_dirs(skype_t)
171 +
172 +# Declare access permissions on skype_tmpfs_t domain for X sessions
173 +manage_files_pattern(skype_t, skype_tmpfs_t, skype_tmpfs_t)
174 +manage_lnk_files_pattern(skype_t, skype_tmpfs_t, skype_tmpfs_t)
175 +manage_fifo_files_pattern(skype_t, skype_tmpfs_t, skype_tmpfs_t)
176 +manage_sock_files_pattern(skype_t, skype_tmpfs_t, skype_tmpfs_t)
177 +fs_tmpfs_filetrans(skype_t, skype_tmpfs_t, { file lnk_file sock_file fifo_file })
178 +
179 +# Be able to call skype from a terminal (debugging)
180 +userdom_use_user_terminals(skype_t)
181 +domain_use_interactive_fds(skype_t)
182 +
183 +corecmd_exec_bin(skype_t)
184 +corecmd_exec_shell(skype_t)
185 +can_exec(skype_t, skype_exec_t)
186 +#exec_files_pattern(skype_t, skype_exec_t, skype_exec_t)
187 +libs_use_ld_so(skype_t)
188 +files_read_usr_symlinks(skype_t)
189 +
190 +# This is an X application
191 +xserver_user_x_domain_template(skype, skype_t, skype_tmpfs_t)
192 +
193 +files_search_var_lib(skype_t)
194 +miscfiles_read_fonts(skype_t)
195 +miscfiles_read_localization(skype_t)
196 +miscfiles_dontaudit_setattr_fonts_dirs(skype_t)
197 +dbus_system_bus_client(skype_t)
198 +files_read_etc_files(skype_t)
199 +libs_read_lib_files(skype_t)
200 +
201 +corenet_tcp_bind_generic_node(skype_t)
202 +corenet_udp_bind_generic_node(skype_t)
203 +corenet_tcp_bind_generic_port(skype_t)
204 +corenet_udp_bind_generic_port(skype_t)
205 +corenet_tcp_connect_generic_port(skype_t)
206 +corenet_tcp_connect_http_port(skype_t)
207 +
208 +dev_read_video_dev(skype_t)
209 +dev_write_video_dev(skype_t)
210 +dev_read_sound(skype_t)
211 +dev_write_sound(skype_t)
212 +alsa_read_rw_config(skype_t)
213 +
214 +files_read_usr_files(skype_t)
215 +kernel_read_system_state(skype_t)
216 +sysnet_read_config(skype_t)
217 +
218 +# Self
219 +allow skype_t self:process { getsched };
220 +allow skype_t self:unix_stream_socket create_socket_perms;
221 +allow skype_t self:udp_socket create_stream_socket_perms;
222 +allow skype_t self:tcp_socket create_stream_socket_perms;
223 +allow skype_t self:sem create_sem_perms;
224 +allow skype_t self:netlink_route_socket rw_netlink_socket_perms;
225 +allow skype_t self:fifo_file rw_fifo_file_perms;
226 +
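Review bot: `dbus_system_bus_client(skype_t)` and `alsa_read_rw_config(skype_t)` are called outside any `optional_policy` block, so this module cannot link on a system where the dbus or alsa policy modules are not loaded; the other two patches in this commit wrap both calls in `optional_policy(` ... `)`, and this one should match. `allow skype_t self:udp_socket create_stream_socket_perms;` applies the stream macro (which adds listen/accept) to a datagram socket; the conventional and narrower form is `allow skype_t self:udp_socket create_socket_perms;`. The `+++` path points at `../../../refpolicy/policy/modules/apps/skype.te` rather than `apps/skype.te` as in the sibling patches, which looks like a leftover from the author's tree and may need `-p` adjustment when applied.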
227 --- apps/skype.fc 1970-01-01 01:00:00.000000000 +0100
228 +++ ../../../refpolicy/policy/modules/apps/skype.fc 2011-01-07 21:46:47.603999891 +0100
229 @@ -0,0 +1,3 @@
230 +/usr/bin/skype -- gen_context(system_u:object_r:skype_exec_t,s0)
231 +/opt/skype/skype -- gen_context(system_u:object_r:skype_exec_t,s0)
232 +HOME_DIR/\.Skype(/.*)? gen_context(system_u:object_r:skype_home_t,s0)
233
234
235
236 1.1 sec-policy/selinux-skype/files/add-apps-skype-r2.patch
237
240
241 Index: add-apps-skype-r2.patch
242 ===================================================================
243 --- apps/skype.te 1970-01-01 01:00:00.000000000 +0100
244 +++ apps/skype.te 2011-01-30 16:17:19.481000177 +0100
245 @@ -0,0 +1,97 @@
246 +policy_module(skype, 0.0.2)
247 +
248 +############################
249 +#
250 +# Declarations
251 +#
252 +
253 +type skype_t;
254 +type skype_exec_t;
255 +application_domain(skype_t, skype_exec_t)
256 +
257 +type skype_home_t;
258 +
259 +type skype_tmpfs_t;
260 +files_tmpfs_file(skype_tmpfs_t)
261 +ubac_constrained(skype_tmpfs_t)
262 +
263 +############################
264 +#
265 +# Policy
266 +#
267 +
268 +allow skype_t self:process { getsched setsched execmem };
269 +allow skype_t self:fifo_file rw_fifo_file_perms;
270 +allow skype_t self:unix_stream_socket create_socket_perms;
271 +allow skype_t self:sem create_sem_perms;
272 +allow skype_t self:tcp_socket create_stream_socket_perms;
273 +
274 +
275 +manage_dirs_pattern(skype_t, skype_home_t, skype_home_t)
276 +manage_files_pattern(skype_t, skype_home_t, skype_home_t)
277 +manage_lnk_files_pattern(skype_t, skype_home_t, skype_home_t)
278 +userdom_user_home_dir_filetrans(skype_t, skype_home_t, dir)
279 +userdom_user_home_content(skype_home_t)
280 +
281 +manage_files_pattern(skype_t, skype_tmpfs_t, skype_tmpfs_t)
282 +manage_lnk_files_pattern(skype_t, skype_tmpfs_t, skype_tmpfs_t)
283 +manage_fifo_files_pattern(skype_t, skype_tmpfs_t, skype_tmpfs_t)
284 +manage_sock_files_pattern(skype_t, skype_tmpfs_t, skype_tmpfs_t)
285 +fs_tmpfs_filetrans(skype_t, skype_tmpfs_t, { file lnk_file sock_file fifo_file })
286 +
287 +
288 +kernel_read_system_state(skype_t)
289 +
290 +can_exec(skype_t, skype_exec_t)
291 +corecmd_exec_bin(skype_t)
292 +corecmd_exec_shell(skype_t)
293 +corenet_all_recvfrom_netlabel(skype_t)
294 +corenet_all_recvfrom_unlabeled(skype_t)
295 +corenet_tcp_bind_generic_node(skype_t)
296 +corenet_udp_bind_generic_node(skype_t)
297 +corenet_tcp_bind_generic_port(skype_t)
298 +corenet_udp_bind_generic_port(skype_t)
299 +corenet_tcp_connect_generic_port(skype_t)
300 +corenet_tcp_connect_http_port(skype_t)
301 +corenet_tcp_sendrecv_http_port(skype_t)
302 +corenet_sendrecv_http_client_packets(skype_t)
303 +dev_read_sound(skype_t)
304 +dev_read_video_dev(skype_t)
305 +dev_write_sound(skype_t)
306 +dev_write_video_dev(skype_t)
307 +files_read_etc_files(skype_t)
308 +files_read_usr_files(skype_t)
309 +
310 +
311 +auth_use_nsswitch(skype_t)
312 +domain_use_interactive_fds(skype_t)
313 +libs_use_ld_so(skype_t)
314 +miscfiles_dontaudit_setattr_fonts_dirs(skype_t)
315 +miscfiles_read_localization(skype_t)
316 +userdom_manage_user_home_content_dirs(skype_t)
317 +userdom_manage_user_home_content_files(skype_t)
318 +userdom_use_user_terminals(skype_t)
319 +
320 +
321 +xserver_user_x_domain_template(skype, skype_t, skype_tmpfs_t)
322 +
323 +tunable_policy(`gentoo_try_dontaudit',`
324 + dev_dontaudit_search_sysfs(skype_t)
325 + fs_dontaudit_getattr_xattr_fs(skype_t)
326 +')
327 +
328 +optional_policy(`
329 + tunable_policy(`gentoo_try_dontaudit',`
330 + mozilla_dontaudit_manage_user_home_files(skype_t)
331 + ')
332 +')
333 +
334 +optional_policy(`
335 + alsa_read_rw_config(skype_t)
336 +')
337 +
338 +optional_policy(`
339 + dbus_system_bus_client(skype_t)
340 + dbus_session_bus_client(skype_t)
341 +')
342 +
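Review bot: the hunk calls `corenet_udp_bind_generic_node(skype_t)` and `corenet_udp_bind_generic_port(skype_t)` but the only socket self rule is `allow skype_t self:tcp_socket create_stream_socket_perms;`, so the domain cannot create a UDP socket and those bind rules are dead; add `allow skype_t self:udp_socket create_socket_perms;` beside the tcp rule. `policy_module(skype, 0.0.2)` is lower than the `1.0.1` declared in add-apps-skype.patch from the same commit; if this -r2 file is meant to supersede the earlier one, bump the version so it is unambiguous which module is current. As in the first patch, `execmem` is granted unconditionally in `allow skype_t self:process { getsched setsched execmem };` while add-skype.patch gates it behind `allow_execmem`; a short comment stating why the tunable was dropped here would help the next maintainer.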
343 --- apps/skype.fc 1970-01-01 01:00:00.000000000 +0100
344 +++ apps/skype.fc 2011-01-09 21:27:25.364999962 +0100
345 @@ -0,0 +1,3 @@
346 +/usr/bin/skype -- gen_context(system_u:object_r:skype_exec_t,s0)
347 +/opt/skype/skype -- gen_context(system_u:object_r:skype_exec_t,s0)
348 +HOME_DIR/\.Skype(/.*)? gen_context(system_u:object_r:skype_home_t,s0)